[Samba] CENTOS4.6+SAMBA3.0.25+FEDORA-DS

John H Terpstra jht at samba.org
Thu Mar 6 02:45:52 GMT 2008


On Wednesday 05 March 2008 12:32:14 am suphakit Chamwuthipricha wrote:
> Hi
>          I am new to linux & Samba. I would like to set up Samba as a
> domain controller and using Fedora-ds for authentication.

That is a VERY ambitious project for someone who is new to Linux and new to 
Samba.  It is a little bit like picking up a manual on brain surgery and 
going straight into the operating theatre.

Please note that Linux and Samba are potentially complex tools.  While most 
simple things can be done with little effort, getting into technically 
complex areas like directory services and domain control takes you into a 
very specialized realm for which a good deal of understanding is important.

>          I have read some documents from www.samba.org but I am still in
> the mist.

Most people on this list are very happy to help someone who is new to the 
game.  When posting questions, it is good etiquette to keep the overall message 
short and to provide enough information so that others can see that you have 
prepared yourself as much as you could.

Please don't say "some information" - spell it out.  Which documents did you 
read? 

>          Here are my dumb questions about Samba as follows.

Well, here are my simple answers - but I suspect they will not help you too 
much.

>         1. Is CENTOS4.6+SAMBA3.0.25 as PDC +FEDORA-DS possible?

Samba can use most LDAP servers.  It is certainly possible to use Fedora-DS.

>         2. Is this  HOWTO from
> http://directory.fedoraproject.org/wiki/Howto:Samba  sufficient
> information? please suggest more

That is not a Samba document.  I suspect that very few people on this list 
would have seen that document, but I may be wrong.

I checked the information on the Fedora Project Wiki - it looks quite enough 
to get a system running - if you know what you are doing.

I would recommend that you start with the "Samba3-ByExample" book.  Work your 
way through chapters 1-5. What you learn will help you when you are ready for 
more complex projects.

If you have a problem with any of the examples in the book - ask for help on 
this list.

>         3. Since I tried to integrate Samba+Fedora-ds, I am always stuck
> at this step "net groupmap add".

If this command fails, it means that you most likely have a communication 
problem with the LDAP server.

>             Do these commands need to be done? What will happen if we
> skip them?

Yes, they are necessary.  If you don't do this there will be no Windows groups 
for your Windows clients.

>             # net groupmap add rid=2512 ntgroup='Domain Admins'
> unixgroup='Domain Admins'
>             # net groupmap add rid=2513 ntgroup='Domain Users'
> unixgroup='Domain Users'
>             # net groupmap add rid=2514 ntgroup='Domain Guests'
> unixgroup='Domain Guests'
>             # net groupmap add rid=2515 ntgroup='Domain Computers'
> unixgroup='Domain Computers'
>
>             3.1 Linux won't allow me to add a unix group name with a space
> like Domain Admins, can we change to DomainAdmins (no space)?
>                   As I tried to add unix group DomainAdmins in the linux box
> and ran the command, it failed.

Some Linux implementations do not permit upper case characters or spaces in 
the Linux group name.  In your situation, these groups should be added to the 
LDAP directory.  The limitation on group names does not exist with the LDAP 
backend.

>                   # net groupmap add rid=2512 ntgroup='Domain Admins'
> unixgroup='DomainAdmins'
>
>                 I also noticed that this somehow relates to smb.conf file
>                  Some source says:
>                 ldap admin dn = cn=Directory Manager
>                 or
>                 ldap admin dn = cn=Directory Manager,dc=mycompany,dc=com
>
>                3.1.1 If I use this one  ldap dn = cn=Directory Manager
>                         The result of net groupmap show failed to add
> group map

You may need to specify the ldap admin dn as "cn=Directory 
Manager,dc=mycompany,dc=com"  - note the double quotes.

>                 3.1.2 If I use this one ldap admin dn = cn=Directory
> Manager,dc=mycompany,dc=com
>                 The result of net groupmap show cannot find object
> "cn=Directory Manager,dc=mycompany,dc=com"

Did you add that object to the LDAP directory first? This was one of the steps 
in populating your Fedora-DS directory.

>             3.2 Where does the command look for ntgroup="Domain Admins'
> to map with unixgroup=Domain Admins

In the LDAP directory.

>             3.3 Some sources say the net groupmap should add type=d at
> the end of the line, is it true?

Sure, but it is the default anyhow.

>                    # net groupmap add rid=2512 ntgroup='Domain Admins'
> unixgroup='Domain Admins' type=d
>             4. Does this line in my smb.conf look ok? (I installed Samba
> & Fedora-ds in same machine)
>                 passdb backend = ldapsam:ldap://192.168.100.7

If the LDAP server is on the same system I'd use:
	passdb backend = ldapsam:ldap://127.0.0.1

Also, make sure that the LDAP server is listening on port 389.

>             5. Do these lines need to be included in the smb.conf file?
> What will happen if we don't include them?
>                 ldap idmap suffix = ou=Users
>                 ldap passed sync = Yes

For starters, the IDMAP entry should not go into the Users dsa.  
Check "Samba3ByExample" for a fully worked example of how to set up a Samba 
server with a local LDAP server.  The local LDAP server the example uses is 
OpenLDAP - but the basics are the same.

>             6. Do user add scripts need to be included in the smb.conf file?
>                 How does it work and when are these lines used?
>                 What will happen if we don't include them?

Yes. These are used by Samba to manage LDAP directory objects.

>                 # Useradd scripts
>                     add user script =
> /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-useradd -m %u
>                     delete user script =
> /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-userdel -r %u
>                     add group script =
> /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-groupadd %g
>                     delete group script =
> /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-groupdel %g
>                     add user to group script
> =/usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-groupmod
> -G %g %u
>                     add machine script =
> /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-useradd -w %u
>                     idmap uid = 15000-20000
>                     idmap gid = 15000-20000
>                     passwd program
> =/usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-passwd %u
>
>             7.  What does this command do?  Do we have to do this with
> every user?
>                    # pdbedit -U $( net getlocalsid | sed 's/SID for
> domain YOURWORKGROUP is: //' )-500 -u Administrator -r

It creates the SambaSAM account attributes for the Windows network 
Administrator account. It relies on having a correct LDAP entry for the POSIX 
portion of the user account you previously migrated to LDAP from the entry:

Administrator:x:0:0:Samba Admin:/root:/bin/bash

This is all shown clearly in the instructions on the Fedora Wiki.
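As an added example (not from this thread, and not the Fedora Wiki's or Samba's own script): a preflight script that does the checks John's answers to questions 3 and 7 imply before running the "net groupmap add" commands, namely a bind as the ldap admin dn and an NSS lookup of each unix group, and that parses the domain SID the way the pdbedit step does. It assumes ldapsearch and the Samba "net" tool are installed; LDAP_URI, ADMIN_DN, BASE_DN and ADMIN_PW are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: preflight checks before "net groupmap
# add" against an LDAP passdb backend, plus the SID handling behind the
# pdbedit step. Assumes ldapsearch and the Samba "net" tool are installed;
# LDAP_URI, ADMIN_DN, BASE_DN and ADMIN_PW are hypothetical placeholders.
LDAP_URI="${LDAP_URI:-ldap://127.0.0.1:389}"
ADMIN_DN="${ADMIN_DN:-cn=Directory Manager,dc=mycompany,dc=com}"
BASE_DN="${BASE_DN:-dc=mycompany,dc=com}"
ADMIN_PW="${ADMIN_PW:-replace-me}"

# Pull the bare SID out of "net getlocalsid" output read on stdin:
# "SID for domain YOURWORKGROUP is: S-1-5-21-..." -> "S-1-5-21-...".
sid_from_getlocalsid() {
    sed -n 's/^SID for domain .* is: \(S-[0-9-]*\)[[:space:]]*$/\1/p'
}

# Append a RID to the domain SID; RID 500 is the Administrator account.
build_sid() {
    printf '%s-%s\n' "$1" "$2"
}

# The mappings from the question, as "rid|ntgroup|unixgroup" records.
well_known_groups() {
    printf '%s\n' "2512|Domain Admins|Domain Admins" \
        "2513|Domain Users|Domain Users" \
        "2514|Domain Guests|Domain Guests" \
        "2515|Domain Computers|Domain Computers"
}

# Bind as the "ldap admin dn" Samba will use; failing here is the
# "communication problem with the LDAP server" John describes.
check_ldap_bind() {
    ldapsearch -x -H "$LDAP_URI" -D "$ADMIN_DN" -w "$ADMIN_PW" \
        -b "$BASE_DN" -s base '(objectclass=*)' dn >/dev/null 2>&1
}
# The unix group must resolve through NSS (nss_ldap) or the mapping fails.
check_unix_group() {
    getent group "$1" >/dev/null 2>&1
}
map_groups() {
    check_ldap_bind || { echo "cannot bind to $LDAP_URI as $ADMIN_DN" >&2; return 1; }
    well_known_groups | while IFS='|' read -r rid nt unix; do
        check_unix_group "$unix" || { echo "no NSS group: $unix" >&2; continue; }
        net groupmap add rid="$rid" ntgroup="$nt" unixgroup="$unix" type=d
    done
}
if [ "${1:-}" = "run" ]; then
    map_groups && build_sid "$(net getlocalsid | sid_from_getlocalsid)" 500
fi
```

Run it as `LDAP_URI=... ADMIN_PW=... sh preflight.sh run`; it stops at the first failing check so the cause of a groupmap failure is visible before any mapping is attempted.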

>             8. In many HOWTOs from websites, they state about PAM and NSS
> config with ldap, do we need it, can we skip this?

Absolutely essential if you use LDAP to store your POSIX accounts. This is 
clearly covered in both the HOWTO document and in the Samba3-ByExample book. 
Please let me know what is not clear in these documents.

>             9. I hardly find the instructions on how to set up Samba as
> PDC + Fedora-ds, please advise

Well, that is not really a Samba matter - it is one covered on the Fedora site 
and by the Fedora community.  If someone were to write up appropriate 
documentation I will gladly add it to the Samba3-HOWTO document.

> Thank you and Best Regards,
> Tom

I hope this helps.

- John T.
