[Samba] Samba and Ldap Groups
Kristyan Osborne
kris at longhill.brighton-hove.sch.uk
Wed Apr 9 15:27:27 GMT 2003
Hi,
running the command:
ldapsearch -h 10.108.3.6 -x -b 'dc=longhill,dc=brighton-hove,dc=sch,dc=uk' -s sub '(objectclass=*)' uid
returns all the entries in the LDAP directory whether it is run as root or as any other user.
This leads me to believe that there is nothing wrong with the LDAP side.
I have attached my slapd.conf and smb.conf files so people can have a look and see what they think.
Cheers
Kristyan Osborne
-----Original Message-----
From: Bradley W. Langhorst [mailto:brad at langhorst.com]
Sent: Wed 09/04/2003 14:54
To: Kristyan Osborne
Cc: samba at lists.samba.org
Subject: Re: [Samba] Samba and Ldap Groups
On Wed, 2003-04-09 at 03:44, Kristyan Osborne wrote:
> Hi,
>
> Still no luck. I have given everyone access to everything in the LDAP directory and I still get the same error message. Do I need to specify somewhere/somehow whether normal users can access the LDAP directory?
>
> >[2003/04/08 13:30:19, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(2198)
> > ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (Insufficient access)ldapsam_open: cannot access LDAP when not root..
> >[2003/04/08 13:30:19, 0] passdb/pdb_ldap.c:ldapsam_retry_open(509)
> > Connection to LDAP Server failed for the 1 try!
> >[2003/04/08 13:30:19, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(2567)
> > LDAP search failed: Insufficient access
> >[2003/04/08 13:30:19, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(2629)
> > Unable to open passdb
>
start debugging ldap using the command line tools (not samba)
does ldapsearch -x work?
post relevant sections of your smb.conf file and your slapd.conf file
maybe I'll see an error.
did you set the ldap admin password in samba?
smbpasswd -w, I think
brad
--
Bradley W. Langhorst <brad at langhorst.com>
-------------- next part --------------
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Schemas: nis.schema supplies posixAccount/posixGroup; samba.schema supplies
# the attributes referenced below (lmPassword, ntPassword, rid,
# primaryGroupID).
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/reg.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
# Hash applied when userPassword is set through the Password Modify
# extended operation. {CRYPT} is the weakest of the available schemes;
# OpenLDAP 2.x also offers {SSHA}.
password-hash {CRYPT}
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
#
# Sample Access Control
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#access to * by * write
#access to dn="" by * read
#access to dn="" by * write
#access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default is:
# Allow read by all
# Allow write by all
#
# rootdn can always write!
#defaultaccess write
# ACL evaluation: the first "access to" clause whose target matches is used,
# then the first matching "by" line within it.
# Password attributes: writable by the rootdn from the two listed hosts or
# over a session with ssf >= 112, writable by the entry's owner ("self"),
# readable by nobody ("by * none" is the final fallthrough). "anonymous auth"
# grants the auth privilege simple binds need to check a password, but only
# from 127.0.0.1, 10.108.10.149, or an ssf >= 112 session; a normal user's
# simple bind from any other host in the clear is refused outright.
# NOTE(review): the rootdn is exempt from ACLs, so the dn="cn=root,..."
# lines document intent but do not restrict where the rootdn may bind from.
# NOTE(review): no TLS* directives appear in this file, so the ssf=112 lines
# cannot match unless TLS/SASL is configured elsewhere — confirm.
access to attribute=userPassword,lmPassword,ntPassword
by peername="IP=127\.0\.0\.1" dn="cn=root,dc=longhill,dc=brighton-hove,dc=sch,dc=uk" write
by peername="IP=127\.0\.0\.1" anonymous auth
by peername="IP=10\.108\.10\.149" anonymous auth
by peername="IP=10\.108\.10\.149" dn="cn=root,dc=longhill,dc=brighton-hove,dc=sch,dc=uk" write
