HELP Ubuntu 12.04 LTS server, SAMBA and ldap
Charles Sampson
csampson at hisolutions.net
Thu Jul 18 08:25:23 MDT 2013
I apologize profusely for this but I am in dire need of help. I'm not a
linux/ldap/samba guru by any stretch of the imagination and have to get
a server back going ASAP. I had a Suse 9.2 server crash over the weekend
(5 days ago) which was serving the company's files and authenticating
the xp machines. I only had two pieces of information with which to
rebuild the server. I have the original USER FILES (not system files,
still on a raid array in the machine and on a rsync'd backup drive) and
I have a backup of the LDAP DATABASE from the old machine. I installed
Ubuntu 12.04 LTS server (using the same name and the same IP address), I
installed ldap and samba back to back. I found two ldap configuration
web pages that allowed me to get ldap up, authenticate to itself,
create the structure necessary to support the samba elements in the
backup file and then import/load the backup ldap file (yes, I stripped
out the elements that could not be imported). I still have no clue what
it all means but if I issue ldapsearch -x -LLL -b
dc=hisolutions,dc=net 'uid=csampson' cn gid the result is dn:
uid=csampson,ou=People,dc=hisolutions,dc=net cn: csampson. I then
started with the configuration of Samba. I found a tutorial that told me
how to edit the smb.conf to authenticate with ldap and how to share
the files on my hard drive. At one point I could actually mount the
shares samba and public but I couldn't access any folders below them
because I set them to public. But I've been trying other set-ups so now
I can't even do that. Currently if I issue the command "smbclient -L
//bert" on my server it asks for my root password and then prints
"Connection to bert failed (Error NT_STATUS_CONNECTION_REFUSED)".
This is what I did and my configuration files.
sudo apt-get install slapd ldap-utils
sudo apt-get install samba
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
created a file named backend.mycompany.net.ldif that is very similar to
this:
********************************************************************
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb.la

# Database settings (entries must be separated by a blank line)
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=comtech,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=comtech,dc=com
olcRootPW: secret
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=comtech,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=comtech,dc=com" write by * read
******************************************************************************************************
Then I issued the command sudo ldapadd -Y EXTERNAL -H ldapi:/// -f
backend.mycompany.net.ldif
Then I followed the instructions on the web page
https://help.ubuntu.com/lts/serverguide/samba-ldap.html. But I skipped
the "Adding Samba LDAP objects" because the smbldap-tools folder didn't
have the configure.pl.gz file (maybe this is a problem?). And I didn't
set the password or add users because I thought this was taken care of
in the old ldap database import.
Then I stripped out the entries of the old ldap database that would not
import into the new database with:
egrep -v "^(structuralObjectClass|entryUUID|creatorsName|modifiersName|createTimestamp|modifyTimestamp|entryCSN):" ldap.ldif > ldap-stripped.ldif
If you really want to see that file I can email it to you but it's way
too long to post here.
I imported the old ldap database with the command:
sudo ldapadd -x -D cn=admin,dc=mycompany,dc=net -W -f ldap-stripped.ldif
And finally I have been editing the smb.conf. Below is the version
without all the comments to save space.
************************************************************************************************
[global]
workgroup = HIS
server string = %h server (Samba, Bert)
; name resolve order = lmhosts host wins bcast
; interfaces = 10.0.0.4/16 eth0
; bind interfaces only = yes
#### Debugging/Accounting ####
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
#authentication
# LDAP SETTINGS
# should this be passdb backend = tdbsam ?
passdb backend = ldapsam:ldap://bert.hisolutions.net
ldap suffix = dc=hisolutions,dc=net
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=hisolutions,dc=net
ldap ssl = start tls
ldap passwd sync = yes
add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"
security = user
encrypt passwords = true
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
########## Domains ###########
; domain logons = yes
; logon path = \\%N\profiles\%U
; logon drive = P:
; logon script = logon.cmd
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
; add group script = /usr/sbin/addgroup --force-badname %g
# MISC
; include = /home/samba/etc/smb.conf.%m
; idmap uid = 10000-20000
; idmap gid = 10000-20000
; template shell = /bin/bash
; winbind enum groups = yes
; winbind enum users = yes
; usershare max shares = 100
usershare allow guests = yes
#======================= Share Definitions =======================
;[homes]
; comment = Home Directories
; browseable = no
; read only = no
; create mask = 0700
; directory mask = 0700
; valid users = %S
[profiles]
comment = Users profiles
path = /var/raid/samba/profiles
guest ok = no
browseable = no
create mask = 0600
directory mask = 0700
[homes]
comment = home Directories
browseable = yes
read only = no
public = no
[samba]
comment = samba directory share
path = /var/raid/samba
read only = no
public = yes
writable = yes
create mask = 0765
directory mask = 0755
[public]
comment = public directory
path = /var/raid/samba/public
read only = no
public = yes
writable = yes
create mask = 0765
directory mask = 0755
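Added example, not part of the post or of Samba: a small Python audit of share definitions like the ones above. With "map to guest = bad user" in [global], any unknown username is served as guest, so a share that sets "public = yes" (a synonym of "guest ok") together with "read only = no" or "writable = yes" is writable without credentials; the script lists such shares. The embedded smb.conf is a constructed sample modelled on the posted one, and the hostname in it is a placeholder.

```python
import configparser

# Constructed sample modelled on the posted smb.conf (not the poster's file):
# unknown users map to guest, and two shares combine guest access with writes.
SAMPLE_SMB_CONF = """\
[global]
passdb backend = ldapsam:ldap://ldap.example.invalid
map to guest = bad user
[samba]
path = /srv/samba
read only = no
public = yes
[public]
path = /srv/samba/public
writable = yes
public = yes
[docs]
path = /srv/samba/docs
public = yes
read only = yes
"""

def _flag(section, names, default):
    """Boolean value of the first synonym present in the section, else default."""
    for name in names:
        value = section.get(name)
        if value is not None:
            return value.strip().lower() in ("yes", "true", "1")
    return default

def guest_writable_shares(text):
    """Return (share names writable by guests, whether 'map to guest' admits guests)."""
    # smb.conf has '#'/';' comments and '%' macros, so interpolation is off;
    # strict=False tolerates repeated keys, which Samba accepts (last one wins).
    conf = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    conf.read_string(text)
    guest_mapping = conf["global"].get("map to guest", "never").strip().lower() != "never"
    findings = []
    for name in conf.sections():
        if name == "global":
            continue
        share = conf[name]
        guest = _flag(share, ("guest ok", "public"), False)
        # 'read only' defaults to yes; 'writable'/'writeable'/'write ok' are its inverse.
        writable = _flag(share, ("writable", "writeable", "write ok"),
                         not _flag(share, ("read only",), True))
        if guest and writable:
            findings.append(name)
    return findings, guest_mapping
```

Run it against a real file with `guest_writable_shares(open("/etc/samba/smb.conf").read())`; `testparm -s` output works as input too, since it prints the effective values.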