[Samba] Samba/LDAP/PDC Questions

Paul Gienger pgienger at ae-solutions.com
Mon Jul 19 21:18:53 GMT 2004 

>        1. In what situtation do I need People group as the group for 
>machines?
>  
>
Always.  Until they fix the bug/design issue that is.

>        2. Should the PDC itself be in the ldap backend database?
>  
>
I haven't found a good reason that it 'has' to in my tests.

>        3. In the /etc/ldap.conf, if I turn on the nss staff, I cannot log 
>in to the dmain anymore. It said "User does not exist".
>  
>
Can you expand on this a bit more?  From what you've said (which isn't 
much) it almost sounds like you didn't have ldap working as the posix 
auth system before you layered on samba.

>Here are the specs of my setup:
>        Fedora 2 (kernel 2.6.5-1.358)
>        samba-3.0.3-5
>        openldap-2.1.29-1
>        smbldap-tools-0.8.5-1.1.fc2.dag
>
>########### /etc/samba/smb.conf #########################
>[global]
>        workgroup = ab
>        netbios name = pdc
>        username map = /etc/samba/smbusers
>        admin users= @"Domain Admins"
>        server string = Samba Server %v
>        security = user
>        encrypt passwords = Yes
>        min passwd length = 3
>        obey pam restrictions = No
>        ldap passwd sync = Yes
>        time server = Yes
>        mangling method = hash2
>
>        domain logons = Yes
>        os level = 65
>        preferred master = Yes
>        domain master = Yes
>        wins support = Yes
>        passdb backend = ldapsam:ldap://127.0.0.1/
>        ldap admin dn = cn=Manager,dc=ab,dc=com
>        ldap suffix = dc=ab,dc=com
>        ldap group suffix = ou=Groups
>        ldap user suffix = ou=Users
>        ldap machine suffix = ou=Computers
>        ldap idmap suffix = ou=Users
>        ldap ssl = no
>        add user script = /usr/sbin/smbldap-useradd -m "%u"
>        ldap delete dn = Yes
>        delete user script = /usr/sbin/smbldap-userdel "%u"
>        add machine script = /usr/sbin/smbldap-useradd -w "%u"
>        add group script = /usr/sbin/smbldap-groupadd -p "%g" 
>        delete group script = /usr/sbin/smbldap-groupdel "%g"
>        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" 
>"%g"
>        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>        preserve case = yes
>        short preserve case = yes
>        case sensitive = no
>
>[homes]
>        comment = repertoire de %U, %u
>        read only = No
>        create mask = 0644
>        directory mask = 0775
>        browseable = No
>
>[netlogon]
>        path = /home/netlogon/
>        browseable = No
>        read only = yes
>
>[profiles]
>        path = /home/profiles
>        read only = no
>        create mask = 0600
>        directory mask = 0700
>        browseable = No
>        guest ok = Yes
>        profile acls = yes
>        csc policy = disable
>        # next line is a great way to secure the profiles 
>        force user = %U 
>        # next line allows administrator to access all profiles 
>        valid users = %U "Domain Admins"
>
>##################### /etc/openldap/slap.conf 
>################################
>#
>include         /etc/openldap/schema/core.schema
>include         /etc/openldap/schema/cosine.schema
>include         /etc/openldap/schema/inetorgperson.schema
>include         /etc/openldap/schema/nis.schema
>include         /etc/openldap/schema/redhat/autofs.schema
>include         /etc/openldap/schema/samba.schema
>
>allow bind_v2
>pidfile /var/run/slapd.pid
>
>database        ldbm
>suffix          "dc=ab,dc=com"
>rootdn          "cn=Manager,dc=ab,dc=com"
>rootpw          some secret
>
>directory       /var/lib/ldap
>
>index objectClass                       eq,pres
>index ou,cn,mail,surname,givenname      eq,pres,sub
>index uidNumber,gidNumber,loginShell    eq,pres
>index uid,memberUid                     eq,pres,sub
>index nisMapName,nisMapEntry            eq,pres,sub
>
>##################### /etc/smbldap-tools/smbldap.conf 
>################################
>
>SID="S-1-5-21-324808091-3910462042-2848579765"
>
>slaveLDAP="127.0.0.1"
>slavePort="389"
>masterLDAP="127.0.0.1"
>masterPort="389"
>
>ldapTLS="0"
>
>suffix="dc=ab,dc=com"
>usersdn="ou=Users,${suffix}"
>computersdn="ou=Computers,${suffix}"
>groupsdn="ou=Groups,${suffix}"
>idmapdn="ou=Idmap,${suffix}"
>sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
>
>scope="sub"
>hash_encrypt="SSHA"
>crypt_salt_format="%s"
>
>userLoginShell="/bin/tcsh"
>userHome="/u/%U"
>userGecos="System User"
>defaultUserGid="513"
>defaultComputerGid="515"
>skeletonDir="/etc/skel"
>
>userSmbHome="\\pdc\%U"
>userProfile=""
>userHomeDrive="H:"
>
>with_smbpasswd="0"
>smbpasswd="/usr/bin/smbpasswd"
>
>######################## /etc/ldap.conf ################################
>#
>host 127.0.0.1
>base dc=ab,dc=com
># nss_base_passwd        ou=Users,dc=ab,dc=com?one
># nss_base_shadow        ou=Users,dc=ab,dc=com?one
># nss_base_group         ou=Group,dc=ab,dc=com?one
>ssl no
>pam_password md5
>
>--- Kang Sun
>
>
>
>  
>

-- 
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.         
Information Systems Consultant   Fax:    701-281-1322
URL: www.ae-solutions.com        mailto: pgienger at ae-solutions.com

More information about the samba mailing list