Fw: [Samba] PDC/LDAP/SAMBA3/NT4

Fabio Junior fabiojr at maxwelleducacional.com.br
Mon Dec 1 21:56:46 GMT 2003 

Hy!
Excuse for the previous mail, follows correction!

I followed step by step that this in the address above.
> http://www.hilinski.net/samba/

But when I execute, 'script smbldap-populate.pl', appears the following
errors:

[root at thor sbin]# smbldap-populate.pl
Using builtin directory structure
adding new entry: dc=maxwelleducacional,dc=com,dc=br
failed to add entry: Insufficient access at
/usr/local/sbin/smbldap-populate.pl line 273, <GEN1> line 2.
adding new entry: ou=_USERS_,dc=maxwelleducacional,dc=com,dc=br
failed to add entry: parent does not exist at
/usr/local/sbin/smbldap-populate.pl line 273, <GEN1> line 3.
adding new entry: ou=_GROUPS_,dc=maxwelleducacional,dc=com,dc=br
failed to add entry: parent does not exist at
/usr/local/sbin/smbldap-populate.pl line 273, <GEN1> line 4.
adding new entry: ou=_COMPUTERS_,dc=maxwelleducacional,dc=com,dc=br
failed to add entry: parent does not exist at
/usr/local/sbin/smbldap-populate.pl line 273, <GEN1> line 5.
adding new entry:
uid=Administrator,ou=_USERS_,dc=maxwelleducacional,dc=com,dc=br
failed to add entry: parent does not exist at
/usr/local/sbin/smbldap-populate.pl line 273, <GEN1> line 6.
adding new entry: uid=nobody,ou=_USERS_,dc=maxwelleducacional,dc=com,dc=br
failed to add entry: parent does not exist at
/usr/local/sbin/smbldap-populate.pl line 273, <GEN1> line 7.
adding new entry: cn=Domain
Admins,ou=_GROUPS_,dc=maxwelleducacional,dc=com,dc=br
failed to add entry: parent does not exist at
/usr/local/sbin/smbldap-populate.pl line 273, <GEN1> line 8.
adding new entry: cn=Domain
Users,ou=_GROUPS_,dc=maxwelleducacional,dc=com,dc=br
failed to add entry: parent does not exist at
/usr/local/sbin/smbldap-populate.pl line 273, <GEN1> line 9.
adding new entry: cn=Domain
Guests,ou=_GROUPS_,dc=maxwelleducacional,dc=com,dc=br
failed to add entry: parent does not exist at
/usr/local/sbin/smbldap-populate.pl line 273, <GEN1> line 10.
adding new entry:
cn=Administrators,ou=_GROUPS_,dc=maxwelleducacional,dc=com,dc=br
failed to add entry: parent does not exist at
/usr/local/sbin/smbldap-populate.pl line 273, <GEN1> line 11.
adding new entry: cn=Users,ou=_GROUPS_,dc=maxwelleducacional,dc=com,dc=br
failed to add entry: parent does not exist at
/usr/local/sbin/smbldap-populate.pl line 273, <GEN1> line 12.
adding new entry: cn=Guests,ou=_GROUPS_,dc=maxwelleducacional,dc=com,dc=br
failed to add entry: parent does not exist at
/usr/local/sbin/smbldap-populate.pl line 273, <GEN1> line 13.
adding new entry: cn=Power
Users,ou=_GROUPS_,dc=maxwelleducacional,dc=com,dc=br
failed to add entry: parent does not exist at
/usr/local/sbin/smbldap-populate.pl line 273, <GEN1> line 14.
adding new entry: cn=Account
Operators,ou=_GROUPS_,dc=maxwelleducacional,dc=com,dc=br
failed to add entry: parent does not exist at
/usr/local/sbin/smbldap-populate.pl line 273, <GEN1> line 15.
adding new entry: cn=Server
Operators,ou=_GROUPS_,dc=maxwelleducacional,dc=com,dc=br
failed to add entry: parent does not exist at
/usr/local/sbin/smbldap-populate.pl line 273, <GEN1> line 16.
adding new entry: cn=Print
Operators,ou=_GROUPS_,dc=maxwelleducacional,dc=com,dc=br
failed to add entry: parent does not exist at
/usr/local/sbin/smbldap-populate.pl line 273, <GEN1> line 17.
adding new entry: cn=Backup
Operators,ou=_GROUPS_,dc=maxwelleducacional,dc=com,dc=br
failed to add entry: parent does not exist at
/usr/local/sbin/smbldap-populate.pl line 273, <GEN1> line 18.
adding new entry:
cn=Replicator,ou=_GROUPS_,dc=maxwelleducacional,dc=com,dc=br
failed to add entry: parent does not exist at
/usr/local/sbin/smbldap-populate.pl line 273, <GEN1> line 19.
adding new entry: cn=Domain
Computers,ou=_GROUPS_,dc=maxwelleducacional,dc=com,dc=br
failed to add entry: parent does not exist at
/usr/local/sbin/smbldap-populate.pl line 273, <GEN1> line 19.
[root at thor sbin]#

