[Samba] problem with smbd
Bruno Steven
aspenbr at gmail.com
Fri Oct 9 14:27:58 MDT 2009
I don't know if "ldap admin dn" has full permission, so I have pasted my
slapd.conf below.
I think, judging by the ACLs, that the ldap admin has full permission. What do you think?
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
#include /etc/openldap/schema/krb5-kdc.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/lib/openldap
# modules available in openldap-servers-overlays RPM package:
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# Access policy
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
        by self write
        by users read
        by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# LDAP domain administrator
#######Kerberos
#sasl-realm LABCOM.UNASP
#sasl-host AmbLivre.labcom.unasp
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
##############################################################
#LDAP domain administrator
#############################################################
suffix "dc=AMBLIVRE,DC=COM"
rootdn "cn=adm,dc=AMBLIVRE,DC=COM"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}lqHhIv2nvxmf0FAVDnbe3OdSU+AJ8pFi
#rootpw {KERBEROS}ldap at LABCOM.UNASP
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayNAme pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
# Old index
#index objectClass,uid,uidNumber,gidNumber,memberuid,sambaSID eq
#index cn,mail,surname,givenname eq,subinitial
#Even older index
# New index lines
#index objectClass eq,pres
#index ou,cn,mail,surname,givenname eq,pres,sub
#index uidNumber,gidNumber,loginShell eq,pres
#index uid,memberUid eq,pres,sub
#index nisMapName,nisMapEntry eq,pres,sub
# Values changed to the ones from the book
#index objectClass eq
#index uid,mail eq
#index cn,surname,givenname eq,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com at EXAMPLE.COM
#Encryption key
#TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
#TLSCertificateFile /etc/openldap/chaves/servercert.pem
#TLSCertificateKeyFile /etc/openldap/chaves/serverkey.pem
#Access policies for Kerberos
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
#access to *
# by dn="cn=adm,dc=amblivre,dc=com" write
# by * read
#access to attrs=cn,gibenName, sn, krbNAme,krb5PrincipalNAme, gecos
# by dn="cn=adm,dc=labcom,dc=unasp" write
# by dn="uid=ldap.+\+realm=LABCOM.UNASP" write
# by self write
# by * read
#access to attr=loginShell , gecos
# by dn="cn=adm,dc=labcom,dc=unasp" write
# by dn="uid=ldap.+\+realm=LABCOM.UNASP" write
# by self write
# by * read
#access to attr=userPassword
# by dn="cn=adm,dc=labcom,dc=unasp" write
# by dn="uid=ldap.+\+realm=LABCOM.UNASP" write
# by anonymous auth
# by * read
#access to *
# by dn="cn=adm,dc=labcom,dc=unasp" write
# by dn="uid=ldap.+\+realm=LABCOM.UNASP" write
# by self write
# by * read
On Thu, Oct 8, 2009 at 4:31 AM, Bruno MACADRE
<bruno.macadre at univ-rouen.fr>wrote:
> Bruno Steven wrote:
> > OK, I fixed it, but when smbd started it showed another problem
> >
> > [2009/10/07 15:19:47, 1] passdb/pdb_ldap.c:pdb_init_ldapsam(5720)
> > pdb_init_ldapsam: Resetting SID for domain AMBLIVRE.COM based on pdb_ldap results
> > S-1-5-21-755328524-3875606875-861347881 -> S-1-5-21-1644746683-2480834100-523333597
> > [2009/10/07 15:19:47, 1] passdb/pdb_ldap.c:pdb_init_ldapsam(5727)
> > New global sam SID: S-1-5-21-1644746683-2480834100-523333597
> > [2009/10/07 15:19:47, 0] services/services_db.c:svcctl_init_keys(420)
> > svcctl_init_keys: key lookup failed! (WERR_ACCESS_DENIED)
> > [2009/10/07 15:19:47, 0] smbd/server.c:main(1057)
> > ERROR: failed to setup guest info.
> >
> > Does this problem have a relation with SSL or something else?
> >
> > On Wed, Oct 7, 2009 at 6:28 PM, Bruno MACADRE
> > <bruno.macadre at univ-rouen.fr> wrote:
> >
> > Hi,
> >
> > This message indicates that you have forgotten to "tell" your LDAP
> > admin password to SAMBA
> >
> > You just need to give the password for the ldap admin user you
> > specified in your smb.conf (ldap admin dn), using this command:
> >
> > # smbpasswd -w ldap_admin_password
> > or if you prefer
> > # smbpasswd -W (you'll be prompted for the ldap admin password
> > twice) !
> >
> > Regards,
> > Bruno
> >
> > Bruno Steven wrote:
> >
> > Hello
> >
> > I am trying to integrate LDAP with SAMBA; when I start the process smbd
> > -D it shows the following message
> >
> >
> > [2009/10/07 14:58:12, 0] lib/smbldap.c:smbldap_connect_system(942)
> > ldap_connect_system: Failed to retrieve password from secrets.tdb
> > [2009/10/07 14:58:12, 0] smbd/server.c:main(1057)
> > ERROR: failed to setup guest info.
> >
> > Can somebody explain the message? I don't understand this message.
> >
> > Thanks ..
> >
> > --
> > Bruno Steven - Administrador de sistemas.
> > LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4
> > https://www.lpi.org/caf/Xamman/certification
> >
> > MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100
> > https://mcp.microsoft.com/authenticate/validatemcp.aspx
>
> Are you sure that the "ldap admin dn" you've supplied has full access
> over your LDAP?
>
>
> --
>
> Bruno MACADRE
> -------------------------------------------------------------------
> Ingénieur Systèmes et Réseau | Systems and Network Engineer
> Département Informatique | Department of computer science
> Responsable Réseau et Téléphonie | Telecom and Network Manager
> Université de Rouen | University of Rouen
> -------------------------------------------------------------------
> Coordonnées / Contact :
> Université de Rouen
> Faculté des Sciences et Techniques - Madrillet
> Avenue de l'Université - BP12
> 76801 St Etienne du Rouvray CEDEX
> FRANCE
>
> Tel: +33 (0)2-32-95-51-86
> Fax : +33 (0)2-32-95-51-87
> -------------------------------------------------------------------
>
>
--
Bruno Steven - Administrador de sistemas.
LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4
https://www.lpi.org/caf/Xamman/certification
MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100
https://mcp.microsoft.com/authenticate/validatemcp.aspx
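As an added example (not from the thread or from OpenLDAP itself), a small Python model of the ACL subset used in the posted slapd.conf. It assumes that smb.conf's "ldap admin dn" is the posted rootdn cn=adm,dc=AMBLIVRE,DC=COM (the thread does not say), and shows why that DN bypasses the ACLs, while the database section's `access to * by * read` shadows the global `by anonymous auth` rule and lets anonymous clients read everything except the three password attributes.

```python
"""Model of the ACL subset in the posted slapd.conf (constructed, not the real slapd).

Semantics modelled: the rootdn bypasses ACLs; otherwise the first `access to`
clause whose target matches wins, and inside it the first matching `by` clause
decides (no match = none). Database-section ACLs are consulted before global ones.
"""
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Assumption: smb.conf's "ldap admin dn" is the rootdn from the posted config.
ROOTDN = "cn=adm,dc=amblivre,dc=com"

# Global ACLs (before `database bdb`), transcribed from the posted config.
GLOBAL_ACLS = [
    ({"dn_base": ""}, [("*", "read")]),
    ({"dn_base": "cn=subschema"}, [("*", "read")]),
    ({}, [("self", "write"), ("users", "read"), ("anonymous", "auth")]),
]
# Database-section ACLs (after `database bdb`), transcribed from the posted config.
DB_ACLS = [
    ({"attrs": {"userpassword", "sambalmpassword", "sambantpassword"}},
     [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    ({}, [("*", "read")]),
]

def effective_access(binddn, target_dn, attr, acls=DB_ACLS, rootdn=ROOTDN):
    """Access level `binddn` (None = anonymous) gets on `attr` of `target_dn`."""
    if binddn and binddn.lower() == rootdn.lower():
        return "write"  # rootdn: ACLs are never consulted
    for target, by_clauses in acls:
        if "dn_base" in target and target["dn_base"] != target_dn.lower():
            continue
        if "attrs" in target and attr.lower() not in target["attrs"]:
            continue
        for who, level in by_clauses:  # first matching `by` clause decides
            if who == "*":
                return level
            if who == "self" and binddn and binddn.lower() == target_dn.lower():
                return level
            if who == "users" and binddn:
                return level
            if who == "anonymous" and not binddn:
                return level
        return "none"  # target matched but no `by` clause applied
    return "none"

def can(binddn, target_dn, attr, needed, acls=DB_ACLS):
    """True if the effective level grants at least `needed`."""
    return LEVELS.index(effective_access(binddn, target_dn, attr, acls)) >= LEVELS.index(needed)
```

Pass `acls=GLOBAL_ACLS` to see what anonymous clients would get if the database section did not shadow the global rules.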