Hi, I have been trying to work this out on my own now for about a week
and feel like I am so close..haha. I have samba setup as a PDC and in
theory authenticating users through openLDAP with the use of
smbldap-tools by IDEALX. I have checked the windows registry fix, but
still no luck. When I try to join the domain as root, I get the error:
"Username could not be found"
Any help would be greatly, greatly appreciated as I am at the end of my
time to get this job done. I don't need encryption and don't mind if
everything is plain text..(security not issue yet)
I have included all configs i believe are important (minus the comments
to make them shorter) please let me know if I can provide anything
else!
Thank you in advance for your time,
Ryan Taylor
rtaylor82@gmail.com
****************************** *******************
/ETC/SAMBA/SMB.CONF
**************************************************
#======================= Global Settings
====================================[global]
workgroup = BEEFY-NT
netbios name = PDC-SRV
#enable privileges = yes
interfaces = 192.168.0.69 <http://192.168.0.69/>
username map = /etc/samba/smbusers
server string = Samba Server %v
security = user
encrypt passwords = Yes
min passwd length = 3
obey pam restrictions = No
#unix password sync = Yes
#passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
#passwd chat = "Changing password for*\nNew password*" %n\n
"*Retype
new password*" %n\n"
ldap passwd sync = Yes
log level = 2
syslog = 2
log file = /var/log/samba/log.%m
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
logon script = logon.bat
logon drive = H:
logon home logon path
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
# passdb backend = ldapsam:"ldap://127.0.0.1/
ldap://slave.beefylinux.com" <ldap://slave.beefylinux.com%22>
# ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
ldap admin dn = cn=Manager,dc=beefylinux,dc=com
ldap suffix = dc=beefylinux,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
#ldap ssl = start_tls
add user script = /usr/local/sbin/smbldap-useradd =m "%u"
ldap delete dn = Yes
#delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
#delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u"
"%g"
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x
"%u" "%g"
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g"
"%u"
# printers configuration
printer admin = @"Print Operators"
load printers = Yes
create mask = 0640
directory mask = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile
folders:
preserve case = yes
short preserve case = yes
case sensitive = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no
[homes]
comment = repertoire de %U, %u
read only = No
create mask = 0644
directory mask = 0775
browseable = no
[netlogon]
path = /home/netlogon/
browseable = No
read only = yes
[profiles]
path = /home/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
# next line allows administrator to access all profiles
valid users = %U @"Domain Admins"
[printers]
comment = Network Printers
printer admin = @"Print Operators"
guest ok = yes
printable = yes
path = /home/spool/
browseable = No
read only = Yes
printable = Yes
print command = /usr/bin/lpr -P%p -r %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
[print$]
path = /home/printers
printer admin = @"Print Operators"
guest ok = yes
browseable = Yes
read only = Yes
valid users = @"Printer Operators"
write list = @"Print Operators"
create mask = 0664
directory mask = 0775
[public]
comment = Repertoire public
path = /home/public
browseable = Yes
guest ok = Yes
read only = No
directory mask = 0775
create mask = 0664
*************************************************
/etc/LDAP.CONF
*************************************************
# @(#)$Id: ldap.conf,v 1.34 2004/09/16 23:32:02 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
host 127.0.0.1 <http://127.0.0.1/>
base dc=beefylinux,dc=com
rootbinddn cn=manager,ou=DSA,dc=beefylinux,dc=com
nss_base_passwd ou=Users,dc=beefylinux,dc=com?one
nss_base_passwd ou=Computers,dc=beefylinux,dc=com?one
nss_base_shadow ou=Users,dc=beefylinux,dc=com?one
nss_base_group ou=Groups,dc=beefylinux,dc=com?one
ssl no
pam_password md5
*******************************************************
/etc/openldap/ldap.conf
*******************************************************
HOST 127.0.0.1 <http://127.0.0.1/>
BASE dc=beefylinux,dc=com
TLS_REQCERT allow
/etc/openldap/slapd.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
access to *
by * read
database bdb
suffix "dc=beefylinux,dc=com"
rootdn "cn=Manager,dc=beefylinux,dc=com"
rootpw jomomma2
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
***************************************************************
/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf
***************************************************************
slaveDN="cn=Manager,dc=beefylinux,dc=com"
slavePw="jomomma2"
masterDN="cn=Manager,dc=beefylinux,dc=com"
masterPw="jomomma2"
***************************************************************
/etc/opt/IDEALX/smbldap-tools/smbldap.conf
***************************************************************
SID="S-1-5-21-1950905915-4285831572-4043287157"
sambaDomain="BEEFY-NT"
slaveLDAP="127.0.0.1 <http://127.0.0.1/>"
slavePort="389"
