
Re: Directory structure for Samba and Posix accounts



> At our school we are trying to implement Samba 3.0.0 as a PDC. Because
> the school is divided over several locations we want to use an OpenLDAP
> for authentication purposes.

Excellent.  Samba 3.0.0rc4 has been working excellently here, in
production, against an OpenLDAP SAM.

> We want to have a central source of authentication. But there will be
> file servers at every location all using the same LDAP server.
> As I see it - but I may be wrong - there must be at least two levels
> of authentication:
> - Samba will have to use the LDAP for the users

Yep.

> - Linux will have to know those same users and their groups

Yep. 

These two things actually blend naturally.

> I have been reading the "Samba (v.3) PDC LDAP howto", the "LDAP Linux
> HOWTO" and the "LDAP Implementing HOWTO" and have already succeeded
> in letting Samba use an LDAP server using that first howto.
> But now I am at a point where I will have to plan the layout for the
> directory and I am puzzled/confused.
> The samba howto suggested I should add my samba users to an
> organizational unit like "smb". The other howtos suggest that for the
> posix accounts I should use something like "people" and "groups".
> The things I am wondering about are these:
> - Can those ou's "smb" and "people" be the same?

Yes.  We have just "ou=People"

> - Can I have a separate ou for the machine accounts?

Yes.  We have "ou=System Accounts" for machine accounts and service
"users" (apache, ftp, mail, clamav, etc...)


Then there is "ou=Groups" for groups.

> I would be very pleased if someone could explain this to me, or point
> me in the direction of some documentation explaining this kind of
> planning.

ftp://ftp.kalamazoolinux.org/pub/pdf/Samba3-WhatsNew.sxi.pdf
ftp://ftp.kalamazoolinux.org/pub/pdf/ldapv3.pdf

You should probably take any more specific questions over to the Samba
list(s).
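
The layout described in the reply above, sketched as an added LDIF example (not part of the original post). The base DN dc=example,dc=org, the host name, account names, numeric IDs and SIDs are constructed placeholders; the smb.conf lines in the comments assume that same base DN.

```ldif
# Constructed example: base DN, names, IDs and SIDs are placeholders.
# Matching smb.conf settings (suffixes are relative to "ldap suffix"):
#   passdb backend      = ldapsam:ldap://ldap.example.org
#   ldap suffix         = dc=example,dc=org
#   ldap user suffix    = ou=People
#   ldap group suffix   = ou=Groups
#   ldap machine suffix = ou=System Accounts

dn: ou=People,dc=example,dc=org
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=org
objectClass: organizationalUnit
ou: Groups

dn: ou=System Accounts,dc=example,dc=org
objectClass: organizationalUnit
ou: System Accounts

# One entry serves both Linux (posixAccount) and Samba (sambaSamAccount).
dn: uid=jdoe,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: Jane Doe
sn: Doe
uid: jdoe
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/jdoe
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-21002

# Machine (workstation trust) account: uid ends in "$", flag W.
dn: uid=ws01$,ou=System Accounts,dc=example,dc=org
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: ws01$
uid: ws01$
uidNumber: 20001
gidNumber: 20000
homeDirectory: /dev/null
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-41002
sambaAcctFlags: [W          ]

# sambaNTPassword / sambaLMPassword (omitted here) are password-equivalent:
# restrict read access to them with slapd ACLs, as for userPassword.
```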