[Samba] doubt in samba-ldap configuration
balijepalli srikrishnamohan
bskmohan at yahoo.com
Fri Apr 21 14:02:20 GMT 2006
Hello group,
I am trying to configure ldap backend to samba.
My samba and ldap machines are on different machines.
I am using samba3.0.22 and openldap-2.3.11.
I got two smb.conf files.
One in /etc/samba/smb.conf and another in
/usr/share/doc/samba-3.0.22/examples/LDAP/smbldap-tools-0.9.1/smb.conf.
Now the problem is when iam using 2nd smb.conf,
smbclient is showing the share info. for any user, i
mean if we give no username and wrong passwd it is
showing shares.
But when i use the 1st smb.conf file, smbclient is
giving
NT_STATUS_FAILED error, for all ldap users.
I am giving the two files's contents here.
Pls tell me the reason why it is behaving like that.
Also i was able to add samba users into ldap servers.
Pls let me know that existing ldap users and users i
added under objectclass sambaSambAccount are different
or same.If different, pls let me know how to give
username and password in ldif file.
contents of/etc/samba/smb.conf
-----------------------------
# This is the main Samba configuration file. You
should read the
# smb.conf(5) manual page in order to understand the
options listed
# here. Samba has a huge number of configurable
options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a #
(hash)
# is a comment and is ignored. In this example we will
use a #
# for commentry and a ; for parts of the config file
that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run
the command "testparm"
# to check that you have not made any basic syntactic
errors.
#
#======================= Global Settings
=====================================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = MYGROUP
# server string is the equivalent of the NT
Description field
server string = Samba Server
# This option is important for security. It allows you
to restrict
# connections to machines which are on your local
network. The
# following example restricts access to two C class
networks and
# the "loopback" interface. For more examples of the
syntax see
# the smb.conf man page
; hosts allow = 192.168.1.21 192.168.1.62 127.0.0.1
# if you want to automatically load your printer list
rather
# than setting them up individually then you'll need
this
printcap name = /etc/printcap
load printers = yes
# It should not be necessary to spell out the print
system type unless
# yours is non-standard. Currently supported print
systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
; printing = bsd
# Uncomment this if you want a guest account, you must
add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest
# this tells Samba to use a separate log file for each
machine
# that connects
# log file = /var/log/samba/%m.log
# all log information in one file
log file = /var/log/samba/log.smbd
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Security mode. Most people will want user level
security. See
# security_level.txt for details.
security = user
# Use password server option only with security =
server
; password server = <NT-Server-Name>
# Password Level allows matching of _n_ characters of
the password for
# all combinations of upper and lower case.
; password level = 8
; username level = 8
# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba
documentation.
# Do not enable this option unless you have read those
documents
encrypt passwords = yes
; smb passwd file = /etc/samba/smbpasswd
# The following are needed to allow password changing
from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb
passwd file' above.
