Apr 10, 2007, 5:27:38 AM
Paul Smedley

Updated source to 3.0.25rc1

1 edited


  • trunk/samba/docs/manpages/smb.conf.5

    r22 r26  
    539539This is the full pathname to a script that will be run by\fBsmbd\fR(8) when a machine is added to Samba's domain and a Unix account matching the machine's name appended with a "$" does not already exist\&.
     541This option is very similar to the add user script, and likewise uses the %u substitution for the account name\&. Do not use the %m substitution\&.
    541543Default: \fB\fIadd machine script\fR = \fR
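Review bot: the new sentence at line 541 says "Do not use the %m substitution" but gives no reason, and an unexplained prohibition is the kind that gets ignored when the obvious substitution appears to work. Since line 539 defines the account the script must create as the machine name with a "$" appended, the text should tie the rule to that definition, e.g. "This option is very similar to the add user script and likewise receives the account name, i.e. the machine name with the trailing "$", only via the %u substitution; do not use %m, which does not carry that account name." That way the reader knows what breaks if %m is used.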
     2205ldapsam:editposix (G)
     2206Editposix is an option that leverages ldapsam:trusted to make it simpler to manage a domain controller eliminating the need to set up custom scripts to add and manage the posix users and groups\&. This option will instead directly manipulate the ldap tree to create, remove and modify user and group entries\&. This option also requires a running winbindd as it is used to allocate new uids/gids on user/group creation\&. The allocation range must be therefore configured\&.
     2208To use this option, a basic ldap tree must be provided and the ldap suffix parameters must be properly configured\&. On virgin servers the default users and groups (Administrator, Guest, Domain Users, Domain Admins, Domain Guests) can be precreated with the command \fBnet sam provision\fR\&. To run this command the ldap server must be running, Winindd must be running and the smb\&.conf ldap options must be properly configured\&. The tipical ldap setup used with the ldapsam:trusted = yes option is usually sufficient to use ldapsam:editposix = yes as well\&.
     2210An example configuration can be the following:
     2214        encrypt passwords = true
     2215        passdb backend = ldapsam
     2217        ldapsam:trusted=yes
     2218        ldapsam:editposix=yes
     2220        ldap admin dn = cn=admin,dc=samba,dc=org
     2221        ldap delete dn = yes
     2222        ldap group suffix = ou=groups
     2223        ldap idmap suffix = ou=idmap
     2224        ldap machine suffix = ou=computers
     2225        ldap user suffix = ou=users
     2226        ldap suffix = dc=samba,dc=org
     2228        idmap backend = ldap:"ldap://localhost"
     2230        idmap uid = 5000\-50000
     2231        idmap gid = 5000\-50000
     2234 This configuration assume the ldap server have been loaded with a base tree like described in the following ldif:
     2238        dn: dc=samba,dc=org
     2239        objectClass: top
     2240        objectClass: dcObject
     2241        objectClass: organization
     2242        o: samba\&.org
     2243        dc: samba
     2245        dn: cn=admin,dc=samba,dc=org
     2246        objectClass: simpleSecurityObject
     2247        objectClass: organizationalRole
     2248        cn: admin
     2249        description: LDAP administrator
     2250        userPassword: secret
     2252        dn: ou=users,dc=samba,dc=org
     2253        objectClass: top
     2254        objectClass: organizationalUnit
     2255        ou: users
     2257        dn: ou=groups,dc=samba,dc=org
     2258        objectClass: top
     2259        objectClass: organizationalUnit
     2260        ou: groups
     2262        dn: ou=idmap,dc=samba,dc=org
     2263        objectClass: top
     2264        objectClass: organizationalUnit
     2265        ou: idmap
     2267        dn: ou=computers,dc=samba,dc=org
     2268        objectClass: top
     2269        objectClass: organizationalUnit
     2270        ou: computers
     2275Default: \fB\fIldapsam:editposix\fR = no \fR
    22032278ldapsam:trusted (G)
    22042279By default, Samba as a Domain Controller with an LDAP backend needs to use the Unix\-style NSS subsystem to access user and group information\&. Due to the way Unix stores user information in /etc/passwd and /etc/group this inevitably leads to inefficiencies\&. One important question a user needs to know is the list of groups he is member of\&. The plain UNIX model involves a complete enumeration of the file /etc/group and its NSS counterparts in LDAP\&. UNIX has optimized functions to enumerate group membership\&. Sadly, other functions that are used to deal with user and group attributes lack such optimization\&.
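Review bot: the example LDIF at line 2250 stores the directory administrator's password in cleartext (`userPassword: secret`) on the very entry that line 2220 configures as `ldap admin dn`, and nothing in the added text says this is a placeholder; given that line 2206 explains editposix will use that bind to create, remove and modify user and group entries directly in the tree, the docs should state that `secret` is an example value to be replaced and that the admin DN needs write access to the ou=users, ou=groups, ou=idmap and ou=computers subtrees named at lines 2222 to 2225. The prose also needs copy fixes before release: line 2208 "Winindd" should be "winbindd" (the daemon is spelled correctly at line 2206) and "tipical" should be "typical"; line 2234 "This configuration assume the ldap server have been loaded" should read "This configuration assumes the LDAP server has been loaded". Finally, line 2206 says the allocation range "must be therefore configured" without naming the parameters; pointing at `idmap uid` and `idmap gid`, which the example then sets at lines 2230 and 2231, would close that loop.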