[Samba] Re: LDAP weirdness
sambauser at katehok.ac93.org
Wed Oct 20 14:27:58 GMT 2004
Ilia Chipitsine wrote:
> Dear Sirs,
> I installed OpenLDAP and smbldap-tools by IDEALX.
> samba is 3.0.7, smbldap is 0.8.5
> what else did I do:
> 1) smbldap-populate
> 2) pdbedit -i smbpasswd:/usr/local/private/smbpasswd -e
> 3) smbpasswd -w <clear text password>
> what is not very clear, should I use the same Manager account or not.
It should be the password of the 'ldap admin dn' listed in your smb.conf.
> however, account information was exported to LDAP successfully.
> samba is running well over that data. users can log in.
> but, when I do "net groupmap ..." I'm getting errors:
> sol# net groupmap list
> [2004/10/20 19:40:25, 0] lib/smbldap.c:smbldap_search_domain_info(1338)
> Adding domain info for SOLAR failed with NT_STATUS_UNSUCCESSFUL
This means that 'ldap admin dn' does not have write access to the tree
listed as 'ldap suffix' in your smb.conf file. You can fix it either in
the slapd.conf file by adding the correct 'access' statement or by
changing 'ldap admin dn' to one which already has the right access.
> Domain Admins (S-1-5-21-1906877464-905504629-2230954338-512) -> 512
> Domain Users (S-1-5-21-1906877464-905504629-2230954338-513) -> school
> Domain Guests (S-1-5-21-1906877464-905504629-2230954338-514) -> 514
> Print Operators (S-1-5-32-550) -> 550
> Backup Operators (S-1-5-32-551) -> 551
> Replicators (S-1-5-32-552) -> 552
Those numbers mean that smbldap-populate expects that builtin Domain
Group SIDs should be mapped into UNIX groups with the gid the same as the
RID part of the SID. Since you already have one of the gids reserved for a
group named 'school', it's not a good assumption for your site. You may
want to create your own UNIX groups for 'Domain Admins' and so on and
then use 'net groupmap modify' to update the mapping.
> why pdbedit successfully migrated data, but net groupmap doesn't want to
> work with that ?
> Ilia Chipitsine
Hope it helps,
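
The following is an added example, not part of the original message or of Samba: a small audit of the 'net groupmap list' output quoted above that flags mappings pointing at a bare gid or at an unrelated existing group and prints the matching 'net groupmap modify' command. The UNIX group names in INTENDED are hypothetical, and the script assumes, as the quoted output suggests, that a bare number on the right-hand side is a gid that did not resolve to a group name.

```python
import re

# Constructed sample: the `net groupmap list` lines quoted in the message above.
SAMPLE = """\
Domain Admins (S-1-5-21-1906877464-905504629-2230954338-512) -> 512
Domain Users (S-1-5-21-1906877464-905504629-2230954338-513) -> school
Domain Guests (S-1-5-21-1906877464-905504629-2230954338-514) -> 514
Print Operators (S-1-5-32-550) -> 550
Backup Operators (S-1-5-32-551) -> 551
Replicators (S-1-5-32-552) -> 552
"""
# Hypothetical site-specific UNIX group names; replace with your own groups.
INTENDED = {"Domain Admins": "domadmins", "Domain Users": "domusers",
            "Domain Guests": "domguests"}
LINE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1(?:-\d+)+)\) -> (?P<unix>.+)$")

def parse_groupmap(text):
    """Parse mapping lines into dicts; log lines and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            sid = m.group("sid")
            entries.append({"ntgroup": m.group("nt"), "sid": sid,
                            "rid": int(sid.rsplit("-", 1)[1]),
                            "unixgroup": m.group("unix").strip()})
    return entries

def audit(entries, intended):
    """Return (ntgroup, issue, suggested_command_or_None) for risky mappings."""
    findings = []
    for e in entries:
        nt, unix = e["ntgroup"], e["unixgroup"]
        want = intended.get(nt)
        if unix.isdigit():
            # Bare gid (assumed unresolved): a group later given it gets the mapping.
            issue = "unresolved-gid"
        elif want is not None and unix != want:
            # The gid already belonged to an unrelated local group.
            issue = "unexpected-group"
        else:
            continue
        cmd = f'net groupmap modify ntgroup="{nt}" unixgroup={want}' if want else None
        findings.append((nt, issue, cmd))
    return findings

if __name__ == "__main__":
    for nt, issue, cmd in audit(parse_groupmap(SAMPLE), INTENDED):
        print(f"{nt}: {issue}" + (f" -> {cmd}" if cmd else ""))
```

Create the intended UNIX groups before running the suggested commands, then re-run the audit on fresh 'net groupmap list' output to confirm nothing is still flagged.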