Once your system is ready to support your Samba users on LDAP, you must decide how you want to manage your Samba resources. While it is possible to use pdbedit to manage your Samba network, other tools exist to help with administration.
IDEALX
The tool of choice for many has been the Perl scripts written by IDEALX. These scripts help to automate many network tasks, such as populating the initial LDAP tree, creating the initial linkages for the Domain Administration accounts and groups, modifying users, and even changing user passwords.
Using the IDEALX scripts means customizing a few script configuration files and configuring your Samba server's config file (smb.conf) to point to the scripts. The smb.conf parameters can include options that look like the following:
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
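smbd runs these hooks as root, so a mistyped substitution variable or an unquoted one is worth catching before the server is restarted. The linter below is an added example, not part of the original page or of the IDEALX scripts: it checks each script parameter for an absolute path and for the variables smb.conf(5) documents for that hook, each inside double quotes. The SAMPLE fragment and the function name lint_scripts are constructed for illustration.

```python
import re

# Substitution variables each account-management hook receives, per smb.conf(5).
U, G = {"%u"}, {"%g"}
REQUIRED = {
    "add user script": U, "delete user script": U, "add machine script": U,
    "add group script": G, "delete group script": G,
    "add user to group script": U | G, "delete user from group script": U | G,
    "set primary group script": U | G,
}

# Constructed smb.conf fragment with three deliberate mistakes.
SAMPLE = '''
[global]
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "g"
set primary group script = smbldap-usermod -g "%g" %u
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
'''

def lint_scripts(conf_text):
    """Return (parameter, problem) pairs in the order they are found."""
    findings, seen = [], set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # blank line, comment, section header, or not a parameter
        name, value = line.split("=", 1)
        name, value = " ".join(name.lower().split()), value.strip()
        if name not in REQUIRED:
            continue
        if name in seen:
            findings.append((name, "defined more than once"))
        seen.add(name)
        if not value.startswith("/"):
            findings.append((name, "script path is not absolute"))
        # Whatever is left after removing "..." segments is outside quotes.
        unquoted = re.sub(r'"[^"]*"', "", value)
        for var in sorted(REQUIRED[name]):
            if var not in value:
                findings.append((name, f"missing {var}"))
            elif var in unquoted:
                findings.append((name, f"{var} is not double-quoted"))
    return findings

if __name__ == "__main__":
    for param, problem in lint_scripts(SAMPLE):
        print(f"{param}: {problem}")
```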
Important Note: The smbldap-populate script seems to only create an LDAP tree where the "People", "Groups", "Computers", and "idmap" subtrees are directly underneath the top level of the LDAP tree. Therefore, "ou=People,dc=example,dc=lan" would populate with no errors, but "ou=People,ou=sales,dc=example,dc=lan" would cause smbldap-populate to error out. The fix is to pre-populate the base subtree paths so that smbldap-populate will have the proper base into which it can create the "People", "Groups", "Computers", and "idmap" subtrees. Visit the IdealX Walkthrough for an example of this process.
Automated installers
Samba/Ldap Installer is an easy to use Samba/LDAP installation and configuration tool that will work for certain distributions.
Ldapsam_editposix
Starting with Samba 3.0.23, an extension (Ldapsam_editposix) was added to Samba to allow the Samba server to manage the POSIX account information for the Samba users. In addition to providing a means of automatically creating and linking the required users and groups, the lds:ep extension also removes the need to use external scripts to synchronize the SMB and POSIX information. Besides using the pdbedit utility to manage all aspects of your Samba users, the NT4 User Manager (usermgr.exe) can be used to add and modify users as well as groups and group memberships.
Notes:
- Documentation and a 'net sam provision' bugfix for lds:ep will be included in the 3.0.25 version of samba.
- The 'net sam provision' command will create the necessary base subtree structure along with the appropriate user, group, computer, and idmap subtrees using the following options that are provided in the smb.conf file.
ldap suffix =
ldap group suffix =
ldap user suffix =
ldap machine suffix =
ldap idmap suffix =
Webmin
The Webmin utility can be configured to add POSIX LDAP Users and Groups to your LDAP tree. Be aware that there was a visual bug in Webmin prior to version 1.320 that improperly caused the system to display group information from the same context as the User's context when no groups existed. The bug was corrected in version 1.320.
For reference purposes only, there are a few notes listed in the Webmin Walkthrough.
NT User Manager for Domains
The utilities used to administer an NT style PDC are contained on the WINNT4.0 Resource Kit. The tools may also be downloaded from the MS Knowledgebase article #173673.
NT Policy Editor
The Windows Workstation Resource Kit contains the POLEDIT.EXE file that is used to create system policies and can be downloaded from the MS Knowledgebase article #173673.
