Re: [Samba] LDAP issues

2012-02-15 Thread Miguel Medalha @ AMBAAL



To follow up and finalize, this is now SOLVED.



Thank you for your feedback on how you solved your issue. Without 
feedback, we wouldn't be able to learn all that we can learn and we 
wouldn't fully benefit from the experience of others.



First of all, I am using the IDEALX scripts (renamed now to
smbldap-tools, but the IDEALX name sticks for backwards
compatibility, apparently; they're located at
http://sourceforge.net/projects/smbldap-tools/).


As indicated on the page you just quoted, the new home of the 
smbldap-tools project is now:


https://gna.org/projects/smbldap-tools/

The most recent packages, smbldap-tools-0.9.7-1, date from 26-Sep-2011.

Thank you

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] LDAP issues

2012-01-28 Thread Alex Moen
I didn't go too deeply on your issue, but it seems to me that  
since you have:


ldap user suffix = ou=People

You cannot simply have:


dn: uid=testu...@mydomain.com,ou=mydomain,o=ndtc


But should have instead:

dn: uid=testu...@mydomain.com,ou=People,ou=mydomain,o=ndtc

Am I wrong?



Nope.  You're right.  I have removed the ou=People line.  Still  
no joy.




I suppose that you cannot simply remove it. You have to tell Samba  
where the user's container resides.
Judging from your LDIF, your users seem to reside directly on  
ou=mydomain? Maybe you should look at the whole ldap arrangement...

The structure just doesn't seem right...


I hear you, but this existing structure is in production, and has  
been for several years.  It isn't really going to change now,  
without really causing a whole lot of trouble.


New information: I finally got the username to be recognized.  I  
have added username map = /etc/samba/usermap.txt in smb.conf, and  
added the entry al...@mydomain.com = alexm in usermap.txt.   
Eureka!  The logs show that Get_Pwnam_internals did find user  
[al...@mydomain.com]!


Now, I just have to figure out how to make the groups work... I have  
about 50 groups that I need to process.  When I try to add a new  
group using the smbldap-tool smbldap-addgroup, I get an error  
stating failed to add entry: Attribute is not allowed : cn at /usr/ 
share/perl5/vendor_perl/smbldap_tools.pm line 789.  For some  
reason, it does not like the cn that is trying to be added to the  
dn: ou=Groups,ou=ndtel,o=ndtc, objectClass: organizationalUnit, ou:  
Groups organizational unit.  Now, an OU is not allowed to have a cn,  
that's part of an organizational role or organizational person.  So,  
I'll have to do some troubleshooting to find out what they intended,  
and make their scripts work properly.  The docs aren't very up-to- 
date, so I'm fighting that a little.


Thanks for all the help so far, everyone...


To follow up and finalize, this is now SOLVED.

First of all, I am using the IDEALX scripts (renamed now to  
smbldap-tools, but the IDEALX name sticks for backwards compatibility,  
apparently; they're located at http://sourceforge.net/projects/smbldap-tools/).  
The ldap server I am using is an OpenLDAP-based server made by  
Mirapoint.  Now, the scripts have a couple of changes that need to be  
done in order for them to work with, at least, this incarnation of  
OpenLDAP.  Here are the diffs, if anyone wants them:


diff /usr/share/perl5/vendor_perl/smbldap_tools.pm.org /usr/share/perl5/vendor_perl/smbldap_tools.pm

783c783
 objectClass = [ 'top', 'posixGroup' ],
---
 objectClass = [ 'top', 'organizationalRole',  
'posixGroup' ],
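Review bot: adding organizationalRole here puts a second STRUCTURAL class beside posixGroup (both are defined with SUP top in the standard core and nis schemas), and a stock OpenLDAP rejects an entry whose structural classes do not form a single superior chain, so this edit only works because the Mirapoint server tolerates it. Since the RFC 2307 posixGroup definition already lists cn as MUST, the server-side fix the text mentions (restoring cn in the server's posixGroup definition) would remove the error without forking the scripts; if the script patch is kept, a comment on this line saying it is a Mirapoint-specific workaround would save the next maintainer the same investigation.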




diff /opt/IDEALX/sbin/smbldap-populate.org /opt/IDEALX/sbin/smbldap-populate

312c312
objectClass = [qw(top posixGroup sambaGroupMapping)],
---
 	objectClass = [qw(top organizationalRole posixGroup  
sambaGroupMapping)],
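Review bot: the identical objectClass edit is repeated in nine hunks of smbldap-populate (lines 312 through 446), and two of them (324 and 346) carry a stray double space inside qw(), harmless to Perl but a sign the edits were made by hand. Factoring the group objectClass list into one variable near the top of the script, with a comment naming the server quirk, would turn this into a single-line change that is easy to revert once the server schema is corrected.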

324c324
objectClass = [qw(top posixGroup sambaGroupMapping)],
---
 	objectClass = [qw(top  organizationalRole posixGroup  
sambaGroupMapping)],

335c335
objectClass = [qw(top posixGroup sambaGroupMapping)],
---
 	objectClass = [qw(top organizationalRole posixGroup  
sambaGroupMapping)],

346c346
objectClass = [qw(top posixGroup sambaGroupMapping)],
---
 	objectClass = [qw(top  organizationalRole posixGroup  
sambaGroupMapping)],

357c357
objectClass = [qw(top posixGroup sambaGroupMapping)],
---
 	objectClass = [qw(top organizationalRole posixGroup  
sambaGroupMapping)],

402c402
objectClass = [qw(top posixGroup sambaGroupMapping)],
---
 	objectClass = [qw(top organizationalRole posixGroup  
sambaGroupMapping)],

424c424
objectClass =   [qw(top posixGroup sambaGroupMapping)],
---
 	objectClass =	[qw(top organizationalRole posixGroup  
sambaGroupMapping)],

435c435
objectClass =   [qw(top posixGroup sambaGroupMapping)],
---
 	objectClass =	[qw(top organizationalRole posixGroup  
sambaGroupMapping)],

446c446
objectClass = [qw(top posixGroup sambaGroupMapping)],
---
 	objectClass = [qw(top organizationalRole posixGroup  
sambaGroupMapping)],



As you can see, I had to add the organizationalRole ou to each group  
instance.  That's because, in at least the Mirapoint implementation of  
OpenLDAP, the posixGroup schema does not allow a cn value...  Or,  
maybe I added it when I set the server up (it was about 3 years ago,  
and I haven't had to touch it since), the posixGroup schema I used was  
old/broken/incomplete/outdated, take your pick.  Regardless of the  
cause, rather than change the posixGroup schema on the server, I took  
the easier (for me!) route of fixing the scripts to work with my  
ldap server.


OK, once that was done, all the smbldap group commands worked.  I was  
able to add the groups that my user needed.  Then, it was just a  
matter of changing (syncing? updating? creating?) the samba user  
password, and everything was working.


So, the 
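To make the schema failure in this thread concrete, here is a small added example (written for this page, not code from smbldap-tools or from the poster): a minimal LDIF parser and schema checker that reproduces the "Attribute is not allowed : cn" outcome and shows why adding organizationalRole makes the add succeed on a lenient server. The schema table is a constructed subset of RFC 4519 (organizationalRole), RFC 2307 (posixGroup) and samba.schema (sambaGroupMapping); the CNLESS_SCHEMA variant is the thread's hypothesis about the Mirapoint server, and the group entry and its SID RID are made up. The strict mode also applies OpenLDAP's structural object class chain rule, which is the reason the same patched entry would be rejected by a stock OpenLDAP.

```python
"""Schema check for a Samba group entry: why 'cn' can be rejected, and what
adding organizationalRole does.  Added example for this thread; not code from
smbldap-tools.  Schema subset and entries are constructed."""

# objectClass -> (kind, superior, MUST, MAY); trimmed to the attributes used here
STANDARD_SCHEMA = {
    "top": ("ABSTRACT", None, {"objectClass"}, set()),
    "posixGroup": ("STRUCTURAL", "top", {"cn", "gidNumber"},
                   {"userPassword", "memberUid", "description"}),
    "organizationalRole": ("STRUCTURAL", "top", {"cn"},
                           {"ou", "description", "seeAlso", "roleOccupant",
                            "telephoneNumber", "postalAddress"}),
    "sambaGroupMapping": ("AUXILIARY", "top",
                          {"gidNumber", "sambaSID", "sambaGroupType"},
                          {"displayName", "description", "sambaSIDList"}),
}

# Hypothesis from the thread: a posixGroup definition that omits cn (constructed).
CNLESS_SCHEMA = dict(STANDARD_SCHEMA)
CNLESS_SCHEMA["posixGroup"] = ("STRUCTURAL", "top", {"gidNumber"},
                               {"userPassword", "memberUid", "description"})


def parse_ldif(text):
    """Parse one LDIF entry into {attribute (lower-cased): [values]}."""
    entry = {}
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def _ancestors(name, schema):
    chain = set()
    while name is not None:
        chain.add(name)
        name = schema[name][1]
    return chain


def structural_chain_ok(classes, schema):
    """OpenLDAP rule: every STRUCTURAL class of an entry must lie on one
    superior chain (inetOrgPerson -> organizationalPerson -> person is fine,
    posixGroup beside organizationalRole is not)."""
    structural = [c for c in classes if schema[c][0] == "STRUCTURAL"]
    return all(a in _ancestors(b, schema) or b in _ancestors(a, schema)
               for a in structural for b in structural)


def validate(entry, schema, enforce_chain=True):
    """Return the schema violations for an entry; [] means the add would succeed."""
    by_name = {name.lower(): name for name in schema}
    classes = []
    for value in entry.get("objectclass", []):
        if value.lower() not in by_name:
            return [f"unknown objectClass: {value}"]
        classes.append(by_name[value.lower()])
    allowed, required = set(), set()
    for cls in classes:
        _, _, must, may = schema[cls]
        allowed |= {a.lower() for a in must | may}
        required |= {a.lower() for a in must}
    problems = [f"attribute not allowed: {attr}"
                for attr in entry if attr != "dn" and attr not in allowed]
    problems += [f"missing required attribute: {attr}"
                 for attr in sorted(required) if attr not in entry]
    if enforce_chain and not structural_chain_ok(classes, schema):
        problems.append("invalid structural object class chain: "
                        + ", ".join(c for c in classes if schema[c][0] == "STRUCTURAL"))
    return problems


# Constructed group entry in the shape smbldap-addgroup writes, placed in the
# container named in the thread; the RID at the end of the SID is made up.
GROUP_LDIF = """dn: cn=accounting,ou=Groups,ou=ndtel,o=ndtc
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: accounting
gidNumber: 1010
sambaSID: S-1-5-21-3311107553-3899660464-2674327009-3021
sambaGroupType: 2
"""

# What the patched scripts produce: organizationalRole added to the class list.
PATCHED_GROUP_LDIF = GROUP_LDIF.replace(
    "objectClass: posixGroup", "objectClass: organizationalRole\nobjectClass: posixGroup")


def main():
    entry, patched = parse_ldif(GROUP_LDIF), parse_ldif(PATCHED_GROUP_LDIF)
    print("standard schema, unpatched:     ", validate(entry, STANDARD_SCHEMA))
    print("cn-less schema, unpatched:      ", validate(entry, CNLESS_SCHEMA))
    print("cn-less schema, patched, lenient:", validate(patched, CNLESS_SCHEMA, False))
    print("cn-less schema, patched, strict: ", validate(patched, CNLESS_SCHEMA))


if __name__ == "__main__":
    main()
```

Run as a script it prints the four outcomes: a standard schema accepts the unpatched entry, the cn-less schema rejects it exactly as the poster saw, the patched entry passes a lenient server, and a strict server rejects the patched entry on the structural chain instead. That last line is the practical caveat: the script patch trades one server-specific failure for another on standards-compliant directories, whereas fixing the posixGroup definition on the server is portable.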

[Samba] LDAP issues

2012-01-26 Thread Alex Moen

Centos 6
Samba 3
smbldap-tools installed.

LDAP directory not on local host.

Example user LDIF:

dn: uid=testu...@mydomain.com,ou=mydomain,o=ndtc
mailHost: mailserver.mydomain.com
loginShell: /bin/bash
gidNumber: 500
uidNumber: 53112
uid: testu...@mydomain.com
sn: user
cn: test user
mail: testu...@mydomain.com
homeDirectory: /cust/mydomain/users/testuser
gecos: test user,,662-6123
objectClass: mirapointmailuser
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSAMAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaSID: S-1-5-21-3311107553-3899660464-2674327009-107224
sambaAcctFlags: [UX]
sambaHomeDrive: F:
sambaHomePath: \\ndtc-fs\cust\mydomain\users
sambaPwdLastSet: 1327615956
sambaPwdMustChange: 2147483647

getent passwd shows:

testu...@mydomain.com:x:53112:500:test user,,662-6123:/cust/mydomain/users/testuser:/bin/bash


I can ssh to the server with this account.  So, the linux/ldap stuff  
seems to work properly.


However, I cannot connect with the smb proto.  Continue to get a  
username/password prompt.


My suspicion is the @ in the uid, which as I understand it, in the  
windoze world signifies a group... I think I am confusing something in  
the process.


My question is: can Samba be configured to append the @mydomain.com  
to the username, then authenticate the user?  So the user could use  
the testuser login via the windoze login and drive mapping processes,  
but Samba would actually use testu...@mydomain.com to actually  
authenticate?


All these accounts are already in use in the LDAP directory, and so  
the uid cannot be changed.


lmk if there's anything else needed here... I'm willing to share  
configs, command outputs, etc. to get this solved.


TIA!


Alex Moen
Network Services Technician II
North Dakota Telephone Company
701-662-6481



Re: [Samba] LDAP issues

2012-01-26 Thread Alex Moen
Forgot to add... If I create a Unix account, and add it to the local  
smbpasswd subsystem, it works fine.  I can log in using the  
credentials that I create.  So, samba is working, and linux/ldap is  
working, but samba/ldap has issues...



Alex Moen
Network Services Technician II
North Dakota Telephone Company
701-662-6481

On Jan 26, 2012, at 9:54 AM, Alex Moen wrote:


Centos 6
Samba 3
smbldap-tools installed.

LDAP directory not on local host.

Example user LDIF:

dn: uid=testu...@mydomain.com,ou=mydomain,o=ndtc
mailHost: mailserver.mydomain.com
loginShell: /bin/bash
gidNumber: 500
uidNumber: 53112
uid: testu...@mydomain.com
sn: user
cn: test user
mail: testu...@mydomain.com
homeDirectory: /cust/mydomain/users/testuser
gecos: test user,,662-6123
objectClass: mirapointmailuser
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSAMAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaSID: S-1-5-21-3311107553-3899660464-2674327009-107224
sambaAcctFlags: [UX]
sambaHomeDrive: F:
sambaHomePath: \\ndtc-fs\cust\mydomain\users
sambaPwdLastSet: 1327615956
sambaPwdMustChange: 2147483647

getent passwd shows:

testu...@mydomain.com:x:53112:500:test user,,662-6123:/cust/mydomain/users/testuser:/bin/bash


I can ssh to the server with this account.  So, the linux/ldap stuff  
seems to work properly.


However, I cannot connect with the smb proto.  Continue to get a  
username/password prompt.


My suspicion is the @ in the uid, which as I understand it, in the  
windoze world signifies a group... I think I am confusing something  
in the process.


My question is: can Samba be configured to append the  
@mydomain.com to the username, then authenticate the user?  So the  
user could use the testuser login via the windoze login and drive  
mapping processes, but Samba would actually use  
testu...@mydomain.com to actually authenticate?


All these accounts are already in use in the LDAP directory, and so  
the uid cannot be changed.


lmk if there's anything else needed here... I'm willing to share  
configs, command outputs, etc. to get this solved.


TIA!


Alex Moen
Network Services Technician II
North Dakota Telephone Company
701-662-6481





Re: [Samba] LDAP issues

2012-01-26 Thread Jürgen Echter

Am 26.01.2012 17:51, schrieb Alex Moen:
Forgot to add... If I create a Unix account, and add it to the local 
smbpasswd subsystem, it works fine.  I can log in using the 
credentials that I create.  So, samba is working, and linux/ldap is 
working, but samba/ldap has issues...



Alex Moen
Network Services Technician II
North Dakota Telephone Company
701-662-6481

On Jan 26, 2012, at 9:54 AM, Alex Moen wrote:


Centos 6
Samba 3
smbldap-tools installed.

LDAP directory not on local host.

Example user LDIF:

dn: uid=testu...@mydomain.com,ou=mydomain,o=ndtc
mailHost: mailserver.mydomain.com
loginShell: /bin/bash
gidNumber: 500
uidNumber: 53112
uid: testu...@mydomain.com
sn: user
cn: test user
mail: testu...@mydomain.com
homeDirectory: /cust/mydomain/users/testuser
gecos: test user,,662-6123
objectClass: mirapointmailuser
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSAMAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaSID: S-1-5-21-3311107553-3899660464-2674327009-107224
sambaAcctFlags: [UX]
sambaHomeDrive: F:
sambaHomePath: \\ndtc-fs\cust\mydomain\users
sambaPwdLastSet: 1327615956
sambaPwdMustChange: 2147483647

getent passwd shows:

testu...@mydomain.com:x:53112:500:test user,,662-6123:/cust/mydomain/users/testuser:/bin/bash


I can ssh to the server with this account.  So, the linux/ldap stuff 
seems to work properly.


However, I cannot connect with the smb proto.  Continue to get a 
username/password prompt.


My suspicion is the @ in the uid, which as I understand it, in the 
windoze world signifies a group... I think I am confusing something 
in the process.


My question is: can Samba be configured to append the @mydomain.com 
to the username, then authenticate the user?  So the user could use 
the testuser login via the windoze login and drive mapping processes, 
but Samba would actually use testu...@mydomain.com to actually 
authenticate?


All these accounts are already in use in the LDAP directory, and so 
the uid cannot be changed.


lmk if there's anything else needed here... I'm willing to share 
configs, command outputs, etc. to get this solved.


TIA!


Alex Moen
Network Services Technician II
North Dakota Telephone Company
701-662-6481




sounds as if samba isn't using LDAP properly.

would you mind showing us your config?

greets

juergen


Re: [Samba] LDAP issues

2012-01-26 Thread Alex Moen

On Jan 26, 2012, at 10:55 AM, Jürgen Echter wrote:


Am 26.01.2012 17:51, schrieb Alex Moen:
Forgot to add... If I create a Unix account, and add it to the  
local smbpasswd subsystem, it works fine.  I can log in using the  
credentials that I create.  So, samba is working, and linux/ldap is  
working, but samba/ldap has issues...


On Jan 26, 2012, at 9:54 AM, Alex Moen wrote:


Centos 6
Samba 3
smbldap-tools installed.

LDAP directory not on local host.

Example user LDIF:

dn: uid=testu...@mydomain.com,ou=mydomain,o=ndtc
mailHost: mailserver.mydomain.com
loginShell: /bin/bash
gidNumber: 500
uidNumber: 53112
uid: testu...@mydomain.com
sn: user
cn: test user
mail: testu...@mydomain.com
homeDirectory: /cust/mydomain/users/testuser
gecos: test user,,662-6123
objectClass: mirapointmailuser
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSAMAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaSID: S-1-5-21-3311107553-3899660464-2674327009-107224
sambaAcctFlags: [UX]
sambaHomeDrive: F:
sambaHomePath: \\ndtc-fs\cust\mydomain\users
sambaPwdLastSet: 1327615956
sambaPwdMustChange: 2147483647

getent passwd shows:

testu...@mydomain.com:x:53112:500:test user,,662-6123:/cust/mydomain/users/testuser:/bin/bash


I can ssh to the server with this account.  So, the linux/ldap  
stuff seems to work properly.


However, I cannot connect with the smb proto.  Continue to get a  
username/password prompt.


My suspicion is the @ in the uid, which as I understand it, in  
the windoze world signifies a group... I think I am confusing  
something in the process.


My question is: can Samba be configured to append the  
@mydomain.com to the username, then authenticate the user?  So  
the user could use the testuser login via the windoze login and  
drive mapping processes, but Samba would actually use  
testu...@mydomain.com to actually authenticate?


All these accounts are already in use in the LDAP directory, and  
so the uid cannot be changed.


lmk if there's anything else needed here... I'm willing to share  
configs, command outputs, etc. to get this solved.


TIA!




sounds as if samba isn't using LDAP properly.

would you mind showing us your config?

greets

juergen


Sure!  Here it is:

[global]

workgroup = A36561
server string = My File Server
netbios name = NDTC-FS
interfaces = lo eth1
log file = /var/log/samba/log.%m
max log size = 50
ldap debug level = 1
ldap debug threshold = 5
log level = 3 all:5
security = user
passdb backend = ldapsam:ldap://66.163.128.204
ldap suffix = ou=mydomain,o=ndtc
ldap machine suffix = ou=People
ldap usersuffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,o=ndtc
ldap ssl = off
domain master = yes
domain logons = yes
wins support = yes
load printers = yes
cups options = raw

[homes]
comment = Home Directories
browseable = no
writable = yes

[groups]
comment = Group Directories
path = /cust/mydomain/groups
guest ok = no
writable = yes

[share]
comment = Share space
path = /cust/mydomain/share
public = yes
writeable = yes
read only = no
printable = no
write list = +users
force create mode = 660
force directory mode = 770
force user = nobody
force group = nobody

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes


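The two hints that follow in the thread (the `ldap usersuffix` spelling and the user DN not being under `ou=People`) can be checked mechanically. Below is an added example, not the poster's configuration or Samba's code: a small parser for the LDAP-related `[global]` parameters and a check that a user DN lies under the base Samba's ldapsam backend will search (`ldap user suffix` appended to `ldap suffix`, or `ldap suffix` alone when no user suffix is set). Samba compares parameter names ignoring case and whitespace, so `ldap usersuffix` and `ldap user suffix` are the same setting to Samba; the checker canonicalises names the same way. The smb.conf excerpt mirrors the one above with the server address replaced by a placeholder, and the uid is constructed.

```python
"""Does the user entry live where smb.conf tells ldapsam to look?
Added example for this thread; not Samba code.  Excerpt and DN constructed."""
import re

# Constructed excerpt of the thread's [global] section; address is a placeholder.
SMB_CONF = """
[global]
    workgroup = A36561
    security = user
    passdb backend = ldapsam:ldap://LDAP-SERVER-PLACEHOLDER
    ldap suffix = ou=mydomain,o=ndtc
    ldap machine suffix = ou=People
    ldap usersuffix = ou=People
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=admin,o=ndtc
"""
# The same configuration with the user suffix line removed, as the poster tried later.
SMB_CONF_NO_USER_SUFFIX = "\n".join(
    line for line in SMB_CONF.splitlines() if "usersuffix" not in line)

# Constructed user DN with the thread's shape: entry sits directly under ou=mydomain.
USER_DN = "uid=someuser@mydomain.com,ou=mydomain,o=ndtc"


def canon_param(name):
    """Samba matches parameter names case- and whitespace-insensitively."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {canonical parameter: value}} for an smb.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).lower()
            sections[current] = {}
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][canon_param(key)] = value.strip()
    return sections


def split_dn(dn):
    """Split a DN into normalised RDNs (no handling of escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def user_search_base(global_params):
    """Base DN ldapsam searches for users: user suffix under ldap suffix,
    or ldap suffix alone when 'ldap user suffix' is unset."""
    suffix = global_params["ldapsuffix"]
    user = global_params.get("ldapusersuffix")
    return split_dn(f"{user},{suffix}") if user else split_dn(suffix)


def dn_under_base(dn, base):
    """True when dn is a proper descendant of base (subtree search would find it)."""
    rdns = split_dn(dn)
    return len(rdns) > len(base) and rdns[-len(base):] == base


def check_user_dn(smb_conf_text, user_dn):
    """Return (found, base_dn): whether ldapsam's user search would cover user_dn."""
    params = parse_smb_conf(smb_conf_text)["global"]
    base = user_search_base(params)
    return dn_under_base(user_dn, base), ",".join(base)


if __name__ == "__main__":
    for label, conf in (("as posted", SMB_CONF), ("user suffix removed", SMB_CONF_NO_USER_SUFFIX)):
        found, base = check_user_dn(conf, USER_DN)
        print(f"{label}: search base {base}: user {'found' if found else 'NOT found'}")
```

With the configuration as posted the search base is `ou=people,ou=mydomain,o=ndtc` and the user is not under it; with the user suffix removed the base becomes `ou=mydomain,o=ndtc` and the entry is covered. Either move the entries or drop the suffix; correcting the spelling alone changes nothing, which matches the outcome reported further down.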


Re: [Samba] LDAP issues

2012-01-26 Thread Alex Moen

On Jan 26, 2012, at 12:42 PM, Jorge Concha C. wrote:


On Thu, 26 Jan 2012 14:59:24 -0300, Alex Moen al...@ndtel.com wrote:


ldap usersuffix = ou=People

maybe the problem is:
this line must be
ldap user suffix = ou=People

Sorry, my English is not good.
--
Jorge C.


OK, fixed that, but it didn't help...  Same issue.

Alex


Re: [Samba] LDAP issues

2012-01-26 Thread Jorge Concha C.

On Thu, 26 Jan 2012 14:59:24 -0300, Alex Moen al...@ndtel.com wrote:


ldap usersuffix = ou=People

maybe the problem is:
this line must be
ldap user suffix = ou=People

Sorry, my English is not good.
--
Jorge C.


Re: [Samba] LDAP issues

2012-01-26 Thread Jorge Concha C.

Ok, I think that is the @ in the UID.
Try creating a user without the @ and test the sambaconf with this.


On Thu, 26 Jan 2012 15:46:30 -0300, Alex Moen al...@ndtel.com wrote:


On Jan 26, 2012, at 12:42 PM, Jorge Concha C. wrote:


On Thu, 26 Jan 2012 14:59:24 -0300, Alex Moen al...@ndtel.com wrote:


ldap usersuffix = ou=People

maybe the problem is:
this line must be
ldap user suffix = ou=People

Sorry, my English is not good.
-- Jorge C.


OK, fixed that, but it didn't help...  Same issue.

Alex



--
Jorge C.


Re: [Samba] LDAP issues

2012-01-26 Thread Miguel Medalha
I didn't go too deeply on your issue, but it seems to me that since you 
have:


ldap user suffix = ou=People

You cannot simply have:


dn: uid=testu...@mydomain.com,ou=mydomain,o=ndtc


But should have instead:

dn: uid=testu...@mydomain.com,ou=People,ou=mydomain,o=ndtc

Am I wrong?



Re: [Samba] LDAP issues

2012-01-26 Thread Miguel Medalha




I didn't go too deeply on your issue, but it seems to me that since 
you have:


ldap user suffix = ou=People

You cannot simply have:


dn: uid=testu...@mydomain.com,ou=mydomain,o=ndtc


But should have instead:

dn: uid=testu...@mydomain.com,ou=People,ou=mydomain,o=ndtc

Am I wrong?



Nope.  You're right.  I have removed the ou=People line.  Still no joy.



I suppose that you cannot simply remove it. You have to tell Samba where 
the user's container resides.
Judging from your LDIF, your users seem to reside directly on 
ou=mydomain? Maybe you should look at the whole ldap arrangement...

The structure just doesn't seem right...


Re: [Samba] LDAP issues

2012-01-26 Thread Alex Moen
I didn't go too deeply on your issue, but it seems to me that  
since you have:


ldap user suffix = ou=People

You cannot simply have:


dn: uid=testu...@mydomain.com,ou=mydomain,o=ndtc


But should have instead:

dn: uid=testu...@mydomain.com,ou=People,ou=mydomain,o=ndtc

Am I wrong?



Nope.  You're right.  I have removed the ou=People line.  Still  
no joy.




I suppose that you cannot simply remove it. You have to tell Samba  
where the user's container resides.
Judging from your LDIF, your users seem to reside directly on  
ou=mydomain? Maybe you should look at the whole ldap arrangement...

The structure just doesn't seem right...


I hear you, but this existing structure is in production, and has been  
for several years.  It isn't really going to change now, without  
really causing a whole lot of trouble.


New information: I finally got the username to be recognized.  I have  
added username map = /etc/samba/usermap.txt in smb.conf, and added  
the entry al...@mydomain.com = alexm in usermap.txt.  Eureka!  The  
logs show that Get_Pwnam_internals did find user  
[al...@mydomain.com]!


Now, I just have to figure out how to make the groups work... I have  
about 50 groups that I need to process.  When I try to add a new group  
using the smbldap-tool smbldap-addgroup, I get an error stating  
failed to add entry: Attribute is not allowed : cn at /usr/share/ 
perl5/vendor_perl/smbldap_tools.pm line 789.  For some reason, it  
does not like the cn that is trying to be added to the dn:  
ou=Groups,ou=ndtel,o=ndtc, objectClass: organizationalUnit, ou: Groups  
organizational unit.  Now, an OU is not allowed to have a cn, that's  
part of an organizational role or organizational person.  So, I'll  
have to do some troubleshooting to find out what they intended, and  
make their scripts work properly.  The docs aren't very up-to-date, so  
I'm fighting that a little.


Thanks for all the help so far, everyone...



[Samba] Samba + ldap issues

2009-08-25 Thread Allgood, John
Hey All


I am having problems with using openldap and samba. We have been having 
issues with samba passwords expiring and I have tried several things to resolve 
the issues. The ldap server was setup using the smbldap-tools. When the 
password expires the only thing I have been able to do is to reset the 
password. I have tried the smbldap-usermod -B -1 username to disable the 
SambaPwdMustChange. Also tried to set the SambaAcctFlags to UX. We set this 
ldap server up in a hurry and did not have a chance to implement a proper 
password policy. This is using the stock version of Samba and LDAP that came 
with RHEL5.

John Allgood
Senior Systems Administrator
Turbo, division of OHL
2251 Jesse Jewell Pky. NE
Gainesville, GA 30507
tel: (678) 989-3051  fax: (770) 531-7878

jallg...@ohl.com
www.ohl.com


__

This e-mail transmission may contain information that is proprietary, 
privileged and/or confidential and is intended exclusively for the person(s) to 
whom it is addressed. Any use, copying, retention or disclosure by any person 
other than the intended recipient or the intended recipient's designees is 
strictly prohibited. If you are not the intended recipient or their designee, 
please notify the sender immediately by return e-mail and delete all copies.
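Both threads on this page turn on the Samba account attributes carried in the user LDIF above (`sambaAcctFlags`, `sambaPwdLastSet`, `sambaPwdMustChange`). The following added example, written for this page rather than taken from Samba or smbldap-tools, decodes the flag string and works out an account's logon state from those attributes. It models two ways an expiry can be derived: from the stored `sambaPwdMustChange` attribute, and from `sambaPwdLastSet` plus a maximum password age policy, as later Samba 3 releases do; the policy-based model is why resetting the attribute alone does not always stop expirations, while the X flag (password does not expire) exempts an account in either model. The entries are plain dicts; `TEST_USER` carries the values from the thread's LDIF, the other two are constructed.

```python
"""Logon state of a sambaSAMAccount from its LDAP attributes.
Added example for this page; not Samba code.  Entries constructed."""

# Letters Samba stores inside the bracketed sambaAcctFlags string.
ACCT_FLAGS = {
    "D": "disabled", "H": "home directory required", "I": "interdomain trust account",
    "L": "locked out", "M": "MNS logon account", "N": "no password required",
    "S": "server trust account", "T": "temporary duplicate account",
    "U": "normal user account", "W": "workstation trust account",
    "X": "password does not expire",
}
NEVER = 2147483647  # 0x7FFFFFFF, the 'never' sentinel smbldap-tools writes


def parse_acct_flags(value):
    """sambaAcctFlags looks like '[UX         ]': strip brackets and padding."""
    flags = set(value.strip().strip("[]").replace(" ", ""))
    unknown = flags - set(ACCT_FLAGS)
    if unknown:
        raise ValueError(f"unknown sambaAcctFlags letters: {sorted(unknown)}")
    return flags


def password_expiry(entry, max_pwd_age=None):
    """Unix time the password expires, or None if it never does.
    With max_pwd_age (seconds) the expiry is policy-based: sambaPwdLastSet + age.
    Without it, the stored sambaPwdMustChange attribute is used."""
    if "X" in parse_acct_flags(entry["sambaAcctFlags"]):
        return None
    if max_pwd_age is not None:
        return int(entry["sambaPwdLastSet"]) + max_pwd_age
    must_change = int(entry.get("sambaPwdMustChange", NEVER))
    return None if must_change == NEVER else must_change


def account_state(entry, now, max_pwd_age=None):
    """Classify the account at time 'now' (Unix seconds)."""
    flags = parse_acct_flags(entry["sambaAcctFlags"])
    if "D" in flags:
        return "disabled"
    if "L" in flags:
        return "locked out"
    expiry = password_expiry(entry, max_pwd_age)
    if expiry is None:
        return "ok (password never expires)"
    if expiry <= now:
        return "password expired"
    return "ok"


# TEST_USER: values from the LDIF in the thread.  The other two are constructed.
TEST_USER = {"sambaAcctFlags": "[UX]", "sambaPwdLastSet": "1327615956",
             "sambaPwdMustChange": "2147483647"}
EXPIRING_USER = {"sambaAcctFlags": "[U          ]", "sambaPwdLastSet": "1327615956",
                 "sambaPwdMustChange": "2147483647"}
DISABLED_USER = {"sambaAcctFlags": "[DU         ]", "sambaPwdLastSet": "1327615956"}

NINETY_DAYS = 90 * 86400


if __name__ == "__main__":
    for name, entry in (("TEST_USER", TEST_USER), ("EXPIRING_USER", EXPIRING_USER),
                        ("DISABLED_USER", DISABLED_USER)):
        print(name, sorted(parse_acct_flags(entry["sambaAcctFlags"])),
              "| attribute model:", account_state(entry, 1340000000),
              "| 90-day policy:", account_state(entry, 1340000000, NINETY_DAYS))
```

For `EXPIRING_USER` the attribute says the password never expires while a 90-day policy says it expired in April 2012; that gap is exactly the situation the 2009 poster describes. Checking the domain's password policy (`sambaMaxPwdAge` on the sambaDomain entry, or `pdbedit -P`) alongside the per-user attributes shows which source a given installation is actually enforcing.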