[Samba] Samba LDAP and add machine script problems

Tony Earnshaw tonye at billy.demon.nl
Mon Jan 24 17:18:29 GMT 2005

Geoff Scott:


>>> tell us what happens.
>> What happens is, that RHAS3 gets all mixed up (Openldap 2.2.20) as to
>> what's root and what's administrator.
>> This is a *LOUSY* solution and worthy by all men of utter condemnation.


> hmmm.  I was just quoting from JHT's book Samba by Example: Making Users
> Happy
> step 11#
> In the above listing, you can see that the user Administrator has been
> given UID=998. This means that operations conducted from a Windows client
> using tools such as the Domain User Manager fails under UNIX because the
> management of user and group accounts requires that the UID=0. You decide
> to rectify this immediately as demonstrated here:
> root#  cd /var/lib/samba/sbin
> root#  ./smbldap-usermod.pl -u 0 Administrator
> OK. I see the criticism, but where's your solution?  You know, on the
> postfix user lists those guys will tell you you're a dweeb and then tell
> you where to RTFM, but at least they tell you where in the README's to
> find the info.
> I've posted here a number of times and never gotten a response.  I don't
> think that my questions were that silly.  But rather than let someone else
> sit around wondering how to fix a problem, I am trying to help.  What
> have you done to help this fellow lister?
> Look, I don't want to flame....  But do something constructive.   I can't
> help this guy anymore.  His problem is beyond me.  It looks like you can
> tho....  So please do.

No flame taken. So I'm a Postfix person; I don't usually "dweeb" (as you
put it) people, I mostly RTFM and make people like VD and MB sick by
telling them I know better than they do, which is rubbish, since
they're my superior any day. However, RTFM is the secret: Postfix docs and
Samba docs are utterly supreme: there is *nothing* to my mind, that isn't
in the docs or in Google somewhere.

Anyway, here RH Samba 3.0.9 and (self-compiled) Openldap 2.2.20, on RHAS3,
with Red Hat's nss_ldap. I'm as green as heck on Samba; only chose to do
it at all because "the boss" told me I had to help to replace the MS shit
at present accounting for great user dissatisfaction at the high school
where I do LDAP and mail administration. Windows clients (those making the
users unhappy) are XP and 2000. I now have a Samba PDC and people can
access what they want from any Windows workstation, using the Samba PDC.
All I did was read docs and experiment for a fortnight:

Relevant docs:

1: the Samba html HOWTOs in /usr/share/doc/samba*/docs/htmldocs;
2: don't know where from but Samba (v.3) PDC LDAP HOWTO by Ignacio
Coupeau, CTI, University of Navarra. Maybe from the same distro. The
latter is worth gold to LDAP people, but contains many mix-ups between
Samba 2 and Samba 3, though Openldap people should be able to sort things
out for themselves using the innate mindset that got them over to Unix
from Windows (whatever) in the first place.

Bottom line: Ignacio Coupeau tells you (blam) right out that your LDAP
admin user has to have a uidnumber and gidnumber attribute both of 0 and
you'd better believe him, since otherwise nothing works from XP/2000's
side. However, if you try to make new users/groups with these values,
*HORRIBLE* things happen to your RHAS3 mappings. Applications that expect
uids to be "root" get confronted with "Administrator" or gids root get
confronted with "DomainAdmins" or whatever. And the apps croak.

So. I end up with an LDAP "root" with uidnumber 0, gidnumber 0, who may
well have another password than the /etc/passwd root, but who gets the job
done (i.e. enabling XP/2000 Windows domain logons). I find this abhorrent,
but "the boss" pays me, and my job is to provide the solutions for which
he pays my beer.


mail: tonye at billy.demon.nl
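A check for the uid collision the post describes, added here as an example that is not from the post, the Samba docs or the smbldap tools: it parses a constructed local passwd file and a constructed LDIF export of the posixAccount entries nss_ldap would also consult, and reports every numeric uid claimed by more than one account name (uid 0 shared by root and Administrator being the case at hand).

```python
import re

# Constructed sample data (not taken from the list post): a local passwd file
# and an LDIF export of the directory accounts that nss_ldap merges with it.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
"""

SAMPLE_LDIF = """dn: uid=Administrator,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: Administrator
uidNumber: 0
gidNumber: 0

dn: uid=geoff,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: geoff
uidNumber: 1001
gidNumber: 100
"""

def parse_passwd(text):
    """Return {name: uid} for every passwd(5) line."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            accounts[fields[0]] = int(fields[2])
    return accounts

def parse_ldif_accounts(text):
    """Return {uid: uidNumber} for every LDIF entry carrying both attributes."""
    accounts = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # keep the first value of multi-valued attributes
                attrs.setdefault(key.strip().lower(), value.strip())
        if "uidnumber" in attrs and "uid" in attrs:
            accounts[attrs["uid"]] = int(attrs["uidnumber"])
    return accounts

def find_uid_collisions(passwd_text, ldif_text):
    """Map each numeric uid claimed by more than one name to the sorted names.
    getpwuid() on such a number answers with whichever source NSS asks first,
    which is how uid 0 can come back as 'Administrator' instead of 'root'."""
    names_by_uid = {}
    merged = {**parse_passwd(passwd_text), **parse_ldif_accounts(ldif_text)}
    for name, uid in merged.items():
        names_by_uid.setdefault(uid, []).append(name)
    return {uid: sorted(n) for uid, n in names_by_uid.items() if len(n) > 1}

if __name__ == "__main__":
    for uid, names in find_uid_collisions(SAMPLE_PASSWD, SAMPLE_LDIF).items():
        print(f"uid {uid} is shared by: {', '.join(names)}")
```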

