Diffstat (limited to 'examples/LDAP/smbldap-tools/INFRASTRUCTURE')
-rw-r--r--examples/LDAP/smbldap-tools/INFRASTRUCTURE93
1 files changed, 0 insertions, 93 deletions
diff --git a/examples/LDAP/smbldap-tools/INFRASTRUCTURE b/examples/LDAP/smbldap-tools/INFRASTRUCTURE
deleted file mode 100644
index 8ea07ead44b..00000000000
--- a/examples/LDAP/smbldap-tools/INFRASTRUCTURE
+++ /dev/null
@@ -1,93 +0,0 @@
-# $Source: /home/cvs/samba/examples/LDAP/smbldap-tools/INFRASTRUCTURE,v $
-#
-## Some notes about the architecture
-
-
-Global Architecture for smbdlap-tools
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-
-smbldap-tools help you manage users and groups for Unix and Samba,
-using LDAP. They may be used in any context, and are kept relatively
-simplier enought to let you customize them to you needs.
-
-They need the following objectClasses to work:
- . sambaAccount: from samba.schema for Samba 2.2 branch
- . posixAccount and posixGroup : from nis.schema
- . organizationalUnit and dcObject: from core.schema
-
-They will probably use in a near future some additional objectClasses
-to support :
- . mail features (sendmail/postfix/qmail/courier).
- . conform to RFC2307 best practices (and so some maps too like merging
- Netbios computers (sambaAccounts) with ipHosts
-
-For ease of visualization of the LDAP objects by human standards, we
-used a DIT like this one :
- . dc=IDEALX,dc=org : the company/organization suffix
- . ou=Users : to store users accounts
- . ou=Computers : to store computers accounts
- . ou=Groups : to store system groups
-Of course, you're free to use a different naming scheme and DIT (see
-smbldap_conf.pm).
-
-
-Built in groups initial population
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-
-smbldap-populate.pl populate the LDAP directory with some built in groups
-using gidNumber according to Well Know RID of Windows NT4 Srv. In fact, As
-far a Samba 2.2.x is concerned, only the 'Domain Admins' (gidNumber 512) have
-real inpact on the Samba and Windows population. To activate this group as
-the Domain Administrators Group, use the following smb.conf directive (see
-man smb.conf for more):
-
- domain admin group = " @"Domain Admins" "
-
-However, to make pdb_ldap accept bind without being uid=0, a quick and
-dirty patch must be applied to 2.2.4 (see samba-2.2.4-ldapbindnotuid0.patch).
-This patch is Q&D because the check is there because Samba store admin
-credentials to establish the LDAP connection. The uid == 0 check was to
-ensure that a normal user could not get write access to the LDAP backend.
-A more logical situation should be done for 2.2.5 by checking if the user
-is a member of the domain admin group (reported to Jerremy and Gerald
-2002-05-28).
-
-Other built in groups are really cosmetic ones with Samba 2.2.x. We did not
-removed them because one of these days, we whish to use Samba 3.0 where
-Windows Group Support should be operational.
-
-Why these specific gidNumbers ?
-It's about unix/windows mapping of numerical ids with Samba. Ids below 1024
-are NT special ids. In fact, 512 is the RID (Windows uid/gid) for the
-"Domain Administrators" NT group. The magic number is found in Samba sources
-and possibly other Samba/Windows documentations.
-
-The goal is to have a set of Unix users who are Domain Administrators and can
-modify Samba datas (eg. LDAP content), with commandline tools or within
-Windows via Samba.
-
-Say you want to add a NT4 ws to an NT domain (controlled by a samba/ldap
-server). You give the domain administrator's login and password in the
-appropriate ws settings, then the ws contacts the samba server, which checks
-the credentials and use them as unix user to run the smbldap-tools (if I
-remember). Giving 512 as a RID to a LDAP entry marks it as a domain admin
-for Samba (thus Windows). Using nss_ldap, you also have an account with
-gid 512.
-
-
-Known BUGS and WORKAROUND used
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-
-The 2.2.2 has at least a bug : rid/primaryGroupID are read as hex in LDAP,
-but written as decimal. Fixed in CVS by reading as decimal. By default
-smbldap-useradd.pl writes decimal to LDAP. Use -x to support the odd
-behaviour.
-
-The samba-2.2.4-ldapbindnotuid0.patch is not a perfect solution however
-as the check is there because Samba store admin credentials to establish the
-LDAP connection. The uid == 0 check was to ensure that a normal user could
-not get write access to the LDAP backend. A more logical situation should be
-done for 2.2.5 by checking if the user is a member of the domain admin group
-(reported to Jerremy and Gerald 2002-05-28).
-
-# - The End
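Review bot: this hunk deletes the only record on this page of a security caveat, at lines 61-68 and again at 101-106 of the removed file, and the diffstat (0 insertions) shows no replacement document is added in the same change; the note explains that the uid == 0 check in pdb_ldap exists to keep a normal user from obtaining write access to the LDAP backend, that samba-2.2.4-ldapbindnotuid0.patch bypasses that check, and that the intended fix is a membership test against the domain admin group. Before merging, confirm that this caveat and the `domain admin group = " @"Domain Admins" "` configuration note from line 59 survive in whatever documentation now covers smbldap-tools, or state in the commit message that the patch and the caveat are obsolete; otherwise an administrator following the remaining docs has no warning about what the bind-without-uid-0 change loosens.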