[Samba] having problems with samba 3 + net groupmap
asky
asky at datasphir.com
Thu May 6 14:35:51 GMT 2004
Hi,
Could somebody help me out here? I have samba-3.02a, openldap-2.1.25 on
mandrake 10 and I'm trying to set up a PDC. This is what I've done so far:
1. configured ldap for both server and client, that is slapd.conf,
ldap.conf and ldap.secret
2. edited pam.d/samba
3. edited nsswitch.conf
4. configured samba - smb.conf
5. added the ldap password to secrets.tdb
6. configured smbldap-tools using the configure.pl script ( smbldap.conf
and smbldap_bind.conf)
7. populated the ldap db using the smbldap-populate script
Everything works ok up to this point, but when I try to use the net tools
to manage groups I get these errors:
[root at pdc root]# net groupmap modify ntgroup="Administrators"
unixgroup="domadmin"
[2004/05/06 09:25:14, 0]
passdb/pdb_ldap.c:ldapsam_update_group_mapping_entry(2015)
ldapsam_update_group_mapping_entry: No group to modify!
Could not update group database
[root at pdc root]# net groupmap add rid=513 unixgroup="users" type=domain
ntgroup="Domain Users"
adding entry for group Domain Users failed!
This is what I get when I do a net groupmap list:
Domain Admins (S-1-5-21-405122049-3903294769-2376448101-512) -> Domain
Admins
users (S-1-5-21-405122049-3903294769-2376448101-545) -> Domain Users
Domain Guests (S-1-5-21-405122049-3903294769-2376448101-514) -> Domain
Guests
Administrators (S-1-5-21-405122049-3903294769-2376448101-544) ->
Administrators
users (S-1-5-21-405122049-3903294769-2376448101-545) -> Users
Guests (S-1-5-21-405122049-3903294769-2376448101-546) -> Guests
Power Users (S-1-5-21-405122049-3903294769-2376448101-547) -> Power Users
Account Operators (S-1-5-21-405122049-3903294769-2376448101-548) ->
Account Operators
Server Operators (S-1-5-21-405122049-3903294769-2376448101-549) ->
Server Operators
Print Operators (S-1-5-21-405122049-3903294769-2376448101-550) -> Print
Operators
Backup Operators (S-1-5-21-405122049-3903294769-2376448101-551) ->
Backup Operators
Replicator (S-1-5-21-405122049-3903294769-2376448101-552) -> Replicator
Domain Computers (S-1-5-21-405122049-3903294769-2376448101-553) ->
Domain Computers
I did some basic testing and got the following:
[root at pdc root]# smbclient -L localhost -U%
Domain=[NIJACOL] OS=[Unix] Server=[Samba 3.0.2a]
Sharename Type Comment
--------- ---- -------
netlogon Disk Network Logon Service
print$ Disk
pdf-generator Printer PDF Generator (only valid users)
public Disk Repertoire public
IPC$ IPC IPC Service (Samba Server 3.0.2a)
ADMIN$ IPC IPC Service (Samba Server 3.0.2a)
Domain=[NIJACOL] OS=[Unix] Server=[Samba 3.0.2a]
Server Comment
--------- -------
ADMIN-DEPT-DSL Admin Department, DSL
EC13 Scanner_Color Printer
EC6
PDC Samba Server 3.0.2a
SERVER2
Workgroup Master
--------- -------
NIJACOL PDC
SUSE MAIL
[root at pdc root]# smbclient3 '\\PDC\printer$' -U Administrator
Password:
tree connect failed: Call returned zero bytes (EOF)
Here are my configuration files:
/etc/ldap.conf file
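# /etc/ldap.conf -- nss_ldap / pam_ldap client settings
# Directory server used for every name-service and PAM lookup.
host pdc.nijacol.net
base dc=nijacol,dc=net
# Root-only binds use this DN with the password read from /etc/ldap.secret.
# NOTE(review): this is the slapd rootdn, which bypasses every slapd ACL;
# a dedicated, less-privileged bind DN would limit what a leaked
# /etc/ldap.secret can do.
rootbinddn cn=root,dc=nijacol,dc=net
# Default search scope; the nss_base_* entries below override it with "?one".
scope one
# PAM: which entries count as login accounts, and the login-name attribute.
pam_filter objectclass=posixaccount
pam_login_attribute uid
# presumably meant for group-membership checks; "gid" is not the attribute
# pam_ldap documents as its default for this option — verify against pam_ldap(5)
pam_member_attribute gid
# Hash pam_ldap stores when it changes a password (unsalted MD5; check
# whether the installed pam_ldap offers a salted scheme or the exop method).
pam_password md5
# NSS search bases, one level below each container.  The container is
# spelled "People" consistently here; slapd compares ou values
# case-insensitively, so this matches the same entry as "ou=people".
nss_base_passwd ou=People,dc=nijacol,dc=net?one
nss_base_shadow ou=People,dc=nijacol,dc=net?one
nss_base_group ou=Groups,dc=nijacol,dc=net?one
nss_base_hosts ou=Hosts,dc=nijacol,dc=net?one
# Plain-text LDAP: binds, including the rootbinddn password, cross the wire
# unencrypted unless pdc.nijacol.net resolves to this host — TODO confirm
ssl off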
/etc/openldap/slapd.conf file
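# /etc/openldap/slapd.conf -- OpenLDAP 2.1 server configuration
# Schema: nis.schema supplies posixAccount/posixGroup, samba.schema supplies
# sambaSamAccount/sambaGroupMapping; both are required by Samba's ldapsam.
include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
include /usr/share/openldap/schema/corba.schema
include /usr/share/openldap/schema/inetorgperson.schema
include /usr/share/openldap/schema/misc.schema
include /usr/share/openldap/schema/nis.schema
include /usr/share/openldap/schema/openldap.schema
# Samba schema taken from the samba-doc examples directory; it must match the
# running Samba version (3.0.2a here) or schema checking may reject the
# attributes the group-mapping code writes.
include /usr/share/doc/samba-doc-3.0.2a/examples/LDAP/samba.schema
# Define global ACLs to disable default read access.
include /etc/openldap/slapd.access.conf
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args
modulepath /usr/lib/openldap
# ldbm database definitions
# NOTE(review): ldbm is the legacy backend; bdb is the one OpenLDAP 2.1
# recommends — worth considering when the directory is next rebuilt.
database ldbm
suffix "dc=nijacol,dc=net"
# The rootdn is exempt from every ACL in slapd.access.conf.  Samba's
# "ldap admin dn" and smbldap-tools both bind as it, so those ACLs never
# apply to their writes.
rootdn "cn=root,dc=nijacol,dc=net"
# NOTE(review): unsalted {MD5}; "slappasswd -h {SSHA}" produces a salted
# hash.  This value has appeared in a public mailing-list post and should
# be rotated.
rootpw {MD5}G8u9oftfrVzk7wt0OLaffQ==
directory /var/lib/ldap
# Indices to maintain
# NOTE(review): Samba resolves group mappings by sambaSID and gidNumber;
# an "eq" index on sambaSID avoids unindexed searches on that attribute.
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial
# logging
# 256 = connection/operation/result statistics
loglevel 256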
/etc/openldap/slapd.access.conf file
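# /etc/openldap/slapd.access.conf -- slapd ACLs, included from slapd.conf
# Rules are evaluated in order; the first "access to" clause that matches an
# entry/attribute decides.  The rootdn (cn=root) is exempt from all of them,
# and it is what Samba's "ldap admin dn" and smbldap-tools bind as.
# Continuation lines (attrs=, by ...) must begin with whitespace, otherwise
# slapd reads them as unknown directives.
#
# Password material: the owner may change it, anyone may bind with it,
# nobody else may read it.  (sambaPwdLastSet/sambaPwdMustChange are
# timestamps, not secrets, but shielding them here is harmless.)
access to dn=".*,dc=nijacol,dc=net"
 attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
 by dn="cn=root,dc=nijacol,dc=net" write
 by self write
 by anonymous auth
 by * none
# POSIX account/group attributes: readable by everyone (non-root processes
# using nss_ldap bind anonymously, since only root can read ldap.secret),
# writable only by cn=root.
access to dn=".*,dc=nijacol,dc=net"
 attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
 by dn="cn=root,dc=nijacol,dc=net" write
 by * read
# Users may update their own mail attribute.
access to dn=".*,dc=nijacol,dc=net" attrs=mail
 by dn="cn=root,dc=nijacol,dc=net" write
 by self write
 by * read
# Everything else under ou=People is world-readable.
access to dn=".*,ou=People,dc=nijacol,dc=net"
 by * read
# Catch-all for the remaining attributes (including Samba's sambaSID,
# sambaGroupType, ...): self-writable, world-readable.  If "ldap admin dn"
# is ever moved off the rootdn, that DN needs an explicit "by dn=... write"
# here to manage group mappings.
# NOTE(review): the dn patterns are unanchored regexes; "^...$" is the
# documented form, though it matches the same entries in this
# single-suffix tree.
access to dn=".*,dc=nijacol,dc=net"
 by self write
 by * read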
/etc/samba/smb.conf file
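[global]
# --- identity / networking --------------------------------------------
workgroup = nijacol
netbios name = pdc
interfaces =
#username map = /etc/samba/smbusers
server string = Samba Server %v
# --- authentication ---------------------------------------------------
security = user
encrypt passwords = Yes
min passwd length = 5
obey pam restrictions = No
# With "ldap passwd sync = Yes" Samba writes the LDAP userPassword itself,
# so the passwd program / chat below only matter if that is turned off.
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
ldap passwd sync = Yes
unix password sync = Yes
# --- logging ----------------------------------------------------------
# "log level = 0" hides the reason behind passdb failures such as
# "No group to modify"; raising it (e.g. "log level = 3 passdb:10") while
# debugging shows the LDAP searches Samba issues and what they return.
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
# Only consulted by the smbpasswd backend; unused with passdb backend = ldapsam.
smb passwd file = /etc/samba/smbpasswd
# First line of defence: loopback plus the three /24 networks, nothing else.
hosts allow = 127.0.0.1 192.168.1 192.168.0 192.168.3
wins support = Yes
dns proxy = No
# --- domain controller role -------------------------------------------
logon script = %U.bat
logon path = \\%L\Profiles\%U
logon drive = X:
domain logons = Yes
domain master = Yes
os level = 85
# Samba accepts this spelling as a synonym of "preferred master".
prefered master = yes
local master = Yes
# --- winbind / idmap --------------------------------------------------
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = Yes
winbind enum groups = Yes
# --- LDAP passdb ------------------------------------------------------
passdb backend = ldapsam:ldap://localhost:389
# This is the slapd rootdn, which bypasses slapd's ACLs entirely.  A
# dedicated DN with write access to the People/Groups/Computers containers
# would confine the damage of a compromised secrets.tdb.
ldap admin dn = cn=root,dc=nijacol,dc=net
ldap suffix = dc=nijacol,dc=net
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
# NOTE(review): idmap entries (sambaIdmapEntry) will be written into the same
# container as user accounts; a separate ou (e.g. ou=Idmap, created in LDAP
# first) is the usual layout — confirm this is intended.
ldap idmap suffix = ou=People
# Clear-text LDAP; acceptable only while the URI above stays on localhost.
ldap ssl = No
add user script = /usr/local/sbin/smbldap-useradd.pl -m '%u'
# delete user script = /usr/local/sbin/smbldap-userdel.pl %u
add group script = /usr/local/sbin/smbldap-groupadd.pl -p '%g'
#delete group script = /usr/local/sbin/smbldap-groupdel.pl '%g'
add user to group script = /usr/local/sbin/smbldap-groupmod.pl -m '%g' '%u'
delete user from group script = /usr/local/sbin/smbldap-groupmod.pl -x '%g' '%u'
set primary group script = /usr/local/sbin/smbldap-usermod.pl -g '%g' '%u'
add machine script = /usr/local/sbin/smbldap-useradd.pl -w '%u'
#printer configuration
# NOTE(review): check with testparm that the quoted group name is kept as a
# single list element.
printer admin = @"Print Operators"
load printers = Yes
create mask = 0640
directory mask = 0750
nt acl support = No
printing = cups
printcap name = cups
# NOTE(review): "deadtime" is a whole number of minutes of idle time before a
# connection is dropped, not a printing-system name; "cups" looks like a
# copy/paste slip and most likely ends up as 0 (never disconnect) — testparm
# shows the effective value.
deadtime = cups
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/initrd
show add printer wizard = Yes
preserve case = Yes
short preserve case = Yes
case sensitive = No
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
read only = No
create mask = 0644
directory mask = 0775
browseable = no
writable = yes
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
# Read-only and guest-readable; every domain client executes the logon
# scripts stored here, so the directory's contents must stay trusted.
guest ok = yes
writable = no
[Profiles]
path = /var/lib/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
browseable = No
# NOTE(review): guest access on a profiles share is unnecessary — clients
# connect as the logging-on user — and "valid users" below already limits who
# may connect; consider guest ok = No.
guest ok = Yes
profile acls = Yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
# next line allows administrator to access all profiles
# NOTE(review): without an "@" prefix Samba reads "Domain Admins" as a user
# name, not a group; @"Domain Admins" is the group form — verify with
# testparm -s before relying on the administrator access described above.
valid users = %U "Domain Admins"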
/etc/samba/smbldap file
# smbldap.conf -- settings read by the smbldap-* scripts
# UID and GID starting at...
UID_START="1000"
GID_START="1000"
# Domain SID; must equal "net getlocalsid" on the PDC, otherwise the RIDs
# the scripts append (e.g. 513 below) do not form the domain's own SIDs.
SID="S-1-5-21-405122049-3903294769-2376448101"
# Both the "slave" (read) and "master" (write) server are the local slapd.
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
# No TLS; acceptable only while the addresses above really are loopback.
ldapTLS="0"
suffix="dc=nijacol,dc=net"
usersdn="ou=People,dc=nijacol,dc=net"
computersdn="ou=Computers,dc=nijacol,dc=net"
groupsdn="ou=Groups,dc=nijacol,dc=net"
scope="sub"
# NOTE(review): unsalted MD5 for userPassword; check whether this
# smbldap-tools release accepts a salted scheme (SSHA) here.
hash_encrypt="MD5"
# Defaults applied to newly created accounts
userLoginShell="/bin/bash"
userHomePrefix="/home/"
userGecos="System User"
# presumably the gidNumbers smbldap-populate gave "Domain Users" and
# "Domain Computers" — verify against the ou=Groups entries
defaultUserGid="513"
defaultComputerGid="553"
skeletonDir="/etc/skel"
# presumably days — confirm in the smbldap-tools documentation
defaultMaxPasswordAge="45"
# NOTE(review): depending on how the scripts parse this file, "\\pdc\\home"
# may be stored as "\pdc\home" rather than a UNC path — check sambaHomePath
# on a freshly created user.
userSmbHome="\\pdc\\home"
userProfile=""
userHomeDrive="X:"
# presumably: with_smbpasswd=0 makes the scripts compute the NT/LM hashes
# via mk_ntpasswd instead of invoking smbpasswd — verify
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
mk_ntpasswd="/usr/local/sbin/mkntpwd"
# URIs built from the host/port settings above.
slaveURI="ldap://$slaveLDAP:$slavePort"
masterURI="ldap://$masterLDAP:$masterPort"
ldap_path="/usr/bin"
/etc/smbldap-tools/smbldap_bind.conf file
# smbldap_bind.conf -- credentials the smbldap-* scripts bind with
# Contains clear-text passwords: keep this file root-owned with mode 0600.
# NOTE(review): both DNs are the slapd rootdn, so the scripts run with no ACL
# restrictions at all; a dedicated admin DN would be less privileged.
# NOTE(review): this password has now appeared in a public mailing-list post
# and should be changed here, in slapd.conf (rootpw) and in Samba's
# secrets.tdb, which all share it.
slaveDN="cn=root,dc=nijacol,dc=net"
slavePw="nethawk"
masterDN="cn=root,dc=nijacol,dc=net"
masterPw="nethawk"
One other thing: apart from the pam.d/samba file, do I have to edit the
pam.d/sys-auth file to include the pam_ldap.so module? Because when I do
that, I find that ldap dies on me and I can log on to the box.
Thanks in advance for any help.
Asky