[Samba] doubt in samba-ldap configuration

balijepalli srikrishnamohan bskmohan at yahoo.com
Fri Apr 21 14:02:20 GMT 2006


Hello group,

    I am trying to configure ldap backend to samba.
My samba and ldap machines are on different machines.
I am using samba3.0.22 and openldap-2.3.11.
I got two smb.conf files. 
One in /etc/samba/smb.conf and another in
/usr/share/doc/samba-3.0.22/examples/LDAP/smbldap-tools-0.9.1/smb.conf.

Now the problem is when iam using 2nd smb.conf,
smbclient is showing the share info. for any user, i
mean if we give no username and wrong passwd it is
showing shares.
But when i use the 1st smb.conf file, smbclient is
giving
NT_STATUS_FAILED error, for all ldap users.

I am giving the two files's contents here.
Pls tell me the reason why it is behaving like that.
Also i was able to add samba users into ldap servers.
Pls let  me know that existing ldap users and users i
added under objectclass sambaSambAccount are different
or same.If different, pls let me know how to give
username and password in ldif file.

contents of/etc/samba/smb.conf
-----------------------------
# This is the main Samba configuration file. You
should read the
# smb.conf(5) manual page in order to understand the
options listed
# here. Samba has a huge number of configurable
options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a #
(hash) 
# is a comment and is ignored. In this example we will
use a #
# for commentry and a ; for parts of the config file
that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run
the command "testparm"
# to check that you have not made any basic syntactic
errors. 
#
#======================= Global Settings
=====================================
[global]

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = MYGROUP

# server string is the equivalent of the NT
Description field
   server string = Samba Server

# This option is important for security. It allows you
to restrict
# connections to machines which are on your local
network. The
# following example restricts access to two C class
networks and
# the "loopback" interface. For more examples of the
syntax see
# the smb.conf man page
;   hosts allow = 192.168.1.21 192.168.1.62 127.0.0.1

# if you want to automatically load your printer list
rather
# than setting them up individually then you'll need
this
   printcap name = /etc/printcap
   load printers = yes

# It should not be necessary to spell out the print
system type unless
# yours is non-standard. Currently supported print
systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
;   printing = bsd

# Uncomment this if you want a guest account, you must
add this to /etc/passwd
# otherwise the user "nobody" is used
;  guest account = pcguest

# this tells Samba to use a separate log file for each
machine
# that connects
   # log file = /var/log/samba/%m.log
# all log information in one file
   log file = /var/log/samba/log.smbd

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Security mode. Most people will want user level
security. See
# security_level.txt for details.
   security = user
# Use password server option only with security =
server
;   password server = <NT-Server-Name>

# Password Level allows matching of _n_ characters of
the password for
# all combinations of upper and lower case.
;  password level = 8
;  username level = 8

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba
documentation.
# Do not enable this option unless you have read those
documents
  encrypt passwords = yes
;  smb passwd file = /etc/samba/smbpasswd

# The following are needed to allow password changing
from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb
passwd file' above.
# NOTE2: You do NOT need these to allow workstations
to change only
#        the encrypted SMB passwords. They allow the
Unix password
#        to be kept in sync with the SMB password.
;  unix password sync = Yes
;  passwd program = /usr/bin/passwd %u
;  passwd chat = *New*UNIX*password* %n\n
*ReType*new*UNIX*password* %n\n
*passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names
;  username map = /etc/samba/smbusers

# Using the following line enables you to customise
your configuration
# on a per machine basis. The %m gets replaced with
the netbios name
# of the machine that is connecting
;   include = /etc/samba/smb.conf.%m

# Most people will find that this option gives better
performance.
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY SO_RCVBUF=8192
SO_SNDBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you
must list them
# here. See the man page for details.
   ;interfaces = 192.168.1.21 192.168.1.62
192.168.12.2/24 192.168.13.2/24 

# Configure remote browse list synchronisation here
#  request announcement to, or browse list sync from:
#	a specific host or from / to a whole subnet (see
below)
;   remote browse sync = 192.168.3.25 192.168.5.255
# Cause this host to announce itself to local subnets
here
;   remote announce = 192.168.1.255 192.168.2.44

# Browser Control Options:
# set local master to no if you don't want Samba to
become a master
# browser on your network. Otherwise the normal
election rules apply
;   local master = no

# OS Level determines the precedence of this server in
master browser
# elections. The default value should be reasonable
;   os level = 33

# Domain Master specifies Samba to be the Domain
Master Browser. This
# allows Samba to collate browse lists between
subnets. Don't use this
# if you already have a Windows NT domain controller
doing this job
;   domain master = yes 

# Preferred Master causes Samba to force a local
browser election on startup
# and gives it a slightly higher chance of winning the
election
;   preferred master = yes

