After much searching, research, compiling, and some guess work, I found my problem was wrapped around one simple fact. I didn't have the samba.schema included.

I now have some suggestions:

1. If you are going to force people to use something complex, DOCUMENT it. Assume there are people like me who have no understanding of ldap. Even some automatic script should be written for people who need LDAP for distribution but plan to use LDAP for absolutely NOTHING else.

2. Then make a simple shared daemon called "unixmapd" or something that works like WINS. Everyone can attach to one simple server and see the maps... Whoever gets a resolve first, adds the new entry. So if "ENG\joe" logs into server "bozo" and "bozo" sees there isn't a map in the "unixmapd", then it contributes it. It's that simple!

Just my thoughts,
JMS
Josh Skains wrote:
> 1. If you are going to force people to use something complex, DOCUMENT it. Assume there are people like me who have no understanding of ldap. Even some automatic script should be written for people who need LDAP for distribution but plan to use LDAP for absolutely NOTHING else.

This part has been discussed before, and there are a whole lot of LDAP servers and versions that all do things differently. Even though most people 'round here use openldap there are many Sun (I should know their server name), and other ldap servers in use; I'd be surprised if there aren't even a couple people here that put their idmap in their active directory's LDAP server.

I think that at least the 'include the schema file' part was in the documentation where you found the samba.schema file, but I could be wrong. I'm away from my machines and documentation today :-/

-- 
Paul Gienger                      Office: 701-281-1884
Applied Engineering Inc.          Cell:   701-306-6254
Information Systems Consultant    Fax:    701-281-1322
URL: www.ae-solutions.com         mailto:pgienger@ae-solutions.com
On Thu, 2004-06-10 at 13:11, Josh Skains wrote:
> After much searching, research, compiling, and some guess work, I found my problem was wrapped around one simple fact. I didn't have the samba.schema included.
> 
> I now have some suggestions:
> 
> 1. If you are going to force people to use something complex, DOCUMENT it. Assume there are people like me who have no understanding of ldap. Even some automatic script should be written for people who need LDAP for distribution but plan to use LDAP for absolutely NOTHING else.
> 
> 2. Then make a simple shared daemon called "unixmapd" or something that works like WINS. Everyone can attach to one simple server and see the maps... Whoever gets a resolve first, adds the new entry. So if "ENG\joe" logs into server "bozo" and "bozo" sees there isn't a map in the "unixmapd", then it contributes it. It's that simple!
> 
> Just my thoughts,
----
Your thoughts rely upon an assumption that is clearly false...that ldap is usable without understanding it, that understanding it is digestible in some easy form and that documentation doesn't exist.

I have posted this a few times the past 6 months but new users seem to pop up without fully digesting the archives.

- LDAP is a learning curve all to its own. It may be harder to learn than any other that you have learned; certainly the concepts can be more difficult to grasp than things like BIND, sendmail, apache.

- LDAP has no pat setup. There are a lot of LDAP providers (openldap, sun, novell, etc.) and there are a number of different versions being circulated, even by the same providers.

- It makes little sense to use LDAP for Samba and not local system user accounts, and why would you think that you can use LDAP for local account security without fully digesting the implications and the technology?

- Once you understand LDAP, and can add, delete, search from the command line, integrating it with samba is easy. If you don't understand LDAP, integrating it with mail, ftp, ssh etc. is just another hurdle, just like samba.

As for the documentation...John has written 2 excellent books, both available at the book store and accessible in the documentation link on the samba web site...Samba 3 HOW-TO and Samba 3 by Example

Craig
You said:
--------------
Your thoughts rely upon an assumption that is clearly false...that ldap is usable without understanding it, that understanding it is digestible in some easy form and that documentation doesn't exist.
--------------
I say:
--------------
First off, you are saying a lot that is "clearly false". LDAP can be used blindly in this case. All I needed is a way to avoid having winbind on system A from assigning UIDs on system B that is different. If the UIDs are not identical on all member unix servers, it screws up permissions on issues like NFS, which still has applications in my world. I can toss water in a bucket without knowing how to chemically create the plastic.
--------------
You say:
--------------
I have posted this a few times the past 6 months but new users seem to pop up without fully digesting the archives.
--------------
I say:
--------------
Sorry, but some of us have bosses and timeframes. Taking bits and pieces of different cases, documents, and posts and trying to make them all fit isn't easy. I finally did it, and now it works fine. I also understand what I did and see that it isn't hard once you understand it; it's just a matter of "connecting the dots". I have areas that you most likely aren't as good at.. You have areas that I most likely am not good at. If you came to me and asked me about one of my areas, I certainly won't be stomping around screaming the traditional "RTFM".
--------------
You say:
--------------
- LDAP is a learning curve all to its own. It may be harder to learn than any other that you have learned; certainly the concepts can be more difficult to grasp than things like BIND, sendmail, apache.
--------------
I say:
--------------
Oh please. It isn't THAT complex, once you start to grasp it. Sure, I can see it getting more and more complex in larger applications, but sheesh, we are talking such a simple application here. My problem was just putting the different pieces together.
--------------
You say:
--------------
- LDAP has no pat setup. There are a lot of LDAP providers (openldap, sun, novell, etc.) and there are a number of different versions being circulated, even by the same providers.
--------------
I say:
--------------
When someone comes in like me who doesn't have a need for LDAP in ANY OTHER application, then it does have a pat setup. You can say "our automated package only supports OpenLDAP. If you need LDAP for bigger things or want to use a different server, it is suggested you understand LDAP first and do the install manually".
--------------
You say:
--------------
- It makes little sense to use LDAP for Samba and not local system user accounts, and why would you think that you can use LDAP for local account security without fully digesting the implications and the technology?
--------------
I say:
--------------
I don't need local accounts. I am using winbind. Did you even read my posts, or were you just too busy looking for someone to put down cause you are in a bad mood?
--------------

Whatever... Anyways....

JMS
Yes, your Majesty. I am so sorry to disturb your humble mailbox. Next time, just ignore the post.

JMS

-----Original Message-----
From: Craig White [mailto:craigwhite@azapple.com]
Sent: Thu 6/10/2004 6:20 PM
To: Josh Skains
Cc: samba@lists.samba.org
Subject: RE: [Samba] Fixed it myself... (ldap/winbind)

On Thu, 2004-06-10 at 14:21, Josh Skains wrote:
> You said:
> --------------
> Your thoughts rely upon an assumption that is clearly false...that
> ldap is usable without understanding it, that understanding it is
> digestible in some easy form and that documentation doesn't exist.
> --------------
> 
> I say:
> --------------
> First off, you are saying a lot that is "clearly false". LDAP can be used blindly in this case. All I needed is a way to avoid having winbind on system A from assigning UIDs on system B that is different. If the UIDs are not identical on all member unix servers, it screws up permissions on issues like NFS, which still has applications in my world.
----
That is the point of LDAP - you set it up to maintain your unix accounts and the member machines use it for authentication. Therefore, 1 user, 1 account on all machines that use LDAP for authentication. The alternative to LDAP for this is NIS and that is not convergent with samba. If you use winbind to assign uids, they WILL be different on each machine using winbind. Welcome to the jungle.

I'm glad for you that LDAP can be used blindly in this case. I was hoping that you are gonna show us how, real soon now.
----
> I say:
> --------------
> Sorry, but some of us have bosses and timeframes.
----
Tell the boss that this is complicated stuff, that you need to learn it to get it right. Please don't hammer us with your time frames.
----
> You say:
> --------------
> - It makes little sense to use LDAP for Samba and not local system user
> accounts, and why would you think that you can use LDAP for local
> account security without fully digesting the implications and the
> technology?
> --------------
> 
> I say:
> --------------
> I don't need local accounts. I am using winbind. Did you even read my posts, or were you just too busy looking for someone to put down cause you are in a bad mood?
----
Yes, I read your posts and scratched my head because of your naivety. But the arrogance of your suggestions wasn't something I couldn't let pass. If you are using winbind to get local account services for unix users, why are you not using it (server = [domain|ads] ) for smb users? I cannot envision a scenario where your plan makes sense.

Yes, I read your posts and thought that they were presumptuous that they asked for LDAP help and this is a samba message base. Clue...there are many LDAP lists that provide support of LDAP. You say, the only reason you want to use LDAP is to interact with samba and therefore, samba should make LDAP easy. Of course, the samba list members should help you with your lack of understanding of LDAP too.

Good luck

Craig
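Two concrete technical points run through the thread: winbind's default per-machine idmap hands "ENG\joe" a different uid on every member server (which is what breaks NFS permissions), and pointing winbind at a shared LDAP idmap store only works once slapd has loaded samba.schema, the include Josh's first post says was missing. The shell script below is an added example, not code from this thread or from the Samba project. It writes constructed slapd.conf and smb.conf fragments (the hostname, DNs and uid/gid ranges are made up) and checks them the way a preflight script would before restarting slapd and winbindd. The smb.conf parameter names (idmap backend, ldap idmap suffix, idmap uid, idmap gid) and the ldap:ldap://host URL form are Samba 3.0's; the schema dependency list is OpenLDAP's requirement for samba.schema.

```shell
#!/bin/sh
# Added example (not from the list thread or the Samba project): preflight
# checks for a winbind LDAP idmap setup. File contents are constructed.

# Constructed slapd.conf fragment in its corrected form. The failure
# described in the thread was the missing "include .../samba.schema" line;
# samba.schema references attribute types from the four schemas before it,
# so they must be included first (slapd processes includes in file order).
write_sample_slapd_conf() {
    cat > "$1" <<'EOF'
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
suffix  "dc=example,dc=com"
rootdn  "cn=Manager,dc=example,dc=com"
EOF
}

# Constructed Samba 3 smb.conf fragment for a domain member server.
# Every member that points at the same idmap suffix resolves ENG\joe to
# the same uid, which is what consistent NFS permissions need.
write_sample_smb_conf() {
    cat > "$1" <<'EOF'
[global]
   security = domain
   idmap backend = ldap:ldap://ldap.example.com
   ldap admin dn = cn=Manager,dc=example,dc=com
   ldap suffix = dc=example,dc=com
   ldap idmap suffix = ou=Idmap
   idmap uid = 10000-20000
   idmap gid = 10000-20000
EOF
}

# Return 0 if samba.schema is included and every schema it depends on is
# included on an earlier line; return 1 otherwise.
slapd_has_samba_schema() {
    conf="$1"
    samba_line=$(grep -n '^include.*samba\.schema' "$conf" | head -n1 | cut -d: -f1)
    [ -n "$samba_line" ] || return 1
    for dep in core cosine inetorgperson nis; do
        dep_line=$(grep -n "^include.*/${dep}\.schema" "$conf" | head -n1 | cut -d: -f1)
        [ -n "$dep_line" ] || return 1
        [ "$dep_line" -lt "$samba_line" ] || return 1
    done
    return 0
}

# Return 0 if winbind is told to keep its idmap in LDAP (shared across
# members) rather than the default local tdb that gives per-machine uids.
smb_idmap_is_shared() {
    grep -Eq '^[[:space:]]*idmap backend[[:space:]]*=[[:space:]]*ldap' "$1"
}

# Stand-alone run: build the sample files and report both checks.
if [ "${1:-}" = "--demo" ]; then
    tmpdir=$(mktemp -d)
    write_sample_slapd_conf "$tmpdir/slapd.conf"
    write_sample_smb_conf "$tmpdir/smb.conf"
    slapd_has_samba_schema "$tmpdir/slapd.conf" && echo "slapd.conf: samba.schema ok"
    smb_idmap_is_shared "$tmpdir/smb.conf" && echo "smb.conf: idmap stored in LDAP"
    rm -rf "$tmpdir"
fi
```

On a real host, run slapd_has_samba_schema against /etc/openldap/slapd.conf and smb_idmap_is_shared against /etc/samba/smb.conf before restarting the daemons; the ordering check matters because slapd refuses to start when samba.schema names an attribute type that an earlier include has not defined, which shows up as a start-up error rather than a winbind symptom.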