Hi people,
Been doing a server installation with Samba as a primary PDC that uses an
LDAP backend on CentOS 5.
The thing is that I cannot be able to get Samba and LDAP to talk as they
should and now Im really stuck.
Below are my dumps for /etc/samba/smb.conf, ldap.conf (copied its contents
to /etc/openldap/ldap.conf too), and smbldap.conf.
Excuse my long post; trying to be as elaborate as possible.
smb.conf
**********
[global]
workgroup = MYDOMAIN
netbios name = MYDOMAIN
server string = mydomain_office
passdb backend = ldapsam:ldap://server.example.org
passwd program = /usr/local/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
*all*authentication*tokens*updated*
username map = /etc/samba/smbusers
log file = /var/log/samba/%m.log
max log size = 100
add user script = /usr/local/sbin/smbldap-useradd "%u" -n -g
users
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add group script = /usr/local/sbin/smbldap-groupadd "%g"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m
"%u"
"%g"
delete user from group script = /usr/local/sbin/smbldap-userdel
"%u"
"%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g
"%g"
"%u"
add machine script = /usr/local/sbin/smbldap-useradd -n -c
"Workstation (%u)" -M -d /nohome -s /bin/false "%u"
logon script = %m.bat
logon path = \\server.example.org\%U\profile
domain logons = Yes
os level = 33
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=config
ldap delete dn = Yes
ldap group suffix = ou=groups
ldap machine suffix = ou=machines
ldap passwd sync = Yes
ldap suffix = dc=example,dc=org
ldap user suffix = ou=people
idmap uid = 1000-19999
idmap gid = 1000-19999
[homes]
comment = Home Directories
valid users = DOMAIN\%S
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
share modes = No
smbldap.conf
************
sambaDomain="MYDOMAIN"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
suffix="dc=example,dc=org"
usersdn="ou=people,${suffix}"
computersdn="ou=machines,${suffix}"
groupsdn="ou=groups,${suffix}"
sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
scope="one"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome=""
userProfile=""
userScript="logon.bat"
mailDomain="example.org"
with_smbpasswd="0"
with_slappasswd="0"
/etc/ldap.conf
**********************
host server.example.org
base dc=example,dc=org
binddn cn=config
bindpw 1w2345FJ
rootbinddn cn=zimbra,dc=example,dc=org
timelimit 120
bind_timelimit 120
bind_policy soft
idle_timelimit 3600
nss_base_passwd ou=people,dc=example,dc=org?one
nss_base_shadow ou=people,dc=example,dc=org?one
nss_base_group ou=groups,dc=example,dc=org?one
nss_base_hosts ou=machines,dc=example,dc=org?one
nss_initgroups_ignoreusers
root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
uri ldap://server.example.org
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
smbldap.conf
************
sambaDomain="MYDOMAIN"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
suffix="dc=example,dc=org"
usersdn="ou=people,${suffix}"
computersdn="ou=machines,${suffix}"
groupsdn="ou=groups,${suffix}"
sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
scope="one"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome=""
userProfile=""
userScript="logon.bat"
mailDomain="example.org"
with_smbpasswd="0"
with_slappasswd="0"
smbldap_bind.conf
*****************
slaveDN="cn=config,dc=example,dc=org"
slavePw="1w2345FJ"
masterDN="cn=config,dc=example,dc=org"
masterPw="1w2345FJ"
The strange thing is that I can join a computer to the Domain, but only
using the Samba+samba_root_passwd. I can even see the computer entry in the
LDAP database when I run ldapsearch.
However, I cannot or log in to the domain with credentials in LDAP. Also I
cannot add machines to domain using privileged accounts stored in LDAP.
Strangely though, Samba commands
getent group
and
getent passwd
work just fine (obtain info in ldap) when Im user zimbra, but not as root
(yes user root); running these as root returns only system records in
/etc/passwd & /smbpasswd.
I think that I have done everything correctly including running the command
smbpasswd -w 1w2345FJ
for samba to connect to LDAP and putting the same password in
smbldap_bind.conf defined for "cn=config"
My diagnosis so far is that there is something not working in smbldap-tools
Please advice, will appreciate.