# Enable this if you want Samba to be a domain logon
server for 
# Windows95 workstations. 
;   domain logons = yes

# if you enable domain logons then you may want a
per-machine or
# per user logon script
# run a specific logon batch file per workstation
(machine)
;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat

# Where to store roving profiles (only for Win95 and
WinNT)
#        %L substitutes for this servers netbios name,
%U is username
#        You must uncomment the [Profiles] share below
;   logon path = \\%L\Profiles\%U

# All NetBIOS names must be resolved to IP Addresses
# 'Name Resolve Order' allows the named resolution
mechanism to be specified
# the default order is "host lmhosts wins bcast".
"host" means use the unix
# system gethostbyname() function call that will use
either /etc/hosts OR
# DNS or NIS depending on the settings of
/etc/host.config, /etc/nsswitch.conf
# and the /etc/resolv.conf file. "host" therefore is
system configuration
# dependant. This parameter is most often of use to
prevent DNS lookups
# in order to resolve NetBIOS names to IP Addresses.
Use with care!
# The example below excludes use of name resolution
for machines that are NOT
# on the local network segment
# - OR - are not deliberately to be known via lmhosts
or via WINS.
; name resolve order = wins lmhosts bcast

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to
enable it's WINS Server
;   wins support = yes

# WINS Server - Tells the NMBD components of Samba to
be a WINS Client
#	Note: Samba can be either a WINS Server, or a WINS
Client, but NOT both
;   wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution
queries on
# behalf of a non WINS capable client, for this to
work there must be
# at least one	WINS Server on the network. The default
is NO.
;   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to
resolve NetBIOS names
# via DNS nslookups. The built-in default for versions
1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = no 

# Case Preservation can be handy - system default is
_no_
# NOTE: These can be set on a per share basis
;  preserve case = no
;  short preserve case = no
# Default case is normally upper case for all DOS
files
;  default case = lower
# Be very careful with case sensitivity - it can break
things!
;  case sensitive = no

#ENTRIES ADDED FOR TESTING MYSQLi & LDAP BACKEND
;netbios name = machine
;domain logons = yes
;domain master = yes
passdb backend = ldapsam:ldap://192.168.1.21/
ldap admin dn = cn=Manager,dc=example,dc=com
;ldap ssl = start tls
ldap suffix = dc=example, dc=com
;ldap password = "secret"
;samba:mysql host = localhost
;samba:mysql user = root
;samba:mysql password = root
;samba:mysql database = samba_auth
;lanman pass column = lm_pw
;nt pass column = nt_pw
;plain pass column = NULL
#============================ Share Definitions
==============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

# Un-comment the following and create the netlogon
directory for Domain Logons
; [netlogon]
;   comment = Network Logon Service
;   path = /home/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no


# Un-comment the following to provide a specific
roving profile share
# the default is to use the user's home directory
;[Profiles]
;    path = /home/profiles
;    browseable = no
;    guest ok = yes


# NOTE: If you have a BSD-style print system there is
no need to 
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to
print
   guest ok = no
   writable = no
   printable = yes

# This one is useful for people to share files
;[tmp]
;   comment = Temporary file space
;   path = /tmp
;   read only = no
;   public = yes

# A publicly accessible directory, but read only,
except for people in
# the "staff" group
;[public]
;   comment = Public Stuff
;   path = /home/samba
;   public = yes
;   read only = yes
;   write list = @staff

# Other examples. 
#
# A private printer, usable only by fred. Spool data
will be placed in fred's
# home directory. Note that fred must have write
access to the spool directory,
# wherever it is.
;[fredsprn]
;   comment = Fred's Printer
;   valid users = fred
;   path = /homes/fred
;   printer = freds_printer
;   public = no
;   writable = no
;   printable = yes

# A private directory, usable only by fred. Note that
fred requires write
# access to the directory.
;[fredsdir]
;   comment = Fred's Service
;   path = /usr/somewhere/private
;   valid users = fred
;   public = no
;   writable = yes
;   printable = no

# a service which has a different directory for each
machine that connects
# this allows you to tailor configurations to incoming
machines. You could
# also use the %u option to tailor it by user name.
# The %m gets replaced with the machine name that is
connecting.
;[pchome]
;  comment = PC Directories
;  path = /usr/pc/%m
;  public = no
;  writable = yes

# A publicly accessible directory, read/write to all
users. Note that all files
# created in the directory by users will be owned by
the default user, so
# any user with access can delete any other user's
files. Obviously this
# directory must be writable by the default user.
Another user could of course
# be specified, in which case all files would be owned
by that user instead.
;[public]
;   path = /usr/somewhere/else/public
;   public = yes
;   only guest = yes
;   writable = yes
;   printable = no