What it can be this?
In annex it follows my archives of configuration. My system is 'RedHat 9.0'
with Samba-3.

[]´s
Fabio Jr.

>
> ----- Original Message ----- 
> From: "Carl J. Hilinski" <CHilinski at timespapers.com>
> To: <samba at lists.samba.org>
> Sent: Wednesday, November 26, 2003 2:52 PM
> Subject: [Samba] PDC/LDAP/SAMBA3/NT4/winbind/trusted domains corrections
>
>
> > If you wanted to follow my steps for setting up a samba PDC in a trusted
> > domain with NT4, please note that there are some corrections. I had a
> > second person follow my steps and we found some problems.
> >
> > First, the link I originally posted as incomplete. It needs a slash at
> > the end. The correct link is:
> >
> > http://www.hilinski.net/samba/
> >
> > The doc file posted there was corrected today, 11/26/2003 at 11:30 a.m.
> > est.
> >
> > I have some questions while I am posting.
> >
> > #1. If you use winbind, is there any reason to put the add machine, add
> > user, etc., scripts in smb.conf? It seems winbind doesn't bother with
> > these.
> >
> > #2. Along the same lines, if you use winbind is there any reason to do
> > the group mapping between nt groups and unix groups?
> >
> > #3. According to the docs, "winbind gid" is supposed to be a synonym for
> > "idmap ." I don't think that works in the latest prerelease code.
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  http://lists.samba.org/mailman/listinfo/samba
> >
>
-------------- next part --------------
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.4.8.6 2000/09/05 17:54:38 kurt Exp $
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE	dc=example, dc=com
#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never
HOST 127.0.0.1
BASE dc=maxwelleducacional,dc=com,dc=br
-------------- next part --------------
 $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# 
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args


#######################################################################
# ldbm database definitions
#######################################################################

database ldbm
suffix "dc=maxwelleducacional,dc=com,dc=br"
rootdn "cn=root,dc=maxwelleducacional,dc=com,dc=br"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
#rootpw {MD5}QL5OWbmiorXf+5GMDoaz1w==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
#################################################################
# Indices to maintain
## required by OpenLDAP
index objectClass eq

index cn pres,sub,eq
index sn pres,sub,eq
## required to support pdb_getsampwnam
index uid pres,sub,eq
## required to support pdb_getsambapwrid()
index displayName pres,sub,eq

## uncomment these if you are storing posixAccount and
## posixGroup entries in the directory as well
index uidNumber eq
index gidNumber eq
index memberUid eq

index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

-------------- next part --------------
#!/usr/bin/perl
use strict;
package smbldap_conf;

# $Dource: $
# $Id: smbldap_conf.pm,v 1.20 2003/09/17 14:03:54 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

#  This code was developped by IDEALX (http://IDEALX.org/) and
#  contributors (their names can be found in the CONTRIBUTORS file).
#
#                 Copyright (C) 2001-2002 IDEALX
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.

