In your browser, enter the iManager URL (http://IP_or_DNS_name/nps) and log in to iManager as the eDirectory Admin user or equivalent.

If the container for your new Samba users already exists, skip to Creating eDirectory Users.

To create a context in iManager for your users, click Roles and Tasks > eDirectory Administration > Create Object > Organizational Unit and create the (OU) object before proceeding.

For more information on context requirements for the object, see the previously referenced Section A.1, Samba Enabling Problems and the Base Context for Samba Users Field.

If the users you plan to enable for Samba are already defined as eDirectory users, skip to Creating an eDirectory Group and Assigning the Users to It.

In iManager, click Roles and Tasks > Users > Create User.

Be sure to select the context you have identified for your Samba users (Step 3 in the previous section).

Specify an eDirectory password, then scroll down to see more of the dialog.

Do not set a simple password even though the interface indicates it is required for native Windows access. Enabling a user for Samba access creates a Universal Password by default, making it much easier for users to keep their passwords synchronized.

(Conditional) You can create a home directory for the user if you have an NCP volume available (either created on a traditional Linux partition or existing an NSS partition on the server).

For more information and some helpful tips, see Creating and Enabling Samba Users and Groups. See also, Samba on NSS Can Be a Good Combination for Performance.

Type (or select if defined) any other information you want associated with the user, such as Title, Telephone, etc.

Click OK.

Click Repeat Task to create another user, or click OK to finish.

If your eDirectory users are already members of a group you can enable for Linux access, skip to Enabling the Group and Users for Linux Access (LUM).

Click Groups > Create Group,

Type a name for the group.

Select a context for the group. Although Group objects are often in the same container as the User objects assigned to them, this is not required.

Click OK.

Click Modify.

Select the Members drop-down option below the page title, or in Internet Explorer, click the Members tab.

Browse to the users you want to add to the group, click each User object, then click OK.

Click Apply > OK.

Enable the group you just created for Linux access by clicking Linux User Management > Enable Groups for Linux.

In the Enable Groups page, after selecting the group, make sure that the Linux-Enable All Users in These Groups option is selected, then click Next.

Confirm that you want to enable the users for Linux by clicking Next.

On the next page, browse to and select the UNIX Workstation - server_name object of each server you want users to have Samba access to, then click OK.

UNIX Workstation objects are created in the same context as the servers they represent.

Click Next, then click Finish.

Before running smbbulkadd, you should ensure that a Samba-qualified password policy is in place. Otherwise, users are assigned a Samba-hash (Simple) password, which is not recommended. (See Section B.5.4, About Samba Hash Passwords.)

Step 2 instructs you on how to assign the default Samba policy to User object parent containers. However, you also have two other options:

Otherwise, continue with Step 2.

Assign the Samba Default Password Policy (Universal Password policy) or other Samba-qualified policy (see Samba Passwords) to the immediate parent containers (OU objects) of the users you want to enable for Samba.

Using your favorite Linux text editor (such as Kwrite or Kate), create a text file that lists the following information for each user on a separate line. Be sure to include a blank line at the end of the file as indicated:

-u username -x edir,context -p password (blank line—no text)

where username is the eDirectory username, edir,context is the full eDirectory context of the user expressed using LDAP (comma-delimited) syntax, and password is the same password used to log in to the Windows workstation.

For example, to Samba-enable three Linux-enabled eDirectory users named win1, win2, and win3 in users.doc.company, with the passwords pass1, pass2, and pass3, respectively, you could create a file named smbusers.txt in the /tmp directory with the following contents:

-u win1 -x ou=users,ou=doc,o=company -p pass1

-u win2 -x ou=users,ou=doc,o=company -p pass2

-u win3 -x ou=users,ou=doc,o=company -p pass3

(blank line—no text)

While logged in to the server as the root user, run the smbbulkadd command.

To see the various command options, enter smbbulkadd at the shell prompt.

For example, to process the smbusers.txt file mentioned in the example in Step 3, you would enter the following command at the shell prompt:

smbbulkadd -a cn=admin,o=company -w adpass -f /tmp/smbusers.txt

where adpass is the eDirectory Admin user password.

The system reports the status for each user being enabled for Samba.

Check the status reported to ensure that all users were enabled. If not, correct any errors in the smbusers.txt file, such as no blank line at the end, and run smbbulkadd again.

Users that are already enabled are ignored.

In iManager, click Samba Management > Enable Linux User for Samba.

Browse to and select a User object, then click OK.

If you see options for replacing or keeping an existing policy on the screen, skip to Step 4.

If you see only a statement about having users authenticate through eDirectory with no other text below it, then iManager has either

Click OK and skip to Step 6.

The following options appear below the statement about authenticating through eDirectory:

To understand why these options appear, continue reading. Otherwise, skip to Step 5.

When you choose to enable a User object for Samba, iManager searches eDirectory to see whether the object already has a password policy in place by checking the following objects in order:

When the search finds a password policy, it evaluates whether the policy is valid for Samba, meaning that the policy

The reason that the two options appear on the Enable Linux User for Samba screen is that iManager found an assigned password policy that is not valid for Samba.

Choose to either

Do not choose to use Samba hashes unless you fully understand the issues associated with them. For more information, see About Samba Hash Passwords.

If you are not prompted to enter a new password, skip to Step 7.

If the Universal Password has not been set previously, or if the previously assigned password policy doesn’t allow checking whether a Universal Password is already set, you are prompted to specify and confirm a password for the user.

Type and confirm the user password, matching the password you entered when creating the user in eDirectory, then click OK.

Both the eDirectory password and the Universal Password are set.

If you choose to not specify a password, you need to instruct the user to create a Universal Password by logging in to the network through iManager or using the Novell Client prior to attempting a Samba connection. Users will cannot connect until they create a Universal Password.

Click Repeat Task and repeat from Step 2 until each Samba user is enabled.

Click OK to finish.