I am looking for some good tools to manage Samba users in LDAP. It looks like there are several good tools mentioned on the Samba Wiki, but I am concerned mostly with the proper addition of new users to LDAP, in particular, generating unique SIDs. smbldap-useradd, for example, generates the SIDs for primary user and group based off of a simple formula based on the UID and GID, whereas Samba itself uses a very simple mechanism of storing the next free RID in an LDAP attribute. Since I still plan to use the Add Computer to Domain wizard in Windows for adding computers, I am concerned that an overlap could occur between these two approaches. AFAIK, there are no SQL-like features in LDAP like transactions, unique indices, or sequences that would allow multiple mechanisms to generate a unique SID.

I wouldn't mind a tool like pdbedit which goes through Samba to update the backend db, but I want it to be scriptable and not ask for a password so I can integrate password updates with other systems such as LDAP (using userPassword) and Kerberos.

--
Loren M. Lang
lorenl@alzatex.com
http://www.alzatex.com/

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A 3FA4 DCEE BB39 7654 DE5B

Hi Loren,

I don't understand what you meant by transaction, SQL, and so on, but I've been using Samba and OpenLDAP to provide a single login mechanism for qmail-ldap, domain controller, squid, etc., for 2 years now and they're still running very well. I can join Windows machines to the domain controller or change a user's password using the Windows wizard.

If I wanted to modify the back-end database, e.g. to modify a bunch of users' attribute(s) like mailQuotaSize, I simply created a script that creates an LDIF file, and then used that LDIF file with OpenLDAP commands like ldapmodify, etc. If you don't want to type any password manually, you can append the option 'w' (for ldapmodify command), and put in your password then.

To create Windows users, we can use smbldap-tools.

So, that's all. I hope it can help.

Regards,

On 10/3/08, Loren M. Lang <lorenl@alzatex.com> wrote:
> I am looking for some good tools to manage Samba users in LDAP. It
> looks like there are several good tools mentioned on the Samba Wiki, but
> I am concerned mostly with the proper addition of new users to LDAP, in
> particular, generating unique SIDs. smbldap-useradd, for example,
> generates the SIDs for primary user and group based off of a simple
> formula based on the UID and GID, whereas Samba itself uses a very
> simple mechanism of storing the next free RID in an LDAP attribute.
> Since I still plan to use the Add Computer to Domain wizard in Windows
> for adding computers, I am concerned that an overlap could occur between
> these two approaches. AFAIK, there are no SQL-like features in LDAP like
> transactions, unique indices, or sequences that would allow multiple
> mechanisms to generate a unique SID. I wouldn't mind a tool like
> pdbedit which goes through Samba to update the backend db, but I want it
> to be scriptable and not ask for a password so I can integrate password
> updates with other systems such as LDAP (using userPassword) and
> Kerberos.

On Thu, Oct 2, 2008 at 1:29 PM, Loren M. Lang <lorenl@alzatex.com> wrote:
> I am looking for some good tools to manage Samba users in LDAP. It
> looks like there are several good tools mentioned on the Samba Wiki, but
> I am concerned mostly with the proper addition of new users to LDAP, in
> particular, generating unique SIDs. smbldap-useradd, for example,
> generates the SIDs for primary user and group based off of a simple
> formula based on the UID and GID, whereas Samba itself uses a very
> simple mechanism of storing the next free RID in an LDAP attribute.
> Since I still plan to use the Add Computer to Domain wizard in Windows
> for adding computers, I am concerned that an overlap could occur between
> these two approaches.

I use both smbldap-tools and LAM to add users and machines and there is no overlap although they do pick different ranges to assign SIDs.

John
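
An added example, not part of any message in this thread: a read-only audit that checks an LDIF export of the directory for the overlap discussed above, reporting any sambaSID held by more than one entry and any account whose RID lies above the domain's sambaNextRid counter. The domain SID, DNs and counter value are constructed sample data. The parser assumes unfolded, non-base64 LDIF, and treating a RID above the counter as a future collision risk assumes the counter only ever increments.

```python
from collections import defaultdict

# Constructed sample data: made-up domain SID and entries, shaped like an ldapsearch export.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_LDIF = f"""\
dn: sambaDomainName=EXAMPLE,dc=example,dc=com
sambaDomainName: EXAMPLE
sambaSID: {DOM}
sambaNextRid: 3003

dn: uid=alice,ou=People,dc=example,dc=com
sambaSID: {DOM}-3002

dn: uid=pc01$,ou=Computers,dc=example,dc=com
sambaSID: {DOM}-3002

dn: uid=bob,ou=People,dc=example,dc=com
sambaSID: {DOM}-3010
"""

def parse_entries(ldif):
    """Split unfolded LDIF into {attribute: [values]} dicts, one per entry."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                attr, value = line.split(": ", 1)
                entry[attr.lower()].append(value.strip())
        entries.append(entry)
    return entries

def audit_sids(ldif):
    """Return (duplicates, ahead): SIDs held by more than one DN, and the DNs
    whose RID is above the sambaNextRid counter (assumed to only increment)."""
    owners, counter = defaultdict(list), None
    for e in parse_entries(ldif):
        if "sambadomainname" in e:      # domain entry: holds the counter, has no RID
            if "sambanextrid" in e:
                counter = int(e["sambanextrid"][0])
            continue
        for sid in e.get("sambasid", []):
            owners[sid].append(e["dn"][0])
    duplicates = {sid: dns for sid, dns in owners.items() if len(dns) > 1}
    ahead = sorted(dn for sid, dns in owners.items() for dn in dns
                   if counter is not None and int(sid.rsplit("-", 1)[1]) > counter)
    return duplicates, ahead

if __name__ == "__main__":
    dups, ahead = audit_sids(SAMPLE_LDIF)
    print("duplicate SIDs:", dups)
    print("RIDs above sambaNextRid:", ahead)
```
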