When I run net add groupmap rid=512 ntgroup="Domain Admins" UNIXgroup="ntadmins" I get this error:

adding entry for group Domain Admins failed!

The error isn't very specific and the log doesn't show any error. I look in the log (log level -1 in slapd.conf) and I can tell it is able to search. I can post the syslog if you need it. I think there is an error in my smb.conf. Here is the global configuration:

[global]
workgroup = WORKGROUP
netbios name = backup
#username map = /etc/samba/smbusers
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/useradd -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupadd %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines %u
preferred master = yes
domain master = yes
local master = yes
security = users
domain logons = yes
os level = 35
logon path = \\%L\profiles\%u
logon drive = H:
logon home = \\%L\%u\winprofile
logon script = /etc/samba/logon/scripts
#idmap backend = ldapsam:ldap://localhost
ldap suffix = dc=sovereign
ldap admin dn = "cn=Manager,ou=People,dc=sovereign"
ldap ssl = no
passdb backend = ldapsam:ldap://localhost
ldap delete dn = no
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
winbind separator = +
winbind enum users = yes
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
idmap uid = 10000-20000
idmap gid = 10000-20000

Here is the ldap-init.ldif:

# Samba openldap configuration file
# -------------------------------------------
# Organization for Samba Base
dn: dc=sovereign
objectclass: dcObject
objectclass: organization
dc: sovereign
o: sovereign network test
description: ldap configuration

# Organizational Role for Directory Management
dn: cn=Manager,dc=sovereign
objectclass: organizationalRole
cn: Manager
description: Manager

# Setting up container for users
dn: ou=People,dc=sovereign
objectclass: top
objectclass: organizationalUnit
ou: People

# Setting up admin handle for people
dn: cn=admin,ou=People,dc=sovereign
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: *********************************

# Setting up container for groups
dn: ou=Groups,dc=sovereign
objectclass: top
objectclass: organizationalUnit
ou: Groups

# Setting up admin for Groups ou
dn: cn=admin,ou=Groups,dc=sovereign
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: *********************************

# Setting up container for computers
dn: ou=Computers,dc=sovereign
objectclass: top
objectclass: organizationalUnit
ou: Computers

# Setting up admin handle for Computers OU
dn: cn=admin,ou=Computers,dc=sovereign
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: ***********************************

# Setting up container for idmap
dn: ou=Idmap,dc=sovereign
objectclass: top
objectclass: organizationalUnit
ou: Idmap

# Setting up admin for Groups ou
dn: cn=admin,ou=Idmap,dc=sovereign
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: **********************************

Gentoo box running kernel 2.6.7

I am able to add users and machine accounts. If I use tdbsam net groupmap works.

Matt Hoyt
Craig White
2004-Jul-31 06:24 UTC
[Samba] Openldap samba 3.0.5 net group add does not work
On Fri, 2004-07-30 at 23:06, Matt Hoyt wrote:
> When I run net add groupmap rid=512 ntgroup="Domain Admins"
> UNIXgroup="ntadmins" I get this error:
> adding entry for group Domain Admins failed!
>
> The error isn't very specific and the log doesn't show any error. I look in
> the log (log level -1 in slapd.conf) and I can tell it is able to search. I
> can post the syslog if you need it. I think there is an error in my
> smb.conf. Here is the global configuration
----
From the ldif that you included, you didn't actually have any groups. Why not try net groupmap list to see what shows up...probably no groups.

You probably want to revisit the Samba 3 How-to and get a basic smbldap_populate thing going for groups.

Craig
Paul Gienger
2004-Jul-31 06:24 UTC
[Samba] Openldap samba 3.0.5 net group add does not work
I'm going to make an assumption here that you aren't using any Active Directory...

Changes below (after corresponding lines):

> [global]
> workgroup = WORKGROUP
> netbios name = backup
> #username map = /etc/samba/smbusers

> add user script = /usr/sbin/useradd -m %u
> delete user script = /usr/sbin/useradd -r %u
> add group script = /usr/sbin/groupadd %g
> delete group script = /usr/sbin/groupadd %g
> add user to group script = /usr/sbin/usermod -G %g %u
> add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g
> machines %u

Add quotes around your % arguments here. Even though you quote them on the command line that doesn't mean they get to the scripts that way.

> preferred master = yes
> domain master = yes
> local master = yes
> security = users
> domain logons = yes
> os level = 35
> logon path = \\%L\profiles\%u
> logon drive = H:
> logon home = \\%L\%u\winprofile
> logon script = /etc/samba/logon/scripts

Unrelated to your issue, but you need to specify an absolute script here, it appears you're just pointing to a directory. Either point to a global script (logon.bat) or maybe a user/group script (%u.bat). This path will also be relative to your netlogon share.

> #idmap backend = ldapsam:ldap://localhost

Good to comment this out, but remove it and any idmap related entries.

> ldap suffix = dc=sovereign
> ldap admin dn = "cn=Manager,ou=People,dc=sovereign"
> ldap ssl = no
> passdb backend = ldapsam:ldap://localhost
> ldap delete dn = no
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
> ldap machine suffix = ou=Computers

Depending on your nss configuration, change this to ou=People. Search the archives for an explanation, you can search for me if you wish, I've responded more times than I wish to remember.

> ldap idmap suffix = ou=Idmap
> winbind separator = +
> winbind enum users = yes

These 3 should go bye bye, as well as any other winbind related entries, at least for your PDC.

> template homedir = /home/winnt/%D/%U
> template shell = /bin/bash
> idmap uid = 10000-20000
> idmap gid = 10000-20000

delete 2x.

>
> Here is the ldap-init.ldif
> # Samba openldap configuration file
> # -------------------------------------------
> # Organization for Samba Base
> dn: dc=sovereign
> objectclass: dcObject
> objectclass: organization
> dc: sovereign
> o: sovereign network test
> description: ldap configuration
>
> # Organizational Role for Directory Management
> dn: cn=Manager,dc=sovereign
> objectclass: organizationalRole
> cn: Manager
> description: Manager
>
> # Setting up container for users
> dn: ou=People,dc=sovereign
> objectclass: top
> objectclass: organizationalUnit
> ou: People
>
> # Setting up admin handle for people
> dn: cn=admin,ou=People,dc=sovereign
> cn: admin
> objectclass: top
> objectclass: organizationalRole
> objectclass: simpleSecurityObject
> userPassword: *********************************
>
> # Setting up container for groups
> dn: ou=Groups,dc=sovereign
> objectclass: top
> objectclass: organizationalUnit
> ou: Groups
>
> # Setting up admin for Groups ou
> dn: cn=admin,ou=Groups,dc=sovereign
> cn: admin
> objectclass: top
> objectclass: organizationalRole
> objectclass: simpleSecurityObject
> userPassword: *********************************
>
> # Setting up container for computers
> dn: ou=Computers,dc=sovereign
> objectclass: top
> objectclass: organizationalUnit
> ou: Computers
>
> # Setting up admin handle for Computers OU
> dn: cn=admin,ou=Computers,dc=sovereign
> cn: admin
> objectclass: top
> objectclass: organizationalRole
> objectclass: simpleSecurityObject
> userPassword: ***********************************
>
> # Setting up container for idmap
> dn: ou=Idmap,dc=sovereign
> objectclass: top
> objectclass: organizationalUnit
> ou: Idmap
>
> # Setting up admin for Groups ou
> dn: cn=admin,ou=Idmap,dc=sovereign
> cn: admin
> objectclass: top
> objectclass: organizationalRole
> objectclass: simpleSecurityObject
> userPassword: **********************************
>
> Gentoo box running kernel 2.6.7
>
> I am able to add users and machine accounts. If I use tdbsam net
> groupmap works.

Curious how you have your nss configured, or if logging on actually works if you haven't toyed with it. Although chances are that if you are running gentoo you toyed with EVERYTHING.

-- 
Paul Gienger                 Office: 701-281-1884
Applied Engineering Inc.     Information Systems Consultant
Fax: 701-281-1322
URL: www.ae-solutions.com    mailto: pgienger@ae-solutions.com
It still doesn't work. Do I need to download padl.com tools for transferring /etc/passwd and /etc/group to openldap? Here is my nsswitch.conf file and the last few lines for syslog showing openldap calls.

/etc/nsswitch.conf:

# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $
passwd: files winbind
shadow: files
group: files winbind
# passwd: db files nis
# shadow: db files nis
# group: db files nis
hosts: files dns
networks: files wins
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files

syslog:

Jul 31 12:21:39 backup slapd[13506]: conn=525 op=37 SRCH attr=sambaSID uidNumber gidNumber objectClass
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=37 SEARCH RESULT tag=101 err=0 nentries=0 text
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=38 SRCH base="ou=Groups,dc=sovereign" scope=2 filter="(&(objectClass=sambaGroupMapping)(gidNumber=441))"
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=38 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=38 SEARCH RESULT tag=101 err=0 nentries=0 text
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=39 SRCH base="ou=Groups,dc=sovereign" scope=2 filter="(&(|(objectClass=posixGroup)(objectClass=sambaIdmapEntry))(gidNumber=441))"
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=39 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=39 SEARCH RESULT tag=101 err=0 nentries=0 text
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=40 SRCH base="ou=People,dc=sovereign" scope=2 filter="(&(objectClass=sambaIdmapEntry)(gidNumber=441))"
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=40 SRCH attr=sambaSID uidNumber gidNumber objectClass
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=40 SEARCH RESULT tag=101 err=0 nentries=0 text
Jul 31 12:21:39 backup slapd[13483]: conn=525 fd=24 closed

Matt Hoyt
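As an added example (not from the thread or from Samba), the script below pairs the slapd SRCH and SEARCH RESULT lines by conn/op and lists the lookups that succeeded (err=0) but matched nothing. Run over an abridged, constructed copy of the lines Matt posted, it shows that op=39 searched ou=Groups for a posixGroup with gidNumber=441 and found no entry, which is the entry a ldapsam group mapping needs to attach to; the group only exists in /etc/group via nss.

```python
import re

# Constructed sample: abridged copy of the slapd lines posted above
# (one SRCH/SEARCH RESULT pair per op; the attr lines are omitted).
SLAPD_LOG = """\
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=38 SRCH base="ou=Groups,dc=sovereign" scope=2 filter="(&(objectClass=sambaGroupMapping)(gidNumber=441))"
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=38 SEARCH RESULT tag=101 err=0 nentries=0 text
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=39 SRCH base="ou=Groups,dc=sovereign" scope=2 filter="(&(|(objectClass=posixGroup)(objectClass=sambaIdmapEntry))(gidNumber=441))"
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=39 SEARCH RESULT tag=101 err=0 nentries=0 text
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=40 SRCH base="ou=People,dc=sovereign" scope=2 filter="(&(objectClass=sambaIdmapEntry)(gidNumber=441))"
Jul 31 12:21:39 backup slapd[13506]: conn=525 op=40 SEARCH RESULT tag=101 err=0 nentries=0 text
"""

# slapd "stats" log format: a SRCH line with base/filter, later a SEARCH RESULT
# line with err/nentries; conn and op numbers tie the two together.
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=101 err=(\d+) nentries=(\d+)')

def empty_searches(log_text):
    """Return the searches that completed without error but matched no entry,
    in log order, each as {"base", "filter", "err", "nentries"}."""
    searches = {}
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, flt = m.groups()
            searches[(conn, op)] = {"base": base, "filter": flt}
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, n = m.groups()
            s = searches.get((conn, op))
            if s is not None:  # ignore results whose SRCH line we never saw
                s["err"], s["nentries"] = int(err), int(n)
    return [s for s in searches.values()
            if s.get("err") == 0 and s.get("nentries") == 0]

def missing_posix_groups(log_text):
    """gidNumbers that Samba looked up as a posixGroup and did not find:
    the group resolves through nss (files) but has no LDAP entry."""
    gids = set()
    for s in empty_searches(log_text):
        if "objectClass=posixGroup" in s["filter"]:
            m = re.search(r"gidNumber=(\d+)", s["filter"])
            if m:
                gids.add(int(m.group(1)))
    return sorted(gids)

if __name__ == "__main__":
    for s in empty_searches(SLAPD_LOG):
        print(f'no entries: base={s["base"]} filter={s["filter"]}')
    print("posixGroup gids missing from LDAP:", missing_posix_groups(SLAPD_LOG))
```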