[Samba] CENTOS4.6+SAMBA3.0.25+FEDORA-DS

Suphakit suphakit at bluebottle.com
Thu Mar 6 03:17:38 GMT 2008


Thank you very much Mr.Terpstra. Your answer is very informative to me.
Now I can expand my learning. I'll go back to square one and start it
over again. It's a long way to go. :-)
Best Regards,
Tom
John H Terpstra wrote:
> On Wednesday 05 March 2008 12:32:14 am suphakit Chamwuthipricha wrote:
>   
>> Hi
>>          I am new to linux & Samba. I would like to set up Samba as a
>> domain controller and use Fedora-ds for authentication.
>>     
>
> That is a VERY ambitious project for someone who is new to Linux and new to 
> Samba.  It is a little bit like picking up a manual on brain surgery and 
> going straight into the operating theatre.
>
> Please note that Linux and Samba are potentially complex tools.  While most 
> simple things can be done with little effort, getting into technically 
> complex areas like directory services and domain control takes you into a 
> very specialized realm for which a good deal of understanding is important.
>
>   
>>          I have read some documents from www.samba.org but I am still in
>> the mist.
>>     
>
> Most people on this list are very happy to help someone who is new to the 
> game.  When posting questions, it is good etiquet to keep the overall message 
> short and to provide enough information so that others can see that you have 
> prepared yourself as much as you could.
>
> Please don't say "some information" - spell it out.  Which documents did you 
> read? 
>
>   
>>          Here are my dumb questions about Samba as follows.
>>     
>
> Well, here are my simple answers - but I suspect they will not help you too 
> much.
>
>   
>>         1. Is CENTOS4.6+SAMBA3.0.25 as PDC +FEDORA-DS possible?
>>     
>
> Samba can use most LDAP servers.  It is certainly possible to use Fedora-DS.
>
>   
>>         2. Is this HOWTO from
>> http://directory.fedoraproject.org/wiki/Howto:Samba sufficient
>> information? Please suggest more.
>>     
>
> That is not a Samba document.  I suspect that very few people on this list 
> would have seen that document, but I may be wrong.
>
> I checked the information on the Fedora Project Wiki - it looks quite enough 
> to get a system running - if you know what you are doing.
>
> I would recommend that you start with the "Samba3-ByExample" book.  Work your 
> way through chapters 1-5. What you learn will help you when you are ready for 
> more complex projects.
>
> If you have a problem with any of the examples in the book - ask for help on 
> this list.
>
>   
>>         3. Since I tried to integrate Samba+Fedora-ds, I am always stuck
>> at this step: "net groupmap add".
>>     
>
> If this command fails, it means that you most likely have a communication 
> problem with the LDAP server.
>
>   
>>             Do these commands need to be done? What will happen if we
>> skip them?
>>     
>
> Yes, they are necessary.  If you don't do this there will be no Windows groups 
> for your Windows clients.
>
>   
>>             # net groupmap add rid=2512 ntgroup='Domain Admins'
>> unixgroup='Domain Admins'
>>             # net groupmap add rid=2513 ntgroup='Domain Users'
>> unixgroup='Domain Users'
>>             # net groupmap add rid=2514 ntgroup='Domain Guests'
>> unixgroup='Domain Guests'
>>             # net groupmap add rid=2515 ntgroup='Domain Computers'
>> unixgroup='Domain Computers'
>>
>>             3.1 Linux won't allow me to add a unix group name with a space
>> like Domain Admins. Can we change it to DomainAdmins (no space)?
>>                   As I tried to add the unix group DomainAdmins on the linux box
>> and run the command, it failed.
>>     
>
> Some Linux implementations do not permit upper case characters or spaces in 
> the Linux group name.  In your situation, these groups should be added to the 
> LDAP directory.  The limitation on group names does not exist with the LDAP 
> backend.
>
>   
>>                   # net groupmap add rid=2512 ntgroup='Domain Admins'
>> unixgroup='DomainAdmins'
>>
>>                 I also noticed that this somehow relates to smb.conf file
>>                  Some source says:
>>                 ldap admin dn = cn=Directory Manager
>>                 or
>>                 ldap admin dn = cn=Directory Manager,dc=mycompany,dc=com
>>
>>                3.1.1 If I use this one  ldap dn = cn=Directory Manager
>>                         The result of net groupmap show failed to add
>> group map
>>     
>
> You may need to specify the ldap admin dn as "cn=Directory 
> Manager,dc=mycompany,dc=com"  - note the double quotes.
>
>   
>>                 3.1.2 If I use this one ldap admin dn = cn=Directory
>> Manager,dc=mycompany,dc=com
>>                 The result of net groupmap show cannot find object
>> "cn=Directory Manager,dc=mycompany,dc=com"
>>     
>
> Did you add that object to the LDAP directory first? This was one of the steps 
> in populating your Fedora-DS directory.
>
>   
>>             3.2 Where does the command look for ntgroup='Domain Admins'
>> to map with unixgroup='Domain Admins'?
>>     
>
> In the LDAP directory.
>
>   
>>             3.3 Some sources say the net groupmap command should add type=d at
>> the end of the line. Is it true?
>>     
>
> Sure, but it is the default anyhow.
>
>   
>>                    # net groupmap add rid=2512 ntgroup='Domain Admins'
>> unixgroup='Domain Admins' type=d
>>             4. Does this line in my smb.conf look ok? (I installed Samba
>> & Fedora-ds in same machine)
>>                 passdb backend = ldapsam:ldap://192.168.100.7
>>     
>
> If the LDAP server is on the same system I'd use:
> 	passdb backend = ldapsam:ldap://127.0.0.1
>
> Also, make sure that the LDAP server is listening on port 389.
>
>   
>>             5. Do these lines need to be included in the smb.conf file?
>> What will happen if we don't include them?
>>                 ldap idmap suffix = ou=Users
>>                 ldap passwd sync = Yes
>>     
>
> For starters, the IDMAP entry should not go into the Users dsa.  
> Check "Samba3ByExample" for a fully worked example of how to set up a Samba 
> server with a local LDAP server.  The local LDAP server the example uses is 
> OpenLDAP - but the basics are the same.
>
>   
>>             6. Do the user add scripts need to be included in the smb.conf file?
>>                 How do they work, and when are these lines used?
>>                 What will happen if we don't include them?
>>     
>
> Yes. These are used by Samba to manage LDAP directory objects.
>
>   
>>                 # Useradd scripts
>>                     add user script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-useradd -m %u
>>                     delete user script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-userdel -r %u
>>                     add group script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-groupadd %g
>>                     delete group script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-groupdel %g
>>                     add user to group script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-groupmod -G %g %u
>>                     add machine script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-useradd -w %u
>>                     idmap uid = 15000-20000
>>                     idmap gid = 15000-20000
>>                     passwd program = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-passwd %u
>>
>>             7.  What does this command do? Do we have to do this for
>> every user?
>>                    # pdbedit -U $( net getlocalsid | sed 's/SID for domain YOURWORKGROUP is: //' )-500 -u Administrator -r
>>     
>
> It creates the SambaSAM account attributes for the Windows network 
> Administrator account. It relies on having a correct LDAP entry for the POSIX 
> portion of the user account you previously migrated to LDAP from the entry:
>
> Administrator:x:0:0:Samba Admin:/root:/bin/bash
>
> This is all shown clearly in the instructions on the Fedora Wiki.
>
>   
>>             8. In many HOWTO from website ,they state about PAM and NSS
>> config with ldap ,do we need it ,can we skip this?
>>     
>
> Absolutely essential if you use LDAP to store your POSIX accounts. This is 
> clearly covered in both the HOWTO document and in the Samba3-ByExample book. 
> Please let me know what is not clear in these documents.
>
>   
>>             9. I can hardly find instructions on how to set up Samba as
>> PDC + Fedora-ds. Please advise.
>>     
>
> Well, that is not really a Samba matter - it is one covered on the Fedora site 
> and by the Fedora community.  If someone were to write up appropriate 
> documentation I will gladly add it to the Samba3-HOWTO document.
>
>   
>> Thank you and Best Regards,
>> Tom
>>     
>
> I hope this helps.
>
> - John T.
>
>
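The checks John points at above (whether the `ldap admin dn` can bind, whether the POSIX groups resolve through NSS before `net groupmap add`, and how the domain SID from `net getlocalsid` feeds the `pdbedit` step in question 7) can be collected into one preflight script. This is an added example and not code from this thread, from the Samba project or from the Fedora-DS howto. The suffix dc=mycompany,dc=com, the loopback LDAP URI and the root DN cn=Directory Manager (the value Fedora-DS proposes at setup time) are assumptions about the reader's install; the four group names and RIDs 512 to 515 are the well-known values Windows assigns to those domain groups.

```sh
#!/bin/sh
# Added example (not from the thread, Samba or Fedora-DS). Preflight for a
# Samba 3 PDC with an ldapsam backend: verify the LDAP bind and the POSIX
# groups, create the well-known group mappings, then give the Windows
# Administrator account its SambaSAM attributes.
set -eu

# Assumed site values; they must match smb.conf and the directory.
LDAP_URI="ldap://127.0.0.1"            # directory runs on the Samba host
LDAP_SUFFIX="dc=mycompany,dc=com"
LDAP_ADMIN_DN="cn=Directory Manager"   # Fedora-DS root DN; it carries no suffix

# Extract the domain SID from "net getlocalsid" output such as
#   SID for domain MYDOMAIN is: S-1-5-21-2466233153-2016102394-1239011223
# Unlike a sed with the domain name hard-coded, this works for any domain name.
sid_from_getlocalsid() {
    printf '%s\n' "$1" |
        sed -n 's/^SID for domain .* is: *\(S-1-5-21-[0-9][0-9]*-[0-9][0-9]*-[0-9][0-9]*\).*/\1/p'
}

# Well-known RIDs of the four domain groups a PDC must have mappings for.
wellknown_group_name() {
    case "$1" in
        512) echo "Domain Admins" ;;
        513) echo "Domain Users" ;;
        514) echo "Domain Guests" ;;
        515) echo "Domain Computers" ;;
        *)   return 1 ;;
    esac
}

# Bind as the admin DN (prompts for its password) and read the suffix entry.
# Samba binds as this DN for every directory write, so if this fails,
# "net groupmap add" fails as well.
check_ldap_bind() {
    ldapsearch -x -H "$LDAP_URI" -D "$LDAP_ADMIN_DN" -W \
        -b "$LDAP_SUFFIX" -s base 1.1 >/dev/null
}

# The unixgroup must already resolve through NSS (nss_ldap -> directory).
# Names with spaces are fine here because they live in LDAP, not /etc/group.
check_posix_group() {
    getent group "$1" >/dev/null || {
        echo "POSIX group '$1' not found via NSS; add it to LDAP first" >&2
        return 1
    }
}

# rid= makes Samba prefix the domain SID itself, so no SID handling is needed.
add_groupmap() {
    name=$(wellknown_group_name "$1")
    check_posix_group "$name"
    net groupmap add rid="$1" ntgroup="$name" unixgroup="$name" type=domain
}

main() {
    check_ldap_bind
    sid=$(sid_from_getlocalsid "$(net getlocalsid)")
    [ -n "$sid" ] || { echo "could not parse the domain SID from net getlocalsid" >&2; exit 1; }
    for rid in 512 513 514 515; do
        add_groupmap "$rid"
    done
    net groupmap list
    # Administrator is RID 500 in the domain; attach the SambaSAM attributes to
    # the existing POSIX account (-r modifies, -U sets the user SID).
    pdbedit -r -u Administrator -U "${sid}-500"
}

# Only act when invoked as "sh samba-ldap-preflight.sh run"; otherwise the
# file just defines the functions above.
case "${1:-}" in run) main ;; esac
```

Run it as `sh samba-ldap-preflight.sh run` on the PDC after the POSIX groups exist in the directory. The values at the top have to agree with smb.conf (`passdb backend = ldapsam:ldap://127.0.0.1`, `ldap suffix = dc=mycompany,dc=com`, `ldap admin dn = cn=Directory Manager`) and with the admin password stored through `smbpasswd -w`; a DN that ldapsearch cannot bind as, or one that does not exist as an object, produces exactly the "failed to add group map" and "cannot find object" results quoted in the thread. Keep `ldap idmap suffix` pointing at its own container rather than the users' OU, as John advises.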
