Mohammad Reza
2004-Jul-22 09:18 UTC
[idx-smbldap-tools ] RE: [Samba] Samba+LDAP - so close yet so far :) ...STILL NOTSOLVED
Partially Solved: http://lists.samba.org/archive/samba/2004-May/085233.html thanks om Wisnu... Is there anyone succes with place Users and Computers in different ou's ? regards reza -----Original Message----- From: Mohammad Reza Sent: Thu 7/22/2004 1:56 PM To: Craig White; idx-smbldap-tools@lists.IDEALX.org; samba@lists.samba.org Cc: Subject: [idx-smbldap-tools ] RE: [Samba] Samba+LDAP - so close yet so far :) ...STILL NOTSOLVED> Dear lists... > > But this still un-solved the real problem to join w2k to samba3-ldap . > I'm here with the same situation. > I even switch my distro to SuSe with same result, still cant join domain. > Please give us hint how to solve or debug this problem. > ----you will need to work through the examples in the Samba How-to http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/ I haven't a clue where you are at or what your problem is Craig My Problem is, i cant join my w2k machine to Samba-Ldap Server. Error from w2k machine is "Logon Failure bad user name and password" when try join with Administrator account and right passwor My Linux is Fedora Core 2 with samba-3.0.3-5, openldap-2.1.29-1 and smbldap-tools-0.8.5-1 My configuration are: #####smb.conf########### # Global parameters [global] workgroup = MRAGROUP netbios name = PDC-SMB3 interfaces = 172.16.0.237 username map = /etc/samba/smbusers #admin users= @"Domain Admins" server string = Samba Server %v security = user encrypt passwords = Yes min passwd length = 3 obey pam restrictions = No #unix password sync = Yes #passwd program = /usr/local/sbin/smbldap-passwd -u %u #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n" ldap passwd sync = Yes log level = 5 syslog = 0 log file = /var/log/samba/log.%m max log size = 100000 time server = Yes socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 mangling method = hash2 Dos charset = 850 Unix charset = ISO8859-1 logon script = logon.bat logon drive = H: logon home logon path domain logons = Yes os level = 65 preferred master = Yes domain master = Yes wins support = Yes passdb backend = ldapsam:ldap://127.0.0.1/ # passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com" # ldap filter = (&(objectclass=sambaSamAccount)(uid=%u)) #ldap admin dn = cn=samba,ou=Users,dc=idealx,dc=org ldap admin dn = cn=Manager,dc=mragroup,dc=net ldap suffix = dc=mragroup,dc=net ldap group suffix = ou=Groups ldap user suffix = ou=Users ldap machine suffix = ou=Computers ldap idmap suffix = ou=Users #ldap ssl = start tls add user script = /usr/local/sbin/smbldap-useradd -m "%u" ldap delete dn = Yes #delete user script = /usr/local/sbin/smbldap-userdel "%u" add machine script = /usr/local/sbin/smbldap-useradd -w "%u" add group script = /usr/local/sbin/smbldap-groupadd -p "%g" #delete group script = /usr/local/sbin/smbldap-groupdel "%g" add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g" delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g" set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u" # printers configuration printer admin = @"Print Operators" load printers = Yes create mask = 0640 directory mask = 0750 nt acl support = No printing = cups printcap name = cups deadtime = 10 guest account = nobody map to guest = Bad User dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd show add printer wizard = yes ; to maintain capital letters in shortcuts in any of the profile folders: preserve case = yes short preserve case = yes case sensitive = no [homes] comment = repertoire de %U, %u read only = No create mask = 0644 directory mask = 0775 browseable = No [netlogon] path = /home/netlogon/ browseable = No read only = yes [profiles] path = /home/profiles read only = no create mask = 0600 directory mask = 0700 browseable = No guest ok = Yes profile acls = yes csc policy = disable # next line is a great way to secure the profiles force user = %U # next line allows administrator to access all profiles valid users = %U @"Domain