[KLUG Members] Help for upgrade to Samba 3.0.1 (LDAPSAM) fm 2.2.8a
anybody?
Jim C.
members@kalamazoolinux.org
Wed, 21 Jan 2004 13:35:17 -0800
Adam Williams wrote:
|>| Don't create an administrator account. Create an administrative group
...
|>I was going to use Administrator for this. Why not?
I suppose I could use something else. I think I'll go with "Domain
Boss" or daboss or something. ;-)
| The uidNumber doesn't matter. If the RID is other than "-500" then it
...
| If Samba uses the manager dn -
| 1.) It knows your manager dn password - Do you trust Samba that much?
| 2.) A bug in Samba can smack your entire DIT. Bringing your network to
| an immediate and catastrophic halt. And not just CIFS, but (for us
| anyway) that would include e-mail, dns, dhcp, printing, intranet, VPN,
| extranet, and customer purchasing. Yikes!
| 3.) You can't use the meta-data attributes (last modifier, etc..) to see
| what objects Samba has modified, versus what objects have been modified
| by other applications - VERY handy in tracking down where a change came
| from. Otherwise it is "just changed".
OK, that sounds like a really good idea. I'll have to modify my ACLs
though. I note that the HOWTO mentions admin "Handles" and creates one
of these in each of the ou's in question, i.e. ou=People, ou=Computers,
etc. This doesn't make much sense to me though. How would Samba know to
change the ou for binding?
| Looks normal.
| Ok, I still don't buy the argument for a Domain Administrator account,
| but I don't see why it shouldn't work. Except isn't the Administrator
| account supposed to have a RID of 500? So SambaSID should be
| S-1-5-21-1825057718-3407101348-4194330872-500.
Isn't it a good idea at least for debug, though? That way I have one
user I KNOW is an administrator. I can always delete it and probably
will since you've sold me on that one. ;-) I'll adjust the SID and then
delete the account when I am all set up.
|>nobody
|>gidNumber: 514
|>uidNumber: 999
|>sambaPrimaryGroupSID: S-1-5-21-1825057718-3407101348-4194330872-514
|>sambaSID: S-1-5-21-1825057718-3407101348-4194330872-2998
|
|
| Ok. If you want this to be equivalent to "Domain Guest" you need a RID
| of 501. So SambaSID should be
| S-1-5-21-1825057718-3407101348-4194330872-501
Uh... "nobody" above, is a user... Oh! There is a bit of insight.
There is both "Domain Guests" (group) and "Domain Guest" (user) on the
list from the HOWTO which I am now keeping on me desk.
|>Then I have these groups:
|>dn: cn=Domain Admins,ou=Group,dc=j9starr,dc=net
...
| Domain Computers has a mandatory RID of 515.
K. Will fix.
| Just to be clear - there doesn't need to be any correspondence between
| RID and gidNumber, or RID and uidNumber.
Right, I got that. Those scripts that you dislike keep doing this. They
actually do kinda bite. Problem is that I am writing this HOWTO so that
it maximizes automation for the less capable users. Consequently, I
need the scripts but I also need to know what is wrong with them so that
I can have these things corrected in the HOWTO. I would patch them
myself but I don't know Perl. I've actually already patched them once
but that was just in regards to the location of binaries that the scripts
were calling. A no-brainer, they were set up for Red Hat rather than
Mandrake. Personally, I think the script authors should have determined
this on install using the "which" command.
Another thing about the scripts is that I still need a means by which
Samba can add users etc.
--
-----------------------------------------------------------------
| I can be reached on the following messenger services: |
|---------------------------------------------------------------|
| MSN: j_c_llings@hotmail.com AIM: WyteLi0n ICQ: 123291844 |
|---------------------------------------------------------------|
| Y!: j_c_llings Jabber: jcllings@nureality.com |
-----------------------------------------------------------------
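
As an added example (not part of the original message and not Samba's own tooling), a small Python audit of exported LDIF that checks the RID rules discussed in this thread: 500 for Administrator, 501 for Domain Guest, 515 for Domain Computers. The name-to-role mapping, the `testadmin` entry and the sample LDIF are constructed for illustration; the domain SID is the one quoted in the thread.

```python
import re
# RIDs the thread calls for; which local entry plays each role (the names on
# the left) is this example's assumption.
EXPECTED_RID = {"Administrator": 500, "nobody": 501, "Domain Computers": 515}
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
DOMAIN_SID = "S-1-5-21-1825057718-3407101348-4194330872"  # from the thread

def parse_ldif(text):
    # Minimal LDIF reader (no base64 values, no folded lines).
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                attr, value = line.split(":", 1)
                entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return [e for e in entries if e]

def audit(text, domain_sid=DOMAIN_SID):
    # Returns (entry name, attribute, problem) tuples.
    findings = []
    for e in parse_ldif(text):
        name = (e.get("cn") or e.get("uid") or ["?"])[0]
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            for sid in e.get(attr, []):
                m = SID_RE.match(sid)
                if not m or m.group(1) != domain_sid:
                    findings.append((name, attr, "malformed or foreign-domain SID"))
                elif attr == "sambaSID":
                    rid, want = int(m.group(2)), EXPECTED_RID.get(name)
                    if want is not None and rid != want:
                        findings.append((name, attr, f"RID {rid}, expected {want}"))
                    elif want is None and rid in EXPECTED_RID.values():
                        findings.append((name, attr, f"holds reserved RID {rid}"))
    return findings

# Constructed sample: "nobody" as posted in the thread plus two made-up entries.
SAMPLE = """\
uid: nobody
sambaPrimaryGroupSID: S-1-5-21-1825057718-3407101348-4194330872-514
sambaSID: S-1-5-21-1825057718-3407101348-4194330872-2998

cn: Domain Computers
sambaSID: S-1-5-21-1825057718-3407101348-4194330872-515

uid: testadmin
sambaSID: S-1-5-21-1825057718-3407101348-4194330872-500
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The "holds reserved RID" finding is a prompt to review which accounts carry RID 500, since uidNumber and gidNumber say nothing about Windows-side privileges.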