#  Purpose :
#       . be the configuration file for all smbldap-tools scripts

use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS
$UID_START $GID_START $smbpasswd $slaveLDAP $masterLDAP
$slavePort $masterPort $ldapSSL $slaveURI $masterURI $with_smbpasswd $mk_ntpasswd
$ldap_path $ldap_opts $ldapmodify $suffix $usersdn $computersdn
$groupsdn $scope $binddn $bindpasswd
$slaveDN $slavePw $masterDN $masterPw
$_userLoginShell $_userHomePrefix $_userGecos
$_defaultUserGid $_defaultComputerGid
$_skeletonDir $_userSmbHome
$_userProfile $_userHomeDrive
$_userScript $usersou $computersou $groupsou $SID $hash_encrypt
);

use Exporter;
$VERSION = 1.00;
@ISA = qw(Exporter);

@EXPORT = qw(
$UID_START $GID_START $smbpasswd $slaveLDAP $masterLDAP
$slavePort $masterPort $ldapSSL $slaveURI $masterURI $with_smbpasswd $mk_ntpasswd
$ldap_path $ldap_opts $ldapmodify $suffix $usersdn
$computersdn $groupsdn $scope $binddn $bindpasswd
$slaveDN $slavePw $masterDN $masterPw
$_userLoginShell $_userHomePrefix $_userGecos
$_defaultUserGid $_defaultComputerGid $_skeletonDir 
$_userSmbHome $_userProfile $_userHomeDrive $_userScript
$usersou $computersou $groupsou $SID $hash_encrypt
);


##############################################################################
#
# General Configuration
#
##############################################################################

# UID and GID starting at...
$UID_START = 1000;
$GID_START = 1000;

# Put your own SID
# to obtain this number do: "net getlocalsid"
$SID='S-1-5-21-4087699067-707074128-1351698229';

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have 
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Ex: $slaveLDAP = "127.0.0.1";
$slaveLDAP = "127.0.0.1";
$slavePort = "389";

# Master LDAP : needed for write operations
# Ex: $masterLDAP = "127.0.0.1";
$masterLDAP = "127.0.0.1";
$masterPort = "389";

# Use SSL for LDAP
# If set to "1", this option will use start_tls for connection
# (you should also used the port 389)
$ldapSSL = "0";

# LDAP Suffix
# Ex: $suffix = "dc=IDEALX,dc=ORG";
$suffix = "dc=maxwelleducacional,dc=com,dc=br";


# Where are stored Users
# Ex: $usersdn = "ou=Users,$suffix"; for ou=Users,dc=IDEALX,dc=ORG
$usersou = q(_USERS_);
$usersdn = "ou=$usersou,$suffix";

# Where are stored Computers
# Ex: $computersdn = "ou=Computers,$suffix"; for ou=Computers,dc=IDEALX,dc=ORG
$computersou = q(_COMPUTERS_);
$computersdn = "ou=$computersou,$suffix";

# Where are stored Groups
# Ex $groupsdn = "ou=Groups,$suffix"; for ou=Groups,dc=IDEALX,dc=ORG
$groupsou = q(_GROUPS_);
$groupsdn = "ou=$groupsou,$suffix";

# Default scope Used
$scope = "sub";

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
$hash_encrypt="SSHA";

############################
# Credential Configuration #
############################
# Bind DN used 
# Ex: $binddn = "cn=Manager,$suffix"; for cn=Manager,dc=IDEALX,dc=org
$binddn = "cn=Manager,$suffix";

# Bind DN passwd used
# Ex: $bindpasswd = 'secret'; for 'secret'
$bindpasswd = "secret";

# Notes: if using dual ldap patch, you can specify to different configuration
# By default, we will use the same DN (so it will work for standard Samba 
# release)
$slaveDN = $binddn;
$slavePw = $bindpasswd;
$masterDN = $binddn;
$masterPw = $bindpasswd;

##############################################################################
# 
# Unix Accounts Configuration
# 
##############################################################################

# Login defs
# Default Login Shell
# Ex: $_userLoginShell = q(/bin/bash);
$_userLoginShell = q(_LOGINSHELL_);

# Home directory prefix (without username)
# Ex: $_userHomePrefix = q(/home/);
$_userHomePrefix = q(_HOMEPREFIX_);

# Gecos
$_userGecos = q(System User);

# Default User (POSIX and Samba) GID
$_defaultUserGid = 513;

# Default Computer (Samba) GID
$_defaultComputerGid = 553;

# Skel dir
$_skeletonDir = q(/etc/skel);

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location without the username last extension
# (will be dynamically prepended)
# Ex: q(\\\\My-PDC-netbios-name\\homes) for \\My-PDC-netbios-name\homes
$_userSmbHome = q(\\\\_PDCNAME_\\homes);

# The UNC path to profiles locations without the username last extension
# (will be dynamically prepended)
# Ex: q(\\\\My-PDC-netbios-name\\profiles\\) for \\My-PDC-netbios-name\profiles
$_userProfile = q(\\\\_PDCNAME_\\profiles\\);

