[Samba] confusion about using samba as NT4 PDC with ldapsam backend

Christ Schlacta lists at aarcane.org
Wed Dec 29 12:28:50 MST 2010


On 12/29/2010 11:08, Jon Detert wrote:
> Thanks, that clarifies several points, and introduces me to the
> ldapsam:editposix configuration setting.
>
> A few questions about using ldapsam:editposix :
> 1) Does the use of ldapsam:editposix mean that I won't need to specify the
> 'add user script' or 'add group script' settings?
> 2) how does the ldap admin dn happen to have read/write access to the
> entries in the OU's shown in the wiki article ('users', 'groups', 'idmap',
> and 'computers')?  Do I have to manually grant those privileges, or are they
> automatically conferred somehow?
You have to grant them manually. Most sane walkthroughs include a
step that does this.
> 3) I assume that the MsWin program 'srvtools.exe' (a.k.a. 'User Manager for
> Domains') will transparently make use of the ldapsam:editposix when
> creating/editting/deleting users and groups.  Will the samba-provided
> utility 'net rpc {user|group} {add|delete|}' do the same?
>
> Samba ObjectClass question:
> What about assigning the samba ObjectClasses to existing users that don't
> have them already?  Can/should I use the smbldap-tools to do so?  If not,
> any suggestions?
smbldap-usermod -a user-without-sambaSamAccount
> posixAccount and posixGroup ObjectClass questions:
> 1) The existing users in ldap don't have the posixAccount or posixGroup
> objectClasses at present.  How should I populate them?
How did you get posix users without posix accounts or posix groups?
> 2) Are the posixAccount uid and posixGroup gid attributes the uid and gid
> that the samba config settings 'idmap uid' and 'idmap gid' refer to?  In any
> case, how do I pick ranges that will work?  Do I just make sure the ranges
> include every posixAccount uid and posixGroup gid that I set?
>
Pick ranges you'll never use for automatic generation (I use 10K for
posix users, so 20K is their RID range), so 10K and 20K are out.  I'd be
picking something like 50K, just in case I expand my userbase later.
> AtDhVaAnNkCsE,
>
> Jon
>
> On Wed, Dec 29, 2010 at 11:05 AM, TAKAHASHI Motonobu <monyo at monyo.com> wrote:
>
>> 2010/12/30 Jon Detert <jdetert at infinityhealthcare.com>:
>>> How do the samba ObjectClasses and their attributes get set for new
>>> users?
>>> E.g. will they be set automagically if I specify the 'add
>>> {user|group|machine} script' settings in the smb.conf?  If not, how then?
>> Use smbldap-tools or ldapsam:editposix parameter.
>> If you have already migrated LDAP users, smbldap-tools will be easy to use,
>> although smbldap-tools are not maintained.
>>
>> There is a webpage that mentions ldapsam:editposix:
>>   http://wiki.samba.org/index.php/Ldapsam_Editposix
>>
>> Or make scripts like smbldap-tools by yourself.
>>
>>> I'm confused about how/when the samba-supplied ldap schema is used (I
>>> mean the schema that's in the samba distribution, that contains the
>>> 'sambaSamAccount' objectClass).
>> (snip)
>>> Does the simple fact of specifying 'passdb backend' = ldapsam imply that
>>> this schema is used?
>> Yes, Samba assumes proper schema is defined in the LDAP directory.
>>
>> ---
>> TAKAHASHI Motonobu <monyo at samba.gr.jp>
>>
>> 2010/12/30 Jon Detert <jdetert at infinityhealthcare.com>:
>>> Hello,
>>>
>>> I want to use samba v3.3.x to implement an NT4/Win2k style domain:
>>> a samba PDC and a samba BDC, using ldapsam for the 'passdb backend'.  I
>>> plan to use RedHat Directory Server v8.2 as the ldap server.
>>>
>>> I'm trying to sort out how user/group management and nss will work.
>>>
>>> I'm confused about how/when the samba-supplied ldap schema is used (I
>>> mean the schema that's in the samba distribution, that contains the
>>> 'sambaSamAccount' objectClass).
>>>
>>> I understand that I have to add/activate the schema within my ldap server
>>> (and that in its distributed form, it's for openLDAP, and so I have to
>>> convert it to a syntax suitable for RedHat DirServer).
>>>
>>> However, I don't understand how to make samba use it.
>>>
>>> Does the simple fact of specifying 'passdb backend' = ldapsam imply that
>>> this schema is used?
>>>
>>> How do the samba ObjectClasses and their attributes get set for new
>>> users?
>>> E.g. will they be set automagically if I specify the 'add
>>> {user|group|machine} script' settings in the smb.conf?  If not, how then?
>>>
>>> The ldap server is already populated with inetOrgPerson information for
>>> my user population.  I've just added the samba schema and the posixAccount
>>> schema.  How should I populate the samba and posixAccount ObjectClasses
>>> and attributes for the existing users?  I.e. run a one-time script to
>>> populate them, or is there a more clever way?  If the former, are there
>>> ready-made scripts to do this, or do I need to write my own?
>>>
>>> Once the samba schema objects and attributes are populated, how does smbd
>>> know about them?  Will I need to run winbind in order for samba to map
>>> posix UIDs and GIDs to SIDs and RIDs, or will that be done automagically
>>> by virtue of specifying that the 'passdb backend' is ldapsam, and
>>> populating the samba schema?
>>>
>>> Even if I don't need to run winbind, should I?  I'll need to use nss in
>>> any case, but if I use nss_ldap, I think that the o.s. won't grok nested
>>> groups.  If I use nss_winbind, I think it will.
>>>
>>> AtDhVaAnNkCsE,
>>>
>>> Jon
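As an added example (not code from this thread, Samba or smbldap-tools), and following the advice above that the 'idmap uid' / 'idmap gid' allocation ranges should be disjoint from the posix IDs you assign by hand, this Python script reads an LDIF export of the directory, flags uidNumber/gidNumber values that sit inside the idmap range (a future collision with automatically allocated IDs), and lists inetOrgPerson entries still lacking posixAccount or sambaSamAccount (the candidates for smbldap-usermod -a). The LDIF entries, DNs and the 50000-59999 range are constructed sample values.

```python
import re

# Constructed sample LDIF (not from the thread): two existing inetOrgPerson users, one already samba-enabled, and one posix group.
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uidNumber: 10001
gidNumber: 10001

dn: uid=bob,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 50010
gidNumber: 10001

dn: cn=staff,ou=groups,dc=example,dc=com
objectClass: posixGroup
gidNumber: 50020
"""

def parse_ldif(text):
    """Minimal LDIF reader: entries split on blank lines, folded continuation lines rejoined."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in re.sub(r"\n ", "", block).splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        entries.append(attrs)
    return entries

def parse_range(spec):
    """Value of an smb.conf 'idmap uid' / 'idmap gid' setting, e.g. '50000-59999' -> (low, high)."""
    low, high = (int(x) for x in spec.split("-"))
    return low, high

def audit(entries, idmap_uid, idmap_gid):
    """Return (dn, problem) pairs: hand-assigned IDs inside the idmap ranges, and users missing samba/posix objectClasses."""
    findings = []
    for e in entries:
        dn, oc = e["dn"][0], set(e.get("objectClass", []))
        if "posixAccount" in oc and idmap_uid[0] <= int(e["uidNumber"][0]) <= idmap_uid[1]:
            findings.append((dn, f"uidNumber {e['uidNumber'][0]} inside idmap uid range"))
        if oc & {"posixAccount", "posixGroup"} and idmap_gid[0] <= int(e["gidNumber"][0]) <= idmap_gid[1]:
            findings.append((dn, f"gidNumber {e['gidNumber'][0]} inside idmap gid range"))
        if "inetOrgPerson" in oc:  # existing people entries that samba cannot yet use
            findings += [(dn, f"missing objectClass {c}") for c in ("posixAccount", "sambaSamAccount") if c not in oc]
    return findings
```

On a real directory, feed it the output of an ldapsearch -LLL export together with the ranges from smb.conf; anything reported inside the idmap range should be renumbered before the PDC goes live.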