
We are in the process of setting up our existing OpenLDAP (on Ubuntu) to provide authentication and MCX etc for our Macs.

We are hitting a problem with our home directories - they work fine using AFP (and presumably NFS), but we want to use Samba for obvious reasons and we don't want to use Kerberos. I have searched high and low for info on using Samba in this way, but have had no luck.

My simplistic approach so far was to change the following schema value from AFP to SMB, but with no success - the login fails with a generic error.

apple-user-homeurl: afp://server/home/jrhoades

Does anybody have any experience using Samba in this way?

To answer your good questions:

  • We use OpenLDAP & Samba exclusively - no AD at all.
  • Windows XP & Macs (mix of 10.4 & 10.5) are the only clients.
  • We were hoping to avoid the hassle of setting up Kerberos - if it is between Kerberized NFS and AFP, AFP will probably win.
  • We already have Samba running on the file server in front of our SAN.
  • I'm told NFS without Kerberos is just not secure enough (we have multiple independent groups using our file server with serious IP implications/regulations).
Jon Rhoades
  • 1. What did you set up? (Samba, OpenLDAP) 2. How do you manage this? - I installed Ubuntu Server 10.04 + OpenLDAP + Samba PDC + Gosa (for management). Works fine with Windows clients, but Macs don't want to bind for some reason: 1. Binding to OpenLDAP. It requires some Apple schemas. When I try to add converted schemas from Mac OS (/etc/openldap/schema/apple.schema) it says I don't have the necessary objectClasses. As I understood it, it needs Apple's Samba schema, but I have already installed my own schemas. 2. Binding to Samba PDC as AD: it requires Kerberos. In this case I don't know what to do. – yujin1st Aug 10 '11 at 02:07

3 Answers


Can you re-edit and give a few more details? Are you setting up all authentication via Ubuntu? Is there a Windows Domain Controller involved, or is it all Ubuntu all the time? Will you have Windows clients (XP, Vista, 7) connecting? Is this an all-Mac-client shop? Just curious, why do you not want Kerberos?

Using SMB on OS X for home directories is troublesome; I know of one person that had all kinds of trouble getting the home directory to map properly when they logged in. The drive would show up, but no matter how they attempted to open it, they just couldn't access it.

If you're a 100% non-windows shop, I really recommend that you just go with NFS. I guarantee you'll cut out loads of heartache, it will mesh with your existing Unix(y) permissions schema, and you can generally get things done.

If you have Windows clients that need to attach, well, Samba is pretty much the only game in town.

If you have Windows Domain Controllers and you're setting up Ubuntu as a member server acting as a file server, then you want Kerberos in your life, it will simplify your authentication. If you're avoiding Kerberos because you fear you need a KDC, then have no fear, because the Windows Domain Controller will provide that for you.

Avery Payne

It would appear that changing the following LDAP entry

apple-user-homeurl : <home_dir><url>smb://server/</url><path>jrhoades</path></home_dir>

to

apple-user-homeurl : <home_dir><url>smb://server/jrhoades/</url><path></path></home_dir>

fixed it!

Jon Rhoades
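An added example (not code from the question or any answer) that applies the rewrite above, folding the `<path>` element into the `<url>` so `<path>` is left empty, and emits the `ldapmodify` LDIF for it. The DN, the allowed-scheme list and the handling of a bare `afp://...` value are assumptions.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Schemes a Mac client home URL is expected to carry (assumption); anything else
# is rejected so a mangled attribute cannot point logins at an unexpected transport.
ALLOWED_SCHEMES = {"afp", "smb", "nfs"}

def parse_homeurl(value):
    """Return (url, path) from an apple-user-homeurl value.
    Accepts the <home_dir> XML form shown in the answers and, as an assumption,
    a bare URL such as the afp://server/home/jrhoades from the question."""
    value = value.strip()
    if not value.startswith("<"):
        return value, ""
    root = ET.fromstring(value)
    if root.tag != "home_dir":
        raise ValueError("expected a <home_dir> element")
    return (root.findtext("url") or "").strip(), (root.findtext("path") or "").strip()

def fold_path_into_url(value, scheme=None):
    """Rewrite the value so the share path lives in <url> and <path> is empty,
    optionally switching the scheme (e.g. afp -> smb)."""
    url, path = parse_homeurl(value)
    parts = urlsplit(url)
    target = scheme or parts.scheme
    if target not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported home URL scheme: {target!r}")
    base = parts.path.rstrip("/")
    segment = path.strip("/")
    new_path = f"{base}/{segment}/" if segment else f"{base}/"
    new_url = urlunsplit((target, parts.netloc, new_path, "", ""))
    return f"<home_dir><url>{new_url}</url><path></path></home_dir>"

def ldif_replace(dn, value):
    """Build an ldapmodify LDIF that replaces apple-user-homeurl on one entry.
    RFC 2849 forbids '<', ':' and space as the first character of a plain value,
    so the <home_dir> form has to be written base64-encoded with '::'."""
    if value[:1] in ("<", ":", " ") or not value.isascii():
        attr_line = "apple-user-homeurl:: " + base64.b64encode(value.encode()).decode()
    else:
        attr_line = "apple-user-homeurl: " + value
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "replace: apple-user-homeurl", attr_line, "-", ""])

if __name__ == "__main__":
    # Constructed input matching the entry in the answer above; DN is an assumption.
    old = "<home_dir><url>smb://server/</url><path>jrhoades</path></home_dir>"
    print(ldif_replace("uid=jrhoades,ou=People,dc=example,dc=com", fold_path_into_url(old)))
```

Pipe the printed LDIF into `ldapmodify` against the OpenLDAP server; the base64 form is what makes the `<home_dir>` value survive the LDIF parser.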

I've faced a similar problem: My point is to build a single domain for different clients (Windows XP, Windows 7, Mac OS 10.6) with home folders and roaming profiles.

I suggest two possible solutions:

  1. Windows binds to Samba PDC, Mac binds to OpenLDAP. In this case, OpenLDAP requires some schemas (see below in this topic). And I don't know how to manage this.
  2. All clients bind to the Samba domain. The Mac client thinks it joins AD, and doesn't need anything else. As I found out, Macs require Kerberos.
yujin1st
  • Welcome to Serverfault! This is a Q&A site, not a discussion forum. Answers should not contain new questions. It's not clear if your "answer" is just a comment on the question or if it's a possible solution. If you have a new question, just post it as a question. - I did some edits to your answer and moved the "question" to the comment section of the question. – splattne Aug 10 '11 at 06:24