[Samba] Samba3 by example problems

[John H Terpstra]

On Thursday 13 January 2005 09:43, Angela Williams wrote:
> Hi All,
> I am going through a setup of a test samba3 box with rh9 with my self
> rolled copy of 3.0.10. I have removed the old rpm version of samba. I
> compiled 3.0.10 with all defaults except for the install prefix which I set
> to /usr/local/samba3.

Update your smbldap-tools to the latest version from www.idealx.org.
Samba-3.0.10 is NOT compatible with version 0.8.2 that is included with the 
book. You should be using version 0.8.5.3. Also, with this version do not 
include the '.pl' part of the filename in the smb.conf file. That has changed 
since 0.8.2.

>
> I followed the steps given in Chap 6 - making users happy in the online
> html version.
> I changed a few things. Instead of MASSIVE as the PDC  name I used
> ROSSMOULD and also changed the abmas to rossmould in all the ldap configs.
> I also left off most of the shares so the my smb.conf file looks thusly
>
> --------------------------------------
> [global]
> unix charset = LOCALE
> workgroup = ROSSMOULD
> netbios name = ROSSPDC
> interfaces = eth0, lo
> bind interfaces only = Yes
> passdb backend = ldapsam:ldap://rosspdc.rossmould.biz
> username map = /usr/local/samba3/private/smbusers
> log level = 1
> syslog = 0
> log file = /var/log/samba/%m
> max log size = 50
> smb ports = 139 445
> name resolve order = wins bcast hosts
> time server = Yes
> printcap name = CUPS
> show add printer wizard = No
> add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
> delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
> add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
> delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
> add user to group script = /var/lib/samba/sbin/ smbldap-groupmod.pl -m '%u'
> '%g'
> delete user from group script = /var/lib/samba/sbin/ smbldap-groupmod.pl -x
> '%u' '%g'
> set primary group script = /var/lib/samba/sbin/ smbldap-usermod.pl -g '%g'
> '%u'
> add machine script = /var/lib/samba/sbin/ smbldap-useradd.pl -w '%u'
> logon script = scripts\logon.bat
> logon path = \\%L\profiles\%U
> logon drive = X:
> domain logons = Yes
> preferred master = Yes
> wins support = Yes
> ldap suffix = dc=rossmould,dc=biz
> ldap machine suffix = ou=People
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=Manager,dc=rossmould,dc=biz
> idmap backend = ldap:ldap://rosspdc.rossmould.biz
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> map acl inherit = Yes
> printing = cups
> printer admin = Administrator, sreynolds
>
> # The shares
>
> [netlogon]
> comment = Network Logon Service
> path = /home/netlogon
> guest ok = Yes
> locking = No
>
> [profiles]
> comment = Profile Share
> path = /home/profiles
> read only = No
> profile acls = Yes
>
> [profdata]
> comment = Profile Data Share
> path = /home/profdata
> read only = No
> profile acls = Yes
>
> [print$]
> comment = Printer Drivers
> path = /home/drivers
> browseable = yes
> guest ok = no
> read only = yes
> write list = Administrator, sreynolds
>
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> browseable = No
>
> [printers]
> comment = SMB Print Spool
> path = /var/spool/samba
> guest ok = Yes
> printable = Yes
> browseable = No
>
> --------------------------------------
>
> I have found the following inconsistencies.
>
> First one was in Samba-3 PDC Configuration section 2
> root#  testparm -s > test.conf
>
> The $IPC share does not display which I assumed to be correct

Do NOT include a service definition in your smb.conf file for [IPC$]. It is 
not needed.

>
> Section 5 is also problematic.
>
> root#  smbclient -L localhost -U%
> Times out and if the smbd log is checked it falls over in trying to have
> chatties with the ldap server which is needless to say not running.
> Ofcourse the net command fails as well.
>
> I then plodded on and did the config of the ldap server and got it up and
> running. This is in LDAP Initialization and Creation of User and Group
> Accounts section 1. I used service ldap start - being redhatish
>
> I then reran the sbclient -L massive -U% command,
> Worked as advertised.
> I could then run the net command to get the SID anf put it
> into /var/lib/samba/sbin/smbldap_conf.pm
> I used the IdealX scripts that came with the 3.0.10 source and compiled
> mkntpwd just fine.

Please do NOT use the Idealx scripts that come with Samba 3.0.10 - please 
obtain a fresh current version from Idealx.Org.

>
> Next problem cropped up in adding the users with
> root#  ./smbldap-populate.pl.
> First crash was missing cpan module Net::LDAP so no probs just configured
> cpan and loaded it!
> Now the perl script ran but barfed at
> adding new entry: ou=People,dc=rossmould,dc=biz
> failed to add entry: Already exists at ./smbldap-populate.pl line 323,
> <GEN1> line 5.

Yes. That is expected since both Computer accounts and User accounts will be 
in  ou=People.

>
> The script had already added People and Groups ou's and then went on the
> add the Administrators ou after the error
>
> (Rather confusing to have this list say that having computers in their own
> ou works but a big warning in the the e-book say it does not work!)

This has been discussed ad nauseum on this list. Suggest you go back over the 
history of this discussion thread in the archives.

>
> Be that as it may i then pressed on to checking the ldap database for per
> section 5 after ldap was stopped and started.
> root#  slapcat | grep -i idmap gave no output so idmap does not exist in
> the database.

This is solved with the new Idealx smbldap-tool scripts.

> Then followed the instructions to create and ldif with the required ou for
> idmap but when I tried to run
>  ldapadd -x -D "cn=Manager,dc=rossmould,dc=biz" -w not24get
> < /etc/openldap/idmap.LDIF
> (All one line!)
> I got back
> ldap_add: Constraint violation
>         additional info: structuralObjectClass: no user modification
> allowed

Known issues. See above comment for solution.

>
> ldif_record() = 19
>
> I'm rather new to ldap and other than playing around with some basic
> settings and adding and changing records with ldapadd and ldapmodify and
> ldif files and then searching the database I've not done anything else.
>
> I could go and set slapd to debug but I'd hate to reinvent the wheel if I
> can!
>
> One added point I used just about all cut 'n paste from the html pages to
> the various config files. Even used cut 'n paste to select them! Found a
> few problems in the long lines in the smb.conf parts but vi's j phixed
> that!
>
> Please help!

I am trying to do that. :)

Cheers,
John T.
-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.