On Sat, 2005-02-12 at 15:38 -0700, John H Terpstra wrote:

> > Interestingly enough, I used Gerry Carter's LDAP book which deals with LDAP first and then how to integrate samba (of course, this was 2.2 when the book was published) which is clearly the approach that you and I have taken.
>
> Neither of the Samba documents in any way is meant to provide any form of introductory coverage of LDAP. Jerry's book is a good book - I recommend it.
>
> I believe that Samba documentation is not the right place for LDAP basic training. If the common consensus differs from this I am happy to receive basic introductory LDAP info for inclusion in the document.

----
I agree
----

> > There was a brief exchange last week where John Terpstra took me to task for expressing my opinion that root should not be used in the DSA at all which goes against his advice and against the current Samba
>
> That is not quite my recollection, Craig.
>
> I was addressing the need for unambiguous resolution of UIDs and GIDs to SIDs, and login IDs.
>
> If you are using LDAP and a version of Samba prior to 3.0.11 then the root account needs to be in LDAP also. Personally speaking, this freaks me out because I dislike having system accounts in LDAP. I believe Jerry and I are actually in agreement here.
>
> Jerry chimed in to point out that with the privileges code that is new to Samba-3.0.11 you no longer need the root account. The core of this functionality is documented in the current on-line version of the Samba-HOWTO-Collection in chapter 12.

----
I see a new section in chapter 11 called 'Important Administrative Information' which is what I guess you are referring to.

I also gather that if/when http://samba.org/~jerry/Samba-Rights-HOWTO reaches commit level, adjustments will be made to the HOWTO to reflect that as well. I certainly agree with your 'unambiguous resolution of UIDs and GIDs to SIDs and login IDs' and that isn't going to change with the addition of Samba-Rights as I see it...only a new mechanism that means that you don't have to try to have multiple users in the DSA with a uidNumber: attribute of 0 - obviously more than 1 isn't unambiguous and I certainly wouldn't advocate doing so. I notice that does leave people endlessly confused though - witness David Trask last weekend where he could only get things to work with a uid=root in his 'bulk load' which used the IDEALX toolset...even knowing that IDEALX recommended against that method themselves.

And if you view the following from the archives...

<http://lists.samba.org/archive/samba/2005-February/099983.html>

you will clearly see that I was suggesting a method of unambiguous resolution of these values...

> Personally, I find it easier for my state of being NOT to have root in LDAP but have Administrator with uid=0

whereupon you stated "best advice is to have just 'root' with UID=0..." which was clearly not in line with Gerry's message in the same thread

<http://lists.samba.org/archive/samba/2005-February/099988.html>

where he says "Seriously though, we need to move people away from using root to join domains admins."

How could people not be confused? Your best advice is to use root - Gerry's advice is to move people away from using root. Less than 40 minutes separated these messages - I do marvel at the speed with which you guys develop.
----

> > documentation but Gerry Carter piped in with his agreement to my point of view so evidently, there is a fundamental disagreement between them that hasn't been resolved with clarity for us lowly and less sophisticated users.
>
> Please go back and re-read my comments and Jerry's - we are in total agreement on not putting system accounts in LDAP. Why are we being mis-interpreted again? Sheesh!

----
see above example
----

> I spent a year writing and judging from the mail I get it is all wrong and of no use.
>
> Other than using this information myself in real deployments and thus seeing it work, it appears to me that none of us will ever get it right. There is no hope for anyone who writes documentation! Let's have a public flogging - it is a just reward for the documenter. :) PS: That was sarcastic humor to be sure!

----
You are a brilliant writer, an excellent communicator, and the documentation that is the Official Samba HOWTO is clearly the standard of open source software - by far. You are a kind, warm and generous person and the thought that I might have said anything that wounds you bothers me. Any criticism that I may have offered was only offered to make the documentation better.

I don't have any skill at writing technical manuals. I have never joined samba to an AD, never used winbindd, nor do I even begin to understand SASL or Kerberos (seems to be a worthy endeavor). I am probably on the bottom rung of knowledge of OpenLDAP and my interaction with other LDAP implementations is limited to setting up imp/horde/turba to query a Novell Directory (had to use the -P 2) and that was a mighty struggle. I have enough skills to do only the barest rudiments of a section on integrating Samba into an existing DSA (I didn't even know the definition of DSA until a few weeks ago - thanks Adam).

What I have learned is this...the explanation of the net groupmap command modified the ldapsam - I didn't understand it for quite some time. I found that using the base setup from IDEALX left me a bunch to clean up as did the net rpc vampire command as they created 'Groups' that didn't fit my intentions for the DSA. I suspect that Tonni ran into this too but I haven't compared notes. He is probably much more adept at writing this section we are talking about and is certainly more knowledgeable about all aspects of this than I, with maybe the exception being the Windows portion.

I don't generally use the online version of the HOWTO - I have my 2nd printing edition by my desk (though I don't refer to it much anymore) - it has at present (because I am actually going to count them) 7 sticky notes marking relevant sections for me - just to give you an idea of the value of the book to me.

With respect to your sarcasm above, I defer to your experience, your knowledge and your obvious technical writing skills and meant only to point out that I identified with Tonni's thoughts that merging Samba 3 into LDAP wasn't entirely obvious from the HOWTO.

Craig

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
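The ambiguity the thread keeps circling back to (more than one DSA entry carrying uidNumber 0, so UID-to-SID resolution has no single answer) can be audited from a plain LDIF export before Samba ever consults the directory. The following is an added example, not code from this thread, from Samba or from the IDEALX tools: it parses a small constructed LDIF export (placeholder base DN and account names) and reports every uidNumber shared by two or more posixAccount entries.

```python
"""Audit an LDIF export for uidNumber values shared by several accounts."""
from collections import defaultdict

# Constructed sample export (placeholder base DN and names, not a real directory).
# Two entries claim uidNumber 0: the UID -> SID ambiguity the thread discusses.
SAMPLE_LDIF = """\
dn: uid=root,ou=People,dc=example,dc=com
objectClass: posixAccount
uidNumber: 0

dn: uid=Administrator,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uidNumber: 0

dn: uid=craig,ou=People,dc=example,dc=com
objectClass: posixAccount
uidNumber: 1001
"""

def parse_ldif(text):
    """Parse simple LDIF (blank-line records, '#' comments, folded lines) into [(dn, {attr: [values]})]."""
    records = []
    for block in text.split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold a continuation line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, defaultdict(list)
        for line in lines:
            name, _, value = line.partition(":")
            if name == "dn":
                dn = value.strip()
            elif not value.startswith(":"):   # skip 'attr:: base64' values, not needed here
                attrs[name].append(value.strip())
        if dn is not None:
            records.append((dn, dict(attrs)))
    return records

def find_uid_collisions(text):
    """Map each uidNumber held by two or more posixAccount entries to their DNs."""
    owners = defaultdict(list)
    for dn, attrs in parse_ldif(text):
        if "posixAccount" in attrs.get("objectClass", []):
            for value in attrs.get("uidNumber", []):
                owners[int(value)].append(dn)
    return {uid: dns for uid, dns in owners.items() if len(dns) > 1}
```

Run it against the output of an `ldapsearch -LLL` dump of the people subtree; an empty result means every uidNumber, 0 included, resolves to exactly one entry.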