[Samba] problem with smbd

Bruno Steven aspenbr at gmail.com
Fri Oct 9 14:27:58 MDT 2009


I don't know if "ldap admin dn" has full permission, so I pasted my
slapd.conf below.
Judging by the ACLs, I think the ldap admin has full permission. What do you think?

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
#include         /etc/openldap/schema/krb5-kdc.schema
# samba.schema provides the sambaLMPassword/sambaNTPassword/sambaSID
# attributes that the ACLs and indexes in the database section refer to.
include         /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections.  This is NOT the default.
# NOTE(review): LDAPv2 binds are only needed by legacy clients (Samba speaks
# LDAPv3); this line can usually be removed.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/lib/openldap

# modules available in openldap-servers-overlays RPM package:
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on

# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# NOTE(review): with the line above left commented, slapd accepts simple binds
# (including Samba's "ldap admin dn" bind) over unprotected connections.

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# Access policy
# NOTE(review): the six lines below begin with a space. slapd.conf(5) treats a
# line that starts with white space as a continuation of the previous line, so
# they are glued onto this comment and skipped — none of these global ACLs is
# in effect. Remove the leading space if they are meant to apply (and confirm
# the space is in the real file, not a mail artifact). Even when active, global
# ACLs are, per slapd.access(5), consulted only after the database's own rules,
# and the "access to * by * read" in the bdb section matches everything first.
 access to dn.base="" by * read
 access to dn.base="cn=Subschema" by * read
 access to *
        by self write
        by users read
        by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# LDAP domain administrator


#######Kerberos
#sasl-realm LABCOM.UNASP
#sasl-host AmbLivre.labcom.unasp

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb

##############################################################
# LDAP domain administrator

#############################################################
suffix          "dc=AMBLIVRE,DC=COM"
# rootdn is exempt from every "access" rule in this file (see the comment in
# the global section above). NOTE(review): if smb.conf's "ldap admin dn" is
# this DN (case differences in cn=/dc= values do not matter), the ACLs below
# do not restrict Samba at all. If it is any other DN, the ACLs below give it
# read-only access and no access to the password attributes, which is not
# enough for Samba to create or update accounts.
rootdn          "cn=adm,dc=AMBLIVRE,DC=COM"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw                secret
# rootpw                {crypt}ijFYNcSNctBYg

# NOTE(review): this hash has been posted to a public mailing list; generate a
# new one with slappasswd and update the copy Samba holds (smbpasswd -w).
rootpw                  {SSHA}lqHhIv2nvxmf0FAVDnbe3OdSU+AJ8pFi
#rootpw {KERBEROS}ldap at LABCOM.UNASP



# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database

index objectClass,uidNumber,gidNumber   eq
index cn,sn,uid,displayNAme             pres,sub,eq
index memberUid,mail,givenname          eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName     eq

# Old indices
#index  objectClass,uid,uidNumber,gidNumber,memberuid,sambaSID  eq
#index  cn,mail,surname,givenname
# NOTE(review): the bare "eq,subinitial" on the next line is not a directive.
# It is probably a mail line-wrap of the commented index above; if it really
# is in the file, slapd should report it as an unknown directive.
eq,subinitial

# Even older indices
# New index lines
#index objectClass                       eq,pres
#index ou,cn,mail,surname,givenname      eq,pres,sub
#index uidNumber,gidNumber,loginShell    eq,pres
#index uid,memberUid                     eq,pres,sub
#index nisMapName,nisMapEntry            eq,pres,sub

# Values changed to the ones from the book
#index  objectClass     eq
#index  uid,mail        eq

#index  cn,surname,givenname    eq,sub


# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com at EXAMPLE.COM

# Encryption key (TLS)
# NOTE(review): TLS is commented out here and in the global section; unless
# Samba reaches slapd over ldapi:// or the loopback interface, the "ldap admin
# dn" simple bind sends the rootdn password unencrypted. If the cipher line is
# re-enabled, drop "+SSLv2".
#TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
#TLSCertificateFile /etc/openldap/chaves/servercert.pem
#TLSCertificateKeyFile /etc/openldap/chaves/serverkey.pem

# Access policies for Kerberos
# Effective ACLs for this database. slapd uses the first "access to" rule
# whose target matches and, inside it, the first "by" clause that matches the
# client; rootdn is exempt. Password attributes: the entry itself may write,
# anonymous may only use them to authenticate, everyone else gets nothing —
# keep "by * none" last so the hashes never fall through to "access to *".
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none

# NOTE(review): "by * read" makes every other attribute readable by anonymous
# clients, not only by authenticated users; the intent stated in the global
# section was "by self write / by users read / by anonymous auth", which would
# need those clauses here. Apart from self-write on the password attributes,
# no rule in this section grants write access: every DN except rootdn is
# read-only.
access to *
       by * read

