On 02/12/2011 02:16 AM, J. Echter wrote:
> On 05.02.2011 10:33, J. Echter wrote:
> ...
> can nobody tell me where the accounts have to be in? is it correct that
> idmap is empty?

Juergen,

Manageability, performance and readability are the key reasons for putting group accounts into an ou=groups, and for having user accounts under ou=users, and machine accounts under another ou.

It is quite possible to store all the accounts directly off the root of the LDAP directory - it will work if everything else is configured correctly. This is certainly NOT a recommended configuration, but it can work.

You need to make sure that the "everything else" of your configuration is correct. If you do not understand how the pieces all fit together, life gets a bit challenging.

The following need to be configured:

You need to install and configure an NSS LDAP library. If you use nss_ldap (from http://www.padl.com), the configuration file (ldap.conf) must be correctly configured. This file is often located (compile time option) in /etc.

When this has been correctly configured you will see all LDAP user accounts when you execute:

    getent passwd

You should also see all LDAP group accounts when you execute:

    getent group

If these two commands do not work - you need to fix that. Samba relies on being able to resolve POSIX user and group information by simple calls to the getpwent() family of system calls.

Next, it is necessary to install and configure the toolset you want to use to maintain and manage accounts in the LDAP directory. Many people make use of the smbldap-tools package. After installation and configuration, use the appropriate tool to validate account information.
For example:

    smbldap-usershow jackb

Example:

    #> smbldap-usershow tfarmer
    dn: uid=tfarmer,ou=People,ou=Users,dc=world,dc=org
    objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
    cn: tfarmer
    sn: tfarmer
    givenName: tfarmer
    uid: tfarmer
    uidNumber: 1021
    gidNumber: 513
    homeDirectory: /users/tfarmer
    loginShell: /bin/bash
    gecos: System User
    sambaLogonTime: 0
    sambaLogoffTime: 2147483647
    sambaKickoffTime: 2147483647
    sambaPwdCanChange: 0
    displayName: tfarmer
    sambaSID: S-1-5-21-726309263-4128913645-1188186429-3042
    sambaPrimaryGroupSID: S-1-5-21-726309263-4128913645-1188186429-513
    sambaLogonScript: scripts\logon.bat
    sambaProfilePath: \\%L\profiles\tfarmer
    sambaHomePath: \\SWEVWE\tfarmer
    sambaHomeDrive: H:
    sambaAcctFlags: [U]
    sambaNTPassword: 4A9F7B6CEFB63E5733F4C44E3DD93362
    sambaPwdLastSet: 1264562105
    sambaPwdMustChange: 1268450105
    userPassword: {SSHA}XrAzItbFAgDFa6BhdffC6s+L6QEyYbBL
    shadowLastChange: 14636
    shadowMax: 45

    #> smbldap-groupshow engineers
    dn: cn=Engineers,ou=Groups,dc=world,dc=org
    objectClass: posixGroup,sambaGroupMapping
    cn: Engineers
    gidNumber: 1009
    sambaSID: S-1-5-21-726309263-4128913645-1188186429-401050
    sambaGroupType: 2
    displayName: Engineers
    description: Finely Trained Technicians
    memberUid: tfarmer,dlop,jb

It is also necessary to correctly configure Samba. Please refer to chapter 5 of the book "Samba4-ByExample" available from your local bookstore or on-line from:

    http://www.samba.org/samba/Samba3-ByExample

Chapter 5 systematically steps through the process of installation and configuration of a complete Novell SLES (OpenSUSE)-based Samba/LDAP configuration. The example is based on SLES, but it applies for the most part also for RHEL and Fedora.

Cheers,
John T.
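The getent check described in the message above can be made per-account: this added example (not part of the original post or of smbldap-tools) compares the POSIX attributes in an smbldap-usershow entry with the passwd record NSS returns for the same name. The function names are hypothetical, and the sample entry and passwd record are constructed from the tfarmer values shown in the message.

```shell
#!/bin/sh
# Added example: compare one user's LDAP attributes with the passwd record
# that NSS returns for the same name. Real use (needs the live directory):
#   check_user_nss "$(smbldap-usershow tfarmer)" "$(getent passwd tfarmer)"

# attr NAME: first value of attribute NAME in the entry held in $entry.
attr() {
    printf '%s\n' "$entry" | sed -n "s/^$1: *//p" | head -n 1
}

# compare LABEL LDAP_VALUE NSS_VALUE: report a difference, return 1 on mismatch.
compare() {
    [ "$2" = "$3" ] && return 0
    echo "MISMATCH $1: ldap='$2' nss='$3'"
    return 1
}

# check_user_nss ENTRY PASSWD_LINE: 0 when NSS agrees with LDAP, 1 otherwise.
check_user_nss() {
    entry=$1
    line=$2
    rc=0
    if [ -z "$line" ]; then
        echo "NSS returned no passwd record (check the NSS LDAP ldap.conf)"
        return 1
    fi
    # passwd record layout: name:password:uid:gid:gecos:home:shell
    IFS=: read -r n_name n_pw n_uid n_gid n_gecos n_home n_shell <<EOF
$line
EOF
    compare uid "$(attr uid)" "$n_name" || rc=1
    compare uidNumber "$(attr uidNumber)" "$n_uid" || rc=1
    compare gidNumber "$(attr gidNumber)" "$n_gid" || rc=1
    compare homeDirectory "$(attr homeDirectory)" "$n_home" || rc=1
    compare loginShell "$(attr loginShell)" "$n_shell" || rc=1
    return $rc
}

# Constructed sample: the POSIX attributes of the tfarmer entry in the message.
SAMPLE_ENTRY='dn: uid=tfarmer,ou=People,ou=Users,dc=world,dc=org
uid: tfarmer
uidNumber: 1021
gidNumber: 513
homeDirectory: /users/tfarmer
loginShell: /bin/bash'

# Constructed passwd record, in the form "getent passwd tfarmer" would print.
SAMPLE_PASSWD='tfarmer:x:1021:513:System User:/users/tfarmer:/bin/bash'

check_user_nss "$SAMPLE_ENTRY" "$SAMPLE_PASSWD" && echo "tfarmer: NSS matches LDAP"
```

A mismatch on gidNumber or an empty passwd record points at the NSS side (ldap.conf search base or filter) rather than at Samba.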
