From c628d7ccef99da0823dc2efe8a445aa694f42274 Mon Sep 17 00:00:00 2001
From: John Terpstra
Date: Sat, 5 Mar 2005 03:51:38 +0000
Subject: Further update. More to come.
(This used to be commit 1d67ac9ef1ea60a1ba695b7eebc7e00aa3d401d6)
---
 docs/Samba-Guide/Chap06-MakingHappyUsers.xml | 123 ++++++++++++++++++++-------
 1 file changed, 92 insertions(+), 31 deletions(-)
(limited to 'docs/Samba-Guide/Chap06-MakingHappyUsers.xml')
diff --git a/docs/Samba-Guide/Chap06-MakingHappyUsers.xml b/docs/Samba-Guide/Chap06-MakingHappyUsers.xml
index 21a328cedb..be719ae867 100644
--- a/docs/Samba-Guide/Chap06-MakingHappyUsers.xml
+++ b/docs/Samba-Guide/Chap06-MakingHappyUsers.xml
@@ -11,11 +11,6 @@ Making Happy Users
-
-This chapter is under reconstruction/modification. The data here is incomplete at this time.
-Please check back in a few days time as the contents are undergoing change.
-
-
 It has been said, A day that is without troubles is not fulfilling. Rather, give me a day of troubles well handled so that I can be content with my achievements.
@@ -1090,8 +1085,43 @@ drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap
 This may require you to add a user and a group account for LDAP if they do not exist.
+ DB_CONFIG
+ Install the file shown in in the directory
+ /data/ldap. In the event that this file is added after ldap
+ has been started, it is possible to cause the new settings to take effect by shutting down
+ the LDAP server, executing the db_recover command inside the
+ /data/ldap directory, and then restarting the LDAP server.
+
+
+ syslog
+ Performance logging can be enabled and should preferrably be sent to a file on
+ a file system that is large enough to handle significantly sized logs. To enable
+ the logging at a verbose level to permit detailed analysis uncomment the entry in
+ the /etc/openldap/slapd.conf shown as loglevel 256.
+
+
+
+ Edit the /etc/syslog.conf file to add the following at the end
+ of the file:
+
+local4.* -/data/ldap/log/openldap.log
+
+ Note: The path /data/ldap/log should be set a a location
+ that is convenient and that can store a large volume of data.
+
+
+
+LDAP DB_CONFIG File
+
+set_cachesize 0 150000000 1
+set_lg_regionmax 262144
+set_lg_bsize 2097152
+#set_lg_dir /var/log/bdb
+set_flags DB_LOG_AUTOREMOVE
+
+
 LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename>
@@ -1105,11 +1135,27 @@ include /etc/openldap/schema/samba3.schema
 pidfile /var/run/slapd/slapd.pid
 argsfile /var/run/slapd/slapd.args
+access to dn.base=""
+ by self write
+ by * auth
+
+access to attr=userPassword
+ by self write
+ by * auth
+
+access to attr=shadowLastChange
+ by self write
+ by * read
+
 access to *
- by self write
- by users read
+ by * read
 by anonymous auth
+#loglevel 256
+
+schemacheck on
+idletimeout 30
+backend bdb
 database bdb
 checkpoint 1024 5
 cachesize 10000
@@ -1556,7 +1602,7 @@ SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765
 idmap gid10000-20000
 map acl inheritYes
 printingcups
- printer adminAdministrator, chrisr
+ printer adminroot, chrisr
@@ -2019,7 +2065,7 @@ Starting ldap-server done
 Execute the script that will populate the LDAP database as shown here:
-&rootprompt; ./smbldap-populate.pl
+&rootprompt; ./smbldap-populate
 The expected output from this is:
@@ -2191,11 +2237,11 @@ result: 0 Success
 You must now make certain that the NSS resolver can interrogate LDAP also. Execute the following commands:
-&rootprompt; getent passwd | grep Administrator
-Administrator:x:998:512:Netbios Domain Administrator:/home:/bin/false
+&rootprompt; getent passwd | grep root
+root:x:998:512:Netbios Domain Administrator:/home:/bin/false
 &rootprompt; getent group | grep Domain
-Domain Admins:x:512:Administrator
+Domain Admins:x:512:root
 Domain Users:x:513:
 Domain Guests:x:514:
 Domain Computers:x:553:
@@ -2237,7 +2283,7 @@ Retype new SMB password: XXXXXXXX
 &rootprompt; getent passwd
 ...
-Administrator:x:998:512:Netbios Domain Administrator:/home:/bin/false
+root:x:998:512:Netbios Domain Administrator:/home:/bin/false
 nobody:x:999:514:nobody:/dev/null:/bin/false
 bobj:x:1000:513:System User:/home/bobj:/bin/bash
 stans:x:1001:513:System User:/home/stans:/bin/bash
@@ -2251,17 +2297,28 @@ uid=1002(chrisr) gid=513(Domain Users) groups=513(Domain Users)
- smbldap-usermod.pl
+ smbldap-usermod
- In the above listing, you can see that the user Administrator
+ In the above listing, you can see that the user root
 has been given UID=998. This means that operations conducted from a Windows client using tools such as the Domain User Manager fails under UNIX because the management of user and group accounts requires that the UID=0. You decide to rectify this immediately as demonstrated here:
 &rootprompt; cd /opt/IDEALX/sbin
-&rootprompt; ./smbldap-usermod.pl -u 0 Administrator
+&rootprompt; ./smbldap-usermod -u 0 -d /root -s /bin/bash root
+
+
+
+ Verify that the changes just made to the root account were
+ accepted by executing:
+
+&rootprompt; getent passwd | grep root
+root:x:0:0:root:/root:/bin/bash
+root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
+
 This demonstrates that the changes were accepted.
