[Samba] Samba + LDAP integration
Mugo Martin
mmuchira at gmail.com
Thu Jul 31 13:46:59 GMT 2008
Hi, and thanks so much for your help.
Just can't seem to get out of this quagmire. Did quite some reading and
followed your advice. But now I still get to the same point of failing to
add computers
Samba *logs* say there is no connection but I can telnet to my ldap server
on localhost:389
smbd.log
[2008/07/31 15:06:09, 0] smbd/server.c:main(948)
smbd version 3.0.28-1.el5_2.1 started.
Copyright Andrew Tridgell and the Samba Team 1992-2007
[2008/07/31 15:13:24, 0] smbd/server.c:main(948)
smbd version 3.0.28-1.el5_2.1 started.
Copyright Andrew Tridgell and the Samba Team 1992-2007
[2008/07/31 15:47:27, 0] lib/util_sock.c:get_peer_addr(1224)
getpeername failed. Error was Transport endpoint is not connected
[2008/07/31 15:47:27, 0] lib/util_sock.c:get_peer_addr(1224)
getpeername failed. Error was Transport endpoint is not connected
Tried to redirect ldaplogs to /var/log/ without success
These are my *config* files; dont seem to be able to see any error
*/etc/ldap.conf*
--------------
host letter.example.org
base dc=letter,dc=example,dc=org
binddn cn=config
bindpw mysecret
rootbinddn uid=zimbra,cn=admins,cn=zimbra
port 389
timelimit 120
bind_timelimit 120
bind_policy soft
idle_timelimit 3600
nss_base_passwd ou=people,dc=letter,dc=example,dc=org?one
nss_base_shadow ou=people,dc=letter,dc=example,dc=org?one
nss_base_passwd ou=machines,dc=letter,dc=example,dc=org?one
nss_base_shadow ou=machines,dc=letter,dc=example,dc=org?one
nss_initgroups_ignoreusers
root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
uri ldap://letter.example.org/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
*/etc/samba/smb.conf*
-------------------
[global]
workgroup = EXAMPLE
netbios name = EXAMPLE_SERVER
server string = Samba Server Version %v
password server = ldap://letter.example.org
passdb backend = ldapsam:ldap://letter.example.org
guest account = games
log file = /var/log/samba/%m.log
max log size = 50
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/userdel "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/groupdel "%g"
delete user from group script = /usr/sbin/userdel "%u" "%g"
add machine script = /usr/local/sbin/smbldap-useradd -w -g
Workstations "%u"
logon script = %u.bat
logon path = \\EXAMPLE_SERVER\profiles\%U
domain logons = Yes
os level = 33
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=config
ldap group suffix = ou=groups
ldap machine suffix = ou=machines
ldap suffix = dc=letter,dc=example,dc=org
ldap user suffix = ou=people
guest ok = Yes
cups options = raw
[homes]
comment = Home Directories
valid users = example\%S
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
guest ok = No
printable = Yes
browseable = No
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
share modes = No
[Profiles]
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
*/conf/slapd.conf*
----------------
include "/opt/zimbra/openldap/etc/openldap/schema/core.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/cosine.schema"
include
"/opt/zimbra/openldap/etc/openldap/schema/inetorgperson.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/amavisd.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/zimbra.schema"
include "/opt/zimbra/lib/conf/zimbra-ext.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/nis.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/samba.schema"
threads 8
pidfile "/opt/zimbra/openldap/var/run/slapd.pid"
argsfile "/opt/zimbra/openldap/var/run/slapd.args"
TLSCertificateFile /opt/zimbra/conf/slapd.crt
TLSCertificateKeyFile /opt/zimbra/conf/slapd.key
TLSVerifyClient never
modulepath /opt/zimbra/openldap/libexec/openldap
moduleload back_bdb.la
moduleload back_monitor.la
moduleload syncprov.la
moduleload accesslog.la
access to dn.subtree="ou=people,dc=letter,dc=example,dc=org"
by dn.children="cn=admins,cn=zimbra" write
by * break
access to dn.subtree="ou=groups,dc=letter,dc=example,dc=org"
by dn.children="cn=admins,cn=zimbra" write
by * read
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword
by anonymous auth
by dn.children="cn=admins,cn=zimbra" write
