Hello, I have upgraded my Samba PDC from 3.xx (Debian lenny) to 4.1 (Debian jessie).
LDAP and Samba shares all work fine.

When I try to add a user I get the following:

smbpasswd -a foobar
New SMB password:
Retype new SMB password:
ldapsam_create_user: Unable to allocate a new user id: bailing out!
Failed to add entry for user foobar.

I found this workaround
https://lists.samba.org/archive/samba/2009-October/151528.html

but testparm says that

WARNING: The "idmap backend" option is deprecated
Unknown parameter encountered: "idmap alloc backend"
Ignoring unknown parameter "idmap alloc backend"


smbd -V
Version 4.1.17-Debian

egrep -v "(^#|^$|^;)" /etc/samba/smb.conf
[global]
workgroup = foo
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
os level = 255
preferred master = yes
domain master = yes
local master = yes

vfs object = recycle
recycle:repository = /home/samba/Papierkorb/%U
recycle:keeptree = yes
recycle:exclude = *.tmp *.temp *.swp
recycle:exclude_dir = /tmp /temp
recycle:touch = yes

server role = classic primary domain controller
encrypt passwords = true
passdb backend = ldapsam:ldapi:///
ldapsam:trusted=yes
ldapsam:editposix=yes
ldap admin dn = cn=admin,dc=foo
ldap group suffix = ou=Groups
ldap machine suffix = ou=Machines
ldap user suffix = ou=Users
ldap suffix = dc=foo
ldap ssl = off
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
domain logons = yes
logon path
logon script = login.bat
admin users = root, Administrator, @Domain Admins, admin
;idmap uid = 10000-20000
;idmap gid = 10000-20000
;template shell = /bin/bash

idmap alloc config:ldap_base_dn = ou=idmap,dc=foo
idmap alloc config:ldap_user_dn = cn=admin,dc=foo
idmap alloc config:ldap_url = ldapi:///
usershare allow guests = yes

[homes]
comment = Home Directories
browseable = no
read only = yes
create mask = 0700
directory mask = 0700
valid users = %S

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = yes
read only = yes

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no

I want to use a Samba NT4 domain and no AD.
Thanks for any help.

Best Regards, Basti


P.S. smbldap-tools also works fine
Rowland penny
2016-Apr-06 15:30 UTC
[Samba] Samba (4.1.17) ldap backend create user failed
On 06/04/16 15:23, basti wrote:
> When I try to add a user I get the following:
>
> smbpasswd -a foobar
> New SMB password:
> Retype new SMB password:
> ldapsam_create_user: Unable to allocate a new user id: bailing out!
> Failed to add entry for user foobar.
>
> I found this workaround
> https://lists.samba.org/archive/samba/2009-October/151528.html
>
> but testparm says that
>
> WARNING: The "idmap backend" option is deprecated
> Unknown parameter encountered: "idmap alloc backend"
> Ignoring unknown parameter "idmap alloc backend"

Hi, I did some testing recently and I got it to work for me, but this was a new domain. The core part of smb.conf was this:

passdb backend = ldapsam
ldapsam:editposix = yes
ldapsam:trusted = yes
ldap admin dn = cn=admin,dc=samba,dc=tld
ldap suffix = dc=samba,dc=tld
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap user suffix = ou=users
idmap config *: backend = ldap
idmap config *: range = 10000-19999
idmap config *: ldap_url = ldap://localhost/
idmap config *: ldap_base_dn = ou=idmap,dc=samba,dc=tld
idmap config *: ldap_user_dn = cn=admin,dc=samba,dc=tld
ldap delete dn = yes
ldap password sync = yes

idmap alloc was removed some time ago

I also populated ldap by running 'net sam provision'

Rowland
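
As an added example (not part of the thread and not Samba project code), this Python check reads the [global] section of an smb.conf and reports the `idmap alloc ...` keys the reply above says were removed, plus whether the `idmap config *` backend and range from the reply's configuration are present and well-formed. The function names, finding labels and name normalisation are assumptions of this example, and the two sample configs are constructed excerpts of the ones posted in the thread.

```python
import re

# Constructed excerpts: the idmap-related lines of the two configs in the thread.
POSTED = """[global]
passdb backend = ldapsam:ldapi:///
ldapsam:editposix=yes
;idmap uid = 10000-20000
idmap alloc config:ldap_base_dn = ou=idmap,dc=foo
idmap alloc config:ldap_user_dn = cn=admin,dc=foo
idmap alloc config:ldap_url = ldapi:///
[homes]
read only = yes
"""
REPLY = """[global]
passdb backend = ldapsam
idmap config *: backend = ldap
idmap config *: range = 10000-19999
idmap config *: ldap_url = ldap://localhost/
"""
REQUIRED = ("idmap config *:backend", "idmap config *:range")

def global_params(text):
    """Return {normalised name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Example-level normalisation: lower case, no spaces around ':'.
            name = re.sub(r"\s*:\s*", ":", " ".join(name.lower().split()))
            params[name] = value.strip()
    return params

def check_idmap(text):
    """Report removed 'idmap alloc' keys and missing or invalid 'idmap config *' keys."""
    params = global_params(text)
    findings = [("removed", n) for n in sorted(params) if n.startswith("idmap alloc")]
    findings += [("deprecated", n) for n in params if n == "idmap backend"]
    findings += [("missing", k) for k in REQUIRED if k not in params]
    rng = re.fullmatch(r"(\d+)\s*-\s*(\d+)", params.get(REQUIRED[1], ""))
    if REQUIRED[1] in params and not (rng and int(rng[1]) < int(rng[2])):
        findings.append(("bad-range", REQUIRED[1]))
    return findings

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("reply", REPLY)):
        print(label, check_idmap(conf))
```

A clean result only means the idmap keys match the shape of the reply's configuration; it does not show that `smbpasswd -a` will succeed.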

"net sam provision" runs without error.
The error is still present.

On 06.04.2016 17:30, Rowland penny wrote:
> idmap alloc was removed some time ago
>
> I also populated ldap by running 'net sam provision'
>
> Rowland