[Samba] Question on LDAP+Samba+PDC

Buchan Milne bgmilne at cae.co.za
Fri May 16 10:49:46 GMT 2003


> Message: 53
> Date: Thu, 15 May 2003 14:13:35 -0700
> From: Jason Williams <jwilliams at courtesymortgage.com>
> Subject: [Samba] Question on LDAP+Samba+PDC
> To: samba at lists.samba.org
> Message-ID:
> 	< at pop.courtesymortgage.com>
> Content-Type: text/plain; charset="us-ascii"; format=flowed
> Hello everyone.
> Well, I have been working very hard lately, trying to get a server up to
> act as our Samba PDC with LDAP. So far, everything seems to be working
> well. I've been able to get samba 2.2.8 and openldap 2.0.27 installed
> no problems. I've setup my config files (ldap.conf, slapd.conf, smb.conf)
> as well as added some initial entries to the LDAP directory.
> I've been able to add a user to the directory and set the password for
> user.
> This is where I wanted to ask some questions:
> Now, let me try and explain what I want to do:
> As it is now, our network is setup in a workgroup, with 30+ users. I want
> all of our users to be able to join the Domain/Samba PDC. They will
> not be using roaming profiles, just login to their workstation into the
> Domain.

Well, it's not necessary to use LDAP for this ...

> What I am trying to understand is the best way to go about adding my
> to the domain as well as authenticating against the domain. It may seem
> vague, but im a little confused here myself.
> I thought I'd post some of my initial entries and go from there. Here
> # mycompany, com
> dn: dc=mycompany,dc=com
> objectClass: top
> objectClass: domain
> dc: mycompany
> description: mycompany organization
> # Groups, mycompany, com
> dn: ou=Groups,dc=mycompany,dc=com
> objectClass: top
> objectClass: organizationalUnit
> ou: Groups
> description: System Groups
> # Users, mycompany, com
> dn: ou=Users,dc=mycompany,dc=com
> objectClass: top
> objectClass: organizationalUnit
> ou: Users
> description: Users of the organization
> # Computers, mycompany, com
> dn: ou=Computers,dc=mycompany,dc=com
> objectClass: top
> objectClass: organizationalUnit
> ou: Computers
> description: Windows Domain Computers
> # Domain Admins, Groups, mycompany, com
> dn: cn=Domain Admins,ou=Groups,dc=mycompany,dc=com
> objectClass: posixGroup
> gidNumber: 200
> cn: Domain Admins
> memberUid: administrator
> description: Windows Domain users
> # Domain Users, Groups, mycompany, com
> dn: cn=Domain Users,ou=Groups,dc=mycompany,dc=com
> objectClass: posixGroup
> gidNumber: 201
> cn: Domain Users
> description: Windows Domain Users
> # Administrators, Groups, mycompany, com
> dn: cn=Administrators,ou=Groups,dc=mycompany,dc=com
> objectClass: posixGroup
> gidNumber: 220
> cn: Administrators
> description: Windows Domain Members can administer the computer and Domain
> That is just some initial entries. Here is what I have questions about:
> I am going to have about 3-4 groups. For instance, officers,
> processors and admin.
> Now, I need to add my users to the PDC. From what I have read, not
> only do I need to add my users to the PDC, but a machine/computer
> account as well, correct?
> So, my question is what is the best way to add my users to the PDC and
> their machine accounts?

IMHO, use smbldap-tools, which provides work-alikes for useradd,
groupadd, usermod, groupmod, userdel, groupdel, passwd etc, but which
work with Samba/LDAP accounts.

> Secondly, as you can see in my LDAP directory above, I have some initial
> entires. I am unclear as how to add my users to the server and LDAP and
> make sure they go into the correct group and correct part of the LDAP
> Directory. That make sense? For example, if I have a user named Todd that
> needs to go into the group "officers" how would I go about doing that?

smbldap-usermod -G officers todd

> Lastly (for now), when I go around to my Windows 2000 workstations to
> have my users join the domain, from some prior testing, once I change it
> from a workgroup to a domain, a username and password box will pop up.
> What username and password must I use here? Is it what I have specified
> in my slapd.conf and smb.conf: "cn=Manager,dc=company,dc=com"

It must be an account that has write access to the LDAP directory for
the attributes samba needs. For the purposes of samba, you can make sure
that a group can use the smbldap-tools (which has a config file
determining the single dn all operations will use). As long as that
group is listed in the 'domain admin group' parameter in smb.conf, they
should be able to join a machine. Note, it is a unix account (thus
todd), not an LDAP dn (ie uid=todd,ou=... etc).

BTW, I am just about finished with my document on Samba+LDAP, you may be
interested in reading it and the documents it refers to:


BTW, you may have noticed this is all pretty easy on Mandrake ...

Finally, you may want to reconsider your group names, since
1) With samba-2.2.x you can't use them from Windows anyway
2) Names with spaces always cause problems under unix (or make life more
3) Samba3 will map Windows group names to Unix group names, so Windows
group names can be similar to those Windows uses, but unix will still
have decent, short names without spaces.


--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
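For readers following the thread: below is an added example (not from the
poster, not from smbldap-tools or Samba) that writes out what a domain
user and a machine trust account look like in LDAP for a Samba 2.2 PDC,
in the posixAccount + sambaAccount shape the smbldap-tools commands
above produce. It assumes the base DN and ou=Users / ou=Computers layout
from the question, Samba 2.2's algorithmic uid/gid -> RID mapping
(rid = 2*uid + 1000, group rid = 2*gid + 1001), and NTLM-only clients,
so only ntPassword is stored (smbldap-tools would also write an
lmPassword). The host name, uid/gid numbers and the password "password"
are made up for the example. The point worth seeing is that ntPassword
is just MD4 over the UTF-16LE password, i.e. it is password-equivalent:
whatever account you hand out for joining machines gets write access to
exactly these attributes, so scope it with slapd ACLs rather than using
cn=Manager.

```python
"""LDIF for a Samba 2.2 + OpenLDAP PDC: a user and a machine trust account.
Added example; assumed base DN, OUs, RID mapping and sample data throughout."""
import base64
import struct

BASE_DN = "dc=mycompany,dc=com"   # assumed, taken from the question
RID_BASE = 1000                   # Samba 2.2 default "algorithmic rid base"


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib.new('md4') is unavailable
    wherever OpenSSL's legacy provider is not loaded."""
    mask = 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                t = (a + fn(b, c, d) + x[j] + k) & mask
                s = shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & mask, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """ntPassword = MD4(UTF-16LE password). Password-equivalent: keep
    lmPassword/ntPassword unreadable to anything but Samba's bind DN."""
    return md4(password.encode("utf-16-le")).hex().upper()


def user_rid(uid_number: int) -> int:
    return 2 * uid_number + RID_BASE        # Samba 2.2: rid = 2*uid + 1000


def group_rid(gid_number: int) -> int:
    return 2 * gid_number + RID_BASE + 1    # Samba 2.2: rid = 2*gid + 1001


def unix_name(name: str) -> str:
    """Unix-side names must not contain spaces (point 2 in the reply)."""
    if not name or " " in name:
        raise ValueError(f"not a usable unix name: {name!r}")
    return name


def ldif_attr(name: str, value: str) -> str:
    """RFC 2849: base64 a value that starts with space, ':' or '<', ends in
    a space, or is not printable ASCII; everything else goes in literally."""
    if (not value or value[0] in " :<" or value[-1] == " "
            or not all(32 <= ord(ch) < 127 for ch in value)):
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode()}"
    return f"{name}: {value}"


def acct_flags(flags: str) -> str:
    """smbpasswd(5) account-control field: '[' + flags padded to 11 + ']'."""
    return "[" + flags.ljust(11) + "]"


def entry(dn: str, attrs) -> str:
    return "\n".join([ldif_attr("dn", dn)] + [ldif_attr(k, v) for k, v in attrs]) + "\n"


def samba_user(uid, uid_number, gid_number, full_name, surname, password):
    """Domain user: posixAccount for the Unix side, sambaAccount for the PDC."""
    uid = unix_name(uid)
    return entry(f"uid={uid},ou=Users,{BASE_DN}", [
        ("objectClass", "top"), ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"), ("objectClass", "sambaAccount"),
        ("cn", full_name), ("sn", surname), ("uid", uid),
        ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/home/{uid}"), ("loginShell", "/bin/bash"),
        ("rid", str(user_rid(uid_number))),
        ("primaryGroupID", str(group_rid(gid_number))),
        ("ntPassword", nt_hash(password)), ("acctFlags", acct_flags("U")),
    ])


def machine_account(host, uid_number, gid_number):
    """Machine trust account: uid ends in '$', flag W, no shell or home, and
    the initial password is the lowercase host name (what smbpasswd -a -m
    sets); the workstation replaces it when it joins the domain."""
    host = unix_name(host.rstrip("$")).lower()
    return entry(f"uid={host}$,ou=Computers,{BASE_DN}", [
        ("objectClass", "top"), ("objectClass", "account"),
        ("objectClass", "posixAccount"), ("objectClass", "sambaAccount"),
        ("cn", f"{host}$"), ("uid", f"{host}$"),
        ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
        ("homeDirectory", "/dev/null"), ("loginShell", "/bin/false"),
        ("rid", str(user_rid(uid_number))),
        ("primaryGroupID", str(group_rid(gid_number))),
        ("ntPassword", nt_hash(host)), ("acctFlags", acct_flags("W")),
    ])


if __name__ == "__main__":
    # sample data, made up for the example
    print(samba_user("todd", 1000, 201, "Todd Example", "Example", "password"))
    print(machine_account("WS01", 20001, 201))
```

Pipe the output into ldapadd bound as the DN Samba uses, then check
with an anonymous ldapsearch that ntPassword does not come back; if it
does, the ACL is wrong and every domain password is readable by anyone
who can reach the directory.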

