[Date Prev][Date Next]
Re: Unix auth via LDAP & now need to add Samba!
>>>I only have the root account in both passwd (shadow)
>>>and in LDAP. All other test 'user' accounts are in LDAP only.
>>>I created a test base dn "o=local" and used Padl's base, passwd & >group
>>migration scripts to build up the ldbm. I only keep the user
>>>accounts in LDAP under ou=People. All system accounts remain in the
>>>passwd file. All groups are in both the group file and LDAP under
>>Why? This duplicity certainly seems to defeat the purpose of LDAP.
>I guess I should exclude the root account from LDAP and only keep 'normal'
>user accounts and their related group in LDAP eg. keep "bob" user & "bob"
>group, "fred" user & "fred" group in LDAP?
You real pain is going to come from the NT flat name space. With UN*X
user names and group names are seperate name spaces. I can have a group
fred and a user fred, the system knows them apart. With NT group name !=
user name, it is one unified name space. In the long run I actually
think the NT model for this is a better idea.
>>Are the LDAP libraries in the list?
>Thanks, I'll check on that tomorrow.
>> >Right from the start I want Samba to authenticate via LDAP against
>>the >existing People & Group ou's but am not sure how to integrate
>>this. > >You need to add sambaAccount objectclass and attributes to the
>appropriate >objects, typically posixAccounts.
>As you mentioned below, smbpasswd will automagically create them for me,
Works for me.
>>>I've read the info on samba.idealx.org and see, like Padl, that they
>>>also provide some migration scripts (smbldap-tools) and a >sample
>>"Initial Entries" LDIF that will setup various gids amongst >other things.
>>Make sure your not looking at something for Samba-TNG. 2.2.3a doesn't use
>>the built-ins entries.
>The Idealx site refers to Samba not Samba-TNG
>RedHat's authconfig tool sounds like it makes life a bit easier. Oh well,
>I'm running Mandrake :)
>> >The output from both Padl's and Idealx's migration scripts doesn't >seem
>>straightforward to combine. Also, I'm not sure whether it's >worth adding
>>an additional (Samba only) ou=Computers, as proposed by >Idealx. Wouldn't
>>it be simpler to just stick with only ou=People & >ou=Group?
>>But computers aren't people (yet). You don't want nt01688$ showing up
>>when someone does a search for someone's e-mail address. Also chopping
>>them off into a seperate tree makes it easier to create the ACLs, as the
>>PDC need full control of these guys, but shouldn't be able to remove your
>Well if you met some of the people I've met........Just kidding ;-)
Oh, I know.
>"easier to create ACLs" sounds good to me. Ok, I'll add an ou=Computers.
>>>I could proceed by;
>>>a) manually adding Samba related objectClasses, etc. to the few test
>>>uid's under ou=People and adding necessary Samba groups to ou=Group >or;
>>>b) delete my ldbm and start again using only Idealx's migration >scripts
>>or; > >c) another way suggested by you gurus ;-) > >Get samba w/ldap up
>and running and do a smbpasswd fred, where fred is a >posix user, and
>watch it magically add all the required attributes for you. > And set
>the initial cifs password.
>As long as I use the same uid(s) in Samba as there are in ou=People
>(originally users from passwd) and add [ ldap suffix = "ou=People,o=local" ]
>in smb.conf I don't need to manually add anything Samba related to LDAP,
>apart from creating ou=Computers?
"use the same uid(s) in Samba"? The uid attribute is the user name. You
can't use a 'different' uid for the same person. The objectclasses for
posixAccount and sambaAccount overlap.
>WARNING: Extreme Newbie question coming =o) How does Samba know how to find
>and store computer accounts in ou=Computers ?
>>No reason to "do" anything other than run smbpasswd.
You do have to create posixAccount objects for machine accounts, so that
smbpasswd finds something.
>That's reassuring, really! I thought there was more to do, hehe.
>>>Also, is there a good resource to help with setting up correct ACL's >in
>>slapd.conf for a Unix/Samba account authentication based OpenLDAP?
>How about a good, basic OpenLDAP 2.x ACL resource?
My LDAP presentation
covers this Samba 2.2.3a stuff too.
>If I feel comfortable enough with ACL's in the future, I'll see if I can
>put together a mini-HowTo! Don't hold your breath though :)
Ximian GNOME, Evolution, LTSP, and RedHat Linux + LVM & XFS