RE: 1.2.11 + Linux 2.4.4 grief
Hi, I suggest you use 2.0.8. Also I suggest that you use the latest snapshot
that mirco has provided on his howto site
(http://arena.sci.univr.it/~mami/tng-ldap/howto/howto.html), this is btw the
most up to date documentation on this. You will find a v3 schema either
under tng\ldap or tng\source\ldap (cannot remember).
Also, I attach a html document which tries to explain some of the things
surrounding users and groups and ldap (it ain't too easy, but when you know it,
it's hasslefree :) ).
I got some scripts I use to add machines and users (modified versions of
mirko's scripts); I can send them to you if you like.
Tarjei
> Configuration is: 900MHz Athlon, 256MB, Promise IDE RAID,
> 4x60GB storage (+ 20GB "boot" drive), dual Intel 10/100 Ethernet,
> Linux 2.4.4 (+ recent reiserfs nfsd patches to cure filesystem
> corruption problems), the four 60GB drives are striped using software
> RAID5 into one volume with LVM on top of that and reiserfs inside the
> logical volumes, base distribution is SuSE 7.1. I have my doubts about
> reiserfs in this scheme: is anyone running a similar setup
> successfully?
>
> Thanks.
>
> --
> James Macnicol
> jamesm@faceng.anu.edu.au
Samba - LDAP.
Understanding users and groups in samba-tng w/ LDAP.
This document tries to explain how samba-tng with ldap relates to and finds users and groups. It also tries to explain how you can make a single ldap entry for groups and users that works for both samba and linux-pam.
LDAP is steadily growing as a unified logon-system across networks for Linux. The newer (7.x) versions of redhat now support ldap-authentication already during the installation. As long as your system supports pam (most do), it is quite easy to install the modules by hand. You can download them from padl.com.
Now the question arises: What are the prerequisites for making a ldap group that works both as a pam-ldap->unix group and as a samba-tng windows group?
With the right setup (see the ldap-implementation howto as well as Mirco's howto on samba-tng and ldap) both tng and pam query the ldap server for the group and user info, so if the query returns the same answers, then you're done with the user and group problems that are a continuing problem with samba.
NOTE: It is important that you get the latest padl.com sources. At the time of writing that was pam-ldap 108 and nss-ldap 150.
I am not sure if it is needed, but I also added the following entries to the file /etc/ld.so.conf:
/usr/local/samba/lib (I'm using dual head)
/usr/local/tng/lib
and ran /sbin/ldconfig
Setup and Configuration of Samba-tng is described in two very nice howtos that you will find under the docs section on samba-tng.org. Mapping of users to the domain is here done via ldap queries. By using the pam-ldap and nss-ldap modules + the migration scripts from padl.com you can easily migrate users from your normal passwd file over to ldap.
Note however that samba-tng does not add the "normal" unix user info to the user that is created. Therefore it is not advisable to use the samedit commands to add users unless you are just using the users for a NT domain. If you want something more, then there are scripts made in perl that are made for ""
One of the strengths the samba-ldap solution has is that it makes it simple for you to use the info in different contexts. F.x. for integration with the excellent IMAP server Cyrus.
The user:
To make a LDAP user (i.e. an entry that the system thinks is a user):
dn: uid=arne,ou=Brukere,o=nu,c=no
logonTime: 00000000
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaAccount
userPassword: {crypt}pokpæokæpokæpokæpok
shadowLastChange: 11270
shadowWarning: 7
uid: arne
uidNumber: 1004
cn: arne
# if you do not want to give the user shell access, set loginShell to /bin/false
loginShell: /bin/bash
gidNumber: 1000
shadowMax: 99999
gecos: DST Student
homeDirectory: /home/arne
lmPassword: poewrkepwkrewprokew
The group:
A samba-tng group entry (here Domain Admins) contains:
objectClass: sambaGroup
# I'm not sure on this one, but I believe it should be there
objectClass: top
ntuid: Domain Admins
cn: Domain Admins
sambaMember: Administrator,1f4,1
The sambaMember attribute needs these values: sambaMember: userName,userRid,1
To add a user, you use the sambaMember attribute. "sambaMember" values have their own meaning (and their own syntax) which is not that of a DN. The "sambaMember" attribute contains a comma-separated list of values starting with the userName and followed by two codes, the userRid and a number between 1 and 5. This is from the source:
Username:  uint8 attr;     /* attributes forced to be set to 0x7: SE_GROUP_xxx */
UserRID:   uint32 rid;
Code:      uint8 sid_use;
Mostly you will set this code to 1. If you are joining a group to a group, then you must use the code 2. I do not know the meaning of the others. Thanks to Mirko for pointing this out.
Example:
sambaMember: tarjei,3ec,1
A complete samba-tng group would look something like this:
dn: cn=Domain Users,dc=sci,dc=univr,dc=it
objectClass: sambaGroup
objectClass: posixGroup
objectClass: top
ntuid: Domain Users
rid: 201
cn: Domain Users
gidNumber: 100
userPassword:
To add the user arne to the group you must add the following two attributes to the group:
memberUid: uid=arne,ou=People,o=nu,c=no
sambaMember: arne,3ec,1
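The sambaMember syntax described above and the Domain Users entry, checked by a small validator. This is an added example, not a script from the howto or from samba-tng; it assumes one LDIF entry per call and accepts memberUid either as a bare uid (as in RFC 2307) or as the DN form the howto writes.

```python
import re
# sambaMember syntax from the howto: userName,userRid(hex),code with code 1..5 (1 = user, 2 = nested group)
SAMBA_MEMBER_RE = re.compile(r"^([^,\s]+)\s*,\s*([0-9a-fA-F]+)\s*,\s*([1-5])$")

def parse_samba_member(value):
    """Return (userName, rid as int, code) or raise ValueError if malformed."""
    m = SAMBA_MEMBER_RE.match(value.strip())
    if not m:
        raise ValueError("bad sambaMember value: %r" % value)
    return m.group(1), int(m.group(2), 16), int(m.group(3))

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute (lower-cased): [values]}."""
    attrs = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def member_uid_name(value):
    """memberUid is a bare uid in RFC 2307, but the howto writes a DN; accept both."""
    m = re.match(r"uid=([^,]+)", value.strip(), re.IGNORECASE)
    return m.group(1).strip() if m else value.strip()

def check_group(ldif_text):
    """Return a list of problems; an empty list means the entry is consistent."""
    attrs = parse_ldif_entry(ldif_text)
    problems = []
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if not {"sambagroup", "posixgroup"} <= classes:
        problems.append("entry needs both objectClass sambaGroup and posixGroup")
    posix_members = {member_uid_name(v) for v in attrs.get("memberuid", [])}
    for raw in attrs.get("sambamember", []):
        try:
            name, _rid, code = parse_samba_member(raw)
        except ValueError as err:
            problems.append(str(err))
            continue
        # A user member (code 1) must also be a posix member, or tng and pam-ldap disagree.
        if code == 1 and name not in posix_members:
            problems.append("sambaMember %s has no matching memberUid" % name)
    return problems
SAMPLE_GROUP = """dn: cn=Domain Users,dc=sci,dc=univr,dc=it
objectClass: sambaGroup
objectClass: posixGroup
memberUid: uid=arne,ou=People,o=nu,c=no
sambaMember: arne,3ec,1
sambaMember: bob,3ed,7
"""  # constructed sample modelled on the howto's Domain Users entry (not real data)
```

Running check_group over a whole LDIF export before pointing tng and pam-ldap at it catches the mismatches that otherwise show up as users who exist for one side and not the other.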
A note on group membership in posix groups.
The pam-ldap package uses the combination of objectclass: posixGroup and memberUid for its members. Personally I used the directory administrator a lot. Therefore I've gotten used to using objectclass: groupOfUniqueNames and adding members with uniqueMember instead. For linux it's your choice. Both are just as good (well, see below). Just stick with one of them (no problem changing after migrating though).
Why use groupOfUniqueNames?
I noticed that someone on this list wrote directory admin (DA). DA uses objectClass=groupOfUniqueNames instead of (or on top of) objectclass=posixGroup while the padl migration scripts do not.
Manuel Amador writes:
the correct way, specified in rfc2307bis is groupofuniquenames, which contains DNs for "" members. That way, a directory hosting multiple users with colliding uid attributes won't be the source of operating system confusion when assigning file/process rights.
Adding machine accounts.
The samba machine accounts are added a bit differently than other accounts. I've changed a bit of mirko's script to make my own machineadd script.
There are two ways to join an NT domain.
1) Add the machine account to the PDC (in NT, run "Server Manager") with a default password (based on the name of the client machine). Then the client machine joins the domain by logging in with this default password and immediately changing it to something random.
2) Add the machine account on the PDC by logging in from the client as a domain administrator. (On NT this is the "create an account in the domain" option, and it asks for the admin user/password.) This is the better way since it is more secure -- there is no window of opportunity for a third party to use the domain services using the default (well-known) machine password before it is changed by the client.
My experience is:
To add a normal nt-workstation to your domain:
Use the script machineadd.pl (no, do not add $ at the end!!).
logon
To add another sambaserver, this approach did not work perfectly. Here's what to do:
1. ./machineadd.pl (as above)
2. ./samedit -S . -U Administrator
3. samuserset2 <servernetbiosname>$ -c U -s W
4. Start the server.
5. Try to login from another machine.
I'm also using this script to add machine-accounts to the domain ;) samuserset2 -c U -s W
samuserset2 SERVER$ -c U -s W
Other methods I've heard of:
sername -c D
You can use createuser $ -L to manually (method 1) add a machine to the domain.
Becoming administrator.
To be able to gain administrator privileges in the nt domain, you must do the following:
Add the user to the Domain Admins group by adding an entry like: sambaMember: Username, rid, 1
Change the user's gidNumber to 0 and grouprid to 200.
On Aliases.
[Tarjei Huse]
> What are the sambaaliases? How do they work internally? Are they
> different than the samba groups?
I don't know exactly how Samba treats these things, but an alias in NT
domain terminology is a "local group". It is valid only on a single
machine (or, in the case of a PDC/BDC, on every domain controller in
the same domain).
The other difference between aliases and groups (i.e. domain groups) is
that the members of a group must all be users in the same domain. The
members of an alias can be any user/group/alias on the local machine,
the local domain, or any trusted domain.
Implementation-wise, this means that the membership list of a group (as
opposed to that of an alias) can store RIDs rather than SIDs, since the
domain portion of each SID is constant. I don't know if either NT or
TNG makes use of this optimisation....
About windows and ldap-browsing.
To view and edit ldap entries in a win32 environment, I advise that you download both the ldap browser from softerra, at http://www.softerra.com/download/download.php3?sID= and the javabased browser found here:
A tip on ACLs:
Use this one in connection with a Domain Admins group which is working as a posix group as well (note I add members through Directory Admin at the moment, they do not use the same objectclass as pam-ldap, hence the syntax):
access to *
        by group/groupOfUniqueNames/uniqueMember="cn=Domain Admins,ou=NTGroups,o=nu,c=no" write
        by * none
access to dn="cn=Domain Admins,o=nu,c=no" by dnattr=member self write by * none
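The same ACL with the directives reordered, as an added example (not from the howto). slapd uses the first "access to" directive whose target matches and ignores the rest, so a leading "access to *" shadows the Domain Admins directive placed after it; the specific target has to come first. The DNs are the howto's own, and the howto's "by dnattr=member self write" is written here as the single valid clause "by dnattr=member write", which is my reading of its intent.

```conf
# Specific target first: slapd stops at the first "access to" whose <what> matches,
# so this directive is only reachable when it precedes the catch-all below.
access to dn="cn=Domain Admins,o=nu,c=no"
        by dnattr=member write
        by * none

# Catch-all last; anything placed after it would never be consulted.
access to *
        by group/groupOfUniqueNames/uniqueMember="cn=Domain Admins,ou=NTGroups,o=nu,c=no" write
        by * none
```

After changing ACL order, check the effect with a bind as an ordinary user (e.g. ldapsearch -x -D "uid=arne,ou=Brukere,o=nu,c=no" -W) before restarting the production slapd, since "by * none" on the catch-all also removes anonymous read for nss-ldap.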