[KLUG Advocacy] samba and ldap and heimdal

Adam Tauno Williams adam at morrison-ind.com
Mon Apr 4 11:18:21 EDT 2005


> > It pukes when you try to change a password?  There is a patch/hack
> > posted to the heimdal list last week.
> I've had no issues with it after getting ldap to start with it.  Do you
> have to change passwords from a certain app to have the puking occur?  I
> can change passwords with user manager or the passwd cli.

I've never seen the mentioned failure, but lots of other people do.  I
change ALL my passwords via exop or via-exop-via-samba

> > > Ldap Account Manager or lam
> > > http://lam.sourceforge.net/
> > > 1.  More like what I was looking for.  But it still does not seem to be
> > > quite the tool.  It does not seem to differentiate between the nt global
> > > and local groups like M$ user manager for domains connected to samba
> > > using the smbldap-tools do.  Meaning defining a group as a list of uid's
> > > for one kind of group and a list of sid's for another.
> > I've only played with LAM as its focus is too narrow for our purposes.
> > But I don't have any groups that are a 'list of sids'?
> All local groups modified through user manager for domains are using the
> sambaSIDList attribute and ignoring the member.  I'm assuming this will
> make this group useless for linux machines.  This can be seen in my
> "Backup Operators" group object as an example.

Ah.  What do these local groups actually do?  I have them (as in they
exist) but I've never seen them actually used for anything.

> > > There is another one that I have not banged my head against long enough
> > > to get to work.  This one is from the smbldap-tools people.  Is there an
> > > apache mod-auth-ldap rpm for suse?  Couldn't find it.
> > > http://www.idealx.org/prj/samba/index.en.html
> > Honestly, I think the smbldap-tools suck.
> Well of course you do.  They are perl scripts, and you despise perl.

That, and having to hack a script to get your LDAP integration to
work.... seems so very wrong.

> > :) !  And it is all just plain stupid, stupid, and more stupid.  We've
> > written a little .NET assembly that looks up the root container's etc...
> > in .... WHERE??? .... LDAP! <TA DA!>  The whole "geee, we should glue
> > this together with a crappy perl script" attitude come to enterprise
> > systems is really annoying.  I mean, if *I* could come up with a better
> > solution..... geeesh.
> > For example, "add machine script
> > = /usr/bin/mono /usr/local/bin/cifsaddmachine.exe %u *********"  where
> > "********" is the password used to bind to the DSA and the %u is the
> > name of the machine account to add.    cifsaddmachine.exe is a
> > little .NET app that is linked to our dseautomater.dll that looks up
> > config attribute value pairs in LDAP and thus the application can
> > 'learn' where to put the appropriate objects.  I'd Open Source this but
> > I REALLY REALLY don't currently have the time to deal with the
> > inevitable flood of terminally stupid questions.
> Sounds interesting!!  Ldap could be the configuration for LDAP.

Yep.

> > > Hey Adam,  You still interested in cooperating on a c# multiplatform
> > > gui?
> > Yes, and I've got bits of one called "Wolvesbane" lying about,  but I
> > won't have any free time to hack on it till April is over,  too much
> > mayhem in these parts.
> I'll see if I can devote some time to get a hello world program in c#
> and then go from there.  Hello world is sometimes harder than "War and
> Peace" in a new language.

With Glade# simple UI's are easy, complicated UI's are still best banged
together by hand.
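An added example, not code from this thread: a small audit of the group situation discussed above, flagging Samba group objects whose only membership is a sambaSIDList (what User Manager writes for local groups) and which therefore look empty to NSS on the Linux side. The LDIF is constructed and the attribute names are assumed to follow the smbldap samba.schema (memberUid, sambaSIDList, sambaGroupType).

```python
# Added example (not from the thread): flag Samba group objects whose membership
# lives only in sambaSIDList, so NSS/PAM on Linux sees them as having no members.

# Constructed LDIF; attribute names assumed to follow the smbldap samba.schema.
SAMPLE_LDIF = """\
dn: cn=Backup Operators,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Backup Operators
sambaGroupType: 4
sambaSIDList: S-1-5-21-1111-2222-3333-1005

dn: cn=devs,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: devs
memberUid: alice
memberUid: bob
sambaGroupType: 2
"""

def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def audit_groups(entries: list[dict[str, list[str]]]) -> dict[str, str]:
    """Map each Samba-mapped group cn to 'posix', 'sid-only' or 'empty'."""
    report = {}
    for e in entries:
        if "sambaGroupMapping" not in e.get("objectClass", []):
            continue
        if e.get("memberUid"):
            status = "posix"           # usable on Linux via NSS
        elif e.get("sambaSIDList"):
            status = "sid-only"        # Windows-local alias; Linux sees no members
        else:
            status = "empty"
        report[e["cn"][0]] = status
    return report
```

Run it against a real `ldapsearch -LLL` export of the groups subtree to list which groups are Windows-only before handing them to Linux hosts.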