LinuxQuestions.org - Linux - Server - SAMBA, LDAP and LAM (http://www.linuxquestions.org/questions/linux-server-73/samba-ldap-and-lam-568450/)

metallica1973 07-11-2007 12:03 PM

SAMBA, LDAP and LAM
 
I just recently integrated a Fedora 6 box using LDAP, SAMBA and LAM (LDAP Administration Manager, I think) into my network to take over the Microsoft PDC that was giving me major headaches, and made it my PDC. I use LAM to create accounts that have the appropriate privileges. The trouble that I am having is that when I log in from a Windows workstation as a normal user, I cannot get into certain directories. I am having trouble with permissions on certain directories. I looked at samba.conf and am having a lot of trouble setting up permissions. Using this setup, how would I control permissions on directories like you would using MS Active Directory?

hob 07-14-2007 02:16 PM

Define your users and groups in the LDAP directory, and if you have configured it correctly the Linux system can use them just like local users and groups. By default, Linux only attaches one group to a file or directory, though - you need to use the ACL tools to build more complex permission sets.

metallica1973 07-14-2007 11:14 PM

Does LDAP synchronize its accounts with the local accounts in /etc/passwd and /etc/groups of the local machine that is holding all of my Linux accounts (I hope you understand that)? The reason that I ask this is because if you create a user in LAM and LDAP then it should also create the account in /etc/passwd and /etc/group, correct?

hob 07-16-2007 02:05 PM

Quote:

Originally Posted by metallica1973
Does LDAP synchronize its accounts with the local accounts in /etc/passwd and /etc/groups of the local machine that is holding all of my Linux accounts (I hope you understand that)? The reason that I ask this is because if you create a user in LAM and LDAP then it should also create the account in /etc/passwd and /etc/group, correct?

No. The relevant Linux components (nsswitch, PAM) will work with multiple information sources, but use local files by default. The idea is that you create the minimum on each system, and define the rest in your directory service. You configure your systems to check their local files first for each lookup, and then query the network directory service if there is no match.

metallica1973 07-16-2007 02:33 PM

So the accounts in LDAP are completely separate from the accounts that are stored on the local machine under /etc/passwd and /etc/groups, right? If that is the case, then what controls the permissions of the directories that are being shared on the machine? So really LDAP is only used for account authentication? I am confused!

hob 07-17-2007 03:13 PM

Well, the basic principles are really the same as Windows - once you attach a system to a domain, administrators can specify users and groups from either network sources or the local account files (/etc/passwd and friends) when they set permissions on files and directories. If you configure the system correctly, chown etc. don't care whether the names that you specify are from a standard LDAP directory, an Active Directory, or the local account files. An LDAP directory is just a kind of database that can hold user account information (and many other things) for client systems to search.

Note that the system hosting an LDAP service doesn't automatically use that directory service for account lookups - you have to configure it like any other client system. Fedora ships with a tool to attach the system to authentication sources like LDAP, Kerberos etc.

There is a shortage of good documentation for OpenLDAP, but Red Hat provide several free books on their website for "Red Hat Directory Server", which is a brand name for their own LDAP product (Fedora Directory Server):

https://www.redhat.com/docs/manuals/dir-server/
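The pieces hob describes across these replies, put together as an added example (not code from the thread or from any of the projects mentioned): the nsswitch lookup order "local files first, then LDAP", a check that the host can actually see directory names before it tries to use them, and an ACL plus setgid layout that gives an LDAP group access to a Samba share. It assumes an OpenLDAP directory already populated by LAM with posixAccount/posixGroup entries and a share under /srv/shares; the group name "eng", the share name, the LDAP server and base DN in the authconfig comment, and all paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an OpenLDAP directory that LAM
# has populated with posixAccount/posixGroup entries, and a Samba share
# directory under /srv/shares. Group "eng", share names and paths are
# hypothetical.

# --- 1. Lookup order: local files first, then the directory (hob's point).
# Print the sources configured for one database in an nsswitch.conf file,
# e.g. "files ldap" for the line "passwd:  files ldap".
nss_sources() {                      # usage: nss_sources <db> <nsswitch-file>
    awk -v db="$1" '
        { line = $0; sub(/#.*/, "", line)                 # drop comments
          n = index(line, ":"); if (n == 0) next
          name = substr(line, 1, n - 1); gsub(/[ \t]/, "", name)
          if (name != db) next
          rest = substr(line, n + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", rest)               # trim
          print rest; exit }' "$2"
}

# True if <db> is resolved from local files first and then from LDAP.
files_then_ldap() {                  # usage: files_then_ldap <db> <nsswitch-file>
    case "$(nss_sources "$1" "$2")" in
        files\ *ldap*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Constructed sample of the three databases that matter for file ownership.
# On Fedora the tool hob mentions is authconfig; a run such as
#   authconfig --enableldap --enableldapauth --ldapserver=ldap.example.com \
#              --ldapbasedn=dc=example,dc=com --update
# (server and base DN assumed) writes lines like these into /etc/nsswitch.conf.
SAMPLE_NSS=$(mktemp)
cat > "$SAMPLE_NSS" <<'EOF'
# constructed sample, not a real system file
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
EOF
for db in passwd shadow group; do
    printf '%-7s -> %s\n' "$db" "$(nss_sources "$db" "$SAMPLE_NSS")"
done
rm -f "$SAMPLE_NSS"

# --- 2. Once lookups go through LDAP, the host itself must see the directory's
# names before chown/setfacl can use them. getent walks the nsswitch order.
name_resolves() {                    # usage: name_resolves passwd|group <name>
    getent "$1" "$2" >/dev/null 2>&1
}

# --- 3. Give an LDAP group access to a share directory. Setgid plus the
# default ACL make files created by any member inherit the group rights.
# Needs root and an ACL-enabled filesystem, so it only runs on request.
grant_group_share() {                # usage: grant_group_share <dir> <group>
    dir=$1; grp=$2
    name_resolves group "$grp" || { echo "group $grp not visible via nsswitch" >&2; return 1; }
    mkdir -p "$dir"
    chown root:"$grp" "$dir"
    chmod 2770 "$dir"                                 # setgid: new files get $grp
    setfacl -m g:"$grp":rwx -m d:g:"$grp":rwx "$dir"  # access ACL + default ACL
    getfacl --omit-header "$dir"
}

# Matching smb.conf stanza. Samba still enforces the Unix/ACL permissions set
# above; "valid users" only limits who may connect to the share at all.
smb_share_stanza() {                 # usage: smb_share_stanza <name> <dir> <group>
    printf '[%s]\n  path = %s\n  valid users = @%s\n  writable = yes\n' "$1" "$2" "$3"
    printf '  inherit acls = yes\n  create mask = 0660\n  directory mask = 2770\n'
}

if [ "${1:-}" = apply ]; then        # e.g.: sh acl-share.sh apply /srv/shares/eng eng
    grant_group_share "$2" "$3"
    smb_share_stanza "$(basename "$2")" "$2" "$3"
fi
```

Run without arguments it only parses the constructed nsswitch sample and prints the lookup order; `sh acl-share.sh apply /srv/shares/eng eng` (as root, on a filesystem mounted with ACL support) applies the ownership, mode and ACLs and prints the share stanza to paste into smb.conf. The `name_resolves` check is the one that catches the situation in the thread: if `getent group eng` returns nothing, the host is not yet configured as an LDAP client and any chown or setfacl naming that group will fail.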

metallica1973 07-17-2007 04:19 PM

So in order for LDAP to control the whole system, I have to make the whole computer use LDAP as the authentication mechanism? I have tried that and modified my system to act as a client and played with the nsswitch.conf file etc. I will create another post for that particular problem.
