[Samba] Re: LDAP violation ?
Jerome Pramondon
jpramondon at alicante.fr
Fri Apr 9 12:17:33 GMT 2004
Thanks for your help,
Please see below.
Andrew Bartlett wrote:
>On Fri, Apr 09, 2004 at 12:56:35PM +0200, M. Vancl wrote:
>
>
>>"Jerome Pramondon" <jpramondon at alicante.fr> wrote:
>>
>>
>>
>>>The problem is when I start adding users using the 'smbpasswd' command.
>>>I get an objectclass violation which says it cannot modify the
>>>'userPassword' attribute.
>>>After some searching, I noticed the 'userPassword' attribute was only
>>>defined in the 'PosixAccount' objectclass. If I use an LDAP browser to
>>>look at what's in my directory, I see the user account, but it only has the
>>>'SambaSamAccount' objectclass.
>>>So it seems completely correct: if the 'PosixAccount' objectclass is not
>>>added, then how could the 'userPassword' attribute be used in that
>>>object ...
>>>Then why does the command not add that objectclass?
>>>
>>I'm not sure, but I think smbpasswd is not usable for the ldap backend and you
>>must use some more sophisticated program for it (e.g. IDEALX smbldap-tools
>>http://samba.idealx.org/).
>>
>
>No, smbpasswd will handle all of the Samba backends.
>
Yes, I configured the user and group management scripts in
smb.conf. That's why smbpasswd is in fact using smbldap-useradd. Am I right?
>The issue here is that the 'ldap password sync' option is being used (hint - always post your smb.conf), and the user entries do not permit the setting of an LDAP password.
>
Sorry, here it is:
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2004/04/07 19:53:42
# Global parameters
[global]
unix charset = ISO8859-1
workgroup = INTRALICANTE.FR
server string = Samba Server %v
map to guest = Bad User
passdb backend = ldapsam:ldap://192.168.1.53:389
log level = 2
log file = /var/log/samba/log.%m
max log size = 1000
debug hires timestamp = Yes
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = cups
add user script = /usr/bin/smbldap-useradd -m -a
delete user script = /usr/bin/smbldap-userdel
add group script = /usr/bin/smbldap-groupadd -p
delete group script = /usr/bin/smbldap-groupdel
add user to group script = /usr/bin/smbldap-groupmod -m
delete user from group script = /usr/bin/smbldap-groupmod -x
add machine script = /usr/bin/smbldap-useradd -w
logon script = logon.bat
logon path =
logon home =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
ldap suffix = ou=Samba,dc=Alicante,dc=fr
ldap machine suffix = ou=computers
ldap user suffix = ou=accounts
ldap group suffix = ou=groups
ldap admin dn = cn=Manager,dc=Alicante,dc=fr
ldap ssl = no
ldap passwd sync = Yes
ldap delete dn = Yes
printer admin = @adm
printing = cups
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
guest ok = Yes
printable = Yes
print command = lpr-cups -P %p -o raw %s -r # using client side printer drivers.
browseable = No
[print$]
path = /var/lib/samba/printers
write list = @adm, root
inherit permissions = Yes
guest ok = Yes
[pdf-generator]
comment = PDF Generator (only valid users)
path = /var/tmp
printable = Yes
print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I "%J" &
[homes]
valid users = %S
read only = No
browseable = No
[netlogon]
path = /home/netlogon
browseable = No
[public]
comment = Répertoire Public
path = /home/public
read only = No
guest ok = Yes
[%U]
comment = Répertoire privé de %U
path = /home/%U
invalid users = nobody, guest
read only = No
>(The exact requirements differ between directory servers, but for
>OpenLDAP, your users must have a posixAccount or simpleSecurityObject
>objectclass, to allow userPassword to be set).
>
OK, I knew I could do it this way (that supposes I already have users in the
directory), but what if I want to have separate entries for users and
Samba accounts in the directory?
Something like:
dn: uid=jpramondon,ou=samba,dc=alicante,dc=fr
objectclass: account
objectclass: posixaccount
objectclass: sambaSamAccount
uid: jpramondon
userpassword: ...
...
and
dn: cn=jérôme pramondon,ou=users,dc=alicante,dc=fr
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: jérôme pramondon
...
I saw something like that somewhere ...
Here's why I want to have it this way: it could spare me too many
administrative tasks by having only one command to add a user
(smbpasswd -a user).
Is smbpasswd able to add that kind of entry (the Samba account one, not
the user one) with both sambaSamAccount and PosixAccount (in order to
avoid getting that objectclass violation error)?
Could you help?
Thanks so much,
Jérôme
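As an added example (my own code, not anything from this thread or from Samba), here is a small audit of an LDIF export that flags the condition Andrew describes: sambaSamAccount entries carrying neither posixAccount nor simpleSecurityObject, which is what makes 'ldap passwd sync = Yes' fail with an objectclass violation. It also emits the ldapmodify input to repair one entry. The LDIF, the DNs and the password placeholders are constructed.

```python
import re

# Added example, not code from the thread; the LDIF below is constructed.
# Objectclasses whose OpenLDAP definitions allow userPassword (core/nis schema).
PASSWORD_CLASSES = {"posixaccount", "simplesecurityobject"}

SAMPLE_LDIF = """\
dn: uid=jpramondon,ou=accounts,ou=Samba,dc=Alicante,dc=fr
objectClass: sambaSamAccount
uid: jpramondon

dn: uid=alice,ou=accounts,ou=Samba,dc=Alicante,dc=fr
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
userPassword: {SSHA}constructed-placeholder
"""

def parse_ldif(text):
    """Return [(dn, {attr_lowercased: [values]})] from a simple LDIF export."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries

def lacks_password_class(attrs):
    """True for a Samba account that no objectclass allows to hold userPassword."""
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    return "sambasamaccount" in classes and not (classes & PASSWORD_CLASSES)

def audit(text):
    """DNs that would hit the objectclass violation once 'ldap passwd sync' runs."""
    return [dn for dn, attrs in parse_ldif(text) if lacks_password_class(attrs)]

def remediation_ldif(dn):
    """ldapmodify input adding simpleSecurityObject; it MUSTs userPassword, so both go in one modify."""
    return (f"dn: {dn}\nchangetype: modify\nadd: objectClass\n"
            "objectClass: simpleSecurityObject\n-\nadd: userPassword\n"
            "userPassword: {SSHA}REPLACE-ME\n-\n")
```

posixAccount would also satisfy the schema, but it requires uidNumber, gidNumber and homeDirectory, which is why the smbldap-useradd route creates both classes at once; Samba overwrites the placeholder userPassword on the next password change.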