[K12OSN] SambaLDAP question

Brian Chivers brian at portsmouth-college.ac.uk
Mon Oct 1 10:11:05 UTC 2007


Craig White wrote:
> On Fri, 2007-09-28 at 14:04 +0100, Brian Chivers wrote:
>> John Ingleby wrote:
>>> We successfully joined the first XP Pro machine to our Samba LDAP
>>> domain, but further machines simply return the error message "The
>>> specified domain either does not exist or could not be contacted".
>>>
>>> We're using K12LTSP v5.0 for the classroom thin client server, with
>>> CentOS 5 for the backend file & authentication server. With donated
>>> machines and classes of 12-15 this seems the way to go.
>>>
>>> The important Windows XP Pro client registry settings are all the same,
>>> so most likely we have somehow varied the procedure for adding machine
>>> accounts. Can anyone point me to a detailed step-by-step howto for
>>> adding machine accounts & joining Windows machines to the SambaLDAP
>>> domain?
>>>
>>> The various LDAP-Samba HowTos are great for setting up Samba, and we
>>> appear to have completed those steps successfully. However, I cannot
>>> find a sufficiently detailed explanation of the subsequent steps for
>>>
>>> a) setting up machine accounts with SambaLDAP
>> This should be managed using the smbldap-passwd scripts with a section like this in your smb.conf file
>>
>>    # use the smbldap-tools scripts
>>    add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
>>    #delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
>>    add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
>>    add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
>>    #delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
>>    add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
>>    delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
>>    set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
>>
>>
>>> b) creating the Samba (or LDAP?) root user & password
>> smbpasswd -a root
>>
>> where this is a DIFFERENT password to your Linux root password
>>
>>> c) joining XP Pro machines to the domain 
>> Right click on My computer, Properties, Computer Name, Then click on the change button next to the line
>>
>> To rename the computer or join a domain .....
>>
>> Hope this helps at least get you started :-)
>>
> ----
> above is good but I would wonder about the wisdom of having a user root
> in LDAP or smbpasswd
> 
> Since OP is using LTSP-5 (CentOS-5) he is running recent samba and
> therefore, a full set of privileges is described here:
> http://samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html
> 
> and I wouldn't recommend having a user 'root' in LDAP unless you
> definitely know what you're doing. The machine should have a local root
> user. That local root user really doesn't need to be a samba user.
> 
> As described in the link above, the user Administrator should be created
> with whatever uid, and the well-known RID of 500
> 

You can have a different password for the root LDAP user and local "all powerful" root; there is no way I'd have the same password.

Brian

------------------------------------------------------------------------------------------------
The views expressed here are my own and not necessarily the views of Portsmouth College
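
Added example, not part of the original thread or of Samba/smbldap-tools: a small audit of an LDAP export (for instance `ldapsearch` LDIF output) for the two points Craig raises, a root-equivalent account that is also a Samba account and the presence of an account with the well-known RID 500. The sample LDIF, DNs and SIDs are constructed, and the parser assumes simple LDIF without folded lines or base64 values.

```python
# Added example: audit an LDAP export for the account issues raised in the thread.
# SAMPLE_LDIF is constructed for illustration; DNs, uids and SIDs are made up.
SAMPLE_LDIF = """\
dn: uid=root,ou=Users,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: root
uidNumber: 0
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1000

dn: uid=Administrator,ou=Users,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: Administrator
uidNumber: 1001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-500
"""


def parse_ldif(text):
    """Parse simple LDIF (no folded lines, no base64 '::' values) into dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, _, value = line.partition(": ")
            # Attribute names are case-insensitive in LDAP, so normalise them.
            entry.setdefault(key.lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries


def audit(entries):
    """Return findings: root-equivalent Samba users, and a missing RID 500 account."""
    samba = [e for e in entries
             if "sambasamaccount" in (c.lower() for c in e.get("objectclass", []))]
    findings = []
    for e in samba:
        uid = e.get("uid", ["?"])[0]
        if uid == "root" or "0" in e.get("uidnumber", []):
            findings.append(f"{uid}: root-equivalent account is also a Samba account")
    # The RID is the last component of the SID; 500 is the domain Administrator.
    if not any(s.endswith("-500") for e in samba for s in e.get("sambasid", [])):
        findings.append("no Samba account holds the well-known RID 500")
    return findings
```

Calling `audit(parse_ldif(SAMPLE_LDIF))` on the constructed sample reports the `root` entry and nothing else, since the `Administrator` entry already carries RID 500.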



