Hello everyone.

Well, I have been working very hard lately, trying to get a server up to act as our Samba PDC with LDAP. So far, everything seems to be working well. I've been able to get samba 2.2.8 and openldap 2.0.27 installed with no problems. I've set up my config files (ldap.conf, slapd.conf, smb.conf) as well as added some initial entries to the LDAP directory. I've been able to add a user to the directory and set the password for that user.

This is where I wanted to ask some questions. Now, let me try and explain what I want to do:

As it is now, our network is set up in a workgroup, with 30+ users. I want all of our users to be able to join the Domain/Samba PDC. They will not be using roaming profiles, just login to their workstation into the Domain.

What I am trying to understand is the best way to go about adding my users to the domain as well as authenticating against the domain. It may seem vague, but I'm a little confused here myself. I thought I'd post some of my initial entries and go from there. Here goes:

    # mycompany, com
    dn: dc=mycompany,dc=com
    objectClass: top
    objectClass: domain
    dc: mycompany
    description: mycompany organization

    # Groups, mycompany, com
    dn: ou=Groups,dc=mycompany,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: Groups
    description: System Groups

    # Users, mycompany, com
    dn: ou=Users,dc=mycompany,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: Users
    description: Users of the organization

    # Computers, mycompany, com
    dn: ou=Computers,dc=mycompany,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: Computers
    description: Windows Domain Computers

    # Domain Admins, Groups, mycompany, com
    dn: cn=Domain Admins,ou=Groups,dc=mycompany,dc=com
    objectClass: posixGroup
    gidNumber: 200
    cn: Domain Admins
    memberUid: administrator
    description: Windows Domain users

    # Domain Users, Groups, mycompany, com
    dn: cn=Domain Users,ou=Groups,dc=mycompany,dc=com
    objectClass: posixGroup
    gidNumber: 201
    cn: Domain Users
    description: Windows Domain Users

    # Administrators, Groups, mycompany, com
    dn: cn=Administrators,ou=Groups,dc=mycompany,dc=com
    objectClass: posixGroup
    gidNumber: 220
    cn: Administrators
    description: Windows Domain Members can administer the computer and Domain

That is just some initial entries. Here is what I have questions about:

I am going to have about 3-4 groups. For instance, officers, processors and admin. Now, I need to add my users to the PDC. From what I have read, not only do I need to add my users to the PDC, but a machine/computer account as well, correct? So, my question is what is the best way to add my users to the PDC and their machine accounts?

Secondly, as you can see in my LDAP directory above, I have some initial entries. I am unclear as how to add my users to the server and LDAP and make sure they go into the correct group and correct part of the LDAP Directory. That make sense? For example, if I have a user named Todd that needs to go into the group "officers" how would I go about doing that?

Lastly, (for now :) ) when I go around to my Windows 2000 workstations to have my users join the domain, from some prior testing, once I change it from a workgroup to a domain, a username and password box will pop up. What username and password must I use here? Is it what I have specified in my slapd.conf and smb.conf: "cn=Manager,dc=company,dc=com"

I appreciate everyone's help.

Thank you!
Best,

Jason
Lance Rathbone wrote:

>> Hello everyone.
>>
>> Well, I have been working very hard lately, trying to get a server up to act as our Samba PDC with LDAP. So far, everything seems to be working well. I've been able to get samba 2.2.8 and openldap 2.0.27 installed with no problems. I've set up my config files (ldap.conf, slapd.conf, smb.conf) as well as added some initial entries to the LDAP directory.
>>
>> I've been able to add a user to the directory and set the password for that user.
>>
>> This is where I wanted to ask some questions:
>>
>> Now, let me try and explain what I want to do:
>>
>> As it is now, our network is set up in a workgroup, with 30+ users. I want all of our users to be able to join the Domain/Samba PDC. They will not be using roaming profiles, just login to their workstation into the Domain.
>>
>> What I am trying to understand is the best way to go about adding my users to the domain as well as authenticating against the domain. It may seem vague, but I'm a little confused here myself.
>>
>> I thought I'd post some of my initial entries and go from there. Here goes:
>>
>> .......
>>
>> That is just some initial entries. Here is what I have questions about:
>>
>> I am going to have about 3-4 groups. For instance, officers, processors and admin.
>> Now, I need to add my users to the PDC. From what I have read, not only do I need to add my users to the PDC, but a machine/computer account as well, correct?

Yes

>> So, my question is what is the best way to add my users to the PDC and their machine accounts?

There are tools provided by PADL that simplify exporting user accounts from unix to LDAP - are you coming from unix? Have you tried them? I found that machine accounts are best added automatically using the scripts from IDEALX. (I have just been through this - some of my notes are at http://research.imb.uq.edu.au/~l.rathbone/ldap/samba_pdc.shtml. I have used a different ldap schema from you but the principles apply. Note specifically the line in smb.conf

    add user script = /usr/local/sbin/smbldap-useradd.pl -w %u

and the note at the bottom of the page.)

>> Secondly, as you can see in my LDAP directory above, I have some initial entries. I am unclear as how to add my users to the server and LDAP and make sure they go into the correct group and correct part of the LDAP Directory. That make sense? For example, if I have a user named Todd that needs to go into the group "officers" how would I go about doing that?

A user only has their primary gid recorded in their LDAP record. So you need to know the gidNumber of that person's primary group and assign it to them. Group membership is held in the group record. Example:

    dn: uid=b.wise,ou=Users,dc=mycompany,dc=com
    uid: b.wise
    cn: Bob Wise
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: apple-user
    objectClass: extensibleObject
    objectClass: organizationalPerson
    objectClass: top
    objectClass: sambaAccount
    objectClass: person
    sn: Wyse
    .....
    uidNumber: 10568
    gidNumber: 23456

My group records look like this (and they seem to work):

    dn: cn=sales,ou=Groups,dc=mycompany,dc=com
    objectClass: posixGroup
    objectClass: top
    cn: sales
    gidNumber: 23456
    memberUid: a.blogg
    memberUid: b.wise
    memberUid: c.dumb

>> Lastly, (for now :) ) when I go around to my Windows 2000 workstations to have my users join the domain, from some prior testing, once I change it from a workgroup to a domain, a username and password box will pop up. What username and password must I use here? Is it what I have specified in my slapd.conf and smb.conf: "cn=Manager,dc=company,dc=com"

No - you need to set up a normal user account in LDAP, something like "uid=root,ou=Users,dc=mycompany,dc=com" then give this user the same ACL privileges as "cn=Manager,dc=company,dc=com" (usually in slapd.conf). E.g.

    access to dn=".*,dc=company,dc=com"
        by dn="uid=root, ou=Users,dc=mycompany,dc=com" write

Then when prompted to join the domain, the user name would be "root" and the password is whatever you gave that root user.

>> I appreciate everyone's help.
>>
>> Thank you!
>> Best,
>>
>> Jason
>>
>> --
>> To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
> Message: 53
> Date: Thu, 15 May 2003 14:13:35 -0700
> From: Jason Williams <jwilliams@courtesymortgage.com>
> Subject: [Samba] Question on LDAP+Samba+PDC
> To: samba@lists.samba.org
> Message-ID: <5.1.0.14.2.20030515134252.00adfd20@pop.courtesymortgage.com>
> Content-Type: text/plain; charset="us-ascii"; format=flowed
>
> Hello everyone.
>
> Well, I have been working very hard lately, trying to get a server up to act as our Samba PDC with LDAP. So far, everything seems to be working well. I've been able to get samba 2.2.8 and openldap 2.0.27 installed with no problems. I've set up my config files (ldap.conf, slapd.conf, smb.conf) as well as added some initial entries to the LDAP directory.
>
> I've been able to add a user to the directory and set the password for that user.
>
> This is where I wanted to ask some questions:
>
> Now, let me try and explain what I want to do:
>
> As it is now, our network is set up in a workgroup, with 30+ users. I want all of our users to be able to join the Domain/Samba PDC. They will not be using roaming profiles, just login to their workstation into the Domain.

Well, it's not necessary to use LDAP for this ...

> What I am trying to understand is the best way to go about adding my users to the domain as well as authenticating against the domain. It may seem vague, but I'm a little confused here myself.
>
> I thought I'd post some of my initial entries and go from there. Here goes:
>
> [...]
>
> That is just some initial entries. Here is what I have questions about:
>
> I am going to have about 3-4 groups. For instance, officers, processors and admin.
> Now, I need to add my users to the PDC. From what I have read, not only do I need to add my users to the PDC, but a machine/computer account as well, correct?
>
> So, my question is what is the best way to add my users to the PDC and their machine accounts?

IMHO, use smbldap-tools, which provides work-alikes for useradd, groupadd, usermod, groupmod, userdel, groupdel, passwd etc, but which work with Samba/LDAP accounts.

> Secondly, as you can see in my LDAP directory above, I have some initial entries. I am unclear as how to add my users to the server and LDAP and make sure they go into the correct group and correct part of the LDAP Directory. That make sense? For example, if I have a user named Todd that needs to go into the group "officers" how would I go about doing that?

    smbldap-usermod -G officers todd

> Lastly, (for now :) ) when I go around to my Windows 2000 workstations to have my users join the domain, from some prior testing, once I change it from a workgroup to a domain, a username and password box will pop up. What username and password must I use here? Is it what I have specified in my slapd.conf and smb.conf: "cn=Manager,dc=company,dc=com"

It must be an account that has write access to the LDAP directory for the attributes samba needs. For the purposes of samba, you can make sure that a group can use the smbldap-tools (which has a config file determining the single dn all operations will use). As long as that group is listed in the 'domain admin group' parameter in smb.conf they should be able to join a machine. Note, it is a unix account (thus todd), not an LDAP dn (ie uid=todd,ou=... etc).

BTW, I am just about finished with my document on Samba+LDAP, you may be interested in reading it and the documents it refers to: http://ranger.dnsalias.com/samba-ldap-advanced.php

BTW, you may have noticed this is all pretty easy on Mandrake ...

Finally, you may want to reconsider your group names, since
1) With samba-2.2.x you can't use them from Windows anyway
2) Names with spaces always cause problems under unix (or make life more difficult)
3) Samba3 will map Windows group names to Unix group names, so Windows group names can be similar to those Windows uses, but unix will still have decent, short names without spaces.

Regards,
Buchan

--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering        http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
Just wanted to follow up here really quickly.

I have been working with those idealx scripts, and they really look like they will be the answer to my questions and problems. I just have a few more questions.

Obviously, with the idealx scripts, I can add my own groups as I need and place my users into the specific group with

    smbldap-usermod -G <group> <user>

That is simple enough. That will add a user to a specific group. After that, I can set the password for the user by using smbpasswd -a <user>, correct?

The next question I have is on the adding of machine accounts. Now, I've added a few lines in my smb.conf file, a script, that should automatically add a machine to the LDAP directory, correct? Here is what I've added:

    add user script = /usr/local/sbin/smbldap-useradd.pl -w %u
    passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u

I've also seen this script:

    add user script = /usr/share/samba/scripts/smbldap-useradd.pl -w -d /dev/null -g machines -c 'Machine Account' -s /bin/false %u

From what I'm guessing, the last script should add the machine accounts directly, correct?

So once I've added my user to a group, set the password for the user, I should THEN be able to go to that client's machine (Win2K) and add that computer and client to the domain, correct?

Thanks everyone. I really appreciate everyone's help and patience.

Jason
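The `add user script` lines above are run by Samba as root with `%u` replaced by whatever account name the join request carries, so it is worth putting a check in front of the IDEALX script. The wrapper below is an added example, not code from the thread or from the IDEALX project: it accepts only a NetBIOS-style machine name with the trailing `$` that Samba uses for trust accounts (that `%u` carries the `$` is an assumption stated in the code), and only then builds the `smbldap-useradd.pl -w ...` call with the flags quoted in the message. The script path and the `machines` group name are assumptions taken from the lines above.

```python
#!/usr/bin/env python3
"""Wrapper for Samba's 'add user script' that only ever creates machine accounts.

Added example, not part of the thread or of the IDEALX smbldap-tools.
Samba substitutes %u with the account name to create; for a domain join this
wrapper assumes the NetBIOS name with a trailing '$' (e.g. 'ws01$').  Anything
else is refused before smbldap-useradd.pl is invoked.
"""
import re
import subprocess
import sys

SMBLDAP_USERADD = "/usr/local/sbin/smbldap-useradd.pl"   # assumed path (as in smb.conf above)
MACHINES_GROUP = "machines"                               # assumed group for machine accounts

# Conservative NetBIOS computer name: 1-15 letters, digits or hyphens, then the
# '$' Samba appends for trust accounts.  Spaces, slashes, shell metacharacters
# and plain user names all fail this test.
MACHINE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,14}\$$")


def machine_name_ok(name):
    """True only for names that look like a machine trust account."""
    return bool(MACHINE_NAME_RE.match(name))


def build_useradd_argv(name):
    """argv for the smbldap-useradd.pl call quoted in the thread, with -w."""
    if not machine_name_ok(name):
        raise ValueError(f"refusing to create non-machine account {name!r}")
    return [SMBLDAP_USERADD, "-w", "-d", "/dev/null", "-g", MACHINES_GROUP,
            "-c", "Machine Account", "-s", "/bin/false", name]


def main(argv):
    if len(argv) != 2:
        print("usage: add-machine-account.py <name$>", file=sys.stderr)
        return 2
    try:
        cmd = build_useradd_argv(argv[1])
    except ValueError as exc:
        print(exc, file=sys.stderr)
        return 1
    # The name travels as its own argv element; it is never interpolated
    # into a shell command line.
    return subprocess.call(cmd)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With this file installed as, say, `/usr/local/sbin/add-machine-account.py`, the smb.conf line becomes `add user script = /usr/local/sbin/add-machine-account.py %u`; user accounts are still created by hand with the smbldap tools, as described in the message, and only a join request can trigger the script.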
> Lance,
>
> I appreciate all your help. It has been great in helping me move farther along as well as understand more.
>
> I've been working with the IDEALX scripts and they are working great. However, I have a couple of questions I wanted to run by you.
>
> As of now, I have ou's of: ou=Computers, ou=Users, ou=Groups
> I also have: cn=Domain Admins,ou=Groups
>              cn=Domain Users,ou=Groups
>
> My question(s) are: If I want to create my own groups, for example: Loan Officers and Loan Processors, I can do that no problem. It creates it like so:
>     cn=loanofficers,ou=Groups
>
> Thus, if I had 4-5 groups, I could create them using the IDEALX scripts. Simple enough.
>
> This is where I'm a bit lost. If I create a second group, loanprocessors, it creates the following:
>
> cn=loanprocessors,ou=Groups
>
> Which is correct. However, if I compare the two of them, I'm confused in one spot:
>
> # loanofficers, Groups, courtesymortgage, com
> dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
> objectClass: posixGroup
> cn: loanofficers
> gidNumber: 1000
>
> # loanprocessors, Groups, courtesymortgage, com
> dn: cn=loanprocessors,ou=Groups,dc=courtesymortgage,dc=com
> objectClass: posixGroup
> cn: loanprocessors
> gidNumber: 1000

This is a problem - gidNumbers should be unique. Are you creating these manually? Make sure they have different numbers. The IDEALX scripts should create unique numbers.

> Being that they both have gidNumber's of 1000, is that going to be a problem?
>
> Which leads to my next question. If I have a user, Jason, that needs to be added to the group loanofficers, how can I do that with the scripts? Is it even possible?

If the group loanofficers is the primary group for the user then that user's gidNumber needs to be set to loanofficers' gidNumber. In addition the memberUid of the group will contain the user's uid, e.g.

    dn: uid=f.flintstone,ou=Users,dc=courtesymortgage,dc=com
    uid: f.flinstone
    gidNumber: 1000

    dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
    objectClass: posixGroup
    cn: loanprocessors
    gidNumber: 1000
    memberUid: f.bloggs
    memberUid: f.flintstone

IDEALX have a script to add members to a group:

    smbldap-groupmod.pl -m f.flintstone loanofficers

> I hope I'm not rambling. I've been struggling to find out what the problem is and I have not been able to find any documentation on this.
>
> Thanks for your help Lance,
>
> Cheers,
>
> Jason
>
> At 09:16 AM 5/16/2003 +1000, you wrote:
>
>>> Lance,
>>>
>>> Thanks for your help. I do appreciate it.
>>>
>>> I have been reviewing the documentation that you sent as well as the scripts from idealx. I still have a lot of questions and testing to do.
>>>
>>> If you don't mind me asking you a couple more questions, I'd love to hear your advice.
>>>
>>> Are you coming from unix? have you tried them?
>>> The actual server I am working on is brand new. Nothing on it. All of our users use Win2k Pro computers and we are set up in a workgroup environment. They will all be joining the Samba PDC
>>>
>>> "
>>>
>>> This is what I currently have. I am trying to figure out how to add the users and their machines to the PDC. I've tried using the smbldap-adduser.pl script to add users to the PDC, and it seems to work. However, I do not get the response that it has been added. But if I do a search, it is added.
>>
>> When I add a machine like that it doesn't come back with a response either, but what you really want to happen is to join the domain automatically. This is in the line
>>     add user script = /usr/local/sbin/smbldap-useradd.pl -w %u
>>
>> To test this out go to a machine (windows client) that doesn't have an LDAP account - delete an existing account if necessary - and try to join the domain from the windows client. You will be prompted for a username and password. (This is your LDAP "root" user with write access to the LDAP directory.)
>> Then it will try to join the domain. My machines take 20-30 seconds then come back with something about 'welcome to domain'.
>> If it takes 3-4 minutes it hasn't worked!

--
====================================
Lance Rathbone BSc MCompStud
Senior IT Officer
Institute for Molecular Bioscience
Queensland Bioscience Precinct
Bldg 80, Services Road
The University of Queensland
St Lucia Qld 4072 AUSTRALIA
Tel +61 7 3346 2205
http://www.imb.uq.edu.au
=====================================
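Lance's two points, earlier in the thread (a user record carries only its primary gid, membership lives in the group's memberUid) and here (two groups must never share a gidNumber), are easy to verify mechanically against an `ldapsearch` dump. The script below is an added example, not code from the thread or from the IDEALX tools: it parses a small LDIF export, resolves each user's primary group through gidNumber and secondary groups through memberUid, and reports the two faults this exchange is about. The LDIF it runs on is constructed (the `dc=example,dc=com` tree, the user and group names), but the entry shapes follow the ones posted above; the shared gidNumber 1000 reproduces Jason's situation.

```python
"""Consistency checks for posixGroup/posixAccount entries exported as LDIF.

Added example; not code from the thread or from the IDEALX scripts.  It
resolves primary groups (user gidNumber == group gidNumber) and secondary
groups (memberUid) and flags groups that share a gidNumber and users whose
gidNumber no group owns.  The sample data below is constructed.
"""
import base64
import re
from collections import defaultdict

# Constructed sample: the two groups share gidNumber 1000, as in the thread,
# and todd's gidNumber 1002 belongs to no group.
SAMPLE_LDIF = """\
dn: cn=loanofficers,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: loanofficers
gidNumber: 1000
memberUid: jason
memberUid: fred

dn: cn=loanprocessors,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: loanprocessors
gidNumber: 1000
memberUid: todd

dn: uid=jason,ou=Users,dc=example,dc=com
objectClass: posixAccount
uid: jason
uidNumber: 1001
gidNumber: 1000

dn: uid=todd,ou=Users,dc=example,dc=com
objectClass: posixAccount
uid: todd
uidNumber: 1002
gidNumber: 1002
"""

ATTR_LINE = re.compile(r"^([A-Za-z][\w;-]*)(::?)\s*(.*)$")


def parse_ldif(text):
    """Return a list of entries, each a dict attr -> list of values.

    Handles blank-line separation, '#' comments, RFC 2849 line folding
    (continuation lines start with one space) and base64 values ('attr::').
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                      # entry separator
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:    # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        m = ATTR_LINE.match(raw)
        if not m:
            continue                             # tolerate junk lines
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def check_groups(entries):
    """Return (problems, membership): findings, and group cn -> sorted uids."""
    groups = [e for e in entries if "posixGroup" in e.get("objectClass", [])]
    users = [e for e in entries if "posixAccount" in e.get("objectClass", [])]
    problems = []

    owners_of = defaultdict(list)                # gidNumber -> group cn(s)
    for g in groups:
        owners_of[g["gidNumber"][0]].append(g["cn"][0])
    for gid, names in sorted(owners_of.items()):
        if len(names) > 1:
            problems.append(f"gidNumber {gid} shared by {', '.join(names)}")

    membership = {g["cn"][0]: set(g.get("memberUid", [])) for g in groups}
    for u in users:
        uid, gid = u["uid"][0], u["gidNumber"][0]
        if gid not in owners_of:
            problems.append(f"user {uid} has gidNumber {gid} but no group owns it")
            continue
        # With a shared gidNumber the primary group is ambiguous, so the user
        # lands in every group that claims the number: that is the real damage.
        for name in owners_of[gid]:
            membership[name].add(uid)
    return problems, {name: sorted(m) for name, m in membership.items()}


def run_checks(text=SAMPLE_LDIF):
    """Parse and check; returns (problems, membership) for the given LDIF."""
    return check_groups(parse_ldif(text))


if __name__ == "__main__":
    found, by_group = run_checks()
    for line in found:
        print("PROBLEM:", line)
    for name, members in by_group.items():
        print(f"{name}: {', '.join(members)}")
```

On the sample the checker reports the shared gidNumber and the orphaned one, and the membership table shows why a collision matters: jason, whose primary gid is 1000, is counted as a member of both groups that claim that number, which is exactly the ambiguity Lance warns about. To check a live directory, feed it the output of `ldapsearch -x -b "ou=Groups,dc=..."` concatenated with the `ou=Users` subtree.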
> Hello Lance!
>
> Ok, let me answer a few questions:
>
> This is a problem - gidNumbers should be unique. Are you creating these manually? Make sure they have different numbers. The IDEALX scripts should create unique numbers.
>
> I am using the idealx scripts to create groups. I am not sure exactly why the groups are not getting unique numbers....something I misconfigured in smbldap_conf.pm ? I'm not sure exactly.

I'm not sure what is happening here - In smbldap_conf.pm you just configure the starting gidNumber. The function called is group_add in smbldap_tools.pm. It seems strange that it is not giving you an error and not working.

> If the group loanofficers is the primary group for the user then that user's gidNumber needs to be set to loanofficers gidNumber.
> In addition the memberUid of the group will contain the user's uid
> [...]
> IDEALX have a script to add members to a group:
> smbldap-groupmod.pl -m f.flintstone loanofficers
>
> Here is a quick snip of my stuff:
>
> dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
> objectClass: posixGroup
> cn: loanofficers
> gidNumber: 1002
> memberUid: jason
>
> dn: uid=jason,ou=Users,dc=courtesymortgage,dc=com
> cn: jason
> sn: jason
> uid: jason
> uidNumber: 1000
> gidNumber: 1002
> <snip>
>
> That looks about right, yes? Jason's GID number is the same as the GID number for LoanOfficers.

Looks good to me

> Here is something that I have been curious about. It is in relation to designing a LDAP directory. I picked up a few books on LDAP this weekend and they are really explaining things that I understand now...but here is something I wanted to ask:
>
> If you look at the DN for loanofficers and Jason:
> dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
> dn: uid=jason,ou=Users,dc=courtesymortgage,dc=com
>
> My question is this: Right now, my loanofficers has a cn (common name?)
> What if I wanted to set up my structure so that I have ou=Groups and underneath it, I have my groups that I want? Here is an example:
>
> dn: ou=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
>
> Then, I would place my "loanofficers" users in that leaf.
> Is that possible?
> Is that a good idea or a bad idea?

I see what you are trying to do but I'm not sure - it does not look good to me. I would wait for more knowledgeable responses than mine.

> I am trying to figure out the best way to manage and set up my users....
>
> Any suggestions there?

What's wrong with adding your users to secondary groups such as you do on unix? You enforce meaning to that group by the way you assign members to it.

    dn: cn=groupname,ou=Groups,dc=courtesymortgage,dc=com
    objectClass: posixGroup
    cn: loanofficers
    gidNumber: 1003
    memberUid: jason
    memberUid: fred

> Thanks again.
>
> Cheers,
>
> Jason
>
> At 02:24 PM 5/19/2003 +1000, you wrote:
> [...]
>Hello again Lance! > >Well, lets see. Im not exactly sure why the gidNumbers were >incorrect before. I did a few tests and then it started to work >correctly. That seems to be ok.Good> >What's wrong with adding your users to secondary groups such as you >do on unix? >You enforce meaning to that group by the way you assign members to it. >dn: cn=groupname,ou=Groups,dc=courtesymortgage,dc=com >objectClass: posixGroup >cn: loanofficers >gidNumber: 1003 >memberUid: jason >memberUid: fred > >This is something I have thought about doing quite a bit recently. >However, i'm hoping that management will let me make the decisionis >on how to design this. > >I think I may go this route. Just add the group to be under GROUPS, >then make people members of the groupname by issuing: > >smbldap-usermod.pl -G <groupname> <user> > >Should work ok.>The only thing i've been thinking of doing is adding another OU >called devices. Inside there, i could put information on our >printers, servers etc. > >At this point, I would imagine it is about personal preference. > >Also, I remember asking you about creating a user that would be used >to join computers to the domain. 
Correct me if im wrong, but I >should create a username of my choice...Yes - the user that is used to join computers to the domain just needs to have write access to the LDAP directory e.g access to dn=".*,dc=courtesymortgage,dc=com" attr=userPassword by dn="cn=Manager,dc=courtesymortgage,dc=com" write by uid=f.flintstone,ou=Users,dc=courtesymortgage,dc=com write by self write by * auth where f.flintstone is a valid user> >I think I have this right...let me show you: > ># Administrators, Groups, courtesymortgage, com >dn: cn=Administrators,ou=Groups,dc=courtesymortgage,dc=com >objectClass: posixGroup >gidNumber: 220 >cn: Administrators >description: Windows Domain Members can administer the computer and Domain >memberUid: ldapadmin > ># ldapadmin, Users, courtesymortgage, com >dn: uid=ldapadmin,ou=Users,dc=courtesymortgage,dc=com >objectClass: inetOrgPerson >objectClass: posixAccount >cn: ldapadmin >sn: ldapadmin >uid: ldapadmin >uidNumber: 1000 >gidNumber: 1002 >homeDirectory: /home/ldapadmin >loginShell: /bin/bash >gecos: System User >description: System User > >ldapadmin to adminster, added to the Administrators group. Then, I >add @Administrators domain admin group = @Administrators in smb.conf > > >My ACL in slapd.conf: > >access to dn=".*,dc=courtesymortgage,dc=com" attr=userPassword > by dn="cn=Manager,dc=courtesymortgage,dc=com" write > by self write > by * auth > >access to dn=".*,dc=courtesymortgage,dc=com" > by dn="uid=ldapadmin,ou=Users,dc=courtesymortgage,dc=com" write > >access to dn=".*,dc=courtesymortgage,dc=com" attr=mail > by dn="cn=Manager,dc=courtesymortgage,dc=com" write > by self write > by * read > >access to dn=".*,ou=People,dc=courtesymortgage,dc=com" > by * read > >access to dn=".*,dc=courtesymortgage,dc=com" > by self write > by * read > >Look good? Bad? horrible? > >Last question....you are from Australia? What part if you dont mind me asking?Brisbane, Queensland> >Thank you. 
> >Best, > >Jason >At 08:20 AM 5/20/2003 +1000, you wrote: > >>>Hello Lance! >>> >>>Ok, let me answer a few questions: >>> >>>This is a problem - gidNumbers should be unique. Are you creating >>>theses manually? Make sure they have different numbers. The IDEALX >>>scripts should create unique numbers. >>>I am using the idealx scripts to create groups. I am not sure >>>exactly why the groups are not getting unique numbers....something >>>I misconfigured in smbldap_conf.pm ? I'm not sure exactly. >>> >> >>I'm not sure what is happening here - In smbldap_conf.pm you just >>configure the starting gidNumber. The function called is group_add >>in smbldap_tools.pm. It seems strange that it is not giving you an >>error and not working. >> >>> >>>If the group loanofficers is the primary group for the user then >>>that user's gidNumber needs to be set to loanofficers gidNumber. >>>In addition the memberUid of the group will contain the user's uid >>> >>>e.g >>>dn: uid=f.flintstone,ou=Users,dc=courtesymortgage,dc=com >>>uid: f.flinstone >>>gidNumber: 1000 >>> >>>dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com >>>objectClass: posixGroup >>>cn: loanprocessors >>>gidNumber: 1000 >>>memberUid: f.bloggs >>>memberUid: f.flintstone >>> >>>IDEALX have a script to add members to a group: >>>smbldap-groupmod.pl -m f.flintstone loanofficers >>> >>>Here is a quick snip of my stuff: >>>dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com >>>objectClass: posixGroup >>>cn: loanofficers >>>gidNumber: 1002 >>>memberUid: jason >>> >>>dn: uid=jason,ou=Users,dc=courtesymortgage,dc=com >>>cn: jason >>>sn: jason >>>uid: jason >>>uidNumber: 1000 >>>gidNumber: 1002 >>><snip> >>> >>>That looks about right, yes? Jason's GID number is the same as the >>>GID number for LoanOfficers. >>> >> >>Looks good to me >> >>> >>>Here is something that I have been curious about. It is in >>>relation to designing a LDAP directory. 
>>> I picked up a few books on
>>> LDAP this weekend and they are really explaining things that I
>>> understand now...but here is something I wanted to ask:
>>> If you look at the DN for loanofficers and Jason:
>>> dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
>>> dn: uid=jason,ou=Users,dc=courtesymortgage,dc=com
>>>
>>> My question is this: Right now, my loanofficers has a cn (common name?)
>>> What if I wanted to set up my structure so that I have ou=Groups
>>> and underneath it, I have my groups that I want? Here is an
>>> example:
>>> dn: ou=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
>>>
>>> Then, I would place my "loanofficers" users in that leaf.
>>> Is that possible?
>>> Is that a good idea or a bad idea?
>>>
>>
>> I see what you are trying to do but I'm not sure - it does not look
>> good to me. I would wait for more knowledgeable responses than mine.
>>
>>>
>>> I am trying to figure out the best way to manage and set up my users....
>>>
>>> Any suggestions there?
>>>
>>
>> What's wrong with adding your users to secondary groups such as you
>> do on unix?
>> You enforce meaning to that group by the way you assign members to it.
>> dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
>> objectClass: posixGroup
>> cn: loanofficers
>> gidNumber: 1003
>> memberUid: jason
>> memberUid: fred
>>
>>>
>>> Thanks again.
>>>
>>> Cheers,
>>>
>>> Jason
>>>
>>>
>>> At 02:24 PM 5/19/2003 +1000, you wrote:
>>>
>>>>> Lance,
>>>>>
>>>>> I appreciate all your help. It has been great in helping me move
>>>>> farther along as well as understand more.
>>>>>
>>>>> I've been working with the IDEALX scripts and they are working
>>>>> great. However, I have a couple of questions I wanted to run by
>>>>> you.
>>>>>
>>>>> As of now, I have ou's of: ou=Computers, ou=Users, ou=Groups
>>>>> I also have: cn=Domain Admins,ou=Groups
>>>>>              cn=Domain Users,ou=Groups
>>>>>
>>>>> My question(s) are: If I want to create my own groups, for
>>>>> example: Loan Officers and Loan Processors, I can do that no
>>>>> problem.
>>>>> It creates it like so:
>>>>>   cn=loanofficers,ou=Groups
>>>>>
>>>>> Thus, if I had 4-5 groups, I could create them using the IDEALX
>>>>> scripts. Simple enough.
>>>>>
>>>>> This is where I'm a bit lost. If I create a second group,
>>>>> loanprocessors, it creates the following:
>>>>>
>>>>> cn=loanprocessors,ou=Groups Which is correct. However, if I
>>>>> compare the two of them, I'm confused in one spot:
>>>>>
>>>>> # loanofficers, Groups, courtesymortgage, com
>>>>> dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
>>>>> objectClass: posixGroup
>>>>> cn: loanofficers
>>>>> gidNumber: 1000
>>>>>
>>>>> # loanprocessors, Groups, courtesymortgage, com
>>>>> dn: cn=loanprocessors,ou=Groups,dc=courtesymortgage,dc=com
>>>>> objectClass: posixGroup
>>>>> cn: loanprocessors
>>>>> gidNumber: 1000
>>>>>
>>>>
>>>> This is a problem - gidNumbers should be unique. Are you creating
>>>> these manually? Make sure they have different numbers. The
>>>> IDEALX scripts should create unique numbers.
>>>>
>>>>>
>>>>> Being that they both have gidNumber's of 1000, is that going to
>>>>> be a problem?
>>>>> Which leads to my next question. If I have a user, Jason, that
>>>>> needs to be added to the group loanofficers, how can I do that
>>>>> with the scripts? Is it even possible?
>>>>>
>>>>
>>>> If the group loanofficers is the primary group for the user then
>>>> that user's gidNumber needs to be set to loanofficers gidNumber.
>>>> In addition the memberUid of the group will contain the user's uid
>>>>
>>>> e.g
>>>> dn: uid=f.flintstone,ou=Users,dc=courtesymortgage,dc=com
>>>> uid: f.flintstone
>>>> gidNumber: 1000
>>>>
>>>> dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
>>>> objectClass: posixGroup
>>>> cn: loanofficers
>>>> gidNumber: 1000
>>>> memberUid: f.bloggs
>>>> memberUid: f.flintstone
>>>>
>>>> IDEALX have a script to add members to a group:
>>>> smbldap-groupmod.pl -m f.flintstone loanofficers
>>>>
>>>>
>>>>>
>>>>> I hope I'm not rambling.
>>>>> I've been struggling to find out what
>>>>> the problem is and I have not been able to find any
>>>>> documentation on this.
>>>>>
>>>>> Thanks for your help Lance,
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Jason
>>>>>
>>>>>
>>>>>
>>>>> At 09:16 AM 5/16/2003 +1000, you wrote:
>>>>>
>>>>>>> Lance,
>>>>>>>
>>>>>>> Thanks for your help. I do appreciate it.
>>>>>>>
>>>>>>> I have been reviewing the documentation that you sent as well
>>>>>>> as the scripts from idealx. I still have a lot of questions
>>>>>>> and testing to do.
>>>>>>>
>>>>>>> If you don't mind me asking you a couple more questions, I'd
>>>>>>> love to hear your advice.
>>>>>>>
>>>>>>> Are you coming from unix? have you tried them?
>>>>>>> The actual server I am working on is brand new. Nothing on it.
>>>>>>> All of our users use Win2k Pro computers and we are set up in a
>>>>>>> workgroup environment. They will all be joining the Samba PDC
>>>>>>>
>>>>>>> "
>>>>>>>
>>>>>>> This is what I currently have. I am trying to figure out how
>>>>>>> to add the users and their machines to the PDC. I've tried
>>>>>>> using the smbldap-adduser.pl script to add users to the PDC,
>>>>>>> and it seems to work. However, I do not get the response that
>>>>>>> it has been added. But if I do a search, it is added.
>>>>>>>
>>>>>>
>>>>>> When I add a machine like that it doesn't come back with a
>>>>>> response either, but what you really want to happen is to join
>>>>>> the domain automatically. This is in the line
>>>>>> add user script = /usr/local/sbin/smbldap-useradd.pl -w %u
>>>>>>
>>>>>> To test this out go to a machine (windows client) that doesn't
>>>>>> have an LDAP account - delete an existing account if necessary
>>>>>> - and try to join the domain from the windows client. You will
>>>>>> be prompted for a username and password. (This is your LDAP
>>>>>> "root" user with write access to the LDAP directory.)
>>>>>> Then it will try to join the domain. My machines take 20-30
>>>>>> seconds then come back with something about 'welcome to domain'.
>>>>>> If it takes 3-4 minutes it hasn't worked!
>>>>>>
>>>>>>

--
====================================
Lance Rathbone BSc MCompStud
Senior IT Officer
Institute for Molecular Bioscience
Queensland Bioscience Precinct
Bldg 80, Services Road
The University of Queensland
St Lucia Qld 4072 AUSTRALIA
Tel +61 7 3346 2205
http://www.imb.uq.edu.au
=====================================
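The slapd.conf ACL that Jason posted (the "Look good? Bad? horrible?" question above) is worth checking with the ordering rules OpenLDAP documents for slapd.conf: the first `access to` directive whose target matches the entry and attribute is the only one consulted, within it the first matching `by` clause decides, and if no `by` clause matches the requester is denied. The Python below is an added example, not code from the thread, from OpenLDAP or from the IDEALX scripts; it models those two rules, transcribes the posted directives, and evaluates a few constructed requests against them. The "fixed" ordering is an assumption of mine about how the intent could be expressed so that later directives stay reachable, not something the thread proposes; the requester DNs for jason and f.flintstone are taken from the examples above. It is a model of the documented semantics, not slapd itself, so any change should still be confirmed against the real server (later OpenLDAP releases ship slapacl(8) for exactly that).

```python
"""Model of OpenLDAP slapd.conf access-control evaluation, applied to the
ACL posted in the thread.  Added example: not Lance's or Jason's code and
not OpenLDAP's evaluator.  Implements the documented first-match rules:
the first 'access to' directive whose target matches is final, the first
matching 'by' clause inside it decides, and no matching 'by' means none."""
import re

# Access levels in increasing order of privilege, as in slapd.conf.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


class Access:
    """One 'access to' directive: a dn regex (OpenLDAP 2.0 dn="<regex>"),
    an optional attribute, and an ordered list of (who, level) by-clauses."""

    def __init__(self, dn_regex, attr, by):
        self.dn_regex = re.compile(dn_regex, re.IGNORECASE)
        self.attr = attr.lower() if attr else None  # None: entry + all attrs
        self.by = by


def who_matches(who, requester_dn, entry_dn):
    """'who' is '*', 'self', or 'dn=<regex>'; requester_dn None = anonymous."""
    if who == "*":
        return True
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return requester_dn is not None and \
            re.fullmatch(who[3:], requester_dn, re.IGNORECASE) is not None
    raise ValueError("unsupported who clause: " + who)


def evaluate(acl, requester_dn, entry_dn, attr=None):
    """Access level requester_dn gets on attr of entry_dn (attr=None: the entry)."""
    wanted = attr.lower() if attr else None
    for rule in acl:
        if not rule.dn_regex.fullmatch(entry_dn):
            continue
        if rule.attr is not None and rule.attr != wanted:
            continue
        # This directive matched the target: its by-list is final.
        for who, level in rule.by:
            if who_matches(who, requester_dn, entry_dn):
                return level
        return "none"  # target matched but no by-clause matched
    return "none"


def allows(acl, requester_dn, entry_dn, attr, needed):
    """True if the granted level is at least 'needed'."""
    return LEVELS.index(evaluate(acl, requester_dn, entry_dn, attr)) >= LEVELS.index(needed)


BASE = r".*,dc=courtesymortgage,dc=com"
MANAGER = "cn=Manager,dc=courtesymortgage,dc=com"
LDAPADMIN = "uid=ldapadmin,ou=Users,dc=courtesymortgage,dc=com"

# The posted ACL, directives in the posted order (quotes around DNs dropped).
POSTED_ACL = [
    Access(BASE, "userPassword", [("dn=" + MANAGER, "write"), ("self", "write"), ("*", "auth")]),
    Access(BASE, None, [("dn=" + LDAPADMIN, "write")]),
    Access(BASE, "mail", [("dn=" + MANAGER, "write"), ("self", "write"), ("*", "read")]),
    Access(r".*,ou=People,dc=courtesymortgage,dc=com", None, [("*", "read")]),
    Access(BASE, None, [("self", "write"), ("*", "read")]),
]

# Assumed rewrite (not from the thread): the ldapadmin grant is folded into
# the directives it should apply to, so the later directives stay reachable.
FIXED_ACL = [
    Access(BASE, "userPassword", [("dn=" + MANAGER, "write"), ("dn=" + LDAPADMIN, "write"),
                                  ("self", "write"), ("*", "auth")]),
    Access(BASE, "mail", [("dn=" + MANAGER, "write"), ("self", "write"), ("*", "read")]),
    Access(BASE, None, [("dn=" + LDAPADMIN, "write"), ("self", "write"), ("*", "read")]),
]

# Constructed requesters / targets, using DNs from the thread's examples.
JASON = "uid=jason,ou=Users,dc=courtesymortgage,dc=com"
FRED = "uid=f.flintstone,ou=Users,dc=courtesymortgage,dc=com"

if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("fixed", FIXED_ACL)):
        print(name, "jason reads own cn:", evaluate(acl, JASON, JASON, "cn"))
        print(name, "jason reads fred's cn:", evaluate(acl, JASON, FRED, "cn"))
        print(name, "anonymous on fred's userPassword:", evaluate(acl, None, FRED, "userPassword"))
        print(name, "ldapadmin on fred's userPassword:", evaluate(acl, LDAPADMIN, FRED, "userPassword"))
```

Running it shows the two things a reviewer would flag in the posted order: the second directive matches every entry and attribute but has no `by * ...` clause, so every requester other than ldapadmin ends up with `none` (users cannot even read their own entries, and the `mail`, `ou=People` and catch-all directives are never reached), and ldapadmin itself only gets `auth` on `userPassword` because the first directive wins for that attribute. The model's output for the reordered version is what the posted ACL appears to have intended.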
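The exchange above about duplicate gidNumbers and about how a user is tied to a group (primary gidNumber on the posixAccount, memberUid on the posixGroup) is easy to check mechanically against an ldapsearch dump. The following Python is an added example, not code from the thread or from the IDEALX scripts: it reads LDIF, reports groups that share a gidNumber and users whose primary gidNumber matches no group, and prints each group's effective members. SAMPLE_LDIF is a constructed input that reproduces the loanofficers/loanprocessors clash and the jason gidNumber 1002 entry from the messages above; against a live server the same function can be fed the output of `ldapsearch -LLL -b dc=courtesymortgage,dc=com`.

```python
"""Consistency checks for the posixGroup / posixAccount layout discussed in
the thread.  Added example; not the IDEALX scripts and not anything posted
by Lance or Jason.  Parses ldapsearch-style LDIF and reports gidNumber
clashes and users whose primary group does not exist."""

# Constructed sample input reproducing the thread's duplicate gidNumber case.
SAMPLE_LDIF = """\
dn: cn=loanofficers,ou=Groups,dc=courtesymortgage,dc=com
objectClass: posixGroup
cn: loanofficers
gidNumber: 1000
memberUid: jason

dn: cn=loanprocessors,ou=Groups,dc=courtesymortgage,dc=com
objectClass: posixGroup
cn: loanprocessors
gidNumber: 1000

dn: cn=Domain Users,ou=Groups,dc=courtesymortgage,dc=com
objectClass: posixGroup
cn: Domain Users
gidNumber: 201

dn: uid=jason,ou=Users,dc=courtesymortgage,dc=com
objectClass: posixAccount
uid: jason
uidNumber: 1000
gidNumber: 1002

dn: uid=f.flintstone,ou=Users,dc=courtesymortgage,dc=com
objectClass: posixAccount
uid: f.flintstone
uidNumber: 1001
gidNumber: 201
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, folded continuation lines starting with a space, '#' comments.
    Returns a list of dicts mapping lowercase attribute name -> values."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:  # folded line
            current[last][-1] += raw[1:]
            continue
        if raw.strip() == "":
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        name, _, value = raw.partition(":")
        name = name.strip().lower()
        current.setdefault(name, []).append(value.strip())
        last = name
    return entries


def check(entries):
    """Return (problems, members): problems is a list of findings, members
    maps group cn -> sorted uids (primary-group users plus memberUid)."""
    groups = [e for e in entries if "posixgroup" in map(str.lower, e.get("objectclass", []))]
    users = [e for e in entries if "posixaccount" in map(str.lower, e.get("objectclass", []))]
    problems, by_gid = [], {}
    for g in groups:
        by_gid.setdefault(g["gidnumber"][0], []).append(g["cn"][0])
    for gid, names in by_gid.items():
        if len(names) > 1:  # two groups with one gid are one group to the OS
            problems.append("gidNumber %s shared by groups: %s" % (gid, ", ".join(sorted(names))))
    members = {g["cn"][0]: set(g.get("memberuid", [])) for g in groups}
    for u in users:
        gid = u["gidnumber"][0]
        if gid not in by_gid:
            problems.append("user %s has primary gidNumber %s but no group has it" % (u["uid"][0], gid))
            continue
        for name in by_gid[gid]:
            members[name].add(u["uid"][0])
    return problems, {k: sorted(v) for k, v in members.items()}


if __name__ == "__main__":
    problems, members = check(parse_ldif(SAMPLE_LDIF))
    for p in problems:
        print("PROBLEM:", p)
    for name, uids in sorted(members.items()):
        print(name, "->", ", ".join(uids) or "(no members)")
```

The two findings it prints for the sample are the ones the thread is circling: loanofficers and loanprocessors both carry gidNumber 1000, so at the POSIX level they are indistinguishable, and jason's primary gidNumber 1002 points at nothing, which is what you get when a group is recreated with a new number but the users who referenced the old one are not updated. Fixing the numbers first and then running `smbldap-groupmod.pl -m` for the secondary memberships keeps the two views (gidNumber and memberUid) consistent.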