[Samba] Question on LDAP+Samba+PDC

Lance Rathbone l.rathbone at imb.uq.edu.au
Mon May 19 22:20:21 GMT 2003


>Hello Lance!
>
>Ok, let me answer a few questions:
>
>>This is a problem - gidNumbers should be unique. Are you creating 
>>these manually? Make sure they have different numbers. The IDEALX 
>>scripts should create unique numbers.
>
>I am using the idealx scripts to create groups. I am not sure 
>exactly why the groups are not getting unique numbers....something I 
>misconfigured in smbldap_conf.pm ? I'm not sure exactly.

I'm not sure what is happening here - In smbldap_conf.pm you just 
configure the starting gidNumber. The function called is group_add in 
smbldap_tools.pm. It seems strange that it is not giving you an error 
and not working.

>
>>If the group loanofficers is the primary group for the user then 
>>that user's gidNumber needs to be set to loanofficers gidNumber.
>>In addition the memberUid of the group will contain the user's uid
>>
>>e.g
>>dn: uid=f.flintstone,ou=Users,dc=courtesymortgage,dc=com
>>uid: f.flintstone
>>gidNumber: 1000
>>
>>dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
>>objectClass: posixGroup
>>cn: loanofficers
>>gidNumber: 1000
>>memberUid: f.bloggs
>>memberUid: f.flintstone
>>
>>IDEALX have a script to add members to a group:
>>smbldap-groupmod.pl -m f.flintstone loanofficers
>
>Here is a quick snip of my stuff:
>
>dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
>objectClass: posixGroup
>cn: loanofficers
>gidNumber: 1002
>memberUid: jason
>
>dn: uid=jason,ou=Users,dc=courtesymortgage,dc=com
>cn: jason
>sn: jason
>uid: jason
>uidNumber: 1000
>gidNumber: 1002
><snip>
>
>That looks about right, yes? Jason's GID number is the same as the 
>GID number for LoanOfficers.

Looks good to me

>
>Here is something that I have been curious about. It is in relation 
>to designing a LDAP directory. I picked up a few books on LDAP this 
>weekend and they are really explaining things that I understand 
>now...but here is something I wanted to ask:
>
>If you look at the DN for loanofficers and Jason:
>dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
>dn: uid=jason,ou=Users,dc=courtesymortgage,dc=com
>
>My question is this: Right now, my loanofficers as a cn (common name?)
>What if I wanted to setup my structure so that I have ou=Groups and 
>underneath it, I have my groups that I want? Here is an example:
>
>dn: ou=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
>
>Then, I would place my "loanofficers" users in that leaf.
>Is that possible?
>Is that a good idea or a bad idea?

I see what you are trying to do but I'm not sure - it does not look 
good to me. I would wait for more knowledgeable responses than mine.

>
>I am trying to figure out the best way to manage and setup my users....
>
>Any suggestions there?

What's wrong with adding your users to secondary groups such as you do on unix?
You enforce meaning to that group by the way you assign members to it.
dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
objectClass: posixGroup
cn: loanofficers
gidNumber: 1003
memberUid: jason
memberUid: fred

>
>Thanks again.
>
>Cheers,
>
>Jason
>
>
>At 02:24 PM 5/19/2003 +1000, you wrote:
>
>>>Lance,
>>>
>>>I appreciate all your help. It has been great in helping me move 
>>>farther along as well as understand more.
>>>
>>>I've been working with the IDEALX scripts and they are working 
>>>great. However, I have a couple of questions I wanted to run by 
>>>you.
>>>
>>>As of now, I have ou's of: ou=Computers, ou=Users, ou=Groups
>>>I also have: cn=Domain Admins,ou=Groups
>>>	       cn=Domain Users,ou=Groups
>>>
>>>My question(s) are: If I want to create my own groups, for 
>>>example: Loan Officers and Loan Processors, I can do that no 
>>>problem. It creates it like so:
>>>          cn=loanofficers,ou=Groups
>>>
>>>Thus, if I had 4-5 groups, I could create them using the IDEALX 
>>>scripts. Simple enough.
>>>
>>>This is where i'm a bit lost. If I create a second group, 
>>>loanprocessors, it creates the following:
>>>
>>>cn=loanprocessors,ou=Groups   Which is correct. However, if I 
>>>compare the two of them, i'm confused in one spot:
>>>
>>># loanofficers, Groups, courtesymortgage, com
>>>dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
>>>objectClass: posixGroup
>>>cn: loanofficers
>>>gidNumber: 1000
>>>
>>># loanprocessors, Groups, courtesymortgage, com
>>>dn: cn=loanprocessors,ou=Groups,dc=courtesymortgage,dc=com
>>>objectClass: posixGroup
>>>cn: loanprocessors
>>>gidNumber: 1000
>>>
>>
>>This is a problem - gidNumbers should be unique. Are you creating 
>>these manually? Make sure they have different numbers. The IDEALX 
>>scripts should create unique numbers.
>>
>>>
>>>Being that they both have gidNumber's of 1000, is that going to be 
>>>a problem?
>>>Which leads to my next question. If I have a user, Jason, that 
>>>needs to be added to the group loanofficers, how can I do that 
>>>with the scripts? Is it even possible?
>>>
>>
>>If the group loanofficers is the primary group for the user then 
>>that user's gidNumber needs to be set to loanofficers gidNumber.
>>In addition the memberUid of the group will contain the user's uid
>>
>>e.g
>>dn: uid=f.flintstone,ou=Users,dc=courtesymortgage,dc=com
>>uid: f.flintstone
>>gidNumber: 1000
>>
>>dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
>>objectClass: posixGroup
>>cn: loanofficers
>>gidNumber: 1000
>>memberUid: f.bloggs
>>memberUid: f.flintstone
>>
>>IDEALX have a script to add members to a group:
>>smbldap-groupmod.pl -m f.flintstone loanofficers
>>
>>
>>>
>>>I hope i'm not rambling. I've been struggling to find out what the 
>>>problem is and I have not been able to find any documentation on 
>>>this.
>>>
>>>Thanks for your help Lance,
>>>
>>>Cheers,
>>>
>>>Jason
>>>
>>>
>>>
>>>At 09:16 AM 5/16/2003 +1000, you wrote:
>>>
>>>>>Lance,
>>>>>
>>>>>Thanks for your help. I do appreciate it.
>>>>>
>>>>>I have been reviewing the documentation that you sent as well as 
>>>>>the scripts from idealx. I still have a lot of questions and 
>>>>>testing to do.
>>>>>
>>>>>If you dont mind me asking you a couple more questions, i'd love 
>>>>>to hear your advice.
>>>>>
>>>>>Are you coming from unix? have you tried them?
>>>>>The actual server I am working on is brand new. Nothing on it. 
>>>>>All of our users use Win2k Pro computers and we are setup in a 
>>>>>workgroup environment. They will all be joining the Samba PDC
>>>>>
>>>>>"
>>>>>
>>>>>This is what I currently have. I am trying to figure out how to 
>>>>>add the users and their machines to the PDC. I've tried using 
>>>>>the smbldap-adduser.pl script to add users to the PDC, and it 
>>>>>seems to work. However, I do not get the response that it has 
>>>>>been added. But if I do a search, it is added.
>>>>>
>>>>
>>>>When I add a machine like that it doesn't come back with a 
>>>>response either, but what you really want to happen is to join 
>>>>the domain automatically. This is in the line    add user script 
>>>>= /usr/local/sbin/smbldap-useradd.pl -w %u
>>>>
>>>>To test this out go to a machine (windows client) that doesn't 
>>>>have an LDAP account - delete an existing account if necessary - 
>>>>and try to join the domain from the windows client. You will be 
>>>>prompted for a username and password. (This is your LDAP "root" 
>>>>user with write access to the LDAP directory.)
>>>>Then it will try to join the domain. My machines take 20-30 
>>>>seconds then come back with something about 'welcome to domain'.
>>>>If it takes 3-4 minutes it hasn't worked!
>>>>
>>>>
>>>>


-- 
=====================================

Lance Rathbone BSc MCompStud
Senior IT Officer
Institute for Molecular Bioscience
Queensland Bioscience Precinct
Bldg 80, Services Road
The University of Queensland
St Lucia Qld 4072
AUSTRALIA


Tel    +61 7 3346 2205
http://www.imb.uq.edu.au
=====================================
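Added example, not part of the thread above and not IDEALX or Samba code. The two points Lance makes (gidNumbers must be unique, and group membership is primary gidNumber plus memberUid, exactly as on Unix) are easy to get wrong by hand, and a duplicate gidNumber silently merges two groups: any file or share ACL granted to loanofficers is then also granted to loanprocessors. The script below parses a small constructed LDIF export (the DNs mirror the thread's, the entries themselves are made up) and reports the three things a reviewer of such a directory would check: duplicate gidNumbers across posixGroup entries, a cn attribute that disagrees with the entry's RDN, and a user whose primary gidNumber points at no group. It also resolves a user's effective gidNumbers the way `id` would on an nss_ldap client. It assumes plain LDIF (no base64 values, no line folding).

```python
"""Sanity-check posixAccount/posixGroup entries from an LDIF export.

Constructed sample data: the base DN matches the thread, the users and
gidNumbers are assumed for illustration (note the deliberate clash on 1000
and fred's dangling primary group).
"""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
objectClass: posixGroup
cn: loanofficers
gidNumber: 1000
memberUid: jason

dn: cn=loanprocessors,ou=Groups,dc=courtesymortgage,dc=com
objectClass: posixGroup
cn: loanprocessors
gidNumber: 1000
memberUid: fred

dn: cn=Domain Users,ou=Groups,dc=courtesymortgage,dc=com
objectClass: posixGroup
cn: Domain Users
gidNumber: 513
memberUid: jason
memberUid: fred

dn: uid=jason,ou=Users,dc=courtesymortgage,dc=com
objectClass: posixAccount
uid: jason
uidNumber: 1000
gidNumber: 1000

dn: uid=fred,ou=Users,dc=courtesymortgage,dc=com
objectClass: posixAccount
uid: fred
uidNumber: 1001
gidNumber: 1002
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, repeated attributes collected into lists. Assumes no base64
    values and no folded lines."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def rdn_value(dn):
    """'cn=loanofficers,ou=Groups,...' -> ('cn', 'loanofficers')"""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip(), value.strip()


def check_directory(entries):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    groups = [e for e in entries if "posixGroup" in e.get("objectClass", [])]
    users = [e for e in entries if "posixAccount" in e.get("objectClass", [])]

    by_gid = defaultdict(list)
    for g in groups:
        by_gid[g["gidNumber"][0]].append(g["cn"][0])
        # The naming attribute in the RDN must also be a value of that
        # attribute on the entry; a mismatch is rejected by the server.
        attr, val = rdn_value(g["dn"][0])
        if attr.lower() == "cn" and val not in g.get("cn", []):
            findings.append(f"cn attribute {g['cn']} does not match RDN of {g['dn'][0]}")
    for gid, names in by_gid.items():
        if len(names) > 1:
            findings.append(f"gidNumber {gid} shared by groups {sorted(names)}")
    for u in users:
        if u["gidNumber"][0] not in by_gid:
            findings.append(f"user {u['uid'][0]} has primary gidNumber "
                            f"{u['gidNumber'][0]} with no posixGroup")
    return findings


def effective_groups(entries, uid):
    """gidNumbers the user resolves to: the primary gidNumber on the
    posixAccount plus every posixGroup listing the uid in memberUid."""
    gids = set()
    for e in entries:
        oc = e.get("objectClass", [])
        if "posixAccount" in oc and uid in e.get("uid", []):
            gids.add(e["gidNumber"][0])
        if "posixGroup" in oc and uid in e.get("memberUid", []):
            gids.add(e["gidNumber"][0])
    return sorted(gids)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for finding in check_directory(entries):
        print("FINDING:", finding)
    for user in ("jason", "fred"):
        print(user, "->", effective_groups(entries, user))
```

On a live directory the same input comes from `ldapsearch -x -b ou=Groups,dc=courtesymortgage,dc=com '(objectClass=posixGroup)'` and the Users branch, piped into the parser; the point of the check is that nothing in OpenLDAP or the IDEALX scripts enforces gidNumber uniqueness for you, so a second group created with the same number is accepted without error.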