[Samba] problems on join domain on Samba3 + ldap
Vanni Della Ricca
vanni at bbs.cc.uniud.it
Fri Feb 20 10:49:23 GMT 2004
Hello,
I' have problems with samba3 + ldap PDC.
in particular can't join more then 2 workstation at domain.
i thinks that problems is on generating the UID part on SID (the final part)
the first Computer then join on domain have SID
S-1-5-21-3642312925-2943760701-1776766777-3000
the second have evere SID
S-1-5-21-3642312925-2943760701-1776766777-2052
after never workstation succeed join on domain, samba adds corectly a posix
account on LDAP directory,but not complete it with sambaSamAttributes
my configuration is
samba 3.0.2
openldap2-2.1.22
smbldap-tools-0.8.3
on SuSE 9.0
my final scenario is
1 master-ldap
10 slave-ldap with samba PDC with different domain
follow configuration files
/etc/ldap.conf
# Your LDAP server. Must be resolvable without using LDAP.
host 127.0.0.1
# The distinguished name of the search base.
base ou=People,dc=xxx,dc=it
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=Manager,dc=example,dc=it
# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=Manager,dc=example,dc=it
pam_password crypt
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl no
nss_base_passwd dc=xxx,dc=it
nss_base_shadow dc=xxx,dc=it
nss_base_group dc=xxx,dc=it
#ssl on
smb.conf
# Global parameters
[global]
workgroup = DEPARTMENT1
netbios name = SERVER-DEPARTMENT1
security = user
passdb backend = ldapsam:ldap://localhost
log level = 2
time server = Yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
printcap name = CUPS
add user script = /usr/local/sbin/smbldap-useradd -a %u
add machine script = /usr/local/sbin/smbldap-useradd -w %u
logon script = logon.bat
logon path = \\%L\homes\.windows_profile
logon drive = Y:
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap suffix = dc=xxx,dc=it
ldap machine suffix = ou=depart1,ou=Computers
ldap user suffix = ou=depart1,ou=People
ldap group suffix = ou=depart1,ou=Groups
ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
ldap admin dn = "cn=Manager,dc=uaf,dc=it"
ldap ssl = no
printing = cups
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
[netlogon]
path = /home/netlogon
browseable = No
[profiles]
path = /home/samba-ntprof
read only = No
create mask = 0600
directory mask = 0700
browseable = No
[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0640
directory mask = 0750
browseable = No
/etc/openldap/slap.conf
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14
kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
# Define global ACLs to disable default read access.
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=xxx,dc=it"
rootdn "cn=Manager,dc=uaf,dc=it"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
/etc/smbtools/smbtools.conf
# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.2 2004/01/14 22:24:44 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose :
# . be the configuration file for all smbldap-tools scripts
##############################################################################
#
# General Configuration
#
##############################################################################
# UID and GID starting at...
UID_START="1000"
GID_START="1000"
# Put your own SID
# to obtain this number do: net getlocalsid
SID="S-1-5-21-3642312925-2943760701-1776766777"
##############################################################################
#
# LDAP Configuration
#
##############################################################################
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Ex: $slaveLDAP=127.0.0.1
slaveLDAP="127.0.0.1"
slavePort="389"
# Master LDAP : needed for write operations
# Ex: $masterLDAP=127.0.0.1
masterLDAP="127.0.0.1"
masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
ldapTLS="0"
# LDAP Suffix
# Ex: $suffix=dc=xxx,dc=ORG
suffix="dc=xxx,dc=it"
