# $Source: /ramdisk/repositories/20_cvs_clean_up/2011-02-11_sj/src/router/samba/samba-3.0.25b/examples/LDAP/smbldap-tools-0.9.2/INFRA,v $
#
## Some notes about the architecture


Global Architecture for smbldap-tools
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

smbldap-tools help you manage users and groups for Unix and Samba,
using LDAP. They may be used in any context, and are kept relatively
simple so that you can customize them to your needs.

They need the following objectClasses to work:
 . sambaAccount: from samba.schema for the Samba 2.2 branch
 . posixAccount and posixGroup: from nis.schema
 . organizationalUnit and dcObject: from core.schema

They will probably use some additional objectClasses in the near future
to support:
 . mail features (sendmail/postfix/qmail/courier).
 . conformance to RFC2307 best practices (and thus some additional maps,
 such as merging NetBIOS computers (sambaAccounts) with ipHosts).

For ease of visualization of the LDAP objects by human standards, we
used a DIT like this one:
 . dc=IDEALX,dc=org : the company/organization suffix
 . ou=Users : to store user accounts
 . ou=Computers : to store computer accounts
 . ou=Groups : to store system groups
Of course, you're free to use a different naming scheme and DIT (see
smbldap_conf.pm).


Built in groups initial population
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

smbldap-populate.pl populates the LDAP directory with some built-in groups
whose gidNumber follows the well-known RIDs of Windows NT4 Server. In fact,
as far as Samba 2.2.x is concerned, only 'Domain Admins' (gidNumber 512) has
a real impact on the Samba and Windows population. To activate this group as
the Domain Administrators group, use the following smb.conf directive (see
man smb.conf for more):

 domain admin group = " @"Domain Admins" "

However, to make pdb_ldap accept a bind from a user who is not uid 0, a quick
and dirty patch must be applied to 2.2.4 (see samba-2.2.4-ldapbindnotuid0.patch).
This patch is Q&D because the check exists for a reason: Samba stores admin
credentials to establish the LDAP connection, and the uid == 0 check ensured
that a normal user could not get write access to the LDAP backend. A more
logical solution for 2.2.5 would be to check whether the user is a member of
the domain admin group (reported to Jeremy and Gerald, 2002-05-28).

The other built-in groups are really cosmetic ones with Samba 2.2.x. We did
not remove them because one of these days we wish to use Samba 3.0, where
Windows group support should be operational.

Why these specific gidNumbers?
It's about the Unix/Windows mapping of numerical ids with Samba. Ids below
1024 are NT special ids. In fact, 512 is the RID (Windows uid/gid) of the
"Domain Administrators" NT group. The magic number is found in the Samba
sources and possibly in other Samba/Windows documentation.

The goal is to have a set of Unix users who are Domain Administrators and can
modify Samba data (e.g. LDAP content), with command-line tools or from
Windows via Samba.

Say you want to add an NT4 workstation to an NT domain (controlled by a
samba/ldap server). You give the domain administrator's login and password in
the appropriate workstation settings, then the workstation contacts the samba
server, which checks the credentials and uses them as the Unix user that runs
the smbldap-tools (if I remember correctly). Giving 512 as the RID to an LDAP
entry marks it as a domain admin for Samba (and thus Windows). Using nss_ldap,
you also have a Unix account with gid 512.
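The DIT layout and the built-in group population described above, as an added example in Python (it is not the project's own Perl scripts). It builds the container entries of the sample DIT, the posixGroup entries with gidNumber taken from the NT well-known RIDs (512 is the value the text names; 513 and 514 for Domain Users and Domain Guests are assumed here), and a sambaAccount user entry whose rid and primaryGroupID can be written as hex digits, which is the -x workaround for the Samba 2.2.2 read-as-hex quirk noted under Known BUGS. The 2*uidNumber+1000 user RID rule and the exact attribute set are assumptions.

```python
"""Generate the LDIF a populate step would load for the INFRA DIT.
Added example in Python; not the smbldap-tools Perl code."""

from typing import Callable, Dict, List

Entry = Dict[str, List[str]]

# NT4 well-known RIDs used as gidNumber for built-in groups.  512 is the
# one INFRA names; 513/514 are assumed for the other standard domain groups.
BUILTIN_GROUPS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}


def dit_entries(suffix: str = "dc=IDEALX,dc=org") -> List[Entry]:
    """Container entries of the DIT described in INFRA (core.schema classes)."""
    dc = suffix.split(",")[0].split("=", 1)[1]
    entries: List[Entry] = [
        {"dn": [suffix], "objectClass": ["dcObject", "organizationalUnit"],
         "dc": [dc], "ou": [dc]},
    ]
    for ou in ("Users", "Computers", "Groups"):
        entries.append({"dn": [f"ou={ou},{suffix}"],
                        "objectClass": ["organizationalUnit"], "ou": [ou]})
    return entries


def group_entries(suffix: str = "dc=IDEALX,dc=org") -> List[Entry]:
    """posixGroup entries (nis.schema) whose gidNumber is the NT RID."""
    return [{"dn": [f"cn={name},ou=Groups,{suffix}"],
             "objectClass": ["posixGroup"], "cn": [name],
             "gidNumber": [str(gid)]} for name, gid in BUILTIN_GROUPS.items()]


def user_rid(uid_number: int) -> int:
    """Algorithmic user RID (assumption: Samba 2.2's 2*uid+1000 rule)."""
    return 2 * uid_number + 1000


def user_entry(uid: str, uid_number: int, gid_number: int,
               suffix: str = "dc=IDEALX,dc=org", hex_rids: bool = False) -> Entry:
    """posixAccount + sambaAccount entry.  With hex_rids=True the rid and
    primaryGroupID are written as hex digits, which is what a Samba 2.2.2
    that reads them as hex expects (the -x switch described in INFRA)."""
    fmt: Callable[[int], str] = (lambda n: format(n, "x")) if hex_rids else str
    return {"dn": [f"uid={uid},ou=Users,{suffix}"],
            "objectClass": ["posixAccount", "sambaAccount"],
            "uid": [uid], "cn": [uid], "uidNumber": [str(uid_number)],
            "gidNumber": [str(gid_number)], "homeDirectory": [f"/home/{uid}"],
            "rid": [fmt(user_rid(uid_number))],
            "primaryGroupID": [fmt(gid_number)]}


def read_rid(value: str, samba_reads_hex: bool) -> int:
    """How Samba interprets a stored rid/primaryGroupID string: 2.2.2 parsed
    it as hex, the CVS fix parses it as decimal.  Writing decimal "512" to a
    hex-reading Samba yields 0x512 == 1298, i.e. the wrong group."""
    return int(value, 16 if samba_reads_hex else 10)


def to_ldif(entries: List[Entry]) -> str:
    """Render entries as LDIF: dn first, one attribute value per line."""
    blocks = []
    for e in entries:
        lines = [f"dn: {e['dn'][0]}"]
        lines += [f"{k}: {v}" for k, vals in e.items() if k != "dn" for v in vals]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    # Constructed sample: the DIT, the built-in groups and one domain admin.
    print(to_ldif(dit_entries() + group_entries()
                  + [user_entry("alice", 1000, 512)]))
```

Feeding the output to ldapadd (or the equivalent for your server) gives the same starting point the populate script produces; set hex_rids=True only when the Samba build on the other side is one that still reads the RID attributes as hex, otherwise a decimal-reading Samba will misinterpret the values.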
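The authorization rule discussed above, as an added example in Python (not Samba's pdb_ldap code): the original uid == 0 gate that samba-2.2.4-ldapbindnotuid0.patch relaxes, next to the check INFRA proposes instead, membership of the domain admin group (gidNumber 512, either as the user's primary group or via memberUid). The in-memory directory is constructed for the example, and the decision that root gets no implicit exemption under the group rule is an assumption.

```python
"""Who may write the LDAP backend: uid == 0 versus domain-admin membership.
Added example in Python over a constructed directory; not Samba code."""

from typing import Dict, List, Tuple

Users = Dict[str, Dict[str, str]]
Groups = Dict[str, Dict[str, List[str]]]

# Constructed sample directory (not real data).
USERS: Users = {
    "root":  {"uidNumber": "0",    "gidNumber": "0"},
    "alice": {"uidNumber": "1000", "gidNumber": "512"},  # primary group 512
    "bob":   {"uidNumber": "1001", "gidNumber": "513"},  # memberUid of 512
    "carol": {"uidNumber": "1002", "gidNumber": "513"},  # ordinary user
}
GROUPS: Groups = {
    "Domain Admins": {"gidNumber": ["512"], "memberUid": ["bob"]},
    "Domain Users":  {"gidNumber": ["513"], "memberUid": ["alice", "bob", "carol"]},
}

DOMAIN_ADMIN_GID = 512  # NT well-known RID reused as the Unix gidNumber


def legacy_may_write(uid: str, users: Users = USERS) -> bool:
    """The Samba 2.2.4 rule the patch relaxes: only uid 0 may bind for writes."""
    user = users.get(uid)
    return user is not None and int(user["uidNumber"]) == 0


def is_domain_admin(uid: str, users: Users = USERS, groups: Groups = GROUPS) -> bool:
    """Membership test: primary gid 512, or memberUid of the gid-512 group."""
    user = users.get(uid)
    if user is None:
        return False
    if int(user["gidNumber"]) == DOMAIN_ADMIN_GID:
        return True
    for group in groups.values():
        if (int(group["gidNumber"][0]) == DOMAIN_ADMIN_GID
                and uid in group.get("memberUid", [])):
            return True
    return False


def may_write_backend(uid: str, users: Users = USERS, groups: Groups = GROUPS) -> bool:
    """Rule INFRA proposes for 2.2.5: group membership decides, regardless of
    uidNumber (assumption: root gets no implicit exemption)."""
    return is_domain_admin(uid, users, groups)


def compare_rules(users: Users = USERS, groups: Groups = GROUPS) -> Dict[str, Tuple[bool, bool]]:
    """Side-by-side decision per user: (legacy uid==0 rule, group rule)."""
    return {uid: (legacy_may_write(uid, users), may_write_backend(uid, users, groups))
            for uid in users}


if __name__ == "__main__":
    for uid, (legacy, proposed) in compare_rules().items():
        print(f"{uid:6} uid==0: {legacy!s:5}  domain admin: {proposed}")
```

The comparison makes the trade-off visible: the uid == 0 rule lets only root through, so an LDAP-backed "Domain Admins" member such as alice is refused, while the group rule admits exactly the accounts the directory marks as domain admins and nobody else.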


Known BUGS and WORKAROUND used
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Samba 2.2.2 has at least one bug: rid/primaryGroupID are read from LDAP as
hex, but written as decimal. Fixed in CVS by reading as decimal. By default
smbldap-useradd.pl writes decimal to LDAP. Use -x to support the odd
behaviour.

The samba-2.2.4-ldapbindnotuid0.patch is not a perfect solution, however,
as the check is there because Samba stores admin credentials to establish the
LDAP connection. The uid == 0 check was to ensure that a normal user could
not get write access to the LDAP backend. A more logical solution for 2.2.5
would be to check whether the user is a member of the domain admin group
(reported to Jeremy and Gerald, 2002-05-28).

# - The End