
Re: Unix auth via LDAP & now need to add Samba!

From: Adam Williams6 <awilliam@whitemice.org>
Date: Tue, 30 Apr 2002 14:01:03 -0400 (EDT)

>I only have the root account in both passwd (shadow)
>and in LDAP. All other test 'user' accounts are in LDAP only.
>I created a test base dn "o=local" and used Padl's base, passwd &
>group migration scripts to build up the ldbm. I only keep the user
>accounts in LDAP under ou=People. All system accounts remain in the
>passwd file. All groups are in both the group file and LDAP under
>ou=Group.

Why? This duplicity certainly seems to defeat the purpose of LDAP.

I guess I should exclude the root account from LDAP and only keep 'normal' user accounts and their related group in LDAP, e.g. keep "bob" user & "bob" group, "fred" user & "fred" group in LDAP?

ldd /usr/sbin/smbd

Are the LDAP libraries in the list?

Thanks, I'll check on that tomorrow.

>Right from the start I want Samba to authenticate via LDAP against
>the existing People & Group ou's but am not sure how to integrate
>this.

You need to add sambaAccount objectclass and attributes to the appropriate objects, typically posixAccounts.

As you mentioned below, smbpasswd will automagically create them for me, right?

>I've read the info on samba.idealx.org and see, like Padl, that they
>also provide some migration scripts (smbldap-tools) and a
>sample "Initial Entries" LDIF that will setup various gids amongst
>other things.

Make sure you're not looking at something for Samba-TNG. 2.2.3a doesn't use the built-in entries.

The Idealx site refers to Samba not Samba-TNG

RedHat's authconfig tool sounds like it makes life a bit easier. Oh well, I'm running Mandrake :)

>The output from both Padl's and Idealx's migration scripts doesn't
>seem straightforward to combine. Also, I'm not sure whether it's
>worth adding an additional (Samba only) ou=Computers, as proposed by
>Idealx. Wouldn't it be simpler to just stick with only ou=People &
>ou=Group?

But computers aren't people (yet). You don't want nt01688$ showing up
when someone does a search for someone's e-mail address. Also chopping
them off into a separate tree makes it easier to create the ACLs, as the PDC needs full control of these guys, but shouldn't be able to remove your users, etc....

Well if you met some of the people I've met........Just kidding ;-)

"easier to create ACLs" sounds good to me. Ok, I'll add an ou=Computers.

>I could proceed by;
>a) manually adding Samba related objectClasses, etc. to the few test
>uid's under ou=People and adding necessary Samba groups to ou=Group
>or;
>b) delete my ldbm and start again using only Idealx's migration
>scripts or;
>c) another way suggested by you gurus ;-)

Get samba w/ldap up and running and do a smbpasswd fred, where fred is a posix user, and watch it magically add all the required attributes for you. And set the initial cifs password.

As long as I use the same uid(s) in Samba as there are in ou=People (originally users from passwd) and add [ ldap suffix = "ou=People,o=local" ] in smb.conf I don't need to manually add anything Samba related to LDAP, apart from creating ou=Computers?

WARNING: Extreme Newbie question coming =o) How does Samba know how to find and store computer accounts in ou=Computers ?

No reason to "do" anything other than run smbpasswd.

That's reassuring, really! I thought there was more to do, hehe.

>Also, is there a good resource to help with setting up correct ACL's >in slapd.conf for a Unix/Samba account authentication based OpenLDAP?

Good question.

How about a good, basic OpenLDAP 2.x ACL resource?

If I feel comfortable enough with ACL's in the future, I'll see if I can put together a mini-HowTo! Don't hold your breath though :)

Wish me luck!

Scrumpy :)

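A starting point for the slapd.conf ACL question raised at the end of the thread, as an added example that is not from this message, from Samba, or from Idealx. It assumes OpenLDAP 2.1 ACL syntax, the o=local tree with ou=People, ou=Group and ou=Computers discussed above, cn=samba,o=local as the DN Samba binds with (the smb.conf "ldap admin dn"), and the attribute names of Samba 2.2's samba.schema; check those names against your own schema file and substitute your DNs.

```conf
# Added example (not from the thread): slapd.conf ACLs for a Samba 2.2 +
# OpenLDAP 2.1 setup. Assumed DNs: o=local tree, cn=samba,o=local is the
# "ldap admin dn" Samba binds as. Clauses are matched top-down, first hit wins.

# Password hashes: nobody browses them. The entry itself and the Samba DN may
# set them, anonymous binds may only compare userPassword to authenticate.
access to dn.subtree="ou=People,o=local"
        attrs=userPassword,lmPassword,ntPassword
        by dn="cn=samba,o=local" write
        by self write
        by anonymous auth
        by * none

# The Samba DN maintains the sambaAccount bookkeeping on user entries
# (what smbpasswd fills in), but nothing else on them.
access to dn.subtree="ou=People,o=local"
        attrs=rid,primaryGroupID,acctFlags,pwdLastSet,pwdCanChange,pwdMustChange,logonTime,logoffTime,kickoffTime
        by dn="cn=samba,o=local" write
        by * read

# Remaining user attributes: the user edits their own, everyone reads.
# The Samba DN falls through to "read" here, so it cannot delete users.
access to dn.subtree="ou=People,o=local"
        by self write
        by * read

# Machine accounts live in their own subtree; only the Samba DN may create,
# change or remove the nt01688$-style entries, everyone else just reads.
access to dn.subtree="ou=Computers,o=local"
        by dn="cn=samba,o=local" write
        by * read

# POSIX groups are read-only for LDAP clients (managed by the admin out of band).
access to dn.subtree="ou=Group,o=local"
        by * read

# Catch-all for the rest of the tree.
access to *
        by * read
```

Because evaluation stops at the first matching clause, the password clause has to come before the general ou=People clause, otherwise "by * read" there would expose the hashes.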