Hi,

I am new to Linux and Samba. I would like to set up Samba as a domain controller using Fedora-DS for authentication. I have read some documents from www.samba.org but I am still in the mist. Here are my dumb questions about Samba:

1. Is CentOS 4.6 + Samba 3.0.25 as PDC + Fedora-DS possible?

2. Is this HOWTO from http://directory.fedoraproject.org/wiki/Howto:Samba sufficient information? Please suggest more.

3. Since I tried to integrate Samba + Fedora-DS, I am always stuck at this step, "net groupmap add". Do these commands need to be done? What will happen if we skip them?

   # net groupmap add rid=2512 ntgroup='Domain Admins' unixgroup='Domain Admins'
   # net groupmap add rid=2513 ntgroup='Domain Users' unixgroup='Domain Users'
   # net groupmap add rid=2514 ntgroup='Domain Guests' unixgroup='Domain Guests'
   # net groupmap add rid=2515 ntgroup='Domain Computers' unixgroup='Domain Computers'

3.1 Linux won't allow me to add a Unix group name with a space, like Domain Admins. Can we change it to DomainAdmins (no space)? I tried to add the Unix group DomainAdmins on the Linux box and ran the command, and it failed:

   # net groupmap add rid=2512 ntgroup='Domain Admins' unixgroup='DomainAdmins'

   I also noticed that this somehow relates to the smb.conf file. Some sources say:

   ldap admin dn = cn=Directory Manager
   or
   ldap admin dn = cn=Directory Manager,dc=mycompany,dc=com

3.1.1 If I use this one:
   ldap admin dn = cn=Directory Manager
   the result of net groupmap is "failed to add group map".

3.1.2 If I use this one:
   ldap admin dn = cn=Directory Manager,dc=mycompany,dc=com
   the result of net groupmap is 'cannot find object "cn=Directory Manager,dc=mycompany,dc=com"'.

3.2 Where does the command look for ntgroup='Domain Admins' to map it with unixgroup='Domain Admins'?

3.3 Some sources say the net groupmap command should have type=d added at the end of the line. Is that true?

   # net groupmap add rid=2512 ntgroup='Domain Admins' unixgroup='Domain Admins' type=d

4. Does this line in my smb.conf look OK? (I installed Samba and Fedora-DS on the same machine.)

   passdb backend = ldapsam:ldap://192.168.100.7

5. Do these lines need to be included in the smb.conf file? What will happen if we don't include them?

   ldap idmap suffix = ou=Users
   ldap passwd sync = Yes

6. Do the user add scripts need to be included in the smb.conf file? How do they work, and when are these lines used? What will happen if we don't include them?

   # Useradd scripts
   add user script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-useradd -m %u
   delete user script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-userdel -r %u
   add group script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-groupadd %g
   delete group script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-groupdel %g
   add user to group script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-groupmod -G %g %u
   add machine script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-useradd -w %u
   idmap uid = 15000-20000
   idmap gid = 15000-20000
   passwd program = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-passwd %u

7. What does this command do? Do we have to do this for every user?

   # pdbedit -U $( net getlocalsid | sed 's/SID for domain YOURWORKGROUP is: //' )-500 -u Administrator -r

8. Many HOWTOs on the web talk about PAM and NSS configuration with LDAP. Do we need it, or can we skip this?

9. I can hardly find instructions on how to set up Samba as PDC + Fedora-DS. Please advise.

Thank you and Best Regards,
Tom
Whoa, you have so many things wrong it's hard to decide even where to start. Read http://www.iallanis.info/smbldap-tools/docs/samba-ldap-howto/, chapter 5 of Samba-3 by Example, and http://directory.fedoraproject.org/wiki/Howto:Samba
On Wednesday 05 March 2008 12:32:14 am suphakit Chamwuthipricha wrote:

> Hi
> I am new to Linux and Samba. I would like to set up Samba as a
> domain controller using Fedora-DS for authentication.

That is a VERY ambitious project for someone who is new to Linux and new to Samba. It is a little bit like picking up a manual on brain surgery and going straight into the operating theatre.

Please note that Linux and Samba are potentially complex tools. While most simple things can be done with little effort, getting into technically complex areas like directory services and domain control takes you into a very specialized realm for which a good deal of understanding is important.

> I have read some documents from www.samba.org but I am still in
> the mist.

Most people on this list are very happy to help someone who is new to the game. When posting questions, it is good etiquette to keep the overall message short and to provide enough information so that others can see that you have prepared yourself as much as you could. Please don't say "some information" - spell it out. Which documents did you read?

> Here are my dumb questions about Samba:

Well, here are my simple answers - but I suspect they will not help you too much.

> 1. Is CentOS 4.6 + Samba 3.0.25 as PDC + Fedora-DS possible?

Samba can use most LDAP servers. It is certainly possible to use Fedora-DS.

> 2. Is this HOWTO from
> http://directory.fedoraproject.org/wiki/Howto:Samba sufficient
> information? Please suggest more.

That is not a Samba document. I suspect that very few people on this list would have seen that document, but I may be wrong. I checked the information on the Fedora Project Wiki - it looks quite enough to get a system running - if you know what you are doing.

I would recommend that you start with the "Samba3-ByExample" book. Work your way through chapters 1-5. What you learn will help you when you are ready for more complex projects. If you have a problem with any of the examples in the book - ask for help on this list.

> 3. Since I tried to integrate Samba + Fedora-DS, I am always stuck
> at this step, "net groupmap add".

If this command fails, it means that you most likely have a communication problem with the LDAP server.

> Do these commands need to be done? What will happen if we
> skip them?

Yes, they are necessary. If you don't do this there will be no Windows groups for your Windows clients.

> # net groupmap add rid=2512 ntgroup='Domain Admins' unixgroup='Domain Admins'
> # net groupmap add rid=2513 ntgroup='Domain Users' unixgroup='Domain Users'
> # net groupmap add rid=2514 ntgroup='Domain Guests' unixgroup='Domain Guests'
> # net groupmap add rid=2515 ntgroup='Domain Computers' unixgroup='Domain Computers'
>
> 3.1 Linux won't allow me to add a Unix group name with a space,
> like Domain Admins. Can we change it to DomainAdmins (no space)?
> I tried to add the Unix group DomainAdmins on the Linux box
> and ran the command, and it failed.

Some Linux implementations do not permit upper case characters or spaces in the Linux group name. In your situation, these groups should be added to the LDAP directory. The limitation on group names does not exist with the LDAP backend.

> # net groupmap add rid=2512 ntgroup='Domain Admins' unixgroup='DomainAdmins'
>
> I also noticed that this somehow relates to the smb.conf file.
> Some sources say:
> ldap admin dn = cn=Directory Manager
> or
> ldap admin dn = cn=Directory Manager,dc=mycompany,dc=com
>
> 3.1.1 If I use this one: ldap admin dn = cn=Directory Manager
> the result of net groupmap is "failed to add group map".

You may need to specify the ldap admin dn as "cn=Directory Manager,dc=mycompany,dc=com" - note the double quotes.

> 3.1.2 If I use this one: ldap admin dn = cn=Directory Manager,dc=mycompany,dc=com
> the result of net groupmap is 'cannot find object
> "cn=Directory Manager,dc=mycompany,dc=com"'.

Did you add that object to the LDAP directory first? This was one of the steps in populating your Fedora-DS directory.

> 3.2 Where does the command look for ntgroup='Domain Admins'
> to map it with unixgroup='Domain Admins'?

In the LDAP directory.

> 3.3 Some sources say the net groupmap command should have type=d
> added at the end of the line. Is that true?

Sure, but it is the default anyhow.

> # net groupmap add rid=2512 ntgroup='Domain Admins' unixgroup='Domain Admins' type=d
>
> 4. Does this line in my smb.conf look OK? (I installed Samba
> and Fedora-DS on the same machine.)
> passdb backend = ldapsam:ldap://192.168.100.7

If the LDAP server is on the same system I'd use:

   passdb backend = ldapsam:ldap://127.0.0.1

Also, make sure that the LDAP server is listening on port 389.

> 5. Do these lines need to be included in the smb.conf file?
> What will happen if we don't include them?
> ldap idmap suffix = ou=Users
> ldap passwd sync = Yes

For starters, the IDMAP entry should not go into the Users dsa. Check "Samba3ByExample" for a fully worked example of how to set up a Samba server with a local LDAP server. The local LDAP server the example uses is OpenLDAP - but the basics are the same.

> 6. Do the user add scripts need to be included in the smb.conf file?
> How do they work, and when are these lines used?
> What will happen if we don't include them?

Yes. These are used by Samba to manage LDAP directory objects.

> # Useradd scripts
> add user script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-useradd -m %u
> delete user script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-userdel -r %u
> add group script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-groupadd %g
> delete group script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-groupdel %g
> add user to group script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-groupmod -G %g %u
> add machine script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-useradd -w %u
> idmap uid = 15000-20000
> idmap gid = 15000-20000
> passwd program = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-passwd %u
>
> 7. What does this command do? Do we have to do this for
> every user?
> # pdbedit -U $( net getlocalsid | sed 's/SID for domain YOURWORKGROUP is: //' )-500 -u Administrator -r

It creates the SambaSAM account attributes for the Windows network Administrator account. It relies on having a correct LDAP entry for the POSIX portion of the user account you previously migrated to LDAP from the entry:

   Administrator:x:0:0:Samba Admin:/root:/bin/bash

This is all shown clearly in the instructions on the Fedora Wiki.

> 8. Many HOWTOs on the web talk about PAM and NSS configuration
> with LDAP. Do we need it, or can we skip this?

Absolutely essential if you use LDAP to store your POSIX accounts. This is clearly covered in both the HOWTO document and in the Samba3-ByExample book. Please let me know what is not clear in these documents.

> 9. I can hardly find instructions on how to set up Samba as
> PDC + Fedora-DS. Please advise.

Well, that is not really a Samba matter - it is one covered on the Fedora site and by the Fedora community. If someone were to write up appropriate documentation I will gladly add it to the Samba3-HOWTO document.

> Thank you and Best Regards,
> Tom

I hope this helps.

- John T.
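The following POSIX shell helpers are an added example for the steps discussed in this thread; they are not code from the thread, from the Samba project or from the Fedora wiki. They cover three things a practitioner would want to check before running the commands above: extracting the domain SID that the pdbedit line depends on without hard-coding the workgroup (the sed in the question silently fails if YOURWORKGROUP is left in place); emitting the net groupmap add commands with the RIDs Windows actually recognises for the built-in groups, which are 512 to 515 (a mapping named "Domain Admins" with any other RID, such as the 2512 to 2515 in the question, is only a group that shares the name); and a pre-flight check of the ldapsam parameters in smb.conf, including the reply's point that the idmap suffix must not be the user container and a warning when the ldap admin dn bind would cross the network in plaintext. The parameter names assumed are the Samba 3 ones quoted in the thread plus "ldap ssl"; the smb.conf used by the demo is constructed.

```shell
#!/bin/sh
# Pre-flight helpers for a Samba 3 ldapsam PDC. Added example: not code from
# the thread, Samba or the Fedora wiki. Assumes the Samba 3 smb.conf parameter
# names quoted in the thread plus "ldap ssl"; the demo smb.conf is constructed.

# Extract the domain SID from `net getlocalsid` output without hard-coding the
# workgroup. The sed in the thread only works once YOURWORKGROUP is replaced;
# otherwise pdbedit is handed the whole sentence plus "-500".
domain_sid() {
    sed -n 's/^SID for domain .* is: *\(S-1-5-21-[0-9-]*\)$/\1/p'
}

# Administrator is the account with RID 500 under the domain SID; this is the
# value the pdbedit -U ... line in the thread constructs.
administrator_sid() {
    printf '%s-500\n' "$1"
}

# Windows identifies the built-in domain groups by RID, not by display name.
# A mapping called "Domain Admins" with any other RID is just a group that
# happens to share the name and carries none of the built-in privilege.
well_known_rid() {
    case "$1" in
        "Domain Admins")    echo 512 ;;
        "Domain Users")     echo 513 ;;
        "Domain Guests")    echo 514 ;;
        "Domain Computers") echo 515 ;;
        *) return 1 ;;
    esac
}

# Print the `net groupmap add` commands for the four built-in groups, mapping
# them to the LDAP posixGroup names given as $1..$4 (no spaces needed on the
# Unix side; the NT name keeps its space).
groupmap_commands() {
    for pair in "Domain Admins:$1" "Domain Users:$2" \
                "Domain Guests:$3" "Domain Computers:$4"; do
        nt=${pair%%:*}
        ux=${pair#*:}
        rid=$(well_known_rid "$nt")
        printf "net groupmap add rid=%s ntgroup='%s' unixgroup='%s' type=d\n" \
            "$rid" "$nt" "$ux"
    done
}

# Value of one smb.conf parameter (first occurrence, whitespace trimmed).
smb_param() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Check the ldapsam-related settings in an smb.conf. Prints one finding per
# line; returns 1 if anything needs attention, 0 if clean.
check_smb_conf() {
    f=$1
    rc=0
    backend=$(smb_param 'passdb backend' "$f")
    case "$backend" in
        ldapsam:ldap://127.0.0.1*|ldapsam:ldap://localhost*|ldapsam:ldaps://*|ldapsam:ldapi://*)
            ;;
        ldapsam:ldap://*)
            # The "ldap admin dn" bind password (stored with smbpasswd -w) goes
            # over the wire in the clear on plain ldap:// to another host.
            if [ "$(smb_param 'ldap ssl' "$f")" != "start tls" ]; then
                echo "WARN: plaintext LDAP to a remote host ($backend); use 127.0.0.1, ldaps:// or 'ldap ssl = start tls'"
                rc=1
            fi ;;
        *)
            echo "ERR: passdb backend is not ldapsam: '$backend'"
            rc=1 ;;
    esac
    for p in 'ldap admin dn' 'ldap suffix' 'ldap user suffix' \
             'ldap group suffix' 'ldap passwd sync'; do
        if [ -z "$(smb_param "$p" "$f")" ]; then
            echo "ERR: missing '$p'"
            rc=1
        fi
    done
    # The idmap container must not be the user container (the reply's point
    # about "ldap idmap suffix = ou=Users").
    idmap=$(smb_param 'ldap idmap suffix' "$f")
    if [ -n "$idmap" ] && [ "$idmap" = "$(smb_param 'ldap user suffix' "$f")" ]; then
        echo "ERR: 'ldap idmap suffix' must not be the same container as 'ldap user suffix'"
        rc=1
    fi
    return $rc
}

# Demo on a constructed smb.conf: run as `sh preflight.sh demo`.
if [ "${1:-}" = "demo" ]; then
    demo=$(mktemp)
    printf '%s\n' '[global]' \
        '   passdb backend = ldapsam:ldap://192.168.100.7' \
        '   ldap admin dn = "cn=Directory Manager"' \
        '   ldap suffix = dc=mycompany,dc=com' \
        '   ldap user suffix = ou=Users' \
        '   ldap idmap suffix = ou=Users' \
        '   ldap passwd sync = Yes' >"$demo"
    check_smb_conf "$demo" || :
    groupmap_commands domadmins domusers domguests domcomputers
    rm -f "$demo"
fi
```

Run with `sh preflight.sh demo` to see the findings for the constructed configuration, or source the file and point check_smb_conf at a real smb.conf. The checks are deliberately limited to what can be verified offline; whether the LDAP server is actually listening on port 389 and whether the bind DN exists in the directory still have to be confirmed against the running Fedora-DS instance.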