[Samba] Question on LDAP+Samba+PDC

Lance Rathbone l.rathbone at imb.uq.edu.au
Thu May 15 22:20:52 GMT 2003

Lance Rathbone wrote:

>> Hello everyone.
>> Well, I have been working very hard lately, trying to get a server up 
>> to act as our Samba PDC with LDAP. So far, everything seems to be 
>> working well. I've been able to get samba 2.2.8 and openldap 2.0.27 
>> installed with no problems. I've setup my config files (ldap.conf, 
>> slapd.conf, smb.conf) as well as added some initial entries to the 
>> LDAP directory.
>> I've been able to add a user to the directory and set the password 
>> for that user.
>> This is where I wanted to ask some questions:
>> Now, let me try and explain what I want to do:
>> As it is now, our network is setup in a workgroup, with 30+ users. I 
>> want all of our users to be able to join the Domain/Samba PDC. They 
>> will not be using roaming profiles, just login to their workstation 
>> into the Domain.
>> What I am trying to understand is the best way to go about adding my 
>> users to the domain as well as authenticating against the domain. It 
>> may seem vague, but im a little confused here myself.
>> I thought i'd post some of my initial entries and go from there. Here 
>> goes:
>> .......
>> That is just some initial entries. Here is what I have questions about:
>> I am going to have about 3-4 groups. For instance, officers, 
>> processors and admin.
>> Now, I need to add my users to the PDC. From what I have read, not 
>> only do I need to add my users to the PDC, but a machine/computer 
>> account as well, correct?

>> So, my question is what is the best way to add my users to the PDC 
>> and their machine accounts?
There are tools provided by PADL that simplify exporting user accounts 
from unix to LDAP - Are you coming from unix? have you tried them?

I found that machine accounts are best added automatically using the 
scipts from IDEALX. (I have just been through this - some of my notes 
are at http://research.imb.uq.edu.au/~l.rathbone/ldap/samba_pdc.shtml. I 
have used a different ldap schema from you but the principles apply. 
Note specifically the line in smp.conf

add user script = /usr/local/sbin/smbldap-useradd.pl -w %u

and the note at the bottom of the page.

>> Secondly, as you can see in my LDAP directory above, I have some 
>> initial entires. I am unclear as how to add my users to the server 
>> and LDAP and make sure they go into the correct group and correct 
>> part of the LDAP Directory. That make sense? For example, if I have a 
>> user named Todd that needs to go into the group "officers" how would 
>> I go about doing that? 

A user only has there primary gid recorded in their LDAP record. So you 
need to know the gidNumber of that persons primary group and assign it 
to them. Group membership is held in the group record.


dn: uid=b.wise,ou=Users,dc=mycompany,dc=com
uid: b.wise
cn: Bob Wise
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: sambaAccount
objectClass: person
sn: Wyse
uidNumber: 10568
gidNumber: 23456

My group records look like this (and they seem to work)

dn: cn=sales,ou=Groups,dc=mycompany,dc=com
objectClass: posixGroup
objectClass: top
cn: sales
gidNumber: 23456
memberUid: a.blogg
memberUid: b.wise
memberUid: c.dumb

>> Lastly, (for now :) ) when I go around to my Windows 2000 
>> workstations to have my users join the domain, from some prior 
>> testing, once I change it from a workgroup to a domain, a username 
>> and password box will pop up. What username and password must I use 
>> here? Is it what I have specified in my slapd.conf and smb.conf: 
>> "cn=Manager,dc=company,dc=com" 
No - you need to set up a normal user account in LDAP, something like 
"uid=root, ou=Users,dc=mycompany,dc=com" then give this user the same 
ACL privileges as "cn=Manager,dc=company,dc=com" (usually in 
slapd.conf). E.g

access to dn=".*,dc=company,dc=com"
        by dn="uid=root, ou=Users,dc=mycompany,dc=com" write

Then when prompted to join the domain, the user name would be "root" and 
the password is whatever you gave that root user.

>> I appreciate everyone's help.
>> Thank you!
>> Best,
>> Jason
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list