Re: [Samba] ldapsam:editposix with inetOrgPerson objectClass for users

2010-02-27 Thread Volker Lendecke
On Fri, Feb 26, 2010 at 06:57:01PM -0600, Carlos Ramos Gómez wrote:
> Hello list, I have a Samba 3.4.3 as domain controller with OpenLDAP as
> backend, using ldapsam:trusted = Yes and ldapsam:editposix = Yes and
> everything works like a charm. Now I would like to use this LDAP for
> storing more information about my users: full name, phone, address and
> maybe even a picture. inetOrgPerson is the objectClass I would like to
> use since it's standard and has all I need and more. Samba uses the
> account objectClass as structural class for user and computer
> accounts, and since inetOrgPerson and account are both structural,
> OpenLDAP won't let me have both in the same entry. I've been checking
> the code and it looks like the creation of the users with account as
> objectClass is hardcoded in Samba, so I guess there is no parameter in
> the configuration file which allows me to override this behavior. I
> also tried to modify my schema making inetOrgPerson the parent class
> of the account class but it turns out that sn is a required attribute
> in inetOrgPerson and Samba obviously doesn't add this parameter so the
> user creation fails. The other options I see here would require heavy
> modifications to the LDAP schema or modifying Samba itself to create
> user accounts as inetOrgPerson and add an sn attribute in the process.
> So before taking any of those options I just wanted to make sure that
> there is not an easier one I have not seen. Any ideas are welcome.

The best here would be to remove the ldapsam:editposix and
do it with scripts of your own. ldapsam:editposix was made
for simple configuration of a very specific DIT layout. If
you need it to be different, please look at scripts.

Volker
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] ldapsam:editposix with inetOrgPerson objectClass for users

2010-02-26 Thread Carlos Ramos Gómez
Hello list, I have a Samba 3.4.3 as domain controller with OpenLDAP as
backend, using ldapsam:trusted = Yes and ldapsam:editposix = Yes and
everything works like a charm. Now I would like to use this LDAP for
storing more information about my users: full name, phone, address and
maybe even a picture. inetOrgPerson is the objectClass I would like to
use since it's standard and has all I need and more. Samba uses the
account objectClass as structural class for user and computer
accounts, and since inetOrgPerson and account are both structural,
OpenLDAP won't let me have both in the same entry. I've been checking
the code and it looks like the creation of the users with account as
objectClass is hardcoded in Samba, so I guess there is no parameter in
the configuration file which allows me to override this behavior. I
also tried to modify my schema making inetOrgPerson the parent class
of the account class but it turns out that sn is a required attribute
in inetOrgPerson and Samba obviously doesn't add this parameter so the
user creation fails. The other options I see here would require heavy
modifications to the LDAP schema or modifying Samba itself to create
user accounts as inetOrgPerson and add an sn attribute in the process.
So before taking any of those options I just wanted to make sure that
there is not an easier one I have not seen. Any ideas are welcome.

Thanks a lot.


[Samba] ldapsam:editposix: Which samba.schema attributes are modified when using smbpasswd -a?

2009-10-26 Thread Holger Rauch
Hi,

I'm using Samba 3.2.5 on Debian Lenny in conjunction with MIT
Kerberos. LDAP user accounts have already been added prior to the
Samba installation using the ldapscripts package (also included in
Debian).

I understand that I have to run smbpasswd -a as root on the Samba
server for each user that's supposed to be visible to (and usable by)
Samba as well (a whole bunch of SambaSam* attributes gets added to a
user's attribute set).

What's not obvious to me is whether the userPassword attribute is
changed after one has provided the passwd to the smbpasswd utility.
(In conjunction with Kerberos, the value for the userPassword
attribute always has a fixed notation like

{KERBEROS}name-of-principal@kerberos-realm

and thus that value should remain unmodified). In cases where the
Kerberos database is also stored in LDAP, a different attribute is
modified when changing a user's password (starting with krb5 in the
attribute name).

Is this taken into account by smbpasswd? Or is the passwd specified
upon smbpasswd invocation just useless for kerberized Samba setups?

Does a smbpasswd -a invocation modify the value of the userPassword
attribute of a particular user's LDAP entry?

Thanks for clarifying this & kind regards,

   Holger



[Samba] Ldapsam:editposix: How to continue once it's setup

2009-10-21 Thread Holger Rauch
Hi to everybody,

I managed to setup ldapsam:editposix for Debian Lenny
as described here:

http://wiki.samba.org/index.php/Ldapsam_Editposix

and had the impression that in order to add a Samba Unix client, it
would be best to continue here:

http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html

However, in the ldapsam:editposix tutorial, the Administrator is
mentioned instead of root (judging from what I've read so far, the
Administrator user is only used for real Windows client PCs).

My smb.conf is setup so that no NetBIOS stuff is used (no wins, only
port 445, netbios disabled).

Before running net sam provision, there were already user accounts
present in LDAP. Do I have to execute smbpasswd, even though I
intend to use MIT Kerberos (the value for the userPassword attribute in
LDAP looks like this
  
{KERBEROS}user@kerberos-realm

???
  
(This especially applies to the root user since this account doesn't
seem to be created during net sam provision).

By the way, the Kerberos database is also stored in LDAP.

What do I have to do so that the remaining users in LDAP also get the
Samba specific LDAP attributes added to their account info and can be
used for Kerberized Samba sessions (either from Windows or smbclient
setups from Unix)?

getent passwd, getent group, kinit all work as expected, i. e.
they return the accounts and groups stored in LDAP and I can obtain
Kerberos tickets. I can also use these tickets for passwordless SSH
logins and create files as that user, including changing group
membership to an auxiliary group using newgrp. So, Kerberos works.

In case you need any additional info (etc. smb.conf) I will surely
provide it, but I didn't want to make this mail too long.

Any help is greatly appreciated!

Thanks & kind regards,

   Holger
   


[Samba] ldapsam:editposix add machine script

2009-10-14 Thread Mariano Absatz
Hi,

small question here...

if I have all users, groups, machines and idmaps in LDAP and I set:

ldapsam:trusted = yes
ldapsam:editposix = yes

then I *don't* need an add machine script.

Am I correct?

TIA

-- 
Mariano Absatz - El Baby
el.b...@gmail.com
www.clueless.com.ar


[Samba] ldapsam:editposix and add user script

2009-02-10 Thread Victor Mataré

Hello Everyone,

We run a Samba 3.0 PDC and got all account information in LDAP. No 
idealx scripts, as we let samba do all the work of creating unix 
accounts in LDAP.
Now until recently, the add user script parameter worked as expected, 
simply calling that script when I did a net rpc user add.
Now it won't do that anymore, unless it finds that there's no unix 
account for a legitimate SMB user upon session setup (according to 
manpage). This condition however, is negated by ldapsam:editposix = yes.
As I understood it, the add user script was a general purpose option 
to do anything that needs to be done upon user addition in samba. The 
new behaviour just limits flexibility. Any idea how one could implement 
a custom script that's run when a user is created?


thanks,
Victor


[Samba] ldapsam:editposix

2008-10-11 Thread Norberto Bensa

Hello list,

I'm trying to setup Samba to use:

  ldapsam:editposix = yes

but I'm having problems to add users via smbpasswd -a. It seems
smbpasswd tries to modify an existing entry (and failing of course)
instead of adding a new entry.


Is that a bug, a configuration problem, or intended behavior?

Do I need to create a posixAccount entry prior to use smbpasswd -a?


Thanks in advance,
Norberto




Re: [Samba] ldapsam:editposix

2008-10-11 Thread Matt Skerritt
Sent this direct to the poster again, and not to the list. Here it is  
for the list.


On 12/10/2008, at 3:53 AM, Norberto Bensa wrote:


> Hello list,
>
> I'm trying to setup Samba to use:
>
> ldapsam:editposix = yes
>
> but I'm having problems to add users via smbpasswd -a. It seems
> smbpasswd tries to modify an existing entry (and failing of course)
> instead of adding a new entry.
>
>
> Is that a bug, a configuration problem, or intended behavior?
>
> Do I need to create a posixAccount entry prior to use smbpasswd -a?


Yes, you do. Or, at least, that's the way I've always had to do it. I  
have a small script with an LDAP template that makes the minimal  
entries in the ldap for a posixAccount and shadowAccount for the user,  
then create the samba account.


--
Matt Skerritt
[EMAIL PROTECTED]
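
The approach suggested in the replies above (create the POSIX entry with a script of your own, then run smbpasswd -a), as an added example that is not part of any post in these threads and not code from the Samba project. Using inetOrgPerson as the structural class with sn filled in, the ou=Users container, the dc=example,dc=org base DN, the ID floor of 1000 and every function name are assumptions.

```shell
#!/bin/sh
# Added example: print a minimal LDIF entry for a new user, to be loaded with
# ldapadd before "smbpasswd -a <uid>" adds the Samba attributes to it.
# BASE_DN, ou=Users and MIN_ID are assumed values, not taken from the thread.
LC_ALL=C; export LC_ALL
BASE_DN="${BASE_DN:-dc=example,dc=org}"
MIN_ID=1000   # refuse system-range IDs such as 0 (root)

# True if $1 is non-empty and made only of the characters in tr set $2.
# The '#' sentinel keeps a trailing newline from being stripped unnoticed.
only_chars() {
    [ -n "$1" ] && [ "$(printf '%s#' "$1" | tr -d "$2")" = "#" ]
}

valid_uid() {
    case "$1" in [a-z_]*) only_chars "$1" 'a-z0-9_.-' ;; *) return 1 ;; esac
}

# ASCII-only names; other values would need base64 ("attr:: ...") in LDIF.
valid_name() {
    case "$1" in [A-Za-z]*) only_chars "$1" "A-Za-z .'-" ;; *) return 1 ;; esac
}

# Decimal, no leading zero, at most 9 digits, not below MIN_ID.
valid_id() {
    case "$1" in [1-9]*) ;; *) return 1 ;; esac
    only_chars "$1" '0-9' && [ "${#1}" -le 9 ] && [ "$1" -ge "$MIN_ID" ]
}

# usage: make_user_ldif uid uidNumber gidNumber givenName surname
make_user_ldif() {
    valid_uid "$1" || { echo "rejected uid" >&2; return 1; }
    valid_id "$2" && valid_id "$3" || { echo "rejected uidNumber/gidNumber" >&2; return 1; }
    valid_name "$4" && valid_name "$5" || { echo "rejected name" >&2; return 1; }
    cat <<EOF
dn: uid=$1,ou=Users,$BASE_DN
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $1
cn: $4 $5
sn: $5
givenName: $4
uidNumber: $2
gidNumber: $3
homeDirectory: /home/$1
loginShell: /bin/sh
EOF
}

# Run stand-alone: ./mkuser.sh jdoe 10001 10000 Jane Doe > jdoe.ldif
if [ "$#" -eq 5 ]; then make_user_ldif "$@"; fi
```

Validating every field before it reaches the LDIF matters because a newline or comma in a name or uid would otherwise add attributes or move the entry to a different container.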





[Samba] ldapsam:editposix and winbind questions

2008-01-18 Thread stephane . purnelle
Hi,

I'm testing another solution for managing my users and groups in the LDAP
tree.

I am trying to switch from smbldap-tools and the webmin interface to
ldapsam-editposix and winbind.
I used the howto available on the Samba wiki for that.

Now, I have some questions:
- How do I make winbind enumerate all users (users newly created with the
new config and users created with the older system)?
- Why does Samba not set attributes in the LDAP tree when password policies
are set (like sambaPwdMustChange, sambabadpasswordcount) when setting a
password with net rpc?

Can anyone help me?

thanks

Stéphane Purnelle

---
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique   Corman S.A.   Tel : 00 32 087/342467