[Samba] Samba/LDAP documentation

[Craig White]

On Sat, 2005-02-12 at 15:38 -0700, John H Terpstra wrote:

> > Interestingly enough, I used Gerry Carter's LDAP book which deals with
> > LDAP first and then how to integrate samba (of course, this was 2.2 when
> > book was published) which is clearly the approach that you and I have
> > taken.
> 
> Neither of the Samba documents in any way is meant to provide any form of 
> introductory coverage of LDAP. Jerry's book is a good book - I recommend it.
> 
> I believe that Samba documentation is not the right place for LDAP basic 
> training. If the common consensus differs from this I am happy to receive 
> basic introductory LDAP info for inclusion in the document.
----
I agree
----
> > There was a brief exchange last week where John Terpstra took me to task
> > for expressing my opinion that root should not be used in the DSA at all
> > which goes against his advice and against the current Samba
> 
> The is not quite my recollection Craig.
> 
> I was addressing the need for unambiguous resolution of UIDs and GIDs to SIDs, 
> and login IDs.
> 
> If you are using LDAP and a version of Samba prior to 3.0.11 then the root 
> account needs to be in LDAP also. Personally speaking, this freaks me out 
> because I dislike having system accounts in LDAP. I believe Jerry and I are 
> actually in agreement here.
> 
> Jerry chimed in to point out that with the priviliges code that is new to 
> Samba-3.0.11 you no longer need the root account. The core of this 
> functionality is documented in the current on-line version of the 
> Samba-HOWTO-Collection in chapter 12.
----
I see a new section in chapter 11 called 'Important Administrative
Information' which is what I guess you are referring to.

I also gather that if/when http://samba.org/~jerry/Samba-Rights-HOWTO
reaches commit level, adjustments will be made to the HOWTO to reflect
that as well.

I certainly agree with your 'unambiguous resolution of UIDs and GIDs to
SIDs and login IDs and that isn't going to change with the addition of
Samba-Rights as I see it...only a new mechanism that means that you
don't have to try to have multiple users in DSA with uidNumber:
attribute of 0 - obviously more than 1 isn't unambigous and I certainly
wouldn't advocate doing so.

I notice that does leave people endlessly confused though - witness
David Trask last weekend where he could only get things to work with a
uid=root in his 'bulk load' which used the IDEALX toolset...even knowing
that IDEALX recommended against that method themselves.

and if you view the following from archives...
<http://lists.samba.org/archive/samba/2005-February/099983.html>

you will clearly see that I was suggesting a method of unambiguous
resolution of these values...

> Personally, I find it easier for my state of being NOT to have root in
> LDAP but have Administrator with uid=0

whereupon you stated "best advice is to have just 'root' with UID=0..."
which was clearly not in line with Gerry's message in the same thread
<http://lists.samba.org/archive/samba/2005-February/099988.html>

where he says "Seriously though, we need to move people away from using root
to join domains admins."

How could people not be confused? Your best advice is to use root - Gerry's advice is to move people away from using root.

Less than 40 minutes separated these messages - I do marvel at the speed
with which you guys develop.
----
> > documentation but Gerry Carter piped in with his agreement to my point
> > of view so evidently, there is a fundamental disagreement between them
> > that hasn't been resolved with clarity for us lowly and less
> > sophisticated users.
> 
> Please go back and re-read my comments and Jerry's - we are in total agreement 
> on not putting system accounts in LDAP. Why are we being mis-interpreted 
> again? Sheesh!
----
see above example
----
> I spent a year writing and judging from the mail I get it is all wrong and of 
> no use. 
> 
> Other than using this information myself in real deployments and thus seeing 
> it work, it appears to me that none of us will ever get it right. There is no 
> hope for anyone who writes documentation! Let's have a public flogging - it 
> is a just reward for the documenter. :) PS: That was sarcastic humor to be 
> sure!
----
You are a brilliant writer an excellent communicator and the
documentation that is the Official Samba HOWTO is clearly the standard
of open source software - by far.

You are a kind, warm and generous person and the thought that I might
have said anything that wounds you bothers me. Any criticism that I may
have offered was only offered to make the documentation better.

I don't have any skill at writing technical manuals. I have never joined
samba to an AD, never used winbindd, nor do I even bein to understand
SASL or Kerberos (seems to be a worthy endeavor). I am probably on the
bottom rung of knowledge of OpenLDAP and my interaction with other LDAP
implementations is limited to setting up imp/horde/turba to query a
Novell Directory (had to use the -P 2) and that was a mighty struggle. I
have enough skills to do only the barest rudiments of a section on
integrating Samba into an existing DSA (I didn't even know the
definition of DSA until a few weeks ago - thanks Adam).

What I have learned is this...the explanation of the net group map
command modified the ldapsam - I didn't understand it for quite some
time. I found that using the base setup from IDEALX left me a bunch to
clean up as did the net rpc vampire command as they created 'Groups'
that didn't fit my intentions for the DSA. I suspect that Tonni ran into
this too but I haven't compared notes. He is probably much more adept at
writing this section we are talking about and is certainly more
knowledgeable about all aspects of this than I, with maybe the exception
being the Windows portion.

I don't generally use the online version of the HOWTO - I have my 2nd
printing edition by my desk (though I don't refer to it much anymore) -
it has at present (because I am actually going to count them) 7 sticky
notes marking relevant sections for me - just to give you an idea of the
value of the book to me.

With respect to your sarcasm above, I defer to your experience, your
knowledge and your obvious technical writing skills and meant only to
point out that I identified with Tonni's thoughts on merging Samba 3
into LDAP wasn't entirely obvious from the HOWTO.

Craig