[Samba] samba failed to authenticate to openLDAP

Paul Gienger pgienger at ae-solutions.com
Thu Mar 3 14:21:27 GMT 2005



Tony Earnshaw wrote:

>Paul Gienger:
>
>>>2: doing that nearly fscked up my already existent DIT for always;
>>I'd be very interested in hearing how this happened and what almost got
>>borked.  I can't for the life of me think of anything that the
>>smbldap-tools package should have done above just adding random attributes
>>and entries in a lot of places if badly configured.  The worst (again,
>>that I can imagine) that you would have had to do would be clean with a
>>fine tooth scrub brush.
>>
>>I haven't delved deep into the code, so I don't doubt that things could
>>be pretty powerful, just that I haven't seen how they could go far enough
>>to completely bork up a whole LDAP database.
>
>The smbldap-tools allow for only one group suffix, only one user suffix.
Yep, I'll agree.

>At a site, I already have a DIT with 1150+ users:
>
>rootdn
>      | ou=directors
>                    cn=director1
>                    cn=director2
>      | ou=teachers
>                    cn=teacher1
>                    cn=teacher2
>      | ou=staff
>                    cn=member1
>                    cn=member2
>      | ou=pupils
>                    cn=pupil1
>                    cn=pupil2
>      | ou=system
>                 | ou=pykota
>                 | ou=smb
Where are your groups here? I'm curious as to how this is laid out. 

>etc.
>
>Even worse, at my test site I have:
>
>rootdn
>      | ou=groups
>                 | cn=people (Posix group)
>                            cn=person1
>                            cn=person2
>      | ou=smb
>
>etc.
>
>The tools can't cope. What's more, LAM can't cope with my test site,
>either (wants an ou for a container, won't accept a cn). Neither you nor
>anyone else can tell me that my architecture is wrong ;)

Nope, I wouldn't go that far.  Looks like you are doing things just 
fine, trying to keep things organized and whatnot.  However, you are 
correct that the scripts can't cope.  The scripts are in fact created 
with one-ou-type things in mind. 

>I've written my own awk script for adding basic Posix users to groups
>(from lists of first-middle-last names) and my own (disjointed) shell
>scripts for adding Samba users to Posix users (using ldapsearch).

I'm afraid then that you may have to do some more scripting, but at 
least you can start with the tools and modify to your heart's content.


-- 
Paul Gienger                    Office: 701-281-1884
Applied Engineering Inc.
Systems Architect               Fax:    701-281-1322
URL: www.ae-solutions.com       mailto: pgienger at ae-solutions.com