[Samba] Question on LDAP+Samba+PDC
l.rathbone at imb.uq.edu.au
Thu May 15 22:20:52 GMT 2003
Lance Rathbone wrote:
>> Hello everyone.
>> Well, I have been working very hard lately, trying to get a server up
>> to act as our Samba PDC with LDAP. So far, everything seems to be
>> working well. I've been able to get samba 2.2.8 and openldap 2.0.27
>> installed with no problems. I've setup my config files (ldap.conf,
>> slapd.conf, smb.conf) as well as added some initial entries to the
>> LDAP directory.
>> I've been able to add a user to the directory and set the password
>> for that user.
>> This is where I wanted to ask some questions:
>> Now, let me try and explain what I want to do:
>> As it is now, our network is setup in a workgroup, with 30+ users. I
>> want all of our users to be able to join the Domain/Samba PDC. They
>> will not be using roaming profiles, just login to their workstation
>> into the Domain.
>> What I am trying to understand is the best way to go about adding my
>> users to the domain as well as authenticating against the domain. It
>> may seem vague, but I'm a little confused here myself.
>> I thought I'd post some of my initial entries and go from there. Here
>> That is just some initial entries. Here is what I have questions about:
>> I am going to have about 3-4 groups. For instance, officers,
>> processors and admin.
>> Now, I need to add my users to the PDC. From what I have read, not
>> only do I need to add my users to the PDC, but a machine/computer
>> account as well, correct?
>> So, my question is what is the best way to add my users to the PDC
>> and their machine accounts?
There are tools provided by PADL that simplify exporting user accounts
from unix to LDAP - Are you coming from unix? have you tried them?
I found that machine accounts are best added automatically using the
scripts from IDEALX. (I have just been through this - some of my notes
are at http://research.imb.uq.edu.au/~l.rathbone/ldap/samba_pdc.shtml. I
have used a different ldap schema from you but the principles apply.
Note specifically the line in smb.conf
add user script = /usr/local/sbin/smbldap-useradd.pl -w %u
and the note at the bottom of the page.
>> Secondly, as you can see in my LDAP directory above, I have some
>> initial entries. I am unclear as how to add my users to the server
>> and LDAP and make sure they go into the correct group and correct
>> part of the LDAP Directory. That make sense? For example, if I have a
>> user named Todd that needs to go into the group "officers" how would
>> I go about doing that?
A user only has their primary gid recorded in their LDAP record. So you
need to know the gidNumber of that person's primary group and assign it
to them. Group membership is held in the group record.
cn: Bob Wise
My group records look like this (and they seem to work)
>> Lastly, (for now :) ) when I go around to my Windows 2000
>> workstations to have my users join the domain, from some prior
>> testing, once I change it from a workgroup to a domain, a username
>> and password box will pop up. What username and password must I use
>> here? Is it what I have specified in my slapd.conf and smb.conf:
No - you need to set up a normal user account in LDAP, something like
"uid=root, ou=Users,dc=mycompany,dc=com" then give this user the same
ACL privileges as "cn=Manager,dc=company,dc=com" (usually in
access to dn=".*,dc=company,dc=com"
by dn="uid=root, ou=Users,dc=mycompany,dc=com" write
Then when prompted to join the domain, the user name would be "root" and
the password is whatever you gave that root user.
>> I appreciate everyone's help.
>> Thank you!
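The reply above makes two points that are easy to get wrong when hand-editing a directory: a user's primary group is only the gidNumber on the user record, while membership itself lives on the group record (memberUid). The following is an added example, not code from the original post or from the IDEALX/PADL tools it mentions; it parses a small constructed LDIF (made-up base dc=mycompany,dc=com, uids todd/bob, groups officers/processors) and reports users whose gidNumber matches no group and memberUid values that name no existing user, which is the check you would want to run before pointing a PDC at the directory.

```python
"""Consistency check for posixAccount / posixGroup entries.

Constructed example (not from the mailing-list post). The LDIF below is
made up: base dc=mycompany,dc=com, users todd and bob, groups officers
and processors. bob and the memberUid 'alice' are deliberately wrong so
the check has something to find.
"""

from collections import defaultdict

# Constructed sample directory content, not anyone's real entries.
SAMPLE_LDIF = """\
dn: uid=todd,ou=Users,dc=mycompany,dc=com
objectClass: posixAccount
uid: todd
uidNumber: 1001
gidNumber: 2001
homeDirectory: /home/todd

dn: uid=bob,ou=Users,dc=mycompany,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 2999
homeDirectory: /home/bob

dn: cn=officers,ou=Groups,dc=mycompany,dc=com
objectClass: posixGroup
cn: officers
gidNumber: 2001
memberUid: todd
memberUid: alice

dn: cn=processors,ou=Groups,dc=mycompany,dc=com
objectClass: posixGroup
cn: processors
gidNumber: 2002
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attribute: [values]} dicts.

    Supports blank-line separated entries, repeated (multi-valued)
    attributes and continuation lines that start with a space. Base64
    values (attr::) and change records are not needed here and are
    not handled.
    """
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]      # folded line
            continue
        if not raw.strip():                        # entry separator
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        attr, _, value = raw.partition(":")        # split at first colon only
        if current is None:
            current = defaultdict(list)
        last_attr = attr.strip()
        current[last_attr].append(value.strip())
    if current:
        entries.append(current)
    return [dict(e) for e in entries]


def check_groups(text):
    """Return a sorted list of problems in the user/group records."""
    entries = parse_ldif(text)
    users = {e["uid"][0]: e for e in entries
             if "posixAccount" in e.get("objectClass", [])}
    groups = {e["gidNumber"][0]: e for e in entries
              if "posixGroup" in e.get("objectClass", [])}
    problems = []
    for uid, u in users.items():
        gid = u.get("gidNumber", [None])[0]
        if gid not in groups:
            problems.append(
                f"user {uid}: primary gidNumber {gid} matches no posixGroup")
    for g in groups.values():
        for member in g.get("memberUid", []):
            if member not in users:
                problems.append(
                    f"group {g['cn'][0]}: memberUid {member} is not a known user")
    return sorted(problems)


def primary_group(text, uid):
    """Resolve uid's primary group name via gidNumber, or None if unresolved."""
    entries = parse_ldif(text)
    gid = next((e["gidNumber"][0] for e in entries
                if e.get("uid", [None])[0] == uid), None)
    return next((e["cn"][0] for e in entries
                 if "posixGroup" in e.get("objectClass", [])
                 and e["gidNumber"][0] == gid), None)


if __name__ == "__main__":
    for line in check_groups(SAMPLE_LDIF):
        print(line)
    print("todd's primary group:", primary_group(SAMPLE_LDIF, "todd"))
```

Run it against an export of your own ou=Users and ou=Groups subtrees (ldapsearch output is LDIF) after running the add user script; an empty result means every user resolves to a group and every memberUid names a real account.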