Flatfender
2005-May-05 19:34 UTC
[Samba] Fwd: Follow Up - Problem with groups & joining domain.- LDAP
Follow up to original post.

If I created local groups and users in /etc/passwd & /etc/groups I get farther along.

For instance, if I have a Samba PDC with LDAP basically like I listed in my post. If I browse from a w2k pro box to the samba server without the workstation having joined the domain, I can authenticate to the samba server with a user who is not in /etc/passwd but is in LDAP. So samba is able to do the lookup via ldap.

Now, if I create a posix group in ldap but not in /etc/group, I can not use "net groupmap modify" to modify the ntgroup to unix group mapping. But if I create the group in /etc/groups then the group mapping works. This leads me to believe that the nsswitch/nss_ldap stuff in FreeBSD is either insufficient or not configured. Since there is so little to configure, I tend to lean towards NSSwitch not being fully implemented.

Also, if I try to join the domain from a workstation that has neither a /etc/passwd account nor an ldap account, joining the domain fails, but smbldap-tools creates a workstation account in ldap with posix only attributes and no samba attributes.

If I create the workstation account in /etc/passwd and then join the domain, then I can successfully join the domain, and smbldap tools creates an account in ldap, but this time with only samba attributes and no posix attributes.

I have not tested any other group/user scenarios yet.

---------- Forwarded message ----------
From: Flatfender <flatfender@gmail.com>
Date: Apr 21, 2005 11:04 AM
Subject: Problem with groups & joining domain.- LDAP
To: samba@lists.samba.org

Software list:

FreeBSD 5.3
Samba 3.0.14a
nss_ldap-1.204_5
openldap-client-2.2.19
openldap-server-2.2.23
p5-perl-ldap-0.32.02
pam_ldap-1.7.6
smbldap-tools-0.8.8

samba was configured with the following options.
LDAP, Cups, Winbind, utmp, popt, acl, quotas, msdfs, syslog, without_ADS

I have also tried winbind_nss which I believe is a FreeBSD wrapper around the linux implementation of winbindd, but it yielded the same results.

1. ldapadd & ldapsearch w/tls is working fine.
2. smbldap-tools work. smbldap-populate, smbldap-migrate-unix-accounts/groups work. smbldap-useradd works.
3. smbpasswd -w has been set.

What fails is joining a machine to the domain. I get the domain password is incorrect, the workstation account is created, but with posix attributes only, no samba attributes.

problems with groups
If I add a group to the local /etc/group file, which I don't think I should have to do, but maybe this is a FreeBSD nsswitch bug? Can anyone confirm this?

pw group add domadmins
smbldap-groupadd -a domadmins - adds to ldap fine.
net groupmap modify ntgroup="Domain Admins" unixgroup=domadmins . This fails with this error message: and I get the same error message if the -a is omitted from smbldap-groupadd

passdb/pdb_ldap.c:ldapsam_update_group_mapping_entry(2665)
  ldapsam_update_group_mapping_entry: No group to modify!
Could not update group database

net groupmap list shows all groups that are in LDAP.

What I suspect is that group lookups are failing somehow, but I'm not sure. Also, if I browse through network neighborhood to the samba PDC server, I can authenticate with an ordinary user and get the user's home dir. So Users seem to be working.

Here is my smb.conf, my smbldap.conf and my ldap.conf

serf# testparm -s
Load smb config files from /usr/local/etc/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[Profiles]"
Processing section "[printers]"
Loaded services file OK.
# Global parameters
[global]
	dos charset = 850
	unix charset = ISO8859-1
	workgroup = IMSDOM
	server string = Samba Server [%v]
	map to guest = Bad User
	passdb backend = ldapsam:ldap://serf.ims-tpa.com
	username map = /usr/local/etc/smbusers
	log level = 5
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 50
	time server = Yes
	deadtime = 10
	printcap name = /etc/printcap
	add user script = /usr/local/sbin/smbldap-useradd -m "%u"
	add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
	add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
	delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
	set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
	add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
	logon path =
	logon drive = T:
	logon home = \\%L\home\%u
	domain logons = Yes
	os level = 33
	preferred master = Yes
	domain master = Yes
	dns proxy = No
	wins support = Yes
	ldap admin dn = cn=Manager,dc=ims-tpa,dc=com
	ldap delete dn = Yes
	ldap group suffix = ou=Groups
	ldap machine suffix = ou=Users
	ldap passwd sync = Yes
	ldap suffix = dc=ims-tpa,dc=com
	ldap ssl = start tls
	ldap user suffix = ou=Users
	idmap backend = ldap:ldap://serf.ims-tpa.com
	idmap uid = 1000-20000
	idmap gid = 1000-20000
	winbind separator = ^
	printer admin = "@Print Operators"
	create mask = 0640
	directory mask = 0750
	hosts allow = 192.168.0., 127.
	nt acl support = No
	case sensitive = No
	dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

[homes]
	comment = Home Directories
	read only = No
	browseable = No

[netlogon]
	comment = Network Logon Service
	path = /usr/local/samba/netlogon
	guest ok = Yes
	share modes = No

[Profiles]
	path = /usr/local/samba/profiles
	read only = No
	guest ok = Yes
	browseable = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No

serf# less /usr/local/etc/smbldap-tools/smbldap.conf
# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.17 2005/01/29 15:00:54 jtournier Exp $

# General Configuration
SID="S-1-5-21-1642798596-2503770835-627191294"

##############################################################################
#
# LDAP Configuration
#
##############################################################################
# Ex: slaveLDAP=127.0.0.1
# slaveLDAP="127.0.0.1"
# slavePort="389"

# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
# masterLDAP="127.0.0.1"
masterLDAP="serf.ims-tpa.com"
masterPort="389"
ldapTLS="1"
verify="require"
cafile="/usr/local/certs/cacert.pem"
clientcert=""
clientkey=""

# LDAP Suffix
suffix="dc=ims-tpa,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Users,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="sambaDomainName=IMSDOM,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
userLoginShell="/bin/csh"
userHome="/home/%U"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

defaultMaxPasswordAge="99"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################
userSmbHome=""
userHomeDrive="T:"
userScript=""
# mailDomain="ims-tpa.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="1"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

serf# less /etc/ldap.conf
# @(#)$Id: ldap.conf,v 1.34 2004/09/16 23:32:02 lukeh Exp $
host serf.ims-tpa.com

# The distinguished name of the search base.
base dc=ims-tpa,dc=com

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
# uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

loglevel 256
logfile /var/log/ldap.log

# The LDAP version to use (defaults to 3
# if supported by client library)
# ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com

# The credentials to bind with.
# Optional: default is no credential.
# bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
# rootbinddn cn=Manager,dc=ims-tpa,dc=com

# The port.
# Optional: default is 389.
port 389

# The search scope.
scope sub
#scope one
#scope base

# Search timelimit
# timelimit 30

# Bind/connect timelimit
# bind_timelimit 30

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
# bind_policy hard

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
# idle_timelimit 3600

# Filter to AND with uid=%s
# pam_filter objectclass=account

# The user ID attribute (defaults to uid)
# pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
# pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
# pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# If you are using XAD, you can set pam_password
# to racf, ad, or exop. Make sure that you have
# SSL enabled.

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
# nss_base_passwd ou=People,dc=ims-tpa,dc=com?one
# nss_base_shadow ou=People,dc=ims-tpa,dc=com?one
# nss_base_group ou=Group,dc=ims-tpa,dc=com?one
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
nss_base_passwd ou=Users,dc=ims-tpa,dc=com?sub
nss_base_passwd dc=ims-tpa,dc=com?sub
# nss_base_shadow dc=ims-tpa,dc=com?sub
nss_base_group ou=Groups,dc=ims-tpa,dc=com?sub

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
# ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
tls_checkpeer no
TLS_REQCERT allow

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
# tls_cacertfile /etc/ssl/ca.cert
# tls_cacertdir /etc/ssl/certs
# tls_cacertdir /usr/local/certs/demoCA
# tls_cacertfile /usr/local/certs/servercert.pem
# tls_cacertfile /usr/local/certs/cacert.pem
tls_cacert /usr/local/certs/cacert.pem

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
tls_ciphers HIGH:MEDIUM:SSLv2

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
Tony Earnshaw
2005-May-05 21:06 UTC
[Samba] Fwd: Follow Up - Problem with groups & joining domain.- LDAP
Thu, 05.05.2005 at 21.34, Flatfender wrote:

> If I created local groups and users in /etc/passwd &
> /etc/groups I get farther along.
>
> For instance, if I have a Samba PDC with LDAP basically like I listed
> in my post. If I browse from a w2k pro box to the samba server
> without the workstation having joined the domain, I can authenticate
> to the samba server with a user who is not in /etc/passwd but is in
> LDAP. So samba is able to do the lookup via ldap.
>
> Now, if I create a posix group in ldap but not in /etc/group, I can
> not use "net groupmap modify" to modify the ntgroup to unix group
> mapping. But if I create the group in /etc/groups then the group
> mapping works. This leads me to believe either that the
> nsswitch/nss_ldap stuff in FreeBSD is either insufficient or not
> configured. Since there is so little to configure, I tend to lean
> towards NSSwitch not being fully implemented.

FWIW (and it's probably not going to help you) I read your post and tried 'net groupmap modify' on my RHAS3/OpenLDAP 2.2.24 test rig. All my Samba 3.0.14a stuff is in LDAP.

'net groupmap modify ntgroup="Domain Admins" unixgroup=katter' (i.e. "cats", it was domadm) and it *added* a new NT groupmapping for Domain Admins beside the old groupmapping and changed the "katter" group RID from 3009 to 512 as well as changing displayName from "Domain Katter" to "Domain Admins". Then I wanted to change it back again from the command line, but no no. It couldn't find "Domain Admins" in the database, it said. Thank God I use GQ to manage LDAP, so I could see what was going on. Changing the RID and displayName in GQ got it back to the original state.

> Also If I try to join the domain with from a workstation that neither
> has a /etc/passwd account or an ldap account then, joining the domain
> fails, but smbldap-tools creates a workstation account in ldap with
> posix only attributes and no samba attributes.
>
> If I create the workstation account in /etc/passwd and then join the
> domain, then I can successfully join the domain, and smbldap tools
> creates an account in ldap, but this time with only samba attributes
> and no posix attributes.

I don't use those scripts. I use LDAP for far too many other things besides Samba and my DIT is completely different from what Idealx would like for me. If you use the Idealx adduser script to make a posixAccount entry, try smbpasswd or pdbedit after that to make the sambaSamAccount modifications. The only trouble is, that you can't make LDAP records on the fly, that way. Actually, the Samba tools are brilliant and *they* can cope with my non-Idealx DIT more than well enough. I use smbpasswd on my rigs, called out of shell scripts, for adding users and machines.

What you describe /would/ point to the nss libraries on your FreeBSD rig. Maybe others with the same OS could comment, and someone like Padl's Luke Howard on the Padl nssldap@padl.com mailing list would surely know, since it's mainly he who writes the nss_ldap software.

> I have not tested any other group/user scenarios yet.

Well I have. I have Samba 3.0.11 with LDAP (RHAS3 again) on a zero-maintenance production rig running at a reasonably large high school site in Amsterdam. It's taken over from an NT4 PDC that continually clapped out.

--Tonni

--
Nothing sucksseeds like a pigeon without a beak ...

mail: tonye@billy.demon.nl
http://www.billy.demon.nl

They'll love us, won't they? They feed us, don't they? ...
Flatfender
2005-May-19 13:23 UTC
[Samba] Re: Solved: Follow Up - Problem with groups & joining domain.- LDAP
Just a note for the archives. My Freebsd nsswitch problems were being caused by a mis-configured nss_ldap.conf file. Everything indeed seems to be working properly now in Freebsd.

On 5/5/05, Flatfender <flatfender@gmail.com> wrote:
> Follow up to original post.
>
> If I created local groups and users in /etc/passwd &
> /etc/groups I get farther along.
>
> For instance, if I have a Samba PDC with LDAP basically like I listed
> in my post. If I browse from a w2k pro box to the samba server
> without the workstation having joined the domain, I can authenticate
> to the samba server with a user who is not in /etc/passwd but is in
> LDAP. So samba is able to do the lookup via ldap.
>
> Now, if I create a posix group in ldap but not in /etc/group, I can
> not use "net groupmap modify" to modify the ntgroup to unix group
> mapping. But if I create the group in /etc/groups then the group
> mapping works. This leads me to believe either that the
> nsswitch/nss_ldap stuff in FreeBSD is either insufficient or not
> configured. Since there is so little to configure, I tend to lean
> towards NSSwitch not being fully implemented.
>
> Also If I try to join the domain with from a workstation that neither
> has a /etc/passwd account or an ldap account then, joining the domain
> fails, but smbldap-tools creates a workstation account in ldap with
> posix only attributes and no samba attributes.
>
> If I create the workstation account in /etc/passwd and then join the
> domain, then I can successfully join the domain, and smbldap tools
> creates an account in ldap, but this time with only samba attributes
> and no posix attributes.
>
> I have not tested any other group/user scenarios yet.
> ---------- Forwarded message ----------
> From: Flatfender <flatfender@gmail.com>
> Date: Apr 21, 2005 11:04 AM
> Subject: Problem with groups & joining domain.- LDAP
> To: samba@lists.samba.org
>
>
> Software list:
>
> FreeBSD 5.3
> Samba 3.0.14a
> nss_ldap-1.204_5
> openldap-client-2.2.19
> openldap-server-2.2.23
> p5-perl-ldap-0.32.02
> pam_ldap-1.7.6
> smbldap-tools-0.8.8
>
> samba was configured with the following options. LDAP, Cups, Winbind,
> utmp, popt, acl, quotas, msdfs, syslog, without_ADS
>
> I have also tried winbind_nss which I believe is a FreeBSD wrapper
> around the linux implementation of winbindd, but it yielded the same
> results.
>
> 1. ldapadd & ldapsearch w/tls is working fine.
> 2. smbldap-tools work. smbldap-populate,
> smbldap-migrate-unix-accounts/groups work. smbldap-useradd works.
> 3. smbpasswd -w has been set.
>
> What fails is joining a machine to the domain. I get the domain
> password is incorrect, the workstation account is created, but with
> posix attributes only, no samba attributes.
>
> problems with groups
> If I add a group to the local /etc/group file, which I don't think
> should have to do, but maybe this is a FreeBSD nsswitch bug? Can
> anyone confirm this?
>
> pw group add domadmins
> smbldap-groupadd -a domadmins - adds to ldap fine.
> net groupmap modify ntgroup="Domain Admins" unixgroup=domadmins . This
> fails with this error message: and I get the same error message if
> the -a omitted from smbldap-groupadd
>
> passdb/pdb_ldap.c:ldapsam_update_group_mapping_entry(2665)
> ldapsam_update_group_mapping_entry: No group to modify!
> Could not update group database
>
> net groupmap list shows all groups that are in LDAP.
>
> What I suspect is that group lookups are failing somehow, but I'm not
> sure. Also If I browse through network neighborhood to the samba PDC
> server, I can authenticate with an ordinary user and get the users
> home dir. So Users seem to be working.

snipped.
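The thread closes with a mis-configured nss_ldap.conf as the cause, and the original post shows the file side by side with the smb.conf suffixes it must agree with. The check below is an added example (not code from the thread, Samba or nss_ldap) that lints such an ldap.conf against the smb.conf ldap suffixes: it flags nss_base_* keys given more than once, a container Samba writes to that no nss_base_* search covers, and an unverified TLS peer. The sample inputs are constructed from the post; the fallback to `base` when no nss_base_* key is set, and "which duplicate wins" being version dependent, are stated as assumptions rather than checked against a specific nss_ldap release.

```python
# Added example (not from the thread): cross-check an nss_ldap ldap.conf against the
# Samba ldapsam suffixes it must agree with. Sample inputs are constructed from the post.
LDAP_CONF = """\
host serf.ims-tpa.com
base dc=ims-tpa,dc=com
nss_base_passwd ou=Users,dc=ims-tpa,dc=com?sub
nss_base_passwd dc=ims-tpa,dc=com?sub
# nss_base_shadow dc=ims-tpa,dc=com?sub
nss_base_group ou=Groups,dc=ims-tpa,dc=com?sub
ssl start_tls
tls_checkpeer no
tls_ciphers HIGH:MEDIUM:SSLv2
"""

SMB_CONF = {  # the [global] ldap settings from the post's testparm output
    "ldap suffix": "dc=ims-tpa,dc=com",
    "ldap user suffix": "ou=Users",
    "ldap group suffix": "ou=Groups",
    "ldap machine suffix": "ou=Users",
}

def parse_ldap_conf(text):
    """Return {key: [values]}, keeping duplicates; keys lower-cased, comments skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def searches(spec, container):
    """True if an nss_base_* spec 'base?scope?filter' finds entries directly under container."""
    base, _, rest = spec.partition("?")
    scope = (rest.partition("?")[0] or "sub").lower()   # nss_ldap's default scope
    base, container = base.lower(), container.lower()
    if scope == "sub":
        return container == base or container.endswith("," + base)
    return scope == "one" and container == base

def lint(ldap_conf_text, smb):
    """Return a list of findings; an empty list means the file passed every check."""
    conf = parse_ldap_conf(ldap_conf_text)
    findings = []
    for key, values in conf.items():
        if key.startswith("nss_base_") and len(values) > 1:
            findings.append(f"{key} set {len(values)} times; which one wins depends on the nss_ldap version, keep one")
    # Samba creates users/machines and groups under these suffixes; NSS must search exactly those containers.
    suffix = smb["ldap suffix"]
    wanted = {
        "nss_base_passwd": {smb["ldap user suffix"] + "," + suffix, smb["ldap machine suffix"] + "," + suffix},
        "nss_base_group": {smb["ldap group suffix"] + "," + suffix},
    }
    for key, containers in wanted.items():
        specs = conf.get(key) or conf.get("base", [])   # assumption: no nss_base_* means nss_ldap uses 'base'
        for container in sorted(containers):
            if not any(searches(s, container) for s in specs):
                findings.append(f"{key} never searches {container}, where Samba creates entries")
    if conf.get("ssl", [""])[0] in ("start_tls", "on") and conf.get("tls_checkpeer", ["no"])[0].lower() != "yes":
        findings.append("tls_checkpeer is not yes: the directory's certificate is never verified, so the uid/gid data NSS trusts is unauthenticated")
    if "sslv2" in conf.get("tls_ciphers", [""])[0].lower():
        findings.append("tls_ciphers admits SSLv2")
    return findings
```

Run `lint(LDAP_CONF, SMB_CONF)` to list the findings for the pasted configuration; an empty list means the two files agree and the TLS settings verify the peer.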