[Samba] Trying to configure a SAMBA 3 PDC with OpenLDAP

vegeta2 at ica.luz.ve
Sun Jan 11 16:26:00 GMT 2004


Yes, I did add the $.
This is an excerpt of what I have in the LDAP server

# ica.luz.ve
dn: dc=ica,dc=luz,dc=ve
objectClass: organization
o: Instituto de Calculo Aplicado

# Personas, ica.luz.ve
dn: ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: organizationalUnit
ou: Personas

# Grupos, ica.luz.ve
dn: ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: organizationalUnit
ou: Grupos

# users, Grupos, ica.luz.ve
dn: cn=users,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
cn: users
gidNumber: 100

# z, Grupos, ica.luz.ve
dn: cn=z,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
cn: z
gidNumber: 1000

# webmasters, Grupos, ica.luz.ve
dn: cn=webmasters,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
cn: webmasters
gidNumber: 1001

# proxyuser, ica.luz.ve
dn: cn=proxyuser,dc=ica,dc=luz,dc=ve
cn: proxyuser
sn: proxyuser
objectClass: person
userPassword:: e3NoYX1wRlAzVVJxMHp3aHBscWd6eUZJbmhueENVKzg9

# guidox, Personas, ica.luz.ve
dn: uid=guidox,ou=Personas,dc=ica,dc=luz,dc=ve
cn: Guido Urdaneta
gidNumber: 100
homeDirectory: /home/guidox
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: top
objectClass: sambaSamAccount
sn: Urdaneta
uid: guidox
uidNumber: 1001
givenName: Guido
initials: gu
l: Maracaibo
mail: guidox at ica.luz.ve
mail: guidox at luz.ve
title: Profesor Agregado
homePhone: (0261) 7419559
telephoneNumber: (0261) 7598631
loginShell: /bin/bash
shadowExpire: -1
shadowInactive: -1
shadowMax: 9999
shadowMin: -1
shadowWarning: -1
shadowLastChange: 11762
shadowFlag: 7100670
employeeType: Profesor
userPassword:: Z3VpZG94
description: profesor
description: prueba1
sambaSID: S-1-5-21-3627653134-2314833119-65495969-3002
sambaPrimaryGroupSID: S-1-5-21-3627653134-2314833119-65495969-1201
displayName: Guido Urdaneta
sambaPwdCanChange: 1073791647
sambaPwdMustChange: 2147483647
sambaLMPassword: 111112550AA86F88AAD3B435B51404EE
sambaNTPassword: 76849F2B19A376BD3C88A39DB5F0FDA6
sambaPwdLastSet: 1073791647
sambaAcctFlags: [U          ]

# spintos, Personas, ica.luz.ve
dn: uid=spintos,ou=Personas,dc=ica,dc=luz,dc=ve
cn: Salvador Pintos
gidNumber: 100
homeDirectory: /home/spintos
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: top
objectClass: sambaSamAccount
sn: Pintos
uid: spintos
uidNumber: 1004
givenName: Salvador
initials: SP
mail: spintos at ica.luz.ve
userPassword:: e21kNX0vMFBuQ1VmZVZOaHIxa2gxZEJFKzN3PT0=
shadowFlag: 7100670
shadowLastChange: 11762
shadowExpire: -1
shadowInactive: -1
shadowMax: 99999
shadowMin: -1
shadowWarning: -1
loginShell: /bin/bash
sambaSID: S-1-5-21-3627653134-2314833119-65495969-3008
sambaPrimaryGroupSID: S-1-5-21-3627653134-2314833119-65495969-1201
displayName: Salvador Pintos
sambaPwdCanChange: 1073792582
sambaPwdMustChange: 2147483647
sambaLMPassword: 03F48EB3CBF200F9AAD3B435B51404EE
sambaNTPassword: 7EF3D0D24F82C675D24030805B2F95EB
sambaPwdLastSet: 1073792582
sambaAcctFlags: [U          ]



# Computadoras, ica.luz.ve
dn: ou=Computadoras,dc=ica,dc=luz,dc=ve
objectClass: organizationalUnit
objectClass: top
ou: Computadoras

# Idmap, ica.luz.ve
dn: ou=Idmap,dc=ica,dc=luz,dc=ve
objectClass: organizationalUnit
objectClass: top
ou: Idmap

# ICALUZ, ica.luz.ve
dn: sambaDomainName=ICALUZ,dc=ica,dc=luz,dc=ve
sambaDomainName: ICALUZ
sambaSID: S-1-5-21-3627653134-2314833119-65495969
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 41000
sambaNextGroupRid: 41001

# tuqueque$, Computadoras, ica.luz.ve
dn: uid=tuqueque$,ou=Computadoras,dc=ica,dc=luz,dc=ve
uid: tuqueque
cn: tuqueque
sn: el tuqueque
objectClass: person
objectClass: posixAccount
userPassword:: YXJvbWVybw==
loginShell: /bin/false
uidNumber: 2001
gidNumber: 200
homeDirectory: /dev/null

# domadmin, Grupos, ica.luz.ve
dn: cn=domadmin,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
cn: domadmin
gidNumber: 512

.

Regarding smbldap-tools, maybe I did not configure them well. The documentation is somewhat confusing. It is supposed to work with samba 3, but the docs say to put this in smb.conf
	
	domain admin group = " @"Domain Admins" "

But that parameter no longer exists in samba 3.

I configured the smbldap_conf.pm file using valid values (I believe).
When I run

     ./smbldap-useradd.pl -w comp1

this is what I get
    failed to perform search; No such object at /root/smbldap-tools-0.8.2//smbldap_tools.pm line 156.
    failed to add entry: No such object at /root/smbldap-tools-0.8.2//smbldap_tools.pm line 304.
    Failed to initialise SAM_ACCOUNT for user comp1$.
    Failed to modify password entry for user comp1$
    Use of uninitialized value in string at ./smbldap-useradd.pl line 221.
    failed to modify entry: No DN specified at ./smbldap-useradd.pl line 226.

when I run 
     smbldap-useradd.pl -a user1

I get

    failed to perform search; No such object at /root/smbldap-tools-0.8.2//smbldap_tools.pm line 156.
    No such object at /root/smbldap-tools-0.8.2//smbldap_tools.pm line 665.

when I run 
     ./smbldap-groupadd.pl group1

I get
      No such object at /root/smbldap-tools-0.8.2//smbldap_tools.pm line 180.

I do not know if I'm doing something wrong. This package comes with very little documentation, and it is not clear that it applies to Samba 3.


Thanks in advance,
VS



On Sunday 11/01/2004 at 07:39 AM Marc Remolt wrote:
> On Sun, 11 Jan 2004 02:17:06 -0400 (VET)
> vegeta2 at ica.luz.ve wrote:
> 
> When you added the machine account by hand (the posix part), have you added the $ behind the machine name? Samba expects machines to be like 
> tuqueque$ instead of tuqueque. It's just a quick guess. 
> Btw, smbldap-tools work great for me (they automatically add all the needed groups for example - you'd like that), what exactly is your problem?
> 
> Jesore
> 
> 
> > Hello,
> > 
> > I have some problems trying to configure a PDC with OpenLDAP backend using Samba 3.0.1.
> > 
> > My LDAP server is working fine and has the samba templates.
> > 
> > I am able to configure users. The procedure I am using is I first create the user in the LDAP server using posixAccount, shadowAccount, etc. Then, as root, I write 
> > 
> >      smbpasswd -a user
> > 
> > and it works fine.
> > 
> > I get the same effect if I use 
> > 
> >      pdbedit -a -u borra
> > 
> > The user is able to mount a share in the server. At this point things are working great.
> > 
> > My first problem is that I have been unable to add machines.
> > I tried a similar procedure. First create the machine in the LDAP server (without sambaSamAccount) and then
> > 
> >      smbpasswd -m -a theMachine
> > 
> > I have tried everything including pdbedit and smbldap-tools 0.8.2.
> > I get the following errors when trying to add a machine called tuqueque using 
> > 
> >      smbpasswd -m -a tuqueque -D256
> > 
> > Netbios name list:-
> > my_netbios_names[0]="BOA"
> > Trying to load: ldapsam:ldap://localhost
> > Attempting to register passdb backend ldapsam
> > Successfully added passdb backend 'ldapsam'
> > Attempting to register passdb backend ldapsam_compat
> > Successfully added passdb backend 'ldapsam_compat'
> > Attempting to register passdb backend smbpasswd
> > Successfully added passdb backend 'smbpasswd'
> > Attempting to register passdb backend tdbsam
> > Successfully added passdb backend 'tdbsam'
> > Attempting to register passdb backend guest
> > Successfully added passdb backend 'guest'
> > Attempting to find an passdb backend to match ldapsam:ldap://localhost (ldapsam)
> > Found pdb backend ldapsam
> > Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=ICALUZ))]
> > smbldap_search_suffix: searching for:[(&(objectClass=sambaDomain)(sambaDomainName=ICALUZ))]
> > smbldap_open_connection: ldap://localhost
> > smbldap_open_connection: connection opened
> > ldap_connect_system: Binding to ldap server ldap://localhost as "cn=Manager,dc=ica,dc=luz,dc=ve"
> > ldap_connect_system: succesful connection to the LDAP server
> > The LDAP server is succesful connected
> > pdb backend ldapsam:ldap://localhost has a valid init
> > Attempting to find an passdb backend to match guest (guest)
> > Found pdb backend guest
> > pdb backend guest has a valid init
> > smbldap_search_suffix: searching for:[(&(uid=tuqueque$)(objectclass=sambaSamAccount))]
> > smbldap_open: already connected to the LDAP server
> > ldapsam_getsampwnam: Unable to locate user [tuqueque$] count=0
> > Finding user tuqueque$
> > Trying _Get_Pwnam(), username as lowercase is tuqueque$
> > Trying _Get_Pwnam(), username as uppercase is TUQUEQUE$
> > Checking combinations of 0 uppercase letters in tuqueque$
> > Get_Pwnam_internals didn't find user [tuqueque$]!
> > 
> > 
> > The smbldap-tools 0.8.2 do not work at all. They do not even work for adding users (which I already solved using smbpasswd).
> > 
> > I have other questions:
> > I have read that I have to create some groups (Domain Admins, Domain Users, Domain Guests), but the procedure for doing that when using LDAP is not clear. I tried adding the groups to the LDAP server and then using something like
> > 
> >     net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin
> > 
> > I get the following message:
> > 
> >      NT Group Domain Admins doesn't exist in mapping DB
> >        
> > 
> > Can somebody help me?
> > 
> > Here is my smb.conf:
> > [global]
> > hosts allow = 172.17.6.0/255.255.255.0
> > netbios name = BOA
> > workgroup = ICALUZ
> > security = user
> > encrypt passwords = yes
> > preferred master = yes
> > domain master = yes
> > local master = yes
> > domain logons = yes
> > os level = 33
> > 
> > ldap suffix = dc=ica,dc=luz,dc=ve
> > ldap admin dn = "cn=Manager,dc=ica,dc=luz,dc=ve"
> > 
> > idmap backend = ldap:ldap://localhost
> > idmap gid = 10000-20000
> > idmap uid = 10000-20000
> > ldap idmap suffix = ou=Idmap
> > 
> > passdb backend = ldapsam:ldap://localhost
> > ldap ssl = off
> > ldap delete dn = no
> > ldap user suffix = ou=Personas
> > 
> > ldap group suffix = ou=Grupos
> > ldap machine suffix = ou=Computadoras
> > #ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
> > ldap filter = (uid=%u)
> > 
> > logon path = \\%N\profiles\%u
> > logon drive = H:
> > logon home = \\homeserver\%u\winprofile
> > logon script = logon.cmd
> > 
> > #logging
> > log level = 2
> > log file = /var/lib/samba/%m.log
> > 
> > [netlogon]
> > path = /var/lib/samba/netlogon
> > read only = yes
> > write list = ntadmin
> > 
> > [profiles]
> > path = /var/lib/samba/profiles
> > read only = no
> > create mask = 0644
> > directory mask = 0755
> > 
> > [test]
> > path=/tmp
> > writeable=yes
> > public=yes
> > 
> > 
> > I have tried to follow the documentation, but it is somewhat confusing when it refers to LDAP. It is never clear whether they are talking about the new style or the old Samba 2.x style. Maybe it is not completely updated.
> > Any help is appreciated.
> > 
> > Regards,
> > VS
> > 
> > 
> > 
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  http://lists.samba.org/mailman/listinfo/samba
> > 
> 
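The two failures discussed in this thread (the machine account that `smbpasswd -m -a tuqueque` cannot find, and `net groupmap modify` reporting that "Domain Admins" does not exist in the mapping DB) can both be caught by reading the directory export before Samba is pointed at it. The following Python script is an added example, not code from the thread, from smbldap-tools or from Samba. It takes the container names (`ou=Computadoras`, `ou=Grupos`) and the domain SID from the posted smb.conf and LDIF; the host name `ws02`, its uidNumber and the `userPassword` value are constructed. It checks what the debug output above shows Samba doing: the ldapsam search is `(&(uid=<name>$)(objectclass=sambaSamAccount))`, followed by an NSS lookup of the same `name$`, so a machine entry needs the trailing `$` in its `uid` attribute and both `posixAccount` and `sambaSamAccount`. The RID check assumes algorithmic RIDs (user RID = 2*uidNumber + sambaAlgorithmicRidBase), which is the scheme the posted entries follow (uidNumber 1001 gives RID 3002); the well-known group RIDs 512, 513 and 514 are the standard Windows values for Domain Admins, Domain Users and Domain Guests.

```python
import base64
import re
from collections import defaultdict

DOMAIN_SID = "S-1-5-21-3627653134-2314833119-65495969"  # the post's sambaDomain SID
WELL_KNOWN_GROUPS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
MACHINE_OU = ",ou=Computadoras,"  # the post's 'ldap machine suffix'

def parse_ldif(text):
    """Parse LDIF into {attribute: [values]} dicts; handles comments, folded lines, '::' base64."""
    entries, current = [], None
    for line in re.sub(r"\n ", "", text).splitlines():  # unfold continuation lines first
        if not line.strip():  # a blank line terminates the current entry
            if current is not None:
                entries.append(dict(current))
            current = None
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if attr == "dn":
            current = defaultdict(list)
        if current is None:  # attribute line outside any entry: ignore
            continue
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        current[attr].append(value.strip())
    if current is not None:
        entries.append(dict(current))
    return entries

def machine_account_ldif(name, uid_number, gid_number, domain_sid=DOMAIN_SID, rid_base=1000):
    """Workstation trust account in the shape Samba 3 ldapsam looks up: trailing '$' in uid,
    posixAccount + sambaSamAccount, algorithmic RID (2*uid + base), 'W' account flag."""
    acct = name.rstrip("$") + "$"
    return "\n".join([
        f"dn: uid={acct}{MACHINE_OU}dc=ica,dc=luz,dc=ve",
        "objectClass: posixAccount", "objectClass: sambaSamAccount",
        f"uid: {acct}", f"cn: {acct}", f"uidNumber: {uid_number}", f"gidNumber: {gid_number}",
        "homeDirectory: /dev/null", "loginShell: /bin/false",
        f"sambaSID: {domain_sid}-{2 * uid_number + rid_base}",
        "sambaAcctFlags: [W          ]", "",
    ])

def check_ldif(text):
    """Return human-readable findings; an empty list means the excerpt is consistent."""
    entries = parse_ldif(text)
    doms = [e for e in entries if "sambaDomain" in e.get("objectClass", [])]
    if not doms:
        return ["no sambaDomain entry: Samba cannot allocate SIDs without it"]
    dom_sid = doms[0]["sambaSID"][0]
    rid_base = int(doms[0].get("sambaAlgorithmicRidBase", ["1000"])[0])
    findings, mapped = [], set()
    for e in entries:
        dn, oc = e["dn"][0], e.get("objectClass", [])
        prefix, _, rid = e.get("sambaSID", [""])[0].rpartition("-")
        if MACHINE_OU in dn:
            name, uid = dn.split(",", 1)[0].split("=", 1)[1], e.get("uid", [""])[0]
            if not name.endswith("$"):
                findings.append(f"{dn}: machine name must end in '$'")
            elif uid != name:  # Samba searches (&(uid=<name>$)(objectclass=sambaSamAccount))
                findings.append(f"{dn}: uid attribute {uid!r} does not match RDN {name!r}")
            findings += [f"{dn}: missing objectClass {c}"
                         for c in ("posixAccount", "sambaSamAccount") if c not in oc]
        if "sambaSamAccount" in oc or "sambaGroupMapping" in oc:
            if prefix != dom_sid:
                findings.append(f"{dn}: sambaSID is not under domain SID {dom_sid}")
            elif "sambaGroupMapping" in oc:
                mapped.add(int(rid))
            elif int(rid) != 2 * int(e.get("uidNumber", ["0"])[0]) + rid_base:
                findings.append(f"{dn}: RID {rid} is not algorithmic (2*uidNumber+{rid_base})")
    findings += [f"no sambaGroupMapping for {n} ({dom_sid}-{r})"
                 for r, n in WELL_KNOWN_GROUPS.items() if r not in mapped]
    return findings

# Constructed excerpt modelled on the post: domain entry, one mapped group, and a machine
# entry whose RDN carries the '$' but whose uid attribute does not (constructed password).
SAMPLE_LDIF = """\
dn: sambaDomainName=ICALUZ,dc=ica,dc=luz,dc=ve
objectClass: sambaDomain
sambaDomainName: ICALUZ
sambaSID: S-1-5-21-3627653134-2314833119-65495969
sambaAlgorithmicRidBase: 1000

dn: cn=users,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: users
gidNumber: 100
sambaSID: S-1-5-21-3627653134-2314833119-65495969-513
sambaGroupType: 2

dn: uid=tuqueque$,ou=Computadoras,dc=ica,dc=luz,dc=ve
objectClass: posixAccount
uid: tuqueque
uidNumber: 2001
userPassword:: c2VjcmV0

""" + machine_account_ldif("ws02", 2002, 200)
```

Run `check_ldif(SAMPLE_LDIF)` against the constructed excerpt and it reports the machine entry twice (uid attribute without the `$`, no `sambaSamAccount`) and the two well-known groups that have no `sambaGroupMapping` object; the generated `ws02$` entry passes. Two points about the design: with `passdb backend = ldapsam` the NT-to-Unix group mapping is stored in LDAP as a `sambaGroupMapping` object, and `net groupmap modify` only edits an existing mapping, which is exactly what the "doesn't exist in mapping DB" message reports, whereas `net groupmap add` creates one. Also, the parser decodes `::` values, so on a real export containing `userPassword` it will print secrets; run it on an export made with the password attributes excluded.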