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: q(U:) for U:
$_userHomeDrive = q(_HOMEDRIVE_);

# The default user netlogon script name
# if not used, will be automatically username.cmd
# $_userScript = q(startup.cmd); # make sure script file is edited under dos


##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if $with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer mkntpwd... most of the time, it's a wise choice :-) 
$with_smbpasswd = 0;
$smbpasswd = "/usr/bin/smbpasswd";
$mk_ntpasswd = "/usr/local/sbin/mkntpwd";

# those next externals commands are kept fot the migration scripts and
# for the populate script: this will be updated as soon as possible
$slaveURI = "ldap://$slaveLDAP:$slavePort";
$masterURI = "ldap://$masterLDAP:$masterPort";

$ldap_path = "/usr/bin";

if ( $ldapSSL eq "0" ) {
	$ldap_opts = "-x";
} elsif ( $ldapSSL eq "1" ) {
	$ldap_opts = "-x -Z";
} else {
	die "ldapSSL option must be either 0 or 1.\n";
}

#$ldapsearch = "$ldap_path/ldapsearch $ldap_opts -H $slaveURI -D '$slaveDN' -w '$slavePw'";
#$ldapsearchnobind = "$ldap_path/ldapsearch $ldap_opts -H $slaveURI";
$ldapmodify = "$ldap_path/ldapmodify $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'";
#$ldappasswd = "$ldap_path/ldappasswd $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'";
#$ldapadd = "$ldap_path/ldapadd $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'";
#$ldapdelete = "$ldap_path/ldapdelete $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'";
#$ldapmodrdn = "$ldap_path/ldapmodrdn $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'";



1;

# - The End
-------------- next part --------------
# CTI, Universidad de Navarra
# Ignacio Coupeau 001011.01;
#
[global]
passdb backend = ldapsam
ldap suffix = dc=maxwelleducacional,dc=com,dc=br
ldap machine suffix = ou=COMPUTERS
ldap user suffix = ou=USERS
ldap admin dn = "cn=root,dc=maxwelleducacional,dc=com,dc=br"
#not using ssl because this is all happening on the localhost
ldap ssl = no
#ldap ssl = Yes
#ldap ssl = start tls
idmap backend = ldap:ldap://127.0.0.1
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind gid = 10000-20000
idmap uid = 10000-20000

passwd chat debug = Yes
passwd program =/usr/local/sbin/smbldap-passwd.pl -o %u
passwd chat = *new*password* %n\n *new*password:* %n\ *successfully*

#mentioned that these options improve performance
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 

######################################################################
######################User Add Scripts################################
add machine script = /usr/local/sbin/smbldap-useradd.pl -w %ms"
add user script = /usr/local/sbin/smbldap-useradd.pl -a %u
delete user script = /usr/local/sbin/smbldap-userdel.pl %u
add group script = /usr/local/sbin/smbldap-groupadd.pl %g
delete group script = /usr/local/sbin/smbldap-groupdel.pl %g
add user to group script = /usr/local/sbin/smbldap-groupmod.pl" -m %u %g
delete user from group script = /usr/local/sbin/smbldap-groupmod.pl -x %u %g
set primary group script = /usr/local/sbin/smbldap-usermod.pl -G %g %u
#####################################################################

workgroup = MAXWELLEDUCACIONAL
netbios name = Thor 
comment = Samba-PDC Server
security = user
null passwords = yes
encrypt passwords = yes
logon script=logon.bat

### These left Blank will force local profiles but will not override LDAP config
##if set LDAP takes precedence.
logon drive =
logon path =


domain master = yes
domain logons = yes
preferred master = yes
os level = 33

wins support = no 
wins proxy = no

log file = /var/log/samba/%m.log

public = No
browseable = yes
writable = No

; necessary share for domain controller
[netlogon]
path = /home/netlogon
locking = no
read only = yes
write list = ntadmin 

;test share
[tmp]
	writeable = yes
	public = yes
	path = /tmp

[profiles]
path = /home/profiles
read only = no
writeable = yes
create mask = 0600
directory mask = 0700

[dogbreath]
	valid users = @NTHOME+wopwhippers
	writeable = yes
	path = /home/connor

More information about the samba mailing list