Re: [Samba] samba failed to authenticate to openLDAP

[Paul Gienger]

Tony Earnshaw wrote:
Paul Gienger:
 

2: doing that nearly fscked up my already existent DIT for always;

     

I'd be very interested in hearing how this happened and what almost got
borked.  I can't for the life of me think of anything that the
smbldap-tools package should have done above just adding random attributes
and entries in a lot of places if badly configured.  The worst (again,
that I can imagine) that you would have had to do would be clean with a
fine tooth scrub brush.
I haven't delved deep into the code, so I don't doubt that things could
be pretty powerful, just that I haven't seen how they could go far enough
to completely bork up a whole LDAP database.
   

The smbldap-tools allow for only one group suffix, only one user suffix.
 

Yep, I'll agree.
At a site, I already have a DIT with 1150+ users:
rootdn
     | ou=directors
                   cn=director1
                   cn=director2
     | ou=teachers
                   cn=teacher1
                   cn=teacher2
     | ou=staff
                   cn=member1
                   cn=member2
     | ou=pupils
                   cn=pupil1
                   cn=pupil2
     | ou=system
                | ou=pykota
                | ou=smb
 

Where are your groups here? I'm curious as to how this is laid out. 

etc.
Even worse, at my test site I have:
rootdn
     | ou=groups
                | cn=people (Posix group)
                           cn=person1
                           cn=person2
     | ou=smb
etc.
The tools can't cope. What's more, LAM can't cope with my test site,
either (wants an ou for a container, won't accept a cn). Neither you nor
anyone else can tell me that my architecture is wrong ;)
 

Nope, I wouldn't go that far.  Looks like you are doing things just 
fine, trying to keep things organized ans whatnot.  However, you are 
correct that the scropts can't cope.  The scripts are in fact created 
with one ou type things in mind. 

I've written my own awk script for adding basic Posix users to groups
(from lists of first-middle-last names) and my own (disjointed) shell
scripts for adding Samba users to Posix users (using ldapsearch).
 

I'm afraid then that you may have to do some more scripting, but at 
least you can start with the tools and modify to your hearts content.

--
Paul Gienger                    Office: 701-281-1884
Applied Engineering Inc.
Systems Architect               Fax:    701-281-1322
URL: www.ae-solutions.com       mailto: [EMAIL PROTECTED]

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba