Re: [Samba] Description of LDAP-attribute sambaSIDList
Thanks Tony, that really helped! :)

By syntax I mean something like this (openLDAP schema...but I need a version for Sun Directory Server 5.2).

attributeTypes: ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE X-ORIGIN 'user defined' )

I don't have an attribute called sambaSIDList...

By the way, what is GQ? I have created my own Perl scripts to do the things I want, have made into a nice webpage for our admin team to use! :)

Regards

Tony Earnshaw wrote:

> Daniel Wilson wrote:
>
>> So does this mean that everyone for example in GroupA could then also be a member of GroupB if you added GroupA's SID into GroupB's sambaSIDList...if so this would help us out so much as then we don't need to keep adding people into multiple groups!
>
> Yes, it does mean that. But this has also (always) been possible with Posix groups (a group can be a member of another group), for Unix/Linux groups. In this case, Hallvor Engen is saying that for Windows groups it can be done with group SIDs. I do it for OpenLDAP with Posix groups and MemberUid instead for Samba and that works just as well - where there's already a Posix group.
>
>> could you give me the syntax so I can update my schema file (we're using Sun Directory Server 5.2 as our LDAP backend...)
>
> I'm not sure what you mean by syntax. A group-mapping for the Posix group domadm might look like:
>
> dn: cn=domadm,ou=groups,ou=smb,dc=billy,dc=demon,dc=nl
> memberUid: Administrator
> memberUid: root
> memberUid: billy
> memberUid: tonni
> description: Local Unix group
> objectClass: top
> objectClass: posixGroup
> objectClass: uidObject
> objectClass: sambaGroupMapping
> uid: domadm
> cn: domadm
> sambaGroupType: 2
> sambaSID: S-1-5-21-18666911-1472750480-3707222013-512
> gidNumber: 5004
> displayName: Domain Admins
> sambaSIDList: S-1-5-21-18666911-1472750480-3707222013-3001
>
> where the value for the multi-value attribute sambaSIDList (there can be more than one attribute with different values) might be the SID for the Windows group Administrative Staff. That might be a pure Windows group and not be present as a Posix group.
>
> This ldif (in the form above) would most probably not be possible to generate on sites using the idealx scripts; I don't. And everybody would be far better off if they got and compiled GQ and played around with it, then they'd see this for themselves ;).
>
> --Tonni

--
Daniel Wilson
Systems Administrator
IT Communications Service
University of Sunderland
Unit 1a Technology Park
Chester Road
Sunderland SR2 7PT
Tel: 0191 515 2695

This e-mail contains information which is confidential and may be privileged and is for the exclusive use of the recipient. It is the responsibility of the recipient to ensure that this message and its attachments are virus free. Any views or opinions presented are solely those of the author and do not necessarily represent those of the University, unless otherwise specifically stated.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Description of LDAP-attribute sambaSIDList
Mon, 25.04.2005 at 15.50, Daniel Wilson wrote:

> Thanks Tony, that really helped! :)

Don't think it did :(

> By syntax I mean something like this (openLDAP schema...but I need a version for Sun Directory Server 5.2).

Hmmm ... I run Red Hat RHAS3. In my /usr/share/doc/samba-3.0.11/examples directory I have schemas for:

IBM-DS IBMSecureWay netscapeds4.x netscapeds5.x oc.IBM-DS

and presumably my own OpenLDAP 2.2

> attributeTypes: ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE X-ORIGIN 'user defined' )
>
> I don't have an attribute called sambaSIDList...

You'd presumably have to adapt one of the above to Sun Directory Server 5.2 schema format.

> By the way, what is GQ?

www.biot.com and jump. Hope it compiles for you ;) Does on Linux 2.4. Dunno, I don't (thank God) use Solaris any more on my sites.

> I have created my own Perl scripts to do the things I want, have made into a nice webpage for our admin team to use! :)

Up to you ;)

--Tonni

--
Nothing sucksseeds like a pigeon without a beak ...
mail: [EMAIL PROTECTED] http://www.billy.demon.nl
They'll love us, won't they? They feed us, don't they? ...
Re: [Samba] Description of LDAP-attribute sambaSIDList
Matthias Eichler wrote:

> [...]
>
>> We all can read. But sometimes we need others to help us to comprehend what it is that we are looking at. Have you considered that the OP is asking you for help to understand what it is he is looking at? Not how to look at it.
>>
>> Regards
>> Geoff Scott
>
> Ok, maybe I am just not really pointing at my problem:
> The post said
>
> ---cut---
> sambaSIDList
> Description: Security ID List
> Usage: User applications
> ---cut---
>
> and that it may be used in sambaGroupMapping-objects. Well, ok, I can list SIDs with this attribute in a Groupmapping, but what for?!? The group-object itself has a gidnumber for the unix side and a sid to map this for windows. For what do I need the sambaSIDList-attribute then?!? I really can't figure out what meaning User applications should have here for me.

Well, in a Norwegian language Samba-LDAP howto by Hallvor Engen (http://www.kvarteret.no/etjenesten/e-dok/howtos/howtos/ldap-howto.html) it says:

All Unix groups in LDAP can become Unix groups and vice versa. The most important point to recognize is that certain accounts (Domain Admins, Domain Users and Domain Guests) must /always/ exist, that one uses the attribute sambaSidList instead of the memberUid entries in order to list the members, and that both groups and users may be present in such a list.

Using a GUI tool such as GQ helps both to visualize this and to see what objectClasses contain what attributes (and the other way around).

[...]

--Tonni.

--
mail: [EMAIL PROTECTED] http://www.billy.demon.nl
They love us, don't they, They feed us, won't they ...
Re: [Samba] Description of LDAP-attribute sambaSIDList
So does this mean that everyone for example in GroupA could then also be a member of GroupB if you added GroupA's SID into GroupB's sambaSIDList...if so this would help us out so much as then we don't need to keep adding people into multiple groups!

could you give me the syntax so I can update my schema file (we're using Sun Directory Server 5.2 as our LDAP backend...)

Regards

Tony Earnshaw wrote:

> Matthias Eichler wrote:
>
>> [...]
>>
>>> We all can read. But sometimes we need others to help us to comprehend what it is that we are looking at. Have you considered that the OP is asking you for help to understand what it is he is looking at? Not how to look at it.
>>>
>>> Regards
>>> Geoff Scott
>>
>> Ok, maybe I am just not really pointing at my problem:
>> The post said
>>
>> ---cut---
>> sambaSIDList
>> Description: Security ID List
>> Usage: User applications
>> ---cut---
>>
>> and that it may be used in sambaGroupMapping-objects. Well, ok, I can list SIDs with this attribute in a Groupmapping, but what for?!? The group-object itself has a gidnumber for the unix side and a sid to map this for windows. For what do I need the sambaSIDList-attribute then?!? I really can't figure out what meaning User applications should have here for me.
>
> Well, in a Norwegian language Samba-LDAP howto by Hallvor Engen (http://www.kvarteret.no/etjenesten/e-dok/howtos/howtos/ldap-howto.html) it says:
>
> All Unix groups in LDAP can become Unix groups and vice versa. The most important point to recognize is that certain accounts (Domain Admins, Domain Users and Domain Guests) must /always/ exist, that one uses the attribute sambaSidList instead of the memberUid entries in order to list the members, and that both groups and users may be present in such a list.
>
> Using a GUI tool such as GQ helps both to visualize this and to see what objectClasses contain what attributes (and the other way around).
>
> [...]
>
> --Tonni.

--
Daniel Wilson
Systems Administrator
IT Communications Service
University of Sunderland
Unit 1a Technology Park
Chester Road
Sunderland SR2 7PT
Tel: 0191 515 2695
RE: [Samba] Description of LDAP-attribute sambaSIDList
On Friday, 22.04.2005, 15:53 +1000, Geoff Scott wrote:

> Tony Earnshaw wrote:
>
>> Thu, 21.04.2005 at 18.40, Matthias Eichler wrote:
>>
>>> Well thanks, but that's just the schema-file and does not really say what information is stored in that attribute...
>>
>> Nonsense.
>
> We all can read. But sometimes we need others to help us to comprehend what it is that we are looking at. Have you considered that the OP is asking you for help to understand what it is he is looking at? Not how to look at it.
>
> Regards
> Geoff Scott

Ok, maybe I am just not really pointing at my problem:
The post said

---cut---
sambaSIDList
Description: Security ID List
Usage: User applications
---cut---

and that it may be used in sambaGroupMapping-objects. Well, ok, I can list SIDs with this attribute in a Groupmapping, but what for?!? The group-object itself has a gidnumber for the unix side and a sid to map this for windows. For what do I need the sambaSIDList-attribute then?!? I really can't figure out what meaning User applications should have here for me.

Thanks for some explanation,
Matthias
Re: [Samba] Description of LDAP-attribute sambaSIDList
Daniel Wilson wrote:

> So does this mean that everyone for example in GroupA could then also be a member of GroupB if you added GroupA's SID into GroupB's sambaSIDList...if so this would help us out so much as then we don't need to keep adding people into multiple groups!

Yes, it does mean that. But this has also (always) been possible with Posix groups (a group can be a member of another group), for Unix/Linux groups. In this case, Hallvor Engen is saying that for Windows groups it can be done with group SIDs. I do it for OpenLDAP with Posix groups and MemberUid instead for Samba and that works just as well - where there's already a Posix group.

> could you give me the syntax so I can update my schema file (we're using Sun Directory Server 5.2 as our LDAP backend...)

I'm not sure what you mean by syntax. A group-mapping for the Posix group domadm might look like:

dn: cn=domadm,ou=groups,ou=smb,dc=billy,dc=demon,dc=nl
memberUid: Administrator
memberUid: root
memberUid: billy
memberUid: tonni
description: Local Unix group
objectClass: top
objectClass: posixGroup
objectClass: uidObject
objectClass: sambaGroupMapping
uid: domadm
cn: domadm
sambaGroupType: 2
sambaSID: S-1-5-21-18666911-1472750480-3707222013-512
gidNumber: 5004
displayName: Domain Admins
sambaSIDList: S-1-5-21-18666911-1472750480-3707222013-3001

where the value for the multi-value attribute sambaSIDList (there can be more than one attribute with different values) might be the SID for the Windows group Administrative Staff. That might be a pure Windows group and not be present as a Posix group.

This ldif (in the form above) would most probably not be possible to generate on sites using the idealx scripts; I don't. And everybody would be far better off if they got and compiled GQ and played around with it, then they'd see this for themselves ;).

--Tonni

--
mail: [EMAIL PROTECTED] http://www.billy.demon.nl
They love us, don't they, They feed us, won't they ...
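Added example (not part of the original thread and not Samba code): a small audit helper that expands a group's effective membership by following sambaSIDList references between sambaGroupMapping entries, the nesting described in the message above. The entries, SIDs and function names are constructed for illustration, and the resolution rule is an assumption taken from this thread's description of the attribute.

```python
# Constructed, abbreviated sample entries (not taken from a real directory).
SAMPLE_LDIF = """dn: cn=domadm,ou=groups,dc=example,dc=org
objectClass: sambaGroupMapping
cn: domadm
memberUid: root
sambaSID: S-1-5-21-1-2-3-512
sambaSIDList: S-1-5-21-1-2-3-3001

dn: cn=admstaff,ou=groups,dc=example,dc=org
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-1-2-3-3001
sambaSidList: S-1-5-21-1-2-3-1005
sambaSidList: S-1-5-21-1-2-3-512
sambaSidList: S-1-5-21-1-2-3-9999

dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
sambaSID: S-1-5-21-1-2-3-1005"""

def parse_ldif(text):
    # Plain LDIF only (no base64 values, no folded lines); attribute names lower-cased.
    entries = []
    for block in text.strip().split("\n\n"):
        entries.append({})
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entries[-1].setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def effective_members(entries, group_cn):
    # Follow sambaSIDList transitively; returns (member names, SIDs that did not resolve).
    is_group = lambda e: "sambaGroupMapping" in e.get("objectclass", [])
    by_sid = {e["sambasid"][0]: e for e in entries if "sambasid" in e}
    stack = [e for e in entries if is_group(e) and group_cn in e.get("cn", [])]
    members, unresolved, seen = set(), set(), set()
    while stack:
        group = stack.pop()
        seen.add(group["sambasid"][0])
        members.update(group.get("memberuid", []))
        for ref in group.get("sambasidlist", []):
            target = by_sid.get(ref)
            if target is None:
                unresolved.add(ref)        # malformed, or not present in this export
            elif not is_group(target):
                members.update(target.get("uid", [ref]))
            elif ref not in seen:          # groups can list each other: stop on cycles
                stack.append(target)
    return members, unresolved
```

Run over an export of the groups and people subtrees, the unresolved set lists SIDs that hold membership in a privileged group without a matching directory entry, which is the part worth reviewing by hand.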
Re: [Samba] Description of LDAP-attribute sambaSIDList
Thu, 21.04.2005 at 10.37, Matthias Eichler wrote:

> I found some new LDAP attributes in the latest samba.schema, that were definitely not there when setting up our environment. Unfortunately I can't find any description of these attributes, especially sambaSIDList. Does anybody have a definite description of that attribute, how it is used and how it should be administered, as the latest smbldap-tools do not use it...

Well, you should be using GQ then, as any savvy OpenLDAP sysadmin should. God knows how I'd manage OpenLDAP without GQ. Thanks Bert, thanks Peter, thanks (newly) David Malcolm.

sambaSIDList
Description: Security ID List
OID: 1.3.6.1.4.1.7165.2.1.51
Superior:
Usage: User applications
Equality: caseIgnoreIA5Match
Ordering:
Substrings:
Syntax { length }: 1.3.6.1.4.1.1466.115.121.1.26{64}
Used in objectclasses: sambaGroupMapping

Name: sambaGroupMapping
Description: Samba Group Mapping
OID: 1.3.6.1.4.1.7165.2.2.4
Superior: top
Kind: Auxiliary
required attributes: gidNumber sambaGroupType sambaSID
Allowed attributes: displayName description sambaSIDList

--Tonni

--
Nothing sucksseeds like a pigeon without a beak ...
mail: [EMAIL PROTECTED] http://www.billy.demon.nl
They love us, don't they, They feed us, won't they ...
Re: [Samba] Description of LDAP-attribute sambaSIDList
Well thanks, but that's just the schema-file and does not really say what information is stored in that attribute...

to be honest: gq?!?

Matthias

On Thursday, 21.04.2005, 17:48 +0200, Tony Earnshaw wrote:

> Thu, 21.04.2005 at 10.37, Matthias Eichler wrote:
>
>> I found some new LDAP attributes in the latest samba.schema, that were definitely not there when setting up our environment. Unfortunately I can't find any description of these attributes, especially sambaSIDList. Does anybody have a definite description of that attribute, how it is used and how it should be administered, as the latest smbldap-tools do not use it...
>
> Well, you should be using GQ then, as any savvy OpenLDAP sysadmin should. God knows how I'd manage OpenLDAP without GQ. Thanks Bert, thanks Peter, thanks (newly) David Malcolm.
>
> sambaSIDList
> Description: Security ID List
> OID: 1.3.6.1.4.1.7165.2.1.51
> Superior:
> Usage: User applications
> Equality: caseIgnoreIA5Match
> Ordering:
> Substrings:
> Syntax { length }: 1.3.6.1.4.1.1466.115.121.1.26{64}
> Used in objectclasses: sambaGroupMapping
>
> Name: sambaGroupMapping
> Description: Samba Group Mapping
> OID: 1.3.6.1.4.1.7165.2.2.4
> Superior: top
> Kind: Auxiliary
> required attributes: gidNumber sambaGroupType sambaSID
> Allowed attributes: displayName description sambaSIDList
>
> --Tonni
>
> --
> Nothing sucksseeds like a pigeon without a beak ...
> mail: [EMAIL PROTECTED] http://www.billy.demon.nl
> They love us, don't they, They feed us, won't they ...
Re: [Samba] Description of LDAP-attribute sambaSIDList
Thu, 21.04.2005 at 18.40, Matthias Eichler wrote:

> Well thanks, but that's just the schema-file and does not really say what information is stored in that attribute...

Nonsense.

> to be honest: gq?!?

You don't mean to be honest, you mean what is GQ and what does it do? We Google, don't we? From www.biot.com we jump. GQ is the definitive solution to questions such as yours, plus all definitive answers to the question: how do I manage my (Open)LDAP database?

--Tonni

--
Nothing sucksseeds like a pigeon without a beak ...
mail: [EMAIL PROTECTED] http://www.billy.demon.nl
They love us, don't they, They feed us, won't they ...
RE: [Samba] Description of LDAP-attribute sambaSIDList
Tony Earnshaw wrote:

> Thu, 21.04.2005 at 18.40, Matthias Eichler wrote:
>
>> Well thanks, but that's just the schema-file and does not really say what information is stored in that attribute...
>
> Nonsense.

We all can read. But sometimes we need others to help us to comprehend what it is that we are looking at. Have you considered that the OP is asking you for help to understand what it is he is looking at? Not how to look at it.

Regards
Geoff Scott