# NOTE2: You do NOT need these to allow workstations
to change only
# the encrypted SMB passwords. They allow the
Unix password
# to be kept in sync with the SMB password.
; unix password sync = Yes
; passwd program = /usr/bin/passwd %u
; passwd chat = *New*UNIX*password* %n\n
*ReType*new*UNIX*password* %n\n
*passwd:*all*authentication*tokens*updated*successfully*
# Unix users can map to different SMB User names
; username map = /etc/samba/smbusers
# Using the following line enables you to customise
your configuration
# on a per machine basis. The %m gets replaced with
the netbios name
# of the machine that is connecting
; include = /etc/samba/smb.conf.%m
# Most people will find that this option gives better
performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY SO_RCVBUF=8192
SO_SNDBUF=8192
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you
must list them
# here. See the man page for details.
;interfaces = 192.168.1.21 192.168.1.62
192.168.12.2/24 192.168.13.2/24
# Configure remote browse list synchronisation here
# request announcement to, or browse list sync from:
# a specific host or from / to a whole subnet (see
below)
; remote browse sync = 192.168.3.25 192.168.5.255
# Cause this host to announce itself to local subnets
here
; remote announce = 192.168.1.255 192.168.2.44
# Browser Control Options:
# set local master to no if you don't want Samba to
become a master
# browser on your network. Otherwise the normal
election rules apply
; local master = no
# OS Level determines the precedence of this server in
master browser
# elections. The default value should be reasonable
; os level = 33
# Domain Master specifies Samba to be the Domain
Master Browser. This
# allows Samba to collate browse lists between
subnets. Don't use this
# if you already have a Windows NT domain controller
doing this job
; domain master = yes
# Preferred Master causes Samba to force a local
browser election on startup
# and gives it a slightly higher chance of winning the
election
; preferred master = yes
# Enable this if you want Samba to be a domain logon
server for
# Windows95 workstations.
; domain logons = yes
# if you enable domain logons then you may want a
per-machine or
# per user logon script
# run a specific logon batch file per workstation
(machine)
; logon script = %m.bat
# run a specific logon batch file per username
; logon script = %U.bat
# Where to store roving profiles (only for Win95 and
WinNT)
# %L substitutes for this servers netbios name,
%U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U
# All NetBIOS names must be resolved to IP Addresses
# 'Name Resolve Order' allows the named resolution
mechanism to be specified
# the default order is "host lmhosts wins bcast".
"host" means use the unix
# system gethostbyname() function call that will use
either /etc/hosts OR
# DNS or NIS depending on the settings of
/etc/host.config, /etc/nsswitch.conf
# and the /etc/resolv.conf file. "host" therefore is
system configuration
# dependant. This parameter is most often of use to
prevent DNS lookups
# in order to resolve NetBIOS names to IP Addresses.
Use with care!
# The example below excludes use of name resolution
for machines that are NOT
# on the local network segment
# - OR - are not deliberately to be known via lmhosts
or via WINS.
; name resolve order = wins lmhosts bcast
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to
enable it's WINS Server
; wins support = yes
# WINS Server - Tells the NMBD components of Samba to
be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS
Client, but NOT both
; wins server = w.x.y.z
# WINS Proxy - Tells Samba to answer name resolution
queries on
# behalf of a non WINS capable client, for this to
work there must be
# at least one WINS Server on the network. The default
is NO.
; wins proxy = yes
# DNS Proxy - tells Samba whether or not to try to
resolve NetBIOS names
# via DNS nslookups. The built-in default for versions
1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
dns proxy = no
# Case Preservation can be handy - system default is
_no_
# NOTE: These can be set on a per share basis
; preserve case = no
; short preserve case = no
# Default case is normally upper case for all DOS
files
; default case = lower
# Be very careful with case sensitivity - it can break
things!
; case sensitive = no
#ENTRIES ADDED FOR TESTING MYSQLi & LDAP BACKEND
;netbios name = machine
;domain logons = yes
;domain master = yes
passdb backend = ldapsam:ldap://192.168.1.21/
ldap admin dn = cn=Manager,dc=example,dc=com
;ldap ssl = start tls
ldap suffix = dc=example, dc=com
;ldap password = "secret"
;samba:mysql host = localhost
;samba:mysql user = root
;samba:mysql password = root
;samba:mysql database = samba_auth
;lanman pass column = lm_pw
;nt pass column = nt_pw
;plain pass column = NULL
#============================ Share Definitions
==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
# Un-comment the following and create the netlogon
directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /home/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific
roving profile share
# the default is to use the user's home directory
;[Profiles]
; path = /home/profiles
; browseable = no
; guest ok = yes
# NOTE: If you have a BSD-style print system there is
no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to
print
guest ok = no
writable = no
printable = yes
# This one is useful for people to share files
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
; public = yes
# A publicly accessible directory, but read only,
except for people in
# the "staff" group
;[public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; read only = yes
; write list = @staff
# Other examples.
#
# A private printer, usable only by fred. Spool data
will be placed in fred's
# home directory. Note that fred must have write
access to the spool directory,
# wherever it is.
;[fredsprn]
; comment = Fred's Printer
; valid users = fred
; path = /homes/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes
# A private directory, usable only by fred. Note that
fred requires write
# access to the directory.
;[fredsdir]
; comment = Fred's Service
; path = /usr/somewhere/private
; valid users = fred
; public = no
; writable = yes
; printable = no
# a service which has a different directory for each
machine that connects
# this allows you to tailor configurations to incoming
machines. You could
# also use the %u option to tailor it by user name.
# The %m gets replaced with the machine name that is
connecting.
