
Re: RFT: samba-ldap



On Sun, Apr 25, 2004 at 12:18:37PM +0200, Petter Reinholdtsen wrote:
> [Finn-Arne Johansen]
> > Why do we need an ldap-enabled samba ? 
> 
> There are several issues I want to have in place regarding samba.
> 
> I'm told that samba need to register new machines into the "domain"
> before they are given access.  I believe it is best to store such
> machine info in LDAP, as we want to handle several samba servers in a
> school.  It should be enough to register the machine once in the
> school, and it should then get access to all samba servers.

Samba only needs to have account information on one samba server,
that is the samba PDC. If the PDC is a Windows machine, we don't need
to store anything on the Linux boxes :) 

> But I do not want the samba servers to have write access to the LDAP
> server "on their own", i.e. without an administrator providing his LDAP admin
> password to approve the LDAP update.  This means that the LDAP access
> password should not be part of the samba configuration stored on disk,
> but it should be provided by a LDAP admin every time a new machine is
> to be added to the "domain".  The reason for this is that it should be
> possible to outsource the administration of the LDAP server, and I
> believe it is unlikely that a third party administrating the LDAP
> server will allow LDAP write access directly from machines outside
> their control.

The stored samba password is used whenever an administrator joins a
machine into the domain. To be able to join the machine into the
domain, one needs to be samba-root. This is a samba account, and the
password for this account is actually stored inside the LDAP db, not
in the local /etc/shadow.

If a third party wants to disable this, either they don't know samba,
or they have patched samba a great deal. 

> Is this possible to have both?

Not to my knowledge, without patching smbpasswd in some way. 

> We also want to provide packages in woody with an upgrade path into
> sarge.  The samba-ldap package has a different name from the official
> package, and I believe it is unlikely that it will upgrade cleanly to
> a version of samba in sarge.  Can we do it in a way that eases
> upgradability?

samba-ldap is a meta-package. It will pull in a specific version of
samba, which has been compiled with ldap-support. What we need for a
sarge release is to drop samba-ldap in favour of samba, version 3.0.2a
or better. samba-ldap_2.2.3a-13.skolelinux.1 has dependencies on 
 makepasswd  - to generate a random password for the smbadmin account.
 tdb-tools - which delivers tdbdump, used in smbaddclient.pl to fetch
             the saved password
 samba (=2.2.3a-13.skolelinux.1) - which is a recompile of the version
             from security.debian.org, except that it is compiled with
             ldap-support. 

Samba-ldap is in our cvs (skolelinux/src/samba-ldap).
samba_2.2.3a-13.skolelinux.1 is not in our cvs, but the source package,
which of course includes a diff, is in our ftp at
 /skolelinux/pool/local/s/samba

> What is the samba server updating in LDAP (which attributes), and
> when?

I started with an empty setup (pr47 I think). 
Then added samba-ldap and wlus.
Then added a user in wlus, making sure that nscd was not running (I
think that bug is closed now).
Then I added my laptop, running win2k, into the domain. During this
process, I had to log in to samba using the username root, and the
password was set to the same as the admin password. (Actually, the
setting of the password for the root samba-account is kind of dirty,
but it works, see explanation later...) 
I rebooted, and logged in as the newly created user. 
  (username test1u, with firstname test1, lastname user :) )
Then, to test what smbadmin actually needed to write to the LDAP, I
joined a workgroup, and then rejoined the skolelinux-domain. The only
thing that actually changed was
 ntPassword
 lmPassword
 lastChanged

Then I limited the access of smbadmin to only those 3 entries, and did
the same procedure again: join a workgroup, then rejoin the domain. 
But then I failed to join the domain, because of not enough rights.

Now how about upgrading to sarge then? 
This weekend, I took my working test main+ltsp server and added the
apt-source of sarge. Well, first of all, doing an apt-get dist-upgrade
will need a bigger /usr, a bigger /var, and will break the
installation. OpenOffice.org was uninstalled, kde was uninstalled.
samba-ldap was removed, and only samba was back. This should not be any
trouble at all, but the biggest problem is that slapd in sarge is
broken in regards to tls/ssl. I was getting some help from Andreas, but
I gave up. But tdbdump was still there, and makepasswd is only used during
setup of the smbadmin account. So it looks like everything is there.
There are some changes to the samba schema that we will have to look
into. 

There should not be a need for samba-ldap in sarge, as samba-3.0.2a
should have support for ldap backend. 


Now, what is dirty about setting the password of samba-root? 
samba-root does not exist until we add the first user. What happens is: 
 smbpasswd tries to add a sambaAccount to LDAP. But as long as there is
no samba-root account, it fails. Okay, then we add the
samba-root-account. Now what password should we use for this account?
The easy solution is to use the same as the ldap-admin account, because
to add a user using wlus, we already know the password (you just typed
it), and we set the samba-root password to be the same. Then we retry
to add the sambaAccount for the user wlus already added a posixAccount
for. 
 There is no trouble setting the password to something else than the
ldap-admin password, because it is only used when joining a machine to
the domain. 

-- 
Finn-Arne Johansen 
faj@bzz.no
http://bzz.no/
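As an added example (not code from this thread or from Skolelinux), a small script that automates the before/after check described in the mail: dump the machine's LDAP entry as LDIF, rejoin the domain, dump it again, and diff the two snapshots to see which attributes smbadmin actually wrote, so an ACL can be scoped to exactly those. The entry DN, hash values and timestamps in the sample are constructed placeholders.

```python
"""Report which LDAP attributes changed between two LDIF snapshots of one entry.

Added example, not code from the thread or from Skolelinux: it automates the
before/after comparison described in the mail (join a workgroup, rejoin the
domain, then see which attributes smbadmin really wrote).
"""
from typing import Dict, List


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute-name: [values]}.
    Names are lower-cased (LDAP attribute names are case-insensitive);
    folded continuation lines (leading space) are joined; comments skipped."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # LDIF line folding
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in logical:
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "::" marks a base64 value; kept as-is
            value = value[1:]
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def changed_attributes(before: str, after: str) -> List[str]:
    """Sorted names of attributes whose value set differs between snapshots."""
    a, b = parse_ldif_entry(before), parse_ldif_entry(after)
    return sorted(n for n in set(a) | set(b)
                  if sorted(a.get(n, [])) != sorted(b.get(n, [])))


# Constructed sample of a machine account; the DN, hashes and timestamps
# are placeholders, not real values.
BEFORE = """dn: uid=laptop1$,ou=Machines,dc=example,dc=org
objectClass: sambaAccount
uid: laptop1$
ntPassword: 00000000000000000000000000000001
lmPassword: 00000000000000000000000000000001
lastChanged: 1082800000
"""
AFTER = (BEFORE
         .replace("00000000000000000000000000000001",
                  "00000000000000000000000000000002")
         .replace("1082800000", "1082886400"))

if __name__ == "__main__":
    print(changed_attributes(BEFORE, AFTER))  # ['lastchanged', 'lmpassword', 'ntpassword']
```

Real snapshots can be taken with ldapsearch (run as the LDAP admin, not as smbadmin) before and after the rejoin and fed to changed_attributes in place of the constructed strings.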


