[Samba] rpc trust gives WksQueryInfo call failed

2005-06-22 Thread Jérôme Tournier
Hello,
I am trying to establish a trust from SAMBA 3.0.7 (RedHat AS3U4; same
result with 3.0.9 from RedHat AS3-U5) with an NT4 domain controller.
Here is the problem:
[EMAIL PROTECTED] root]# net rpc trustdom establish DOM
Password:
Could not connect to server POMEROL
[2005/06/22 09:44:11, 0] rpc_parse/parse_prs.c:prs_mem_get(537)
  prs_mem_get: reading data of size 4 would overrun buffer.
[2005/06/22 09:44:11, 0] utils/net_rpc.c:rpc_trustdom_establish(4377)
  WksQueryInfo call failed.

Both servers are on the same network; the NetBIOS name and domain controller
are correctly resolved.
Other people have already had this problem: I found a patch proposed by Jerry
(http://lists.samba.org/archive/samba/2005-March/101572.html), but it
should not be a problem for my versions.
I also tried with the 3.0.13 release from samba.org and got the same
result.
I can't see where the problem comes from, as the trust can be established
with another NT4 server, but the NT4 administrator told me that both NT4
servers have the same security level and the same configuration (other than
network)...
Does anyone have an idea?
Thanks!
-- 
Jerome
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Cannot join SAMBA domain from XP/2K

2004-09-20 Thread Jérôme Tournier
On Sun, Sep 19, 2004 at 10:50:34PM +0200, deff wrote:
 Yes, I did. In some other thread someone mentioned that it is mandatory to put 
 all users and machines accounts to ou=People due to some weird samba design 
 decision. However, it isn't mentioned in any howto, neither official nor 
 idealx's, and samba doesn't complain about it in any way either. Too 
 bad...for me.
If I'm not out of the thread (I read it quickly), I put a few words about this
(and links to the samba mailing list) just before paragraph 4.2.4:
http://samba.idealx.org/smbldap-howto.fr.html
-- 
Jérôme


Re: [Samba] Vampire Migrate NT4 to Samba-LDAP PDC. Access error

2004-08-03 Thread Jérôme Tournier
On Tue, Aug 03, 2004 at 02:47:12PM +0200, Ioan Caltun wrote:
 Error: Insufficient access at /usr/local/sbin//smbldap_tools.pm line 920.
 
 And this repeats itself for all the accounts.. Could somebody tell me why there is 
 insufficient access and especially for whom? As I start the actions as root :-(
The script looks for a privileged account defined in smbldap_bind.conf (look
in /etc/smbldap-tools). This account must have write access to the
directory to be able to add new entries.
-- 
Jérôme


Re: [Samba] smbldap-populate issues?

2004-07-23 Thread Jérôme Tournier
On Fri, Jul 23, 2004 at 11:17:29AM +1000, Eric J Bennett wrote:
 [EMAIL PROTECTED] root]# smbldap-populate
 failed to add entry: unrecognized objectClass 'sambaUnixIdPool' at
 failed to add entry: sambapwdlastset: attribute type undefined at
 failed to add entry: sambapwdlastset: attribute type undefined at
 failed to add entry: sambasid: attribute type undefined at
It seems that the samba schema is not loaded. Check that you have the
include file in smb.conf, and that the loaded schema has, for example, the
sambaUnixIdPool objectclass defined.
I think this is an LDAP problem...
-- 
Jérôme


Re: [Samba] pam_smbmount

2004-07-20 Thread Jérôme Tournier
On Tue, Jul 20, 2004 at 11:17:06PM +1000, John Simovic wrote:
 Has anybody managed to get this working under linux and if not does anybody
 mount windows shares under linux without user intervention?
Yes, you can use PAM's libpam-mount module for this. Note that if you
want to mount a Windows 2003 share, you need to patch the kernel for CIFS
support, or use a 2.6 kernel.
-- 
Jérôme


Re: [Samba] smbldap-tools, setting password on command line?

2004-07-12 Thread Jérôme Tournier
On Sun, Jul 11, 2004 at 10:33:58PM +0200, [EMAIL PROTECTED] wrote:
 script around these tools. I tried 
 smbldap-passwd.pl testuser1 < pass 
 where pass contains on two lines the password, but that's a solution I'm not
 proud of, especially since I get this warning/error:
 fileserver:~ # /opt/samba3/sbin/smbldap-passwd.pl testuser2 < testpasses

You can use the following (with 0.8.5; you'll get error messages with older versions,
although it should work):
echo -e 'password\npassword' | smbldap-passwd testuser2
-- 
Jérôme


Re: [Samba] configuring samba-LDAP-PDC using IDEALX tools

2004-06-18 Thread Jérôme Tournier
On Thu, Jun 17, 2004 at 09:21:46PM -0700, abebe lsslp wrote:
   failed to bind to server with dn= cn=Manager,dc=pdc,dc=wbc Error: Invalid 
 credentials
The password you defined for cn=Manager,dc=pdc,dc=wbc is invalid. Did you
fix it with the command smbpasswd -w your_passwd?

 [EMAIL PROTECTED] root]# smbldap-passwd administrator
 No such object at /usr/sbin//smbldap_tools.pm line 189, DATA line 283.
Be careful: the script and smbldap_tools.pm must be in the same directory.
And the configuration files must be located in /etc/smbldap-tools/ (unless
you change the path in the read_conf function in smbldap_tools.pm).
-- 
Jérôme


Re: [Samba] Two questions about smbldap-tools

2004-06-07 Thread Jérôme Tournier
On Mon, Jun 07, 2004 at 10:05:52AM -0400, Dan Hill wrote:
 2.  Is www.idealx.org still a valid site for the smbldap-tools and 
 related info?  When I go there, no matter the URL I enter, I get a login 
 screen prompting for a username and password or a message that page can 
 not be found on the server.
If you are asked for a login/password, there's certainly a problem. In that
case, please send me the URL you want to access.
Thanks.
The smbldap-tools page is http://samba.idealx.org/
-- 
Jérôme



Re: [Samba] smbldap-populate under debian woody fails

2004-06-03 Thread Jérôme Tournier
On Thu, Jun 03, 2004 at 12:35:32PM +0200, Marc Remolt wrote:
 The script starts adding the entries but after
 cn=Domain Guests,ou=Groups,dc=xyz,dc=com
 which is successful the following line shows up
 Can't call method dn on an undefined value at 
 /usr/sbin/smbldap-populate line 341, GEN1 line 11.

Which version of the script are you using?
Can you test smbldap-populate -e /tmp/export.ldif and check whether the LDIF
file looks good near the Domain Guests entry?
-- 
Jérôme


Re: [Samba] smbldap-populate under debian woody fail

2004-06-03 Thread Jérôme Tournier
On Thu, Jun 03, 2004 at 03:50:02PM +0200, Marc Remolt wrote:
 Why are they commented in the first place, if I may ask?
Because those groups are not actually used with samba
-- 
Jérôme 


Re: [Samba] Unable to execute program from smbldap-passwd.pl om samba 3.0.4

2004-06-02 Thread Jérôme Tournier
On Wed, Jun 02, 2004 at 04:21:59PM +0300, zergio wrote:
 When I run smbldap-passwd.pl script from command line it works just 
 fine, however when samba calls it, unix and samba passwords got changed.
 But my code, which I added, looks like never been called at all.
For smbldap-passwd.pl to be called, you need to add in smb.conf:
'unix password sync = Yes'
I know this is strange for an LDAP backend, but the man page says so.
Next, you need to patch smbldap-passwd.pl (in 3 different places) so that
you have only the STDIN read between stty -echo and stty echo.
For example:

system "stty -echo";
chomp($pass=<STDIN>);
system "stty echo";
print "\n";

and not

system "stty -echo";
chomp($pass=<STDIN>);
print "\n";
system "stty echo";

I am sorry, I can't send a patch because I don't have the old sources with me
:-(
-- 
Jérôme


Re: [Samba] SAMBA 3.0.4 + LDAP + usrmgr

2004-05-20 Thread Jérôme Tournier
On Thu, May 20, 2004 at 08:55:59AM +0200, RRuegner wrote:
 add machine script = /var/lib/samba/scripts/smbldap-useradd -w %u
 you have to copy the script in /usr/local/sbin/ cause this is hardcoded
 in them use this
add machine script = /usr/local/sbin/smbldap-useradd.pl -w %u
Things that are hardcoded in the scripts are:
. in smbldap-passwd: the path to slappasswd
. in smbldap-useradd, smbldap_tools.pm: the path to the nscd init script
. in smbldap_tools.pm: the path to the configuration files (in
  /etc/smbldap-tools/)
The one to take care of is the last one, because if the configuration files are
not in /etc/smbldap-tools/, all scripts will fail.
-- 
Jérôme



Re: [Samba] Samba 3.0.4 PDC w/ LDAP - XP client

2004-05-19 Thread Jérôme Tournier
On Wed, May 19, 2004 at 04:43:11PM +0200, Stefan G. Weichinger wrote:
 - Right now my XP-box has the registry changed (SignOrSeal ...)
 because I somewhere read about that. Necessary or not? (I will test
 that ...)
No, not necessary.

 - Should smbldap-populate get edited to create root with uidnumber=0?
smbldap-populate does not create a root account. But you can use the
Administrator one. I just forgot to set the uidNumber to 0 in the 0.8.4 version
of the script.
You can set it using 'smbldap-usermod -u 0 Administrator'.

 - Should smbldap-populate get edited to use the same ou-Container for
 Users AND Computers?
smbldap-populate will create an ou for both users and computers. You don't
need to change this script. If you want computer accounts to be placed in
ou=Users, just modify the smbldap.conf file as follows:
computersdn=ou=Users,...
Note that you can use ou=Computers for computer accounts; look at this:
http://marc.theaimsgroup.com/?l=samba&m=108439612826440&w=2
--
Jérôme




Re: [Samba] How do I add accounts when using ldap authentication?

2004-04-16 Thread Jérôme Tournier
On Thu, Apr 15, 2004 at 06:14:41PM -0700, K. Richard Pixley wrote:
 ldap user suffix = ou=People,dc=isw1,dc=symbol,dc=com
 ldap group suffix = ou=Groups,dc=isw1,dc=symbol,dc=com
 ldap machine suffix = ou=Computers,dc=isw1,dc=symbol,dc=com
 ldap suffix = dc=isw1,dc=symbol,dc=com
 ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
 ldap passwd sync = yes
 Anyone see an obvious flaw in what I'm doing?  Or can anyone point me
 toward clarifying doc?  (most of this comes from the howto).
ldap user suffix, ldap group suffix and ldap machine suffix must not
have the suffix extension. And I think it is recommended to comment out the
ldap filter directive. You must then have:

 ldap suffix = dc=isw1,dc=symbol,dc=com
 ldap user suffix = ou=People
 ldap group suffix = ou=Groups
 ldap machine suffix = ou=Computers
 # ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
-- 
Jérôme
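
Added example (not part of the original message, and not code from Samba or smbldap-tools): a small smb.conf check for the mistake discussed in this message, where `ldap user suffix`, `ldap group suffix` or `ldap machine suffix` repeats the base `ldap suffix`. The function names are hypothetical, both sample configurations are constructed from the settings quoted in the thread, and the parser assumes all parameters are global and that DN values contain no escaped commas.

```python
"""Check smb.conf text for ldapsam sub-suffixes that repeat the base suffix."""

SUB_SUFFIXES = ("ldap user suffix", "ldap group suffix", "ldap machine suffix")

# Constructed sample: the settings as quoted in the question.
BROKEN = """
[global]
ldap user suffix = ou=People,dc=isw1,dc=symbol,dc=com
ldap group suffix = ou=Groups,dc=isw1,dc=symbol,dc=com
ldap machine suffix = ou=Computers,dc=isw1,dc=symbol,dc=com
ldap suffix = dc=isw1,dc=symbol,dc=com
ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
ldap passwd sync = yes
"""

# Constructed sample: the settings as given in the reply.
FIXED = """
[global]
ldap suffix = dc=isw1,dc=symbol,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
# ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
"""


def parse_params(text):
    """Return {parameter: value} for the active (uncommented) lines.

    Simplification: section headers are skipped and every parameter is
    treated as global; names are lower-cased and whitespace-collapsed.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip().strip('"')
    return params


def split_dn(dn):
    """Naive DN split on commas (assumes no escaped commas in RDN values)."""
    return [part.strip() for part in dn.split(",") if part.strip()]


def check_ldap_suffixes(text):
    """Return [(parameter, current value, suggested relative value), ...].

    A sub-suffix is reported when it ends with the base 'ldap suffix',
    compared case-insensitively RDN by RDN.
    """
    params = parse_params(text)
    base = split_dn(params.get("ldap suffix", ""))
    if not base:
        return [("ldap suffix", None, None)]  # base suffix missing
    base_cmp = [p.lower() for p in base]
    findings = []
    for key in SUB_SUFFIXES:
        if key not in params:
            continue
        parts = split_dn(params[key])
        tail = [p.lower() for p in parts[-len(base):]]
        if len(parts) >= len(base) and tail == base_cmp:
            relative = ",".join(parts[: len(parts) - len(base)])
            findings.append((key, params[key], relative))
    return findings


def active_ldap_filter(text):
    """Return the 'ldap filter' value if it is set and not commented out."""
    return parse_params(text).get("ldap filter")


if __name__ == "__main__":
    for name, conf in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name)
        for key, current, suggested in check_ldap_suffixes(conf):
            print(f"  {key} = {current}  ->  {key} = {suggested}")
        print(f"  active ldap filter: {active_ldap_filter(conf)}")
```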


Re: [Samba] add machine script wont add Postfix account

2004-04-15 Thread Jérôme Tournier
On Fri, Mar 26, 2004 at 04:06:38PM +0100, Stagiair wrote:
 When we add a client pc (win2k) to our domain everything goes well 
 except that the add machine script wont run.
 A computer will be created within the LDAP directory but not with the 
 add machine script.
I don't have an answer to your problem, but I have 2 remarks...

socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
add user script = /usr/sbin/smbldap-useradd.pl -a -m %u
add machine script = /usr/sbin/smbldap-useradd.pl -w %u
delete user script = /usr/sbin/smbldap-userdel.pl -r %u
add group script = /usr/sbin/smbldap-groupadd.pl %g
delete group script = /usr/sbin/smbldap-groupdel.pl %g
add user to group script = /usr/sbin/smbldap-usermod.pl -G %g %u
Those scripts are old. You should maybe use the latest ones (be careful with
the configuration files: there are now 2 files located in
/etc/smbldap-tools and the scripts do not have the .pl extension anymore)

 After login the following entry will be made in LDAP:
 uid=tmc-ontwikkelpc$,ou=computers,o=T3E,c=nl
 objectClass: sambaSamAccount
 This is a really different schema, and this is the one that we need.
 Anyone  sees what were doing wrong?
The sambaSAMAccount is added by samba itself when joining the domain.
-- 
Jérôme


Re: [Samba] add machine script wont add Posix account

2004-04-15 Thread Jérôme Tournier
On Wed, Apr 14, 2004 at 07:42:40PM +0200, Stéphane Purnelle wrote:
 If a computer is added successfully, the next SambaSID isn't correctly 
 computed, because
 the uidNumber is not changed.
Do you have nss_ldap correctly configured ?
-- 
Jérôme


Re: [Samba] smbldap_tools

2004-04-05 Thread Jérôme Tournier
On Mon, Apr 05, 2004 at 11:57:40AM +0200, Brendon Standing wrote:
 failed to perform search; invalid DN at
 /usr/share/samba/scripts//smbldap_tools.pm line 154, DATA line 283.
 Can't call method get_value on an undefined value at
 /usr/bin/smbldap-useradd line 152, DATA line 283.

. Does the default group defined in smbldap.conf exist (defaultUserGid=513)?
. Is the NT Domain Users group mapped to a unix group with rid 513
  (see option -r of smbldap-groupadd and smbldap-groupmod to set a rid)?
-- 
Jérôme


Re: [Samba] smbldap-tools dont handle referrals

2004-03-22 Thread Jérôme Tournier
On Mon, Mar 22, 2004 at 06:46:54PM +0100, Matthias Eichler wrote:
 Unfortunately it seems that the smbldap-tools are not able to handle
 referrals? I always get:
 ---cut---
 failed to modify entry: Referral received at
 /usr/local/sbin/smbldap-passwd.pl line 140, STDIN line 2.
 Unable to change password : Referral received at
 /usr/local/sbin/smbldap-passwd.pl line 174, STDIN line 2.
 ---cut---

The smbldap-tools configuration file allows you to specify the master
LDAP server for write operations (masterDN and masterPw).
-- 
Jérôme


Re: [Samba] problem with 'passwd chat' and 'passwd program'

2004-02-26 Thread Jérôme Tournier
On Wed, Feb 25, 2004 at 05:25:30PM -0800, Loc Nguyen wrote:
 remove
 unix password sync = yes 
 if you're using ldap for
 authentication

Well, I added it so that the 'passwd program' is called as root (as said in
the smb.conf man page). Otherwise, it is not called.
I know that I can remove this and only add 'ldap passwd sync = Yes', but
I just want to understand why my script does not finish.
And I also tried samba with Oracle Internet Database: everything works
perfectly, except the update of userPassword. Why? I don't know. Samba
can update all other attributes, but not this one!
That's why I also need to use an external script.
-- 
Jérôme


Re: [Samba] Samba-3.0.2 PDC LDAP: Add computer to domain issue with smbldap-tools

2004-02-26 Thread Jérôme Tournier
On Thu, Feb 26, 2004 at 03:08:58PM +0200, David Wilson wrote:
 add users to /etc/passwd etc. and then to LDAP with smbldap-useradd -a 
Why don't you put the account in LDAP only? 'smbldap-useradd -a' will add
a posix account in the directory: you'll then have 2 accounts with the
same username!

 My only problem is that I cannot seem to get a machine account added
 correctly. I've added the PC name to /etc/passwd etc. with useradd -s
 /bin/false -g computers pc1$ and also run smbldap-useradd -w pc1.
 When the computer attempts to join the domain it receives an unable to
 join domain error. It seems that smbldap-useradd -w pc1 seems to add
 only a posix account to the LDAP backend ?:
Yes. Samba will add the sambaSAMAccount objectclass when joining the
domain.

 I've missed something somewhere for sure ? Perhaps I need nss_ldap ?
Yes, you need nss_ldap.

-- 
Jérôme


[Samba] problem with 'passwd chat' and 'passwd program'

2004-02-25 Thread Jérôme Tournier
Hi!
I have a problem using an external script to change passwords.
In smb.conf, I have:
= passwd chat = "Changing password for*\nNew password*" %n\n "\nRetype new password*" %n\n
= passwd chat debug = Yes
= log level = 100
= unix password sync = Yes
= passwd program = /usr/local/sbin/smbldap-passwd %u
The script is called normally, and the logs show that the passwd chat
looks good, as the new password (coucou) is sent two times. You can find
the logs below.
But the script should normally also change the userPassword attribute,
and this is not done.
The smbldap-passwd script reads the passwords like this (it's a Perl
script):
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
system "stty -echo";
print "New password : ";
chomp($pass=<STDIN>);
print "\n";
system "stty echo";
system "echo pass=$pass >> /tmp/bla.txt";

system "stty -echo";
print "Retype new password : ";
chomp($pass2=<STDIN>);
print "\n";
system "stty echo";
system "echo pass2=$pass2 >> /tmp/bla.txt";
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
I added two 'echo ... >> /tmp/bla.txt' to see what is passed to the
script. The first one is called as it should be, but the second one is
never called. The end of the script is then never run: the userPassword is
then never updated :-(
(I am using samba 3.0.2rc2.)
I can find what is wrong. Does anyone have an idea?
Thanks :)

Here is the smbd log:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  Invoking '/usr/local/sbin/smbldap-passwd jto' as password change
program.
[2004/02/25 20:33:01, 10] lib/util_sock.c:read_socket_with_timeout(263)
  read_socket_with_timeout: timeout read. select timed out.
[2004/02/25 20:33:01, 100] smbd/chgpasswd.c:expect(274)
  expect: expected [Changing password for*
  New password*] received [Changing password for jto
  New password : ] match yes
[2004/02/25 20:33:01, 10] smbd/chgpasswd.c:expect(285)
  expect: returning True
[2004/02/25 20:33:01, 100] smbd/chgpasswd.c:expect(237)
  expect: sending [coucou
  ]
[2004/02/25 20:33:01, 10] lib/util_sock.c:read_socket_with_timeout(263)
  read_socket_with_timeout: timeout read. select timed out.
[2004/02/25 20:33:01, 100] smbd/chgpasswd.c:expect(274)
  expect: expected [
  Retype new password*] received [
  Retype new password : ] match yes
[2004/02/25 20:33:01, 10] smbd/chgpasswd.c:expect(285)
  expect: returning True
[2004/02/25 20:33:01, 100] smbd/chgpasswd.c:expect(237)
  expect: sending [coucou
  ]
[2004/02/25 20:33:21, 3] smbd/chgpasswd.c:chat_with_program(440)
  chat_with_program: Password change successful for user jto
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-- 
Jérôme



Re: [Samba] problems on join domain on Samba3 + ldap

2004-02-20 Thread Jérôme Tournier
On Fri, Feb 20, 2004 at 11:49:23AM +0100, Vanni Della Ricca wrote:
   add user script = /usr/local/sbin/smbldap-useradd -a %u
You do not have to set the '-a' option:
add user script = /usr/local/sbin/smbldap-useradd %u
Samba will add the sambaSAMAccount when joining the domain.

   ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
Test without the 'ldap filter' directive ...

 userSmbHome=\\PDC-SMB3\homes
Are you sure? :)
  userSmbHome=\\SERVER-DEPARTMENT1\homes

Did you configure PAM?
-- 
Jérôme



Re: [Samba] Using the same LDAP entry for posixAccount and sambaSamAccount with smbldap

2004-02-19 Thread Jérôme Tournier
On Thu, Feb 19, 2004 at 12:07:49PM +0100, Carlos García Recio wrote:
 samba 3.0.2
 smbldap-tools 0.8.4
 RH 9
 nss_ldap configured
 pam_ldap NOT configured
 LDAP passwd backend
 winxp pro domain member
Can you also send us your smbldap-tools configuration files, and also the samba and
openldap (?) ones?
Thanks
-- 
Jérôme


Re: [Samba] Using the same LDAP entry for posixAccount and sambaSamAccount with smbldap

2004-02-19 Thread Jérôme Tournier
On Thu, Feb 19, 2004 at 01:30:24PM +0100, Carlos García Recio wrote:
 ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
Can you try removing the filter (or commenting it out)?
It seems to cause some problems. I did not look for the exact problem, but
there must certainly be a good way of writing the filter.
-- 
Jérôme


Re: [Samba] samba PDC and BDC with ldap master and slave backend

2004-02-09 Thread Jérôme Tournier
On Mon, Feb 09, 2004 at 08:35:52AM +1100, Andrew Bartlett wrote:
= passdb backend = ldapsam:ldap://slave.quenya.org ldap://master.quenya.org;
will samba store informations in the master ldap server or will it fail ?
 
 This will work fine.  Samba will talk to the master for updates.  Set
 'ldap replication sleep' to the amount of time you expect the slave to
 take to catch up to reality.  (Oh, and I know that's dodgy, but better
 ideas haven't yet been implemented).

OK. But with the order specified in the example above (slave and then
master), will samba first contact the slave and then the master if needed?
I mean, let's suppose I have the 'passdb backend' defined above. If samba
needs to modify something, is the procedure like this:
1) samba contacts the first ldaps server mentioned in 'passdb backend',
   i.e. the slave server
2) samba tries to update the directory: that fails
3) samba tries to contact the second ldap server mentioned in 'passdb
   backend', i.e. the master
4) samba tries to update the master directory: success
5) all following operations will be done first with the slave ldap server

Is that the right scenario?
Thanks
-- 
Jérôme



Re: [Samba] samba PDC and BDC with ldap master and slave backend

2004-02-09 Thread Jérôme Tournier
On Mon, Feb 09, 2004 at 07:34:38PM +0700, Beast wrote:
 Problem if master ldap is over wan and link is down. nobody will be able to change 
 any attributes on that site. I know its not samba fault, but any advise on that 
 setup?

And if the link is down, as computers periodically change their trust
account password, what will happen if they can't do that? They'll keep
their current password, but can they keep it for a long time without problems
in user authentication or anything else?
-- 
Jérôme


[Samba] samba PDC and BDC with ldap master and slave backend

2004-02-08 Thread Jérôme Tournier
Hi all!
In the samba-Howto, I was looking for information on how to set up
both a samba PDC and a samba BDC with an LDAP backend.
I can read:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Do not install a Samba PDC on a OpenLDAP slave server...
Possible PDC/BDC plus LDAP configurations include:
. PDC - LDAP master server, BDC - LDAP slave server.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

And now I am wondering about these questions:
. if the samba BDC contains the following configuration
  = passdb backend = ldapsam:ldap://slave.quenya.org ldap://master.quenya.org;
  will samba store information in the master ldap server or will it fail?
  Or is it necessary to put the master ldap server first, like this:
  = passdb backend = ldapsam:ldap://master.quenya.org ldap://slave.quenya.org;
. can I install a samba BDC with an ldap slave server? Yes, you will answer me,
  but in the case where the master ldap server is unreachable, where will
  the samba BDC store new information (Machine Trust Account passwords,
  for example, which are periodically changed)?

Thanks for any clarification :)
--
Jérôme



Re: [Samba] Still with my problem of samba 3.0.2rc2 and LDAP

2004-02-04 Thread Jérôme Tournier
On Wed, Feb 04, 2004 at 04:48:45PM +0100, Frédéric Descamps wrote:
 uid=fred-6csvh95hqd$,ou=Computers,dc=maladree,dc=be with: Object class
 violation
object class 'sambaSamAccount' requires attribute 'sambaSID'

samba can't find the SID of the domain.
Does it exist (net getlocalsid) ? 
-- 
Jérôme


Re: [Samba] Samba and LDAP SSL

2004-02-04 Thread Jérôme Tournier
On Wed, Feb 04, 2004 at 05:13:34PM +, Martin Ritchie wrote:
 Is anyone using samba with an openldap backend? I've been trying to get 
 it to use a SSL connection without much success. Has anyone managed to 
 get it all to work?

I've written a quick guide. You can have a look here:
http://samba.idealx.org/dist/doc/smbldap-tools007.html
-- 
Jérôme


Re: [Samba] Still with my problem of samba 3.0.2rc2 and LDAP

2004-02-04 Thread Jérôme Tournier
On Wed, Feb 04, 2004 at 05:58:32PM +0100, Frédéric Descamps wrote:
 Yes, it does :
 # net getlocalsid
 SID for domain SAMBA3 is: S-1-5-21-3737323649-216568395-2605648481
 
Did you configure nss_ldap?
Which samba version are you using?
I've just tested 3.0.2pre1 and 3.0.2rc2 and it works.
-- 
Jérôme
 
 On Wed, 2004-02-04 at 17:23, Jérôme Tournier wrote:
  On Wed, Feb 04, 2004 at 04:48:45PM +0100, Frédéric Descamps wrote:
   uid=fred-6csvh95hqd$,ou=Computers,dc=maladree,dc=be with: Object class
   violation
  object class 'sambaSamAccount' requires attribute 'sambaSID'
  
  samba can't find the SID of the domain.
  Does it exist (net getlocalsid) ? 
  -- 
  Jérôme
 


Re: [Samba] Samba 3.0.1 and LDAP

2004-02-04 Thread Jérôme Tournier
On Wed, Feb 04, 2004 at 01:21:10PM -0800, Jeff Davis wrote:
 [EMAIL PROTECTED] root]# smbldap-useradd -am testuser2
 failed to perform search; No such object at 
 /usr/local/sbin//smbldap_tools.pm line 211, DATA line 283.
 No such object at /usr/local/sbin//smbldap_tools.pm line 719, DATA line 
 283.

The problem may come from this: you want to add a windows account.
The script will then use the default gidNumber defined in the
smbldap.conf file. So does this group exist in the directory, and did
you create the mapping (you can use the -a option of smbldap-groupadd to
create an automatic group mapping)?
-- 
Jérome


Re: [Samba] Samba and Oracle directory

2004-01-28 Thread Jérôme Tournier
On Tue, Jan 27, 2004 at 07:57:03PM +1100, Andrew Bartlett wrote:
 There is nothing that prevents you from writing a pdb_oracle - I would
 suggest you look closely at pdb_mysql and pdb_pgsql for hints, and
 common code to raid.

Well, I was speaking about the Oracle LDAP directory and asking whether a
schema for it was available.
-- 
Jérôme



Re: [Samba] PDC/LDAP

2004-01-28 Thread Jérôme Tournier
On Wed, Jan 28, 2004 at 10:36:59AM +0100, asky wrote:
 Hi,
 
 I'm using Redhat 8.0, samba-3.0, openldap-2.0.25 and sambatools-0.8.3 to 
 setup a PDC.
 When I run smbldap-populate I get the following error:

I think that the masterDN and masterPw defined in
/etc/smbldap-tools/smbldap_bind.conf do not give the account
write access to the directory, do they?
-- 
Jérôme

 [EMAIL PROTECTED] root]# smbldap-populate
 Using builtin directory structure
 adding new entry: dc=nijacol,dc=net
 failed to add entry: Already exists at /usr/local/sbin/smbldap-populate 
 line 384, GEN1 line 2.
 adding new entry: ou=Users,dc=nijacol,dc=net
 failed to add entry: Already exists at /usr/local/sbin/smbldap-populate 
 line 384, GEN1 line 3.
 adding new entry: ou=Groups,dc=nijacol,dc=net
 failed to add entry: no write access to parent at 
 /usr/local/sbin/smbldap-populate line 384, GEN1 line 4.
 adding new entry: ou=Computers,dc=nijacol,dc=net
 failed to add entry: Already exists at /usr/local/sbin/smbldap-populate 
 line 384, GEN1 line 5.
 adding new entry: uid=Administrators,ou=Users,dc=nijacol,dc=net
 failed to add entry: no write access to parent at 
 /usr/local/sbin/smbldap-populate line 384, GEN1 line 6.
 adding new entry: uid=nobody,ou=Users,dc=nijacol,dc=net
 failed to add entry: no write access to parent at 
 /usr/local/sbin/smbldap-populate line 384, GEN1 line 7.
 adding new entry: cn=Domain Admins,ou=Groups,dc=nijacol,dc=net
 failed to add entry: no write access to parent at 
 /usr/local/sbin/smbldap-populate line 384, GEN1 line 8.
 adding new entry: cn=Domain Users,ou=Groups,dc=nijacol,dc=net
 failed to add entry: no write access to parent at 
 /usr/local/sbin/smbldap-populate line 384, GEN1 line 9.
 adding new entry: cn=Domain Guests,ou=Groups,dc=nijacol,dc=net
 failed to add entry: no write access to parent at 
 /usr/local/sbin/smbldap-populate line 384, GEN1 line 16.
 adding new entry: cn=Print Operators,ou=Groups,dc=nijacol,dc=net
 failed to add entry: no write access to parent at 
 /usr/local/sbin/smbldap-populate line 384, GEN1 line 17.
 adding new entry: cn=Backup Operators,ou=Groups,dc=nijacol,dc=net
 failed to add entry: no write access to parent at 
 /usr/local/sbin/smbldap-populate line 384, GEN1 line 18.
 adding new entry: cn=Replicator,ou=Groups,dc=nijacol,dc=net
 failed to add entry: no write access to parent at 
 /usr/local/sbin/smbldap-populate line 384, GEN1 line 19.
 adding new entry: cn=Domain Computers,ou=Groups,dc=nijacol,dc=net
 failed to add entry: no write access to parent at 
 /usr/local/sbin/smbldap-populate line 384, GEN1 line 19.
 [EMAIL PROTECTED] root]#
 
 Also, when I shutdown, I can only login from single user mode after 
 disabling services using authconfig (ldap etc).
 I know I'm not doing something right but I just can't figure it out . Any 
 help would be appreciated.
 
 Asky 
 
 
 


Re: [Samba] Failed to setup a TLS session

2004-01-27 Thread Jérôme Tournier
On Tue, Jan 27, 2004 at 12:09:22PM +0100, patrice raby wrote:
 Hi all,
 I'm trying to configure Samba with ldap support, i have compiled samba with ldap... 
 openldap seems to work fine, users can connect with ssh but when they try to connect 
 to samba, i have the following
 error message:
 [2004/01/27 12:20:40, 0] passdb/pdb_ldap.c:ldap_open_connection(129)
   Failed to setup a TLS session
Is your ldap server configured to accept TLS session (did you create
certificates) ?
-- 
Jérôme


Re: [Samba] after switching to ldap, cannot net groupmap stuff

2004-01-26 Thread Jérôme Tournier
On Mon, Jan 26, 2004 at 03:28:29AM -0500, John H. wrote:
 ldap suffix = dc=INTRANET
You must have
  ldap suffix = dc=INTRANET

-- 
Jérôme


[Samba] Samba and Oracle directory

2004-01-26 Thread Jérôme Tournier
Hello !
Has anyone already configured samba 3 with Oracle directory ? Is it
possible ? Does anyone have any link to an existing schema ?
Thanks for any comment :)
-- 
Jérôme


Re: [Samba] smbldap-tools 8.3 populate errors

2004-01-18 Thread Jérôme Tournier
On Sat, Jan 17, 2004 at 04:00:23PM +0100, Manfred Odenstein wrote:
 The tgz file is incomplete, I've noticed this too. The rpm is complete, so I've 
 downloaded the rpm file instead, unpacked it, and copied the scripts to their 
 respective location.
Yes, you are right. The archive now includes the file.

 My system is now running, but I think there are some bugs in the populate 
 script, e.g. the SID of the Administrator account should end with -500 as I 
 know, because it's predefined. Any comment from the author ???
500 is the well-known RID for the domain administrator, not for
the administrator account, am I wrong ?
 
 and please take care of the default groups in the smbldap.conf file, default 
 machine account points to Print Operators (550) should be Domain 
 Computers (553).
Yes, fixed.
 
 I've also changed the gidNumber and uidNumber of the guest account and Domain 
 Guest group to the default values of my system (SuSE9)
 
 after this all worked correctly except some log-entries .
 Failed to open group mapping database 
 and 
 failed to decode PDU
Do you always have these error messages ? With every script ?
Thanks for your report !
-- 
Jérôme


[Samba] smbldap-tools: cvs version

2004-01-12 Thread Jérôme Tournier
Hi!
I just want to warn everybody who wants to get the latest CVS version
of the smbldap-tools !
The cvs version of the smbldap-tools has changed. Read the INSTALL file
before upgrading because the scripts' names have changed and also their
location:
. Configuration file is now split in two files
  = /etc/smbldap-tools/smbldap.conf : global parameters
  = /etc/smbldap-tools/smbldap_bind.conf: connection parameters to the directory
. All the scripts have the .pl extension removed: update the smb.conf
  file
. There's a script configure.pl to help you set up both of the
  configuration files (smbldap.conf and smbldap_bind.conf must first be
  present in /etc/smbldap-tools/ before calling the configure.pl
  script)

I will create a new rpm package in the next days. It will be available
on our site (http://samba.idealx.org). 
If you have time to test it, any feedback is welcome of course !

-- 
Jérôme 



Re: [Samba] smbldap-tools problem with Samba 3.0.1/LDAP 2.1.22/Fedora Core 1

2004-01-11 Thread Jérôme Tournier
On Fri, Jan 09, 2004 at 06:21:48PM -0500, Data Control Systems Inc. - Mike Elkevizth wrote:
 I'm trying to setup a samba PDC/BDC with disconnected auth. and am stuck at
 step one because I can't get smbldap-tools to work right. First when I do a
 smbldap-useradd.pl -a test, it works fine. ldapsearch shows the entry
 properly. Then I try smbldap-usershow.pl or smbldap-userdel.pl or any other
 one for that matter and they all fail with a user test does not exist!
 Also if I do a smbldap-useradd.pl -w ... for a workstation add it adds the
 workstation to the directory, but doesn't add any samba entries
 (SambaSamAccount, etc.). Please someone help, I've been working on this for
 quite a while and really need to get it working soon.
 
The -w option of smbldap-useradd.pl adds a workstation account. But the
sambaSAMAccount is added by samba when joining the domain.
If you can't show a user you just added, I suppose you did not
configure nss_ldap. Use the authconfig utility for that.

-- 
Jérôme


Re: [Samba] 3.0.1/Solaris 9 - smbldap dots in usernames

2003-12-30 Thread Jérôme Tournier
On Tue, Dec 30, 2003 at 09:31:17PM +1100, Chew, Darren wrote:
 Is it possible to vampire across dots in usernames? I got over 1000 
 accounts with dots in them eg. firstname.lastname
 The smbldap-tools (version 0.8.2) don't seem to like adding users and 
 groups with dots in them.
Yes, you are right. If you really need this, you can use this patch to
correct the problem. But i think that windows does not like that !
-- 
Jérôme Tournier  IDEALX SAS
Administrateur Systèmes  15-17 Avenue de Segur
[EMAIL PROTECTED]   75007 PARIS
Tel.: 01 44 42 00 53 Fax.: 01 44 42 00 01
gpg key ID: 0xDA962B24   (pgp.mit.edu)
--- smbldap-useradd.pl.orig 2003-12-30 11:46:47.0 +0100
+++ smbldap-useradd.pl  2003-12-30 11:46:51.0 +0100
@@ -128,7 +128,7 @@ if (!defined($userGidNumber)) {
 my $userName = $ARGV[0];
 
 # untaint $userName (can finish with one or two $)
-if ($userName =~ /^([\w -]+\$?)$/) {
+if ($userName =~ /^([\w -.]+\$?)$/) {
   $userName = $1;
 } else {
   print $0: illegal username\n;
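Review bot: in the new character class [\w -.] the hyphen is no longer the last character, so " -." is read as a range from space (0x20) to "." (0x2E) instead of three literal characters. Besides the dot, the check that the comment describes as untainting $userName now also accepts ! " # $ % & ' ( ) * + and the comma, which is far more than dots in usernames requires. Keep the hyphen at the end of the class, for example [\w .-], so that the dot is the only character added.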

Re: [Samba] smbldap Tools problem

2003-12-22 Thread Jérôme Tournier
On Mon, Dec 22, 2003 at 11:25:27AM +0100, [EMAIL PROTECTED] wrote:
 Hi all!
 I want to thanks all people here for their help, good job guys! :o)
 And now, it's my question:
 I'm using smbldap-tools 0.8.2 from samba.idealx.org. In all the docs I read 
 about it, I read that I must put these lines in smb.conf:
   passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
   passwd chat = *new*password* %n\n *new*password* %n\n *successfully*

I'll have a look at the script. In any case, it is not useful to call
this script. You can leave the default value and set:
ldap passwd sync = Yes

-- 
Jérôme Tournier  IDEALX SAS
Administrateur Systèmes  15-17 Avenue de Segur
[EMAIL PROTECTED]   75007 PARIS
Tel.: 01 44 42 00 53 Fax.: 01 44 42 00 01
gpg key ID: 0xDA962B24   (pgp.mit.edu)


Re: [Samba] Re: adding machines to the domain with Samba 3.0.0

2003-12-12 Thread Jérôme Tournier
On Thu, Dec 11, 2003 at 10:06:17PM -0600, Andrew Gaffney wrote:
 admin users = @domainadmins
 This will allow any user in the domainadmins group join machines to the
 domain.
 You've got the wrong option. That option allows the specified users to 
 connect as if they were root on that share. It is not the same as the 
 'domain admin group' option in 2.2.x.

This option is not the same as 'domain admin group' in 2.2.X but it
allows its members to join computers to the domain.

-- 
Jérôme 


Re: [Samba] Samba LDAP help

2003-12-08 Thread Jérôme Tournier
On Mon, Dec 08, 2003 at 02:15:41PM +0100, [EMAIL PROTECTED] wrote:
 
 Could you send the testparm output ?
 The samba.schema is in ldap conf and in the correct directory ?
And is it the schema for samba3 (and not samba2) ?
-- 
Jérôme


Re: [Samba] Samba LDAP help

2003-12-08 Thread Jérôme Tournier
On Mon, Dec 08, 2003 at 09:36:16AM -0500, Andre Cameron wrote:
 I am trying to use an existing Netscape LDAP server, I have not added a 
 schema as I do not want to store any information in LDAP I just want 
 SAMBA to authenticate using existing LDAP users...
Samba uses special attributes (defined in the samba3 schema) to
authenticate a user. So you need to include the schema.

-- 
Jérôme 


Re: Fw: [Samba] PDC/LDAP/SAMBA3/NT4

2003-12-01 Thread Jérôme Tournier
On Mon, Dec 01, 2003 at 07:56:46PM -0200, Fabio Junior wrote:
 failed to add entry: Insufficient access at
 /usr/local/sbin/smbldap-populate.pl line 273, GEN1 line 2.
 adding new entry: ou=_USERS_,dc=maxwelleducacional,dc=com,dc=br
 adding new entry: ou=_GROUPS_,dc=maxwelleducacional,dc=com,dc=br
 adding new entry: ou=_COMPUTERS_,dc=maxwelleducacional,dc=com,dc=br

in smbldap_conf.pm
. check if the 'binddn' and 'bindpassword' are a privileged login and
  password that can allow modifications in the directory
. replace _USERS_, _GROUPS_ and _COMPUTERS_ with an appropriate ou like
  'Users', 'Groups' and 'Computers'
-- 
Jérôme Tournier  IDEALX SAS
Administrateur Systèmes  15-17 Avenue de Segur
[EMAIL PROTECTED]   75007 PARIS
Tel.: 01 44 42 00 53 Fax.: 01 44 42 00 01
gpg key ID: 0xDA962B24   (pgp.mit.edu)


Re: AW: [Samba] smbtools, existing users, etc...

2003-11-19 Thread Jérôme Tournier
 Hello Jerome,

 thanx for your help. Is the 0.8.1 version of smbldap tools already patched or do I
 have to patch it myself. If so - please write me a few lines how to do it, and which
 files to patch.
no, it is not. You'll find attached the latest scripts (hope the attachment will
succeed this time).

 I haven’t been working with smbldap-tools, but I want to try them out. Do they work
 on SuSE Linux?
Yes of course. You just need perl and Net::LDAP

 Can I call your script everytime my user changes his password though my php-backend?
Yes.

 Are the passwords going to be changed then, although the user exists in posixAccount
 and samba.schema?? or easier - what happens when I use this script twice for a user
 that already exists? Is it going to change his password or am I going to get an 
 error?

Every time you use the smbldap-password.pl script, all of userPassword, ntPassword and
lmPassword will be updated.
If you add the sambaSAMAccount to an existing user and want to change all of the 3
passwords, you can use
$ smbldap-usermod.pl -a -P (..options..) user

-- 
Jérôme


Re: [Samba] SAMBA 3.0.0 PDC + LDAP - Adding Computer Account

2003-11-19 Thread Jérôme Tournier
 # data$, Computers, firerun, net
 dn: uid=data$,ou=Computers,dc=firerun,dc=net
 uid: data$
 cn: Computer Account
 objectClass: account
 objectClass: posixAccount
 objectClass: top
 objectClass: shadowAccount
 uidNumber: 1007
 gidNumber: 1003
 homeDirectory: /dev/null
 gecos: Computer Account
 loginShell: /sbin/nologin
 description: Computer Account
 shadowLastChange: 12372
 shadowMin: 0
 shadowMax: 9
 shadowWarning: 7

You don't have the attribute sambaAcctFlags ?
  sambaAcctFlags: [W  ]

-- 
Jérôme




Re: [Samba] smbldap tools

2003-11-18 Thread Jérôme Tournier
 There's no option today to add the sambaSAMAccount objectclass to an
 existing user. But this can be quickly done. I just do not have enough
 time to do it now.

I've added a new option '-a' to smbldap-usermod.pl to add the
sambaSAMAccount to a unix user. You can find it attached to this mail.
-- 
Jérôme



Re: [Samba] smbldap tools

2003-11-18 Thread Jérôme Tournier
 No attachment received

Oups, sorry ;-)


Re: [Samba] smbldap tools

2003-11-18 Thread Jérôme Tournier
 Still none, seems the list manager removes the attachments
Well, I don't understand... I think that the problem comes from me.
I'll copy-paste the patch below:


diff -rup sbin.orig/smbldap-usermod.pl sbin/smbldap-usermod.pl
--- sbin.orig/smbldap-usermod.pl2003-11-18 10:02:12.0 +0100
+++ sbin/smbldap-usermod.pl 2003-11-18 09:56:27.0 +0100
@@ -37,7 +37,7 @@ use Getopt::Std;
 my %Options;
 my $nscd_status;

-my $ok = getopts('A:B:C:D:E:F:H:IJN:S:me:f:u:g:G:d:l:s:c:ok:?h', \%Options);
+my $ok = getopts('A:B:C:D:E:F:H:IJN:S:ame:f:u:g:G:d:l:s:c:ok:?h', \%Options);
 if ( (!$ok) || (@ARGV  1) || ($Options{'?'}) || ($Options{'h'}) ) {
   print Usage: $0 [-awmugdsckxABCDEFGHI?h] username\n;
   print Available options are:\n;
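Review bot: the getopts string gains a bare "a" here, but the usage banner two lines below it, [-awmugdsckxABCDEFGHI?h], is not kept in step with that string. The banner already listed "a" before the option existed, still lists "w" and "x", which the getopts string does not accept, and omits J, N and S, which it does accept. Since this patch touches the option list anyway, bring the banner in line with the getopts string so the help text matches what the script parses.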
@@ -54,6 +54,7 @@ if ( (!$ok) || (@ARGV  1) || ($Options{
   print   -Ncanonical name\n;
   print   -Ssurname\n;
   print  For samba users:\n;
+  print   -aadd sambaSAMAccount objectclass\n;
   print   -eexpire date (\-MM-DD HH:MM:SS\)\n;
   print   -Acan change password ? 0 if no, 1 if yes\n;
   print   -Bmust change password ? 0 if no, 1 if yes\n;
@@ -93,6 +94,34 @@ my $dn= $user_entry-dn();

 my $tmp;
 my @mods;
+if (defined($tmp = $Options{'a'})) {
+   # Let's connect to the directory first
+   my $ldap_master=connect_ldap_master();
+my $winmagic = 2147483647;
+my $valpwdcanchange = 0;
+my $valpwdmustchange = $winmagic;
+my $valpwdlastset = 0;
+my $valacctflags = [UX];
+   my $user_entry=read_user_entry($user);
+   my $uidNumber = $user_entry-get_value('uidNumber');
+   my $userRid = 2 * $uidNumber + 1000;
+   # apply changes
+   my $modify = $ldap_master-modify ( $dn,
+
changes = [
+  
  add = [objectClass = 'sambaSAMAccount'],
+  
  add = [sambaPwdLastSet = $valpwdlastset],
+  
  add = [sambaLogonTime = '0'],
+  
  add = [sambaLogoffTime = '2147483647'],
+  
  add = [sambaKickoffTime = '2147483647'],
+  
  add = [sambaPwdCanChange = $valpwdcanchange],
+  
  add = [sambaPwdMustChange = $valpwdmustchange],
+  
  add = [displayName = $_userGecos],
+  
  add = [sambaSID= $SID-$userRid],
+  
  add = [sambaAcctFlags = $valacctflags],
+  
 ]
+ );
+   $modify-code  warn failed to modify entry: , $modify-error ;
+}

 # Process options
 my $changed_uid;
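Review bot: the new -a branch computes the RID as 2 * $uidNumber + 1000 without checking that get_value('uidNumber') returned a value, that the entry does not already carry the sambaSAMAccount objectclass, or that the resulting sambaSID is not already held by another entry, and when the modify fails it only warns and then falls through to "# Process options". Validate these before calling modify and stop on failure instead of continuing with the remaining options. The branch also declares a second my $user_entry although the hunk header shows $user_entry is already in scope, and it writes 2147483647 as a literal for sambaLogoffTime and sambaKickoffTime while $winmagic holds the same value; reuse the existing entry and the variable.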





Re: [Samba] smbtools, existing users, etc...

2003-11-18 Thread Jérôme Tournier
 Hello.
Hi !

 Is it possible to add samba part of user account to the already existing user account
 in LDAP?

My response is only valid if you use the smbldap-tools.
Yes you can. If you applied the patch I posted this morning to the latest scripts (look at
cvs.idealx.org), you can use the following command to add the sambaSAMAccount
objectclass to the user 'user'.
$ smbldap-usermod.pl -a user
The sambaSID attribute will be calculated as 2*uidNumber+1000.
You can also add more information:
  -a   add sambaSAMAccount objectclass
  -e   expire date (-MM-DD HH:MM:SS)
  -A   can change password ? 0 if no, 1 if yes
  -B   must change password ? 0 if no, 1 if yes
  -C   sambaHomePath (SMB home share, like '\\PDC-SRV\homes')
  -D   sambaHomeDrive (letter associated with home share, like 'H:')
  -E   sambaLogonScript (DOS script to execute on login)
  -F   sambaProfilePath (profile directory, like '\\PDC-SRV\profiles\foo')
  -H   sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')
  -I   disable an user. Can't be used with -H or -J
  -J   enable an user. Can't be used with -H or -I
For example:
$ smbldap-usermod.pl -a -E script.cmd user


 What if my user changes his password ( by using a web php-backend ), is samba password
 automatically changed, or do I have to change it manually?
No it is not. You can calculate the lmPassword and ntPassword, and patch your
php-backend to update the attributes. Or you can use smbldap-passwd.pl, which updates both
unix password and win32 passwords.
-- 
Jérôme
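
The two checks raised in the replies above (a computer account that has no sambaSAMAccount class or sambaAcctFlags, and the RID that -a derives as 2*uidNumber+1000) can be run over an LDIF dump of the directory. This is an added example, not part of the original posts or of smbldap-tools; the function names, finding codes, domain SID and sample entries are constructed for illustration.

```python
import base64
import re
from collections import defaultdict

# Constructed sample data (not from a real directory); the domain SID is a placeholder.
SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_LDIF = f"""\
# machine account created with -w but never joined to the domain
dn: uid=data$,ou=Computers,dc=example,dc=net
uid: data$
objectClass: account
objectClass: posixAccount
uidNumber: 1007

dn: uid=alice,ou=Users,dc=example,dc=net
uid: alice
objectClass: posixAccount
objectClass: sambaSAMAccount
uidNumber: 1010
sambaSID: {SID}-3020
sambaAcctFlags: [UX         ]

dn: uid=bob,ou=Users,dc=example,dc=net
uid: bob
objectClass: posixAccount
objectClass: sambaSAMAccount
uidNumber: 1011
sambaSID: {SID}-
 3020
sambaAcctFlags: [U          ]
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {lower-cased attribute: [values]} dicts."""
    text = re.sub(r"\r?\n ", "", text)  # unfold: newline + one space continues a value
    entries = []
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            if value.startswith(":"):  # "attr:: value" is base64-encoded
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry[name.strip().lower()].append(value.strip())
        if "dn" in entry:
            entries.append(dict(entry))
    return entries


def expected_rid(uid_number):
    """RID that 'smbldap-usermod.pl -a' derives, as stated in the thread."""
    return 2 * uid_number + 1000


def audit(entries):
    """Return a list of (dn, finding_code); an empty list means nothing to review."""
    findings, seen_sids = [], {}
    for entry in entries:
        dn = entry["dn"][0]
        is_machine = entry.get("uid", [""])[0].endswith("$")
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "sambasamaccount" not in classes:
            # Unix-only users are fine. For machines, the thread says Samba adds
            # this class when the workstation joins the domain.
            if is_machine:
                findings.append((dn, "MACHINE_WITHOUT_SAMBA_CLASS"))
            continue
        flags = re.fullmatch(r"\[([A-Za-z ]*)\]", entry.get("sambaacctflags", [""])[0])
        if flags is None:
            findings.append((dn, "FLAGS_MISSING_OR_MALFORMED"))
        elif ("W" if is_machine else "U") not in flags.group(1):
            findings.append((dn, "FLAGS_WRONG_ACCOUNT_TYPE"))
        sid = entry.get("sambasid", [""])[0]
        rid = sid.rpartition("-")[2]
        uid_number = entry.get("uidnumber", [""])[0]
        if not (rid.isdigit() and uid_number.isdigit()):
            findings.append((dn, "SID_OR_UIDNUMBER_MISSING"))
            continue
        # A mismatch is something to review, not proof of an error: accounts
        # created by other tools may have been given RIDs by a different rule.
        if int(rid) != expected_rid(int(uid_number)):
            findings.append((dn, "RID_MISMATCH"))
        if sid in seen_sids:
            findings.append((dn, "DUPLICATE_SID"))
        seen_sids.setdefault(sid, dn)
    return findings


if __name__ == "__main__":
    for dn, code in audit(parse_ldif(SAMPLE_LDIF)):
        print(f"{code:30} {dn}")
```

On real data the input would be the output of an ldapsearch over the users and computers subtrees; the folded sambaSID line in the sample shows why unfolding has to happen before any comparison.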




Re: Fwd: Re: [Samba] smbpasswd fails to add machine account with ldapsam

2003-11-18 Thread Jérôme Tournier
 Does the order of the directives make a difference?
 In other words, would the above work if I had put the ldap suffix FIRST?
Yes, I think that 'ldap suffix' must be set first
-- 
Jérôme




Re: [Samba] smbldap tools

2003-11-17 Thread Jérôme Tournier
 this means I can not use this script as user add script in smb.conf.
Yes you can, but without the -a option:
add user script = /usr/local/sbin/smbldap-useradd.pl -m %u
-- 
Jérôme





Re: [Samba] smbldap tools

2003-11-17 Thread Jérôme Tournier
 The only difference here is that it creates the home directory but still
 posixAccount.
Yes, you are right

 This makes creating a new user a 2 step:
 1-smbldap-useradd.pl
 2- smbpasswd
The script will add the posixAccount for your user, and samba will
automatically add the sambaSAMAccount.

 also I get an error /usr/local/sbin/smbldap-useradd.pl: group 513
 doesn't exist which I do not understand
You don't have a group with gidNumber 513 in your directory (this is the
default group defined in the smbldap_conf.pm file).
-- 
Jérôme




Re: [Samba] smbldap tools

2003-11-17 Thread Jérôme Tournier
 How will samba do that, or more accurately when ?
Well, if you need the 'add user script', this is because you want to
create a user with a tool like 'User Manager'. So, when creating a user
from User Manager, samba will call the script to create the posix part of
the account, and will then add the samba part.
Of course, you can create the account in a shell (with both the
posixAccount and the sambaSAMAccount) using the command
'smbldap-useradd.pl -a user'.
-- 
Jérôme




Re: [Samba] smbldap tools

2003-11-17 Thread Jérôme Tournier
 Well, this script does not add sambaSAMAccount in my case and I do not
 know why
Which version of smbldap-tools are you using ?

-- 
Jérôme




Re: [Samba] smbldap tools

2003-11-17 Thread Jérôme Tournier
 it is 0.8.1
This version should add the sambaSAMAccount. The problem is somewhere else.
You should try starting openldap in command line: slapd -u ldap -d -1
and see if samba's attributes are given to the server...
-- 
Jérôme




Re: [Samba] smbldap tools

2003-11-17 Thread Jérôme Tournier
 Ahhh...but what if the posixAccount already exists?  This is the issue
 I've run in to.  I migrated my /etc/passwd accounts to LDAP and am now
 attempting to add sambaSAMAccount information to those accounts.  If I
 try to run 'smbldap-useradd.pl -a ExistingPosixUser', I get an error
 saying that the user already exists.

There's no option today to add the sambaSAMAccount objectclass to an
existing user. But this can be quickly done. I just do not have enough time
to do it now.

 I suppose I could delete the user and then recreate it with the above
 command line, but that shouldn't be necessary (in my eyes at least).

 A second question.  I'd like to have the NTpasswords (for samba) and the
 posix passwords ( for Unix logins and such) be different.  How do I
 accomplish that?  Can smbpasswd be used (once the sambaSAMAccount
 portion is created) be used to change ONLY the smb password and
 smbldap-passwd.pl be used to change ONLY the unix posix password?

Well, you have to be sure that the smb.conf does not include 'ldap
password sync = Yes' (to be certain, you can add 'ldap password sync =
No'). So when a 'samba user' changes his password, he will change only
the lmpassword and ntpassword attributes. Now for unix users: the
'smbldap-password.pl' command will change both windows passwords and unix
password. If you have configured pam and nss_ldap, you should rather use
the 'password' command that can change a ldap password.
-- 
Jérôme




Re: [Samba] smbpasswd problem

2003-10-23 Thread Jérôme Tournier
 # smbpasswd -x administrator
 ldapsam_delete_entry: Could not delete attributes for
 uid=administrator,ou=Users,dc=my-domain,dc=com, error: Object class
 violation (object class 'account' requires attribute 'uid')

I have the same problem, and I don't understand why.
However, if you want to delete the account completely (even the
unix account), add the following directive to smb.conf, and
'pdbedit -x user' goes through:
ldap delete dn = Yes
-- 
Jérôme




Re: [Samba] Error when creating user with Samba 3.0 LDAP

2003-10-12 Thread Jérôme Tournier
On Sun, Oct 12, 2003 at 10:44:08PM +0200, Nicko wrote:
 But when i try to add user with smbpasswd or pdbedit i get these errors in
 debug mode (this user is an unix user).
 --SNIP--
 ldapsam_search_one_group: Problem during the LDAP search: LDAP error:  (No
 such object)ldapsam_search_one_group: Query was: ou=Groups,
 ((objectClass=sambaGroupMapping)(gidNumber=100))
 --SNIP--

Where is the unix user part defined ? In the directory ?
I think you should rather specify a default gidNumber for the users to
be 513 for 'Domain Users' ($_defaultUserGid = 513 in the smbldap_conf.pm).
If you installed the Idealx's tools, why don't you use the
'smbldap-useradd.pl -a user' instead of smbpasswd or pdbedit ?
btw, I have attached to this mail the last updated script of
smbldap-populate.pl that creates the ldap directory structure, and that
includes the mapping of the groups.
-- 
Jérôme Tournier  IDEALX SAS
Administrateur Systèmes  15-17 Avenue de Segur
[EMAIL PROTECTED]   75007 PARIS
Tel.: 01 44 42 00 37 Fax.: 01 44 42 00 37
gpg key ID: 0xDA962B24
#!/usr/bin/perl -w

# Populate a LDAP base for Samba-LDAP usage
#
# $Id: smbldap-populate.pl,v 1.18 2003/09/19 12:36:44 jtournier Exp $

#  This code was developped by IDEALX (http://IDEALX.org/) and
#  contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.

#  Purpose :
#   . Create an initial LDAP database suitable for Samba 2.2
#   . For lazy people, replace ldapadd (with only an ldif parameter)

use strict;
use FindBin;
use FindBin qw($RealBin);
use lib "$RealBin/";
use smbldap_tools;
use smbldap_conf;
use Getopt::Std;
use Net::LDAP::LDIF;

use vars qw(%oc);

# objectclass of the suffix
%oc = (
       "ou" => "organizationalUnit",
       "o" => "organization",
       "dc" => "dcObject",
      );


my %Options;

my $ok = getopts('a:b:?', \%Options);
if ( (!$ok) || ($Options{'?'}) ) {
  print "Usage: $0 [-ab?] [ldif]\n";
  print "  -a   administrator login name (default: Administrator)\n";
  print "  -b   guest login name (default: nobody)\n";
  print "  -?   show this help message\n";
  print "  ldif file to add to ldap (default: suffix, Groups,";
  print " Users, Computers and builtin users )\n";
  exit (1);
}

my $_ldifName;
my $tmp_ldif_file="/tmp/$$.ldif";

if (@ARGV >= 1) {
  $_ldifName = $ARGV[0];
}

my $adminName = $Options{'a'};
if (!defined($adminName)) {
  $adminName = "Administrator";
}

my $guestName = $Options{'b'};
if (!defined($guestName)) {
  $guestName = "nobody";
}

if (!defined($_ldifName)) {
  my $attr;
  my $val;
  my $objcl;

  print "Using builtin directory structure\n";
  if ($suffix =~ m/([^=]+)=([^,]+)/) {
    $attr = $1;
    $val = $2;
    $objcl = $oc{$attr} if (exists $oc{$attr});
    if (!defined($objcl)) {
      $objcl = "myhardcodedobjectclass";
    }
  } else {
    die "can't extract first attr and value from suffix $suffix";
  }
  #print "$attr=$val\n";
  my ($organisation,$ext) = ($suffix =~ m/dc=(\w+),dc=(\w+)$/);

  #my $FILE="|cat";
  my $FILE=$tmp_ldif_file;
  open (FILE, ">$FILE") || die "Can't open file $FILE: $!\n";

  print FILE <<EOF;
dn: $suffix
objectClass: $objcl
objectclass: organization
$attr: $val
o: $organisation

dn: $usersdn
objectClass: organizationalUnit
ou: $usersou

dn: $groupsdn
objectClass: organizationalUnit
ou: $groupsou

dn: $computersdn
objectClass: organizationalUnit
ou: $computersou

dn: uid=$adminName,$usersdn
cn: $adminName
sn: $adminName
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
gidNumber: 512
uid: $adminName
uidNumber: 998
homeDirectory: $_userHomePrefix
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: $_userSmbHome
sambaHomeDrive: $_userHomeDrive
sambaProfilePath: $_userProfile
sambaPrimaryGroupSID: $SID-512
sambaLMPassword: XXX
sambaNTPassword: XXX
sambaAcctFlags: [U  ]
sambaSID: $SID-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator

dn: uid=$guestName,$usersdn
cn: $guestName
sn: $guestName
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
gidNumber: 514
uid: $guestName
uidNumber: 999
homeDirectory: /dev

Re: [Samba] smbldap-tools updates (diffs)

2003-09-22 Thread Jérôme Tournier

 | I have found the smbldap-tools provided in the samba 3 tarball to have a
 | few glitches with the samba 3 schema. I have made my changes and 'diffed'
 | them with the source.
There are also updates available on our cvs server. See 
http://cvs.idealx.org
(only the cvs server is updated. don't download the RPMS packages).
export CVSROOT=:ext:[EMAIL PROTECTED]:/opt/cvs/
cvs co samba
-- 
Jérôme




[Samba] samba-ldap and password expiration

2003-06-26 Thread Jérôme Tournier
Hello everybody,
I am using samba (2.2.8a) with ldap support. In the samba.schema,
there are special attributes relative to the user password:
pwdMustChange, pwdCanChange, kickoffTime, logoffTime, logonTime and
pwdLastSet.
All the samba documentation I can find describes those attributes
as currently unused, except the last one, which represents the
modification time since 1970.
But what are the other attributes for ? Can they be used and
how ?
For example, I found that pwdMustChange can be used to force a user to
change his password. It seems that if I set pwdMustChange to epoch
time+20, the user will have to change his password in 20s. And again
in 20s ... So can I force a user to change his password in n seconds,
but more later ?
Thanks a lot
-- 
Jérôme

