Hello and happy new year :)

I have to set up a samba server as a PDC with an openldap backend. My openldap server is fully functional and it is not secured yet (so no problems with tls). I must use debian etch or lenny.
My server's IP is 192.168.9.10/24. I have set up a dns server (bind9) for my domain named "mik". It's a local domain for testing only. Here is a piece of the configuration file of bind:

pdc                   A        192.168.9.10
_ldap._tcp.dc._msdcs  IN CNAME pdc

This permits windows clients to find the pdc. When I try to join the domain under linux, it fails. I try with "net join mik -U root" on the pdc (no other pc than the pdc to test) and it returns:

Creation of workstation account failed
Unable to join domain MIK.

Here are the logs:

/var/log/samba/log.pdc :
[2008/01/01 11:44:47, 2] lib/smbldap.c:smbldap_open_connection(786)
  smbldap_open_connection: connection opened
[2008/01/01 11:44:47, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: root
[2008/01/01 11:44:47, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2008/01/01 11:44:49, 0] passdb/pdb_interface.c:pdb_default_create_user(329)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "pdc$"' gave 9

smbldap-useradd returns 9 when the user already exists in the directory, but it does not change anything if I delete it. It returns 0 (no problems) but joining the domain fails again. root authentication is ok: the log is produced with the correct password; I tried with a wrong password and it told me that the password is bad, so the authentication is ok.

/var/log/samba/log.192.168.9.10 :
[2008/01/01 11:44:46, 2] lib/smbldap.c:smbldap_open_connection(786)
  smbldap_open_connection: connection opened
[2008/01/01 11:44:46, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
  get_md4pw: Workstation PDC$: no account in domain
[2008/01/01 11:44:46, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
  _net_auth2: failed to get machine password for account PDC$: NT_STATUS_ACCESS_DENIED

I don't know why it tries to find a password for a workstation. It does not make sense to me.

It seems to be a known problem but still no answers. You can find my configuration files in the attachments ;)

Here are the versions used of samba, openldap and smbldap-tools:

samba:
  Installed: 3.0.28-1~lenny1
  Candidate: 3.0.28-1~lenny1
  Version table:
 *** 3.0.28-1~lenny1 0
        500 http://security.debian.org lenny/updates/main Packages
        100 /var/lib/dpkg/status
     3.0.27a-1 0
        500 http://ftp.fr.debian.org lenny/main Packages

slapd:
  Installed: 2.3.38-1+lenny1
  Candidate: 2.3.38-1+lenny1
  Version table:
 *** 2.3.38-1+lenny1 0
        500 http://security.debian.org lenny/updates/main Packages
        100 /var/lib/dpkg/status
     2.3.38-1 0
        500 http://ftp.fr.debian.org lenny/main Packages

smbldap-tools:
  Installed: 0.9.4-1
  Candidate: 0.9.4-1
  Version table:
 *** 0.9.4-1 0
        500 http://ftp.fr.debian.org lenny/main Packages
        100 /var/lib/dpkg/status

Maybe one clue: the slapd log tells me that some keys are not indexed. I don't think that it hurts (this is just for performance?).

Do you have some tip to make the pdc functional? If you need more information, please do not hesitate to ask.
Best regards,

Michaël Todorovic

-------------- next part --------------
# Global parameters
[global]
workgroup = mik
netbios name = PDC
security = user
enable privileges = yes
server string = Samba Server %v
encrypt passwords = Yes
min passwd length = 3

unix password sync = yes
ldap passwd sync = yes
passwd program = /usr/sbin/smbldap-passwd -u "%u"
passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

log level = 2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1

logon script = logon.bat
logon drive = H:
logon home =
logon path =

domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=admin,dc=mik
ldap suffix = dc=mik
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

# printers configuration
#printer admin = @"Print Operators"
load printers = Yes
create mask = 0640
directory mask = 0750
#force create mode = 0640
#force directory mode = 0750
nt acl support = No
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no

[netlogon]
path = /pdc/samba/netlogon/
browseable = No
read only = no

[profiles]
path = /pdc/samba/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
# next line allows administrator to access all profiles
valid users = %U "Domain Admins"

[public]
path = /tmp
guest ok = yes
browseable = Yes
writable = yes

-------------- next part --------------
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        none

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb
checkpoint 512 30

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend        <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=mik"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn          "cn=admin,dc=mik"
rootpw          {SSHA}wDFytSLjQhvYo1aiIXXRXKYtnwAk6Fkk

# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index           objectClass eq
index           cn pres, sub, eq
index           memberUid eq, subinitial
index           sambaSID eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange
        by dn="cn=admin,dc=mik" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=mik" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=mik" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database       <other>

# The base of your directory for database #2
#suffix         "dc=debian,dc=org"

-------------- next part --------------
# $Source: $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
# USA.

# Purpose :
#       . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-2693224835-1467424543-666700523"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="MIK"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="127.0.0.1"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
#cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientcert="/etc/smbldap-tools/smbldap-tools.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientkey="/etc/smbldap-tools/smbldap-tools.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=mik"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/pdc/samba/users/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\PDC\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\PDC\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
#mailDomain="idealx.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="1"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"

-------------- next part --------------
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=admin,dc=mik"
slavePw="secret"
masterDN="cn=admin,dc=mik"
masterPw="secret"
Hello,

I have seen this behaviour myself on more than one occasion and for different reasons. It took some time to diagnose at first but it was an education :-)

The first thing to remember is that samba uses two methods to talk to ldap. As far as I remember, when you first issue the join, the client tries to log into the domain - this fails so it tries to create an account - this is done by samba using the method configured in smb.conf viz:

add machine script = /usr/sbin/smbldap-useradd -w "%u"

which itself uses a perl module to make the connection and which is configured by the smbldap_bind.conf and smbldap.conf.

Once the script has been called, samba checks that it worked using the nssldap libraries. Here, samba does the equivalent of:

getent passwd MyMachineName

Try running this - there are so many reasons it could fail - does it work from the command line? As you haven't included this in your description, I presume that it's the bit you overlooked. It is configured using ldap.conf - I found that these are in /etc and /etc/openldap so I hard linked to make one file.

I am going to work now - let us know if you need more help with that file.

Happy New Year!

Regards,
Quinn

On 01/01/2008, Michaël Todorovic <michael.todorovic@free.fr> wrote:
>
> Hello and happy new year :)
>
> I have to set up a samba server as a PDC with an openldap backend. My
> openldap server is fully functional and it is not secured yet (so no
> problems with tls). I must use debian etch or lenny.
> My server's IP is 192.168.9.10/24. I have set up a dns server (bind9)
> for my domain named "mik". It's a local domain for testing only. Here
> is a piece of the configuration file of bind :
> pdc A 192.168.9.10
> _ldap._tcp.dc._msdcs IN CNAME pdc
> This permits windows clients to find the pdc. When I try to join the
> domain under linux, it fails.
under dos > # Ex: userScript="startup.cmd" # make sure script file is edited under dos > userScript="logon.bat" > > # Domain appended to the users "mail"-attribute > # when smbldap-useradd -M is used > # Ex: mailDomain="idealx.com" > #mailDomain="idealx.com" > > > ############################################################################## > # > # SMBLDAP-TOOLS Configuration (default are ok for a RedHat) > # > > ############################################################################## > > # Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) > but > # prefer Crypt::SmbHash library > with_smbpasswd="1" > smbpasswd="/usr/bin/smbpasswd" > > # Allows not to use slappasswd (if with_slappasswd == 0 in > smbldap_conf.pm) > # but prefer Crypt:: libraries > with_slappasswd="0" > slappasswd="/usr/sbin/slappasswd" > > # comment out the following line to get rid of the default banner > # no_banner="1" > > > ############################ > # Credential Configuration # > ############################ > # Notes: you can specify two differents configuration if you use a > # master ldap for writing access and a slave ldap server for reading > access > # By default, we will use the same DN (so it will work for standard Samba > # release) > slaveDN="cn=admin,dc=mik" > slavePw="secret" > masterDN="cn=admin,dc=mik" > masterPw="secret" > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba >
Hello and sorry for the late answer,

I tried to change the "add machine script" line, but I don't think this is the solution: smbldap-useradd returns 0 when the computer does not exist in the LDAP directory. Even if I change the line, it always returns 9 when the computer account already exists.

getent passwd machine_account$ returns nothing because I don't use NSS or PAM for the moment. I'll try later, but the last time I tried LDAP/Samba, NSS worked like a charm :)

Joining the domain (for Windows clients) didn't work. I tried to search in phpLDAPadmin for the difference between a computer account and a user account. My computer account does not have any sambaSamAccount, just posixAccount! I think it cannot work like this because Windows clients need a sambaSamAccount. I tried to add the sambaSamAccount property to my computer account. phpLDAPadmin suggested that I put a sambaSID (SID + group number). I tried again to join the domain (with net join and a Windows client) and it worked!

Now I am looking for ways to modify the machine adding method in order to put sambaSamAccount automatically. I don't know if this is normal or if it's a bug, but it works :)

Thanks,
Regards,
Michaël Todorovic

-----------------------------------------
Quinn Fissler <qfissler@gmail.com> wrote:

Hello,

I have seen this behaviour myself on more than one occasion and for different reasons. It took some time to diagnose at first, but it was an education :-)

The first thing to remember is that Samba uses two methods to talk to LDAP.

As far as I remember, when you first issue the join, the client tries to log in to the domain - this fails, so it tries to create an account - this is done by Samba using the method configured in smb.conf, viz:

add machine script = /usr/sbin/smbldap-useradd -w "%u"

which itself uses a Perl module to make the connection and which is configured by smbldap_bind.conf and smbldap.conf.

Once the script has been called, Samba checks that it worked using the nssldap libraries. Here, Samba does the equivalent of:

getent passwd MyMachineName

Try running this - there are so many reasons it could fail - does it work from the command line? As you haven't included this in your description, I presume that it's the bit you overlooked.

It is configured using ldap.conf - I found that these are in /etc and /etc/openldap, so I hard linked to make one file.

I am going to work now - let us know if you need more help with that file.

Happy New Year!

Regards,
Quinn

On 01/01/2008, Michaël Todorovic <michael.todorovic@free.fr> wrote:
>
> Hello and happy new year :)
>
> I have to set up a samba server as a PDC with an openldap backend. My
> openldap server is fully functional and it is not secured yet (so no
> problems with tls). I must use debian etch or lenny.
> My server's IP is 192.168.9.10/24. I have set up a dns server (bind9)
> for my domain named "mik". It's a local domain for testing only. There
> is a piece of the configuration file of bind :
> pdc                     A       192.168.9.10
> _ldap._tcp.dc._msdcs    IN      CNAME   pdc
> This permits windows clients to find the pdc. When I try to join the
> domain under linux, it fails. I try with "net join mik -U root" on the
> pdc (no other pc than the pdc to test) and it returns :
> Creation of workstation account failed
> Unable to join domain MIK.
>
> Here are the logs :
> /var/log/samba/log.pdc :
> [2008/01/01 11:44:47, 2] lib/smbldap.c:smbldap_open_connection(786)
>   smbldap_open_connection: connection opened
> [2008/01/01 11:44:47, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
>   init_sam_from_ldap: Entry found for user: root
> [2008/01/01 11:44:47, 2] auth/auth.c:check_ntlm_password(309)
>   check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
> [2008/01/01 11:44:49, 0] passdb/pdb_interface.c:pdb_default_create_user(329)
>   _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "pdc$"' gave 9
>
> smbldap-useradd returns 9 when the user already exists in the directory
> but it does not change anything if I delete it. It returns 0 (no
> problems) but joining domain fails again. root authentication is ok :
> the log is produced with the correct password; I tried with a wrong
> password and it said me that the password is bad so the authentication
> is ok.
>
> /var/log/samba/log.192.168.9.10 :
> [2008/01/01 11:44:46, 2] lib/smbldap.c:smbldap_open_connection(786)
>   smbldap_open_connection: connection opened
> [2008/01/01 11:44:46, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
>   get_md4pw: Workstation PDC$: no account in domain
> [2008/01/01 11:44:46, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
>   _net_auth2: failed to get machine password for account PDC$: NT_STATUS_ACCESS_DENIED
>
> I don't know why it tries to find a password for a workstation. It does
> not make sense to me.
>
> It seems to be a known problem but still no answers. You can find my
> configuration files attached ;)
>
> Here are the versions used of samba, openldap and smbldap-tools :
> samba:
>   Installé : 3.0.28-1~lenny1
>   Candidat : 3.0.28-1~lenny1
>  Table de version :
>  *** 3.0.28-1~lenny1 0
>         500 http://security.debian.org lenny/updates/main Packages
>         100 /var/lib/dpkg/status
>      3.0.27a-1 0
>         500 http://ftp.fr.debian.org lenny/main Packages
>
> slapd:
>   Installé : 2.3.38-1+lenny1
>   Candidat : 2.3.38-1+lenny1
>  Table de version :
>  *** 2.3.38-1+lenny1 0
>         500 http://security.debian.org lenny/updates/main Packages
>         100 /var/lib/dpkg/status
>      2.3.38-1 0
>         500 http://ftp.fr.debian.org lenny/main Packages
>
> smbldap-tools:
>   Installé : 0.9.4-1
>   Candidat : 0.9.4-1
>  Table de version :
>  *** 0.9.4-1 0
>         500 http://ftp.fr.debian.org lenny/main Packages
>         100 /var/lib/dpkg/status
>
> Maybe one clue : slapd log says me that some keys are not indexed. I
> don't think that it hurts (this is just for performance ?)
>
> Do you have some tip to make the pdc functional ? If you need more
> information, please do not hesitate to ask.
> Best regards,
>
> Michaël Todorovic
>
> # Global parameters
> [global]
>         workgroup = mik
>         netbios name = PDC
>         security = user
>         enable privileges = yes
>         server string = Samba Server %v
>         encrypt passwords = Yes
>         min passwd length = 3
>
>         unix password sync = yes
>         ldap passwd sync = yes
>         passwd program = /usr/sbin/smbldap-passwd -u "%u"
>         passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
>
>         log level = 2
>         syslog = 0
>         log file = /var/log/samba/log.%m
>         max log size = 100000
>         time server = Yes
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         mangling method = hash2
>         Dos charset = 850
>         Unix charset = ISO8859-1
>
>         logon script = logon.bat
>         logon drive = H:
>         logon home
>         logon path
>
>         domain logons = Yes
>         domain master = Yes
>         os level = 65
>         preferred master = Yes
>         wins support = yes
>         passdb backend = ldapsam:ldap://127.0.0.1/
>         ldap admin dn = cn=admin,dc=mik
>         ldap suffix = dc=mik
>         ldap group suffix = ou=Groups
>         ldap user suffix = ou=Users
>         ldap machine suffix = ou=Computers
>         add user script = /usr/sbin/smbldap-useradd -m "%u"
>         delete user script = /usr/sbin/smbldap-userdel "%u"
>         add machine script = /usr/sbin/smbldap-useradd -w "%u"
>         add group script = /usr/sbin/smbldap-groupadd -p "%g"
>         add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>         delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>         set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>
>         # printers configuration
>         #printer admin = @"Print Operators"
>         load printers = Yes
>         create mask = 0640
>         directory mask = 0750
>         #force create mode = 0640
>         #force directory mode = 0750
>         nt acl support = No
>         deadtime = 10
>         guest account = nobody
>         map to guest = Bad User
>         dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>         show add printer wizard = yes
>         ; to maintain capital letters in shortcuts in any of the profile folders:
>         preserve case = yes
>         short preserve case = yes
>         case sensitive = no
>
> [netlogon]
>         path = /pdc/samba/netlogon/
>         browseable = No
>         read only = no
>
> [profiles]
>         path = /pdc/samba/profiles
>         read only = no
>         create mask = 0600
>         directory mask = 0700
>         browseable = No
>         guest ok = Yes
>         profile acls = yes
>         csc policy = disable
>         # next line is a great way to secure the profiles
>         force user = %U
>         # next line allows administrator to access all profiles
>         valid users = %U "Domain Admins"
>
> [public]
>         path = /tmp
>         guest ok = yes
>         browseable = Yes
>         writable = yes
>
> # This is the main slapd configuration file. See slapd.conf(5) for more
> # info on the configuration options.
>
> #######################################################################
> # Global Directives:
>
> # Features to permit
> #allow bind_v2
>
> # Schema and objectClass definitions
> include         /etc/ldap/schema/core.schema
> include         /etc/ldap/schema/cosine.schema
> include         /etc/ldap/schema/nis.schema
> include         /etc/ldap/schema/inetorgperson.schema
> include         /etc/ldap/schema/samba.schema
>
> # Where the pid file is put. The init.d script
> # will not stop the server if you change this.
> pidfile         /var/run/slapd/slapd.pid
>
> # List of arguments that were passed to the server
> argsfile        /var/run/slapd/slapd.args
>
> # Read slapd.conf(5) for possible values
> loglevel        none
>
> # Where the dynamically loaded modules are stored
> modulepath      /usr/lib/ldap
> moduleload      back_bdb
>
> # The maximum number of entries that is returned for a search operation
> sizelimit 500
>
> # The tool-threads parameter sets the actual amount of cpu's that is used
> # for indexing.
> tool-threads 1
>
> #######################################################################
> # Specific Backend Directives for bdb:
> # Backend specific directives apply to this backend until another
> # 'backend' directive occurs
> backend         bdb
> checkpoint 512 30
>
> #######################################################################
> # Specific Backend Directives for 'other':
> # Backend specific directives apply to this backend until another
> # 'backend' directive occurs
> #backend                <other>
>
> #######################################################################
> # Specific Directives for database #1, of type bdb:
> # Database specific directives apply to this database until another
> # 'database' directive occurs
> database        bdb
>
> # The base of your directory in database #1
> suffix          "dc=mik"
>
> # rootdn directive for specifying a superuser on the database. This is needed
> # for syncrepl.
> rootdn          "cn=admin,dc=mik"
> rootpw          {SSHA}wDFytSLjQhvYo1aiIXXRXKYtnwAk6Fkk
>
> # Where the database file are physically stored for database #1
> directory       "/var/lib/ldap"
>
> # For the Debian package we use 2MB as default but be sure to update this
> # value if you have plenty of RAM
> dbconfig set_cachesize 0 2097152 0
>
> # Sven Hartge reported that he had to set this value incredibly high
> # to get slapd running at all. See http://bugs.debian.org/303057
> # for more information.
>
> # Number of objects that can be locked at the same time.
> dbconfig set_lk_max_objects 1500
> # Number of locks (both requested and granted)
> dbconfig set_lk_max_locks 1500
> # Number of lockers
> dbconfig set_lk_max_lockers 1500
>
> # Indexing options for database #1
> index           objectClass eq
> index           cn pres, sub, eq
> index           memberUid eq, subinitial
> index           sambaSID eq
>
> # Save the time that the entry gets modified, for database #1
> lastmod         on
>
> # Where to store the replica logs for database #1
> # replogfile    /var/lib/ldap/replog
>
> # The userPassword by default can be changed
> # by the entry owning it if they are authenticated.
> # Others should not be able to see it, except the
> # admin entry below
> # These access lines apply to database #1 only
> access to attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange
>         by dn="cn=admin,dc=mik" write
>         by anonymous auth
>         by self write
>         by * none
>
> # Ensure read access to the base for things like
> # supportedSASLMechanisms. Without this you may
> # have problems with SASL not knowing what
> # mechanisms are available and the like.
> # Note that this is covered by the 'access to *'
> # ACL below too but if you change that as people
> # are wont to do you'll still need this if you
> # want SASL (and possible other things) to work
> # happily.
> access to dn.base="" by * read
>
> # The admin dn has full write access, everyone else
> # can read everything.
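The fix Michaël found above (adding sambaSamAccount and a sambaSID to the machine account), as an added checker in Python that is not code from the thread or from smbldap-tools: it parses a constructed LDIF of a posixAccount-only computer entry like the one `smbldap-useradd -w "pdc$"` left behind, reports why ldapsam's `get_md4pw` answers "no account in domain", and renders the ldapmodify change set. The domain SID is the one from the smbldap.conf above; the `2*uidNumber + 1000` RID mapping is assumed to be the classic Samba 3 algorithm that smbldap-tools applies by default.

```python
"""Added example: check a Samba 3 machine account in LDAP for the attributes ldapsam needs."""
import re

# Domain SID taken from the thread's smbldap.conf (SID=...)
DOMAIN_SID = "S-1-5-21-2693224835-1467424543-666700523"

# Constructed sample: a posixAccount-only machine entry, the state smbldap-useradd -w left it in.
POSIX_ONLY_LDIF = """\
dn: uid=pdc$,ou=Computers,dc=mik
objectClass: top
objectClass: account
objectClass: posixAccount
cn: pdc$
uid: pdc$
uidNumber: 1000
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
"""


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}, folding continuation lines."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # RFC 2849 continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entry = {}
    for line in logical:
        if not line or line.startswith("#") or line == "-":
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def algorithmic_rid(uid_number):
    """Classic Samba 3 user RID mapping (assumed smbldap-tools default): 2*uid + 1000."""
    return 2 * int(uid_number) + 1000


def check_machine_account(entry, domain_sid):
    """Return (errors, warnings).  Errors are what makes ldapsam answer
    'no account in domain'; warnings cover attributes the join fills in later."""
    errors, warnings = [], []
    uid = entry.get("uid", [""])[0]
    if not uid.endswith("$"):
        errors.append("uid %r does not end with '$'" % uid)
    if "sambaSamAccount" not in entry.get("objectClass", []):
        errors.append("objectClass sambaSamAccount missing")
    sid = entry.get("sambaSID", [""])[0]
    if not sid:
        errors.append("sambaSID missing")
    elif not re.match(r"^%s-\d+$" % re.escape(domain_sid), sid):
        errors.append("sambaSID %s is not in domain %s" % (sid, domain_sid))
    if "W" not in entry.get("sambaAcctFlags", [""])[0]:
        warnings.append("sambaAcctFlags lacks 'W' (workstation trust flag)")
    if not entry.get("sambaNTPassword"):
        warnings.append("sambaNTPassword unset; the join sets it through SAMR")
    return errors, warnings


def repair_entry(entry, domain_sid):
    """Return a copy carrying the attributes the thread had to add by hand."""
    fixed = {k: list(v) for k, v in entry.items()}
    if "sambaSamAccount" not in fixed.setdefault("objectClass", []):
        fixed["objectClass"].append("sambaSamAccount")
    if not fixed.get("sambaSID"):
        rid = algorithmic_rid(fixed["uidNumber"][0])
        fixed["sambaSID"] = ["%s-%d" % (domain_sid, rid)]
    if not fixed.get("sambaAcctFlags"):
        fixed["sambaAcctFlags"] = ["[W          ]"]   # 11-char flag field, W = workstation
    return fixed


def modify_ldif(entry, fixed):
    """Render the ldapmodify(1) change set that turns `entry` into `fixed`."""
    out = ["dn: %s" % entry["dn"][0], "changetype: modify"]
    for attr in ("objectClass", "sambaSID", "sambaAcctFlags"):
        for value in fixed.get(attr, []):
            if value not in entry.get(attr, []):
                out += ["add: %s" % attr, "%s: %s" % (attr, value), "-"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = parse_ldif(POSIX_ONLY_LDIF)
    print("before:", check_machine_account(before, DOMAIN_SID))
    after = repair_entry(before, DOMAIN_SID)
    print("after: ", check_machine_account(after, DOMAIN_SID))
    print(modify_ldif(before, after))
```

Run against the output of `ldapsearch -LLL -b ou=Computers,dc=mik 'uid=pdc$'`, the rendered change set is what would be fed to ldapmodify as the ldap admin dn once reviewed.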