access to dn.subtree="cn=zimbra"
by dn.children="cn=admins,cn=zimbra" write
access to
attrs=zimbraZimletUserProperties,zimbraGalLdapBindPassword,zimbraGalLdapBindDn,zimbraAuthTokenKey,zimbraPreAuthKey,zimbraPasswordHistory,zimbraIsAdminAccount,zimbraAuthLdapSearchBindPassword
by dn.children="cn=admins,cn=zimbra" write
by * none
access to attrs=objectclass
by dn.children="cn=admins,cn=zimbra" write
by dn.exact="uid=zmpostfix,cn=appaccts,cn=zimbra" read
by dn.exact="uid=zmamavis,cn=appaccts,cn=zimbra" read
by * read
access to attrs=amavisAccount
by dn.children="cn=admins,cn=zimbra" write
by dn.exact="uid=zmamavis,cn=appaccts,cn=zimbra" read
by * break
access to attrs=mail
by dn.children="cn=admins,cn=zimbra" write
by dn.exact="uid=zmamavis,cn=appaccts,cn=zimbra" read
by * break
access to attrs=zimbraAllowFromAddress
by dn.children="cn=admins,cn=zimbra" write
by dn.exact="uid=zmpostfix,cn=appaccts,cn=zimbra" read
access to filter=(!(zimbraHideInGal=TRUE))
attrs=cn,co,company,dc,displayName,givenName,gn,initials,l,mail,o,ou,physicalDeliveryOfficeName,postalCode,sn,st,street,streetAddress,telephoneNumber,title,uid
by dn.children="cn=admins,cn=zimbra" write
by dn.exact="uid=zmpostfix,cn=appaccts,cn=zimbra" read
by * read
access to
attrs=zimbraId,zimbraMailAddress,zimbraMailAlias,zimbraMailCanonicalAddress,zimbraMailCatchAllAddress,zimbraMailCatchAllCanonicalAddress,zimbraMailCatchAllForwardingAddress,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailHost,zimbraMailStatus,zimbraMailTransport,zimbraDomainName,zimbraDomainType,zimbraPrefMailLocalDeliveryDisabled
by dn.children="cn=admins,cn=zimbra" write
by dn.exact="uid=zmpostfix,cn=appaccts,cn=zimbra" read
by * read
access to attrs=entry
by dn.children="cn=admins,cn=zimbra" write
by * read
database config
rootpw {SSHA}SpVR7qIkga7IB+6fKiYrYPzNE0Vj4bxl
database monitor
rootdn "cn=config"
access to dn.children="cn=monitor"
by dn.children="cn=admins,cn=zimbra" read
database bdb
suffix ""
rootdn "cn=config"
cachesize 10000
idlcachesize 10000
checkpoint 64 5
directory "/opt/zimbra/openldap-data"
index objectClass eq
index zimbraForeignPrincipal eq
index zimbraYahooId eq
index zimbraId eq
index zimbraVirtualHostname eq
index zimbraVirtualIPAddress eq
index zimbraAuthKerberos5Realm eq
index zimbraMailCatchAllAddress eq,sub
index zimbraMailDeliveryAddress eq,sub
index zimbraMailForwardingAddress eq
index zimbraMailAlias eq,sub
index zimbraMailTransport eq
index zimbraDomainName eq,sub
index zimbraShareInfo sub
index uid pres,eq
index mail pres,eq,sub
index cn pres,eq,sub
index displayName pres,eq,sub
index sn pres,eq,sub
index gn pres,eq,sub
index zimbraCalResSite eq,sub
index zimbraCalResBuilding eq,sub
index zimbraCalResFloor eq,sub
index zimbraCalResRoom eq,sub
index zimbraCalResCapacity eq
index entryUUID eq
index entryCSN eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
sizelimit unlimited
timelimit unlimited
*/etc/smbldap-tools/smbldap_bind.conf*
------------------------------------
slaveDN="cn=config"
slavePw="mysecret"
masterDN="cn=config"
masterPw="mysecret"
-Know this is repitition but put it anyway for smbldap-tools
*/etc/smbldap-tools/smbldap_bind.conf*
------------------------------------
SID="S-1-5-21-2983891234-811595315-1297521234"
sambaDomain="EXAMPLE"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
suffix="dc=letter,dc=example,dc=org"
usersdn="ou=people,${suffix}"
computersdn="ou=machines,${suffix}"
groupsdn="ou=groups,${suffix}"
sambaUnixIdPooldn="sambaDomainName=example,${suffix}"
scope="one"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome=""
userProfile=""
userScript="logon.bat"
mailDomain="example.org"
with_smbpasswd="0"
with_slappasswd="0"
*/etc/nsswitch.conf*
------------------
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
*/etc/pam.d/system-auth*
----------------------
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
*/etc/ldap.secret*
----------------
mysecret
Copied the schema files to ldap schema folder and done the following too
smbpasswd -a root
type:
smbpasswd -w mysecret
Someone kindly assist. Im running openldap, samba 3.0.28, smbldap-tools
0.9.2 on Centos 5 Linux.