# Where are stored Users
# Ex: $usersdn=ou=Users,$suffix for ou=Users,dc=xxx,dc=ORG
usersdn="ou=depart1,ou=People,dc=xxx,dc=it"
# Where are stored Computers
# Ex: $computersdn=ou=itputers,$suffix for ou=itputers,dc=xxx,dc=ORG
computersdn="ou=depart1,ou=Computer,dc=xxx,dc=it"
# Where are stored Groups
# Ex $groupsdn=ou=Groups,$suffix for ou=Groups,dc=xxx,dc=ORG
groupsdn="ou=depart1,ou=Groups,dc=xxx,dc=it"
# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
hash_encrypt="CRYPT"
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
# Login defs
# Default Login Shell
# Ex: $userLoginShell=q(/bin/bash)
userLoginShell="/bin/bash"
# Home directory prefix (without username)
# Ex: $userHomePrefix=q(/home/)
userHomePrefix="/home/"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="553"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for $defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="55"
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location without the username last extension
# (will be dynamically prepended)
# Ex: \\My-PDC-netbios-name\homes
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or desabling roaming profiles
userSmbHome="\\PDC-SMB3\homes"
# The UNC path to profiles locations without the username last extension
# (will be dynamically prepended)
# Ex: \\My-PDC-netbios-name\profiles\
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or desabling roaming profiles
userProfile=""
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: q(U:) for U:
userHomeDrive="Y:"
# The default user netlogon script name
# if not used, will be automatically username.cmd
# $userScript=startup.cmd # make sure script file is edited under dos
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
# Allows not to use smbpasswd (if $with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer mkntpwd... most of the time, it's a wise choice :-)
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
mk_ntpasswd="/usr/local/sbin/mkntpwd"
# those next externals commands are kept fot the migration scripts and
# for the populate script: this will be updated as soon as possible
slaveURI="ldap://$slaveLDAP:$slavePort"
masterURI="ldap://$masterLDAP:$masterPort"
ldap_path="/usr/bin"
#if ( $ldapTLS eq 0 ) {
# ldap_opts=-x
#} elsif ( $ldapTLS eq 1 ) {
# $ldap_opts=-x -Z
#} else {
# die ldapTLS option must be either 0 or 1.\n
#}
#ldapmodify=/usr/bin/ldapmodify $ldap_opts -H $masterURI -D '$masterDN' -w
'$masterPw'
and basic entry for ldap
dn: sambaDomainName=DEPARTMENT1,ou=Domains,dc=xxx,dc=it
objectClass: sambaDomain
sambaDomainName: DEPARTMENT1
sambaSID: S-1-5-21-3642312925-2943760701-1776766777
sambaAlgorithmicRidBase: 1000
structuralObjectClass: sambaDomain
entryUUID: eac2e35e-f183-1027-93fa-cac86a6d5033
creatorsName: cn=Manager,dc=xxx,dc=it
createTimestamp: 20040212084804Z
entryCSN: 2004021208:48:04Z#0x0001#0#0000
modifiersName: cn=Manager,dc=xxx,dc=it
modifyTimestamp: 20040212084804Z
dn: cn=Depart1_Guests,ou=depart1,ou=Groups,dc=xxx,dc=it
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Depart1_Guests
gidNumber: 10001
description: Depart1_Guests
sambaGroupType: 2
displayName: Depart1_Guests
structuralObjectClass: posixGroup
entryUUID: 60f48dd4-f184-1027-93ff-cac86a6d5033
creatorsName: cn=Manager,dc=xxx,dc=it
createTimestamp: 20040212085123Z
sambaSID: S-1-5-21-3642312925-2943760701-1776766777-514
entryCSN: 2004021208:52:07Z#0x0001#0#0000
modifiersName: cn=Manager,dc=xxx,dc=it
modifyTimestamp: 20040212085207Z
dn: cn=Depart1_Users,ou=depart1,ou=Groups,dc=xxx,dc=it
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Depart1_Users
gidNumber: 10002
description: Depart1_Users
sambaSID: S-1-5-21-3642312925-2943760701-1776766777-513
sambaGroupType: 2
displayName: Depart1_Users
structuralObjectClass: posixGroup
