I actually loaded another box with Fedora, and used authconfig like you
described. It worked quite well! :-)
On a slightly different note... Previously I thought I had winbind
working, but it seems I don't. I believe I put all the correct entries
in my smb.conf file... but I keep getting errors in my winbind logs.
Also, wbinfo -t and -u come back with errors. I'm probably doing
something silly, but I'm running around in mental circles trying to
figure out what it is.
appropriate smb.conf entries...
idmap domains = EPSILON
idmap config EPSILON:backend = ldap
idmap config EPSILON:readonly = no
idmap config EPSILON:default = yes
idmap config EPSILON:ldap_base_dn = ou=idmap, ....
idmap config EPSILON:ldap_user_dn = cn=admin, ...
idmap config EPSILON:ldap_url = ldap://ip-address:389
idmap config EPSILON:range = 5000-500000
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=idmap, ....
idmap alloc config:ldap_user_dn = cn=admin, ....
idmap alloc config:ldap_url = ldap://ip-address:389
idmap alloc config:range = 5000-500000
section of log.winbindd-idmap:
[2008/01/16 19:18:43, 1] nsswitch/idmap.c:idmap_init(377)
Initializing idmap domains
[2008/01/16 19:18:43, 0] nsswitch/idmap.c:idmap_init(388)
idmap_init: Ignoring domain EPSILON
wbinfo -t:
checking the trust secret via RPC calls failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
Could not check secret
Adam Williams wrote:
yes, linux distros require nss_ldap and pam_ldap to authenticate linux
shell accounts against ldap. if you are using fedora/centos you can
use authconfig and select ldap and put in the required info. and
you'll need to add ldap to the passwd: shadow: and group: entries in
/etc/nsswitch.conf
authconfig will configure /etc/ldap.conf and edd the required ldap
attributes to /etc/pam.d/system-auth
not sure about freebsd but it shouldn't be too different. (famous last
words!)
to convert your existing /etc/passwd users to ldap, you can use the
PADL migration tools.
Andrew Richey wrote:
Well, it looks like I would have to use pam_ldap and nss_ldap to make
this work. Or so I think... Wondering if all the Linux distros
require these too, to authenticate off of ldap.
Andrew Richey wrote:
Hey guys,
I've gotten my samba + openldap running quite well, minus one
problem (that I know about). I've read over plenty of
documentation, the official and other wiki's and such. I believe I
have winbind working correctly, so I assume I won't have to use
external scripts to add groups/users/etc..
But isn't there something one must do in order for their OS (in my
case FreeBSD 6.2) to use my ldap server instead of /etc/passwd and
/etc/group files? I'm unable to change the Administrator users
password because I have no Unix account for it, and I assume it's
looking for that in /etc/passwd. On the same token, I can add
another user who already exists in my /etc/password (the local user
I added during the installation of FreeBSD). And it shows up
sucsessfully in my ldap server.
At first I was thinking that the ...
ldapsam:trusted= yes
ldapsam:editposix= yes
..handled this issue, via winbind. But that might be a
misunderstanding on my part. Anyone have any ideas?
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
