[Samba] SAMBA/PDC + LDAP HELP please?

Ryan Taylor rtaylor82 at gmail.com
Tue Oct 4 21:49:26 GMT 2005


Hi, I have been trying to work this out on my own now for about a week
and feel like I am so close..haha. I have samba set up as a PDC and, in
theory, authenticating users through openLDAP with the use of
smbldap-tools by IDEALX. I have checked the Windows registry fix, but
still no luck. When I try to join the domain as root, I get the error:
"Username could not be found"

Any help would be greatly, greatly appreciated as I am at the end of my
time to get this job done. I don't need encryption and don't mind if
everything is plain text..(security is not an issue yet)

I have included all configs I believe are important (minus the comments,
to make them shorter); please let me know if I can provide anything
else!

Thank you in advance for your time,
Ryan Taylor
rtaylor82 at gmail.com

****************************** *******************
/ETC/SAMBA/SMB.CONF
**************************************************
#======================= Global Settings
=====================================
# smb.conf as posted to the list. The mail client wrapped several long
# lines (the passwd chat, the second passdb backend, the three group
# scripts) and the archive rendered addresses as "<http://...>" links;
# neither is part of the real file.
[global]
workgroup = BEEFY-NT
netbios name = PDC-SRV
#enable privileges = yes
# the "<http://192.168.0.69/>" suffix is an archive rendering artifact,
# not part of the value
interfaces = 192.168.0.69 <http://192.168.0.69/>
# the map is applied before the user is looked up; an entry that remaps
# "root" would make a root join fail with a name-not-found error, so it
# is worth checking given the reported "Username could not be found"
username map = /etc/samba/smbusers
server string = Samba Server %v
security = user
encrypt passwords = Yes
# three characters is a very weak minimum for domain passwords
min passwd length = 3
obey pam restrictions = No
#unix password sync = Yes
#passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
#passwd chat = "Changing password for*\nNew password*" %n\n "*Retype
new password*" %n\n"
ldap passwd sync = Yes
log level = 2
syslog = 2
log file = /var/log/samba/log.%m
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1

logon script = logon.bat
logon drive = H:
# left empty, presumably so the per-user sambaHomePath / sambaProfilePath
# attributes that smbldap-tools writes into LDAP apply instead
logon home =
logon path =

domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
# Samba binds to this server as "ldap admin dn"; that bind password is not
# in this file but in secrets.tdb (stored with "smbpasswd -w") -- if it was
# never stored, every LDAP write Samba attempts (including the machine
# account created on join) fails
passdb backend = ldapsam:ldap://127.0.0.1/
# passdb backend = ldapsam:"ldap://127.0.0.1/
ldap://slave.beefylinux.com" <ldap://slave.beefylinux.com%22>
# ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
# this is the slapd rootdn, which is exempt from the slapd ACLs -- that is
# what lets Samba read sambaNTPassword. Note the PADL ldap.conf binds as a
# different DN (cn=manager,ou=DSA,...)
ldap admin dn = cn=Manager,dc=beefylinux,dc=com
ldap suffix = dc=beefylinux,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
# idmap entries share the Users container (smbldap.conf idmapdn matches)
ldap idmap suffix = ou=Users
# commented out: the admin bind and the password hashes travel in clear,
# which is only tolerable while the directory stays on 127.0.0.1
#ldap ssl = start_tls
# "=m" looks like a typo for "-m" (compare the -w/-p/-m flags below), and
# the path differs from the /opt/IDEALX/sbin used by every other script
add user script = /usr/local/sbin/smbldap-useradd =m "%u"
# deleting a user removes the whole LDAP entry, not only its Samba attributes
ldap delete dn = Yes
#delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
# run during a domain join to create the machine account; depends on the
# stored bind password noted above
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
#delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
# the next three settings were wrapped by the mail client; each is one line
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u"
"%g"
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x
"%u" "%g"
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g"
"%u"

# printers configuration
printer admin = @"Print Operators"
load printers = Yes
# server-wide defaults; several shares below override them
create mask = 0640
directory mask = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
# "Bad User": a bad password for a known user is rejected, but a name that
# does not exist at all is silently mapped to the guest account
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile
folders:
preserve case = yes
short preserve case = yes
case sensitive = no

# range for winbind-allocated ids; separate from the uidNumber/gidNumber
# pool that smbldap-tools keeps in the sambaDomainName object
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
# only affects winbind template accounts; smbldap.conf creates users with
# /bin/bash
template shell = /bin/false
winbind use default domain = no
# per-user home share (the French comment string is a runtime value and
# is left exactly as written); 0775 makes new directories group-writable
[homes]
comment = repertoire de %U, %u
read only = No
create mask = 0644
directory mask = 0775
browseable = no

