Sophie: smbldap-tools-0.9.9-8.mga7 armv7hl

smbldap-tools-0.9.9-8.mga7.armv7hl.rpm

# $Id: INFRA 85 2011-07-14 09:24:46Z fumiyas $
#
## Some notes about the architecture


Global Architecture for smbdlap-tools
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

smbldap-tools help you manage users and groups for Unix and Samba,
using LDAP. They may be used in any context, and are kept relatively
simplier enought to let you customize them to you needs.

They need the following objectClasses to work:
 . sambaSamAccount: from samba.schema for Samba 3.2 or later
 . posixAccount and posixGroup : from nis.schema
 . organizationalUnit and dcObject: from core.schema

They will probably use in a near future some additional objectClasses
to support :
 . mail features (sendmail/postfix/qmail/courier).
 . conform to RFC2307 best practices (and so some maps too like merging
   NetBIOS computers (sambaSamAccount) with ipHosts

For ease of visualization of the LDAP objects by human standards, we
used a DIT like this one :
 . dc=example,dc=com : the company/organization suffix
	. ou=Users : to store users accounts
	. ou=Computers : to store computers accounts
	. ou=Groups : to store system groups
Of course, you're free to use a different naming scheme and DIT (see
smbldap.conf).


Built in groups initial population
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

smbldap-populate populate the LDAP directory with some built in groups
using gidNumber according to Well Know RID of Windows NT 4 Server. In fact,
As far a Samba 3 is concerned, only the 'Domain Admins' (gidNumber 512) have
real inpact on the Samba and Windows population. To activate this group as
the Domain Administrators Group, use the following smb.conf directive (see
man smb.conf for more):

	domain admin group = " @"Domain Admins" "

Other built in groups are really cosmetic ones with Samba 2.2.x. We did not
removed them because one of these days, we whish to use Samba 3.0 where
Windows Group Support should be operational.

Why these specific gidNumbers ?
It's about Unix/Windows mapping of numerical IDs with Samba. IDs below 1024
are NT special IDs. In fact, 512 is the RID (Windows UID/GID) for the
"Domain Administrators" NT group. The magic number is found in Samba sources
and possibly other Samba/Windows documentations.

The goal is to have a set of Unix users who are Domain Administrators and
can modify Samba datas (eg. LDAP content), with commandline tools or within
Windows via Samba.

Say you want to add a Windows to an NT domain (controlled by a Samba/LDAP
server). You give the domain administrator's login and password in the
appropriate Windows settings, then the Windows contacts the Samba server,
which checks the credentials and use them as unix user to run the smbldap-tools
(if I remember). Giving 512 as a RID to a LDAP entry marks it as a domain
admin for Samba (thus Windows). Using nss_ldap, you also have an account
with GID 512.


Known BUGS and WORKAROUND used
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Not known.