[Samba] Samba-ldap-pdc questions
Ron Liu
rliu at email.sjsu.edu
Tue Jan 6 16:58:56 GMT 2004
Thank you all for your help
1. I do have a netlogon share in smb.conf. samba pdc works well if I use
smbpasswd backend.
I did used:
smbpasswd -w ROOT_DN_PASSWORD to setup the ldap rootdn password.
Also I used ldappasswd to generate the encrypted rootpw entry for
slapd.conf. Is this necessary?
Thanks
Ron
-----Original Message-----
From: Craig White [mailto:craigwhite at azapple.com]
Sent: Monday, January 05, 2004 11:26 PM
To: rliu at email.sjsu.edu
Cc: samba at lists.samba.org
Subject: Re: [Samba] Samba-ldap-pdc questions
On Mon, 2004-01-05 at 16:50, Ron Liu wrote:
> Hi, There
> I am setting up Samba(3.0.1-1)-ldap(openldap-2.1.22-8)-pdc on Fedora 1.0.
> I used the RPMs for the installations. After setup, start both smb and
ldap
> without problem. However when I tried to add users with smbpasswd -a
userid,
> it gave me the following errors. Can someone point me to right direction,
is
> there anything I can do to do more test and diagnosis. I've copied the
error
> message, and the conf file for samba.conf and slapd.conf
>
> Thank you for your help!
>
> Ron Liu
> Information Technology Consultant
> Biology Department
> San Jose State University
> 408-924-4860
> rliu at email.sjsu.edu
>
>
> [root at ts010 openldap]# smbpasswd -a bliu
> New SMB password:
> Retype new SMB password:
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
> credentials)
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
> credentials)
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
> (unknown) (Invalid credentials)
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
> credentials)
> Failed to add entry for user bliu.
> Failed to modify password entry for user bliu
>
>
> ********************************
> #======================= Global Settings
> =====================================
> [global]
> workgroup = mydomain
> netbios name = ts010
> encrypt passwords = yes
> passdb backend = ldapsam:ldap://localhost/
> ldap suffix = o=mydomain,dc=mydomain,dc=com
> ldap machine suffix = ou=Comupters
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
> ldap admin dn = "cn=tsadmin,dc=mydomain,dc=com"
> # ldap ssl = start tls
> ldap delete dn = no
> server string = mydomain Samba Server
> hosts allow = 10.101.0. 10.101.1. 127.
> printcap name = cups
> load printers = yes
> printing = cups
> log file = /var/log/samba/%m.log
> max log size = 50
> security = user
> password level = 8
> ; username level = 8
> smb passwd file = /etc/samba/smbpasswd
> unix password sync = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n
> *passwd *all*authentication*tokens*updated*successfully*
> ; username map = /etc/samba/smbusers
> ; include = /etc/samba/smb.conf.%m
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> local master = yes
> os level = 33
> domain master = yes
> preferred master = yes
> domain logons = yes
> logon script = scripts\logscript.bat
> logon path = \\%L\Profiles\%U
> logon drive = H:
> logon home = \\%L\%U
> ; name resolve order = wins lmhosts bcast
> wins support = yes
> dns proxy = no
> write list = @tsadmin
> add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s
> /bin/false -M %u
> [home]
> ...........
> *********************************
> my slapd.conf
> ********************************
> # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24
> 23:19:14 kurt Exp $
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/redhat/autofs.schema
> #rliu, 12/31/03
> include /etc/openldap/schema/samba.schema
>
> # Allow LDAPv2 client connections. This is NOT the default.
> allow bind_v2
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral ldap://root.openldap.org
>
> pidfile /var/run/slapd.pid
> #argsfile //var/run/slapd.args
>
> # Load dynamic backend modules:
> # modulepath /usr/sbin/openldap
> # moduleload back_bdb.la
> # moduleload back_ldap.la
> # moduleload back_ldbm.la
> # moduleload back_passwd.la
> # moduleload back_shell.la
>
> # The next three lines allow use of TLS for connections using a dummy test
> # certificate, but you should generate a proper certificate by changing to
> # /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions
on
> # slapd.pem so that the ldap user or group can read it.
> # TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
> # TLSCertificateFile /usr/share/ssl/certs/slapd.pem
> # TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
>
> # Sample security restrictions
> # Require integrity protection (prevent hijacking)
> # Require 112-bit (3DES or better) encryption for updates
> # Require 63-bit encryption for simple bind
> # security ssf=1 update_ssf=112 simple_bind=64
>
> # Sample access control policy:
> # Root DSE: allow anyone to read it
> # Subschema (sub)entry DSE: allow anyone to read it
> # Other DSEs:
> # Allow self write access
> # Allow authenticated users read access
> # Allow anonymous users to authenticate
> # Directives needed to implement policy:
> # access to dn.base="" by * read
> # access to dn.base="cn=Subschema" by * read
> # access to *
> # by self write
> # by users read
> # by anonymous auth
> #
> # if no access controls are present, the default policy is:
> # Allow read by all
> #
> # rootdn can always write!
>
> #######################################################################
> # ldbm and/or bdb database definitions
> #######################################################################
>
> database ldbm
> suffix "o=mydomain"
> suffix "dc=mydomain,dc=com"
> rootdn "cn=tsadmin,dc=mydomain,dc=com"
> # Cleartext passwords, especially for the rootdn, should
> # be avoided. See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> # rootpw secret
> rootpw {SSHA}nzEMEVTSdQYIy3jLsWn4xmQLQI/Cb0Tn
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory /var/lib/ldap/
>
> # Indices to maintain for this database
> index objectClass eq,pres
> index ou,cn,mail,surname,givenname eq,pres,sub
> index uidNumber,gidNumber,loginShell eq,pres
> index uid,memberUid eq,pres,sub
> index nisMapName,nisMapEntry eq,pres,sub
>
> # Replicas of this database
> #replogfile /var/lib/ldap/openldap-master-replog
> #replica host=ldap-1.example.com:389 tls=yes
> # bindmethod=sasl saslmech=GSSAPI
> # authcId=host/ldap-master.example.com at EXAMPLE.COM
----
really gonna need to learn LDAP to make this work - no shortcuts are
gonna make it happen...
I think you need one suffix in slapd.conf
suffix in smb.conf needs to match
rootdn password has to be set in samba...
smbpasswd -w ROOT_DN_PASSWORD
good luck
Craig
More information about the samba
mailing list