
[Bug 575] Need newer Samba-Version to enable LDAP-Support



http://bugs.skolelinux.no/show_bug.cgi?id=575

faj@bzz.no changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |faj@bzz.no



------- Additional Comments From faj@bzz.no  2004-04-03 22:30 -------
We have at the moment a non-ldap-enabled samba that is included on the CD, and
that is installed by default.

This version is possible to use, but the samba passwords will then reside in
/etc/samba/smbpasswd. There will have to be some changes to the smb.conf as
well, as the version that gets installed now takes for granted that there is an
ldap-enabled samba.

By now we have 3-5 different solutions to the samba package:

2.2.3a-12.3 which was a part of woody
2.2.3a-13 which is available through security.debian
2.2.8 from woody-test
2.2.8 from http://debian.rfc3514.org/
2.2.3a-13.skolelinux.1 which is the one from security.debian.org, only
                       recompiled with ldap-support.

What problems do we have with samba:
- not ldap-enabled: this is the case with the one from woody, and the one from
security.d.o
- root/admin password sent in cleartext: This was a problem with the 2.2.8
version from woody-test.
- security bugs: the version in woody, and the 2.2.8 from woody-test, have
security problems. That's why security.d.o released 2.2.3a-13. Not sure about the
version on rfc3514.org.
- not on *.skolelinux.no: We need to provide a working solution at least in the
apt-source, but it would also be nice to have it on the CD.

Max has provided a solution on rfc3614.org, but we _need_ a solution on the
skolelinux.no apt-source. Also we need a solution that is maintainable. The
security team needs to be able to get hold of the sources. This means either that
the sources are in cvs.skolelinux.no or alioth.debian.org, or that the packages
are uploaded with full sources as a tar.gz together with a diff.gz file.
Max has also provided a howto on how to use the package. We need something that
installs out of the box, without the need to patch files.

To me, it looks like we have 3 solutions:
- neglect the need for a samba package. (we can't do that)
- use a newer version than 2.2.3a-13, maybe even 3.0.x, but then we need someone
who takes on the responsibility of patching and providing security updates.
- use an ldap-enabled version of 2.2.3a-13

We had a student group doing some work on windows/max/skolelinux integration,
that found a need for having a newer version than 2.2.3. I have tried to find
out why, and since I did not find any reason, I did a recompile of 2.2.3-13 from
security.d.o.

What I've found is this:
 One needs to add the smbadmin user to the ldap-db. I think Max has provided a
good solution to this. We also need to store the smbadmin password so that
smbpasswd can use it to modify the ldap-db.
 One needs a samba-root-user in the ldap-db to add win2k (and winXP)
workstations to the skolelinux domain. To add the machines, they need a
posixAccount, which should have its login shell set to /bin/false; the
password is kind of unknown, and is not needed. This account also needs to be a
 sambaAccount.

What I did when I tested the package is the following:
- Did a clean main-server install
- Added samba-2.2.3a-13.skolelinux.1 (and common as well)
- created an ldif that added the smbadmin account to ldap.
- Set the password of smbadmin using
 "/usr/share/debian-edu-config/tools/passwd smbadmin"
- stored the same password using "smbpasswd -w <password>"
- created the samba-root-ldap-user with "smbpasswd -a root"
- added a group in /etc/group by using "addgroup --gid 71 smb-mach". I guess
this account should be created in ldap...
- added the win2k workstation account. This should be done in the ldap, but for
test purposes I used /etc/passwd, and created it using
 "adduser --force-badname --no-create-home --home /var \
          --shell /bin/false --disabled-password --gid 71 fajx300$"
- Added the samba ldap workstation account by using "smbpasswd -am fajx300"

Then I logged in with Win2k and added the machine into the domain, using the root
account.

I tried to use a different user than the root user, which is defined as an admin
user in smb.conf, but then I get "wrong password length". I had to use the root
account. I don't think that the password of the root account needs to be the
same as the smbadmin.
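The test procedure above creates the smb-mach group and the fajx300$ workstation account in /etc/group and /etc/passwd and notes that both belong in LDAP. As an added example (not from the bug report, nor from Max's howto or the skolelinux package), the script below generates the LDAP entries the procedure needs as LDIF: the smbadmin account, the smb-mach group and a workstation account that is a posixAccount with /bin/false as shell plus the Samba 2.2 sambaAccount class. The base DN, the ou names, the uidNumbers and the shape of the smbadmin entry are assumptions; gid 71 and the smbpasswd steps are taken from the procedure. The LM/NT hashes are not in the LDIF; "smbpasswd -am <name>" fills them in afterwards, as in the procedure.

```shell
#!/bin/sh
# Added example, not part of the bug report: generate the LDAP entries that the
# test procedure created partly by hand (smbadmin, the smb-mach group and a
# workstation account) as LDIF, so they can be loaded with ldapadd instead of
# living in /etc/passwd and /etc/group. Assumptions: the base DN, the ou names,
# the uidNumbers and the shape of the smbadmin entry; gid 71 is from the report.
BASE_DN="${BASE_DN:-dc=skole,dc=skolelinux,dc=no}"   # assumed
SMB_MACH_GID=71                                       # "addgroup --gid 71 smb-mach"

# Samba 2.2 derives Windows RIDs from Unix ids algorithmically:
# user rid = 2*uid + 1000, group rid = 2*gid + 1001.
uid_to_rid() { echo $(( $1 * 2 + 1000 )); }
gid_to_rid() { echo $(( $1 * 2 + 1001 )); }

# A NetBIOS machine name is at most 15 characters; the trailing "$" is added
# by the LDIF generator, so reject names that already carry it.
check_machine_name() {
  case "$1" in
    ''|*'$'*|*[!A-Za-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -le 15 ]
}

# smbadmin: the account Samba binds as to write hashes into the directory.
# Its password is set with the debian-edu passwd tool and handed to Samba
# with "smbpasswd -w", exactly as in the procedure above (entry shape assumed).
smbadmin_ldif() {
  cat <<EOF
dn: uid=smbadmin,ou=People,$BASE_DN
objectClass: top
objectClass: account
objectClass: posixAccount
uid: smbadmin
cn: smbadmin
uidNumber: $1
gidNumber: $1
homeDirectory: /var
loginShell: /bin/false
EOF
}

# Group for workstation accounts, in LDAP rather than /etc/group.
smb_mach_group_ldif() {
  cat <<EOF
dn: cn=smb-mach,ou=Group,$BASE_DN
objectClass: top
objectClass: posixGroup
cn: smb-mach
gidNumber: $SMB_MACH_GID
EOF
}

# Workstation account: posixAccount (shell /bin/false, locked Unix password)
# plus the Samba 2.2 sambaAccount class. The LM/NT hashes are filled in later by
# "smbpasswd -am <name>"; acctFlags [W] marks it as a workstation trust account.
machine_ldif() {
  name=$1; uidnum=$2
  check_machine_name "$name" || { echo "bad machine name: $name" >&2; return 1; }
  cat <<EOF
dn: uid=${name}\$,ou=People,$BASE_DN
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaAccount
uid: ${name}\$
cn: ${name}\$
uidNumber: $uidnum
gidNumber: $SMB_MACH_GID
homeDirectory: /var
loginShell: /bin/false
userPassword: {crypt}*
rid: $(uid_to_rid "$uidnum")
primaryGroupID: $(gid_to_rid "$SMB_MACH_GID")
acctFlags: [W          ]
EOF
}

# Usage: sh samba-ldap-accounts.sh fajx300 20001 > accounts.ldif
# then:  ldapadd -x -D "cn=admin,$BASE_DN" -W -f accounts.ldif
#        /usr/share/debian-edu-config/tools/passwd smbadmin
#        smbpasswd -w '<smbadmin password>'; smbpasswd -a root; smbpasswd -am fajx300
if [ -n "$1" ]; then
  smbadmin_ldif 20000; echo
  smb_mach_group_ldif; echo
  machine_ldif "$1" "${2:-20001}"
fi
```

The script only writes LDIF; loading it and setting the hashes is left to ldapadd and the smbpasswd calls from the procedure, so a mistake in the generated entries can be inspected before anything touches the directory.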




