[Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED

José Ildefonso Camargo Tolosa icamargo at merkurio.com.ve
Sun Jul 18 02:38:51 GMT 2004


Hi!

Try this:

In /etc/ldap.conf:

scope sub  (uncomment it).

In:

nss_base_passwd	ou=Users,dc=wbcoll,dc=edu?one
nss_base_shadow	ou=Users,dc=wbcoll,dc=edu?one
nss_base_group	ou=Groups,dc=wbcoll,dc=edu?one

Try:

nss_base_passwd	dc=wbcoll,dc=edu?sub
nss_base_shadow	dc=wbcoll,dc=edu?sub
nss_base_group	ou=Groups,dc=wbcoll,dc=edu?one

I'm not sure right now, but I have an /etc/libnss-ldap.conf; I made the same 
modifications to it.

With this you can keep your computers in another ou.  I did something 
different:

nss_base_passwd	ou=Accounts,dc=merkurio,dc=int?sub
nss_base_shadow	ou=Accounts,dc=merkurio,dc=int?sub
nss_base_group	ou=Groups,dc=merkurio,dc=int?one

And under Accounts (ou=People,ou=Accounts,....) I created the users, and 
under ou=Computers,ou=Accounts I pointed the machine suffix in 
smb.conf (my smb.conf), but it is somewhat tricky to get it to work with 
smbldap-populate.

[global]
        workgroup = MERKURIO.INT
        interfaces = eth0, lo
        bind interfaces only = Yes
        min passwd length = 7
        passdb backend = ldapsam:ldap://ldap.merkurio.int
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        min protocol = LANMAN2
        time server = Yes
        server signing = auto
        add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
        domain logons = Yes
        os level = 40
        preferred master = Yes
        domain master = Yes
        ldap suffix = dc=merkurio,dc=int
        ldap machine suffix = ou=Computers,ou=Accounts
        ldap user suffix = ou=People,ou=Accounts
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=admin,dc=merkurio,dc=int
        ldap ssl = start tls
        ldap passwd sync = Yes
        ldap delete dn = Yes

[netlogon]
        path = /var/lib/samba/netlogon
        browseable = No

[homes]
        read only = No
        browseable = No

[cosa]
        path = /home/ftp/

[profile]
        path = /samba/profile
        read only = No
        profile acls = Yes
        browseable = No

TLS requires that the cert is correctly emitted (i.e., the host name should 
match the cert's CN).  I haven't tested this config completely (I need to 
test the password change from Windows workstations).

Hope this helped,

Sincerely,

Ildefonso Camargo

Craig White wrote:

>On Fri, 2004-07-16 at 13:39, abebe lsslp wrote:
>
>>Hey Craig, 
>>Here is what's happening. I've got nothing, but
>>headache from looking at log level 10, but finally I
>>finished going over it. For those of you who have not
>>been following, check
>>http://150.208.105.24/smbldap-pdc.html
>>
>>>----
>>>
>>>>smbd/process.c:timeout_processing(1332)
>>>>  timeout_processing: End of file from client
>>>>
>>>(client has disconnected).
>>>
>>>You are attempting to join WinXP to domain, are
>>>asked for the
>>>name/password/domain of a user who has sufficient
>>>privileges to add a
>>>machine to the domain and it fails to finish? The
>>>machine is indeed
>>>added to LDAP - that's all I can figure out from
>>>your email.
>>>
>>>First off - my understanding is that Machine
>>>accounts should still be
>>>located in the People subtree and not in the
>>>Computers subtree because
>>>subsequent searches will not locate it there. If
>>>this has been fixed,
>>>I'm sure someone will correct me.
>>>
>>I have tried it your way as well. 
>>
>># 1
>>Changed the entry in '/etc/ldap.conf' to 
>>
>>nss_base_passwd ou=People,dc=wbcoll,dc=edu?one
>>nss_base_shadow ou=People,dc=wbcoll,dc=edu?one
>>nss_base_group  ou=Groups,dc=wbcoll,dc=edu?one
>>
>>#2
>>changed the entry in '/etc/samba/smb.conf' file, I
>>changed 
>>
>>ldap machine suffix = ou=People
>>
>>#3
>>and finally, the entry in
>>'/etc/smbldap-tools/smbldap.conf'
>>
>># Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
>>computersdn="ou=People,dc=wbcoll,dc=edu"
>>
>>However, I am sure the "ou =Computers" entry works. A
>>lot of documentations, including idealx.org would have
>>corrected their documentations if it wasn't so.  
>>
>>>Secondly - ldap log?
>>>      
>>>
>>I couldn't find any hint that leads me to believe the
>>ldap doesn't work, but you might see something I
>>don't.  you will find the whole 'slapd.log' file here:
>>http://150.208.105.24/smbldap-pdc/. (there are also
>>log files for the xp machine. ('winxp.log.html' is log
>>level 10 and 'winxp_log.html' is log level 3). Log
>>level 10 doesn't really tell me anything log level 3
>>doesn't.    
>>
>----
>SID's don't match...
>
>dn: uid=Administrator,ou=Users,dc=wbcoll,dc=edu
><snip>
>sambaPrimaryGroupSID: S-1-5-21-952094410-1508517273-1204454084-512
>sambaSID: S-1-5-21-952094410-1508517273-1204454084-2996
>
>pdbedit -Lv testuser1
><snip>
>User SID:             S-1-5-21-1414736517-1990894286-2385622597-3000
>Primary Group SID:    S-1-5-21-1414736517-1990894286-2385622597-513
>
>Who knows which SID is in smbldap_conf and which SID is in dn=SambaDomainName,dc=wbcoll,dc=edu
>
>This should be one of the first things you check.
>
>Also - just for a point of reference (not that what I do is at all correct or even recommended by the many people that know way more than I do), I set the primary posix gid for all users to a posix labeled group and my /etc/samba/smbusers looks like this:
># cat /etc/samba/smbusers
># Unix_name = SMB_name1 SMB_name2 ...
>root = Administrator administrator admin
>nobody = guest pcguest smbguest
>
>I hope this helps.
>
>Craig
>
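An added example, not code from either poster: a small offline checker for the two points made in this thread, whether a machine account's DN is reachable with the nss_base_* scope (?one vs ?sub) Ildefonso suggests, and whether the sambaSID/sambaPrimaryGroupSID of each account share the domain SID in the sambaDomainName entry, the check Craig recommends doing first. The LDIF below is constructed: the SIDs are the values quoted above, the machine account pc01$ is invented.

```python
# Added example (not from the thread). The LDIF is constructed: the SIDs are
# the values quoted above, the machine account pc01$ is invented.
SAMPLE_LDIF = """\
dn: sambaDomainName=WBCOLL,dc=wbcoll,dc=edu
sambaSID: S-1-5-21-1414736517-1990894286-2385622597

dn: uid=Administrator,ou=Users,dc=wbcoll,dc=edu
sambaSID: S-1-5-21-952094410-1508517273-1204454084-2996
sambaPrimaryGroupSID: S-1-5-21-952094410-1508517273-1204454084-512

dn: uid=pc01$,ou=Computers,dc=wbcoll,dc=edu
sambaSID: S-1-5-21-1414736517-1990894286-2385622597-3002
sambaPrimaryGroupSID: S-1-5-21-1414736517-1990894286-2385622597-515
"""

def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, single-valued attributes only."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = dict(line.partition(": ")[::2] for line in block.splitlines())
        entries.append(entry)
    return entries

def in_scope(dn, base, scope):
    """Would an nss_ldap search with this base and scope ('one' or 'sub')
    return dn?  Naive comma split; fine for DNs without escaped commas."""
    rdns = [r.strip().lower() for r in dn.split(",")]
    base_rdns = [r.strip().lower() for r in base.split(",")]
    depth = len(rdns) - len(base_rdns)
    if depth < 1 or rdns[-len(base_rdns):] != base_rdns:
        return False
    return scope == "sub" or depth == 1

def sid_mismatches(entries):
    """(dn, attribute) pairs whose SID prefix differs from the domain SID held
    in the sambaDomainName entry: the check Craig recommends doing first."""
    domain_sid = next(e["sambaSID"] for e in entries
                      if e["dn"].startswith("sambaDomainName="))
    bad = []
    for e in entries:
        if "sambaPrimaryGroupSID" not in e:      # not an account entry
            continue
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            if e[attr].rsplit("-", 1)[0] != domain_sid:   # strip the RID
                bad.append((e["dn"], attr))
    return bad
```

With the sample data the Administrator entry is reported on both SID attributes, and the machine account is only visible to nss_ldap with a ?sub search on dc=wbcoll,dc=edu, not with ?one on ou=Users.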