Data Control Systems Inc. - Mike Elkevizth
2004-Jan-09 23:22 UTC
[Samba] smbldap-tools problem with Samba 3.0.1/LDAP 2.1.22/Fedora Core 1
I'm trying to setup a samba PDC/BDC with disconnected auth. and am stuck at
step one because I can't get smbldap-tools to work right. First when I do a
smbldap-useradd.pl -a test, it works fine. ldapsearch shows the entry
properly. Then I try smbldap-usershow.pl or smbldap-userdel.pl or any other
one for that matter and they all fail with a "user test does not
exist"!
Also if I do a smbldap-useradd.pl -w ... for a workstation add it adds the
workstation to the directory, but doesn't add any samba entries
(SambaSamAccount, etc.). Please someone help, I've been working on this for
quite a while and really need to get it working soon.
Thanks,
Mike
PS tried smbldap-useradd -a -w ... also and it did not work either which
really should never need to be anyhow as the only reason to add a
workstation account with smbldap would be for samba anyhow.
SMB.CONF File
[global]
# Basic settings
workgroup = dcs
netbios name = Dcs004
server string = Rittman Server
security = user
# Network settings
time server = yes
wins support = yes
name resolve order = wins lmhosts bcast
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
hosts allow = 127.0.0.1 192.168.5.0/255.255.255.192
192.168.5.128/255.255.255.192 192.168.5.192/255.255.255.192
# Domain control options
os level = 99
local master = yes
preferred master = yes
domain master = yes
domain logons = yes
logon script = %U.bat
logon path = \\%L\profile\
# Password change and create options for domain control
unix password sync = yes
ldap passwd sync = yes
passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
encrypt passwords = yes
passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
;add machine script = /usr/share/samba/scripts/smbldap-useradd.pl -w -d
/dev/null -g machines -c 'Machine Account' -s /bin/false %u
;add user script = /usr/share/samba/scripts/smbldap-useradd.pl '%u'
;delete user script = /usr/share/samba/scripts/smbldap-userdel.pl '%u'
;add user to group script = /usr/share/samba/scripts/smbldap-groupmod.pl -m
'%u' '%g'
;delete user from group script /usr/share/samba/scripts/smbldap-groupmod.pl -x
'%u' '%g'
;set primary group script = /usr/share/samba/scripts/smbldap-usermod.pl -g
'%g' '%u'
;add group script = /usr/share/samba/scripts/smbldap-groupadd.pl '%g'
&&
/usr/share/samba/scripts/smbldap-groupshow.pl %g|awk '/^gidNumber:/ {print
$2}'
;delete group script = /usr/share/samba/scripts/smbldap-userdel.pl '%g'
# LDAP settings
passdb backend = ldapsam
ldap ssl = no
ldap admin dn = cn=sambauser,dc=dcs
ldap suffix = dc=dcs
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=IDMap
# Log settings
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
....Shares
SLAPD.CONF File
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24
23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Define global ACLs to disable default read access.
include /etc/openldap/slapd.access.conf
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd.pid
#argsfile //var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing
permissions on
# slapd.pem so that the ldap user or group can read it.
#TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
#TLSCertificateFile /usr/share/ssl/certs/slapd.pem
#TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
TLSCACertificateFile /usr/share/ssl/certs/cacert.pem
TLSCertificateFile /usr/share/ssl/certs/slapdcrt.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapdkey.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy is:
# Allow read by all
#
# rootdn can always write!
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database ldbm
suffix "dc=dcs"
rootdn "cn=root,dc=dcs"
rootpw {MD5}42yH/6KRY4GNICdbwU1OTg=
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 tls=yes
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
Jérôme Tournier
2004-Jan-11 16:25 UTC
[Samba] smbldap-tools problem with Samba 3.0.1/LDAP 2.1.22/Fedora Core 1
Le Fri, Jan 09, 2004 at 06:21:48PM -0500, Data Control Systems Inc. - Mike Elkevizth a ecrit:> I'm trying to setup a samba PDC/BDC with disconnected auth. and am stuck at > step one because I can't get smbldap-tools to work right. First when I do a > smbldap-useradd.pl -a test, it works fine. ldapsearch shows the entry > properly. Then I try smbldap-usershow.pl or smbldap-userdel.pl or any other > one for that matter and they all fail with a "user test does not exist"! > Also if I do a smbldap-useradd.pl -w ... for a workstation add it adds the > workstation to the directory, but doesn't add any samba entries > (SambaSamAccount, etc.). Please someone help, I've been working on this for > quite a while and really need to get it working soon.The -w option of smbldap-useradd.pl add a workstation account. But the sambaSAMAccount is added by samba when joining the domain. If you can't show a user you just added, i suppose you did not configured nss_ldap. Use the authconfig utility for that. -- J?r?me