# serves logon.bat to every workstation at logon; read only keeps clients
# from altering a script that runs on all of them
[netlogon]
path = /home/netlogon/
browseable = No
read only = yes

# roaming profile store; 0600/0700 keep each profile private to its owner
[profiles]
path = /home/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
# guest ok on a profile share sits oddly next to the valid users line
# below, which limits access to the owner and Domain Admins; with
# "map to guest = Bad User" in [global] this deserves a second look
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
# next line allows administrator to access all profiles
valid users = %U @"Domain Admins"


# print queue shares; anonymous printing is allowed (guest ok)
[printers]
comment = Network Printers
printer admin = @"Print Operators"
guest ok = yes
printable = yes
path = /home/spool/
browseable = No
read only = Yes
# duplicate of "printable = yes" four settings up; both say yes so it is
# harmless, but one copy should go
printable = Yes
print command = /usr/bin/lpr -P%p -r %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j

# printer driver store
[print$]
path = /home/printers
printer admin = @"Print Operators"
guest ok = yes
browseable = Yes
read only = Yes
# "Printer Operators" does not exist: the "net groupmap list" output and
# every other reference in this file use "Print Operators" (S-1-5-32-550),
# so this line most likely matches nobody and locks everyone out
valid users = @"Printer Operators"
write list = @"Print Operators"
create mask = 0664
directory mask = 0775

# anonymous read/write share: guest ok together with read only = No lets
# anyone who can reach the server write here without authenticating
[public]
comment = Repertoire public
path = /home/public
browseable = Yes
guest ok = Yes
read only = No
directory mask = 0775
create mask = 0664

*************************************************
/etc/LDAP.CONF
*************************************************
# @(#)$Id: ldap.conf,v 1.34 2004/09/16 23:32:02 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# the "<http://127.0.0.1/>" suffix is an archive rendering artifact
host 127.0.0.1 <http://127.0.0.1/>
base dc=beefylinux,dc=com

# this is not the slapd rootdn (cn=Manager,dc=beefylinux,dc=com) and no
# ou=DSA container appears in any of the posted configs, so the privileged
# bind (password read from /etc/ldap.secret) most likely fails; anonymous
# lookups still succeed because slapd grants "access to * by * read",
# which hides the mismatch
rootbinddn cn=manager,ou=DSA,dc=beefylinux,dc=com
# two passwd bases, presumably so machine accounts resolve as users too;
# only nss_ldap builds that honour repeated nss_base_* directives use the
# second one -- TODO confirm for the installed version
nss_base_passwd ou=Users,dc=beefylinux,dc=com?one
nss_base_passwd ou=Computers,dc=beefylinux,dc=com?one

nss_base_shadow ou=Users,dc=beefylinux,dc=com?one

nss_base_group ou=Groups,dc=beefylinux,dc=com?one
# plaintext LDAP, loopback only; accepted by the author for now
ssl no
# password changes through PAM are hashed as MD5 before being written
pam_password md5

*******************************************************
/etc/openldap/ldap.conf
*******************************************************
# client defaults for the OpenLDAP tools; "<http://127.0.0.1/>" is an
# archive rendering artifact
HOST 127.0.0.1 <http://127.0.0.1/>
BASE dc=beefylinux,dc=com
# accepts any server certificate; irrelevant while TLS is off, but it
# should be tightened on the day start_tls is enabled
TLS_REQCERT allow

/etc/openldap/slapd.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# provides sambaSamAccount and the sambaDomainName object used below
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2


pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

# password attributes: the owner may rewrite them, anyone may authenticate
# against them, nobody else may read them. The rootdn is exempt from ACLs,
# which is how Samba (bound as cn=Manager) reads the NT hashes; the
# anonymous ldapsearch later in the post shows none of the three, as
# expected. sambaPasswordHistory is not listed and so falls under the
# read-all rule below.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
# everything else is readable without binding -- the "ldapsearch -x" in
# the post enumerates the directory with no credentials. Anything tighter
# would need nss_ldap to bind with a DN of its own.
access to *
by * read

database bdb
suffix "dc=beefylinux,dc=com"
rootdn "cn=Manager,dc=beefylinux,dc=com"
# cleartext rootpw; slapd accepts a hash here (slappasswd, present on this
# host at /usr/sbin/slappasswd, produces one). The same value is repeated
# in smbldap_bind.conf, and now that it sits in a public list archive it
# needs changing in both places.
rootpw jomomma2
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

