[Samba] RE: Samba+LDAP+PDC

Chris McKeever cgmckeever at prupref.com
Fri May 16 02:01:40 GMT 2003 

 
> 
> Hello everyone.
> 
> Well, I have been working very hard lately, trying to get a 
> server up to 
> act as our Samba PDC with LDAP. So far, everything seems to 
> be working 
> well. I've been able to get samba 2.2.8 and openldap 2.0.27 
> installed with 
> no problems. I've setup my config files (ldap.conf, 
> slapd.conf, smb.conf) 
> as well as added some initial entries to the LDAP directory.
> 
> I've been able to add a user to the directory and set the 
> password for that 
> user.
> 
> This is where I wanted to ask some questions:
> 
> Now, let me try and explain what I want to do:
> 
> As it is now, our network is setup in a workgroup, with 30+ 
> users. I want 
> all of our users to be able to join the Domain/Samba PDC. 
> They will not be 
> using roaming profiles, just login to their workstation into 
> the Domain.
> 
> What I am trying to understand is the best way to go about 
> adding my users 
> to the domain as well as authenticating against the domain. 
> It may seem 
> vague, but im a little confused here myself.
> 

I am telling you , make a PHP utility using the LDAP calls (www.php.net) to
add/edit users...authenticating against the domain are the /smb.conf
variables
domain logins
local broswer

> I thought i'd post some of my initial entries and go from 
> there. Here goes:
> 
> # mycompany, com
> dn: dc=mycompany,dc=com
> objectClass: top
> objectClass: domain
> dc: mycompany
> description: mycompany comanization
> 
> # Groups, mycompany, com
> dn: ou=Groups,dc=mycompany,dc=com
> objectClass: top
> objectClass: organizationalUnit
> ou: Groups
> description: System Groups
> 
> # Users, mycompany, com
> dn: ou=Users,dc=mycompany,dc=com
> objectClass: top
> objectClass: organizationalUnit
> ou: Users
> description: Users of the comanization
> 
> # Computers, mycompany, com
> dn: ou=Computers,dc=mycompany,dc=com
> objectClass: top
> objectClass: organizationalUnit
> ou: Computers
> description: Windows Domain Computers
> 
> # Domain Admins, Groups, mycompany, com
> dn: cn=Domain Admins,ou=Groups,dc=mycompany,dc=com
> objectClass: posixGroup
> gidNumber: 200
> cn: Domain Admins
> memberUid: administrator
> description: Windows Domain users
> 
> # Domain Users, Groups, mycompany, com
> dn: cn=Domain Users,ou=Groups,dc=mycompany,dc=com
> objectClass: posixGroup
> gidNumber: 201
> cn: Domain Users
> description: Windows Domain Users
> 
> # Administrators, Groups, mycompany, com
> dn: cn=Administrators,ou=Groups,dc=mycompany,dc=com
> objectClass: posixGroup
> gidNumber: 220
> cn: Administrators
> description: Windows Domain Members can administer the 
> computer and Domain
> 
> That is just some initial entries. Here is what I have 
> questions about:
> 
> I am going to have about 3-4 groups. For instance, officers, 
> processors and 
> admin.
> Now, I need to add my users to the PDC. From what I have 
> read, not only do 
> I need to add my users to the PDC, but a machine/computer 
> account as well, 
> correct?
> 
> So, my question is what is the best way to add my users to 
> the PDC and 
> their machine accounts?
> 

users need to be done through the LDAP utilities or through some creative
scripting (via PHP or PERL), there are some utilities that can handle it
that have been written, some better than others..

machine accounts, I am no completely certain how that all works into
play...if someone else could elaborate on this that would be great..are they
just added as users? or is there another group that machine accounts belong
to?

> Secondly, as you can see in my LDAP directory above, I have 
> some initial 
> entires. I am unclear as how to add my users to the server 
> and LDAP and 
> make sure they go into the correct group and correct part of the LDAP 
> Directory. That make sense? For example, if I have a user 
> named Todd that 
> needs to go into the group "officers" how would I go about doing that?
>

After you add a user, you edit the group entry and attach thier UID to the
groups memberuid list...

 
> Lastly, (for now :) ) when I go around to my Windows 2000 
> workstations to 
> have my users join the domain, from some prior testing, once 
> I change it 
> from a workgroup to a domain, a username and password box 
> will pop up. What 
> username and password must I use here? Is it what I have 
> specified in my 
> slapd.conf and smb.conf: "cn=Manager,dc=company,dc=com"
> 
> I appreciate everyone's help.

I'm looking for this answer as well

> 
> Thank you!
> Best,
> 
> Jason
>

More information about the samba mailing list