[Samba] Samba/LDAP documentation

Tony Earnshaw tonye at billy.demon.nl
Sun Feb 13 15:16:16 GMT 2005

John H Terpstra:


> FYI. I run Samba training classes around the world. I use SuSE Linux
> Enterprise Server 9 and SuSE Linux 9.2 Professional to host Samba. All
> classes are run using OpenLDAP 2.2 and the Idealx scripts.
> I have deployed Samba-3 and OpenLDAP 2.2.x in several large sites - they
> are operating without problems.

I'll believe it. I'm a newbie at Samba - but as Craig has pointed out,
and for the same reasons, the methods used by IDEALX and repeated in the
official Samba doco and Coupeau's "HOWTO" were screwing up my ldapsam DB
and uglifying my servers. There had to be a better way, and both Craig and
I discovered that independently of one another. Actually, I find it
marvelous that it works :)

> I concur that the use of user names and group names that have spaces and
> upper-case characters is not to my taste either,

What is achieved works, and that's the best that can be said about it.
However, it's totally unnecessary and can easily be avoided.

Furthermore, whatever one does, SWAT (which I don't normally use - apart
from reading about the defaults) makes a complete mess of groups with
spaces in them.

> however, it is a
> compromise that is easier than any attempt to render another solution
> viable at this time.

That is not so. An alternative solution is available with Samba 3.0.7 thru
3.0.11. Both Craig and I have posted (this thread) what that method is.
However, it makes use of the IDEALX scripts impossible.

> Much of this is likely to change for Samba-4. Samba-4
> may go into beta during the latter half of this year.
> I am well aware that part of the Open Source Gestapo has implemented
> means in Linux of enforcing particular tastes. Examples include:
> 1. No upper-case characters in user names and group names
> 2. No spaces in user names and group names

Gestapo in Open Source? Wouldn't that rather be Posix, many years ago (in
an attempt to clean up a diversity of alternative systems)? Red Hat
(Linux) accepts both, but they are *ugly* and lead to all sorts of
complications. IIRC SCO Openserver 5 accepted neither.

> This is not universal in Linux distributions - some preserve the old
> behaviour.
> 3. Voiding the ability to use /dev/null as a valid home directory.
> 4. Voiding the ability to specify /bin/false as a shell.

I have no problems with either?

> I recognize that we need a work-around solution for platforms that
> implement Gestapo admin policies.

It really has nothing to do with the gestapo, maybe a bit of history
reading wouldn't come amiss?

> Please bear in mind that Samba interfaces between MS Windows and UNIX-like
> platforms. The issues we are touching on here are deeper than the
> cosmetics of user names and group names. To change the behaviour will
> require changes deep inside the smbd source code to effect new mapping
> semantics and to enforce conversion of all Windows user and group names
> before making any reference to the UNIX environment for name look-ups
> and/or for identity resolution.

That is not so. The solution lies for the hand and is already present in
the current code. Craig and I both implement it ;)



mail: tonye at billy.demon.nl

