[Samba] RE: Documentation

Rauno Tuul rauno.tuul at haigekassa.ee
Mon Sep 15 08:32:00 GMT 2003


> -----Original Message-----
> From: John H Terpstra [mailto:jht at samba.org]
>
> There is still time for more input. Please do provide any material you
> believe may be useful to a Samba administrator. Information for novices
> and experts alike is welcome.
>
> Cheers,
> John T.

Hi,

A good LDAP base.ldif would be nice to add.
Since Samba changed the schema in 3.0, all the howtos and base.ldif files are
useless or contain only half of the needed information.

Here are my LDAP base entries for a basic system with commonly known names and
group mappings.
Where the last number of the sambaSID (the RID) is > 1000, the SID is calculated
from the GID; otherwise it is set as needed for the Windows world.

Of course there may be a few mistakes, but it works for most needs.
Users can log into the domain and get authenticated, and the Windows security
tab lists are shown correctly.
Exchange Server 5.5 is capable of using the Samba domain for security and user
NT accounts.
Users can connect to a W2K terminal server and open applications; non-admin
users can use Outlook (no special changes to the TS needed).
Users who belong to the domain_admins group have administrative power on
NT/2k/XP workstations.

For LDAP administration I use LAM (LDAP Account Manager). It is the best tool
at the moment; smbldap-tools aren't that good.


Also, sambaGroupType is explained nowhere in the Samba docs. For changing LDAP
entries manually, it would be nice to know what the values mean and which ones
are correct.
AFAIK:
sambaGroupType: 2 - domain group (global group)
sambaGroupType: 5 - local group (built-in group)
What about 1, 3, 4?


# smb.conf
   ldap admin dn = cn=Manager,dc=ehk,dc=lan
   ldap suffix = dc=ehk,dc=lan
   ldap machine suffix = ou=Computers,dc=ehk,dc=lan
   ldap user suffix = ou=Users,dc=ehk,dc=lan

#   ldap group suffix and ldap idmap suffix are unspecified.
Changing "ldap group suffix" to "ou=Groups,dc=ehk,dc=lan" caused group mapping
to fail.

For adding workstations to the domain, I have in my smb.conf
   admin users = @domain_admins
Otherwise adding to the domain fails.

===================================
basics:
Users gidNumber: 221     (group users).
Users sambaPrimaryGroupSID: S-1-5-21-....-1443

===================================
dn: dc=mydomain,dc=lan
objectClass: domain
dc: MYDOMAIN

dn: ou=Groups,dc=mydomain,dc=lan
objectClass: top
objectClass: organizationalUnit
ou: Groups
description: System Groups

dn: ou=Users,dc=mydomain,dc=lan
objectClass: top
objectClass: organizationalUnit
ou: Users
description: Users of the Organization

dn: ou=Computers,dc=mydomain,dc=lan
objectClass: top
objectClass: organizationalUnit
ou: Computers
description: Windows Domain Computers

dn: ou=Domains,dc=mydomain,dc=lan
objectClass: organizationalUnit
ou: Domains

dn: sambaDomainName=MYDOMAIN,ou=Domains,dc=mydomain,dc=lan
objectClass: sambaDomain
sambaDomainName: MYDOMAIN
sambaSID: S-1-5-21-1111111111-222222222-3333333333
sambaAlgorithmicRidBase: 1000

dn: cn=machines,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: machines
gidNumber: 240
description: machines
sambaSID: S-1-5-21-1111111111-222222222-3333333333-1481
sambaGroupType: 2
displayName: machines

dn: cn=domain_users,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 201
cn: domain_users
description: Windows Domain Users
sambaSID: S-1-5-21-1111111111-222222222-3333333333-513
sambaGroupType: 2
displayName: Domain Users

dn: cn=domain_guests,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 202
cn: domain_guests
description: Windows Domain Guests Users
sambaGroupType: 2
displayName: Domain Guests
sambaSID: S-1-5-21-1111111111-222222222-3333333333-514

dn: cn=users,ou=Groups,dc=mydomain,dc=lan
description: Ordinary users
description: Windows Domain Ordinary users
objectClass: sambaGroupMapping
objectClass: posixGroup
gidNumber: 221
cn: users
sambaSID: S-1-5-21-1111111111-222222222-3333333333-1443
sambaGroupType: 2
displayName: Users

dn: cn=guests,ou=Groups,dc=mydomain,dc=lan
description: Users granted guest access to the computer/domain
description: Windows Domain Users granted guest access to the computer/domain
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 222
cn: guests
memberUid: nobody
sambaSID: S-1-5-21-1111111111-222222222-3333333333-1445
sambaGroupType: 2
displayName: Guests

dn: cn=power_users,ou=Groups,dc=mydomain,dc=lan
description: Members can share directories and printers
description: Windows Domain Members can share directories and printers
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 223
cn: power_users
sambaSID: S-1-5-21-1111111111-222222222-3333333333-1447
sambaGroupType: 2
displayName: Power Users

dn: cn=account_operators,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 224
cn: account_operators
description: Windows Domain Users to manipulate users accounts
displayName: Account Operators
sambaSID: S-1-5-32-1449
sambaGroupType: 5

dn: cn=server_operators,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 225
cn: server_operators
description: Windows Domain Server Operators
displayName: Server Operators
sambaSID: S-1-5-32-1451
sambaGroupType: 5

dn: cn=print_operators,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 226
cn: print_operators
description: Windows Domain Print Operators
displayName: Print Operators
sambaSID: S-1-5-32-1453
sambaGroupType: 5

dn: cn=backup_operators,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 227
cn: backup_operators
description: Windows Domain Members can bypass file security to back up files
displayName: Backup Operators
sambaSID: S-1-5-32-1455
sambaGroupType: 5

dn: cn=replicator,ou=Groups,dc=mydomain,dc=lan
description: Supports file replication in a domain
description: Windows Domain Supports file replication in a domain
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 228
cn: replicator
sambaSID: S-1-5-21-1111111111-222222222-3333333333-1457
sambaGroupType: 2
displayName: Replicator

dn: cn=enterprise_admins,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: enterprise_admins
gidNumber: 203
sambaGroupType: 2
displayName: Enterprise Admins
sambaSID: S-1-5-21-1111111111-222222222-3333333333-519

dn: cn=domain_admins,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 200
cn: domain_admins
sambaSID: S-1-5-21-1111111111-222222222-3333333333-512
sambaGroupType: 2
displayName: Domain Admins

dn: cn=administrators,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: administrators
gidNumber: 220
sambaGroupType: 5
displayName: Administrators
description: Local Unix group
sambaSID: S-1-5-32-1441
===================================

PS. Since the unicode was fixed, samba 3.0 works like a charm.

Best regards,

Rauno Tuul.
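The post's rule for the hand-built group mappings (RIDs above sambaAlgorithmicRidBase are derived from the gidNumber, lower RIDs are the fixed well-known ones, sambaGroupType 5 entries sit under S-1-5-32 and type 2 entries under the domain SID) is exactly the kind of thing worth checking mechanically before loading a base.ldif, since a transposed digit or an entry left under the wrong suffix loads without complaint and only shows up later as a broken group mapping. The script below is an added example and is not code from the post or from the Samba project. It assumes Samba 3's algorithmic mapping for groups, RID = 2 * gidNumber + sambaAlgorithmicRidBase + 1 (users use 2 * uidNumber + base), and it reads the directory suffix from the entry with objectClass domain. The GROUP_TYPES table lists the values Samba stores in sambaGroupType, which are its SID_NAME_USE enumeration (1 user, 2 domain group, 3 domain, 4 alias/local group, 5 well-known group); the sample LDIF is constructed, with two deliberate slips of the kinds described above.

```python
"""Check Samba 3 sambaGroupMapping LDIF entries against the algorithmic RID rule.

Added example, not code from the original post or from the Samba project. It
assumes Samba 3's mapping RID = 2*gidNumber + sambaAlgorithmicRidBase + 1 for
groups (2*uidNumber + base for users), fixed well-known RIDs at or below the
base, prefix S-1-5-32 for sambaGroupType 5 and the domain SID for type 2.
"""

# sambaGroupType stores Samba's SID_NAME_USE enumeration value.
GROUP_TYPES = {1: "user", 2: "domain (global) group", 3: "domain",
               4: "local group (alias)", 5: "well-known group"}
BUILTIN_SID = "S-1-5-32"


def parse_ldif(text):
    """Parse LDIF into {attribute: [values]} dicts, one per entry."""
    # RFC 2849 folding: a line starting with one space continues the previous.
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():  # blank line ends the entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_mappings(text):
    """Return a list of problem strings for the group mappings in `text`."""
    entries = parse_ldif(text)
    dom = next(e for e in entries if "sambaDomain" in e.get("objectClass", []))
    domain_sid = dom["sambaSID"][0]
    rid_base = int(dom.get("sambaAlgorithmicRidBase", ["1000"])[0])
    # The directory suffix is the DN of the entry with objectClass 'domain'.
    suffix = next(e["dn"][0] for e in entries if "domain" in e.get("objectClass", []))
    problems = []
    for e in entries:
        dn = e["dn"][0]
        if not dn.lower().endswith(suffix.lower()):
            problems.append(f"{dn}: not under suffix {suffix}")
        if "sambaGroupMapping" not in e.get("objectClass", []):
            continue
        gid = int(e["gidNumber"][0])
        gtype = int(e["sambaGroupType"][0])
        prefix, _, rid_str = e["sambaSID"][0].rpartition("-")
        rid = int(rid_str)
        if gtype not in GROUP_TYPES:
            problems.append(f"{dn}: unknown sambaGroupType {gtype}")
        elif gtype == 5 and prefix != BUILTIN_SID:
            problems.append(f"{dn}: type 5 group should use the {BUILTIN_SID} prefix")
        elif gtype == 2 and prefix != domain_sid:
            problems.append(f"{dn}: type 2 group should use domain SID {domain_sid}")
        expected = 2 * gid + rid_base + 1
        if rid > rid_base and rid != expected:
            problems.append(f"{dn}: RID {rid} does not match gidNumber {gid} (expected {expected})")
    return problems


# Constructed sample in the shape of the posted base.ldif; the last two entries
# deliberately carry a transposed RID and a DN under a different suffix.
SAMPLE_LDIF = """\
dn: dc=mydomain,dc=lan
objectClass: domain

dn: sambaDomainName=MYDOMAIN,ou=Domains,dc=mydomain,dc=lan
objectClass: sambaDomain
sambaSID: S-1-5-21-1111111111-222222222-3333333333
sambaAlgorithmicRidBase: 1000

dn: cn=server_operators,ou=Groups,dc=mydomain,dc=lan
objectClass: sambaGroupMapping
gidNumber: 225
sambaSID: S-1-5-32-1541
sambaGroupType: 5

dn: cn=administrators,ou=Groups,dc=ehk,dc=lan
objectClass: sambaGroupMapping
gidNumber: 220
sambaSID: S-1-5-32-1441
sambaGroupType: 5
"""

if __name__ == "__main__":
    for problem in check_mappings(SAMPLE_LDIF):
        print(problem)
```

Run it as a script to see the two findings (server_operators should carry RID 1451 for gidNumber 225, and the administrators entry is not under dc=mydomain,dc=lan), or point `check_mappings` at the output of `ldapsearch -LLL` against your own directory. One caveat the check deliberately does not enforce: Windows itself only recognises the fixed RIDs under S-1-5-32 (for example 544 for Administrators, 548 to 552 for the operator groups and Replicator), so a GID-derived RID under that prefix is a Samba-side mapping and will not be treated by a Windows client as the real built-in alias.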