;[pchome]
; comment = PC Directories
; path = /usr/pc/%m
; public = no
; writable = yes
# A publicly accessible directory, read/write to all
users. Note that all files
# created in the directory by users will be owned by
the default user, so
# any user with access can delete any other user's
files. Obviously this
# directory must be writable by the default user.
Another user could of course
# be specified, in which case all files would be owned
by that user instead.
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no
# The following two entries demonstrate how to share a
directory so that two
# users can place files there that will be owned by
the specific users. In this
# setup, the directory should be writable by both
users and should have the
# sticky bit set on it to prevent abuse. Obviously
this could be extended to
# as many users as required.
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765
Contents of
/usr/share/doc/samba-3.0.22/examples/LDAP/smbldap-tools-0.9.1/smb.conf.
------------------------------------------------------------------------
# Global parameters
[global]
workgroup = IDEALX-NT
netbios name = PDC-SRV
security = user
enable privileges = yes
#interfaces = 192.168.5.11
#username map = /etc/samba/smbusers
server string = Samba Server %v
#security = ads
encrypt passwords = Yes
min passwd length = 3
#pam password change = no
#obey pam restrictions = No
#ldap passwd sync = Yes
; unix password sync = Yes
; passwd program = /opt/IDEALX/sbin/smbldap-passwd -u
%u
; passwd chat = "Changing password for*\nNew
password*" %n\n "*Retype new password*" %n\n"
#passwd chat debug = Yes
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192
SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
logon script = logon.bat
logon drive = H:
logon home =
logon path =
domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = yes
passdb backend = ldapsam:ldap://192.168.1.21/
ldap admin dn = cn=Manager,dc=example,dc=com
#ldap admin dn = cn=samba,ou=DSA,dc=idealx,dc=org
;ldap suffix = dc=idealx,dc=org
; ldap group suffix = ou=Groups
; ldap user suffix = ou=Users
; ldap machine suffix = ou=Computers
#ldap idmap suffix = ou=Idmap
; add user script =
/opt/IDEALX/sbin/smbldap-useradd -m "%u"
#ldap delete dn = Yes
; delete user script =
/opt/IDEALX/sbin/smbldap-userdel "%u"
; add machine script =
/opt/IDEALX/sbin/smbldap-useradd -t 0 -w "%u"
; add group script =
/opt/IDEALX/sbin/smbldap-groupadd -p "%g"
#delete group script =
/opt/IDEALX/sbin/smbldap-groupdel "%g"
; add user to group script =
/opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
; delete user from group script =
/opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
;set primary group script =
/opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
# printers configuration
printer admin = @"Print Operators"
load printers = Yes
create mask = 0640
directory mask = 0750
#force create mode = 0640
#force directory mode = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend =
/proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of
the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no
[netlogon]
path = /home/netlogon/
browseable = No
read only = yes
[profiles]
path = /home/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles
#force user = %U
# next line allows administrator to access all
profiles
#valid users = %U "Domain Admins"
[printers]
comment = Network Printers
printer admin = @"Print Operators"
guest ok = yes
printable = yes
path = /home/spool/
browseable = No
read only = Yes
printable = Yes
print command = /usr/bin/lpr -P%p -r %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
# print command = /usr/bin/lpr -U%U@%M -P%p -r
%s
# lpq command = /usr/bin/lpq -U%U@%M -P%p
# lprm command = /usr/bin/lprm -U%U@%M -P%p %j
# lppause command = /usr/sbin/lpc -U%U@%M hold
%p %j
# lpresume command = /usr/sbin/lpc -U%U@%M
release %p %j
# queuepause command = /usr/sbin/lpc -U%U@%M
stop %p
# queueresume command = /usr/sbin/lpc -U%U@%M
start %p
[print$]
path = /home/printers
guest ok = No
browseable = Yes
read only = Yes
valid users = @"Print Operators"
write list = @"Print Operators"
create mask = 0664
directory mask = 0775
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam
protection around
http://mail.yahoo.com
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
More information about the samba
mailing list