[Samba] Initial samba + ldap howto
John Schmerold
john at katy.com
Mon Apr 12 16:33:32 GMT 2004
Wim,
Thanks for this information. Later this week, I'm scheduled to attempt
installation of SAMBA+LDAP using the by Example book. I'll let you know
how it goes. The by Example books seem better than the How-To in terms
of practical information needed to get a server up and running. The only
problem with the by Example book is that it's a bit long. In addition,
it does the same thing every other Linux book does, that is, it goes into
detail about too many approaches to doing things. When I searched for
the word Linux on Amazon, I came up with 3,735 books. I wish one of them
specifically outlined how to do what I want done, that is, a book that
helps me configure an SBS (Microsoft Small Business Server) replacement.
I may be missing something, but in essence it would be a series of books:
Replacing SBS with Linux (second edition):
1. Download & install Fedora
2. Install LDAP and configure for use with SAMBA & postfix
3. Download & install Samba
4. Download & install postfix/courier/squirrelmail
5. Download & install ClamAV/Spam Assassin/TDMA
6. Download & install Apache
7. Keeping system up to date with YUM
8. Appendix 1 - Updating first edition of this book
Replacing linksys with Linux
1. Configuring netfilter
2. Configuring VPN - Server
3. Configuring VPN - Client
4. Download & install dansguardian.
5. Configure PPPOE
There could be different books for different distributions. Most people
reading (myself included) don't care about many of the decisions. For
example I don't care about Fedora vs SUSE vs Debian, I am going with
Fedora at this time because I wanted ACLs found in Kernel 2.6. I don't
care about Courier vs Dovecot. I do care about LDAP because this is the
holy grail of system administration, with LDAP, you can have a central
address book / account store etc. just like NWAdmin or Domain manager.
John
Wim Bakker wrote:
>A couple of days ago I decided that I needed a samba and ldap
>setup. After reading the samba mailing list , specifically the
>thread "Re: [Samba] Samba and LDAP backend - howto docs problems?"
>I decided to buy the "Official Samba-3 HowTo and Reference Guide"
>(the Samba-3 By Example mentioned in that thread wasn't available
>in my bookstore and they couldn't order it for me either) expecting
>to find a workable example for a setup, as I made out more or less
>from the remarks in that thread there would be, chapter 2 specifically.
>That chapter has an example (page 26) but I wouldn't recommend to
>actually use it, it's very limited and inaccurate, lacks information
>of what more is needed, which additional system packages etc. It says
>in the beginning that a functioning os is assumed, but that's rather
>vague on what implies a functioning os. From page 136 on there are
>some more examples of ldap pwdbackend, but hardly sufficient.
> http://www.unav.es/cti/ldap-smb-howto.html contains some sketchy
>info on how to get samba-3 and ldap working, but that document seems
>to be incomplete and transitioning from samba-2 to samba-3.
>One of the posters on the aforementioned thread remarked that an accurate,
>complete into detail, config file is a great help for learning to grasp
>what has to be done , and how things work together, I agree and following
>are the steps I took to get a working samba-3 + ldap install. I hardly know
>anything of linux or samba, let alone ldap, but from the mailing list
>I understood that the following is necessary:
>A goal:
>get samba + ldap on slackware 9.1 with support for acl's in a usable
>state working.
>The means:
>slackware-9.1
>acl-2.2.22.src.tar.gz
>attr-2.4.14.src.tar.gz
>ea+acl+nfsacl+sec-2.4.24-0.8.69.diff.gz
>linux-2.4.24.tar.gz
>coreutils-5.0-attr+acl.tar.gz
>nss_ldap.tgz
>pam_ldap.tgz
>perl-5.8.3.tar.gz
>openldap-2.1.19.tgz
>ldap-account-manager_0.4.5.tar.gz
>Linux-PAM-0.77.tar.bz2
>openssl-0.9.7d.tar.gz
>db-4.2.52.tar.gz
>samba-3.0.2a.tar.gz
>smbldap-tools-0.8.4.tgz
>
>I made the following install and configs, I don't know
>how correct or secure or unnecessary they were, in the end
>I had a complete and correctly functioning ldap + samba setup,
>that was usable. It was especially frustrating to get the tls connection
>working, it kept failing with the following error:
>TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>s3_pkt.c:1052
>samba and ldap run on the same server. Besides the documented config
>for slapd: (etc/openldap/slapd.conf)
>TLSCertificateFile /etc/ssl/certs/smb.ahm.nl.pem
>TLSCertificateKeyFile /etc/ssl/keys/smb.ahm.nl.key
>TLSCACertificateFile /etc/ssl/certs/ca.pem
>quite important it is also that ldap knows how to verify:
>(/etc/ldap.conf symlink to /etc/openldap/ldap.conf):
>TLS_CACERT /etc/ssl/certs/ca.pem
>Maybe the documentation that exists mentions it, but I couldn't
>find it.
>http://www.idealx.org/prj/samba/smbldap-tools.en.html was eventually
>fairly helpful to get things right, including the initial populating
>of the ldap database. Their site mentions two config files in
>/etc/smbldap-tools, but I think that configuration is overruled by
>the file /usr/lib/perl5/site_perl/5.8.3/smbldap_conf.pm, which contains
>the same info as those config files. I moved the /etc/smbldap-tools away
>and everything still worked correctly with the parameters from
>/usr/lib/perl5/site_perl/5.8.3/smbldap_conf.pm.
>Also, I don't think pam_ldap is necessary if you don't have linux users.
>Anyways, if the following example had been in the howto, I wouldn't have
>wasted 4 days figuring out what was wrong/incomplete with the current example
>in the howto book, but could have spent that time figuring out what it all
>means. Everything comes from various websites, but there is no site where
>it is complete in one place.
>
>-slackware 9.1
>standard installation without samba and ldap etc. only basic + compiler +cups.
>
>-openssl-0.9.7d
>./config --prefix=/usr --openssldir=/etc/ssl shared zlib ; make ; make install
>
>-perl-5.8.3
>built with prefix=/usr , defaults accepted.
>perl -MCPAN -e 'shell'
>install Bundle::CPAN
>(chose follow for dependencies)
>install Net::LDAP
>install Net::SSLeay
>install IO::Socket::SSL
>
>Net::SSLeay failed because of out of memory
>during tcp tests (I built everything on a dual P233 MMX
>with 104Mb of edo-ram), but manually it installed fine.
>
>-Linux-PAM-0.77
>./configure --prefix=/ --includedir=/usr/include --mandir=/usr/share/man \
>--libexecdir=/usr/libexec --datadir=/usr/share --sysconfdir=/etc \
>--localstatedir=/var --infodir=/usr/share/info \
>--sharedstatedir=/usr/share/com
>make install
>
>/etc/pam.d/passwd :
>password required pam_cracklib.so
>password sufficient pam_ldap.so
>password sufficient pam_unix.so
>password required pam_deny.so
>/etc/pam.d/login
>auth required pam_nologin.so
>auth sufficient pam_ldap.so
>auth sufficient pam_unix.so shadow use_first_pass
>auth required pam_deny.so
>account sufficient pam_unix.so
>account sufficient pam_ldap.so
>account required pam_deny.so
>/etc/pam.d/system-auth:
>
>auth required /lib/security/pam_env.so
>auth sufficient /lib/security/pam_unix.so likeauth nullok
>auth sufficient /lib/security/pam_ldap.so use_first_pass
>auth required /lib/security/pam_deny.so
>account required /lib/security/pam_unix.so
>account sufficient /lib/security/pam_ldap.so
>password required /lib/security/pam_cracklib.so retry=3 type=
>password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
>password sufficient /lib/security/pam_ldap.so use_authtok
>password required /lib/security/pam_deny.so
>session required /lib/security/pam_limits.so
>session required /lib/security/pam_unix.so
>session optional /lib/security/pam_ldap.so
>
>-db-4.2.52
>../dist/configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
>--enable-compat185 --enable-cxx
>make and make install
>
>-openldap-2.1.x
>./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
>--enable-passwd --enable-perl --enable-shell --enable-crypt --enable-rewrite \
>--enable-ldap --enable-slapd --enable-dnssrv --enable-monitor \
>--enable-shared; make depend ; make ; make install
>
>-nss_ldap and pam_ldap
>./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
>--enable-shared
>make install
>/etc/nsswitch.conf:
>passwd: files ldap
>shadow: files ldap
>group: files ldap
>/etc/pam_ldap.conf:
>uri ldap://smb.ahm.nl/
>base dc=ahm,dc=nl
>pam_password exop
>------------------------
>TLS certs:
>% cd /etc/ssl
>% ./misc/CA.sh -newca
>CA certificate filename (or enter to create) <enter>
>
>etc...
>-----
>Country Name (2 letter code) [AU]:NL
>State or Province Name (full name) [Some-State]:Noordholland
>Locality Name (eg, city) []:Amsterdam
>Organization Name (eg, company) [Internet Widgits Pty Ltd]:AHM
>Organizational Unit Name (eg, section) []:Suckers from Hell
>Common Name (eg, YOUR name) []:smb.ahm.nl
>Email Address []:.
>%
>This creates demoCA/cacert.pem and demoCA/private/cakey.pem (CA cert and
>private key).
>
>Make your server certificate signing request (CSR):
>
>Country Name (2 letter code) [AU]:NL
>State or Province Name (full name) [Some-State]:Noordholland
>Locality Name (eg, city) []:Amsterdam
>Organization Name (eg, company) [Internet Widgits Pty Ltd]:AHM
>Organizational Unit Name (eg, section) []:Suckers from Hell
>Common Name (eg, YOUR name) []:smb.ahm.nl
>Email Address []:wastebin at office.desk
>
>% openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
>
>A challenge password []: <pass>
>An optional company name []:.
>% etc....
>
>The result is newreq.pem.
>
>Have the CA sign the CSR:
>
>% ./misc/CA.sh -sign
>Using configuration from /etc/ssl/openssl.cnf
>Enter PEM pass phrase: <ca pass>
>
>Certificate is to be certified until Apr 10 18:58:58 2004 GMT (365 days)
>Sign the certificate? [y/n]:y
>
>1 out of 1 certificate requests certified, commit? [y/n]y
>Write out database with 1 new entries
>Data Base Updated
>Certificate:
> etc....
>
>Signed certificate is in newcert.pem
>%
>
>This creates newcert.pem (server certificate signed by CA) with private key,
>newreq.pem.
>Now the certificates can be moved to the desired certificate repository and
>renamed.
>
>% cp demoCA/cacert.pem /etc/ssl/certs/ca.pem
>% mv newcert.pem /etc/ssl/certs/smb.ahm.nl.pem
>% mv newreq.pem /etc/ssl/keys/smb.ahm.nl.key
>% chmod 400 /etc/ssl/keys/smb.ahm.nl.key
>------------------
>slappasswd -v -s secret:
>{SSHA}O/K3UXbzgy6wmx+wx7hEuTn0MJTeOACw
>
>/etc/openldap/slapd.conf:
>#
># See slapd.conf(5) for details on configuration options.
># This file should NOT be world readable.
>#
>include /etc/openldap/schema/core.schema
>include /etc/openldap/schema/cosine.schema
>include /etc/openldap/schema/nis.schema
>include /etc/openldap/schema/inetorgperson.schema
>include /etc/openldap/schema/samba.schema
>pidfile /var/run/slapd.pid
>argsfile /var/run/slapd.args
>TLSCertificateFile /etc/ssl/certs/smb.ahm.nl.pem
>TLSCertificateKeyFile /etc/ssl/keys/smb.ahm.nl.key
>TLSCACertificateFile /etc/ssl/certs/ca.pem
>TLSCipherSuite EXPORT56
>database bdb
>suffix "dc=ahm,dc=nl"
>rootdn "cn=Manager,dc=ahm,dc=nl"
>rootpw {SSHA}O/K3UXbzgy6wmx+wx7hEuTn0MJTeOACw
>directory /var/openldap-data
>cachesize 40000
>index cn,sn,uid,displayName pres,sub,eq
>index uidNumber,gidNumber eq
>index sambaSID eq
>index sambaPrimaryGroupSID eq
>index sambaDomainName eq
>index default sub
>index memberUid eq
>index objectClass eq
>access to dn=".*,dc=ahm,dc=nl"
> by self write
> by * read
>
>
>-------------------------
>/etc/ldap.conf:
># LDAP Defaults
>#
>host 10.0.0.20
># See ldap.conf(5) for details
># This file should be world readable but not world writable.
>BASE dc=ahm,dc=nl
>#URI ldap://smb.ahm.nl
>nss_base_passwd dc=ahm,dc=nl?sub
>nss_base_shadow dc=ahm,dc=nl?sub
>nss_base_group dc=ahm,dc=nl?one
>ssl no
>pam_passwd md5
>TLS_CACERT /etc/ssl/certs/ca.pem
>------------------------------
>
>-acl-2.2.x and attr-2.4.x from sgi and kernel patches from bestbits.
>Build kernel with acl support etc. and libraries.
>patched and rebuilt the coreutils after that also.
>mount filesystems with acl,user_xattr options to have it work (ext2,ext3).
>
>-samba-3.0.2a
>./configure --with-automount --with-smbmount --with-acl-support \
>--with-libsmbclient --with-configdir=/etc/samba \
>--with-logfilebase=/var/log/samba --with-privatedir=/etc/samba/private \
>--with-lockdir=/var/lock/samba --with-piddir=/var/run --enable-cups \
>--with-ldap ; make install
>
>/etc/samba/smb.conf:
>[global]
> workgroup = AHM
> netbios name = LAVIE
> server string = Samba PDC running %v
> passdb backend = ldapsam:ldap://localhost
> username map = /etc/samba/smbusers
> encrypt passwords = Yes
> update encrypted = Yes
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
> logon script = logon.bat
> logon path = \\%L\profiles\%U
> logon drive = H:
> logon home = \\%L\%U\.profile
> domain logons = Yes
> os level = 255
> preferred master = Yes
> domain master = Yes
> local master = Yes
> wins support = Yes
> ldap suffix = dc=ahm,dc=nl
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=People
> ldap admin dn = "cn=Manager,dc=ahm,dc=nl"
> ldap ssl = start_tls
> ldap passwd sync = yes
> ldap delete dn = Yes
> idmap uid = 15000-20000
> idmap gid = 15000-20000
> winbind separator = +
>
>Still not sure what idmap uid and gid now exactly do, but the
>entries don't seem to be harmful up till now. The reference
>guide and howto explain it (page 151), but I don't understand
>that explanation or its implication. It doesn't seem to influence
>the UID_START GID_START parameters of the smbldap_tools or prevent
>the correct working of the net command, so I suppose it's ok to have
>them there.
>----------------------
>smbldap-tools.
>extracted to /usr/local/sbin
>moved smbldap_conf.pm and smbldap_tools.pm
>to /usr/lib/perl5/site_perl/5.8.3/
>built mkntpwd and moved to /usr/local/sbin.
>-------------------
>smbldap_conf.pm variables:
>$UID_START = 1000;
>$GID_START = 1000;
># to obtain this number do: "net getlocalsid"
>$SID = "S-1-5-21-4269728302-1655870493-3894479995";
>$slaveLDAP = "127.0.0.1";
>$slavePort = "389";
>
># Master LDAP : needed for write operations
># Ex: $masterLDAP = "127.0.0.1";
>$masterLDAP = "127.0.0.1";
>$masterPort = "389";
>
># Use SSL for LDAP
># If set to "1", this option will use start_tls for connection
># (you should also used the port 389)
>$ldapSSL = "1";
>$suffix = "dc=ahm,dc=nl";
>$usersou = q(People);
>$usersdn = "ou=People,$suffix";
>$computersou = q(Computers);
>$computersdn = "ou=Computers,$suffix";
>$groupsou = q(Groups);
>$groupsdn = "ou=Groups,$suffix";
>$scope = "sub";
>$hash_encrypt = "SSHA";
>$binddn = "cn=Manager,$suffix";
>$bindpasswd = "secret";
>$slaveDN = $binddn;
>$slavePw = $bindpasswd;
>$masterDN = $binddn;
>$masterPw = $bindpasswd;
>$_userLoginShell = q(/bin/false);
>$_userHomePrefix = q(/shares/home);
>$_userGecos = q(System User);
>$_defaultUserGid = 513;
>$_defaultComputerGid = 553;
>$_skeletonDir = q(/etc/skel);
>$_defaultMaxPasswordAge = 45;
>
>$_userSmbHome = q(\\\\LAVIE\\homes);
>$_userProfile = q(\\\\LAVIE\\profiles\\);
>$_userHomeDrive = q(H:);
>$_userScript = q(startup.cmd); # make sure script file is edited under dos
>$with_smbpasswd = 0;
>$smbpasswd = "/usr/local/samba/bin/smbpasswd";
>$mk_ntpasswd = "/usr/local/sbin/mkntpwd";
>$slaveURI = "ldap://$slaveLDAP:$slavePort";
>$masterURI = "ldap://$masterLDAP:$masterPort";
>
>$ldap_path = "/usr/bin";
>
>if ( $ldapSSL eq "0" ) {
> $ldap_opts = "-x";
>} elsif ( $ldapSSL eq "1" ) {
> $ldap_opts = "-x -Z";
>} else {
> die "ldapSSL option must be either 0 or 1.\n";
>}
>$ldapmodify = "$ldap_path/ldapmodify $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'";
>
>1;
>
># - The End
>#I think the $_userSmbHome and the $_userProfile should be
>#q(\\\\LAVIE\\$user) and q(\\\\LAVIE\\profiles\\$user) resp.
>#with the lam webinterface that gets correct.
>-----------------------------------
>
>Now starting /usr/libexec/slapd and /usr/local/samba/sbin/nmbd and
>/usr/local/samba/sbin/smbd.
>
>run:
>%smbpasswd -w secret
>%Setting stored password for "cn=Manager,dc=ahm,dc=nl" in secrets.tdb
>
>running smbldap_populate.pl fills ldap with the first initial
>entries:
>dn: sambaDomainName=AHM,dc=ahm,dc=nl
>sambaDomainName: AHM
>sambaSID: S-1-5-21-4269728302-1655870493-3894479995
>sambaAlgorithmicRidBase: 1000
>objectClass: sambaDomain
>sambaNextUserRid: 41000
>sambaNextGroupRid: 41001
>structuralObjectClass: sambaDomain
>entryUUID: 02deaf3c-2013-1028-860e-bb5268b7f8fd
>creatorsName: cn=Manager,dc=ahm,dc=nl
>createTimestamp: 20040411144816Z
>entryCSN: 2004041114:48:16Z#0x0001#0#0000
>modifiersName: cn=Manager,dc=ahm,dc=nl
>modifyTimestamp: 20040411144816Z
>etc...
>
>added to /etc/group:
>wheel:x:512:root,administrator
>smbusers:x:513:
>smbguests:x:514:
>exact:x:1000:
>
>net groupmap list:
>Domain Admins (S-1-5-21-4269728302-1655870493-3894479995-512) -> wheel
>Domain Users (S-1-5-21-4269728302-1655870493-3894479995-513) -> smbusers
>Domain Guests (S-1-5-21-4269728302-1655870493-3894479995-514) -> smbguests
>exact (S-1-5-21-4269728302-1655870493-3894479995-3001) -> exact
>
>smbldap-groupshow.pl exact:
>dn: cn=exact,ou=Groups,dc=ahm,dc=nl
>objectClass: posixGroup,sambaGroupMapping
>cn: exact
>gidNumber: 1000
>sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3001
>sambaGroupType: 4
>memberUid: gerrit,piet
>
>
>net rpc group LIST global -U administrator
>Password:
>Domain Admins
>Domain Users
>Domain Guests
>Administrators
>users
>Guests
>Power Users
>Account Operators
>Server Operators
>Print Operators
>Backup Operators
>Replicator
>Domain Computers
>
>smbldap-useradd.pl -a -G 'Domain Admins' -d /shares/home/thadeus -s /bin/false \
>-P -F '\\LAVIE\profiles\thadeus' -s 'Hermitage' -m -N "Thadeus Hermitage" \
>-C'\\LAVIE\thadeus' thadeus :
>adds thadeus to the domain admins and the domain users:
>dn: uid=thadeus,ou=People,dc=ahm,dc=nl
>objectClass: top
>objectClass: inetOrgPerson
>objectClass: posixAccount
>objectClass: sambaSamAccount
>cn: Thadeus Hermitage
>sn: Hermitage
>uid: thadeus
>uidNumber: 1004
>gidNumber: 513
>homeDirectory: /shares/home/thadeus
>loginShell: /bin/false
>gecos: System User
>description: System User
>structuralObjectClass: inetOrgPerson
>entryUUID: e3926754-20cb-1028-9934-bb74a2f96abc
>creatorsName: cn=Manager,dc=ahm,dc=nl
>createTimestamp: 20040412125141Z
>sambaLogonTime: 0
>sambaLogoffTime: 2147483647
>sambaKickoffTime: 2147483647
>sambaPwdCanChange: 0
>displayName: System User
>sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3008
>sambaPrimaryGroupSID: S-1-5-21-4269728302-1655870493-3894479995-513
>sambaHomeDrive: H:
>sambaLogonScript: startup.cmd
>sambaProfilePath: \\LAVIE\profiles\thadeus
>sambaHomePath: \\LAVIE\thadeus
>sambaLMPassword: 4411488B6354F2B8AAD3B435B51404EE
>sambaAcctFlags: [U]
>sambaNTPassword: 7E07C8CA84F5765D8B5DFCF7AC5CEE04
>sambaPwdLastSet: 1081774312
>sambaPwdMustChange: 1085662312
>userPassword:: e1NTSEF9R1FkakxPN1Bhc09OaEJQOXF5ZkNFN0dkOTBtTy96YjM=
>entryCSN: 2004041212:51:52Z#0x0002#0#0000
>modifiersName: cn=Manager,dc=ahm,dc=nl
>modifyTimestamp: 20040412125152Z
>
>and :
>dn: cn=Domain Admins,ou=Groups,dc=ahm,dc=nl
>objectClass: posixGroup
>objectClass: sambaGroupMapping
>gidNumber: 512
>cn: Domain Admins
>memberUid: Administrator
>memberUid: thadeus
>description: Netbios Domain Administrators
>sambaSID: S-1-5-21-4269728302-1655870493-3894479995-512
>sambaGroupType: 2
>displayName: Domain Admins
>structuralObjectClass: posixGroup
>entryUUID: 72f46890-2011-1028-8600-bb5268b7f8fd
>creatorsName: cn=Manager,dc=ahm,dc=nl
>createTimestamp: 20040411143705Z
>entryCSN: 2004041212:51:42Z#0x0001#0#0000
>modifiersName: cn=Manager,dc=ahm,dc=nl
>modifyTimestamp: 20040412125142Z
>
>ls -l /shares/home:
>drwx------+ 2 gerrit smbusers 4096 Apr 11 19:01 gerrit
>drwx------+ 2 hornie smbusers 4096 Apr 12 16:40 hornie
>drwx------+ 2 krelis smbusers 4096 Apr 11 20:58 krelis
>drwx------+ 2 thadeus smbusers 4096 Apr 12 14:51 thadeus
>
>The only necessity is still to add manually the groups
>for groupmapping to /etc/group, otherwise the users can't access the
>shares that are for groups accessible. I thought it would be
>enough to add the group smbusers to ldap with the same gid as
>"Domain Users" and that the entry in nsswitch.conf: group: files ldap,
>would do the rest , is not the case, though it is for users.
>Don't understand why or how.
>
>smbldap-groupadd.pl has the option -t , which is the grouptype, apparently
>this can take the following types, domain, local and builtin, which will
>be the sambaGroupType's 2, 4 and 5 which refer to, I think , the windows
>types:
> SID_NAME_USE_NONE = 0,/* NOTUSED */
> SID_NAME_USER = 1, /* user */
> SID_NAME_DOM_GRP = 2, /* domain group */
> SID_NAME_DOMAIN = 3, /* domain: don't know what this is */
> SID_NAME_ALIAS = 4, /* local group */
> SID_NAME_WKN_GRP = 5, /* well-known group */
> SID_NAME_DELETED = 6, /* deleted account: needed for c2 rating */
> SID_NAME_INVALID = 7, /* invalid account */
> SID_NAME_UNKNOWN = 8 /* oops. */
>as found on one of the websites.
>What one should choose when creating a group is not clear to me, I suppose
>that type 2 is a windows domain group , visible with windows tools and
>needs to be mapped to a unix group with the same gid to function.
>Type 4 is a local unixgroup and has no groupmapping but exists in the
>ldap database and in /etc/group with the same gid. Type 5 is a riddle.
>Hope this helps getting samba + ldap up and running a little faster
>than I did.
>
>WB
>
>
--
John Schmerold
Katy Computer Systems, Inc
20 Meramec Station Rd
Valley Park MO 63088
314-316-9000 v
775-227-6947 f
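The slapd.conf quoted in Wim's message ends with a single access directive, `access to dn=".*,dc=ahm,dc=nl" by self write by * read`, and the ldapsearch dumps later in the message show that every user entry carries `userPassword`, `sambaLMPassword` and `sambaNTPassword`. With that directive an anonymous bind can read all three; the LM and NT hashes in particular are what a Windows client presents at logon, so reading them is as good as knowing the password. The following is an added example, not code from the post or from the OpenLDAP or Samba projects: it parses the directive as quoted, models slapd's documented rule that the first matching `access to` clause wins and, inside it, the first matching `by` clause wins, and reports what an anonymous client gets on the password attributes. `POSTED_ACL` is copied from the message; `HARDENED_ACL`, `PASSWORD_ATTRS` and every function name are assumptions of this example.

```python
"""Audit slapd.conf 'access' directives for anonymous read access to the
attributes that hold credentials.

Added example, not code from the original post or from OpenLDAP/Samba.
POSTED_ACL is the directive quoted in the post; HARDENED_ACL, PASSWORD_ATTRS
and the function names are this example's own assumptions.
"""
import re

# Attributes carrying password material in a Samba + LDAP directory; all
# three appear in the ldapsearch output quoted in the post.
PASSWORD_ATTRS = ("userPassword", "sambaLMPassword", "sambaNTPassword")

# Access levels in increasing order of privilege (slapd.access(5)).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed sample: the directive exactly as it appears in the post.
POSTED_ACL = """
access to dn=".*,dc=ahm,dc=nl"
    by self write
    by * read
"""

# Constructed sample (assumption of this example): password attributes are
# restricted first; the catch-all keeps the rest readable so that nss_ldap
# lookups of posixAccount/posixGroup data still work.
HARDENED_ACL = """
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by dn="cn=Manager,dc=ahm,dc=nl" write
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by * read
"""


def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    rules = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            current = (line[len("access to "):].strip(), [])
            rules.append(current)
        elif line.startswith("by ") and current is not None:
            parts = line.split()
            # 'by <who> <level>'; the <who> tokens used here contain no spaces.
            current[1].append((parts[1], parts[-1]))
    return rules


def what_covers_attr(what, attr):
    """Does an 'access to <what>' clause apply to the given attribute?"""
    if what == "*":
        return True
    m = re.search(r"attrs=(\S+)", what)
    if m:
        return attr in m.group(1).split(",")
    # A dn=/filter= selector without attrs= covers every attribute of the
    # entries it matches; the post's dn regex matches the whole tree.
    return True


def anonymous_level(rules, attr):
    """Access level an unauthenticated (anonymous) bind gets on attr."""
    for what, clauses in rules:
        if not what_covers_attr(what, attr):
            continue
        for who, level in clauses:
            # 'self', 'users' and dn= selectors need an authenticated bind,
            # so an anonymous client only ever matches '*' or 'anonymous'.
            if who in ("*", "anonymous"):
                return level
        return "none"  # first matching <what> wins, even with no <who> hit
    return "none"


def audit(acl_text):
    """Map each password attribute to the level an anonymous bind gets."""
    rules = parse_acl(acl_text)
    return {attr: anonymous_level(rules, attr) for attr in PASSWORD_ATTRS}


def exposed_attrs(acl_text):
    """Password attributes an anonymous bind can read outright."""
    return [attr for attr, level in audit(acl_text).items()
            if LEVELS.index(level) >= LEVELS.index("read")]


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("hardened", HARDENED_ACL)):
        print(f"{name}: {audit(acl)} -> exposed: {exposed_attrs(acl)}")
```

Two points of context for the hardened ordering: `rootdn` (here `cn=Manager,dc=ahm,dc=nl`, which is also Samba's `ldap admin dn`) bypasses ACLs entirely, so Samba keeps working, and `by anonymous auth` still lets a client bind against `userPassword` without being able to read it; slapd has to be restarted to pick up the change.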
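The PAM files in Wim's message stack `pam_ldap.so` and `pam_unix.so` as `sufficient` between `required` modules, and the ordering decides behaviour: in `/etc/pam.d/passwd` the `required pam_cracklib.so` line comes first, so a weak password is refused even when the LDAP change itself would succeed, while in `/etc/pam.d/login` the trailing `required pam_deny.so` is what turns "neither backend accepted the user" into a failure. The following is an added example, not code from the post or from Linux-PAM: it walks the two stacks as quoted with the control-flag semantics from pam.conf(5) (`required` remembers a failure but keeps going, `requisite` fails at once, `sufficient` ends the stack with success unless a required module already failed, `optional` only counts when nothing else has set the result, and a stack that ends undecided fails). Module outcomes are supplied as a constructed dict; `run_stack`, `login_decision` and `passwd_decision` are names of this example.

```python
"""Walk a PAM stack with the classic control flags to show which module
outcomes let the 'login' and 'passwd' stacks quoted above succeed.

Added example, not code from the post or from Linux-PAM. The stacks are
copied from the post; module outcomes are a constructed dict (a real PAM run
would call the modules). Flag semantics follow pam.conf(5).
"""

# Constructed sample: the auth lines of /etc/pam.d/login from the post.
LOGIN_AUTH = """
auth required pam_nologin.so
auth sufficient pam_ldap.so
auth sufficient pam_unix.so shadow use_first_pass
auth required pam_deny.so
"""

# Constructed sample: /etc/pam.d/passwd from the post.
PASSWD_PASSWORD = """
password required pam_cracklib.so
password sufficient pam_ldap.so
password sufficient pam_unix.so
password required pam_deny.so
"""


def parse_stack(text, facility):
    """Return [(control, module)] for one facility, in file order.

    Accepts bare names and full paths such as /lib/security/pam_unix.so.
    """
    stack = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) >= 3 and parts[0] == facility:
            stack.append((parts[1], parts[2].rsplit("/", 1)[-1]))
    return stack


def run_stack(stack, results):
    """Evaluate a stack; results maps module -> True (success) / False.

    Returns (decision, modules_consulted). 'impression' mirrors Linux-PAM's
    undefined / positive / negative state as None / True / False.
    """
    impression = None
    consulted = []
    for control, module in stack:
        ok = results.get(module, False)  # an unlisted module counts as failing
        consulted.append(module)
        if control == "required":
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False  # remembered, but the stack keeps running
        elif control == "requisite":
            if not ok:
                return False, consulted
            if impression is None:
                impression = True
        elif control == "sufficient":
            if ok and impression is not False:
                return True, consulted
            # failure of a sufficient module is ignored
        elif control == "optional":
            if ok and impression is None:
                impression = True
        else:
            raise ValueError("unsupported control flag: " + control)
    return impression is True, consulted


def login_decision(ldap_ok, unix_ok, nologin_ok=True):
    """Outcome of the post's login auth stack for given module results."""
    results = {"pam_nologin.so": nologin_ok, "pam_ldap.so": ldap_ok,
               "pam_unix.so": unix_ok, "pam_deny.so": False}
    return run_stack(parse_stack(LOGIN_AUTH, "auth"), results)


def passwd_decision(cracklib_ok, ldap_ok, unix_ok=False):
    """Outcome of the post's passwd stack: cracklib gates the LDAP change."""
    results = {"pam_cracklib.so": cracklib_ok, "pam_ldap.so": ldap_ok,
               "pam_unix.so": unix_ok, "pam_deny.so": False}
    return run_stack(parse_stack(PASSWD_PASSWORD, "password"), results)


if __name__ == "__main__":
    print("LDAP user, good password:", login_decision(True, False))
    print("local user only:", login_decision(False, True))
    print("both backends refuse:", login_decision(False, False))
    print("/etc/nologin present:", login_decision(True, True, nologin_ok=False))
    print("weak new password, LDAP ok:", passwd_decision(False, True))
```

The consulted-module list is the useful part when reading such a stack: an LDAP user never reaches `pam_unix.so`, and a failed `required` module early in the stack still lets every later module run (so it can prompt or log) without any of them being able to grant access.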