***************************************************************
/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf
***************************************************************
# credentials smbldap-tools binds with: both are the slapd rootdn, carrying
# the same cleartext password as "rootpw" in slapd.conf. The file must stay
# readable by root only, and the password has to be rotated together with
# rootpw now that it is in a public archive.
slaveDN="cn=Manager,dc=beefylinux,dc=com"
slavePw="jomomma2"
masterDN="cn=Manager,dc=beefylinux,dc=com"
masterPw="jomomma2"

***************************************************************
/etc/opt/IDEALX/smbldap-tools/smbldap.conf
***************************************************************

# smbldap.conf as posted; the mail client wrapped several comment lines,
# so a few bare words further down (computersdn, groupsdn, idmapdn,
# "and groups", "if", "(be", "home'", "path'", "dos", ...) are the tails
# of the comment above them, not settings
# matches the "net getlocalsid" output later in the post
SID="S-1-5-21-1950905915-4285831572-4043287157"
sambaDomain="BEEFY-NT"
# "<http://127.0.0.1/>" is an archive rendering artifact
slaveLDAP="127.0.0.1 <http://127.0.0.1/>"

slavePort="389"

masterLDAP="127.0.0.1 <http://127.0.0.1/>"

masterPort="389"

# no TLS: the rootdn bind from smbldap_bind.conf travels in clear
ldapTLS="0"

verify="optional"

#cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.key"

suffix="dc=beefylinux,dc=com"

# the containers below match the ldap user/group/machine/idmap suffixes
# set in smb.conf
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for
computersdn
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for
groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member
server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for
idmapdn
idmapdn="ou=Users,${suffix}"

# Where to store next uidNumber and gidNumber available for new users
and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=BEEFY-NT,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
# plain MD5 is unsalted; SSHA from the same list is the stronger choice
hash_encrypt="MD5"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
# note smb.conf sets "template shell = /bin/false" for winbind accounts
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
# 513 = Domain Users, 515 = Domain Computers per "net groupmap list"
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line
if
# you don't want password to be enable for defaultMaxPasswordAge days
(be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon
home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
# matches the sambaHomePath shown in root's entry later in the post
userSmbHome="\\PDC-SRV\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon
path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\PDC-SRV\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under
dos
# same name as "logon script" in smb.conf
userScript="logon.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com <http://idealx.com/>"
# the "<http://beefylinux.com/>" part is an archive rendering artifact
mailDomain="beefylinux.com <http://beefylinux.com/>"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in
smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
#smbpasswd="/opt/IDEALX/sbin/smbldap-passwd"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in
smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"

*************************************************************
OTHER IMPORTANT INFORMATION
*************************************************************

[root at beefylinux certs]# vi /etc/nsswitch.conf
[root at beefylinux certs]# net getlocalsid
SID for domain PDC-SRV is: S-1-5-21-1950905915-4285831572-4043287157
[root at beefylinux certs]# ldapsearch -x "uid=root"
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: uid=root
# requesting: ALL
#

# root, Users, beefylinux.com <http://beefylinux.com/>
dn: uid=root,ou=Users,dc=beefylinux,dc=com
cn: root
sn: root
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: root
uidNumber: 0
homeDirectory: /home/root
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaHomePath: \\PDC-SRV\root
sambaHomeDrive: H:
sambaProfilePath: \\PDC-SRV\profiles\root
sambaPrimaryGroupSID: S-1-5-21-1950905915-4285831572-4043287157-512
sambaSID: S-1-5-21-1950905915-4285831572-4043287157-500
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaPwdCanChange: 1128448503
sambaPwdMustChange: 2147483647
sambaPasswordHistory:
00000000000000000000000000000000000000000000000000000000
00000000
sambaPwdLastSet: 1128448503
sambaAcctFlags: [U ]

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root at beefylinux certs]# net groupmap list
Domain Admins (S-1-5-21-1950905915-4285831572-4043287157-512) -> 512
Domain Users (S-1-5-21-1950905915-4285831572-4043287157-513) -> 513
Domain Guests (S-1-5-21-1950905915-4285831572-4043287157-514) -> 514
Domain Computers (S-1-5-21-1950905915-4285831572-4043287157-515) -> 515
Administrators (S-1-5-32-544) -> 544
Account Operators (S-1-5-32-548) -> 548
Print Operators (S-1-5-32-550) -> 550
Backup Operators (S-1-5-32-551) -> 551
Replicators (S-1-5-32-552) -> 552

*****************************************************************
Sorry for the long message, but again any help?? Thank you!

