[Samba] confusion and problem with Samba v3.3.8 as PDC with ldapsam backend

Dimitri Yioulos dyioulos at firstbhph.com
Tue Jan 18 15:05:23 MST 2011


On Tuesday 18 January 2011 4:39:39 pm Alex Crow wrote:
> On 18/01/11 21:08, Jon Detert wrote:
> > On Tue, Jan 18, 2011 at 2:35 PM, Gaiseric
> > Vandal
> >
> > <gaiseric.vandal at gmail.com>  wrote:
> >> Nt- I don't use the "ldapsam:editposix"
> >> option myself, if I understand it correctly
> >> it means you don't have to precreate the
> >> underlying unix accounts.
> >
> > That is my understanding as well.  I've never
> > used it before, however.
>
> I've not tried it, I'm not even sure if it
> really works. Has anyone on the list used such
> a config in production?
>
> >> However,  I believe you still need to do the
> >> following
> >>
> >>     Create a samba Administrator account
> >>     Create samba Domain Admins and Domain
> >> Users groups. Explicitly specify the uid or
> >> username for the "guest" user. Set ldap
> >> password for the idmap backend (net idmap
> >> secret thedomain  xxxx )
> >
> > the log messages tend to support this belief.
>
> You can create them yourself, but if you want
> an easier life, see the end of this post
> (smbldap-tools)
>
> >> "smbpasswd -w" sets the ldap password samba
> >> to access ldap for users and groups. But
> >> idmap needs the ldap password set as well
> >> eg.
>
> It doesn't. smbpasswd -w is sufficient.
>
> > I don't understand that.  There is no
> > separate idmap process, afaik. Why can't the
> > 'idmap' functionality get the same ldap
> > credentials that smbd and winbindd evidently
> > get from the smb.conf and the secrets.tdb
> > files?
> >
> >>         net idmap secret MYDOMAIN  xxxx
> >>     net idmap secret alloc  xxxx
>
> You do *not* need this if you are not using
> explicit idmap alloc, just the default idmap
> range. idmap alloc is apparently not working.
>
> > In any case, I tried the above, and got the
> > same error for both commands:
> >
> > "The only currently supported backend is
> > LDAP"
> >
> > My smb.conf has a line expressly saying
> > "idmap backend = ldap:ldap://localhost".  
> > Does smbd have to be running before running
> > the 'net idmap' commands?  If so, I'm
> > screwed, cuz now that I fixed the 'out=IDmap'
> > typo, smbd dies immediately after trying to
> > start it.
>
> You should leave the config as is.
>
> smbd really should not die. Are you sure smbd
> is not still running? Did you join your own
> domain on the PDC (eg net rpc join -S
> localhost)?
>
> > Ideas?
> >
> > Thanks,
> >
> > Jon
>
> I think you need to use the smbldap-tools. Once
> configured correctly they will prepopulate your
> LDAP tree for you. There should be packages
> in the repos for most distros.
>
> Cheers
>
> Alex
>


I'd underscore Alex's last comment - use 
smbldap-tools.  

A lot of tutorials have you add an smb.conf 
directives such as:

add user script = /usr/local/sbin/smbldap-useradd -m %u

If you install the tools via RPM, change those 
directives to read:

add user script = /usr/sbin/smbldap-useradd -m %u

Again, HTH.

Dimitri
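An added check, not part of this thread or of smbldap-tools, for the path mismatch Dimitri describes: it pulls every "... script = /abs/path" directive out of smb.conf and verifies the program exists and is executable before smbd ever needs it. The smb.conf content it builds is a constructed sample (hypothetical values) modelled on the directives above.

```shell
#!/bin/sh
# Added example, not part of the thread: verify that every "<something> script"
# directive in smb.conf points at an absolute path that exists and is executable.
# This catches the /usr/local/sbin vs /usr/sbin smbldap-tools mismatch, which
# otherwise only surfaces when smbd tries to add a user or machine account.

# Print one "directive=path" line per "... script = /abs/path ..." directive.
# Relative values such as "logon script = logon.bat" are skipped on purpose:
# they name files in the netlogon share, not programs smbd runs on the server.
smbconf_script_paths() {
    sed -n 's/^[[:space:]]*\([a-z ]*script\)[[:space:]]*=[[:space:]]*\(\/[^[:space:]]*\).*/\1=\2/p' "$1"
}

# Return 0 when all script paths are executable; otherwise list the bad
# ones on stdout and return 1.
check_smbconf_scripts() {
    missing=$(smbconf_script_paths "$1" | while IFS='=' read -r directive path; do
        [ -x "$path" ] || printf '%s -> %s (missing or not executable)\n' "$directive" "$path"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample smb.conf (hypothetical content) modelled on the
# directives discussed above; $2 is the directory the smbldap-tools live in.
make_sample_conf() {
    cat > "$1" <<EOF
[global]
    workgroup = MYDOMAIN
    passdb backend = ldapsam:ldap://localhost
    add user script = $2/smbldap-useradd -m %u
    add group script = $2/smbldap-groupadd -p %g
    logon script = logon.bat
EOF
}

# Stand-alone run: check the live config if present, else the constructed one.
if [ -r /etc/samba/smb.conf ]; then
    check_smbconf_scripts /etc/samba/smb.conf
else
    tmpconf=$(mktemp)
    make_sample_conf "$tmpconf" /usr/local/sbin
    check_smbconf_scripts "$tmpconf"
    rm -f "$tmpconf"
fi
```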





