[idx-smbldap-tools ] RE: [Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED
Mohammad Reza
reza at mra.co.id
Thu Jul 22 08:59:51 GMT 2004
Partially Solved:
http://lists.samba.org/archive/samba/2004-May/085233.html
thanks om Wisnu...
Has anyone succeeded in placing Users and Computers in different ou's?
regards
reza
-----Original Message-----
From: Mohammad Reza
Sent: Thu 7/22/2004 1:56 PM
To: Craig White; idx-smbldap-tools at lists.IDEALX.org; samba at lists.samba.org
Cc:
Subject: [idx-smbldap-tools ] RE: [Samba] Samba+LDAP - so close yet so far :) ...STILL NOTSOLVED
> Dear lists...
>
> But this still hasn't solved the real problem of joining w2k to samba3-ldap.
> I'm here with the same situation.
> I even switched my distro to SuSE with the same result; still can't join the domain.
> Please give us a hint on how to solve or debug this problem.
> ----
You will need to work through the examples in the Samba How-to:
http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/
I haven't a clue where you are at or what your problem is.
Craig
My problem is that I can't join my w2k machine to the Samba-LDAP server.
The error from the w2k machine is "Logon Failure: bad user name and password"
when I try to join with the Administrator account and the right password.
My Linux is Fedora Core 2 with samba-3.0.3-5, openldap-2.1.29-1 and smbldap-tools-0.8.5-1
My configuration is:
#####smb.conf###########
# Global parameters
[global]
workgroup = MRAGROUP
netbios name = PDC-SMB3
interfaces = 172.16.0.237
username map = /etc/samba/smbusers
#admin users= @"Domain Admins"
server string = Samba Server %v
security = user
encrypt passwords = Yes
min passwd length = 3
obey pam restrictions = No
#unix password sync = Yes
#passwd program = /usr/local/sbin/smbldap-passwd -u %u
#passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
ldap passwd sync = Yes
log level = 5
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
logon script = logon.bat
logon drive = H:
logon home =
logon path =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
# passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"
# ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
#ldap admin dn = cn=samba,ou=Users,dc=idealx,dc=org
ldap admin dn = cn=Manager,dc=mragroup,dc=net
ldap suffix = dc=mragroup,dc=net
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
#ldap ssl = start tls
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
#delete user script = /usr/local/sbin/smbldap-userdel "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/local/sbin/smbldap-groupdel "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
# printers configuration
printer admin = @"Print Operators"
load printers = Yes
create mask = 0640
directory mask = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no
[homes]
comment = repertoire de %U, %u
read only = No
create mask = 0644
directory mask = 0775
browseable = No
[netlogon]
path = /home/netlogon/
browseable = No
read only = yes
[profiles]
path = /home/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
# next line allows administrator to access all profiles
valid users = %U @"Domain Admins"
[printers]
comment = Network Printers
printer admin = @"Print Operators"
guest ok = yes
printable = yes
path = /home/spool/
browseable = No
read only = Yes
printable = Yes
print command = /usr/bin/lpr -P%p -r %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
[print$]
path = /home/printers
guest ok = No
browseable = Yes
read only = Yes
valid users = @"Print Operators"
write list = @"Print Operators"
create mask = 0664
directory mask = 0775
[public]
comment = Repertoire public
path = /home/public
browseable = Yes
guest ok = Yes
read only = No
directory mask = 0775
create mask = 0664
######openldap/slapd.conf#############
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
database ldbm
directory /var/lib/ldap
suffix "dc=mragroup,dc=net"
rootdn "cn=Manager,dc=mragroup,dc=net"
rootpw xxxxxx
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
access to *
by * read
########openldap/ldap.conf#######
HOST 127.0.0.1
BASE dc=mragroup,dc=net
########/etc/openldap.conf#######
host 127.0.0.1
base dc=mragroup,dc=net
rootbinddn cn=nssldap,ou=DSA,dc=mragroup,dc=net
nss_base_passwd dc=mragroup,dc=net?sub
nss_base_shadow dc=mragroup,dc=net?sub
nss_base_group ou=Groups,dc=mragroup,dc=net?one
ssl no
pam_password md5
#######/etc/nsswitch.conf#########
passwd: files ldap
shadow: files ldap
group: files ldap
Creating Users, Computers and Groups with smbldap-tools works fine.
#/usr/local/sbin/smbldap-usershow administrator
dn: uid=Administrator,ou=Users,dc=mragroup,dc=net
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSAMAccount,posixAccount,shadowAccount
gidNumber: 512
uid: Administrator
uidNumber: 0
homeDirectory: /home/Administrator
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\PDC-SMB3\home\Administrator
sambaHomeDrive: H:
sambaProfilePath: \\PDC-SMB3\home\profiles\Administrator\
sambaPrimaryGroupSID: S-1-5-21-987332969-2931392798-896433562-512
sambaSID: S-1-5-21-987332969-2931392798-896433562-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: BBBDA461DC390736B8FCC6137C839435
sambaAcctFlags: [U]
sambaNTPassword: 8116801F88AC668563729B0D847B4AC4
sambaPwdLastSet: 1090472263
sambaPwdMustChange: 1094360263
userPassword: {SSHA}mNLj7lACG35dV1T5cDK7fBgjzN4y5C6H
#getent passwd | grep Administrator
Administrator:x:0:512:Netbios Domain Administrator:/home/Administrator:/bin/false
#pdbedit -Lv test
--snip--
Unix username: test
NT username: test
Account Flags: [U ]
User SID: S-1-5-21-987332969-2931392798-896433562-3000
Primary Group SID: S-1-5-21-987332969-2931392798-896433562-513
Full Name: System User
Home Directory: \\PDC-SMB3\home\test
HomeDir Drive: H:
Logon Script: logon.bat
Profile Path: \\PDC-SMB3\home\profiles\test
Domain: MRAGROUP
Account desc: System User
Workstations:
Munged dial:
Logon time: 0
Logoff time: Sat, 14 Dec 1901 03:45:51 GMT
Kickoff time: Sat, 14 Dec 1901 03:45:51 GMT
Password last set: Thu, 22 Jul 2004 11:58:12 GMT
Password can change: 0
Password must change: Sun, 05 Sep 2004 11:58:12 GMT
Last bad password : 0
Bad password count : 0
Yes, the guide (http://idealx.org) said I must place Users and Computers in different ou's, and I noticed that some people place them in the same ou because of a bug in Samba. But even when I place them in the same ou, I still can't join the domain, with the same error.
Is there something I missed? Please help me.
regards
reza
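As an added check (not from the thread, Samba or smbldap-tools), here is a small Python script that parses the [global] section of an smb.conf like the one posted above and flags the ldapsam settings a reviewer would look at first: a plain ldap:// URL without StartTLS, the idmap suffix sharing ou=Users, and users and machines sharing one ou. SMB_CONF is a constructed excerpt of the posted configuration.

```python
# Constructed excerpt of the [global] section posted above (values copied as-is).
SMB_CONF = """\
[global]
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=mragroup,dc=net
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
#ldap ssl = start tls
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
"""

def parse_global(text):
    """Return the [global] parameters as a lower-cased dict. smb.conf treats lines
    starting with '#' or ';' as comments, so a commented-out setting is absent."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def check_ldap_backend(params):
    """Consistency and exposure checks for an ldapsam passdb backend."""
    backend = params.get("passdb backend", "")
    if not backend.startswith("ldapsam:"):
        return ["passdb backend is not ldapsam: the ldap * parameters are unused"]
    url = backend.split(":", 1)[1]
    user, machine, idmap = (params.get(k) for k in
        ("ldap user suffix", "ldap machine suffix", "ldap idmap suffix"))
    findings = []
    # On a plain ldap:// URL the admin dn bind and the LM/NT hashes cross the wire
    # in cleartext unless StartTLS is negotiated; harmless on 127.0.0.1, not elsewhere.
    if not url.startswith("ldaps://") and params.get("ldap ssl", "").lower() != "start tls":
        findings.append("no start tls on " + url + ": admin dn bind and hashes may be sent in cleartext")
    if user and idmap == user:
        findings.append("ldap idmap suffix equals ldap user suffix: idmap objects will land among user accounts; use a dedicated ou")
    if user and machine == user:
        findings.append("ldap user suffix equals ldap machine suffix: users and machine accounts share one ou")
    if "add machine script" not in params:
        findings.append("no add machine script: the PDC cannot create machine accounts during a join")
    if "ldap admin dn" not in params:
        findings.append("no ldap admin dn: Samba has no credential to write to the directory")
    return findings
```

Run against the posted config it reports two findings (no StartTLS on a loopback URL, and idmap sharing ou=Users); the separate ou's for Users and Computers pass.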