[Samba] Re: help with LDAP and Samba

Alexander E. Patrakov patrakov at ums.usu.ru
Sat Aug 14 03:49:43 GMT 2004


Andre Cameron wrote:
> Hello Everyone,
> 
> I am having some trouble and would greatly appreciate some assistance.  
> I apologize if this has been on the list before I am however down to two 
> hours before due date.  I have use samba before with no problems but 
> this is the first time I have had to do it with LDAP.  The problem is no 
> users appear to be authenticating and there are no errors in the logs.  
> I followed the online tutorials and tried several variations to no 
> avail.  I would REALLY appreciate it if someone who has a working 
> samba/OpenLDAP environment could take a moment to assist me.

The main problem is that different tutorials don't mix with each other, 
and there is no error-free tutorial. The best one is from The Official 
Samba-3 HOWTO and Reference Guide.

> below is my config for review:
> 
> [global]
> 
>  workgroup = ventus.local
>  server string = Ventus Samba Server
>  hosts allow = 172.28.0. 127.
OK so far...
>  printcap name = /etc/printcap
Oh, you don't use CUPS? bad... the default is printcap name = cups
>  load printers = yes
This is the default and can be omitted
>  log file = /var/log/samba/%m.log
>  max log size = 50
OK

> passdb backend = ldapsam:ldap://192.168.1.243/
> ldap suffix = o=ventusnetworks.com,dc=na
OK

> ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
This is probably the culprit - the working default is:
ldap filter = (uid=%u)

> ldap machine suffix = ou=computers,o=ventusnetworks.com,dc=na
> ldap user suffix = o=ventusnetworks.com,dc=na
> ldap admin dn = "cn=Manager,dc=na"
I assume that all those entries exist and that you didn't forget to run 
smbpasswd -w managerpassword
> ldap delete dn = yes
OK

>  security = user
This is the default
>  null passwords = Yes
Hm... Ok
>  encrypt passwords = yes
This is the default
>  unix password sync = Yes
You don't need that in LDAP setup if you keep posix account information 
in LDAP using posixAccount objectclass, like LAM does. You probably want 
unix password sync = no, ldap password sync = yes and also mention 
pam_smbpass.so in /etc/pam.d/* and also install nss-ldap.

Also you forgot to mention IDEALX scripts for adding users and group 
into LDAP, like:

add user script = /var/lib/samba/smbldap/smbldap-useradd.pl -m '%u'
delete user script = /var/lib/samba/smbldap/smbldap-userdel.pl %u
add group script = /var/lib/samba/smbldap/smbldap-groupadd.pl -p '%g'
delete group script = /var/lib/samba/smbldap/smbldap-groupdel.pl '%g'
add user to group script = /var/lib/samba/smbldap/smbldap-groupmod.pl \
	-m '%g' '%u'
delete user from group script = \
	/var/lib/samba/smbldap/smbldap-groupmod.pl -x '%g' '%u'
set primary group script = /var/lib/samba/smbldap/smbldap-usermod.pl \
	-g '%g' '%u'
add machine script = /var/lib/samba/smbldap/smbldap-useradd.pl -w '%u'

>  passwd program = /usr/bin/passwd %u
>  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n 
> *passwd:*all*authentication*tokens*updated*successfully*
Not needed, since the password is kept in LDAP
> 
>  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
Overconfiguration
> 
>  local master = yes
>  os level = 255
>  domain master = yes
>  preferred master = yes
>  domain logons = yes
OK
>  logon script = %m.bat
>  logon script = %U.bat
You can't have two logon scripts. Do you actually use them?
>  logon path = \\%L\Profiles\%U
>  logon drive = U:
> 
>  name resolve order = wins lmhosts bcast
>  wins support = yes
>  dns proxy = no
Looks right.
> 
>  idmap uid = 16777216-33554431
>  idmap gid = 16777216-33554431
>  template shell = /bin/false
>  winbind use default domain = no

I don't understand this idmap stuff. I know that it is needed when your 
SAMBA server is a member of a Windows-controlled domain, because there 
are no other sources of uids. But your situation is different, your PDC 
is SAMBA. I really don't know what should be done here in this case. My 
PDC doesn't use this winbindd/idmap stuff at all, because uids are in 
posixAccounts in LDAP.

The rest of your file looks OK. I post my own smb.conf for comparison.

-- 
Alexander E. Patrakov
-------------- next part --------------
[global]
    debug level = 0
    dos charset = CP866
    unix charset = UTF-8
    workgroup = DOMAIN
    netbios name = CONTROLLER
    interfaces = lo,eth1
    bind interfaces only = yes
    passdb backend = ldapsam:ldap://127.0.0.1

# Warning: I don't run winbindd and don't understand the following
# four lines. I also don't understand if they are needed at all.
    algorithmic rid base = 10000
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    idmap backend = ldap:ldap://127.0.0.1

    domain master = yes
    local master = yes
    preferred master = yes
    os level = 65
    security = user
    guest account = Guest
    template primary group = Domain Users
    domain logons = yes
    logon path = \\%L\profiles\%U
    add user script = /var/lib/samba/smbldap/smbldap-useradd.pl -m '%u'
    delete user script = /var/lib/samba/smbldap/smbldap-userdel.pl %u
    add group script = /var/lib/samba/smbldap/smbldap-groupadd.pl -p '%g'
    delete group script = /var/lib/samba/smbldap/smbldap-groupdel.pl '%g'
    add user to group script = /var/lib/samba/smbldap/smbldap-groupmod.pl -m '%g' '%u'
    delete user from group script = /var/lib/samba/smbldap/smbldap-groupmod.pl -x '%g' '%u'
    set primary group script = /var/lib/samba/smbldap/smbldap-usermod.pl -g '%g' '%u'
    add machine script = /var/lib/samba/smbldap/smbldap-useradd.pl -w '%u'
    ldap suffix = dc=dialog,dc=usu,dc=ru
    ldap machine suffix = ou=Computers
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap admin dn = uid=Samba,ou=Security,dc=dialog,dc=usu,dc=ru
    ldap ssl = no
    ldap passwd sync = Yes

[netlogon]
    path = /var/lib/samba/netlogon
    writable = no
    browsable = no

[profiles]
    ; you might wish to use a different directory for your
    ; Windows NT/2000/XP roaming profiles
    path = /var/lib/samba/profiles
    browsable = no
    writable = yes
    create mask = 0600
    directory mask = 0700

[homes]
    read only = no
    browsable = no
    guest ok = no
    map archive = yes

[tmp]
    path=/tmp/samba
    browsable = yes
    read only = no
    guest ok = yes

