samba - Oct 2003 - Samba entries in the LDAP tree, help!

I can NOT find any information on how to get the following into the LDAP tree
(and where they should be located) from the documentation. I am definitely an
LDAP beginner and assembling the tree from reading schema's is still over my
head. I am able to connect to samba using only LDAP authentication and can add
users, but that is all I can successfully do, "net groupmap add",
"net group" returns nothing, "pdbedit -L" etc. fail
miserably because I don't have everything I need in the tree (which I can
see from setting the debugging to 2)it isn't finding these entries because I
don't know where to put them and how this thing structurally should be laid
out. Specifically where do the following fit into the LDAP tree;
sambaGroupMapping, sambaUnixIdPool, sambaIdmapEntry (automatically created?),
and sambaSidEntry.
I used the IdealX smbldap-populate.pl tool to get the basic structure there and
have at least gotten the User authentication portion working.  But if someone
could give me a clue of where to look (if I somehow missed it in the documents,
but I don't see how because I read it from cover to cover) and/or how to get
started on the rest of this, I would be eternally grateful.
So far the tree looks approximately as so;

dc=3Dvogeleusa, dc=3Dcom
|_cn=3Droot 
|_ou=3DComputers (as created by smbldap-populate.pl, no entries here yet)
|_ou=3DGroups (as created by smbldap-populate.pl)
    |_cn=3DDomain Admins
      .......
|_ou=3DUsers (as created by smbldap-populate.pl)
    |_uid=3DAdministrator
    |_uid=3Droot
    |_uid=3Dtestuser
      ........
|_sambaDomainName(sambaDomain)=3DVOGELEUSA (created automatically by pdbedit or
a net command, I have forgotten which)

I would greatly appreciate any help as I have been working on TRYING to get LDAP
and Samba to work together for over a week now and have had only minor luck in
getting the two to cooperate.  Samba 3 does work fine with smbpasswd, I would
just like to use LDAP exclusively for single sign.

Ed Asbury
Systems Admin/Programmer
Vogele America, Inc.

I'm curious, the samba.schema is for Samba 2.0.  Is there a new Schema 
for Samba 3.0 that includes ACLs?

Ed Asbury wrote:
> I can NOT find any information on how to get the following into the LDAP
tree (and where they should be located) from the documentation. I am definitely
an LDAP beginner and assembling the tree from reading schema's is still over
my head. I am able to connect to samba using only LDAP authentication and can
add users, but that is all I can successfully do, "net groupmap add",
"net group" returns nothing, "pdbedit -L" etc. fail
miserably because I don't have everything I need in the tree (which I can
see from setting the debugging to 2)it isn't finding these entries because I
don't know where to put them and how this thing structurally should be laid
out. Specifically where do the following fit into the LDAP tree;
sambaGroupMapping, sambaUnixIdPool, sambaIdmapEntry (automatically created?),
and sambaSidEntry.
> I used the IdealX smbldap-populate.pl tool to get the basic structure there
and have at least gotten the User authentication portion working.  But if
someone could give me a clue of where to look (if I somehow missed it in the
documents, but I don't see how because I read it from cover to cover) and/or
how to get started on the rest of this, I would be eternally grateful.
> So far the tree looks approximately as so;
> 
> dc=vogeleusa, dc=com
> |_cn=root 
> |_ou=Computers (as created by smbldap-populate.pl, no entries here yet)
> |_ou=Groups (as created by smbldap-populate.pl)
>     |_cn=Domain Admins
>       .......
> |_ou=Users (as created by smbldap-populate.pl)
>     |_uid=Administrator
>     |_uid=root
>     |_uid=testuser
>       ........
> |_sambaDomainName(sambaDomain)=VOGELEUSA (created automatically by pdbedit
or a net command, I have forgotten which)
> 
> I would greatly appreciate any help as I have been working on TRYING to get
LDAP and Samba to work together for over a week now and have had only minor luck
in getting the two to cooperate.  Samba 3 does work fine with smbpasswd, I would
just like to use LDAP exclusively for single sign.
> 
> Ed Asbury
> Systems Admin/Programmer
> Vogele America, Inc.
>

hi ed,

wiped out your post cause something went wrong with your line wrapping, 
it would have been a pain to read. Sorry for that.

To give you some Information. A typical user entry in LDAP looks like this:

# pkoelle, Users, samba, nil.b17
dn: uid=pkoelle,ou=Users,ou=samba,dc=nil,dc=b17
uid: pkoelle
sambaSID: S-1-5-21-1363009748-3475195204-773963872-3000
displayName: pkoelle
sambaAcctFlags: [U          ]
objectClass: sambaSamAccount
objectClass: account
objectClass: top
sambaPrimaryGroupSID: S-1-5-21-1363009748-3475195204-773963872-512
sambaNTPassword: xxxxxxxxxxxxxxx
sambaLMPassword: xxxxxxxxxxxxxx
sambaPwdCanChange: 1065274530
sambaPwdLastSet: 1065274530
sambaPwdMustChange: 1067088930

Note that this are only (and not all) samba attributes and 
objectclasses, there have to be a corresponding posixAccount somewhere 
in the DIT accessible by getent().

And a group:

# NTdomadms, groups, samba, nil.b17
dn: cn=NTdomadms,ou=groups,ou=samba,dc=nil,dc=b17
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: NTdomadms
gidNumber: 10008
sambaSID: S-1-5-21-1363009748-3475195204-773963872-512
sambaGroupType: 2
displayName: Domain Administrators
memberUid: NTadmin
memberUid: pkoelle

This is basically a normal posixGroup, augmented by the 
sambaGroupmapping attributes sambaSID, sambaGroupType and displayName. 
Note that the SID is set to the "well known SID" of "Domain 
Administrators" group. You may use the "net groupmap" set of
commands to
get this mapping or populate your DIT from appropriate LDIF's.

It would be helpful to see the ldap related lines of your smb.conf, and 
a few error messages (from net groupmap) or logs.

hth
  Paul