Hello - I'm not sure if this is the right place to ask, so if not I will be grateful to learn of a more appropriate mailing list.

I have a Slackware box (2.6.26 kernel) running Samba 3.0.25b (yes, I know, I'll upgrade soon). This machine provides DC functionality for several Windows XP workstations in my house. I recently changed the backend password database to OpenLDAP (v2.3.33) specifically because I wanted to start introducing Linux clients to the domain as well. I thought everything went well with the database migration, and all the XP clients seemed to continue to interact with the DC normally (it may be relevant here to note that I only use local profiles on the workstations, and no roaming profiles at all).

I brought up a Debian (v4.0.x) workstation, and am having problems authenticating on it with a valid domain username. My experiences are causing me to question whether I fully understand my own OpenLDAP implementation and Samba reconfiguration, along with the necessary additions of things like NSS, PAM, etc.

I'd like to have a fairly detailed discussion of configurations and steps for just about all of these things, which is why I'm not sure this is exactly the right mailing list. I'd also be very willing to take a discussion offline to e-mail with anyone who may be willing to help out. So, before I post stuff that may be wildly off-topic, I thought I'd ask. Please let me know.
Dave,

I went through the same process that you did, for the same reason if I understand you right - I wanted to have one central user database for authenticating both Windows clients and Linux (i.e. posix) clients. My (Samba/Posix) LDAP server is implemented on Hardy Xubuntu and I use the smbldap-tools commands for creating user accounts, changing passwords, etc. and avoid using any other commands, but use Luma to check the LDAP data and change simple attribute values.

I have recorded the process that I used in https://help.ubuntu.com/community/OpenLDAP-SambaPDC-OrgInfo-Posix . Maybe this might be of some help.

Regards,
David Collins

---------- Forwarded message ----------
From: "Dave Beach" <drbeach@rogers.com>
To: <samba@lists.samba.org>
Date: Thu, 2 Oct 2008 10:11:42 -0400
Subject: [Samba] Samba & LDAP, with XP and Linux clients
Hello list!

I believe I may not have a Samba problem, but rather an LDAP directory problem. I'm hoping to be redirected towards a more appropriate mailing list to which I can post.

I have a Slackware server running Samba and OpenLDAP, and my WinXP clients authenticate just fine. I migrated from an smbpasswd backend to OpenLDAP with a BDB backend some time ago, using the migration tools provided with smbldap-tools. Everything has been working fine.

I now want to bring a Ubuntu workstation online, and authenticate to the same LDAP database. I've understood that my previous approach was wrong (trying to somehow get the Ubuntu box to join the domain), and that I instead need to use nss and pam to point directly to the LDAP database on the Slackware server. So far, so good. Ubuntu packages sourced and installed.

Executing "getent group" on the Ubuntu client produces the expected results. Executing "getent passwd" does not; it only shows me a subset of the user accounts (notably, not my own account which was created prior to migration).

Fiddling about with a couple of Windows-based ldap query clients, I can see that there seem to be some differences between accounts that were created pre-migration and those created post-migration. As an example, accounts created post-migration seem to have different "objectClass" attributes and values associated with them than do accounts created pre-migration - and the post-migration accounts are all visible with "getent passwd" on the Ubuntu client. Also, the pre-migration accounts have the "account" objectClass associated with them, while the post-migration accounts have the "person" objectClass associated with them. The post-migration accounts also seem to have the "posixAccount" object class associated with them. There are other differences, but these strike me (in my ignorance) as possibly being the source of the problem. In case it isn't obvious, I have zero LDAP experience other than this futzing around I'm doing.

It seems fairly obvious that I need to somehow alter the pre-migration accounts in some way to make them more like the post-migration accounts, such that I can then log onto the Ubuntu client with the same user ID with which I log onto the WinXP clients. I'm reluctant to do much so far, in fear that I'll manage to irreparably damage the pre-migration accounts (somehow lose the SID, etc.) such that they'll need to be re-created, with all the pain that entails on the WinXP clients (I use local profiles only on the WinXP boxes).

So, as I said, probably not a Samba problem per se. Would someone be so kind as to suggest the proper list in which I can post this problem? Thanks very much in advance.
Hi,

> Executing "getent group" on the Ubuntu client produces the expected results.
> Executing "getent passwd" does not; it only shows me a subset of the user
> accounts (notably, not my own account which was created prior to migration).

I am running successfully with the user accounts having the objectClass:

inetOrgPerson
posixAccount
shadowAccount
top

I think that posixAccount is necessary. Typically, objectClass person is not what you need to store a Unix account; you need to have home directory, shell, uid number, gid number, etc. and password to authenticate a Unix user with LDAP. Adding an objectClass or attributes to an existing entry of your LDAP will not break anything that is already working.

Bests,
Olivier
To add a bit more, my users typically look like:

dn: uid=a103,ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
cn: a103
sn: xxxxx
uid: a103
uidNumber: 5072
gidNumber: 95
homeDirectory: /home/a103
loginShell: /bin/sh
mail: a103@cs.ait.ac.th
givenName: xxxx
gecos: xxxx yyyyyyyy
userPassword: {md5}xxxxxxxxxx=
sambaSID: S-1-5-21-xxxxx-yyyyy-zzzzz-11144
sambaAcctFlags: [U ]
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1243416344
sambaNTPassword: yyyyyyyyy

I think that Unix and samba authentication will not work with anything less. sambaLMPassword will be necessary too for Win9x/Me authentication.

Olivier
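The fix Olivier describes (add posixAccount and its mandatory attributes to the pre-migration entries, and add only, so sambaSID and the password hashes are never touched) can be planned offline against a slapcat or ldapsearch dump before anything is written to the directory. The script below is an added example, not code from the thread, the samba list or smbldap-tools. It assumes a base DN of dc=example,dc=com, that gidNumber 513 is the posixGroup for Domain Users (as smbldap-populate creates it; check "getent group" on the Ubuntu box for the real value), that new uidNumbers may be allocated above the highest one already in the dump, and that /bin/bash is an acceptable login shell. The two entries in SAMPLE_LDIF are constructed to match the thread's description of a pre- and a post-migration account; the SIDs and hashes are placeholders.

```python
"""Report Samba accounts in an LDIF dump that lack objectClass posixAccount
and emit an ldapmodify record that adds the class and its MUST attributes.

Only 'add' operations are generated, so sambaSID, sambaNTPassword and the
rest of the sambaSamAccount data are left exactly as they are.
"""

# Constructed sample input (not real directory data). One pre-migration
# account in the shape the thread describes (account + sambaSamAccount,
# no posixAccount) and one post-migration account that is already fine.
SAMPLE_LDIF = """\
dn: uid=olduser,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: sambaSamAccount
uid: olduser
sambaSID: S-1-5-21-111-222-333-1000
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaAcctFlags: [U          ]

dn: uid=newuser,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: sambaSamAccount
cn: newuser
sn: newuser
uid: newuser
uidNumber: 1001
gidNumber: 513
homeDirectory: /home/newuser
loginShell: /bin/bash
sambaSID: S-1-5-21-111-222-333-3002
"""

# MUST attributes of posixAccount (nis.schema): cn, uid, uidNumber,
# gidNumber, homeDirectory. loginShell is MAY but nss_ldap users want it.
POSIX_ATTRS = ("cn", "uidNumber", "gidNumber", "homeDirectory", "loginShell")


def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})]. Folded continuation lines
    (leading space) are joined; base64 '::' values are kept undecoded."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, dn, attrs = [], None, {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.lstrip(": ")
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def needs_posix_fix(attrs):
    """True for a Samba user entry that nss_ldap cannot see as a Unix user."""
    classes = {c.lower() for c in attrs.get("objectClass", [])}
    return "sambasamaccount" in classes and "posixaccount" not in classes


def next_free_uidnumber(entries, floor=1000):
    """Allocate above every uidNumber already present to avoid collisions."""
    used = [int(v) for _, a in entries for v in a.get("uidNumber", []) if v.isdigit()]
    return max(used + [floor - 1]) + 1


def modify_ldif(dn, attrs, uid_number, default_gid=513):
    """Build one ldapmodify record. posixAccount is AUXILIARY, so it can be
    added beside the structural 'account' class without replacing it."""
    uid = attrs["uid"][0]
    defaults = {                      # assumed defaults; adjust per site
        "cn": uid,
        "uidNumber": str(uid_number),
        "gidNumber": str(default_gid),
        "homeDirectory": "/home/" + uid,
        "loginShell": "/bin/bash",
    }
    lines = ["dn: " + dn, "changetype: modify",
             "add: objectClass", "objectClass: posixAccount"]
    for attr in POSIX_ATTRS:
        if attr not in attrs:         # never overwrite an existing value
            lines += ["-", "add: " + attr, attr + ": " + defaults[attr]]
    return "\n".join(lines) + "\n"


def plan_fixes(text, default_gid=513):
    """Return the list of ldapmodify records needed for the whole dump."""
    entries = parse_ldif(text)
    uid_number = next_free_uidnumber(entries)
    fixes = []
    for dn, attrs in entries:
        if needs_posix_fix(attrs):
            fixes.append(modify_ldif(dn, attrs, uid_number, default_gid))
            uid_number += 1
    return fixes


if __name__ == "__main__":
    print("\n".join(plan_fixes(SAMPLE_LDIF)))
```

Feed it a real dump (slapcat on the Slackware box, or ldapsearch -x -b "dc=example,dc=com" from the Ubuntu client), keep that dump as the rollback copy, review the emitted records, then apply them with ldapmodify -x -D "<your ldap admin dn>" -W -f fixes.ldif. Afterwards "getent passwd olduser" on the Ubuntu client should resolve, and "pdbedit -Lv olduser" on the PDC should still show the same sambaSID, which is what the XP local profiles are tied to.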
Hello list!

I have a Samba PDC with an LDAP backend password database, against which WinXP clients authenticate. I also have a Ubuntu workstation, which authenticates directly to the same LDAP password database (no Samba).

I now wish to have the WinXP clients be able to map shares on the Ubuntu workstation, so I obviously need to get Samba working on it. I can slog through the technical details, but I want to make sure I have the concept properly figured out - will the Ubuntu workstation be a "member server", configured as such per the Samba documentation using Winbind, or is there a different way I should be thinking about this?

Thanks for any general pointers.
> I have a Samba PDC with an LDAP backend password database, against which
> WinXP clients authenticate. I also have a Ubuntu workstation, which
> authenticates directly to the same LDAP password database (no Samba).
>
> I now wish to have the WinXP clients be able to map shares on the Ubuntu
> workstation, so I obviously need to get Samba working on it. I can slog
> through the technical details, but I want to make sure I have the concept
> properly figured out - will the Ubuntu workstation be a "member server",
> configured as such per the Samba documentation using Winbind, or is there a
> different way I should be thinking about this?
>
> Thanks for any general pointers.

That is what I have with my samba setup. I mean I have a PDC, a BDC, 3 to 5 LDAP servers and 5 or so member servers. On my PDC and BDC there are no real file shares. The member servers have that. My member servers have winbind.

John