[K12OSN] killing Active Directory - direction needed for Samba/LDAP installer

[Jim Kronebusch]

> If we could develop the Samba/LDAP Installer to make it drop-dead 
> easy to configure and manage multi-platform, multi-site user 
> authentication, I think we will have taken a great step forward.

I found Webmin to be the easiest tool to setup and use (after tracking down
the correct settings of course).  The only piece missing was getting the bulk
add tool in webmin to create samba accounts.  So I used it in conjunction with
the bulk-add scripts.  I will paste my email from August below for information
if anyone wants to test it out.  

I did look into FDS like Eric mentioned.  Wow!  Looks like it would do
everything under the sun, all you need is a team of 12 highly trained
scientists and 6 months to get it configured.  In my opinion this solution is
light years away from easy.

I have ran into 6 installs in the last couple of months that I could have put
Linux as the main server if only I could give them a foolproof replacement for
AD.  What is there right now just needs to get the bulk-add for Webmin to
create samba users.  The other piece is a backup module.  I want to have a
module that give me a button (say in the LDAP screen of Webmin) called "Backup
SMB/LDAP".  This button runs some magic scripts in the background and backs up
all config files, users, user folders, profiles, etc based off the current
config into a giant gzip file into whatever directory I specify.  Then in the
event of catastrophic failure I can build a new server with a basic OS, go to
my Webmin LDAP module and click the other magic button "Restore SMB/LDAP"
which asks me where my giant gzip file is and whalla!  I have my users,
groups, machines, folders, profiles, etc restored.  

If these couple things were worked out I think we would have AD hands down. 
Most places I run into that use AD don't need multi-site setups with thousands
of users.  I think that could be secondary.  I think a simple management tool
for what exists along with a backup plan for failure are most important,
improvements for larger sites secondary.  Without the first it won't be
adopted by the larger site anyway.

-----------Post from August on configuring Webmin------------

You can add/modify/delete users and groups from the LDAP Users and
groups module.  Below I will show my settings for the module as
configured for version 2.0-alpha of the smb/ldap installer scripts.  The
add users via batch section is all that needs work now.  It appears to
leave out the Samba account options when run.  I emailed Jamie Cameron
to see if he can let me know how to make this work.  Anyhow with the
settings below I am able to login via Linux, via a OSX LDAP enabled
machine, and join a Windows Machine to the domain and login.  I will
list only fields where I have made changes from the default.  This is
also with the newest stable version of webmin.  Disk quotas will also be
able to be managed via the Webmin Disk Quota module, provided that under
the Disk and Network Filesystems you have enable User or Group quotas,
and subsequently enabled Disk Quotas under the Disk Quotas module. 

Also in discussion with Jamie Cameron I was informed that the variables
${USER} and ${UID} can be used to substitute username and user id
respectively anywhere in the webmin module configuration.

Here goes:

Linux LDAP NSS library config file: /etc/ldap.conf
Bind to LDAP server as: cn=manager,dc=yourdomain,dc=org
Credentials for bind name above: On first access click Set to and enter
your smb/ldap password as set during script installation, after first
entry leave set to Don’t change
Base for users: ou=Users,dc=yourdomain,dc=org
Base for groups: ou=Groups,dc=yourdomain,dc=org
Other objectClasses to add to new users: top inetOrgPerson
Full path to slappasswd program: /usr/sbin/slappasswd
LDAP properties for all new users: sn: ${USER}
Lowest UID for new users: 1000
Default primary group for new users: Domain Users
Default secondary groups for new users: Domain Users
Default shell for new users: /bin/bash
LDAP object class for Samba users: sambaSamAccount
Enabled Samba account by default?: Yes
Domain SID for Samba3: S-1-5-21-699950680-3956470712-3012135405 (Please
use your own sambaSID here :-)
LDAP properties for new Samba users:
sambaLogonScript: startup.bat
sambaProfilePath: \\YOURDOMAIN-PDC\profiles\${USER}
sambaHomePath: \\YOURDOMAIN-PDC\homes\${USER}
sambaHomeDrive: X:
LDAP object class for Samba groups: sambaGroupMapping

Well I hope that helps others out to get webmin working.  For now this
will at least work with using the command line bulk-add scripts to add
the largest population, then webmin for smaller changes.  I will post
out if I get a fix from Jamie.  Or if anyone else tries this let me know
if you can get the batch import to work.

Also I found that to get default OSX settings out you can create a
Library folder in /etc/skel and copy the files you want to default into
that folder.  Say you create a custom dock you can take Macintosh
HD:Users:test user:Library:Preferences:com.apple.dock.plist and move it
to /etc/skel/Library/Preferences/com.apple.dock.plist on the linux
server and all new users will receive the custom dock.

Also since OSX and Linux use the same desktop folder and same /home by
default I will try to create scripts make the windows desktop point to
/home/user/desktop and to point My Documents to /home/user.  This should
make profile roaming seamless between Ops.  I think I can for the most
part use the scripts posted in the last couple weeks.

----------------End post from August----------------

-- 
This message has been scanned for viruses and
dangerous content by the Cotter Technology 
Department, and is believed to be clean.