[KLUG Advocacy] samba and ldap and heimdal

Dirk H Bartley bartleyd2 at chartermi.net
Mon Apr 4 09:51:04 EDT 2005


On Mon, 2005-04-04 at 09:20 -0400, Adam Tauno Williams wrote:

> It pukes when you try to change a password?  There is a patch/hack
> posted to the heimdal list last week.

I've had no issues with it after getting ldap to start with it.  Do you
have to change passwords from a certain app to have the puking occur?  I
can change passwords with user manager or the passwd cli.

> > Ldap Account Manager or lam
> > http://lam.sourceforge.net/
> > 1.  More like what I was looking for.  But it still does not seem to be
> > quite the tool.  It does not seem to differentiate between the nt global
> > and local groups like M$ user manager for domains connected to samba
> > using the smbldap-tools do.  Meaning defining a group as a list of uid's
> > for one kind of group and a list of sid's for another.
> 
> I've only played with LAM as its focus is too narrow for our purposes.
> But I don't have any groups that are a 'list of sids'?

All local groups modified through user manager for domains are using the
sambaSIDList attribute and ignoring the member attribute.  I'm assuming
this will make these groups useless for linux machines.  This can be seen
in my "Backup Operators" group object as an example.

> 
> > There is another one that I have not banged my head against long enough
> > to get to work.  This one is from the smbldap-tools people.  Is there an
> > apache mod-auth-ldap rpm for suse?  Couldn't find it.
> > http://www.idealx.org/prj/samba/index.en.html
> 
> Honestly, I think the smbldap-tools suck.

Well of course you do.  They are perl scripts, and you despise perl.


> :) !  And it is all just plain stupid, stupid, and more stupid.  We've
> written a little .NET assembly that looks up the root container's etc...
> in .... WHERE??? .... LDAP! <TA DA!>  The whole "geee, we should glue
> this together with a crappy perl script" attitude coming to enterprise
> systems is really annoying.  I mean, if *I* could come up with a better
> solution..... geeesh.
> 
> For example, "add machine script
> = /usr/bin/mono /usr/local/bin/cifsaddmachine.exe %u *********"  where
> "********" is the password used to bind to the DSA and the %u is the
> name of the machine account to add.    cifsaddmachine.exe is a
> little .NET app that is linked to our dseautomater.dll that looks up
> config attribute value pairs in LDAP and thus the application can
> 'learn' where to put the appropriate objects.  I'd Open Source this but
> I REALLY REALLY don't currently have the time to deal with the
> inevitable flood of terminally stupid questions.

Sounds interesting!!  Ldap could be the configuration for LDAP.

> > Hey Adam,  You still interested in cooperating on a c# multiplatform
> > gui?
> 
> Yes, and I've got bits of one called "Wolvesbane" lying about,  but I
> won't have any free time to hack on it till April is over,  too much
> mayhem in these parts.

I'll see if I can devote some time to get a hello world program in c#
and then go from there.  Hello world is sometimes harder than "War and
Peace" in a new language.

Dirk
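Two things in the message above can be checked or reproduced in a few lines, so here is an added example (not code from this thread, from smbldap-tools or from the .NET tooling Adam describes). It parses group entries the way they are stored by smbldap-tools and User Manager for Domains, reports which groups carry only a sambaSIDList and therefore have no memberUid that nss_ldap can resolve on a Linux box, and emits the LDIF an "add machine script" helper would create for the %u Samba passes in. The domain SID, DNs, names and gidNumbers in the sample are constructed; the RID formula (uid * 2 + 1000) and the attribute set follow the smbldap-tools conventions. Emitting LDIF for ldapadd rather than binding with a password on the command line also keeps the DSA credential out of smb.conf and out of the helper's argv, which ps can read.

```python
"""Audit Samba group objects in LDIF and build machine-account LDIF."""
import re

# Constructed sample LDIF in the shape smbldap-tools / User Manager for
# Domains write. The domain SID, DNs and gidNumbers are made up.
SAMPLE_LDIF = """\
dn: cn=Domain Users,ou=Groups,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
memberUid: dirk
memberUid: adam
sambaSID: S-1-5-21-1111-2222-3333-513
sambaGroupType: 2

dn: cn=Backup Operators,ou=Groups,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Backup Operators
gidNumber: 1002
sambaSID: S-1-5-32-551
sambaGroupType: 5
sambaSIDList: S-1-5-21-1111-2222-3333-1000
sambaSIDList: S-1-5-21-1111-2222-3333-1002
"""

# sambaGroupType values: 2 = domain (global), 4 = local (alias), 5 = builtin
GROUP_TYPES = {2: "domain (global)", 4: "local (alias)", 5: "builtin"}
DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed
RID_BASE = 1000                           # smbldap-tools algorithmic RID base


def parse_ldif(text):
    """Minimal LDIF parser returning a list of {attr: [values]} dicts.
    Covers what smbldap-tools emit: one attribute per line, entries
    separated by blank lines, folded lines starting with one space."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # join a folded continuation line
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:             # sentinel flushes the last entry
        if line == "":
            if cur:
                entries.append(cur)
                cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip(), []).append(value.lstrip(": "))
    return entries


def audit_groups(entries):
    """Report, per sambaGroupMapping entry, the group type and whether a
    Linux client could ever see a member in it. NSS resolves memberUid;
    sambaSIDList is read only by Samba, so a group that has just a
    sambaSIDList is empty as far as getgrnam() is concerned."""
    report = {}
    for e in entries:
        if "sambaGroupMapping" not in e.get("objectClass", []):
            continue
        gtype = int(e.get("sambaGroupType", ["0"])[0])
        posix_members = e.get("memberUid", [])
        sid_members = e.get("sambaSIDList", [])
        report[e["cn"][0]] = {
            "type": GROUP_TYPES.get(gtype, "unknown(%d)" % gtype),
            "posix_members": len(posix_members),
            "sid_members": len(sid_members),
            "usable_on_linux": len(posix_members) > 0,
        }
    return report


def machine_account_ldif(machine, uid_number,
                         base_dn="ou=Computers,dc=example,dc=org"):
    """LDIF for a machine trust account as an 'add machine script' helper
    would create it; Samba sets the trust password once the entry exists.
    `machine` is the %u Samba passes and must be a NetBIOS name plus '$'."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,15}\$", machine):
        raise ValueError("machine name must end in '$': %r" % machine)
    rid = uid_number * 2 + RID_BASE
    return "\n".join([
        "dn: uid=%s,%s" % (machine, base_dn),
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: sambaSamAccount",
        "uid: %s" % machine,
        "cn: %s" % machine,
        "uidNumber: %d" % uid_number,
        "gidNumber: 515",                 # Domain Computers
        "homeDirectory: /dev/null",
        "loginShell: /bin/false",
        "description: Computer",
        "sambaSID: %s-%d" % (DOMAIN_SID, rid),
        "sambaPrimaryGroupSID: %s-515" % DOMAIN_SID,
        "sambaAcctFlags: [W          ]",  # W = workstation trust account
        "",
    ])


if __name__ == "__main__":
    for name, info in audit_groups(parse_ldif(SAMPLE_LDIF)).items():
        print("%-18s %-16s memberUid=%d sambaSIDList=%d linux=%s" % (
            name, info["type"], info["posix_members"],
            info["sid_members"], info["usable_on_linux"]))
    print(machine_account_ldif("PC01$", 1005))
```

Piping the machine-account output into ldapadd with a bind DN read from a root-only file (for example `ldapadd -x -D cn=admin,... -y /etc/samba/dsa.pw`) is the way to wire this into smb.conf without a password in the script line.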


