| field | value | date |
|---|---|---|
| author | John Terpstra <jht@samba.org> | 2005-03-05 03:51:38 +0000 |
| committer | Gerald W. Carter <jerry@samba.org> | 2008-04-23 08:46:14 -0500 |
| commit | c628d7ccef99da0823dc2efe8a445aa694f42274 (patch) | |
| tree | 9a5f3a95bdc3879f78529f2b01aad408c430a11b | |
| parent | fa085d07268066e85aba8ee8c854cad0bef5972d (diff) | |
| download | samba-c628d7ccef99da0823dc2efe8a445aa694f42274.tar.gz samba-c628d7ccef99da0823dc2efe8a445aa694f42274.tar.bz2 samba-c628d7ccef99da0823dc2efe8a445aa694f42274.zip | |
Further update. More to come.
(This used to be commit 1d67ac9ef1ea60a1ba695b7eebc7e00aa3d401d6)
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/Samba-Guide/Chap06-MakingHappyUsers.xml | 123 |
1 files changed, 92 insertions, 31 deletions
diff --git a/docs/Samba-Guide/Chap06-MakingHappyUsers.xml b/docs/Samba-Guide/Chap06-MakingHappyUsers.xml index 21a328cedb..be719ae867 100644 --- a/docs/Samba-Guide/Chap06-MakingHappyUsers.xml +++ b/docs/Samba-Guide/Chap06-MakingHappyUsers.xml @@ -11,11 +11,6 @@ <chapter id="happy"> <title>Making Happy Users</title> -<note><para> -This chapter is under reconstruction/modification. The data here is incomplete at this time. -Please check back in a few days time as the contents are undergoing change. -</para></note> - <para> It has been said, <quote>A day that is without troubles is not fulfilling. Rather, give me a day of troubles well handled so that I can be content with my achievements.</quote> 
@@ -1090,8 +1085,43 @@ drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap This may require you to add a user and a group account for LDAP if they do not exist. </para></step> + <step><para><indexterm><primary>DB_CONFIG</primary></indexterm> + Install the file shown in <link linkend="ch6-dbconf"/> in the directory + <filename>/data/ldap</filename>. In the event that this file is added after <constant>ldap</constant> + has been started, it is possible to cause the new settings to take effect by shutting down + the <constant>LDAP</constant> server, executing the <command>db_recover</command> command inside the + <filename>/data/ldap</filename> directory, and then restarting the <constant>LDAP</constant> server. + </para></step> + + <step><para><indexterm><primary>syslog</primary></indexterm> + Performance logging can be enabled and should preferrably be sent to a file on + a file system that is large enough to handle significantly sized logs. To enable + the logging at a verbose level to permit detailed analysis uncomment the entry in + the <filename>/etc/openldap/slapd.conf</filename> shown as <quote>loglevel 256</quote>. + </para> + + <para> + Edit the <filename>/etc/syslog.conf</filename> file to add the following at the end + of the file: +<screen> +local4.* -/data/ldap/log/openldap.log +</screen> + Note: The path <filename>/data/ldap/log</filename> should be set a a location + that is convenient and that can store a large volume of data. + </para></step> + </procedure> +<example id="ch6-dbconf"> +<title>LDAP DB_CONFIG File</title> +<screen> +set_cachesize 0 150000000 1 +set_lg_regionmax 262144 +set_lg_bsize 2097152 +#set_lg_dir /var/log/bdb +set_flags DB_LOG_AUTOREMOVE +</screen> +</example> <example id="ch6-slapdconf"> <title>LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename></title> 
@@ -1105,11 +1135,27 @@ include /etc/openldap/schema/samba3.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args +access to dn.base="" + by self write + by * auth + +access to attr=userPassword + by self write + by * auth + +access to attr=shadowLastChange + by self write + by * read + access to * - by self write - by users read + by * read by anonymous auth +#loglevel 256 + +schemacheck on +idletimeout 30 +backend bdb database bdb checkpoint 1024 5 cachesize 10000 @@ -1556,7 +1602,7 @@ SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 <smbconfoption><name>idmap gid</name><value>10000-20000</value></smbconfoption> <smbconfoption><name>map acl inherit</name><value>Yes</value></smbconfoption> <smbconfoption><name>printing</name><value>cups</value></smbconfoption> - <smbconfoption><name>printer admin</name><value>Administrator, chrisr</value></smbconfoption> + <smbconfoption><name>printer admin</name><value>root, chrisr</value></smbconfoption> </smbconfexample> </sect2> @@ -2019,7 +2065,7 @@ Starting ldap-server done <step><para> Execute the script that will populate the LDAP database as shown here: <screen> -&rootprompt; ./smbldap-populate.pl +&rootprompt; ./smbldap-populate </screen> The expected output from this is: <screen> @@ -2191,11 +2237,11 @@ result: 0 Success You must now make certain that the NSS resolver can interrogate LDAP also. Execute the following commands: <screen> -&rootprompt; getent passwd | grep Administrator -Administrator:x:998:512:Netbios Domain Administrator:/home:/bin/false +&rootprompt; getent passwd | grep root +root:x:998:512:Netbios Domain Administrator:/home:/bin/false &rootprompt; getent group | grep Domain -Domain Admins:x:512:Administrator +Domain Admins:x:512:root Domain Users:x:513: Domain Guests:x:514: Domain Computers:x:553: 
@@ -2237,7 +2283,7 @@ Retype new SMB password: XXXXXXXX <screen> &rootprompt; getent passwd ... -Administrator:x:998:512:Netbios Domain Administrator:/home:/bin/false +root:x:998:512:Netbios Domain Administrator:/home:/bin/false nobody:x:999:514:nobody:/dev/null:/bin/false bobj:x:1000:513:System User:/home/bobj:/bin/bash stans:x:1001:513:System User:/home/stans:/bin/bash @@ -2251,17 +2297,28 @@ uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users) </para></step> <step><para><indexterm> - <primary>smbldap-usermod.pl</primary> + <primary>smbldap-usermod</primary> </indexterm> - In the above listing, you can see that the user <constant>Administrator</constant> + In the above listing, you can see that the user <constant>root</constant> has been given UID=998. This means that operations conducted from a Windows client using tools such as the Domain User Manager fails under UNIX because the management of user and group accounts requires that the UID=0. You decide to rectify this immediately as demonstrated here: <screen> &rootprompt; cd /opt/IDEALX/sbin -&rootprompt; ./smbldap-usermod.pl -u 0 Administrator +&rootprompt; ./smbldap-usermod -u 0 -d /root -s /bin/bash root +</screen> + </para></step> + + <step><para> + Verify that the changes just made to the <constant>root</constant> account were + accepted by executing: +<screen> +&rootprompt; getent passwd | grep root +root:x:0:0:root:/root:/bin/bash +root:x:0:512:Netbios Domain Administrator:/root:/bin/bash </screen> + This demonstrates that the changes were accepted. </para></step> <step><para> @@ -2296,7 +2353,7 @@ Primary Group SID: S-1-5-21-3504140859-1010554828-2431957765-513 Full Name: System User Home Directory: \\MASSIVE\homes HomeDir Drive: H: -Logon Script: chrisr.cmd +Logon Script: scripts\login.cmd Profile Path: \\MASSIVE\profiles\chrisr Domain: MEGANET2 Account desc: System User 
@@ -2308,19 +2365,22 @@ Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT Password last set: Wed, 17 Dec 2003 17:17:40 GMT Password can change: Wed, 17 Dec 2003 17:17:40 GMT Password must change: Mon, 18 Jan 2038 20:14:07 GMT +Last bad password : 0 +Bad password count : 0 +Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF </screen> This looks good. Of course, you fully expected that it would all work, didn't you? </para></step> <step><para><indexterm> - <primary>smbldap-groupadd.pl</primary> + <primary>smbldap-groupadd</primary> </indexterm> Now you add the group accounts that are used on the Abmas network. Execute the following exactly as shown: <screen> -&rootprompt; ./smbldap-groupadd.pl -a Accounts -&rootprompt; ./smbldap-groupadd.pl -a Finances -&rootprompt; ./smbldap-groupadd.pl -a PIOps +&rootprompt; ./smbldap-groupadd -a Accounts +&rootprompt; ./smbldap-groupadd -a Finances +&rootprompt; ./smbldap-groupadd -a PIOps </screen> The addition of groups does not involve keyboard interaction, so the lack of console output is of no concern. @@ -2334,7 +2394,7 @@ Password must change: Mon, 18 Jan 2038 20:14:07 GMT <screen> &rootprompt; getent group ... -Domain Admins:x:512:Administrator +Domain Admins:x:512:root Domain Users:x:513:bobj,stans,chrisr,maryv Domain Guests:x:514: ... @@ -2393,7 +2453,7 @@ PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps localhost interface. This requires a Domain account for the PDC. This account can be easily created by joining the PDC to the Domain by executing the following command: <screen> -&rootprompt; net rpc join -U Administrator%not24get +&rootprompt; net rpc join -U root%not24get Joined domain MEGANET2. </screen> This indicates that the Domain security account for the BDC has been correctly created. 
@@ -2619,7 +2679,7 @@ daemon:x:2:2:Daemon:/sbin:/bin/bash lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false ... -Administrator:x:0:512:Netbios Domain Administrator:/home:/bin/false +root:x:0:512:Netbios Domain Administrator:/root:/bin/bash nobody:x:999:514:nobody:/dev/null:/bin/false bobj:x:1000:513:System User:/home/bobj:/bin/bash stans:x:1001:513:System User:/home/stans:/bin/bash @@ -2643,7 +2703,7 @@ bin:x:1:daemon daemon:x:2: sys:x:3: ... -Domain Admins:x:512:Administrator +Domain Admins:x:512:root Domain Users:x:513:bobj,stans,chrisr,maryv,jht Domain Guests:x:514: Administrators:x:544: @@ -2699,7 +2759,7 @@ Storing SID S-1-5-21-3504140859-1010554828-2431957765 \ <step><para> To join the Samba BDC to the Domain execute the following: <screen> -&rootprompt; net rpc join -U Administrator%not24get +&rootprompt; net rpc join -U root%not24get Joined domain MEGANET2. </screen> This indicates that the Domain security account for the BDC has been correctly created. @@ -2712,7 +2772,7 @@ Joined domain MEGANET2. Verify that user and group account resolution works via Samba-3 tools as follows: <screen> &rootprompt; pdbedit -L -Administrator:0:Administrator +root:0:root nobody:65534:nobody bobj:1000:System User stans:1001:System User @@ -2843,7 +2903,7 @@ smb: \> q <smbconfoption><name>idmap uid</name><value>10000-20000</value></smbconfoption> <smbconfoption><name>idmap gid</name><value>10000-20000</value></smbconfoption> <smbconfoption><name>printing</name><value>cups</value></smbconfoption> - <smbconfoption><name>printer admin</name><value>Administrator, chrisr</value></smbconfoption> + <smbconfoption><name>printer admin</name><value>root, chrisr</value></smbconfoption> </smbconfexample> 
@@ -2881,7 +2941,7 @@ smb: \> q <smbconfoption><name>idmap uid</name><value>10000-20000</value></smbconfoption> <smbconfoption><name>idmap gid</name><value>10000-20000</value></smbconfoption> <smbconfoption><name>printing</name><value>cups</value></smbconfoption> - <smbconfoption><name>printer admin</name><value>Administrator, chrisr</value></smbconfoption> + <smbconfoption><name>printer admin</name><value>root, chrisr</value></smbconfoption> </smbconfexample> @@ -2948,7 +3008,7 @@ smb: \> q <smbconfoption><name>browseable</name><value>yes</value></smbconfoption> <smbconfoption><name>guest ok</name><value>no</value></smbconfoption> <smbconfoption><name>read only</name><value>yes</value></smbconfoption> - <smbconfoption><name>write list</name><value>Administrator, chrisr</value></smbconfoption> + <smbconfoption><name>write list</name><value>root, chrisr</value></smbconfoption> </smbconfexample> <example id="ch6-ldifadd"> @@ -3478,7 +3538,8 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ <step><para> After the machine has re-booted, log onto the workstation as the domain - <constant>Administrator</constant>. + <constant>root</constant> (this is the Administrator account for the + operating system that is the host platform for this implementation of Samba. </para></step> <step><para> |
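Review bot: the syslog step added in the @@ -1090 hunk never tells the reader to create the `/data/ldap/log` directory or to make syslogd re-read `/etc/syslog.conf`, so the new `local4.* -/data/ldap/log/openldap.log` line has no effect until syslogd is restarted or signalled; add a step that creates the directory (writable by syslogd) and restarts or HUPs syslogd after the edit. Two typos in the same hunk: "preferrably" should be "preferably" and "set a a location" should be "set at a location". In the `ch6-dbconf` example, `set_flags DB_LOG_AUTOREMOVE` makes Berkeley DB delete transaction log files as soon as they are no longer needed for normal recovery, which rules out catastrophic recovery from archived logs; a sentence saying that this trade-off is intentional and that regular `slapcat` dumps are the recovery path would help the reader judge it.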
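Review bot: the rewritten `access to *` rule in the @@ -1105 hunk is less restrictive than the one it replaces. The old `by users read` / `by anonymous auth` pair let authenticated users read and limited anonymous to binding; the new `by * read` also matches anonymous, and because slapd uses the first `by` clause that matches the requester, the `by anonymous auth` line that follows is never reached, so the whole tree becomes readable without a bind. Suggest restoring `by users read` ahead of `by anonymous auth`. Separately, the new `access to attr=userPassword` rule covers only that attribute; the `samba3.schema` included at the top of this file stores the LM and NT hashes in `sambaLMPassword` and `sambaNTPassword`, which fall through to the catch-all read rule. Write it as `access to attrs=userPassword,sambaLMPassword,sambaNTPassword` with `by self write` / `by * auth` so that those hashes are not readable by other directory users.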
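Review bot: the new verification step in the @@ -2251 hunk shows two `root` lines from `getent passwd | grep root` but does not explain them: the first (uid 0, gid 0, `/root`) is the local `/etc/passwd` entry and the second (uid 0, gid 512, "Netbios Domain Administrator") is the LDAP entry just modified. Which of the two NSS returns for a name or uid lookup depends on the order in `/etc/nsswitch.conf`, so state that `files` must precede `ldap` so that local root logins never depend on the directory being reachable, and mention that `smbldap-usermod -u 0` left the LDAP account's primary group at 512. Minor grammar in the same hunk: "operations conducted from a Windows client ... fails" should read "fail".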
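Review bot: `net rpc join -U root%not24get` in the @@ -2393 hunk (and again for the BDC join in the @@ -2699 hunk) puts the password on the command line, where it is visible to every local user through `ps` and is likely to land in the shell history; prefer `-U root` and let `net` prompt for the password, or add a sentence that the inline form is shown for illustration only. Also, the context lines in the @@ -2393 hunk say this join creates "a Domain account for the PDC", while the sentence after the `<screen>` concludes that "the Domain security account for the BDC has been correctly created"; one of the two should be corrected.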
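Review bot: the new sentence in the @@ -3478 hunk opens a parenthesis that is never closed ("(this is the Administrator account for the operating system that is the host platform for this implementation of Samba."). Beyond the punctuation, the wording conflates the workstation's local Administrator with the domain account: the reader logs on with the domain user named `root`, the LDAP account that was given UID 0 and carries the "Netbios Domain Administrator" gecos earlier in the chapter. Suggest: "log onto the workstation as the domain user <constant>root</constant> (the account that was given UID 0 above and serves as the domain Administrator)."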