Hi. I have an existing departmental network based on AFS, Kerberos 5 and LDAP. All unixes work nicely, logging in remotely. So, Samba acting as a PDC with OpenLDAP. Now I'd like to interoperate with all windows workstations. I chose the LDAP way, since it's the most flexible and secure way... or at least, it seems to me more flexible than using a single /etc/passwd file on a distributed environment.

LDAP contains a root dc=dept and we already have groups and persons just working, and experimental hosts:

# group example
dn: cn=deptafs,ou=info,dc=dept
objectClass: top
objectClass: posixGroup
cn: diaafs
gidNumber: 10000
description: general afs group

# user example
dn: uid=doe,ou=info,dc=dept
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: John
uid: Doe
uidNumber: 10000
gidNumber: 10000
description: info will be here
title: Mr.
sn: Doe
o: MyUniversity
ou: Dept
st: State
l: City
mail: doe@dept.org
gecos: ,,,
givenName: John
displayName: John Doe
homeDirectory: /afs/my.dept.org/users/d/doe
loginShell: /bin/bash

# host example
dn: cn=host.dept.org,ou=host,dc=dept
objectClass: locality
objectClass: ipHost
objectClass: ieee802Device
objectClass: bootableDevice
ipHostNumber: 123.123.123.11
cn: host.dept.org
macAddress: 00:00:00:00:00:00

My ldap admin is cn=sysadmin and there's just a rootdn entry in slapd.conf; the password is provided by kerberos via GSSAPI/SASL.

I've got many questions, but one important thing is not to mess with the ldap database so much... I don't like to rewrite the db from scratch. Now my concerns :)

The smbldap-tools are of no use probably for us, since all the docs I've read start with smbldap-populate... but I have a db just working. So, I need to add the minimum required entries into ldap and modify the existing names in order to make all users use the remote profiling. My UIDs are LDAP-only. I generate them from AFS, and so they are unmodifiable. Of course, this shouldn't be an issue... I hope.
As far as I've understood, I must add a dn for the domain. I have no idea how to generate a SID, and I have no idea how RidBase works with samba if we do not use smbldap-tools. This is my example:

# TESTING, dia
dn: sambaDomainName=TESTING,dc=dept
sambaDomainName: TESTING
sambaSID: S-1-1-21-3138413446-3899332943-2322914696
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain

All users must be modified using the samba schema. Again. What can I do with SIDs (user and groups)? I mean, can I use *any* sid I want from the UID I have, or must I make some kind of trick?

What about LM password and NT password? I will use, if I understand, the userPassword field, not the other two.

The profile can be put wherever I want, if I understand... so I'd like to store them under /afs/../username/windows, so username-dependent... this is difficult to understand for me: how to specify a UNC path for user profiling, given this unix pattern /afs/my.dept.org/users/d/doe, and putting profiles under windows/ on each home directory.
That's my guess, wrong for sure:

dn: uid=doe,ou=info,dc=dept
uidNumber: 10000
gidNumber: 10000
homeDirectory: /afs/my.dept.org/users/d/doe
loginShell: /bin/bash
gecos: ,,,
description: info will be here
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: John Doe
sambaSID: S-1-5-21-4231626423-2410014848-2360679739-3000
sambaPrimaryGroupSID: S-1-5-21-4231626423-2410014848-2360679739-513
sambaLogonScript: common.bat
sambaProfilePath: \\TESTINGPDC\users\d\doe\windows
sambaHomePath: \\TESTINGPDC\users\d\doe
sambaHomeDrive: Z:
sambaLMPassword: 7584248B8D2C9F9EAAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 186CB09181E2C2ECAAC768C47C729904
sambaPwdLastSet: 1081281346
sambaPwdMustChange: 1085169346
userPassword: {SSHA}jg1v0WaeBkymhWasjeiprxzHxdmTAHd+

[global]
workgroup=TESTING
netbios name=TESTINGPDC
enable privileges=yes
server string=Samba-LDAP
ldap passwd sync=yes
passdb backend=ldapsam:ldap://ldap.dept.org/
ldap admin dn=cn=sysadmin,dc=dept
ldap suffix=dc=dept
ldap group suffix=ou=info,dc=dept
ldap user suffix=ou=info,dc=dept
ldap machine suffix=ou=host,dc=dept
ldap ssl=no
logon script=scripts\logon.bat
domain logons=yes
os level=64
preferred master=yes
domain master=yes

#[profiles]
#path=/var/local/samba/profiles
#read only=no
#create mask=0600
#directory mask=0700
#browseable=no
#guest ok=yes
#profile acls=yes
#csc policy=disable
#force user=%U

[netlogon]
path=/var/local/samba/netlogon
browseable=no
read only=yes

--
Sensei <senseiwa@tin.it>

The difference between stupidity and genius is that genius has its limits. (A. Einstein)
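The post's two practical questions, how a SID follows from an existing UID and how to turn an AFS home directory into a UNC profile path, can be answered with a small generator that extends the entries already in the directory instead of repopulating it. The following is an added example, not code from the poster or from the Samba project. It assumes Samba's algorithmic uid/gid-to-RID mapping (RID = 2*uid + "algorithmic rid base" for users, 2*gid + base + 1 for groups), reuses the domain SID that appears in the poster's example user entry as a constructed sample domain SID, and assumes a [users] share on the PDC exporting /afs/my.dept.org/users; the share name and mapping are assumptions. It emits LDIF "changetype: modify" records that only add attributes, so existing uidNumber, gidNumber and homeDirectory values are left untouched.

```python
"""Add Samba attributes to existing posixAccount / posixGroup LDAP entries by
emitting LDIF 'changetype: modify' records (no smbldap-populate needed)."""

# Constructed sample values: the domain SID is the one in the post's example
# user entry; the share map and share name 'users' are assumptions.
DOMAIN_SID = "S-1-5-21-4231626423-2410014848-2360679739"
ALGORITHMIC_RID_BASE = 1000   # Samba's default 'algorithmic rid base'
RID_MULTIPLIER = 2            # fixed multiplier in Samba's algorithmic uid/gid -> RID mapping
PDC_NETBIOS = "TESTINGPDC"
SHARE_MAP = {"/afs/my.dept.org/users": "users"}   # assumed [users] share exporting that path
PROFILE_SUBDIR = "windows"    # profiles live under <home>/windows, as the post wants
SAMBA_DOMAIN_GROUP = 2        # sambaGroupType value meaning 'domain group'


def uid_to_user_rid(uid):
    """RID Samba derives for a uid when no explicit mapping is stored (even RIDs)."""
    return uid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE


def gid_to_group_rid(gid):
    """RID Samba derives for a gid (odd RIDs), so users and groups never collide."""
    return gid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE + 1


def unix_to_unc(path, subdir=""):
    """Map a Unix path below an exported share onto \\\\server\\share\\... form."""
    for prefix, share in SHARE_MAP.items():
        if path == prefix or path.startswith(prefix + "/"):
            parts = [p for p in path[len(prefix):].split("/") if p]
            if subdir:
                parts.append(subdir)
            return "\\\\" + "\\".join([PDC_NETBIOS, share] + parts)
    raise ValueError("no share exports %s" % path)


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]} per entry. Folded
    continuation lines are joined; base64 (::) values are out of scope."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line continues the previous one
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip() or line.startswith("#"):
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def modify_record(dn, attrs):
    """Render one 'changetype: modify' record with one 'add:' per attribute."""
    out = ["dn: %s" % dn, "changetype: modify"]
    for attr, value in attrs:
        out += ["add: %s" % attr, "%s: %s" % (attr, value), "-"]
    return "\n".join(out) + "\n"


def samba_user_modify(entry):
    """LDIF adding sambaSamAccount to a posixAccount; no password hashes are
    written here, 'ldap passwd sync' fills them on the first password change."""
    if "posixAccount" not in entry.get("objectClass", []):
        raise ValueError("%s is not a posixAccount" % entry["dn"][0])
    uid, gid = int(entry["uidNumber"][0]), int(entry["gidNumber"][0])
    home = entry["homeDirectory"][0]
    return modify_record(entry["dn"][0], [
        ("objectClass", "sambaSamAccount"),
        ("sambaSID", "%s-%d" % (DOMAIN_SID, uid_to_user_rid(uid))),
        ("sambaPrimaryGroupSID", "%s-%d" % (DOMAIN_SID, gid_to_group_rid(gid))),
        ("sambaHomePath", unix_to_unc(home)),
        ("sambaHomeDrive", "Z:"),
        ("sambaProfilePath", unix_to_unc(home, PROFILE_SUBDIR)),
        ("sambaAcctFlags", "[U          ]"),
    ])


def samba_group_modify(entry):
    """LDIF adding sambaGroupMapping to a posixGroup with the matching group SID."""
    if "posixGroup" not in entry.get("objectClass", []):
        raise ValueError("%s is not a posixGroup" % entry["dn"][0])
    gid = int(entry["gidNumber"][0])
    return modify_record(entry["dn"][0], [
        ("objectClass", "sambaGroupMapping"),
        ("sambaSID", "%s-%d" % (DOMAIN_SID, gid_to_group_rid(gid))),
        ("sambaGroupType", str(SAMBA_DOMAIN_GROUP)),
    ])


# Constructed sample input mirroring the post's user and group entries.
SAMPLE_LDIF = """\
dn: uid=doe,ou=info,dc=dept
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
uid: doe
uidNumber: 10000
gidNumber: 10000
homeDirectory: /afs/my.dept.org/users/d/doe

dn: cn=deptafs,ou=info,dc=dept
objectClass: top
objectClass: posixGroup
cn: deptafs
gidNumber: 10000
"""

if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        if "posixAccount" in e["objectClass"]:
            print(samba_user_modify(e))
        elif "posixGroup" in e["objectClass"]:
            print(samba_group_modify(e))
```

Run it, review the printed records, then feed them to ldapmodify bound as the ldap admin dn. Two points worth keeping in mind when adopting it: the primary group SID must name a group that really carries a sambaGroupMapping (here the user's own gid group, not the well-known 513 from the post's guess), and sambaNTPassword is password-equivalent, so the slapd ACLs should allow read access to sambaNTPassword and sambaLMPassword for the ldap admin dn only, exactly as userPassword is protected.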