[KLUG Members] Help for upgrade to Samba 3.0.1 (LDAPSAM) fm 2.2.8a anybody?

Jim C. members@kalamazoolinux.org
Wed, 21 Jan 2004 13:35:17 -0800


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adam Williams wrote:
|>| Don't create an administrator account.  Create an administrative group
...
|>I was going to use Administrator for this.  Why not?

I suppose I could use something else.  I think I'll go with "Domain
Boss" or daboss or something. ;-)

| The uidNumber doesn't matter.  If the RID is other than "-500" then it
...
| If Samba uses the manager dn -
| 1.) It knows your manager dn password - Do you trust Samba that much?
| 2.) A bug in Samba can smack your entire DIT.  Bringing your network to
| an immediate and catastrophic halt.  And not just CIFS, but (for us
| anyway) that would include e-mail, dns, dhcp, printing, intranet, VPN,
| extranet, and customer purchasing.  Yikes!
| 3.) You can't use the meta-data attributes (last modifier, etc..) to see
| what objects Samba has modified, versus what objects have been modified
| by other applications - VERY handy in tracking down where a change came
| from.  Otherwise it is "just changed".

OK, that sounds like a really good idea. I'll have to modify my ACLs
though.  I note that the HOWTO mentions admin "Handles" and creates one
of these in each of the ou's in question, i.e. ou=People, ou=Computers,
etc.  This doesn't make much sense to me though. How would samba know to
change the ou for binding?

| Looks normal.
| Ok, I still don't but the argument for a Domain Administrator account,
| but I don't see why it shouldn't work.  Except isn't the Administrator
| account supposed to have a RID of 500?  So SambaSID should be
| S-1-5-21-1825057718-3407101348-4194330872-500.

Isn't it a good idea at least for debug, though?  That way I have one
user I KNOW is an administrator. I can always delete it and probably
will since you've sold me on that one. ;-)  I'll adjust the SID and then
delete the account when I am all set up.

|>nobody
|>gidNumber: 514
|>uidNumber: 999
|>sambaPrimaryGroupSID: S-1-5-21-1825057718-3407101348-4194330872-514
|>sambaSID: S-1-5-21-1825057718-3407101348-4194330872-2998
|
|
| Ok.  If you want this to be equivalent to "Domain Guest" you need a RID
| of 501.  So SambaSID should be
| S-1-5-21-1825057718-3407101348-4194330872-501

Uh... "nobody" above, is a user... Oh!  There is a bit of insight.
There is both "Domain Guests" (group) and "Domain Guest" (user) on the
list from the HOWTO which I am now keeping on my desk.

|>Then I have these groups:
|>dn: cn=Domain Admins,ou=Group,dc=j9starr,dc=net
...
| Domain Computers has a mandatory RID of 515.

K.  Will fix.

| Just to be clear - there doesn't need to be any correspondence between
| RID and gidNumber, or RID and uidNumber.

Right, I got that.  Those scripts that you dislike keep doing this. They
actually do kinda bite.  Problem is that I am writing this HOWTO so that
it maximizes automation for the less capable users.  Consequently, I
need the scripts but I also need to know what is wrong with them so that
I can have these things corrected in the HOWTO.  I would patch them
myself but I don't know perl. I've actually already patched them once
but that was just in regards to the location of binaries that the scripts
were calling.  A no-brainer, they were set up for Red Hat rather than
Mandrake.  Personally, I think the script authors should have determined
this on install using the "which" command.

Another thing about the scripts is that I still need a means by which
Samba can add users etc.

- --

- -----------------------------------------------------------------
| I can be reached on the following messenger services:		|
|---------------------------------------------------------------|
| MSN: j_c_llings@hotmail.com  AIM: WyteLi0n  ICQ: 123291844 	|
|---------------------------------------------------------------|
| Y!: j_c_llings               Jabber: jcllings@nureality.com	|
- -----------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-nr1 (Windows XP)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFADvCV57L0B7uXm9oRAqaPAJ4hUcgwng1nYKn/VY3rAwwQGiOf2wCfcQ0x
pZH6m2Tv2TUpbRFbL1gKhqE=
=a5Rr
-----END PGP SIGNATURE-----
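The thread above turns on a few Samba LDAPSAM rules: every sambaSID must be the domain SID followed by a RID, certain accounts and groups need their well-known RIDs (Administrator 500, Domain Guest 501, Domain Computers 515), and uidNumber/gidNumber have no required relationship to the RID. The following checker is an added example written for this page, not code from the thread, the Samba HOWTO or the scripts it discusses. It audits hand-written LDIF for those rules. The domain SID and the nobody/Domain Computers values are taken from the message; the other entries in the sample LDIF are constructed to show a wrong Administrator RID and a SID from a different domain, and the 512/513/514 RIDs for Domain Admins/Users/Guests are the standard Windows well-known values.

```python
"""Audit Samba LDAPSAM (sambaSamAccount / sambaGroupMapping) entries for SID
and RID consistency.  Added example; the LDIF below is constructed."""
import re

# Domain SID quoted in the thread.  In practice take it from `net getlocalsid`.
DOMAIN_SID = "S-1-5-21-1825057718-3407101348-4194330872"

# Well-known RIDs Samba expects.  500, 501 and 515 are quoted in the thread;
# 512-514 are the standard Domain Admins / Domain Users / Domain Guests RIDs.
EXPECTED_USER_RID = {"Administrator": 500, "nobody": 501}
EXPECTED_GROUP_RID = {
    "Domain Admins": 512,
    "Domain Users": 513,
    "Domain Guests": 514,
    "Domain Computers": 515,
}

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, one
    'attr: value' per line, no base64 values or line folding."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def split_sid(sid):
    """Return (domain_sid, rid) or (None, None) if the SID is malformed."""
    m = SID_RE.match(sid)
    if not m:
        return None, None
    return m.group(1), int(m.group(2))


def audit_entry(entry):
    """Return a list of findings for one entry; an empty list means clean.
    uidNumber/gidNumber are deliberately NOT compared with the RID: the thread
    is explicit that no correspondence is required."""
    findings = []
    dn = entry.get("dn", ["?"])[0]
    name = (entry.get("uid") or entry.get("cn") or ["?"])[0]
    is_group = "sambaGroupMapping" in entry.get("objectClass", [])
    expected = (EXPECTED_GROUP_RID if is_group else EXPECTED_USER_RID).get(name)

    for attr in ("sambaSID", "sambaPrimaryGroupSID"):
        for sid in entry.get(attr, []):
            domain, rid = split_sid(sid)
            if domain is None:
                findings.append(f"{dn}: {attr} '{sid}' is not a well-formed domain SID")
            elif domain != DOMAIN_SID:
                findings.append(f"{dn}: {attr} belongs to foreign domain {domain}")
            elif attr == "sambaSID" and expected is not None and rid != expected:
                findings.append(
                    f"{dn}: {attr} has RID {rid}, expected well-known RID {expected} for '{name}'"
                )
    if "sambaSID" not in entry:
        findings.append(f"{dn}: no sambaSID attribute")
    return findings


def audit_ldif(text):
    """Audit every entry in an LDIF string and return all findings."""
    findings = []
    for entry in parse_ldif(text):
        findings.extend(audit_entry(entry))
    return findings


# Constructed sample: nobody and Domain Computers use the thread's values,
# Administrator has a made-up non-500 RID, Domain Admins a foreign domain SID.
SAMPLE_LDIF = """\
dn: uid=Administrator,ou=People,dc=j9starr,dc=net
objectClass: posixAccount
objectClass: sambaSamAccount
uid: Administrator
uidNumber: 998
gidNumber: 512
sambaSID: S-1-5-21-1825057718-3407101348-4194330872-2996
sambaPrimaryGroupSID: S-1-5-21-1825057718-3407101348-4194330872-512

dn: uid=nobody,ou=People,dc=j9starr,dc=net
objectClass: posixAccount
objectClass: sambaSamAccount
uid: nobody
uidNumber: 999
gidNumber: 514
sambaSID: S-1-5-21-1825057718-3407101348-4194330872-2998
sambaPrimaryGroupSID: S-1-5-21-1825057718-3407101348-4194330872-514

dn: cn=Domain Computers,ou=Group,dc=j9starr,dc=net
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Computers
gidNumber: 515
sambaSID: S-1-5-21-1825057718-3407101348-4194330872-515

dn: cn=Domain Admins,ou=Group,dc=j9starr,dc=net
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
sambaSID: S-1-5-21-1825057718-3407101348-4194330871-512
"""

if __name__ == "__main__":
    for finding in audit_ldif(SAMPLE_LDIF):
        print(finding)
```

Run against the sample it reports three problems: Administrator should carry RID 500, nobody should carry RID 501 to act as Domain Guest, and the Domain Admins group's SID does not belong to this domain. Domain Computers passes because its RID is 515. Running the same check over an `ldapsearch -LLL` dump before starting Samba 3.0.x catches the RID mistakes the thread's scripts produce.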