[Samba] Openldap samba 3.0.5 net group add does not work

Paul Gienger pgienger at ae-solutions.com
Sun Aug 1 00:17:06 GMT 2004



Matt Hoyt wrote:

> It still doesn't work.  Do I need to download padl.com tools for 
> transferring /etc/passwd and /etc/group to openldap?  Here is my 
> nsswitch.conf file and the last few lines for syslog showing openldap 
> calls.

Well you don't really have to add the posix info to ldap, but it's 
really counterintuitive to split your samba storage and posix info, at 
least in a pure *NIX controlled world.  You would also need to configure 
your nsswitch to auth by ldap, and not winbind!!

Craig made a good point that your LDIF doesn't have any groups, but then 
again, if you're trying to keep it in /etc/group that makes sense.

I suggest you back up and take a run at it like so.
1. Get your system authenticating with ldap data store
 - read a bit of documentation on LDAP
 - take out the user/group info you added from /etc/passwd and 
/etc/group (and maybe /etc/shadow).
 - move said info to ldap
 - do what the docs say to do for getting auth to work
2. Add samba

That's the end of the on-task suggestions. I was going to make a rant, 
but I'll save that for another day, when I'm not sunburned :-P and 
therefore can handle the flamewar.

>
> /etc/nsswitch.conf:
> # $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 
> 2002/11/18 19:39:22 azarah Exp $
>
> passwd:      files winbind
> shadow:      files
> group:       files winbind
>
> # passwd:    db files nis
> # shadow:    db files nis
> # group:     db files nis
>
> hosts:       files dns
> networks:    files wins
>
> services:    db files
> protocols:   db files
> rpc:         db files
> ethers:      db files
> netmasks:    files
> netgroup:    files
> bootparams:  files
>
> automount:   files
> aliases:     files
>
> Jul 31 12:21:39 backup slapd[13506]: conn=525 op=37 SRCH attr=sambaSID 
> uidNumber gidNumber objectClass
> Jul 31 12:21:39 backup slapd[13506]: conn=525 op=37 SEARCH RESULT 
> tag=101 err=0 nentries=0 text=
> Jul 31 12:21:39 backup slapd[13506]: conn=525 op=38 SRCH 
> base="ou=Groups,dc=sovereign" scope=2 
> filter="(&(objectClass=sambaGroupMapping)(gidNumber=441))"
> Jul 31 12:21:39 backup slapd[13506]: conn=525 op=38 SRCH 
> attr=gidNumber sambaSID sambaGroupType sambaSIDList description 
> displayName cn objectClass
> Jul 31 12:21:39 backup slapd[13506]: conn=525 op=38 SEARCH RESULT 
> tag=101 err=0 nentries=0 text=
> Jul 31 12:21:39 backup slapd[13506]: conn=525 op=39 SRCH 
> base="ou=Groups,dc=sovereign" scope=2 
> filter="(&(|(objectClass=posixGroup)(objectClass=sambaIdmapEntry))(gidNumber=441))" 
>
> Jul 31 12:21:39 backup slapd[13506]: conn=525 op=39 SRCH 
> attr=gidNumber sambaSID sambaGroupType sambaSIDList description 
> displayName cn objectClass
> Jul 31 12:21:39 backup slapd[13506]: conn=525 op=39 SEARCH RESULT 
> tag=101 err=0 nentries=0 text=
> Jul 31 12:21:39 backup slapd[13506]: conn=525 op=40 SRCH 
> base="ou=People,dc=sovereign" scope=2 
> filter="(&(objectClass=sambaIdmapEntry)(gidNumber=441))"
> Jul 31 12:21:39 backup slapd[13506]: conn=525 op=40 SRCH attr=sambaSID 
> uidNumber gidNumber objectClass
> Jul 31 12:21:39 backup slapd[13506]: conn=525 op=40 SEARCH RESULT 
> tag=101 err=0 nentries=0 text=
> Jul 31 12:21:39 backup slapd[13483]: conn=525 fd=24 closed
>
>
> Matt Hoyt
>
>
>
>
> >From: Paul Gienger <pgienger at ae-solutions.com>
> >To: Matt Hoyt <mrhoyt3 at hotmail.com>,MailingList_Samba 
> <samba at lists.samba.org>
> >Subject: Re: [Samba] Openldap samba 3.0.5 net group add does not work
> >Date: Sat, 31 Jul 2004 01:23:56 -0500
> >
> >I'm going to make an assumption here that you aren't using any
> >Active Directory...
> >
> >Changes below (after corresponding lines):
> >
> >>[global]
> >>workgroup = WORKGROUP
> >>netbios name = backup
> >>#username map = /etc/samba/smbusers
> >
> >
> >>add user script = /usr/sbin/useradd -m %u
> >>delete user script = /usr/sbin/userdel -r %u
> >>add group script = /usr/sbin/groupadd %g
> >>delete group script = /usr/sbin/groupdel %g
> >>add user to group script = /usr/sbin/usermod -G %g %u
> >>add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null
> >>-g machines %u
> >
> >Add quotes around your % arguments here.  Even though you quote them
> >on the command line, that doesn't mean they get to the scripts that
> >way.
> >
> >>preferred master = yes
> >>domain master = yes
> >>local master = yes
> >>security = user
> >>domain logons = yes
> >>os level = 35
> >>logon path = \\%L\profiles\%u
> >>logon drive = H:
> >>logon home = \\%L\%u\winprofile
> >>logon script = /etc/samba/logon/scripts
> >
> >Unrelated to your issue, but you need to specify an absolute script
> >here, it appears you're just pointing to a directory.  Either point
> >to a global script (logon.bat) or maybe a user/group script
> >(%u.bat).  This path will also be relative to your netlogon share.
> >
> >>#idmap backend = ldapsam:ldap://localhost
> >
> >Good to comment this out, but remove it and any idmap related
> >entries.
> >
> >>ldap suffix = dc=sovereign
> >>ldap admin dn = "cn=Manager,ou=People,dc=sovereign"
> >>ldap ssl = no
> >>passdb backend = ldapsam:ldap://localhost
> >>ldap delete dn = no
> >>ldap user suffix = ou=People
> >>ldap group suffix = ou=Groups
> >>ldap machine suffix = ou=Computers
> >
> >Depending on your nss configuration, change this to ou=People.
> >Search the archives for an explanation, you can search for me if you
> >wish, I've responded more times than I wish to remember.
> >
> >>ldap idmap suffix = ou=Idmap
> >>winbind separator = +
> >>winbind enum users = yes
> >
> >These 3 should go bye bye, as well as any other winbind related
> >entries, at least for your PDC.
> >
> >>template homedir = /home/winnt/%D/%U
> >>template shell = /bin/bash
> >>idmap uid = 10000-20000
> >>idmap gid = 10000-20000
> >
> >delete 2x.
> >
> >>
> >>Here is the ldap-init.ldif
> >># Samba openldap configuration file
> >># -------------------------------------------
> >># Organization for Samba Base
> >>dn: dc=sovereign
> >>objectclass: dcObject
> >>objectclass: organization
> >>dc: sovereign
> >>o: sovereign network test
> >>description: ldap configuration
> >>
> >># Organizational Role for Directory Management
> >>dn: cn=Manager,dc=sovereign
> >>objectclass: organizationalRole
> >>cn: Manager
> >>description: Manager
> >>
> >># Setting up container for users
> >>dn: ou=People,dc=sovereign
> >>objectclass: top
> >>objectclass: organizationalUnit
> >>ou: People
> >>
> >># Setting up admin handle for people
> >>dn: cn=admin,ou=People,dc=sovereign
> >>cn: admin
> >>objectclass: top
> >>objectclass: organizationalRole
> >>objectclass: simpleSecurityObject
> >>userPassword: *********************************
> >>
> >># Setting up container for groups
> >>dn: ou=Groups,dc=sovereign
> >>objectclass: top
> >>objectclass: organizationalUnit
> >>ou: Groups
> >>
> >># Setting up admin for Groups ou
> >>dn: cn=admin,ou=Groups,dc=sovereign
> >>cn: admin
> >>objectclass: top
> >>objectclass: organizationalRole
> >>objectclass: simpleSecurityObject
> >>userPassword: *********************************
> >>
> >># Setting up container for computers
> >>dn: ou=Computers,dc=sovereign
> >>objectclass: top
> >>objectclass: organizationalUnit
> >>ou: Computers
> >>
> >># Setting up admin handle for Computers OU
> >>dn: cn=admin,ou=Computers,dc=sovereign
> >>cn: admin
> >>objectclass: top
> >>objectclass: organizationalRole
> >>objectclass: simpleSecurityObject
> >>userPassword: ***********************************
> >>
> >># Setting up container for idmap
> >>dn: ou=Idmap,dc=sovereign
> >>objectclass: top
> >>objectclass: organizationalUnit
> >>ou: Idmap
> >>
> >># Setting up admin for Groups ou
> >>dn: cn=admin,ou=Idmap,dc=sovereign
> >>cn: admin
> >>objectclass: top
> >>objectclass: organizationalRole
> >>objectclass: simpleSecurityObject
> >>userPassword: **********************************
> >>
> >>Gentoo box running kernel 2.6.7
> >>
> >>I am able to add users and machine accounts.  If I use tdbsam net
> >>groupmap works.
> >
> >Curious how you have your nss configured, or if logging on actually
> >works if you haven't toyed with it. Although chances are that if you
> >are running gentoo you toyed with EVERYTHING.
> >
> >--
> >Paul Gienger                     Office: 701-281-1884
> >Applied Engineering Inc.         Information Systems Consultant
> >Fax:    701-281-1322
> >URL: www.ae-solutions.com        mailto: pgienger at ae-solutions.com
> >
> >
>

-- 
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.         
Information Systems Consultant   Fax:    701-281-1322
URL: www.ae-solutions.com        mailto: pgienger at ae-solutions.com
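As an added illustration (not part of the thread), here is a small Python script that rejoins the slapd log lines Matt posted and pairs each SRCH with its SEARCH RESULT by conn/op: every lookup for gidNumber=441 returns err=0 with nentries=0, i.e. the group exists neither as a sambaGroupMapping nor as a posixGroup in LDAP, which is exactly the /etc/group-only situation Craig and Paul describe. The regexes and function names are mine, not Samba's or OpenLDAP's.

```python
import re
from collections import defaultdict

# Constructed sample: the slapd lines Matt posted, each wrapped quote line
# rejoined into one log record (conn/op numbers and filters as in the thread).
SAMPLE_LOG = """\
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=38 SRCH base="ou=Groups,dc=sovereign" scope=2 filter="(&(objectClass=sambaGroupMapping)(gidNumber=441))"
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=38 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=38 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=39 SRCH base="ou=Groups,dc=sovereign" scope=2 filter="(&(|(objectClass=posixGroup)(objectClass=sambaIdmapEntry))(gidNumber=441))"
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=39 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=39 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=40 SRCH base="ou=People,dc=sovereign" scope=2 filter="(&(objectClass=sambaIdmapEntry)(gidNumber=441))"
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=40 SRCH attr=sambaSID uidNumber gidNumber objectClass
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=40 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 31 12:21:39 backup slapd[13483]: conn=525 fd=24 closed
"""

# The "SRCH attr=..." lines only list requested attributes and are skipped.
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')
GID_RE = re.compile(r'\(gidNumber=(\d+)\)')

def parse_searches(log_text):
    """Pair every SRCH with its SEARCH RESULT, keyed by (conn, op)."""
    searches = {}
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, flt = m.groups()
            searches[(int(conn), int(op))] = {"base": base, "filter": flt, "err": None, "nentries": None}
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, n = m.groups()
            rec = searches.get((int(conn), int(op)))
            if rec is not None:  # ignore results for searches we never saw
                rec["err"], rec["nentries"] = int(err), int(n)
    return searches

def unmapped_gids(searches):
    """gidNumbers Samba looked up successfully (err=0) yet never found: err=0 with
    nentries=0 on every lookup means the group is absent from LDAP, not a bind/ACL failure."""
    seen = defaultdict(list)
    for rec in searches.values():
        g = GID_RE.search(rec["filter"])
        if g and rec["err"] == 0:
            seen[int(g.group(1))].append(rec["nentries"])
    return sorted(gid for gid, counts in seen.items() if not any(counts))
```

Running `unmapped_gids(parse_searches(SAMPLE_LOG))` on the posted log reports gid 441 as the group Samba cannot find in the directory.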