[Samba] Samba-ldap-pdc questions

Craig White craigwhite at azapple.com
Tue Jan 6 07:27:26 GMT 2004 

On Mon, 2004-01-05 at 16:50, Ron Liu wrote:
> Hi, There
> I am setting up Samba(3.0.1-1)-ldap(openldap-2.1.22-8)-pdc on Fedora 1.0.
> I used the RPMs for the installations. After setup, start both smb and ldap
> without problem. However when I tried to add users with smbpasswd -a userid,
> it gave me the following errors. Can someone point me to right direction, is
> there anything I can do to do more test and diagnosis. I've copied the error
> message, and the conf file for samba.conf and slapd.conf
> 
> Thank you for your help!
> 
> Ron Liu
> Information Technology Consultant
> Biology Department
> San Jose State University
> 408-924-4860
> rliu at email.sjsu.edu
> 
> 
> [root at ts010 openldap]# smbpasswd -a bliu
> New SMB password:
> Retype new SMB password:
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
> credentials)
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
> credentials)
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
> (unknown) (Invalid credentials)
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
> credentials)
> Failed to add entry for user bliu.
> Failed to modify password entry for user bliu
> 
> 
> ********************************
> #======================= Global Settings
> =====================================
> [global]
>    workgroup = mydomain
>    netbios name = ts010
>    encrypt passwords = yes
>    passdb backend = ldapsam:ldap://localhost/
>    ldap suffix = o=mydomain,dc=mydomain,dc=com
>    ldap machine suffix = ou=Comupters
>    ldap user suffix = ou=Users
>    ldap group suffix = ou=Groups
>    ldap admin dn = "cn=tsadmin,dc=mydomain,dc=com"
> #   ldap ssl = start tls
>    ldap delete dn = no
>    server string = mydomain Samba Server
>    hosts allow = 10.101.0. 10.101.1. 127.
>    printcap name = cups
>    load printers = yes
>    printing = cups
>    log file = /var/log/samba/%m.log
>    max log size = 50
>    security = user
>    password level = 8
> ;  username level = 8
>    smb passwd file = /etc/samba/smbpasswd
>    unix password sync = Yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n
> *passwd *all*authentication*tokens*updated*successfully*
> ;  username map = /etc/samba/smbusers
> ;   include = /etc/samba/smb.conf.%m
>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>    local master = yes
>    os level = 33
>    domain master = yes
>    preferred master = yes
>    domain logons = yes
>    logon script = scripts\logscript.bat
>    logon path = \\%L\Profiles\%U
>    logon drive = H:
>    logon home = \\%L\%U
> ; name resolve order = wins lmhosts bcast
>    wins support = yes
>    dns proxy = no
>    write list = @tsadmin
>    add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s
> /bin/false -M %u
> [home]
> ...........
> *********************************
> my slapd.conf
> ********************************
> # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24
> 23:19:14 kurt Exp $
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/redhat/autofs.schema
> #rliu, 12/31/03
> include         /etc/openldap/schema/samba.schema
> 
> # Allow LDAPv2 client connections.  This is NOT the default.
> allow bind_v2
> 
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral       ldap://root.openldap.org
> 
> pidfile /var/run/slapd.pid
> #argsfile       //var/run/slapd.args
> 
> # Load dynamic backend modules:
> # modulepath    /usr/sbin/openldap
> # moduleload    back_bdb.la
> # moduleload    back_ldap.la
> # moduleload    back_ldbm.la
> # moduleload    back_passwd.la
> # moduleload    back_shell.la
> 
> # The next three lines allow use of TLS for connections using a dummy test
> # certificate, but you should generate a proper certificate by changing to
> # /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
> # slapd.pem so that the ldap user or group can read it.
> # TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
> # TLSCertificateFile /usr/share/ssl/certs/slapd.pem
> # TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
> 
> # Sample security restrictions
> #       Require integrity protection (prevent hijacking)
> #       Require 112-bit (3DES or better) encryption for updates
> #       Require 63-bit encryption for simple bind
> # security ssf=1 update_ssf=112 simple_bind=64
> 
> # Sample access control policy:
> #       Root DSE: allow anyone to read it
> #       Subschema (sub)entry DSE: allow anyone to read it
> #       Other DSEs:
> #               Allow self write access
> #               Allow authenticated users read access
> #               Allow anonymous users to authenticate
> #       Directives needed to implement policy:
> # access to dn.base="" by * read
> # access to dn.base="cn=Subschema" by * read
> # access to *
> #       by self write
> #       by users read
> #       by anonymous auth
> #
> # if no access controls are present, the default policy is:
> #       Allow read by all
> #
> # rootdn can always write!
> 
> #######################################################################
> # ldbm and/or bdb database definitions
> #######################################################################
> 
> database        ldbm
> suffix          "o=mydomain"
> suffix          "dc=mydomain,dc=com"
> rootdn          "cn=tsadmin,dc=mydomain,dc=com"
> # Cleartext passwords, especially for the rootdn, should
> # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> # rootpw                secret
> rootpw          {SSHA}nzEMEVTSdQYIy3jLsWn4xmQLQI/Cb0Tn
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory       /var/lib/ldap/
> 
> # Indices to maintain for this database
> index objectClass                       eq,pres
> index ou,cn,mail,surname,givenname      eq,pres,sub
> index uidNumber,gidNumber,loginShell    eq,pres
> index uid,memberUid                     eq,pres,sub
> index nisMapName,nisMapEntry            eq,pres,sub
> 
> # Replicas of this database
> #replogfile /var/lib/ldap/openldap-master-replog
> #replica host=ldap-1.example.com:389 tls=yes
> #     bindmethod=sasl saslmech=GSSAPI
> #     authcId=host/ldap-master.example.com at EXAMPLE.COM
----
one more thing...

PDC ## MUST ## have a NETLOGON share

Craig

More information about the samba mailing list