[Samba] login ldap pdc
denis.rohou at ville-lannion.fr
denis.rohou at ville-lannion.fr
Tue Apr 15 13:32:34 GMT 2008
Hello,
I install samba-ldap-pdc on a ubuntu.
I join well the domain with root user, but when I restart, root or user
login don't work.
I can access to share via network with root or user login.
when I try under winXP pro to change security of a file, I can't access to
server user list : "bad user or passwd"
I've no error in log.smbd or debug
my smb.conf
[global]
smb ports = 139
workgroup = MAILAN.LOCAL
netbios name = authlan
server string = Samba-LDAP PDC Server
domain master = Yes
local master = Yes
domain logons = Yes
os level = 64
security = milan.local
preferred master = Yes
#unix password sync = Yes
#passwd program = /usr/sbin/smbldap-passwd ?u %u
# l option ci-dessous permet de forcer un nouveau mot de passe a la
premiere connexion
#passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new
password*" %n\n"
ldap passwd sync = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=admin,dc=mailan,dc=local
ldap suffix = dc=mailan,dc=local
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Machines
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
logon path = \\%L\profile\%U
logon drive = P:
logon home = \\%L\%U
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY
IPTOS_THROUGHPUT SO_KEEPALIVE
case sensitive = No
default case = lower
preserve case = yes
short preserve case = Yes
#character set = iso8859-1
#domain admin group = @admin
dns proxy = No
wins support = yes
hosts allow = 192.168. 127.
winbind use default domain = Yes
nt acl support = Yes
msdfs root = Yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
logfile = /var/log/samba/log.%m
debug level = 3
[profiles]
path = /home/export/profile
read only = no
browseable = no
guest ok = yes
profiles acls = yes
[netlogon]
path = /home/netlogon
writable = no
browseable = no
write list = Administrateur
available = no
public = no
[homes]
comment = Repertoire Personnel
browseable = No
writeable = Yes
[partage]
comment = Repertoire commun
browseable = yes
public = yes
path = /partage
writable = yes
[documents]
comment = Repertoire commun
browseable = no
public = no
path = /partage/documents
available = no
writable = no
[outils]
comment = Repertoire commun
browseable = no
public = no
path = /partage/logiciels/outils
available = no
writable = no
################################ my slapd.conf #######################
# Global Directives:
# Features to permit
allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck on
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd.args
# Read slapd.conf(5) for possible values
loglevel 3
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
#######################################################################
# SSL:
# Uncomment the following lines to enable SSL and use the default
# snakeoil certificates.
#TLSCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#TLSCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# Chemin vers le certificat du serveur LDAP
#TLSCertificateFile /etc/ldap/cert/servercert.pem
# Chemin vers la clef privée du serveur LDAP
#TLSCertificateKeyFile /etc/ldap/cert/serverkey.pem
# Chemin vers le certificat de la CA
#TLSCACertificateFile /etc/ldap/cert/cacert.pem
#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
checkpoint 512 30
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database bdb
# The base of your directory in database #1
suffix "dc=mailan,dc=local"
rootdn "cn=admin,dc=mailan,dc=local"
rootpw {SSHA}1PAlNaHo/U5QV8UB9M1scrEoFqGsEtvk
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Where to store the replica logs for database #1
replogfile "/var/lib/ldap/replog"
replica uri=ldap://192.168.0.132:389
binddn="uid=replication,ou=users,dc=mailan,dc=local"
bindmethod=simple credentials=secofr
# bindmethod=simple credentials="{SSHA}KsGfPaQR67EKAEbW9FYvloppjVBDSk47"
# tls=yes
#
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword
by dn="cn=admin,dc=mailan,dc=local" write
by anonymous auth
by self write
by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=admin,dc=mailan,dc=local" write
by dn="uid=replication,ou=users,dc=mailan,dc=local" read
by * read
thanks for your answer and sorry for my english
More information about the samba
mailing list