Yours,
Martin.
On Sat, Jul 26, 2008 at 6:24 PM, John H Terpstra <jht at samba.org> wrote:
> On Saturday 26 July 2008 09:36:25 Mugo Martin wrote:
> > Hi people,
> >
> > Been doing a server installation with Samba as a primary PDC that uses an
> > LDAP backend on CentOS 5.
> > The thing is that I cannot be able to get Samba and LDAP to talk as they
> > should and now Im really stuck.
>
> You sure are stuck. So let's see if we can pull you out of the hole you
> are
> in.
>
> > Below are my dumps for /etc/samba/smb.conf, ldap.conf (copied its
> contents
> > to /etc/openldap/ldap.conf too), and smbldap.conf.
> > Excuse my long post; trying to be as elaborate as possible.
> >
> > smb.conf
> > **********
> > [global]
> > workgroup = MYDOMAIN
> > netbios name = MYDOMAIN
>
> What makes you believe that it is possible to operate with the domain name
> (workgroup) and the server name (netbios name) the same? The Samab3-HOWTO
> makes rather plain that this is a no-go - they must differ.
>
> Suggest you set them as:
> workgroup = MYDOMAIN
> netbios name = MYSERVER
>
> > server string = mydomain_office
> > passdb backend = ldapsam:ldap://server.example.org
>
> The "passwd program" and "passwd chat" parameters are not needed with the
> LDAP
> backend. Please delete them.
> > passwd program = /usr/local/sbin/smbldap-passwd %u
> > passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> > *all*authentication*tokens*updated*
>
> > username map = /etc/samba/smbusers
> > log file = /var/log/samba/%m.log
> > max log size = 100
>
> > add user script = /usr/local/sbin/smbldap-useradd "%u" -n -g
> users
> change to:
> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>
> > delete user script = /usr/local/sbin/smbldap-userdel "%u"
> > add group script = /usr/local/sbin/smbldap-groupadd "%g"
> change to:
> add group scipt = /usr/local/sbin/smbldap-groupadd -p "%g"
>
> > delete group script = /usr/local/sbin/smbldap-groupdel "%g"
> > add user to group script = /usr/local/sbin/smbldap-groupmod -m
> "%u"
> > "%g"
> > delete user from group script = /usr/local/sbin/smbldap-userdel
> > "%u" "%g"
> change to:
> delete user from group script = /usr/local/sbin/smbldap-userdel -x
> "%u" "%g"
>
> > set primary group script = /usr/local/sbin/smbldap-usermod -g
> "%g"
> > "%u"
> > add machine script = /usr/local/sbin/smbldap-useradd -n -c
> > "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
> change to:
> add machine script = /usr/local/sbin/smbldap-useradd -w -g
> Workstations "%u"
>
> > logon script = %m.bat
> > logon path = \\server.example.org\%U\profile
> change to:
> logon path = \\MYSERVER\profiles\%U
>
> > domain logons = Yes
> > os level = 33
> > preferred master = Yes
> > domain master = Yes
> > wins support = Yes
>
> > ldap admin dn = cn=config
> change this to the same as the value of "rootdn"
> from /etc/openldap/slapd.conf, eg:
> ldap admin dn = cn=Manager,dc=example,dc=org
>
> > ldap delete dn = Yes
> > ldap group suffix = ou=groups
> > ldap machine suffix = ou=machines
> > ldap passwd sync = Yes
> > ldap suffix = dc=example,dc=org
> > ldap user suffix = ou=people
> > idmap uid = 1000-19999
> > idmap gid = 1000-19999
> > [homes]
> > comment = Home Directories
> > valid users = DOMAIN\%S
> > read only = No
> > browseable = No
> > [printers]
> > comment = All Printers
> > path = /var/spool/samba
> > printable = Yes
> > browseable = No
> > [netlogon]
> > comment = Network Logon Service
> > path = /var/lib/samba/netlogon
> > guest ok = Yes
> > share modes = No
> Add:
> [profiles]
> comment = Profiles Folder
> path = /var/lib/samba/profiles
> read only = no
> profile acls = yes
>
>
> Now do:
> root# > mkdir -p /var/lib/samba/profiles
> root# > chown root:users /var/lib/samba/profiles
> root# > chmod 2775 /var/lib/samba./profiles
>
> > smbldap.conf
> > ************
> > sambaDomain="MYDOMAIN"
> > slaveLDAP="127.0.0.1"
> > slavePort="389"
> > masterLDAP="127.0.0.1"
> > masterPort="389"
> > ldapTLS="0"
> > suffix="dc=example,dc=org"
> > usersdn="ou=people,${suffix}"
