[KLUG Members] Help for upgrade to Samba 3.0.1 (LDAPSAM) fm 2.2.8a anybody?

[Adam Williams]

> K, now I can understand why groupmaps might be needed.  For example
> you might need them if your LDAP system was not also being used for
> Linux authentication.
> So here is the question:  Would it be more advisable to migrate
> required Linux system accounts and groups to the LDAP server or to map
> to them?  

Oh!  Use LDAP or don't.  Having things locatable by both libnss_files
and libnss_ldap is BAD BAD BAD news.  That way lies bloody carnival
death.  I have "root" in both, and everything else is carefully one or
the other.

> Hmmm... you know I don't think I've ever seen a case where a
> group belonged to a group and having two groups used for the same

Something like an NIS triple?  I can be done.  I don't.  You get
potential group-loops (grd contains sales which contains grd....) and it
is just way to confusing.

> thing is redundant. Consequently, I think that it would be best to
> map than to have two groups in the LDAP db.  Does this seem correct?

We call it "migrate" :)

> Hmm... On second thought, my experimentation here seems to indicate
> that groupmaps cannot be established with the net3 command unless both
> the posix group and the Samba group exist in the LDAP database.

Yes.  Your SAM groups and posix Groups must exist in the same backend;
actually not quite true, but unless you want to take a 400 level NSS
theology course, just accept it as a truism.

> This would make having those system accounts such as nobody and
> nogroup in the LDAP database mandatory.  mmm... 

Yes.

> I suppose I could just
> wack the data in with gq, it would take and work but I couldn't manage
> it from remote or anything.

There is a directory call Migration installed with most openldap-server
packages.  It contains scripts that will turn your /etc/passwd,
/etc/group, etc... into LDIF files for loading and use with the NSS LDAP
module.  Note:  these scripts work about as well as the idealx ones
(i.e. not so much) - but they are better than nothing.  You'll almost
certainly need to tweak them.  Since every site has uniquenesses there
is (and really can be) no "canned" solution.