smbldap installer

rgmhtt
Posts: 421
Joined: Sun Jan 11, 2009 9:26 am

smbldap installer

Postby rgmhtt » Mon Jan 12, 2009 3:08 pm

I mentioned this elsewhere.

There is a very good installer script that sets up ldap for samba and allows you to have an NT styled user-level security and PDC and BDC. It is at:

http://majen.net/smbldap/

Thing is, it has never been updated for FC9, let alone FC8....

So I solicit a little help to get this running.

First I need an idea of what Amahi does when you create a user or a share. smbldap will be doing a lot more, but maybe not everything Amahi does now. And I need to know how to disable what it does to rewrite files like /etc/samba.conf.

Also what else I might 'be stepping on' in the current Amahi.

So far, I have worked through installing rpms. Installing smbldap-tools picked up most of the various dependencies. The script also seems to want to install gcc, glibc-headers, and perl-Crypt-SSLeay which picked up a few more dependencies.

Kind of wondering why it needs gcc, but for now....

So I am looking for anyone who is familiar with scripts (I am very novice level) to get these scripts working first for FC9; then I can get it installed and figure out how to relate this to Amahi.

Why do I feel this is worth doing, other than I have been running an NT domain in my house since the early 90s?

User level security is the first call. You want the parents' shares secured from the kids. Yes Home gets some protection, but not enough.

PDC and BDC for redundancy/backup. Of course this calls for multiple servers in a home, but it is coming with mini-itx systems.

cpg
Administrator
Posts: 2618
Joined: Wed Dec 03, 2008 7:40 am

Re: smbldap installer

Postby cpg » Mon Jan 12, 2009 3:46 pm

this is a long term goal of amahi.

moving to an LDAP backend would bring a lot of benefits.

we did make an attempt to switch to that this past summer. and there is a *little* support built in for a future ldap back-end in the amahi platform.

here are the top level concerns with ldap:
  • the documentation is written by people from another planet. ldap is nice, no doubt, however, it's just hard to penetrate
  • it tries to be all-encompassing. it wants to own everything, users, groups, etc. etc. (there is no concept of groups in amahi at the moment - anyone wanting to control groups can do it directly in linux, though)
  • the last time i tried to "move" to ldap, the number of records created for a simple fresh system was about 3000. that's just staggering. not a big deal unto itself, i would just rather if it were more to the point - we don't need users like nobody or apache being managed in the DB, if possible.
perhaps we can target a change to ldap for f10. maybe it's just me that i find it somewhat thick ... :oops:
My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 8GB RAM, 1TBx2+3TBx1

rgmhtt
Posts: 421
Joined: Sun Jan 11, 2009 9:26 am

Re: smbldap installer

Postby rgmhtt » Mon Jan 12, 2009 4:39 pm

I quite understand that this would be for the next version, and who knows, FC10 might settle down soon ;)

But yah got to start sometime.

There is a whole community that has been successful in rolling ldap up, this is the k12osn. Sometimes it is hard to get their attention, they have school networks to run, but if you go through their work there is a lot you can take away. And IDEALX is gone, but their smbldap-tools are now standard in the distro, we don't have to add them, we can just use them.

As for all the records, well I can't comment on that. Over in the wiki for the smbldap installer there are some nice bugs and notes. Like how to change the server name by unloading the whole ldap directory, making the change with sed, then reloading it!

A lot of the size of ldap is the standard schemas that are used. But this is actually a GOOD thing, moving forward to things like srv VoIP pointers for looking up people to call them. Enterprise stuff in the past, but available en masse now.

Bottom line, I will do all I can with this. More help in cracking the scripts means I will have things up and running sooner....

alawatsakima
Posts: 3
Joined: Thu Aug 06, 2009 10:01 am

Re: smbldap installer

Postby alawatsakima » Thu Mar 04, 2010 5:00 pm

As I stated in the IRC today, I would like to investigate and implement LDAP into Amahi. Samba PDC is a great tool for Windows authentication, but without Linux authentication, it's only half the solution. But my LDAP knowledge is elementary at best.

On the note of Amahi having no default group policy controls, I am wondering why that is. It seems to me that with Amahi gaining the popularity it has, and the code maturity it does, group policies are the kind of file security that naturally follows next.

I am going to be setting up a test machine running a clean install of Fedora, fire up some 389 Directory Server action, and set up Samba on it. I will then invest some time into learning the tools involved in optimizing that setup to authenticate both windows and linux clients. Once I get that functional, I will be back in IRC talking to people about adding group policies into Amahi, and then working on moving Amahi over to an LDAP backend.

I'm sure it's a lot harder than I just suggested, or it would be done by now, but I need to choose something for my entire life to be about, and this sounds as good as anything ;)

Anyway, after that brief introduction to my maybe ill-conceived plan, is there anyone interested in helping me out? I wouldn't mind someone with some LDAP or Samba experience volunteering to let me bounce ideas off of them...

moredruid
Expert
Posts: 791
Joined: Tue Jan 20, 2009 1:33 am
Location: Netherlands

Re: smbldap installer

Postby moredruid » Fri Mar 05, 2010 4:34 am

I agree with cpg that LDAP (if done properly) is a tough nut to crack. You carefully have to evaluate your schema and always be aware that the schema you choose as default will _never_ be just right for all users. Every environment has its own requirements and LDAP is built around that idea. This doesn't mean that a good schema won't fit most Amahi users tho :)
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D2173656C7572206968616D41snlbxq' | dc
Galileo - HP Proliant ML110 G6 quad core Xeon 2.4GHz, 4GB RAM, 2x750GB RAID1 + 2x1TB RAID1 HDD

alawatsakima
Posts: 3
Joined: Thu Aug 06, 2009 10:01 am

Re: smbldap installer

Postby alawatsakima » Mon Mar 22, 2010 3:47 pm

OK, I'm posting this for 2 reasons: 1, to show that I'm still out here and still trying, and 2, in case people are following in my footsteps or possibly jump ahead of me, I want to be in constant communication. With that said, I have not tried anything yet, I have only been reading. This is mostly due to 2 issues. First, I don't currently have internet at my apartment, so installing packages is a bit tough, and second, I don't want to jump in head first without at least SOME idea of where I'm going. Those caveats said, let me continue:

As I have been warned, documentation is pretty intense; LDAP does indeed try to cover more than we need, and so filtering through the clutter is tough. Furthermore, the relevant how-to's and guides are outdated and unmaintained... The best guide I have found [1] hasn't been updated since 2006, but seeing as it's the best I've got, I'm going to walk through it, and see where it takes me. I see many man pages in my future ;)

My plan is still to test this on a clean install of Fedora, without Amahi, on my first run. I don't want to have to worry about Amahi trying to automatically over-write my Samba config files. Once I get it running, I will test that authentication both on Windows and Linux clients. Barring any obvious errors to that end, I will assume authentication means it works... Then y'all will find me in IRC asking questions about disabling any Samba config over-writing in amahi in preparation of installing in the Real Environment ;)


[1] http://ftp.heanet.ie/mirrors/sourceforg ... -howto.pdf

cpg
Administrator
Posts: 2618
Joined: Wed Dec 03, 2008 7:40 am

Re: smbldap installer

Postby cpg » Mon Mar 22, 2010 4:34 pm

very good strategy!

go one step at a time and add complexity slowly.
My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 8GB RAM, 1TBx2+3TBx1
