[Samba] question concerning ldapsam:editposix - winbind problems!

Andrew Richey ar2748 at columbia.edu
Thu Jan 17 13:45:01 GMT 2008


I actually loaded another box with Fedora, and used authconfig like you 
described.  It worked quite well! :-)

On a slightly different note... Previously I thought I had winbind 
working, but it seems I don't.  I believe I put all the correct entries 
in my smb.conf file... but I keep getting errors in my winbind logs.  
Also, wbinfo -t and -u come back with errors.  I'm probably doing 
something silly, but I'm running around in mental circles trying to 
figure out what it is.

appropriate smb.conf entries...

idmap domains = EPSILON
idmap config EPSILON:backend = ldap
idmap config EPSILON:readonly = no
idmap config EPSILON:default = yes
idmap config EPSILON:ldap_base_dn = ou=idmap, ....
idmap config EPSILON:ldap_user_dn = cn=admin, ...
idmap config EPSILON:ldap_url = ldap://ip-address:389
idmap config EPSILON:range = 5000-500000
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=idmap, ....
idmap alloc config:ldap_user_dn = cn=admin, ....
idmap alloc config:ldap_url = ldap://ip-address:389
idmap alloc config:range = 5000-500000

section of log.winbindd-idmap:

[2008/01/16 19:18:43, 1] nsswitch/idmap.c:idmap_init(377)
Initializing idmap domains
[2008/01/16 19:18:43, 0] nsswitch/idmap.c:idmap_init(388)
idmap_init: Ignoring domain EPSILON



wbinfo -t:

checking the trust secret via RPC calls failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
Could not check secret



Adam Williams wrote:
> yes, linux distros require nss_ldap and pam_ldap to authenticate linux 
> shell accounts against ldap.  if you are using fedora/centos you can 
> use authconfig and select ldap and put in the required info.  and 
> you'll need to add ldap to the passwd: shadow: and group: entries in 
> /etc/nsswitch.conf
>
> authconfig will configure /etc/ldap.conf and add the required ldap 
> attributes to /etc/pam.d/system-auth
>
> not sure about freebsd but it shouldn't be too different. (famous last 
> words!)
>
> to convert your existing /etc/passwd users to ldap, you can use the 
> PADL migration tools.
>
> Andrew Richey wrote:
>> Well, it looks like I would have to use pam_ldap and nss_ldap to make 
>> this work.  Or so I think...  Wondering if all the Linux distros 
>> require these too, to authenticate off of ldap.
>>
>> Andrew Richey wrote:
>>> Hey guys,
>>>
>>> I've gotten my samba + openldap running quite well, minus one 
>>> problem (that I know about).  I've read over plenty of 
>>> documentation, the official and other wikis and such.  I believe I 
>>> have winbind working correctly, so I assume I won't have to use 
>>> external scripts to add groups/users/etc..
>>>
>>> But isn't there something one must do in order for their OS (in my 
>>> case FreeBSD 6.2) to use my ldap server instead of /etc/passwd and 
>>> /etc/group files?   I'm unable to change the Administrator users 
>>> password because I have no Unix account for it, and I assume it's 
>>> looking for that in /etc/passwd.  On the same token, I can add 
>>> another user who already exists in my /etc/password  (the local user 
>>> I added during the installation of FreeBSD).  And it shows up 
>>> successfully in my ldap server.
>>>
>>> At first I was thinking that the ...
>>>
>>> ldapsam:trusted= yes
>>> ldapsam:editposix= yes
>>>
>>> ..handled this issue, via winbind.  But that might be a 
>>> misunderstanding on my part. Anyone have any ideas?
>
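
Added as an illustration, not code from this thread or from Samba: a small Python checker that parses an idmap stanza in the style quoted above and flags structural problems, namely missing backend/range keys, a reversed range, and ID ranges of two domains that overlap. It does not reproduce winbind's own checks, so it cannot explain the "Ignoring domain" message; the sample config and the minimum-key rule are this example's assumptions.

```python
import re
# Constructed sample, following the idmap stanza quoted in the thread.
SAMPLE_SMB_CONF = """
idmap domains = EPSILON
idmap config EPSILON:backend = ldap
idmap config EPSILON:default = yes
idmap config EPSILON:ldap_url = ldap://ip-address:389
idmap config EPSILON:range = 5000-500000
"""

def parse_idmap(text):
    """Collect 'idmap domains' and 'idmap config DOM:opt' settings (Samba 3.0.x)."""
    domains, config = [], {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        key, _, val = line.partition("=")  # DNs contain '=', parameter names never do
        key, val = key.strip().lower(), val.strip()
        if key == "idmap domains":
            domains = [d.upper() for d in re.split(r"[,\s]+", val) if d]
        elif key.startswith("idmap config "):
            dom, _, opt = key[len("idmap config "):].partition(":")
            config.setdefault(dom.strip().upper(), {})[opt.strip()] = val
    return domains, config

def parse_range(val):
    lo, hi = (int(x) for x in val.split("-", 1))  # "5000-500000" -> (5000, 500000)
    if lo >= hi:
        raise ValueError(f"bad range {val!r}")
    return lo, hi

def check_idmap(domains, config):
    """Return a list of problems; an empty list means the stanza is self-consistent."""
    problems, ranges = [], {}
    for dom in domains:
        opts = config.get(dom, {})
        for needed in ("backend", "range"):  # this checker's own minimum expectation
            if needed not in opts:
                problems.append(f"{dom}: missing '{needed}'")
        if "range" in opts:
            try:
                ranges[dom] = parse_range(opts["range"])
            except ValueError as e:
                problems.append(f"{dom}: {e}")
    doms = sorted(ranges)  # ID ranges of different domains must not overlap
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems
```

Run it as `check_idmap(*parse_idmap(open("/usr/local/etc/smb.conf").read()))` against a real file; an empty list means only that the stanza is internally consistent, not that the LDAP side is reachable.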