Were the user accounts created with smbldap-tools or were the pre-existing? If they were preexisting did you reset the passwords with smbldap-passwd? You will need to do so to set the appropiate hashes in LDAP. Have you looked at the logs at all? Posting some samples from there showing the server startup and failed login would probably be helpful. --Ryan On Sat, Jul 26, 2008 at 10:36 AM, Mugo Martin <mmuchira@gmail.com> wrote:> Hi people, > > Been doing a server installation with Samba as a primary PDC that uses an > LDAP backend on CentOS 5. > The thing is that I cannot be able to get Samba and LDAP to talk as they > should and now Im really stuck. > Below are my dumps for /etc/samba/smb.conf, ldap.conf (copied its contents > to /etc/openldap/ldap.conf too), and smbldap.conf. > Excuse my long post; trying to be as elaborate as possible. > > smb.conf > ********** > [global] > workgroup = MYDOMAIN > netbios name = MYDOMAIN > server string = mydomain_office > passdb backend = ldapsam:ldap://server.example.org > passwd program = /usr/local/sbin/smbldap-passwd %u > passwd chat = *New*password* %n\n *Retype*new*password* %n\n > *all*authentication*tokens*updated* > username map = /etc/samba/smbusers > log file = /var/log/samba/%m.log > max log size = 100 > add user script = /usr/local/sbin/smbldap-useradd "%u" -n -g users > delete user script = /usr/local/sbin/smbldap-userdel "%u" > add group script = /usr/local/sbin/smbldap-groupadd "%g" > delete group script = /usr/local/sbin/smbldap-groupdel "%g" > add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" > "%g" > delete user from group script = /usr/local/sbin/smbldap-userdel "%u" > "%g" > set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" > "%u" > add machine script = /usr/local/sbin/smbldap-useradd -n -c > "Workstation (%u)" -M -d /nohome -s /bin/false "%u" > logon script = %m.bat > logon path = \\server.example.org\%U\profile > domain logons = Yes > os level = 33 > preferred master = Yes > domain master = Yes > wins support = Yes > ldap admin dn = cn=config > ldap delete dn = Yes > ldap group suffix = ou=groups > ldap machine suffix = ou=machines > ldap passwd sync = Yes > ldap suffix = dc=example,dc=org > ldap user suffix = ou=people > idmap uid = 1000-19999 > idmap gid = 1000-19999 > [homes] > comment = Home Directories > valid users = DOMAIN\%S > read only = No > browseable = No > [printers] > comment = All Printers > path = /var/spool/samba > printable = Yes > browseable = No > [netlogon] > comment = Network Logon Service > path = /var/lib/samba/netlogon > guest ok = Yes > share modes = No > > smbldap.conf > ************ > sambaDomain="MYDOMAIN" > slaveLDAP="127.0.0.1" > slavePort="389" > masterLDAP="127.0.0.1" > masterPort="389" > ldapTLS="0" > suffix="dc=example,dc=org" > usersdn="ou=people,${suffix}" > computersdn="ou=machines,${suffix}" > groupsdn="ou=groups,${suffix}" > sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}" > scope="one" > hash_encrypt="SSHA" > crypt_salt_format="%s" > userLoginShell="/bin/bash" > userHome="/home/%U" > userHomeDirectoryMode="700" > userGecos="System User" > defaultUserGid="513" > defaultComputerGid="515" > skeletonDir="/etc/skel" > defaultMaxPasswordAge="45" > userSmbHome="" > userProfile="" > userScript="logon.bat" > mailDomain="example.org" > with_smbpasswd="0" > with_slappasswd="0" > > /etc/ldap.conf > ********************** > host server.example.org > base dc=example,dc=org > binddn cn=config > bindpw 1w2345FJ > rootbinddn cn=zimbra,dc=example,dc=org > > timelimit 120 > bind_timelimit 120 > bind_policy soft > idle_timelimit 3600 > > nss_base_passwd ou=people,dc=example,dc=org?one > nss_base_shadow ou=people,dc=example,dc=org?one > > nss_base_group ou=groups,dc=example,dc=org?one > nss_base_hosts ou=machines,dc=example,dc=org?one > > nss_initgroups_ignoreusers > root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman > > uri ldap://server.example.org > ssl no > tls_cacertdir /etc/openldap/cacerts > pam_password md5 > > smbldap.conf > ************ > sambaDomain="MYDOMAIN" > slaveLDAP="127.0.0.1" > slavePort="389" > masterLDAP="127.0.0.1" > masterPort="389" > ldapTLS="0" > suffix="dc=example,dc=org" > usersdn="ou=people,${suffix}" > computersdn="ou=machines,${suffix}" > groupsdn="ou=groups,${suffix}" > sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}" > scope="one" > hash_encrypt="SSHA" > crypt_salt_format="%s" > userLoginShell="/bin/bash" > userHome="/home/%U" > userHomeDirectoryMode="700" > userGecos="System