> > computersdn="ou=machines,${suffix}"
> > groupsdn="ou=groups,${suffix}"
> > sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
> > scope="one"
> > hash_encrypt="SSHA"
> > crypt_salt_format="%s"
> > userLoginShell="/bin/bash"
> > userHome="/home/%U"
> > userHomeDirectoryMode="700"
> > userGecos="System User"
> > defaultUserGid="513"
> > defaultComputerGid="515"
> > skeletonDir="/etc/skel"
> > defaultMaxPasswordAge="45"
> > userSmbHome=""
> > userProfile=""
> > userScript="logon.bat"
> > mailDomain="example.org"
> > with_smbpasswd="0"
> > with_slappasswd="0"
> >
> > /etc/ldap.conf
> > **********************
> > host server.example.org
> > base dc=example,dc=org
> > binddn cn=config
> > bindpw 1w2345FJ
> > rootbinddn cn=zimbra,dc=example,dc=org
> >
> > timelimit 120
> > bind_timelimit 120
> > bind_policy soft
> > idle_timelimit 3600
> >
> > nss_base_passwd ou=people,dc=example,dc=org?one
> > nss_base_shadow ou=people,dc=example,dc=org?one
> Add:
> nss_base_passwd ou=machines,dc=example,dc=org?one
> nss_base_shadow ou=machines,dc=example,dc=org?one
>
> >
> > nss_base_group ou=groups,dc=example,dc=org?one
>
> Not this one! That will not work! Remove it.
> > nss_base_hosts ou=machines,dc=example,dc=org?one
> >
> > nss_initgroups_ignoreusers
> > root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
> >
> > uri ldap://server.example.org
> > ssl no
> > tls_cacertdir /etc/openldap/cacerts
> > pam_password md5
>
>
> You are repeating yourself here, it is already shown above.
> > smbldap.conf
> > ************
> > sambaDomain="MYDOMAIN"
> > slaveLDAP="127.0.0.1"
> > slavePort="389"
> > masterLDAP="127.0.0.1"
> > masterPort="389"
> > ldapTLS="0"
> > suffix="dc=example,dc=org"
> > usersdn="ou=people,${suffix}"
> > computersdn="ou=machines,${suffix}"
> > groupsdn="ou=groups,${suffix}"
> > sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
> > scope="one"
> > hash_encrypt="SSHA"
> > crypt_salt_format="%s"
> > userLoginShell="/bin/bash"
> > userHome="/home/%U"
> > userHomeDirectoryMode="700"
> > userGecos="System User"
> > defaultUserGid="513"
> > defaultComputerGid="515"
> > skeletonDir="/etc/skel"
> > defaultMaxPasswordAge="45"
> > userSmbHome=""
> > userProfile=""
> > userScript="logon.bat"
> > mailDomain="example.org"
> > with_smbpasswd="0"
> > with_slappasswd="0"
> >
> > smbldap_bind.conf
> > *****************
>
> These DN's need to point to the same value as the "rootdn" from slapd.conf.
> > slaveDN="cn=config,dc=example,dc=org"
> > slavePw="1w2345FJ"
> > masterDN="cn=config,dc=example,dc=org"
> > masterPw="1w2345FJ"
> >
> > The strange thing is that I can join a computer to the Domain, but only
> > using the Samba+samba_root_passwd. I can even see the computer entry in
> the
> > LDAP database when I run ldapsearch.
> > However, I cannot or log in to the domain with credentials in LDAP. Also
> I
> > cannot add machines to domain using privileged accounts stored in LDAP.
> > Strangely though, Samba commands
> > getent group
> > and
> > getent passwd
> > work just fine (obtain info in ldap) when Im user zimbra, but not as root
> > (yes user root); running these as root returns only system records in
> > /etc/passwd & /smbpasswd.
> > I think that I have done everything correctly including running the
> command
> > smbpasswd -w 1w2345FJ
> > for samba to connect to LDAP and putting the same password in
> > smbldap_bind.conf defined for "cn=config"
> > My diagnosis so far is that there is something not working in
> smbldap-tools
> >
> > Please advice, will appreciate.
>
> Please follow the documentation in Samba3-ByExample, chapter 5.
> http://www.samba.org/samba/docs/Samba3-ByExample.pdf
>
> Let me know of anything that does not work.
>
> Cheers,
> John T.
> --
> John H Terpstra
> Samba-Team Member
> Phone: +1 (512) 970-0256
>
> Author:
> The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
> Samba-3 by Example, 2 Ed., ISBN: 0131882221X
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
>
More information about the samba
mailing list