[KLUG Advocacy] samba and ldap and heimdal

Adam Tauno Williams adam at morrison-ind.com
Mon Apr 4 09:20:53 EDT 2005


> I used my own presentation material on heimdal and ldap and then working
> on samba configs to get a system working as a test pdc.  The big fun I
> had was getting the smbk5pwd overlay compiled and loading into ldap, but
> it is in and working.

It pukes when you try to change a password?  There is a patch/hack
posted to the heimdal list last week.

> What I find to be lacking is good administration tools.  I've tried a
> couple.
> Microsoft User Manager for domains.
> 1.  Yes, this is working.  The smbldap-tools work, but required some
> modifications to work correctly.  It's kind of interesting using user
> manager for domains to add a user and then logging into a linux console
> with that password.  The bad side is that when you add a user you have
> to add the user with no info, accept an error, refresh and then edit the
> added user.

Yep, I've found this to be basically useless.  It doesn't let you edit
much of the information.

> Ldap Account Manager or lam
> http://lam.sourceforge.net/
> 1.  More like what I was looking for.  But it still does not seem to be
> quite the tool.  It does not seem to differentiate between the nt global
> and local groups like M$ user manager for domains connected to samba
> using the smbldap-tools do.  Meaning defining a group as a list of uid's
> for one kind of group and a list of sid's for another.

I've only played with LAM as its focus is too narrow for our purposes.
But I don't have any groups that are a 'list of sids'?

> There is another one that I have not banged my head against long enough
> to get to work.  This one is from the smbldap-tools people.  Is there an
> apache mod-auth-ldap rpm for suse?  Couldn't find it.
> http://www.idealx.org/prj/samba/index.en.html

Honestly, I think the smbldap-tools suck.

> Nobody seems to be consistent with anyone else on how to store the info
> in ldap either.  I hacked smbldap-tools to add and delete the member and
> memberUid attributes at the same time.  After all, ldap balks at having
> a group with the group of names objectclass without a member.  Yet
> nothing but nss looks at member.

Yep.  groupOfNames requires a member, an empty group cannot exist.
Dumb, yes.  It is a crazy hold-over from X.500.  I've not used
smbldap-tools much but you should hack it to always leave some dn in
member, such as the administrative dn.

> My major complaint is that at this point in the evolution of samba with
> ldap there should be a major player in administration that just does not
> seem to exist.  A real pity.  There should also be a major player in the
> separate tools working together.

Yep.

> I could not find Adam's ldap clients presentation to look at the effort
> that the swat people are working on???

I think that was LAM.  I'll try to get the presentations uploaded today
(Sigh, not only is everyone on vacation but they decided it was a good
time to remodel the offices too;  they are currently at the sledge
hammer phase.)

> Also setup is a pain.  You have to have the same information about base
> dn's for people and groups in samba and once again in the configs for
> smbldap-tools.  It's like there needs to be a complicated overbearing
> perl script or make file from hell to generate the ldap portion of an
> smb.conf slapd.conf and related includes and the smb-ldap.config file. 
> Major pain in the tuccus.

:) !  And it is all just plain stupid, stupid, and more stupid.  We've
written a little .NET assembly that looks up the root container's etc...
in .... WHERE??? .... LDAP! <TA DA!>  The whole "geee, we should glue
this together with a crappy perl script" attitude come to enterprise
systems is really annoying.  I mean, if *I* could come up with a better
solution..... geeesh.

For example, "add machine script
= /usr/bin/mono /usr/local/bin/cifsaddmachine.exe %u *********"  where
"********" is the password used to bind to the DSA and the %u is the
name of the machine account to add.    cifsaddmachine.exe is a
little .NET app that is linked to our dseautomater.dll that looks up
config attribute value pairs in LDAP and thus the application can
'learn' where to put the appropriate objects.  I'd Open Source this but
I REALLY REALLY don't currently have the time to deal with the
inevitable flood of terminally stupid questions.

It isn't perfect because (a) I suck as a programmer (b) it can't do SRV
lookups to locate the server and (c) it can't read the password from the
Samba TDB files (which would be ideal).  Know of b & c and this would be
really cool.

> samba and ldap and kerberos will never gain the market share that it can
> until installation and administration become more wizardish.  Dare I say
> like a m$ install.  Did I just say that??

You did, and you're correct.

> Hey Adam,  You still interested in cooperating on a c# multiplatform
> gui?

Yes, and I've got bits of one called "Wolvesbane" lying about,  but I
won't have any free time to hack on it till April is over,  too much
mayhem in these parts.
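The two LDAP points raised above, that a groupOfNames entry cannot exist without a member and that nothing keeps member and memberUid in step, can be checked mechanically before an entry is written to the directory. The script below is an added example written for this page; it is not code from the thread, from smbldap-tools or from the "dseautomater" assembly mentioned above. It parses a plain LDIF dump, flags groups that violate either rule, and produces a corrected copy of each entry. The sample LDIF, the administrative DN used as the placeholder member, and the ou=People base are all constructed assumptions.

```python
"""Audit posixGroup/groupOfNames entries in an LDIF dump.

Checks two things discussed on the list:
  1. a groupOfNames must carry at least one member (X.500 hold-over), so an
     otherwise empty group keeps an administrative DN in member;
  2. memberUid (used by nss) and member (used by groupOfNames consumers)
     should describe the same set of users.
"""
import re

# Constructed sample LDIF (not a real directory): one clean group, one with
# no member at all, and one whose memberUid and member lists disagree.
SAMPLE_LDIF = """\
dn: cn=domadm,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames
cn: domadm
gidNumber: 512
memberUid: alice
member: uid=alice,ou=People,dc=example,dc=com

dn: cn=empty,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames
cn: empty
gidNumber: 1001

dn: cn=devs,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames
cn: devs
gidNumber: 1002
memberUid: bob
memberUid: carol
member: uid=bob,ou=People,dc=example,dc=com
"""

# Assumed placeholder DN that always stays in member so the schema is
# satisfied even when a group has no real users.
ADMIN_DN = "cn=Manager,dc=example,dc=com"
# Assumed container holding the user entries referenced by memberUid.
PEOPLE_BASE = "ou=People,dc=example,dc=com"


def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64 '::' values) into a
    list of (dn, {attribute: [values]}) tuples."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def uid_from_dn(dn):
    """Return the uid RDN value of a DN such as uid=bob,ou=People,...,
    or None when the first RDN is not a uid (e.g. the admin DN)."""
    key, _, value = dn.split(",", 1)[0].partition("=")
    return value if key.strip().lower() == "uid" else None


def check_group(attrs, classes):
    """Return (problems, fixed_attrs) for one group entry.

    A groupOfNames with no member gets ADMIN_DN; when the entry is also a
    posixGroup, member and memberUid are reconciled in both directions."""
    problems = []
    fixed = {k: list(v) for k, v in attrs.items()}
    if "groupofnames" in classes and not fixed.get("member"):
        problems.append("groupOfNames entry has no member attribute")
        fixed["member"] = [ADMIN_DN]
    if "groupofnames" in classes and "posixgroup" in classes:
        uids = set(fixed.get("memberUid", []))
        dn_uids = {u for u in map(uid_from_dn, fixed["member"]) if u}
        for u in sorted(uids - dn_uids):
            problems.append(f"memberUid {u} has no matching member DN")
            fixed["member"].append(f"uid={u},{PEOPLE_BASE}")
        for u in sorted(dn_uids - uids):
            problems.append(f"member uid={u} has no matching memberUid")
            fixed.setdefault("memberUid", []).append(u)
    return problems, fixed


def audit_groups(text):
    """Return {dn: (problems, fixed_attrs)} for every group entry in text."""
    report = {}
    for dn, attrs in parse_ldif(text):
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        if classes & {"posixgroup", "groupofnames"}:
            report[dn] = check_group(attrs, classes)
    return report


def to_ldif(dn, attrs):
    """Serialise one entry back to LDIF text."""
    lines = [f"dn: {dn}"]
    for key, values in attrs.items():
        lines.extend(f"{key}: {v}" for v in values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for dn, (problems, fixed) in audit_groups(SAMPLE_LDIF).items():
        for p in problems:
            print(f"{dn}: {p}")
        if problems:
            print(to_ldif(dn, fixed))
```

Run against a real dump with `ldapsearch -LLL ... > groups.ldif` and feed the file contents to `audit_groups`; the corrected entries it emits can be compared against the live ones before any `ldapmodify`. The reconciliation assumes every memberUid corresponds to a uid=... entry directly under PEOPLE_BASE, which is the layout smbldap-tools and nss_ldap expect but is worth confirming for a directory with a different people tree.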