[Samba] Samba / LDAP on OpenBSD
Savaş İREZ
si at z-sistem.com
Thu Dec 9 09:02:06 GMT 2004
Hi,
I have an Open 3.5 box
What i want to do is to have a box authenticating from LDAP for
samba,smtp,pop,ftp,apache
Samba is supposed to be a PDC authenticating from LDAP.
I installed openldap-server-2.1.27 , openldap-client-2.1.27 from openbsd
packages.
Openldap has ldbm backend, and i have a directory which i can use for
smtp and pop authentication.
Bind is installed and dns records for myhost.com is working correctly.
Installed samba-3.0.9 from source with --with-ldap and --with-ldapsam
- The configuration files are at the end of the email.
Ran the smbldap-populate.pl and created the necessary directories,
when i try to create an account using smbldap-useradd.pl, it creates the
ldap entries successfuly but can not create the unix user (actually i'm
not sure if this is really necessary, since i dont want to use real
users on my system)
./smbldap-useradd.pl -a savas (smbldap-useradd savas didnt work either)
When i invoke command
# ../bin/net groupmap list
Domain Admins (S-1-5-21-4276031234-832571036-2739979074-512) -> Domain
Admins
Domain Users (S-1-5-21-4276031234-832571036-2739979074-513) -> Domain Users
Domain Guests (S-1-5-21-4276031234-832571036-2739979074-514) -> Domain
Guests
Administrators (S-1-5-21-4276031234-832571036-2739979074-544) ->
Administrators
users (S-1-5-21-4276031234-832571036-2739979074-545) -> users
Guests (S-1-5-21-4276031234-832571036-2739979074-546) -> Guests
Power Users (S-1-5-21-4276031234-832571036-2739979074-547) -> Power Users
Account Operators (S-1-5-21-4276031234-832571036-2739979074-548) ->
Account Operators
Server Operators (S-1-5-21-4276031234-832571036-2739979074-549) ->
Server Operators
Print Operators (S-1-5-21-4276031234-832571036-2739979074-550) -> Print
Operators
Backup Operators (S-1-5-21-4276031234-832571036-2739979074-551) ->
Backup Operators
Replicator (S-1-5-21-4276031234-832571036-2739979074-552) -> Replicator
Domain Computers (S-1-5-21-4276031234-832571036-2739979074-553) ->
Domain Computers
Everything seems to be fine, but when i try to join the domain using
# ../bin/net rpc join -U Administrator
Dec 9 10:44:07 ldap smbd[14294]: [2004/12/09 10:44:07, 0]
rpc_server/srv_netlog_nt.c:get_md4pw(244)
Dec 9 10:44:07 ldap smbd[14294]: [2004/12/09 10:44:07, 0]
rpc_server/srv_netlog_nt.c:get_md4pw(244)
Dec 9 10:44:07 ldap smbd[14294]: get_md4pw: Workstation LDAP$: no
account in domain
Dec 9 10:44:07 ldap smbd[14294]: get_md4pw: Workstation LDAP$: no
account in domain
Password:
Could not connect to server LDAP
The username or password was not correct.
I can use shares with users' passwords, but cant join the domain
I don't have pam nor nss, i've been trying and searching the net for a
solution but failed.
Solutions were all with pam or nss, so maybe i'm missing something which
should be done for openbsd spesifically.
Ps: If any information is missing, please letme know.
Any help will be greatly appreciated.
Thanks.
These are my conf files i used.
----- slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/qmail.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/samba.schema
#TLSCipherSuite MEDIUM
TLSCertificateFile /etc/openldap/crt.pem
TLSCertificateKeyFile /etc/openldap/key.pem
database ldbm
suffix "dc=myhost,dc=com"
rootdn "cn=admin,dc=myhost,dc=com"
rootpw "XXX"
<-------------------------------------------- hashed with SSHA
directory /usr/local/var/openldap/myhost.com
cachesize 40000
dbcachesize 60000000
#
#
index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass pres,eq
# old 2.x samba attrs
index rid,primaryGroupID eq
#
index default sub
access to dn=".*dc=myhost,dc=com"
by self write
by * read
----- end of slapd.conf
----- ldap.conf
URI ldaps://ldap.myhost.com/
tls_checkpeer yes
tls_cacert /etc/ssl/private/cacert.pem
----- end of ldap.conf
----- smb.conf
[global]
netbios name = ldap
server string = Samba %v on %L
workgroup = MYHOST
; SAMBA-LDAP declarations
passdb backend = ldapsam:ldap://ldap.myhost.com/
idmap backend = ldap:ldap://ldap.myhost.com/
# ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
ldap admin dn = cn=admin,dc=myhost,dc=com
ldap suffix = dc=myhost,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=People
ldap idmap suffix = ou=Idmap
ldap ssl = start tls
add machine script = /usr/local/samba/smbldap-tools/smbldap-useradd -w "%u"
add user script = /usr/local/samba/smbldap-tools/smbldap-useradd -m "%u"
ldap delete dn = Yes
#delete user script = /usr/local/samba/smbldap-tools/smbldap-userdel "%u"
add machine script = /usr/local/samba/smbldap-tools/smbldap-useradd -w "%u"
add group script = /usr/local/samba/smbldap-tools/smbldap-groupadd -p "%g"
#delete group script = /usr/local/samba/smbldap-tools/smbldap-groupdel "%g"
add user to group script =
/usr/local/samba/smbldap-tools/smbldap-groupmod -m "% u" "%g"
delete user from group script =
/usr/local/samba/smbldap-tools/smbldap-groupmod -x "%u" "%g"
set primary group script =
/usr/local/samba/smbldap-tools/smbldap-usermod -g "%g" "%u"
os level = 65
prefered master = yes
domain master = yes
local master = yes
domain logons = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192
SO_RCVBUF=8192
time server = yes
security = user
guest ok = no
invalid users = bin deamon sys man postfix mail ftp
admin users = @wheel
encrypt passwords = yes
logon path = \\%N\profiles\%u
; general logon script (in DOS format)
logon script = logon.bat
[netlogon]
path = /usr/local/samba/netlogon
guest ok = Yes
Locking = Yes
public = no
writeable = no
browsable = no
; share for storing user profiles
[profiles]
path = /usr/local/samba/profiles
writeable = yes
create mask = 0700
directory mask = 0700
browsable = no
--- end of smb.conf
--- smbldap_conf.pm
$UID_START = 2000;
$GID_START = 2000;
$SID='S-1-5-21-4276031234-832571036-2739979074';
$slaveLDAP = "127.0.0.1";
$slavePort = "389";
$masterLDAP = "127.0.0.1";
$masterPort = "389";
$ldapSSL = "1";
$suffix = "dc=myhost,dc=com";
$usersou = q(People);
$usersdn = "ou=$usersou,$suffix";
$computersou = q(People);
$computersdn = "ou=$computersou,$suffix";
$groupsou = q(Groups);
$groupsdn = "ou=$groupsou,$suffix";
$scope = "sub";
$hash_encrypt="SSHA";
$binddn = "cn=admin,$suffix";
$bindpasswd = "XXXX";
<--------------------------------------------------- My LDAP admin password
$slaveDN = $binddn;
$slavePw = $bindpasswd;
$masterDN = $binddn;
$masterPw = $bindpasswd;
$_userLoginShell = q(/bin/sh);
$_userHomePrefix = q(/home/);
$_userGecos = q(System User);
$_defaultUserGid = 513;
$_defaultComputerGid = 553;
$_userSmbHome = q(\\\\LDAP\\homes);
$_userProfile = q(\\\\LDAP\\profiles\\);
$_userHomeDrive = q(U:);
$with_smbpasswd = 0;
$smbpasswd = "/usr/bin/smbpasswd";
$mk_ntpasswd = "/sbin/mkntpwd";
$slaveURI = "ldap://$slaveLDAP:$slavePort";
$masterURI = "ldap://$masterLDAP:$masterPort";
$ldap_path = "/usr/local/bin";
#$ldapsearch = "$ldap_path/ldapsearch $ldap_opts -H $slaveURI -D
'$slaveDN' -w '$slavePw'";
#$ldapsearchnobind = "$ldap_path/ldapsearch $ldap_opts -H $slaveURI";
$ldapmodify = "$ldap_path/ldapmodify $ldap_opts -H $masterURI -D
'$masterDN' -w '$masterPw'";
#$ldappasswd = "$ldap_path/ldappasswd $ldap_opts -H $masterURI -D
'$masterDN' -w '$masterPw'";
#$ldapadd = "$ldap_path/ldapadd $ldap_opts -H $masterURI -D '$masterDN'
-w '$masterPw'";
#$ldapdelete = "$ldap_path/ldapdelete $ldap_opts -H $masterURI -D
'$masterDN' -w '$masterPw'";
#$ldapmodrdn = "$ldap_path/ldapmodrdn $ldap_opts -H $masterURI -D
'$masterDN' -w '$masterPw'";
1;
---- end of smbldap_conf.pm
More information about the samba
mailing list