ldap and active directory configuration

Malcolm Bodger M.Bodger at westminster.ac.uk
Thu Jul 15 01:21:59 MDT 2010


Hi Scott,
 
I'm hoping yourself, or someone on this list, might be able to help me with this ongoing problem.
 
I've now moved on from ldap and have configured my server to authenticate to active directory. I can ssh to the box and login using AD and local accounts, but I get errors when trying to access my shared drive. On my PC the error contains the message: 'No process is on the other end of the pipe.' I'm not creating any samba users, but I've configured samba to create local home areas, which it does for any new users. 
 
My smb.conf, it's been a bit mangled in an attempt to get it to work:

[global]
        realm = INTRANET.WMIN.AC.UK
        workgroup = INTRANET
        netbios name = isls-fs1
        netbios aliases = isls-fs1
        server string = %h server (Samba, Ubuntu)
        map to guest = Never
        obey pam restrictions = no
        password server = isls-int-dc-6
        passdb backend = tdbsam
        security = ADS
        pam password change = no
        passwd program =
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = no
        log level = 3
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        local master = No
        domain master = No
        dns proxy = No
        wins server = isls-int-dc-6
        #ldap ssl = yes
        ldap ssl = no
        panic action = /usr/share/samba/panic-action %d
        invalid users = root
        idmap uid = 500-1000000
        idmap gid = 500-1000000
        #winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = yes
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        #nt pipe support = no
        #name resolve order = wins host bcast
[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers
[PSI]
        comment = psi shared area
        path = /PSI
        # public = No
        # valid users =  @"INTRANET+Domain Users"
        #valid users = %S
        read only = No
        browseable = No
        wide links = No
        guest ok = yes
[homes]
        comment = Unix homes
        path = /home
#       valid users = %S
        read only = no
        browseable = yes

 
It used to work when configured for local users, but now I'm not able to access the drive for local, nor AD users.
 
Thanks,
Malcolm.
 
 
 
This e-mail and its attachments are intended for the above named only and may be confidential. If they have come to you in error you must not copy or show them to anyone, nor should you take any action based on them, other than to notify the error by replying to the sender.
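An added example, not from the thread or the Samba project: a small smb.conf parser plus an audit of the share-level settings that stand out in the config above (a writable share with guest ok = yes, and [homes] with valid users = %S commented out). The embedded config is a constructed excerpt of the one posted; the 'writable'/'writeable' synonyms are ignored for brevity, so only 'read only' decides writability.

```python
# Added example (not the poster's or Samba's code): parse smb.conf and flag
# share settings a defender reviews first. SAMPLE_SMB_CONF is constructed.
import re

SAMPLE_SMB_CONF = """
[global]
        security = ADS
[PSI]
        path = /PSI
        #valid users = %S
        read only = No
        guest ok = yes
[homes]
        path = /home
        read only = no
"""

def parse_smb_conf(text):
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # smbd skips comment lines too
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def is_true(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit(sections):
    findings = []
    for share, opts in sections.items():
        name = share.lower()
        if name in ("global", "printers", "print$"):
            continue
        writable = not is_true(opts.get("read only", "yes"))   # smbd default: read only
        if writable and is_true(opts.get("guest ok", "no")):
            findings.append((share, "guest-writable share"))
        if name == "homes" and opts.get("valid users") != "%S":
            findings.append((share, "[homes] lacks 'valid users = %S'"))
        elif name != "homes" and "valid users" not in opts:
            findings.append((share, "no 'valid users' restriction"))
    return findings
```

Run `audit(parse_smb_conf(open("/etc/samba/smb.conf").read()))` against a live config to get the same (share, finding) pairs.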


________________________________

From: Malcolm Bodger
Sent: Fri 02/07/2010 14:42
To: Scott Grizzard; Malcolm Bodger
Cc: samba-technical at lists.samba.org
Subject: RE: ldap and active directory configuration


Hi Scott,
 
Thanks for this very useful information and it's giving me an insight into Samba. Our eDirectory has about 100,000 accounts and stores UID, GID, username and password etc etc. It's used for Windows, Mac and Unix. The ldap lookup does not require an admin password. We have a need to provide a read write filesystem to a group of project users and benefit from samba's auditing. Also, we want to restrict access to particular groups and use the eDirectory to authenticate users. I will check out your suggestions and post my smb.conf.
 
Thanks.
Regards,
Malcolm.
 
 
 


________________________________

From: Scott Grizzard [mailto:scott at scottgrizzard.com]
Sent: Fri 02/07/2010 12:28
To: Malcolm Bodger
Cc: samba-technical at lists.samba.org
Subject: Re: ldap and active directory configuration



Ah...I see what you are trying to do...

The problem is passwords: you need some way to store the Windows
passwords for the users; which are different than the Linux passwords.

Are you storing passwords on your eDirectory or not?  eDirectory has
Samba extensions, etc, and there is documentation on how to do it
(http://www.novell.com/coolsolutions/appnote/11788.html).  If all you
need from eDirectory is whether the account is still active or not,
you can either extend eDirectory to support Samba, or you can set up
Samba with the LDAP backend as a separate server, and write a script
that queries eDirectory for account status once a day, updating your
Samba's LDAP, activating and deactivating accounts as needed.  I once
had a similar situation where my script went the other way, disabling
users from our "other systems" once they were deactivated in Samba.

Those are just some thoughts...it might help if you detailed your
current setup to the mailing list (existing directories, dependencies,
etc)...if your payroll system simply sends out LDAP queries, it might
be faster to use OpenLDAP and replace eDirectory.

On Fri, Jul 2, 2010 at 6:09 AM, Malcolm Bodger
<M.Bodger at westminster.ac.uk> wrote:
> Hi Scott,
>
> Thanks for this. I've gone through the documents for configuring LDAP and it
> appears to want to make samba a domain controller on a new ldap database.
> All our users authenticate to our existing edirectory, which is updated by a
> feed from our payroll system. I want to authenticate our existing users to
> our ldap(edirectory) to access the samba share. I don't want to create an
> admin user for samba. The ubuntu box already authenticates users to our ldap
> server. Is there no easy way to do this?
>
> Thanks.
> Regards,
> Malcolm.
>
> ________________________________
> From: Scott Grizzard [mailto:scott at scottgrizzard.com]
> Sent: Thu 01/07/2010 13:14
> To: Malcolm Bodger
> Cc: samba-technical at lists.samba.org
> Subject: Re: ldap and active directory configuration
>
> Google "ubuntu samba domain member server".  Also, you might want to use
> OpenSuse instead...it is a bit more intuitive for Windows power users than
> Ubuntu, and easier to integrate into a Windows domain.
>
> ------
> Scott Grizzard
> http://www.scottgrizzard.net/
>
> On Jul 1, 2010 6:35 AM, "Malcolm Bodger" <M.Bodger at westminster.ac.uk> wrote:
>
> Hi,
>
> I'm new to this list, so this is my first email.
>
> I've installed Samba on a Ubuntu server and I want to share a file system,
> but I don't want the filesystem to be public, I need users to authenticate
> to access the shared file system.
>
> My Ubuntu server is configured to accept user logins authenticating to our
> LDAP server, so I thought this would be easy - how wrong can one be.
> So, can anyone tell me how to get samba to authenticate users to ldap,
> without making changes to the ldap server?
>
> Or, would it be easier to use Active Directory?
>
> Thanks,
> Malcolm.
>
>
>
> --
> The University of Westminster is a charity and a company limited by
> guarantee.  Registration number: 977818 England.  Registered Office:
> 309 Regent Street, London W1B 2UW, UK.
>

----
Scott Grizzard
Scott at ScottGrizzard.net
http://www.ScottGrizzard.net/
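An added example, not Scott's script or any Samba code: the decision step of the once-a-day reconciliation he describes, which compares eDirectory account status with the sambaAcctFlags stored in Samba's LDAP passdb and emits LDIF modify records for ldapmodify. It assumes eDirectory's loginDisabled attribute (TRUE/FALSE) as the status source, the D letter in sambaAcctFlags as Samba's disabled marker, and a placeholder base DN; both snapshots are constructed in memory, where a real run would fetch them with LDAP searches.

```python
# Added example (not from the thread): reconcile eDirectory status into
# Samba's sambaAcctFlags. Both snapshots and BASE_DN are constructed.
BASE_DN = "ou=people,dc=example,dc=com"   # placeholder, not a real DN

# uid -> eDirectory loginDisabled value (assumed attribute name)
EDIR_STATUS = {"alice": "FALSE", "bob": "TRUE", "carol": "FALSE"}
# uid -> sambaAcctFlags as stored in Samba's LDAP passdb; "dave" has no
# eDirectory entry at all, so he must end up disabled (fail closed)
SAMBA_FLAGS = {"alice": "[U          ]", "bob": "[U          ]",
               "carol": "[DU         ]", "dave": "[U          ]"}

FLAG_ORDER = "NDHTUMWSLXI"   # order Samba's own encoder prints the letters in

def parse_acct_flags(text):
    """'[DU         ]' -> {'D', 'U'}; padding and order are ignored, as Samba does."""
    return set(text.strip("[] ").replace(" ", ""))

def format_acct_flags(flags):
    """Samba's space-padded 14-character form, e.g. '[DU         ]'."""
    body = "".join(f for f in FLAG_ORDER if f in flags)
    return "[" + body.ljust(12) + "]"

def reconcile(edir, samba):
    """Return LDIF modify records for accounts whose D flag disagrees with
    eDirectory. A uid absent from eDirectory is treated as disabled."""
    records = []
    for uid, current in sorted(samba.items()):
        flags = parse_acct_flags(current)
        want_disabled = edir.get(uid, "TRUE").upper() == "TRUE"
        if want_disabled == ("D" in flags):
            continue                      # already in the desired state
        new_flags = (flags | {"D"}) if want_disabled else (flags - {"D"})
        records.append(
            f"dn: uid={uid},{BASE_DN}\n"
            "changetype: modify\n"
            "replace: sambaAcctFlags\n"
            f"sambaAcctFlags: {format_acct_flags(new_flags)}\n")
    return records

if __name__ == "__main__":
    print("\n".join(reconcile(EDIR_STATUS, SAMBA_FLAGS)))
```

With the constructed snapshots this disables bob and dave and re-enables carol; alice is already consistent and gets no record.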
