I don't know if the "ldap admin dn" has full permission, so I pasted my slapd.conf below. I think, by the ACL, that the ldap admin has full permission. What do you think?
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
#include /etc/openldap/schema/krb5-kdc.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath /usr/lib/openldap
# modules available in openldap-servers-overlays RPM package:
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# Access policy
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
    by self write
    by users read
    by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# LDAP domain administrator
#######Kerberos
#sasl-realm LABCOM.UNASP
#sasl-host AmbLivre.labcom.unasp

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
##############################################################
# LDAP domain administrator
#############################################################
suffix "dc=AMBLIVRE,DC=COM"
rootdn "cn=adm,dc=AMBLIVRE,DC=COM"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}lqHhIv2nvxmf0FAVDnbe3OdSU+AJ8pFi
#rootpw {kerberos}[email protected]

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayNAme pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq

# Old indexes
#index objectClass,uid,uidNumber,gidNumber,memberuid,sambaSID eq
#index cn,mail,surname,givenname eq,subinitial
# Even older indexes
# New index lines
#index objectClass eq,pres
#index ou,cn,mail,surname,givenname eq,pres,sub
#index uidNumber,gidNumber,loginShell eq,pres
#index uid,memberUid eq,pres,sub
#index nisMapName,nisMapEntry eq,pres,sub
# Values changed to the ones from the book
#index objectClass eq
#index uid,mail eq
#index cn,surname,givenname eq,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/[email protected]

# Encryption key
#TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
#TLSCertificateFile /etc/openldap/chaves/servercert.pem
#TLSCertificateKeyFile /etc/openldap/chaves/serverkey.pem

# Access policies for Kerberos
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none

access to * by * read

#access to *
#    by dn="cn=adm,dc=amblivre,dc=com" write
#    by * read
#access to attrs=cn,gibenName, sn, krbNAme,krb5PrincipalNAme, gecos
#    by dn="cn=adm,dc=labcom,dc=unasp" write
#    by dn="uid=ldap.+\+realm=LABCOM.UNASP" write
#    by self write
#    by * read
#access to attr=loginShell , gecos
#    by dn="cn=adm,dc=labcom,dc=unasp" write
#    by dn="uid=ldap.+\+realm=LABCOM.UNASP" write
#    by self write
#    by * read
#access to attr=userPassword
#    by dn="cn=adm,dc=labcom,dc=unasp" write
#    by dn="uid=ldap.+\+realm=LABCOM.UNASP" write
#    by anonymous auth
#    by * read :
#access to *
#    by dn="cn=adm,dc=labcom,dc=unasp" write
#    by dn="uid=ldap.+\+realm=LABCOM.UNASP" write
#    by self write
#    by * read

On Thu, Oct 8, 2009 at 4:31 AM, Bruno MACADRE <[email protected]> wrote:

> Bruno Steven wrote:
> > Ok, I fixed it, but when I started smbd it showed another problem:
> >
> > [2009/10/07 15:19:47, 1] passdb/pdb_ldap.c:pdb_init_ldapsam(5720)
> >   pdb_init_ldapsam: Resetting SID for domain AMBLIVRE.COM based on pdb_ldap results
> >   S-1-5-21-755328524-3875606875-861347881 -> S-1-5-21-1644746683-2480834100-523333597
> > [2009/10/07 15:19:47, 1] passdb/pdb_ldap.c:pdb_init_ldapsam(5727)
> >   New global sam SID: S-1-5-21-1644746683-2480834100-523333597
> > [2009/10/07 15:19:47, 0] services/services_db.c:svcctl_init_keys(420)
> >   svcctl_init_keys: key lookup failed! (WERR_ACCESS_DENIED)
> > [2009/10/07 15:19:47, 0] smbd/server.c:main(1057)
> >   ERROR: failed to setup guest info.
> >
> > Does this problem have a relation to SSL, or is it something else?
> >
> > On Wed, Oct 7, 2009 at 6:28 PM, Bruno MACADRE <[email protected]> wrote:
> >
> > > Hi,
> > >
> > > This message indicates that you have forgotten to "tell" your LDAP
> > > admin password to SAMBA.
> > >
> > > You just need to give the password for the ldap admin user you
> > > specify in your smb.conf (ldap admin dn), using this command:
> > >
> > > # smbpasswd -w ldap_admin_password
> > > or if you prefer
> > > # smbpasswd -W (you'll be prompted for the ldap admin password twice)!
> > >
> > > Regards,
> > > Bruno
> > >
> > > Bruno Steven wrote:
> > >
> > > > Hello
> > > >
> > > > I am trying to integrate LDAP with SAMBA; when I start the process
> > > > smbd -D, it shows the following message:
> > > >
> > > > [2009/10/07 14:58:12, 0] lib/smbldap.c:smbldap_connect_system(942)
> > > >   ldap_connect_system: Failed to retrieve password from secrets.tdb
> > > > [2009/10/07 14:58:12, 0] smbd/server.c:main(1057)
> > > >   ERROR: failed to setup guest info.
> > > >
> > > > Can somebody explain the message? I don't understand this message.
> > > >
> > > > Thanks ..
> > > >
> > > > --
> > > > Bruno Steven - Systems administrator.
> > > > LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4
> > > > https://www.lpi.org/caf/Xamman/certification
> > > >
> > > > MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100
> > > > https://mcp.microsoft.com/authenticate/validatemcp.aspx
>
> Are you sure that the "ldap admin dn" you've supplied has full access
> over your LDAP?
>
> --
> Bruno MACADRE
> -------------------------------------------------------------------
> Ingénieur Systèmes et Réseau | Systems and Network Engineer
> Département Informatique | Department of computer science
> Responsable Réseau et Téléphonie | Telecom and Network Manager
> Université de Rouen | University of Rouen
> -------------------------------------------------------------------
> Coordonnées / Contact :
> Université de Rouen
> Faculté des Sciences et Techniques - Madrillet
> Avenue de l'Université - BP12
> 76801 St Etienne du Rouvray CEDEX
> FRANCE
>
> Tel: +33 (0)2-32-95-51-86
> Fax: +33 (0)2-32-95-51-87
> -------------------------------------------------------------------

--
Bruno Steven - Systems administrator.
LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4
https://www.lpi.org/caf/Xamman/certification

MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100
https://mcp.microsoft.com/authenticate/validatemcp.aspx

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
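A note on the question the thread leaves open: the DN given as Samba's "ldap admin dn" here, cn=adm,dc=AMBLIVRE,DC=COM, is the database's rootdn, and slapd never applies access directives to the rootdn (slapd.conf(5); the posted file's own comment says the same). So the admin has full access regardless of what the ACLs say, and the ACLs decide only what everyone else can do. The evaluator below is an added example, my own code and not from the thread, Samba or OpenLDAP; it implements the subset of slapd.access(5) semantics that the posted directives use (exact DNs, `self`, `users`, `anonymous`, `*`, `dn.base=`, `attrs=`) so you can see what each kind of bind is granted without a running server. The entry DNs uid=alice and uid=bob are constructed; the ACL text is the posted set with the database-level directives first, which is the order slapd consults them in (global directives apply after the database's own), and since `access to * by * read` already matches everything, the order does not change any result.

```python
"""Evaluate what a bind DN may do under slapd.conf-style access directives.

Added example, not code from the thread, Samba or OpenLDAP.  Models the subset
of slapd.access(5) the posted config uses: first matching `access to` clause
wins, first matching `by` inside it decides, unmatched means denied, levels
order none < auth < compare < search < read < write, rootdn bypasses all.
"""
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def parse_acls(text):
    """Return [(what, [(who, level), ...])]; indented lines continue a directive."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    acls = []
    for line in logical:
        m = re.match(r"access\s+to\s+(\S+)\s+(.*)$", line)
        if not m:
            raise ValueError(f"not an access directive: {line}")
        by = re.findall(r"by\s+(\S+)\s+(\S+)", m.group(2))
        if any(level not in LEVELS for _, level in by):
            raise ValueError(f"unsupported access level in: {line}")
        acls.append((m.group(1), by))
    return acls


def _what_matches(what, entry_dn, attr):
    if what == "*":
        return True
    if what.startswith("dn.base="):  # exactly this entry, any attribute
        return entry_dn.lower() == what[len("dn.base="):].strip('"').lower()
    if what.startswith("attrs="):    # these attributes, in any entry
        wanted = {a.strip().lower() for a in what[len("attrs="):].split(",")}
        return attr is not None and attr.lower() in wanted
    raise ValueError(f"unsupported <what>: {what}")


def _who_matches(who, requester_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == entry_dn.lower()
    if who.startswith("dn="):        # exact DN only (no dn.regex here)
        return requester_dn is not None and \
            requester_dn.lower() == who[len("dn="):].strip('"').lower()
    raise ValueError(f"unsupported <who>: {who}")


def granted(acls, requester_dn, entry_dn, attr=None, rootdn=None):
    """Level slapd grants requester_dn (None = anonymous bind) on entry_dn/attr."""
    if rootdn and requester_dn and requester_dn.lower() == rootdn.lower():
        return "write"               # rootdn bypasses every ACL
    for what, by in acls:
        if _what_matches(what, entry_dn, attr):
            for who, level in by:
                if _who_matches(who, requester_dn, entry_dn):
                    return level
            return "none"            # clause matched but no `by` did
    return "none"                    # no clause matched: implicit `by * none`


# Database-level directives from the posted slapd.conf, then its global ones.
# slapd consults global (frontend) ACLs after the database's own, and
# `access to * by * read` already matches everything, so order changes nothing.
POSTED_ACLS = """\
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none
access to * by * read
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
    by self write
    by users read
    by anonymous auth
"""
ROOTDN = "cn=adm,dc=AMBLIVRE,DC=COM"   # rootdn from the posted slapd.conf


def report():
    """Answer the thread's question for constructed sample entries."""
    acls = parse_acls(POSTED_ACLS)
    alice = "uid=alice,ou=People,dc=AMBLIVRE,DC=COM"   # constructed, not real
    bob = "uid=bob,ou=People,dc=AMBLIVRE,DC=COM"
    return {
        "rootdn on bob's sambaNTPassword": granted(acls, ROOTDN, bob, "sambaNTPassword", ROOTDN),
        "admin DN by ACLs alone (bypass off)": granted(acls, ROOTDN, bob, "sambaNTPassword"),
        "alice on her own userPassword": granted(acls, alice, alice, "userPassword", ROOTDN),
        "alice on bob's sambaNTPassword": granted(acls, alice, bob, "sambaNTPassword", ROOTDN),
        "anonymous on alice's userPassword": granted(acls, None, alice, "userPassword", ROOTDN),
        "anonymous on alice's uid": granted(acls, None, alice, "uid", ROOTDN),
        "alice on her own loginShell": granted(acls, alice, alice, "loginShell", ROOTDN),
    }


if __name__ == "__main__":
    for case, level in report().items():
        print(f"{case:40} -> {level}")
```

Running it shows the two things worth knowing about this configuration: with the rootdn bypass switched off, the admin DN gets "none" on the password hashes, so the write access Samba relies on comes entirely from `rootdn`, not from the ACLs; and `access to * by * read` makes every non-password attribute, including the sambaSID values, readable by anonymous binds, while ordinary users cannot change even their own loginShell. Both are worth reviewing before the directory is reachable from anything other than the Samba host.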
