
Re: Where to start a migration from passwd/shadow/smbpasswd to openldap



On Friday, 26 March 2010 14:29:04, Buchan Milne wrote:
> On Friday, 26 March 2010 11:27:28 Götz Reinicke - IT-Koordinator wrote:
> > Buchan Milne wrote:
> 
> > > For the rfc2307 vs rfc2307bis group issue, I don't think samba
> > > supports rfc2307bis, so you should go with rfc2307 (using memberUid for
> > > denoting members of groups, holding the username, not the DN).
> 
> 
> > "The nss_ldap library from PADL software (http://www.padl.com) supports
> > this by enabling the library’s RFC2307bis extensions (pass the
> > --enable-rfc2307bis option to the nss_ldap configure script when
> > compiling) ..."
> > 
> > 
> > And http://www.padl.com/OSS/nss_ldap.html also mentions support for
> > RFC 2307/RFC 2307bis.
> > 
> > Or do I get something wrong?
> 
> nss_ldap supports rfc2307bis, but samba does not (AFAIK). If you are using 
> Samba as a Domain Controller, the groups visible on windows clients (for local 
> ACLs on windows computers, rights etc.) will not align with your unix groups 

IIRC that depends on the samba configuration. I.e. if you have
ldapsam:trusted=yes in smb.conf, your statement is true. But the default for
ldapsam:trusted is "no" (at least according to the smb.conf man page), and then
samba will use the NSS subsystem (and through that nss_ldap, if configured) to
access user and group information.
So unless you use ldapsam:trusted=yes, rfc2307bis is usable with Samba as
well.

-- 
Ralf