[Samba] 'ldap passwd sync' not working

Tony Earnshaw tonye at billy.demon.nl
Tue Feb 8 09:07:43 GMT 2005

John H Terpstra:

>>> The Samba-HOWTO-Collection is literally intended to be correct and
>>> capable of being followed literally! Please document what sucks and
>>> help us to improve our documentation. I encourage you to file a bug
>>> report with details of what needs to be fixed. You can file a bug
>>> report on https://bugzilla.samba.org
>> On the basis of what the Samba team has done over the years, its
>> availability and quality, it would be my bounden duty to do so.
>> However, this would mean a complete rewrite, producing a parallel doc
>> that omitted all reference to Samba V2 (with which I'm not familiar)
> What in goodness name are you referring to? The current Samba-3 HOWTO
> Collection is NOT written around Samba-2. The Samba-3 by Example book
> (Samba-Guide on the Samba Web Site) is entirely based on Samba-3. I must
> be missing something very seriously and must be completely confused.
> Please help me to understand your point.

I have no gripes with the official Samba docs as included in the Red Hat 
3.0.9 Samba srpm. Either the Terpstra docs or Jerry Carter's O'Reilly
book. They are very clear, accurate and to the point; much trouble has
been taken in compiling them, the English is perfect and there are no
spelling mistakes.

I *do* have a problem with Samba (v.3) PDC LDAP howto by Ignacio Coupeau
of CTI, University of Navarra. I've no idea where I got it from in the
first place; it isn't included with the Red Hat release. It is
diametrically the opposite to what I've just written about the official
Samba docs. I shall refer to it as "Navarra" in what follows.

I've constantly referred to this document in what I wrote, not to the
official Samba docs.

Unfortunately the official Samba docs do not cover ldapsam in any depth;
as a complete newbie, one can obviously not judge the worth of any doc
until one has followed that doc and attempted to put its content into

> If the documentation is as bad as you say it is we should withdraw it at
> once and not release it again until it is fixed.

> What are others opinions of this situation? Should we withdraw it at
> once?

You can't withdraw something you don't publish and for which you aren't

>> My basic point of criticism (I started with Samba 3.0.7, Openldap
>> V2.2.20)
>> after following the "HOWTO", finding out that it crippled my system and
> If the documentation is causing people to suffer crippled systems please
> accept my fullest apologies. That is really bad. Is this a generic
> problem? Have others suffered the same crippling because of misleading and
> bad documentation? Wow! This blows my mind!

I've been a Novell NDS (eDirectory) and Openldap person for years. I know
Openldap pretty well, use it for enterprise-size production and can
trouble-shoot it effectively. Navarra dictates that I possess that
propensity; following Navarra blindly will inevitably lead to crippled

>> asking myself how Samba/LDAP should be configured. For all of what
>> follows I used GQ 1.0.b1 (jump from www.biot.com), since it gives a
>> graphical representation of the DSA, drag'n drop is possible, making
>> experimenting a breeze, shows *all* mandatory and optional attributes in
>> different colors and gives sensible error reports when you do something
>> wrong:
> OK. Please give me wording to add to the documentation - or to replace
> bad and misleading sections of the existing documentation. All
> contributions will be gladly received.

I've already pointed out what didn't work and how to correct it. Since you
aren't responsible for it, you can't do much about it.

>> 1: under ou=smb, *no* groups called (cn=)"Domain Admins", "Domain
>> Guests" or "Domain Users" should be set up. cns with spaces in are not
>> liked by Openldap 2.2 and Samba makes a hash of them; furthermore Linux
>> doesn't like them. Anyway, these groups are NT groups and not Posix
>> groups and are defined in the *record* for the group, as defined in the
>> displayName attribute. Instead, under ou=smb, define 3 Posix groups
>> domadm, domguest and domuser. Give them regular, unique gidNumbers. For
>> domadm, set attribute displayName to Domain Admins, for domguest set
>> displayName to Domain Guests and domuser set displayName to Domain
>> Users. Make each group an objectClass member of sambaGroupMapping. Get
>> your local SID using 'net getlocalsid'. Give each group its SID as
>> defined in the regular Samba
> Is this really necessary? Why? How does this advice affect the greater
> picture?

I don't understand the question. It's important to use the correct local
SID and use system RIDs, as defined in the official Samba docs.

> Have you discussed this advice with Idealx? I am sure they would love to
> hear from you. My intent so far as documentation goes is to document what
> works and how it works. I am not out to write a full LDAP management
> system. Idealx are working on that - as are others.

I've not discussed it with anyone. I don't suppose Idealx is responsible
for Navarra. Navarra's English is bad, it's full of spelling mistakes and
it cripples systems. It mixes up Samba v2 and V3, such that only a
practised Openldap person can make any sense of it.

>> Into domadm, put cn=Administrator and cn=root as described in the
>> "HOWTO".
> Do not use both Administrator and 'root' - The current advice is to use
> only 'root' or 'Administrator' as the Windows and UNIX local admin
> account. Having both will result in ambiguous names that will break the
> ability to administer Samba. i.e.: If both Administrator and root have
> UID=0 (so both are UNIX admins) then Samba will not be able to resolve
> who is the real UID=0 owner.

I found out by trial and error that one needs root (uid=0) for operations
where Unix/Linux privileged system disk writes and administration are
necessary. There is *NO* way I'd give my Windows users (even those with
Windows domain privileges) access to an account with root privileges
(UID=0) on my Unix/Linux servers. I use Administrator for normal Windows
operations, UID=16, GID=5004, RID=500. Works fine.

>> objectClasses top, person, organizationalPerson, inetOrgPerson,
>> posixAccount and sambaSamAccount, Administrator can have any uidNumber
>> (I use a Red Hat "system" number, 16) and his gidNumber will be that of
>> domadm. root has to have uidNumber=0 and domadm's gidNumber.
>> Administrator's sambaSID is localsid+calculated RID as in the Samba
>> docs, sambaPrimaryGroupSID=localsid+512; root's sambaSID=localsid+502,
>> primary group SID=localsid+512.
> Whatever you call the Windows domain administrator account, it must have
> the correct RID=500. If it has anything else it will NOT be the domain
> administrator on the windows client. For the domain administrator on the
> Windows client to have UNIX admin rights the POSIX account must have
> UID=0.

O.k. See above.

> Translation from UID->SID, from SID->login_name, from login_name->UID,
> etc. must be unambiguous.

Obviously. Samba does a good job there.

> New to Samba-3.0.11, it is now possible to assign some administrative
> rights to users who are not administrator on either platform - but that is
> not at issue here.

I'll be trying out 3.0.11 soon.

>> When following the Navarra "HOWTO", 'net groupmap list' didn't work at
>> all, nor could I do a 'net rpc join'; that was what started me
>> experimenting. now it works as it should and I can do a 'net rpc join'.
> The Navarra HOWTO is not my direct concern, but if it is wrong and
> misleading we should advise the author to either withdraw it, or to
> correct it.

It should definitely be corrected and cleaned up. I can make a start on
it, but it will take me weeks, months, years.

>> Hope this helps someone, it cost me enough pain before it worked
>> properly for me.
> You have put the official Samba documentation in the position that it
> must be withdrawn until we can get it right. I will not rest until this
> issue is fully resolved. This is a very serious problem. Please help us to
> fix this.

I'm sorry if I gave this impression. My criticism has never been of the
official Samba documentation. Remember that thousands of people use it and
I've not seen any criticism yet.

Best, and thanks for taking what I wrote seriously :)


mail: tonye at billy.demon.nl
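The group/account layout the thread argues over (space-free Posix groups
under ou=smb carrying a sambaGroupMapping, the NT name in displayName,
group SIDs built from 'net getlocalsid' plus the well-known RIDs 512/513/514,
Administrator with RID 500, and Terpstra's warning that only one account may
hold uidNumber 0) as an added worked example. This is my code, not the
poster's and not part of Samba or the Navarra HOWTO. Assumed, because the
post does not give them: the local SID value, the base DN dc=example,dc=com,
the account DNs under ou=smb, and the gidNumbers of domuser and domguest.
The 2*id+1000 (users) and 2*id+1001 (groups) algorithmic RID mapping and the
well-known RIDs are Samba's documented defaults.

```python
"""Build the ou=smb group and account entries from the thread as LDIF and
sanity-check them before they go anywhere near ldapadd. Added example, not
code from the post or the Samba project; see the lead-in for assumptions."""
import re
from collections import Counter

WELL_KNOWN_GROUP_RID = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}
ADMINISTRATOR_RID = 500                 # well-known RID of the domain administrator
ALGORITHMIC_RID_BASE = 1000             # Samba default 'algorithmic rid base'
LOCAL_SID = "S-1-5-21-1122334455-2233445566-3344556677"   # constructed value
BASE_DN = "dc=example,dc=com"                             # assumed base DN

def user_rid(uid_number):
    """Samba's algorithmic uid->RID mapping (even RIDs)."""
    return 2 * uid_number + ALGORITHMIC_RID_BASE

def group_rid(gid_number):
    """Samba's algorithmic gid->RID mapping (odd RIDs)."""
    return 2 * gid_number + ALGORITHMIC_RID_BASE + 1

def posix_group(local_sid, cn, gid_number, display_name, member_uids=()):
    """Posix group under ou=smb with a sambaGroupMapping. The NT name lives in
    displayName so cn stays space-free; well-known NT groups get their fixed
    RID, any other group the algorithmic one."""
    rid = WELL_KNOWN_GROUP_RID.get(display_name, group_rid(gid_number))
    entry = {
        "dn": f"cn={cn},ou=smb,{BASE_DN}",
        "objectClass": ["top", "posixGroup", "sambaGroupMapping"],
        "cn": [cn], "gidNumber": [str(gid_number)], "displayName": [display_name],
        "sambaSID": [f"{local_sid}-{rid}"],
        "sambaGroupType": ["2"],        # 2 = domain group (mandatory in the schema)
    }
    if member_uids:
        entry["memberUid"] = list(member_uids)
    return entry

def samba_account(local_sid, cn, uid_number, gid_number, rid, primary_group_rid):
    """Account with the objectClasses the post lists; the RID is explicit so
    Administrator can be given the well-known 500."""
    return {
        "dn": f"cn={cn},ou=smb,{BASE_DN}",
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson",
                        "posixAccount", "sambaSamAccount"],
        "cn": [cn], "sn": [cn], "uid": [cn], "homeDirectory": [f"/home/{cn}"],
        "uidNumber": [str(uid_number)], "gidNumber": [str(gid_number)],
        "sambaSID": [f"{local_sid}-{rid}"],
        "sambaPrimaryGroupSID": [f"{local_sid}-{primary_group_rid}"],
    }

def to_ldif(entries):
    """Serialise entries as LDIF for 'ldapadd -x -D <rootdn> -W -f file.ldif'."""
    out = []
    for e in entries:
        out.append("dn: " + e["dn"])
        out.extend(f"{a}: {v}" for a, vals in e.items() if a != "dn" for v in vals)
        out.append("")
    return "\n".join(out)

def check(local_sid, entries):
    """Return a list of problems; an empty list means the set is consistent."""
    problems = []
    groups = [e for e in entries if "sambaGroupMapping" in e["objectClass"]]
    accounts = [e for e in entries if "sambaSamAccount" in e["objectClass"]]
    group_sids = {g["sambaSID"][0] for g in groups}
    uid0 = [a["dn"] for a in accounts if a["uidNumber"] == ["0"]]
    if len(uid0) > 1:                   # UID 0 -> SID -> name must be unambiguous
        problems.append("more than one account with uidNumber 0: " + ", ".join(uid0))
    for label, values in (("sambaSID", [e["sambaSID"][0] for e in entries]),
                          ("gidNumber", [g["gidNumber"][0] for g in groups]),
                          ("uidNumber", [a["uidNumber"][0] for a in accounts])):
        problems += [f"{label} {v} used {n} times" for v, n in Counter(values).items() if n > 1]
    for e in entries:
        if " " in e["cn"][0]:
            problems.append(f"{e['dn']}: cn contains a space")
        if not e["sambaSID"][0].startswith(local_sid + "-"):
            problems.append(f"{e['dn']}: sambaSID {e['sambaSID'][0]} is not under local SID")
    for g in groups:
        name, rid = g["displayName"][0], int(g["sambaSID"][0].rsplit("-", 1)[1])
        if name in WELL_KNOWN_GROUP_RID and WELL_KNOWN_GROUP_RID[name] != rid:
            problems.append(f"{g['dn']}: {name} must have RID {WELL_KNOWN_GROUP_RID[name]}")
    for a in accounts:
        if a["sambaPrimaryGroupSID"][0] not in group_sids:
            problems.append(f"{a['dn']}: sambaPrimaryGroupSID has no matching group")
    return problems

def build_entries(local_sid=LOCAL_SID):
    """The layout from the post: three Posix groups plus Administrator and root
    (gidNumbers 5005/5006 and RID 502 for root are the post's or assumed values)."""
    return [
        posix_group(local_sid, "domadm", 5004, "Domain Admins", ["Administrator", "root"]),
        posix_group(local_sid, "domuser", 5005, "Domain Users"),
        posix_group(local_sid, "domguest", 5006, "Domain Guests"),
        samba_account(local_sid, "Administrator", 16, 5004, ADMINISTRATOR_RID, 512),
        samba_account(local_sid, "root", 0, 5004, 502, 512),
    ]

if __name__ == "__main__":
    entries = build_entries()
    print(to_ldif(entries))
    print("problems:", check(LOCAL_SID, entries) or "none")
```

Run it once to see the LDIF; substitute the real output of 'net getlocalsid'
for LOCAL_SID before loading anything. The checker deliberately flags the two
things the thread disagrees on: a cn with spaces and a second uidNumber 0
account.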