samba - Dec 2010 - few quick domain questions

I've got a somewhat special domain (servers only, no clients, for 
unified passwords stored in ldap and unix passwords are in there too), 
and I'm looking at my directory and there are a few things I don't quite
understand, or that I need some clarification on..

1) these "Domain Admins" and "Domain Guests" and
"Domain Computers"
groups..  do they NEED to be present?  if they have no members, is it 
okay to delete them?  they feel like cruft...  I may someday add a 
windows domain member workstation..  is it okay to delete them, or will 
windows go wonky on me when the day comes?

2) Why can't I use rids that are just SID-(uid-or-gid) ?  it seems that 
smbldap-groupadd and smbldap-useradd make every attempt to ensure that 
all rids are unique..  so with groups and users being both in the range 
10K-20K, I get 
10000=user,10001=group,1000[2-9]=user,1001[0-5]=group,10016=system(yes, 
I know it's a user), and so on...  why can't I use rid=(uid-or-gid) and 
do away with the wierd 2*uid+1000 thing?

3) are PDCs and BDCs supposed to join the domain?  net join -U 
administrator PDC joins the system as a PDC, how is that different from 
joining as a BDC or a master?  how do I swap the roles specified there 
later, when a PDC gets retired and a BDC is promoted to PDC and a member 
to BDC, etc...

4) do I have to use a single ou=People, ou=Groups, ou=Machines, for each 
type of account, or can I actually put them in something resembling a 
hierarchy?  (if applicable, If I use a hierarchy, does that have any 
effect on samba, or on unix?  can it be mapped to "primary group" or 
similar?)

5) there are a few places where local groups or users need to overlap 
with ldap users or groups..  (one system has an exclusive group 
www-data, for example..  if I put the group in ldap, the webserver user 
needs to join the group but the webserver user is a local user...  
however, if I put the group locally, a half dozen people from the 
directory need to be put in the www-data group from the directory...)  
The webserver is just an example, there are others as well.  how do I 
handle this?

Thank you for reading this far.  These are all the issues I've come 
across in setting up my test domain.  I've let my google-fu fail me one 
too many times, and these questions answered clearly and concisely are 
difficult to come by.  Any help you can provide me in answering these 
questions would be a big help!

Thank you again,
Christ Schlacta

1.  Domain Admins, Domain Computers etc


Those are well known groups.   Do you have any windows servers or are 
they just samba servers?    If you have, or plan to have, any Windows 
machines in the domain you are probably better off setting up the groups 
correctly rather than trying to fix it later.

Your domain controllers should belong to the "Domain Computers" group-
I don't know if any permissions are by default applied to that group.

I am assuming you at least have a domain Administrator defined?      If 
you have Windows machines in the domain, you will need the Domain Admins 
group, which is a member of the local Administrators group on any 
Windows machine that joins the domain, thereby granting the Domain 
Administrator necessary permissions on the Windows machine.    If you 
don't have windows machines, you still need your Administrator 
permissions to work properly when using the samba "net" command.


2. SIDs and RIDs

Are you creating unix accounts for the machines or users first, or is 
samba automatically allocating unix-compatible user and group id's?  Do 
you mean you want the RID to be samba_domain_sid+unix_uid?

3. PDC's and BDC's

They should join the domain.  "net getdomainsid" and "net
getlocalsid"
should show that each DC has the domain sid as its local sid.    To 
reverse the role of PDC vs BDC, you would change which machine is domain 
master in smb.conf.


4.  Ldap OU's for users and computers

In my setup, we use ldap for other stuff besides samba so all the
"unix"
users and groups and machines exist in ldap  before they are enabled in 
samba.   Samba wants a unix account to exist for computers as well as 
users.    I don't have an option to set a separate ou in smb.conf for 
machines vs users.  Instead, I have it set to "ou=accounts,...." and 
then in ldap have "ou=machines,ou=accounts" and 
"ou=people,ou=accounts"-   samba searches "ou=accounts" and
any levels
below it.


5.  User/group overlapping

If you have "local" users who sometimes need to be in LDAP groups-  
well, actually you can't but maybe you have some users defined both in 
ldap AND locally on some machines, using the same uid and password.      
Or you could just make the webserver user be an ldap only account (which 
should still be able to be in local groups)-  but then id LDAP is down 
your webserver might not run.








On 12/23/2010 04:06 AM, Christ Schlacta wrote:
> I've got a somewhat special domain (servers only, no clients, for 
> unified passwords stored in ldap and unix passwords are in there too), 
> and I'm looking at my directory and there are a few things I don't 
> quite understand, or that I need some clarification on..
>
> 1) these "Domain Admins" and "Domain Guests" and
"Domain Computers"
> groups..  do they NEED to be present?  if they have no members, is it 
> okay to delete them?  they feel like cruft...  I may someday add a 
> windows domain member workstation..  is it okay to delete them, or 
> will windows go wonky on me when the day comes?
>
> 2) Why can't I use rids that are just SID-(uid-or-gid) ?  it seems 
> that smbldap-groupadd and smbldap-useradd make every attempt to ensure 
> that all rids are unique..  so with groups and users being both in the 
> range 10K-20K, I get 
> 10000=user,10001=group,1000[2-9]=user,1001[0-5]=group,10016=system(yes, I 
> know it's a user), and so on...  why can't I use rid=(uid-or-gid)
and
> do away with the wierd 2*uid+1000 thing?
>
> 3) are PDCs and BDCs supposed to join the domain?  net join -U 
> administrator PDC joins the system as a PDC, how is that different 
> from joining as a BDC or a master?  how do I swap the roles specified 
> there later, when a PDC gets retired and a BDC is promoted to PDC and 
> a member to BDC, etc...
>
> 4) do I have to use a single ou=People, ou=Groups, ou=Machines, for 
> each type of account, or can I actually put them in something 
> resembling a hierarchy?  (if applicable, If I use a hierarchy, does 
> that have any effect on samba, or on unix?  can it be mapped to 
> "primary group" or similar?)
>
> 5) there are a few places where local groups or users need to overlap 
> with ldap users or groups..  (one system has an exclusive group 
> www-data, for example..  if I put the group in ldap, the webserver 
> user needs to join the group but the webserver user is a local 
> user...  however, if I put the group locally, a half dozen people from 
> the directory need to be put in the www-data group from the 
> directory...)  The webserver is just an example, there are others as 
> well.  how do I handle this?
>
> Thank you for reading this far.  These are all the issues I've come 
> across in setting up my test domain.  I've let my google-fu fail me 
> one too many times, and these questions answered clearly and concisely 
> are difficult to come by.  Any help you can provide me in answering 
> these questions would be a big help!
>
> Thank you again,
> Christ Schlacta