by ssf=112 dn="cn=root,dc=longhill,dc=brighton-hove,dc=sch,dc=uk" write
by ssf=112 anonymous auth
by self write
by * none
# Everything except the password attributes above is readable by anyone,
# from any address, without binding — which is why the anonymous
# "ldapsearch -x" in the thread returns every entry. If anonymous
# enumeration of account and group data is not intended, replace the last
# line with "by users read" plus "by anonymous auth", or limit it by
# peername to the local subnet.
access to *
by peername="IP=127\.0\.0\.1" dn="cn=root,dc=longhill,dc=brighton-hove,dc=sch,dc=uk" write
by peername="IP=10\.108\.10\.149" dn="cn=root,dc=longhill,dc=brighton-hove,dc=sch,dc=uk" write
by ssf=112 dn="cn=root,dc=longhill,dc=brighton-hove,dc=sch,dc=uk" write
by * read
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
# NOTE(review): two naming contexts served by the same ldbm database;
# confirm the "o=Longhill High School,c=UK" tree is still in use.
suffix "dc=longhill,dc=brighton-hove,dc=sch,dc=uk"
suffix "o=Longhill High School,c=UK"
# The DN Samba binds as ("ldap admin dn" in smb.conf). It bypasses every ACL
# above.
rootdn "cn=root,dc=longhill,dc=brighton-hove,dc=sch,dc=uk"
#rootdn "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# NOTE(review): "secret" is the stock sample value. Replace it with a
# slappasswd hash, then rotate it (and the matching "smbpasswd -w" value on
# the Samba side) now that this file has been circulated.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /usr/local/var/openldap-ldbm
# Indices to maintain
# Equality indexes on the attributes the Samba and NSS lookups key on.
index primaryGroupID eq
index rid eq
index uid eq
index uidNumber eq
index gidNumber eq
index cn eq
index objectClass eq
index default eq
# Maximum number of entries a single search may return; larger result sets
# are truncated with a size-limit-exceeded result.
sizelimit 5000
# replica biT
#updatedn "cn=root,dc=longhill,dc=brighton-hove,dc=sch,dc=uk"
#updateref ldap://ds1
-------------- next part --------------
#======================= Global Settings =====================================
# smb.conf for the domain controller "MCTPDC" (Samba 3.0 alpha era — see the
# "pre alpha 19" remarks below). Account data lives in the OpenLDAP server
# at 10.108.3.6. Comments here use both "#" and ";"; Samba accepts either,
# but one style is easier to grep.
[global]
netbios name = MCTPDC
server string = Longhill Home Directories (%v,%h)
workgroup = test
socket options = TCP_NODELAY SO_SNDBUF=16384 SO_RCVBUF=4096
name resolve order = lmhosts host bcast
os level = 65
domain master = yes
domain logons = yes
local master = yes
preferred master = yes
# NOTE(review): a share-level option set in [global] is the default for every
# share below. Only [NRA] overrides it with "guest ok = no"; every other
# share therefore accepts unauthenticated connections mapped to "guest
# account". Prefer "guest ok = no" here and enable it per share.
guest ok = yes
#NO LONGER NEEDED
#logon script = %G.BAT
#TIME SERVER STUFF
time server = yes
# minutes; the commented alternative below is for BST
time offset = 60
#Uncomment the following line for BST
#time offset = 0
security = user
# NOTE(review): a password level above 0 makes smbd retry each logon with up
# to that many upper-case permutations of the password, which slows logons
# and weakens resistance to guessing. Use 0 unless a legacy client needs it.
password level = 3
guest account = nobody
read size = 16384
max xmit = 65520
load printers = no
printing = bsd
printcap name = /etc/printcap
debug level = 1
log file = /usr/local/samba/var/log.%m
max log size = 200
deadtime = 1
# Only 10.108.0.0/16 and loopback may connect at all.
hosts allow = 10.108. 127.
