Re: Unix auth via LDAP & now need to add Samba!

[". ." <libogen@hotmail.com>]

> From: Adam Williams6 <awilliam@whitemice.org>
> Date: Tue, 30 Apr 2002 14:01:03 -0400 (EDT)
>
> >I only have the root account in both passwd (shadow)
> >and in LDAP. All other test 'user' accounts are in LDAP only.
> >I created a test base dn "o=local" and used Padl's base, passwd & >group 
> migration scripts to build up the ldbm. I only keep the user
> >accounts in LDAP under ou=People. All system accounts remain in the 
> >passwd file. All groups are in both the group file and LDAP under 
> >ou=Group.
>
> Why?  This duplicity certainly seems to defeat the purpose of LDAP.

I guess I should exclude the root account from LDAP and only keep 'normal' 
user accounts and their related group in LDAP eg. keep "bob" user & "bob" 
group, "fred" user & "fred" group in LDAP?

> ldd /usr/sbin/smbd
>
> Are the LDAP libraries in the list?

Thanks, I'll check on that tomorrow.

> >Right from the start I want Samba to authenticate via LDAP against >the 
> existing People & Group ou's but am not sure how to integrate >this.
>
> You need to add sambaAccount objectclass and attributes to the appropriate 
> objects, typically posixAccounts.

As you mentioned below, smbpasswd will automagically create them for me, 
right?

> >I've read the info on samba.idealx.org and see, like Padl, that they 
> >also provide some migration scripts (smbldap-tools) and a >sample 
> "Initial Entries" LDIF that will setup various gids amongst >other things.
>
> Make sure your not looking at something for Samba-TNG.  2.2.3a doesn't use 
> the built-ins entries.

The Idealx site refers to Samba not Samba-TNG

RedHat's authconfig tool sounds like it makes life a bit easier. Oh well, 
I'm running Mandrake :)

> >The output from both Padl's and Idealx's migration scripts doesn't >seem 
> straightforward to combine. Also, I'm not sure whether it's >worth adding 
> an additional (Samba only) ou=Computers, as proposed by >Idealx. Wouldn't 
> it be simpler to just stick with only ou=People & >ou=Group?
>
> But computers aren't people (yet).  You don't want nt01688$ showing up
> when someone does a search for someone's e-mail address.  Also chopping
> them off into a seperate tree makes it easier to create the ACLs, as the 
> PDC need full control of these guys,  but shouldn't be able to remove your 
> users, etc....

Well if you met some of the people I've met........Just kidding ;-)

"easier to create ACLs" sounds good to me. Ok, I'll add an ou=Computers.

> >I could proceed by;
> >a) manually adding Samba related objectClasses, etc. to the few test 
> >uid's under ou=People and adding necessary Samba groups to ou=Group >or;
> >b) delete my ldbm and start again using only Idealx's migration >scripts 
> or;
> >c) another way suggested by you gurus ;-)
>
> Get samba w/ldap up and running and do a smbpasswd fred, where fred is a 
> posix user, and watch it magically add all the required attributes for you. 
>  And set the initial cifs password.

As long as I use the same uid(s) in Samba as there are in ou=People 
(originally users from passwd) and add [ ldap suffix = "ou=People,o=local" ] 
in smb.conf I don't need to manually add anything Samba related to LDAP, 
apart from creating ou=Computers?

WARNING: Extreme Newbie question coming =o) How does Samba know how to find 
and store computer accounts in ou=Computers ?

> No reason to "do" anything other than run smbpasswd.

That's reassuring, really! I thought there was more to do, hehe.

> >Also, is there a good resource to help with setting up correct ACL's >in 
> slapd.conf for a Unix/Samba account authentication based OpenLDAP?
>
> Good question.

How about a good, basic OpenLDAP 2.x ACL resource?

If I feel comfortable enough with ACL's in the future, I'll see if I can put 
together a mini-HowTo! Don't hold your breath though :)

Wish me luck!

Thanks,
Scrumpy :)

_________________________________________________________________
Join the world?s largest e-mail service with MSN Hotmail. 
http://www.hotmail.com