@@ -2296,7 +2353,7 @@ Primary Group SID: S-1-5-21-3504140859-1010554828-2431957765-513
 Full Name: System User
 Home Directory: \\MASSIVE\homes
 HomeDir Drive: H:
-Logon Script: chrisr.cmd
+Logon Script: scripts\login.cmd
 Profile Path: \\MASSIVE\profiles\chrisr
 Domain: MEGANET2
 Account desc: System User
@@ -2308,19 +2365,22 @@ Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT
 Password last set: Wed, 17 Dec 2003 17:17:40 GMT
 Password can change: Wed, 17 Dec 2003 17:17:40 GMT
 Password must change: Mon, 18 Jan 2038 20:14:07 GMT
+Last bad password : 0
+Bad password count : 0
+Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
 This looks good. Of course, you fully expected that it would all work, didn't you?
- smbldap-groupadd.pl
+ smbldap-groupadd
 Now you add the group accounts that are used on the Abmas network. Execute the following exactly as shown:
-&rootprompt; ./smbldap-groupadd.pl -a Accounts
-&rootprompt; ./smbldap-groupadd.pl -a Finances
-&rootprompt; ./smbldap-groupadd.pl -a PIOps
+&rootprompt; ./smbldap-groupadd -a Accounts
+&rootprompt; ./smbldap-groupadd -a Finances
+&rootprompt; ./smbldap-groupadd -a PIOps
 The addition of groups does not involve keyboard interaction, so the lack of console output is of no concern.
@@ -2334,7 +2394,7 @@ Password must change: Mon, 18 Jan 2038 20:14:07 GMT
 &rootprompt; getent group
 ...
-Domain Admins:x:512:Administrator
+Domain Admins:x:512:root
 Domain Users:x:513:bobj,stans,chrisr,maryv
 Domain Guests:x:514:
 ...
@@ -2393,7 +2453,7 @@ PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps
 localhost interface. This requires a Domain account for the PDC. This account can be easily created by joining the PDC to the Domain by executing the following command:
-&rootprompt; net rpc join -U Administrator%not24get
+&rootprompt; net rpc join -U root%not24get
 Joined domain MEGANET2.
 This indicates that the Domain security account for the BDC has been correctly created.
@@ -2619,7 +2679,7 @@ daemon:x:2:2:Daemon:/sbin:/bin/bash
 lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
 mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
 ...
-Administrator:x:0:512:Netbios Domain Administrator:/home:/bin/false
+root:x:0:512:Netbios Domain Administrator:/root:/bin/bash
 nobody:x:999:514:nobody:/dev/null:/bin/false
 bobj:x:1000:513:System User:/home/bobj:/bin/bash
 stans:x:1001:513:System User:/home/stans:/bin/bash
@@ -2643,7 +2703,7 @@ bin:x:1:daemon
 daemon:x:2:
 sys:x:3:
 ...
-Domain Admins:x:512:Administrator
+Domain Admins:x:512:root
 Domain Users:x:513:bobj,stans,chrisr,maryv,jht
 Domain Guests:x:514:
 Administrators:x:544:
@@ -2699,7 +2759,7 @@ Storing SID S-1-5-21-3504140859-1010554828-2431957765 \
 To join the Samba BDC to the Domain execute the following:
-&rootprompt; net rpc join -U Administrator%not24get
+&rootprompt; net rpc join -U root%not24get
 Joined domain MEGANET2.
 This indicates that the Domain security account for the BDC has been correctly created.
@@ -2712,7 +2772,7 @@ Joined domain MEGANET2.
 Verify that user and group account resolution works via Samba-3 tools as follows:
 &rootprompt; pdbedit -L
-Administrator:0:Administrator
+root:0:root
 nobody:65534:nobody
 bobj:1000:System User
 stans:1001:System User
@@ -2843,7 +2903,7 @@ smb: \> q
 idmap uid10000-20000
 idmap gid10000-20000
 printingcups
- printer adminAdministrator, chrisr
+ printer adminroot, chrisr
@@ -2881,7 +2941,7 @@ smb: \> q
 idmap uid10000-20000
 idmap gid10000-20000
 printingcups
- printer adminAdministrator, chrisr
+ printer adminroot, chrisr
@@ -2948,7 +3008,7 @@ smb: \> q
 browseableyes
 guest okno
 read onlyyes
- write listAdministrator, chrisr
+ write listroot, chrisr
@@ -3478,7 +3538,8 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\
 After the machine has re-booted, log onto the workstation as the domain
- Administrator.
+ root (this is the Administrator account for the
+ operating system that is the host platform for this implementation of Samba.
-- cgit