In most cases, your users will have separate Unix and Windows
passwords. Assuming you have password sync working (there are various
ways to do this), this will still appear to be a single password to the
users.
Use something like Apache Directory Studio to verify that you can log in
to LDAP with the credentials specified to Samba.
My smb.conf includes
-----------------------------------------------------------------------------------------------
workgroup = MYDOMAIN
server string = myserver
netbios name = MYSERVER
passdb backend = ldapsam:ldap://myldapserver.mydomain.com
domain logons = yes
preferred master = yes
domain master = yes
local master = yes
dns proxy = No
wins support = yes
ldap suffix = o=mydomain.com
ldap user suffix = ou=people
ldap machine suffix = ou=people
ldap admin dn = "cn=Directory Manager"
ldap ssl = no
ldap passwd sync = no
passwd program = /etc/samba/smbldappasswd.sh %u
passwd chat =*New* %n\n *changed*
unix password sync = yes
[netlogon]
comment = Network Logon Service
path = /export/samba/netlogon
read only = no
guest ok = Yes
share modes = No
write list = @Administrators
-----------------------------------------------------------------------------------------------
The LDAP admin is the built-in default LDAP admin on my server.
You may need to explicitly create Unix groups and group mappings for
well-known Windows groups:
net groupmap add ntgroup="Domain Admins" unixgroup=100512 rid=512 type=domain
net groupmap add ntgroup="Domain Users" unixgroup=100513 rid=513
net groupmap add ntgroup="Domain Guests" unixgroup=100514 rid=514
net groupmap add ntgroup="Domain Computers" unixgroup=100515 rid=515
net groupmap add ntgroup="Domain Controllers" unixgroup=100516 rid=516
You also need to create a Unix account for the Administrator.
You will need Unix and Samba accounts for each machine, including the PDC:
# smbpasswd -a -m MACHINENAME
And I think you need to join the domain
net rpc join -S MYSERVER -W MYDOMAIN -U Administrator
My PDC is a Solaris server. I think on Linux machines you may NOT want
to include the quotes in the LDAP admin account name.
I couldn't get LDAP password sync to work, so I use standard Unix password
sync, which calls an external script to handle setting the LDAP passwords.
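The settings the reply above walks through can be checked mechanically before anything touches the directory. What follows is an added example, not code from the reply or from the Samba project: a small smb.conf parser plus checks for the ldapsam-related parameters it sets. The embedded configuration is constructed from the fragment above (MYDOMAIN, myldapserver.mydomain.com and the paths are the poster's placeholders). It flags the quoted `ldap admin dn` the reply mentions, an `ldap ssl = no` bind over a plain `ldap://` URL (the admin DN password stored with `smbpasswd -w` and the users' sambaNTPassword hashes then cross the network unencrypted), both password-sync mechanisms being on at once, and a [netlogon] share that every connecting user can write to, which on a domain controller means anyone can replace the logon scripts clients execute.

```python
import re

# Constructed sample, assembled from the smb.conf fragment posted above;
# MYDOMAIN, myldapserver.mydomain.com and the paths are the poster's
# placeholders, not real systems.
SAMPLE_SMB_CONF = """\
[global]
workgroup = MYDOMAIN
netbios name = MYSERVER
passdb backend = ldapsam:ldap://myldapserver.mydomain.com
domain logons = yes
ldap suffix=o=mydomain.com
ldap user suffix=ou=people
ldap machine suffix=ou=people
ldap admin dn="cn=Directory Manager"
ldap ssl = no
ldap passwd sync = no
unix password sync = yes
passwd program = /etc/samba/smbldappasswd.sh %u

[netlogon]
comment = Network Logon Service
path = /export/samba/netlogon
read only = no
guest ok = Yes
write list = @Administrators
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Parameter names are lower-cased with internal whitespace collapsed, so
    'ldap suffix=...' and 'ldap  suffix = ...' land on the same key. Lines
    before the first [section] header belong to [global].
    """
    sections = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            continue  # not a 'name = value' line
        name, value = line.split("=", 1)
        sections[current][" ".join(name.lower().split())] = value.strip()
    return sections


def truthy(value):
    """Samba-style boolean: yes/true/1/on are true, anything else false."""
    return value.strip().lower() in ("yes", "true", "1", "on")


def share_writable(share):
    """Effective write access of a share: 'writeable' and its synonyms win,
    otherwise it is the inverse of 'read only' (default: read only = yes)."""
    for name in ("writeable", "writable", "write ok"):
        if name in share:
            return truthy(share[name])
    return not truthy(share.get("read only", "yes"))


def check_ldapsam(conf):
    """Return (severity, message) findings for an ldapsam configuration."""
    findings = []
    g = conf.get("global", {})
    backend = re.fullmatch(r"ldapsam(?::(.*))?", g.get("passdb backend", ""))
    if backend is None:
        findings.append(("error", "passdb backend is not ldapsam"))
        return findings
    url = (backend.group(1) or "").strip('"')

    admin_dn = g.get("ldap admin dn", "")
    if not admin_dn:
        findings.append(("error", "ldap admin dn is unset; Samba cannot bind to write to the directory"))
    elif admin_dn[0] in "\"'":
        # The reply notes that on Linux the surrounding quotes may be unwanted.
        findings.append(("warning", "ldap admin dn is wrapped in quotes: " + admin_dn))

    # A plain ldap:// URL with TLS switched off sends the admin DN's simple
    # bind password and the users' sambaNTPassword hashes in cleartext.
    ssl = g.get("ldap ssl", "").lower()
    if url.startswith("ldap://") and ssl in ("no", "off"):
        findings.append(("warning", "ldap ssl = %s on %s: bind password and password hashes travel in cleartext" % (ssl, url)))

    # Two writers of the same password: Samba itself (ldap passwd sync) and
    # an external passwd program (unix password sync).
    if truthy(g.get("ldap passwd sync", "no")) and truthy(g.get("unix password sync", "no")):
        findings.append(("warning", "both ldap passwd sync and unix password sync are enabled"))

    # [netlogon] holds logon scripts that clients run at logon. 'write list'
    # only adds write access on a read-only share; it does not take it away.
    netlogon = conf.get("netlogon")
    if netlogon is not None and share_writable(netlogon):
        who = "guests and every user" if truthy(netlogon.get("guest ok", "no")) else "every user"
        findings.append(("error", "[netlogon] is writable by %s; set read only = yes and keep write list" % who))
    return findings


if __name__ == "__main__":
    for severity, message in check_ldapsam(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("%s: %s" % (severity, message))
```

Run it against your own smb.conf by reading the file into `parse_smb_conf`; `testparm -s` output works as input too, since it prints the same `name = value` layout with section headers.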
On 06/03/2011 10:46 PM, Clayton Hill wrote:
Hi all,
Please help, I've been wasting days at this...
I am not trying to create a PDC, I am not joining an Active Directory, I am
not needing Samba schema in my OpenLDAP (or do I?), I am not trying to use
winbind and idmaps for translations from SID to UID/GID; I just want my
Samba server, which shares Linux home directories, to authenticate
user+password against my existing Linux-based OpenLDAP server.
These are already POSIX accounts on the OpenLDAP server, so the UID and GID
need no translation AFAIK.
All I want to do is have users log into the Samba share with their OpenLDAP
Linux accounts.
Unfortunately this is not working... at all.
Samba ver:
samba3x-3.3.8-0.52.el5_5.2
openldap ver:
2.3 (shouldn't matter)
My smb.conf:
-----------------------------------------------------------------------------------
[global]
server string = %h server
passdb backend = ldapsam:ldap://ldap.domain.com
# looks like this syntax is deprecated. What's the correct syntax? The smb.conf
# manpage is not making sense to me....
security = user
ldap passwd sync = yes
# is this needed?
ldap ssl = no
ldap admin dn = cn=superadmin,dc=domain,dc=com
ldap suffix = dc=domain,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Group
[Shared]
comment = Shared Directories
path = /shared
read only = No
create mask = 0600
directory mask = 0700
--------------------------------------------------------------------------------------------------------------
I then did
smbpasswd -w myadmindnpasswd
I'm super confused as to why the above syntax isn't sufficient, and the howtos
out there are all not very helpful and use deprecated syntax....
log level 2 snippet:
-------------------------------------------------------------------------------------------------------------------------------------------
[2011/06/03 19:25:00, 2] lib/smbldap_util.c:smbldap_search_domain_info(277)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SV3))]
[2011/06/03 19:25:00, 2] lib/smbldap.c:smbldap_open_connection(796)
  smbldap_open_connection: connection opened
[2011/06/03 19:25:00, 1] lib/smbldap_util.c:add_new_domain_info(233)
  add_new_domain_info: failed to add domain dn= sambaDomainName=SV3,dc=domain,dc=com with: Invalid DN syntax
  invalid DN
[2011/06/03 19:25:00, 0] lib/smbldap_util.c:smbldap_search_domain_info(310)
  smbldap_search_domain_info: Adding domain info for SV3 failed with NT_STATUS_UNSUCCESSFUL
[2011/06/03 19:25:00, 2] passdb/pdb_ldap.c:pdb_init_ldapsam(6259)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
  pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
-------------------------------------------------------------------------------------------------------------------------------------------
This doesn't look good at all... BTW the Samba server's hostname is SV3; why
is it using the syntax "domain dn= sambaDomainName=SV3,dc=domain,dc=com"?
This seems not to jibe with what is in the smb.conf file, and I have no such
entry for the hostname of this Samba server "SV3" or the string "dn=
sambaDomainName" specified anywhere in the configuration... I could of
course be interpreting this log incorrectly.
please help! :-)
Cheers,
-Clayton
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
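As an added example (not part of Clayton's post or of Samba itself), here is the log excerpt above, reassembled to one entry per header line, run through a parser for Samba 3's `[date, level] file:function(line)` log layout. It extracts the one operation that failed: the DN Samba tried to create, the LDAP error as reported by the client library, and the server's own diagnostic on the following line, which is the two-line form in which add_new_domain_info logs it. Samba names the domain object after its own SAM name; with `security = user` and no domain-controller role that is the server's NetBIOS name, which is why SV3 appears. OpenLDAP's slapd answers an add whose DN uses an attribute type its loaded schema does not define with exactly this pair, "Invalid DN syntax" and "invalid DN", so the last helper lists which samba* attribute types (defined by samba.schema) the failed DN depends on. The sample log is constructed from the posted lines; the domain name SV3 and dc=domain,dc=com are the poster's.

```python
import re

# Constructed sample: the log level 2 excerpt from the post above, with the
# lines the mail client wrapped joined back together. Samba 3 writes one
# '[date, level] file:function(line)' header and then the message, indented.
SAMPLE_LOG = """\
[2011/06/03 19:25:00, 2] lib/smbldap_util.c:smbldap_search_domain_info(277)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SV3))]
[2011/06/03 19:25:00, 2] lib/smbldap.c:smbldap_open_connection(796)
  smbldap_open_connection: connection opened
[2011/06/03 19:25:00, 1] lib/smbldap_util.c:add_new_domain_info(233)
  add_new_domain_info: failed to add domain dn= sambaDomainName=SV3,dc=domain,dc=com with: Invalid DN syntax
  invalid DN
[2011/06/03 19:25:00, 0] lib/smbldap_util.c:smbldap_search_domain_info(310)
  smbldap_search_domain_info: Adding domain info for SV3 failed with NT_STATUS_UNSUCCESSFUL
[2011/06/03 19:25:00, 2] passdb/pdb_ldap.c:pdb_init_ldapsam(6259)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
  pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
"""

HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>\S+?):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
ADD_FAIL = re.compile(r"failed to add domain dn=\s*(?P<dn>\S+) with: (?P<error>.+)$")


def parse_samba_log(text):
    """Group Samba 3 log text into entries; each entry keeps its message
    lines as a list so multi-line diagnostics stay separable."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entry = m.groupdict()
            entry["level"] = int(entry["level"])
            entry["line"] = int(entry["line"])
            entry["lines"] = []
            entries.append(entry)
        elif raw.strip() and entries:
            entries[-1]["lines"].append(raw.strip())
    return entries


def domain_info_failures(entries):
    """Pull out each failed attempt to create the sambaDomain object.

    add_new_domain_info logs 'failed to add domain dn= <dn> with: <error>'
    (the error text from the LDAP client library) and, on the next line,
    the diagnostic string the server returned.
    """
    failures = []
    for entry in entries:
        if entry["func"] != "add_new_domain_info" or not entry["lines"]:
            continue
        m = ADD_FAIL.search(entry["lines"][0])
        if m is None:
            continue
        failures.append({
            "dn": m.group("dn"),
            "error": m.group("error").strip(),
            "server_diag": entry["lines"][1] if len(entry["lines"]) > 1 else "",
        })
    return failures


def rdn_attribute_types(dn):
    """Attribute type of each RDN, leaf RDN first. Escaped commas inside
    values are not handled; the DNs Samba builds here never contain them."""
    return [part.split("=", 1)[0].strip() for part in dn.split(",")]


def samba_schema_attributes(dn):
    """Attribute types in the DN that come from Samba's LDAP schema
    (samba.schema defines the samba* attributes) rather than core schema."""
    return sorted({a for a in rdn_attribute_types(dn) if a.lower().startswith("samba")})


def nt_statuses(entries):
    """NT_STATUS_* codes mentioned anywhere in the log, in order."""
    found = []
    for entry in entries:
        for line in entry["lines"]:
            found.extend(re.findall(r"NT_STATUS_\w+", line))
    return found


if __name__ == "__main__":
    log = parse_samba_log(SAMPLE_LOG)
    for f in domain_info_failures(log):
        print("failed DN: %s" % f["dn"])
        print("  client error: %s / server says: %s" % (f["error"], f["server_diag"]))
        print("  needs schema for: %s" % ", ".join(samba_schema_attributes(f["dn"])))
    print("status codes: %s" % ", ".join(nt_statuses(log)))
```

The same parser works on a full log.smbd at `log level = 2` or higher; filtering on `entry["func"]` is more robust than grepping message text, because Samba's message strings change between releases while the function names in the header rarely do.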