On Tuesday 18 January 2011 4:39:39 pm Alex Crow wrote:
> On 18/01/11 21:08, Jon Detert wrote:
> > On Tue, Jan 18, 2011 at 2:35 PM, Gaiseric Vandal
> > <[email protected]> wrote:
> >> Nt- I don't use the "ldapsam:editposix" option myself, if I
> >> understand it correctly it means you don't have to precreate the
> >> underlying unix accounts.
> >
> > That is my understanding as well. I've never used it before,
> > however.
>
> I've not tried it, I'm not even sure if it really works. Has anyone
> on the list used such a config in production?
>
> >> However, I believe you still need to do the following
> >>
> >> Create a samba Administrator account
> >> Create samba Domain Admins and Domain Users groups.
> >> Explicitly specify the uid or username for the "guest" user.
> >> Set ldap password for the idmap backend
> >> (net idmap secret thedomain xxxx )
> >
> > the log messages tend to support this belief.
>
> You can create them yourself, but if you want an easier life, see
> the end of this post (smbldap-tools)
>
> >> "smbpasswd -w" sets the ldap password samba to access ldap for
> >> users and groups. But idmap needs the ldap password set as well
> >> eg.
>
> It doesn't. smbpasswd -w is sufficient.
>
> > I don't understand that. There is no separate idmap process,
> > afaik. Why can't the 'idmap' functionality get the same ldap
> > credentials that smbd and winbindd evidently get from the smb.conf
> > and the secrets.tdb files?
> >
> >> net idmap secret MYDOMAIN xxxx
> >> net idmap secret alloc xxxx
>
> You do *not* need this if you are not using explicit idmap alloc,
> just the default idmap range. idmap alloc is apparently not working.
>
> > In any case, I tried the above, and got the same error for both
> > commands:
> >
> > "The only currently supported backend is LDAP"
> >
> > My smb.conf has a line expressly saying
> > "idmap backend = ldap:ldap://localhost".
> > Does smbd have to be running before running the 'net idmap'
> > commands? If so, I'm screwed, cuz now that I fixed the 'out=IDmap'
> > typo, smbd dies immediately after trying to start it.
>
> You should leave the config as is.
>
> smbd really should not die. Are you sure smbd is not still running?
> Did you join your own domain on the PDC (eg net rpc join -S
> localhost)?
>
> > Ideas?
> >
> > Thanks,
> >
> > Jon
>
> I think you need to use the smbldap-tools. Once configured correctly
> they will prepopulate your LDAP tree for you. There should be
> packages in the repos for most distros.
>
> Cheers
>
> Alex
>

I'd underscore Alex's last comment - use smbldap-tools. A lot of
tutorials have you add smb.conf directives such as:

    add user script = /usr/local/sbin/smbldap-useradd -m %u

If you install the tools via RPM, change those directives to read:

    add user script = /usr/sbin/smbldap-useradd -m %u

Again, HTH.

Dimitri
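
Added example, not part of the original thread and not Samba or smbldap-tools code: a small checker for the path mismatch described in the last message. It reads smb.conf text, finds every "... script =" hook, and reports hooks whose executable is missing, not absolute, not executable, or writable by group/others (smbd runs these hooks as root). The function names and the sample config are assumptions made for illustration.

```python
import os
import shlex
import stat

def script_directives(conf_text):
    """Return (parameter, executable) for every '... script = ...' line in smb.conf text."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        # Skip blanks, comments (# or ;), section headers and non-assignments.
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.lower().split())  # smb.conf keys ignore case and extra spaces
        if key.endswith(" script") and value:
            found.append((key, shlex.split(value)[0]))  # first token is the program
    return found

def audit_scripts(conf_text):
    """Return (parameter, path, problem) for each hook that is unusable or unsafe."""
    problems = []
    for key, exe in script_directives(conf_text):
        if not os.path.isabs(exe):
            problems.append((key, exe, "not an absolute path"))
            continue
        try:
            st = os.stat(exe)
        except OSError:
            problems.append((key, exe, "missing"))
            continue
        if not stat.S_ISREG(st.st_mode) or not os.access(exe, os.X_OK):
            problems.append((key, exe, "not an executable file"))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((key, exe, "group/world writable"))
    return problems

# Constructed sample using the tutorial path quoted in the message above;
# on a host where the tools live in /usr/sbin it is reported as missing.
SAMPLE = """
[global]
   passdb backend = ldapsam:ldap://localhost
   add user script = /usr/local/sbin/smbldap-useradd -m %u
"""

if __name__ == "__main__":
    for key, exe, why in audit_scripts(SAMPLE):
        print(f"{key}: {exe}: {why}")
```

To check a live system, pass the contents of the real smb.conf to audit_scripts() instead of SAMPLE.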
