Samba-TNG                            Setting up Samba-TNG with OpenLDAP
-----------------------------------------------------------------------

 Table of Contents
-------------------
1. Introduction
2. OpenLDAP
3. Samba-TNG
4. User and Machine Administration
5. Mini FAQ

 1. Introduction
------------------

A prerequisite for this document is an installed Samba-TNG package.
Binary packages are available at:

	http://sourceforge.net/projects/samba-tng

If you intend to set up LDAP with the object class posixAccount
(RFC 2307) in combination with Samba-TNG, refer to the related
documents on the Samba-TNG web site:

	http://www.samba-tng.org

You will find more information about a more complete (and more complex)
Samba-TNG setup in combination with posixAccount in the example directory
/usr/share/doc/packages/samba-tng/examples/hechenberger/ or a similar
location, depending on the $DOCROOT of your distribution.

In order not to exceed the scope of this document, only a simple basic
setup of Samba-TNG with OpenLDAP is discussed and explained here.

 2. OpenLDAP
-------------

Install the OpenLDAP server package shipped with your distribution or
compile it from source.  OpenLDAP version 2.0.x or later is required.

As a quick start, use the example configuration files slapd.conf.example
and ldap.conf.example included in this TNG package.

Check these files thoroughly! In general, nothing but the rootdn
password (rootpw) in slapd.conf needs to be changed to get a basic
Samba-TNG environment up and running.
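The rootpw value in slapd.conf does not have to be the clear-text password: OpenLDAP also accepts the RFC 2307 hashed form, normally generated with slappasswd (for example {SSHA}, salted SHA-1). The following Python script is an added example, not part of the Samba-TNG package or of this README; it builds such a value and verifies it, so a hashed rootpw line can be checked before slapd is started. The salt length and the tab separator in the generated line are this example's choices.

```python
import base64
import hashlib
import hmac
import os

SALT_LEN = 8          # bytes of random salt (example's choice; slappasswd uses a similar size)
SHA1_LEN = 20         # length of a SHA-1 digest in bytes


def ssha_hash(password, salt=None):
    """Return an RFC 2307-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a clear-text password against a stored {SSHA} value.

    The salt is recovered from the stored value; the digests are compared in
    constant time so the check does not leak how many bytes matched."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_directive(password):
    """Produce the slapd.conf line carrying the rootdn password in hashed form."""
    return "rootpw\t" + ssha_hash(password)


if __name__ == "__main__":
    import getpass
    pw = getpass.getpass("rootdn password: ")
    line = rootpw_directive(pw)
    # sanity check: the value we are about to print verifies against the input
    assert ssha_verify(pw, line.split("\t", 1)[1])
    print(line)
```

Paste the printed line into slapd.conf in place of the clear-text rootpw; ldapadd -W still expects the clear-text password at the prompt. Hashing only protects the secret if slapd.conf is disclosed; the rootdn itself keeps unrestricted rights over the whole directory.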

Some binary packages of OpenLDAP are built with a different database
back-end than the one configured in slapd.conf.example (bdb or ldbm);
change the "database" setting according to your installation.

After that, start the OpenLDAP server slapd. For example:

	/etc/init.d/ldap start


Now set up a minimal directory structure for Samba-TNG.
Use the file basic-users.ldif shipped with the package and adapt it if needed.

The following command adds the necessary objects from the ldif file:

	ldapadd -D 'cn=root,dc=tng,dc=org' -x -W -f basic-users.ldif

You will be asked for the rootdn password you set before in slapd.conf.

 3. Samba-TNG
--------------

Please use the example config file shipped with Samba-TNG!

Check all the options in the config file step-by-step. You will find
important notes about setting up TNG as a domain controller in it.  If
you want Samba-TNG to act as a PDC you have to change some values.

At the very least the Samba-TNG LDAP back-end needs the URI of your
LDAP server ('ldap uri'), the suffix ('ldap suffix') and the DN to bind
as ('ldap bind as') together with the corresponding password.

This DN (or call it "user") needs at least write permission on the
LDAP subtree where the basic directory structure for Samba-TNG was set
up. For the basic setup described here, the "rootdn" from your
slapd.conf will do. For a production system, a dedicated bind DN whose
slapd.conf ACL grants write access only to that subtree limits the
damage if the password is ever disclosed.

The password for this DN is read from the file named by 'ldap passwd
file' and is stored there in clear text. Attention: this file must be
owned by root and must not be readable by any other user (mode 0600)!
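Because the 'ldap passwd file' holds the bind password in clear text, it should be created with the restrictive mode from the start rather than chmod'ed afterwards, and its state is worth checking before the services are started. The following Python helper is an added example, not part of Samba-TNG; the file name ldap.secret used in the demo is an assumption, and the demo writes to a temporary directory with a constructed password rather than to a real configuration file.

```python
import os
import stat
import tempfile


def write_passwd_file(path, secret):
    """Create the 'ldap passwd file' so it is never readable by anyone but its
    owner, not even between creation and a later chmod: mode 0600 is applied at
    open() time and O_EXCL refuses to reuse an existing file or follow a symlink."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(secret + "\n")


def check_passwd_file(path, owner_uid=0):
    """Return the list of reasons the file is unsafe; an empty list means it passes.
    owner_uid defaults to 0 (root), which is what the README requires."""
    problems = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symbolic link")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("is not a regular file")
    if st.st_uid != owner_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, owner_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o grants group/other access" % stat.S_IMODE(st.st_mode))
    return problems


def demo():
    """Exercise both functions on a temporary file (constructed input, not a real
    Samba-TNG password file). Returns the check results for a correctly created
    file and for the same file after its permissions were loosened."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ldap.secret")
        write_passwd_file(path, "example-bind-password")
        me = os.getuid()                      # the demo is not run as root
        strict = check_passwd_file(path, owner_uid=me)
        os.chmod(path, 0o644)                 # the mistake the README warns about
        loose = check_passwd_file(path, owner_uid=me)
        with open(path) as fh:
            content = fh.read()
        return {"strict": strict, "loose": loose, "content": content}


if __name__ == "__main__":
    print(demo())
```

On a real server run check_passwd_file() with the default owner_uid=0 against the path configured in smb.conf; any non-empty result means the file should be recreated with write_passwd_file() as root.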

Now start the Samba-TNG services - depending on your distribution the
init script may be installed on a different directory:
	
	/etc/init.d/samba-tng start

After setting a password for the user 'root' in the Samba-TNG domain
or workgroup, your Samba-TNG server should be up and running. If not,
check the log files!

	
 4. User and Machine Administration
------------------------------------

If you intend to add users or machines to the Samba-TNG domain, you
also need to add Unix/POSIX accounts for these users/workstations on
the host where TNG is running!

Important note: Workstations must be added with a '$' appended to the
NetBIOS name. Quote the name so the shell does not expand the '$':

	useradd -s /bin/false 'machine$'

There are some script options in smb.conf ('add user script', 'add group
script', 'add group member script' and the corresponding 'del...'
options). With these options Samba-TNG is able to add or delete users and
machines on the fly. Examples for these script options can be found in
examples/hechenberger/, as mentioned above.
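A script hooked into 'add user script' receives its account name from the network (a domain join or usrmgr.exe on a client), so it should accept only names it expects and must never pass the name through a shell. The following Python script is an added example of such a script, not one of the examples shipped in examples/hechenberger/; the name patterns, the useradd options and the %u substitution in the smb.conf line are this example's assumptions. It handles both cases from this chapter: a workstation name with its trailing '$' and an ordinary user.

```python
import re
import subprocess
import sys

# Acceptable names, as assumed by this example (not a Samba-TNG rule):
# a workstation is its NetBIOS name (at most 15 characters) followed by '$';
# a user is a conventional lower-case Unix login name.
MACHINE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,14}\$$")
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def is_valid_account_name(name):
    return bool(MACHINE_RE.match(name) or USER_RE.match(name))


def build_useradd_argv(name):
    """Return the useradd command as an argv list. Passing a list to subprocess
    means no shell is involved, so metacharacters in a hostile name are never
    interpreted. Anything that is neither a user nor a machine name is rejected."""
    if MACHINE_RE.match(name):
        # workstation account: no login shell, as in the README's useradd line
        return ["useradd", "-s", "/bin/false", name]
    if USER_RE.match(name):
        # ordinary user: create a home directory so a profile can be stored
        return ["useradd", "-m", name]
    raise ValueError("rejected account name: %r" % name)


def add_account(name, runner=subprocess.run):
    """Run useradd without a shell. 'runner' is injectable so the command can be
    checked without actually creating accounts."""
    argv = build_useradd_argv(name)
    return runner(argv, check=True)


if __name__ == "__main__":
    # Invoked from smb.conf, e.g.:  add user script = /usr/local/sbin/tng-adduser %u
    # (path and %u substitution are assumptions of this example)
    try:
        add_account(sys.argv[1])
    except (IndexError, ValueError) as exc:
        print("tng-adduser: %s" % exc, file=sys.stderr)
        sys.exit(1)
```

A non-zero exit on a rejected name lets Samba-TNG report the failure instead of silently continuing with no POSIX account behind the new domain account.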

Samba-TNG comes with a very powerful administration utility, called
"rpcclient". This tool allows you to control and manage all important
functions of your server (or use it to manage other workstations in
your network).

Examples:

1. If you are root on the host where Samba-TNG is running, you get
   an rpcclient console with:

	rpcclient -S .

2. Adding a user:

	rpcclient -S . -c 'createuser <username> -p <password>'
   
3. The following example connects rpcclient to another workstation.
   It is not necessary that the machine is a domain controller or a
   Samba server:

   	rpcclient -S <netbios name> -U <username> -W <domain/workgroup>

For more details about rpcclient refer to the built-in help of
rpcclient.

The following sets the password for the administrative account in the
domain, the so-called "Administrator". Important note: this account is
also named 'root' here (see basic-users.ldif).
	
	rpcclient -S . -c 'samuserset root -p <password>'

This account is locked. Unlock it with the following command:

	rpcclient -S . -c 'samuserset2 root -c D'

Side note: Only the user with uid 0 has administrative privileges on
the Samba-TNG PDC.
Users in the Windows group "Domain Admins" have Administrator
privileges on the Windows workstations of this domain but no root
permissions on the PDC!

Congratulations!

Your Samba-TNG server configuration is finished!
	
 5. Mini FAQ
-------------

For the topics listed below you find more information on the Samba-TNG
web-site at http://www.samba-tng.org.

Please check the status page http://www.samba-tng.org/status.html, too!


- Adding a workstation into a domain 
  
o The same procedure as joining a Windows domain. Just add a Unix/POSIX
  account for the machine. Read more about this in the chapter on User
  and Machine Administration.

- Adding a user under MS Windows (usrmgr.exe)
  
o You can certainly use usrmgr.exe from a Windows client. Do not forget
  to add a Unix/POSIX account! You can use the 'add user script' option
  if you do not want to do this by hand. Read more about this in the
  chapter on User and Machine Administration.

- Inter Domain Trusts: MS PDC trusts TNG PDC
  
o Domain trusts are working reliably. Add an account for the PDC and
  the domain and set up the trust as you would with any other PDC.  A
  brief description can be found in the text by Dan Newcombe, chapter
  "Part Five - Creating a trust", at
  http://mordor.clayton.edu/samba-tng/tng-pdc-trust.html

- Password synchronisation or Single-Source-of-Sign-On
  
o You can set up a SSOSO with Samba-TNG, nss_ldap and pam_ldap. For
  this the object class posixAccount from OpenLDAP (nis.schema) may be
  very helpful. There is more than one way to get "password
  synchronisation", or at least one password for different platforms.

- Printing Support 

o If you need printing support you are free to test the experimental
  printing support for CUPS. For this you need to configure and compile
  Samba-TNG from source with the configure option --with-cups.  Note:
  The development of Samba-TNG is focused on the domain controller
  features. As of the 0.3 release there is no active development on
  printing support.

- ACL Support

o Samba-TNG version 0.3 does not support file ACLs.

- File locking 

o File locking may be broken and is therefore set to 'no' by default.
  It is not supported in version 0.3.

- Windows XP, Windows 2000 and Windows NT 

o Samba-TNG can act as a PDC for the operating systems listed above. A
  more detailed status page can be found on the Samba-TNG web site.

=======================================================================

If you have problems, or think you have found a bug please email
a full, detailed report to:

	tng-users@samba-tng.org

Information on how to write an informative bug report can be found at:

http://www.sqatester.com/bugsfixes/index.htm

Regards,

	The Samba-TNG Team.

