[Samba] 3.0.23 ldapsam:trusted=yes problem
Asier Baranguán
abaranguan at elpagestion.com
Thu Mar 15 22:47:29 GMT 2007
Hi all!
I have a running Samba PDC (LDAP backend) with Windows clients. All the users
are in LDAP, including the 'guest' user — all except the 'root' user, which
is a regular user. Then I set the following in smb.conf
ldapsam:trusted = yes
ldapsam:editposix = yes
and noticed some speed-up when listing groups, looking at file ownerships, and so
on. But I can't add machines to the domain: neither with the 'root' user,
nor with users who have the privilege to join computers.
If I comment out the ldapsam:trusted/editposix lines everything is fine and machines get
added to the domain. Why? All the users are in LDAP, so ldapsam:trusted
should work :-?
This is the smb.conf:
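[global]
### Host identification
workgroup = ELPABI
netbios name = kasparov
server string = PDC - Kasparov
wins support = yes
dns proxy = no
#dns proxy = yes
name resolve order = wins hosts lmhosts bcast
time server = yes
### PDC for the ELPABI domain
domain master = yes
domain logons = yes
preferred master = yes
local master = yes
os level = 100
# Logging. A separate log file per connecting machine (%m)
log file = /var/log/samba/log.%m
# 0 = errors only; raise it temporarily when diagnosing a failed domain join
log level = 0
max log size = 10000
syslog = 0
panic action = /usr/share/samba/panic-action %d
utmp = yes
# User verification and security
security = user
encrypt passwords = true
template shell = /bin/false
# Needed so that users granted the machine-account privilege (rather than root)
# can join computers to the domain
enable privileges = yes
obey pam restrictions = yes
pam password change = no
# Guest account. With map to guest = Never, logins with a bad password are
# rejected instead of being mapped to the guest account
guest account = Invitado
#guest account = nobody
map to guest = Never
# Mapping between Windows and Linux user names
username map = /etc/samba/smbusers
# Only allow access to members of our LAN and the VPN
# NOTE(review): only the LAN range and loopback are listed, no VPN range;
# 127.0.0.1/24 is an unusual spelling for loopback (127. or 127.0.0.0/8 is
# the usual form) — confirm the intended ranges
hosts deny = all
hosts allow = 192.168.1.0/24 127.0.0.1/24
# Two inbound interfaces: eth0 and tun0 (VPN)
# NOTE(review): only one network is listed below — confirm whether the VPN
# interface is meant to be excluded
interfaces = kasparov/24
bind interfaces only = yes
# Settings recommended at
# http://us4.samba.org/samba/docs/man/Samba-Guide/secure.html#promisnet
# The whole option list must be on a single line: a bare "IPTOS_LOWDELAY" on
# its own line has no "=" and is ignored by smbd as a badly formed line
socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536 IPTOS_LOWDELAY
#socket address = kasparov.elpagestion.com
smb ports = 139
keep alive = 60
### Configuration for Samba to use LDAP
ldap passwd sync = yes
ldap delete dn = yes
ldap suffix = dc=ELPA,dc=BI
# Bind DN used by smbd; its password lives in secrets.tdb (smbpasswd -w),
# not in this file
ldap admin dn = cn=samba,ou=DSA,dc=ELPA,dc=BI
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
# STARTTLS protects the bind credentials and directory traffic on the wire
ldap ssl = start_tls
passdb backend = ldapsam:ldap://kasparov.elpabi/
idmap backend = ldap:ldap://kasparov.elpabi/
# ldapsam:trusted makes smbd skip NSS lookups and trust LDAP alone; the
# smb.conf man page states that every user and group Samba needs must then be
# in LDAP. NOTE(review): root is kept outside LDAP on this host, which is the
# likely reason joins fail once these two lines are enabled — confirm.
# ldapsam:editposix requires ldapsam:trusted = yes and a running winbindd, and
# is meant to let Samba create the POSIX accounts itself instead of via the
# add/delete scripts below.
#ldapsam:trusted = yes
#ldapsam:editposix = yes
### Settings for winbindd
idmap uid = 10000-20000
idmap gid = 10000-20000
### User management
# Add/remove users, machines and groups through smbldap-tools
add user script = /usr/sbin/smbldap-useradd -m -a "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
### Network logon
# Avoid NT/XP roaming user profiles (empty values disable them)
logon path =
logon drive =
logon home =
logon script = LOGON.BAT
### File system
# Internationalisation - code pages
dos charset = CP850
unix charset = ISO8859-15
preserve case = yes
short preserve case = yes
case sensitive = no
# Default permissions for new files and directories
create mask = 0640
directory mask = 0750
# NTFS permission emulation
nt acl support = yes
map acl inherit = yes
# dos filemode = yes lets any user with write access to a file change its
# permissions, not only the owner — a deliberate relaxation
dos filemode = yes
# File locking
strict locking = yes
oplocks = yes
# If a client opens a file and writes to it, the oplock automatically drops to
# RO state unless we set level2 oplocks = no
level2 oplocks = no
# These files must not be oplocked
veto oplock files = /*.doc/*.xls/*.mdb/*.pst/
hide dot files = yes
#hide unreadable = yes
veto files = /*.eml/*.nws/*.{*}/
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd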
[netlogon]
# Domain logon share: clients fetch LOGON.BAT from here. Read-only for
# everyone and hidden from browse lists.
path = /home/samba/netlogon/
comment = Servicio de Logon en la red
read only = yes
browseable = no
[ ... some shares ... ]
Thanks
--
Asier.