Hey, I am totally confused/lost/confused getting this config working.
I am trying to get samba to authenticate against LDAP. After reading a
bunch of docs I generated the config at the end.
When I run testparm against it I get:
Load smb config files from /etc/samba/smb.conf
Unknown parameter encountered: "ldap server"
Ignoring unknown parameter "ldap server"
and then the rest of my config file INCLUDING
passdb backend = ldapsam:ldaps://accounts.iwu.edu
I would suspect that LDAP support is not compiled in for this binary,
except then testparm should complain a bit more about all my LDAP
config settings, not just the ldap server setting. Furthermore, I am
using Fedora's rpm, and I think that they would either offer an LDAP
enabled rpm or enable it themselves - I cannot locate an rpm that states
that it is LDAP enabled, so my guess is the former.
I am using Samba version 3.0.9-1.fc3 for Fedora Core 3.
Here is my config file.
your thoughts?
--------
[global]
server string = %h (Samba %v)
log file = /var/log/samba/log.%m
log level = 5
max log size = 100
dns proxy = No
socket options = IPTOS_LOWDELAY TCP_NODELAY
security = user
obey pam restrictions = Yes
encrypt passwords = Yes
default = homes
load printers = No
show add printer wizard = No
max disk size = 300
invalid users = root @wheel @root
wide links = No
hide unreadable = Yes
hide special files = Yes
veto files = /,/proc,/dev,/sys,/etc,/boot,/lib,/home
dont descend = /,/proc,/dev,/sys,/etc,/boot,/lib,/home
ldap server = accounts.iwu.edu
ldap admin dn = "cn=foo,ou=bar,dc=iwu,dc=edu"
ldap suffix = dc=iwu,dc=edu
ldap ssl = start tls
ldap delete dn = No
ldap filter = (&(uid=%u)(objectclass=sambaSamAccunt))
idmap backend = ldap:ldap://accounts.iwu.edu
ldap user suffix = ou=foo
ldap group suffix = ou=bar
passdb backend = ldapsam:ldaps://accounts.iwu.edu
ldap passwd sync = Yes
[homes]
comment = %S's Home Directory
valid users = %S
browseable = no
read only = no
----------------------
>When I run testparm against it I get:
>Load smb config files from /etc/samba/smb.conf
>Unknown parameter encountered: "ldap server"
>Ignoring unknown parameter "ldap server"
> and then the rest of my config file INCLUDING
>passdb backend = ldapsam:ldaps://accounts.iwu.edu
>
>
Where exactly did you read that you needed an ldap server = directive?
Make sure that your docs aren't for an old version of samba. I never used
ldap with 2.2, but there may have been an option like that there. You can
always use SWAT, naturally it will only give you directives that are valid
for this version, of course the syntax is up to you, but there's help for
that.

The proper syntax for 3.0.x should be something like this for a non-SSL
server:
passdb backend = ldapsam:ldap://your.servers.fqdn

To find out what your server was compiled with, use the following command:
smbd -b
grep for LDAP in that and you will get a good idea of what came in it.
Fedora packages are LDAP ready by default.

--
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.
Systems Architect                Fax: 701-281-1322
URL: www.ae-solutions.com        mailto: pgienger@ae-solutions.com

Mathias.Wohlfarth@mw-eb.de
2004-Dec-03 22:05 UTC
Re: [Samba] ldap configuration oddity
1. try without ssl (tls)
2. the ldap structure must match the structure defined in smb.conf
I loaded the following ldif file into the ldap server (ldapadd) to build
the structure:
---------------------
dn: o=smb,dc=wohlfarth,dc=home
objectClass: organization
o: smb
dn: ou=groups,o=smb,dc=wohlfarth,dc=home
objectClass: organizationalUnit
ou: groups
dn: ou=users,o=smb,dc=wohlfarth,dc=home
objectClass: organizationalUnit
ou: users
dn: ou=machines,o=smb,dc=wohlfarth,dc=home
objectClass: organizationalUnit
ou: machines
dn: ou=idmaps,o=smb,dc=wohlfarth,dc=home
objectClass: organizationalUnit
ou: idmaps
-------------------------
The corresponding smb.conf definitions are:
-------------------------
ldap suffix = o=smb,dc=wohlfarth,dc=com
ldap group suffix = ou=groups
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap idmap suffix = ou=idmaps
--------------------------
3. You can use smbpasswd -a -D 256 <user> to add a user. samba must not be
up and the debugging information is a good help.
4. I am using phpldapadmin (from sourceforge.net) to look into ldap - good
tool!
hope you get a step further
regards Mathias
Mathias Wohlfarth EDV-Beratung
Thomas-Mann-Str.1
53111 Bonn
Tel. 0172 / 53 45 591
01801 / 777 555 33 01
Fax 0228 / 9469181
Email mathias.wohlfarth@mw-eb.de
"Patrick W. Riehecky" <prieheck@iwu.edu>
Sent by: samba-bounces+mathias.wohlfarth=mw-eb.de@lists.samba.org
03.12.2004 18:14
To: samba@lists.samba.org
Cc:
Subject: [Samba] ldap configuration oddity
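
Point 2 of the reply above, written as a check (an added example, not part of the original messages): it composes each `ldap ... suffix` with `ldap suffix` the way Samba does, partial suffix prepended to the base, and looks for the resulting DN among the LDIF's dn: lines. The inputs are the two blocks as posted in that reply; the function names are this example's own. As posted, the LDIF is rooted at dc=wohlfarth,dc=home and the smb.conf fragment at dc=wohlfarth,dc=com, so the check reports every container.

```python
import re
# Inputs copied from the reply above: the LDIF's dn: lines and the smb.conf fragment.
LDIF = """\
dn: o=smb,dc=wohlfarth,dc=home
dn: ou=groups,o=smb,dc=wohlfarth,dc=home
dn: ou=users,o=smb,dc=wohlfarth,dc=home
dn: ou=machines,o=smb,dc=wohlfarth,dc=home
dn: ou=idmaps,o=smb,dc=wohlfarth,dc=home
"""
SMB_CONF = """\
ldap suffix = o=smb,dc=wohlfarth,dc=com
ldap group suffix = ou=groups
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap idmap suffix = ou=idmaps
"""

def norm_dn(dn):
    """Lower-case a DN and drop whitespace around ',' and '=' for comparison."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip().lower())

def ldif_dns(ldif_text):
    """Return the normalized DNs declared by plain 'dn:' lines (no folding, no base64)."""
    return {norm_dn(line[3:]) for line in ldif_text.splitlines() if line.lower().startswith("dn:")}

def smb_params(conf_text):
    """Parse 'name = value' lines into a dict keyed by lower-cased name."""
    params = {}
    for line in conf_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith(("#", ";", "[")):
            params[" ".join(name.lower().split())] = value.strip().strip('"')
    return params

def missing_containers(conf_text, ldif_text):
    """Return {parameter: full DN} for each suffix whose container is absent from the LDIF."""
    params, present = smb_params(conf_text), ldif_dns(ldif_text)
    base, missing = params.get("ldap suffix", ""), {}
    for name, value in params.items():
        if re.fullmatch(r"ldap (\w+ )?suffix", name):
            # Partial suffixes are prepended to 'ldap suffix'; the base stands alone.
            full = base if name == "ldap suffix" else f"{value},{base}"
            if norm_dn(full) not in present:
                missing[name] = full
    return missing

if __name__ == "__main__":
    for name, dn in missing_containers(SMB_CONF, LDIF).items():
        print(f"{name}: LDIF has no entry {dn}")
```

With `ldap suffix` set to the same base DN as the LDIF, `missing_containers` returns an empty dict.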