[K12OSN] SambaLDAP question

Craig White craig at tobyhouse.com
Mon Oct 1 16:29:15 UTC 2007


On Mon, 2007-10-01 at 11:11 +0100, Brian Chivers wrote:
> Craig White wrote:
> > On Fri, 2007-09-28 at 14:04 +0100, Brian Chivers wrote:
> >> John Ingleby wrote:
> >>> We successfully joined the first XP Pro machine to our Samba LDAP
> >>> domain, but further machines simply return the error message "The
> >>> specified domain either does not exist or could not be contacted".
> >>>
> >>> We're using K12LTSP v5.0 for the classroom thin client server, with
> >>> CentOS 5 for the backend file & authentication server. With donated
> >>> machines and classes of 12-15 this seems the way to go.
> >>>
> >>> The important Windows XP Pro client registry settings are all the same,
> >>> so most likely we have somehow varied the procedure for adding machine
> >>> accounts. Can anyone point me to a detailed step-by-step howto for
> >>> adding machine accounts & joining Windows machines to the SambaLDAP
> >>> domain?
> >>>
> >>> The various LDAP-Samba HowTos are great for setting up Samba, and we
> >>> appear to have completed those steps successfully. However, I cannot
> >>> find a sufficiently detailed explanation of the subsequent steps for
> >>>
> >>> a) setting up machine accounts with SambaLDAP
> >> This should be managed using the smbldap-passwd scripts with a section like this in your smb.conf file
> >>
> >>    # use the smbldap-tools scripts
> >>    add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
> >>    #delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
> >>    add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
> >>    add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
> >>    #delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
> >>    add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
> >>    delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
> >>    set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
> >>
> >>
> >>> b) creating the Samba (or LDAP?) root user & password
> >> smbpasswd -a root
> >>
> >> where this is a DIFFERENT password to your linux root password
> >>
> >>> c) joining XP Pro machines to the domain 
> >> Right click on My computer, Properties, Computer Name, Then click on the change button next to the line
> >>
> >> To rename the computer or join a domain .....
> >>
> >> Hope this helps at least get you started :-)
> >>
> > ----
> > above is good but I would wonder about the wisdom of having a user root
> > in LDAP or smbpasswd
> > 
> > Since OP is using LTSP-5 (CentOS-5) he is running recent samba and
> > therefore, a full set of privileges is described here:
> > http://samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html
> > 
> > and I wouldn't recommend having a user 'root' in LDAP unless you
> > definitely know what you're doing. The machine should have a local root
> > user. That local root user really doesn't need to be a samba user.
> > 
> > As described in the link above, the user Administrator should be created
> > with whatever uid, and the well-known RID of 500
> > 
> 
> You can have a different password for the root LDAP user and local "all powerful" root, there is no 
> way I'd have the same password.
> 
----
probably not worth arguing a fine point that is more or less a personal
method, but having both a root user in /etc/passwd and ldap generates
confusion and also error reports in LDAP logs, if nothing else.

you can have a user with a UID of 0 and it doesn't have to be named root
if that is what you want: superuser powers on various machines without
generating the errors and the confusion.

For the purposes of LTSP, there is no need to have a user 'root' in
LDAP.

For the purposes of Samba, <= 3.0.10, there was a practical benefit of
having a 'superuser' who could create directories and join Windows
machines to the domain, but the developers of samba saw fit to remove
that requirement starting with version 3.0.11 where a Microsoft
methodology of assigning privileges to individual users became a
reasonable, practical and more secure option...that was the point of the
link that I referenced.

If you choose to keep a superuser in LDAP (uid=0), you probably don't
want to have it called 'root' and it's likely that you are either using
an old version of samba (3.0.10 or older), or simply choose convenience
over security. I'm trying to suggest better practices rather than that
which is easy.

-- 
Craig White <craig at tobyhouse.com>
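
The two things this thread turns on can be checked offline before touching a client: that smb.conf actually carries the 'add machine script' a join needs in order to create the machine account, and that the LDAP tree does not carry a 'root'/uid 0 superuser where a RID-500 Administrator plus granted privileges would do. The script below is an added example, not code from the thread or from smbldap-tools; the smb.conf fragment and the LDIF dump it audits are constructed, and the paths, base DN, domain SID and account names are assumptions.

```python
"""Offline sanity checks for a Samba 3 + LDAP domain controller.

Added example, not code from the K12OSN thread or from smbldap-tools.
Inputs are constructed: a smb.conf fragment in the style quoted in the
thread and a small LDIF dump as 'ldapsearch -x -LLL' would print it.
Paths, DNs, the domain SID and account names are assumptions.
"""

# Constructed smb.conf fragment (deliberately missing 'add machine script').
SAMPLE_SMB_CONF = """
[global]
   workgroup = SCHOOL
   passdb backend = ldapsam:ldap://localhost
   # use the smbldap-tools scripts
   add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
   add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
   add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
"""

# Constructed LDIF with an assumed base DN and domain SID.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
SAMPLE_LDIF = f"""
dn: uid=root,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: root
uidNumber: 0
sambaSID: {DOMAIN_SID}-500

dn: uid=Administrator,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: Administrator
uidNumber: 998
sambaSID: {DOMAIN_SID}-2996

dn: uid=ws01$,ou=Computers,dc=example,dc=org
objectClass: posixAccount
uid: ws01$
uidNumber: 1001
"""


def parse_smb_conf(text):
    """Parse smb.conf into {section: {option: value}}; names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attr: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_smb_conf(text):
    """Findings about the [global] settings an LDAP-backed DC needs."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if not g.get("passdb backend", "").startswith("ldapsam"):
        findings.append("passdb backend is not ldapsam")
    if "add machine script" not in g:
        findings.append("no 'add machine script': a join cannot create the machine account")
    return findings


def audit_ldap(entries, domain_sid):
    """Findings about superuser and Administrator handling in the LDAP tree."""
    findings, have_admin = [], False
    for e in entries:
        uid = e.get("uid", [""])[0]
        sid = e.get("sambaSID", [""])[0]
        if e.get("uidNumber", [""])[0] == "0":
            what = "duplicates the local root account" if uid == "root" else "uid 0 superuser"
            findings.append(f"{uid}: {what} in LDAP")
        if uid == "Administrator":
            have_admin = True
            if sid != f"{domain_sid}-500":
                findings.append(f"Administrator: sambaSID {sid} is not the well-known RID 500")
        if uid.endswith("$") and "sambaSamAccount" not in e.get("objectClass", []):
            findings.append(f"{uid}: machine account has no sambaSamAccount attributes yet")
    if not have_admin:
        findings.append("no Administrator account (RID 500) in LDAP")
    return findings


def rights_grant_command(domain, account, privilege="SeMachineAccountPrivilege"):
    """argv for 'net rpc rights grant': the Samba >= 3.0.11 way to let a
    non-root account join machines instead of keeping a superuser in LDAP."""
    return ["net", "rpc", "rights", "grant", f"{domain}\\{account}", privilege, "-U", "Administrator"]


if __name__ == "__main__":
    for f in check_smb_conf(SAMPLE_SMB_CONF) + audit_ldap(parse_ldif(SAMPLE_LDIF), DOMAIN_SID):
        print("finding:", f)
    print(" ".join(rights_grant_command("SCHOOL", "techuser")))
```

On a real server, replace the two constants with the output of `testparm -s` and `ldapsearch -x -LLL` against the people and computers suffixes; a machine entry with posixAccount only is one that was pre-created but whose join never completed, which is the symptom the original poster describes.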