[KLUG Advocacy] samba and ldap and heimdal

Dirk Hamsun Bartley dbartley at schupan.com
Sun Apr 3 23:14:37 EDT 2005


Samba and ldap and heimdal.

I used my own presentation material on heimdal and ldap and then working
on samba configs to get a system working as a test pdc.  The big fun I
had was getting the smbk5pwd overlay compiled and loading into ldap, but
it is in and working.

What I find to be lacking is good administration tools.  I've tried a
couple.

gosa
1.  requires a slew of schemas for the purpose of administering samba
accounts.
2.  looks like it is designed to have users sign in and administer their
own accounts instead of an admin administering accounts.

Microsoft User Manager for domains.
1.  Yes, this is working.  The smbldap-tools work, but required some
modifications to work correctly.  It's kind of interesting using user
manager for domains to add a user and then logging into a linux console
with that password.  The bad side is that when you add a user you have
to add the user with no info, accept an error, refresh and then edit the
added user.

Ldap Account Manager or lam
http://lam.sourceforge.net/
1.  More like what I was looking for.  But it still does not seem to be
quite the tool.  It does not seem to differentiate between the nt global
and local groups like M$ user manager for domains connected to samba
using the smbldap-tools do.  Meaning defining a group as a list of uid's
for one kind of group and a list of sid's for another.

There is another one that I have not banged my head against long enough
to get to work.  This one is from the smbldap-tools people.  Is there an
apache mod-auth-ldap rpm for suse?  Couldn't find it.
http://www.idealx.org/prj/samba/index.en.html

Nobody seems to be consistent with anyone else on how to store the info
in ldap either.  I hacked smbldap-tools to add and delete the member and
memberUid attributes at the same time.  After all, ldap balks at having
a group with the groupOfNames objectclass without a member.  Yet
nothing but nss looks at member.

My major complaint is that at this point in the evolution of samba with
ldap there should be a major player in administration that just does not
seem to exist.  A real pity.  There should also be a major player in the
separate tools working together.

I could not find Adam's ldap clients presentation to look at the effort
that the swat people are working on???

Also setup is a pain.  You have to have the same information about base
dn's for people and groups in samba and once again in the configs for
smbldap-tools.  It's like there needs to be a complicated overbearing
perl script or make file from hell to generate the ldap portion of
smb.conf, slapd.conf and related includes, and the smb-ldap.config file.
Major pain in the tuccus.

samba and ldap and kerberos will never gain the market share that they can
until installation and administration become more wizardish.  Dare I say,
like an M$ install.  Did I just say that??

Dirk

Hey Adam,  You still interested in cooperating on a c# multiplatform
gui?
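The member/memberUid drift described in the post is worth checking for, because when the groupOfNames `member` list (what nss reads) and the posixGroup `memberUid` list (what Samba keeps via smbldap-tools) disagree, Unix and Samba no longer agree on who belongs to a group. The following is an added example, not code from the post, smbldap-tools or LAM: a minimal LDIF parser plus a consistency check, run over a constructed sample directory. It assumes user entries are posixAccount objects whose RDN is `uid=<name>` and that the uid in that RDN is the same string that appears in `memberUid`; the example OU names and DNs are made up.

```python
"""Consistency check for LDAP groups that carry both groupOfNames `member`
(DNs, read by nss_ldap) and posixGroup `memberUid` (uids, maintained by
Samba through smbldap-tools). Added example, not code from the post,
smbldap-tools or LAM. Assumes user entries are posixAccount objects with a
uid=<name> RDN whose value is the string that appears in memberUid."""
from collections import defaultdict

SAMPLE_LDIF = """\
# constructed sample directory, not real data
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002

dn: cn=domainusers,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 513
memberUid: alice
memberUid: bob
member: uid=alice,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 1100
memberUid: alice
memberUid: carol

dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 1101
member: uid=bob,ou=People,dc=example,dc=com
"""

def normalize_dn(dn):
    """Lower-case and strip spaces around RDN separators for comparison."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def uid_of(dn):
    """Value of a leading uid= RDN, or None if the DN starts differently."""
    name, _, value = normalize_dn(dn).split(",", 1)[0].partition("=")
    return value if name == "uid" else None

def parse_ldif(text):
    """Minimal LDIF parser: {normalized dn: {attr (lower-case): [values]}}.
    Unfolds continuation lines; base64 ("::") values are skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation of the previous line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None  # a blank line terminates the entry
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            continue  # base64-encoded value, not needed for this check
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries[normalize_dn(value)] = current
        elif current is not None:
            current[attr].append(value)
    return entries

def check_groups(entries):
    """{group dn: [problems]} for groups whose member/memberUid disagree,
    that lack the member attribute groupOfNames requires, or that name
    a uid with no posixAccount entry."""
    known = {uid_of(dn) for dn, a in entries.items()
             if "posixaccount" in map(str.lower, a.get("objectclass", []))}
    findings = {}
    for dn, a in entries.items():
        classes = set(map(str.lower, a.get("objectclass", [])))
        if not classes & {"posixgroup", "groupofnames"}:
            continue
        uids = set(a.get("memberuid", []))
        dn_uids = {uid_of(m) for m in a.get("member", [])} - {None}
        problems = []
        if "groupofnames" in classes and not a.get("member"):
            problems.append("groupOfNames entry has no member attribute (schema requires one)")
        problems += [f"memberUid {u} has no matching member DN" for u in sorted(uids - dn_uids)]
        problems += [f"member DN for {u} has no matching memberUid" for u in sorted(dn_uids - uids)]
        problems += [f"{u} is not a posixAccount in the directory" for u in sorted((uids | dn_uids) - known)]
        if problems:
            findings[dn] = problems
    return findings

def report(ldif_text=SAMPLE_LDIF):
    """Run the check over an LDIF dump (the constructed sample by default)."""
    return check_groups(parse_ldif(ldif_text))
```

Feed `report()` the LDIF produced by an `ldapsearch -x` over the people and group bases; in the sample, `domainusers` passes, `staff` is flagged for a missing `member` attribute (slapd would refuse to load it) and for `carol`, who has no account, and `admins` is flagged because bob appears as a member DN but not in memberUid, so Samba would not see him in the group.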
