No This is just the section of the SMB.conf which I thought was relavent to the
LDAP/idmap issue I'm having. My samba server is a member of and AD domain
for which everything else seems to work ok, ie can logon using kerberos
authentication, set permissions against domain users/groups etc. My complete
smb.conf global sections is below,
thanks Andy.
# workgroup = NT-Domain-Name or Workgroup-Name, eg: REDHAT4
workgroup = TESTLAN
# server string is the equivalent of the NT Description field
server string = sun29
# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the HOWTO Collection for details.
security = ads
encrypt passwords = yes
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
; hosts allow = 192.168. 192.168.2. 127.
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
load printers = yes
# you may wish to override the location of the printcap file
; printcap name = /etc/printcap
# on SystemV system setting printcap name to lpstat should allow
# you to automatically obtain a printer list from the SystemV spool
# system
; printcap name = lpstat
# It should not be necessary to specify the print system type unless
# it is non-standard. Currently supported print systems include:
# bsd, cups, sysv, plp, lprng, aix, hpux, qnx
; printing = cups
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
log file = /usr/local/samba/var/log.%m
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Use password server option only with security = server
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
; password server = <NT-Server-Name>
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
realm = TESTLAN.BBC.CO.UK
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
passdb backend = tdbsam
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
# Note: Consider carefully the location in the configuration file of
# this line. The included file is read at that point.
; include = /usr/local/samba/lib/smb.conf.%m
# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO
Collection
# and the manual pages for details.
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24
# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
; local master = no
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
; os level = 33
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
; domain master = yes
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
; preferred master = yes
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
; domain logons = yes
# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
; logon script = %U.bat
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS
Server
; wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
wins server = 192.168.1.1
# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
dns proxy = no
ldap admin dn =
"uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
ldap ssl = off
; ldap suffix = "dc=testlan,dc=bbc,dc=co,dc=uk"
winbind separator = +
winbind cache time = 10
template shell = /bin/sh
; template homedir = /home/%D/%U
idmap backend = ldap:ldap://bbcwwp-sun24.testlan.bbc.co.uk:389
ldap idmap suffix = ou=idmap,dc=testlan,dc=bbc,dc=co,dc=uk
ldap group suffix = ou=idmap,dc=testlan,dc=bbc,dc=co,dc=uk
ldap user suffix = ou=idmap,dc=testlan,dc=bbc,dc=co,dc=uk
ldap machine suffix = ou=idmap,dc=testlan,dc=bbc,dc=co,dc=uk
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@samba.org]
Sent: 10 November 2003 21:35
To: ww m-pubsyssamba
Cc: samba@lists.samba.org
Subject: Re: [Samba] LDAP IDMAP not working
On Tue, 2003-11-11 at 00:08, ww m-pubsyssamba wrote:> Hi all,
>
> anyone able to point out why I'm not able to get samba 3.0.0 to update
my LDAP server with any idmap data? I'm using SunOne DS 5.2 LDAP server and
the following entries in my smb.conf file,
>
> ldap admin dn =
"uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
> ldap ssl = off
> ; ldap suffix = "dc=testlan,dc=bbc,dc=co,dc=uk" ** have tried
with this attribute on and off **
> winbind separator = +
> winbind cache time = 10
> template shell = /bin/sh
> ; template homedir = /home/%D/%U
> idmap backend = ldap:ldap://bbcwwp-sun24.testlan.bbc.co.uk:389
> ldap idmap suffix = ou=idmap,dc=testlan,dc=bbc,dc=co,dc=uk
> ldap group suffix = ou=idmap,dc=testlan,dc=bbc,dc=co,dc=uk
> ldap user suffix = ou=idmap,dc=testlan,dc=bbc,dc=co,dc=uk
> ldap machine suffix = ou=idmap,dc=testlan,dc=bbc,dc=co,dc=uk
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
>
> I've successfully updated the schema with the samba bits and have
tested the admin account specified in the smb.conf using ldapsearch. I've
created both a root and admin account using smbpasswd with the correct password
for the admin account (I wasn't clear which account should be used from the
samba documentation). But my idmap OU is empty, and to be honest I can't
even see any attempts to access the LDAP server from its access logs (excepting
when testing using ldapsearch). Any help would be appreciated,
Is that the whole smb.conf? When Samba is a DC, or a standalone server,
it doesn't use IDMAP for local accounts. (Something that changed over
the course of the idmap design and implementation)
Andrew Bartlett
--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
BBCi at http://www.bbc.co.uk/
This e-mail (and any attachments) is confidential and may contain personal views
which are not the views of the BBC unless specifically
stated.
If you have received it in error, please delete it from your system. Do not use,
copy or disclose the information in any way nor act in
reliance on it and notify the sender immediately. Please note that the BBC
monitors e-mails sent or received.
Further communication will signify your consent to this.