masterLDAP="127.0.0.1 <http://127.0.0.1/>"
masterPort="389"
ldapTLS="0"
verify="optional"
#cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.pem"
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.key"
suffix="dc=beefylinux,dc=com"
usersdn="ou=Users,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for
computersdn
computersdn="ou=Computers,${suffix}"
# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for
groupsdn
groupsdn="ou=Groups,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member
server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for
idmapdn
idmapdn="ou=Users,${suffix}"
# Where to store next uidNumber and gidNumber available for new users
and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=BEEFY-NT,${suffix}"
# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"
# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
# Default mode used for user homeDirectory
userHomeDirectoryMode="700"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line
if
# you don't want password to be enable for defaultMaxPasswordAge days
(be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon
home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\PDC-SRV\%U"
# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon
path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\PDC-SRV\profiles\%U"
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under
dos
userScript="logon.bat"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com <http://idealx.com/>"
mailDomain="beefylinux.com <http://beefylinux.com/>"
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
# Allows not to use smbpasswd (if with_smbpasswd == 0 in
smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
#smbpasswd="/opt/IDEALX/sbin/smbldap-passwd"
smbpasswd="/usr/bin/smbpasswd"
# Allows not to use slappasswd (if with_slappasswd == 0 in
smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
# comment out the following line to get rid of the default banner
# no_banner="1"
*************************************************************
OTHER IMPORTANT INFORMATION
*************************************************************
[root@beefylinux certs]# vi /etc/nsswitch.conf
[root@beefylinux certs]# net getlocalsid
SID for domain PDC-SRV is: S-1-5-21-1950905915-4285831572-4043287157
[root@beefylinux certs]# ldapsearch -x "uid=root"
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: uid=root
# requesting: ALL
#
# root, Users, beefylinux.com <http://beefylinux.com/>
dn: uid=root,ou=Users,dc=beefylinux,dc=com
cn: root
sn: root
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: root
uidNumber: 0
homeDirectory: /home/root
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaHomePath: \\PDC-SRV\root
sambaHomeDrive: H:
sambaProfilePath: \\PDC-SRV\profiles\root
sambaPrimaryGroupSID: S-1-5-21-1950905915-4285831572-4043287157-512
sambaSID: S-1-5-21-1950905915-4285831572-4043287157-500
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaPwdCanChange: 1128448503
sambaPwdMustChange: 2147483647
sambaPasswordHistory:
00000000000000000000000000000000000000000000000000000000
00000000
sambaPwdLastSet: 1128448503
sambaAcctFlags: [U ]
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@beefylinux certs]# net groupmap list
Domain Admins (S-1-5-21-1950905915-4285831572-4043287157-512) -> 512
Domain Users (S-1-5-21-1950905915-4285831572-4043287157-513) -> 513
Domain Guests (S-1-5-21-1950905915-4285831572-4043287157-514) -> 514
Domain Computers (S-1-5-21-1950905915-4285831572-4043287157-515) -> 515
Administrators (S-1-5-32-544) -> 544
Account Operators (S-1-5-32-548) -> 548
Print Operators (S-1-5-32-550) -> 550
Backup Operators (S-1-5-32-551) -> 551
Replicators (S-1-5-32-552) -> 552
*****************************************************************
Sorry for the long message, but again any help?? Thankyou!
On Tuesday 04 October 2005 15:49, Ryan Taylor wrote:> Hi, I have been trying to work this out on my own now for about a week > and feel like I am so close..haha. I have samba setup as a PDC and in > theory authenticating users through openLDAP with the use of > smbldap-tools by IDEALX. I have checked the windows registry fix, but > still no luck. When I try to join the domain as root, I get the error: > "Username could not be found" > > Any help would be greatly, greatly appreciated as I am at the end of my > time to get this job done. I don't need encryption and don't mind if > everything is plain text..(security not issue yet) > > I have included all configs i believe are important (minus the comments > to make them shorter) please let me know if I can provide anything > else!Ryan, I spent a lot of time writing a book that documents how to make Samba-3 do what users want it to do. The book is called "Samba-3 by Example". It is available from Amazon.Com and has ISBN 013188221X. Alternatively, you can download the PDF from: http://www.samba.org/samba/docs/Samba3-ByExample.pdf Chapter 5 comprehensively documents Samba-3 plus OpenLDAP. If the information does not meet your needs please let me know so I can fix it. I dispise documentation that is inadequate or ineffective, so any help you can give me to make this book more useful and more helpful is most welcome. Cheers, John T.
