[Samba] Samba 3.0 PDC+LDAP Help in Fedora Core 1

Dr. Hansjoerg Maurer Hansjoerg.Maurer at itsd.de
Fri Jan 9 21:41:05 GMT 2004


Hi

it took some time for me to set this up too.

some hints:
-check with
net getlocalsid
if the host SID is the same as the SID in LDAP
-check with
net groupmap list
if the group mapping is correct.
-check with
pdbedit -L -v -u username
for each user, if Samba can resolve the SID and group SIDs correctly
I noticed that if you have one SID (group or user) twice, you
can have much trouble..
-don't use a group name which is equal to a user name (no problem in Unix,
but in Windows)
-I have a groupmap
which maps
Administrator to root.
Because of the fact that root and nobody are already in /etc/passwd,
I added a tdbsam backend, which only contains
root and nobody with the correct SIDs
(I don't know if this is the right way)
(If you do so, uncomment the user add script in smb.conf
for adding root and nobody to the tdb backend with pdbedit -b ....)
(The reason for the stuff is that I don't want root and nobody
in /etc/passwd and LDAP)
-set the debug level to 10 and watch the logs...
-check if the smbldap-adduser script has
already added a machine.
The script adds the posix attributes for the account and Samba should add
the rest..
-don't use a filter in /etc/ldap.conf
I used to filter out the computers there (in order to not get them with
getent passwd etc.) but smbldap determines the next free UID with
this. So a UID might be used twice.

-Finally I modified the smbldap-tools smbldap-useradd script,
but I am not sure if this is really necessary.
I am off work now.
If the above won't help you, let me know, and I'll send you my modifications.

Greetings

Hansjörg
Jason P Holland said:
>
> Hello,
>
> I am hoping someone will offer some help.  I'm currently trying to set up a
> Samba 3 PDC with LDAP authentication backend in Fedora Core 1.  I've read
> loads of documentation, including
>
> http://www.hilinski.net/samba/ldap_PDC_samba.doc
> http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html
> http://samba.idealx.org/samba-ldap-howto.pdf
>
> As well as tons of posts in the mailing list archives, but I still cannot
> get this combination to work.
>
> As for the setup, I've installed Openldap 2.1.22, Samba 3.0.0,
> smbldap-tools-0.8.2.  I've run smbpasswd -w to add my slapd.conf password
> to the secrets.tdb file.  I've setup smbldap_conf.pl with my correct SID
> and ldap dn.  I've populated my ldap database using smbldap-populate.pl,
> everything shows up correctly.  I've gone into the LDAP db and fixed
> root's uid and gid as well as its sambaSID so that it can act as
> administrator.  As far as I can tell, it's set up correctly.
>
> However, when I go to join a W2k Workstation client, I get "The user name
> could not be found.".  That's using the root-testing combination from my config
> files.  Samba does automatically create the machine account, that looks
> fine.  But it refuses to join the machine.  Yes, I'm aware of the registry
> hack for XP, W2K machines, and that has also been changed.
>
>
> The weird thing is that from that client, which I cannot join, I can view shares
> on the PDC using the root-testing user/pass combination, so I know the
> authentication is working correctly through LDAP.  So what does that
> "user name not found" error really mean?
>
> Does anyone see anything obviously wrong in my config files that would
> cause this?  I've cut them into the post below.  I would appreciate any
> help as I'm just tired of reading and just can't seem to get past adding
> a machine.  Thanks for any help...
>
> Jason
>
>
> --- begin ldap.conf ----
>
> HOST 127.0.0.1
> BASE dc=test,dc=edu
>
> ---- end ldap.conf ----
>
>
> --- begin slapd.conf ----
>
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/samba.schema
>
> pidfile /var/run/slapd.pid
> argsfile /var/run/slapd.args
> database bdb
> suffix "dc=test,dc=edu"
> rootdn "cn=root,dc=test,dc=edu"
> rootpw testing
>
> directory /var/lib/ldap
> index objectClass eq
> index cn pres,sub,eq
> index sn pres,sub,eq
> index uid pres,sub,eq
> index displayName pres,sub,eq
> index uidNumber eq
> index gidNumber eq
> index memberUid eq
> index sambaSID eq
> index sambaPrimaryGroupSID eq
> index sambaDomainName eq
> index default sub
>
> ---- end slapd.conf ----
>
>
> ---- begin smb.conf ----
> [global]
> passdb backend = ldapsam
> ldap suffix = "dc=test,dc=edu"
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
> ldap admin dn = "cn=root,dc=test,dc=edu"
> ldap ssl = no
> idmap backend = ldap:ldap://127.0.0.1
> passwd chat debug = Yes
> passwd program =/usr/local/sbin/smbldap-passwd.pl -o %u
> passwd chat = *new*password* %n\n *new*password:* %n\ *successfully*
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> add machine script = /usr/local/sbin/smbldap-useradd.pl -w %m
> add user script = /usr/local/sbin/smbldap-useradd.pl -a %u
> delete user script = /usr/local/sbin/smbldap-userdel.pl %u
> add group script = /usr/local/sbin/smbldap-groupadd.pl %g
> delete group script = /usr/local/sbin/smbldap-groupdel.pl %g
> add user to group script = /usr/local/sbin/smbldap-groupmod.pl -m %u %g
> delete user from group script = /usr/local/sbin/smbldap-groupmod.pl -x %u %g
> set primary group script = /usr/local/sbin/smbldap-usermod.pl -G %g %u
> workgroup = TEST
> netbios name = donald
> comment = test samba pdc
> security = user
> null passwords = yes
> encrypt passwords = yes
> logon script=logon.bat
> logon drive =
> logon path =
> domain master = yes
> domain logons = yes
> preferred master = yes
> os level = 33
> wins support = yes
> wins proxy = no
> log file = /var/log/samba/%m.log
> public = No
> browseable = yes
> writable = No
>
> ; necessary share for domain controller
> [netlogon]
> path = /netlogon
> locking = no
> read only = yes
> write list = ntadmin
>
> ;test share
> [tmp]
> writeable = yes
> public = yes
> path = /tmp
>
> [profiles]
> path = /profiles
> read only = no
> writeable = yes
> create mask = 0600
> directory mask = 0700
>
> ---- end smb.conf ---
>


-- 
Dr. Hansjörg Maurer
itsystems Deutschland AG
Linprunstr. 10
D-80335 München
Ph/Fax +49 89 52 04 68-41/-59
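The checks in the reply above (host SID versus the SID stored in LDAP, a SID occurring twice, a group name equal to a user name, and a UID handed out twice because of the /etc/ldap.conf filter) can be run offline over an LDIF dump of the directory. The script below is an added example, not code from this thread or from the smbldap-tools project. It assumes the dump was taken with an `ldapsearch -x -LLL` call such as the one in the comment, that the domain SID comes from `net getlocalsid`, and it uses constructed sample entries (the `sample_ldif` function) in place of a real directory.

```shell
#!/bin/sh
# Added example (not from the thread): offline consistency checks over an LDIF
# dump of the Samba accounts in LDAP. A real dump would come from an assumed
# invocation such as:
#   ldapsearch -x -LLL -b "dc=test,dc=edu" objectClass uid cn uidNumber sambaSID
# sample_ldif below supplies constructed data instead, so the script runs offline.

# Values of attribute $1 (lower-case name) that occur more than once, one per line.
duplicate_values() {
    awk -v attr="$1" -F': ' '
        tolower($1) == attr { seen[$2]++ }
        END { for (v in seen) if (seen[v] > 1) print v }
    ' | sort
}

# sambaSID of the sambaDomain entry, i.e. the domain SID Samba stores in LDAP;
# compare it with the output of `net getlocalsid`.
domain_sid_in_ldif() {
    awk -F': ' '
        /^$/ { if (isdom && sid != "") print sid; isdom = 0; sid = ""; next }
        tolower($1) == "objectclass" && tolower($2) == "sambadomain" { isdom = 1 }
        tolower($1) == "sambasid" { sid = $2 }
        END { if (isdom && sid != "") print sid }
    '
}

# sambaSID values that do not belong to domain SID $1 (Samba cannot resolve them).
foreign_sids() {
    awk -v dom="$1" -F': ' '
        tolower($1) == "sambasid" && $2 != dom && index($2, dom "-") != 1 { print $2 }
    ' | sort
}

# Names used both as a user (uid of a posixAccount) and a group (cn of a posixGroup).
user_group_name_clashes() {
    awk -F': ' '
        function flush() {
            if (isuser && uid != "") users[uid] = 1
            if (isgroup && cn != "") groups[cn] = 1
            isuser = 0; isgroup = 0; uid = ""; cn = ""
        }
        /^$/ { flush(); next }
        tolower($1) == "objectclass" {
            oc = tolower($2)
            if (oc == "posixaccount" || oc == "sambasamaccount") isuser = 1
            if (oc == "posixgroup" || oc == "sambagroupmapping") isgroup = 1
        }
        tolower($1) == "uid" { uid = $2 }
        tolower($1) == "cn" { cn = $2 }
        END { flush(); for (n in users) if (n in groups) print n }
    ' | sort
}

# Constructed sample directory content (not real data). It contains a duplicate
# SID (jason / users), a duplicate uidNumber (jason / ws01$), and a user "backup"
# whose SID is from another domain and whose name collides with a group.
sample_ldif() {
    cat <<'EOF'
dn: sambaDomainName=TEST,dc=test,dc=edu
objectClass: sambaDomain
sambaDomainName: TEST
sambaSID: S-1-5-21-111-222-333

dn: uid=jason,ou=Users,dc=test,dc=edu
objectClass: posixAccount
objectClass: sambaSamAccount
uid: jason
uidNumber: 1000
sambaSID: S-1-5-21-111-222-333-1000

dn: uid=backup,ou=Users,dc=test,dc=edu
objectClass: posixAccount
objectClass: sambaSamAccount
uid: backup
uidNumber: 1001
sambaSID: S-1-5-21-999-999-999-1002

dn: uid=ws01$,ou=Computers,dc=test,dc=edu
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws01$
uidNumber: 1000
sambaSID: S-1-5-21-111-222-333-1004

dn: cn=users,ou=Groups,dc=test,dc=edu
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: users
sambaSID: S-1-5-21-111-222-333-1000

dn: cn=backup,ou=Groups,dc=test,dc=edu
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: backup
sambaSID: S-1-5-21-111-222-333-1003
EOF
}

# Stand-alone run: LOCAL_SID stands in for the output of `net getlocalsid`.
LOCAL_SID="S-1-5-21-111-222-333"
[ "$(sample_ldif | domain_sid_in_ldif)" = "$LOCAL_SID" ] || echo "domain SID mismatch"
echo "duplicate SIDs:";       sample_ldif | duplicate_values sambasid
echo "duplicate uidNumbers:"; sample_ldif | duplicate_values uidnumber
echo "foreign SIDs:";         sample_ldif | foreign_sids "$LOCAL_SID"
echo "user/group clashes:";   sample_ldif | user_group_name_clashes
```

To use it on a live server, replace `sample_ldif` with the `ldapsearch` dump and `LOCAL_SID` with the real `net getlocalsid` value; any output from the last four checks points at one of the problems the reply warns about.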

