Re: [Samba] Description of LDAP-attribute sambaSIDList

2005-04-25 Thread Daniel Wilson
Thanks Tony, that really helped! :)
By syntax I mean something like this (OpenLDAP schema...but I need a 
version for Sun Directory Server 5.2).

attributeTypes: ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE X-ORIGIN 'user defined' )

I don't have an attribute called sambaSIDList...
By the way, what is GQ? I have created my own Perl scripts to do the 
things I want, have made into a nice webpage for our admin team to use! :)

Regards
Tony Earnshaw wrote:
Daniel Wilson wrote:
So does this mean that everyone for example in GroupA could then also 
be a member of GroupB if you added GroupA's SID into GroupB's 
sambaSIDList...if so this would help us out so much as then we don't 
need to keep adding people into multiple groups!

Yes, it does mean that. But this has also (always) been possible with 
Posix groups (a group can be a member of another group), for Unix/Linux 
groups. In this case, Hallvor Engen is saying that for Windows groups it 
can be done with group SIDs. I do it for OpenLDAP with Posix groups and 
MemberUid instead for Samba and that works just as well - where there's 
already a Posix group..

Could you give me the syntax so I can update my schema file (we're 
using Sun Directory Server 5.2 as our LDAP backend...)

I'm not sure what you mean by syntax.  A group-mapping for the Posix 
group domadm might look like:

dn: cn=domadm,ou=groups,ou=smb,dc=billy,dc=demon,dc=nl
memberUid: Administrator
memberUid: root
memberUid: billy
memberUid: tonni
description: Local Unix group
objectClass: top
objectClass: posixGroup
objectClass: uidObject
objectClass: sambaGroupMapping
uid: domadm
cn: domadm
sambaGroupType: 2
sambaSID: S-1-5-21-18666911-1472750480-3707222013-512
gidNumber: 5004
displayName: Domain Admins
sambaSIDList: S-1-5-21-18666911-1472750480-3707222013-3001
where the value for the multi-value attribute sambaSIDList (there can be 
more than one attribute with different values) might be the SID for the 
Windows group Administrative Staff. That might be a pure Windows group 
and not be present as a Posix group.

This ldif (in the form above) would most probably not be possible to 
generate on sites using the idealx scripts; I don't. And everybody would 
be far better off if they got and compiled GQ and played around with it, 
then they'd see this for themselves ;).

--Tonni
--

Daniel Wilson
Systems Administrator
IT  Communications Service
University of Sunderland
Unit 1a Technology Park
Chester Road
Sunderland
SR2 7PT
Tel: 0191 515 2695
This e-mail contains information which is confidential and may be 
privileged and is for the exclusive use of the recipient.
It is the responsibility of the recipient to ensure that this message 
and its attachments are virus free.
Any views or opinions presented are solely those of the author and do 
not necessarily represent those of the University, unless otherwise 
specifically
stated.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Description of LDAP-attribute sambaSIDList

2005-04-25 Thread Tony Earnshaw
Mon, 25.04.2005 at 15.50, Daniel Wilson wrote:

 Thanks Tony, that really helped! :)

Don't think it did :(

 By syntax I mean something like this (OpenLDAP schema...but I need a 
 version for Sun Directory Server 5.2).

Hmmm ... I run Red Hat RHAS3.  In my
/usr/share/doc/samba-3.0.11/examples directory I have schemas for:

IBM-DS
IBMSecureWay
netscapeds4.x
netscapeds5.x
oc.IBM-DS

and presumably my own OpenLDAP 2.2

 attributeTypes: ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE X-ORIGIN 'user defined' )
 
 I don't have an attribute called sambaSIDList...

You'd presumably have to adapt one of the above to sun Directory Server
5.2 schema format.

 By the way what is GQ?

www.biot.com and jump. Hope it compiles for you ;) Does on Linux 2.4.
Dunno, I don't (thank God) use Solaris any more on my sites.

  I have created my own Perl scripts to do the 
 things I want, have made into a nice webpage for our admin team to use! :)

Up to you ;)

--Tonni

-- 
Nothing sucksseeds like a pigeon without a beak ...

mail: [EMAIL PROTECTED]
http://www.billy.demon.nl
 
They'll love us, won't they? They feed us, don't they? ...



Re: [Samba] Description of LDAP-attribute sambaSIDList

2005-04-22 Thread Tony Earnshaw
Matthias Eichler wrote:
[...]
We all can read.  But sometimes we need others to help us to comprehend what
it is that we are looking at.  Have you considered that the OP is asking you
for help to understand what it is he is looking at?  Not how to look at
it.

Regards Geoff Scott

Ok, maybe I am just not really pointing at my problem:
The post said
---cut---
sambaSIDList
Description:Security ID List
Usage:  User applications
---cut---
and that it may be used in sambaGroupMapping-objects.
Well, ok, I can list SIDs with this attribute in a Groupmapping,
but what for?!? The group-object itself has a gidnumber for the
unix side and a sid to map this for windows.
For what do I need the sambaSIDList-attribute then?!? I really
can't figure out what meaning User applications should have here
for me.
Well, in a Norwegian language Samba-LDAP howto by Hallvor Engen 
(http://www.kvarteret.no/etjenesten/e-dok/howtos/howtos/ldap-howto.html) 
it says:

All Unix groups in LDAP can become Unix groups and vice versa. The most 
important point to recognize is that certain accounts (Domain Admins, 
Domain Users and Domain Guests) must /always/ exist, that one uses the 
attribute sambaSidList instead of the memberUid entries in order to list 
the members, and that both groups and users may be present in such a list.

Using a GUI tool such as GQ helps both to visualize this and to see what 
objectClasses contain what attributes (and the other way around).

[...]
--Tonni.
--
mail: [EMAIL PROTECTED]
http://www.billy.demon.nl
They love us, don't they, They feed us, won't they ...


Re: [Samba] Description of LDAP-attribute sambaSIDList

2005-04-22 Thread Daniel Wilson
So does this mean that everyone for example in GroupA could then also be 
a member of GroupB if you added GroupA's SID into GroupB's 
sambaSIDList...if so this would help us out so much as then we don't 
need to keep adding people into multiple groups!

Could you give me the syntax so I can update my schema file (we're using 
Sun Directory Server 5.2 as our LDAP backend...)

Regards
Tony Earnshaw wrote:
Matthias Eichler wrote:
[...]
We all can read.  But sometimes we need others to help us to comprehend what
it is that we are looking at.  Have you considered that the OP is asking you
for help to understand what it is he is looking at?  Not how to look at
it.
Regards Geoff Scott

Ok, maybe I am just not really pointing at my problem:
The post said
---cut---
sambaSIDList
Description:Security ID List
Usage:  User applications
---cut---
and that it may be used in sambaGroupMapping-objects.
Well, ok, I can list SIDs with this attribute in a Groupmapping,
but what for?!? The group-object itself has a gidnumber for the
unix side and a sid to map this for windows.
For what do I need the sambaSIDList-attribute then?!? I really
can't figure out what meaning User applications should have here
for me.

Well, in a Norwegian language Samba-LDAP howto by Hallvor Engen 
(http://www.kvarteret.no/etjenesten/e-dok/howtos/howtos/ldap-howto.html) 
it says:

All Unix groups in LDAP can become Unix groups and vice versa. The most 
important point to recognize is that certain accounts (Domain Admins, 
Domain Users and Domain Guests) must /always/ exist, that one uses the 
attribute sambaSidList instead of the memberUid entries in order to list 
the members, and that both groups and users may be present in such a list.

Using a GUI tool such as GQ helps both to visualize this and to see what 
objectClasses contain what attributes (and the other way around).

[...]
--Tonni.
--

Daniel Wilson
Systems Administrator
IT  Communications Service
University of Sunderland
Unit 1a Technology Park
Chester Road
Sunderland
SR2 7PT
Tel: 0191 515 2695


RE: [Samba] Description of LDAP-attribute sambaSIDList

2005-04-22 Thread Matthias Eichler
On Friday, 22.04.2005, at 15:53 +1000, Geoff Scott wrote:
 Tony Earnshaw wrote:
  Thu, 21.04.2005 at 18.40, Matthias Eichler wrote:
  
  Well thanks, but that's just the schema-file and does not really say
  what information is stored in that attribute...
  
  Nonsense.
  
 
 We all can read.  But sometimes we need others to help us to comprehend what
 it is that we are looking at.  Have you considered that the OP is asking you
 for help to understand what it is he is looking at?  Not how to look at
 it.  
 
 Regards Geoff Scott

Ok, maybe I am just not really pointing at my problem:
The post said
---cut---
sambaSIDList
Description:Security ID List
Usage:  User applications
---cut---
and that it may be used in sambaGroupMapping-objects.

Well, ok, I can list SIDs with this attribute in a Groupmapping,
but what for?!? The group-object itself has a gidnumber for the
unix side and a sid to map this for windows.
For what do I need the sambaSIDList-attribute then?!? I really
can't figure out what meaning User applications should have here
for me.

Thanks for some explanation,

Matthias





Re: [Samba] Description of LDAP-attribute sambaSIDList

2005-04-22 Thread Tony Earnshaw
Daniel Wilson wrote:
So does this mean that everyone for example in GroupA could then also be 
a member of GroupB if you added GroupA's SID into GroupB's 
sambaSIDList...if so this would help us out so much as then we don't 
need to keep adding people into multiple groups!
Yes, it does mean that. But this has also (always) been possible with 
Posix groups (a group can be a member of another group), for Unix/Linux 
groups. In this case, Hallvor Engen is saying that for Windows groups it 
can be done with group SIDs. I do it for OpenLDAP with Posix groups and 
MemberUid instead for Samba and that works just as well - where there's 
already a Posix group..

Could you give me the syntax so I can update my schema file (we're using 
Sun Directory Server 5.2 as our LDAP backend...)
I'm not sure what you mean by syntax.  A group-mapping for the Posix 
group domadm might look like:

dn: cn=domadm,ou=groups,ou=smb,dc=billy,dc=demon,dc=nl
memberUid: Administrator
memberUid: root
memberUid: billy
memberUid: tonni
description: Local Unix group
objectClass: top
objectClass: posixGroup
objectClass: uidObject
objectClass: sambaGroupMapping
uid: domadm
cn: domadm
sambaGroupType: 2
sambaSID: S-1-5-21-18666911-1472750480-3707222013-512
gidNumber: 5004
displayName: Domain Admins
sambaSIDList: S-1-5-21-18666911-1472750480-3707222013-3001
where the value for the multi-value attribute sambaSIDList (there can be 
more than one attribute with different values) might be the SID for the 
Windows group Administrative Staff. That might be a pure Windows group 
and not be present as a Posix group.

This ldif (in the form above) would most probably not be possible to 
generate on sites using the idealx scripts; I don't. And everybody would 
be far better off if they got and compiled GQ and played around with it, 
then they'd see this for themselves ;).

--Tonni
--
mail: [EMAIL PROTECTED]
http://www.billy.demon.nl
They love us, don't they, They feed us, won't they ...
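
Added example, not part of the original post or of Samba: a short Python audit that expands the sambaSIDList nesting described in the message above, to show who ends up in Domain Admins once listed group SIDs are followed. The admstaff entry, the uid alice, the -3999 SID and the function names are constructed for illustration, and the membership semantics are assumed to be as stated in this thread.

```python
# Added example (not from the thread or from Samba). GROUPS_LDIF is
# constructed sample data; only the cn=domadm SIDs come from the post.
DOM = "S-1-5-21-18666911-1472750480-3707222013"
GROUPS_LDIF = f"""\
dn: cn=domadm,ou=groups,ou=smb,dc=billy,dc=demon,dc=nl
objectClass: sambaGroupMapping
memberUid: Administrator
memberUid: root
sambaSID: {DOM}-512
sambaSIDList: {DOM}-3001
sambaSIDList: {DOM}-3999

dn: cn=admstaff,ou=groups,ou=smb,dc=billy,dc=demon,dc=nl
objectClass: sambaGroupMapping
memberUid: alice
sambaSID: {DOM}-3001
sambaSIDList: {DOM}-512
"""

def parse_ldif(text):
    """Parse simple LDIF (no base64 values, no folded lines) into dicts of lists."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def effective_members(entries, group_sid):
    """Follow memberUid plus nested sambaSIDList values from group_sid.
    Assumes the thread's semantics: a SID in sambaSIDList makes that group's
    members indirect members. Returns (uids, unresolved_sids)."""
    by_sid = {e["sambasid"][0].upper(): e for e in entries if "sambasid" in e}
    uids, unresolved, seen = set(), set(), set()
    stack = [group_sid.upper()]
    while stack:
        sid = stack.pop()
        if sid in seen:       # already expanded: stops A -> B -> A loops
            continue
        seen.add(sid)
        entry = by_sid.get(sid)
        if entry is None:     # no group mapping here, e.g. a pure Windows group or a user
            unresolved.add(sid)
            continue
        uids.update(entry.get("memberuid", []))
        stack.extend(s.upper() for s in entry.get("sambasidlist", []))
    return uids, unresolved

if __name__ == "__main__":
    uids, unresolved = effective_members(parse_ldif(GROUPS_LDIF), DOM + "-512")
    print("effective Domain Admins:", sorted(uids))
    print("SIDs to review by hand:", sorted(unresolved))
```

SIDs reported as unresolved have no group mapping in the directory being audited, so the membership they confer does not show up in any memberUid listing.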


Re: [Samba] Description of LDAP-attribute sambaSIDList

2005-04-21 Thread Tony Earnshaw
Thu, 21.04.2005 at 10.37, Matthias Eichler wrote:

 I found some new LDAP attributes in the latest samba.schema,
 that were definitely not there when setting up our environment.
 
 Unfortunately I can't find any description of these attributes,
 especially sambaSIDList.
 Does anybody have a definite description of that attribute,
 how it is used and how it should be administered, as the latest
 smbldap-tools do not use it...

Well, you should be using GQ then, as any savvy OpenLDAP sysadmin
should. God knows how I'd manage OpenLDAP without GQ. Thanks Bert,
thanks Peter, thanks (newly) David Malcolm.

sambaSIDList
Description:Security ID List
OID: 1.3.6.1.4.1.7165.2.1.51
Superior:
Usage:  User applications
Equality: caseIgnoreIA5Match
Ordering:
Substrings:
Syntax { length }: 1.3.6.1.4.1.1466.115.121.1.26{64}

Used in objectclasses: sambaGroupMapping

Name: sambaGroupMapping
Description: Samba Group Mapping
OID: 1.3.6.1.4.1.7165.2.2.4
Superior: top
Kind: Auxiliary
required attributes:
gidNumber
sambaGroupType
sambaSID
Allowed attributes
displayName
description
sambaSIDList


--Tonni

-- 
Nothing sucksseeds like a pigeon without a beak ...

mail: [EMAIL PROTECTED]
http://www.billy.demon.nl
 
They love us, don't they, They feed us, won't they ...



Re: [Samba] Description of LDAP-attribute sambaSIDList

2005-04-21 Thread Matthias Eichler
Well thanks, but that's just the schema-file and does not
really say what information is stored in that attribute...

to be honest: gq?!?

Matthias

On Thursday, 21.04.2005, at 17:48 +0200, Tony Earnshaw wrote:
 Thu, 21.04.2005 at 10.37, Matthias Eichler wrote:
 
  I found some new LDAP attributes in the latest samba.schema,
  that were definitely not there when setting up our environment.
  
  Unfortunately I can't find any description of these attributes,
  especially sambaSIDList.
  Does anybody have a definite description of that attribute,
  how it is used and how it should be administered, as the latest
  smbldap-tools do not use it...
 
 Well, you should be using GQ then, as any savvy OpenLDAP sysadmin
 should. God knows how I'd manage OpenLDAP without GQ. Thanks Bert,
 thanks Peter, thanks (newly) David Malcolm.
 
 sambaSIDList
 Description:  Security ID List
 OID: 1.3.6.1.4.1.7165.2.1.51
 Superior:
 Usage:User applications
 Equality: caseIgnoreIA5Match
 Ordering:
 Substrings:
 Syntax { length }: 1.3.6.1.4.1.1466.115.121.1.26{64}
 
 Used in objectclasses: sambaGroupMapping
 
 Name: sambaGroupMapping
 Description: Samba Group Mapping
 OID: 1.3.6.1.4.1.7165.2.2.4
 Superior: top
 Kind: Auxiliary
 required attributes:
   gidNumber
   sambaGroupType
   sambaSID
 Allowed attributes
   displayName
   description
   sambaSIDList
   
 
 --Tonni
 
 -- 
 Nothing sucksseeds like a pigeon without a beak ...
 
 mail: [EMAIL PROTECTED]
 http://www.billy.demon.nl
  
 They love us, don't they, They feed us, won't they ...
 



Re: [Samba] Description of LDAP-attribute sambaSIDList

2005-04-21 Thread Tony Earnshaw
Thu, 21.04.2005 at 18.40, Matthias Eichler wrote:

 Well thanks, but that's just the schema-file and does not
 really say what information is stored in that attribute...

Nonsense.

 to be honest: gq?!?

You don't mean to be honest, you mean what is GQ and what does it
do?

We Google, don't we?

From www.biot.com we jump.

GQ is the definitive solution to questions such as yours, plus all
definitive answers to the question:  how do I manage my (Open)LDAP
database?

--Tonni

-- 
Nothing sucksseeds like a pigeon without a beak ...

mail: [EMAIL PROTECTED]
http://www.billy.demon.nl
 
They love us, don't they, They feed us, won't they ...



RE: [Samba] Description of LDAP-attribute sambaSIDList

2005-04-21 Thread Geoff Scott
Tony Earnshaw wrote:
 Thu, 21.04.2005 at 18.40, Matthias Eichler wrote:
 
 Well thanks, but that's just the schema-file and does not really say
 what information is stored in that attribute...
 
 Nonsense.
 

We all can read.  But sometimes we need others to help us to comprehend what
it is that we are looking at.  Have you considered that the OP is asking you
for help to understand what it is he is looking at?  Not how to look at
it.

Regards Geoff Scott