[KLUG Members] Help for upgrade to Samba 3.0.1 (LDAPSAM) fm 2.2.8a anybody?

Adam Williams members@kalamazoolinux.org
Wed, 14 Jan 2004 07:38:38 -0500


> | |My condolences. :) I think my quality of life would be higher if I
> | |didn't so readily understand the above,  or in fact, if I had no idea
> | |what a CIFS Domain was......
> | OK, so I am trying to get my ldap database structure straight.
> I think I've got some kind of success but it still gives "Access
> denied" when trying to add a machine to the domain.
> I've made the following changes:
> # Global parameters
> [global]
> ~    ldap idmap suffix = ou=Idmap
> ~    idmap backend = ldap:ldap://localhost
> ~    idmap uid = 10000-20000
> ~    idmap gid = 10000-20000
> ~    printer admin = @adm, '@Domain Admins'
> I did add the Idmap ou but the system doesn't seem to be using it for
> anything. 

Right, idMap is used by winbind.

> I note that I have a new critter called sambaDomainName now.  

Excellent.

> I also found it strange that in some places in the docs it talks about ou=Idmap
> and yet in smb.conf ldap idmap suffix is set to cn=Idmap. 

Report any documentation inconsistency.  Maintaining a large document on
something complex like Samba is *HARD*.  Really hard,  keeping internal
consistency as things are changed is tedious.  But Mr. Terpstra is very
good about fixing inconsistencies when reported.

> It is, of course, commented out but this still seems
> strange.  Is it an ou or is it a cn?  

Well, it could be either;  whatever you set it to.  Traditionally LDAP
uses the "organizationalUnit" (i.e. ou) objectclass as a container
object since there is no explicit 'container' object, unlike the NDS and
AD implementations.  But unless you have content rules (not supported by
OpenLDAP), SLAPI mechanisms (OpenLDAP 2.2.x) or some clever access rules
- any object may have subordinates, that is, be a container.

> Note that the IDEALX scripts added the following users and groups:
> Users:
> Administrator:x:998:512:Netbios Domain Administrator:/home:/bin/false
> nobody:x:999:514:nobody:/dev/null:/bin/false

I've never used the idealx scripts,  and from all the posts I see about
people trying to use them, I'm developing an unfavorable opinion.

There is no reason whatsoever that I can see for creating the two user
accounts you list above. 

Administrator = root

Your system almost certainly already has a nobody/guest account.  I can
only imagine what having two "nobody" accounts might do.

> Groups:
> Domain Admins:x:512:Administrator
> Domain Users:x:513:
> Domain Guests:x:514:
> Administrators:x:544:Administrator
> Users:x:545:
> Guests:x:546:nobody
> Power Users:x:547:
> Account Operators:x:548:
> Server Operators:x:549:
> Print Operators:x:550:
> Backup Operators:x:551:
> Replicator:x:552:
> Domain Computers:x:553:

And you're sure these gids don't overlap with existing groups?

> Also delving into groupmaps produced some problems:
> [root@enigma samba3]# net3 groupmap list
> Domain Admins (S-1-5-21-1825057718-3407101348-4194330872-512) ->
> Domain Admins
> Domain Users (S-1-5-21-1825057718-3407101348-4194330872-513) -> Domain
> Users
> Domain Guests (S-1-5-21-1825057718-3407101348-4194330872-514) ->
> Domain Guests
> Administrators (S-1-5-21-1825057718-3407101348-4194330872-544) ->
> Administrators
> users (S-1-5-21-1825057718-3407101348-4194330872-545) -> Users
> Guests (S-1-5-21-1825057718-3407101348-4194330872-546) -> Guests
> Power Users (S-1-5-21-1825057718-3407101348-4194330872-547) -> Power Users
> Account Operators (S-1-5-21-1825057718-3407101348-4194330872-548) ->
> Account Operators
> Server Operators (S-1-5-21-1825057718-3407101348-4194330872-549) ->
> Server Operators
> Print Operators (S-1-5-21-1825057718-3407101348-4194330872-550) ->
> Print Operators
> Backup Operators (S-1-5-21-1825057718-3407101348-4194330872-551) ->
> Backup Operators
> Replicator (S-1-5-21-1825057718-3407101348-4194330872-552) -> Replicator
> Domain Computers (S-1-5-21-1825057718-3407101348-4194330872-553) ->
> Domain Computers
> Domain Guests (S-1-5-21-1825057718-3407101348-4194330872-514) -> nobody
> Domain Admins (S-1-5-21-1825057718-3407101348-4194330872-512) -> root
> Domain Users (S-1-5-21-1825057718-3407101348-4194330872-513) -> dusers
> [root@enigma samba3]#
> As can be seen, I've got some dupes here because of my experimenting
> with commands.  

Yep, those will drive you crazy.  You need to nuke those.

> I think these settings are in the secrets.tdb file and not the ldap
> server because I was messing with this before I setup Idmap. 

Group mappings aren't in secrets.tdb.  But if you nuke it Samba will
dutifully recreate it, shouldn't be a problem.

> Is there a way to remove the duplicates?  
> I keep getting:
> [2004/01/13 23:04:50, 0] passdb/pdb_ldap.c:ldapsam_delete_entry(269)
> ~  ldapsam_delete_entry: Entry must exist exactly once!
> Failed to removing group S-1-5-21-1825057718-3407101348-4194330872-512
> from the mapping db!

Mm.  I've never had a duplicate (I live in trembling fear of them).  You
should be able to go into ou=Groups with an LDAP tool and zap the
duplicate group objects.
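The two checks raised in this exchange (group objects sharing one sambaSID, which is what makes ldapsam_delete_entry complain that the entry must exist exactly once, and LDAP gidNumbers colliding with groups already in /etc/group) can be run over an LDIF export of ou=Groups before anything is deleted. This is an added example, not code from the list post or from Samba; the LDIF, the /etc/group lines and the dc=example,dc=com base are constructed, while the SID reuses the one shown in the post.

```python
# Added example: audit an LDIF dump of ou=Groups for duplicate sambaSIDs and for
# gidNumbers that collide with local groups. Sample data below is constructed.
from collections import defaultdict

# Constructed LDIF modelled on the duplicate "Domain Admins" mappings in the post.
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
cn: Domain Admins
gidNumber: 512
sambaSID: S-1-5-21-1825057718-3407101348-4194330872-512

dn: cn=root,ou=Groups,dc=example,dc=com
cn: root
gidNumber: 0
sambaSID: S-1-5-21-1825057718-3407101348-4194330872-512

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-1825057718-3407101348-4194330872-513
"""

# Constructed excerpt of a local /etc/group (gid 0 will collide with cn=root above).
SAMPLE_ETC_GROUP = "root:x:0:\nadm:x:4:\nusers:x:100:\n"

def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry; blank lines separate entries.
    Assumes a simple dump with no folded (continuation) lines or base64 values."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(": ")
        if current is None:
            current = defaultdict(list)
        current[attr].append(value)
    if current:
        entries.append(current)
    return entries

def duplicate_sids(entries):
    """Map each sambaSID that appears on more than one entry to the DNs carrying it."""
    by_sid = defaultdict(list)
    for e in entries:
        for sid in e.get("sambaSID", []):
            by_sid[sid].append(e["dn"][0])
    return {sid: dns for sid, dns in by_sid.items() if len(dns) > 1}

def gid_collisions(entries, etc_group):
    """Map each LDAP group DN whose gidNumber already exists locally to the local group name."""
    local = {int(l.split(":")[2]): l.split(":")[0] for l in etc_group.splitlines() if l}
    return {e["dn"][0]: local[int(e["gidNumber"][0])]
            for e in entries if int(e["gidNumber"][0]) in local}
```

Resolve each duplicate by deleting the DN that does not belong (here cn=root) with your LDAP tool, then re-run `net groupmap list` to confirm a single mapping per SID.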