On 12/29/2010 11:08, Jon Detert wrote:
Thanks, that clarifies several points, and introduces me to the
ldapsam:editposix configuration setting.

A few questions about using ldapsam:editposix :
1) Does the use of ldapsam:editposix mean that I won't need to specify the
'add user script' or 'add group script' settings?
2) how does the ldap admin dn happen to have read/write access to the
entries in the OU's shown in the wiki article ('users', 'groups', 'idmap',
and 'computers')?  Do I have to manually grant those privileges, or are they
automatically conferred somehow?
you have to grant them manually. most sane walkthroughs include a step that does this.
3) I assume that the MsWin program 'srvtools.exe' (a.k.a. 'User Manager for
Domains') will transparently make use of the ldapsam:editposix when
creating/editing/deleting users and groups.  Will the samba-provided
utility 'net rpc {user|group} {add|delete|}' do the same?

Samba ObjectClass question:
What about assigning the samba ObjectClasses to existing users that don't
have them already?  Can/should I use the smbldap-tools to do so?  If not,
any suggestions?
smbldap-usermod -a user-without-sambaSamAccount
posixAccount and posixGroup ObjectClass questions:
1) The existing users in ldap don't have the posixAccount or posixGroup
objectClasses at present.  How should I populate them?
how did you get posix users without posix accounts or posix groups?
2) Are the posixAccount uid and posixGroup gid attributes the uid and gid
that the samba config settings 'idmap uid' and 'idmap gid' refer to?  In any
case, how do I pick ranges that will work?  Do I just make sure the ranges
include every posixAccount uid and posixGroup gid that I set?

pick ranges you'll never use for automatic generation (I use 10K for posix users, so 20K is their RID range), so 10K and 20K are out. I'd be picking something like 50K, just in case I expand my userbase later.
AtDhVaAnNkCsE,

Jon

On Wed, Dec 29, 2010 at 11:05 AM, TAKAHASHI Motonobu <[email protected]> wrote:

2010/12/30 Jon Detert <[email protected]>:
How do the samba ObjectClasses and their attributes get set for new
users?
E.g. will they be set automagically if I specify the 'add
{user|group|machine} script' settings in the smb.conf?  If not, how then?
Use smbldap-tools or ldapsam:editposix parameter.
If you have already migrated LDAP users, smbldap-tools will be easy to use,
although smbldap-tools are not maintained.

There is a webpage that mentions ldapsam:editposix:
  http://wiki.samba.org/index.php/Ldapsam_Editposix

Or make scripts like smbldap-tools by yourself.

I'm confused about how/when the samba-supplied ldap schema is used (I mean
the schema that's in the samba distribution, that contains the
'sambaSamAccount' objectClass).
(snip)
Does the simple fact of specifying 'passdb backend' = ldapsam imply that
this schema is used?
Yes, Samba assumes proper schema is defined in the LDAP directory.

---
TAKAHASHI Motonobu <[email protected]>

2010/12/30 Jon Detert <[email protected]>:
Hello,

I want to use samba v3.3.x to implement an NT4/Win2k style domain:
a samba PDC and a samba BDC, using ldapsam for the 'passdb backend'.  I plan
to use RedHat Directory Server v8.2 as the ldap server.

I'm trying to sort out how user/group management and nss will work.

I'm confused about how/when the samba-supplied ldap schema is used (I mean
the schema that's in the samba distribution, that contains the
'sambaSamAccount' objectClass).

I understand that I have to add/activate the schema within my ldap server
(and that in its distributed form, it's for openLDAP, and so I have to
convert it to a syntax suitable for RedHat DirServer).

However, I don't understand how to make samba use it.

Does the simple fact of specifying 'passdb backend' = ldapsam imply that
this schema is used?

How do the samba ObjectClasses and their attributes get set for new
users?
E.g. will they be set automagically if I specify the 'add
{user|group|machine} script' settings in the smb.conf?  If not, how then?

The ldap server is already populated with inetOrgPerson information for my
user population.  I've just added the samba schema and the posixAccount
schema.  How should I populate the samba and posixAccount ObjectClasses and
attributes for the existing users?  I.e. run a one-time script to populate
them, or is there a more clever way?  If the former, are there ready-made
scripts to do this, or do I need to write my own?

Once the samba schema objects and attributes are populated, how does smbd
know about them?  Will I need to run winbind in order for samba to map posix
UIDs and GIDs to SIDs and RIDs, or will that be done automagically by virtue
of specifying that the 'passdb backend' is ldapsam, and populating the samba
schema?

Even if I don't need to run winbind, should I?  I'll need to use nss in any
case, but if I use nss_ldap, I think that the o.s. won't grok nested
groups.  If I use nss_winbind, I think it will.

AtDhVaAnNkCsE,

Jon

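Added illustration (not from any poster in this thread) of two checks the questions above call for: which existing inetOrgPerson entries still lack the posixAccount and sambaSamAccount objectClasses, and whether any hand-assigned uidNumber falls inside the range reserved for automatic idmap allocation, which the reply says must never overlap existing users. The LDIF entries, DNs, SID and the 50000-59999 range are constructed sample data; the idmap range is an assumed value, not a Samba default.

```python
"""Audit an LDIF export for Samba/posix readiness (constructed example)."""
from collections import defaultdict

REQUIRED_USER_CLASSES = {"posixAccount", "sambaSamAccount"}

# Constructed export: alice is fully populated, bob has only inetOrgPerson,
# carol has posix attributes but no Samba class and a uidNumber that lands
# inside the (assumed) idmap range.
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 1001
gidNumber: 1001
sambaSID: S-1-5-21-1-2-3-3002

dn: uid=bob,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob

dn: uid=carol,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: carol
uidNumber: 50010
gidNumber: 1001
"""

def parse_ldif(text):
    """Parse simple LDIF (no base64 values) into a list of attr -> values."""
    entries, current, last = [], defaultdict(list), None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(dict(current))
            current, last = defaultdict(list), None
        elif line.startswith(" ") and last:       # folded continuation line
            current[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            last = attr.strip()
            current[last].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries

def audit(entries, idmap_uid=(50000, 59999)):
    """Report missing classes and uidNumbers colliding with the idmap range."""
    lo, hi = idmap_uid
    report = {"missing": {}, "idmap_collisions": []}
    for e in entries:
        name = e["uid"][0]
        missing = REQUIRED_USER_CLASSES - set(e.get("objectClass", []))
        if missing:
            report["missing"][name] = sorted(missing)
        if any(lo <= int(n) <= hi for n in e.get("uidNumber", [])):
            report["idmap_collisions"].append(name)
    return report
```

Run against a real export, the "missing" list is the set of accounts to feed to smbldap-usermod -a (or to a one-off LDIF modify), and "idmap_collisions" is what forces a different 'idmap uid' range.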