[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Unix auth via LDAP & now need to add Samba!

To: ". ." <libogen@hotmail.com>
Subject: Re: Unix auth via LDAP & now need to add Samba!
From: Adam Williams6 <awilliam@whitemice.org>
Date: Tue, 30 Apr 2002 23:22:36 -0400 (EDT)
Cc: openldap-software@OpenLDAP.org
In-reply-to: <F973Clp38NdTyj6iZkx00001df1@hotmail.com>

>>>I only have the root account in both passwd (shadow)
>>>and in LDAP. All other test 'user' accounts are in LDAP only.
>>>I created a test base dn "o=local" and used Padl's base, passwd & >group 
>>migration scripts to build up the ldbm. I only keep the user
>>>accounts in LDAP under ou=People. All system accounts remain in the 
>>>passwd file. All groups are in both the group file and LDAP under 
>>>ou=Group.
>>Why?  This duplicity certainly seems to defeat the purpose of LDAP.
>I guess I should exclude the root account from LDAP and only keep 'normal' 
>user accounts and their related group in LDAP eg. keep "bob" user & "bob" 
>group, "fred" user & "fred" group in LDAP?

You real pain is going to come from the NT flat name space.  With UN*X 
user names and group names are seperate name spaces.  I can have a group 
fred and a user fred,  the system knows them apart.  With NT group name != 
user name,  it is one unified name space.  In the long run I actually 
think the NT model for this is a better idea.

>>ldd /usr/sbin/smbd
>>Are the LDAP libraries in the list?
>Thanks, I'll check on that tomorrow.
>> >Right from the start I want Samba to authenticate via LDAP against
>>the >existing People & Group ou's but am not sure how to integrate
>>this. > >You need to add sambaAccount objectclass and attributes to the
>appropriate >objects, typically posixAccounts.
>As you mentioned below, smbpasswd will automagically create them for me, 
>right?

Works for me.

>>>I've read the info on samba.idealx.org and see, like Padl, that they 
>>>also provide some migration scripts (smbldap-tools) and a >sample 
>>"Initial Entries" LDIF that will setup various gids amongst >other things.
>>Make sure your not looking at something for Samba-TNG.  2.2.3a doesn't use 
>>the built-ins entries.
>The Idealx site refers to Samba not Samba-TNG

Hmmm.

>RedHat's authconfig tool sounds like it makes life a bit easier. Oh well, 
>I'm running Mandrake :)
>> >The output from both Padl's and Idealx's migration scripts doesn't >seem 
>>straightforward to combine. Also, I'm not sure whether it's >worth adding 
>>an additional (Samba only) ou=Computers, as proposed by >Idealx. Wouldn't 
>>it be simpler to just stick with only ou=People & >ou=Group?
>>But computers aren't people (yet).  You don't want nt01688$ showing up
>>when someone does a search for someone's e-mail address.  Also chopping
>>them off into a seperate tree makes it easier to create the ACLs, as the 
>>PDC need full control of these guys,  but shouldn't be able to remove your 
>>users, etc....
>Well if you met some of the people I've met........Just kidding ;-)

Oh, I know.

>"easier to create ACLs" sounds good to me. Ok, I'll add an ou=Computers.
>>>I could proceed by;
>>>a) manually adding Samba related objectClasses, etc. to the few test 
>>>uid's under ou=People and adding necessary Samba groups to ou=Group >or;
>>>b) delete my ldbm and start again using only Idealx's migration >scripts 
>>or; > >c) another way suggested by you gurus ;-) > >Get samba w/ldap up
>and running and do a smbpasswd fred, where fred is a >posix user, and
>watch it magically add all the required attributes for you.  > And set
>the initial cifs password.
>As long as I use the same uid(s) in Samba as there are in ou=People 
>(originally users from passwd) and add [ ldap suffix = "ou=People,o=local" ] 
>in smb.conf I don't need to manually add anything Samba related to LDAP, 
>apart from creating ou=Computers?

"use the same uid(s) in Samba"?  The uid attribute is the user name.  You 
can't use a 'different' uid for the same person.  The objectclasses for 
posixAccount and sambaAccount overlap.

>WARNING: Extreme Newbie question coming =o) How does Samba know how to find 
>and store computer accounts in ou=Computers ?
>>No reason to "do" anything other than run smbpasswd.

You do have to create posixAccount objects for machine accounts,  so that 
smbpasswd finds something.

>That's reassuring, really! I thought there was more to do, hehe.
>>>Also, is there a good resource to help with setting up correct ACL's >in 
>>slapd.conf for a Unix/Samba account authentication based OpenLDAP?
>>Good question.
>How about a good, basic OpenLDAP 2.x ACL resource?

My LDAP presentation

ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf

covers this Samba 2.2.3a stuff too.

>If I feel comfortable enough with ACL's in the future, I'll see if I can
>put together a mini-HowTo! Don't hold your breath though :)

-- 
-----------------------------------------------------------
Ximian GNOME, Evolution, LTSP, and RedHat Linux + LVM & XFS
-----------------------------------------------------------

Prev by Date: Re: Unix auth via LDAP & now need to add Samba!
Next by Date: Userpassword check
Index(es):
- Chronological
- Thread