Guys, I still got stuck at the "net groupmap add". Please have a look at what I've done wrong or whether I missed any prerequisite steps.

Below this is where I got stuck:

[EMAIL PROTECTED] /opt/fedora-ds/slapd-tompdc]# smbpasswd -w myldapadminpassword
Setting stored password for "cn=manager,dc=mycompany,dc=com" in secrets.tdb
[EMAIL PROTECTED] /opt/fedora-ds/slapd-tompdc]# service smb restart
Shutting down SMB services:    [  OK  ]
Shutting down NMB services:    [  OK  ]
Starting SMB services:         [  OK  ]
Starting NMB services:         [  OK  ]
[EMAIL PROTECTED] groupadd domainadmins
[EMAIL PROTECTED] /opt/fedora-ds/slapd-tompdc]# net groupmap add rid=2512 ntgroup='Domain Admins' unixgroup='domainadmins' type=d
[2008/03/11 16:18:26, 0] lib/smbldap.c:smbldap_connect_system(977)
  failed to bind to server ldap://192.168.1.7 with dn="cn=manager,dc=mycompany,dc=com" Error: No such object
adding entry for group Domain Admins failed!

*** I already have populated the ldap directory with dc=mycomputer,dc=com
*** Added domain into ldap directory

This is my ldap directory
-com

======================================================
This is my smb.conf

[global]
        workgroup = MYDOMAIN
        security = user
        passdb backend = ldapsam:ldap://192.168.1.7
        ldap admin dn = cn=manager,dc=mycompany,dc=com
        ldap suffix = dc=mycompany,dc=com
        ldap user suffix = ou=People
        ldap machine suffix = ou=Computers
        ldap group suffix = ou=Groups
        log file = /var/log/%m.log
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        os level = 33
        domain logons = yes
        domain master = yes
        local master = yes
        preferred master = yes
        wins support = yes
        logon home = \\%L\%u\profiles
        logon path = \\%L\profiles\%u
        logon drive = H:
        template shell = /bin/false
        winbind use default domain = no

[netlogon]
        path = /var/lib/samba/netlogon
        read only = yes
        browsable = no

[profiles]
        path = /var/lib/samba/profiles
        read only = no
        create mask = 0600
        directory mask = 0700

[homes]
        browsable = no
        writable = yes

Please advise.

Thank you and Best Regards,
Tom

John H Terpstra wrote:
> On Wednesday 05 March 2008 12:32:14 am suphakit Chamwuthipricha wrote:
>
>> Hi
>> I am new to linux & Samba. I would like to set up Samba as a
>> domain controller and use Fedora-ds for authentication.
>>
>
> That is a VERY ambitious project for someone who is new to Linux and new to
> Samba. It is a little bit like picking up a manual on brain surgery and
> going straight into the operating theatre.
>
> Please note that Linux and Samba are potentially complex tools. While most
> simple things can be done with little effort, getting into technically
> complex areas like directory services and domain control takes you into a
> very specialized realm for which a good deal of understanding is important.
>
>
>> I have read some documents from www.samba.org but I am still in
>> the mist.
>>
>
> Most people on this list are very happy to help someone who is new to the
> game. When posting questions, it is good etiquette to keep the overall message
> short and to provide enough information so that others can see that you have
> prepared yourself as much as you could.
>
> Please don't say "some information" - spell it out. Which documents did you
> read?
>
>
>> Here are my dumb questions about Samba, as follows.
>>
>
> Well, here are my simple answers - but I suspect they will not help you too
> much.
>
>
>> 1. Is CENTOS4.6+SAMBA3.0.25 as PDC +FEDORA-DS possible?
>>
>
> Samba can use most LDAP servers. It is certainly possible to use Fedora-DS.
>
>
>> 2. Is this HOWTO from
>> http://directory.fedoraproject.org/wiki/Howto:Samba sufficient
>> information? Please suggest more.
>>
>
> That is not a Samba document. I suspect that very few people on this list
> would have seen that document, but I may be wrong.
>
> I checked the information on the Fedora Project Wiki - it looks quite enough
> to get a system running - if you know what you are doing.
>
> I would recommend that you start with the "Samba3-ByExample" book. Work your
> way through chapters 1-5. What you learn will help you when you are ready for
> more complex projects.
>
> If you have a problem with any of the examples in the book - ask for help on
> this list.
>
>
>> 3. Since I tried to integrate Samba+Fedora-ds, I am always stuck
>> at this step "net groupmap add".
>>
>
> If this command fails, it means that you most likely have a communication
> problem with the LDAP server.
>
>
>> Do these commands need to be done? What will happen if we
>> skip them?
>>
>
> Yes, they are necessary. If you don't do this there will be no Windows groups
> for your Windows clients.
>
>
>> # net groupmap add rid=2512 ntgroup='Domain Admins' unixgroup='Domain Admins'
>> # net groupmap add rid=2513 ntgroup='Domain Users' unixgroup='Domain Users'
>> # net groupmap add rid=2514 ntgroup='Domain Guests' unixgroup='Domain Guests'
>> # net groupmap add rid=2515 ntgroup='Domain Computers' unixgroup='Domain Computers'
>>
>> 3.1 Linux won't allow me to add a unix group name with a space
>> like Domain Admins; can we change it to DomainAdmins (no space)?
>> When I tried to add the unix group DomainAdmins on the linux box
>> and run the command, it failed.
>>
>
> Some Linux implementations do not permit upper case characters or spaces in
> the Linux group name. In your situation, these groups should be added to the
> LDAP directory. The limitation on group names does not exist with the LDAP
> backend.
>
>
>> # net groupmap add rid=2512 ntgroup='Domain Admins' unixgroup='DomainAdmins'
>>
>> I also noticed that this somehow relates to the smb.conf file.
>> Some sources say:
>> ldap admin dn = cn=Directory Manager
>> or
>> ldap admin dn = cn=Directory Manager,dc=mycompany,dc=com
>>
>> 3.1.1 If I use this one: ldap dn = cn=Directory Manager
>> The result of net groupmap shows "failed to add group map".
>>
>
> You may need to specify the ldap admin dn as "cn=Directory
> Manager,dc=mycompany,dc=com" - note the double quotes.
>
>
>> 3.1.2 If I use this one: ldap admin dn = cn=Directory Manager,dc=mycompany,dc=com
>> The result of net groupmap shows cannot find object
>> "cn=Directory Manager,dc=mycompany,dc=com".
>>
>
> Did you add that object to the LDAP directory first? This was one of the steps
> in populating your Fedora-DS directory.
>
>
>> 3.2 Where does the command look for ntgroup='Domain Admins'
>> to map with unixgroup=Domain Admins?
>>
>
> In the LDAP directory.
>
>
>> 3.3 Some sources say the net groupmap should add type=d at
>> the end of the line; is it true?
>>
>
> Sure, but it is the default anyhow.
>
>
>> # net groupmap add rid=2512 ntgroup='Domain Admins' unixgroup='Domain Admins' type=d
>>
>> 4. Does this line in my smb.conf look ok? (I installed Samba
>> & Fedora-ds on the same machine.)
>> passdb backend = ldapsam:ldap://192.168.100.7
>>
>
> If the LDAP server is on the same system I'd use:
> passdb backend = ldapsam:ldap://127.0.0.1
>
> Also, make sure that the LDAP server is listening on port 389.
>
>
>> 5. Do these lines need to be included in the smb.conf file?
>> What will happen if we don't include them?
>> ldap idmap suffix = ou=Users
>> ldap passed sync = Yes
>>
>
> For starters, the IDMAP entry should not go into the Users dsa.
> Check "Samba3ByExample" for a fully worked example of how to set up a Samba
> server with a local LDAP server. The local LDAP server the example uses is
> OpenLDAP - but the basics are the same.
>
>
>> 6. Do the user add scripts need to be included in the smb.conf file?
>> How do they work and when are these lines used?
>> What will happen if we don't include them?
>>
>
> Yes. These are used by Samba to manage LDAP directory objects.
>
>
>> # Useradd scripts
>> add user script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-useradd -m %u
>> delete user script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-userdel -r %u
>> add group script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-groupadd %g
>> delete group script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-groupdel %g
>> add user to group script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-groupmod -G %g %u
>> add machine script = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-useradd -w %u
>> idmap uid = 15000-20000
>> idmap gid = 15000-20000
>> passwd program = /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-passwd %u
>>
>> 7. What does this command do? Do we have to do this with
>> every user?
>> # pdbedit -U $( net getlocalsid | sed 's/SID for domain YOURWORKGROUP is: //' )-500 -u Administrator -r
>>
>
> It creates the SambaSAM account attributes for the Windows network
> Administrator account. It relies on having a correct LDAP entry for the POSIX
> portion of the user account you previously migrated to LDAP from the entry:
>
> Administrator:x:0:0:Samba Admin:/root:/bin/bash
>
> This is all shown clearly in the instructions on the Fedora Wiki.
>
>
>> 8. Many HOWTOs from websites talk about PAM and NSS
>> config with ldap; do we need it, or can we skip this?
>>
>
> Absolutely essential if you use LDAP to store your POSIX accounts. This is
> clearly covered in both the HOWTO document and in the Samba3-ByExample book.
> Please let me know what is not clear in these documents.
>
>
>> 9. I can hardly find instructions on how to set up Samba as
>> PDC + Fedora-ds; please advise.
>>
>
> Well, that is not really a Samba matter - it is one covered on the Fedora site
> and by the Fedora community. If someone were to write up appropriate
> documentation I will gladly add it to the Samba3-HOWTO document.
>
>
>> Thank you and Best Regards,
>> Tom
>>
>
> I hope this helps.
>
> - John T.
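Tom's bind failure, worked through as an added example that is not part of the thread: a small Python helper that maps the error text in the smbldap.c log line to a diagnosis, and builds the ldapsearch command that tests the "ldap admin dn" from smb.conf independently of Samba (John's "did you add that object first?" and "is it listening on 389?" checks). The log lines and config excerpt are constructed from the post; the "Invalid credentials" line and the diagnosis wording are assumptions.

```python
import re
from configparser import ConfigParser

# Constructed sample: the smbldap.c bind failure from the post, plus a second
# failure line (assumed wording) to show that the LDAP error text is what
# tells the root causes apart.
SAMPLE_LOG = """\
[2008/03/11 16:18:26, 0] lib/smbldap.c:smbldap_connect_system(977)
  failed to bind to server ldap://192.168.1.7 with dn="cn=manager,dc=mycompany,dc=com" Error: No such object
  failed to bind to server ldap://127.0.0.1 with dn="cn=Directory Manager" Error: Invalid credentials
"""

# Constructed excerpt of the [global] section from the post's smb.conf.
SAMPLE_SMB_CONF = """\
[global]
passdb backend = ldapsam:ldap://192.168.1.7
ldap admin dn = cn=manager,dc=mycompany,dc=com
ldap suffix = dc=mycompany,dc=com
"""

BIND_RE = re.compile(r'failed to bind to server (\S+) with dn="([^"]*)" Error: (.*)$')

# What each LDAP bind error means for a Samba ldapsam setup and what to fix (assumed wording).
DIAGNOSIS = {
    "No such object": "the bind DN does not exist in the directory: create that entry, or point 'ldap admin dn' at an existing admin entry",
    "Invalid credentials": "the DN exists but the password stored with 'smbpasswd -w' is wrong: re-run smbpasswd -w and restart smb",
    "Can't contact LDAP server": "nothing is listening at that URL: check the directory server is up on port 389 (use ldap://127.0.0.1 if local)",
}

def triage_bind_failures(log_text):
    """Return (url, dn, error, diagnosis) for every smbldap bind failure in the log."""
    findings = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            url, dn, err = m.groups()
            findings.append((url, dn, err, DIAGNOSIS.get(err, "unknown error: check the directory server's access log")))
    return findings

def ldap_bind_check_command(smb_conf_text):
    """Build the ldapsearch call that binds as 'ldap admin dn' and reads the DN's own
    entry (base scope): this reproduces Samba's bind outside Samba, with the same
    'No such object' / 'Invalid credentials' distinction. smb.conf is INI-like;
    interpolation is disabled because real values contain %u, %m and friends."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(smb_conf_text)
    backend = cp["global"]["passdb backend"]
    if not backend.startswith("ldapsam:"):
        raise ValueError("passdb backend is not ldapsam: " + backend)
    url = backend.split(":", 1)[1].strip('"')          # "ldapsam:ldap://host" -> "ldap://host"
    dn = cp["global"]["ldap admin dn"].strip('"')
    return ["ldapsearch", "-x", "-H", url, "-D", dn, "-W", "-b", dn, "-s", "base"]
```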
