[KLUG Members] Help for upgrade to Samba 3.0.1 (LDAPSAM) fm 2.2.8a anybody?

Adam Williams members@kalamazoolinux.org
Wed, 21 Jan 2004 07:29:42 -0500


> | Don't create an administrator account.  Create an administrative group
> Right but someone has to belong to that group so that at least one user
> has admin privileges.

You have ********CIFS****** Administrator privileges by virtue of
belonging to the Administrators group (the group with a SID with a RID
of -512).

No one in the group needs to be root, the group needs no root member. 
There is no fundamental correspondence between UN*X root and CIFS
Administrator.

> I was going to use Administrator for this.  Why not? 

Because there simply is no point in doing so, it simply confuses the
issue (IMHO).

> Note below that "Administrator" has a uid/rid of something other
> than 500/1000.

The uidNumber doesn't matter.  If the RID is other than "-500" then it
simply is NOT a "Domain Administrator" account, no matter what you
*name* it.  SID || "-500" is the Domain Administrator, like uidNumber 0
is the UN*X root account; the name is just a traditional thing.

> | mapped to the Administrators built in and set the sambaSID of root to
> Is that "Administrators" literally or are you referring to the required
> group "Admins"? (That is "required" in accordance with the docs last
> sent which I've been reading. ) Note: This db also does Linux auth.

You need to map "Domain Administrators" ****CIFS**** group to a valid
POSIX group.  What group you use is irrelevant.  I already had a POSIX
group I used to give certain users extra oooomph, so I just used that. 
The gidNumber of that group doesn't matter.  You just have to make that
a POSIX group a Samba domain group with the correct sambaSID (SID ||
"-512")

> I would also like some clarification of this "root" account.  The dn
> used to access the LDAP database administratively is
> cn=root,dc=j9starr,dc=net.  However there is no actual posix or samba
> user named "cn=root,ou=People,dc=j9starr,dc=net".  From what it seems
> like you are telling me, I must first add one.

No, the manager dn specified in slapd.conf corresponds to no user.  The
LDAP Dit exists below the level of any concept of "user" so a magickal
one-dn-to-rule-them-all is created to allow you to unjam yourself when
you jack up your access control rules so bad you can't manage the DSA as
your regular user DN.

Samba should have a simpleSecurityObject which it uses to bind to the
DSA - an account object with a password known only to Samba (via
smbpasswd -w).  Samba should not use the manager dn - nothing should use
the manager dn - because then you're storing your manager dn password
somewhere (very very bad).

Something like -
dn: uid=CIFSDC,ou=System Accounts,o=Morrison Industries, c=US
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: CIFSDC
l: Grand Rapids
o: Morrison Industries
ou: Grand Rapids
userPassword: {MD5}8dOuXMl7lZY0SPX9zGukFw==

This gives Samba a bind credential, but no actual user account.

If Samba uses the manager dn -
1.) It knows your manager dn password - Do you trust Samba that much?
2.) A bug in Samba can smack your entire Dit.  Bringing your network to
an immediate and catastrophic halt.  And not just CIFS, but (for us
anyway) that would include e-mail, dns, dhcp, printing, intranet, VPN,
extranet, and customer purchasing.  Yikes!
3.) You can't use the meta-data attributes (last modifier, etc..) to see
what objects Samba has modified, versus what objects have been modified
by other applications - VERY handy in tracking down where a change came
from.  Otherwise it is "just changed".

> | the builtin RID of the domain administrator.
> Current structure:
> dn: sambaDomainName=J9STARR,dc=j9starr,dc=net
> sambaDomainName: J9STARR
> sambaSID: S-1-5-21-1825057718-3407101348-4194330872
> sambaAlgorithmicRidBase: 1000
> objectClass: sambaDomain

Looks normal.

> In "ou=People,dc=j9star,dc=net" I have:
> Administrator
> gidNumber: 512
> uidNumber: 998
> sambaPrimaryGroupSID: S-1-5-21-1825057718-3407101348-4194330872-512
> sambaSID: S-1-5-21-1825057718-3407101348-4194330872-2996
> etc...

Ok, I still don't buy the argument for a Domain Administrator account,
but I don't see why it shouldn't work.  Except isn't the Administrator
account supposed to have a RID of 500?  So SambaSID should be
S-1-5-21-1825057718-3407101348-4194330872-500.

> nobody
> gidNumber: 514
> uidNumber: 999
> sambaPrimaryGroupSID: S-1-5-21-1825057718-3407101348-4194330872-514
> sambaSID: S-1-5-21-1825057718-3407101348-4194330872-2998

Ok.  If you want this to be equivalent to "Domain Guest" you need a RID
of 501.  So SambaSID should be
S-1-5-21-1825057718-3407101348-4194330872-501

> Then I have these groups:
> dn: cn=Domain Admins,ou=Group,dc=j9starr,dc=net
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 512
> cn: Domain Admins
> memberUid: Administrator
> description: Netbios Domain Administrators
> sambaSID: S-1-5-21-1825057718-3407101348-4194330872-512
> sambaGroupType: 2
> displayName: Domain Admins

Right, this looks OK.

> dn: cn=Domain Users,ou=Group,dc=j9starr,dc=net
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 513
> cn: Domain Users
> description: Netbios Domain Users
> sambaSID: S-1-5-21-1825057718-3407101348-4194330872-513
> sambaGroupType: 2
> displayName: Domain Users

Yep.

And we are checking that these gidNumbers don't overlap with anything in
/etc/group?

> dn: cn=Domain Guests,ou=Group,dc=j9starr,dc=net
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 514
> cn: Domain Guests
> description: Netbios Domain Guests Users
> sambaSID: S-1-5-21-1825057718-3407101348-4194330872-514
> sambaGroupType: 2
> displayName: Domain Guests

Right.

> dn: cn=Domain Computers,ou=Group,dc=j9starr,dc=net
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 553
> cn: Domain Computers
> description: Netbios Domain Computers accounts
> sambaSID: S-1-5-21-1825057718-3407101348-4194330872-553
> sambaGroupType: 2
> displayName: Domain Computers

Domain Computers has a mandatory RID of 515.

Just to be clear - there doesn't need to be any correspondence between
RID and gidNumber, or RID and uidNumber.
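The checks the reply walks through by hand (every sambaSID sits under the domain SID, the well-known accounts and groups carry their mandatory RIDs, and LDAP gidNumbers don't collide with /etc/group) can be scripted. This is an added example, not code from the thread or from Samba; the LDIF and /etc/group samples are constructed from the entries quoted above, and the "nobody" -> 501 rule applies only if that account is meant to be Domain Guest.

```python
DOMAIN_SID = "S-1-5-21-1825057718-3407101348-4194330872"   # from the thread

# Well-known RIDs the reply insists on; 'nobody' only if it is meant to be Domain Guest.
EXPECTED_RID = {"Administrator": 500, "nobody": 501, "Domain Admins": 512,
                "Domain Users": 513, "Domain Guests": 514, "Domain Computers": 515}

def parse_ldif(text):
    """Minimal LDIF parser: 'attr: value' lines, blank line separates entries."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries

def check_sids(entries, domain_sid=DOMAIN_SID):
    """List problems: SIDs outside the domain, or well-known names with the wrong RID."""
    problems = []
    for e in entries:
        if "sambaDomain" in e.get("objectClass", []):
            continue                      # the domain object carries the bare domain SID
        name = (e.get("cn") or e.get("uid") or ["?"])[0]
        for sid in e.get("sambaSID", []):
            prefix, _, rid = sid.rpartition("-")
            if prefix != domain_sid:
                problems.append(f"{name}: {sid} is not under {domain_sid}")
                continue
            want = EXPECTED_RID.get(name)
            if want is not None and int(rid) != want:
                problems.append(f"{name}: RID {rid} should be {want}")
    return problems

def gid_overlaps(entries, etc_group_text):
    """gidNumbers of LDAP posixGroups that collide with a local /etc/group."""
    local = {int(l.split(":")[2]) for l in etc_group_text.splitlines() if l.count(":") >= 3}
    ldap = {int(g) for e in entries if "posixGroup" in e.get("objectClass", [])
            for g in e.get("gidNumber", [])}
    return sorted(ldap & local)

# Constructed sample: Administrator and Domain Computers carry the RIDs the thread flags.
SAMPLE_LDIF = """dn: uid=Administrator,ou=People,dc=j9starr,dc=net
uid: Administrator
sambaSID: S-1-5-21-1825057718-3407101348-4194330872-2996

dn: cn=Domain Admins,ou=Group,dc=j9starr,dc=net
objectClass: posixGroup
cn: Domain Admins
gidNumber: 512
sambaSID: S-1-5-21-1825057718-3407101348-4194330872-512

dn: cn=Domain Computers,ou=Group,dc=j9starr,dc=net
objectClass: posixGroup
cn: Domain Computers
gidNumber: 553
sambaSID: S-1-5-21-1825057718-3407101348-4194330872-553
"""
ETC_GROUP = "root:x:0:\nusers:x:100:\nstaff:x:512:adam\n"   # constructed local groups
```

Running `check_sids(parse_ldif(SAMPLE_LDIF))` reports the 2996 and 553 RIDs, and `gid_overlaps` shows gid 512 already taken locally.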