[Samba] Initial samba + ldap howto

Marcus White 1midniterider at comcast.net
Tue Apr 13 02:08:34 GMT 2004


Check out... 

http://sapiens.wustl.edu/~sysmain/info/openldap/openldap_configure.html

for starters. Unless LDAP is configured properly nothing else will work.
Then go to this one

http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html

Marcus O.


On Mon, 2004-04-12 at 12:33, John Schmerold wrote:
> Wim,
> 
> Thanks for this information. Later this week, I'm scheduled to attempt 
> installation of SAMBA+LDAP using the by Example book. I'll let you know 
> how it goes. The by Example book seems better than the How-To in terms 
> of practical information needed to get a server up and running. The only 
> problem with the by Example book is that it's a bit long. In addition, 
> it does the same thing every other Linux book does, that is, it goes into 
> detail about too many approaches to doing things. When I searched for 
> the word Linux on Amazon, I came up with 3,735 books. I wish one of them 
> specifically outlined how to do what I want done, that is, a book that 
> helps me configure an SBS (Microsoft Small Business Server) replacement.
> 
> I may be missing something, but in essence it would be a series of books:
> Replacing SBS with Linux (second edition):
> 1. Download & install Fedora
> 2. Install LDAP and configure for use with SAMBA & postfix
> 3. Download & install Samba
> 4. Download & install postfix/courier/squirrelmail
> 5. Download & install ClamAV/Spam Assassin/TDMA
> 6. Download & install Apache
> 7. Keeping system up to date with YUM
> 8. Appendix 1 - Updating first edition of this book
> Replacing linksys with Linux
> 1. Configuring netfilter
> 2. Configuring VPN - Server
> 3. Configuring VPN - Client
> 4. Download & install dansguardian.
> 5. Configure PPPOE
> 
> There could be different books for different distributions. Most people 
> reading (myself included) don't care about many of the decisions. For 
> example, I don't care about Fedora vs SUSE vs Debian; I am going with 
> Fedora at this time because I wanted the ACLs found in kernel 2.6. I don't 
> care about Courier vs Dovecot. I do care about LDAP because this is the 
> holy grail of system administration: with LDAP, you can have a central 
> address book / account store etc. just like NWAdmin or Domain manager.
> 
> John
> 
> 
> 
> 
> Wim Bakker wrote:
> 
> >A couple of days ago I decided that I needed a samba and ldap
> >setup. After reading the samba mailing list, specifically the
> >thread "Re: [Samba] Samba and LDAP backend - howto docs problems?",
> >I decided to buy the "Official Samba-3 HowTo and Reference Guide"
> >(the Samba-3 By Example mentioned in that thread wasn't available
> >in my bookstore and they couldn't order it for me either), expecting
> >to find a workable example for a setup, as I made out more or less
> >from the remarks in that thread there would be, chapter 2 specifically.
> >That chapter has an example (page 26) but I wouldn't recommend
> >actually using it; it's very limited and inaccurate, and lacks information
> >on what more is needed, which additional system packages etc. It says
> >in the beginning that a functioning OS is assumed, but that's rather
> >vague on what a functioning OS implies. From page 136 on there are
> >some more examples of the ldap pwdbackend, but hardly sufficient.
> >http://www.unav.es/cti/ldap-smb-howto.html contains some sketchy
> >info on how to get samba-3 and ldap working, but that document seems
> >to be incomplete and transitioning from samba-2 to samba-3.
> >One of the posters on the aforementioned thread remarked that an accurate,
> >complete, detailed config file is a great help for learning to grasp
> >what has to be done and how things work together. I agree, and following
> >are the steps I took to get a working samba-3 + ldap install. I hardly know
> >anything of linux or samba, let alone ldap, but from the mailing list
> >I understood that the following is necessary:
> >A goal:
> >get samba + ldap  on slackware 9.1 with support for acl's in a usable
> >state working.
> >The means:
> >slackware-9.1
> >acl-2.2.22.src.tar.gz
> >attr-2.4.14.src.tar.gz
> >ea+acl+nfsacl+sec-2.4.24-0.8.69.diff.gz
> >linux-2.4.24.tar.gz
> >coreutils-5.0-attr+acl.tar.gz
> >nss_ldap.tgz
> >pam_ldap.tgz
> >perl-5.8.3.tar.gz
> >openldap-2.1.19.tgz
> >ldap-account-manager_0.4.5.tar.gz
> >Linux-PAM-0.77.tar.bz2
> >openssl-0.9.7d.tar.gz
> >db-4.2.52.tar.gz
> >samba-3.0.2a.tar.gz
> >smbldap-tools-0.8.4.tgz
> >
> >I made the following install and configs; I don't know
> >how correct or secure or unnecessary they were, but in the end 
> >I had a complete and correctly functioning ldap + samba setup
> >that was usable. It was especially frustrating to get the tls connection
> >working; it kept failing with the following error:
> >TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca 
> >s3_pkt.c:1052 
> >samba and ldap run on the same server. Besides the documented config
> >for slapd (/etc/openldap/slapd.conf):
> >TLSCertificateFile      /etc/ssl/certs/smb.ahm.nl.pem
> >TLSCertificateKeyFile   /etc/ssl/keys/smb.ahm.nl.key
> >TLSCACertificateFile    /etc/ssl/certs/ca.pem
> >it is also quite important that ldap knows how to verify
> >(/etc/ldap.conf symlink to /etc/openldap/ldap.conf):
> >TLS_CACERT /etc/ssl/certs/ca.pem
> >Maybe the documentation that exists mentions it, but I couldn't
> >find it. 
> >http://www.idealx.org/prj/samba/smbldap-tools.en.html was eventually
> >fairly helpful to get things right, including the initial populating
> >of the ldap database. Their site mentions two config files in 
> >/etc/smbldap-tools, but I think that configuration is overruled by
> >the file /usr/lib/perl5/site_perl/5.8.3/smbldap_conf.pm, which contains
> >the same info as those config files. I moved /etc/smbldap-tools away
> >and everything still worked correctly with the parameters from
> >/usr/lib/perl5/site_perl/5.8.3/smbldap_conf.pm.
> >Also, I don't think pam_ldap is necessary if you don't have linux users.
> >Anyways, if the following example would have been in the howto, I wouldn't
> >have wasted 4 days figuring out what was wrong/incomplete with the current
> >example in the howto book, but could have spent that time figuring out what
> >it all means. Everything comes from various websites, but there is no site
> >where it is complete in one place.
> >
> >-slackware 9.1 
> >standard installation without samba and ldap etc. only basic + compiler +cups.
> >
> >-openssl-0.9.7d
> >./config --prefix=/usr --openssldir=/etc/ssl shared zlib ; make ; make install
> >
> >-perl-5.8.3
> >built with prefix=/usr , defaults accepted.
> >perl -MCPAN -e 'shell'
> >install Bundle::CPAN
> >(chose follow for dependencies)
> >install Net::LDAP
> >install Net::SSLeay
> >install IO::Socket::SSL
> >
> >Net::SSLeay failed because of out of memory
> >during tcp tests (I built everything on a dual P233 MMX
> >with 104 MB of EDO RAM), but manually it installed fine.
> >
> >-Linux-PAM-0.77
> >./configure --prefix=/ --includedir=/usr/include --mandir=/usr/share/man \
> >--libexecdir=/usr/libexec --datadir=/usr/share --sysconfdir=/etc \
> >--localstatedir=/var --infodir=/usr/share/info \
> >--sharedstatedir=/usr/share/com
> >make install
> >
> >/etc/pam.d/passwd :
> >password    required      pam_cracklib.so
> >password    sufficient    pam_ldap.so
> >password    sufficient    pam_unix.so
> >password    required      pam_deny.so
> >/etc/pam.d/login
> >auth        required      pam_nologin.so
> >auth        sufficient    pam_ldap.so
> >auth        sufficient    pam_unix.so shadow use_first_pass
> >auth        required      pam_deny.so
> >account     sufficient    pam_unix.so
> >account     sufficient    pam_ldap.so
> >account     required      pam_deny.so
> >/etc/pam.d/system-auth:
> >
> >auth            required        /lib/security/pam_env.so
> >auth            sufficient      /lib/security/pam_unix.so likeauth nullok
> >auth            sufficient      /lib/security/pam_ldap.so use_first_pass
> >auth            required        /lib/security/pam_deny.so
> >account         required        /lib/security/pam_unix.so
> >account         sufficient      /lib/security/pam_ldap.so
> >password        required        /lib/security/pam_cracklib.so retry=3 type=
> >password        sufficient      /lib/security/pam_unix.so nullok use_authtok md5 shadow
> >password        sufficient      /lib/security/pam_ldap.so use_authtok
> >password        required        /lib/security/pam_deny.so
> >session         required        /lib/security/pam_limits.so
> >session         required        /lib/security/pam_unix.so
> >session         optional        /lib/security/pam_ldap.so
> >
> >-db-4.2.52
> >../dist/configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
> >--enable-compat185 --enable-cxx
> >make and make install
> >
> >-openldap-2.1.x
> >./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
> >--enable-passwd --enable-perl --enable-shell --enable-crypt --enable-rewrite \
> >--enable-ldap --enable-slapd --enable-dnssrv --enable-monitor \
> >--enable-shared ; make depend ; make ; make install
> >
> >-nss_ldap and pam_ldap
> >./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
> >--enable-shared
> >make install
> >/etc/nsswitch.conf:
> >passwd:         files ldap
> >shadow:         files ldap
> >group:          files ldap
> >/etc/pam_ldap.conf:
> >uri ldap://smb.ahm.nl/
> >base dc=ahm,dc=nl
> >pam_password exop
> >------------------------
> >TLS certs:
> >% cd /etc/ssl
> >% ./misc/CA.sh -newca 
> >CA certificate filename (or enter to create) <enter> 
> >
> >etc... 
> >----- 
> >Country Name (2 letter code) [AU]:NL 
> >State or Province Name (full name) [Some-State]:Noordholland
> >Locality Name (eg, city) []:Amsterdam
> >Organization Name (eg, company) [Internet Widgits Pty Ltd]:AHM 
> >Organizational Unit Name (eg, section) []:Suckers from Hell 
> >Common Name (eg, YOUR name) []:smb.ahm.nl 
> >Email Address []:. 
> >% 
> >This creates demoCA/cacert.pem and demoCA/private/cakey.pem (CA cert and 
> >private key). 
> >
> >Make your server certificate signing request (CSR): 
> >
> >Country Name (2 letter code) [AU]:NL 
> >State or Province Name (full name) [Some-State]:Noordholland
> >Locality Name (eg, city) []:Amsterdam
> >Organization Name (eg, company) [Internet Widgits Pty Ltd]:AHM 
> >Organizational Unit Name (eg, section) []:Suckers from Hell 
> >Common Name (eg, YOUR name) []:smb.ahm.nl 
> >Email Address []:wastebin at office.desk
> >
> >% openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem 
> >
> >A challenge password []: <pass> 
> >An optional company name []:. 
> >% etc....
> >
> >The result is newreq.pem. 
> >
> >Have the CA sign the CSR: 
> >
> >% ./misc/CA.sh -sign 
> >Using configuration from /etc/ssl/openssl.cnf 
> >Enter PEM pass phrase: <ca pass> 
> >
> >Certificate is to be certified until Apr 10 18:58:58 2004 GMT (365 days) 
> >Sign the certificate? [y/n]:y 
> > 
> >1 out of 1 certificate requests certified, commit? [y/n]y 
> >Write out database with 1 new entries 
> >Data Base Updated 
> >Certificate: 
> > etc....
> > 
> >Signed certificate is in newcert.pem 
> >%
> >
> >This creates newcert.pem (server certificate signed by CA) with private key, 
> >newreq.pem. 
> >Now the certificates can be moved to the desired certificate repository and 
> >renamed. 
> >
> >% cp demoCA/cacert.pem /etc/ssl/certs/ca.pem 
> >% mv newcert.pem /etc/ssl/certs/smb.ahm.nl.pem 
> >% mv newreq.pem /etc/ssl/keys/smb.ahm.nl.key 
> >% chmod 400 /etc/ssl/keys/smb.ahm.nl.key
> >------------------
> >slappasswd -v -s secret:
> >{SSHA}O/K3UXbzgy6wmx+wx7hEuTn0MJTeOACw
> >
> >/etc/openldap/slapd.conf:
> >#
> ># See slapd.conf(5) for details on configuration options.
> ># This file should NOT be world readable.
> >#
> >include         /etc/openldap/schema/core.schema
> >include         /etc/openldap/schema/cosine.schema
> >include         /etc/openldap/schema/nis.schema
> >include         /etc/openldap/schema/inetorgperson.schema
> >include         /etc/openldap/schema/samba.schema
> >pidfile         /var/run/slapd.pid
> >argsfile        /var/run/slapd.args
> >TLSCertificateFile      /etc/ssl/certs/smb.ahm.nl.pem
> >TLSCertificateKeyFile   /etc/ssl/keys/smb.ahm.nl.key
> >TLSCACertificateFile    /etc/ssl/certs/ca.pem
> >TLSCipherSuite         EXPORT56
> >database        bdb
> >suffix          "dc=ahm,dc=nl"
> >rootdn          "cn=Manager,dc=ahm,dc=nl"
> >rootpw          {SSHA}O/K3UXbzgy6wmx+wx7hEuTn0MJTeOACw
> >directory       /var/openldap-data
> >cachesize       40000
> >index           cn,sn,uid,displayName           pres,sub,eq
> >index           uidNumber,gidNumber             eq
> >index           sambaSID                        eq
> >index           sambaPrimaryGroupSID            eq
> >index           sambaDomainName                 eq
> >index           default                         sub
> >index memberUid     eq
> >index   objectClass     eq
> >access  to dn=".*,dc=ahm,dc=nl"
> >         by self                         write
> >         by *                            read
> >
> >
> >-------------------------
> >/etc/ldap.conf:
> ># LDAP Defaults
> >#
> >host 10.0.0.20
> ># See ldap.conf(5) for details
> ># This file should be world readable but not world writable.
> >BASE            dc=ahm,dc=nl
> >#URI            ldap://smb.ahm.nl
> >nss_base_passwd dc=ahm,dc=nl?sub
> >nss_base_shadow dc=ahm,dc=nl?sub
> >nss_base_group  dc=ahm,dc=nl?one
> >ssl             no
> >pam_passwd      md5
> >TLS_CACERT /etc/ssl/certs/ca.pem
> >------------------------------
> >
> >-acl-2.2.x and attr-2.4.x from sgi and kernel patches from bestbits.
> >Build kernel with acl support etc. and libraries. 
> >Patched and rebuilt the coreutils after that also.
> >Mount filesystems with acl,user_xattr options to have it work (ext2,ext3).
> >
> >-samba-3.0.2a
> >./configure --with-automount --with-smbmount --with-acl-support \
> >--with-libsmbclient --with-configdir=/etc/samba \
> >--with-logfilebase=/var/log/samba --with-privatedir=/etc/samba/private \
> >--with-lockdir=/var/lock/samba --with-piddir=/var/run --enable-cups \
> >--with-ldap ; make install
> >
> >/etc/samba/smb.conf:
> >[global]
> >        workgroup = AHM
> >        netbios name = LAVIE
> >        server string = Samba PDC running %v
> >        passdb backend = ldapsam:ldap://localhost
> >        username map = /etc/samba/smbusers
> >        encrypt passwords = Yes
> >        update encrypted = Yes
> >        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
> >        add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> >        add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> >        add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> >        add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> >        delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
> >        set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
> >        logon script = logon.bat
> >        logon path = \\%L\profiles\%U
> >        logon drive = H:
> >        logon home = \\%L\%U\.profile
> >        domain logons = Yes
> >        os level = 255
> >        preferred master = Yes
> >        domain master = Yes
> >        local master = Yes
> >        wins support = Yes
> >        ldap suffix = dc=ahm,dc=nl
> >        ldap machine suffix = ou=Computers
> >        ldap user suffix = ou=People
> >        ldap group suffix = ou=Groups
> >        ldap idmap suffix = ou=People
> >        ldap admin dn = "cn=Manager,dc=ahm,dc=nl"
> >        ldap ssl = start_tls
> >        ldap passwd sync = yes
> >        ldap delete dn = Yes
> >        idmap uid = 15000-20000
> >        idmap gid = 15000-20000
> >        winbind separator = +
> >
> >Still not sure what idmap uid and gid now exactly do, but the
> >entries don't seem to be harmful up till now. The reference
> >guide and howto explain it (page 151), but I don't understand 
> >that explanation or its implication. It doesn't seem to influence
> >the UID_START GID_START parameters of the smbldap_tools or prevent
> >the correct working of the net command, so I suppose it's ok to have
> >them there.
> >----------------------
> >smbldap-tools.
> >extracted to /usr/local/sbin
> >moved smbldap_conf.pm  and smbldap_tools.pm
> >to /usr/lib/perl5/site_perl/5.8.3/
> >built mkntpwd and moved to /usr/local/sbin.
> >-------------------
> >smbldap_conf.pm variables:
> >$UID_START = 1000;
> >$GID_START = 1000;
> ># to obtain this number do: "net getlocalsid"
> >$SID = "S-1-5-21-4269728302-1655870493-3894479995";
> >$slaveLDAP = "127.0.0.1";
> >$slavePort = "389";
> >
> ># Master LDAP : needed for write operations
> ># Ex: $masterLDAP = "127.0.0.1";
> >$masterLDAP = "127.0.0.1";
> >$masterPort = "389";
> >
> ># Use SSL for LDAP
> ># If set to "1", this option will use start_tls for connection
> ># (you should also used the port 389)
> >$ldapSSL = "1";
> >$suffix = "dc=ahm,dc=nl";
> >$usersou = q(People);
> >$usersdn = "ou=People,$suffix";
> >$computersou = q(Computers);
> >$computersdn = "ou=Computers,$suffix";
> >$groupsou = q(Groups);
> >$groupsdn = "ou=Groups,$suffix";
> >$scope = "sub";
> >$hash_encrypt = "SSHA";
> >$binddn = "cn=Manager,$suffix";
> >$bindpasswd = "secret";
> >$slaveDN = $binddn;
> >$slavePw = $bindpasswd;
> >$masterDN = $binddn;
> >$masterPw = $bindpasswd;
> >$_userLoginShell = q(/bin/false);
> >$_userHomePrefix = q(/shares/home);
> >$_userGecos = q(System User);
> >$_defaultUserGid = 513;
> >$_defaultComputerGid = 553;
> >$_skeletonDir = q(/etc/skel);
> >$_defaultMaxPasswordAge = 45;
> >
> >$_userSmbHome = q(\\\\LAVIE\\homes);
> >$_userProfile = q(\\\\LAVIE\\profiles\\);
> >$_userHomeDrive = q(H:);
> >$_userScript = q(startup.cmd); # make sure script file is edited under dos
> >$with_smbpasswd = 0;
> >$smbpasswd = "/usr/local/samba/bin/smbpasswd";
> >$mk_ntpasswd = "/usr/local/sbin/mkntpwd";
> >$slaveURI = "ldap://$slaveLDAP:$slavePort";
> >$masterURI = "ldap://$masterLDAP:$masterPort";
> >
> >$ldap_path = "/usr/bin";
> >
> >if ( $ldapSSL eq "0" ) {
> >        $ldap_opts = "-x";
> >} elsif ( $ldapSSL eq "1" ) {
> >        $ldap_opts = "-x -Z";
> >} else {
> >        die "ldapSSL option must be either 0 or 1.\n";
> >}
> >$ldapmodify = "$ldap_path/ldapmodify $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'";
> >
> >1;
> >
> ># - The End
> >#I think the  $_userSmbHome and the $_userProfile should be
> >#q(\\\\LAVIE\\$user) and q(\\\\LAVIE\\profiles\\$user) resp.
> >#with the lam webinterface that gets correct.
> >-----------------------------------
> >
> >Now starting /usr/libexec/slapd and /usr/local/samba/sbin/nmbd and
> >/usr/local/samba/sbin/smbd.
> >
> >run:
> >% smbpasswd -w secret
> >Setting stored password for "cn=Manager,dc=ahm,dc=nl" in secrets.tdb
> >
> >running smbldap_populate.pl fills ldap with the first initial
> >entries:
> >dn: sambaDomainName=AHM,dc=ahm,dc=nl
> >sambaDomainName: AHM
> >sambaSID: S-1-5-21-4269728302-1655870493-3894479995
> >sambaAlgorithmicRidBase: 1000
> >objectClass: sambaDomain
> >sambaNextUserRid: 41000
> >sambaNextGroupRid: 41001
> >structuralObjectClass: sambaDomain
> >entryUUID: 02deaf3c-2013-1028-860e-bb5268b7f8fd
> >creatorsName: cn=Manager,dc=ahm,dc=nl
> >createTimestamp: 20040411144816Z
> >entryCSN: 2004041114:48:16Z#0x0001#0#0000
> >modifiersName: cn=Manager,dc=ahm,dc=nl
> >modifyTimestamp: 20040411144816Z
> >etc...
> >
> >added to /etc/group:
> >wheel:x:512:root,administrator
> >smbusers:x:513:
> >smbguests:x:514:
> >exact:x:1000:
> >
> >net groupmap list:
> >Domain Admins (S-1-5-21-4269728302-1655870493-3894479995-512) -> wheel
> >Domain Users (S-1-5-21-4269728302-1655870493-3894479995-513) -> smbusers
> >Domain Guests (S-1-5-21-4269728302-1655870493-3894479995-514) -> smbguests
> >exact (S-1-5-21-4269728302-1655870493-3894479995-3001) -> exact
> >
> >smbldap-groupshow.pl exact:
> >dn: cn=exact,ou=Groups,dc=ahm,dc=nl
> >objectClass: posixGroup,sambaGroupMapping
> >cn: exact
> >gidNumber: 1000
> >sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3001
> >sambaGroupType: 4
> >memberUid: gerrit,piet
> >
> >
> >net rpc group LIST global -U administrator
> >Password:
> >Domain Admins
> >Domain Users
> >Domain Guests
> >Administrators
> >users
> >Guests
> >Power Users
> >Account Operators
> >Server Operators
> >Print Operators
> >Backup Operators
> >Replicator
> >Domain Computers
> >
> >smbldap-useradd.pl -a -G 'Domain Admins' -d /shares/home/thadeus -s /bin/false 
> >-P -F '\\LAVIE\profiles\thadeus' -s 'Hermitage' -m -N "Thadeus Hermitage" 
> >-C'\\LAVIE\thadeus' thadeus :
> >adds thadeus to the domain admins and the domain users:
> >dn: uid=thadeus,ou=People,dc=ahm,dc=nl
> >objectClass: top
> >objectClass: inetOrgPerson
> >objectClass: posixAccount
> >objectClass: sambaSamAccount
> >cn: Thadeus Hermitage
> >sn: Hermitage
> >uid: thadeus
> >uidNumber: 1004
> >gidNumber: 513
> >homeDirectory: /shares/home/thadeus
> >loginShell: /bin/false
> >gecos: System User
> >description: System User
> >structuralObjectClass: inetOrgPerson
> >entryUUID: e3926754-20cb-1028-9934-bb74a2f96abc
> >creatorsName: cn=Manager,dc=ahm,dc=nl
> >createTimestamp: 20040412125141Z
> >sambaLogonTime: 0
> >sambaLogoffTime: 2147483647
> >sambaKickoffTime: 2147483647
> >sambaPwdCanChange: 0
> >displayName: System User
> >sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3008
> >sambaPrimaryGroupSID: S-1-5-21-4269728302-1655870493-3894479995-513
> >sambaHomeDrive: H:
> >sambaLogonScript: startup.cmd
> >sambaProfilePath: \\LAVIE\profiles\thadeus
> >sambaHomePath: \\LAVIE\thadeus
> >sambaLMPassword: 4411488B6354F2B8AAD3B435B51404EE
> >sambaAcctFlags: [U]
> >sambaNTPassword: 7E07C8CA84F5765D8B5DFCF7AC5CEE04
> >sambaPwdLastSet: 1081774312
> >sambaPwdMustChange: 1085662312
> >userPassword:: e1NTSEF9R1FkakxPN1Bhc09OaEJQOXF5ZkNFN0dkOTBtTy96YjM=
> >entryCSN: 2004041212:51:52Z#0x0002#0#0000
> >modifiersName: cn=Manager,dc=ahm,dc=nl
> >modifyTimestamp: 20040412125152Z
> >
> >and :
> >dn: cn=Domain Admins,ou=Groups,dc=ahm,dc=nl
> >objectClass: posixGroup
> >objectClass: sambaGroupMapping
> >gidNumber: 512
> >cn: Domain Admins
> >memberUid: Administrator
> >memberUid: thadeus
> >description: Netbios Domain Administrators
> >sambaSID: S-1-5-21-4269728302-1655870493-3894479995-512
> >sambaGroupType: 2
> >displayName: Domain Admins
> >structuralObjectClass: posixGroup
> >entryUUID: 72f46890-2011-1028-8600-bb5268b7f8fd
> >creatorsName: cn=Manager,dc=ahm,dc=nl
> >createTimestamp: 20040411143705Z
> >entryCSN: 2004041212:51:42Z#0x0001#0#0000
> >modifiersName: cn=Manager,dc=ahm,dc=nl
> >modifyTimestamp: 20040412125142Z
> >
> >ls -l /shares/home:
> >drwx------+   2 gerrit   smbusers     4096 Apr 11 19:01 gerrit
> >drwx------+   2 hornie   smbusers     4096 Apr 12 16:40 hornie
> >drwx------+   2 krelis   smbusers     4096 Apr 11 20:58 krelis
> >drwx------+   2 thadeus  smbusers     4096 Apr 12 14:51 thadeus
> >
> >The only necessity is still to add manually the groups
> >for groupmapping to /etc/group; otherwise the users can't access the
> >shares that are accessible for groups. I thought it would be 
> >enough to add the group smbusers to ldap with the same gid as
> >"Domain Users" and that the entry in nsswitch.conf (group: files ldap)
> >would do the rest, but that is not the case, though it is for users. 
> >I don't understand why or how. 
> >
> >smbldap-groupadd.pl has the option -t, which is the group type; apparently
> >this can take the following types, domain, local and builtin, which will
> >be the sambaGroupTypes 2, 4 and 5 which refer to, I think, the windows
> >types:
> >         SID_NAME_USE_NONE = 0,/* NOTUSED */
> >         SID_NAME_USER    = 1, /* user */
> >         SID_NAME_DOM_GRP = 2, /* domain group */
> >         SID_NAME_DOMAIN  = 3, /* domain: don't know what this is */
> >         SID_NAME_ALIAS   = 4, /* local group */
> >         SID_NAME_WKN_GRP = 5, /* well-known group */
> >         SID_NAME_DELETED = 6, /* deleted account: needed for c2 rating */
> >         SID_NAME_INVALID = 7, /* invalid account */
> >         SID_NAME_UNKNOWN = 8  /* oops. */
> >as found on one of the websites.
> >What one should choose when creating a group is not clear to me. I suppose
> >that type 2 is a windows domain group, visible with windows tools, and
> >needs to be mapped to a unix group with the same gid to function. 
> >Type 4 is a local unix group and has no groupmapping but exists in the 
> >ldap database and in /etc/group with the same gid. Type 5 is a riddle.
> >Hope this helps getting samba + ldap up and running a little faster
> >than I did.
> >
> >WB 
> >  
> >
> 
> -- 
> John Schmerold
> Katy Computer Systems, Inc
> 20 Meramec Station Rd
> Valley Park MO 63088
> 314-316-9000 v
> 775-227-6947 f
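Added example, not part of the thread or of the smbldap-tools project: a small Python audit of the slapd.conf and ldap.conf pairing Wim posted above. It reproduces the "unknown ca" failure mode (client side missing TLS_CACERT), flags the EXPORT56 cipher suite, and flags the catch-all ACL, under which "by * read" lets any bind, anonymous included, read the sambaLMPassword/sambaNTPassword hashes that Samba stores in each account entry. The two config texts are constructed, trimmed copies; HARDENED_ACL and all function names are my own, and the TLS path comparison assumes, as in the post, that client and server are the same host.

```python
# Added example (not from the thread): constructed, trimmed copies of Wim's configs.
SLAPD_CONF = """\
TLSCACertificateFile    /etc/ssl/certs/ca.pem
TLSCipherSuite         EXPORT56
rootpw          {SSHA}O/K3UXbzgy6wmx+wx7hEuTn0MJTeOACw
access  to dn=".*,dc=ahm,dc=nl"
         by self                         write
         by *                            read
"""
# Hypothetical replacement ACL: the attrs= rule must come first, because
# slapd applies the first "access to" clause whose target matches the request.
HARDENED_ACL = """\
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to dn=".*,dc=ahm,dc=nl"
        by self write
        by * read
"""
LDAP_CONF_BROKEN = "host 10.0.0.20\nBASE  dc=ahm,dc=nl\nssl  no\n"
LDAP_CONF_FIXED = LDAP_CONF_BROKEN + "TLS_CACERT /etc/ssl/certs/ca.pem\n"
# Password-equivalent attributes Samba stores in each sambaSamAccount entry.
SECRET_ATTRS = ("userpassword", "sambalmpassword", "sambantpassword")


def parse_conf(text):
    """Return [(keyword, value)]; a line starting with whitespace continues
    the previous directive, as slapd.conf(5) and ldap.conf(5) specify."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and entries:
            key, val = entries[-1]
            entries[-1] = (key, val + " " + line.strip())
            continue
        parts = line.strip().split(None, 1)
        entries.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return entries


def secrets_protected(conf):
    """True only if an attrs= rule naming the hash attributes is reached
    before a catch-all clause; a catch-all first masks everything after it."""
    for key, val in conf:
        if key.lower() != "access":
            continue
        low = val.lower()
        if "attrs=" in low and any(a in low for a in SECRET_ATTRS):
            return True
        if "attrs=" not in low:
            return False
    return False


def audit_slapd(text):
    """Findings a reviewer would raise about this slapd.conf."""
    conf = parse_conf(text)
    findings = ["weak TLSCipherSuite: " + v for k, v in conf
                if k.lower() == "tlsciphersuite" and "export" in v.lower()]
    if not secrets_protected(conf):
        # "by * read" covers anonymous binds too, so the LM/NT hashes leak.
        findings.append("password hashes readable by any bind")
    return findings


def check_tls_trust(slapd_text, ldap_text):
    """'unknown ca' case (same-host heuristic): TLS_CACERT must match slapd's CA file."""
    server = {k.lower(): v for k, v in parse_conf(slapd_text)}
    client = {k.lower(): v for k, v in parse_conf(ldap_text)}
    client_ca = client.get("tls_cacert")
    if client_ca is None:
        return "ldap.conf lacks TLS_CACERT; clients cannot verify slapd"
    if client_ca != server.get("tlscacertificatefile"):
        return "TLS_CACERT does not match TLSCACertificateFile"
    return "ok"
```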


