[Samba] Question on LDAP+Samba+PDC

Lance Rathbone l.rathbone at imb.uq.edu.au
Tue May 20 00:08:19 GMT 2003


>Hello again Lance!
>
>Well, let's see. I'm not exactly sure why the gidNumbers were 
>incorrect before. I did a few tests and then it started to work 
>correctly. That seems to be ok.

Good

>
>What's wrong with adding your users to secondary groups such as you 
>do on unix?
>You enforce meaning to that group by the way you assign members to it.
>dn: cn=groupname,ou=Groups,dc=courtesymortgage,dc=com
>objectClass: posixGroup
>cn: loanofficers
>gidNumber: 1003
>memberUid: jason
>memberUid: fred
>
>This is something I have thought about doing quite a bit recently. 
>However, I'm hoping that management will let me make the decisions 
>on how to design this.
>
>I think I may go this route. Just add the group to be under GROUPS, 
>then make people members of the groupname by issuing:
>
>smbldap-usermod.pl -G <groupname> <user>
>
>Should work ok.



>The only thing i've been thinking of doing is adding another OU 
>called devices. Inside there, i could put information on our 
>printers, servers etc.
>
>At this point, I would imagine it is about personal preference.
>
>Also, I remember asking you about creating a user that would be used 
>to join computers to the domain. Correct me if I'm wrong, but I 
>should create a username of my choice...

Yes - the user that is used to join computers to the domain just 
needs to have write access to the LDAP directory
e.g.
access to dn=".*,dc=courtesymortgage,dc=com" attr=userPassword
         by dn="cn=Manager,dc=courtesymortgage,dc=com" write
         by dn="uid=f.flintstone,ou=Users,dc=courtesymortgage,dc=com" write
         by self write
         by * auth

where f.flintstone is a valid user

>
>I think I have this right...let me show you:
>
># Administrators, Groups, courtesymortgage, com
>dn: cn=Administrators,ou=Groups,dc=courtesymortgage,dc=com
>objectClass: posixGroup
>gidNumber: 220
>cn: Administrators
>description: Windows Domain Members can administer the computer and Domain
>memberUid: ldapadmin
>
># ldapadmin, Users, courtesymortgage, com
>dn: uid=ldapadmin,ou=Users,dc=courtesymortgage,dc=com
>objectClass: inetOrgPerson
>objectClass: posixAccount
>cn: ldapadmin
>sn: ldapadmin
>uid: ldapadmin
>uidNumber: 1000
>gidNumber: 1002
>homeDirectory: /home/ldapadmin
>loginShell: /bin/bash
>gecos: System User
>description: System User
>
>ldapadmin to administer, added to the Administrators group. Then, I 
>add domain admin group = @Administrators in smb.conf
>
>
>My ACL in slapd.conf:
>
>access to dn=".*,dc=courtesymortgage,dc=com" attr=userPassword
>         by dn="cn=Manager,dc=courtesymortgage,dc=com" write
>         by self write
>         by * auth
>
>access to dn=".*,dc=courtesymortgage,dc=com"
>        by dn="uid=ldapadmin,ou=Users,dc=courtesymortgage,dc=com" write
>
>access to dn=".*,dc=courtesymortgage,dc=com" attr=mail
>         by dn="cn=Manager,dc=courtesymortgage,dc=com" write
>         by self write
>         by * read
>
>access to dn=".*,ou=People,dc=courtesymortgage,dc=com"
>         by * read
>
>access to dn=".*,dc=courtesymortgage,dc=com"
>         by self write
>         by * read
>
>Look good? Bad? horrible?
>
>Last question....you are from Australia? What part, if you don't mind me asking?
Brisbane, Queensland



>
>Thank you.
>
>Best,
>
>Jason
>At 08:20 AM 5/20/2003 +1000, you wrote:
>
>>>Hello Lance!
>>>
>>>Ok, let me answer a few questions:
>>>
>>>This is a problem - gidNumbers should be unique. Are you creating 
>>>these manually? Make sure they have different numbers. The IDEALX 
>>>scripts should create unique numbers.
>>>I am using the idealx scripts to create groups. I am not sure 
>>>exactly why the groups are not getting unique numbers....something 
>>>I misconfigured in smbldap_conf.pm ? I'm not sure exactly.
>>>
>>
>>I'm not sure what is happening here - In smbldap_conf.pm you just 
>>configure the starting gidNumber. The function called is group_add 
>>in smbldap_tools.pm. It seems strange that it is not giving you an 
>>error and not working.
>>
>>>
>>>If the group loanofficers is the primary group for the user then 
>>>that user's gidNumber needs to be set to loanofficers' gidNumber.
>>>In addition the memberUid of the group will contain the user's uid
>>>
>>>e.g
>>>dn: uid=f.flintstone,ou=Users,dc=courtesymortgage,dc=com
>>>uid: f.flintstone
>>>gidNumber: 1000
>>>
>>>dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
>>>objectClass: posixGroup
>>>cn: loanofficers
>>>gidNumber: 1000
>>>memberUid: f.bloggs
>>>memberUid: f.flintstone
>>>
>>>IDEALX have a script to add members to a group:
>>>smbldap-groupmod.pl -m f.flintstone loanofficers
>>>
>>>Here is a quick snip of my stuff:
>>>dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
>>>objectClass: posixGroup
>>>cn: loanofficers
>>>gidNumber: 1002
>>>memberUid: jason
>>>
>>>dn: uid=jason,ou=Users,dc=courtesymortgage,dc=com
>>>cn: jason
>>>sn: jason
>>>uid: jason
>>>uidNumber: 1000
>>>gidNumber: 1002
>>><snip>
>>>
>>>That looks about right, yes? Jason's GID number is the same as the 
>>>GID number for LoanOfficers.
>>>
>>
>>Looks good to me
>>
>>>
>>>Here is something that I have been curious about. It is in 
>>>relation to designing a LDAP directory. I picked up a few books on 
>>>LDAP this weekend and they are really explaining things that I 
>>>understand now...but here is something I wanted to ask:
>>>If you look at the DN for loanofficers and Jason:
>>>dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
>>>dn: uid=jason,ou=Users,dc=courtesymortgage,dc=com
>>>
>>>My question is this: Right now, my loanofficers has a cn (common name?)
>>>What if I wanted to setup my structure so that I have ou=Groups 
>>>and underneath it, I have my groups that I want? Here is an 
>>>example:
>>>dn: ou=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
>>>
>>>Then, I would place my "loanofficers" users in that leaf.
>>>Is that possible?
>>>Is that a good idea or a bad idea?
>>>
>>
>>I see what you are trying to do but I'm not sure - it does not look 
>>good to me. I would wait for more knowledgeable responses than mine.
>>
>>>
>>>I am trying to figure out the best way to manage and setup my users....
>>>
>>>Any suggestions there?
>>>
>>
>>What's wrong with adding your users to secondary groups such as you 
>>do on unix?
>>You enforce meaning to that group by the way you assign members to it.
>>dn: cn=groupname,ou=Groups,dc=courtesymortgage,dc=com
>>objectClass: posixGroup
>>cn: loanofficers
>>gidNumber: 1003
>>memberUid: jason
>>memberUid: fred
>>
>>>
>>>Thanks again.
>>>
>>>Cheers,
>>>
>>>Jason
>>>
>>>
>>>At 02:24 PM 5/19/2003 +1000, you wrote:
>>>
>>>>>Lance,
>>>>>
>>>>>I appreciate all your help. It has been great in helping me move 
>>>>>farther along as well as understand more.
>>>>>
>>>>>I've been working with the IDEALX scripts and they are working 
>>>>>great. However, I have a couple of questions I wanted to run by 
>>>>>you.
>>>>>
>>>>>As of now, I have ou's of: ou=Computers, ou=Users, ou=Groups
>>>>>I also have: cn=Domain Admins,ou=Groups
>>>>>	       cn=Domain Users,ou=Groups
>>>>>
>>>>>My question(s) are: If I want to create my own groups, for 
>>>>>example: Loan Officers and Loan Processors, I can do that no 
>>>>>problem. It creates it like so:
>>>>>          cn=loanofficers,ou=Groups
>>>>>
>>>>>Thus, if I had 4-5 groups, I could create them using the IDEALX 
>>>>>scripts. Simple enough.
>>>>>
>>>>>This is where i'm a bit lost. If I create a second group, 
>>>>>loanprocessors, it creates the following:
>>>>>
>>>>>cn=loanprocessors,ou=Groups   Which is correct. However, if I 
>>>>>compare the two of them, i'm confused in one spot:
>>>>>
>>>>># loanofficers, Groups, courtesymortgage, com
>>>>>dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
>>>>>objectClass: posixGroup
>>>>>cn: loanofficers
>>>>>gidNumber: 1000
>>>>>
>>>>># loanprocessors, Groups, courtesymortgage, com
>>>>>dn: cn=loanprocessors,ou=Groups,dc=courtesymortgage,dc=com
>>>>>objectClass: posixGroup
>>>>>cn: loanprocessors
>>>>>gidNumber: 1000
>>>>>
>>>>
>>>>This is a problem - gidNumbers should be unique. Are you creating 
>>>>these manually? Make sure they have different numbers. The 
>>>>IDEALX scripts should create unique numbers.
>>>>
>>>>>
>>>>>Being that they both have gidNumber's of 1000, is that going to 
>>>>>be a problem?
>>>>>Which leads to my next question. If I have a user, Jason, that 
>>>>>needs to be added to the group loanofficers, how can I do that 
>>>>>with the scripts? Is it even possible?
>>>>>
>>>>
>>>>If the group loanofficers is the primary group for the user then 
>>>>that user's gidNumber needs to be set to loanofficers' gidNumber.
>>>>In addition the memberUid of the group will contain the user's uid
>>>>
>>>>e.g
>>>>dn: uid=f.flintstone,ou=Users,dc=courtesymortgage,dc=com
>>>>uid: f.flintstone
>>>>gidNumber: 1000
>>>>
>>>>dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
>>>>objectClass: posixGroup
>>>>cn: loanofficers
>>>>gidNumber: 1000
>>>>memberUid: f.bloggs
>>>>memberUid: f.flintstone
>>>>
>>>>IDEALX have a script to add members to a group:
>>>>smbldap-groupmod.pl -m f.flintstone loanofficers
>>>>
>>>>
>>>>>
>>>>>I hope I'm not rambling. I've been struggling to find out what 
>>>>>the problem is and I have not been able to find any 
>>>>>documentation on this.
>>>>>
>>>>>Thanks for your help Lance,
>>>>>
>>>>>Cheers,
>>>>>
>>>>>Jason
>>>>>
>>>>>
>>>>>
>>>>>At 09:16 AM 5/16/2003 +1000, you wrote:
>>>>>
>>>>>>>Lance,
>>>>>>>
>>>>>>>Thanks for your help. I do appreciate it.
>>>>>>>
>>>>>>>I have been reviewing the documentation that you sent as well 
>>>>>>>as the scripts from idealx. I still have a lot of questions 
>>>>>>>and testing to do.
>>>>>>>
>>>>>>>If you don't mind me asking you a couple more questions, I'd 
>>>>>>>love to hear your advice.
>>>>>>>
>>>>>>>Are you coming from unix? Have you tried them?
>>>>>>>The actual server I am working on is brand new. Nothing on it. 
>>>>>>>All of our users use Win2k Pro computers and we are setup in a 
>>>>>>>workgroup environment. They will all be joining the Samba PDC
>>>>>>>
>>>>>>>"
>>>>>>>
>>>>>>>This is what I currently have. I am trying to figure out how 
>>>>>>>to add the users and their machines to the PDC. I've tried 
>>>>>>>using the smbldap-adduser.pl script to add users to the PDC, 
>>>>>>>and it seems to work. However, I do not get the response that 
>>>>>>>it has been added. But if I do a search, it is added.
>>>>>>>
>>>>>>
>>>>>>When I add a machine like that it doesn't come back with a 
>>>>>>response either, but what you really want to happen is to join 
>>>>>>the domain automatically. This is in the line
>>>>>>add user script = /usr/local/sbin/smbldap-useradd.pl -w %u
>>>>>>
>>>>>>To test this out go to a machine (windows client) that doesn't 
>>>>>>have an LDAP account - delete an existing account if necessary 
>>>>>>- and try to join the domain from the windows client. You will 
>>>>>>be prompted for a username and password. (This is your LDAP 
>>>>>>"root" user with write access to the LDAP directory.)
>>>>>>Then it will try to join the domain. My machines take 20-30 
>>>>>>seconds then come back with something about 'welcome to domain'.
>>>>>>If it takes 3-4 minutes it hasn't worked!
>>>>>>
>>>>>>
>>>>>>


-- 
=====================================

Lance Rathbone BSc MCompStud
Senior IT Officer
Institute for Molecular Bioscience
Queensland Bioscience Precinct
Bldg 80, Services Road
The University of Queensland
St Lucia Qld 4072
AUSTRALIA


Tel    +61 7 3346 2205
http://www.imb.uq.edu.au
=====================================
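The slapd.conf access lists in the thread above (Lance's snippet for the join user and Jason's full ACL) stand or fall on ordering: slapd uses the first `access to` directive whose target matches the entry and attribute, then the first `by` clause in that directive which matches the requester, and never looks at the directives that follow. The Python model below is added here as an example; it is not code from this thread, from OpenLDAP or from Samba. It encodes that first-match rule and runs Jason's ACL as posted, a reordered version with the catch-all directive last, and a further version in which `by self write` is confined to userPassword, against the DNs the thread uses (cn=Manager, uid=ldapadmin, uid=jason, uid=fred). Two simplifications are assumptions rather than OpenLDAP's exact behaviour: dn patterns are matched as full regexes, and a request that no directive covers is denied.

```python
"""Model of how slapd evaluates slapd.conf access directives (first match wins).

Added example, not code from this thread, from OpenLDAP or from Samba.  It
models only the documented first-match rule: directives are tried in order,
the first whose 'to' clause matches the entry/attribute is used, and within
it the first matching 'by' clause fixes the access level; no matching 'by'
means denied.  Assumed here: dn patterns are full-match regexes and a request
no directive covers is denied.  Real slapd has more <who> forms and levels.
"""
import re

LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}


def parse_acl(text):
    """Parse 'access to dn="<regex>" [attr=<list>]' blocks and their 'by' lines."""
    rules = []
    for chunk in re.split(r"(?m)^\s*access\s+to\s+", text):
        if not chunk.strip():
            continue
        head, *by_lines = chunk.strip().splitlines()
        m = re.fullmatch(r'dn="([^"]*)"(?:\s+attrs?=([\w,]+))?', head.strip())
        if not m:
            raise ValueError("unsupported 'to' clause: " + head)
        attrs = {a.lower() for a in m.group(2).split(",")} if m.group(2) else None
        by = []
        for line in by_lines:
            w = re.fullmatch(r'by\s+(\*|self|anonymous|users|dn="[^"]*")\s+(\w+)', line.strip())
            if not w:
                raise ValueError("unsupported 'by' clause: " + line)
            by.append((w.group(1), LEVELS[w.group(2)]))
        rules.append((re.compile(m.group(1), re.I), attrs, by))
    return rules


def allowed(rules, bind_dn, target_dn, attr, requested):
    """True if bind_dn (None = anonymous) may do `requested` on attr of target_dn."""
    for dn_re, attrs, by in rules:
        if not dn_re.fullmatch(target_dn) or (attrs is not None and attr.lower() not in attrs):
            continue
        for who, level in by:
            if who == "*":
                hit = True
            elif who == "anonymous":
                hit = bind_dn is None
            elif who == "users":
                hit = bind_dn is not None
            elif who == "self":
                hit = bind_dn is not None and bind_dn.lower() == target_dn.lower()
            else:  # dn="<regex>"
                hit = bind_dn is not None and re.fullmatch(who[4:-1], bind_dn, re.I) is not None
            if hit:
                return level >= LEVELS[requested]  # first matching 'by' decides
        return False  # directive matched but no 'by' clause did: denied
    return False  # assumption: no directive matched -> denied


BASE = "dc=courtesymortgage,dc=com"
MANAGER, LDAPADMIN = f"cn=Manager,{BASE}", f"uid=ldapadmin,ou=Users,{BASE}"
JASON, FRED = f"uid=jason,ou=Users,{BASE}", f"uid=fred,ou=Users,{BASE}"

# The ACL as posted.  Its second directive matches every entry and attribute
# and names only ldapadmin, so for anything but userPassword evaluation stops
# there; the mail, ou=People and catch-all directives below it are never reached.
POSTED = f"""
access to dn=".*,{BASE}" attr=userPassword
         by dn="{MANAGER}" write
         by self write
         by * auth
access to dn=".*,{BASE}"
         by dn="{LDAPADMIN}" write
access to dn=".*,{BASE}" attr=mail
         by dn="{MANAGER}" write
         by self write
         by * read
access to dn=".*,ou=People,{BASE}"
         by * read
access to dn=".*,{BASE}"
         by self write
         by * read
"""

# What the posted ACL seems to intend: catch-all last, and ldapadmin (the
# join user) able to set userPassword.  Users can now read, but 'by self
# write' on the catch-all lets any user rewrite his own uidNumber and
# gidNumber, i.e. choose his own Unix identity and primary group.
REORDERED = f"""
access to dn=".*,{BASE}" attr=userPassword
         by dn="{MANAGER}" write
         by dn="{LDAPADMIN}" write
         by self write
         by * auth
access to dn=".*,{BASE}"
         by dn="{MANAGER}" write
         by dn="{LDAPADMIN}" write
         by self write
         by * read
"""

# Same, with the catch-all's 'by self write' removed: users may still change
# their own password, nothing else.
HARDENED = REORDERED.replace("         by self write\n         by * read", "         by * read")


def checks(acl_text):
    """The questions to ask of each ACL, as {question: allowed}."""
    r = parse_acl(acl_text)
    return {
        "jason reads fred's mail": allowed(r, JASON, FRED, "mail", "read"),
        "anonymous can bind (auth on userPassword)": allowed(r, None, JASON, "userPassword", "auth"),
        "anonymous reads userPassword": allowed(r, None, JASON, "userPassword", "read"),
        "jason changes own password": allowed(r, JASON, JASON, "userPassword", "write"),
        "jason rewrites own gidNumber": allowed(r, JASON, JASON, "gidNumber", "write"),
        "ldapadmin sets fred's password": allowed(r, LDAPADMIN, FRED, "userPassword", "write"),
    }


if __name__ == "__main__":
    for name, acl in ("posted", POSTED), ("reordered", REORDERED), ("hardened", HARDENED):
        print(name, checks(acl))
```

Running it prints one result table per ACL. With the posted ordering ordinary users cannot even read other entries, because the unrestricted ldapadmin directive in second place catches every request that is not for userPassword; the reordered version fixes that but lets any user rewrite his own uidNumber and gidNumber; the last version keeps self-service writes to userPassword only. The thread does not show the Samba password-hash attributes (lmPassword and ntPassword with the Samba 2.2 schema, sambaLMPassword and sambaNTPassword with Samba 3); they need at least the same protection as userPassword, with read access only for the DN Samba binds as.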


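The duplicate gidNumber, the primary-group bookkeeping (user's gidNumber equal to the group's, uid listed in memberUid) and hand-typed LDIF whose RDN disagrees with the entry's cn or uid are the kind of drift an ldapsearch dump should be checked for before the PDC goes live: on the Unix side two groups with one gidNumber are a single group, and a user whose gidNumber names no group has no resolvable primary group. The audit below is added here as an example; it is not code from this thread or from the IDEALX smbldap-tools, and the LDIF it runs on is a constructed sample shaped like the thread's entries, with those defects put in on purpose.

```python
"""Consistency audit for posixGroup / posixAccount entries in an LDIF dump.

Added example, not code from this thread or from the IDEALX smbldap-tools.
It reports: two groups sharing a gidNumber, two users sharing a uidNumber,
a primary gidNumber that names no group, a memberUid that names no user,
and an entry whose RDN disagrees with its cn or uid attribute.  Input is
plain LDIF as printed by ldapsearch; folded lines and base64 (::) values
are handled, nothing more exotic is.
"""
import base64


def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})] for each entry in the text."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, attrs, dn = [], {}, None
    for line in lines + [""]:                      # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            attrs, dn = {}, None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if value.startswith(":"):                  # 'attr:: base64value'
            value = base64.b64decode(value[1:].strip()).decode()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def audit(text):
    """Return a list of findings (strings); an empty list means the dump is consistent."""
    findings, groups, users = [], [], {}
    for dn, a in parse_ldif(text):
        rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
        rdn_attr, rdn_value = rdn_attr.strip().lower(), rdn_value.strip()
        if rdn_attr in ("cn", "uid"):
            if rdn_value.lower() not in [v.lower() for v in a.get(rdn_attr, [])]:
                findings.append(f"{dn}: RDN is {rdn_attr}={rdn_value} "
                                f"but the entry's {rdn_attr} is {a.get(rdn_attr)}")
        classes = {c.lower() for c in a.get("objectclass", [])}
        if "posixgroup" in classes:
            groups.append((dn, a["gidnumber"][0], a.get("memberuid", [])))
        if "posixaccount" in classes:
            users[a["uid"][0]] = (dn, a["uidnumber"][0], a["gidnumber"][0])

    gid_owner = {}                                  # gidNumber -> first group seen with it
    for dn, gid, _ in groups:
        if gid in gid_owner:
            findings.append(f"gidNumber {gid} is shared by {gid_owner[gid]} and {dn}")
        gid_owner.setdefault(gid, dn)
    uid_owner = {}
    for dn, uidnum, gid in users.values():
        if uidnum in uid_owner:
            findings.append(f"uidNumber {uidnum} is shared by {uid_owner[uidnum]} and {dn}")
        uid_owner.setdefault(uidnum, dn)
        if gid not in gid_owner:
            findings.append(f"{dn}: primary gidNumber {gid} matches no posixGroup")
    for dn, _, members in groups:
        for member in members:
            if member not in users:
                findings.append(f"{dn}: memberUid {member} matches no posixAccount")
    return findings


# Constructed sample in the shape of the entries posted in the thread.  It
# deliberately has two groups with gidNumber 1000, a user whose uid attribute
# is misspelt relative to the RDN, and a user whose primary group does not exist.
SAMPLE_LDIF = """\
dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
objectClass: posixGroup
cn: loanofficers
gidNumber: 1000
memberUid: jason
memberUid: f.flintstone

dn: cn=loanprocessors,ou=Groups,dc=courtesymortgage,dc=com
objectClass: posixGroup
cn: loanprocessors
gidNumber: 1000

dn: uid=jason,ou=Users,dc=courtesymortgage,dc=com
objectClass: posixAccount
cn: jason
uid: jason
uidNumber: 1000
gidNumber: 1002

dn: uid=f.flintstone,ou=Users,dc=courtesymortgage,dc=com
objectClass: posixAccount
cn: f.flintstone
uid: f.flinstone
uidNumber: 1001
gidNumber: 1000
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF) or ["no problems found"]:
        print(finding)
```

For a real directory, pipe the output of `ldapsearch -x -b dc=courtesymortgage,dc=com` into audit(); ldapsearch folds long lines and base64-encodes some values, both of which parse_ldif unfolds. The membership check is deliberately strict about spelling, since a memberUid that does not match any uid attribute exactly is silently ignored by group lookups.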