Admins" [printers] comment = Network Printers printer admin = @"Print Operators" guest ok = yes printable = yes path = /home/spool/ browseable = No read only = Yes printable = Yes print command = /usr/bin/lpr -P%p -r %s lpq command = /usr/bin/lpq -P%p lprm command = /usr/bin/lprm -P%p %j [print$] path = /home/printers guest ok = No browseable = Yes read only = Yes valid users = @"Print Operators" write list = @"Print Operators" create mask = 0664 directory mask = 0775 [public] comment = Repertoire public path = /home/public browseable = Yes guest ok = Yes read only = No directory mask = 0775 create mask = 0664 ######openldap/slapd.conf############# include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba.schema database ldbm directory /var/lib/ldap suffix "dc=mragroup,dc=net" rootdn "cn=Manager,dc=mragroup,dc=net" rootpw xxxxxx index objectClass,uidNumber,gidNumber eq index cn,sn,uid,displayName pres,sub,eq index memberUid,mail,givenname eq,subinitial index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq access to attrs=userPassword,sambaLMPassword,sambaNTPassword by self write by anonymous auth by * none access to * by * read ########openldap/ldap.conf####### HOST 127.0.0.1 BASE dc=mragroup,dc=net ########/etc/openldap.conf####### host 127.0.0.1 base dc=mragroup,dc=net rootbinddn cn=nssldap,ou=DSA,dc=mragroup,dc=net nss_base_passwd dc=mragroup,dc=net?sub nss_base_shadow dc=mragroup,dc=net?sub nss_base_group ou=Groups,dc=mragroup,dc=net?one ssl no pam_password md5 #######/etc/nsswitch.conf######### passwd: files ldap shadow: files ldap group: files ldap Creating Users,Computers and Groups with smbldap-tools work fine. #/usr/local/sbin/smbldap-usershow administrator dn: uid=Administrator,ou=Users,dc=mragroup,dc=net cn: Administrator sn: Administrator objectClass: inetOrgPerson,sambaSAMAccount,posixAccount,shadowAccount gidNumber: 512 uid: Administrator uidNumber: 0 homeDirectory: /home/Administrator sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 sambaHomePath: \\PDC-SMB3\home\Administrator sambaHomeDrive: H: sambaProfilePath: \\PDC-SMB3\home\profiles\Administrator\ sambaPrimaryGroupSID: S-1-5-21-987332969-2931392798-896433562-512 sambaSID: S-1-5-21-987332969-2931392798-896433562-2996 loginShell: /bin/false gecos: Netbios Domain Administrator sambaLMPassword: BBBDA461DC390736B8FCC6137C839435 sambaAcctFlags: [U] sambaNTPassword: 8116801F88AC668563729B0D847B4AC4 sambaPwdLastSet: 1090472263 sambaPwdMustChange: 1094360263 userPassword: {SSHA}mNLj7lACG35dV1T5cDK7fBgjzN4y5C6H #getent passwd | grep Administrator Administrator:x:0:512:Netbios Domain Administrator:/home/Administrator:/bin/false #pdbedit -Lv test --snip-- Unix username: test NT username: test Account Flags: [U ] User SID: S-1-5-21-987332969-2931392798-896433562-3000 Primary Group SID: S-1-5-21-987332969-2931392798-896433562-513 Full Name: System User Home Directory: \\PDC-SMB3\home\test HomeDir Drive: H: Logon Script: logon.bat Profile Path: \\PDC-SMB3\home\profiles\test Domain: MRAGROUP Account desc: System User Workstations: Munged dial: Logon time: 0 Logoff time: Sat, 14 Dec 1901 03:45:51 GMT Kickoff time: Sat, 14 Dec 1901 03:45:51 GMT Password last set: Thu, 22 Jul 2004 11:58:12 GMT Password can change: 0 Password must change: Sun, 05 Sep 2004 11:58:12 GMT Last bad password : 0 Bad password count : 0 Yes, the guide said (http://idealx.org) i must place Users, and Computers in different ou's and i notice that some people place in same ou's ,since bug in samba. But even i place in same ou's, still cant join domain, with same error Is there something i missed ? please help me regards reza
Andre Helberg
2004-Jul-22 12:25 UTC
[Samba] Samba+LDAP - so close yet so far:) ...STILL NOTSOLVED
Hi, ldap admin dn = cn=root,dc=juwimm,dc=local ldap suffix = ou=juwidc01,dc=juwimm,dc=local ldap user suffix = ou=users ldap group suffix = ou=groups ldap machine suffix = ou=machines Works well with samba 3.0.2a on a suse 9.0 machine> Is there anyone succes with place Users and Computers in > different ou's ? > > regards > reza