[Samba] Samba/LDAP documentation
John H Terpstra
jht at samba.org
Sat Feb 12 22:38:33 GMT 2005
On Saturday 12 February 2005 14:39, Craig White wrote:
> I am pretty much in agreement with your assessments, both in this
> message and on previous messages but it's probably an exaggeration to
> call the HOWTO with respect to groups as worthless.
> What I find that I have issue with - and apparently so do you, is that
> the official HOWTO tends to view LDAP in a vacuum with respect to samba
> and that is too expedient to be practical for those who have implemented
> LDAP already and not entirely cooperative with Unix/Linux tools when you
> use the names such as "Domain Admins" etc. The documentation in the
> HOWTO does tell you how to assign windows type "Domain Users" to Unix
> "dom_users" via group map commands and it took me some time to figure
> out that the intent is to create an object in the DSA like this...
The Samba-HOWTO-Collection has the objective to document the methods by which
core features of Samba can be used. It does not aim to document example
deployments. By its very nature the Samba-HOWTO-Collection is an eclectic
collection of snippets that document techniques and approaches. Very little
of the HOWTO document provides a complete compendium of deployment guidance -
The purpose of the HOWTO sections on Samba use with LDAP is deliberately
intent on providing minimal guidance. It is not a tutorial on LDAP and never
The Samba-3 by Example book was written with the intent that it should fully
document example network solutions. There is room for a chapter that could
cover integration of Samba with a pre-existing LDAP server. I would welcome
such a chapter being submitted for inclusion.
> # dom_users, Groups, azapple.com
> dn: cn=dom_users,ou=Groups,dc=azapple,dc=com
> objectClass: posixGroup
> objectClass: top
> objectClass: sambaGroupMapping
> cn: dom_users
> gidNumber: 500
> memberUid: craig
> memberUid: jennifer
> memberUid: holly
> sambaGroupType: 2
> sambaSID: S-1-5-21-9999999999-9999999999-9999999999-513
> description: Netbios Domain Users
> displayName: Domain Users
> where the group map command puts the windows name for the group into the
> 'displayName' attribute and obviously the RID is important in this case.
> In fact, Windows needs the sambaSID to be right, the displayName to be
> consistent with the expectations of an experienced Windows administrator
> and this setup permits sanity when dealing with the posix type
> attributes as well.
> I found the IDEALX scripts interesting in that they create the necessary
> groups for Windows to be happy but obstructive if you try to use those
> groups added to the DSA because of the erratic behavior of various
> utilities dealing with group names such as "Domain Users". Thus, I
> haven't used them since my early fumbling. Whether you choose to
> populate your base with the IDEALX script or do 'net rpc vampire' you
> will bring these groups into your DSA and you will have to deal with
> them or not deal with them as you see fit.
Again, right on!
> Interestingly enough, I used Gerry Carter's LDAP book which deals with
> LDAP first and then how to integrate samba (of course, this was 2.2 when
> book was published) which is clearly the approach that you and I have
Neither of the Samba documents in any way is meant to provide any form of
introductory coverage of LDAP. Jerry's book is a good book - I recommend it.
I believe that Samba documentation is not the right place for LDAP basic
training. If the common consensus differs from this I am happy to receive
basic introductory LDAP info for inclusion in the document.
> There was a brief exchange last week where John Terpstra took me to task
> for expressing my opinion that root should not be used in the DSA at all
> which goes against his advice and against the current Samba
That is not quite my recollection, Craig.
I was addressing the need for unambiguous resolution of UIDs and GIDs to SIDs,
and login IDs.
If you are using LDAP and a version of Samba prior to 3.0.11 then the root
account needs to be in LDAP also. Personally speaking, this freaks me out
because I dislike having system accounts in LDAP. I believe Jerry and I are
actually in agreement here.
Jerry chimed in to point out that with the privileges code that is new to
Samba-3.0.11 you no longer need the root account. The core of this
functionality is documented in the current on-line version of the
Samba-HOWTO-Collection in chapter 12.
> documentation but Gerry Carter piped in with his agreement to my point
> of view so evidently, there is a fundamental disagreement between them
> that hasn't been resolved with clarity for us lowly and less
> sophisticated users.
Please go back and re-read my comments and Jerry's - we are in total agreement
on not putting system accounts in LDAP. Why are we being mis-interpreted
> I guess I have come to the conclusion that the current documentation
> (I'm mostly referring to the HOWTO since I haven't studied the 'by
> Example' stuff) is geared towards LDAP used in a vacuum with Samba with
> the assumption that an experienced LDAP Administrator will be able to
> integrate samba into the existing DSA without resorting to the expedient
> methods described in the HOWTO. Perhaps there needs to be a section for
> using samba with LDAP for the novice LDAP administrator and a section
> for integrating samba into your existing DSA for the more sophisticated
> and experienced administrators.
Craig, are you offering to write that? It is welcome, and it is time we fix
whatever problem people keep complaining about. I'm tired of complaints - I
want fixes. Will someone please write a silver bullet update so we can get on
with life. Please! Pretty please.
Anyone who can write the magic update that clears the air so we can all breathe
again will be eulogised with attribution in neon lights. Honest! :)
> I think it would be best to keep this exchange on list as it does
> provide clarity for all who wish to consider the implications of their
> setups and the ability to find this info in the archive.
You really have high hopes!
I spent a year writing and judging from the mail I get it is all wrong and of
Other than using this information myself in real deployments and thus seeing
it work, it appears to me that none of us will ever get it right. There is no
hope for anyone who writes documentation! Let's have a public flogging - it
is a just reward for the documenter. :) PS: That was sarcastic humor to be
- John T.
John H Terpstra
Phone: +1 (650) 580-8668
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
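An added consistency check for the kind of sambaGroupMapping entry quoted in this thread (example code, not from the thread, the HOWTO or Samba itself). It assumes the placeholder domain SID from the quoted entry, and uses the standard Windows well-known RIDs 512, 513 and 514 for Domain Admins, Domain Users and Domain Guests; the thread itself only mentions 513.

```python
"""Sanity-check a sambaGroupMapping LDIF entry before it goes into the DSA."""
import re
# Well-known RIDs Windows expects for the built-in domain groups
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}
DOMAIN_GROUP_TYPE = "2"  # sambaGroupType 2 = domain group (what 'net groupmap' sets)

def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute: [values]}, skipping comments."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def check_group_mapping(entry, domain_sid):
    """Return a list of problems; an empty list means the mapping is consistent."""
    problems = []
    classes = set(entry.get("objectClass", []))
    for needed in ("posixGroup", "sambaGroupMapping"):
        if needed not in classes:
            problems.append(f"missing objectClass {needed}")
    sid = entry.get("sambaSID", [""])[0]
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)", sid)
    if not m:
        return problems + [f"malformed sambaSID {sid!r}"]
    prefix, rid = m.group(1), int(m.group(2))
    if prefix != domain_sid:  # the group SID must hang off this domain's SID
        problems.append(f"sambaSID is in domain {prefix}, expected {domain_sid}")
    name = entry.get("displayName", [""])[0]
    expected = WELL_KNOWN_RIDS.get(name)
    if expected is not None and rid != expected:  # Windows resolves the name by RID
        problems.append(f"{name!r} must use RID {expected}, found {rid}")
    if entry.get("sambaGroupType", [""])[0] != DOMAIN_GROUP_TYPE:
        problems.append("sambaGroupType should be 2 for a domain group")
    return problems

# Constructed sample modelled on the entry quoted in the thread (placeholder domain SID)
SAMPLE_LDIF = """\
dn: cn=dom_users,ou=Groups,dc=azapple,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 500
sambaGroupType: 2
sambaSID: S-1-5-21-9999999999-9999999999-9999999999-513
displayName: Domain Users
"""
DOMAIN_SID = "S-1-5-21-9999999999-9999999999-9999999999"
if __name__ == "__main__":
    print(check_group_mapping(parse_ldif_entry(SAMPLE_LDIF), DOMAIN_SID) or "mapping OK")
```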