[Samba] confusion about using samba as NT4 PDC with ldapsam backend

Jon Detert jdetert at infinityhealthcare.com
Wed Dec 29 12:08:17 MST 2010


Thanks, that clarifies several points, and introduces me to the
ldapsam:editposix configuration setting.

A few questions about using ldapsam:editposix :
1) Does the use of ldapsam:editposix mean that I won't need to specify the
'add user script' or 'add group script' settings?
2) how does the ldap admin dn happen to have read/write access to the
entries in the OU's shown in the wiki article ('users', 'groups', 'idmap',
and 'computers')?  Do I have to manually grant those privileges, or are they
automatically conferred somehow?
3) I assume that the MsWin program 'srvtools.exe' (a.k.a. 'User Manager for
Domains') will transparently make use of the ldapsam:editposix when
creating/editing/deleting users and groups.  Will the samba-provided
utility 'net rpc {user|group} {add|delete|}' do the same?

Samba ObjectClass question:
What about assigning the samba ObjectClasses to existing users that don't
have them already?  Can/should I use the smbldap-tools to do so?  If not,
any suggestions?

posixAccount and posixGroup ObjectClass questions:
1) The existing users in ldap don't have the posixAccount or posixGroup
objectClasses at present.  How should I populate them?
2) Are the posixAccount uid and posixGroup gid attributes the uid and gid
that the samba config settings 'idmap uid' and 'idmap gid' refer to?  In any
case, how do I pick ranges that will work?  Do I just make sure the ranges
include every posixAccount uid and posixGroup gid that I set?

AtDhVaAnNkCsE,

Jon

On Wed, Dec 29, 2010 at 11:05 AM, TAKAHASHI Motonobu <monyo at monyo.com> wrote:

> 2010/12/30 Jon Detert <jdetert at infinityhealthcare.com>:
> > How do the samba ObjectClasses and their attributes get set for new
> > users?
> > E.g. will they be set automagically if I specify the 'add
> > {user|group|machine} script' settings in the smb.conf?  If not, how then?
>
> Use smbldap-tools or ldapsam:editposix parameter.
> If you have already migrated LDAP users, smbldap-tools will be easy to use,
> although smbldap-tools are not maintained.
>
> There is a webpage that mentions about ldapsam:editposix:
>  http://wiki.samba.org/index.php/Ldapsam_Editposix
>
> Or make scripts like smbldap-tools by yourself.
>
> > I'm confused about how/when the samba-supplied ldap schema is used (I
> > mean
> > the schema that's in the samba distribution, that contains the
> > 'sambaSamAccount' objectClass).
> (snip)
> > Does the simple fact of specifying 'passdb backend' = ldapsam imply that
> > this schema is used?
>
> Yes, Samba assumes proper schema is defined in the LDAP directory.
>
> ---
> TAKAHASHI Motonobu <monyo at samba.gr.jp>
>
> 2010/12/30 Jon Detert <jdetert at infinityhealthcare.com>:
> > Hello,
> >
> > I want to use samba v3.3.x to implement an NT4/Win2k style domain:
> > a samba PDC and a samba BDC, using ldapsam for the 'passdb backend'.  I
> > plan
> > to use RedHat Directory Server v8.2 as the ldap server.
> >
> > I'm trying to sort out how user/group management and nss will work.
> >
> > I'm confused about how/when the samba-supplied ldap schema is used (I
> > mean
> > the schema that's in the samba distribution, that contains the
> > 'sambaSamAccount' objectClass).
> >
> > I understand that I have to add/activate the schema within my ldap server
> > (and that in its distributed form, it's for openLDAP, and so I have to
> > convert it to a syntax suitable for RedHat DirServer).
> >
> > However, I don't understand how to make samba use it.
> >
> > Does the simple fact of specifying 'passdb backend' = ldapsam imply that
> > this schema is used?
> >
> > How do the samba ObjectClasses and their attributes get set for new
> > users?
> > E.g. will they be set automagically if I specify the 'add
> > {user|group|machine} script' settings in the smb.conf?  If not, how then?
> >
> > The ldap server is already populated with inetOrgPerson information for
> > my
> > user population.  I've just added the samba schema and the posixAccount
> > schema.  How should I populate the samba and posixAccount ObjectClasses
> > and
> > attributes for the existing users?  I.e. run a one-time script to
> > populate
> > them, or is there a more clever way?  If the former, are there ready-made
> > scripts to do this, or do I need to write my own?
> >
> > Once the samba schema objects and attributes are populated, how does smbd
> > know about them?  Will I need to run winbind in order for samba to map
> > posix
> > UIDs and GIDs to SIDs and RIDs, or will that be done automagically by
> > virtue
> > of specifying that the 'passdb backend' is ldapsam, and populating the
> > samba
> > schema?
> >
> > Even if I don't need to run winbind, should I?  I'll need to use nss in
> > any
> > case, but if I use nss_ldap, I think that the o.s. won't grok nested
> > groups.  If I use nss_winbind, I think it will.
> >
> > AtDhVaAnNkCsE,
> >
> > Jon
>
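The thread asks how the posixAccount objectClass and its attributes might be populated for existing inetOrgPerson entries with a one-time script. The following is an added example, not code from this thread, from smbldap-tools or from the Samba project: it parses a constructed LDIF export, reserves any uidNumber values that are already present, allocates new numbers from a site-chosen range (UID_MIN/UID_MAX and DEFAULT_GID are placeholder choices, as is the /home prefix), refuses to proceed if an existing value falls outside that range or is duplicated, and emits `changetype: modify` records that ldapmodify can apply. The sambaSamAccount attributes (sambaSID in particular) are deliberately left to the tooling the reply mentions, because the domain SID is site-specific.

```python
"""Add posixAccount to existing inetOrgPerson entries via LDIF modify records.

Added example, not from the Samba mailing-list thread. Assumptions:
- input is minimal LDIF, one attribute per line, no base64 or line folding;
- UID_MIN/UID_MAX, DEFAULT_GID and HOME_BASE are hypothetical site choices;
- entries that already carry posixAccount are left untouched, and their
  uidNumber is reserved so a newly allocated number never collides with it.
"""

UID_MIN, UID_MAX = 10000, 19999   # hypothetical allocation range
DEFAULT_GID = 10000               # hypothetical posix gid for all users
HOME_BASE = "/home"               # hypothetical home directory prefix

# Constructed sample export of the existing directory (not real data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example

dn: uid=bob,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bob
cn: Bob Example
sn: Example
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/bob

dn: uid=carol,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
cn: Carol Example
sn: Example
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of (dn, {attr: [values]}) tuples."""
    entries, current, dn = [], {}, None
    for line in text.splitlines():
        if not line.strip():            # blank line ends an entry
            if dn is not None:
                entries.append((dn, current))
            current, dn = {}, None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            dn = value
        else:
            current.setdefault(attr, []).append(value)
    if dn is not None:                  # flush the last entry
        entries.append((dn, current))
    return entries


def allocate_posix(entries, uid_min=UID_MIN, uid_max=UID_MAX, gid=DEFAULT_GID):
    """Return {dn: (uidNumber, gidNumber, homeDirectory)} for entries that
    lack posixAccount. Raises ValueError if an existing uidNumber is outside
    the range or duplicated, or if the range is exhausted."""
    used = set()
    for dn, attrs in entries:
        for v in attrs.get("uidNumber", []):
            n = int(v)
            if not uid_min <= n <= uid_max:
                raise ValueError(f"{dn}: uidNumber {n} outside {uid_min}-{uid_max}")
            if n in used:
                raise ValueError(f"{dn}: duplicate uidNumber {n}")
            used.add(n)
    plan, next_uid = {}, uid_min
    for dn, attrs in entries:
        if "posixAccount" in attrs.get("objectClass", []):
            continue                    # already a posix account, leave it alone
        while next_uid in used:
            next_uid += 1
        if next_uid > uid_max:
            raise ValueError("uid range exhausted")
        used.add(next_uid)
        login = attrs["uid"][0]
        plan[dn] = (next_uid, gid, f"{HOME_BASE}/{login}")
        next_uid += 1
    return plan


def to_modify_ldif(plan):
    """Render the allocation plan as LDIF 'changetype: modify' records."""
    records = []
    for dn, (uidn, gidn, home) in plan.items():
        records.append(
            f"dn: {dn}\nchangetype: modify\n"
            f"add: objectClass\nobjectClass: posixAccount\n-\n"
            f"add: uidNumber\nuidNumber: {uidn}\n-\n"
            f"add: gidNumber\ngidNumber: {gidn}\n-\n"
            f"add: homeDirectory\nhomeDirectory: {home}\n"
        )
    return "\n".join(records)


if __name__ == "__main__":
    print(to_modify_ldif(allocate_posix(parse_ldif(SAMPLE_LDIF))))
```

Run it once against a fresh ldapsearch export, review the generated records, then feed them to ldapmodify; because it refuses to run when an existing uidNumber is duplicated or outside the chosen range, it doubles as a sanity check on the range you intend to use.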