Thank you to John Terpstra and his book "Samba-3 by Example" I have made great strides. Seems like I am one step away... which is getting the system to check ldap, which it seems to be ignoring. Has anyone has this problem? I ran "authconfig" and told it to you ldap as well as edited the nsswitch.confto "files ldap" where supposed to be. But every "getent" command just pulls system info and nothing from ldap... is this a redhat specific problem maybe? Thank you for suggestions, Ryan Taylor rtaylor82@gmail.com
More information... below is my log after running "getent group | grep Domain" thank you -ryan Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 fd=11 ACCEPT from IP127.0.0.1:32894 <http://127.0.0.1:32894> (IP=0.0.0.0:389<http://0.0.0.0:389> ) Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=0 BIND dn="cn=Manager,ou=DSA,dc=beefylinux,dc=com" method=128 Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=0 RESULT tag=97 err=49 textOct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=1 UNBIND Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 fd=11 closed Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 fd=11 ACCEPT from IP127.0.0.1:32895 <http://127.0.0.1:32895> (IP=0.0.0.0:389<http://0.0.0.0:389> ) Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=0 BIND dn="cn=Manager,ou=DSA,dc=beefylinux,dc=com" method=128 Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=0 RESULT tag=97 err=49 textOct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=1 UNBIND Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 fd=11 closed
On Wed, 2005-10-05 at 19:28 -0400, Ryan Taylor wrote:> More information... below is my log after running "getent group | grep > Domain" > thank you -ryan > > Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 fd=11 ACCEPT from IP> 127.0.0.1:32894 <http://127.0.0.1:32894> (IP=0.0.0.0:389<http://0.0.0.0:389> > ) > Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=0 BIND > dn="cn=Manager,ou=DSA,dc=beefylinux,dc=com" method=128 > Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=0 RESULT tag=97 err=49 > text> Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=1 UNBIND > Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 fd=11 closed > Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 fd=11 ACCEPT from IP> 127.0.0.1:32895 <http://127.0.0.1:32895> (IP=0.0.0.0:389<http://0.0.0.0:389> > ) > Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=0 BIND > dn="cn=Manager,ou=DSA,dc=beefylinux,dc=com" method=128 > Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=0 RESULT tag=97 err=49 > text> Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=1 UNBIND > Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 fd=11 closed---- err=49 means bad credentials smbpasswd -w Password_of_ldap_admin_as_defined_in_smb.conf Craig -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Hi, If you are using Fedora and have selinux enabled for your build, at the console "setenforce 0", and then try getent. If successful, I would suggest modifying selinux policy to accommodate the need for access. Just a thought, Guille -----Original Message----- From: samba-bounces+guillemw=hotmail.com@lists.samba.org [mailto:samba-bounces+guillemw=hotmail.com@lists.samba.org] On Behalf Of Ryan Taylor Sent: Wednesday, October 05, 2005 4:29 PM To: samba@lists.samba.org Subject: [Samba] SAMBA/PDC + LDAP HELP please? More information... below is my log after running "getent group | grep Domain" thank you -ryan Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 fd=11 ACCEPT from IP127.0.0.1:32894 <http://127.0.0.1:32894> (IP=0.0.0.0:389<http://0.0.0.0:389> ) Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=0 BIND dn="cn=Manager,ou=DSA,dc=beefylinux,dc=com" method=128 Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=0 RESULT tag=97 err=49 textOct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=1 UNBIND Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 fd=11 closed Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 fd=11 ACCEPT from IP127.0.0.1:32895 <http://127.0.0.1:32895> (IP=0.0.0.0:389<http://0.0.0.0:389> ) Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=0 BIND dn="cn=Manager,ou=DSA,dc=beefylinux,dc=com" method=128 Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=0 RESULT tag=97 err=49 textOct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=1 UNBIND Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 fd=11 closed -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Gerald (Jerry) Carter
2005-Oct-07 18:46 UTC
wiki.samba.org ? [was Re: [Samba] Re: SAMBA/PDC + LDAP HELP please? => For your profiles.]
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Tomasz Chmielewski wrote:> Gerald (Jerry) Carter schrieb: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Craig White wrote: >> >> >>> I wonder if having some sort of wiki on samba web site wouldn't be >>> useful for things like logon scripts and registry settings to be >>> shared/discussed so they had their own longevity and current >>> appropriateness as email archives don't often reflect the changing >>> nature of things and sometimes the samba documentation has different >>> objectives. >> >> >> We've talked about it before but there is a fear that a >> wiki would turn into a propogation mechanism for Samba >> urban legends. Someone (or a team of people) would need >> act as editors. Truthfully, if it were done right, it >> would be probably be a good thing. But if it weren't >> it would be a really bad thing. >> >> It's definitley too much for the developers to take on. > > IMHO Samba wiki could be a great source of info for both new and > advanced users. > > Why should Samba wiki turn into something bad, if lots of other open > source projects have wikis too, and they are useful?:-) We have a tremendous amount of urban legend on this list. Just count the number of times someone as suggested the sign-n-seal registry file for XP clients using a Samba 3.0.x server. But we have at least one volunteer, Craig. And I told him I would look into it. So we'll see what happens. Anyone else interested in monitoring/editing a wiki to ensure accurate information? cheers, jerry -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDRsHpIR7qMdg1EfYRAqDnAKC2y+4gW5ZawOjSQ4V/h9RFEAlWkgCg1h4I 5KHpupjaqWNbMKZa95guBJ0=tieJ -----END PGP SIGNATURE-----