Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-04-09 Thread Wim Bakker
On Friday 09 April 2004 04:00, Suhaimi Jamalludin wrote:
 Hi Wim Bakker,

 You have to make sure that LDAP is running without any error.
 Can you do this (note: make sure there is no ACL applied on the
 slapd.conf else you won't see the output of your DN):
 # ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

 Is there any output?

 Can you please show me your smb.conf Global config

Hai,
Yes, ldapsearch gives decent output.
I found the error, I think; at least, it's working now.
I initially used ldap-2.2.8; I reinstalled everything, but now
with ldap-2.1.19 (after noticing somewhere that ldap-2.0/2.1
were tested), and now I get users added.
The only thing I had to change from the example in chapter 2
of the reference guide was the ldap admin dn, from cn=Manager
to cn=Manager,dc=unetix,dc=nl.
My smb.conf (global section):
[global]
workgroup = AMSTERDAM
netbios name = TEST
server string = Samba PDC running %v
passdb backend = ldapsam:ldap://localhost
username map = /etc/samba/smbusers
encrypt passwords = Yes
update encrypted = Yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
add machine script = /usr/sbin/useradd -g machines -c Machine -d /dev/null -s /bin/false %u$
add user script = /usr/sbin/useradd -g users -m -s /bin/false %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
logon script = logon.bat
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\%U\.profile
domain logons = Yes
os level = 255
preferred master = Yes
domain master = Yes
local master = Yes
wins support = Yes
ldap suffix = dc=unetix,dc=nl
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=People
ldap idmap suffix = ou=People
ldap admin dn = cn=Manager,dc=unetix,dc=nl
ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
ldap ssl = Off
ldap passwd sync = No
idmap uid = 15000-2
idmap gid = 15000-2
winbind separator = +
admin users = @wheel

my slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/slapd.pid
argsfile    /var/run/slapd.args
database    bdb
suffix  dc=unetix,dc=nl
rootdn  cn=Manager,dc=unetix,dc=nl
rootpw  {SSHA}4qk9y4r03iIV2ZxG0rvPdUjO4Eg2ZSCF
directory   /var/openldap-data
index   cn,sn,uid,displayName   pres,sub,eq
index   uidNumber,gidNumber eq
index   sambaSID eq
index   sambaPrimaryGroupSID eq
index   sambaDomainName eq
index memberUid eq
index   objectClass eq

I compiled ldap-2.1.19 with:
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
samba-3.0.3pre2 with:
./configure --with-automount --with-smbmount --with-acl-support \
  --with-libsmbclient --with-configdir=/etc/samba --with-logfilebase=/var/log/samba \
  --with-privatedir=/etc/samba/private --with-lockdir=/var/lock/samba \
  --with-piddir=/var/run --with-mysql-prefix=/usr/local/mysql \
  --with-expsam=mysql --enable-cups --with-ldap

I didn't use nss ldap and pam ldap, users I have first to add to /etc/passwd,
then I can add them with smbpasswd -a.

output ldapsearch -x -b 'dc=unetix,dc=nl' '(objectclass=*)' :

# extended LDIF
#
# LDAPv3
# base dc=unetix,dc=nl with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# unetix.nl
dn: dc=unetix,dc=nl
objectClass: dcObject
objectClass: organization
dc: unetix
o: Quenya Org Network
description: The Samba-3 Network LDAP Example

# Manager, unetix.nl
dn: cn=Manager,dc=unetix,dc=nl
objectClass: organizationalRole
cn: Manager
description: Directory Manager

# People, unetix.nl
dn: ou=People,dc=unetix,dc=nl
objectClass: top
objectClass: organizationalUnit
ou: People

# admin, People, unetix.nl
dn: cn=admin,ou=People,dc=unetix,dc=nl
cn: admin
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword:: e1NTSEF9NHFrOXk0cjAzaUlWMlp4RzBydlBkVWpPNEVnMlpTQ0Y=

# Groups, unetix.nl
dn: ou=Groups,dc=unetix,dc=nl
objectClass: top
objectClass: organizationalUnit
ou: Groups

# admin, Groups, unetix.nl
dn: cn=admin,ou=Groups,dc=unetix,dc=nl
cn: admin
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword:: e1NTSEF9NHFrOXk0cjAzaUlWMlp4RzBydlBkVWpPNEVnMlpTQ0Y=

# Computers, unetix.nl
dn: ou=Computers,dc=unetix,dc=nl
objectClass: top

Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-04-08 Thread Wim Bakker
On Wednesday 10 March 2004 16:19, John H Terpstra wrote:

 The use of these tools is documented in the book version of the
 Samba-HOWTO-Collection, The Official Samba-3 HOWTO and Reference Guide
 available from Amazon.Com. There are 5 chapters that are not in the HOWTO
 document - these will be released on April 5th with consent from
 Prentice-Hall (the book publisher).
Hello,
I tried the example , chapter 2 from The Official Samba-3 HOWTO and Reference 
Guide , Big Organization , followed exactly the procedure as described in 
this book and get the following error: 

failed to bind to server with dn= cn=Manager Error: Invalid credentials

Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
Connection to LDAP Server failed for the 1 try!
ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (unknown) (Invalid credentials)
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
Failed to add entry for user gerrit.
Failed to modify password entry for user gerrit
-
when trying to add the first user (gerrit).
What is making up invalid credentials?
I used openldap-2.1.19 , compiled with no options, 
installed it , edited the /etc/openldap/slapd.conf as 
described in the reference guide , edited smb.conf
as described in the reference guide, (only changed
the dc's to the domain the machine is in), added the 
initial ldif as described in the book, but , no cigar.
system is slackware 9.1, db-4.2.52, samba-3.0.2a.

TIA
Wim Bakker
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-04-08 Thread Paul Gienger
Did you remember to do a smbpasswd -w manager password to store the 
password for the manager's dn in the secrets.tdb file? 

Wim Bakker wrote:

On Wednesday 10 March 2004 16:19, John H Terpstra wrote:

 

The use of these tools is documented in the book version of the
Samba-HOWTO-Collection, The Official Samba-3 HOWTO and Reference Guide
available from Amazon.Com. There are 5 chapters that are not in the HOWTO
document - these will be released on April 5th with consent from
Prentice-Hall (the book publisher).
   

Hello,
I tried the example , chapter 2 from The Official Samba-3 HOWTO and Reference 
Guide , Big Organization , followed exactly the procedure as described in 
this book and get the following error: 

failed to bind to server with dn= cn=Manager Error: Invalid credentials

Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
Connection to LDAP Server failed for the 1 try!
ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (unknown) (Invalid credentials)
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
Failed to add entry for user gerrit.
Failed to modify password entry for user gerrit
-
when trying to add the first user (gerrit).
What is making up invalid credentials?
I used openldap-2.1.19 , compiled with no options, 
installed it , edited the /etc/openldap/slapd.conf as 
described in the reference guide , edited smb.conf
as described in the reference guide, (only changed
the dc's to the domain the machine is in), added the 
initial ldif as described in the book, but , no cigar.
system is slackware 9.1, db-4.2.52, samba-3.0.2a.

TIA
Wim Bakker
 

--
Paul Gienger Office:701-281-1884
Applied Engineering Inc. Cell:  701-306-6254
Information Systems Consultant   Fax:   701-281-1322
URL: www.ae-solutions.com    mailto:[EMAIL PROTECTED]


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-04-08 Thread Wim Bakker
On Thursday 08 April 2004 18:00, Paul Gienger wrote:
 Did you remember to do a smbpasswd -w manager password to store the
 password for the manager's dn in the secrets.tdb file?


Yes, I did, but no success, connection failed because of invalid credentials.
I changed the following in the example as described in the reference guide 
though:

According to the book:
#ldap admin dn = cn=Manager

Changed to:
#ldap admin dn = cn=Manager,dc=unetix,dc=nl

And after issuing again the smbpasswd -w passwd :
#Setting stored password for cn=Manager,dc=unetix,dc=nl in secrets.tdb

I get the following error when issuing the following command:

[EMAIL PROTECTED]:/install/openldap-2.1.19# net groupmap list
#[2004/04/08 19:44:27, 0] lib/smbldap.c:smbldap_search_domain_info(1350)
# Adding domain info for UNETIX failed with NT_STATUS_UNSUCCESSFUL

So, what's wrong next ?

TIA
Wim Bakker


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-04-08 Thread Wim Bakker
On Thursday 08 April 2004 18:00, Paul Gienger wrote:
 Did you remember to do a smbpasswd -w manager password to store the
 password for the manager's dn in the secrets.tdb file?

PS. issuing the following command after changing the ldap admin dn
entry in smb.conf gives me this error:
 
[EMAIL PROTECTED]:/install/openldap-2.1.19# smbpasswd -a gerrit
New SMB password:
Retype new SMB password:
failed to add domain dn= sambaDomainName=UNETIX,dc=unetix,dc=nl with: Internal (implementation specific) error
index generation failed
Adding domain info for UNETIX failed with NT_STATUS_UNSUCCESSFUL
Failed to initialise SAM_ACCOUNT for user gerrit.
Failed to modify password entry for user gerrit
-

What may be causing this?

TIA

Wim Bakker



Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-04-08 Thread Suhaimi Jamalludin
Hi Wim Bakker,

You have to make sure that LDAP is running without any error.
Can you do this (note: make sure there is no ACL applied on the
slapd.conf else you won't see the output of your DN):
   # ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

Is there any output?

Can you please show me your smb.conf Global config

Regards,
Suhaimi


Wim Bakker wrote:

On Thursday 08 April 2004 18:00, Paul Gienger wrote:
 

Did you remember to do a smbpasswd -w manager password to store the
password for the manager's dn in the secrets.tdb file?
   

PS. issuing the following command after changing the ldap admin dn
entry in smb.conf gives me this error:
 
[EMAIL PROTECTED]:/install/openldap-2.1.19# smbpasswd -a gerrit
New SMB password:
Retype new SMB password:
failed to add domain dn= sambaDomainName=UNETIX,dc=unetix,dc=nl with: Internal (implementation specific) error
   index generation failed
Adding domain info for UNETIX failed with NT_STATUS_UNSUCCESSFUL
Failed to initialise SAM_ACCOUNT for user gerrit.
Failed to modify password entry for user gerrit
-

What may be causing this?

TIA

Wim Bakker

 



Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-11 Thread Graham Leggett
Craig White wrote:

 I can tell by the volume of your messages that you feel that you have a
 message worthy of delivery but I don't agree. You have bundled a lot of
 your frustration with learning LDAP into Samba and Samba doesn't require
 you to use LDAP at all.

Obviously it doesn't require you to use LDAP, however Samba supports
LDAP, and if this is the case it is not unreasonable to expect setting
it up to be reasonably straightforward.

 If you want easy, if you want total
 consistency so someone without knowledge can follow your footsteps 6
 months from now, you should be implementing Windows.

This is the exact problem. There is another product out there that got
usability right. Yes, Samba is more secure, more flexible, and more
reliable, but if it cannot be set up properly, then the benefits are not
accessible to people.

 Had you had a working knowledge of LDAP, your criticisms might be of
 some value but in light of the fact that you really want to vent about
 LDAP and how it integrates, its meaning is lost on this samba message
 base.

As the person who integrated mod_ldap into Apache httpd, I feel that I
have quite a significant knowledge of LDAP thank you.

Don't simply assume anybody with a different opinion on how something 
should work automatically makes them ignorant.

Regards,
Graham
--


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-11 Thread Graham Leggett
John H Terpstra wrote:

 3. Just sending configuration files can actually aggravate someone's
 problem. Example configuration files must be sent with clear Do this,
 then this, then this ... type guidance.

Access to a working configuration file is probably the fastest way I
find to learn a new product or service. I can look at the config file,
and ask how exactly does this work, and from it get virtually all the
answers I need. The fact that there is no complete smb.conf example for
Samba + LDAP was a huge hindrance to my quest to get the thing right.

Excessive documentation is one of the biggest problems I have found with 
software projects, both open source and commercial. People begin skim 
reading them because they just go on too long, or by the time you've 
reached chapter 14, you forgot that little snippet of information that 
was mentioned in chapter 2.

Regards,
Graham
--


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-11 Thread Beast
* Graham Leggett [EMAIL PROTECTED] wrote:

 Excessive documentation is one of the biggest problems I have found with 
 software projects, both open source and commercial. People begin skim 
 reading them because they just go on too long, or by the time you've 
 reached chapter 14, you forgot that little snippet of information that  was 
 mentioned in chapter 2.

Yes, we need a samba quick start guide, which must conform to the latest release.
 
Who will take this project? ;-)

 
 Regards,
 Graham
 --



--beast



Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-11 Thread Beast
* Fernando Pintabona [EMAIL PROTECTED] wrote:

 here:
 http://www.amazon.com/exec/obidos/tg/detail/-/0131472216/qid=1079009247/sr=1-1/ref=sr_1_1/103-1507164-4910244?v=glances=books
 
 A really good place to start ;)
 

I agree, but its 384 pages is not that quick ;-p

something like :

http://www.openldap.org/doc/admin22/quickstart.html

really quick (and dirty), but works ;)

--beast



Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-11 Thread Andreas
On Wed, Mar 10, 2004 at 05:03:58PM +0200, Graham Leggett wrote:
 The functionality provided by smbldap-tools should be built into Samba 
 from scratch, I don't see why there is such a need to jump through hoops 
 like this.

Hmm, wait a minute. The thing is that there are two sources of user information
in this case. Samba takes care of theirs, but there is also the unix source of
user information (like homeDir, uidnumber, gidnumber, etc). I think samba is
just being careful to not disturb the unix part (for example, it requires
ldap delete dn to be true to completely delete the user dn instead of only the
samba attributes).
This philosophy has its merits: only touch what is yours. But it can lead to
difficulties down the road, yes.



Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-11 Thread Andreas
On Wed, Mar 10, 2004 at 06:31:42PM +0200, Graham Leggett wrote:
 I learn however that this is _not_ so - if nss_ldap is not configured 
 correctly, Samba + LDAP won't work. Which leads me on to ask: Why does 
 Samba not read the LDAP configuration from ldap.conf by default, instead 
 of asking for the same information a second time?

Because I may be not using nss_ldap at all. I could be storing users in
/etc/passwd as usual and only the samba attributes in LDAP. Flexibility,
which comes at a price :)

 This is also a security issue - the root DN password for the LDAP server 
 is stored twice. It is also a usability issue - six months from now is 
 my replacement going to know that the LDAP password needs to be set in 
 two places? Of course not.

There is some other discussion going on which relates to this and is password
policies. In the future samba may not need the ldap root password.

 2) Too Much Rope
 
 When users / groups / etc are added to Samba via the normal Windows 
 based admin tools, Samba allows the user to specify a script to do the 
 job. This as a virtually infinitely flexible solution.
 
 But the average (99% of cases) system administrator does not need an 
 infinitely flexible system, but rather a system that will get the job 
 done with as little fuss as possible, and in as standard a way as 
 possible, so that third party LDAP database editing tools need not be 
 modified for this particular system's quirks.

Perhaps a standard script included in the samba package and already configured
in smb.conf would help?



Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-11 Thread Andreas
On Wed, Mar 10, 2004 at 07:33:46PM +0200, Graham Leggett wrote:
 You're not obligated to use smbldap-tools,  but I won't argue with you on
 that one.  I'm not a big fan.
 
 Are there alternatives?

Yes, more or less polished, for example:
http://lam.sourceforge.net/



Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-11 Thread Andreas
On Wed, Mar 10, 2004 at 05:59:14PM +, John H Terpstra wrote:
  What Samba should do by default is read LDAP parameters from ldap.conf,
  with the option to override the parameters if the admin so chooses, thus
  making Samba easy and straightforward for the admin to use out the box.
 
 You are assuming that Samba only needs to work with OpenLDAP. You are also
 assuming that ALL OpenLDAP configurations use the same directory
 structure. Too many assumptions. How can we implement a universal
 solution? What must we do to arrive at nirvana?

That's something a vendor could/should do, perhaps. The vendor knows where he
puts the configuration files, what they look like, etc.

 Out of the review process for the Samba-3 by Example book has come
 incessant requests (demand) for better documentation on OpenLDAP. A book
 called OpenLDAP by Example is presently being written.

hey, great :) I hope you also touch BDB issues :)



Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread Graham Leggett
Norman Dressler wrote:

 This can also be a symptom of not having the guest account properly mapped to
 a nobody or similar account.  Could also happen if you don't have a 'root'
 account in your ldap directory.  You must also have the proper configurations
 for the Domain groups like Domain Users and Domain Guests, etc.

Can you describe what proper configs for the Domain Groups means? So
far the docs have told me they need to be configured properly, but then
don't say how.

 As you can see, I had to learn the hard (best?) way -- trial and error.  I've
 been bitten by all of them at one time or another.

 Have you set up your scripts?
 - add user script
 - delete user script
 - add machine script
 - add group script
 - delete group script
 - add user to group script
 - etc.

Would it be possible to post the piece of smb.conf that shows these
scripts correctly configured? So far I've found volumes of man pages for
various scripts, but I have no clue on what options to pass to them so
that they work.

Regards,
Graham
--


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread Graham Leggett
John H Terpstra wrote:

 Have you set up your scripts?
 - add user script
 - delete user script
 - add machine script
 - add group script
 - delete group script
 - add user to group script
 - etc.

Another comment on the docs - the docs for samldap do not make any
mention of the smbldap-tools package, and the fact that it is required 
in order to produce a usable system.

And neither the samba docs, nor it would seem the smbldap-tools docs 
make any mention of what command line settings are supposed to be used 
in each case.

Is it possible to add a section to the docs to cover this?

Regards,
Graham
--


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread RRuegner
Graham Leggett wrote:

  John H Terpstra wrote:

  Have you set up your scripts?
  - add user script
  - delete user script
  - add machine script
  - add group script
  - delete group script
  - add user to group script
  - etc.

 Another comment on the docs - the docs for samldap do not make any
 mention of the smbldap-tools package, and the fact that it is required
 in order to produce a usable system.

 And neither the samba docs, nor it would seem the smbldap-tools docs
 make any mention of what command line settings are supposed to be used
 in each case.

 Is it possible to add a section to the docs to cover this?

 Regards,
 Graham
 --

Hi, yes the tools should be better described as they are in the smb sources
I found it very hard at my first setup ldap smb.
On the other hand many setups are thinkable with ldap, a description
to the ldap populate is only one way  ( fast , working )
to come to a working smb ldap pdc
Regards


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread Graham Leggett
RRuegner wrote:

 Hi, yes the tools should be better described as they are in the smb sources
 i found it very hard at my first setup ldap smb.
 On the other Hand many setups are thinkable with ldap, a description
 to the ldap populate is only one way  ( fast , working )
 to come to a working smb ldap pdc

The LDAP capability is very useful, which is why I am trying to solve 
the problems, but the lack of usability is a complete showstopper. I 
cannot install a system that if something goes wrong in six months time, 
nobody will have a clue on how to fix it.

I have been looking at the smbldap-tools package, and cannot believe at 
how difficult it is to set up. Most of the information in the 
smbldap_conf.pm file is already specified in the smb.conf file - this 
means that down the line when somebody else changes smb.conf, things 
will stop working, and they won't know why.

The functionality provided by smbldap-tools should be built into Samba 
from scratch, I don't see why there is such a need to jump through hoops 
like this.

Regards,
Graham
--


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread John H Terpstra
On Wed, 10 Mar 2004, Graham Leggett wrote:

 John H Terpstra wrote:

 Have you set up your scripts?
- add user script
- delete user script
- add machine script
- add group script
- delete group script
- add user to group script
- etc.

 Another comment on the docs - the docs for samldap do not make any
 mention of the smbldap-tools package, and the fact that it is required
 in order to produce a usable system.

 And neither the samba docs, nor it would seem the smbldap-tools docs
 make any mention of what command line settings are supposed to be used
 in each case.

Well they are mentioned under Interdomain Trusts - but I admit that is
very obtuse.

The use of these tools is documented in the book version of the
Samba-HOWTO-Collection, The Official Samba-3 HOWTO and Reference Guide
available from Amazon.Com. There are 5 chapters that are not in the HOWTO
document - these will be released on April 5th with consent from
Prentice-Hall (the book publisher).


 Is it possible to add a section to the docs to cover this?

Please send me your patches. If you are not comfortable sending XML
document patches, send me text to apply and I will rectify the
problem.

Please note that the HOWTO is a green document - this means it is
continually being updated. Each reprinting of the HOWTO book has the
updates in it also.

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread John H Terpstra
On Wed, 10 Mar 2004, Graham Leggett wrote:

 RRuegner wrote:

  Hi, yes the tools should be better described as they are in the smb sources
  i found it very hard at my first setup ldap smb.
  On the other Hand many setups are thinkable with ldap, a description
  to the ldap populate is only one way  ( fast , working )
  to come to a working smb ldap pdc

 The LDAP capability is very useful, which is why I am trying to solve
 the problems, but the lack of usability is a complete showstopper. I
 cannot install a system that if something goes wrong in six months time,
 nobody will have a clue on how to fix it.

 I have been looking at the smbldap-tools package, and cannot believe at
 how difficult it is to set up. Most of the information in the
 smbldap_conf.pm file is already specified in the smb.conf file - this
 means that down the line when somebody else changes smb.conf, things
 will stop working, and they won't know why.

 The functionality provided by smbldap-tools should be built into Samba
 from scratch, I don't see why there is such a need to jump through hoops
 like this.

I agree completely! I know exactly what you mean. I have spent literally
12 months writing Samba documentation. That has been my full time (and I
mean about 18 hours per day) activity for the past year - and that is why
you have the documentation that exists now. It would not have existed if
someone had not written it.

My main source of income for this work is from book sales, but I have also
contributed it under the GPL to the Samba project. I am committed to open
source and hope that users like you will help to ensure that this work can
continue. How can you do that?

1. Contribute written text that can be added to improve the
documentation further.

2. Buy the book versions to support the documentation work.
It helps those who write documentation to eat. :)

FWIW:

I am working with the authors of several tools projects (smbldap-tools and
LDAP Account Manager) to improve the documentation of their work also.
Bear in mind that those of you using this stuff are at the leading edge.
It takes more time than you can imagine to document and improve these
tools.

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread John H Terpstra
On Wed, 10 Mar 2004, Graham Leggett wrote:

 RRuegner wrote:

  Hi, yes the tools should be better described as they are in the smb sources
  i found it very hard at my first setup ldap smb.
  On the other Hand many setups are thinkable with ldap, a description
  to the ldap populate is only one way  ( fast , working )
  to come to a working smb ldap pdc

 The LDAP capability is very useful, which is why I am trying to solve
 the problems, but the lack of usability is a complete showstopper. I
 cannot install a system that if something goes wrong in six months time,
 nobody will have a clue on how to fix it.

This is completely correct. It took me 6 weeks to document, test, and
validate Chapter 6 of Samba-3 by Example - and it took 50 or so pages to
sufficiently describe the steps that must be followed.

While entirely essential, documentation that is logical, comprehensive and
comprehendable is not a trivial process.

Please be patient. This is being addressed. The entire book Samba-3 by
Example will be open sourced soon.

 I have been looking at the smbldap-tools package, and cannot believe at
 how difficult it is to set up. Most of the information in the
 smbldap_conf.pm file is already specified in the smb.conf file - this
 means that down the line when somebody else changes smb.conf, things
 will stop working, and they won't know why.

 The functionality provided by smbldap-tools should be built into Samba
 from scratch, I don't see why there is such a need to jump through hoops
 like this.

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread Graham Leggett
John H Terpstra wrote:

 This is completely correct. It took me 6 weeks to document, test, and
 validate Chapter 6 of Samba-3 by Example - and it took 50 or so pages to
 sufficiently describe the steps that must be followed.

 While entirely essential, documentation that is logical, comprehensive and
 comprehendable is not a trivial process.

From my experience over the last few days trying to get Samba
installed, I don't think the documentation is at fault - there are some 
basic design flaws in Samba that you only see if you come to Samba with 
new eyes, ie you haven't configured Samba + LDAP before.

1) Duplicated configuration

Samba's LDAP configuration exists in the smb.conf file. pam_ldap / 
nss_ldap's configuration exists in the ldap.conf file.

As these are two separate config files, what this tells me as a new user 
of Samba, is that Samba's LDAP handling is completely independent of
nss_ldap's LDAP handling.

I learn however that this is _not_ so - if nss_ldap is not configured 
correctly, Samba + LDAP won't work. Which leads me on to ask: Why does 
Samba not read the LDAP configuration from ldap.conf by default, instead 
of asking for the same information a second time?

This is also a security issue - the root DN password for the LDAP server 
is stored twice. It is also a usability issue - six months from now is 
my replacement going to know that the LDAP password needs to be set in 
two places? Of course not.

Then comes smbldap-tools. This package is written in perl, which has all 
sorts of magic string handling available, to extract the info it needs 
from either ldap.conf or smb.conf. But instead - it has its own config
file, with its own definition of the LDAP server contact details, and a
_third_ copy of the LDAP root DN password. At this point, security is 
out the window, as is any hope that I will remember how the password is 
changed six months down the line.

2) Too Much Rope

When users / groups / etc are added to Samba via the normal Windows 
based admin tools, Samba allows the user to specify a script to do the 
job. This is a virtually infinitely flexible solution.

But the average (99% of cases) system administrator does not need an 
infinitely flexible system, but rather a system that will get the job 
done with as little fuss as possible, and in as standard a way as 
possible, so that third party LDAP database editing tools need not be 
modified for this particular system's quirks.

Too much rope here is a huge hindrance - as smbldap-tools does not seem
to be laid out the same way as the Samba HOWTO suggests things should be 
laid out (as far as I can tell anyway), I must now go into code and edit 
it - which means I must brush up on my perl skills again to see what is 
going on.

To have to learn perl before you can configure something as mainstream 
as Samba means that something has been designed wrong.

Note: I am not pointing these things out so as to knock developers of a 
piece of software that once it's configured correctly, works great. I am 
pointing these things out because as a developer, it is hard to 
anticipate the approach that will be taken by a new user of the 
software, as opposed to an experienced user of the software.

Regards,
Graham


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread Graham Leggett
Adam Williams wrote:

  Would it be possible to post the piece of smb.conf that shows these
  scripts correctly configured? So far I've found volumes of man pages for
  various scripts, but I have no clue on what options to pass to them so
  that they work.

 The return values and parameter list are enumerated in the manual pages.

In grotesque detail. The man pages tell me what is possible to do, and
the list of possible things is long and detailed.

I am interested instead in what is recommended that I should do. So far 
all I have found is a post in the archives where someone posted their 
config file when they were having a problem. This kind of thing should 
be documented somewhere.

Regards,
Graham


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread Adam Williams
  This is completely correct. It took me 6 weeks to document, test, and
  validate Chapter 6 of Samba-3 by Example - and it took 50 or so pages to
  sufficiently describe the steps that must be followed.
  While entirely essential, documentation that is logical, comprehensive and
  comprehendable is not a trivial process.
 From my experience over the last few days trying to get Samba 
 installed, I don't think the documentation is at fault - there are some 
 basic design flaws in Samba that you only see if you come to Samba with 
 new eyes, ie you haven't configured Samba + LDAP before.

I've been configuring Samba and LDAP services for years;  my
interpretation of the travails of many newer users is that they don't
grasp the divisions between the relevant subsystems: LDAP, NSS, SAMBA,
etc...

 1) Duplicated configuration
 Samba's LDAP configuration exists in the smb.conf file. pam_ldap / 
 nss_ldap's configuration exists in the ldap.conf file.
 As these are two separate config files, what this tells me as a new user 
 of Samba, is that Samba's LDAP handling is completely independent of
 nss_ldap's LDAP handling.

No, it is pretty clearly stated that Samba relies on the NSS layer to be
working correctly - hence the need for an /etc/passwd entry, or a
posixAccount in LDAP, or a NIS entry, {insert wherever UID Number comes
from}, etc...  This is why there is a winbind NSS module.

Maybe what we need is a good diagram.

 I learn however that this is _not_ so - if nss_ldap is not configured 
 correctly, Samba + LDAP won't work. 

Neither will much of anything else.

 Which leads me on to ask: Why does 
 Samba not read the LDAP configuration from ldap.conf by default, instead 
 of asking for the same information a second time?

Because the filters, bases, etc... that Samba uses may be necessarily
different than the ones NSS uses.  NSS may be able to see content that
Samba can not.

 This is also a security issue - the root DN password for the LDAP server 
 is stored twice. It is also a usability issue - six months from now is 
 my replacement going to know that the LDAP password needs to be set in 
 two places? Of course not.

You're ASSUMING that the passwords are the same.  I expect they are not in
most large installations, and should not be in any installation.  NSS
needs to read, but never write, particular information.  Samba needs to
access different information and should not have access to data it
doesn't need, and certainly shouldn't have write access to data it
doesn't need to modify.  Neither NSS nor Samba should be using the
manager dn.

 Then comes smbldap-tools. This package is written in perl, which has all 
 sorts of magic string handling available, to extract the info it needs 
 from either ldap.conf or smb.conf. But instead - it has its own config
 file, with its own definition of the LDAP server contact details, and a
 _third_ copy of the LDAP root DN password. At this point, security is 
 out the window, as is any hope that I will remember how the password is 
 changed six months down the line.

You're not obligated to use smbldap-tools,  but I won't argue with you on
that one.  I'm not a big fan.

 2) Too Much Rope
 When users / groups / etc are added to Samba via the normal Windows 
 ...
 To have to learn perl before you can configure something as mainstream 
 as Samba means that something has been designed wrong.

You can write your own scripts in anything you like.  We are currently
writing a set of modules/scripts in C#.

 Note: I am not pointing these things out so as to knock developers of a 
 piece of software that once it's configured correctly, works great. I am 
 pointing these things out because as a developer, it is hard to 
 anticipate the approach that will be taken by a new user of the 
 software, as opposed to an experienced user of the software.



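The separation argued for in the message above (NSS binding read-only, Samba binding with its own DN, neither using the manager DN) can be checked mechanically. This is an added example, not code from the thread or from the Samba project; it assumes a single-database slapd.conf, nss_ldap's `binddn` / `rootbinddn` keywords and the smb.conf `ldap admin dn` parameter, and the `ou=DSA` service DNs and all sample files are constructed.

```python
import re

# Constructed sample files. Only "cn=Manager,dc=unetix,dc=nl" is taken from the
# smb.conf posted in this thread; the ou=DSA service accounts are made up.
SLAPD_CONF = '''
database  bdb
suffix    "dc=unetix,dc=nl"
rootdn    "cn=Manager,dc=unetix,dc=nl"
'''
WEAK_NSS = '''
host 127.0.0.1
base dc=unetix,dc=nl
rootbinddn cn=manager, dc=unetix, dc=nl
'''
WEAK_SMB = '''
[global]
   passdb backend = ldapsam:ldap://localhost
   ldap suffix = dc=unetix,dc=nl
   ldap admin dn = cn=Manager,dc=unetix,dc=nl
'''
HARD_NSS = '''
host 127.0.0.1
base dc=unetix,dc=nl
binddn cn=nssproxy,ou=DSA,dc=unetix,dc=nl
'''
HARD_SMB = '''
[global]
   LDAP Admin DN = cn=samba,ou=DSA,dc=unetix,dc=nl
'''


def norm_dn(dn):
    """Fold case and spacing so equal DNs compare equal (escaped commas not handled)."""
    rdns = []
    for rdn in dn.strip().strip('"').split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def keyword_file(text):
    """Parse 'keyword value' files such as slapd.conf and nss_ldap's ldap.conf."""
    found = {}
    for raw in text.splitlines():
        # Blank lines, indented continuation lines and comments carry no keyword.
        if not raw.strip() or raw[0].isspace() or raw.startswith("#"):
            continue
        parts = raw.split(None, 1)
        if len(parts) == 2:
            found.setdefault(parts[0].lower(), parts[1].strip())  # first database wins
    return found


def smb_global(text):
    """Return the [global] parameters of smb.conf text.

    Parameter names are compared the way smb.conf treats them: case and
    whitespace inside the name are ignored, so the key is stored squeezed.
    """
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params


def audit(slapd_text, nss_text, smb_text):
    """Return sorted (code, source) findings for the three configuration texts."""
    slapd, nss = keyword_file(slapd_text), keyword_file(nss_text)
    smb = smb_global(smb_text)
    rootdn = norm_dn(slapd["rootdn"]) if "rootdn" in slapd else None
    binds = {
        "nss_ldap: binddn": nss.get("binddn"),
        "nss_ldap: rootbinddn": nss.get("rootbinddn"),
        "samba: ldap admin dn": smb.get("ldapadmindn"),
    }
    binds = {src: norm_dn(dn) for src, dn in binds.items() if dn}
    findings = []
    for src, dn in binds.items():
        if dn == rootdn:
            # A client that binds as rootdn bypasses every ACL in the directory.
            findings.append(("BINDS_AS_ROOTDN", src))
    samba_dn = binds.get("samba: ldap admin dn")
    for src, dn in binds.items():
        if src.startswith("nss_ldap") and dn == samba_dn:
            # NSS only reads; sharing Samba's DN hands it Samba's write access.
            findings.append(("SHARED_WITH_SAMBA", src))
    return sorted(findings)


if __name__ == "__main__":
    for label, nss, smb in (("weak", WEAK_NSS, WEAK_SMB), ("hardened", HARD_NSS, HARD_SMB)):
        print(label, audit(SLAPD_CONF, nss, smb) or "no findings")
```

A clean result only shows that the bind identities are distinct from each other and from the rootdn; what each DN may read or write is still decided by the ACLs in the directory server.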


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread Graham Leggett
Adam Williams wrote:

 I've been configuring Samba and LDAP services for years;  my
 interpretation of the travails of many newer users is that they don't
 grasp the divisions between the relevant subsystems: LDAP, NSS, SAMBA,
 etc...

This is largely because the distinctions are not clear. It should not be
necessary for a Samba installation to take days, as this one has, even 
by an experienced Unix administrator, as I am. I have had significant 
experience with LDAP, but not with Samba and LDAP together, and I am 
still struggling.

 No, it is pretty clearly stated that Samba relies on the NSS layer to be
 working correctly

I am sure it's clearly stated - somewhere. I didn't see it in the docs I
was reading though.

  Which leads me on to ask: Why does
  Samba not read the LDAP configuration from ldap.conf by default, instead
  of asking for the same information a second time?

 Because the filters, bases, etc... that Samba uses may be necessarily
 different than the ones NSS uses.  NSS may be able to see content that
 Samba can not.

Which brings me back to too much rope. Yes, about 1% of admins are
going to want a complex system, and might want to have setups where the 
Samba attributes and the posix attributes are read by different users, 
but 99% of cases will be where there is a system user of some kind 
that can query the directory. I see no need for the posix subsystem and 
the samba subsystem to use separate LDAP accounts.

What Samba should do by default is read LDAP parameters from ldap.conf, 
with the option to override the parameters if the admin so chooses, thus 
making Samba easy and straightforward for the admin to use out the box.

 You're ASSUMING that the passwords are the same.  I expect they are not in
 most large installations, and should not be in any installation.  NSS
 needs to read, but never write, particular information.  Samba needs to
 access different information and should not have access to data it
 doesn't need, and certainly shouldn't have write access to data it
 doesn't need to modify.  Neither NSS nor Samba should be using the
 manager dn.

And you are assuming they are different. Why should the system be any
more complex than it needs to be?

The pam_ldap stuff is really simple. It defines a DN to bind to to 
perform everyday user based read only searches, as well as a DN to 
bind to when doing potential admin work requiring write access, such as 
changing passwords or adding users. Defining different DNs to the above 
for Samba to do almost identical tasks is just making the job harder 
than it needs to be.

 You're not obligated to use smbldap-tools,  but I won't argue with you on
 that one.  I'm not a big fan.

Are there alternatives?

  2) Too Much Rope
  When users / groups / etc are added to Samba via the normal Windows
  ...
  To have to learn perl before you can configure something as mainstream
  as Samba means that something has been designed wrong.

 You can write your own scripts in anything you like.  We are currently
 writing a set of modules/scripts in C#.

There are many things I can do with Samba, the majority of which are
simply not worth doing - I could just deploy a Windows machine and 
achieve the task at hand in one tenth of the time, and just put up with 
the instability of the platform. The unnecessary complexity of the 
typical Samba installation negates most of the advantages of Samba's 
stability, because problems introduced by complexity are experienced as 
stability problems, and we're back to square one.

Samba's usability is a big issue - An admin cannot be expected to take 
days of research, hours and hours of reading manuals, and the obligatory 
trips to Google to achieve what a Windows admin can do in a few clicks 
of a mouse.

Regards,
Graham


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread Graham Leggett
John H Terpstra wrote:

  Samba's LDAP configuration exists in the smb.conf file. pam_ldap /
  nss_ldap's configuration exists in the ldap.conf file.

 Samba works with OpenLDAP, Sun iPlanet (Identity Server), IBM Tivoli
 Directory server, CA's product, Novell eDirectory, etc. So precisely how
 do you suggest we integrate all of these plus Samba so there is no
 duplication _AND_ so that the resulting code can be maintained?

All the software you've listed are LDAP servers, I was referring to
nss_ldap, an LDAP client whose config is found in /etc/ldap.conf, which 
as you explain below is required for a proper functioning Samba + LDAP 
system.

I understand that nss_ldap runs on a number of platforms, which means it 
is reasonably safe to assume that /etc/ldap.conf will be there, and if 
it's not there, the existing LDAP config directives can be used as a 
fallback, or Samba can be taught other places to look for the system's 
LDAP config.

 In my opinion, Samba has to remain independent of ALL system tools.

I agree, but Samba requires nss_ldap - if Samba is to maintain a
separate LDAP config from nss_ldap, then I would say that Samba should 
not need the services of nss_ldap - it should be able to query this 
information for itself.

 Given that Samba is Open Source software, who has responsibility to affect
 perfect integration? How will all the projects get integrated security and
 authentication support?

 Just remember:
 - The Samba-Team is not a massive corporation
 - We do not control any other project we may depend on

 So precisely HOW can we solve all these difficulties? I can not provide a
 better answer, other than the need for Open Source and Commercial open
 public software standards - something I am already working towards
 privately.

By starting to address the fact that Samba is IMHO unnecessarily
complex. Work should be done on finding ways to simplify the config and 
the operation of Samba, by looking for duplication and over-complex 
elements, and finding elegant ways to simplify them. Samba's ability to 
perform useful things doesn't amount to anything, if it takes a PHD to 
figure out how those useful things work.

 The HOWTO is a document that aims to expound HOW the tools can be used.
 The Samba-3 by Example book aims to provide working solutions. It is
 unrealistic to attempt to do both in one book. Even as it is, the HOWTO is
 too big. The major improvement I have planned for the HOWTO is improved
 indexing - in time this will happen. As to content - please contribute.

I think it would be far more valuable to spend time simplifying the
software rather than trying to add even more documentation, of which 
there is already a significant amount.

Regards,
Graham


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread John H Terpstra
On Wed, 10 Mar 2004, Graham Leggett wrote:

 Adam Williams wrote:

  I've been configuring Samba and LDAP services for years;  my
  interpretation of the travails of many newer users is that they don't
  grasp the divisions between the relevant subsystems: LDAP, NSS, SAMBA,
  etc...

 This is largely because the distinctions are not clear. It should not be
 necessary for a Samba installation to take days, as this one has, even
 by an experienced Unix administrator, as I am. I have had significant
 experience with LDAP, but not with Samba and LDAP together, and I am
 still struggling.

We feel your learning curve pain with you. How can we solve this? What
specifically should be done to eliminate the pain? Who should do this and
how?

You may want to take this discussion to Samba-Technical. Better still,
come along to the SambaXP Conference in Germany:
(see: http://www.sambaxp.org)
Bring it up there and get access to a forum that can materially affect a
solution to this problem.


  No, it is pretty clearly stated that Samba relies on the NSS layer to be
  working correctly

 I am sure it's clearly stated - somewhere. I didn't see it in the docs I
 was reading though.

 Which leads me on to ask: Why does
 Samba not read the LDAP configuration from ldap.conf by default, instead
 of asking for the same information a second time?

  Because the filters, bases, etc... that Samba uses may be necessarily
  different than the ones NSS uses.  NSS may be able to see content that
  Samba can not.

 Which brings me back to too much rope. Yes, about 1% of admins are
 going to want a complex system, and might want to have setups where the
 Samba attributes and the posix attributes are read by different users,
 but 99% of cases will be where there is a system user of some kind
 that can query the directory. I see no need for the posix subsystem and
 the samba subsystem to use separate LDAP accounts.

 What Samba should do by default is read LDAP parameters from ldap.conf,
 with the option to override the parameters if the admin so chooses, thus
 making Samba easy and straightforward for the admin to use out the box.

You are assuming that Samba only needs to work with OpenLDAP. You are also
assuming that ALL OpenLDAP configurations use the same directory
structure. Too many assumptions. How can we implement a universal
solution? What must we do to arrive at nirvana?


  You're ASSUMING that the passwords are the same.  I expect they are not in
  most large installations, and should not be in any installation.  NSS
  needs to read, but never write, particular information.  Samba needs to
  access different information and should not have access to data it
  doesn't need, and certainly shouldn't have write access to data it
  doesn't need to modify.  Neither NSS nor Samba should be using the
  manager dn.

 And you are assuming they are different. Why should the system be any
 more complex than it needs to be?

That is an administrator decision that Samba can not impose.


 The pam_ldap stuff is really simple. It defines a DN to bind to to
 perform everyday user based read only searches, as well as a DN to
 bind to when doing potential admin work requiring write access, such as
 changing passwords or adding users. Defining different DNs to the above
 for Samba to do almost identical tasks is just making the job harder
 than it needs to be.

Again, your assumption is that Samba only needs to work with OpenLDAP.
Samba has to work with many LDAP servers. This adds considerable
complexity.


  You're not obligated to use smbldap-tools,  but I won't argue with you on
  that one.  I'm not a big fan.

 Are there alternatives?

Yes. Discussed in the Samba-3 by Example book - which will be released to
open source as soon as I get the OK to do so.


 2) Too Much Rope
 When users / groups / etc are added to Samba via the normal Windows
 ...
 To have to learn perl before you can configure something as mainstream
 as Samba means that something has been designed wrong.

  You can write your own scripts in anything you like.  We are currently
  writing a set of modules/scripts in C#.

 There are many things I can do with Samba, the majority of which are
 simply not worth doing - I could just deploy a Windows machine and
 achieve the task at hand in one tenth of the time, and just put up with
 the instability of the platform. The unnecessary complexity of the
 typical Samba installation negates most of the advantages of Samba's
 stability, because problems introduced by complexity are experienced as
 stability problems, and we're back to square one.

And every constraint we put into Samba results in feedback that we just
lost another user site because we have tightened the noose. This is open
source software. We try NOT to limit the usability of Samba.


 Samba's usability is a big issue - An admin cannot be expected to take
 days of research, hours and hours of reading manuals, and the obligatory
 trips to Google to achieve what a 

Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread John H Terpstra
On Wed, 10 Mar 2004, Graham Leggett wrote:

 John H Terpstra wrote:

 Samba's LDAP configuration exists in the smb.conf file. pam_ldap /
 nss_ldap's configuration exists in the ldap.conf file.

  Samba works with OpenLDAP, Sun iPlanet (Identity Server), IBM Tivoli
  Directory server, CA's product, Novell eDirectory, etc. So precisely how
  do you suggest we integrate all of these plus Samba so there is no
  duplication _AND_ so that the resulting code can be maintained?

 All the software you've listed are LDAP servers, I was referring to
 nss_ldap, an LDAP client whose config is found in /etc/ldap.conf, which
 as you explain below is required for a proper functioning Samba + LDAP
 system.

 I understand that nss_ldap runs on a number of platforms, which means it
 is reasonably safe to assume that /etc/ldap.conf will be there, and if
 it's not there, the existing LDAP config directives can be used as a
 fallback, or Samba can be taught other places to look for the system's
 LDAP config.

This gets very complex. The nss_ldap ldap.conf file has so far been
located in:
/etc/ldap.conf
/etc/openldap/ldap.conf
/opt/nss_ldap/ldap.con
/lib/nss_ldap/ldap.con
/usr/local/etc/ldap.conf

just from sites and systems I have had to deal with.


  In my opinion, Samba has to remain independent of ALL system tools.

 I agree, but Samba requires nss_ldap - if Samba is to maintain a
 separate LDAP config from nss_ldap, then I would say that Samba should
 not need the services of nss_ldap - it should be able to query this
 information for itself.

Nope. I covered that already. If Samba deals with identity resolution
directly then that will impose a priority that may invalidate particular
site needs to use NIS or some other form of identity resolution. Consider
the site that wants NSS operation:

passwd: ldap files nis winbind

A premeditated Samba based solution adds complexity and limits use. What
we have now permits the administrator to use this type of solution.


  Given that Samba is Open Source software, who has responsibility to affect
  perfect integration? How will all the projects get integrated security and
  authentication support?
 
  Just remember:
  - The Samba-Team is not a massive corporation
  - We do not control any other project we may depend on
 
  So precisely HOW can we solve all these difficulties? I can not provide a
  better answer, other than the need for Open Source and Commercial open
  public software standards - something I am already working towards
  privately.

 By starting to address the fact that Samba is IMHO unnecessarily
 complex. Work should be done on finding ways to simplify the config and
 the operation of Samba, by looking for duplication and over-complex
 elements, and finding elegant ways to simplify them. Samba's ability to
 perform useful things doesn't amount to anything, if it takes a PHD to
 figure out how those useful things work.

In fairness, I believe the Samba-Team are doing this all the time. But
every time we add functionality it takes a while to arrive at sensible
defaults. Just look over the history of the project - you will see that
many things that once had to be configured now default to sensible values.
We are addressing specifically new bleeding edge issues here.


  The HOWTO is a document that aims to expound HOW the tools can be used.
  The Samba-3 by Example book aims to provide working solutions. It is
  unrealistic to attempt to do both in one book. Even as it is, the HOWTO is
  too big. The major improvement I have planned for the HOWTO is improved
  indexing - in time this will happen. As to content - please contribute.

 I think it would be far more valuable to spend time simplifying the
 software rather than trying to add even more documentation, of which
 there is already a significant amount.

That is happening, as I said above. Each of us who contributes to Samba
has to find some way to sustain our activities. I would encourage you to
contribute both ideas and code as your circumstances permit.

I appreciate the voice you have given this.

Cheers,
John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread Graham Leggett
John H Terpstra wrote:

 We feel your learning curve pain with you. How can we solve this? What
 specifically should be done to eliminate the pain? Who should do this and
 how?

Simplify simply simplify - Henry David Thoreau.

 You are assuming that Samba only needs to work with OpenLDAP.

Not so:

[EMAIL PROTECTED] root]# rpm -q -f /etc/ldap.conf
nss_ldap-207-5
The config file to which I refer is part of nss_ldap, and has nothing to 
do with OpenLDAP whatsoever.

 You are also
 assuming that ALL OpenLDAP configurations use the same directory
 structure. Too many assumptions. How can we implement a universal
 solution? What must we do to arrive at nirvana?

1) Eliminate the duplication through the use of sensible defaults.

A sensible default for most of the LDAP setup is to read it from 
/etc/ldap.conf, or wherever else this file lives on other platforms.

If Samba has a dependency on nss_ldap, it makes sense to use the
information in nss_ldap's config files.

2) Have sensible config files

None of the ldap config directives appear in the default smb.conf file 
as shipped with v3.0.2 (which could be Redhat's idea, I don't know). So 
to set up LDAP, it's off to the HOWTO.

Much of the setup pain can be largely reduced if config directives lived 
in the config file commented out, ready to be put into action if the 
admin so wanted, along with some sensible comments explaining what each
one does.

An example of such a config appears in the HOWTO, but it's incomplete, 
as it excludes any mention of the add * script parameters. The first 
time I heard they existed was when you asked if I had set them up on 
this list.

  And you are assuming they are different. Why should the system be any
  more complex than it needs to be?

 That is an administrator decision that Samba can not impose.

Samba need not impose, but through a sensible default, it can suggest a
recommended configuration.

I find it very frustrating when I get to configure some software and it
tells me "so what would you like to do?". Being a new user of that
software, my most sensible answer is "what would you recommend I do?".
To which the software replies "anything at all, I can do anything at all".

Samba + LDAP is usually practically deployed with a third party LDAP 
maintenance package. If a suggested layout for the LDAP server existed 
that made it easier for the maintenance package and Samba to be looking 
in the same place for things, it would save the administrator a lot of 
time. Yes, I would like the rope to be able to change my mind, if I 
didn't agree with the layout of the directory by default, however I want 
at least a suggested default layout so I can start with something.

 And every constraint we put into Samba results in feedback that we just
 lost another user site because we have tightened the noose. This is open
 source software. We try NOT to limit the usability of Samba.

How many sites has Samba lost simply because the admin couldn't get
their head around the software in a reasonable amount of time? There are 
other solutions available in the marketplace, with their own advantages 
and disadvantages.

 Then suggest a better solution please.

1) Sensible defaults
2) Elimination of duplicated config where possible, with the option to 
override this behaviour if the admin needs to
3) Elimination of hacks to add users, instead having a proper user 
adding component built into Samba, that can be enabled if needed.
4) Be consistent. The default LDAP layout for Samba in the HOWTO, and
the default layout for smbldap-tools do not seem to be the same (though 
my perl is bad, so I'm not sure).

Regards,
Graham


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread Adam Williams
  We feel your learning curve pain with you. How can we solve this? What
  specifically should be done to eliminate the pain? Who should do this and
  how?
 Simplify simply simplify - Henry David Thoreau.
  You are assuming that Samba only needs to work with OpenLDAP.
 [EMAIL PROTECTED] root]# rpm -q -f /etc/ldap.conf
 nss_ldap-207-5
 The config file to which I refer is part of nss_ldap, and has nothing to 
 do with OpenLDAP whatsoever.

And some platforms (AIX and others) don't have that file at all.

One possible solution is the use of SRV records.  NSS supports these for
automatically locating the appropriate DSA(s), in which case
/etc/ldap.conf can be eliminated altogether.

Hey, why can't Samba locate a DSA using SRV and load its entire config
from the DSA? :)  And eliminate smb.conf.

  assuming that ALL OpenLDAP configurations use the same directory
  structure. Too many assumptions. How can we implement a universal
  solution? What must we do to arrive at nirvana?
 1) Eliminate the duplication through the use of sensible defaults.
 A sensible default for most of the LDAP setup is to read it from 
 /etc/ldap.conf, or wherever else this file lives on other platforms.

If you're on Linux using OpenLDAP libraries installed from standard
packages.  That would be a surprisingly small percentage of cases I
suspect.

 None of the ldap config directives appear in the default smb.conf file 
 as shipped with v3.0.2 (which could be Redhat's idea, I don't know). So 
 to set up LDAP, it's off to the HOWTO.

Yep, that default file is the distribution's thing.

 An example of such a config appears in the HOWTO, but it's incomplete, 
 as it excludes any mention of the add * script parameters. The first 
 time I heard they existed was when you asked if I had set them up on 
 this list.

I just have to disagree, I think the add * scripts are featured rather
prominently in the HOWTO collection.

 And you are assuming they are different. Why should the system be any
 more complex than it needs to be?

Security.  NSS has no reason to ever modify the DSA contents,  Samba
does - that alone makes them radically different.

 How many sites has Samba lost simply because the admin couldn't get 
 their head around the software in a reasonable amount of time? There are 
 other solutions available in the marketplace, with their own advantages 
 and disadvantages.

Just FYI,  I spent six months just reading and studying LDAP, then nine
months just building the directory services infrastructure, and THEN
added Samba (that was 2.2.1a + a patch, the first LDAP enabled Samba). 
And I thought that timeline was pretty tight.  This is not simple
stuff,  lots of NT admins are still fighting with the migration to
Active Directory, and ask any old Novell-ites about the move to NDS.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread Adam Williams
 I find it very frustrating when I get to configure some software and it 
 tells me "so what would you like to do?". Being a new user of that 
 software, my most sensible answer is "what would you recommend I do?". 
 To which the software replies "anything at all, I can do anything at all".
 Samba + LDAP is usually practically deployed with a third party LDAP 
 maintenance package. If a suggested layout for the LDAP server existed 
 that made it easier for the maintenance package and Samba to be looking 
 in the same place for things, it would save the administrator a lot of 
 time. Yes, I would like the rope to be able to change my mind, if I 
 didn't agree with the layout of the directory by default, however I want 
 at least a suggested default layout so I can start with something.

If you're interested in the layout of the DSA, etc... and some examples
you can look at -
ftp://ftp.kalamazoolinux.org/pub/pdf/EDManual.pdf
- that's a copy of most of our internal documentation.  The copy is old
at this point, but maybe helpful with such things.



Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread John Schmerold
A diagram would be nice.  Are you aware of any?  I'm one of the newbies
that has spent untold hours reading Official Samba-3 cover to cover,
reading howtos & sample configurations without getting an operational
LDAP system to show for my efforts.  I finally got a Qmail / Courier /
Squirrelmail / LDAP system up & running, but that's another story...
It should be clear to all of us that LDAP is an area of great interest
and dissatisfaction with regard to the SAMBA project.  For proof, count
the number of Samba List server messages that deal with LDAP. Just for
fun, I ran following Google search: http://tinyurl.com/3yfbk
Over 1000 messages were found.  I couldn't find another topic with same
number of hits.
Samba-3 by Example better be good!

Adam Williams wrote:

This is completely correct. It took me 6 weeks to document, test, and
validate Chapter 6 of Samba-3 by Example - and it took 50 or so pages to
sufficiently describe the steps that must be followed.
While entirely essential, documentation that is logical, comprehensive and
comprehensible is not a trivial process.
From my experience over the last few days trying to get Samba 
installed, I don't think the documentation is at fault - there are some 
basic design flaws in Samba that you only see if you come to Samba with 
new eyes, ie you haven't configured Samba + LDAP before.


I've been configuring Samba and LDAP services for years;  my
interpretation of the travails of many newer users is that they don't
grasp the divisions between the relevant subsystems: LDAP, NSS, SAMBA,
etc...

1) Duplicated configuration
Samba's LDAP configuration exists in the smb.conf file. pam_ldap / 
nss_ldap's configuration exists in the ldap.conf file.
As these are two separate config files, what this tells me as a new user 
of Samba, is that Samba's LDAP handling is completely independent of 
nss_ldap's LDAP handling.


No, it is pretty clearly stated that Samba relies on the NSS layer to be
working correctly - hence the need for an /etc/passwd entry, or a
posixAccount in LDAP, or a NIS entry, {insert wherever UID Number comes
from}, etc...  This is why there is a winbind NSS module.
Maybe what we need is a good diagram.


I learn however that this is _not_ so - if nss_ldap is not configured 
correctly, Samba + LDAP won't work. 


Neither will much of anything else.


Which leads me on to ask: Why does 
Samba not read the LDAP configuration from ldap.conf by default, instead 
of asking for the same information a second time?


Because the filters, bases, etc... that Samba uses may be necessarily
different than the ones NSS uses.  NSS may be able to see content that
Samba can not.

This is also a security issue - the root DN password for the LDAP server 
is stored twice. It is also a usability issue - six months from now is 
my replacement going to know that the LDAP password needs to be set in 
two places? Of course not.


You're ASSUMING that the passwords are the same.  I expect they are not in
most large installations, and should not be in any installation.  NSS
needs to read, but never write, particular information.  Samba needs to
access different information and should not have access to data it
doesn't need, and certainly shouldn't have write access to data it
doesn't need to modify.  Neither NSS nor Samba should be using the
manager dn.

Then comes smbldap-tools. This package is written in perl, which has all 
sorts of magic string handling available, to extract the info it needs 
from either ldap.conf or smb.conf. But instead - it has its own config 
file, with its own definition of the LDAP server contact details, and a 
_third_ copy of the LDAP root DN password. At this point, security is 
out the window, as is any hope that I will remember how the password is 
changed six months down the line.


You're not obligated to use smbldap-tools,  but I won't argue with you on
that one.  I'm not a big fan.

2) Too Much Rope
When users / groups / etc are added to Samba via the normal Windows 
...
To have to learn perl before you can configure something as mainstream 
as Samba means that something has been designed wrong.


You can write your own scripts in anything you like.  We are currently
writing a set of modules/scripts in C#.

Note: I am not pointing these things out so as to knock developers of a 
piece of software that once it's configured correctly, works great. I am 
pointing these things out because as a developer, it is hard to 
anticipate the approach that will be taken by a new user of the 
software, as opposed to an experienced user of the software.
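
The separation argued for in the reply above (distinct bind DNs for NSS and Samba, neither of them the manager DN) can be checked mechanically. The following is an added example, not code from the thread or from the Samba project; the sample file contents, the `ou=DSA` service DNs and the `$binddn` variable name in smbldap_conf.pm are assumptions.

```python
import re

# Constructed sample files (assumptions, not taken from the thread).
SLAPD_CONF = 'suffix "dc=example,dc=org"\nrootdn "cn=Manager,dc=example,dc=org"\n'
SMB_CONF = """[global]
passdb backend = ldapsam:ldap://localhost
ldap suffix = dc=example,dc=org
ldap admin dn = cn=Manager,dc=example,dc=org
"""
NSS_LDAP_CONF = """host 127.0.0.1
base dc=example,dc=org
binddn cn=Manager,dc=example,dc=org
"""
SMBLDAP_CONF_PM = '''$suffix = "dc=example,dc=org";
$binddn = "cn=Manager,$suffix";
'''


def norm_dn(dn):
    """Crude DN normalisation: strip quotes, lower-case, drop spaces around ',' and '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip().strip('"')).lower()


def directives(text):
    """Parse 'keyword value' files (slapd.conf, nss_ldap's ldap.conf) into a dict."""
    out = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            out[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return out


def smb_params(text):
    """Parse 'name = value' lines of smb.conf (sections are ignored in this sketch)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and line[0] not in "#;[":
            key, _, value = line.partition("=")
            out[" ".join(key.lower().split())] = value.strip()
    return out


def perl_vars(text):
    """Parse simple '$name = "value";' assignments, expanding earlier $variables."""
    out = {}
    for m in re.finditer(r'^\s*\$(\w+)\s*=\s*"([^"]*)"\s*;', text, re.M):
        out[m.group(1)] = re.sub(
            r"\$(\w+)", lambda v: out.get(v.group(1), v.group(0)), m.group(2))
    return out


def audit(slapd, smb, nss, smbldap):
    """Return findings about bind DNs that are the rootdn or shared between consumers."""
    rootdn = norm_dn(directives(slapd).get("rootdn", ""))
    binds = [
        ("samba", smb_params(smb).get("ldap admin dn", "")),
        ("nss_ldap", directives(nss).get("binddn", "")),
        ("smbldap-tools", perl_vars(smbldap).get("binddn", "")),
    ]
    findings, seen = [], {}
    for who, dn in binds:
        dn = norm_dn(dn)
        if not dn:          # no bind DN configured: anonymous bind, nothing to compare
            continue
        if rootdn and dn == rootdn:
            findings.append("%s binds as the rootdn" % who)
        if dn in seen:
            findings.append("%s shares its bind DN with %s" % (who, seen[dn]))
        else:
            seen[dn] = who
    return findings


def hardened(text, role):
    """Constructed fix: give each consumer its own service DN instead of the manager."""
    return text.replace("cn=Manager", "cn=%s,ou=DSA" % role)


if __name__ == "__main__":
    for finding in audit(SLAPD_CONF, SMB_CONF, NSS_LDAP_CONF, SMBLDAP_CONF_PM):
        print("WEAK:", finding)
    fixed = audit(SLAPD_CONF, hardened(SMB_CONF, "samba"),
                  hardened(NSS_LDAP_CONF, "nss"), hardened(SMBLDAP_CONF_PM, "smbldap"))
    print("hardened findings:", fixed)
```

Separate DNs only help if the directory's ACLs then grant each DN no more than it needs, which this check does not inspect.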








Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread Diego Julian Remolina
 John H Terpstra wrote:

 Samba's LDAP configuration exists in the smb.conf file. pam_ldap /
 nss_ldap's configuration exists in the ldap.conf file.

  Samba works with OpenLDAP, Sun iPlanet (Identity Server), IBM Tivoli
  Directory server, CA's product, Novell eDirectory, etc. So precisely how
  do you suggest we integrate all of these plus Samba so there is no
  duplication _AND_ so that the resulting code can be maintained?

 All the software you've listed are LDAP servers, I was referring to
 nss_ldap, an LDAP client whose config is found in /etc/ldap.conf, which
 as you explain below is required for a proper functioning Samba + LDAP
 system.

 I understand that nss_ldap runs on a number of platforms, which means it
 is reasonably safe to assume that /etc/ldap.conf will be there, and if
 it's not there, the existing LDAP config directives can be used as a
 fallback, or Samba can be taught other places to look for the system's
 LDAP config.

No, it is not safe.  For example on a linux machine the original
ldap.conf that openldap uses is in /etc/openldap/ldap.conf while the one
that nss_ldap uses is in /etc/ldap.conf and if you install them both you
will see the two files are different.  So you need to link them together
or put the appropriate entries on both.

Also Solaris has its own implementation of nss_ldap and it uses:
/var/ldap/ldap_client_file which does not resemble at all your typical
ldap.conf.

I would say the best way to do it is to let the end user know that before
they install samba, they either need to have the machine that will be
doing samba correctly configured as an ldap client or warn them that all
uid/gid information on that machine must be the same in nis
(if that machine is part of a nis domain or locally in /etc/passwd
/etc/group) and ldap.

I noticed this problem while testing openldap/samba on my network.  My
test system is a server that is still a nis client.  And so if the ids are
not the same on things like group things break, like smbpasswd -a -m
and also other things like net groupmap add, etc because samba looks at
the  ids from nis and not the ones from ldap even if all the ldap info  is
correctly entered in the smb.conf file.

My $.2

Diego



  In my opinion, Samba has to remain independent of ALL system tools.

 I agree, but Samba requires nss_ldap - if Samba is to maintain a
 separate LDAP config from nss_ldap, then I would say that Samba should
 not need the services of nss_ldap - it should be able to query this
 information for itself.

  Given that Samba is Open Source software, who has responsibility to effect
  perfect integration? How will all the projects get integrated security and
  authentication support?
 
  Just remember:
  - The Samba-Team is not a massive corporation
  - We do not control any other project we may depend on
 
  So precisely HOW can we solve all these difficulties? I can not provide a
  better answer, other than the need for Open Source and Commercial open
  public software standards - something I am already working towards
  privately.

 By starting to address the fact that Samba is IMHO unnecessarily
 complex. Work should be done on finding ways to simplify the config and
 the operation of Samba, by looking for duplication and over-complex
 elements, and finding elegant ways to simplify them. Samba's ability to
 perform useful things doesn't amount to anything, if it takes a PHD to
 figure out how those useful things work.

  The HOWTO is a document that aims to expound HOW the tools can be used.
  The Samba-3 by Example book aims to provide working solutions. It is
  unrealistic to attempt to do both in one book. Even as it is, the HOWTO is
  too big. The major improvement I have planned for the HOWTO is improved
  indexing - in time this will happen. As to content - please contribute.

 I think it would be far more valuable to spend time simplifying the
 software rather than trying to add even more documentation, of which
 there is already a significant amount.

 Regards,
 Graham
 --



Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread Adam Williams
 A diagram would be nice.  Are you aware of any?  I'm one of the newbies
 that has spent untold hours reading Official Samba-3 cover to cover,
 reading howtos & sample configurations without getting an operational
 LDAP system to show for my efforts.  I finally got a Qmail / Courier /
 Squirrelmail / LDAP system up & running, but that's another story...
 It should be clear to all of us that LDAP is an area of great interest
 and dissatisfaction with regard to the SAMBA project.  

Maybe these links will help somebody

A lot of general LDAP information -
ftp://ftp.kalamazoolinux.org/pub/pdf/ldapv3.pdf

An example for laying out a directory, lots of notes on schema, and
some other stuff someone looking for conceptual ideas might find handy
(this is merely internal documentation made public). -
ftp://ftp.kalamazoolinux.org/pub/pdf/EDManual.pdf

This goes over all(?) the new ldap directives added in 3.0.x, was an
introduction to Samba 3.0.x for people running 2.2.x -
ftp://ftp.kalamazoolinux.org/pub/pdf/Samba3-WhatsNew.sxi.pdf

Not really relevant to LDAP but contains some pretty clever and
overlooked stuff (IMO anyway) -
ftp://ftp.kalamazoolinux.org/pub/pdf/AbusingWin32.pdf



Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread Jim C.
| I am sure it's clearly stated - somewhere. I didn't see it in the docs I
| was reading though.
I would LOVE a set of docs with lots of diagrams and fairly
comprehensive indices for doing lookups.  A picture truly is worth a
thousand words.  Ten thousand if you can find it in 30 seconds or less.
An HTML/htdig based concordance setup might help out the onliners and
could also be used as a basis for building really good indexes for DTF
(a book, i.e. Dead Tree Format).
Another trick I use is an email template.  I have one for Java
installation on Mandrake, for example.  I edit the templates as I answer
questions and that way I reduce the amount of actual writing I do.
A 'diagram contest' could be held with the offer of a reward of some
type for the person drawing the largest number of diagrams useful for
the docs.  Doesn't have to be anything huge.


Jim C.



Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread Norman Dressler
On Wednesday 10 March 2004 12:55 pm, Graham Leggett wrote:
 John H Terpstra wrote:
 Samba's LDAP configuration exists in the smb.conf file. pam_ldap /
 nss_ldap's configuration exists in the ldap.conf file.
 
  Samba works with OpenLDAP, Sun iPlanet (Identity Server), IBM Tivoli
  Directory server, CA's product, Novell eDirectory, etc. So precisely how
  do you suggest we integrate all of these plus Samba so there is no
  duplication _AND_ so that the resulting code can be maintained?

 All the software you've listed are LDAP servers, I was referring to
 nss_ldap, an LDAP client whose config is found in /etc/ldap.conf, which
 as you explain below is required for a proper functioning Samba + LDAP
 system.

 I understand that nss_ldap runs on a number of platforms, which means it
 is reasonably safe to assume that /etc/ldap.conf will be there, and if
 it's not there, the existing LDAP config directives can be used as a
 fallback, or Samba can be taught other places to look for the system's
 LDAP config.

  In my opinion, Samba has to remain independent of ALL system tools.

 I agree, but Samba requires nss_ldap - if Samba is to maintain a
 separate LDAP config from nss_ldap, then I would say that Samba should
 not need the services of nss_ldap - it should be able to query this
 information for itself.


I have to agree with Graham.  nss_ldap is a dependency for many reasons.  
First and foremost is to control access to your files at the unix level.  
Without relating the samba groups to posix groups in some fashion, you either 
have to open your files up to the world with no security or your users won't 
be able to access them.

As an example, Domain Users in the Samba world tells Samba that these users 
are part of its domain.  Fine, but without it corresponding as a posix group 
AND being recognized from the same repository like ldap (through nss_ldap), 
you won't access any files with that membership.  

I've always had to get my LDAP working on the OS level first, then work on the 
Samba side.

Norm


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread Jim C.
It does seem odd that there is no ./configure for smbldap.
It could be used to parse ldap.conf/smb.conf and reduce the number of
config files in the short term.
... and what about something like this:

Startup:
    Check for ldap changes in ldap.conf/smb.conf
        Rebuild the smbldap_conf.pm
    ELSE
        continue as normal
Shutdown:
    Perhaps save ldap state data, if necessary, for startup comparison?




Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread RRuegner
Graham Leggett wrote:

RRuegner wrote:

Hi, yes, the tools should be better described, as they are in the smb 
sources.
I found it very hard at my first ldap smb setup.
On the other hand, many setups are thinkable with ldap; a description
of the ldap populate is only one way (fast, working)
to come to a working smb ldap pdc.


The LDAP capability is very useful, which is why I am trying to solve 
the problems, but the lack of usability is a complete showstopper. I 
cannot install a system that if something goes wrong in six months time, 
nobody will have a clue on how to fix it.

I have been looking at the smbldap-tools package, and cannot believe at 
how difficult it is to set up. Most of the information in the 
smbldap_conf.pm file is already specified in the smb.conf file - this 
means that down the line when somebody else changes smb.conf, things 
will stop working, and they won't know why.

The functionality provided by smbldap-tools should be built into Samba
from scratch, I don't see why there is such a need to jump through hoops 
like this.

Regards,
Graham
--
Hi, as you heard, the new book is on the way. Samba is very dynamic these 
days, so I find that this is happening in a very short time if you think 
about how big the documentation work is.
I just set up a big smb ldap bdc vpn environment, and my failures gave me 
more understanding of ldap and windows.
But all the info is on the web right now, for sure in different places.
I had to read technet, the ldap faq and the idealix docs, so I am happy to 
see the book.
After all, I will have to write documentation for my setup, which will host 
over 500 users, but now that I have gone through all my failures I am not 
afraid to write it.
And I have to do it in German and in English. Have you ever tried to 
translate technical things into German? *grins*
Don't be afraid, all the stuff I tested worked very nicely, so push on with 
your work and make users happy with their brand new samba.
Regards


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread Craig White
On Wed, 2004-03-10 at 11:33, Graham Leggett wrote:
 John H Terpstra wrote:
 
  We feel your learning curve pain with you. How can we solve this? What
  specifically should be done to eliminate the pain? Who should do this and
  how?
 
 Simplify simply simplify - Henry David Thoreau.
 
  You are assuming that Samba only needs to work with OpenLDAP.
 
 Not so:
 
 [EMAIL PROTECTED] root]# rpm -q -f /etc/ldap.conf
 nss_ldap-207-5
 
 The config file to which I refer is part of nss_ldap, and has nothing to 
 do with OpenLDAP whatsoever.
 
   You are also
  assuming that ALL OpenLDAP configurations use the same directory
  structure. Too many assumptions. How can we implement a universal
  solution? What must we do to arrive at nirvana?
 
 1) Eliminate the duplication through the use of sensible defaults.
 
 A sensible default for most of the LDAP setup is to read it from 
 /etc/ldap.conf, or wherever else this file lives on other platforms.
 
 If Samba has a dependency on nss_ldap, it makes sense to use the 
 information in nss_ldap's config files.
 
 2) Have sensible config files
 
 None of the ldap config directives appear in the default smb.conf file 
 as shipped with v3.0.2 (which could be Redhat's idea, I don't know). So 
 to set up LDAP, it's off to the HOWTO.
 
 Much of the setup pain can be largely reduced if config directives lived 
 in the config file commented out, ready to be put into action if the 
 admin so wanted, along with some sensible comments explaining what each 
 one does.
 
 An example of such a config appears in the HOWTO, but it's incomplete, 
 as it excludes any mention of the add * script parameters. The first 
 time I heard they existed was when you asked if I had set them up on 
 this list.
 
 And you are assuming they are different. Why should the system be any
 more complex than it needs to be?
 
  That is an administrator decision that Samba can not impose.
 
 Samba need not impose, but through a sensible default, it can suggest a 
 recommended configuration.
 
 I find it very frustrating when I get to configure some software and it 
 tells me "so what would you like to do?". Being a new user of that 
 software, my most sensible answer is "what would you recommend I do?". 
 To which the software replies "anything at all, I can do anything at all".
 
 Samba + LDAP is usually practically deployed with a third party LDAP 
 maintenance package. If a suggested layout for the LDAP server existed 
 that made it easier for the maintenance package and Samba to be looking 
 in the same place for things, it would save the administrator a lot of 
 time. Yes, I would like the rope to be able to change my mind, if I 
 didn't agree with the layout of the directory by default, however I want 
 at least a suggested default layout so I can start with something.
 
  And every constraint we put into Samba results in feedback that we just
  lost another user site because we have tightened the noose. This is open
  source software. We try NOT to limit the usability of Samba.
 
 How many sites has Samba lost simply because the admin couldn't get 
 their head around the software in a reasonable amount of time? There are 
 other solutions available in the marketplace, with their own advantages 
 and disadvantages.
 
  Then suggest a better solution please.
 
 1) Sensible defaults
 2) Elimination of duplicated config where possible, with the option to 
 override this behaviour if the admin needs to
 3) Elimination of hacks to add users, instead having a proper user 
 adding component built into Samba, that can be enabled if needed.
 4) Be consistent. The default LDAP layout for Samba in the HOWTO, and 
 the default layout for smbldap-tools do not seem to be the same (though 
 my perl is bad, so I'm not sure).

I can tell by the volume of your messages that you feel that you have a
message worthy of delivery but I don't agree. You have bundled a lot of
your frustration with learning LDAP into Samba and Samba doesn't require
you to use LDAP at all.

If you used smbpasswd or tdb backend, you wouldn't be going through this
at all. I am amazed that I stupidly thought the same things that you
did...that I pretty much already knew samba 2.2x and that the changes in
3.0 would be minimal and all I needed was to get LDAP working with
samba. But LDAP is far more of a beast than I had ever dreamed and even
though it appears to be much of the same, samba 3 was a tremendous
upgrade to 2.2x - That meant all the things I assumed to be manageable
were not skills easily acquired at all. Finally, I took a week or so out
to learn LDAP and get that set up and authenticating before I worried
about integrating with Samba. I can't imagine many people having much
success trying to get both up and running simultaneously. I am presuming
that you are suffering from your own realistic expectations as I had to
suffer mine.

LDAP is an incredibly flexible, powerful and potent tool but it is not
easily mastered - not with openldap, not 

Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-10 Thread John H Terpstra
Craig,

Thanks for your well thought out illumination on this. Your comments are
right on.

I must confess that I was out to draw out from our users what their
experience and frustrations are. As you know, I encourage feedback.

Feedback demonstrates how users approach the problem of digging themselves
out of a dark hole.

While we are in a hole, there is no light and all logic escapes us.
Because we do not understand the right terms yet, we cannot find anything
that we might be looking for. Disparate software applications that are
completely un-related and do not work the way we want appear to violate
our sense of justice. In the end we want to get even with the foolhardy
critters that wrote the software.

One user wrote to me claiming that Samba is the first open source
application that forces its users to use LDAP. Well, you know that is not
true. LDAP seems like the right thing to replace MS Active Directory so
that proves that you need LDAP - so the thinking goes.

So in wrapping up, here is what I have learned from the feedback:

1. There is a need for two types of information:

- Purely informative about HOW something works

- Purely example of how to implement a solution

2. Example implementation information needs to be painfully clear and
comprehensive.

3. Just sending configuration files can actually aggravate someone's
problem. Example configuration files must be sent with clear "Do this,
then this, then this ..." type guidance.

4. One of the most important aspects of a book is the Index at the rear of
the book.

I hope that Samba-3 by Example will meet with more positive approval as
a result of implementing the lessons learned from feedback.

Now so far as changes to how Samba works goes, the forum for making any
points for adoption in Samba are:

a) The Samba-Technical mailing list ([EMAIL PROTECTED])
b) The #samba-technical IRC channel
c) Bug reports to https://bugzilla.samba.org

Oh, before I forget: If you absolutely want someone to seriously consider
your recommendations/bug report/complaints - Bugzilla is your vehicle.

Craig, again thanks for crystallizing the issues.

Cheers,
John T.


On Wed, 10 Mar 2004, Craig White wrote:

 I can tell by the volume of your messages that you feel that you have a
 message worthy of delivery but I don't agree. You have bundled a lot of
 your frustration with learning LDAP into Samba and Samba doesn't require
 you to use LDAP at all.

 If you used smbpasswd or tdb backend, you wouldn't be going through this
 at all. I am amazed that I stupidly thought the same things that you
 did...that I pretty much already knew samba 2.2x and that the changes in
 3.0 would be minimal and all I needed was to get LDAP working with
 samba. But LDAP is far more of a beast than I had ever dreamed and even
 though it appears to be much of the same, samba 3 was a tremendous
 upgrade to 2.2x - That meant all the things I assumed to be manageable
 were not skills easily acquired at all. Finally, I took a week or so out
 to learn LDAP and get that set up and authenticating before I worried
 about integrating with Samba. I can't imagine many people having much
 success trying to get both up and running simultaneously. I am presuming
 that you are suffering from your own realistic expectations as I had to
 suffer mine.

 LDAP is an incredibly flexible, powerful and potent tool but it is not
 easily mastered - not with openldap, not with SunOne, not with Windows.
 The expectation in all things LDAP is that the system administrator will
 take great pains to have a working system, a reasonably good
 understanding of ACL's for security, a plan for maintaining
 interactivity with the underlying authentication systems and the
 wherewithal to stitch LDAP together with other software that may
 require sips from the LDAP fountain. If you want easy, if you want total
 consistency so someone without knowledge can follow your footsteps 6
 months from now, you should be implementing Windows.

 smbldap tools isn't part of the samba software package, I believe you
 know this now so your criticism of the lack of documentation in the
 samba package was off base. A system administrator with knowledge of
 LDAP would understand that and most will write their own scripts because
 if there's one thing that's certain about LDAP implementations, there
 isn't much that is standard.

 Had you had a working knowledge of LDAP, your criticisms might be of
 some value but in light of the fact that you really want to vent about
 LDAP and how it integrates, its meaning is lost on this samba message
 base. You don't need to use LDAP to use Samba, in fact, the other
 backends (omitting sql for this discussion), will be much simpler and
 probably more to your liking.

 Your last bit of frustration about the consistency (or lack thereof)
 between smbldap-tools, smb.conf, ldap.conf is really more about your
 distro (RH AS 3) as they have configured the defaults (or failed 

[Samba] Samba and LDAP backend - howto docs problems?

2004-03-09 Thread Graham Leggett
Hi all,

I have followed the instructions at 
http://samba.mirror.ac.uk/samba/docs/man/passdb.html in an attempt to 
set up a Samba v3.0.2 (supplied by Redhat as part of RHEL v3.0) PDC.

I have got as far as trying to get a windows 2k box to join this new 
domain that I have created, however this fails with the error Logon 
failure: unknown user name or password.

Samba itself logs nothing of this failure.

Looking at the LDAP logs, I see that Samba is trying to do the following 
LDAP search: 
(&(&(uid=admin)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))

This search fails, because the ldif displayed in the howto does not 
include the sambaSamAccount objectclass in the admin object:

dn: cn=admin,ou=People,dc=quenya,dc=org
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz

Does anyone have any step by step instructions for getting a Win2k box 
to join a Samba domain that is known to work?

Regards,
Graham
--
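
The search in the post above can be replayed offline against the HOWTO's admin entry to see which assertions fail. This is an added example, not part of the original post or of Samba; the filter is written with the `&` operators that LDAP filter syntax requires, and the evaluator is a small subset of RFC 4515 (`&`, `|`, `!`, equality and presence) with case-insensitive matching as a simplification.

```python
import re

# Constructed from the post: the search seen in the LDAP log and the HOWTO's
# admin entry (the userPassword line is left out, the filter does not test it).
FILTER = "(&(&(uid=admin)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))"
LDIF = """\
dn: cn=admin,ou=People,dc=quenya,dc=org
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
"""

ATTR = re.compile(r"[A-Za-z][A-Za-z0-9;-]*$")


def parse_ldif_entry(text):
    """Return {attribute (lower-case): [values]} for one entry (no base64, no folding)."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def _parse(s, i):
    """Parse one parenthesised filter starting at offset i; return (node, next offset)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError("wrong number of operands for %r" % op)
        node = (op, children)
    else:
        end = s.find(")", i)
        attr, sep, value = s[i:end if end != -1 else len(s)].partition("=")
        if not sep or not ATTR.match(attr):
            raise ValueError("expected an operator or attr=value at offset %d" % i)
        node, i = ("=", attr, value), end
    if i < 0 or i >= len(s) or s[i] != ")":
        raise ValueError("unbalanced parentheses")
    return node, i + 1


def parse_filter(s):
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing data after filter at offset %d" % pos)
    return node


def evaluate(node, entry, failed):
    """Evaluate the filter tree; every leaf test that does not match is added to failed."""
    if node[0] == "=":
        _, attr, value = node
        values = entry.get(attr.lower(), [])
        ok = bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)
        if not ok:
            failed.append("%s=%s" % (attr, value))
        return ok
    op, children = node
    results = [evaluate(c, entry, failed) for c in children]  # no short-circuit
    if op == "&":
        return all(results)
    if op == "|":
        return any(results)
    return not results[0]


def explain(filter_text, ldif_text):
    """Return (matched, list of distinct failing leaf tests in filter order)."""
    failed = []
    matched = evaluate(parse_filter(filter_text), parse_ldif_entry(ldif_text), failed)
    return matched, list(dict.fromkeys(failed))


if __name__ == "__main__":
    print(explain(FILTER, LDIF))
```

The entry is addressed by `cn` and carries no `uid` attribute, so the `uid=admin` test fails alongside the objectClass test; a real sambaSamAccount entry also needs whatever attributes its schema requires, which this check does not model.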


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-09 Thread John H Terpstra
On Wed, 10 Mar 2004, Graham Leggett wrote:

 Hi all,

 I have followed the instructions at
 http://samba.mirror.ac.uk/samba/docs/man/passdb.html in an attempt to

Ok. I am one of the authors of that. It should work. Email me your
smb.conf file and I will try to help.

 set up a Samba v3.0.2 (supplied by Redhat as part of RHEL v3.0) PDC.

 I have got as far as trying to get a windows 2k box to join this new
 domain that I have created, however this fails with the error Logon
 failure: unknown user name or password.

 Samba itself logs nothing of this failure.

 Looking at the LDAP logs, I see that Samba is trying to do the following
 LDAP search:
 (&(&(uid=admin)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))

 This search fails, because the ldif displayed in the howto does not
 include the sambaSamAccount objectclass in the admin object:

 dn: cn=admin,ou=People,dc=quenya,dc=org
 cn: admin
 objectclass: top
 objectclass: organizationalRole
 objectclass: simpleSecurityObject
 userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz

 Does anyone have any step by step instructions for getting a Win2k box
 to join a Samba domain that is known to work?

Fully documented step-by-step instructions that work with SuSE and Red Hat
are in the new book Samba-3 by Example - can be ordered from Amazon.Com
now. Will ship starting March 26th.

Have you also checked chapter 2 of TOSHARG (The Official Samba-3 HOWTO and
Reference Guide)? While not as comprehensive as the new book, this chapter
was the seed that started the avalanche of the "Give us more ..." litany
that resulted in Samba-3 by Example.

Have you set up your scripts?
- add user script
- delete user script
- add machine script
- add group script
- delete group script
- add user to group script
- etc.

Have you test driven each manually to prove that it works?

Have you configured nss_ldap and proven that it works?
ie: getent passwd
getent group

Does:
pdbedit -Lw

list the users in the old smbpasswd format?

Many, many more questions ... what have you done to demonstrate that each
element of your configuration works?


Cheers,
John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-09 Thread Diego Julian Remolina
I also noticed this problem.  I do not know why it happens, but did
notice the following which may help:

I already have a few machines in an old samba-2.2.8 production
environment.  Those machines are already in dns, nis netgroups, etc.

My new samba 3.0.2a does not restrict to any hosts yet.  So if I run the
command:
/opt/local/samba/bin/smbpasswd -a -m mathpc22$
then it succeeds:
oak:/etc/openldap/ldif # /opt/local/samba/bin/smbpasswd -a -m mathpc22$
Added user mathpc22$.

while if I use a new hostname not listed in my dns/netgroups tables then
it fails:
oak:/tmp/samba-3.0.2/source # /opt/local/samba/bin/smbpasswd -a -m diego
Failed to initialise SAM_ACCOUNT for user diego$.
Failed to modify password entry for user diego$

I am leaving the office right now (oh man, it is 7pm, another 12 hour work
day), so I will try to find out if it wants the machine in dns or netgroups
and will post again to the list to let you know what I find out.

Diego

On Tue, 9 Mar 2004, John H Terpstra wrote:

 On Wed, 10 Mar 2004, Graham Leggett wrote:

  Hi all,
 
  I have followed the instructions at
  http://samba.mirror.ac.uk/samba/docs/man/passdb.html in an attempt to

 Ok. I am one of the authors of that. It should work. Email me your
 smb.conf file and I will try to help.

  set up a Samba v3.0.2 (supplied by Redhat as part of RHEL v3.0) PDC.
 
  I have got as far as trying to get a windows 2k box to join this new
  domain that I have created, however this fails with the error Logon
  failure: unknown user name or password.
 
  Samba itself logs nothing of this failure.
 
  Looking at the LDAP logs, I see that Samba is trying to do the following
  LDAP search:
  (&(&(uid=admin)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))
 
  This search fails, because the ldif displayed in the howto does not
  include the sambaSamAccount objectclass in the admin object:
 
  dn: cn=admin,ou=People,dc=quenya,dc=org
  cn: admin
  objectclass: top
  objectclass: organizationalRole
  objectclass: simpleSecurityObject
  userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
 
  Does anyone have any step by step instructions for getting a Win2k box
  to join a Samba domain that is known to work?

 Fully documented step-by-step instructions that work with SuSE and Red Hat
 are in the new book Samba-3 by Example - can be ordered from Amazon.Com
 now. Will ship starting March 26th.

 Have you also checked chapter 2 of TOSHARG (The Official Samba-3 HOWTO and
 Reference Guide)? While not as comprehensive as the new book, this chapter
 was the seed that started the avalanche of the "Give us more ..." litany
 that resulted in Samba-3 by Example.

 Have you set up your scripts?
   - add user script
   - delete user script
   - add machine script
   - add group script
   - delete group script
   - add user to group script
   - etc.

 Have you test driven each manually to prove that it works?

 Have you configured nss_ldap and proven that it works?
   ie: getent passwd
   getent group

 Does:
   pdbedit -Lw

 list the users in the old smbpasswd format?

 Many, many more questions ... what have you done to demonstrate that each
 element of your configuration works?


 Cheers,
 John T.
 --
 John H Terpstra
 Email: [EMAIL PROTECTED]


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-09 Thread Graham Leggett
John H Terpstra wrote:

 Looking at the LDAP logs, I see that Samba is trying to do the following
 LDAP search:
 (&(&(uid=admin)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))
 This search fails, because the ldif displayed in the howto does not
 include the sambaSamAccount objectclass in the admin object:

It seems the docs are describing setup for Samba v2.2, while I am using 
v3.0.

Are there docs for v3.0 anywhere?

 Have you also checked chapter 2 of TOSHARG (The Official Samba-3 HOWTO and
 Reference Guide)?

I think so. The docs I am looking at are at 
http://samba.mirror.ac.uk/samba/docs/man/, which is apparently what 
you're referring to, though the docs seem to be for v2.2.

 Have you set up your scripts?
 - add user script
 - delete user script
 - add machine script
 - add group script
 - delete group script
 - add user to group script
 - etc.
 Have you test driven each manually to prove that it works?

There is no reference to scripts in the docs for samldap, and I see no 
error messages saying that anything is missing.

 Have you configured nss_ldap and proven that it works?
 ie: getent passwd
 getent group

Not yet - I don't want to fiddle with anything unix wise until I get 
Samba working. Is it required for Samba to work?

 Does:
 pdbedit -Lw
 list the users in the old smbpasswd format?

No, it returns nothing (an empty list).

Regards,
Graham
--


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-09 Thread John H Terpstra
On Wed, 10 Mar 2004, Graham Leggett wrote:

 John H Terpstra wrote:

 Looking at the LDAP logs, I see that Samba is trying to do the following
 LDAP search:
 (&(&(uid=admin)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))
 
 This search fails, because the ldif displayed in the howto does not
 include the sambaSamAccount objectclass in the admin object:

 It seems the docs are describing setup for Samba v2.2, while I am using
 v3.0.

What in particular makes you think that these are Samba-2.2 docs? What
have we messed up this time?

- John T.

 Are there docs for v3.0 anywhere?

  Have you also checked chapter 2 of TOSHARG (The Official Samba-3 HOWTO and
  Reference Guide)?

 I think so. The docs I am looking at are at
 http://samba.mirror.ac.uk/samba/docs/man/, which is apparently what
 you're referring to, though the docs seem to be for v2.2.

  Have you set up your scripts?
  - add user script
  - delete user script
  - add machine script
  - add group script
  - delete group script
  - add user to group script
  - etc.
 
  Have you test driven each manually to prove that it works?

 There is no reference to scripts in the docs for samldap, and I see no
 error messages saying that anything is missing.

  Have you configured nss_ldap and proven that it works?
  ie: getent passwd
  getent group

 Not yet - I don't want to fiddle with anything unix wise until I get
 Samba working. Is it required for Samba to work?

  Does:
  pdbedit -Lw
 
  list the users in the old smbpasswd format?

 No, it returns nothing (an empty list).

 Regards,
 Graham
 --


-- 
John H Terpstra
Email: [EMAIL PROTECTED]


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-09 Thread Graham Leggett
John H Terpstra wrote:

What in particular makes you think that these are Samba-2.2 docs? What
have we messed up this time?
The docs refer to the sambaAccount objectclass, instead of the 
sambaSamAccount objectclass. In the migrating from v2.2 to v3.0 
section, it describes how the schema has changed from v2.2 to v3.0, and 
how sambaAccount is now sambaSamAccount. This is also confirmed in the 
v3.0 samba.schema file, which has deprecated sambaAccount.

In my case I am not doing any migration, but trying to install a v3.0 
PDC from scratch. I uncovered the migration docs by accident.

Regards,
Graham
--


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-09 Thread Norman Dressler
I had this problem too and found the solution.  In your LDAP directory, you 
should have a domain entry for your domain.  Make sure the sambaSID of that 
domain matches the first part of the sambaSID of the user you are using to 
connect with.  This is assuming you are using the new schema.

This can also be a symptom of not having the guest account properly mapped to 
a nobody or similar account.  Could also happen if you don't have a 'root' 
account in your ldap directory.  You must also have the proper configurations 
for the Domain groups like Domain Users and Domain Guests, etc.

As you can see, I had to learn the hard (best?) way -- trial and error.  I've 
been bitten by all of them at one time or another.

Norm



On Tuesday 09 March 2004 06:36 pm, John H Terpstra wrote:
 On Wed, 10 Mar 2004, Graham Leggett wrote:
  Hi all,
 
  I have followed the instructions at
  http://samba.mirror.ac.uk/samba/docs/man/passdb.html in an attempt to

 Ok. I am one of the authors of that. It should work. Email me your
 smb.conf file and I will try to help.

  set up a Samba v3.0.2 (supplied by Redhat as part of RHEL v3.0) PDC.
 
  I have got as far as trying to get a windows 2k box to join this new
  domain that I have created, however this fails with the error Logon
  failure: unknown user name or password.
 
  Samba itself logs nothing of this failure.
 
  Looking at the LDAP logs, I see that Samba is trying to do the following
  LDAP search:
  (&(&(uid=admin)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))
 
  This search fails, because the ldif displayed in the howto does not
  include the sambaSamAccount objectclass in the admin object:
 
  dn: cn=admin,ou=People,dc=quenya,dc=org
  cn: admin
  objectclass: top
  objectclass: organizationalRole
  objectclass: simpleSecurityObject
  userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
 
  Does anyone have any step by step instructions for getting a Win2k box
  to join a Samba domain that is known to work?

 Fully documented step-by-step instructions that work with SuSE and Red Hat
 are in the new book Samba-3 by Example - can be ordered from Amazon.Com
 now. Will ship starting March 26th.

 Have you also checked chapter 2 of TOSHARG (The Official Samba-3 HOWTO and
 Reference Guide)? While not as comprehensive as the new book, this chapter
 was the seed that started the avalanche of the "Give us more ..." litany
 that resulted in Samba-3 by Example.

 Have you set up your scripts?
   - add user script
   - delete user script
   - add machine script
   - add group script
   - delete group script
   - add user to group script
   - etc.

 Have you test driven each manually to prove that it works?

 Have you configured nss_ldap and proven that it works?
   ie: getent passwd
   getent group

 Does:
   pdbedit -Lw

 list the users in the old smbpasswd format?

 Many, many more questions ... what have you done to demonstrate that each
 element of your configuration works?


 Cheers,
 John T.
 --
 John H Terpstra
 Email: [EMAIL PROTECTED]
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
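
The SID consistency check described in the post above, as an added example that is not part of the original post or of Samba: it compares the domain part of each account's sambaSID with the sambaSID of the sambaDomain entry. The directory contents are constructed, attributes are simplified to single values, and the function names are hypothetical.

```python
# Constructed sample directory; every name and SID here is hypothetical.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ENTRIES = [
    {"dn": "sambaDomainName=EXAMPLE,dc=example,dc=org",
     "objectClass": ["sambaDomain"], "sambaSID": DOMAIN_SID},
    {"dn": "uid=root,ou=People,dc=example,dc=org",
     "objectClass": ["sambaSamAccount"], "sambaSID": DOMAIN_SID + "-1000"},
    {"dn": "uid=admin,ou=People,dc=example,dc=org",      # SID from another domain
     "objectClass": ["sambaSamAccount"],
     "sambaSID": "S-1-5-21-4444444444-5555555555-6666666666-1002"},
    {"dn": "uid=lookalike,ou=People,dc=example,dc=org",  # last sub-authority differs
     "objectClass": ["sambaSamAccount"], "sambaSID": DOMAIN_SID + "9-1004"},
    {"dn": "uid=nosid,ou=People,dc=example,dc=org",
     "objectClass": ["sambaSamAccount"]},
]

def has_class(entry, name):
    return name.lower() in (c.lower() for c in entry.get("objectClass", []))

def split_sid(sid):
    """Split 'S-1-...-RID' into (domain part, RID); None if missing or malformed."""
    parts = (sid or "").split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        return None
    return "-".join(parts[:-1]), int(parts[-1])

def audit_sids(entries):
    """Return [(dn, reason)] for accounts whose SID is not under a domain SID."""
    domains = {e.get("sambaSID") for e in entries if has_class(e, "sambaDomain")}
    if not domains:
        return [("(directory)", "no sambaDomain entry found")]
    problems = []
    for e in entries:
        if not has_class(e, "sambaSamAccount"):
            continue
        sid = split_sid(e.get("sambaSID"))
        if sid is None:
            problems.append((e["dn"], "missing or malformed sambaSID"))
        elif sid[0] not in domains:   # compare whole sub-authorities, not a prefix
            problems.append((e["dn"], "domain part %s matches no sambaDomain" % sid[0]))
    return problems

if __name__ == "__main__":
    for dn, reason in audit_sids(ENTRIES):
        print(dn, "->", reason)
```

The lookalike account would pass a plain string-prefix comparison against the domain SID; splitting on the sub-authorities is what catches it.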


Re: [Samba] Samba and LDAP backend - howto docs problems?

2004-03-09 Thread Amandeep
Hi
It happened to me for the windows xp and I had to install some patches 
to make it work... don't know for win 2k.

Aman

Graham Leggett wrote:

John H Terpstra wrote:

Looking at the LDAP logs, I see that Samba is trying to do the following
LDAP search:
(&(&(uid=admin)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))

This search fails, because the ldif displayed in the howto does not
include the sambaSamAccount objectclass in the admin object:

It seems the docs are describing setup for Samba v2.2, while I am 
using v3.0.

Are there docs for v3.0 anywhere?

Have you also checked chapter 2 of TOSHARG (The Official Samba-3 HOWTO and
Reference Guide)?


I think so. The docs I am looking at are at 
http://samba.mirror.ac.uk/samba/docs/man/, which is apparently what 
you're referring to, though the docs seem to be for v2.2.

Have you set up your scripts?
- add user script
- delete user script
- add machine script
- add group script
- delete group script
- add user to group script
- etc.
Have you test driven each manually to prove that it works?


There is no reference to scripts in the docs for samldap, and I see no 
error messages saying that anything is missing.

Have you configured nss_ldap and proven that it works?
ie: getent passwd
getent group


Not yet - I don't want to fiddle with anything unix wise until I get 
Samba working. Is it required for Samba to work?

Does:
pdbedit -Lw
list the users in the old smbpasswd format?


No, it returns nothing (an empty list).

Regards,
Graham
--