entryUUID: 8aac9a36-f184-1027-9401-cac86a6d5033
creatorsName: cn=Manager,dc=xxx,dc=it
createTimestamp: 20040212085233Z
entryCSN: 2004021208:52:33Z#0x0001#0#0000
modifiersName: cn=Manager,dc=xxx,dc=it
modifyTimestamp: 20040212085233Z
dn: cn=Depart1_Admins,ou=depart1,ou=Groups,dc=xxx,dc=it
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Depart1_Admins
gidNumber: 10000
description: Depart1_Admins
sambaSID: S-1-5-21-3642312925-2943760701-1776766777-512
sambaGroupType: 2
displayName: Depart1_Admins
structuralObjectClass: posixGroup
entryUUID: d0cf8466-f18d-1027-8b18-d75e5ed076c6
creatorsName: cn=Manager,dc=xxx,dc=it
createTimestamp: 20040212095856Z
entryCSN: 2004021209:58:56Z#0x0001#0#0000
modifiersName: cn=Manager,dc=xxx,dc=it
modifyTimestamp: 20040212095856Z
dn: uid=root-depart1,ou=depart1,ou=People,dc=xxx,dc=it
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: inetOrgPerson
gecos: Samba Admin
homeDirectory: /root
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
sn: ooooppppp
uid: root-Depart1
sambaPwdLastSet: 1066177062
sambaLogonTime: 0
sambaLogoffTime: 0
sambaKickoffTime: 0
sambaPwdCanChange: 1066177062
sambaPwdMustChange: 2147483647
displayName: root-depart1
cn: root-Depart1
sambaSID: S-1-5-21-3642312925-2943760701-1776766777-500
sambaPrimaryGroupSID: S-1-5-21-3642312925-2943760701-1776766777-512
sambaLMPassword: 44EFCE164AB921CAAAD3B435B51404EE
sambaNTPassword: 32ED87BDB5FDC5E9CBA88547376818D4
sambaAcctFlags: [U ]
structuralObjectClass: inetOrgPerson
entryUUID: fc5bdb7e-f184-1027-9403-cac86a6d5033
creatorsName: cn=Manager,dc=xxx,dc=it
createTimestamp: 20040212085543Z
entryCSN: 2004021209:44:25Z#0x0001#0#0000
modifiersName: cn=Manager,dc=xxx,dc=it
modifyTimestamp: 20040212094425Z
dn: uid=nobody,ou=depart1,ou=People,dc=xxx,dc=it
objectClass: account
objectClass: sambaSamAccount
objectClass: posixAccount
uid: nobody
sambaPwdLastSet: 1026225030
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: Nobody
cn: Nobody
sambaSID: S-1-5-21-3642312925-2943760701-1776766777-501
sambaPrimaryGroupSID: S-1-5-21-3642312925-2943760701-1776766777-514
gecos: Nobody or Guest
homeDirectory: /
loginShell: /dev/null
uidNumber: 99
gidNumber: 99
sambaAcctFlags: [UX ]
structuralObjectClass: account
entryUUID: 11c8f49c-f185-1027-9404-cac86a6d5033
creatorsName: cn=Manager,dc=xxx,dc=it
createTimestamp: 20040212085619Z
entryCSN: 2004021208:56:19Z#0x0001#0#0000
modifiersName: cn=Manager,dc=xxx,dc=it
modifyTimestamp: 20040212085619Z
dn: uid=root,ou=depart1,ou=People,dc=xxx,dc=it
uid: root
sambaSID: S-1-5-21-3642312925-2943760701-1776766777-1000
sambaPrimaryGroupSID: S-1-5-21-3642312925-2943760701-1776766777-1001
displayName: root
sambaPwdCanChange: 1066177167
sambaPwdMustChange: 2147483647
sambaLMPassword: 44EFCE164AB921CAAAD3B435B51404EE
sambaNTPassword: 32ED87BDB5FDC5E9CBA88547376818D4
sambaPwdLastSet: 1066177167
sambaAcctFlags: [U ]
objectClass: account
objectClass: sambaSamAccount
structuralObjectClass: account
entryUUID: 29b1aa0e-f185-1027-9405-cac86a6d5033
creatorsName: cn=Manager,dc=xxx,dc=it
createTimestamp: 20040212085659Z
entryCSN: 2004021209:46:10Z#0x0001#0#0000
modifiersName: cn=Manager,dc=xxx,dc=it
modifyTimestamp: 20040212094610Z
Sorry for by bad English
Vanni
--
***************************************************************
* Un Anello per domarli,Un Anello per trovarli
* Un Anello per ghermirli e nel buio incatenarli
* (J.R.R. Tolkien)
***************************************************************
* E-Mail: wally at bbs.cc.uniud.it
*
* ICQ: 43066840
* PGP_KEY
* http://tagliamento.sci.uniud.it/~dricca/vanni.asc
***************************************************************
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: signature
Url : http://lists.samba.org/archive/samba/attachments/20040220/6efe7f73/attachment.bin
More information about the samba
mailing list