Also remember the simple trick: if you want accounts where the user cannot log on, just make their shell /bin/false.
On Tue, Mar 6, 2012 at 6:18 PM, Jonathan Adams <t12nsloo...@gmail.com> wrote:
> /etc/passwd still exists for local users (root should always exist as a local user) ... ldap is additional to it (and likewise should never have root in it)
>
> zones are really straightforward,
> http://wiki.openindiana.org/oi/7.+Virtualization
>
> you just need a space you want to install the zone in (a slice of disk) and an IP address ... there are advanced things you can do if you want to use virtual nics, and we now have an OI server doing stupendous things in zones that we couldn't have done in 4 machines in the past.
>
> however, if you don't want to do zones you probably need to run "ldapclient" on the server to allow it to authenticate against the LDAP server.
>
> something like (if you use an LDAP server name, remember to put it in /etc/hosts):
>
> ldapclient manual -a domainName=dc=domain,dc=com -a preferredServerList=<LDAP Server ip/name> -a authenticationMethod=simple
>
> you may want to set the credentialLevel=proxy (if you have protection on who can see the password field of users), or to specify the defaultsearchbase ... you should be able to find out more with "man ldapclient" ...
>
> you then might need to change /etc/nsswitch.conf to have "passwd: files ldap" and "group: files ldap"
>
> make sure files comes first.
>
> you should then be able to "getent passwd administrator"
>
> Jon
>
> On 6 March 2012 12:55, IVO GELOV (CRM) <i...@crm.walltopia.com> wrote:
>> On Tue, 06 Mar 2012 12:01:21 +0200, Jonathan Adams <t12nsloo...@gmail.com> wrote:
>>
>> I am including the "samba.schema" in slapd.conf - and I have also this in LDAP:
>>
>> # Entry 1: ou=users,dc=domain,dc=com
>>
>> dn: ou=users,dc=domain,dc=com
>> objectclass: organizationalUnit
>> objectclass: top
>> ou: users
>>
>> # Entry 2: uid=administration,ou=users,dc=domain,dc=com
>> dn: uid=administration,ou=users,dc=domain,dc=com
>> cn: administration
>> gidnumber: 101
>> homedirectory: /tmp
>> objectclass: top
>> objectclass: account
>> objectclass: posixAccount
>> objectclass: sambaSamAccount
>> sambaacctflags: [UX ]
>> sambalmpassword: C4B274309D14EC00AAD3B435B51404EE
>> sambantpassword: 02ECCB1802088A4C42E17664D55819E5
>> sambasid: S-1-5-21-1-10208
>> uid: administration
>> uidnumber: 104
>> userpassword:
>>
>> I am still not familiar enough with Solaris, so zones are still a dark place for me :)
>> Maybe I am not understanding things very well. I assume that LDAP replaces /etc/passwd - i.e. instead of polluting /etc/passwd I will populate LDAP. Of the two, the latter is more convenient for me. The exact thing I want is to have only 2 UIDs and about 50 user SAMBA accounts which should map to one or the other of my 2 UIDs. These UIDs are 104 and 105 and already exist.
>> The problem is that SAMBA - or most probably Solaris itself - cannot do this mapping.
>> Issuing "getent passwd administration" gives me no output. And I do not know how to debug "getent" in order to see what is wrong .....
>>
>> So this is the issue which I need some help for :(
>>
>> PS: we do not have a Windows domain currently (please do not laugh), so I only need a workgroup mode for SAMBA.
>>
>>
>>> ok, well that's relatively straightforward ...
>>>
>>> you might want to do this in a zone on Solaris, if you're worried about polluting the passwd file because each samba user _does_ need a user on the system, if you do it in a zone then the zone can be an LDAP client and you can disable all ssh, telnet and ftp access so that people can only access their user partitions using samba.
>>>
>>> after you have the zone as an LDAP client, you need to configure the LDAP for samba and the smb.conf file.
>>>
>>> If you are brave and know your way around LDAP you can do this manually if you get the Samba LDAP Schema from the Samba source tar file ( https://www.samba.org/samba/download/ ) and load it into the LDAP server.
>>>
>>> the users you want to have access to the domain will need to have the class of "posixAccount" and "sambaSamAccount" ... and you will need to know your sambaSID ...
>>>
>>> otherwise you can look to getting smbldap tools, written in perl ( http://gna.org/projects/smbldap-tools ) essential if you are planning on having domain logons, or even look at other tools from https://wiki.samba.org/index.php/Samba_&_LDAP
>>>
>>> I'm a scripter so we have in-house tools.
>>>
>>> logging in to the first share for the first time is the hardest bit ... after that it is just setting up groups and access levels.
>>>
>>> Jon
>>>
>>
>> _______________________________________________
>> OpenIndiana-discuss mailing list
>> OpenIndiana-discuss@openindiana.org
>> http://openindiana.org/mailman/listinfo/openindiana-discuss
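The thread turns on three things lining up before "getent passwd <user>" returns anything: the LDAP entry must carry the attributes posixAccount requires, /etc/nsswitch.conf must list "files" before "ldap" for passwd and group, and Samba-only accounts should get a no-login shell so they cannot reach the box over ssh. The script below is an added example, not code from the thread or from OpenIndiana, that checks those three points offline. It goes beyond the thread by also flagging which accounts can still log in interactively. The LDIF and nsswitch.conf text are constructed sample input modelled on the entry IVO posted (with the Samba password hashes left out); the function names are this example's own.

```python
"""Added example (not from the thread): offline sanity checks for an LDAP
posixAccount entry and the nsswitch.conf ordering a Solaris/OpenIndiana
LDAP client needs before getent can resolve the user."""

# Attributes posixAccount (RFC 2307) requires; without them NSS cannot
# build a passwd(5) line for the user.
POSIX_REQUIRED = ("cn", "uid", "uidnumber", "gidnumber", "homedirectory")
# Shells that block interactive login (the /bin/false trick from the reply).
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample LDIF: entry 2 mirrors the thread's account, entry 3 is
# a made-up Samba-only account with a no-login shell.
SAMPLE_LDIF = """\
dn: ou=users,dc=domain,dc=com
objectclass: organizationalUnit
objectclass: top
ou: users

dn: uid=administration,ou=users,dc=domain,dc=com
cn: administration
gidnumber: 101
homedirectory: /tmp
objectclass: top
objectclass: account
objectclass: posixAccount
objectclass: sambaSamAccount
uid: administration
uidnumber: 104

dn: uid=share2,ou=users,dc=domain,dc=com
cn: share2
gidnumber: 101
homedirectory: /tmp
loginshell: /bin/false
objectclass: top
objectclass: posixAccount
uid: share2
uidnumber: 105
"""

# Constructed sample nsswitch.conf with the ordering the thread recommends.
SAMPLE_NSSWITCH = """\
passwd: files ldap
group: files ldap
hosts: ldap files
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attr: [values]} dicts.
    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive (the dump mixes 'objectclass' and 'posixAccount')."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():  # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def posix_problems(entry):
    """Return the posixAccount requirements an entry fails (empty if OK)."""
    problems = [a for a in POSIX_REQUIRED if a not in entry]
    for a in ("uidnumber", "gidnumber"):
        if a in entry and not entry[a][0].isdigit():
            problems.append(f"{a} not numeric")
    return problems


def nsswitch_problems(text):
    """Check that passwd and group list ldap, with files ahead of it."""
    seen = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line:
            db, _, sources = line.partition(":")
            seen[db.strip()] = sources.split()
    problems = []
    for db in ("passwd", "group"):
        srcs = seen.get(db, [])
        if "ldap" not in srcs:
            problems.append(f"{db}: ldap not listed")
        elif "files" not in srcs or srcs.index("files") > srcs.index("ldap"):
            problems.append(f"{db}: files must come before ldap")
    return problems


def audit(ldif_text, nsswitch_text):
    """Combine both checks into one report keyed by uid."""
    report = {"nsswitch": nsswitch_problems(nsswitch_text), "accounts": {}}
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "posixaccount" not in classes:
            continue  # not a Unix account (e.g. the OU), nothing to check
        # An absent loginShell still allows login (defaults to /bin/sh).
        shell = entry.get("loginshell", [""])[0]
        report["accounts"][entry["uid"][0]] = {
            "problems": posix_problems(entry),
            "can_login": shell not in NOLOGIN_SHELLS,
        }
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_LDIF, SAMPLE_NSSWITCH))
```

Run against a real dump (ldapsearch -LLL output) and the live /etc/nsswitch.conf, the report shows whether a silent getent is a schema problem, an ordering problem, or neither, which is the point where ldapclient configuration itself becomes the next thing to look at.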