On Mon, 2005-02-07 at 18:43 -0500, David Trask wrote:
> Craig White <craigwhite at azapple.com> on Monday, February 7, 2005 at 6:27
> PM +0000 wrote:
> >1 - if you have root user in both /etc/passwd and DSA, you get errors in
> >ldap logs. You seem to have seized upon a configuration that is
> >knowingly imperfect but expedient for samba use. What happens if you
> >change root's password? which gets changed? who knows...probably depends
> >upon what client package is used to make the change. I only see
> >confusion here.
> >
> In all fairness to you, Craig, (and me) the guys at IDEALX who are putting
> together smbldap-tools actually wrote the Administrator user right into
> the default ldif that is populated when you run smbldap-populate.  It
> actually creates the Administrator user.  Running it with -a root  changes
> that user to root....which is proving to be a good thing.
again though...a choice of expediency when considering ldap in a context
primarily for use with samba and not a choice that facilitates a
good design for using ldap
>    So although it
> may be "naughty" a LOT of folks are handing out that advice and even
> building it into scripts.
people sell guns but they don't intend for people to shoot themselves.
>   I wanted to NOT have that be the thing that was
> causing problems in the smbldap-installer script we wrote.  Latest version
> (corrected the bugs) is located here (still gamma as it needs updated
> docs)  http://majen.net/smbldap-installer-1.2-gamma.tgz    (FC3 or K12LTSP
> 4.2 only at this point)
Every time I don't do something the right way, it invariably ends up
biting me later on.

If JHT recalls, shortly after samba 3.0.0 and RHEL 3.0 were released, I
endeavored to 'vampire' an NT4 server and take control over the existing
domain and asked tons of questions - most of them really dumb. JHT was
invaluable with his support.

I ended up creating a methodology to dump the ldap data after each
vampire attempt, adjusting the IDEALX scripts and running again. It
probably took 25 or 30 takes on it until I got it right. Adjusting the
items after the fact is really dicey.

To me, it is far more important to have a properly designed ldap setup
with effective acl's, the right settings for users, the right settings
for groups, that extends to other services such as mail, mod_authz_ldap,
etc. than it is to set the root user up in ldap with Administrator SID
because you haven't figured out how to make the permissions work for
joining systems to the domain or setting up service shares such as



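The problem Craig raises at the top of the thread (root defined in both /etc/passwd and the directory, so two sources claim the same account and it is unclear which password change lands where) is easy to check for before it causes confusion. The following is an added example, not code from the thread or from the IDEALX smbldap-tools: it parses a passwd(5) excerpt and an LDIF dump of the posixAccount entries and reports names present in both sources, plus numeric ids shared by different names. Both sample inputs are constructed for the example.

```python
import re

# Constructed sample inputs: a /etc/passwd excerpt and an LDIF excerpt of the
# kind smbldap-populate writes; neither is taken from the thread.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
dtrask:x:500:500:David:/home/dtrask:/bin/bash
"""

LDAP_LDIF = """\
dn: uid=root,ou=Users,dc=example,dc=org
objectClass: posixAccount
uid: root
uidNumber: 0

dn: uid=jsmith,ou=Users,dc=example,dc=org
objectClass: posixAccount
uid: jsmith
uidNumber: 500
"""

def parse_passwd(text):
    """Return {login_name: uidNumber} from passwd(5)-formatted lines."""
    accounts = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            accounts[fields[0]] = int(fields[2])
    return accounts

def parse_ldif_accounts(text):
    """Return {uid: uidNumber} for every posixAccount entry in an LDIF dump."""
    accounts = {}
    for entry in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in entry.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key, []).append(value.strip())
        if "posixAccount" in attrs.get("objectClass", []):
            accounts[attrs["uid"][0]] = int(attrs["uidNumber"][0])
    return accounts

def find_collisions(local, ldap):
    """Names present in both sources, and numeric ids shared by different names."""
    same_name = sorted(set(local) & set(ldap))
    same_number = sorted((lname, name) for lname, lnum in local.items()
                         for name, num in ldap.items() if lnum == num and lname != name)
    return {"name": same_name, "uidNumber": same_number}
```

On a live system the same comparison can be fed from `getent passwd` on a host that uses only files and from an LDAP dump of the users subtree.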