[Samba] Samba/LDAP documentation

Craig White craigwhite at azapple.com
Sat Feb 12 21:39:21 GMT 2005

On Sat, 2005-02-12 at 19:18 +0100, Tony Earnshaw wrote:
> List, documenters;
> I'd like to exchange notes about the official Samba 3 LDAP doco.
> I'd like to do this off list, since doing it on list would simply confuse
> and confound users with perfectly working systems.
> Background:
> Me, Samba relative newbie, though I can get *everything* Samba-orientated
> to work simply by using umpteen years Unix experience. Many years as
> OpenLDAP admin. With Windows it's worse, since I'm beginning again after
> many years' absence - but it all works if I try hard enough and follow the
> docs (but more importantly my own intuition. Windows stinks, since changes
> in subversions nullify the experience gained in previous versions.
> However, we all knew that.
> OpenLDAP experience is a couple or three years long, BUT I'm not prepared
> to discuss *anything* prior to OL 2.2.17 (the present stable version as
> notified by OpenLDAP.org is 2.2.23). For example, Red Hat's 2.0.27 or
> 2.1.22 are unstable and will break on extended loading or extended uptime.
> Worst is, that with OL 2.0.27 there's no method of repairing
> sparse/corrupted databases other than with a rebuild from a dumped ldif;
> with Red Hat's 2.1.22 databases are guaranteed to become corrupted
> (Sleepycat BDB 4.1), though there is a way of repairing the DB (whilst the
> server is *down*). OL 2.2.17's and higher use patched Sleepycat's BDB
> 4.2.52, are mostly guaranteed against corruption (if correctly configured
> using DB_CONFIG) and even in the case of a corrupted DB (which I've
> *never* experienced, whatever) can be repaired.
> Samba's NT groups as documented in the HOWTO (Terpstra and Coupeau) are
> worthless. (Sorry JT). OL 2.2 doesn't like Unix GIDs or UIDs with spaces in
> their names (f.ex. "Domain Admins"). Worse, Linux doesn't like them. Worst
> of all, it looks like shit on an 'ls -l'. I have my own alternative method
> which works perfectly. That's what I'd like to discuss, off list. No, I
> haven't asked IDEALX, no I haven't consulted anyone else than Billy my
> Cat, my IT consultant. He's in perfect agreement with me - but then, he
> usually is, if he gets food and petting regularly.
Yeah, but how good is he at coding?

I am pretty much in agreement with your assessments, both in this
message and on previous messages but it's probably an exaggeration to
call the HOWTO with respect to groups as worthless.

What I find that I have issue with - and apparently so do you, is that
the official HOWTO tends to view LDAP in a vacuum with respect to samba
and that is too expedient to be practical for those who have implemented
LDAP already and not entirely cooperative with Unix/Linux tools when you
use the names such as "Domain Admins" etc. The documentation in the
HOWTO does tell you how to assign windows type "Domain Users" to Unix
"dom_users" via group map commands and it took me some time to figure
out that the intent is to create an object in the DSA like this...

# dom_users, Groups, azapple.com
dn: cn=dom_users,ou=Groups,dc=azapple,dc=com
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: dom_users
gidNumber: 500
memberUid: craig
memberUid: jennifer
memberUid: holly
sambaGroupType: 2
sambaSID: S-1-5-21-9999999999-9999999999-9999999999-513
description: Netbios Domain Users
displayName: Domain Users

where the group map command puts the windows name for the group into the
'displayName' attribute and obviously the RID is important in this case.
In fact, Windows needs the sambaSID to be right, the displayName to be
consistent with the expectations of an experienced Windows administrator
and this setup permits sanity when dealing with the posix type
attributes as well.
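As an added illustration (not code from the message, the Samba HOWTO or IDEALX), the following script parses an LDIF dump and checks each sambaGroupMapping entry for the consistency points discussed above: that the sambaSID sits under the expected domain SID, that a well-known RID such as 513 carries the matching displayName, that sambaGroupType is 2 (a domain group), and that the posix cn has no whitespace. The well-known RID table (512/513/514) and group type value are assumed from standard Samba/Windows conventions; the sample LDIF is the entry quoted in the message with its placeholder domain SID, and the function names are the script's own.

```python
"""Consistency checks for sambaGroupMapping entries in an LDIF dump.

Added example, not part of the Samba documentation or the list thread.
Assumptions (labelled): RIDs 512/513/514 and sambaGroupType 2 are the
standard Samba/NT values; the sample LDIF is the entry from the message,
including its placeholder domain SID.
"""
import re

# Well-known NT group RIDs (assumed from standard Samba/Windows conventions).
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
DOMAIN_GROUP_TYPE = 2  # sambaGroupType value for a domain (global) group

# Constructed sample input: the entry quoted in the message, placeholder SID kept.
SAMPLE_LDIF = """\
# dom_users, Groups, azapple.com
dn: cn=dom_users,ou=Groups,dc=azapple,dc=com
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: dom_users
gidNumber: 500
memberUid: craig
memberUid: jennifer
memberUid: holly
sambaGroupType: 2
sambaSID: S-1-5-21-9999999999-9999999999-9999999999-513
description: Netbios Domain Users
displayName: Domain Users
"""


def _to_entry(lines):
    """Turn one entry's 'attr: value' lines into {attr_lower: [values]}."""
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def parse_ldif(text):
    """Minimal LDIF reader: comments, blank-line separators, folded lines.

    Base64 (':: ') values are not decoded; they are not needed here."""
    entries, lines = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip() == "":                # blank line ends an entry
            if lines:
                entries.append(_to_entry(lines))
                lines = []
        elif not raw.startswith("#"):
            lines.append(raw)
    if lines:
        entries.append(_to_entry(lines))
    return entries


def check_group_mapping(entry, domain_sid):
    """Return a list of problems found in one sambaGroupMapping entry."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if not {"posixgroup", "sambagroupmapping"} <= classes:
        problems.append("missing posixGroup/sambaGroupMapping objectClass")
    cn = entry.get("cn", [""])[0]
    if re.search(r"\s", cn):                   # the thread's main complaint
        problems.append(f"cn {cn!r} contains whitespace; Unix tools will misbehave")
    gid = entry.get("gidnumber", [""])[0]
    if not gid.isdigit():
        problems.append(f"gidNumber {gid!r} is not numeric")
    gtype = entry.get("sambagrouptype", [""])[0]
    if gtype != str(DOMAIN_GROUP_TYPE):
        problems.append(f"sambaGroupType {gtype!r} is not {DOMAIN_GROUP_TYPE} (domain group)")
    sid = entry.get("sambasid", [""])[0]
    m = re.fullmatch(re.escape(domain_sid) + r"-(\d+)", sid)
    if not m:
        problems.append(f"sambaSID {sid!r} is not under domain SID {domain_sid}")
        return problems
    rid = int(m.group(1))
    expected = WELL_KNOWN_RIDS.get(rid)
    display = entry.get("displayname", [""])[0]
    if expected and display != expected:     # RID and Windows name must agree
        problems.append(f"RID {rid} is {expected!r} but displayName is {display!r}")
    return problems


def audit(ldif_text, domain_sid):
    """Map each sambaGroupMapping entry's dn to its list of problems."""
    report = {}
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "sambagroupmapping" in classes:
            report[entry["dn"][0]] = check_group_mapping(entry, domain_sid)
    return report


if __name__ == "__main__":
    domain = "S-1-5-21-9999999999-9999999999-9999999999"  # placeholder from the message
    for dn, probs in audit(SAMPLE_LDIF, domain).items():
        print(dn, "OK" if not probs else probs)
```

Run it against `ldapsearch -LLL ... '(objectClass=sambaGroupMapping)'` output with your real domain SID (from `net getlocalsid`) in place of the placeholder; an empty problem list per dn means the posix side and the Windows side of each mapping agree.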

I found the IDEALX scripts interesting in that they create the necessary
groups for Windows to be happy but obstructive if you try to use those
groups added to the DSA because of the erratic behavior of various
utilities dealing with group names such as "Domain Users". Thus, I
haven't used them since my early fumbling. Whether you choose to
populate your base with the IDEALX script or do 'net rpc vampire' you
will bring these groups into your DSA and you will have to deal with
them or not deal with them as you see fit.

Interestingly enough, I used Gerry Carter's LDAP book which deals with
LDAP first and then how to integrate samba (of course, this was 2.2 when
the book was published) which is clearly the approach that you and I have

There was a brief exchange last week where John Terpstra took me to task
for expressing my opinion that root should not be used in the DSA at all
which goes against his advice and against the current Samba
documentation but Gerry Carter piped in with his agreement to my point
of view so evidently, there is a fundamental disagreement between them
that hasn't been resolved with clarity for us lowly and less
sophisticated users. 

I guess I have come to the conclusion that the current documentation
(I'm mostly referring to the HOWTO since I haven't studied the 'by
Example' stuff) is geared towards LDAP used in a vacuum with Samba with
the assumption that an experienced LDAP Administrator will be able to
integrate samba into the existing DSA without resorting to the expedient
methods described in the HOWTO. Perhaps there needs to be a section for
using samba with LDAP for the novice LDAP administrator and a section
for integrating samba into your existing DSA for the more sophisticated
and experienced administrators.

I think it would be best to keep this exchange on list as it does
provide clarity for all who wish to consider the implications of their
setups and the ability to find this info in the archive.
