[Samba] samba failed to authenticate to openLDAP

Tony Earnshaw tonye at billy.demon.nl
Thu Mar 3 16:14:29 GMT 2005


Paul Gienger wrote:
[...]

>> At a site, I already have a DIT with 1150+ users:
>>
>> rootdn
>>      | ou=directors
>>                    cn=director1
>>                    cn=director2
>>      | ou=teachers
>>                    cn=teacher1
>>                    cn=teacher2
>>      | ou=staff
>>                    cn=member1
>>                    cn=member2
>>      | ou=pupils
>>                    cn=pupil1
>>                    cn=pupil2
>>      | ou=system
>>                 | ou=pykota
>>                 | ou=smb
>>  
>>
> Where are your groups here? I'm curious as to how this is laid out.

Each (Posix) group is in each ou container, sorry. The specific SMB 
groups (domadmins, domguests, domusers, computers etc.) are in the smb ou 
container. They have cn RDNs. The Samba tools (net, smbpasswd, pdbedit), 
as well as the method of specifying suffixes in smb.conf are clever 
enough to find whichever group I want, for example for mapping. I'm 
astounded that the tools are so flexible. Which is why I was so 
disappointed in the sambasam-tools ...

>> etc.
>>
>> Even worse, at my test site I have:
>>
>> rootdn
>>      | ou=groups
>>                 | cn=people (Posix group)
>>                            cn=person1
>>                            cn=person2
>>      | ou=smb
>>
>> etc.
>>
>> The tools can't cope. What's more, LAM can't cope with my test site,
>> either (wants an ou for a container, won't accept a cn). Neither you nor
>> anyone else can tell me that my architecture is wrong ;)

... which is why I went on to redesign the DIT on my test rig, cutting 
out the ou container and using the primary Posix group as the leaf 
container: it's more logical and works just as well. Now the pupils have 
decided that they want to be divided up into subgroups by class or 
project: no sweat, Samba can cope with all of that.

Using GQ as primary tool to visualize this is a boon and GQ has the 
added advantage over other GUIs of drag'n drop.

> Nope, I wouldn't go that far.  Looks like you are doing things just 
> fine, trying to keep things organized and whatnot.  However, you are 
> correct that the scripts can't cope.  The scripts are in fact created 
> with one ou type things in mind.
> 
>> I've written my own awk script for adding basic Posix users to groups
>> (from lists of first-middle-last names) and my own (disjointed) shell
>> scripts for adding Samba users to Posix users (using ldapsearch).
>>  
>>
> I'm afraid then that you may have to do some more scripting, but at 
> least you can start with the tools and modify to your heart's content.

Oh definitely ;) But my sites are very specific and I tend to stop when 
each script does what I want. They're all very disjointed. ldapsearch 
plays a major part in most of the shell scripts.

Thanks for taking an interest :)

--Tonni

-- 

mail: tonye at billy.demon.nl
http://www.billy.demon.nl

They love us, don't they, They feed us, won't they ...

