Hi All,

I know this must have been discussed around here a million times, but I really didn't find this info anywhere else and I'm on a deadline here.

I already have an FC1 server with a working LDAP directory in production. The same server runs a Samba PDC, but not with LDAP functionality yet.

All I need to know right now is if I have to include some standard user and group accounts, like Administrator and such. Also, how do I generate the NT and Lanman password hashes so I can include them in the users' ldifs?

And please, don't point me to that Samba-LDAP howto 'cause it did nothing but confuse me more.

Thanks,

--
Jean Krebs Fonseca
jean@totaldata.com.br
Total Data Information Solutions
www.totaldata.com.br

I don't think you 'have' to, but you'll get more functionality if you do.

You should go grab the newest idealx LDAP management scripts, you don't say what version of samba you have, but the scripts are probably newer than what you have if you installed from the RPM that came with the base Fedora install. There's a script in that set called something like smbldap-populate that will create all the users and groups you need for Windows equivalency. You will also want to delete the old ones when you put the new in place. At some point they changed from *.pl to just * for the script names.

Make sure you edit the config files in the smbldap-tools package before you start monkeying with them, particularly the LDAP container names and your domain SID.

Jean Krebs Fonseca wrote:
>Hi All,
>
>I know this must have been discussed around here a million times, but I really
>didn't find this info anywhere else and I'm on a deadline here.
>
>I already have an FC1 server with a working LDAP directory in production. The
>same server runs a Samba PDC, but not with LDAP functionality yet.
>
>All I need to know right now is if I have to include some standard user and
>group accounts, like Administrator and such. Also, how do I generate the NT and
>Lanman password hashes so I can include them in the users' ldifs?
>
>And please, don't point me to that Samba-LDAP howto 'cause it did nothing but
>confuse me more.
>
>Thanks,

--
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.         Cell: 701-306-6254
Information Systems Consultant   Fax: 701-281-1322
URL: www.ae-solutions.com
mailto:pgienger@ae-solutions.com

Jean Krebs Fonseca wrote:
| Hi All,
|
| I know this must have been discussed around here a million times, but I really
| didn't find this info anywhere else and I'm on a deadline here.
|
| I already have an FC1 server with a working LDAP directory in production. The
| same server runs a Samba PDC, but not with LDAP functionality yet.
|
| All I need to know right now is if I have to include some standard user and
| group accounts, like Administrator and such. Also, how do I generate the NT and
| Lanman password hashes so I can include them in the users' ldifs?
|
| And please, don't point me to that Samba-LDAP howto 'cause it did nothing but
| confuse me more.
|
| Thanks,
|
You can use the mkntpwd tool to generate LMPassword and NTPassword hashes, I
do so. Attached you will find my root account's ldif (Passwords removed
;-) ). You will find that it has lots of Objectclasses not necessarily
needed for Unix shell or Samba. Take care to use the Samba3 schema
/usr/share/doc/samba..../examples/LDAP/....
Anyway if you configure the ldap backend in Samba and SmbLDAP tools,
then a simple pdbedit operation could do the migration to ldapsam.
Cheers
Geza
-------------- next part --------------
dn: uid=root,ou=People,dc=kzsdabas,dc=hu
mailHost: mail.kzsdabas.sulinet.hu
objectClass: mailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: kerberosSecurityObject
objectClass: shadowAccount
objectClass: sambaSamAccount
shadowMax: 60
shadowWarning: 7
shadowInactive: 30
loginShell: /bin/bash
uidNumber: 0
homeDirectory: /root
cn: LDAP's Fake root Account
cn: root
sn: LDAP's Fake root Account
displayName: LDAP's Fake root Account
gecos: LDAP's Fake root Account
shadowLastChange: 12013
sambaPwdMustChange: 2147483647
sambaAcctFlags: [U ]
sambaPwdCanChange: 1080799858
sambaLogonTime: 2147483647
sambaNTPassword: **********REMOVED*********
sambaPwdLastSet: 1080799858
sambaLogoffTime: 2147483647
sambaLMPassword: **********REMOVED*********
sambaKickoffTime: 2147483647
gidNumber: 4
sambaSID: S-1-5-21-2107120446-224765601-1821260193-500
mail: root@kzsdabas.sulinet.hu
mailForwardingAddress: root@mail.kzsdabas.sulinet.hu
uid: root
krbName: root@KZSDABAS.HU
sambaPrimaryGroupSID: S-1-5-21-2107120446-224765601-1821260193-512
userPassword: {CRYPT}$1$**********REMOVED*********

I believe the README is out of date. Their website says that something like .80 and up work on 3.x. I have used .84 to populate a 3.0.2 server just fine making only configuration changes like server locations, containers, and domain SID. I did have to hack one script for my purposes, but that was only because my primary ldap server is over a greater-latency-than-local-lan link and replication takes a couple seconds.

Jean Krebs Fonseca wrote:
>I have downloaded the updated set of scripts, but the readme file says they
>should be modified to work with Samba 3 (I have 3.0.2), since they have been
>made for Samba 2.2. Is this information outdated?
>
>On Monday 26 April 2004 15:44, you wrote:
>
>>I don't think you 'have' to, but you'll get more functionality if you do.
>>
>>You should go grab the newest idealx LDAP management scripts, you don't
>>say what version of samba you have, but the scripts are probably newer
>>than what you have if you installed from the RPM that came with the base
>>Fedora install. There's a script in that set called something like
>>smbldap-populate that will create all the users and groups you need for
>>Windows equivalency. You will also want to delete the old ones when you
>>put the new in place. At some point they changed from *.pl to just *
>>for the script names.
>>
>>Make sure you edit the config files in the smbldap-tools package before
>>you start monkeying with them, particularly the LDAP container names and
>>your domain SID.
>>
>>Jean Krebs Fonseca wrote:
>>
>>>Hi All,
>>>
>>>I know this must have been discussed around here a million times, but I
>>>really didn't find this info anywhere else and I'm on a deadline here.
>>>
>>>I already have an FC1 server with a working LDAP directory in production.
>>>The same server runs a Samba PDC, but not with LDAP functionality yet.
>>>
>>>All I need to know right now is if I have to include some standard user
>>>and group accounts, like Administrator and such. Also, how do I generate
>>>the NT and Lanman password hashes so I can include them in the users'
>>>ldifs?
>>>
>>>And please, don't point me to that Samba-LDAP howto 'cause it did nothing
>>>but confuse me more.
>>>
>>>Thanks,

--
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.         Cell: 701-306-6254
Information Systems Consultant   Fax: 701-281-1322
URL: www.ae-solutions.com
mailto:pgienger@ae-solutions.com

Jean Krebs Fonseca wrote:
> Hi All,
>
> I know this must have been discussed around here a million times, but I really
> didn't find this info anywhere else and I'm on a deadline here.
>
> I already have an FC1 server with a working LDAP directory in production. The
> same server runs a Samba PDC, but not with LDAP functionality yet.
>
> All I need to know right now is if I have to include some standard user and
> group accounts, like Administrator and such. Also, how do I generate the NT and
> Lanman password hashes so I can include them in the users' ldifs?
>
> And please, don't point me to that Samba-LDAP howto 'cause it did nothing but
> confuse me more.
>
> Thanks,
>

Hi, sorry but you have to mess with LDAP. If you have an existing LDAP server, you have to integrate the Samba schema first and then set up users, groups, computers, but this can be done in many ways. I recommend trying the LDAP tools from idealx, also included in the src of Samba in a variation. Perhaps you can do a dump of your LDAP to a test machine and play around with these scripts, being sure your running LDAP will not be touched. But you will have to read howtos.

Regards