[Samba] User Manager for Domains can not reset user password.
Glenn Arnold
garnold at unrealsolutions.com
Sun Apr 23 02:14:50 GMT 2006
I am running RHEL ES 3.0 with Samba 3.0.22 and OpenLDAP 2.1.22 (ldapsam passdb backend), and
when I use User Manager for Domains and try to change a user password as
root or any other Domain Admin account I get the following error: "The
following error occurred changing the properties of the user jcampbell.
The group name could not be found." When you look at groups under user
manager Domain Users is set default group. Any ideas?
Thanks
-Glenn
smb.conf
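[global]
# Role: PDC for the EXAMPLE domain, domain/local master browser, time server.
# Every parameter appears exactly once here.  The original listed many keys
# twice (logon *, os level, domain master, ldap *, ...); smbd silently takes
# the LAST occurrence, which makes the effective configuration hard to audit.
netbios name = SERVER
workgroup = EXAMPLE
server string =
security = user
encrypt passwords = yes
unix extensions = yes
# `interfaces` only limits browsing/WINS traffic.  Without
# `bind interfaces only = yes` smbd still listens on every address.
interfaces = eth*
os level = 64
domain master = yes
local master = yes
preferred master = yes
time server = yes
wins server = 10.100.0.10
force printername = Yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Domain logons.  logon.bat is served from [netlogon] and runs on every
# client; see the write restriction on that share.
domain logons = yes
logon script = logon.bat
logon drive = H:
logon home = \\%L\%U
logon path =

# Password database: ldapsam on the local OpenLDAP server.
# `ldap ssl = no` is acceptable only because the server is 127.0.0.1; the
# `ldap admin dn` bind (password stored via `smbpasswd -w`) is a simple
# bind and would cross the wire in clear text on any other host.
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=samba,ou=DSA,dc=example,dc=net
ldap suffix = dc=example,dc=net
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap ssl = no
ldap delete dn = Yes
# Samba rewrites userPassword when it changes the NT/LM hashes.  The
# original spelled this both `ldappasswd sync` and `ldap passwd sync`;
# Samba ignores whitespace in parameter names, so they were the same key.
ldap passwd sync = Yes

# smbldap-tools hooks.  smbd runs these as root whenever a Domain Admin
# creates/deletes accounts or groups through the Windows tools.
add user script = /usr/local/sbin/smbldap-useradd -m '%u'
delete user script = /usr/local/sbin/smbldap-userdel '%u'
add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/local/sbin/smbldap-groupdel '%g'
add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'

# idmap/winbind settings; only used if winbindd is running.
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind separator = -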
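[netlogon]
# logon.bat served from here is executed on every client at logon, so write
# access must be limited to administrators.  Samba lists are comma/space
# separated: the original `Domain, Admins` named two USERS ("Domain" and
# "Admins"); a group whose name contains a space must be quoted and
# prefixed with the @ group marker.
path = /smbsrvr/netlogon/scripts
write list = "@Domain Admins"
# `guest ok` only grants read access here (the share is read-only by default
# and only the write list may write), which is the usual netlogon setup.
# The directory's Unix mode must not be world-writable or the write list is moot.
guest ok = Yes
browseable = No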
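[homes]
comment = Home Directories
# Every file a user creates through this share is owned by group
# "Domain Admins" with mode 0770, i.e. every member of Domain Admins gets
# read/write on users' home files created via Samba.  Confirm that is
# intended; `force group` is not needed for the owner's own access.
force group = "Domain Admins"
read only = No
create mask = 0770
force create mode = 0770
directory mask = 0770
force directory mode = 0770
# Must be a single line (the mail wrapped it onto two, which would have
# left `veto files` empty and the pattern line unparsable).
veto files = /*.mp3/*.exe/*.com/*.js/*.bat/*.cmd/*.wsh/*.scr/*.zip/.*/testfile/
browseable = No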
[C$]
# Administrative share over the whole /smbsrvr tree (the parent of most
# other shares below); restricted to Domain Admins.
path = /smbsrvr
valid users = "@Domain Admins"
read only = No
# New files/directories are owned by group "Domain Admins", group-rwx.
force group = "Domain Admins"
create mask = 0770
directory mask = 0770
force directory mode = 0770
veto files = /fnksvc32.exe/testfile/
[tftpboot$]
# Network-boot tree.  Whoever writes here decides what PXE/TFTP clients
# execute, so the Domain Admins restriction is load-bearing.
path = /tftpboot
valid users = "@Domain Admins"
# New files are created with group root (gid 0), mode 0775.
force group = "root"
read only = No
create mask = 0775
directory mask = 0775
force directory mode = 0775
[Apps]
# No `valid users`: any authenticated domain account may connect and write.
# Only the Unix permissions on /smbsrvr/Apps limit who can change programs
# that other users run from here.
path = /smbsrvr/Apps
read only = No
inherit permissions = Yes
create mask = 0770
force create mode = 0770
directory mask = 0770
force directory mode = 0770
veto files = /fnksvc32.exe/testfile/
[Students]
# Shared student area: any authenticated domain account may write.
# Everything created here becomes group hsstudents, mode 0770.
path = /smbsrvr/Students
read only = No
force group = hsstudents
create mask = 0770
force create mode = 0770
directory mask = 0770
force directory mode = 0770
veto files = /fnksvc32.exe/testfile/
[AdminTools$]
# Hidden ($) but NOT restricted: there is no `valid users`, so every
# authenticated domain account can connect and write, subject only to the
# Unix mode of /smbsrvr/AdminTools.  Hiding a share is not access control.
path = /smbsrvr/AdminTools
read only = No
veto files = /fnksvc32.exe/testfile/
[printers]
comment = All Printers
# Spool share; guest printing is allowed.
path = /var/spool/samba
printable = Yes
guest ok = Yes
browseable = No
default devmode = Yes
veto files = /fnksvc32.exe/testfile/
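[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
# Uploaded drivers are loaded by the print spooler on every client, so write
# access must stay with administrators.  The original had `"@@Domain Admins"`:
# the first @ is the group marker, so Samba looked up a Unix group literally
# named "@Domain Admins" -- unless such a group exists, that token matched
# nobody and only root could upload drivers.
write list = root, "@Domain Admins"
read only = No
veto files = /fnksvc32.exe/testfile/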
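[home$]
# Exposes the whole /home tree (every user's directory) to administrators.
path = /home
# The original listed "Domain Admins" WITHOUT the @ group marker, i.e. a
# user account named "Domain Admins"; every other share spells the group
# as "@Domain Admins", so that is restored here.  The list also mixes
# `+ntadmins` and `@ntadmin` -- at most one of those Unix groups is likely
# to exist; check `getent group` and remove the misspelled one.
valid users = "@Domain Admins", +ntadmins, +root, "@MTHS-Domain Admins", @ntadmin, @root
write list = +ntadmin, "@MTHS-Domain Admins", @ntadmin, @root
# Everything created through this share becomes group "Domain Admins", 0770.
force group = "Domain Admins"
read only = No
create mask = 0770
force create mode = 0770
directory mask = 0770
force directory mode = 0770
veto files = /fnksvc32.exe/testfile/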
[ezaudit]
# Drop box for the ezaudit client.  Review points:
#  * `guest ok = Yes` together with `read only = No` means anonymous
#    (null-session) clients can typically write here; `browseable = No`
#    only hides the name and is not access control.
#  * The 0777 masks make every file and directory created here
#    world-readable and world-writable on the server itself.
# If only workstations need to drop files, add a `hosts allow` list and
# lower the masks to 0770 (the forced group already gives group access).
path = /smbsrvr/ezaudit
force group = "Domain Users"
read only = No
create mask = 0777
force create mode = 0777
directory mask = 0777
force directory mode = 0777
guest ok = Yes
browseable = No
[HSGUIDANCE]
# No `valid users` and writable: every authenticated domain account can
# connect; only the Unix mode of the path limits who reads or changes it.
path = /smbsrvr/Guidance
read only = No
veto files = /fnksvc32.exe/testfile/
[HS PRINCIPAL]
# Writable by any authenticated domain account (no `valid users`); access
# control rests entirely on the Unix permissions of the directory.
path = /smbsrvr/hsprincipal
read only = No
veto files = /fnksvc32.exe/testfile/
[CIP]
# Open to every authenticated domain account (no `valid users`), writable.
path = /smbsrvr/CIP
read only = No
veto files = /fnksvc32.exe/testfile/
[POISE ISSUES]
# Open to every authenticated domain account (no `valid users`), writable.
# Path contains a space; Samba takes the whole remainder of the line.
path = /smbsrvr/Poise Issues
read only = No
veto files = /fnksvc32.exe/testfile/
[HSDISCIPLINE]
# Apparently sensitive (discipline) data, yet there is no `valid users`:
# any authenticated domain account -- students included if they have
# domain logins -- can connect and write unless the Unix mode of
# /smbsrvr/Discipline stops them.  Consider `valid users = @<staff group>`.
path = /smbsrvr/Discipline
read only = No
veto files = /fnksvc32.exe/testfile/
[YEARBOOK]
# Members of Unix group hsyearbook only; files become group hsyearbook, 0770.
path = /smbsrvr/yearbook
valid users = @hsyearbook
read only = No
force group = hsyearbook
create mask = 0770
force create mode = 0770
directory mask = 0770
force directory mode = 0770
veto files = /fnksvc32.exe/testfile/
[MTM]
# Sub-tree of [Apps] re-exported with a tighter access list (hsbuilding and
# Domain Admins).  Note the same directory remains reachable through [Apps]
# and [C$], so this list is not the only path to it.
path = /smbsrvr/Apps/Mtm
valid users = @hsbuilding, "@Domain Admins"
read only = No
force group = hsbuilding
create mask = 0770
force create mode = 0770
directory mask = 0770
force directory mode = 0770
[INSTALL]
comment = Mt. Healthy Software
# Software distribution point: readable by all authenticated users, writable
# only by root and Domain Admins (installers placed here run on clients).
path = /smbsrvr/Install
write list = root, "@Domain Admins"
read only = No
force group = Domain Admins
create mask = 0775
force create mode = 0775
directory mask = 0775
force directory mode = 0775
veto files = /fnksvc32.exe/testfile/
[hsstudents]
# Writable by any authenticated domain account; no `valid users`.
path = /home/hsstudents
read only = No
veto files = /fnksvc32.exe/testfile/
[hsstaff]
# Staff area, but no `valid users`: any authenticated domain account can
# connect and write unless the Unix mode of /home/hsstaff prevents it.
path = /home/hsstaff
read only = No
veto files = /fnksvc32.exe/testfile/
[hsbuilding]
# Writable by any authenticated domain account; no `valid users`.
path = /home/hsbuilding
read only = No
veto files = /fnksvc32.exe/testfile/
[staffback$]
# Hidden staff backup area, restricted to Unix group hsstaff; new files are
# group hsstaff with mode 0770.
path = /home/staffback
valid users = @hsstaff
read only = No
force group = hsstaff
create mask = 0770
force create mode = 0770
directory mask = 0770
force directory mode = 0770
veto files = /fnksvc32.exe/testfile/
ldap.conf
# nss_ldap / pam_ldap client settings.
# Loopback only; `ssl no` is tolerable solely because no traffic leaves the host.
HOST 127.0.0.1
BASE dc=example,dc=net
# Bind identity used when the calling process is root; its password is read
# from /etc/ldap.secret, which must be mode 0600 and owned by root.
# Non-root processes bind anonymously, which appears to be why slapd.conf
# grants anonymous read on the POSIX account attributes.
rootbinddn cn=nssldap,ou=DSA,dc=example,dc=net
nss_base_passwd dc=example,dc=net?sub
nss_base_shadow dc=example,dc=net?sub
# One-level search: group entries must sit directly under ou=Groups
# (consistent with Samba's `ldap group suffix = ou=Groups`).
nss_base_group ou=Groups,dc=example,dc=net?one
ssl no
# pam_ldap hashes the new password itself with unsalted {MD5} before writing
# userPassword.  `pam_password exop` (RFC 3062 password modify) would let
# slapd apply its own password-hash setting instead -- confirm this
# OpenLDAP build supports the extended operation before switching.
pam_password md5
slapd.conf
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27
20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Schema load order matters: samba3.schema is documented to be loaded after
# core, cosine, inetorgperson and nis, which define the types it builds on.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema
#include /etc/openldap/schema/redhat/autofs.schema
#include /etc/openldap/schema/redhat/kerberosobject.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
#pidfile //var/run/slapd.pid
#argsfile //var/run/slapd.args
# Create a replication log in /var/lib/ldap for use by slurpd.
#replogfile /var/lib/ldap/master-slapd.replog
# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
#
# The next three lines allow use of TLS for connections using a dummy
test
# certificate, but you should generate a proper certificate by changing
to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions
on
# slapd.pem so that the ldap user or group can read it.
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
#
# Sample Access Control
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# rootdn can always write!
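# Access control.  slapd evaluates "access to" clauses in order and applies
# the FIRST one whose target matches a given entry/attribute, so clauses go
# from most to least specific.  The `by` lines are continuation lines of
# the directive and MUST be indented (the mail stripped the indentation and
# wrapped the attribute lists mid-word; both are restored here).

# Password material: the Samba DSA, smbldap-tools and the user (self) may
# write; anonymous may only bind against it (auth); nobody may read.
# NOTE(review): cn=nssldap is the NSS/PAM bind identity (rootbinddn in
# ldap.conf).  pam_ldap needs it to write userPassword for root-driven
# password changes, but nothing visible here needs it to write the
# sambaNTPassword/sambaLMPassword hashes or the Samba password timestamps;
# consider giving it write on userPassword only.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn="cn=samba,ou=DSA,dc=example,dc=net" write
    by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
    by dn="cn=nssldap,ou=DSA,dc=example,dc=net" write
    by self write
    by anonymous auth
    by * none

# POSIX account/group attributes readable by anyone, anonymous included:
# nss_ldap binds anonymously for non-root processes, so `id user` and
# `getent` depend on this.  The flip side is that any client able to reach
# slapd can enumerate every user and group; keep slapd on loopback or
# restrict it with a firewall.  `entry` here is what makes the entries
# themselves visible at all.
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid,loginshell
    by dn="cn=samba,ou=DSA,dc=example,dc=net" write
    by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
    by * read

# Attributes users may maintain themselves.
access to attrs=description,telephoneNumber
    by dn="cn=samba,ou=DSA,dc=example,dc=net" write
    by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
    by self write
    by * read

# Samba account, group-mapping and domain attributes.  Only the Samba DSA
# and smbldap-tools may write; users may read their own.  Note that cn,
# description and the password/timestamp attributes listed here are already
# claimed by the clauses above (first match wins), so for those attributes
# this clause never applies.
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
    by dn="cn=samba,ou=DSA,dc=example,dc=net" write
    by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
    by self read
    by * none

# Samba must be able to create the sambaDomain entry under the suffix.
access to dn.base="dc=example,dc=net"
    by dn="cn=samba,ou=DSA,dc=example,dc=net" write
    by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
    by * none

# Samba/smbldap-tools create user, group and machine entries in these OUs.
# NOTE(review): `dn=` without a style is treated as an (unanchored) regex in
# this OpenLDAP version, so each clause also matches every entry beneath
# the OU -- confirm with slapd.access(5) for 2.1 before relying on it.
access to dn="ou=Users,dc=example,dc=net"
    by dn="cn=samba,ou=DSA,dc=example,dc=net" write
    by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
    by * none

access to dn="ou=Groups,dc=example,dc=net"
    by dn="cn=samba,ou=DSA,dc=example,dc=net" write
    by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
    by * none

access to dn="ou=Computers,dc=example,dc=net"
    by dn="cn=samba,ou=DSA,dc=example,dc=net" write
    by dn="cn=smbldap-tools,ou=DSA,dc=example,dc=net" write
    by * none

# Dead clause, kept for clarity: attrs= targets are not scoped to a branch,
# so the first clause above already matches these attributes on every
# entry in every branch and this one is never reached.  Harmless.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none

# Catch-all: anything not claimed above (e.g. sn, givenName, mail on
# entries outside the OUs matched above) is readable by anyone, anonymous
# included.  Tighten to `by users read` if anonymous enumeration of those
# attributes is not wanted.
access to *
    by * read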
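#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=example,dc=net"
#suffix "o=My Organization Name,c=US"
# rootdn bypasses every ACL above.  Samba does not bind as it (its
# `ldap admin dn` is cn=samba,ou=DSA); keep rootdn for slapadd and manual
# administration only.  (The original listed this directive twice.)
rootdn "cn=Manager,dc=example,dc=net"
#rootdn "cn=Manager,o=My Organization Name,c=US"
# SECURITY: the hash below was posted verbatim to a public mailing list,
# which is effectively a disclosure of the rootdn credential -- {SSHA} is
# salted SHA-1 and cheap to brute-force offline.  Generate a replacement
# with `slappasswd -h {SSHA}` and change it before doing anything else.
# The comment at the top of this file already says it must not be
# world-readable; the same goes for copies pasted into mail and tickets.
rootpw {SSHA}rCWryJIyAP66u64ALA6gRREQ7j2bJH0T
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap
# Logging and limits.  loglevel 256 (stats) records connections and
# operations, which is useful for auditing binds against the DSA accounts.
loglevel 256
sizelimit 100000
cachesize 100000
dbcachesize 30000000
# Indices to maintain
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq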