User" > defaultUserGid="513" > defaultComputerGid="515" > skeletonDir="/etc/skel" > defaultMaxPasswordAge="45" > userSmbHome="" > userProfile="" > userScript="logon.bat" > mailDomain="example.org" > with_smbpasswd="0" > with_slappasswd="0" > > smbldap_bind.conf > ***************** > slaveDN="cn=config,dc=example,dc=org" > slavePw="1w2345FJ" > masterDN="cn=config,dc=example,dc=org" > masterPw="1w2345FJ" > > The strange thing is that I can join a computer to the Domain, but only > using the Samba+samba_root_passwd. I can even see the computer entry in the > LDAP database when I run ldapsearch. > However, I cannot or log in to the domain with credentials in LDAP. Also I > cannot add machines to domain using privileged accounts stored in LDAP. > Strangely though, Samba commands > getent group > and > getent passwd > work just fine (obtain info in ldap) when Im user zimbra, but not as root > (yes user root); running these as root returns only system records in > /etc/passwd & /smbpasswd. > I think that I have done everything correctly including running the command > smbpasswd -w 1w2345FJ > for samba to connect to LDAP and putting the same password in > smbldap_bind.conf defined for "cn=config" > My diagnosis so far is that there is something not working in smbldap-tools > > Please advice, will appreciate. > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba >
On Saturday 26 July 2008 09:36:25 Mugo Martin wrote:> Hi people, > > Been doing a server installation with Samba as a primary PDC that uses an > LDAP backend on CentOS 5. > The thing is that I cannot be able to get Samba and LDAP to talk as they > should and now Im really stuck.You sure are stuck. So let's see if we can pull you out of the hole you are in.> Below are my dumps for /etc/samba/smb.conf, ldap.conf (copied its contents > to /etc/openldap/ldap.conf too), and smbldap.conf. > Excuse my long post; trying to be as elaborate as possible. > > smb.conf > ********** > [global] > workgroup = MYDOMAIN > netbios name = MYDOMAINWhat makes you believe that it is possible to operate with the domain name (workgroup) and the server name (netbios name) the same? The Samab3-HOWTO makes rather plain that this is a no-go - they must differ. Suggest you set them as: workgroup = MYDOMAIN netbios name = MYSERVER> server string = mydomain_office > passdb backend = ldapsam:ldap://server.example.orgThe "passwd program" and "passwd chat" parameters are not needed with the LDAP backend. Please delete them.> passwd program = /usr/local/sbin/smbldap-passwd %u > passwd chat = *New*password* %n\n *Retype*new*password* %n\n > *all*authentication*tokens*updated*> username map = /etc/samba/smbusers > log file = /var/log/samba/%m.log > max log size = 100> add user script = /usr/local/sbin/smbldap-useradd "%u" -n -g userschange to: add user script = /usr/local/sbin/smbldap-useradd -m "%u"> delete user script = /usr/local/sbin/smbldap-userdel "%u" > add group script = /usr/local/sbin/smbldap-groupadd "%g"change to: add group scipt = /usr/local/sbin/smbldap-groupadd -p "%g"> delete group script = /usr/local/sbin/smbldap-groupdel "%g" > add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" > "%g" > delete user from group script = /usr/local/sbin/smbldap-userdel > "%u" "%g"change to: delete user from group script = /usr/local/sbin/smbldap-userdel -x "%u" "%g"> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" > "%u" > add machine script = /usr/local/sbin/smbldap-useradd -n -c > "Workstation (%u)" -M -d /nohome -s /bin/false "%u"change to: add machine script = /usr/local/sbin/smbldap-useradd -w -g Workstations "%u"> logon script = %m.bat > logon path = \\server.example.org\%U\profilechange to: logon path = \\MYSERVER\profiles\%U> domain logons = Yes > os level = 33 > preferred master = Yes > domain master = Yes > wins support = Yes> ldap admin dn = cn=configchange this to the same as the value of "rootdn" from /etc/openldap/slapd.conf, eg: ldap admin dn = cn=Manager,dc=example,dc=org> ldap delete dn = Yes > ldap group suffix = ou=groups > ldap machine suffix = ou=machines > ldap passwd sync = Yes > ldap suffix = dc=example,dc=org > ldap user suffix = ou=people > idmap uid = 1000-19999 > idmap gid = 1000-19999 > [homes] > comment = Home Directories > valid users = DOMAIN\%S > read only = No > browseable = No > [printers] > comment = All Printers > path = /var/spool/samba > printable = Yes > browseable = No > [netlogon] > comment = Network Logon Service > path = /var/lib/samba/netlogon > guest ok = Yes > share modes = NoAdd: [profiles] comment = Profiles Folder path = /var/lib/samba/profiles read only = no profile acls = yes Now do: root# > mkdir -p /var/lib/samba/profiles root# > chown root:users /var/lib/samba/profiles root# > chmod 2775 /var/lib/samba./profiles> smbldap.conf > ************ > sambaDomain="MYDOMAIN" > slaveLDAP="127.0.0.1" > slavePort="389" > masterLDAP="127.0.0.1" > masterPort="389" > ldapTLS="0" > suffix="dc=example,dc=org" > usersdn="ou=people,${suffix}" > computersdn="ou=machines,${suffix}" > groupsdn="ou=groups,${suffix}" > sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}" > scope="one" > hash_encrypt="SSHA" > crypt_salt_format="%s" > userLoginShell="/bin/bash" > userHome="/home/%U" > userHomeDirectoryMode="700" > userGecos="System User" > defaultUserGid="513" > defaultComputerGid="515" > skeletonDir="/etc/skel" > defaultMaxPasswordAge="45" > userSmbHome="" > userProfile="" > userScript="logon.bat" > mailDomain="example.org" > with_smbpasswd="0" > with_slappasswd="0" > > /etc/ldap.conf > ********************** > host server.example.org > base dc=example,dc=org > binddn cn=config > bindpw 1w2345FJ > rootbinddn cn=zimbra,dc=example,dc=org > > timelimit 120 > bind_timelimit 120 > bind_policy soft > idle_timelimit 3600 > > nss_base_passwd ou=people,dc=example,dc=org?one > nss_base_shadow ou=people,dc=example,dc=org?oneAdd: nss_base_passwd ou=machines,dc=example,dc=org?one nss_base_shadow ou=machines,dc=example,dc=org?one> > nss_base_group ou=groups,dc=example,dc=org?oneNot this one! That will not work! Remove it.> nss_base_hosts ou=machines,dc=example,dc=org?one > > nss_initgroups_ignoreusers > root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman > > uri ldap://server.example.org > ssl no > tls_cacertdir /etc/openldap/cacerts > pam_password md5You are repeating yourself here, it is already shown above.> smbldap.conf > ************ > sambaDomain="MYDOMAIN" > slaveLDAP="127.0.0.1" > slavePort="389" > masterLDAP="127.0.0.1" > masterPort="389" > ldapTLS="0" > suffix="dc=example,dc=org" > usersdn="ou=people,${suffix}" > computersdn="ou=machines,${suffix}" > groupsdn="ou=groups,${suffix}" > sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}" > scope="one" > hash_encrypt="SSHA" > crypt_salt_format="%s" > userLoginShell="/bin/bash" > userHome="/home/%U" > userHomeDirectoryMode="700" > userGecos="System User" > defaultUserGid="513" > defaultComputerGid="515" > skeletonDir="/etc/skel" > defaultMaxPasswordAge="45" > userSmbHome="" > userProfile="" > userScript="logon.bat" > mailDomain="example.org" > with_smbpasswd="0" > with_slappasswd="0" > > smbldap_bind.conf > *****************These DN's need to point to the same value as the "rootdn" from slapd.conf.> slaveDN="cn=config,dc=example,dc=org" > slavePw="1w2345FJ" > masterDN="cn=config,dc=example,dc=org" > masterPw="1w2345FJ" > > The strange thing is that I can join a computer to the Domain, but only > using the Samba+samba_root_passwd. I can even see the computer entry in the > LDAP database when I run ldapsearch. > However, I cannot or log in to the domain with credentials in LDAP. Also I > cannot add machines to domain using privileged accounts stored in LDAP. > Strangely though, Samba commands > getent group > and > getent passwd > work just fine (obtain info in ldap) when Im user zimbra, but not as root > (yes user root); running these as root returns only system records in > /etc/passwd & /smbpasswd. > I think that I have done everything correctly including running the command > smbpasswd -w 1w2345FJ > for samba to connect to LDAP and putting the same password in > smbldap_bind.conf defined for "cn=config" > My diagnosis so far is that there is something not working in smbldap-tools > > Please advice, will appreciate.Please follow the documentation in Samba3-ByExample, chapter 5. http://www.samba.org/samba/docs/Samba3-ByExample.pdf Let me know of anything that does not work. Cheers, John T. -- John H Terpstra Samba-Team Member Phone: +1 (512) 970-0256 Author: The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228 Samba-3 by Example, 2 Ed., ISBN: 0131882221X