[Samba] login ldap pdc

denis.rohou at ville-lannion.fr denis.rohou at ville-lannion.fr
Tue Apr 15 13:32:34 GMT 2008 

Hello,
I install  samba-ldap-pdc on a ubuntu.
I join well the domain with root user, but when I restart, root or user
login don't work.

I can access to share via network with root or user login.
when I try under winXP pro to change security of a file, I can't access to
server user list : "bad user or passwd"
I've no error in log.smbd or debug
my smb.conf
[global]
smb ports  = 139
workgroup = MAILAN.LOCAL
netbios name = authlan
server string = Samba-LDAP PDC Server
domain master = Yes
local master = Yes
domain logons = Yes
os level = 64
security = milan.local
preferred master = Yes
#unix password sync = Yes
#passwd program = /usr/sbin/smbldap-passwd ?u %u
# l option ci-dessous permet de forcer un nouveau mot de passe a la
premiere connexion
#passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new
password*" %n\n"
ldap passwd sync = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=admin,dc=mailan,dc=local
ldap suffix = dc=mailan,dc=local
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Machines
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
logon path = \\%L\profile\%U
logon drive = P:
logon home = \\%L\%U
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY
IPTOS_THROUGHPUT SO_KEEPALIVE
case sensitive = No
default case = lower
preserve case = yes
short preserve case = Yes
#character set = iso8859-1
#domain admin group = @admin
dns proxy = No
wins support = yes
hosts allow = 192.168. 127.
winbind use default domain = Yes
nt acl support = Yes
msdfs root = Yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
logfile = /var/log/samba/log.%m
debug level = 3

[profiles]
path = /home/export/profile
read only = no
browseable = no
guest ok = yes
profiles acls = yes

[netlogon]
path = /home/netlogon
writable = no
browseable = no
write list = Administrateur
available = no
public = no

[homes]
comment = Repertoire Personnel
browseable = No
writeable = Yes

[partage]
comment = Repertoire commun
browseable = yes
public = yes
path = /partage
writable = yes

[documents]
comment = Repertoire commun
browseable = no
public = no
path = /partage/documents
available = no
writable = no

[outils]
comment = Repertoire commun
browseable = no
public = no
path = /partage/logiciels/outils
available = no
writable = no


################################ my slapd.conf #######################

# Global Directives:

# Features to permit
allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.args

# Read slapd.conf(5) for possible values
loglevel        3

# Where the dynamically loaded modules are stored
modulepath	/usr/lib/ldap
moduleload	back_bdb

#######################################################################
# SSL:
# Uncomment the following lines to enable SSL and use the default
# snakeoil certificates.
#TLSCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
#TLSCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key
# Chemin vers le certificat du serveur LDAP
#TLSCertificateFile      /etc/ldap/cert/servercert.pem
# Chemin vers la clef privée du serveur LDAP
#TLSCertificateKeyFile   /etc/ldap/cert/serverkey.pem
# Chemin vers le certificat de la CA
#TLSCACertificateFile    /etc/ldap/cert/cacert.pem
#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend		bdb
checkpoint 512 30

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend		<other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=mailan,dc=local"
rootdn          "cn=admin,dc=mailan,dc=local"
rootpw          {SSHA}1PAlNaHo/U5QV8UB9M1scrEoFqGsEtvk
# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"

# Indexing options for database #1
index           objectClass eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
replogfile	"/var/lib/ldap/replog"

replica uri=ldap://192.168.0.132:389
	binddn="uid=replication,ou=users,dc=mailan,dc=local"
       bindmethod=simple credentials=secofr
#	bindmethod=simple credentials="{SSHA}KsGfPaQR67EKAEbW9FYvloppjVBDSk47"
#	tls=yes
#


# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword
        by dn="cn=admin,dc=mailan,dc=local" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=mailan,dc=local" write
        by dn="uid=replication,ou=users,dc=mailan,dc=local" read
        by * read


thanks for your answer and sorry for my english

More information about the samba mailing list