[Samba] Samba + LDAP integration

Ryan Bair ryandbair at gmail.com
Sat Jul 26 15:03:32 GMT 2008


Were the user accounts created with smbldap-tools, or were they
pre-existing? If they were pre-existing, did you reset the passwords
with smbldap-passwd? You will need to do so to set the appropriate
hashes in LDAP.

Have you looked at the logs at all? Posting some samples from there
showing the server startup and failed login would probably be helpful.

--Ryan

On Sat, Jul 26, 2008 at 10:36 AM, Mugo Martin <mmuchira at gmail.com> wrote:
> Hi people,
>
> Been doing a server installation with Samba as a primary PDC that uses an
> LDAP backend on CentOS 5.
> The thing is that I cannot get Samba and LDAP to talk as they
> should, and now I'm really stuck.
> Below are my dumps for /etc/samba/smb.conf, ldap.conf (copied its contents
> to /etc/openldap/ldap.conf too), and smbldap.conf.
> Excuse my long post; trying to be as elaborate as possible.
>
> smb.conf
> **********
> [global]
>        workgroup = MYDOMAIN
>        netbios name = MYDOMAIN
>        server string = mydomain_office
>        passdb backend = ldapsam:ldap://server.example.org
>        passwd program = /usr/local/sbin/smbldap-passwd %u
>        passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *all*authentication*tokens*updated*
>        username map = /etc/samba/smbusers
>        log file = /var/log/samba/%m.log
>        max log size = 100
>        add user script = /usr/local/sbin/smbldap-useradd "%u" -n -g users
>        delete user script = /usr/local/sbin/smbldap-userdel "%u"
>        add group script = /usr/local/sbin/smbldap-groupadd "%g"
>        delete group script = /usr/local/sbin/smbldap-groupdel "%g"
>        add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u"
> "%g"
>        delete user from group script = /usr/local/sbin/smbldap-userdel "%u"
> "%g"
>        set primary group script = /usr/local/sbin/smbldap-usermod -g "%g"
> "%u"
>        add machine script = /usr/local/sbin/smbldap-useradd -n -c
> "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>        logon script = %m.bat
>        logon path = \\server.example.org\%U\profile
>        domain logons = Yes
>        os level = 33
>        preferred master = Yes
>        domain master = Yes
>        wins support = Yes
>        ldap admin dn = cn=config
>        ldap delete dn = Yes
>        ldap group suffix = ou=groups
>        ldap machine suffix = ou=machines
>        ldap passwd sync = Yes
>        ldap suffix = dc=example,dc=org
>        ldap user suffix = ou=people
>        idmap uid = 1000-19999
>        idmap gid = 1000-19999
> [homes]
>        comment = Home Directories
>        valid users = DOMAIN\%S
>        read only = No
>        browseable = No
> [printers]
>        comment = All Printers
>        path = /var/spool/samba
>        printable = Yes
>        browseable = No
> [netlogon]
>        comment = Network Logon Service
>        path = /var/lib/samba/netlogon
>        guest ok = Yes
>        share modes = No
>
> smbldap.conf
> ************
> sambaDomain="MYDOMAIN"
> slaveLDAP="127.0.0.1"
> slavePort="389"
> masterLDAP="127.0.0.1"
> masterPort="389"
> ldapTLS="0"
> suffix="dc=example,dc=org"
> usersdn="ou=people,${suffix}"
> computersdn="ou=machines,${suffix}"
> groupsdn="ou=groups,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
> scope="one"
> hash_encrypt="SSHA"
> crypt_salt_format="%s"
> userLoginShell="/bin/bash"
> userHome="/home/%U"
> userHomeDirectoryMode="700"
> userGecos="System User"
> defaultUserGid="513"
> defaultComputerGid="515"
> skeletonDir="/etc/skel"
> defaultMaxPasswordAge="45"
> userSmbHome=""
> userProfile=""
> userScript="logon.bat"
> mailDomain="example.org"
> with_smbpasswd="0"
> with_slappasswd="0"
>
> /etc/ldap.conf
> **********************
> host server.example.org
> base dc=example,dc=org
> binddn cn=config
> bindpw 1w2345FJ
> rootbinddn cn=zimbra,dc=example,dc=org
>
> timelimit 120
> bind_timelimit 120
> bind_policy soft
> idle_timelimit 3600
>
> nss_base_passwd         ou=people,dc=example,dc=org?one
> nss_base_shadow         ou=people,dc=example,dc=org?one
>
> nss_base_group          ou=groups,dc=example,dc=org?one
> nss_base_hosts          ou=machines,dc=example,dc=org?one
>
> nss_initgroups_ignoreusers
> root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
>
> uri ldap://server.example.org
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
>
> smbldap.conf
> ************
> sambaDomain="MYDOMAIN"
> slaveLDAP="127.0.0.1"
> slavePort="389"
> masterLDAP="127.0.0.1"
> masterPort="389"
> ldapTLS="0"
> suffix="dc=example,dc=org"
> usersdn="ou=people,${suffix}"
> computersdn="ou=machines,${suffix}"
> groupsdn="ou=groups,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
> scope="one"
> hash_encrypt="SSHA"
> crypt_salt_format="%s"
> userLoginShell="/bin/bash"
> userHome="/home/%U"
> userHomeDirectoryMode="700"
> userGecos="System User"
> defaultUserGid="513"
> defaultComputerGid="515"
> skeletonDir="/etc/skel"
> defaultMaxPasswordAge="45"
> userSmbHome=""
> userProfile=""
> userScript="logon.bat"
> mailDomain="example.org"
> with_smbpasswd="0"
> with_slappasswd="0"
>
> smbldap_bind.conf
> *****************
> slaveDN="cn=config,dc=example,dc=org"
> slavePw="1w2345FJ"
> masterDN="cn=config,dc=example,dc=org"
> masterPw="1w2345FJ"
>
> The strange thing is that I can join a computer to the Domain, but only
> using the Samba+samba_root_passwd. I can even see the computer entry in the
> LDAP database when I run ldapsearch.
> However, I cannot log in to the domain with credentials in LDAP. Also I
> cannot add machines to the domain using privileged accounts stored in LDAP.
> Strangely though, Samba commands
> getent group
> and
> getent passwd
> work just fine (obtain info from LDAP) when I'm user zimbra, but not as root
> (yes, user root); running these as root returns only system records from
> /etc/passwd & /smbpasswd.
> I think that I have done everything correctly including running the command
> smbpasswd -w 1w2345FJ
> for samba to connect to LDAP and putting the same password in
> smbldap_bind.conf defined for "cn=config"
> My diagnosis so far is that there is something not working in smbldap-tools
>
> Please advise; I will appreciate it.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>

