[Samba] 3.0.23 ldapsam:trusted=yes problem

Asier Baranguán abaranguan at elpagestion.com
Thu Mar 15 22:47:29 GMT 2007 

Hi all!

I've a running Samba PDC (LDAP backend) with windows clients. All the users 
are in the LDAP, including the 'guest' user. All except the 'root' user which 
is a regular user. Then change in the smb.conf

ldapsam:trusted = yes
ldapsam:editposix = yes

and noticed some speed-up when listing groups, look file ownerships, and so 
on. But I can't add machines to the domain: neither with the 'root' user, 
neither some users with privileges to join computers.

If I comment the ldapsam:trusted/editposix everything is fine and machines get 
added to teh domain. ¿Why? All the users are in the LDAP so ldapsam:trusted 
should work :-?

This is the smb.conf

[global]
### Identificación de la máquina
    workgroup = ELPABI
    netbios name = kasparov
    server string = PDC - Kasparov
    wins support = yes
    dns proxy = no
    #dns proxy = yes
    name resolve order = wins hosts lmhosts bcast
    time server = yes

### PDC del dominio ELPABI
    domain master = yes
    domain logons = yes
    preferred master = yes
    local master = yes
    os level = 100

# Log. Un log diferente por cada máquina que conecta
    log file = /var/log/samba/log.%m
    log level = 0
    max log size = 10000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    utmp = yes

# Verificación de usuarios y seguridad
    # Seguridad
    security = user
    encrypt passwords = true
    template shell = /bin/false
    enable privileges = yes
    obey pam restrictions = yes
    pam password change = no
    # Usuario invitado
    guest account = Invitado
    #guest account = nobody
    map to guest = Never
    # Equivalencia entre usuarios Windows y Linux
     username map = /etc/samba/smbusers
    # Sólo permitimos acceso a miembros de nuestra LAN y la VPN
    hosts deny = all
    hosts allow = 192.168.1.0/24 127.0.0.1/24
    # Dos interfaces de entrada: eth0 y tun0 (VPN)
    interfaces = kasparov/24
    bind interfaces only = yes

# Ajustes recomendados en
# http://us4.samba.org/samba/docs/man/Samba-Guide/secure.html#promisnet
    socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536 
IPTOS_LOWDELAY
    #socket address = kasparov.elpagestion.com
    smb ports = 139
    keep alive = 60

### Configuración para que Samba use LDAP
    ldap passwd sync = yes
    ldap delete dn = yes
    ldap suffix = dc=ELPA,dc=BI
    ldap admin dn = cn=samba,ou=DSA,dc=ELPA,dc=BI
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    ldap ssl = start_tls
    passdb backend = ldapsam:ldap://kasparov.elpabi/
    idmap backend = ldap:ldap://kasparov.elpabi/

    #ldapsam:trusted = yes
    #ldapsam:editposix = yes

### Ajustes para winbindd
    idmap uid = 10000-20000
    idmap gid = 10000-20000

### Gestión de usuarios
    # Añadir/eliminar usuarios, máquinas grupos
    add user script = /usr/sbin/smbldap-useradd -m -a "%u"
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
    add machine script = /usr/sbin/smbldap-useradd -w "%u"

### Login en la red
    # Evitamos los perfiles de usuario móviles de NT/XP
    logon path =
    logon drive =
    logon home =
    logon script = LOGON.BAT

### Sistema de archivos
    # Internacionalización - páginas de códigos
    dos charset = CP850
    unix charset = ISO8859-15
    preserve case = yes
    short preserve case = yes
    case sensitive = no
    # Permisos por defecto en las carpetas
    create mask = 0640
    directory mask = 0750
    # Emulación de permisos NTFS
    nt acl support = yes
    map acl inherit = yes
    dos filemode = yes
    # Bloqueo de archivos
    strict locking = yes
    oplocks = yes
    # Si un cliente abre un archivo y escribe en él automáticamente pasa a
    # estado RO a no ser que hagamos un level2 oplocks = no
    level2 oplocks = no
    # Estos archivos no hay que intentar bloquearlos (lock)
    veto oplock files = /*.doc/*.xls/*.mdb/*.pst/
    hide dot files = yes
    #hide unreadable = yes
    veto files = /*.eml/*.nws/*.{*}/
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

[netlogon]
    comment = Servicio de Logon en la red
    path = /home/samba/netlogon/
    browseable = no
    read only = yes


[ ... some shares ... ]

Thanks
-- 
Asier.

More information about the samba mailing list