Paul and Craig,
I finally got it working. The reason it failed before is the way I built the LDAP DIT. I also found a problem in the smbldap-populate script, which I will describe below.
Here is what I did:
1) run configure.pl
2) edit smbldap-populate and change the following line:
   my ($organisation,$ext) = ($config{suffix} =~ m/dc=(.*),dc=(.*)$/);
to:
   my ($organisation,$ext) = ($config{suffix} =~ m/dc=(.*)$/);
The reason is I only have a single name for my domain, i.e. "dc=mfelc", but the perl script supposes we have exactly two names, for example dc=idealx, dc=org. It also won't work if you have three names in your domain (dc=mydept, dc=mycompany, dc=com).
3) run smbldap-populate; it works perfectly to build the DIT
4) use smbldap-migrate-unix-accounts to migrate NIS accounts
5) use smbldap-migrate-unix-groups to migrate NIS groups
This time, when I use smbclient with a NIS account, the log shows "wrong password". So I ran smbpasswd to give this account a new samba password and ran smbclient again. It works.
There are two problems here:
1) how to migrate NIS hosts into LDAP?
2) I checked the LDAP attributes and found three password fields:
   sambaLMPassword
   sambaNTPassword
   userPassword
How can I sync them so that I don't have to keep two or more passwords for one user account?
Best Regards,
Steve
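The regex change above is worth seeing side by side with what it replaces. The following is an added Python example, not code from the post or from smbldap-tools: it reproduces what the shipped `m/dc=(.*),dc=(.*)$/` pattern yields for one-, two- and three-component suffixes, and shows a parser that accepts any number of `dc=` components. How smbldap-populate actually consumes `$organisation` and `$ext` is not shown on this page, so the mapping used here (first `dc=` value is the organisation, the rest joined into the extension) is this example's own assumption.

```python
# Added example (not part of the original post or of smbldap-tools).
import re
from typing import List, Optional, Tuple

# The pattern quoted from smbldap-populate: it hard-codes exactly two dc= RDNs.
TWO_DC = re.compile(r"dc=(.*),dc=(.*)$")


def shipped_regex(suffix: str) -> Optional[Tuple[str, str]]:
    """What the shipped pattern yields.

    One component:   no match at all (the script gets undef).
    Two components:  ('idealx', 'org') as intended.
    Three or more:   the first greedy .* swallows everything up to the LAST
                     ',dc=', so 'organisation' silently contains a comma
                     and an extra RDN.
    """
    m = TWO_DC.search(suffix)
    return (m.group(1), m.group(2)) if m else None


def dc_components(suffix: str) -> List[str]:
    """Split a suffix such as 'dc=mydept,dc=mycompany,dc=com' into its dc=
    values, one per RDN, for any number of components.

    A non-dc RDN raises instead of being silently mis-parsed, so a typo in
    the configured suffix fails loudly rather than populating the DIT under
    the wrong base.
    """
    parts = []
    for rdn in suffix.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if attr.lower() != "dc" or not sep or not value:
            raise ValueError(f"not a dc= RDN in suffix {suffix!r}: {rdn!r}")
        parts.append(value)
    return parts


def organisation_and_ext(suffix: str) -> Tuple[str, str]:
    """Assumed mapping (this example's choice, not the script's documented
    behaviour): organisation = first dc= value, ext = the remaining values
    joined with dots, or '' for a single-component suffix like dc=mfelc."""
    comps = dc_components(suffix)
    return comps[0], ".".join(comps[1:])


if __name__ == "__main__":
    # Constructed sample suffixes: the three cases discussed in the post.
    for s in ("dc=mfelc", "dc=idealx,dc=org", "dc=mydept,dc=mycompany,dc=com"):
        print(f"{s:32} shipped={shipped_regex(s)!s:36} parsed={organisation_and_ext(s)}")
```

Run it as a script and the three-component case shows the silent failure mode: the shipped pattern does match, but hands back `mydept,dc=mycompany` as the organisation, which is worse than the no-match you get for `dc=mfelc` because nothing complains.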
Paul,
I downloaded smbldap-tools-0.8.7 and tried the following:
1) run configure.pl
2) initialize the LDAP base and then start the LDAP server:
   dn: dc=mfelc
   dc: mfelc
   objectClass: top
   objectClass: domain
3) run smbldap-populate
4) run the following migration tool to import users from NIS: smbldap-migrate-unix-accounts -a -P /tmp/passwd.nis
5) run the following migration tool to import groups from NIS: smbldap-migrate-unix-groups -a -G /tmp/group.nis
6) smbldap-useradd -a -m testuser1
   smbldap-passwd testuser1
7) smbclient //enzo/testuser1 -U testuser1
got the following errors:
-------------------------------------
User testuser1 in passdb, but getpwnam() fails!
[2005/03/01 18:12:11, 5] auth/auth_util.c:free_server_info(1344)
attempting to free (and zero) a server_info structure
[2005/03/01 18:12:11, 0] auth/auth_sam.c:check_sam_security(306)
check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2005/03/01 18:12:11, 5] auth/auth.c:check_ntlm_password(271)
check_ntlm_password: sam authentication for user [testuser1] FAILED with error NT_STATUS_NO_SUCH_USER
[2005/03/01 18:12:11, 3] auth/auth_winbind.c:check_winbind_security(80)
check_winbind_security: Not using winbind, requested domain [TESTDM] was for this SAM.
[2005/03/01 18:12:11, 10] auth/auth.c:check_ntlm_password(259)
check_ntlm_password: winbind had nothing to say
[2005/03/01 18:12:11, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [testuser1] -> [testuser1] FAILED with error NT_STATUS_NO_SUCH_USER
--------------------------------------------------
No idea what is missing. Thanks a lot for any hints.
Steve
Judicious snippage, post at the bottom.
I tried to let Samba authenticate against LDAP but could not figure out how to build the LDAP tree for Samba.
Fedora Core 2, Samba 3.0.10, OpenLDAP 2.1.29
dc=mydomain
 |
 `--- ou=People : to store user accounts for Unix and Windows
 |
 `--- ou=Hosts  : to store computer accounts for Unix & Windows
 |
 `--- ou=Groups : to store system groups for Unix and Windows
What I did was:
[global]
    workgroup = TESTDM
    passdb backend = ldapsam:ldap://10.10.0.101/
    log level = 1 passdb:8 auth:8
    domain logons = Yes
    wins support = Yes
    ldap admin dn = cn=root,dc=mydomain
    ldap delete dn = Yes
    ldap group suffix = ou=Group
    ldap machine suffix = ou=Hosts
    ldap user suffix = ou=People
    ldap suffix = dc=mfelc
    ldap passwd sync = Yes
    ldap ssl = no
3) start Samba server
4) run smbclient //smbserver -U myid
   Password:
   session setup failed: NT_STATUS_LOGON_FAILURE
Attached is the smbd.log; I deleted the normal log and kept the failed messages, as below:
check_sam_security: Couldn't find user 'szeng' in passdb file.
auth/auth.c:check_ntlm_password(271)
check_ntlm_password: sam authentication for user [szeng] FAILED with error NT_STATUS_NO_SUCH_USER
Is there anybody who might have some idea of what is wrong?
Yep. You did nothing to create the samba attributes that will have to exist in each user account for the users to log in. I suggest you read the documentation on setting up an LDAP/PDC system that is on the samba.org web site. You've missed quite a few steps here, so you may want to read it through to get a complete idea. Your solution is going to include the following:
1. Obtain and configure the smbldap-tools package.
2. Run the smbldap-populate script
3. Make sure you've got a sambaDomain (I think that's the object type) in the base of your DIT.
4. Join the machine to the domain (since you appear to want a domain setup)
4. Add samba attributes to each user's account.
Yes there are 2 #4 entries. Doesn't matter which one comes first. As far as I can remember, those will be the critical steps to not miss. If you've followed the documentation and not done those steps, you've missed something.
--
Regards,
Steve Zeng
Systems Administrator
Mainframe Entertainment Inc
T: (604) 628-1000 ext 5293
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
