Data Control Systems Inc. - Mike Elkevizth
2004-Jan-09 23:22 UTC
[Samba] smbldap-tools problem with Samba 3.0.1/LDAP 2.1.22/Fedora Core 1
I'm trying to set up a Samba PDC/BDC with disconnected auth. and am stuck at step one because I can't get smbldap-tools to work right. First, when I do a smbldap-useradd.pl -a test, it works fine; ldapsearch shows the entry properly. Then I try smbldap-usershow.pl or smbldap-userdel.pl, or any other one for that matter, and they all fail with a "user test does not exist"! Also, if I do a smbldap-useradd.pl -w ... for a workstation add, it adds the workstation to the directory but doesn't add any Samba entries (SambaSamAccount, etc.). Please, someone help; I've been working on this for quite a while and really need to get it working soon.

Thanks,
Mike

PS: I tried smbldap-useradd -a -w ... also and it did not work either, which really should never be needed anyhow, as the only reason to add a workstation account with smbldap would be for Samba anyhow.

SMB.CONF File

[global]
# Basic settings
workgroup = dcs
netbios name = Dcs004
server string = Rittman Server
security = user

# Network settings
time server = yes
wins support = yes
name resolve order = wins lmhosts bcast
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
hosts allow = 127.0.0.1 192.168.5.0/255.255.255.192 192.168.5.128/255.255.255.192 192.168.5.192/255.255.255.192

# Domain control options
os level = 99
local master = yes
preferred master = yes
domain master = yes
domain logons = yes
logon script = %U.bat
logon path = \\%L\profile\

# Password change and create options for domain control
unix password sync = yes
ldap passwd sync = yes
passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
encrypt passwords = yes
passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
;add machine script = /usr/share/samba/scripts/smbldap-useradd.pl -w -d /dev/null -g machines -c 'Machine Account' -s /bin/false %u
;add user script = /usr/share/samba/scripts/smbldap-useradd.pl '%u'
;delete user script = /usr/share/samba/scripts/smbldap-userdel.pl '%u'
;add user to group script = /usr/share/samba/scripts/smbldap-groupmod.pl -m '%u' '%g'
;delete user from group script = /usr/share/samba/scripts/smbldap-groupmod.pl -x '%u' '%g'
;set primary group script = /usr/share/samba/scripts/smbldap-usermod.pl -g '%g' '%u'
;add group script = /usr/share/samba/scripts/smbldap-groupadd.pl '%g' && /usr/share/samba/scripts/smbldap-groupshow.pl %g|awk '/^gidNumber:/ {print $2}'
;delete group script = /usr/share/samba/scripts/smbldap-userdel.pl '%g'

# LDAP settings
passdb backend = ldapsam
ldap ssl = no
ldap admin dn = cn=sambauser,dc=dcs
ldap suffix = dc=dcs
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=IDMap

# Log settings
log level = 3
log file = /var/log/samba/log.%m
max log size = 50

....Shares

SLAPD.CONF File

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Define global ACLs to disable default read access.
include /etc/openldap/slapd.access.conf

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd.pid
#argsfile //var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
#TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
#TLSCertificateFile /usr/share/ssl/certs/slapd.pem
#TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
TLSCACertificateFile /usr/share/ssl/certs/cacert.pem
TLSCertificateFile /usr/share/ssl/certs/slapdcrt.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapdkey.pem

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy is:
# Allow read by all
#
# rootdn can always write!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database ldbm
suffix "dc=dcs"
rootdn "cn=root,dc=dcs"
rootpw {MD5}42yH/6KRY4GNICdbwU1OTg=
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 tls=yes
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
Jérôme Tournier
2004-Jan-11 16:25 UTC
[Samba] smbldap-tools problem with Samba 3.0.1/LDAP 2.1.22/Fedora Core 1
On Fri, Jan 09, 2004 at 06:21:48PM -0500, Data Control Systems Inc. - Mike Elkevizth wrote:
> I'm trying to setup a samba PDC/BDC with disconnected auth. and am stuck at
> step one because I can't get smbldap-tools to work right. First when I do a
> smbldap-useradd.pl -a test, it works fine. ldapsearch shows the entry
> properly. Then I try smbldap-usershow.pl or smbldap-userdel.pl or any other
> one for that matter and they all fail with a "user test does not exist"!
> Also if I do a smbldap-useradd.pl -w ... for a workstation add it adds the
> workstation to the directory, but doesn't add any samba entries
> (SambaSamAccount, etc.). Please someone help, I've been working on this for
> quite a while and really need to get it working soon.

The -w option of smbldap-useradd.pl adds a workstation account, but the sambaSAMAccount is added by Samba when the machine joins the domain.

If you can't show a user you just added, I suppose you did not configure nss_ldap. Use the authconfig utility for that.

--
Jérôme
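A small check script, added here as an example and not part of the thread or of smbldap-tools, that turns the diagnosis above into something you can run on the PDC: it reports whether nsswitch.conf routes the passwd, group and shadow databases through the ldap source, and whether the account is actually visible through the system resolver (getent), which is the path the smbldap scripts take when they look a user up by name. An entry that ldapsearch returns but getent does not is exactly the nss_ldap gap the reply points at. The default path /etc/nsswitch.conf and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread: diagnose "user X does not exist"
# from smbldap-usershow.pl / smbldap-userdel.pl right after a successful
# smbldap-useradd.pl. The scripts resolve accounts through NSS, so the
# LDAP entry must be reachable via nss_ldap, not only via ldapsearch.
# Assumed: nsswitch.conf lives at /etc/nsswitch.conf unless given as $2.

# nss_uses_ldap <nsswitch.conf> <database>
# Returns 0 if the database line (e.g. "passwd: files ldap") lists the
# "ldap" source, 1 otherwise. Commented-out lines do not count.
nss_uses_ldap() {
    awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# nss_missing_ldap <nsswitch.conf>
# Prints, one per line, each of passwd/group/shadow that has no ldap
# source. Returns 0 when all three consult ldap, 1 otherwise.
nss_missing_ldap() {
    missing=0
    for db in passwd group shadow; do
        if ! nss_uses_ldap "$1" "$db"; then
            echo "$db"
            missing=1
        fi
    done
    return $missing
}

# account_resolvable <username>
# Returns 0 if the system resolver (NSS) can see the account at all.
account_resolvable() {
    getent passwd "$1" >/dev/null 2>&1
}

# diagnose_user <username> [nsswitch.conf]
# Prints a verdict and, when the user is invisible to NSS, the databases
# in nsswitch.conf that still need "ldap" added to them.
diagnose_user() {
    user=$1
    nss=${2:-/etc/nsswitch.conf}
    if account_resolvable "$user"; then
        echo "$user: resolvable through NSS; smbldap-usershow.pl should find it"
        return 0
    fi
    echo "$user: NOT resolvable through NSS (this is what makes the smbldap scripts say it does not exist)"
    echo "databases in $nss without an ldap source:"
    nss_missing_ldap "$nss" | sed 's/^/  /'
    echo "fix: add ldap to those lines (authconfig does this on Fedora), then re-run getent passwd $user"
    return 1
}

# Run directly as: sh nss_check.sh test [/etc/nsswitch.conf]
if [ $# -gt 0 ]; then
    diagnose_user "$@"
fi
```

Run it with the user that smbldap-useradd.pl just created. If getent cannot see the user even though all three databases list ldap, the remaining suspects are the nss_ldap client configuration (host and base DN in /etc/ldap.conf) and the directory ACLs in slapd.access.conf, since nss_ldap normally reads the entry anonymously or with a low-privilege bind rather than as the Samba admin DN.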