[Samba] Question on LDAP+Samba+PDC

[Jason Williams]

Hello everyone.

Well, I have been working very hard lately, trying to get a server up to 
act as our Samba PDC with LDAP. So far, everything seems to be working 
well. I've been able to get samba 2.2.8 and openldap 2.0.27 installed with 
no problems. I've setup my config files (ldap.conf, slapd.conf, smb.conf) 
as well as added some initial entries to the LDAP directory.

I've been able to add a user to the directory and set the password for that 
user.

This is where I wanted to ask some questions:

Now, let me try and explain what I want to do:

As it is now, our network is setup in a workgroup, with 30+ users. I want 
all of our users to be able to join the Domain/Samba PDC. They will not be 
using roaming profiles, just login to their workstation into the Domain.

What I am trying to understand is the best way to go about adding my users 
to the domain as well as authenticating against the domain. It may seem 
vague, but im a little confused here myself.

I thought i'd post some of my initial entries and go from there. Here goes:

# mycompany, com
dn: dc=mycompany,dc=com
objectClass: top
objectClass: domain
dc: mycompany
description: mycompany comanization

# Groups, mycompany, com
dn: ou=Groups,dc=mycompany,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups
description: System Groups

# Users, mycompany, com
dn: ou=Users,dc=mycompany,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Users
description: Users of the comanization

# Computers, mycompany, com
dn: ou=Computers,dc=mycompany,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Computers
description: Windows Domain Computers

# Domain Admins, Groups, mycompany, com
dn: cn=Domain Admins,ou=Groups,dc=mycompany,dc=com
objectClass: posixGroup
gidNumber: 200
cn: Domain Admins
memberUid: administrator
description: Windows Domain users

# Domain Users, Groups, mycompany, com
dn: cn=Domain Users,ou=Groups,dc=mycompany,dc=com
objectClass: posixGroup
gidNumber: 201
cn: Domain Users
description: Windows Domain Users

# Administrators, Groups, mycompany, com
dn: cn=Administrators,ou=Groups,dc=mycompany,dc=com
objectClass: posixGroup
gidNumber: 220
cn: Administrators
description: Windows Domain Members can administer the computer and Domain

That is just some initial entries. Here is what I have questions about:

I am going to have about 3-4 groups. For instance, officers, processors and 
admin.
Now, I need to add my users to the PDC. From what I have read, not only do 
I need to add my users to the PDC, but a machine/computer account as well, 
correct?

So, my question is what is the best way to add my users to the PDC and 
their machine accounts?

Secondly, as you can see in my LDAP directory above, I have some initial 
entires. I am unclear as how to add my users to the server and LDAP and 
make sure they go into the correct group and correct part of the LDAP 
Directory. That make sense? For example, if I have a user named Todd that 
needs to go into the group "officers" how would I go about doing that?

Lastly, (for now :) ) when I go around to my Windows 2000 workstations to 
have my users join the domain, from some prior testing, once I change it 
from a workgroup to a domain, a username and password box will pop up. What 
username and password must I use here? Is it what I have specified in my 
slapd.conf and smb.conf: "cn=Manager,dc=company,dc=com"

I appreciate everyone's help.

Thank you!
Best,

Jason