Re: searchable ml archives [was Re: [Samba] Fixed it myself... (ldap/winbind)]

2004-06-11 Thread Gerald (Jerry) Carter
Paul Gienger wrote:
|
| Gerald (Jerry) Carter wrote:
|
|> Paul Gienger wrote:
|> |
|> | Just because someone doesn't search the archives, which
|> | by the way, doesn't have a search feature, 
|>
|> For what it's worth (from http://samba.org/samba/archives.html)
|>
|> Note: Currently the Samba mailing list archives
|> do not support searching. However, you can access
|> a searchable copy of the archives at
|> http://marc.theaimsgroup.com/, groups.google.com,
|> and mail-archive.com.
|
|
| Consider my crow eaten on that one.  The 'no built in search' is a
| complaint I have of many mailman archives, but apparently someone has
| done an end-around on my complaint...

It's not just you.  A lot of people miss that note.  We should
make it more noticeable I think.


cheers, jerry
--
Hewlett-Packard- http://www.hp.com
SAMBA Team -- http://www.samba.org
GnuPG Key   http://www.plainjoe.org/gpg_public.asc
"...a hundred billion castaways looking for a home." --- Sting
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: searchable ml archives [was Re: [Samba] Fixed it myself... (ldap/winbind)]

2004-06-11 Thread Paul Gienger
Gerald (Jerry) Carter wrote:

> Paul Gienger wrote:
> |
> | Just because someone doesn't search the archives, which
> | by the way, doesn't have a search feature,
>
> For what it's worth (from http://samba.org/samba/archives.html)
>
> Note: Currently the Samba mailing list archives
> do not support searching. However, you can access
> a searchable copy of the archives at
> http://marc.theaimsgroup.com/, groups.google.com,
> and mail-archive.com.

Consider my crow eaten on that one.  The 'no built in search' is a
complaint I have of many mailman archives, but apparently someone has
done an end-around on my complaint...



searchable ml archives [was Re: [Samba] Fixed it myself... (ldap/winbind)]

2004-06-11 Thread Gerald (Jerry) Carter
Paul Gienger wrote:
|
| Just because someone doesn't search the archives, which
| by the way, doesn't have a search feature, 

For what it's worth (from http://samba.org/samba/archives.html)
Note: Currently the Samba mailing list archives
do not support searching. However, you can access
a searchable copy of the archives at
http://marc.theaimsgroup.com/, groups.google.com,
and mail-archive.com.


cheers, jerry
--
Hewlett-Packard- http://www.hp.com
SAMBA Team -- http://www.samba.org
GnuPG Key   http://www.plainjoe.org/gpg_public.asc
"...a hundred billion castaways looking for a home." --- Sting


Re: [Samba] Fixed it myself... (ldap/winbind)

2004-06-11 Thread Paul Gienger

>> --
>> I say:
>> --
>> First off, you are saying a lot that is "clearly false". LDAP can be used
>> blindly in this case. All I needed is a way to avoid having winbind on
>> system A from assigning UIDs on system B that is different. If the UIDs are
>> not identical on all member unix servers, it screws up permissions on issues
>> like NFS, which still has applications in my world.
>
> That is the point of LDAP - you set it up to maintain your unix accounts
> and the member machines use it for authentication. Therefore, 1 user, 1
> account on all machines that use LDAP for authentication. The
> alternative to LDAP for this is NIS and that is not convergent with
> samba.

Excuse me, but the assumption that LDAP = posix account repository is so 
false it isn't even funny. Definition obtainable by STFW:

*LDAP* - Acronym for Lightweight Directory Access Protocol. It is a 
protocol for accessing information directories such as organizations, 
individuals, phone numbers, and addresses. It is based on the X.500 
directory protocols,

That doesn't say much about storing my account information.  And just so 
we're all clear on what X.500 is:
An ISO and ITU standard that defines how
global directories should be structured. X.500 directories are
hierarchical with different levels for each category of information,
such as country, state, and city

That being said,
We do lots of things with our ldap structure that have really nothing to 
do with authenticating users, the easiest to explain being storing 
automount information.  Sun uses it for storing lots of crap for general 
system configuration.  Some people use it for DNS.  Storing SID->UID 
mappings is no different since pam/nsswitch doesn't look directly at the 
idmap object at all to figure out what users are what number, it relies 
on the nss/pam winbind module for that, which 'can' use LDAP as a data 
store.  LDAP is just a network distributed information database, which 
happens to be used a lot for account management.

If you're going to come off like a pompous ass, please use a technically 
valid argument.  Just because someone doesn't search the archives, which 
by the way, doesn't have a search feature, and I'm pretty sure didn't 
include an ldif for a working idmap backend in the last couple of 
months, isn't a good reason to go on a flame war.

--
Paul Gienger Office:
Applied Engineering Inc. Cell:  
Information Systems Consultant   Fax:   701-281-1322
URL: www.ae-solutions.com   mailto:[EMAIL PROTECTED]


RE: [Samba] Fixed it myself... (ldap/winbind)

2004-06-10 Thread Josh Skains
Yes, your Majesty. I am so sorry to disturb your humble mailbox.
 
Next time, just ignore the post.
 
JMS

-Original Message- 
From: Craig White [mailto:[EMAIL PROTECTED] 
Sent: Thu 6/10/2004 6:20 PM 
To: Josh Skains 
Cc: [EMAIL PROTECTED] 
Subject: RE: [Samba] Fixed it myself... (ldap/winbind)



On Thu, 2004-06-10 at 14:21, Josh Skains wrote:
> You said:
> --
> Your thoughts - rely upon an assumption that is clearly false...that
> ldap is usable without understanding it, that understanding it is
> digestible in some easy form and that documentation doesn't exist.
> --
>
> I say:
> --
> First off, you are saying a lot that is "clearly false". LDAP can be used
> blindly in this case. All I needed is a way to avoid having winbind on system A from
> assigning UIDs on system B that is different. If the UIDs are not identical on all
> member unix servers, it screws up permissions on issues like NFS, which still has
> applications in my world.

That is the point of LDAP - you set it up to maintain your unix accounts
and the member machines use it for authentication. Therefore, 1 user, 1
account on all machines that use LDAP for authentication. The
alternative to LDAP for this is NIS and that is not convergent with
samba.

If you use winbind to assign uid's, they WILL be different on each
machine using winbind. Welcome to the jungle.

I'm glad for you that LDAP can be used blindly in this case. I was
hoping that you are gonna show us how, real soon now.

> I say:
> --
> Sorry, but some of us have bosses and timeframes.

Tell the boss that this is complicated stuff, that you need to learn it
to get it right. Please don't hammer us with your time frames.

> You say:
> --
> - It makes little sense to use LDAP for Samba and not local system user
> accounts, and why would you think that you can use LDAP for local
> account security without fully digesting the implications and the
> technology?
> --
>
> I say:
> --
> I don't need local accounts. I am using winbind. Did you even read my posts,
> or were you just too busy looking for someone to put down cause you are in a bad mood?

Yes, I read your posts and scratched my head because of your naivety.
But the arrogance of your suggestions wasn't something I couldn't let
pass.

If you are using winbind to get local account services for unix users,
why are you not using it (server = [domain|ads] ) for smb users? I
cannot envision a scenario where your plan makes sense.

Yes, I read your posts and thought that they were presumptuous that they
asked for LDAP help and this is a samba message base. Clue...there are
many LDAP lists that provide support of LDAP. You say, the only reason
you want to use LDAP is to interact with samba and therefore, samba
should make LDAP easy. Of course, the samba list members should help you
with your lack of understanding of LDAP too. Good luck

Craig




RE: [Samba] Fixed it myself... (ldap/winbind)

2004-06-10 Thread Craig White
On Thu, 2004-06-10 at 14:21, Josh Skains wrote:
> You said:
> --
> Your thoughts - rely upon an assumption that is clearly false...that
> ldap is usable without understanding it, that understanding it is
> digestible in some easy form and that documentation doesn't exist.
> --
> 
> I say:
> --
> First off, you are saying a lot that is "clearly false". LDAP can be used blindly in 
> this case. All I needed is a way to avoid having winbind on system A from assigning 
> UIDs on system B that is different. If the UIDs are not identical on all member unix 
> servers, it screws up permissions on issues like NFS, which still has applications 
> in my world.

That is the point of LDAP - you set it up to maintain your unix accounts
and the member machines use it for authentication. Therefore, 1 user, 1
account on all machines that use LDAP for authentication. The
alternative to LDAP for this is NIS and that is not convergent with
samba.

If you use winbind to assign uid's, they WILL be different on each
machine using winbind. Welcome to the jungle.

I'm glad for you that LDAP can be used blindly in this case. I was
hoping that you are gonna show us how, real soon now.

> I say:
> --
> Sorry, but some of us have bosses and timeframes. 

Tell the boss that this is complicated stuff, that you need to learn it
to get it right. Please don't hammer us with your time frames.

> You say:
> --
> - It makes little sense to use LDAP for Samba and not local system user
> accounts, and why would you think that you can use LDAP for local
> account security without fully digesting the implications and the
> technology?
> --
> 
> I say:
> --
> I don't need local accounts. I am using winbind. Did you even read my posts, or were 
> you just too busy looking for someone to put down cause you are in a bad mood?

Yes, I read your posts and scratched my head because of your naivety.
But the arrogance of your suggestions wasn't something I couldn't let
pass. 

If you are using winbind to get local account services for unix users,
why are you not using it (server = [domain|ads] ) for smb users? I
cannot envision a scenario where your plan makes sense.

Yes, I read your posts and thought that they were presumptuous that they
asked for LDAP help and this is a samba message base. Clue...there are
many LDAP lists that provide support of LDAP. You say, the only reason
you want to use LDAP is to interact with samba and therefore, samba
should make LDAP easy. Of course, the samba list members should help you
with your lack of understanding of LDAP too. Good luck

Craig
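
An added example (not from the thread and not Samba code): a simplified Python model of the point made above, that winbind allocating UIDs on each host gives the same SID different UIDs on different machines, while one shared SID-to-UID store keeps them identical. The allocator, the SIDs, the host name "krusty" and the UID range are constructed assumptions; `audit` also flags UIDs that name different users on different hosts, which is what breaks NFS permissions.

```python
class IdmapStore:
    """SID -> UID table that hands out the next free UID from a fixed range."""
    def __init__(self, low=10000, high=20000):  # constructed range
        self.low, self.high = low, high
        self.sid_to_uid = {}

    def uid_for(self, sid):
        if sid not in self.sid_to_uid:
            uid = self.low + len(self.sid_to_uid)
            if uid > self.high:
                raise RuntimeError("idmap uid range exhausted")
            self.sid_to_uid[sid] = uid
        return self.sid_to_uid[sid]

def replay(logons, stores):
    """Apply (host, sid) logons in order; return host -> {sid: uid}."""
    for host, sid in logons:
        stores[host].uid_for(sid)
    return {host: dict(store.sid_to_uid) for host, store in stores.items()}

def audit(host_maps):
    """Return (mismatches, collisions) across hosts.
    mismatches: sid -> {host: uid} where hosts disagree on a user's UID.
    collisions: uid -> {sids} where one UID names different users on different hosts.
    """
    by_sid, by_uid = {}, {}
    for host, mapping in host_maps.items():
        for sid, uid in mapping.items():
            by_sid.setdefault(sid, {})[host] = uid
            by_uid.setdefault(uid, set()).add(sid)
    mismatches = {s: h for s, h in by_sid.items() if len(set(h.values())) > 1}
    collisions = {u: s for u, s in by_uid.items() if len(s) > 1}
    return mismatches, collisions

# Constructed sample data: two domain users logging on to two member servers.
JOE = "S-1-5-21-1111-2222-3333-1001"
ANN = "S-1-5-21-1111-2222-3333-1002"
LOGONS = [("bozo", JOE), ("bozo", ANN), ("krusty", ANN), ("krusty", JOE)]

def local_case():
    """Each host allocates on its own, in the order users happen to show up."""
    return audit(replay(LOGONS, {"bozo": IdmapStore(), "krusty": IdmapStore()}))

def shared_case():
    """Both hosts consult one store (the role an LDAP idmap backend plays)."""
    shared = IdmapStore()
    return audit(replay(LOGONS, {"bozo": shared, "krusty": shared}))

if __name__ == "__main__":
    print("local :", local_case())
    print("shared:", shared_case())
```

Running `audit` over real per-host SID-to-UID listings in place of the constructed `LOGONS` replay gives the same two reports for an existing deployment.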



RE: [Samba] Fixed it myself... (ldap/winbind)

2004-06-10 Thread Josh Skains
You said:
--
Your thoughts - rely upon an assumption that is clearly false...that
ldap is usable without understanding it, that understanding it is
digestible in some easy form and that documentation doesn't exist.
--

I say:
--
First off, you are saying a lot that is "clearly false". LDAP can be used blindly in 
this case. All I needed is a way to avoid having winbind on system A from assigning 
UIDs on system B that is different. If the UIDs are not identical on all member unix 
servers, it screws up permissions on issues like NFS, which still has applications in 
my world.

I can toss water in a bucket without knowing how to chemically create the plastic.
--

You say:
--
I have posted this a few times the past 6 months but new users seem to
pop up without fully digesting the archives.
--

I say:
--
Sorry, but some of us have bosses and timeframes. Taking bits and pieces of different 
cases, documents, and posts and trying to make them all fit isn't easy. I finally did 
it, and now it works fine. I also understand what I did and see that it isn't hard 
once you understand it, it's just a matter of "connecting the dots".

I have areas that you most likely aren't as good at.. You have areas that I most 
likely am not good at. If you came to me and asked me about one of my areas, I 
certainly won't be stomping around screaming the traditional "RTFM".
--

You say:
--
- LDAP is a learning curve all to its own. It may be harder to learn
than any other that you have learned, certainly the concepts can be more
difficult to grasp than things like BIND, sendmail, apache.
--

I say:
--
Oh please. It isn't THAT complex, once you start to grasp it. Sure, I can see it 
getting more and more complex in larger applications, but sheesh, we are talking such 
a simple application here. My problem was just putting the different pieces together.
--

You say:
--
- LDAP has no pat setup. There are a lot of LDAP providers (openldap,
sun, novell, etc.) and there are a number of different versions being
circulated, even by the same providers.
--

I say:
--
When someone comes in like me who doesn't have a need for LDAP in ANY OTHER 
application, then it does have a pat setup. You can say "our automated package only 
supports OpenLDAP. If you need LDAP for bigger things or want to use a different 
server, it is suggested you understand LDAP first and do the install manually".
--

You say:
--
- It makes little sense to use LDAP for Samba and not local system user
accounts, and why would you think that you can use LDAP for local
account security without fully digesting the implications and the
technology?
--

I say:
--
I don't need local accounts. I am using winbind. Did you even read my posts, or were 
you just too busy looking for someone to put down cause you are in a bad mood?
--

Whatever... Anyways

JMS


Re: [Samba] Fixed it myself... (ldap/winbind)

2004-06-10 Thread Craig White
On Thu, 2004-06-10 at 13:11, Josh Skains wrote:
> After much searching, research, compiling, and some guess work, I found my problem 
> was wrapped around one simple fact. I didn't have the samba.schema included.
> 
> I now have some suggestions:
> 
> 1. If you are going to force people to use something complex, DOCUMENT it. Assume 
> there are people like me who have no understanding of ldap. Even some automatic 
> script should be written for people who need LDAP for distribution but plan to use 
> LDAP for absolutely NOTHING else.
> 
> 2. Then make a simple shared daemon called "unixmapd" or something that works like 
> WINS. Everyone can attach to one simple server and see the maps... Whoever gets a 
> resolve first, adds the new entry. So if "ENG\joe" logs into server "bozo" and 
> "bozo" sees there isn't a map in the "unixmapd", then it contributes it. It's that 
> simple!
> 
> Just my thoughts,

Your thoughts - rely upon an assumption that is clearly false...that
ldap is usable without understanding it, that understanding it is
digestible in some easy form and that documentation doesn't exist.

I have posted this a few times the past 6 months but new users seem to
pop up without fully digesting the archives.

- LDAP is a learning curve all to its own. It may be harder to learn
than any other that you have learned, certainly the concepts can be more
difficult to grasp than things like BIND, sendmail, apache.

- LDAP has no pat setup. There are a lot of LDAP providers (openldap,
sun, novell, etc.) and there are a number of different versions being
circulated, even by the same providers.

- It makes little sense to use LDAP for Samba and not local system user
accounts, and why would you think that you can use LDAP for local
account security without fully digesting the implications and the
technology?

- Once you understand LDAP, and can add, delete, search from the command
line, integrating it with samba is easy. If you don't understand LDAP,
integrating it with mail, ftp, ssh etc. is just another hurdle, just
like samba.

As for the documentation...John has written 2 excellent books, both
available at the book store and accessible in the documentation link on
the samba web site...Samba 3 HOW-TO and Samba 3 by Example

Craig



Re: [Samba] Fixed it myself... (ldap/winbind)

2004-06-10 Thread Paul Gienger
Josh Skains wrote:

> 1. If you are going to force people to use something complex, DOCUMENT it.
> Assume there are people like me who have no understanding of ldap. Even some
> automatic script should be written for people who need LDAP for distribution
> but plan to use LDAP for absolutely NOTHING else.

This part has been discussed before, and there are a whole lot of LDAP 
servers and versions that all do things differently.  Even though most 
people 'round here use openldap there are many Sun (I should know their 
server name), and other ldap servers in use, I'd be surprised if there 
aren't even a couple people here that put their idmap in their active 
directory's LDAP server.

I think that at least the 'include the schema file' part was in the 
documentation where you found the samba.schema file, but I could be 
wrong.  I'm away from my machines and documentation today :-/

--
Paul Gienger Office:701-281-1884
Applied Engineering Inc. Cell:  701-306-6254
Information Systems Consultant   Fax:   701-281-1322
URL: www.ae-solutions.com   mailto:[EMAIL PROTECTED]