> -----Original Message-----
> From: John H Terpstra [mailto:[EMAIL PROTECTED]
>
> There is still time for more input. Please do provide any material you
> believe may be useful to a Samba administrator. Information for novices
> and experts alike is welcome.
>
> Cheers,
> John T.

Hi,

A good LDAP base.ldif would be nice to add. Since samba changed schema in 3.0, all howto's and base.ldif's are useless or contain only half of the needed information.

Here's my LDAP base entries, for basic system with common known names and groupmappings. Where sambaSID last number (RID) is > 1000, there is the SID calculated from GID, otherwise it's set as needed for windows world.

Of course there can be a few mistakes, but it works for most needs. Users can log into domain, get authed, windows security tabs list is shown correctly. Exchange Server 5.5 is capable of using Samba domain for security and user nt accounts. Users can connect to w2k terminal server, open applications - non-admin users can use outlook (no special changes to TS needed). Users who belong to domain_admin group, have administrative power on NT/2k/XP workstations.

For LDAP administration I use LAM (LDAP Account Manager). Best tool at the moment. smbldap-tools aren't that good.

Then, nowhere in samba docs is explained sambaGroupType, for changing LDAP entries manually, it would be nice to know what they mean and what are the correct values.

AFAIK:
sambaGroupType: 2 - domain group (global group)
sambaGroupType: 5 - local group (built-in group)
what about: 1, 3, 4?

# smb.conf
ldap admin dn = cn=Manager,dc=ehk,dc=lan
ldap suffix = dc=ehk,dc=lan
ldap machine suffix = ou=Computers,dc=ehk,dc=lan
ldap user suffix = ou=Users,dc=ehk,dc=lan
# ldap group suffix, ldap idmap suffix are unspecified.

Changing "ldap group suffix" to "ou=Groups,dc=ehk,dc=lan" caused groupmapping failure.

For adding workstations to domain, I have in my smb.conf

admin users = @domain_admins

Otherwise adding to domain fails.

===================================
basics:
Users gidNumber: 221 (group users).
Users sambaPrimaryGroupSID: S-1-5-21-....-1443
===================================

dn: dc=mydomain,dc=lan
objectClass: domain
dc: MYDOMAIN

dn: ou=Groups,dc=mydomain,dc=lan
objectClass: top
objectClass: organizationalUnit
ou: Groups
description: System Groups

dn: ou=Users,dc=mydomain,dc=lan
objectClass: top
objectClass: organizationalUnit
ou: Users
description: Users of the Organization

dn: ou=Computers,dc=mydomain,dc=lan
objectClass: top
objectClass: organizationalUnit
ou: Computers
description: Windows Domain Computers

dn: ou=Domains,dc=mydomain,dc=lan
objectClass: organizationalunit
ou: Domains

dn: sambaDomainName=MYDOMAIN,ou=Domains,dc=mydomain,dc=lan
objectClass: sambaDomain
sambaDomainName: MYDOMAIN
sambaSID: S-1-5-21-1111111111-222222222-3333333333
sambaAlgorithmicRidBase: 1000

dn: cn=machines,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: machines
gidNumber: 240
description: machines
sambaSID: S-1-5-21-1111111111-222222222-3333333333-1481
sambaGroupType: 2
displayName: machines

dn: cn=domain_users,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 201
cn: domain_users
description: Windows Domain Users
sambaSID: S-1-5-21-1111111111-222222222-3333333333-513
sambaGroupType: 2
displayName: Domain Users

dn: cn=domain_guests,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 202
cn: domain_guests
description: Windows Domain Guests Users
sambaGroupType: 2
displayName: Domain Guests
sambaSID: S-1-5-21-1111111111-222222222-3333333333-514

dn: cn=users,ou=Groups,dc=mydomain,dc=lan
description: Ordinary users
description: Windows Domain Ordinary users
objectClass: sambaGroupMapping
objectClass: posixGroup
gidNumber: 221
cn: users
sambaSID: S-1-5-21-1111111111-222222222-3333333333-1443
sambaGroupType: 2
displayName: Users

dn: cn=guests,ou=Groups,dc=mydomain,dc=lan
description: Users granted guest access to the computer/domain
description: Windows Domain Users granted guest access to the computer/domain
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 222
cn: guests
memberUid: nobody
sambaSID: S-1-5-21-1111111111-222222222-3333333333-1445
sambaGroupType: 2
displayName: Guests

dn: cn=power_users,ou=Groups,dc=mydomain,dc=lan
description: Members can share directories and printers
description: Windows Domain Members can share directories and printers
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 223
cn: power_users
sambaSID: S-1-5-21-1111111111-222222222-3333333333-1447
sambaGroupType: 2
displayName: Power Users

dn: cn=account_operators,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 224
cn: account_operators
description: Windows Domain Users to manipulate users accounts
displayName: Account Operators
sambaSID: S-1-5-32-1449
sambaGroupType: 5

dn: cn=server_operators,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 225
cn: server_operators
description: Windows Domain Server Operators
displayName: Server Operators
sambaSID: S-1-5-32-1541
sambaGroupType: 5

dn: cn=print_operators,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 226
cn: print_operators
description: Windows Domain Print Operators
displayName: Print Operators
sambaSID: S-1-5-32-1453
sambaGroupType: 5

dn: cn=backup_operators,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 227
cn: backup_operators
description: Windows Domain Members can bypass file security to back up files
displayName: Backup Operators
sambaSID: S-1-5-32-1455
sambaGroupType: 5

dn: cn=replicator,ou=Groups,dc=mydomain,dc=lan
description: Supports file replication in a domain
description: Windows Domain Supports file replication in a domain
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 228
cn: replicator
sambaSID: S-1-5-21-1111111111-222222222-3333333333-1457
sambaGroupType: 2
displayName: Replicator

dn: cn=enterprise_admins,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: enterprise_admins
gidNumber: 203
sambaGroupType: 2
displayName: Enterprise Admins
sambaSID: S-1-5-21-1111111111-222222222-3333333333-519

dn: cn=domain_admins,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 200
cn: domain_admins
sambaSID: S-1-5-21-1111111111-222222222-3333333333-512
sambaGroupType: 2
displayName: Domain Admins

dn: cn=administrators,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: administrators
gidNumber: 220
sambaGroupType: 5
displayName: Administrators
description: Local Unix group
sambaSID: S-1-5-32-1441

===================================

PS. Since the unicode was fixed, samba 3.0 works like a charm.

Best regards,
Rauno Tuul.

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
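
The message says that group RIDs above 1000 are calculated from the GID. As an added example (not part of the original message), the Python check below assumes Samba 3's algorithmic group mapping, RID = gid * 2 + sambaAlgorithmicRidBase + 1, which posted values such as gid 221 and RID 1443 follow, and reports group entries whose RID deviates from it. The function names are illustrative.

```python
# Three group entries excerpted from the LDIF in the message above
# (attributes trimmed to the ones this check reads).
SAMPLE_LDIF = """\
dn: cn=domain_users,ou=Groups,dc=mydomain,dc=lan
gidNumber: 201
sambaSID: S-1-5-21-1111111111-222222222-3333333333-513

dn: cn=users,ou=Groups,dc=mydomain,dc=lan
gidNumber: 221
sambaSID: S-1-5-21-1111111111-222222222-3333333333-1443

dn: cn=server_operators,ou=Groups,dc=mydomain,dc=lan
gidNumber: 225
sambaSID: S-1-5-32-1541
"""

def parse_entries(ldif):
    """Parse simple LDIF (no folded lines, no base64 values) into dicts."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry.setdefault(key.strip(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def gid_to_group_rid(gid, rid_base=1000):
    """Assumed Samba 3 algorithmic group mapping: gid * 2 + rid_base + 1."""
    return gid * 2 + rid_base + 1

def check_group_rids(ldif, rid_base=1000):
    """Return (dn, rid_found, rid_expected) for RIDs above rid_base that miss the mapping."""
    mismatches = []
    for e in parse_entries(ldif):
        if "gidNumber" not in e or "sambaSID" not in e:
            continue
        rid = int(e["sambaSID"][0].rsplit("-", 1)[1])
        expected = gid_to_group_rid(int(e["gidNumber"][0]), rid_base)
        if rid > rid_base and rid != expected:  # <= base: hand-assigned RID
            mismatches.append((e["dn"][0], rid, expected))
    return mismatches

if __name__ == "__main__":
    for dn, rid, expected in check_group_rids(SAMPLE_LDIF):
        print(f"{dn}: RID {rid}, mapping gives {expected}")
```

On the excerpt it reports cn=server_operators, whose RID 1541 differs from the 1451 the mapping gives for gid 225.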
