reetings List,
I am a newbie in this list so please be indulgent.
I am actually about running a samba (PDC) with OpenLDAP in Debian. I
installed it (Samba) and configured it, but it didn't still work. Here are
some outputs:
from *net getlocalsid*
csiidebian:~# net getlocalsid
[2010/03/29 17:57:33, 0] lib/smbldap.c:1086(smbldap_connect_system)
failed to bind to server ldap://127.0.0.1 with
dn="cn=admin,dc=csimaroc,dc=net" Error: Invalid credentials
(unknown)
SID for domain CSIDEBIAN is: S-1-5-21-2033656986-2476707763-2123375676
csidebian:~#
it still give me the wrong SID.
When I tried to add or search some entry in the Ldap DB, it gave me the
following error: "
ldap_sasl_interactive_bind_s: Invalid credentials (49)", I d like to notify
that I have the same password for samba admin and ldap admin (smbpasswd and
slappasswd). I was been in this error since 2 weeks so please help me, it
makes me crazy!
Here are my configuration files :
*etc/samba/smb.conf*
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[global]
workgroup = CSIMAROC
server string = csidebian
netbios name = CSIDEBIAN
obey pam restrictions = Yes
passdb backend = ldapsam:ldap://127.0.0.1
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd -u "%u"
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
%n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel %u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupmod -m "%u"
"%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u"
"%g"
set primary group script = /usr/sbin/smbldap-usermod -g%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
domain logons = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap suffix = dc=csimaroc,dc=net
ldap admin dn = cn=admin,dc=csimaroc,dc=net
ldap group suffix = ou=groups
ldap machine suffix = ou=machines
ldap user suffix = ou=users
panic action = /usr/share/samba/panic-action %d
ldap ssl = off
encrypt passwords = yes
[homes]
comment = Home Directories
valid users = %S
create mask = 0700
directory mask = 0700
browseable = No
browsable = No
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = Yes
share modes = No
[profiles]
comment = Users profiles
path = /home/samba/profiles
create mask = 0600
directory mask = 0700
browseable = No
browsable = No
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
guest ok = Yes
printable = Yes
browseable = No
browsable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
/*etc/ldap/slapd.conf*
# This is the main slapd configuration file. See slapd.conf(5) for more
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel none
modulepath /usr/lib/ldap
moduleload back_hdb
sizelimit 500
tool-threads 1
backend hdb
database hdb
# The base of your directory in database #1
suffix "dc=csimaroc,dc=net"
rootdn "cn=admin,dc=csimaroc,dc=net"
rootpw {SSHA}L0puRf7u2ASeTVeRziR/s1JZQUQpCaQ0
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057 for more
# information.
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint 512 30
access to attrs=userPassword
by dn="cn=admin,dc=csimaroc,dc=net" write
by anonymous auth
by self write
by * none
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=admin,dc=csimaroc,dc=net" write
by * read
*/etc/ldap/ldap.conf*
BASE dc=csimaroc,dc=net>
> URI ldap://127.0.0.1/
>
> ssl no
>
> rootbinddn cn=admin,dc=csimaroc,dc=net
>
> bindpw ldapadmin
>
>
>
/etc/smbldap-tools/smbldap.conf
SID="S-1-5-21-2252255531-4061614174-2474224977"
# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="DOMSMB"
##############################################################################
#
# LDAP Configuration
#
##############################################################################
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP=127.0.0.1
# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"
# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP=127.0.0.1
# Master LDAP port
# If not defined, parameter is set to "389"
#masterPort="389"
masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "0"
ldapTLS="0"
# Use SSL for LDAP
# If set to 1, this option will use SSL for connection
# (standard port for ldaps is 636)
# If not defined, parameter is set to "0"
ldapSSL="0"
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
#cafile="/root/certs/ca.pem"
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientcert="/root/certs/ldap.csimaroc.net.pem"
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientkey="/root/keys/ldap.csimaroc.net.key"
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=csimaroc,dc=net"
# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for
usersdn
usersdn="ou=Users,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for
computersdn
computersdn="ou=Computers,${suffix}"
# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for
groupsdn
groupsdn="ou=Groups,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for
idmapdn
idmapdn="ou=Idmap,${suffix}"
# Where to store next uidNumber and gidNumber available for new users and
groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"
# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
# Default mode used for user homeDirectory
userHomeDirectoryMode="700"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon
home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\PDC-SRV\%U"
# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon
path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\PDC-SRV\profiles\%U"
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under
dos
userScript="logon.bat"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="csimaroc.info"
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm)
but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
# comment out the following line to get rid of the default banner
# no_banner="1"
*/etc/smbldap-tools/smbldap_bind.conf*
*
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
masterDN="cn=admin,dc=csimaroc,dc=net"
masterPw="ldapadmin"
slaveDN="cn=admin,dc=csimaroc,dc=net"
slavePw="ldapadmin"
Thank u all for your help.
Best regards.
*
--
-----------------------------------------------------------------
|JJohnny RANDRIAMAMPIONONA |
| Phone: +212663682554 |
| National School of Applied Sciences |
| 1818 TANGIER 90000 |
|----------------------------------------------------------------|