[Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED
José Ildefonso Camargo Tolosa
icamargo at merkurio.com.ve
Sun Jul 18 02:38:51 GMT 2004
Hi!
Try this:
In /etc/ldap.conf:
scope sub (uncomment it).
In:
nss_base_passwd ou=Users,dc=wbcoll,dc=edu?one
nss_base_shadow ou=Users,dc=wbcoll,dc=edu?one
nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
Try:
nss_base_passwd dc=wbcoll,dc=edu?sub
nss_base_shadow dc=wbcoll,dc=edu?sub
nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
Not sure right now, but I have a /etc/libnss-ldap.conf; I made the same
modifications to it.
With this you can keep your computers in another ou. I did something
different:
nss_base_passwd ou=Accounts,dc=merkurio,dc=int?sub
nss_base_shadow ou=Accounts,dc=merkurio,dc=int?sub
nss_base_group ou=Groups,dc=merkurio,dc=int?one
And under Accounts (ou=People,ou=Accounts,....) I created the users, and
I pointed the machine suffix in smb.conf (my smb.conf) at
ou=Computers,ou=Accounts, but it is somewhat tricky to get it to work with
smbldap-populate.
[global]
workgroup = MERKURIO.INT
interfaces = eth0, lo
bind interfaces only = Yes
min passwd length = 7
passdb backend = ldapsam:ldap://ldap.merkurio.int
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
min protocol = LANMAN2
time server = Yes
server signing = auto
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
domain logons = Yes
os level = 40
preferred master = Yes
domain master = Yes
ldap suffix = dc=merkurio,dc=int
ldap machine suffix = ou=Computers,ou=Accounts
ldap user suffix = ou=People,ou=Accounts
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=merkurio,dc=int
ldap ssl = start tls
ldap passwd sync = Yes
ldap delete dn = Yes
[netlogon]
path = /var/lib/samba/netlogon
browseable = No
[homes]
read only = No
browseable = No
[cosa]
path = /home/ftp/
[profile]
path = /samba/profile
read only = No
profile acls = Yes
browseable = No
The TLS requires that the cert is correctly issued (i.e., the host name should
match the cert's CN). I haven't tested this config completely (I need to
test the password change from Windows workstations).
Hope this helped,
Sincerely,
Ildefonso Camargo
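Added example (not code from the mail above): a small model of how nss_ldap's "nss_base_passwd base?scope" lines decide which entries NSS can resolve, showing why a machine account under ou=Computers is invisible with "ou=Users,...?one" but found with "dc=wbcoll,dc=edu?sub". The DNs are constructed from the layouts discussed in the thread; the default_scope parameter stands in for ldap.conf's global scope directive.

```python
# Added example (not code from the original mail): models how nss_ldap's
# "nss_base_passwd base?scope" lines decide which LDAP entries NSS can
# resolve, so you can see why a machine account under ou=Computers is
# invisible with "ou=Users,...?one" but found with "dc=wbcoll,dc=edu?sub".
# The DNs are constructed from the layouts discussed in the thread.

def parse_dn(dn):
    """Split a simple, unescaped DN into lowercase (attr, value) RDNs."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def in_scope(entry_dn, nss_base, default_scope="sub"):
    """True if entry_dn would be returned by a search with the base and
    scope of an nss_base_* value ('base', 'base?scope' or 'base?scope?filter').
    default_scope stands in for ldap.conf's global 'scope' directive."""
    base, _, rest = nss_base.partition("?")
    scope = (rest.partition("?")[0] or default_scope).lower()
    entry, base_rdns = parse_dn(entry_dn), parse_dn(base)
    # the entry must sit somewhere under the base at all
    if len(entry) < len(base_rdns) or entry[-len(base_rdns):] != base_rdns:
        return False
    depth = len(entry) - len(base_rdns)   # 0 = the base entry itself
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError("unknown scope: " + scope)

def visible_accounts(dns, nss_base):
    """RDNs of the accounts NSS would find with the given nss_base_* value."""
    return [dn.split(",", 1)[0] for dn in dns if in_scope(dn, nss_base)]

# Constructed sample: the poster's layout, with a user under ou=Users and
# a machine trust account (trailing '$') under ou=Computers.
SAMPLE_DNS = [
    "uid=abebe,ou=Users,dc=wbcoll,dc=edu",
    "uid=wks01$,ou=Computers,dc=wbcoll,dc=edu",
]

if __name__ == "__main__":
    for nss_base in ("ou=Users,dc=wbcoll,dc=edu?one", "dc=wbcoll,dc=edu?sub"):
        print(nss_base, "->", visible_accounts(SAMPLE_DNS, nss_base))
```

With the ?one base, getpwnam("wks01$") fails on the PDC even though the entry exists in LDAP, which is exactly the symptom of a domain join that adds the machine but never completes.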
Craig White wrote:
>On Fri, 2004-07-16 at 13:39, abebe lsslp wrote:
>
>
>>Hey Craig,
>>Here is what's happening. I've got nothing, but
>>headache from looking at log level 10, but finally I
>>finished going over it. For those of you who have not
>>been following, check
>>http://150.208.105.24/smbldap-pdc.html
>>
>>
>>
>>>----
>>>
>>>>smbd/process.c:timeout_processing(1332)
>>>> timeout_processing: End of file from client
>>>
>>>(client has disconnected).
>>>
>>>You are attempting to join WinXP to domain, are
>>>asked for the
>>>name/password/domain of a user who has sufficient
>>>privileges to add a
>>>machine to the domain and it fails to finish? The
>>>machine is indeed
>>>added to LDAP - that's all I can figure out from
>>>your email.
>>>
>>>First off - my understanding is that Machine
>>>accounts should still be
>>>located in the People subtree and not in the
>>>Computers subtree because
>>>subsequent searches will not locate it there. If
>>>this has been fixed,
>>>I'm sure someone will correct me.
>>>
>>>
>>>
>>I have tried it your way as well.
>>
>># 1
>>Changed the entry in '/etc/ldap.conf' to
>>
>>nss_base_passwd ou=People,dc=wbcoll,dc=edu?one
>>nss_base_shadow ou=People,dc=wbcoll,dc=edu?one
>>nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
>>
>>#2
>>changed the entry in '/etc/samba/smb.conf' file, I
>>changed
>>
>>ldap machine suffix = ou=People
>>
>>#3
>>and finally, the entry in
>>'/etc/smbldap-tools/smbldap.conf'
>>
>># Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
>>computersdn="ou=People,dc=wbcoll,dc=edu"
>>
>>However, I am sure the "ou=Computers" entry works. A
>>lot of documentation, including idealx.org, would have
>>corrected their documentation if it wasn't so.
>>
>>
>>
>>>Secondly - ldap log?
>>>
>>>
>>I couldn't find any hint that leads me to believe the
>>ldap doesn't work, but you might see something I
>>don't. You will find the whole 'slapd.log' file here:
>>http://150.208.105.24/smbldap-pdc/ (there are also
>>log files for the xp machine: 'winxp.log.html' is log
>>level 10 and 'winxp_log.html' is log level 3). Log
>>level 10 doesn't really tell me anything log level 3
>>doesn't.
>>
>>
>----
>SIDs don't match...
>
>dn: uid=Administrator,ou=Users,dc=wbcoll,dc=edu
><snip>
>sambaPrimaryGroupSID: S-1-5-21-952094410-1508517273-1204454084-512
>sambaSID: S-1-5-21-952094410-1508517273-1204454084-2996
>
>pdbedit -Lv testuser1
><snip>
>User SID: S-1-5-21-1414736517-1990894286-2385622597-3000
>Primary Group SID: S-1-5-21-1414736517-1990894286-2385622597-513
>
>Who knows which SID is in smbldap_conf and which SID is in dn=SambaDomainName,dc=wbcoll,dc=edu
>
>This should be one of the first things you check.
>
>Also - just for a point of reference (not that what I do is at all correct or even recommended by the many people that know way more than I do), I set the primary posix gid for all users to a posix labeled group and my /etc/samba/smbusers looks like this:
># cat /etc/samba/smbusers
># Unix_name = SMB_name1 SMB_name2 ...
>root = Administrator administrator admin
>nobody = guest pcguest smbguest
>
>I hope this helps.
>
>Craig
>
>
>
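Added example (not part of the original thread): the check Craig recommends doing first, applied to a directory dump. It flags every sambaSID / sambaPrimaryGroupSID whose domain part differs from the sambaSID of the sambaDomain entry. The LDIF is constructed around the two SIDs quoted above; the sambaDomain entry, its DN and the user objectClasses are assumptions.

```python
import re
# Added example (not from the original thread): flag every sambaSID /
# sambaPrimaryGroupSID whose domain part differs from the sambaDomain
# entry's sambaSID, the mismatch Craig points out. The LDIF is constructed
# around the two SIDs quoted in the thread; the domain entry is assumed.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value'
    lines, repeated attributes kept as lists (no base64, no folding)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            entries, cur = entries + ([cur] if cur else []), {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    return entries + ([cur] if cur else [])

def split_sid(sid):
    # (domain SID, RID); anything that is not an S-1-5-21 SID is rejected
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: " + sid)
    return m.group(1), int(m.group(2))

def sid_mismatches(ldif_text):
    # (dn, attribute, sid) for each SID that does not belong to the domain
    entries = parse_ldif(ldif_text)
    domains = [e for e in entries if "sambaDomain" in e.get("objectClass", [])]
    if len(domains) != 1:
        raise ValueError("expected exactly one sambaDomain entry")
    domain_sid = domains[0]["sambaSID"][0]
    return [(e["dn"][0], attr, sid)
            for e in entries if e is not domains[0]
            for attr in ("sambaSID", "sambaPrimaryGroupSID")
            for sid in e.get(attr, [])
            if split_sid(sid)[0] != domain_sid]

# Constructed sample: domain entry (assumed) plus the two users from the thread.
SAMPLE_LDIF = """\
dn: sambaDomainName=WBCOLL,dc=wbcoll,dc=edu
objectClass: sambaDomain
sambaSID: S-1-5-21-1414736517-1990894286-2385622597

dn: uid=Administrator,ou=Users,dc=wbcoll,dc=edu
sambaPrimaryGroupSID: S-1-5-21-952094410-1508517273-1204454084-512
sambaSID: S-1-5-21-952094410-1508517273-1204454084-2996

dn: uid=testuser1,ou=Users,dc=wbcoll,dc=edu
sambaPrimaryGroupSID: S-1-5-21-1414736517-1990894286-2385622597-513
sambaSID: S-1-5-21-1414736517-1990894286-2385622597-3000
"""
```

Running sid_mismatches(SAMPLE_LDIF) reports both of Administrator's SIDs and nothing for testuser1, which is the situation visible in the quoted ldapsearch and pdbedit output.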