Fedora DS Support

Andrew Bartlett abartlet at samba.org
Tue Sep 1 00:10:12 MDT 2009


On Tue, 2009-09-01 at 01:02 -0400, Endi Sukma Dewata wrote:
> Andrew,
> 
> ----- "Andrew Bartlett" <abartlet at samba.org> wrote:
> 
> > > I've been looking at the code and thinking to do this:
> > > 
> > > 1. Create cn=samba partition in FDS.
> > > 2. As FDS directory manager, add user cn=samba-admin,cn=samba to the
> > >    directory and set the password in clear text.
> > > 3. Setup SASL mapping for samba-admin to the above user.
> > > 4. Change the auth for Samba-to-FDS from anonymous to SASL as
> > >    samba-admin as in Samba-to-OpenLDAP.
> > > 
> > > Is this the correct approach? I've figured out how to do #1 and #3.
> > 
> > Yes, I think this is exactly the right approach.  The only other thing
> > you might consider is if you can create the cn=samba-admin,cn=samba user
> > via an 'initial LDIF' fragment into FDS. 
> 
> > > I was trying to do #2 by adding another partition in samdb, but
> > > it seems that an LDB can only have one rootDomainNamingContext,
> > > so I can't add cn=samba because the root context is dc=samba,dc=example,
> > > dc=com. Another alternative is to do this by invoking ldapi
> > > directly,
> > 
> > Yes, you should do this against ldapi directly. 
> 
> Ok, I got it working now. I've verified in FDS access log that Samba is
> authenticated using SASL. Thanks for the instructions. Attached is the
> result.

Great!  (and yes, I'll need to look into the segfault once I reproduce
your success). 

> There's an issue about SASL mapping, by default the FDS includes this
> mapping:
> 
> dn: cn=uid mapping,cn=mapping,cn=sasl,cn=config
> objectClass: top
> objectClass: nsSaslMapping
> cn: uid mapping
> nssaslmapregexstring: ^[^:@]+$
> nssaslmapbasedntemplate: DC=samba,DC=example,DC=com
> nssaslmapfiltertemplate: (uid=&)
> 
> But for samba-admin I need the following mapping:
> 
> dn: cn=samba-admin,cn=mapping,cn=sasl,cn=config
> objectClass: top
> objectClass: nsSaslMapping
> cn: samba-admin
> nssaslmapregexstring: ^samba-admin$
> nssaslmapbasedntemplate: CN=samba-admin,CN=samba
> nsSaslMapFilterTemplate: (objectclass=*)
> 
> To avoid conflict I have to change the regex of the first mapping
> to: ^(?!samba-admin)$. I'm not sure if this is actually working.

We should just replace it with the samba mapping.  (Because we will
never bind using any other user, and normal users - i.e. those in
dc=samba,dc=example,dc=com - will not bind to the backend directly)

> Also, Samba only includes the 00core.ldif and 99_ad.ldif schema files
> which is causing the FDS to complain about undefined schema for some
> of its configuration objects (cn=config). For now I have to partially
> include some additional FDS schema files.

My original work to split 00core.ldif from the 'important, but not quite
core' schema is showing its age.  You will probably need to re-adjust
the balance, while trying not to import the whole schema (due to
conflicts with the AD schema). 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
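The SASL mapping mechanics discussed in this exchange, as an added example (my own code, not part of the thread and not code from Samba or Fedora DS): each nsSaslMapping entry carries a regex that is tried against the SASL authid, and when it matches, the base DN and filter templates are expanded and the server searches for the bind entry. The script parses the two LDIF entries quoted above (constructed sample input; the cn of the second entry is set to match its RDN), reports every mapping that matches a given identity so that overlapping rules show up as more than one hit, and shows what is left once the default uid mapping is replaced by the samba-admin one as Andrew suggests. Assumptions: template placeholders are '&' for the whole matched identity and '\N' for regex group N (my reading of the template syntax); the regex engine is Python's re, which may differ from the server's; and the filter expansion escapes RFC 4515 metacharacters, which is a choice made here and not something the thread says about the server.

```python
"""Offline evaluation of Fedora DS / 389 DS style SASL identity mappings.

Added example, not code from the thread, Samba or Fedora DS.  Placeholder
semantics ('&' = whole match, '\\N' = group N) and the use of Python's re
as the regex engine are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: the two nsSaslMapping entries quoted in the thread.
DEFAULT_MAPPING_LDIF = """\
dn: cn=uid mapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: uid mapping
nsSaslMapRegexString: ^[^:@]+$
nsSaslMapBaseDNTemplate: DC=samba,DC=example,DC=com
nsSaslMapFilterTemplate: (uid=&)
"""

SAMBA_ADMIN_MAPPING_LDIF = """\
dn: cn=samba-admin,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: samba-admin
nsSaslMapRegexString: ^samba-admin$
nsSaslMapBaseDNTemplate: CN=samba-admin,CN=samba
nsSaslMapFilterTemplate: (objectclass=*)
"""


@dataclass
class SaslMapping:
    name: str
    regex: str
    base_dn_template: str
    filter_template: str


def parse_mappings(ldif_text):
    """Parse nsSaslMapping entries; LDAP attribute names are case-insensitive."""
    mappings = []
    for block in re.split(r"\n[ \t]*\n", ldif_text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            key, value = line.split(":", 1)
            attrs[key.strip().lower()] = value.strip()
        if "nssaslmapregexstring" not in attrs:
            continue  # not a mapping entry
        mappings.append(SaslMapping(
            name=attrs.get("cn", attrs.get("dn", "?")),
            regex=attrs["nssaslmapregexstring"],
            base_dn_template=attrs["nssaslmapbasedntemplate"],
            filter_template=attrs["nssaslmapfiltertemplate"],
        ))
    return mappings


_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping, so an authid such as '*' cannot widen the search filter.
    (Applied here by choice; the thread does not say what the server does.)"""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def expand_template(template, match, escape=None):
    """Single-pass substitution of '&' (whole match) and '\\N' (group N)."""
    esc = escape or (lambda s: s)

    def sub(m):
        if m.group(0) == "&":
            return esc(match.group(0))
        return esc(match.group(int(m.group(1))) or "")

    return re.sub(r"&|\\(\d)", sub, template)


def resolve_authid(ldif_text, authid):
    """Return (mapping name, search base, filter) for every mapping whose regex matches.

    More than one result means the mappings overlap and nothing in the entries
    themselves decides which one wins; no result means the identity cannot bind."""
    results = []
    for m in parse_mappings(ldif_text):
        match = re.search(m.regex, authid)
        if match:
            results.append((m.name,
                            expand_template(m.base_dn_template, match),
                            expand_template(m.filter_template, match, escape_filter_value)))
    return results


if __name__ == "__main__":
    both = DEFAULT_MAPPING_LDIF + "\n" + SAMBA_ADMIN_MAPPING_LDIF
    print("both mappings, samba-admin:", resolve_authid(both, "samba-admin"))
    print("samba mapping only, samba-admin:", resolve_authid(SAMBA_ADMIN_MAPPING_LDIF, "samba-admin"))
    print("samba mapping only, jdoe:", resolve_authid(SAMBA_ADMIN_MAPPING_LDIF, "jdoe"))
    print("default mapping, authid '*':", resolve_authid(DEFAULT_MAPPING_LDIF, "*"))
```

With both entries loaded, "samba-admin" matches both regexes and the script returns two candidates, which is the conflict Endi describes; with only the samba-admin entry, "samba-admin" resolves to CN=samba-admin,CN=samba and an ordinary uid resolves to nothing, which is what Andrew's reply relies on. Under Python's re the candidate regex ^(?!samba-admin)$ matches only the empty identity, because $ follows the lookahead directly; whether the server's engine behaves the same is not something the thread settles.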