Re: [Samba] LDAP Idmap
Shannon Johnson [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
05.08.2004 22:59
To: [EMAIL PROTECTED]
cc:
Subject: [Samba] LDAP Idmap

Hi shannon,

a good start you'll find at www.idealx.org. There is a very good docu on how to set up samba3-LDAP. If you then run into problems, ask the list.

Chris

I'm having quite a bit of trouble getting an LDAP directory set up for the idmap backend for winbind. I've been working on it for quite a while, and haven't found any very helpful websites or anything. I've found quite a bit on how to set up a PDC using LDAP, which would be nice, but I already have the PDC... I just need LDAP to host UID's and GID's.

The things I'd like to know are:

1. What should the rootdn, suffix, and indexes be in the slapd.conf? I think that the rootdn needs to match what I put in the smb.conf for the ldap admin dn, and I'm fairly sure the suffix needs to match the ldap suffix from the smb.conf... I don't have any idea about the indexes.

2. What needs to be in the ldif file to create the directory properly? I've tried several that I've found online, both from the Samba 3 By Example book, and lots of forum / mailing list posts. I'm not sure if what I've tried has been correct, but it hasn't worked yet, and this is one part I'm not sure about.

3. I think that once I get the first 2 things worked out, I just set about 6 things in my smb.conf (ldap suffix, ldap admin dn, idmap backend (which should point to ldap:ldap://127.0.0.1, if the server is running on the same machine, right?), ldap idmap suffix, idmap uid, and idmap gid), enter my password from the smbpasswd -w command, and once I restart winbind, it should automatically start filling up the directory, right?

4. Once I get the server going and filled up with UID's and GID's, for the clients, am I correct in saying that I alter the smb.conf to include the ldap suffix, ldap admin dn, idmap backend, ldap idmap suffix, idmap uid, and idmap gid, then again enter my password via smbpasswd -w, change /etc/nsswitch.conf to be passwd files ldap instead of passwd files winbind, and it should work?

This isn't documented very well anywhere, so I'd appreciate any hints or suggestions anybody might have...

Shannon

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba3 GPO
Derek Harkness [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03.08.2004 20:01
To: [EMAIL PROTECTED]
cc:
Subject: Re: [Samba] Samba3 GPO

Hi Derek,

I'll tell you when I find another suggestion.

I currently use Poledit to create an ntconfig.pol which works well. Of course poledit sucks major butt. So if you've got another suggestion I'd love to hear it.

Derek

On Aug 3, 2004, at 11:48 AM, [EMAIL PROTECTED] wrote:

[Samba] Samba3 GPO
Hi @all,

I have some questions I can't find an explanation for. I have a standalone Samba3 as PDC. It works perfectly with LDAP. Now I want to implement Policies.

1) Is it possible to use GPO from ads? And if so, where to store these policies?

2) Or can I only use policies created with poledit from NT4, which should be stored in NETLOGON?

Any help or links about this would be appreciated.

Thanks
Christian Wittmer

Re: [Samba] Samba 3 + LDAP as PDC join domain problem
Jacky C.K Tsoi [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
30.07.2004 06:45
To: [EMAIL PROTECTED]
cc:
Subject: [Samba] Samba 3 + LDAP as PDC join domain problem

Hi all,

I've set up Samba 3.0.5 + OpenLDAP (ldapsam) and everything works correctly. However, when my Windows 200x workstation joins the domain, I need to join it twice. Here is what I do:

1. Go to Computer properties - Computer Name - Change
2. Enter the new domain name
3. Enter Administrator and password

Then it will return me that the user name cannot be found.

I had the same problem. Are you using NIS or only LDAP as backend? Do you use different OU's for Users and Machines (e.g. ou=People and ou=Machines)? If not using NIS, check /etc/ldap.conf and comment as follows

#nss_base_shadow
#nss_base_passwd

because if you're using different OU's and have the above two lines uncommented, the machine you want to join will be searched in ou=People, and that's why you get a "User not found". By commenting the two nss_... lines, the machine you want to join will then be searched in the correct OU, and there will be no error anymore in joining a machine to DOMAIN.

I've checked the LDAP directory that the computer account is created successfully without any problem. So, I click OK again and enter the Administrator account password again, and it succeeds.

Set your LDAP to a higher LOGLEVEL and you will see what I tried to explain.

So, I'd like to know, why I need to do it twice even though the computer account is already created successfully the first time? Thanks a lot.

No Matter
Christian

---
Jacky C.K Tsoi

Re: [Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED
abebe lsslp [EMAIL PROTECTED]
30.07.2004 01:35
To: [EMAIL PROTECTED]
cc:
Subject: Re: [Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED

Hey Christian,

Thanks for your response and your willingness to help me out! However, I am so excited to tell you that I have been able to join the domain for right now. As you said, commenting out root=administrator in '/etc/samba/smbusers' and then 'smbpasswd -a administrator' fixed the problem.

#nss_base_passwd ou=People,dc=icw,dc=com?sub # uncomment when using NIS
#nss_base_shadow ou=People,dc=icw,dc=com?sub # uncomment when using NIS

:)) Don't you have to have the n 'nss_base_shadow'?

Only when you're using NIS. The problem is that when joining a Machine to the Domain, samba searches in ou=People because of nss_base_shadow|passwd. And I read this in the smbldap-tools Mailinglist (www.idealx.org).

nss_base_group ou=Groups,dc=icw,dc=com?sub
nss_base_hosts ou=Machines,dc=icw,dc=com?sub

What version did the samba team fix the ou= Machines for hosts?

I started to manage LDAP with LAM and there are Machines and not Computers, so I stayed on Machines. Now I make quick mods on LDAP with phpMyLDAPAdmin, it's great.

I will contact you if I have trouble with this as I configure Samba+LDAP on the production box.

OK

Thanks again,
Ambex

Chris

Re: [Samba] Re: Samba3 - LDAP - USRMGR.EXE
Jim C. [EMAIL PROTECTED]
29.07.2004 21:09
To: [EMAIL PROTECTED]
cc:
Subject: Re: [Samba] Re: Samba3 - LDAP - USRMGR.EXE

It may have been fixed but in 3.0.2a there is a bug having to do with the users OU. Due to this bug, we have to put users and machines in the same OU. Can't wait till they fix that one.

I'm using 3.0.4. And it works fine for me with two OU's, ou=Machines and ou=People

Chris

Jim C. [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
28.07.2004 18:05
To: [EMAIL PROTECTED]
cc:
Subject: [Samba] Re: Samba3 - LDAP - USRMGR.EXE

Post your add user script line from smb.conf. You might be missing a flag or something.

add user script = smbldap-useradd -m %u

My line was correct but /etc/ldap.conf was not. The problem was that LDAP searches the Machine in ou=People but it should search in ou=Machines. So I had to modify /etc/ldap.conf as follows:

---snip
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=icw,dc=com?sub
#nss_base_shadow ou=People,dc=icw,dc=com?sub
nss_base_group ou=Groups,dc=icw,dc=com?sub
nss_base_hosts ou=Machines,dc=icw,dc=com?sub

I needed to comment nss_base_passwd, nss_base_shadow (not using NIS, Jerome Tournier). Now it works without any problems.

Thanks
Christian

--
I can be reached on the following Instant Messenger services:
MSN: [EMAIL PROTECTED] AIM: WyteLi0n ICQ: 123291844
Y!: j_c_llings Jabber: [EMAIL PROTECTED]

Re: [Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED
abebe lsslp [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
28.07.2004 22:11
To: Samba Samba [EMAIL PROTECTED]
cc:
Subject: Re: [Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED

Back to the real deal... I have decided not to assume anything and to take it step by step :)

Craig..I have followed your advice and I am using 'people' instead of 'Computers'.

OK, if you store Computers and Users in ou=People that's ok

NOTE:
- Have 'root= administrator' in /etc/samba/smbusers

no remove it

- Have done the appropriate changes to the xp registry

You do not need any modifications

[EMAIL PROTECTED] root]# smbldap-usershow administrator
dn: uid=Administrator,ou=Users,dc=wbcoll,dc=edu

I think you use ou=People ?!

cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSAMAccount,posixAccount,shadowAccount
gidNumber: 512
uid: Administrator
uidNumber: 0
homeDirectory: /home/
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\EAGLEX\homes
sambaHomeDrive: H:
sambaPrimaryGroupSID: S-1-5-21-3864350619-1217412381-2490860374-512
sambaSID: S-1-5-21-3864350619-1217412381-2490860374-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaAcctFlags: [U]
sambaPwdMustChange: 1098811932
sambaLMPassword: F70389E8F4B94063AAD3B435B51404EE
sambaPwdLastSet: 1091035932
sambaNTPassword: 60BED106E19D7A3F919FA1919125FFBA
userPassword: {SSHA}3zMR3Ds/5knGujxtByOIYPjl0mVBhJgr

ERROR: (having trouble joining XP (xptest) to domain).
The following error occured attempting to join the domain AGUILAS: 'Access is denied.'

Error is shown in the LOG

And here is part of the error message in 'xptest.log':

[2004/07/28 13:59:39, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [EMAIL PROTECTED] with the new password interface
[2004/07/28 13:59:39, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [EMAIL PROTECTED]

Here is the error. Remove usermapping in smbusers. Administrator should not be mapped to root !!!

[2004/07/28 13:59:39, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/07/28 13:59:39, 3] smbd/uid.c:push_conn_ctx(364)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/07/28 13:59:39, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/07/28 13:59:39, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/07/28 13:59:39, 3] auth/auth_sam.c:check_sam_security(202)
  check_sam_security: Couldn't find user 'root' in passdb file.
[2004/07/28 13:59:39, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [AGUILAS] was for this SAM.
[2004/07/28 13:59:39, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [administrator] - [root] FAILED with error NT_STATUS_NO_SUCH_USER
[2004/07/28 13:59:39, 3] smbd/sesssetup.c:do_map_to_guest(41)
  No such user administrator [AGUILAS] - using guest account

QUESTION:

1) Do I have to add 'smbpasswd -a root' or 'smbpasswd -a administrator'?

No. See comment in LOG

2) NT_STATUS_NO_SUCH_USER ? 'pdbedit -LV administrator' shows that the user exists

Try 'smbclient -L [YOURHOST] -UAdministrator%password' where password is the password you gave Administrator; you can check if you can access shares on your samba

3) do 'root' and 'administrator' have to have the same password?

No, Administrator only needs to have the uid=0, and he has it.

If you have 2 OUs, one for Users and one for Computers, then you need to have /etc/ldap.conf as follows. This is a must-have when not using NIS.

#
# This is the configuration file for the LDAP nameservice
# switch library, the LDAP PAM module and the shadow package.
#
.snip
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=icw,dc=com?sub # uncomment when using NIS
#nss_base_shadow ou=People,dc=icw,dc=com?sub # uncomment when using NIS
nss_base_group ou=Groups,dc=icw,dc=com?sub
nss_base_hosts ou=Machines,dc=icw,dc=com?sub

When any other questions come along, just mail me.

Christian

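The failure pointed out in the log above (a name rewritten by the user map to an account that is not in the passdb) can be picked out of smbd logs mechanically. This is an added example, not code from the thread or from Samba; the sample log is constructed from the lines quoted in the message plus one constructed unmapped failure for contrast.

```python
import re

# smbd writes each record as a header line followed by an indented message.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +\d+\] (\S+)$")
# Matches "[requested] -> [mapped]"; a bare "-" is also accepted because the
# arrow appears that way in the log as quoted in the thread.
AUTH_FAIL = re.compile(r"Authentication for user \[([^\]]*)\] ->? \[([^\]]*)\] "
                       r"FAILED with error (NT_STATUS_\w+)")
NOT_IN_PASSDB = re.compile(r"Couldn't find user '([^']*)' in passdb file")

def records(log_text):
    """Yield (timestamp, source, message) for every message line."""
    ts = src = None
    for line in log_text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            ts, src = m.group(1), m.group(2)
        elif ts and line:
            yield ts, src, line

def mapped_user_failures(log_text):
    """Auth failures where the requested name was rewritten to another account."""
    missing, findings = set(), []
    for ts, src, msg in records(log_text):
        m = NOT_IN_PASSDB.search(msg)
        if m:
            missing.add(m.group(1).lower())
            continue
        m = AUTH_FAIL.search(msg)
        if m and m.group(1).lower() != m.group(2).lower():
            findings.append({
                "time": ts, "source": src,
                "requested": m.group(1), "mapped": m.group(2),
                "status": m.group(3),
                # True when smbd already reported the mapped name as absent.
                "mapped_missing_from_passdb": m.group(2).lower() in missing,
            })
    return findings

# Constructed sample: first two records follow the thread, the third is made up.
SAMPLE_LOG = """\
[2004/07/28 13:59:39, 3] auth/auth_sam.c:check_sam_security(202)
  check_sam_security: Couldn't find user 'root' in passdb file.
[2004/07/28 13:59:39, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [administrator] - [root] FAILED with error NT_STATUS_NO_SUCH_USER
[2004/07/28 14:02:10, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [jdoe] -> [jdoe] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

if __name__ == "__main__":
    for f in mapped_user_failures(SAMPLE_LOG):
        print(f["time"], f["requested"], "->", f["mapped"], f["status"],
              "(mapped account not in passdb)" if f["mapped_missing_from_passdb"] else "")
```
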
Re: [Samba] Re: Samba3 - LDAP - USRMGR.EXE
Jim C. [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
28.07.2004 18:05
To: [EMAIL PROTECTED]
cc:
Subject: [Samba] Re: Samba3 - LDAP - USRMGR.EXE

Post your add user script line from smb.conf. You might be missing a flag or something.

add user script = smbldap-useradd -m %u

My line was correct but /etc/ldap.conf was not. The problem was that LDAP searches the Machine in ou=People but it should search in ou=Machines. So I had to modify /etc/ldap.conf as follows:

---snip
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=icw,dc=com?sub
#nss_base_shadow ou=People,dc=icw,dc=com?sub
nss_base_group ou=Groups,dc=icw,dc=com?sub
nss_base_hosts ou=Machines,dc=icw,dc=com?sub

I needed to comment nss_base_passwd, nss_base_shadow (not using NIS, Jerome Tournier). Now it works without any problems.

Thanks
Christian

--
I can be reached on the following Instant Messenger services:
MSN: [EMAIL PROTECTED] AIM: WyteLi0n ICQ: 123291844
Y!: j_c_llings Jabber: [EMAIL PROTECTED]

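Why commenting out nss_base_passwd and nss_base_shadow lets the machine account be found, as an added example that is not part of any message in the thread: it parses the `nss_base_XXX base?scope?filter` syntax quoted above and checks whether a passwd lookup can reach a given DN. The `base` line, the two sample DNs and the fallback to the default base with scope sub are assumptions of this sketch.

```python
# Added example, not from the thread. Simplifications (assumptions): DNs are
# compared as comma-split, lower-cased RDN lists (no escaped commas), and a map
# without an nss_base_ line searches the default `base` with scope sub.

def _rdns(dn):
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def parse_ldap_conf(text):
    """Return (default_base, {map: (base_dn, scope)}) from ldap.conf text."""
    default_base, maps = "", {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops comments and disabled lines
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue
        key, value = fields[0], fields[1].strip()
        if key == "base":
            default_base = value
        elif key.startswith("nss_base_"):
            # Syntax quoted in the thread: nss_base_XXX base?scope?filter
            parts = value.split("?")
            scope = parts[1] if len(parts) > 1 and parts[1] else "sub"
            maps[key[len("nss_base_"):]] = (parts[0], scope)
    # "You can omit the suffix": a base ending in "," gets the default base appended.
    maps = {m: (b + default_base if b.endswith(",") else b, s)
            for m, (b, s) in maps.items()}
    return default_base, maps

def in_scope(entry_dn, base_dn, scope):
    entry, base = _rdns(entry_dn), _rdns(base_dn)
    if scope == "base":
        return entry == base
    if scope == "one":
        return entry[1:] == base
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def lookup_covers(conf_text, map_name, entry_dn):
    """True if an NSS lookup in map_name (e.g. 'passwd') can reach entry_dn."""
    default_base, maps = parse_ldap_conf(conf_text)
    base, scope = maps.get(map_name, (default_base, "sub"))
    return in_scope(entry_dn, base, scope)

# Constructed sample: the thread's suffix and OUs; `base` line and DNs are assumed.
RESTRICTED = """\
base dc=icw,dc=com
nss_base_passwd ou=People,dc=icw,dc=com?sub
nss_base_shadow ou=People,dc=icw,dc=com?sub
nss_base_group  ou=Groups,dc=icw,dc=com?sub
nss_base_hosts  ou=Machines,dc=icw,dc=com?sub
"""
FIXED = (RESTRICTED.replace("nss_base_passwd", "#nss_base_passwd")
                   .replace("nss_base_shadow", "#nss_base_shadow"))
MACHINE = "uid=xptest$,ou=Machines,dc=icw,dc=com"
USER = "uid=jdoe,ou=People,dc=icw,dc=com"

if __name__ == "__main__":
    for label, conf in (("restricted", RESTRICTED), ("commented out", FIXED)):
        print(label, "| machine found:", lookup_covers(conf, "passwd", MACHINE),
              "| user found:", lookup_covers(conf, "passwd", USER))
```
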
Re: [Samba] Joining Domain
[EMAIL PROTECTED] (gbengadada)
Sent by: [EMAIL PROTECTED]
29.07.2004 11:42
To: [EMAIL PROTECTED]
cc:
Subject: [Samba] Joining Domain

Good Day,

I downloaded samba-2.2.9, installed and configured it on a Solaris 5.7 system. I have configured it as a PDC, however whenever I try to join the domain I have created, Windows asks that I enter a username and password authorized to join systems to the domain. Normally with a Windows 2000 server entering the administrator's username and password will do it, however I get this error message:

The following error occured attempting to join the domain sambadomain.net: Logon failure:unknown user name or bad password.

How can I correct this error?

If you try to use Administrator for joining a machine to the domain, you should have a User Administrator on the Unix side with uid=0. And don't forget to add Administrator to smbpasswd if you use this file as backend. Then it should work.

Thanks for your anticipated co-operation

No problem.
Christian

Re: [Samba] Re: Samba3 - LDAP - USRMGR.EXE
Kang Sun [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
27.07.2004 16:00
To: [EMAIL PROTECTED]
cc:
Subject: [Samba] Re: Samba3 - LDAP - USRMGR.EXE

Hi Kang Sun,

Just a hunch, I did not test myself. In your smb.conf, did you set the add user script to add posix account as well as Windows account? If so, there might be a problem. From what I read and understand, the script is supposed to add the Posix account only, and samba will add the Windows account. If the Windows account is

I tested it and if I add a user via USRMGR there is only a posix account in LDAP, but samba did not add the samba specific data to ldap. I only get an error like "User not found". And I could not find any error in log.smbd.

added by the add user script, then Samba has to delete it or modify it, which it might not have the privilege or some error comes up that does not mean what it says. Hope this helps!

Any other idea?

Thanks
Chris

Re: [Samba] Changing password problem
Hi stephane,

did you try

ldap passwd sync = yes

for me it worked.

Christian Wittmer
Büro/Office: +49 (0) 6227/385-120
Email: [EMAIL PROTECTED]
InterComponentWare AG
Otto-Hahn-Strasse 3
69190 Walldorf
Zentrale/Main: +49 (6227) 385-100
http://www.intercomponentware.com
http://www.lifesensor.com

[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
27.07.2004 12:49
To: [EMAIL PROTECTED]
cc:
Subject: [Samba] Changing password problem

Hi,

When a client tries to change password: if sambaPwdCanChange = 2147483647 and sambaPwdMustChange = 1090923529 (for example), Samba would not change the password. I can find in the log:

user xxx cannot change password now, must wait until ven, 13 déc 1901 21:45:51 GMT

But if I set the sambaPwdCanChange to 0, the password is changed, but the sambaPwdMustChange is not updated to the next date.

I use LDAP and password policy. The unix password sync = no

Can anyone answer this problem?

Thank you
Stéphane Purnelle

---
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique
Corman S.A.
Tel : 00 32 087/342467

Re: [Samba] Samba3 - LDAP - USRMGR.EXE
boka [EMAIL PROTECTED]
27.07.2004 12:50
To: [EMAIL PROTECTED]
cc:
Subject: Re: [Samba] Samba3 - LDAP - USRMGR.EXE

could You send me solution if You will get any ?

sure, if I'll have one.

greetz
chris