[Samba] Samba 3.0.28a and LDAP on ubuntu 8.04
Marcello Lupo
mlist at itspecialist.it
Wed Aug 25 09:12:43 MDT 2010
Hi to all,
I'm facing some problems integrating with LDAP on the release named in the subject.
In my scenario I want to use Samba + LDAP so that all servers on the network have the same UID and GID for all the shares on all Linux servers (including the shares on the main PDC server).
Clients are mixed Windows and Linux.
Samba + LDAP on the Ubuntu server is acting as PDC for the domain (no Windows servers in the domain), and all the other Linux servers should take the UID and GID from the PDC using samba+winbind with the idmap backend on LDAP.
What is happening is that I'm not able to have the PDC join the domain itself. Not even wbinfo -u and wbinfo -t are working. Only wbinfo -g returns:
BUILTIN/users
BUILTIN/administrators
I was able to get the PDC to join the domain (net rpc join) only after an upgrade of the samba packages through an apt-get install of the samba packages themselves.
I saw during the process that the system performed something like an initialization of passdb.tdb and secrets.tdb, putting all the system and LDAP users (recovered from the LDAP DB) into them.
After this join I tried to change some UIDs in the LDAP DB, but the OS was still taking the UID from passdb.tdb and not the new one I updated in LDAP.
I'm wondering if this is correct and, if so, how to reproduce this kind of initialization. Each time I'm trying to start from scratch and understand the way it works by deleting all the content of the samba files (/var/lib/samba and /var/run/samba).
As far as I know, samba + LDAP should rely only on the LDAP DB, except for the LDAP admin DN password, which should be saved in secrets.tdb with the smbpasswd -w command. I understood that no use of passdb.tdb is made in an LDAP config. Correct me if I'm wrong please.
I used the smbldap tools to populate LDAP.
I need the PDC to use winbind and idmap itself to get the UID and GID of domain users so that everything is aligned.
If I put the ldap parameter in /etc/nsswitch.conf, the resolution of UID and GID works perfectly (getent passwd and group). If I put winbind, it does not work.
This is my config:
[global]
log level = 100
workgroup = DOMAIN
server string = %h New Samba server
wins support = yes
dns proxy = no
interfaces = eth0
bind interfaces only = true
log file = /var/log/samba/log.%m
max log size = 10000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
passdb backend = ldapsam:ldap://localhost:389
ldap suffix = dc=domain,dc=locale
ldap delete dn = yes
ldap admin dn = cn=admin,dc=domain,dc=locale
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap passwd sync = Yes
ldapsam:trusted=yes
ldapsam:editposix=yes
idmap alloc backend = ldap
idmap alloc config:ldap_url = ldap://localhost:389/
idmap alloc config:ldap_base_dn = ou=Idmap,dc=domain,dc=locale
idmap backend = ldap:ldap://localhost:389
idmap uid = 10000-20000
idmap gid = 500-20000
idmap domains = BUILTIN DOMAIN
idmap config DOMAIN:backend = ldap
idmap config DOMAIN:readonly = no
idmap config DOMAIN:default = yes
idmap config BUILTIN:backend = ldap
idmap config BUILTIN:readonly = no
idmap config BUILTIN:default = no
template shell = /bin/bash
template homedir = /home/users/%U
obey pam restrictions = no
guest account = nobody
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
lanman auth = no
unix password sync = no
pam password change = no
map to guest = bad user
domain logons = yes
logon path = \\%L\profiles\%U\.win-profile\%a
logon drive = H:
logon home = \\%L\profiles\%U\.win-profile\%a
logon script = %m.bat
socket options = TCP_NODELAY
domain master = yes
preferred master = yes
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = no
winbind separator = /
usershare allow guests = yes
Any hint?
Thank you all.
Bye,
Marcello
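Added here as an example, not the poster's code and not Samba's own tooling: a small checker for the idmap parameters in an smb.conf [global] section, run against a constructed, cut-down copy of the configuration above. It reports the legacy idmap backend/uid/gid parameters being mixed with the per-domain "idmap config" style, domains listed in "idmap domains" that lack a backend or range, and allocation ranges that reach into the local system id space; the 1000 ceiling is an assumed value, and these are hygiene findings rather than a diagnosis of the join failure.

```python
import re

# Constructed sample: a cut-down copy of the configuration posted above.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = DOMAIN
   passdb backend = ldapsam:ldap://localhost:389
   idmap backend = ldap:ldap://localhost:389
   idmap uid = 10000-20000
   idmap gid = 500-20000
   idmap domains = BUILTIN DOMAIN
   idmap config DOMAIN:backend = ldap
   idmap config BUILTIN:backend = ldap
"""

def parse_global(text):
    """Return {key: value} for the [global] section; keys lowercased, spaces collapsed."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params

def parse_range(value):
    """Parse 'LOW-HIGH' into (low, high); None if the value is not a range."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    return (int(m.group(1)), int(m.group(2))) if m else None

def check_idmap(params, local_id_ceiling=1000):
    """Hygiene findings for the idmap parameters; 1000 is an assumed local id ceiling."""
    findings = []
    domains = params.get("idmap domains", "").split()
    if domains and any(k in params for k in ("idmap backend", "idmap uid", "idmap gid")):
        findings.append("legacy idmap backend/uid/gid mixed with per-domain idmap config")
    for dom in domains:
        for attr in ("backend", "range"):
            if f"idmap config {dom.lower()}:{attr}" not in params:
                findings.append(f"{dom}: no {attr}")
    for key in ("idmap uid", "idmap gid"):
        rng = parse_range(params.get(key, ""))
        if rng and rng[0] < local_id_ceiling:
            findings.append(f"{key} starts below {local_id_ceiling}, may collide with local ids")
    return findings
```

Running check_idmap(parse_global(open("/etc/samba/smb.conf").read())) prints the same findings for a live file; an empty list means none of the three checks fired.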