[Samba] user entries in LDAP, group mapping (samba 3.0alpha cvs - LDAP)
Tom Van Overschelde
vanovers at hotmail.com
Tue Mar 4 17:25:25 GMT 2003
Hello everybody,
I'm experimenting with samba 3.0 but something is not very clear to me,
especially the user entries in the OpenLDAP server.
On my samba server, I configured NSS_LDAP to look up passwd, group and shadow
entries.
Now I have to add some entries to my LDAP: uid=Administrator and uid=nobody.
According to
http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html a user with uidNumber
0 should also be present in the ldap.
I decided to add
uid: Administrator
uidNumber: 0
gidNumber: 0
primaryGroupID: 512
(..)
uid: nobody
uidNumber: 65534
gidNumber: 65534
primaryGroupID: 514
(...)
I mapped the 'nogroup' group (under debian gid 65534) with smbgroupedit, so
I think the "guest" stuff is ok, but what about the Administrator entry? Is
it safe to create such an entry with uidNumber and gidNumber 0? Or do I
have to create another entry?
My intention is to use Administrator as a domain admin with all user rights.
Must this user have uidNumber 0? Probably I have to create an extra group in
LDAP (ex. domadmin) and map this GROUP to RID 512, but which gidNumber must
this group have (also gidNumber 0?)?
Because I have 2 entries with uid=0 (root in /etc/passwd and
uid=Administrator in ldap via NSS), sometimes 'su' doesn't work on my linux
server; I get "pam_authenticate: Authentication service cannot retrieve
authentication info". Note, I don't have PAM configured to use LDAP.
Also, creating user entries as Administrator with NT USRMGR gives an error.
Does somebody have some advice for me? A working example (LDAP entries (users +
groups?))?
Thanx for your answers!!
Tom Van Overschelde
/etc/nsswitch.conf :
--------------
passwd: compat ldap
group: compat ldap
shadow: compat ldap
(...)
--------------
I've imported the following in my LDAP :
-----------------------------------------------------------
dn: uid=Administrator, ou=People, o=hogent,c=be
logonTime: 0
objectClass: sambaAccount
objectClass: posixAccount
lmPassword: 2ACFE0DCD4F90C9728D41
primaryGroupID: 512
acctFlags: [U ]
userPassword:: e1NTSEF9S05lbXBPaVQxZVI
uid: Administrator
uidNumber: 0
cn: Administrator
loginShell: /dev/null
logoffTime: 0
gidNumber: 0
kickoffTime: 0
pwdLastSet: 1046643900
rid: 500
gecos: Samba Admin
description: Domain Administrator
homeDirectory: /home/administrator
pwdCanChange: 1
pwdMustChange: 1048458300
ntPassword: 8A05EB5942D5E619D9EA6

dn: uid=nobody, ou=People, o=hogent,c=be
logonTime: 0
displayName: Nobody
objectClass: sambaAccount
objectClass: posixAccount
primaryGroupID: 514
acctFlags: [NU ]
userPassword:: e1NTSEF9cG9HdXF3W
uid: nobody
uidNumber: 65534
cn: Nobody
loginShell: /dev/null
logoffTime: 2147483647
gidNumber: 65534
kickoffTime: 2147483647
pwdLastSet: 1046644586
rid: 501
gecos: Nobody or Guest
description: Domain Guest
homeDirectory: /dev/null
pwdCanChange: 0
pwdMustChange: 1048458986
-----------------------------------------------------------
My current configuration:
-----------------------------------------------------------
/usr/local/samba/bin/testparm
Load smb config files from /usr/local/samba/lib/smb.conf
Processing section "[homes]"
Processing section "[temp]"
Processing section "[printers]"
Processing section "[Netlogon]"
Processing section "[Profile]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
# Global parameters
[global]
unix charset = "CP850"
workgroup = LOKAALNETWERK
server string = %h server (Samba %v)
map to guest = Bad User
null passwords = Yes
passdb backend = ldapsam:ldap://enterprise.lokaalnetwerk.thuis
log level = 1
log file = /var/log/samba/log.%m
max log size = 1000
time server = Yes
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
load printers = No
add user script = /usr/local/sbin/smbldap-useradd.pl -a %U
delete user script = /usr/local/sbin/smbldap-userdel.pl -r %U
add machine script = /usr/local/sbin/smbldap-useradd.pl -w -g machines %u
logon script = logon.bat
logon path = \\%N\profile\%U
logon drive = X:
domain logons = Yes
os level = 255
preferred master = Yes
domain master = Yes
wins support = Yes
ldap suffix = o=hogent,c=be
ldap machine suffix = ou=Computers,o=hogent,c=be
ldap user suffix = ou=People,o=hogent,c=be
ldap admin dn = "cn=Manager,o=hogent,c=be"
ldap passwd sync = Yes
lock dir = /var/run/samba
socket address = 192.168.1.1 127.0.0.1
invalid users = root
[homes]
comment = Home Directories
read only = No
create mask = 0600
directory mask = 0700
browseable = No
[temp]
comment = Temporary disk space
path = /tmp
read only = No
guest ok = Yes
[printers]
comment = All Printers
path = /tmp
create mask = 0600
printable = Yes
browseable = No
[Netlogon]
path = /home/samba/netlogon
browseable = No
locking = No
[Profile]
comment = %u's roaming profile
path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
browseable = No
locking = No
-----------------------------------------------------------
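One way to spot the uid 0 collision described in the post before NSS exposes it (an added example, not code from the poster or from Samba): parse an LDIF export of the posixAccount entries and compare them against the accounts /etc/passwd already serves. The LDIF and the local account table below are constructed samples modelled on the entries posted.

```python
# Constructed sample in the shape of the two entries posted (hashes omitted).
SAMPLE_LDIF = """\
dn: uid=Administrator, ou=People, o=hogent,c=be
objectClass: sambaAccount
objectClass: posixAccount
uid: Administrator
uidNumber: 0
gidNumber: 0
primaryGroupID: 512

dn: uid=nobody, ou=People, o=hogent,c=be
objectClass: sambaAccount
objectClass: posixAccount
uid: nobody
uidNumber: 65534
gidNumber: 65534
primaryGroupID: 514
"""

# Accounts NSS already serves from /etc/passwd (constructed, Debian-like).
LOCAL_PASSWD = {"root": 0, "nobody": 65534}

def parse_ldif(text):
    """Split LDIF into blank-line separated entries; attributes become lists."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(":")
        # '::' marks a base64 value; the marker is stripped, the value kept as-is
        cur.setdefault(key, []).append(val.lstrip(": "))
    return entries + ([cur] if cur else [])

def find_collisions(entries, local_passwd):
    """Return (uid, reason) pairs for LDAP posixAccounts that clash with local ones."""
    findings = []
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        name, uid = e["uid"][0], int(e["uidNumber"][0])
        if name in local_passwd:
            findings.append((name, "name also defined in /etc/passwd"))
        for other, ouid in local_passwd.items():
            if ouid == uid and other != name:
                findings.append((name, f"uidNumber {uid} shared with local '{other}'"))
        if uid == 0:
            findings.append((name, "uidNumber 0 is root on the Unix side"))
    return findings
```

Run against a real export (`ldapsearch -LLL`) and the local passwd file, the same checks show which entries NSS would merge into a second root.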