Re: Unix auth via LDAP & now need to add Samba!

[Adam Williams6 <awilliam@whitemice.org>]

>I'm quite new to LDAP/OpenLDAP and just starting with Samba :)
>I've recently setup OpenLDAP 2.0.21, pam_ldap & nss_ldap and authenticate 
>Unix logins via LDAP. I only have the root account in both passwd (shadow) 
>and in LDAP. All other test 'user' accounts are in LDAP only.
>I created a test base dn "o=local" and used Padl's base, passwd & group 
>migration scripts to build up the ldbm. I only keep the user accounts  in 
>LDAP under ou=People. All system accounts remain in the passwd file. All 
>groups are in both the group file and LDAP under ou=Group.

Why?  This duplicity certainly seems to defeat the purpose of LDAP.

>Unix passwords in LDAP are 'crypt'ed and the cn=manager,o=local password 
>uses SSHA.
>I have the Mandrake (8.2) Samba 2.2.3a RPM installed (it's not clear from 
>the changelog if it was built with LDAP support!) and want to start using 
>Samba.

ldd /usr/sbin/smbd

Are the LDAP libraries in the list?

>Right from the start I want Samba to authenticate via LDAP against the 
>existing People & Group ou's but am not sure how to integrate this.

You need to add sambaAccount objectclass and attributes to the appropriate 
objects,  typically posixAccounts.

>I've read the info on samba.idealx.org and see, like Padl, that they also 
>provide some migration scripts (smbldap-tools) and a sample "Initial 
>Entries" LDIF that will setup various gids amongst other things.

Make sure your not looking at something for Samba-TNG.  2.2.3a doesn't use 
the built-ins entries.

>The output from both Padl's and Idealx's migration scripts doesn't seem 
>straightforward to combine. Also, I'm not sure whether it's worth adding an 
>additional (Samba only) ou=Computers, as proposed by Idealx. Wouldn't it be 
>simpler to just stick with only ou=People & ou=Group?

But computers aren't people (yet).  You don't want nt01688$ showing up 
when someone does a search for someone's e-mail address.  Also chopping 
them off into a seperate tree makes it easier to create the ACLs,  as the 
PDC need full control of these guys,  but shouldn't be able to remove your 
users, etc....

>I could proceed by;
>a) manually adding Samba related objectClasses, etc. to the few test uid's 
>under ou=People and adding necessary Samba groups to ou=Group or;
>b) delete my ldbm and start again using only Idealx's migration scripts or;
>c) another way suggested by you gurus ;-)

Get samba w/ldap up and running and do a smbpasswd fred, where fred is a 
posix user, and watch it magically add all the required attributes for 
you.  And set the initial cifs password.

>For a) above I'm not sure what to add manually so I'd need help or pointers 
>to a good resource.

No reason to "do" anything other than run smbpasswd.

>Also, is there a good resource to help with setting up correct ACL's in 
>slapd.conf for a Unix/Samba account authentication based OpenLDAP?

Good question.

>Once all is setup correctly, I will test the "Directory administrator" 
>program ( http://diradmin.open-it.org/index.php ) and hopefully use it to 
>create a new user template(s) to ease the process of adding combined 
>Unix/Samba accounts into LDAP in the future.
>FYI, I'm not familiar with shell scripting (just bought a book which has a 
>shell scripting chapter :) ).
>Sorry if I've posed too many questions. I'm most interested in feedback 
>about combining integrated Unix/Samba account authentication into OpenLDAP.
>P.S. It would be nice if Webmin could administer pam_ldap'ed Unix & Samba 
>accounts. Guess I'd better drop them a suggestion ;-)

Unfortunately Samba & LDAP users are still pretty few (relatively 
speaking)  it will take awhile for other packages to catch up.

-- 
-----------------------------------------------------------
Ximian GNOME, Evolution, LTSP, and RedHat Linux + LVM & XFS
-----------------------------------------------------------