1. Domain Admins, Domain Computers etc
Those are well known groups. Do you have any windows servers or are
they just samba servers? If you have, or plan to have, any Windows
machines in the domain you are probably better off setting up the groups
correctly rather than trying to fix it later.
Your domain controllers should belong to the "Domain Computers" group-
I don't know if any permissions are by default applied to that group.
I am assuming you at least have a domain Administrator defined? If
you have Windows machines in the domain, you will need the Domain Admins
group, which is a member of the local Administrators group on any
Windows machine that joins the domain, thereby granting the Domain
Administrator necessary permissions on the Windows machine. If you
don't have windows machines, you still need your Administrator
permissions to work properly when using the samba "net" command.
2. SIDs and RIDs
Are you creating unix accounts for the machines or users first, or is
samba automatically allocating unix-compatible user and group id's? Do
you mean you want the RID to be samba_domain_sid+unix_uid?
3. PDC's and BDC's
They should join the domain. "net getdomainsid" and "net
getlocalsid"
should show that each DC has the domain sid as its local sid. To
reverse the role of PDC vs BDC, you would change which machine is domain
master in smb.conf.
4. Ldap OU's for users and computers
In my setup, we use ldap for other stuff besides samba so all the
"unix"
users and groups and machines exist in ldap before they are enabled in
samba. Samba wants a unix account to exist for computers as well as
users. I don't have an option to set a separate ou in smb.conf for
machines vs users. Instead, I have it set to "ou=accounts,...." and
then in ldap have "ou=machines,ou=accounts" and
"ou=people,ou=accounts"- samba searches "ou=accounts" and
any levels
below it.
5. User/group overlapping
If you have "local" users who sometimes need to be in LDAP groups-
well, actually you can't but maybe you have some users defined both in
ldap AND locally on some machines, using the same uid and password.
Or you could just make the webserver user be an ldap only account (which
should still be able to be in local groups)- but then id LDAP is down
your webserver might not run.
On 12/23/2010 04:06 AM, Christ Schlacta wrote:> I've got a somewhat special domain (servers only, no clients, for
> unified passwords stored in ldap and unix passwords are in there too),
> and I'm looking at my directory and there are a few things I don't
> quite understand, or that I need some clarification on..
>
> 1) these "Domain Admins" and "Domain Guests" and
"Domain Computers"
> groups.. do they NEED to be present? if they have no members, is it
> okay to delete them? they feel like cruft... I may someday add a
> windows domain member workstation.. is it okay to delete them, or
> will windows go wonky on me when the day comes?
>
> 2) Why can't I use rids that are just SID-(uid-or-gid) ? it seems
> that smbldap-groupadd and smbldap-useradd make every attempt to ensure
> that all rids are unique.. so with groups and users being both in the
> range 10K-20K, I get
> 10000=user,10001=group,1000[2-9]=user,1001[0-5]=group,10016=system(yes, I
> know it's a user), and so on... why can't I use rid=(uid-or-gid)
and
> do away with the wierd 2*uid+1000 thing?
>
> 3) are PDCs and BDCs supposed to join the domain? net join -U
> administrator PDC joins the system as a PDC, how is that different
> from joining as a BDC or a master? how do I swap the roles specified
> there later, when a PDC gets retired and a BDC is promoted to PDC and
> a member to BDC, etc...
>
> 4) do I have to use a single ou=People, ou=Groups, ou=Machines, for
> each type of account, or can I actually put them in something
> resembling a hierarchy? (if applicable, If I use a hierarchy, does
> that have any effect on samba, or on unix? can it be mapped to
> "primary group" or similar?)
>
> 5) there are a few places where local groups or users need to overlap
> with ldap users or groups.. (one system has an exclusive group
> www-data, for example.. if I put the group in ldap, the webserver
> user needs to join the group but the webserver user is a local
> user... however, if I put the group locally, a half dozen people from
> the directory need to be put in the www-data group from the
> directory...) The webserver is just an example, there are others as
> well. how do I handle this?
>
> Thank you for reading this far. These are all the issues I've come
> across in setting up my test domain. I've let my google-fu fail me
> one too many times, and these questions answered clearly and concisely
> are difficult to come by. Any help you can provide me in answering
> these questions would be a big help!
>
> Thank you again,
> Christ Schlacta