[Samba] Samba/LDAP documentation

John H Terpstra jht at samba.org
Sat Feb 12 22:38:33 GMT 2005

On Saturday 12 February 2005 14:39, Craig White wrote:
> I am pretty much in agreement with your assessments, both in this
> message and on previous messages but it's probably an exaggeration to
> call the HOWTO with respect to groups as worthless.
> What I find that I have issue with - and apparently so do you, is that
> the official HOWTO tends to view LDAP in a vacuum with respect to samba
> and that is too expedient to be practical for those who have implemented
> LDAP already and not entirely cooperative with Unix/Linux tools when you
> use the names such as "Domain Admins" etc. The documentation in the
> HOWTO does tell you how to assign windows type "Domain Users" to Unix
> "dom_users" via group map commands and it took me some time to figure
> out that the intent is to create an object in the DSA like this...

The Samba-HOWTO-Collection has the objective to document the methods by which 
core features of Samba can be used. It does not aim to document example 
deployments. By its very nature the Samba-HOWTO-Collection is an eclectic 
collection of snippets that document techniques and approaches. Very little 
of the HOWTO document provides a complete compendium of deployment guidance - 
if any!

The purpose of the HOWTO sections on Samba use with LDAP is deliberately 
intent on providing minimal guidance. It is not a tutorial on LDAP and never 
will be.

The Samba-3 by Example book was written with the intent that it should fully 
document example network solutions. There is room for a chapter that could 
cover integration of Samba with a pre-existing LDAP server. I would welcome 
such a chapter being submitted for inclusion.

> # dom_users, Groups, azapple.com
> dn: cn=dom_users,ou=Groups,dc=azapple,dc=com
> objectClass: posixGroup
> objectClass: top
> objectClass: sambaGroupMapping
> cn: dom_users
> userPassword::
> gidNumber: 500
> memberUid: craig
> memberUid: jennifer
> memberUid: holly
> sambaGroupType: 2
> sambaSID: S-1-5-21-9999999999-9999999999-9999999999-513
> description: Netbios Domain Users
> displayName: Domain Users
>
> where the group map command puts the windows name for the group into the
> 'displayName' attribute and obviously the RID is important in this case.
> In fact, Windows needs the sambaSID to be right, the displayName to be
> consistent with the expectations of an experienced Windows administrator
> and this setup permits sanity when dealing with the posix type
> attributes as well.

Right on!

> I found the IDEALX scripts interesting in that they create the necessary
> groups for Windows to be happy but obstructive if you try to use those
> groups added to the DSA because of the erratic behavior of various
> utilities dealing with group names such as "Domain Users". Thus, I
> haven't used them since my early fumbling. Whether you choose to
> populate your base with the IDEALX script or do 'net rpc vampire' you
> will bring these groups into your DSA and you will have to deal with
> them or not deal with them as you see fit.

Again, right on!

> Interestingly enough, I used Gerry Carter's LDAP book which deals with
> LDAP first and then how to integrate samba (of course, this was 2.2 when
> book was published) which is clearly the approach that you and I have
> taken.

Neither of the Samba documents in any way is meant to provide any form of 
introductory coverage of LDAP. Jerry's book is a good book - I recommend it.

I believe that Samba documentation is not the right place for LDAP basic 
training. If the common consensus differs from this I am happy to receive 
basic introductory LDAP info for inclusion in the document.

> There was a brief exchange last week where John Terpstra took me to task
> for expressing my opinion that root should not be used in the DSA at all
> which goes against his advice and against the current Samba

That is not quite my recollection, Craig.

I was addressing the need for unambiguous resolution of UIDs and GIDs to SIDs, 
and login IDs.

If you are using LDAP and a version of Samba prior to 3.0.11 then the root 
account needs to be in LDAP also. Personally speaking, this freaks me out 
because I dislike having system accounts in LDAP. I believe Jerry and I are 
actually in agreement here.

Jerry chimed in to point out that with the privileges code that is new to 
Samba-3.0.11 you no longer need the root account. The core of this 
functionality is documented in the current on-line version of the 
Samba-HOWTO-Collection in chapter 12.

> documentation but Gerry Carter piped in with his agreement to my point
> of view so evidently, there is a fundamental disagreement between them
> that hasn't been resolved with clarity for us lowly and less
> sophisticated users.

Please go back and re-read my comments and Jerry's - we are in total agreement 
on not putting system accounts in LDAP. Why are we being mis-interpreted 
again? Sheesh!

> I guess I have come to the conclusion that the current documentation
> (I'm mostly referring to the HOWTO since I haven't studied the 'by
> Example' stuff) is geared towards LDAP used in a vacuum with Samba with
> the assumption that an experienced LDAP Administrator will be able to
> integrate samba into the existing DSA without resorting to the expedient
> methods described in the HOWTO. Perhaps there needs to be a section for
> using samba with LDAP for the novice LDAP administrator and a section
> for integrating samba into your existing DSA for the more sophisticated
> and experienced administrators.

Craig, are you offering to write that? It is welcome, and it is time we fix 
whatever problem people keep complaining about. I'm tired of complaints - I 
want fixes. Will someone please write a silver bullet update so we can get on 
with life. Please! Pretty please.

Anyone who can write the magic update that clears the air so we can all breathe 
again will be eulogised with attribution in neon lights. Honest! :)

> I think it would be best to keep this exchange on list as it does
> provide clarity for all who wish to consider the implications of their
> setups and the ability to find this info in the archive.

You really have high hopes! 

I spent a year writing and judging from the mail I get it is all wrong and of 
no use. 

Other than using this information myself in real deployments and thus seeing 
it work, it appears to me that none of us will ever get it right. There is no 
hope for anyone who writes documentation! Let's have a public flogging - it 
is a just reward for the documenter. :) PS: That was sarcastic humor to be 

- John T.
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
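
Added example, not part of the original message or of the Samba documentation: a small audit of an LDIF export that checks the two points discussed in this thread, namely that a sambaGroupMapping entry with a well-known RID carries the displayName a Windows administrator expects, and that no system account (uidNumber 0) is stored in LDAP. It assumes Samba 3.0.11 or later, where the message says root no longer has to be in LDAP; the sample entries, the function names and the RID table are constructed for illustration.

```python
import re

# Constructed sample LDIF; the DNs, SIDs and names are placeholders.
SAMPLE_LDIF = """\
dn: cn=dom_users,ou=Groups,dc=example,dc=com
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-513
displayName: Domain Users

dn: cn=dom_admins,ou=Groups,dc=example,dc=com
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-512
displayName: Administrators

dn: uid=root,ou=People,dc=example,dc=com
uidNumber: 0
"""

WELL_KNOWN = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")  # last field is the RID

def parse_ldif(text):
    """Minimal reader: blank-line separated entries, plain 'attr: value' lines only."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                attr, value = line.split(": ", 1)
                entry.setdefault(attr.lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def audit(entries):
    """Return (dn, problem) pairs for group mappings and system accounts."""
    findings = []
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        if "0" in e.get("uidnumber", []):
            findings.append((dn, "system account (uidNumber 0) stored in LDAP"))
        if "sambaGroupMapping" not in e.get("objectclass", []):
            continue
        m = DOMAIN_SID.match(e.get("sambasid", [""])[0])
        name = e.get("displayname", [""])[0]
        if not m:
            findings.append((dn, "sambaSID missing or not a domain SID"))
        elif WELL_KNOWN.get(int(m.group(1)), name) != name:
            findings.append((dn, f"RID {m.group(1)} should be named {WELL_KNOWN[int(m.group(1))]!r}"))
    return findings
```

The reader ignores base64 (`attr::`) values and folded lines, so run it on an export that uses neither for the attributes checked here.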

