Re: [Samba] Re: Samba/LDAP/PDC Questions

2004-07-23 Thread Buchan Milne
Paul Gienger wrote:
|
| | 1. In what situation do I need People group as the group for
| | machines?
|
| In the case where you use:
| nss_base_passwd ou=Users,dc=ab,dc=com?one
|
| If you use:
| nss_base_passwd dc=ab,dc=com?sub
|
|
|
| Would people please stop suggesting this without explaining the
| ramifications?
When people stop giving the other reply (that it is impossible).
|  If you do this, you are going to (theoretically)(1)
| severely harm the performance on your server.
Yes, for only the LDAP clients which are samba servers.
|  Setting the nss library
| to do a search on the 'entire' directory every time it needs to look up
| user information is asinine to put it in a word.
That really depends on the structure of your LDAP server.
And, you are also ignoring the fact that nss_ldap will use a search
filter for the specific user - and doing a search for
(&(objectclass=posixAccount)(uid=<user>)) isn't going to be much slower
for most small implementations. Then of course, there's always nscd ...
If you've tuned your LDAP server, it should be getting most of the
entries out of cache anyway.
|  It's like doing this
| in DNS terms... rather than looking for a machine named
| 'something.else.com' in the dns servers for else.com you go ask .com who
| then goes in and asks else.com by proxy.  Doing the first example (the
| one searching with ?one) you are restricting searches to a respectable
| scope, doing the second you are searching all OUs which may be numerous
| and deep (in our LDAP tree we have 10 OUs, two of which are at least 3
| levels deep).
If your OUs are so deep, you should be able to have a deeper search
filter. I suggested reducing the depth of the search by one level and
increasing the scope. If there was already a huge and complex DIT, that
still would not have made a big impact.
| You would be better served by defining ou=Computers and ou=People under
| something like ou=Accounts (which would give you DNs of
| ou=Computers,ou=Accounts,dc=ab,dc=com and
| ou=People,ou=Accounts,dc=ab,dc=com)
|
Sure, but the user *first* wanted to get something working ... he didn't
ask on the generic LDAP list how to structure his directory for
efficient searching (the samba list is the wrong place to ask these
questions anyway).
| and then set:
| nss_base_passwd ou=Accounts,dc=ab,dc=com?sub
|
|
| Note that I'm not saying that doing a sub search is necessarily bad,
| just when you are searching your entire ldap DIT, especially for
| something that happens as often as passwd lookups.
If your LDAP server is tuned and indexed well enough, queries that
happen so often should cost nothing.
| (1) I say theoretically because I've never tried it, it's a Bad Idea(C)
| from the word go.   There are a lot of other things that I haven't tried
| that are bad ideas but I can safely say they are also dangerous, such as
| sticking forks in my eyes and jumping off cliffs.
Regards,
Buchan
--
Buchan Milne  Senior Support Technician
Obsidian Systems  http://www.obsidian.co.za
B.Eng RHCE (803004789010797)
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
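The scope argument in this message (`?one` against `?sub`, and which base to start from) is also the answer to the original question of why machine accounts end up having to live in the one container nss_ldap looks in. The model below is an added example for this thread, not code from nss_ldap, Samba or either poster: it implements the `base?scope?filter` syntax of `nss_base_passwd` and the `(&(objectClass=posixAccount)(uid=...))` lookup nss_ldap issues, and runs it against a small constructed directory whose DNs mirror the ones discussed. The entries, the uids `alice`, `bob`, `ws1$`, `ws2$` and the function names are assumptions, not data from the list.

```python
"""How nss_ldap's nss_base_passwd "base?scope?filter" setting decides which
entries a passwd lookup can see.

Added example for this thread, not code from nss_ldap or Samba. The
directory below is constructed to mirror the DNs discussed on the list
(ou=Users and ou=Computers under dc=ab,dc=com, and the proposed
ou=People/ou=Computers under ou=Accounts); entries, uids and function
names are assumptions, not data from the thread.
"""

# Constructed sample DIT: (dn, attributes). Parent-before-child order is
# only for readability; lookups do not depend on it.
SAMPLE_DIT = [
    ("ou=Users,dc=ab,dc=com", {"objectClass": ["organizationalUnit"]}),
    ("uid=alice,ou=Users,dc=ab,dc=com",
     {"objectClass": ["posixAccount", "sambaSamAccount"], "uid": ["alice"]}),
    ("ou=Computers,dc=ab,dc=com", {"objectClass": ["organizationalUnit"]}),
    ("uid=ws1$,ou=Computers,dc=ab,dc=com",
     {"objectClass": ["posixAccount", "sambaSamAccount"], "uid": ["ws1$"]}),
    ("ou=Accounts,dc=ab,dc=com", {"objectClass": ["organizationalUnit"]}),
    ("uid=bob,ou=People,ou=Accounts,dc=ab,dc=com",
     {"objectClass": ["posixAccount"], "uid": ["bob"]}),
    ("uid=ws2$,ou=Computers,ou=Accounts,dc=ab,dc=com",
     {"objectClass": ["posixAccount"], "uid": ["ws2$"]}),
]


def parse_nss_base(value):
    """Split an nss_base_* value into (base, scope, extra_filter).

    An omitted scope falls back to "sub", nss_ldap's default for the
    global scope setting; an omitted filter means no extra restriction.
    """
    parts = value.split("?")
    base = parts[0]
    scope = parts[1] if len(parts) > 1 and parts[1] else "sub"
    extra = parts[2] if len(parts) > 2 and parts[2] else None
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown scope %r" % scope)
    return base, scope, extra


def _rdns(dn):
    # Naive RDN split: adequate for the simple DNs here, not for escaped
    # commas or multi-valued RDNs.
    return [c.strip().lower() for c in dn.split(",")]


def in_scope(dn, base, scope):
    """True if dn lies inside base at the given LDAP search scope."""
    d, b = _rdns(dn), _rdns(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False                 # not under the base at all
    depth = len(d) - len(b)          # 0 = the base itself, 1 = direct child
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def matches(attrs, flt):
    """Evaluate the small subset of LDAP filter syntax used here:
    equality items (attr=value) and AND lists (&(...)(...)), with
    attribute names and values compared case-insensitively."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % flt)
    inner = flt[1:-1]
    if inner.startswith("&"):
        subs, depth, start = [], 0, 0
        for i, ch in enumerate(inner):       # split top-level sub-filters
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    subs.append(inner[start:i + 1])
        return all(matches(attrs, s) for s in subs)
    attr, _, value = inner.partition("=")
    lowered = {k.lower(): v for k, v in attrs.items()}
    return any(v.lower() == value.lower() for v in lowered.get(attr.lower(), []))


def lookup_passwd(nss_base_passwd, uid, dit=SAMPLE_DIT):
    """Return the DN nss_ldap would resolve for getent passwd <uid>, or None.

    The filter is the one nss_ldap sends for a passwd lookup by name,
    AND-ed with the optional third field of nss_base_passwd.
    """
    base, scope, extra = parse_nss_base(nss_base_passwd)
    flt = "(&(objectClass=posixAccount)(uid=%s))" % uid
    if extra:
        flt = "(&%s%s)" % (flt, extra)
    for dn, attrs in dit:
        if in_scope(dn, base, scope) and matches(attrs, flt):
            return dn
    return None


if __name__ == "__main__":
    for cfg in ("ou=Users,dc=ab,dc=com?one",
                "dc=ab,dc=com?sub",
                "ou=Accounts,dc=ab,dc=com?sub"):
        for name in ("alice", "ws1$", "ws2$"):
            print("%-30s %-5s -> %s" % (cfg, name, lookup_passwd(cfg, name)))
```

Run it and `ws1$` resolves under `dc=ab,dc=com?sub` and under `ou=Accounts,dc=ab,dc=com?sub`, but not under `ou=Users,dc=ab,dc=com?one`. Samba resolves a machine account through the passwd database when a workstation joins, so with the `?one` setting the account is invisible unless it sits directly beneath the configured base, which is exactly why the question of putting machines in the People container comes up. The optional third field narrows a `?sub` search to entries carrying a given objectClass, which is the usual way to get the wider scope without matching every posixAccount in the tree.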


[Samba] Re: Samba/LDAP/PDC Questions

2004-07-21 Thread Buchan Milne
| Subject:
| [Samba] Samba/LDAP/PDC Questions
| From:
| [EMAIL PROTECTED]
| Date:
| Mon, 19 Jul 2004 21:10:29 + (UTC)
| To:
| [EMAIL PROTECTED]
|
| Greetings!
|
| I created a Samba/OpenLDAP/smbldap-tools Primary Domain Controller. So far
| I am able to do the following:
| 1. Using USRMGR.EXE to administer users and groups.
| 2. Adding Windows 2000, XP workstations on the fly.
| 3. PDBEDIT/SMBLDAP-TOOLS/GQ all work as they are supposed to.
| 4. LDAP authenticates unix accounts.
|
| However, I am not able to do the following:
| 1. Cannot join an NT machine (SP6a) into the domain. It keeps
| saying that the Machine account is not available or not accessible even
| if I manually added the machine account using smbldap-useradd
| NT$.
| 2. Cannot use SRVMGR.EXE to add machine to domain. It complains
| Access Denied, though I can do other things like change the permission
| of a share etc.
| 3. Cannot join an existing domain after I configure it as a BDC
| with the PDC's SID. It complains Failed to setup BDC creds.
|
| It looks like the communication between samba and openldap is OK since I
| can manage users/groups with USRMGR.EXE. However, a few questions puzzle
| me:
| 1. In what situation do I need People group as the group for
| machines?
In the case where you use:
nss_base_passwd ou=Users,dc=ab,dc=com?one
If you use:
nss_base_passwd dc=ab,dc=com?sub
then you can have machine accounts anywhere you like under dc=ab,dc=com
Regards,
Buchan
--
Buchan Milne  Senior Support Technician
Obsidian Systems  http://www.obsidian.co.za
B.Eng RHCE (803004789010797)


Re: [Samba] Re: Samba/LDAP/PDC Questions

2004-07-21 Thread Paul Gienger

> > 1. In what situation do I need People group as the group for
> > machines?
> In the case where you use:
> nss_base_passwd ou=Users,dc=ab,dc=com?one
> If you use:
> nss_base_passwd dc=ab,dc=com?sub

Would people please stop suggesting this without explaining the 
ramifications?  If you do this, you are going to (theoretically)(1) 
severely harm the performance on your server.  Setting the nss library 
to do a search on the 'entire' directory every time it needs to look up 
user information is asinine to put it in a word.  It's like doing this 
in DNS terms... rather than looking for a machine named 
'something.else.com' in the dns servers for else.com you go ask .com who 
then goes in and asks else.com by proxy.  Doing the first example (the 
one searching with ?one) you are restricting searches to a respectable 
scope, doing the second you are searching all OUs which may be numerous 
and deep (in our LDAP tree we have 10 OUs, two of which are at least 3 
levels deep). 

You would be better served by defining ou=Computers and ou=People under 
something like ou=Accounts (which would give you DNs of
ou=Computers,ou=Accounts,dc=ab,dc=com and
ou=People,ou=Accounts,dc=ab,dc=com)

and then set:
nss_base_passwd ou=Accounts,dc=ab,dc=com?sub
Note that I'm not saying that doing a sub search is necessarily bad, 
just when you are searching your entire ldap DIT, especially for 
something that happens as often as passwd lookups.

(1) I say theoretically because I've never tried it, it's a Bad Idea(C) 
from the word go.   There are a lot of other things that I haven't tried 
that are bad ideas but I can safely say they are also dangerous, such as 
sticking forks in my eyes and jumping off cliffs.

--
Paul Gienger Office: 701-281-1884
Applied Engineering Inc. 
Information Systems Consultant   Fax:701-281-1322
URL: www.ae-solutions.com   mailto: [EMAIL PROTECTED]



[Samba] Re: Samba/LDAP/PDC Questions

2004-07-20 Thread ksun
Thank you for the response!



> > 1. In what situation do I need People group as the group for
> > machines?
>
> Always.  Until they fix the bug/design issue that is.

OK, I reconfigured smb.conf and smbldap_config.pm to Users for users, 
Groups for groups, and People for computers.

> > 2. Should the PDC itself be in the ldap backend database?
>
> I haven't found a good reason that it 'has' to in my tests.

I did join PDC to the domain using 'net rpc join -Uadministrator%secret' 
according to John H. Terpstra's Samba-3 by Example. After joining, I do 
see the PDC machine is in the ldap backend database. 

> > 3. In the /etc/ldap.conf, if I turn on the nss stuff, I cannot log
> > in to the domain anymore. It said User does not exist.
>
> Can you expand on this a bit more?  From what you've said (which isn't
> much) it almost sounds like you didn't have ldap working as the posix
> auth system before you layered on samba.

My /etc/ldap.conf is as follows:

host 127.0.0.1
base dc=ab,dc=com
# nss_base_passwd ou=Users,dc=ab,dc=com?one
# nss_base_shadow ou=Users,dc=ab,dc=com?one
# nss_base_group  ou=Group,dc=ab,dc=com?one
ssl no
pam_password md5
#

What I was trying to say is that the three nss_base lines:
   o with or without them, I can do 'getent passwd' etc with all the 
posixAccounts
   o with them uncommented, I cannot log into a domain account from an XP 
machine, though the XP machine itself joined the domain on the fly.
   [* actually I cannot login to a domain account from the XP no matter 
what after I reconfigure the PDC with People for computers *]
   So I wonder what exactly these three lines do.

   The PDC is on Fedora 2 system. I ran authconfig to enable ldap 
authentication. The pam.d is automatically configured. I am not sure it is 
using ldap_nss stuff at all.

Right now, I can join the XP machine into the domain but after reboot I 
just cannot log into domain Administrator account. The error from the XP 
is The system could not log you on, Make sure your user name and domain 
are correct, then type your password again.

From the log.xp file, I see errors. Any suggestion?

-- Kang Sun

#
[2004/07/20 14:42:38, 0] 
rpc_server/srv_pipe.c:api_pipe_netsec_process(1397)
  failed to decode PDU
[2004/07/20 14:42:38, 0] 
rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
  process_request_pdu: failed to do schannel processing.
##




Re: [Samba] Re: Samba/LDAP/PDC Questions

2004-07-20 Thread Paul Gienger
[EMAIL PROTECTED] wrote:
> Thank you for the response!


And thank you for also posting in plaintext.  That fonted stuff was 
tough to read.

> > > 2. Should the PDC itself be in the ldap backend database?
> >
> > I haven't found a good reason that it 'has' to in my tests.
>
> I did join PDC to the domain using 'net rpc join -Uadministrator%secret'
> according to John H. Terpstra's Samba-3 by Example. After joining, I do
> see the PDC machine is in the ldap backend database.
 

Nothing wrong with that...
> > > 3. In the /etc/ldap.conf, if I turn on the nss stuff, I cannot log
> > > in to the domain anymore. It said User does not exist.
> >
> > Can you expand on this a bit more?  From what you've said (which isn't
> > much) it almost sounds like you didn't have ldap working as the posix
> > auth system before you layered on samba.
   

> My /etc/ldap.conf is as follows:
>
> host 127.0.0.1
> base dc=ab,dc=com
> # nss_base_passwd ou=Users,dc=ab,dc=com?one
> # nss_base_shadow ou=Users,dc=ab,dc=com?one
> # nss_base_group  ou=Group,dc=ab,dc=com?one
> ssl no
> pam_password md5
> #
> What I was trying to say is that the three nss_base lines:
>   o with or without them, I can do 'getent passwd' etc with all the
> posixAccounts
>   o with them uncommented, I cannot log into a domain account from an XP
> machine, though the XP machine itself joined the domain on the fly.
>   [* actually I cannot login to a domain account from the XP no matter
> what after I reconfigure the PDC with People for computers *]
>   So I wonder what exactly these three lines do.
>
>   The PDC is on Fedora 2 system. I ran authconfig to enable ldap
> authentication. The pam.d is automatically configured. I am not sure it is
> using ldap_nss stuff at all.


Ok, I believe on Fedora that ou=People is the default, so when you 
uncomment these then you are changing the authentication system and nss 
to look in Users instead of People.  It is running on defaults entirely 
if these are missing.  If you are authenticating directly (ssh or ftp or 
something) that should fail as well when you have those lines enabled.

> Right now, I can join the XP machine into the domain but after reboot I
> just cannot log into domain Administrator account. The error from the XP
> is The system could not log you on, Make sure your user name and domain
> are correct, then type your password again.


Can you log in with a regular user?  Perhaps one that you know is 
configured correctly?  It sounds like your machine is added correctly or 
the error you would get would say something to the effect of 'Cannot 
find your machine account or the domain controller is unavailable.'  I'm 
sure I mangled that error, but that's the best I can remember right now.

> From the log.xp file, I see errors. Any suggestion?
> -- Kang Sun
> #
> [2004/07/20 14:42:38, 0]
> rpc_server/srv_pipe.c:api_pipe_netsec_process(1397)
>  failed to decode PDU
> [2004/07/20 14:42:38, 0]
> rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
>  process_request_pdu: failed to do schannel processing.
> ##


A lot of people have posted about schannel stuff, but I think I may have 
glossed over the end of those threads.  Anybody who actually read them 
care to chime in here? :-/

--
Paul Gienger Office: 701-281-1884
Applied Engineering Inc. 
Information Systems Consultant   Fax:701-281-1322
URL: www.ae-solutions.com   mailto: [EMAIL PROTECTED]