#access to *
#       by dn="cn=adm,dc=amblivre,dc=com" write
#       by * read

#access to attrs=cn,gibenName, sn, krbNAme,krb5PrincipalNAme, gecos
#       by dn="cn=adm,dc=labcom,dc=unasp" write
#       by dn="uid=ldap.+\+realm=LABCOM.UNASP" write
#       by self write
#       by * read

#access to attr=loginShell , gecos
#       by dn="cn=adm,dc=labcom,dc=unasp" write
#        by dn="uid=ldap.+\+realm=LABCOM.UNASP" write
#        by self write
#        by * read

#access to attr=userPassword
#       by dn="cn=adm,dc=labcom,dc=unasp" write
#        by dn="uid=ldap.+\+realm=LABCOM.UNASP" write
#        by anonymous auth
#        by * read
# NOTE(review): the bare ":" on the next line is not a slapd.conf directive;
# check that it is a paste artifact and not present in the real file.
:

#access to *
#       by dn="cn=adm,dc=labcom,dc=unasp" write
#        by dn="uid=ldap.+\+realm=LABCOM.UNASP" write
#        by self write
#        by * read








On Thu, Oct 8, 2009 at 4:31 AM, Bruno MACADRE
<bruno.macadre at univ-rouen.fr>wrote:

> Bruno Steven a écrit :
> > Ok, I fixed that, but when I started smbd it showed another problem
> >
> > [2009/10/07 15:19:47, 1] passdb/pdb_ldap.c:pdb_init_ldapsam(5720)
> >   pdb_init_ldapsam: Resetting SID for domain AMBLIVRE.COM
> > <http://AMBLIVRE.COM> based on pdb_ldap results
> > S-1-5-21-755328524-3875606875-861347881 ->
> > S-1-5-21-1644746683-2480834100-523333597
> > [2009/10/07 15:19:47, 1] passdb/pdb_ldap.c:pdb_init_ldapsam(5727)
> >   New global sam SID: S-1-5-21-1644746683-2480834100-523333597
> > [2009/10/07 15:19:47, 0] services/services_db.c:svcctl_init_keys(420)
> >   svcctl_init_keys: key lookup failed! (WERR_ACCESS_DENIED)
> > [2009/10/07 15:19:47, 0] smbd/server.c:main(1057)
> >   ERROR: failed to setup guest info.
> >
> > Does this problem have some relation with SSL, or is it something else?
> >
> > On Wed, Oct 7, 2009 at 6:28 PM, Bruno MACADRE
> > <bruno.macadre at univ-rouen.fr <mailto:bruno.macadre at univ-rouen.fr>>
> wrote:
> >
> >     Hi,
> >
> >       This message indicates that you have forgotten to "tell" SAMBA your
> >     LDAP admin password
> >
> >       You just need to give the password for the ldap admin user you
> >     specify in your smb.conf (ldap admin dn), using this command :
> >
> >       # smbpasswd -w ldap_admin_password
> >       or if you prefer
> >       # smbpasswd -W (you'll be prompted for the ldap admin password
> >     twice) !
> >
> >       Regards,
> >       Bruno
> >
> >      Bruno Steven a écrit :
> >
> >         Hello
> >
> >         I am trying to integrate LDAP with SAMBA; when I start the process
> >         smbd -D it shows the
> >         following message
> >
> >
> >         [2009/10/07 14:58:12, 0]
> lib/smbldap.c:smbldap_connect_system(942)
> >          ldap_connect_system: Failed to retrieve password from
> secrets.tdb
> >         [2009/10/07 14:58:12, 0] smbd/server.c:main(1057)
> >          ERROR: failed to setup guest info.
> >
> >         Can somebody explain the message? I don't understand this
> > message.
> >
> >         Thanks ..
> >
> >
> >
> >
> >
> >
> >
> > --
> > Bruno Steven - Administrador de sistemas.
> > LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4
> > https://www.lpi.org/caf/Xamman/certification
> >
> > MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100
> > https://mcp.microsoft.com/authenticate/validatemcp.aspx
>
> Are you sure that the "ldap admin dn" you've supplied has full access
> over your LDAP?
>
>
> --
>
> Bruno MACADRE
> -------------------------------------------------------------------
>  Ingénieur Systèmes et Réseau     | Systems and Network Engineer
>  Département Informatique         | Department of computer science
>  Responsable Réseau et Téléphonie | Telecom and Network Manager
>  Université de Rouen              | University of Rouen
> -------------------------------------------------------------------
> Coordonnées / Contact :
>        Université de Rouen
>        Faculté des Sciences et Techniques - Madrillet
>        Avenue de l'Université - BP12
>        76801 St Etienne du Rouvray CEDEX
>        FRANCE
>
>        Tél : +33 (0)2-32-95-51-86
>        Fax : +33 (0)2-32-95-51-87
> -------------------------------------------------------------------
>
>


-- 
Bruno Steven - Administrador de sistemas.
LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4
https://www.lpi.org/caf/Xamman/certification

MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100
https://mcp.microsoft.com/authenticate/validatemcp.aspx