encrypt passwords = yes
#NO LONGER SUPPORTED
#domain admin group = @domadm
#domain admin group = @users
;domain groups = @users @author @students
#NO LONGER NEEDED
#logon drive = w:
#logon path = \\%L\Profiles
#logon home = \\%L\%U
#unix password sync = yes
#passwd program = /usr/local/sbin/passsync -username=%u
#passwd chat = "*Old*Password:*" %o\n "*New*Password:*" %n\n "*Password*changed*"
#passwd chat debug = yes
#log level = 101
#NT Stuff
nt pipe support = yes
#Uncomment for pre alpha 19
#use spnego = no
preserve case = yes
case sensitive = no
allow trusted domains = yes
#Automation of additional machines to domain
#NO LONGER SUPPORTED
#add user script = /usr/local/samba/bin/addmachine.pl -name=%m
# Run as root by smbd when a joining machine has no account; %m is the
# client's NetBIOS name, so the script must treat it as untrusted input.
add machine script = /usr/local/sbin/smbldap-useradd.pl -w %m
#LDAP Stuff
# NOTE(review): the directory server is named twice — by IP here and by
# hostname in the passdb backend URL. The ldapsearch test in the thread used
# the IP; confirm pc406.longhill.brighton-hove.sch.uk resolves to 10.108.3.6,
# otherwise Samba and the test are talking to different hosts.
ldap server = 10.108.3.6
passdb backend = ldapsam:ldap://pc406.longhill.brighton-hove.sch.uk/
# The bind password for this DN is not kept in smb.conf: it is stored in
# secrets.tdb with "smbpasswd -w <password>" and is readable only by root.
# The "cannot access LDAP when not root" line in the thread suggests the
# credentials could not be fetched in a non-root context — verify they have
# been set. The DN and password must match rootdn/rootpw in slapd.conf.
ldap admin dn = "cn=root,dc=longhill,dc=brighton-hove,dc=sch,dc=uk"
# NOTE(review): with ssl off, the rootdn password crosses the network in the
# clear on every bind. The slapd ACLs only relax for ssf >= 112 sessions, so
# enable TLS on slapd and switch to "ldap ssl = start_tls" (spelling per this
# Samba version's smb.conf(5)).
ldap ssl = no
#ldap filter = "ou=Groups,dc=longhill,dc=brighton-hove,dc=sch,dc=uk"
#Uncomment for pre alpha 19
ldap suffix = "dc=longhill,dc=brighton-hove,dc=sch,dc=uk"
ldap user suffix = "ou=Users,dc=longhill,dc=brighton-hove,dc=sch,dc=uk"
ldap machine suffix = "ou=Computers,dc=longhill,dc=brighton-hove,dc=sch,dc=uk"
#ldap passwd sync = Only
# (spacing: every other key in this file is written "key = value")
ldap trust ids =yes
#============================ Share Definitions ==============================
# Shares below inherit the [global] defaults, including "guest ok = yes".
[netlogon]
comment = Network Logon
path = /usr/local/samba/lib/netlogon
browseable = yes
# NOTE(review): "public" is a synonym for "guest ok". This section sets it to
# yes here and to no on the "public" line below; Samba takes the last
# assignment, so guest access ends up off. Delete one of the two lines so
# the effective value does not depend on ordering.
guest ok = yes
# NOTE(review): whatever this share serves at logon (scripts, policy files)
# runs on every workstation. Writable for every valid user means any account
# can replace those files; the usual setting is "writeable = no" with a
# "write list" naming the maintainers.
writeable = yes
locking = no
public = no
# File operations by this user are performed as root on this share.
admin users = kris
#root preexec = /usr/local/samba/bin/chkprofile %u %G %H
#root preexec = /usr/local/samba/bin/test %H
veto files = /*.eml/*.nwc/*.nws/riched20.dll/
delete veto files = true
[homes]
comment = Home Directories
browseable = no
# %S is the requested service name, which for [homes] is the user's own
# login, so only that user may connect to their home share. There is no
# "guest ok = no" here, so the [global] default applies — add it explicitly.
valid users = %S
invalid users = root
hide dot files = yes
writable = yes
# "profile" under each home is shown to clients as an empty directory.
dont descend = profile
veto files = /*.eml/*.nwc/*.nws/riched20.dll/
delete veto files = true
[admin]
comment = Admin Staff
browseable = yes
path = /home/shares/admin
# "+name" entries are Unix groups; "james" is an individual account.
valid users = +admin,+smt,+finance,james
# New files and directories are limited to 0770 and owned by group "admin"
# (force group), so on-disk access follows the share rather than the
# creator's primary group.
create mask = 0770
directory mask = 0770
force group = admin
# Read-only by default; only the write list may modify. Members of "smt" are
# therefore read-only here. No "guest ok = no" — the [global] default applies.
writeable = no
write list = +admin,+finance,james
veto files = /*.eml/*.nwc/*.nws/riched20.dll/
delete veto files = true
[finance]
comment = Finance Staff
browseable = yes
path = /home/shares/finance
# Group "finance" plus one individual account; all of them may write.
# No "guest ok = no" here — the [global] default applies; set it explicitly
# as [NRA] does rather than relying on "valid users" to reject the guest
# account.
valid users = +finance,jimmy
create mask = 0770
directory mask = 0770
force group = finance
writeable = yes
veto files = /*.eml/*.nwc/*.nws/riched20.dll/
delete veto files = true
[premises]
comment = Finance-Premises
browseable = yes
path = /home/shares/premises
# Two individual accounts plus group "finance" and "kris"; all may write.
valid users = ianbolin,+finance,kris,jimmy
create mask = 0770
directory mask = 0770
# NOTE(review): files are forced into group "staff" although the share is
# described as a finance share; confirm that is intended, since anyone in
# "staff" with filesystem access then reads them.
force group = staff
writeable = yes
veto files = /*.eml/*.nwc/*.nws/riched20.dll/
delete veto files = true
[NRA]
comment = Record of Achievement
browseable = yes
path = /home/shares/NRA
# Files limited to 0775; no "directory mask" here, so directories take the
# Samba default.
create mask = 0775
valid users = +students,+staff
force group = students
# The only share that overrides the [global] "guest ok = yes"; the others
# should do the same.
guest ok = no
writeable = yes
veto files = /*.eml/*.nwc/*.nws/riched20.dll/
delete veto files = true
# [SIMS]
# comment = SIMS
# browseable = yes
# path = /SIMS
# create mask = 0770
# directory mask = 0770
# valid users = +staff
# force group = staff
# guest ok = no
# writeable = yes
# veto files = /*.eml/*.nwc/*.nws/riched20.dll/
# delete veto files = true
# write list = +staff
# [Profiles]
# browseable = no
# path = /home/staff/james/profile
# create mask = 0777
# locking = no
# guest ok = no
# writeable = yes
# nt acl support = yes
# veto files = /*.eml/*.nwc/*.nws/riched20.dll/
# delete veto files = true
# [everyone]
# comment = Everyone
# browsable = yes
# writable = yes
# path = /home
# valid users = kris,alex,james
# admin users = kris,alex,james
# force user = root
# veto files = /*.eml/*.nwc/*.nws/riched20.dll/
# delete veto files = true
[LHSregShell]
comment = LHSregShell
browsable = yes
path = /usr/local/samba/lib/LHSregShell
# File operations by this user are performed as root on this share.
admin users = kris
# NOTE(review): no "valid users" and no "guest ok = no", so with the [global]
# "guest ok = yes" this share is writable by unauthenticated clients from any
# host that passes "hosts allow". Restrict it with "valid users"/"write list"
# or set "guest ok = no".
writable = yes
# Samba reads masks as octal, so 755 is the same as 0755; the other shares
# write four digits — match them.
create mask = 755
veto files = /*.eml/*.nwc/*.nws/riched20.dll/
delete veto files = true
[netbench]
path = /netbench
# NOTE(review): anonymous, writable, and new files may be created 0777.
# Acceptable for a throwaway benchmark share; remove it or set
# "available = no" when not benchmarking.
read only = no
guest ok = yes
create mask = 777