Hi,

I'm trying to use our LDAP server as backend for Samba (PDC). I used smbldap-tools to transfer Samba users to our LDAP server. Now I have ou=computers, ou=idmap, ou=smb-usr and ou=groups.

I added the following to my smb.conf:

ldap passwd sync = yes
passdb backend = ldapsam:ldap://localhost
ldap suffix = dc=workgroup,dc=local
ldap admin dn = cn=admin,dc=workgroup,dc=local
ldap machine suffix = ou=computers
ldap user suffix = ou=smb-usr
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap ssl = no
# Scripts for Samba to use if it creates users, groups, etc.
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
# Script that Samba uses when a PC joins the domain ..
# (when changing 'Computer Properties' on the PC)
add machine script = /usr/sbin/smbldap-useradd -w '%u'

But I'm still not able to log in.

I saw that there are users and computers all in ou=groups (cn=pc1$) and also in ou=computers (uid=pc1$). Is this correct?

Unfortunately I'm no Samba expert, nor an LDAP one :)

Thanks for helping.

Cheers

Juergen
On 03.02.2011 20:26, J. Echter wrote:
> Hi,
>
> I'm trying to use our LDAP server as backend for Samba (PDC).
>
> I used smbldap-tools to transfer Samba users to our LDAP server.
>
> Now I have ou=computers, ou=idmap, ou=smb-usr and ou=groups.
>
> I added the following to my smb.conf
>
> ldap passwd sync = yes
> passdb backend = ldapsam:ldap://localhost
> ldap suffix = dc=workgroup,dc=local
> ldap admin dn = cn=admin,dc=workgroup,dc=local
> ldap machine suffix = ou=computers
> ldap user suffix = ou=smb-usr
> ldap group suffix = ou=groups
> ldap idmap suffix = ou=idmap
> ldap ssl = no
> # Scripts for Samba to use if it creates users, groups, etc.
> add user script = /usr/sbin/smbldap-useradd -m '%u'
> delete user script = /usr/sbin/smbldap-userdel %u
> add group script = /usr/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> # Script that Samba uses when a PC joins the domain ..
> # (when changing 'Computer Properties' on the PC)
> add machine script = /usr/sbin/smbldap-useradd -w '%u'
>
> But I'm still not able to log in.
>
> I saw that there are users and computers all in ou=groups (cn=pc1$) and
> also in ou=computers (uid=pc1$). Is this correct?
>
> Unfortunately I'm no Samba expert, nor an LDAP one :)
>
> Thanks for helping.
>
> Cheers
>
> Juergen

Sorry, forgot to add some essential stuff.

Samba: Version 2:3.4.7~dfsg-1ubuntu3.3 on Ubuntu 10.04 LTS x64

Thanks. :)
On 03.02.2011 22:12, Gaiseric Vandal wrote:
> On 02/03/2011 02:56 PM, J. Echter wrote:
>> On 03.02.2011 20:43, Gaiseric Vandal wrote:
>>
>>> Does "pdbedit -Lv" show the users, groups and machines?
>>>
>> Hi,
>>
>> No, it doesn't.
>>
>> User Search failed!
>>
>> Cheers.
>>
> I don't use the ldap tools scripts, so my environment may not match
> yours exactly. You may also want to read through the scripts to see
> if they create users, computers and groups where you think they will.
> I don't know if the scripts check the smb.conf file - I suspect not.
>
> Sounds like your scripts are putting objects in one location, but
> Samba expects them in another.
>
> I have my users and machines under the same suffix. You can have an
> ou below that suffix which would also get searched by Samba. I have
> this since my LDAP backend also includes the "unix" account info;
> otherwise Samba couldn't find the unix uid for my machine accounts.
>
> You may want to use a GUI LDAP editor (e.g. Apache Directory Studio)
> to get the entries into the correct location. Not sure if you can
> move them directly BUT you can export LDAP entries (or entire OUs) to
> a text file, delete the entries from LDAP, edit the entries in the
> text file, and then reimport.
>

Yes, I also wondered if the accounts are in the right position. I use phpLDAPadmin and could easily move entries, but I wasn't sure if this is the right way to go...
I just recently got mine set up after a lot of help from this list (and a great deal of pain and persistence). I also got a lot of insightful guidance from this doc: http://wiki.amahi.org/index.php/LDAP

hth,
- Joe

If you type "Google" into Google, you can break the Internet. -- Jen Barber

--Forwarded Message Attachment--
From: jac at cec.uchile.cl
To: samba at lists.samba.org
Date: Fri, 4 Feb 2011 12:40:29 -0300
Subject: Re: [Samba] Adding LDAP Backend to Samba

On Thu, 03 Feb 2011 20:16:00 -0300, J. Echter wrote:
> User SID: S-1-5-21-3842863818-2180709222-141296495-1001
> Primary Group SID: S-1-5-21-3842863818-2180709222-141296495-513

Another thing to check:

User SID: S-1-5-21-3842863818-2180709222-141296495-1001 -> the command 'net getlocalsid' must respond with S-1-5-21-3842863818-2180709222-141296495 (if not, run 'net setlocalsid S-1-5-21-3842863818-2180709222-141296495').

And in your LDAP server you must have an entry like this: sambaDomainName with sambaSID=S-1-5-21-3842863818-2180709222-141296495

AND: I had problems with users who do not have the attribute sambaPwdLastSet. So now all my users have sambaPwdLastSet = 1

Good Luck
-- Jorge C.
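The checks Gaiseric and Jorge describe above (objects under the suffixes smb.conf names, a sambaDomainName entry whose sambaSID equals the 'net getlocalsid' output, every account's SID inside that domain, and sambaPwdLastSet present) can be run mechanically over an LDIF export of the directory. This is an added example, not code from the thread or from Samba; the LDIF it inspects is constructed to reproduce the misplaced pc1$ machine account, and the domain SID and suffixes are the ones quoted in the thread.

```python
# Values stated in the thread: domain SID from 'net getlocalsid', suffixes from smb.conf
LOCAL_SID = "S-1-5-21-3842863818-2180709222-141296495"
SUFFIX, USER_SUFFIX, MACHINE_SUFFIX = "dc=workgroup,dc=local", "ou=smb-usr", "ou=computers"
# Constructed LDIF export (assumption, not the poster's directory): one correct user and a
# machine account that landed in ou=groups and lacks sambaPwdLastSet; -1003 is made up
SAMPLE_LDIF = """\
dn: sambaDomainName=WORKGROUP,dc=workgroup,dc=local
objectClass: sambaDomain
sambaSID: S-1-5-21-3842863818-2180709222-141296495

dn: uid=juergen,ou=smb-usr,dc=workgroup,dc=local
objectClass: sambaSamAccount
uid: juergen
sambaSID: S-1-5-21-3842863818-2180709222-141296495-1001
sambaPwdLastSet: 1

dn: uid=pc1$,ou=groups,dc=workgroup,dc=local
objectClass: sambaSamAccount
uid: pc1$
sambaSID: S-1-5-21-3842863818-2180709222-141296495-1003
"""

def parse_ldif(text):
    """Split a plain LDIF dump (no base64 values, no line folding) into {attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry.setdefault(key.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_ldapsam(entries, local_sid=LOCAL_SID):
    """Return human-readable findings; an empty list means the export is consistent."""
    findings = []
    domains = [e for e in entries if "sambaDomain" in e.get("objectClass", [])]
    if not any(local_sid in d.get("sambaSID", []) for d in domains):
        findings.append(f"no sambaDomainName entry carries sambaSID={local_sid}")
    for e in entries:
        if "sambaSamAccount" not in e.get("objectClass", []):
            continue  # groups, OUs and the domain entry are not accounts
        dn, uid, sid = e["dn"][0], e.get("uid", ["?"])[0], e.get("sambaSID", [""])[0]
        if not sid.startswith(local_sid + "-"):
            findings.append(f"{uid}: sambaSID {sid} is not in domain {local_sid}")
        if "sambaPwdLastSet" not in e:
            findings.append(f"{uid}: missing sambaPwdLastSet")
        # machine accounts (uid ending in $) belong under the machine suffix, users under the user suffix
        expected = f"{MACHINE_SUFFIX if uid.endswith('$') else USER_SUFFIX},{SUFFIX}"
        if not dn.lower().endswith(expected.lower()):
            findings.append(f"{uid}: dn {dn} is outside {expected}, where smb.conf points Samba")
    return findings

for finding in check_ldapsam(parse_ldif(SAMPLE_LDIF)):
    print(finding)
```

On a real server, feed it the output of an ldapsearch over the ldap suffix and pass the value printed by 'net getlocalsid' as local_sid.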