[Samba] using ldap only idmap

Mariano Absatz el.baby at gmail.com
Sun Oct 18 09:56:05 MDT 2009


On Sun, Oct 18, 2009 at 07:52, Bruno MACADRE
<bruno.macadre at univ-rouen.fr> wrote:
> I don't see any of the add ... script in your smb.conf (especially the add
> machine script in your case). I don't know if it's the problem but i think
> it would be useful to tell smbd how to add a machine if its name doesn't exist
> in the LDAP...

The point is that when you have "ldapsam:editposix = yes" enabled,
you should NOT need those... you're actually telling samba to handle
LDAP modifications directly... in fact, when I run "net rpc join" from
a samba server, it DID add the machine to LDAP by itself...


>
> Mariano Absatz wrote:
>>
>> Can anyone help me on this? I'm really stuck...
>>
>> On Thu, Oct 15, 2009 at 16:58, Mariano Absatz <el.baby at gmail.com> wrote:
>>
>>>
>>> Hi,
>>>
>>> I'm trying to make a "pure ldap" setup, whereas users, groups, id
>>> mappings
>>> and everything that is supported with LDAP be in the LDAP tree and
>>> managed
>>> directly by samba.
>>>
>>> That is, I'm using:
>>>
>>> ldapsam:trusted = yes
>>> ldapsam:editposix = yes
>>>
>>> And NOT using smbldap-*.
>>>
>>> My smb.conf is here: http://wiki.clueless.com.ar/SambaLdap/smb.conf-PDC
>>>
>>> I created the LDAP tree root (o=midominio) and all its branches
>>> (ou=people;
>>> ou=groups; ou=hosts and ou=idmap).
>>>
>>> I ran "net sam provision" to fill in the basic values.
>>>
>>> I stored the secrets in secrets.tdb:
>>> # smbpasswd -w ldap_admin_password
>>> # net idmap secret midominio ldap_admin_password
>>> # net idmap secret alloc ldap_admin_password
>>>
>>> I was able to join a samba server to the domain (net rpc join -S miserver
>>> -UAdministrator).
>>>
>>> However, when I try to join an XP host to the domain, I get an error
>>> (IIRC
>>> it's "An attached device is not functioning") in the workstation and the
>>> samba logs show the following:
>>>
>>> [2009/10/15 11:17:47,  0] passdb/pdb_ldap.c:ldapsam_create_user(5119)
>>>  ldapsam_create_user: Unable to allocate a new user id: bailing out!
>>>
>>> The user I'm using to bind to the LDAP server is the LDAP administrator
>>> and
>>> it does have permissions on all the tree (in particular, within
>>> "ou=idmap,o=midominio")...
>>>
>>> I manually added an entry for the workstation's account posix data, then
>>> issued "smbpasswd -a workstation$"
>>>
>>> THEN I could join the domain...
>>>
>>> Clearly, I have something misconfigured regarding ldap/idmap/alloc, but I
>>> can't find enough information to do it right.
>>>
>>> Any help REALLY appreciated...
>>>



-- 
Mariano Absatz - El Baby
www.clueless.com.ar
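The "Unable to allocate a new user id" line in the quoted log comes from Samba's ldapsam asking the idmap allocation backend for a fresh uid and getting nothing back. With ldapsam:editposix and an LDAP allocation backend, Samba takes new uid/gid values from a sambaUnixIdPool entry (uidNumber/gidNumber counters) that lives under the idmap suffix, so one of the first things to verify when diagnosing this is whether that pool entry exists and carries both counters. The script below is an added example, not part of the thread and not Samba code: it parses LDIF text (as ldapsearch would print it) and reports whether such a pool entry is present. The two LDIF samples are constructed for illustration; the DN layout they use is an assumption, not the original poster's actual tree.

```shell
#!/bin/sh
# check_idpool: inspect LDIF (e.g. the output of
#   ldapsearch -x -D "<admin dn>" -W -b ou=idmap,o=midominio
# ) and report whether a sambaUnixIdPool entry with both allocation
# counters (uidNumber and gidNumber) exists under the idmap suffix.
#
# Prints exactly one of:
#   ok                     pool entry found with both counters
#   pool-missing-counters  pool objectClass present, but a counter is absent
#   no-pool                no sambaUnixIdPool entry at all
check_idpool() {
  printf '%s\n' "$1" | awk '
    BEGIN { RS = ""; FS = "\n" }   # one awk record per blank-line separated LDIF entry
    {
      pool = 0; uid = 0; gid = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^objectClass: sambaUnixIdPool$/) pool = 1
        if ($i ~ /^uidNumber: [0-9]+$/)            uid = 1
        if ($i ~ /^gidNumber: [0-9]+$/)            gid = 1
      }
      if (pool && uid && gid) found = 1
      else if (pool)          partial = 1
    }
    END {
      if (found)        print "ok"
      else if (partial) print "pool-missing-counters"
      else              print "no-pool"
    }'
}

# Constructed sample 1 (hypothetical): idmap suffix with a usable pool entry.
SAMPLE_WITH_POOL='dn: ou=idmap,o=midominio
objectClass: organizationalUnit
ou: idmap

dn: sambaDomainName=MIDOMINIO,ou=idmap,o=midominio
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: MIDOMINIO
uidNumber: 10000
gidNumber: 10000
'

# Constructed sample 2 (hypothetical): only the bare ou=idmap container,
# which is what an allocation failure like the one in the log would suggest.
SAMPLE_NO_POOL='dn: ou=idmap,o=midominio
objectClass: organizationalUnit
ou: idmap
'

# Stand-alone usage: run against real output with
#   check_idpool "$(ldapsearch -x -LLL -b ou=idmap,o=midominio)"
# or against the constructed samples below.
echo "sample with pool:    $(check_idpool "$SAMPLE_WITH_POOL")"
echo "sample without pool: $(check_idpool "$SAMPLE_NO_POOL")"
```

If the result is anything other than "ok", the allocation backend has nothing to hand out, and adding posix data by hand for every machine account (as the original poster ended up doing) is the symptom rather than the fix; the pool entry and the bind credentials stored with "net idmap secret alloc" are what need to be in place.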

