[KLUG Members] Help for upgrade to Samba 3.0.1 (LDAPSAM) fm 2.2.8a anybody?

Adam Williams members@kalamazoolinux.org
Wed, 21 Jan 2004 22:01:36 -0500


> | Looks normal.
> | Ok, I still don't buy the argument for a Domain Administrator account,
> | but I don't see why it shouldn't work.  Except isn't the Administrator
> | account supposed to have a RID of 500?  So SambaSID should be
> | S-1-5-21-1825057718-3407101348-4194330872-500.
> Isn't it a good idea at least for debug, though?  That way I have one
> user I KNOW is an administrator. I can always delete it and probably
> will since you've sold me on that one. ;-)  I'll adjust the SID and then
> delete the account when I am all set up.

Could be.  I just add myself ("awilliam") to the Admin group.

> |>nobody
> |>gidNumber: 514
> |>uidNumber: 999
> |>sambaPrimaryGroupSID: S-1-5-21-1825057718-3407101348-4194330872-514
> |>sambaSID: S-1-5-21-1825057718-3407101348-4194330872-2998
> | Ok.  If you want this to be equivalent to "Domain Guest" you need a RID
> | of 501.  So SambaSID should be
> | S-1-5-21-1825057718-3407101348-4194330872-501
> Uh... "nobody" above, is a user... Oh!  There is a bit of insight.
> There is both "Domain Guests" (group) and "Domain Guest" (user) on the
> list from the HOWTO which I am now keeping on my desk.

Yes, their terminology isn't exactly helpful or lucid.

> | Just to be clear - there doesn't need to be any correspondence between
> | RID and gidNumber, or RID and uidNumber.
> Right, I got that.  Those scripts that you dislike keep doing this. They
> actually do kinda bite.  Problem is that I am writing this HOWTO so that
> it maximizes automation for the less capable users.  Consequently, I
> need the scripts but I also need to know what is wrong with them so that
> I can have these things corrected in the HOWTO.  I would patch them
> myself but I don't know perl. I've actually already patched them once
> but that was just in regards to the location of binaries that the scripts
> were calling.  A no-brainer, they were set up for Redhat rather than
> Mandrake.  Personally, I think the script authors should have determined
> this on install using the "which" command.

Personally I just have a skeleton DIT, and use sed to rewrite the base -
$ sed "s/dc=whitemice,dc=org/dc=foo,dc=bar/g" skel.ldif > foo.bar.ldif
$ slapadd -n1 < foo.bar.ldif
$ slapindex -n1
$ chown ldap.ldap /var/lib/ldap/*
$ service ldap start
- then I proceed to tweak according to site, do group mappings, and what
not.  Don't really see the need for elaborate scripts.
But of course I'm on all RedHat boxes so I know the uidNumbers, etc...
all match up.

> Another thing about the scripts is that I still need a means by which
> Samba can add users etc.

We create users via an intranet application,  using Domain User Manager
is still kinda flaky.  Hopefully it will be happy in 3.0.2,  when I'll
knock off some C# programs to glue it together via the Samba hooks.
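An added example, not code from this thread or from Samba itself: it does in Python what the sed one-liner above does to a skeleton LDIF (rewrite the base DN), and then runs the sanity check the earlier part of the thread is about, i.e. that every sambaSID / sambaPrimaryGroupSID carries the domain SID and that the well-known accounts have their well-known RIDs (Administrator 500, Guest 501, Domain Admins 512, Domain Users 513, Domain Guests 514). The sample LDIF is constructed here and deliberately reproduces the "nobody" entry with RID 2998 from the thread, plus an Administrator entry given a non-500 RID for illustration; treating the Unix "nobody" account as the Guest account is the thread's site choice, not a Samba requirement. The LDIF reader is minimal (no base64 "::" values).

```python
import re

# Domain SID quoted in the thread.
DOMAIN_SID = "S-1-5-21-1825057718-3407101348-4194330872"

# Well-known RIDs (Windows/Samba convention). Mapping the Unix 'nobody'
# account onto the Guest RID follows this thread; it is a site decision.
WELL_KNOWN_USER_RIDS = {"Administrator": 500, "nobody": 501}
WELL_KNOWN_GROUP_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}

# Constructed skeleton LDIF. The 'nobody' entry mirrors the one in the thread;
# the Administrator RID 2996 is made up to show a mismatch.
SKEL_LDIF = """
dn: uid=Administrator,ou=People,dc=whitemice,dc=org
objectClass: sambaSamAccount
uid: Administrator
uidNumber: 998
gidNumber: 512
sambaSID: S-1-5-21-1825057718-3407101348-4194330872-2996
sambaPrimaryGroupSID: S-1-5-21-1825057718-3407101348-4194330872-512

dn: uid=nobody,ou=People,dc=whitemice,dc=org
objectClass: sambaSamAccount
uid: nobody
uidNumber: 999
gidNumber: 514
sambaSID: S-1-5-21-1825057718-3407101348-4194330872-2998
sambaPrimaryGroupSID: S-1-5-21-1825057718-3407101348-4194330872-514

dn: cn=Domain Guests,ou=Groups,dc=whitemice,dc=org
objectClass: sambaGroupMapping
cn: Domain Guests
gidNumber: 514
sambaSID: S-1-5-21-1825057718-3407101348-4194330872-514
"""


def rewrite_base(ldif_text, old_base, new_base):
    """Equivalent of: sed "s/old_base/new_base/g" skel.ldif > site.ldif"""
    return ldif_text.replace(old_base, new_base)


def parse_ldif(text):
    """Minimal LDIF reader: entries are separated by blank lines, a line
    starting with a space continues the previous one, attributes may repeat
    (values are returned as lists). Base64 '::' values are not handled."""
    entries, current = [], {}
    text = re.sub(r"\n ", "", text)          # unfold continuation lines
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def rid_of(sid):
    """Last component of an S-1-5-21-... SID, or -1 if it is malformed."""
    tail = sid.rsplit("-", 1)[-1]
    return int(tail) if tail.isdigit() else -1


def check_entry(entry, domain_sid=DOMAIN_SID):
    """Return a list of human-readable findings for one LDIF entry."""
    findings = []
    dn = entry.get("dn", ["?"])[0]
    # 1. Every SID attribute must live in our domain.
    for attr in ("sambaSID", "sambaPrimaryGroupSID"):
        for sid in entry.get(attr, []):
            if not sid.startswith(domain_sid + "-"):
                findings.append(f"{dn}: {attr} {sid} is not in domain {domain_sid}")
    sids = entry.get("sambaSID", [])
    if not sids:
        return findings
    # 2. Well-known accounts/groups must carry their well-known RID. Note that
    #    uidNumber/gidNumber are deliberately not compared with the RID.
    rid = rid_of(sids[0])
    classes = entry.get("objectClass", [])
    if "sambaSamAccount" in classes:
        name = entry.get("uid", [""])[0]
        expect = WELL_KNOWN_USER_RIDS.get(name)
    elif "sambaGroupMapping" in classes:
        name = entry.get("cn", [""])[0]
        expect = WELL_KNOWN_GROUP_RIDS.get(name)
    else:
        name, expect = "", None
    if expect is not None and rid != expect:
        findings.append(f"{dn}: {name} has RID {rid}, well-known RID is {expect}")
    return findings


def check_ldif(text, domain_sid=DOMAIN_SID):
    """Run check_entry over every entry in an LDIF text."""
    out = []
    for entry in parse_ldif(text):
        out.extend(check_entry(entry, domain_sid))
    return out


if __name__ == "__main__":
    site_ldif = rewrite_base(SKEL_LDIF, "dc=whitemice,dc=org", "dc=foo,dc=bar")
    for finding in check_ldif(site_ldif):
        print(finding)
```

Run against the constructed skeleton this reports two things: Administrator carries RID 2996 instead of 500, and "nobody" carries 2998 instead of 501, which is exactly the adjustment discussed above. The Domain Guests group passes because its sambaSID already ends in 514; the uidNumber/gidNumber values are never compared with RIDs, since, as the thread says, there is no required correspondence.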