[Samba] LDAP issues
Alex Moen
alexm at ndtel.com
Thu Jan 26 10:59:24 MST 2012
On Jan 26, 2012, at 10:55 AM, Jürgen Echter wrote:
> On 26.01.2012 17:51, Alex Moen wrote:
>> Forgot to add... If I create a Unix account, and add it to the
>> local smbpasswd subsystem, it works fine. I can log in using the
>> credentials that I create. So, samba is working, and linux/ldap is
>> working, but samba/ldap has issues...
>>
>> On Jan 26, 2012, at 9:54 AM, Alex Moen wrote:
>>
>>> Centos 6
>>> Samba 3
>>> smbldap-tools installed.
>>>
>>> LDAP directory not on local host.
>>>
>>> Example user LDIF:
>>>
>>> dn: uid=testuser@mydomain.com,ou=mydomain,o=ndtc
>>> mailHost: mailserver.mydomain.com
>>> loginShell: /bin/bash
>>> gidNumber: 500
>>> uidNumber: 53112
>>> uid: testuser@mydomain.com
>>> sn: user
>>> cn: test user
>>> mail: testuser@mydomain.com
>>> homeDirectory: /cust/mydomain/users/testuser
>>> gecos: test user,,662-6123
>>> objectClass: mirapointmailuser
>>> objectClass: inetorgperson
>>> objectClass: posixAccount
>>> objectClass: shadowAccount
>>> objectClass: sambaSAMAccount
>>> sambaLogonTime: 0
>>> sambaLogoffTime: 2147483647
>>> sambaKickoffTime: 2147483647
>>> sambaPwdCanChange: 0
>>> sambaSID: S-1-5-21-3311107553-3899660464-2674327009-107224
>>> sambaAcctFlags: [UX]
>>> sambaHomeDrive: F:
>>> sambaHomePath: \\ndtc-fs\cust\mydomain\users
>>> sambaPwdLastSet: 1327615956
>>> sambaPwdMustChange: 2147483647
>>>
>>> getent passwd shows:
>>>
>>> testuser@mydomain.com:x:53112:500:test user,,662-6123:/cust/mydomain/users/testuser:/bin/bash
>>>
>>> I can ssh to the server with this account. So, the linux/ldap
>>> stuff seems to work properly.
>>>
>>> However, I cannot connect with the smb proto. Continue to get a
>>> username/password prompt.
>>>
>>> My suspicion is the "@" in the uid, which as I understand it, in
>>> the windoze world signifies a group... I think I am confusing
>>> something in the process.
>>>
>>> My question is: can Samba be configured to append the
>>> "@mydomain.com" to the username, then authenticate the user? So
>>> the user could use the testuser login via the windoze login and
>>> drive mapping processes, but Samba would actually use
>>> testuser@mydomain.com to authenticate?
>>>
>>> All these accounts are already in use in the LDAP directory, and
>>> so the uid cannot be changed.
>>>
>>> lmk if there's anything else needed here... I'm willing to share
>>> configs, command outputs, etc. to get this solved.
>>>
>>> TIA!
>>>
>>
> Sounds as if samba isn't using LDAP properly.
>
> Would you mind showing us your config?
>
> greets
>
> juergen
Sure! Here it is:
[global]
    workgroup = A36561
    server string = My File Server
    netbios name = NDTC-FS
    interfaces = lo eth1
    log file = /var/log/samba/log.%m
    max log size = 50
    ldap debug level = 1
    ldap debug threshold = 5
    log level = 3 all:5
    security = user
    passdb backend = ldapsam:ldap://66.163.128.204
    ldap suffix = ou=mydomain,o=ndtc
    ldap machine suffix = ou=People
    ldap usersuffix = ou=People
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=admin,o=ndtc
    ldap ssl = off
    domain master = yes
    domain logons = yes
    wins support = yes
    load printers = yes
    cups options = raw

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[groups]
    comment = Group Directories
    path = /cust/mydomain/groups
    guest ok = no
    writable = yes

[share]
    comment = Share space
    path = /cust/mydomain/share
    public = yes
    writeable = yes
    read only = no
    printable = no
    write list = +users
    force create mode = 660
    force directory mode = 770
    force user = nobody
    force group = nobody

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes
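As an added diagnostic aid (not from this thread and not Samba's own code), the Python script below takes the LDAP settings from the posted smb.conf and the posted user entry, both embedded as constructed samples, derives the search base ldapsam builds from "ldap suffix" and "ldap user suffix" (ldapsam searches the subtree under that base), and reports whether the entry lies under it and whether the attributes ldapsam needs (objectClass sambaSamAccount, sambaSID, sambaAcctFlags, sambaNTPassword) are present. A missing sambaNTPassword may simply mean the hash was left out of the paste.

```python
import re

# Constructed from the thread: the relevant [global] lines of the posted smb.conf
SMB_CONF = """[global]
passdb backend = ldapsam:ldap://66.163.128.204
ldap suffix = ou=mydomain,o=ndtc
ldap usersuffix = ou=People
"""
# Constructed from the thread: the posted entry (no password hashes were shown)
USER_LDIF = """dn: uid=testuser@mydomain.com,ou=mydomain,o=ndtc
objectClass: posixAccount
objectClass: sambaSAMAccount
sambaSID: S-1-5-21-3311107553-3899660464-2674327009-107224
sambaAcctFlags: [UX]
"""

def parse_global(text):
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line and not line.startswith(("#", ";")):
            key, value = line.split("=", 1)
            # Samba matches parameter names ignoring case and whitespace,
            # so "ldap usersuffix" is read as "ldap user suffix"
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def parse_ldif(text):
    entry = {}
    for line in text.splitlines():
        if ":" in line:
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def user_search_base(params):
    # ldapsam looks users up (subtree) under "ldap user suffix" + "ldap suffix"
    suffix, user = params.get("ldapsuffix", ""), params.get("ldapusersuffix", "")
    return f"{user},{suffix}" if user else suffix

def check_entry(params, entry):
    norm_dn = lambda s: re.sub(r"\s*,\s*", ",", s.strip()).lower()
    base, dn = norm_dn(user_search_base(params)), norm_dn(entry["dn"][0])
    problems = [] if dn.endswith("," + base) else [f"{dn} is outside user search base {base}"]
    if "sambasamaccount" not in {c.lower() for c in entry.get("objectclass", [])}:
        problems.append("missing objectClass sambaSamAccount")
    problems += [f"missing attribute {a}" for a in ("sambasid", "sambaacctflags", "sambantpassword") if a not in entry]
    return problems
```

Run it with `print(check_entry(parse_global(SMB_CONF), parse_ldif(USER_LDIF)))` to see the findings for the posted entry.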