Hi all! I've a running Samba PDC (LDAP backend) with windows clients. All the users are in the LDAP, including the 'guest' user. All except the 'root' user which is a regular user. Then change in the smb.conf ldapsam:trusted = yes ldapsam:editposix = yes and noticed some speed-up when listing groups, look file ownerships, and so on. But I can't add machines to the domain: neither with the 'root' user, neither some users with privileges to join computers. If I comment the ldapsam:trusted/editposix everything is fine and machines get added to teh domain. ?Why? All the users are in the LDAP so ldapsam:trusted should work :-? This is the smb.conf [global] ### Identificaci?n de la m?quina workgroup = ELPABI netbios name = kasparov server string = PDC - Kasparov wins support = yes dns proxy = no #dns proxy = yes name resolve order = wins hosts lmhosts bcast time server = yes ### PDC del dominio ELPABI domain master = yes domain logons = yes preferred master = yes local master = yes os level = 100 # Log. Un log diferente por cada m?quina que conecta log file = /var/log/samba/log.%m log level = 0 max log size = 10000 syslog = 0 panic action = /usr/share/samba/panic-action %d utmp = yes # Verificaci?n de usuarios y seguridad # Seguridad security = user encrypt passwords = true template shell = /bin/false enable privileges = yes obey pam restrictions = yes pam password change = no # Usuario invitado guest account = Invitado #guest account = nobody map to guest = Never # Equivalencia entre usuarios Windows y Linux username map = /etc/samba/smbusers # S?lo permitimos acceso a miembros de nuestra LAN y la VPN hosts deny = all hosts allow = 192.168.1.0/24 127.0.0.1/24 # Dos interfaces de entrada: eth0 y tun0 (VPN) interfaces = kasparov/24 bind interfaces only = yes # Ajustes recomendados en # http://us4.samba.org/samba/docs/man/Samba-Guide/secure.html#promisnet socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536 IPTOS_LOWDELAY #socket address = kasparov.elpagestion.com smb ports = 139 keep alive = 60 ### Configuraci?n para que Samba use LDAP ldap passwd sync = yes ldap delete dn = yes ldap suffix = dc=ELPA,dc=BI ldap admin dn = cn=samba,ou=DSA,dc=ELPA,dc=BI ldap user suffix = ou=Users ldap group suffix = ou=Groups ldap machine suffix = ou=Computers ldap idmap suffix = ou=Idmap ldap ssl = start_tls passdb backend = ldapsam:ldap://kasparov.elpabi/ idmap backend = ldap:ldap://kasparov.elpabi/ #ldapsam:trusted = yes #ldapsam:editposix = yes ### Ajustes para winbindd idmap uid = 10000-20000 idmap gid = 10000-20000 ### Gesti?n de usuarios # A?adir/eliminar usuarios, m?quinas grupos add user script = /usr/sbin/smbldap-useradd -m -a "%u" delete user script = /usr/sbin/smbldap-userdel "%u" add group script = /usr/sbin/smbldap-groupadd -p "%g" delete group script = /usr/sbin/smbldap-groupdel "%g" add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g" set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u" add machine script = /usr/sbin/smbldap-useradd -w "%u" ### Login en la red # Evitamos los perfiles de usuario m?viles de NT/XP logon path logon drive logon home logon script = LOGON.BAT ### Sistema de archivos # Internacionalizaci?n - p?ginas de c?digos dos charset = CP850 unix charset = ISO8859-15 preserve case = yes short preserve case = yes case sensitive = no # Permisos por defecto en las carpetas create mask = 0640 directory mask = 0750 # Emulaci?n de permisos NTFS nt acl support = yes map acl inherit = yes dos filemode = yes # Bloqueo de archivos strict locking = yes oplocks = yes # Si un cliente abre un archivo y escribe en ?l autom?ticamente pasa a # estado RO a no ser que hagamos un level2 oplocks = no level2 oplocks = no # Estos archivos no hay que intentar bloquearlos (lock) veto oplock files = /*.doc/*.xls/*.mdb/*.pst/ hide dot files = yes #hide unreadable = yes veto files = /*.eml/*.nws/*.{*}/ dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd [netlogon] comment = Servicio de Logon en la red path = /home/samba/netlogon/ browseable = no read only = yes [ ... some shares ... ] Thanks -- Asier.
hi, unfortunately no answer to your question but where did you find this parameter and what does it do> ldapsam:editposix = yes??? thx! -- Michael Gasch Max Planck Institute for Evolutionary Anthropology Department of Human Evolution (IT Staff) Deutscher Platz 6 D-04103 Leipzig Germany Phone: 49 (0)341 - 3550 137 49 (0)341 - 3550 374 Fax: 49 (0)341 - 3550 399
Carlos Eduardo Pedroza Santiviago
2007-Mar-19 12:58 UTC
[Samba] 3.0.23 ldapsam:trusted=yes problem
Hi, On 3/15/07, Asier Barangu?n <abaranguan@elpagestion.com> wrote:> Hi all! > > I've a running Samba PDC (LDAP backend) with windows clients. All the users > are in the LDAP, including the 'guest' user. All except the 'root' user which > is a regular user. Then change in the smb.conf > > ldapsam:trusted = yes > ldapsam:editposix = yes > > and noticed some speed-up when listing groups, look file ownerships, and so > on. But I can't add machines to the domain: neither with the 'root' user, > neither some users with privileges to join computers. > > If I comment the ldapsam:trusted/editposix everything is fine and machines get > added to teh domain. ?Why? All the users are in the LDAP so ldapsam:trusted > should work :-? >IIRC, when you use the editposix flag, samba tries to manage all user/groups functions and doesn't use the smbldap scripts you've defnied. But i don't know if this is already finished. Maybe simo can answer this? For now, just use ldapsam:trusted, since it will speed things a lot. -- Carlos Eduardo Pedroza Santiviago
Reasonably Related Threads
- Problem with Samba PDC, W2k SP4 + rollup clients, user accounts
- net rpc rights ¿problem?
- Samba 4.7 and Editposix/Trusted Ldapsam extension support.
- ldapsam:editposix with inetOrgPerson objectClass for users
- Samba 4.7 and Editposix/Trusted Ldapsam extension support.