Hello all again, especially Sir Chuck Theobald :)

After almost one month trying to configure my system with:

MigrationTools-47
nss_ldap-249
pam_ldap-180
openldap-2.3.20
samba-3.0.22
Linux-PAM-0.80
db-4.4.20

I come here again because I could not find any information on the Internet that fixes my problem or helps me to see what I am doing wrong.

So, let's start from the beginning. First of all, I could be authenticated and authorized by ldap and pam before using samba. Now, I'm trying to do the same with a Windows machine, using smbldap-tools to create users for both situations (posix account for linux and posix + sambasamaccount for windows), but nothing works anymore.

My LDAP tree is ok, I think. I can see it using ldapsearch, edit, etc. My Windows machine recognizes samba as PDC but I can't log in even with root.

Because I have a lot of configuration files maybe I'm a little bit lost. (a little.. :) ). Should I put everything here? I know that some questions don't belong here but I am afraid to ask in each group of each program (group of ldap, group of samba, group of pam, etc.) because I think they are completely integrated in my case.

Before I post I will wait for your answer on whether it is ok to post here or not. My questions will concern smb, ldap, dbd, pam.

Thanks in advance,

Marcelo

On 4/20/06, Chuck Theobald <[EMAIL PROTECTED]> wrote:
Marcelo Moulin wrote:
> First of all, I would like to thank you Chuck for your important help!
> Then, some more questions and comments... :)

My pleasure, I contribute when I can.

> On 4/20/06, Chuck Theobald <[EMAIL PROTECTED]> wrote:
>
>>Marcelo Moulin wrote:
>>
>>>Hello all !!
>>>I'm starting to implement an LDAP server in my University but before
>>>I would like to have some advice from experts and work in the right
>>>way.
>>>
>>>So, let's go.
>>>
>>>1) All of my clients should be authenticated and authorized by the
>>>server. Therefore should I install all components like open-ldap,
>>>pam_ldap, nss_ldap as I read on the internet, or can I install just
>>>some components? I'm talking about Linux systems.
>>
>>To do authentication and authorization, you will need all three
>>components on your clients and at least openldap on your server. You
>>will need to touch four client configuration files:
>>
>>/etc/ldap.conf
>>/etc/openldap/ldap.conf
>>/etc/nsswitch.conf
>>/etc/pam.d/system-auth
>>
>>and install your cacert.pem file (assuming you are doing secure
>>connections, as you should). Note that both ldap.conf files point to
>>the cacert.pem file. These locations are on a Gentoo 2.6 installation,
>>the locations will be similar for other distros.
>
>
> I'm not using any kind of CA right now because I am just wondering
> about to put everything working.
> I was really thinking why they use two ldap.conf. What is the big deal?
> It makes me confused.

Not using secure communications to start is good, it eliminates one source of problems, but be sure to add it when everything else is working.

The dual ldap.conf files have confused many more than you. This is an unfortunate circumstance, but the nss_ldap people chose ldap.conf for their config file. This is /etc/ldap.conf. OpenLDAP uses /etc/openldap/ldap.conf.

> Second, I use Gentoo too but, unfortunately, I must use Zenwalk
> distro as clients and believe me it is very awful (I am sorry if
> someone uses it here). But my server is SUSE.
>
>
>>Note that, in my experience, the most finicky part of this is PAM. Each
>>distro and unix flavor seems to have its own ideas about how PAM is
>>configured. In my case, the system-auth file is a file used by a number
>>of services. Do not promise delivery until you have the configuration
>>for PAM down for all your distros.
>
>
> PAM is really strange to install. I did everything right (I think) but
> I could not find any pam.conf or even worse any pam.d/ . Should I just
> copy from source and place in /etc/pam.d/ ?

PAM is odd, but the installation is straightforward. You should find either /etc/pam.conf (old way) or /etc/pam.d/<whatever> (new way). Further questions on PAM should be taken to a more appropriate list.

Regards,

Chuck

>
>>>2) And what about Windows OS? I need to use SAMBA to do the same as I
>>>mentioned above?
>>>Is this the best way? I need to use NIS?
>>
>>We have Samba set up as our domain controller with:
>>
>> passdb backend = ldapsam:ldap://our-top-secret-machine.domain.not
>>
>>in the smb.conf file with other ldap parameters set appropriately. We
>>create accounts using the smbldap tools, and use phpldapadmin as the
>>maintenance system.
>>
>>Our system took months of tweaking off and on to get it all figured out.
>> I hope this helps to shorten your time-to-production.
>>
>
> It will help. Thank you very much.
>
>
>
>>Good luck,
>
>
> hehehe. I will need that, for sure. Thanks.. :)
>
>
>
>>Chuck
>>
>>
>
>
>
> Regards,
>
> Marcelo

--
Chuck Theobald
System Administrator
The Robert and Beverly Lewis Center for Neuroimaging
University of Oregon
P: 541-346-0343
F: 541-346-0345
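
An added example, not part of the original thread: a small Python audit of the two client files discussed above, /etc/ldap.conf (nss_ldap/pam_ldap) and /etc/openldap/ldap.conf (OpenLDAP), to confirm the TLS settings were actually added once everything else worked. The host name, base DN and CA path in the samples are constructed assumptions; the directive names are those of nss_ldap's ldap.conf and OpenLDAP's ldap.conf(5).

```python
# Added example: audit both LDAP client config files for TLS settings.
# Sample contents are constructed; host, base DN and CA path are assumptions.

def parse_conf(text):
    """Parse 'keyword value' lines; keywords are case-folded, comments skipped."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def audit(nss_text, openldap_text):
    """Return findings for /etc/ldap.conf and /etc/openldap/ldap.conf."""
    nss, ol = parse_conf(nss_text), parse_conf(openldap_text)
    findings = []
    uris = nss.get("uri", "").split()
    ldaps_only = bool(uris) and all(u.startswith("ldaps://") for u in uris)
    if not (ldaps_only or nss.get("ssl") in ("start_tls", "on")):
        findings.append("/etc/ldap.conf: no ldaps:// uri or 'ssl start_tls', binds go in clear text")
    if nss.get("tls_checkpeer") != "yes":
        findings.append("/etc/ldap.conf: tls_checkpeer not set to 'yes'")
    if not nss.get("tls_cacertfile"):
        findings.append("/etc/ldap.conf: tls_cacertfile missing")
    if not ol.get("tls_cacert"):
        findings.append("/etc/openldap/ldap.conf: TLS_CACERT missing")
    if ol.get("tls_reqcert", "demand").lower() in ("never", "allow"):
        findings.append("/etc/openldap/ldap.conf: TLS_REQCERT does not require a valid certificate")
    if nss.get("tls_cacertfile") and ol.get("tls_cacert") \
            and nss["tls_cacertfile"] != ol["tls_cacert"]:
        findings.append("the two files point to different CA certificates")
    return findings

# Constructed samples: the "get it working first" state, then the hardened one.
WEAK_NSS = "host ldap.example.org\nbase dc=example,dc=org\n"
WEAK_OPENLDAP = "URI ldap://ldap.example.org\nBASE dc=example,dc=org\nTLS_REQCERT never\n"
HARD_NSS = """uri ldap://ldap.example.org
base dc=example,dc=org
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacert.pem
"""
HARD_OPENLDAP = """URI ldap://ldap.example.org
BASE dc=example,dc=org
TLS_CACERT /etc/openldap/cacert.pem
TLS_REQCERT demand
"""

if __name__ == "__main__":
    for name, pair in (("weak", (WEAK_NSS, WEAK_OPENLDAP)), ("hardened", (HARD_NSS, HARD_OPENLDAP))):
        print(name, audit(*pair) or "no findings")
```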