Hi.
I have an existing departmental network based on AFS, Kerberos 5 and
LDAP. All unixes work nicely, logging in remotely. So, Samba acting
as a PDC with OpenLDAP. Now I'd like to interoperate with all windows
workstations. I chose the LDAP way, since it's the most flexible and
secure way... or at least, it seems to me more flexible than using a
single /etc/passwd file on a distributed environment.
LDAP contains a root dc=dept and we already have
groups and persons just working, and experimental hosts:
# group example
dn: cn=deptafs,ou=info,dc=dept
objectClass: top
objectClass: posixGroup
cn: diaafs
gidNumber: 10000
description: general afs group
# user example
dn: uid=doe,ou=info,dc=dept
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: John
uid: Doe
uidNumber: 10000
gidNumber: 10000
description: info will be here
title: Mr.
sn: Doe
o: MyUniversity
ou: Dept
st: State
l: City
mail: doe@dept.org
gecos: ,,,
givenName: John
displayName: John Doe
homeDirectory: /afs/my.dept.org/users/d/doe
loginShell: /bin/bash
# host example
dn: cn=host.dept.org,ou=host,dc=dept
objectClass: locality
objectClass: ipHost
objectClass: ieee802Device
objectClass: bootableDevice
ipHostNumber: 123.123.123.11
cn: host.dept.org
macAddress: 00:00:00:00:00:00
My ldap admin is cn=sysadmin and there's just a rootdn entry in
slapd.conf, the password is provided by kerberos via GSSAPI/SASL.
I've got many questions, but one important thing is not to mess with
ldap database so much... I don't like to rewrite the db from scratch.
Now my concerns :)
The smbldap-tools are of no use probably for us, since all the docs
I've read start with smbldap-populate... but I have a db just
working. So, I need to add the minimum required entries into ldap and
modify the existing names in order to make all users use the remote
profiling.
My UIDs are LDAP-only. I generate them from AFS, and so they are
unmodifiable. Of course, this shouldn't be an issue... I hope.
As long as I've understood, I must add a dn for the domain. I have no
idea how to generate a SID, and I have no idea how RidBase works with
samba if we do not use smbldap-tools. This is my example:
# TESTING, dia
dn: sambaDomainName=TESTING,dc=dept
sambaDomainName: TESTING
sambaSID: S-1-1-21-3138413446-3899332943-2322914696
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
All users must be modified using samba schema. Again. What I can do
with SIDs (user and groups)? I mean, can I use *any* sid I want from
the UID I have or I must make some kind of trick? What about LM
password and NT password? I will use, if I understand, the
userPassword field, not the other two. The profile can be put
wherever I want, if I understand... so I'd like to store them under /
afs/../username/windows, so username-dependent... this is difficult
to understand for me: how to specity a UNC path for user profiling,
given this unix pattern /afs/my.dept.org/users/d/doe, and putting
profiles under windows/ on each home directory. That's my guess,
wrong for sure:
dn: uid=doe,ou=info,dc=dept
uidNumber: 10000
gidNumber: 10000
homeDirectory: /afs/my.dept.org/users/d/doe
loginShell: /bin/bash
gecos: ,,,
description: info will be here
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: John Doe
sambaSID: S-1-5-21-4231626423-2410014848-2360679739-3000
sambaPrimaryGroupSID: S-1-5-21-4231626423-2410014848-2360679739-513
sambaLogonScript: common.bat
sambaProfilePath: \\TESTINGPDC\users\d\doe\windows
sambaHomePath: \\TESTINGPDC\users\d\doe
sambaHomeDrive: Z:
sambaLMPassword: 7584248B8D2C9F9EAAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 186CB09181E2C2ECAAC768C47C729904
sambaPwdLastSet: 1081281346
sambaPwdMustChange: 1085169346
userPassword: {SSHA}jg1v0WaeBkymhWasjeiprxzHxdmTAHd+
[global]
workgroup=TESTING
netbios name=TESTINGPDC
enable privileges=yes
server string=Samba-LDAP
ldap passwd sync=yes
passdb backend=ldapsam:ldap://ldap.dept.org/
ldap admin dn=cn=sysadmin,dc=dept
ldap suffix=dc=dept
ldap group suffix=ou=info,dc=dept
ldap user suffix=ou=info,dc=dept
ldap machine suffix=ou=host,dc=dept
ldap ssl=no
logon script=scripts\logon.bat
domain logons=yes
os level=64
preferred master=yes
domain master=yes
#[profiles]
#path=/var/local/samba/profiles
#read only=no
#create mask=0600
#directory mask=0700
#browseable=no
#guest ok=yes
#profile acls=yes
#csc policy=disable
#force user=%U
[netlogon]
path=/var/local/samba/netlogon
browseable=no
read only=yes
--
Sensei <senseiwa@tin.it>
The difference between stupidity and genius is that genius has its
limits. (A. Einstein)