-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Heyya all.

I have posted here in the last few weeks with various questions regarding Samba 3, so I thought you'd all like to know: I've got it working.

The setup is: Samba 3.0beta3 running on a Debian Woody box (with a few tools backported from testing) with an LDAP backend (OpenLDAP 2.1).

Samba is set up:
* with POSIX file attributes (see http://acl.bestbits.at)
* as a Primary Domain Controller.

I pulled all the user accounts and group accounts across and kept the same passwords, etc. The only thing I couldn't do was carry the files across with the right ACL entries. (I tried with Windows (using scopy), but got access denied errors (?!), and couldn't find a Linux tool for it.)

I will try and produce a document discussing all the things I found later, but for now, here is a brief overview of the procedure.

Compiled Samba 3.0 using the Debian package scripts (bug: there is a makefile patch that needs to be deleted first). Backported the latest OpenLDAP to Woody. Set up LDAP authentication (e.g. pulled all the users/groups into LDAP using the PADL tools, nsswitch, PAM, etc.). Configured Samba to use the LDAP server (another bug I noticed further on was a problem with 'ldap group suffix'; it works better if you leave it blank). During this whole time, I spent quite a bit of it with high debug levels and looking through logs (it's not for the faint of heart).

The biggest problem I had was the 'net' tool crashing. It turned out (see https://bugzilla.samba.org/show_bug.cgi?id=278), after a long time spent learning the Samba source, debugging, etc., that the 'ldap group suffix' needs to be nothing. I'm not sure why that was.

Anyway, after playing around a bit with some manually created accounts, I set up the "add user script", "add group script", "add machine script", and "add user to group script". (I custom wrote those scripts; what most of them do is call adduser/addgroup with sane settings.)
(BTW, I got an LDAP-enabled adduser for Debian from someone whose name escapes me. If you hunt through Debian's BTS, you'll find someone talking about it; he has it.)

The "add group script" script was written in Perl, and took the Windows requested group name (e.g. "My Users Group_This is the one!", which Unix would throw a fit over if you tried to create a group with that name) and "safed" it (converted to lowercase, replaced spaces, underscores, etc. with dashes).

Once I had all the scripts working, and I could use Windows' usrmgr.exe program to add/remove/alter users and groups without problem, I then had some fun pulling the user/group lists from the old NT4 PDC. (Another bug to note: for some reason, I can add and remove users from groups in usrmgr.exe under the user properties, but if I bring up a group's properties and try to add/remove a user from the group, it fails. Never did find out why; didn't really need to.)

First, I added the Samba server as a BDC, then found the NT4's SID (as per the migration documentation), and then I _ALTERED_ my Samba's SID to be that. Rather crudely, I dumped the LDAP database to an LDIF file, then

    sed 's/samba_sid/nts_sid/g' < ldap.ldif > new.ldif

Hey, it worked. (I think I needed to redo smbpasswd -w <ldappass>.)

Then I did the net vampire bit... Wow, that was fun..... Many errors came up, but after investigating each of them, I either determined that they were harmless, or I fixed them. (BTW, I found it's perfectly safe to vampire the users/groups over and over again till you get it right.) After that, another dump of the LDIF, and a quick fiddle with sed/perl/grep, etc.

In the end, I got it working... finally.

Oh, and Samba 3 with POSIX ACLs works like a dream. Users can use the ACL lists in Windows with very few problems, and generally don't notice anything different from NT4.

It took the better part of 2 weeks of work to get it fully working. Admittedly, I have a rather custom setup, so that plays a part in it.
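As an added example (not Nick's Perl script, which was not posted), here is the "safing" step above written as a POSIX shell function. It assumes the "add group script" receives the client-supplied group name as its first argument, and it goes a little beyond what the post describes: besides lowercasing and turning spaces/underscores into dashes, it drops every character outside [a-z0-9-], collapses and trims dashes, caps the result at 32 characters (the usual groupadd limit; an assumption), and refuses names that sanitise to nothing. The reason for the stricter character set is that smbd runs this script as root with a name chosen by a Windows user, so the script should only ever hand a known-safe token on to adduser. The sample names are constructed.

```shell
#!/bin/sh
# Added example, not the post's Perl script: reduce a Windows group name
# passed to an "add group script" to something adduser/groupadd and the
# shell both accept.  Assumed contract: the raw name arrives as $1.
#
# Steps: lowercase (and fold any embedded newline into a space), runs of
# spaces/underscores -> one dash, drop anything outside [a-z0-9-], collapse
# repeated dashes, cap at 32 characters (assumed groupadd limit), then trim
# a leading/trailing dash.  Because the script runs as root on client-chosen
# input, the whitelist of characters is the part that matters most.
safe_group_name() {
    name=$(printf '%s\n' "$1" \
        | tr 'A-Z\n' 'a-z ' \
        | sed -e 's/[ _][ _]*/-/g' -e 's/[^a-z0-9-]//g' -e 's/--*/-/g' \
        | cut -c1-32 \
        | sed -e 's/^-//' -e 's/-$//')
    # Refuse names that sanitise to nothing rather than create a blank group.
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# Demo on constructed names when invoked with arguments, e.g.
#   ./safe_group_name.sh 'My Users Group_This is the one!'
# prints: My Users Group_This is the one! -> my-users-group-this-is-the-one
for arg in "$@"; do
    if g=$(safe_group_name "$arg"); then
        printf '%s -> %s\n' "$arg" "$g"
    else
        printf 'rejected: %s\n' "$arg" >&2
    fi
done
```

In a real "add group script" the sanitised name would then be passed to addgroup, and the exit status of safe_group_name checked first so that a rejected name makes the script fail (and Samba report the failure) instead of silently creating a group with an empty or mangled name.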
My experience before this trial: I am/was a coder, and have messed with large programs before, debugged, etc., and consider myself pretty good at coding and debugging. So if you can't code, I would advise caution before attempting something like my experience. I frequently used the Samba source to answer questions where the documentation failed, or to figure out why Samba was reporting various things in the log.

If anyone would like any of the tools/scripts I mentioned, please feel free to send me an email; however, it will take a few days to get organized enough to send the tools/scripts. I will also CONSIDER posting my smb.conf and LDAP server's .ldif dump, but they will be heavily edited for security reasons.

If anyone has any questions of me, please remember a few things:

1) I'm not a Samba developer, I don't even play one on TV.

2) Your questions will, I'm afraid, be a low priority for me. I have a very busy work schedule, so you may not get responses back for a while; however, I will try my best, especially if you ask specific questions, and not hunt for vague clues.

3) I will not "tell you how I did it". I've already done that in this email. If you want information on a particular area, I may be able to help, but requests of "My samba server doesn't work, it crashes, or NT logins don't work, please tell me how you did it" will go straight to /dev/null. Sorry.

4) I have a bad memory, so I've already forgotten lots of things I discovered.

Anyway, good luck all on your Samba quests, and thanks to the Samba developers: despite my rocky road, you make a GREAT product, and Samba stable (2.2.*) is always rock solid and works well for me.
Nick

- -- 
Nick 'Zaf' Clifford <zaf@nrc.co.nz>
GnuPG: 0xA8D0F53D
In matters of style, swim with the current; in matters of principle, stand like a rock - Thomas Jefferson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: public key: http://www.nrc.co.nz/Zaf/pubkey.txt

iD8DBQE/PfHPPWICtKjQ9T0RAhu7AJ4xTa9FxDJpJMLBUzmW3lOccIdSlACcD2NC
iolI+uJFjRewlRibFPDY8B0=
=wE3C
-----END PGP SIGNATURE-----