[Samba] Using the same LDAP entry for posixAccount and sambaSamAccount with smbldap

Carlos García Recio carlos at senado.es
Thu Feb 19 12:30:24 GMT 2004


Here we go again!

El Jueves 19 Febrero 2004 12:59, Carlos García Recio escribió:
> Here we go!
>
> El Jueves 19 Febrero 2004 12:39, Jérôme Tournier escribió:
> > > Le Thu, Feb 19, 2004 at 12:07:49PM +0100, Carlos García Recio a écrit:
> > > samba 3.0.2
> > > smbldap-tools 0.8.4
> > > RH 9
> > > nss_ldap configured
> > > pam_ldap NOT configured
> > > LDAP passwd backend
> > > winxp pro domain member
> >
> > Can you also send us your smbldap-tools configuration files, and also
> > samba and openldap (?) one ?
> > thx
> > --
> > Jérôme

# /etc/nsswitch.conf
# passwd/group: local files first, then the directory through nss_ldap.
# shadow: local files only. nss_ldap is never asked for password hashes, so
# the LDAP userPassword value does not reach getspnam(); together with
# pam_ldap not being configured (see the summary at the top of the post),
# UNIX logins for LDAP-only accounts are not expected to work -- consistent
# with those accounts carrying loginShell /bin/false.
passwd:     files ldap
shadow:     files
group:      files ldap


# /etc/samba/smb.conf
[global]
# Debug-level tracing for passdb/auth/winbind: useful while troubleshooting
# the LDAP backend, but these logs record every account that authenticates.
# Drop back to "log level = 1" once the setup works.
log level = 1 passdb:5 auth:5 winbind:10
# NetBIOS name of this machine and of the domain
netbios name = testPDC
workgroup = test

# Account backend definition
passdb backend = ldapsam:ldap://localhost:389
# Samba binds as the directory rootdn (the bind password is kept in
# secrets.tdb via `smbpasswd -w`, not in this file). The rootdn bypasses
# every slapd ACL, so whoever can read secrets.tdb owns the whole directory;
# a dedicated bind DN with write access limited to ou=People, ou=Groups,
# ou=Computers and ou=Idmap would contain that.
ldap admin dn = "cn=Manager,o=senado.es"
# Tolerable only because the backend URL above is loopback (localhost:389):
# the bind password and every hash Samba writes travel in clear. Enable
# start_tls before pointing this at a remote directory server.
ldap ssl = off
; When I delete a user from the domain I only want to remove
; the Samba attributes, not the LDAP entry itself
; (hence "ldap delete dn = no" and the commented-out delete scripts below).
ldap suffix = o=senado.es
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
# Only entries that already carry sambaSamAccount are visible to the passdb;
# plain posixAccount entries are ignored.
# NOTE(review): confirm with testparm that this Samba release still accepts
# "ldap filter"; later 3.0 releases dropped the parameter.
ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))


add user script = /usr/local/sbin/smbldap-useradd "%u"
ldap delete dn = no
#delete user script = /usr/local/sbin/smbldap-userdel "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/local/sbin/smbldap-groupdel "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"


# UID/GID mapping for the UNIX machines of the domain
# NOTE(review): the LDIF dump posted below contains no ou=Idmap,o=senado.es
# container; if winbindd is started it cannot store mappings until that OU
# is created.
idmap backend = ldap:ldap://localhost:389
ldap idmap suffix = ou=Idmap
; Try to keep the LDAP (userPassword) password in sync with the NT password.
; Disabled here: an SMB password change then updates only
; sambaNTPassword/sambaLMPassword, so the POSIX userPassword set by the
; smbldap tools drifts away from the Windows password.
ldap passwd sync = no
;username map = /etc/samba/smbusers

# PDC role
security = user
encrypt passwords = yes
os level = 255
preferred master = yes
domain master = yes
local master = yes
wins support = yes
domain logons = yes

# Profiles stay local: roaming profile path, home share, home drive and
# logon script are all disabled by setting them to empty values.
logon path = 
logon home = 
logon drive = 
logon script = 

# Share required for users to log on to the domain
[netlogon]
path = /home/samba/netlogon
read only = yes


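# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable: it holds the rootdn password.
# (The CVS header above was wrapped onto two lines by the mailer; "kurt Exp $"
# on a line of its own is not a valid directive and makes slapd refuse to
# start, so it has been rejoined here.)
#
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/nis.schema
include		/etc/openldap/schema/redhat/rfc822-MailMember.schema
include		/etc/openldap/schema/redhat/autofs.schema
include		/etc/openldap/schema/redhat/kerberosobject.schema

#########
# SAMBA #
#########
# Loaded from the versioned samba-doc examples directory: a Samba package
# upgrade changes that path and slapd would then fail to start. Copy the
# schema under /etc/openldap/schema/ and include it from there.
include		/usr/share/doc/samba-3.0.2a/examples/LDAP/samba.schema


# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

#pidfile	//var/run/slapd.pid
#argsfile	//var/run/slapd.args

# Create a replication log in /var/lib/ldap for use by slurpd.
#replogfile	/var/lib/ldap/master-slapd.replog

# Load dynamic backend modules:
# modulepath	/usr/sbin/openldap
# moduleload	back_ldap.la
# moduleload	back_ldbm.la
# moduleload	back_passwd.la
# moduleload	back_shell.la

#
# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
#
# Access control
#	Without any "access to" directive slapd's default is "allow read by
#	all".  With the Samba schema that means sambaLMPassword and
#	sambaNTPassword (unsalted, directly replayable for pass-the-hash) and
#	userPassword are readable by anonymous clients.  The rules are therefore
#	defined explicitly in the database section below.
#	The rootdn always bypasses ACLs.
#

#######################################################################
# ldbm database definitions
#######################################################################

loglevel 256

database	ldbm
#suffix		"dc=my-domain,dc=com"
suffix		"o=senado.es"
rootdn		"cn=Manager,o=senado.es"
#rootdn		"cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# TODO: replace the value below with the output of `slappasswd -h {SSHA}`.
# This is the directory's master credential and has now been posted to a
# public list: change it, and change the same secret in smbldap.conf
# (masterPw/slavePw) and in Samba's secrets.tdb (`smbpasswd -w`).
rootpw		secret
# rootpw		{crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory	/var/lib/ldap


# Indices to maintain
index	objectClass,uid,uidNumber,gidNumber,memberUid	eq
index	cn,mail,surname,givenname			eq,subinitial
# Samba also searches on sambaSID and sambaPrimaryGroupSID. Before adding an
# eq index for them, stop slapd and run slapindex: ldbm may treat a declared
# but unbuilt index as "no candidates" and return empty results.

# Access control for the Samba/POSIX data.
# Password material: the entry owner may change it, anyone may bind against
# it, nobody else may read it. Samba and the smbldap tools bind as the rootdn
# and are unaffected; the explicit dn clause only matters if "ldap admin dn"
# is later moved to a non-rootdn account -- keep that DN listed here.
# nss_ldap (anonymous) only needs the POSIX attributes covered by the
# catch-all rule.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
	by dn="cn=Manager,o=senado.es" write
	by self write
	by anonymous auth
	by * none
# Everything else stays readable, as it was under the built-in default.
access to *
	by * read
# Replicas to which we should propagate changes
#replica host=ldap-1.example.com:389 tls=yes
#	bindmethod=sasl saslmech=GSSAPI
#	authcId=host/ldap-master.example.com at EXAMPLE.COM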



# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.6 2004/02/07 16:58:52 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
# Read by the smbldap-* Perl scripts; values are shell-style KEY="value".
# It carries the directory bind password (see "Credential Configuration" at
# the bottom), so it must be root-owned and mode 0600.

#  This code was developed by IDEALX (http://IDEALX.org/) and
#  contributors (their names can be found in the CONTRIBUTORS file).
#
#                 Copyright (C) 2001-2002 IDEALX
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.

#  Purpose :
#       . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# UID and GID starting at...
UID_START="1000"
GID_START="1000"

# Put your own SID
# to obtain this number do: net getlocalsid
# Must match the sambaDomain entry in the directory -- it does here: the
# sambaDomainName=TEST entry in the dump carries the same value.
SID="S-1-5-21-2056510298-3027076148-852687323"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use the dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have 
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Ex: slaveLDAP=127.0.0.1
slaveLDAP="127.0.0.1"
slavePort="389"

# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="127.0.0.1"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also use port 389)
# Disabled here. Tolerable only because both servers above are loopback
# (127.0.0.1): over a real network the masterPw/slavePw below and every
# password hash these tools write would cross the wire in clear.
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
# Only consulted when ldapTLS="1"; "require" is the right setting to keep.
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="o=senado.es"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Must agree with "ldap user suffix" in smb.conf (it does: ou=People).
usersdn="ou=People,o=senado.es"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
computersdn="ou=Computers,o=senado.es"

# Where are stored Groups
# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
groupsdn="ou=Groups,o=senado.es"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
# Applies to the POSIX userPassword only. The Windows credentials are stored
# separately as sambaLMPassword/sambaNTPassword, which are unsalted and
# directly replayable -- restrict read access to them with slapd ACLs.
hash_encrypt="SSHA"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
# /bin/false: domain users get no UNIX shell on this host.
userLoginShell="/bin/false"

# Home directory prefix (without username)
# Ex: userHomePrefix="/home/"
# SECURITY: /tmp is world-writable, so any local user can pre-create (or
# symlink) the path a future home directory will receive. Use a root-owned
# prefix such as /home/ for real accounts.
userHomePrefix="/tmp"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
# 513 = "Domain Users" (cn=usuarios in the directory dump).
defaultUserGid="513"

# Default Computer (Samba) GID
# 553 = "Domain Computers" (cn=maquinas in the directory dump).
defaultComputerGid="553"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
# Commented out: passwords never expire (sambaPwdMustChange stays at the
# 2147483647 "never" value seen in the dump).
#defaultMaxPasswordAge="55"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location without the username last extension
# (will be dynamically prepended)
# Ex: \\My-PDC-netbios-name\homes
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disabling roaming profiles
userSmbHome=""

# The UNC path to profiles locations without the username last extension
# (will be dynamically prepended)
# Ex: \\My-PDC-netbios-name\profiles\
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disabling roaming profiles
userProfile=""

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: q(U:) for U:
userHomeDrive=""

# The default user netlogon script name
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
userScript="" 


##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer mkntpwd... most of the time, it's a wise choice :-) 
# With mkntpwd the scripts compute the LM/NT hashes themselves and write them
# to the directory over the master bind below, so the bind identity needs
# write access to the sambaSamAccount password attributes.
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
mk_ntpasswd="/usr/local/sbin/mkntpwd"

############################
# Credential Configuration #
############################
# Notes: you can specify two different configurations if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
# SECURITY: these are the slapd rootdn credentials in clear text. The rootdn
# bypasses all directory ACLs, so this file must be readable by root only.
# The same secret lives in slapd.conf (rootpw) and in Samba's secrets.tdb
# (`smbpasswd -w`) -- rotate all three together. A dedicated bind DN granted
# write access only below ou=People, ou=Groups and ou=Computers would limit
# what a leak of this file exposes.
slaveDN="cn=Manager,o=senado.es"
slavePw="secret"
masterDN="cn=Manager,o=senado.es"
masterPw="secret"




# Directory base entry.
# NOTE(review): objectClass "organization" is listed twice. A duplicate
# attribute value is normally rejected by ldapadd/slapadd ("type or value
# exists"), so this is most likely a paste artefact in the dump rather than
# what the directory actually holds.
dn: o=senado.es
objectClass: organization
objectClass: organization
objectClass: top
o: senado.es

# Containers referenced by smb.conf ("ldap user/group/machine suffix") and
# by smbldap.conf (usersdn/groupsdn/computersdn).
# NOTE(review): smb.conf also sets "ldap idmap suffix = ou=Idmap", but no
# ou=Idmap,o=senado.es entry appears in this dump; winbindd would need it.
dn: ou=People,o=senado.es
objectClass: organizationalUnit
ou: People

dn: ou=Groups,o=senado.es
objectClass: organizationalUnit
ou: Groups

dn: ou=Computers,o=senado.es
objectClass: organizationalUnit
ou: Computers

# Domain administrator ("Administrador"): user RID 1000, primary group
# RID 512 (Domain Admins), sambaAcctFlags [U] = normal user account.
# SECURITY: uidNumber 0 / gidNumber 0 make this LDAP entry a second root
# identity on every host that resolves users through nss_ldap, and every SMB
# session authenticated as this user runs as root on the PDC. The
# loginShell /bin/false only blocks interactive shells.
# SECURITY: sambaLMPassword/sambaNTPassword are unsalted and directly
# replayable (pass-the-hash). The second half of the LM hash,
# AAD3B435B51404EE, is the LM value of an empty block, so the password is at
# most 7 characters. Having been posted to a public list, this password must
# be changed; slapd ACLs must deny anonymous read on both attributes, and
# LM authentication/storage can be disabled via "lanman auth" in smb.conf(5).
dn: uid=Administrador,ou=People,o=senado.es
sambaPwdLastSet: 1077009096
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 1077009096
sambaPwdMustChange: 2147483647
sambaLMPassword: F0D412BD764FFE81AAD3B435B51404EE
sambaNTPassword: 209C6174DA490CAEB422F3FA5A7AE634
sambaAcctFlags: [U          ]
loginShell: /bin/false
gecos: Netbios Domain Administrator
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
homeDirectory: /tmp
sambaPrimaryGroupSID: S-1-5-21-2056510298-3027076148-852687323-512
userPassword: {SSHA}tsGSr9yQRsPT1cRjBGBCPWqbEGO/EtHR
sn: Administrador
cn: Administrador
displayName: Administrador
uid: Administrador
sambaSID: S-1-5-21-2056510298-3027076148-852687323-1000
uidNumber: 0
gidNumber: 0

# Guest account ("Invitado"): well-known RID 501, primary group RID 514
# (Domain Guests). sambaAcctFlags [NU] = user account with NO password
# required; both hash attributes hold the "NO PASSWORD" marker, so access is
# governed entirely by Samba's guest handling.
# NOTE(review): uidNumber 501 sits in Red Hat's local-user range (useradd
# allocates from 500) -- check it does not collide with an /etc/passwd entry,
# which "passwd: files ldap" would resolve first. gidNumber 99 is presumably
# the Red Hat "nobody" group.
dn: uid=Invitado,ou=People,o=senado.es
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NU         ]
loginShell: /bin/false
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
sambaPrimaryGroupSID: S-1-5-21-2056510298-3027076148-852687323-514
sambaSID: S-1-5-21-2056510298-3027076148-852687323-501
uidNumber: 501
gidNumber: 99
sn: Invitado
cn: Invitado
displayName: Invitado
uid: Invitado

# "Domain Users" (well-known RID 513). gidNumber 513 matches defaultUserGid
# in smbldap.conf, so new users land in this group. sambaGroupType 2 =
# domain group.
dn: cn=usuarios,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
sambaGroupType: 2
displayName: Usuarios del Dominio
sambaSID: S-1-5-21-2056510298-3027076148-852687323-513
cn: usuarios
description: Usuarios del domio NetBios

# "Domain Guests" (well-known RID 514), mapped onto gidNumber 99 -- the same
# GID the Invitado account uses as primary group. The RDN is "cn=invitados"
# while the attribute reads "Invitados"; cn matching is case-insensitive, so
# this is consistent.
dn: cn=invitados,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-2056510298-3027076148-852687323-514
gidNumber: 99
cn: Invitados
displayName: Invitados
memberUid: Invitado
description: Usuarios invitados del dominio NetBios

dn: cn=Usuarios Avanzados,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 547
description: Netbios Domain Members can share directories and printers
sambaGroupType: 2
cn: Usuarios Avanzados
displayName: Usuarios Avanzados
sambaSID: S-1-5-21-2056510298-3027076148-852687323-547

dn: cn=Operadores de Cuenta,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
description: Netbios Domain Users to manipulate users accounts
sambaGroupType: 2
cn: Operadores de Cuenta
sambaSID: S-1-5-21-2056510298-3027076148-852687323-548
displayName: Operadores de Cuenta

dn: cn=Operadores de Servidor,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 549
description: Netbios Domain Server Operators
sambaGroupType: 2
cn: Operadores de Servidor
sambaSID: S-1-5-21-2056510298-3027076148-852687323-549
displayName: Operadores de Servidor

dn: cn=Operadores de Impresion,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
description: Netbios Domain Print Operators
sambaGroupType: 2
cn: Operadores de Impresion
sambaSID: S-1-5-21-2056510298-3027076148-852687323-550
displayName: Operadores de Impresion

dn: cn=Operadores de Copia de Seguridad,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
description: Netbios Domain Members can bypass file security to back up files
 
sambaGroupType: 2
cn: Operadores de Copia de Seguridad
sambaSID: S-1-5-21-2056510298-3027076148-852687323-551
displayName: Operadores de Copia de Seguridad

dn: cn=Replicador,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
description: Netbios Domain Supports file replication in a sambaDomainName
sambaGroupType: 2
cn: Replicador
displayName: Replicador
sambaSID: S-1-5-21-2056510298-3027076148-852687323-552

dn: cn=maquinas,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 553
sambaGroupType: 2
displayName: Maquinas del Dominio
sambaSID: S-1-5-21-2056510298-3027076148-852687323-553
cn: maquinas
description: Cuentas de maquinas del dominio NetBios

# Domain object for workgroup TEST. The sambaSID is the domain SID and agrees
# with SID= in smbldap.conf and with the prefix of every sambaSID above.
# sambaAlgorithmicRidBase 1000: RIDs below 1000 are reserved for the
# well-known accounts and groups (500-553 in this dump).
dn: sambaDomainName=TEST,o=senado.es
sambaDomainName: TEST
sambaSID: S-1-5-21-2056510298-3027076148-852687323
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain

# Machine trust account for workstation WINXP: sambaAcctFlags [W] =
# workstation trust account, primary group RID 553 (cn=maquinas); gidNumber
# 553 matches defaultComputerGid in smbldap.conf.
# SECURITY: the LM/NT hashes are this workstation's domain credential. Posted
# publicly, they let anyone impersonate the machine to the PDC -- reset them
# by re-joining the workstation (or delete and re-create the account).
dn: uid=winxp$,ou=Computers,o=senado.es
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
cn: winxp$
uid: winxp$
gidNumber: 553
homeDirectory: /tmp
sambaPwdMustChange: 2147483647
sambaAcctFlags: [W          ]
sambaPrimaryGroupSID: S-1-5-21-2056510298-3027076148-852687323-553
uidNumber: 4000
sambaSID: S-1-5-21-2056510298-3027076148-852687323-4000
sambaPwdCanChange: 1077105563
sambaLMPassword: A0EE4F6FCC250B20D355D7E01D42A574
sambaNTPassword: 312CDD18F95A1C6E4F803F5EB122FF06
sambaPwdLastSet: 1077105563

# "Domain Admins" (well-known RID 512).
# SECURITY: gidNumber 0 maps this group onto the UNIX root group, so every
# memberUid listed here is in group root on all hosts using nss_ldap. Keep
# the membership minimal and audit changes to it.
dn: cn=Administradores,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Administrators
sambaSID: S-1-5-21-2056510298-3027076148-852687323-512
sambaGroupType: 2
cn: Administradores
displayName: Administradores
memberUid: Administrador
gidNumber: 0




