Check out... http://sapiens.wustl.edu/~sysmain/info/openldap/openldap_configure.html
for starters. Unless LDAP is configured properly nothing else will work.
Then go to this one http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html

Marcus O.

On Mon, 2004-04-12 at 12:33, John Schmerold wrote:
> Wim,
>
> Thanks for this information. Later this week, I'm scheduled to attempt
> installation of SAMBA+LDAP using the by Example book. I'll let you know
> how it goes. The by Example books seem better than the How-To in terms
> of practical information needed to get a server up and running. The only
> problem with the by Example book is that it's a bit long. In addition,
> it does the same thing every other Linux book does, that is it goes into
> detail about too many approaches to doing things. When I searched for
> the word Linux on Amazon, I came up with 3,735 books. I wish one of them
> specifically outlined how to do what I want done, that is a book that
> helps me configure a SBS (Microsoft Small Business Server) replacement.
>
> I may be missing something, but in essence it would be a series of books:
>
> Replacing SBS with Linux (second edition):
> 1. Download & install Fedora
> 2. Install LDAP and configure for use with SAMBA & postfix
> 3. Download & install Samba
> 4. Download & install postfix/courier/squirrelmail
> 5. Download & install ClamAV/Spam Assassin/TDMA
> 6. Download & install Apache
> 7. Keeping system up to date with YUM
> 8. Appendix 1 - Updating first edition of this book
>
> Replacing linksys with Linux
> 1. Configuring netfilter
> 2. Configuring VPN - Server
> 3. Configuring VPN - Client
> 4. Download & install dansguardian.
> 5. Configure PPPOE
>
> There could be different books for different distributions. Most people
> reading (myself included) don't care about many of the decisions. For
> example I don't care about Fedora vs SUSE vs Debian, I am going with
> Fedora at this time because I wanted ACLs found in Kernel 2.6. I don't
> care about Courier vs Dovecot.
> I do care about LDAP because this is the
> holy grail of system administration, with LDAP, you can have a central
> addressbook / account store etc just like NWAdmin or Domain manager.
>
> John
>
> Wim Bakker wrote:
>
> > A couple of days ago I decided that I needed a samba and ldap
> > setup. After reading the samba mailing list, specifically the
> > thread "Re: [Samba] Samba and LDAP backend - howto docs problems?"
> > I decided to buy the "Official Samba-3 HowTo and Reference Guide"
> > (the Samba-3 By Example mentioned in that thread wasn't available
> > in my bookstore and they couldn't order it for me either), expecting
> > to find a workable example for a setup, as I made out more or less
> > from the remarks in that thread there would be, chapter 2 specifically.
> > That chapter has an example (page 26) but I wouldn't recommend to
> > actually use it, it's very limited and inaccurate, lacks information
> > on what more is needed, which additional system packages etc. It says
> > in the beginning that a functioning OS is assumed, but that's rather
> > vague on what a functioning OS implies. From page 136 on there are
> > some more examples of the ldap pwdbackend, but hardly sufficient.
> > http://www.unav.es/cti/ldap-smb-howto.html contains some sketchy
> > info on how to get samba-3 and ldap working, but that document seems
> > to be incomplete and transitioning from samba-2 to samba-3.
> > One of the posters on the aforementioned thread remarked that an accurate,
> > complete, detailed config file is a great help for learning to grasp
> > what has to be done and how things work together. I agree, and following
> > are the steps I took to get a working samba-3 + ldap install. I hardly know
> > anything of linux or samba, let alone ldap, but from the mailing list
> > I understood that the following is necessary:
> >
> > A goal:
> > get samba + ldap on slackware 9.1 with support for acl's in a usable
> > state working.
> >
> > The means:
> > slackware-9.1
> > acl-2.2.22.src.tar.gz
> > attr-2.4.14.src.tar.gz
> > ea+acl+nfsacl+sec-2.4.24-0.8.69.diff.gz
> > linux-2.4.24.tar.gz
> > coreutils-5.0-attr+acl.tar.gz
> > nss_ldap.tgz
> > pam_ldap.tgz
> > perl-5.8.3.tar.gz
> > openldap-2.1.19.tgz
> > ldap-account-manager_0.4.5.tar.gz
> > Linux-PAM-0.77.tar.bz2
> > openssl-0.9.7d.tar.gz
> > db-4.2.52.tar.gz
> > samba-3.0.2a.tar.gz
> > smbldap-tools-0.8.4.tgz
> >
> > I made the following install and configs, I don't know
> > how correct or secure or unnecessary they were, in the end
> > I had a complete and correctly functioning ldap + samba setup
> > that was usable. It was especially frustrating to get the TLS connection
> > working, it kept failing with the following error:
> > TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1052
> > samba and ldap run on the same server. Besides the documented config
> > for slapd (/etc/openldap/slapd.conf):
> > TLSCertificateFile /etc/ssl/certs/smb.ahm.nl.pem
> > TLSCertificateKeyFile /etc/ssl/keys/smb.ahm.nl.key
> > TLSCACertificateFile /etc/ssl/certs/ca.pem
> > it is also quite important that ldap knows how to verify
> > (/etc/ldap.conf, symlink to /etc/openldap/ldap.conf):
> > TLS_CACERT /etc/ssl/certs/ca.pem
> > Maybe the documentation that exists mentions it, but I couldn't
> > find it.
> > http://www.idealx.org/prj/samba/smbldap-tools.en.html was eventually
> > fairly helpful to get things right, including the initial populating
> > of the ldap database. Their site mentions two config files in
> > /etc/smbldap-tools, but I think that configuration is overruled by
> > the file /usr/lib/perl5/site_perl/5.8.3/smbldap_conf.pm, which contains
> > the same info as those config files. I moved the /etc/smbldap-tools away
> > and everything still worked correctly with the parameters from
> > /usr/lib/perl5/site_perl/5.8.3/smbldap_conf.pm.
> > Also, I don't think pam_ldap is necessary if you don't have linux users.
> > Anyway, if the following example had been in the howto, I wouldn't
> > have wasted 4 days figuring out what was wrong/incomplete with the current
> > example in the howto book, but could have spent that time figuring out what
> > it all means. Everything comes from various websites, but there is no site
> > where it is complete in one place.
> >
> > -slackware 9.1
> > standard installation without samba and ldap etc. only basic + compiler + cups.
> >
> > -openssl-0.9.7d
> > ./config --prefix=/usr --openssldir=/etc/ssl shared zlib ; make ; make install
> >
> > -perl-5.8.3
> > built with prefix=/usr, defaults accepted.
> > perl -MCPAN -e 'shell'
> > install Bundle::CPAN
> > (chose follow for dependencies)
> > install Net::LDAP
> > install Net::SSLeay
> > install IO::Socket::SSL
> >
> > Net::SSLeay failed because of out of memory
> > during tcp tests (I built everything on a dual P233 MMX
> > with 104Mb of edo-ram), but manually it installed fine.
> >
> > -Linux-PAM-0.77
> > ./configure --prefix=/ --includedir=/usr/include --mandir=/usr/share/man \
> > --libexecdir=/usr/libexec --datadir=/usr/share --sysconfdir=/etc \
> > --localstatedir=/var --infodir=/usr/share/info \
> > --sharedstatedir=/usr/share/com
> > make install.
> >
> > /etc/pam.d/passwd:
> > password required pam_cracklib.so
> > password sufficient pam_ldap.so
> > password sufficient pam_unix.so
> > password required pam_deny.so
> >
> > /etc/pam.d/login:
> > auth required pam_nologin.so
> > auth sufficient pam_ldap.so
> > auth sufficient pam_unix.so shadow use_first_pass
> > auth required pam_deny.so
> > account sufficient pam_unix.so
> > account sufficient pam_ldap.so
> > account required pam_deny.so
> >
> > /etc/pam.d/system-auth:
> > auth required /lib/security/pam_env.so
> > auth sufficient /lib/security/pam_unix.so likeauth nullok
> > auth sufficient /lib/security/pam_ldap.so use_first_pass
> > auth required /lib/security/pam_deny.so
> > account required /lib/security/pam_unix.so
> > account sufficient /lib/security/pam_ldap.so
> > password required /lib/security/pam_cracklib.so retry=3 type=
> > password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
> > password sufficient /lib/security/pam_ldap.so use_authtok
> > password required /lib/security/pam_deny.so
> > session required /lib/security/pam_limits.so
> > session required /lib/security/pam_unix.so
> > session optional /lib/security/pam_ldap.so
> >
> > -db-4.2.52
> > ../dist/configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
> > --enable-compat185 --enable-cxx
> > make and make install
> >
> > -openldap-2.1.x
> > ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
> > --enable-passwd --enable-perl --enable-shell --enable-crypt --enable-rewrite \
> > --enable-ldap --enable-slapd --enable-dnssrv --enable-monitor \
> > --enable-shared; make depend ; make ; make install
> >
> > -nss_ldap and pam_ldap
> > ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-shared
> > make install
> > /etc/nsswitch.conf:
> > passwd: files ldap
> > shadow: files ldap
> > group: files ldap
> > /etc/pam_ldap.conf:
> > uri ldap://smb.ahm.nl/
> > base dc=ahm,dc=nl
> > pam_password exop
> > ------------------------
> > TLS certs:
> > % cd /etc/ssl
> > % ./misc/CA.sh -newca
> > CA certificate filename (or enter to create) <enter>
> >
> > etc...
> > -----
> > Country Name (2 letter code) [AU]:NL
> > State or Province Name (full name) [Some-State]:Noordholland
> > Locality Name (eg, city) []:Amsterdam
> > Organization Name (eg, company) [Internet Widgits Pty Ltd]:AHM
> > Organizational Unit Name (eg, section) []:Suckers from Hell
> > Common Name (eg, YOUR name) []:smb.ahm.nl
> > Email Address []:.
> > %
> > This creates demoCA/cacert.pem and demoCA/private/cakey.pem (CA cert and
> > private key).
> >
> > Make your server certificate signing request (CSR):
> >
> > % openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
> > Country Name (2 letter code) [AU]:NL
> > State or Province Name (full name) [Some-State]:Noordholland
> > Locality Name (eg, city) []:Amsterdam
> > Organization Name (eg, company) [Internet Widgits Pty Ltd]:AHM
> > Organizational Unit Name (eg, section) []:Suckers from Hell
> > Common Name (eg, YOUR name) []:smb.ahm.nl
> > Email Address []:[EMAIL PROTECTED]
> >
> > A challenge password []: <pass>
> > An optional company name []:.
> > % etc....
> >
> > The result is newreq.pem.
> >
> > Have the CA sign the CSR:
> >
> > % ./misc/CA.sh -sign
> > Using configuration from /etc/ssl/openssl.cnf
> > Enter PEM pass phrase: <ca pass>
> >
> > Certificate is to be certified until Apr 10 18:58:58 2004 GMT (365 days)
> > Sign the certificate? [y/n]:y
> >
> > 1 out of 1 certificate requests certified, commit? [y/n]y
> > Write out database with 1 new entries
> > Data Base Updated
> > Certificate:
> > etc....
> >
> > Signed certificate is in newcert.pem
> > %
> >
> > This creates newcert.pem (the server certificate signed by the CA); the
> > private key is in newreq.pem.
> > Now the certificates can be moved to the desired certificate repository and
> > renamed.
> >
> > % cp demoCA/cacert.pem /etc/ssl/certs/ca.pem
> > % mv newcert.pem /etc/ssl/certs/smb.ahm.nl.pem
> > % mv newreq.pem /etc/ssl/keys/smb.ahm.nl.key
> > % chmod 400 /etc/ssl/keys/smb.ahm.nl.key
> > ------------------
> > slappasswd -v -s secret:
> > {SSHA}O/K3UXbzgy6wmx+wx7hEuTn0MJTeOACw
> >
> > /etc/openldap/slapd.conf:
> > #
> > # See slapd.conf(5) for details on configuration options.
> > # This file should NOT be world readable.
> > #
> > include /etc/openldap/schema/core.schema
> > include /etc/openldap/schema/cosine.schema
> > include /etc/openldap/schema/nis.schema
> > include /etc/openldap/schema/inetorgperson.schema
> > include /etc/openldap/schema/samba.schema
> > pidfile /var/run/slapd.pid
> > argsfile /var/run/slapd.args
> > TLSCertificateFile /etc/ssl/certs/smb.ahm.nl.pem
> > TLSCertificateKeyFile /etc/ssl/keys/smb.ahm.nl.key
> > TLSCACertificateFile /etc/ssl/certs/ca.pem
> > TLSCipherSuite EXPORT56
> > database bdb
> > suffix "dc=ahm,dc=nl"
> > rootdn "cn=Manager,dc=ahm,dc=nl"
> > rootpw {SSHA}O/K3UXbzgy6wmx+wx7hEuTn0MJTeOACw
> > directory /var/openldap-data
> > cachesize 40000
> > index cn,sn,uid,displayName pres,sub,eq
> > index uidNumber,gidNumber eq
> > index sambaSID eq
> > index sambaPrimaryGroupSID eq
> > index sambaDomainName eq
> > index default sub
> > index memberUid eq
> > index objectClass eq
> > access to dn=".*,dc=ahm,dc=nl"
> >         by self write
> >         by * read
> >
> > -------------------------
> > /etc/ldap.conf:
> > # LDAP Defaults
> > #
> > host 10.0.0.20
> > # See ldap.conf(5) for details
> > # This file should be world readable but not world writable.
> > BASE dc=ahm,dc=nl
> > #URI ldap://smb.ahm.nl
> > nss_base_passwd dc=ahm,dc=nl?sub
> > nss_base_shadow dc=ahm,dc=nl?sub
> > nss_base_group dc=ahm,dc=nl?one
> > ssl no
> > pam_passwd md5
> > TLS_CACERT /etc/ssl/certs/ca.pem
> > ------------------------------
> >
> > -acl-2.2.x and attr-2.4.x from sgi and kernel patches from bestbits.
> > Build kernel with acl support etc. and libraries.
> > Patched and rebuilt the coreutils after that also.
> > Mount filesystems with acl,user_xattr options to have it work (ext2,ext3).
> >
> > -samba-3.0.2a
> > ./configure --with-automount --with-smbmount --with-acl-support \
> > --with-libsmbclient --with-configdir=/etc/samba \
> > --with-logfilebase=/var/log/samba --with-privatedir=/etc/samba/private \
> > --with-lockdir=/var/lock/samba --with-piddir=/var/run --enable-cups \
> > --with-ldap ; make install
> >
> > /etc/samba/smb.conf:
> > [global]
> >         workgroup = AHM
> >         netbios name = LAVIE
> >         server string = Samba PDC running %v
> >         passdb backend = ldapsam:ldap://localhost
> >         username map = /etc/samba/smbusers
> >         encrypt passwords = Yes
> >         update encrypted = Yes
> >         socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
> >         add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> >         add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> >         add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> >         add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> >         delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
> >         set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
> >         logon script = logon.bat
> >         logon path = \\%L\profiles\%U
> >         logon drive = H:
> >         logon home = \\%L\%U\.profile
> >         domain logons = Yes
> >         os level = 255
> >         preferred master = Yes
> >         domain master = Yes
> >         local master = Yes
> >         wins support = Yes
> >         ldap suffix = dc=ahm,dc=nl
> >         ldap machine suffix = ou=Computers
> >         ldap user suffix = ou=People
> >         ldap group suffix = ou=Groups
> >         ldap idmap suffix = ou=People
> >         ldap admin dn = "cn=Manager,dc=ahm,dc=nl"
> >         ldap ssl = start_tls
> >         ldap passwd sync = yes
> >         ldap delete dn = Yes
> >         idmap uid = 15000-20000
> >         idmap gid = 15000-20000
> >         winbind separator = +
> >
> > Still not sure what idmap uid and gid now exactly do, but the
> > entries don't seem to be harmful up till now. The reference
> > guide and howto explain it (page 151), but I don't understand
> > that explanation or its implication. It doesn't seem to influence
> > the UID_START GID_START parameters of the smbldap_tools or prevent
> > the correct working of the net command, so I suppose it's ok to have
> > them there.
> > ----------------------
> > smbldap-tools.
> > extracted to /usr/local/sbin
> > moved smbldap_conf.pm and smbldap_tools.pm
> > to /usr/lib/perl5/site_perl/5.8.3/
> > built mkntpwd and moved to /usr/local/sbin.
> > -------------------
> > smbldap_conf.pm variables:
> > $UID_START = 1000;
> > $GID_START = 1000;
> > # to obtain this number do: "net getlocalsid"
> > $SID = "S-1-5-21-4269728302-1655870493-3894479995";
> > $slaveLDAP = "127.0.0.1";
> > $slavePort = "389";
> >
> > # Master LDAP : needed for write operations
> > # Ex: $masterLDAP = "127.0.0.1";
> > $masterLDAP = "127.0.0.1";
> > $masterPort = "389";
> >
> > # Use SSL for LDAP
> > # If set to "1", this option will use start_tls for connection
> > # (you should also use port 389)
> > $ldapSSL = "1";
> > $suffix = "dc=ahm,dc=nl";
> > $usersou = q(People);
> > $usersdn = "ou=People,$suffix";
> > $computersou = q(Computers);
> > $computersdn = "ou=Computers,$suffix";
> > $groupsou = q(Groups);
> > $groupsdn = "ou=Groups,$suffix";
> > $scope = "sub";
> > $hash_encrypt = "SSHA";
> > $binddn = "cn=Manager,$suffix";
> > $bindpasswd = "secret";
> > $slaveDN = $binddn;
> > $slavePw = $bindpasswd;
> > $masterDN = $binddn;
> > $masterPw = $bindpasswd;
> > $_userLoginShell = q(/bin/false);
> > $_userHomePrefix = q(/shares/home);
> > $_userGecos = q(System User);
> > $_defaultUserGid = 513;
> > $_defaultComputerGid = 553;
> > $_skeletonDir = q(/etc/skel);
> > $_defaultMaxPasswordAge = 45;
> >
> > $_userSmbHome = q(\\\\LAVIE\\homes);
> > $_userProfile = q(\\\\LAVIE\\profiles\\);
> > $_userHomeDrive = q(H:);
> > $_userScript = q(startup.cmd); # make sure script file is edited under dos
> > $with_smbpasswd = 0;
> > $smbpasswd = "/usr/local/samba/bin/smbpasswd";
> > $mk_ntpasswd = "/usr/local/sbin/mkntpwd";
> > $slaveURI = "ldap://$slaveLDAP:$slavePort";
> > $masterURI = "ldap://$masterLDAP:$masterPort";
> >
> > $ldap_path = "/usr/bin";
> >
> > if ( $ldapSSL eq "0" ) {
> >     $ldap_opts = "-x";
> > } elsif ( $ldapSSL eq "1" ) {
> >     $ldap_opts = "-x -Z";
> > } else {
> >     die "ldapSSL option must be either 0 or 1.\n";
> > }
> > $ldapmodify = "$ldap_path/ldapmodify $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'";
> >
> > 1;
> >
> > # - The End
> > # I think the $_userSmbHome and the $_userProfile should be
> > # q(\\\\LAVIE\\$user) and q(\\\\LAVIE\\profiles\\$user) resp.
> > # with the lam webinterface that gets correct.
> > -----------------------------------
> >
> > Now starting /usr/libexec/slapd and /usr/local/samba/sbin/nmbd and
> > /usr/local/samba/sbin/smbd.
> >
> > run:
> > % smbpasswd -w secret
> > Setting stored password for "cn=Manager,dc=ahm,dc=nl" in secrets.tdb
> >
> > running smbldap_populate.pl fills ldap with the first initial
> > entries:
> > dn: sambaDomainName=AHM,dc=ahm,dc=nl
> > sambaDomainName: AHM
> > sambaSID: S-1-5-21-4269728302-1655870493-3894479995
> > sambaAlgorithmicRidBase: 1000
> > objectClass: sambaDomain
> > sambaNextUserRid: 41000
> > sambaNextGroupRid: 41001
> > structuralObjectClass: sambaDomain
> > entryUUID: 02deaf3c-2013-1028-860e-bb5268b7f8fd
> > creatorsName: cn=Manager,dc=ahm,dc=nl
> > createTimestamp: 20040411144816Z
> > entryCSN: 2004041114:48:16Z#0x0001#0#0000
> > modifiersName: cn=Manager,dc=ahm,dc=nl
> > modifyTimestamp: 20040411144816Z
> > etc...
> >
> > added to /etc/group:
> > wheel:x:512:root,administrator
> > smbusers:x:513:
> > smbguests:x:514:
> > exact:x:1000:
> >
> > net groupmap list:
> > Domain Admins (S-1-5-21-4269728302-1655870493-3894479995-512) -> wheel
> > Domain Users (S-1-5-21-4269728302-1655870493-3894479995-513) -> smbusers
> > Domain Guests (S-1-5-21-4269728302-1655870493-3894479995-514) -> smbguests
> > exact (S-1-5-21-4269728302-1655870493-3894479995-3001) -> exact
> >
> > smbldap-groupshow.pl exact:
> > dn: cn=exact,ou=Groups,dc=ahm,dc=nl
> > objectClass: posixGroup,sambaGroupMapping
> > cn: exact
> > gidNumber: 1000
> > sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3001
> > sambaGroupType: 4
> > memberUid: gerrit,piet
> >
> > net rpc group LIST global -U administrator
> > Password:
> > Domain Admins
> > Domain Users
> > Domain Guests
> > Administrators
> > users
> > Guests
> > Power Users
> > Account Operators
> > Server Operators
> > Print Operators
> > Backup Operators
> > Replicator
> > Domain Computers
> >
> > smbldap-useradd.pl -a -G 'Domain Admins' -d /shares/home/thadeus -s /bin/false \
> > -P -F '\\LAVIE\profiles\thadeus' -s 'Hermitage' -m -N "Thadeus Hermitage" \
> > -C '\\LAVIE\thadeus' thadeus :
> > adds thadeus to the domain admins and the domain users:
> > dn: uid=thadeus,ou=People,dc=ahm,dc=nl
> > objectClass: top
> > objectClass: inetOrgPerson
> > objectClass: posixAccount
> > objectClass: sambaSamAccount
> > cn: Thadeus Hermitage
> > sn: Hermitage
> > uid: thadeus
> > uidNumber: 1004
> > gidNumber: 513
> > homeDirectory: /shares/home/thadeus
> > loginShell: /bin/false
> > gecos: System User
> > description: System User
> > structuralObjectClass: inetOrgPerson
> > entryUUID: e3926754-20cb-1028-9934-bb74a2f96abc
> > creatorsName: cn=Manager,dc=ahm,dc=nl
> > createTimestamp: 20040412125141Z
> > sambaLogonTime: 0
> > sambaLogoffTime: 2147483647
> > sambaKickoffTime: 2147483647
> > sambaPwdCanChange: 0
> > displayName: System User
> > sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3008
> > sambaPrimaryGroupSID: S-1-5-21-4269728302-1655870493-3894479995-513
> > sambaHomeDrive: H:
> > sambaLogonScript: startup.cmd
> > sambaProfilePath: \\LAVIE\profiles\thadeus
> > sambaHomePath: \\LAVIE\thadeus
> > sambaLMPassword: 4411488B6354F2B8AAD3B435B51404EE
> > sambaAcctFlags: [U]
> > sambaNTPassword: 7E07C8CA84F5765D8B5DFCF7AC5CEE04
> > sambaPwdLastSet: 1081774312
> > sambaPwdMustChange: 1085662312
> > userPassword:: e1NTSEF9R1FkakxPN1Bhc09OaEJQOXF5ZkNFN0dkOTBtTy96YjM=
> > entryCSN: 2004041212:51:52Z#0x0002#0#0000
> > modifiersName: cn=Manager,dc=ahm,dc=nl
> > modifyTimestamp: 20040412125152Z
> >
> > and:
> > dn: cn=Domain Admins,ou=Groups,dc=ahm,dc=nl
> > objectClass: posixGroup
> > objectClass: sambaGroupMapping
> > gidNumber: 512
> > cn: Domain Admins
> > memberUid: Administrator
> > memberUid: thadeus
> > description: Netbios Domain Administrators
> > sambaSID: S-1-5-21-4269728302-1655870493-3894479995-512
> > sambaGroupType: 2
> > displayName: Domain Admins
> > structuralObjectClass: posixGroup
> > entryUUID: 72f46890-2011-1028-8600-bb5268b7f8fd
> > creatorsName: cn=Manager,dc=ahm,dc=nl
> > createTimestamp: 20040411143705Z
> > entryCSN: 2004041212:51:42Z#0x0001#0#0000
> > modifiersName: cn=Manager,dc=ahm,dc=nl
> > modifyTimestamp: 20040412125142Z
> >
> > ls -l /shares/home:
> > drwx------+ 2 gerrit smbusers 4096 Apr 11 19:01 gerrit
> > drwx------+ 2 hornie smbusers 4096 Apr 12 16:40 hornie
> > drwx------+ 2 krelis smbusers 4096 Apr 11 20:58 krelis
> > drwx------+ 2 thadeus smbusers 4096 Apr 12 14:51 thadeus
> >
> > The only necessity is still to add manually the groups
> > for groupmapping to /etc/group, otherwise the users can't access the
> > shares that are accessible for groups. I thought it would be
> > enough to add the group smbusers to ldap with the same gid as
> > "Domain Users" and that the entry in nsswitch.conf: group: files ldap,
> > would do the rest, but that is not the case, though it is for users.
> > Don't understand why or how.
> >
> > smbldap-groupadd.pl has the option -t, which is the grouptype, apparently
> > this can take the following types, domain, local and builtin, which will
> > be the sambaGroupType's 2, 4 and 5 which refer to, I think, the windows
> > types:
> >     SID_NAME_USE_NONE = 0, /* NOTUSED */
> >     SID_NAME_USER = 1,     /* user */
> >     SID_NAME_DOM_GRP = 2,  /* domain group */
> >     SID_NAME_DOMAIN = 3,   /* domain: don't know what this is */
> >     SID_NAME_ALIAS = 4,    /* local group */
> >     SID_NAME_WKN_GRP = 5,  /* well-known group */
> >     SID_NAME_DELETED = 6,  /* deleted account: needed for c2 rating */
> >     SID_NAME_INVALID = 7,  /* invalid account */
> >     SID_NAME_UNKNOWN = 8   /* oops. */
> > as found on one of the websites.
> > What one should choose when creating a group is not clear to me, I suppose
> > that type 2 is a windows domain group, visible with windows tools and
> > needs to be mapped to a unix group with the same gid to function.
> > Type 4 is a local unix group and has no groupmapping but exists in the
> > ldap database and in /etc/group with the same gid. Type 5 is a riddle.
> > Hope this helps getting samba + ldap up and running a little faster
> > than I did.
> >
> > WB
>
> --
> John Schmerold
> Katy Computer Systems, Inc
> 20 Meramec Station Rd
> Valley Park MO 63088
> 314-316-9000 v
> 775-227-6947 f

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
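The slapd.conf quoted in Wim's message grants `by * read` on every entry under dc=ahm,dc=nl, and the LDIF dumps further down show what that hands to an anonymous bind: userPassword, sambaLMPassword and sambaNTPassword for every account. The script below is an added example, not code from the post or from OpenLDAP or Samba. It contains a small evaluator for slapd.conf `access to` directives covering the subset of the syntax that appears on this page (`dn=` / `dn.regex=` / `dn.subtree=` targets, `attrs=`, and the `self`, `users`, `anonymous` and `*` subjects, first matching directive and first matching `by` win, implicit `by * none` at the end of a directive, and slapd's default of `access to * by * read` when nothing matches), runs it against the posted ACL and against a hardened replacement written here, and reports what an unauthenticated client may read. The entry DN and the hardened ACL text are constructed for the example.

```python
"""Audit slapd.conf access directives for exposure of password attributes.

Added example; not from the mailing-list post or from OpenLDAP/Samba.
POSTED_ACL reproduces the ACL in the post, HARDENED_ACL is written here.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SECRET_ATTRS = ("userPassword", "sambaNTPassword", "sambaLMPassword")
LEVELS = ["none", "auth", "compare", "search", "read", "write"]   # slapd privilege order

POSTED_ACL = """
access to dn=".*,dc=ahm,dc=nl"
        by self write
        by * read
"""

# Constructed hardening: only the owner may write the password attributes,
# anonymous may use them for a simple bind (auth) but never read them,
# everything else stays readable so nss_ldap lookups keep working.
HARDENED_ACL = """
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
"""


@dataclass
class Clause:
    target_dn: Optional[str]                 # regex matched against the entry DN; None for "*"
    attrs: Optional[Set[str]]                # None means every attribute
    by: List[Tuple[str, str]] = field(default_factory=list)


def parse_acl(text: str) -> List[Clause]:
    """Parse 'access to <what> by <who> <level> ...' directives, joining continuation lines."""
    stmts: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access "):
            stmts.append(line)
        elif stmts:
            stmts[-1] += " " + line
    clauses = []
    for stmt in stmts:
        head, *by_parts = re.split(r"\s+by\s+", stmt)
        target = head[len("access to"):].strip()
        clause = Clause(target_dn=None, attrs=None)
        for tok in re.findall(r'\*|\w+(?:\.\w+)?=(?:"[^"]*"|\S+)', target):
            if tok == "*":
                continue
            key, val = tok.split("=", 1)
            val = val.strip('"')
            if key in ("dn", "dn.regex"):
                clause.target_dn = val
            elif key == "dn.subtree":
                clause.target_dn = r"(.+,)?" + re.escape(val) + "$"
            elif key in ("attrs", "attr"):
                clause.attrs = set(val.split(","))
        for part in by_parts:
            who, level = part.split()[:2]
            clause.by.append((who, level))
        clauses.append(clause)
    return clauses


def anonymous_access(clauses: List[Clause], entry_dn: str, attr: str) -> str:
    """Privilege an unauthenticated client gets on one attribute of one entry."""
    for c in clauses:
        if c.target_dn is not None and not re.match(c.target_dn, entry_dn):
            continue
        if c.attrs is not None and attr not in c.attrs:
            continue
        for who, level in c.by:
            if who in ("anonymous", "*"):        # self, users, dn=... never match anonymous
                return level
        return "none"                            # directive matched, no 'by' matched: denied
    return "read"                                # slapd's built-in default: access to * by * read


def exposed_secret_attrs(acl_text: str, entry_dn: str = "uid=thadeus,ou=People,dc=ahm,dc=nl") -> Dict[str, str]:
    clauses = parse_acl(acl_text)
    return {a: anonymous_access(clauses, entry_dn, a) for a in SECRET_ATTRS}


def is_exposed(acl_text: str) -> bool:
    """True when any password attribute is at least readable anonymously."""
    return any(LEVELS.index(lvl) >= LEVELS.index("read") for lvl in exposed_secret_attrs(acl_text).values())


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("hardened", HARDENED_ACL)):
        print(name, exposed_secret_attrs(acl), "EXPOSED" if is_exposed(acl) else "ok")
```

The hardened version keeps `by * read` on the rest of the entry because the posted /etc/ldap.conf has no bind DN, so the `passwd: files ldap` lookups from nss_ldap are anonymous binds and would break under `by anonymous auth` on everything; it keeps `by self write` on the password attributes so `pam_password exop` can still change them. Samba's own writes go through `ldap admin dn`, which is the rootdn here and bypasses ACLs entirely, so nothing in Samba needs a `by` clause. Protecting the attributes only helps if the channel is protected too: the posted ldap.conf also has `ssl no`, so nss_ldap and pam_ldap traffic is cleartext, and `TLSCipherSuite EXPORT56` restricts slapd to export-grade ciphers.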
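The thadeus entry in the quoted LDIF shows the three password attributes a readable directory hands out. The following is an added example, not from the post or from Samba, showing why they are password-equivalent: sambaNTPassword is the unsalted MD4 of the UTF-16LE password, so a candidate is checked with one hash computation and no per-user salt; the second half of the quoted sambaLMPassword value, AAD3B435B51404EE, is the LM block for seven padding characters and reveals on its own that the password is at most 7 characters long; userPassword is the `{SSHA}` salted SHA-1 that slappasswd produces, base64-wrapped in the LDIF dump because of the `::` separator. MD4 is implemented inline because hashlib lacks it on OpenSSL 3 builds. The attribute values are the ones from the post; the candidate passwords and the SSHA salt are made up.

```python
"""Why readable Samba password attributes are password-equivalent.

Added example, not from the post or from Samba. The LDIF_* values are the
ones shown in the post's thadeus entry; candidate passwords are made up.
"""
import base64
import hashlib
import os
import struct

# --- MD4 (RFC 1320), self-contained because hashlib may lack it on OpenSSL 3 ---
_R2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
_R3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
_M = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                                   # round 1: F = (x&y)|(~x&z)
            a = _rotl((a + ((b & c) | (~b & d)) + X[i]) & _M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2: G = majority
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + X[_R2[i]] + 0x5A827999) & _M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3: H = xor
            a = _rotl((a + (b ^ c ^ d) + X[_R3[i]] + 0x6ED9EBA1) & _M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(x + y) & _M for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """sambaNTPassword: unsalted MD4 over the UTF-16LE password, uppercase hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def nt_check(stored_nt: str, candidate: str) -> bool:
    """One MD4 per guess, no salt, no work factor: this is the whole check."""
    return nt_hash(candidate) == stored_nt.upper()


LM_EMPTY_HALF = "AAD3B435B51404EE"   # LM block of seven padding characters (DES of "KGS!@#$%" under a zero key)


def lm_hint(lm_hash: str) -> str:
    """What an LM hash gives away before any cracking starts."""
    h = lm_hash.upper()
    if h == LM_EMPTY_HALF * 2:
        return "empty password, or LM hashing disabled"
    if h[16:] == LM_EMPTY_HALF:
        return "password is at most 7 characters (second LM half is the empty block)"
    return "password is 8 to 14 characters; each 7-character half cracks independently"


def decode_userpassword(ldif_b64: str) -> str:
    """An LDIF line 'userPassword:: <value>' carries the raw attribute base64-encoded."""
    return base64.b64decode(ldif_b64).decode()


def ssha_make(password: str, salt: bytes = None) -> str:
    """'{SSHA}' + base64(sha1(password + salt) + salt), the format slappasswd writes."""
    salt = os.urandom(4) if salt is None else salt
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()


def ssha_check(stored: str, candidate: str) -> bool:
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an SSHA value")
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate.encode() + salt).digest() == digest


# values from the thadeus entry quoted in the post
LDIF_NT = "7E07C8CA84F5765D8B5DFCF7AC5CEE04"
LDIF_LM = "4411488B6354F2B8AAD3B435B51404EE"
LDIF_USERPASSWORD = "e1NTSEF9R1FkakxPN1Bhc09OaEJQOXF5ZkNFN0dkOTBtTy96YjM="

if __name__ == "__main__":
    print("LM:", lm_hint(LDIF_LM))
    print("userPassword decodes to:", decode_userpassword(LDIF_USERPASSWORD))
    for guess in ("password", "thadeus", "secret"):       # made-up candidates
        print("NT guess %-8s -> %s" % (guess, nt_check(LDIF_NT, guess)))
```

The SSHA value is the only one of the three with a salt, and even that is a single unsalted-speed SHA-1 per guess; the NT hash has no salt at all, and the LM value is two independent 7-character DES blocks. With the posted `by * read` ACL all three are available to anyone who can reach port 389, and the NT hash is directly usable for SMB authentication without cracking.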
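The SIDs in the quoted LDIF and `net groupmap list` output follow Samba 3's algorithmic RID mapping with the posted sambaAlgorithmicRidBase of 1000: uid 1004 (thadeus) became RID 3008 and gid 1000 (exact) became RID 3001, while the built-in groups keep their well-known RIDs 512/513/514 below the base. The script below is an added example, not from the post or from Samba, that splits a SID into its domain part and RID, applies the mapping in both directions, names the well-known RIDs and the sambaGroupType values listed at the end of Wim's message. DOMAIN_SID and the RID base are the values in the post; everything else is constructed.

```python
"""Decode Samba SIDs/RIDs as seen in a Samba 3 + LDAP domain.

Added example; not from the mailing-list post or from Samba. DOMAIN_SID and
ALGORITHMIC_RID_BASE are the values in the post, the rest is constructed.
"""
from typing import Dict, Tuple

DOMAIN_SID = "S-1-5-21-4269728302-1655870493-3894479995"   # "net getlocalsid" output in the post
ALGORITHMIC_RID_BASE = 1000                                # sambaAlgorithmicRidBase in the post
RID_MULTIPLIER = 2                                          # Samba 3: users get even offsets, groups odd

WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests", 515: "Domain Computers",
}

# sambaGroupType values, named after the SID_NAME_USE list quoted in the post
SAMBA_GROUP_TYPES = {
    2: "domain group (SID_NAME_DOM_GRP): visible to Windows tools, needs a unix gid mapping",
    4: "local group / alias (SID_NAME_ALIAS)",
    5: "well-known group (SID_NAME_WKN_GRP): BUILTIN groups such as Administrators",
}


def split_sid(sid: str) -> Tuple[str, int]:
    """'S-1-5-21-a-b-c-512' -> ('S-1-5-21-a-b-c', 512). Raises on malformed input."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def uid_to_rid(uid: int, base: int = ALGORITHMIC_RID_BASE) -> int:
    return uid * RID_MULTIPLIER + base


def gid_to_rid(gid: int, base: int = ALGORITHMIC_RID_BASE) -> int:
    return gid * RID_MULTIPLIER + base + 1


def rid_to_id(rid: int, base: int = ALGORITHMIC_RID_BASE) -> Tuple[str, int]:
    """Inverse of the algorithmic mapping; RIDs below the base are well-known, not algorithmic."""
    if rid < base:
        raise ValueError("RID %d is below the algorithmic base; see WELL_KNOWN_RIDS" % rid)
    off = rid - base
    if off % RID_MULTIPLIER == 0:
        return "uid", off // RID_MULTIPLIER
    return "gid", (off - 1) // RID_MULTIPLIER


def describe_sid(sid: str, domain_sid: str = DOMAIN_SID, base: int = ALGORITHMIC_RID_BASE) -> Dict[str, object]:
    """Domain membership, RID, well-known name and (for algorithmic RIDs) the unix id behind a SID."""
    prefix, rid = split_sid(sid)
    info: Dict[str, object] = {"rid": rid, "in_domain": prefix == domain_sid, "name": WELL_KNOWN_RIDS.get(rid)}
    if info["in_domain"] and rid >= base:
        kind, ident = rid_to_id(rid, base)
        info["unix"] = {kind: ident}
    return info


def describe_group_type(group_type: int) -> str:
    return SAMBA_GROUP_TYPES.get(group_type, "unknown sambaGroupType %d" % group_type)


if __name__ == "__main__":
    for sid in (DOMAIN_SID + "-512", DOMAIN_SID + "-3001", DOMAIN_SID + "-3008",
                "S-1-5-21-1-2-3-3008"):                         # last one: constructed foreign-domain SID
        print(sid, describe_sid(sid))
    for gt in (2, 4, 5):
        print(gt, describe_group_type(gt))
```

One thing this makes visible in the post's own data: the domain entry created by smbldap_populate.pl carries `sambaNextUserRid: 41000`, yet the accounts the poster created got algorithmic RIDs (3008 for uid 1004), so the RID allocation seen here is Samba's arithmetic, not the counter in the directory. A foreign-domain SID with the same RID is reported as `in_domain: False` and gets no unix mapping, which is the check a share ACL evaluator should make before trusting a RID.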
