Tomek,
I just tested your settings and they seem to be working.
The auth takes much longer now, maybe because it is working.
When checking shares the getpwnam does not even get called any more.
I noticed many SMB_VFS, NT_STATUS_NO_SUCH_OBJECT in the log; I guess that lets me know VFS was compiled into my binary.
How is the ldap.conf in the /etc/ directory different from the one found in /etc/openldap/?
When I check the man page only /etc/openldap/ldap.conf comes up; I'm curious about the other options I am seeing in the other ldap.conf located in the /etc/ directory.
Most of them I can make an educated guess as to their function, but it would be nice to have a verified definition of some of these parameters.
--
Anyway thanks for your help it is greatly appreciated.
Robert
Robert Silvia wrote:
Here's my configuration:
My system auth looks like:
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
My /etc/ldap.conf is set up as (world readable):
base dc=pds-support,dc=net
rootbinddn cn=nssldap,ou=DSA,dc=pds-support,dc=net
nss_base_passwd dc=pds-support,dc=net?sub
nss_base_shadow dc=pds-support,dc=net?sub
nss_base_group ou=Groups,dc=pds-support,dc=net?one
ssl no
pam_password md5
and my /etc/nsswitch.conf (world readable):
passwd: files ldap
shadow: files ldap
group: files ldap
I have /etc/ldap.secret set to world readable at the moment with the password (I plan on changing this once I have it working).
Yeah setting Samba to work with LDAP properly can be really painful.
Could you try setting /etc/ldap.conf like below (without ldap.secret file):
SIZELIMIT 200
TIMELIMIT 15
DEREF never
host 127.0.0.1
base dc=magista,dc=de
binddn cn=Manager,dc=magista,dc=de
bindpw secret-password-in-plain
pam_password exop
nss_base_passwd dc=magista,dc=de?sub
nss_base_shadow dc=magista,dc=de?sub
nss_base_group ou=Groups,dc=magista,dc=de?one
Tomek
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
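An added check for the two credential arrangements this thread compares (rootbinddn with /etc/ldap.secret versus a bindpw line inside /etc/ldap.conf). It is example code written for this page, not from the thread or from the nss_ldap/pam_ldap projects, and it assumes a GNU or BSD stat and a directory laid out like /etc; the sample files it creates are constructed.

```shell
#!/bin/sh
# Example audit for the nss_ldap/pam_ldap credential files discussed in the
# thread (added here, not the projects' own code). With "rootbinddn" the
# libraries read the bind password from ldap.secret, which should be mode 600
# and owned by root. Tomek's variant keeps the password in ldap.conf itself
# ("bindpw ..."), which is then no longer safe to leave world-readable.
# Usage: audit_ldap_creds /etc   (pass any directory that holds ldap.conf)

# Octal permission bits of a file: GNU stat first, then the BSD spelling.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True when group or other hold any permission bit (last two octal digits != 00).
group_or_other_access() {
    case "$(mode_of "$1")" in *00) return 1 ;; *) return 0 ;; esac
}

# audit_ldap_creds DIR: prints one finding per line; returns 0 if clean, 1 if not.
audit_ldap_creds() {
    conf="$1/ldap.conf"; secret="$1/ldap.secret"; bad=0
    [ -f "$conf" ] || { echo "INFO: no $conf found"; return 0; }
    if grep -Eqi '^[[:space:]]*bindpw[[:space:]]' "$conf" && group_or_other_access "$conf"; then
        echo "WARN: $conf holds a plaintext bindpw but is not root-only (mode $(mode_of "$conf"))"
        bad=1
    fi
    if grep -Eqi '^[[:space:]]*rootbinddn[[:space:]]' "$conf"; then
        if [ ! -f "$secret" ]; then
            echo "WARN: rootbinddn is set but $secret does not exist"
            bad=1
        elif group_or_other_access "$secret"; then
            echo "WARN: $secret is readable by non-root users (mode $(mode_of "$secret"))"
            bad=1
        fi
    fi
    [ "$bad" -eq 0 ] && echo "OK: no exposed LDAP credentials under $1"
    return "$bad"
}

# Constructed demo: the world-readable ldap.secret Robert describes, then fixed.
demo=$(mktemp -d)
printf 'base dc=example,dc=com\nrootbinddn cn=nssldap,dc=example,dc=com\n' > "$demo/ldap.conf"
printf 'not-a-real-password\n' > "$demo/ldap.secret"
chmod 644 "$demo/ldap.conf" "$demo/ldap.secret"
audit_ldap_creds "$demo" || true   # WARN: ldap.secret is readable by non-root users
chmod 600 "$demo/ldap.secret"
audit_ldap_creds "$demo"           # OK
rm -rf "$demo"
```

A world-readable ldap.conf is only a problem when it carries the password itself; with rootbinddn the file that matters is ldap.secret.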