[Fedora-directory-users] Samba & Fedora Directory Server Integration

Del del at babel.com.au
Sun Jan 15 06:11:11 UTC 2006


Oscar A. Valdez wrote:
> I've followed the Samba & Fedora Directory Server Integration How-To
> located at http://directory.fedora.redhat.com/wiki/Howto:Samba , and I'm
> about to upload my user accounts into the DS. I have two questions
> before I proceed, though:

You may want to read this for some further background information:

http://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html

> 1) At the end of the How-To, a "testuser" is added to the Samba server
> with the "smbpasswd -a" command. Wouldn't the DS make the user accounts
> visible to the Samba server, making it unnecessary to add them via
> smbpasswd? If it's really necessary to add the accounts via smbpasswd,
> then the DS isn't really a backend to the Samba Server: they would be
> acting in parallel.

What's happening here (in relatively simple and not entirely correct
language, because it's not really explained in depth above) is:  Samba
knows your root DN and bind password for your LDAP server.  Samba
therefore knows how to add users to LDAP.  Samba has a couple of
object classes and attributes that it needs, and will therefore use
these object classes and attributes on every user object that it
creates.  So you may as well let Samba create the users in your
LDAP server.

Sure, you could do it yourself using any old LDAP tool.  But you may
as well let Samba do it, either from the command line using smbpasswd -a
or using the user manager for domains tool.

At the very least let Samba create a few accounts for you and have a
look at the structure of those accounts in detail before you use another
LDAP tool.  LAM (http://lam.sourceforge.net/) will be able to add the
attributes required by Samba as well, but I'd make a few accounts using
Samba and then some using LAM to compare the two before relying on LAM.
Same goes for any other LDAP account management tool you choose to use,
whether it's pre-done or roll-your-own.

> 2) The section on ldapsam of "The Official Samba-3 HOWTO and Reference
> Guide" 
> (http://us4.samba.org/samba/docs/man/Samba3-HOWTO/passdb.html#id2559672)
> mentions quite a few attributes for the sambaSamAccount ObjectClass,
> such as sambaLogonTime, sambaLMPassword, sambaPrimaryGroupSID,
> sambaAcctFlags, logoffTime, sambaKickoffTime, sambaPwdLastSet, sambaSID,
> sambaPwdCanChange, sambaPwdMustChange, and sambaNTPassword, that are not
> present in the ldif files generated by the openldap migrate_passwd.pl
> script recommended by the How-To. How should these attributes be added,
> if one follows the How-To?

/usr/share/doc/samba-*/LDAP/samba.schema (or wherever your Samba
documentation is installed on your distro).

Either create the attributes manually, or use the ol-schema-migrate.pl
script in the FDS wiki to convert it to an FDS-compatible schema file,
and then install it into your /opt/fedora-ds/slapd-`hostname -s`/config/schema/
directory as 61samba.ldif.

-- 
Del
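
A way to do the comparison Del suggests above (accounts created by smbpasswd -a versus accounts from migrate_passwd.pl or LAM) as an added example, not code from the thread or from Samba: a minimal LDIF parser plus two checks. The MUST/MAY attribute names come from Samba's samba.schema; the two LDIF entries are constructed samples, not real accounts.

```python
from collections import defaultdict
# From Samba's samba.schema: sambaSamAccount MUST have uid and sambaSID; MAY subset below.
SAMBA_MUST = {"uid", "sambaSID"}
SAMBA_MAY = {"sambaLMPassword", "sambaNTPassword", "sambaAcctFlags", "sambaPwdLastSet",
             "sambaPwdCanChange", "sambaPwdMustChange", "sambaLogonTime", "sambaKickoffTime"}
# Constructed samples (not real accounts): one shaped as smbpasswd -a creates
# it, one as migrate_passwd.pl emits it (posixAccount only, no Samba attributes).
SAMBA_CREATED = """\
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: testuser
sambaSID: S-1-5-21-1-2-3-3002
sambaAcctFlags: [U          ]
"""
MIGRATED = """\
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: testuser
"""

def parse_ldif(text):
    """Minimal LDIF: 'attr: value' lines, folded lines start with a space,
    a blank line ends an entry. Returns a list of {attr: [values]} dicts."""
    entries, cur, last = [], None, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:          # folded continuation line
            cur[last][-1] += raw[1:]
        elif not raw.strip():                     # blank line ends the entry
            if cur is not None:
                entries.append(dict(cur))
            cur, last = None, None
        elif not raw.startswith("#"):
            attr, _, value = raw.partition(":")
            cur = cur if cur is not None else defaultdict(list)
            last = attr.strip()
            cur[last].append(value.lstrip())
    return entries

def check_samba_account(entry):
    """Problems that stop Samba treating the entry as a sambaSamAccount."""
    problems = []
    if "sambaSamAccount" not in entry.get("objectClass", []):
        problems.append("missing objectClass sambaSamAccount")
    problems += ["missing required attribute " + a for a in sorted(SAMBA_MUST - set(entry))]
    return problems

def samba_attribute_diff(a, b):
    """Samba attributes only in a, then only in b: compare two tools' output."""
    known = SAMBA_MUST | SAMBA_MAY
    return sorted(known & (set(a) - set(b))), sorted(known & (set(b) - set(a)))
```

Run it against `ldapsearch -LLL` output of one Samba-created and one tool-created account to see exactly which attributes the second tool leaves out.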