# The following two entries demonstrate how to share a
directory so that two
# users can place files there that will be owned by
the specific users. In this
# setup, the directory should be writable by both
users and should have the
# sticky bit set on it to prevent abuse. Obviously
this could be extended to
# as many users as required.
;[myshare]
;   comment = Mary's and Fred's stuff
;   path = /usr/somewhere/shared
;   valid users = mary fred
;   public = no
;   writable = yes
;   printable = no
;   create mask = 0765


Contents of
/usr/share/doc/samba-3.0.22/examples/LDAP/smbldap-tools-0.9.1/smb.conf.
------------------------------------------------------------------------
# Global parameters
[global]
	workgroup = IDEALX-NT
	netbios name = PDC-SRV
	security = user
	enable privileges = yes
	#interfaces = 192.168.5.11
	#username map = /etc/samba/smbusers
	server string = Samba Server %v
	#security = ads
	encrypt passwords = Yes
	min passwd length = 3
	#pam password change = no
	#obey pam restrictions = No
	#ldap passwd sync = Yes
;	unix password sync = Yes
;	passwd program = /opt/IDEALX/sbin/smbldap-passwd -u
%u
;	passwd chat = "Changing password for*\nNew
password*" %n\n "*Retype new password*" %n\n"
	#passwd chat debug = Yes
	log level = 0
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 100000
	time server = Yes
	socket options = TCP_NODELAY SO_RCVBUF=8192
SO_SNDBUF=8192
	mangling method = hash2
	Dos charset = 850
	Unix charset = ISO8859-1

	logon script = logon.bat
	logon drive = H:
        logon home = 
        logon path = 

	domain logons = Yes
	domain master = Yes
	os level = 65
	preferred master = Yes
	wins support = yes
	passdb backend = ldapsam:ldap://192.168.1.21/
	ldap admin dn = cn=Manager,dc=example,dc=com
	#ldap admin dn = cn=samba,ou=DSA,dc=idealx,dc=org
	;ldap suffix = dc=idealx,dc=org
    ;    ldap group suffix = ou=Groups
    ;    ldap user suffix = ou=Users
    ;    ldap machine suffix = ou=Computers
	#ldap idmap suffix = ou=Idmap
    ;    add user script =
/opt/IDEALX/sbin/smbldap-useradd -m "%u"
        #ldap delete dn = Yes
    ;    delete user script =
/opt/IDEALX/sbin/smbldap-userdel "%u"
    ;    add machine script =
/opt/IDEALX/sbin/smbldap-useradd -t 0 -w "%u"
    ;    add group script =
/opt/IDEALX/sbin/smbldap-groupadd -p "%g" 
        #delete group script =
/opt/IDEALX/sbin/smbldap-groupdel "%g"
    ;    add user to group script =
/opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
    ;    delete user from group script =
/opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
	;set primary group script =
/opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'

	# printers configuration
	printer admin = @"Print Operators"
	load printers = Yes
	create mask = 0640
	directory mask = 0750
	#force create mode = 0640
	#force directory mode = 0750
	nt acl support = No
	printing = cups
	printcap name = cups
	deadtime = 10
	guest account = nobody
	map to guest = Bad User
	dont descend =
/proc,/dev,/etc,/lib,/lost+found,/initrd
	show add printer wizard = yes
	; to maintain capital letters in shortcuts in any of
the profile folders:
	preserve case = yes
	short preserve case = yes
	case sensitive = no

[netlogon]
	path = /home/netlogon/
	browseable = No
	read only = yes

[profiles]
	path = /home/profiles
	read only = no
	create mask = 0600
	directory mask = 0700
	browseable = No
	guest ok = Yes
	profile acls = yes
	csc policy = disable
	# next line is a great way to secure the profiles 
	#force user = %U 
	# next line allows administrator to access all
profiles 
	#valid users = %U "Domain Admins"

[printers]
        comment = Network Printers
        printer admin = @"Print Operators"
        guest ok = yes 
        printable = yes
        path = /home/spool/
        browseable = No
        read only  = Yes
        printable = Yes
        print command = /usr/bin/lpr -P%p -r %s
        lpq command = /usr/bin/lpq -P%p
        lprm command = /usr/bin/lprm -P%p %j
        # print command = /usr/bin/lpr -U%U@%M -P%p -r
%s
        # lpq command = /usr/bin/lpq -U%U@%M -P%p
        # lprm command = /usr/bin/lprm -U%U@%M -P%p %j
        # lppause command = /usr/sbin/lpc -U%U@%M hold
%p %j
        # lpresume command = /usr/sbin/lpc -U%U@%M
release %p %j
        # queuepause command = /usr/sbin/lpc -U%U@%M
stop %p
        # queueresume command = /usr/sbin/lpc -U%U@%M
start %p

[print$]
        path = /home/printers
        guest ok = No
        browseable = Yes
        read only = Yes
        valid users = @"Print Operators"
        write list = @"Print Operators"
        create mask = 0664
        directory mask = 0775






__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam
protection around 
http://mail.yahoo.com 

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


More information about the samba mailing list