Greetings... I'm struggling trying to set up a samba 3.0.23c PDC with ldap backend. The server is Fedora 5, OpenLdap version 2.3.19-4. I've got it so smbd and nmbd start properly and I can use a windows box and see the domain using srvmgr.exe and usrmgr.exe. I'm then able to sign on from a windows XP computer with the command

    net use \\pdcserver\ipc$ /user:root rootpassword

Some things that aren't working right... please excuse the long post but I thought I'd try to include some relevant files before being asked, to save some trouble.

1) some of the groups defined in ldap do not show up in usrmgr.exe. net groupmap list produces

    Domain Admins (S-1-5-21-2256156769-696857544-2990674152-512) -> Domain Admins
    Domain Users (S-1-5-21-2256156769-696857544-2990674152-513) -> Domain Users
    Domain Guests (S-1-5-21-2256156769-696857544-2990674152-514) -> Domain Guests
    Domain Computers (S-1-5-21-2256156769-696857544-2990674152-515) -> Domain Computers
    Administrators (S-1-5-32-544) -> Administrators
    Account Operators (S-1-5-32-548) -> Account Operators
    Print Operators (S-1-5-32-550) -> Print Operators
    Backup Operators (S-1-5-32-551) -> Backup Operators
    Replicators (S-1-5-32-552) -> Replicators

but usrmgr.exe omits Administrators and all the other ones listed above after it. The ldap log file logs this (among other things) when refreshing usrmgr.exe:

    Oct 24 14:30:59 pdcserver slapd[18335]: <= bdb_substring_candidates: (sambaSID) index_param failed (18)

2) when viewing the domain in srvmgr.exe I see the PDC when I list all computers in the domain (although it's currently the only computer, just as I would expect) and the type column is filled in with "Windows NT Primary" just as I expect. When I enable the setting called "Show Domain Members Only" the list is empty. When I do this the ldap logfile logs this...
    Oct 24 14:15:04 pdcserver slapd[18335]: conn=48 op=62 SRCH base="ou=Group,dc=som,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(|(displayName=servers)(cn=servers)))"

I have no servers entries under the Group section in my ldap tree, so how does that get put in there?

I'd prefer not to use ldap for anything other than samba related users. Linux users should not by default get access. I'm hoping this means I don't have to mess with Pam, is that correct?

Here's the config files...

# my /etc/ldap.conf file
    host pdcserver.meds.cwru.edu
    base dc=som,dc=com
    binddn cn=Manager,dc=som,dc=com
    bindpw <password removed>
    rootbinddn cn=Manager,dc=som,dc=com
    bind_timelimit 30
    idle_timelimit 3600
    pam_password exop
    nss_base_passwd ou=People,dc=som,dc=com?one
    nss_base_shadow ou=People,dc=som,dc=com?one
    nss_base_group ou=Group,dc=som,dc=com?one
    nss_initgroups_ignoreusers root,ldap
    ssl off
    tls_cacertfile /etc/pki/tls/certs/hypothalamus.cer
====
# my nsswitch.conf file
    passwd: files ldap
    shadow: files ldap
    group: files ldap
    hosts: files dns wins
    networks: files dns
    bootparams: files
    ethers: files
    netmasks: files
    networks: files
    protocols: files
    rpc: files
    services: files
    netgroup: files
    publickey: files
    automount: files
    aliases: files
======
# my smb.conf file
    [global]
    client ntlmv2 auth = yes
    client lanman auth = no
    ntlm auth = no
    lanman auth = no
    workgroup = SOMtest
    netbios name = pdcserver
    passdb backend = ldapsam:ldap://pdcserver.meds.cwru.edu
    domain master = Yes
    domain logons = Yes
    logon path = ""
    lm announce = No
    wins server = 129.22.4.10 129.22.4.11
    wins support = no
    name resolve order = wins host
    add user script = /usr/sbin/smbldap-useradd -m '%u'
    add group script = /usr/sbin/smbldap-groupadd '%g'
    add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
    add machine script = /usr/sbin/smbldap-useradd -w '%u'
    ldap admin dn = cn=Manager,dc=som,dc=com
    ldap suffix = dc=som,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Group
    ldap machine suffix = ou=People
    log level = 3
    load printers = no
    idmap backend = ldap:ldap://pdcserver.meds.cwru.edu
    username map = /etc/samba/smbusers

    [netlogon]
    comment = netlogon share
    path = /home/netlogon
    read only = yes
===
# my slapd.conf file
    loglevel 256
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/nis.schema
    include /etc/openldap/schema/samba.schema
    pidfile /var/run/openldap/slapd.pid
    argsfile /var/run/openldap/slapd.args
    TLSCACertificateFile /etc/pki/tls/certs/hypothalamus.cer
    TLSCertificateFile /etc/pki/tls/certs/brain-new.cer
    TLSCertificateKeyFile /etc/pki/tls/private/privkey.pem
    TLSCRLCheck none
    database bdb
    suffix "dc=som,dc=com"
    rootdn "cn=Manager,dc=som,dc=com"
    rootpw <password removed>
    checkpoint 1024 5
    directory /var/lib/ldap
    index objectClass eq
    index cn pres,sub,eq
    index sn pres,sub,eq
    index uid pres,sub,eq
    index displayName pres,sub,eq
    index uidNumber eq
    index gidNumber eq
    index memberUid eq
    index sambaSID eq
    index sambaSIDList eq
    index sambaPrimaryGroupSID eq
    index sambaDomainName eq
    index sambaGroupType eq
    index default sub
====
# my /etc/samba/smbusers file
    root = administrator admin
    nobody = guest pcguest smbguest
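Added example, not from either post: a small POSIX shell check that cross-references the "index_param failed (18)" lines slapd logged (the one quoted above, when a substring filter hit sambaSID) against the index lines of the posted slapd.conf, and reports attributes searched by substring that carry no sub index. Both the config fragment and the log lines are constructed samples built from the text of the post; slapd logs that message when a substring filter cannot be served by an index, and then falls back to scanning rather than refusing the search.

```shell
#!/bin/sh
# Added example (not from the thread): report attributes that substring
# searches hit although slapd.conf indexes them without "sub".

# Constructed sample: the relevant index lines posted in slapd.conf.
SLAPD_CONF_SAMPLE='index objectClass eq
index cn pres,sub,eq
index displayName pres,sub,eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index default sub'

# Constructed sample log: the posted line plus two more of the same shape.
SLAPD_LOG_SAMPLE='Oct 24 14:30:59 pdcserver slapd[18335]: <= bdb_substring_candidates: (sambaSID) index_param failed (18)
Oct 24 14:31:02 pdcserver slapd[18335]: conn=49 op=3 SRCH base="ou=Group,dc=som,dc=com" scope=2 filter="(objectClass=sambaGroupMapping)"
Oct 24 14:31:05 pdcserver slapd[18335]: <= bdb_substring_candidates: (sambaSID) index_param failed (18)'

# Print each attribute named in an index_param failure, once.
failed_substring_attrs() {   # $1 = log text
    printf '%s\n' "$1" |
        sed -n 's/.*bdb_substring_candidates: (\([^)]*\)) index_param failed.*/\1/p' |
        sort -u
}

# Print the index types configured for one attribute (empty if no line).
index_types_for() {          # $1 = slapd.conf text, $2 = attribute
    printf '%s\n' "$1" | awk -v a="$2" '$1 == "index" && $2 == a { print $3; exit }'
}

# One line per attribute that substring searches hit but that has no sub index.
report_missing_sub() {       # $1 = slapd.conf text, $2 = log text
    failed_substring_attrs "$2" | while read -r attr; do
        types=$(index_types_for "$1" "$attr")
        case ",$types," in
            *,sub,*) ;;      # substring index present, nothing to report
            *) printf '%s: configured "%s", substring filter needs sub\n' \
                   "$attr" "${types:-<no index>}" ;;
        esac
    done
}

report_missing_sub "$SLAPD_CONF_SAMPLE" "$SLAPD_LOG_SAMPLE"
```

Run it against a real log with `report_missing_sub "$(cat /etc/openldap/slapd.conf)" "$(grep index_param /var/log/messages)"` or whatever file slapd's loglevel 256 output lands in on the box.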
Hi Bob

I have the exact same error with users and groups created using smbldap-useradd/groupadd etc. I can only see the same group as you from windows. When using an LDAP browser, all users and groups are shown. If I use the windows to Unix mapping tool, net rpc ......., then I can see the group from the Windows user manager (see chapter 13 in the official samba guide - samba howto collection).

Please notify me if you get a solution to this problem.

Venlig hilsen/Best regards
Silas Wind
---------------------------------------
Clipper Group A/S
Harbour House
Sundkrogsgade 21
DK-2100 Copenhagen
---------------------------------------------
Main : +45 4911 8090
Cell : +45 3038 5090
Fax : +45 4911 8001
www.clipper-group.com
IM Jabber id: swi@clipper-it.com
---------------------------------------------
Project Lead (ITA)

Bob Hetzel <beh@case.edu>
Sent by: samba-bounces+swi=clipper-group.com@lists.samba.org
To: samba@lists.samba.org
Subject: [Samba] samba pdc with ldap backend setup problems
24-10-2006 21:47