Re: [Samba] Netware 5.0 to Samba/LDAP migration
Dean, I have looked at this as well. Here is the NetWare info I have dug up. NetWare 5.1 SP5 with NDS but no eDirectory. eDirectory supposedly makes it easier to interface with LDAP, although since I am not running it I can't confirm that.

First of all, it is not possible, according to Novell, to pull passwords from NDS. They have specifically made that intentionally difficult. I would believe it is possible to write a script to check to see if the password you know is correct, but you would have to start with a password first. So if you created a script that prompted the user for a password, you could conceivably use NDS to authenticate and, upon successful authentication, use the entered password to update Samba. Obviously this would require the participation of the user base, so I don't see it as a viable solution. I only have 50 users so I won't be testing this theory :) In any case, here are two URLs that might help an admin with such a project.

http://developer.novell.com/research/devnotes/2000/june/03/dpv.htm
http://developer.novell.com/research/devnotes/1999/november/01/dpv.htm

Second, the following URL is more useful, although the way Novell created it there is no direct link to the information you want, so you have to navigate to it.

http://www.novell.com/documentation/nw5/docui/index.html

From that link you need to select Directory Services and then LDAP Configuration. Following the information contained there, I was able to configure NDS via ConsoleOne to allow plain text authentication. While I would only do this in a controlled environment, it is then possible to connect to the NDS server via OpenLDAP's ldapsearch and retrieve user information. Within the LDAP configuration in ConsoleOne you can map NDS attributes to LDAP attributes. In this way you could create an LDAP search to pull most of what you need from NDS to populate your LDAP user tree. Again, you can't pull passwords, but you could pull enough information to make LDIF records and thus keep yourself from having to hand-key user information.

Hope this helps,
Matt Pusateri

On 6/6/05, Dean Landry [EMAIL PROTECTED] wrote:

I'd like to migrate a NetWare 5.0 server to Samba and LDAP. I'm wondering how I might export the usernames, passwords, and perhaps group memberships to the destination LDAP. If I can get the data into LDIF form, I'm okay from there. Does anyone know how the passwords in NetWare 5.0 are encrypted? I hope to bring them over, but resetting the passwords is not out of the question (just inconvenient).

Thanks,
Dean

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
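An added example, not code from the thread or from Novell or Samba: a small Python script that does the step Matt describes, taking the LDIF that ldapsearch returns from an NDS server (once attributes have been mapped to LDAP names in ConsoleOne) and turning it into posixAccount user records plus posixGroup records for the destination tree. The NDS attribute names (cn, sn, givenName, fullName, mail, groupMembership), the destination suffix dc=example,dc=com, the uid/gid ranges and the sample input are all assumptions made for illustration. It deliberately emits no userPassword, since NDS does not hand the password over, so every migrated account needs a password set before it can log in.

```python
"""NDS ldapsearch output (LDIF) -> posixAccount/posixGroup LDIF for OpenLDAP.
Added example for the thread; attribute names, suffixes, id ranges and the
sample data are assumptions, not captured from a real server."""
import base64
import re

TARGET_USER_BASE = "ou=Users,dc=example,dc=com"    # assumed destination containers
TARGET_GROUP_BASE = "ou=Groups,dc=example,dc=com"
FIRST_UID = 10000   # assumed free uidNumber range
FIRST_GID = 10000   # assumed free gidNumber range
DEFAULT_GID = 513   # assumed primary group (RID of Samba's "Domain Users")

# NDS attribute (as exposed by the ConsoleOne map) -> attribute in the target tree
ATTRIBUTE_MAP = {"cn": "uid", "sn": "sn", "givenName": "givenName",
                 "fullName": "cn", "mail": "mail"}

# Constructed sample of what ldapsearch against NDS might return (base64 for UTF-8).
SAMPLE_NDS_LDIF = """\
dn: cn=jdoe,ou=Sales,o=ACME
objectClass: inetOrgPerson
cn: jdoe
sn: Doe
givenName: Jane
fullName: Jane Doe
mail: jdoe@example.com
groupMembership: cn=Sales,ou=Groups,o=ACME
groupMembership: cn=Everyone,ou=Groups,o=ACME

dn: cn=mmueller,ou=Engineering,o=ACME
objectClass: inetOrgPerson
cn: mmueller
sn:: TcO8bGxlcg==
givenName: Max
fullName:: TWF4IE3DvGxsZXI=
mail: mmueller@example.com
groupMembership: cn=Engineering,ou=Groups,o=ACME
"""

# RFC 2849 SAFE-STRING: ASCII only, no leading space, ':' or '<', no NUL/CR/LF.
SAFE_VALUE = re.compile(
    r"^(?:[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f][\x01-\x09\x0b\x0c\x0e-\x7f]*)?$")


def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})]: unfold continuation lines,
    skip comments, decode 'attr:: base64' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # a leading space continues the previous line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:             # the extra "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "::" marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def ldif_line(attr, value):
    """One LDIF line; anything outside SAFE-STRING is written base64."""
    if SAFE_VALUE.match(value) and not value.endswith(" "):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def to_ldif(entries):
    """Serialise [(dn, {attr: [values]})] to LDIF text."""
    out = []
    for dn, attrs in entries:
        out.append(ldif_line("dn", dn))
        out.extend(ldif_line(a, v) for a, vals in attrs.items() for v in vals)
        out.append("")
    return "\n".join(out)


def migrate(nds_ldif, first_uid=FIRST_UID, first_gid=FIRST_GID):
    """Return (user_entries, group_entries). No userPassword is produced:
    NDS does not expose it, so accounts need a password set after import."""
    users, groups, uid_number = [], {}, first_uid
    for _dn, attrs in parse_ldif(nds_ldif):
        login = attrs.get("cn", [""])[0]
        if not login:
            continue                      # no login name, no account
        user = {"objectClass": ["top", "inetOrgPerson", "posixAccount"],
                "uidNumber": [str(uid_number)], "gidNumber": [str(DEFAULT_GID)],
                "homeDirectory": [f"/home/{login}"], "loginShell": ["/bin/sh"]}
        for src, dst in ATTRIBUTE_MAP.items():
            if src in attrs:
                user[dst] = attrs[src]
        user.setdefault("cn", [login])    # inetOrgPerson schema requires cn and sn
        user.setdefault("sn", [login])
        users.append((f"uid={login},{TARGET_USER_BASE}", user))
        uid_number += 1
        for group_dn in attrs.get("groupMembership", []):
            name = group_dn.split(",", 1)[0].split("=", 1)[1]   # cn=Sales,... -> Sales
            groups.setdefault(name, []).append(login)
    group_entries = []
    for gid_number, (name, members) in enumerate(sorted(groups.items()), first_gid):
        group_entries.append((f"cn={name},{TARGET_GROUP_BASE}",
                              {"objectClass": ["top", "posixGroup"],
                               "gidNumber": [str(gid_number)], "memberUid": members}))
    return users, group_entries
```

Run `print(to_ldif(*map(list, migrate(SAMPLE_NDS_LDIF)) ))` style, or simply `users, groups = migrate(SAMPLE_NDS_LDIF); print(to_ldif(users + groups))`, and feed the result to ldapadd against the new directory. The Samba attributes (sambaSamAccount) are left for smbldap-tools or smbpasswd to add once each user has set a password, which is exactly the part NDS cannot supply.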
Re: [Samba] some cannot join domain
On 5/22/05, Chuck Theobald [EMAIL PROTECTED] wrote:

Hi, I have some machines (WinXP and Win2k) that cannot join my domain. Others I have joined to the domain. I am using the smbldap-tools 0.8.9 with an add machine script as follows:

add machine script = /usr/local/samba/sbin/smbldap-useradd -w %u

The LDAP entity gets created with objectClasses top, inetOrgPerson, and posixAccount. My impression is that Samba then comes along and changes the entity, turning it into an account (sambaSamAccount) object. This process has succeeded in some four machines I have tried, but other machines fail this final conversion. I get an error "The user name could not be found" at the machine. All of these machines were joined to the same domain previously run by Totalnet Advanced Server, so the machines themselves are configured to be capable of joining. The only pattern I can discern is that the machines on which this occurs have names of 8 characters or more, though a machine that did join the domain has a name of 8 characters, so I am not sure that this is relevant. Any ideas as to where I can look to begin to track this down? I can manually create the machine accounts, but am leery of doing so due to the requirement of having unique SIDs.

Thanks,
Chuck Theobald
System Administrator
The Robert and Beverly Lewis Center for Neuroimaging
University of Oregon
P: 541-346-0343
F: 541-346-0345

Chuck, I had this same problem. I would look at how your nss_ldap/nsswitch is working.

Matt
[Samba] Re: Solved: Follow Up - Problem with groups joining domain.- LDAP
Just a note for the archives. My FreeBSD nsswitch problems were being caused by a mis-configured nss_ldap.conf file. Everything indeed seems to be working properly now in FreeBSD.

On 5/5/05, Flatfender [EMAIL PROTECTED] wrote:

Follow up to original post. If I create local groups and users in /etc/passwd and /etc/group I get farther along. For instance, if I have a Samba PDC with LDAP basically like I listed in my post: if I browse from a W2K Pro box to the Samba server without the workstation having joined the domain, I can authenticate to the Samba server with a user who is not in /etc/passwd but is in LDAP. So Samba is able to do the lookup via LDAP. Now, if I create a posix group in LDAP but not in /etc/group, I cannot use net groupmap modify to modify the ntgroup to unix group mapping. But if I create the group in /etc/group then the group mapping works. This leads me to believe that the nsswitch/nss_ldap stuff in FreeBSD is either insufficient or not configured. Since there is so little to configure, I tend to lean towards nsswitch not being fully implemented.

Also, if I try to join the domain from a workstation that has neither an /etc/passwd account nor an LDAP account, joining the domain fails, but smbldap-tools creates a workstation account in LDAP with posix-only attributes and no Samba attributes. If I create the workstation account in /etc/passwd and then join the domain, then I can successfully join the domain, and smbldap-tools creates an account in LDAP, but this time with only Samba attributes and no posix attributes. I have not tested any other group/user scenarios yet.

-- Forwarded message --
From: Flatfender [EMAIL PROTECTED]
Date: Apr 21, 2005 11:04 AM
Subject: Problem with groups joining domain.- LDAP
To: samba@lists.samba.org

Software list:
FreeBSD 5.3
Samba 3.0.14a
nss_ldap-1.204_5
openldap-client-2.2.19
openldap-server-2.2.23
p5-perl-ldap-0.32.02
pam_ldap-1.7.6
smbldap-tools-0.8.8

Samba was configured with the following options: LDAP, Cups, Winbind, utmp, popt, acl, quotas, msdfs, syslog, without_ADS. I have also tried winbind_nss, which I believe is a FreeBSD wrapper around the Linux implementation of winbindd, but it yielded the same results.

1. ldapadd/ldapsearch w/TLS is working fine.
2. smbldap-tools work. smbldap-populate and smbldap-migrate-unix-accounts/groups work. smbldap-useradd works.
3. smbpasswd -w has been set.

What fails is joining a machine to the domain. I get "the domain password is incorrect"; the workstation account is created, but with posix attributes only, no Samba attributes.

Problems with groups: I have to add a group to the local /etc/group file, which I don't think I should have to do, but maybe this is a FreeBSD nsswitch bug? Can anyone confirm this?

pw group add domadmins
smbldap-groupadd -a domadmins - adds to ldap fine.
net groupmap modify ntgroup="Domain Admins" unixgroup=domadmins

This fails with the following error message (and I get the same error message if the -a is omitted from smbldap-groupadd):

passdb/pdb_ldap.c:ldapsam_update_group_mapping_entry(2665)
ldapsam_update_group_mapping_entry: No group to modify!
Could not update group database

net groupmap list shows all groups that are in LDAP. What I suspect is that group lookups are failing somehow, but I'm not sure. Also, if I browse through Network Neighborhood to the Samba PDC server, I can authenticate with an ordinary user and get the user's home dir. So users seem to be working.

snipped.
[Samba] Slightly OT: smbldap-tools/perl problem
Hello, I'm running CentOS 4 and installed smbldap-tools from Dag's repository. I configured smbldap.conf, but get the following error trying to populate the directory. Anyone seen this before or have any suggestions? I tried uninstalling perl-Convert-ASN1 and reinstalling, but it didn't help.

smbldap-populate -a root -k 0 -m 0
Populating LDAP directory for domain TESTDOM (S-1-5-21-230766447-445193678-2399177566)
(using builtin directory structure)
Use of uninitialized value in string at /usr/sbin///smbldap_tools.pm line 260.
Use of uninitialized value in string at /usr/sbin///smbldap_tools.pm line 260.
Bad ASN PDU at /usr/lib/perl5/vendor_perl/5.8.5/Convert/ASN1/IO.pm line 178, <GEN1> line 2.

Thanks,
Matt
Re: [Samba] can't get samba 3.0.14a to work with ldap
On 4/22/05, rich foo [EMAIL PROTECTED] wrote:

Hi... If you have successfully gotten Samba 3.0.14a (or any other recent Samba version) to work with LDAP, can you perhaps email me your various config files so I can figure out what I am doing wrong? Any help would be greatly appreciated. I've tried everything I can think of, but I can't get Samba 3.0.14a to work with LDAP. The LDAP server seems to be working and smbclient seems to work for Administrator but not anyone else, but I can't join any machines to the domain (XP has given me many different errors, but the most recent is "the specified network name is no longer available"). I am assuming that posting long messages with every config file attached is probably not going to win me any friends, so I have put them on the web at http://thor.ssfs.org/samba/

Thanks in advance,
Rich

Try creating a user with the -a switch to smbldap-useradd.

Matt
[Samba] Problem with groups joining domain.- LDAP
Software list:
FreeBSD 5.3
Samba 3.0.14a
nss_ldap-1.204_5
openldap-client-2.2.19
openldap-server-2.2.23
p5-perl-ldap-0.32.02
pam_ldap-1.7.6
smbldap-tools-0.8.8

Samba was configured with the following options: LDAP, Cups, Winbind, utmp, popt, acl, quotas, msdfs, syslog, without_ADS. I have also tried winbind_nss, which I believe is a FreeBSD wrapper around the Linux implementation of winbindd, but it yielded the same results.

1. ldapadd/ldapsearch w/TLS is working fine.
2. smbldap-tools work. smbldap-populate and smbldap-migrate-unix-accounts/groups work. smbldap-useradd works.
3. smbpasswd -w has been set.

What fails is joining a machine to the domain. I get "the domain password is incorrect"; the workstation account is created, but with posix attributes only, no Samba attributes.

Problems with groups: I have to add a group to the local /etc/group file, which I don't think I should have to do, but maybe this is a FreeBSD nsswitch bug? Can anyone confirm this?

pw group add domadmins
smbldap-groupadd -a domadmins - adds to ldap fine.
net groupmap modify ntgroup="Domain Admins" unixgroup=domadmins

This fails with the following error message (and I get the same error message if the -a is omitted from smbldap-groupadd):

passdb/pdb_ldap.c:ldapsam_update_group_mapping_entry(2665)
ldapsam_update_group_mapping_entry: No group to modify!
Could not update group database

net groupmap list shows all groups that are in LDAP. What I suspect is that group lookups are failing somehow, but I'm not sure. Also, if I browse through Network Neighborhood to the Samba PDC server, I can authenticate with an ordinary user and get the user's home dir. So users seem to be working.

Here is my smb.conf, my smbldap.conf and my ldap.conf.

serf# testparm -s
Load smb config files from /usr/local/etc/smb.conf
Processing section [homes]
Processing section [netlogon]
Processing section [Profiles]
Processing section [printers]
Loaded services file OK.
# Global parameters
[global]
	dos charset = 850
	unix charset = ISO8859-1
	workgroup = IMSDOM
	server string = Samba Server [%v]
	map to guest = Bad User
	passdb backend = ldapsam:ldap://serf.ims-tpa.com
	username map = /usr/local/etc/smbusers
	log level = 5
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 50
	time server = Yes
	deadtime = 10
	printcap name = /etc/printcap
	add user script = /usr/local/sbin/smbldap-useradd -m %u
	add group script = /usr/local/sbin/smbldap-groupadd -p %g
	add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
	delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
	set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u
	add machine script = /usr/local/sbin/smbldap-useradd -w %u
	logon path =
	logon drive = T:
	logon home = \\%L\home\%u
	domain logons = Yes
	os level = 33
	preferred master = Yes
	domain master = Yes
	dns proxy = No
	wins support = Yes
	ldap admin dn = cn=Manager,dc=ims-tpa,dc=com
	ldap delete dn = Yes
	ldap group suffix = ou=Groups
	ldap machine suffix = ou=Users
	ldap passwd sync = Yes
	ldap suffix = dc=ims-tpa,dc=com
	ldap ssl = start tls
	ldap user suffix = ou=Users
	idmap backend = ldap:ldap://serf.ims-tpa.com
	idmap uid = 1000-2
	idmap gid = 1000-2
	winbind separator = ^
	printer admin = @Print Operators
	create mask = 0640
	directory mask = 0750
	hosts allow = 192.168.0., 127.
	nt acl support = No
	case sensitive = No
	dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

[homes]
	comment = Home Directories
	read only = No
	browseable = No

[netlogon]
	comment = Network Logon Service
	path = /usr/local/samba/netlogon
	guest ok = Yes
	share modes = No

[Profiles]
	path = /usr/local/samba/profiles
	read only = No
	guest ok = Yes
	browseable = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No

serf# less /usr/local/etc/smbldap-tools/smbldap.conf
# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.17 2005/01/29 15:00:54 jtournier Exp $

# General Configuration
SID=S-1-5-21-1642798596-2503770835-627191294

##
#
# LDAP Configuration
#
##

# Ex: slaveLDAP=127.0.0.1
# slaveLDAP=127.0.0.1
# slavePort=389

# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
# masterLDAP=127.0.0.1
masterLDAP=serf.ims-tpa.com
masterPort=389
ldapTLS=1
verify=require
cafile=/usr/local/certs/cacert.pem
clientcert=
clientkey=
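An added example, not from the thread and not Samba's own code: a Python script that parses an smb.conf in the layout testparm prints above and flags a few settings that matter on a PDC with an LDAP passdb. Two checks are worth having when reviewing a file like the one posted: a share that is both writable and open to guests (the [Profiles] section above has read only = No together with guest ok = Yes, so any host that hosts allow admits can alter roaming profiles), and an ldapsam backend over ldap:// with ldap ssl explicitly turned off, which sends the ldap admin dn bind in the clear. The sample configuration is constructed for the example (same section names as the post, example.com names) and is not the poster's file; the [public] share is added only to exercise the writeable synonym.

```python
"""Parse smb.conf and flag a few PDC-with-LDAP settings worth a second look.
Added example, not from the list; SAMPLE_SMB_CONF is constructed test data."""
import re

SAMPLE_SMB_CONF = """\
# Global parameters
[global]
    workgroup = IMSDOM
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap admin dn = cn=Manager,dc=example,dc=com
    ldap ssl = start tls
    add machine script = /usr/local/sbin/smbldap-useradd -w %u
    map to guest = Bad User
    hosts allow = 192.168.0., 127.

[homes]
    read only = No
    browseable = No

[netlogon]
    path = /usr/local/samba/netlogon
    guest ok = Yes
    share modes = No

[Profiles]
    path = /usr/local/samba/profiles
    read only = No
    guest ok = Yes
    browseable = No

[public]
    path = /srv/public
    writeable = yes
    guest ok = yes
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}. Parameter names are lower-cased
    with single spaces, as testparm prints them; '#'/';' comment lines and
    blank lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_true(value):
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(params):
    """Samba spells it several ways; 'read only = No' is what testparm prints,
    'writable', 'writeable' and 'write ok' are its inverted synonyms."""
    if "read only" in params:
        return not is_true(params["read only"])
    for synonym in ("writable", "writeable", "write ok"):
        if synonym in params:
            return is_true(params[synonym])
    return False                          # Samba's default is read only = Yes


def lint(sections):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    g = sections.get("global", {})
    # 'ldap admin dn' binds with the password kept in secrets.tdb; over a plain
    # ldap:// URL with 'ldap ssl' switched off that bind crosses the wire in
    # the clear. Absence of the parameter is not flagged here because the
    # default depends on the Samba version (check it with testparm -v).
    ssl = g.get("ldap ssl", "").lower()
    if "ldapsam:ldap://" in g.get("passdb backend", "") and ssl and \
            ssl not in ("start tls", "start_tls", "on"):
        findings.append("global: ldapsam over ldap:// without 'ldap ssl = start tls'")
    if "hosts allow" not in g:
        findings.append("global: no 'hosts allow'; any reachable host may connect")
    for name, params in sections.items():
        if name == "global":
            continue
        # 'public' is Samba's synonym for 'guest ok'.
        guest = any(is_true(params.get(k, "no")) for k in ("guest ok", "public"))
        # Writable plus guest means any admitted host can drop or alter files
        # (for a profiles share, other users' roaming profiles).
        if guest and share_is_writable(params):
            findings.append(f"[{name}]: writable share with 'guest ok = Yes'")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```

Point it at the real file with `lint(parse_smb_conf(open("/usr/local/etc/smb.conf").read()))`; running it on `testparm -s` output works just as well, since that is the fully expanded form with synonyms already normalised to `read only`.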
Re: [Samba] Repeat Review Request
On 4/14/05, John H Terpstra [EMAIL PROTECTED] wrote:

Folks, I like criticism! Please give me lots of it - particularly in respect of the updated Samba-Guide. It should now be up on the Samba mirror sites. You can download it from: http://www.samba.org/samba/docs/Samba-Guide.pdf I have incorporated all feedback into this book. Did I get it right this time or should I give up? So far, not a word of feedback is deafening! Is it worth my effort to continue updating this book or is this a waste of time?

- John T.
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

John, it is certainly not a waste of time! As regards the Samba-Guide, the flow seems fine and things are in a logical order. A quick perusal of the Samba update process seems good, although I need to read it again. One chapter I was disappointed in was the NetWare migration chapter. I guess I was expecting some way to extract the NetWare info, even if it was from a third party. This chapter basically just seemed to reiterate building a server from scratch and asking the user what their password was? Maybe I missed something. In any case, I for one appreciate all your effort. I bought a copy of The Official Samba-3 HOWTO Reference when it first came out. I am still working through both guides and hope to be able to give you more feedback. I'm not sure right now if the problems I'm having are related to lack of info, distribution choice (FreeBSD) or just density on my part. Again, thank you for your effort and contributions, especially how many questions you answer on the mailing list. A big kudos to the whole Samba team for their mailing list participation.

Matt Pusateri
[Samba] PDC Problems(winbind, joining domain, net groupmap, etc), FreeBSD 5.3, LDAP
Goal: Have Samba operate as a PDC using LDAP as its passwd backend. Be able to have W2K servers as member servers.

Note: I have not posted any .conf files, because I'm not sure which files would be relevant to see, since some things are working and some things are not.

Software list:
Samba 3.0.12
nss_ldap-1.204_5
openldap-client-2.2.19
openldap-server-2.2.23
p5-perl-ldap-0.32.02
pam_ldap-1.7.6
smbldap-tools-0.8.8

What works: OpenLDAP seems to be working fine, and I can use SSH and IMAP with LDAP user credentials. ldapsearch works with STARTTLS. The smbldap scripts from IDEALX seem to work (also with STARTTLS). smbldap-populate worked fine, as well as smbldap-useradd. If I browse Network Neighborhood with a W2K client I can authenticate to a user's home share that is in LDAP.

What doesn't work: wbinfo -g shows:

BUILTIN^administrators
BUILTIN^account operators
BUILTIN^print operators
BUILTIN^backup operators
BUILTIN^replicators

I would have expected it to show the domain name instead of BUILTIN, which makes me think the LDAP lookup is failing. wbinfo -u shows:

Error looking up domain users

Also, when I try to join a W2K Pro workstation to the domain using the root account/password, it fails with "the username cannot be found" error message. But the add machine script partially works: smbldap-useradd -w adds the posix attributes to the LDAP directory but the Samba attributes are missing. I have workstations being added to the ou=computer section in LDAP, and I have my ldap.conf and nss_ldap.conf set to point to a level above ou=Users and ou=computers for the passwd side of things, so that they should be properly found when descending the LDAP tree. Trying to add or modify group mappings with net groupmap add or net groupmap modify fails. Since getent isn't implemented in FreeBSD, I am using pw group show -a and pw user show -a. This enumerates local files but nothing from LDAP.

One thing I have noticed about the IDEALX smbldap scripts is that they will write a partial record to LDAP even if part of the script fails. Also, I thought I read at one point that the nsswitch implementation in FreeBSD is missing some components, so users and groups still need to be in the local /etc/group and /etc/passwd files. Can anyone confirm the status of this? I think I am a little unsure of how to handle both Unix and NT groups in an LDAP implementation. If anyone has any ideas on where to begin troubleshooting this, I would appreciate it.

Thank You,
Matt
Re: [Samba] Samba PDC + LDAP without local Unix accounts?
Related to this topic, I haven't followed the developments in Samba/FreeBSD for 6 months or so. Does Samba 3.0.10/FreeBSD 5.3 work with LDAP/NSSwitch/Winbind? I know at one point the getgrent/getpwent stuff didn't work, so you couldn't enumerate native Windows groups. Has all this been fixed? I would like to begin building a new Samba box but don't want to waste my time on this combination only to find out it still doesn't work.

Thank you,
Matt Pusateri

On Wed, 19 Jan 2005 22:05:56 -0500, Adam Tauno Williams [EMAIL PROTECTED] wrote:

We are trying to use Samba 3.0.10 running on FreeBSD 5.3 to replace a legacy NT4 PDC. Our goal is to use LDAP to centralize all user information and authentication on the network. To that end, we've set up Samba to use LDAP for authentication of all the Windows users. This is working, but Samba seems to require that all Windows accounts have a matching Unix account as well.

YES

This would be fine, except that all of the user profile directories and Samba shares are hosted on a separate machine, making the Unix accounts superfluous. (As far as I know.) If at all possible, we'd like to avoid having to maintain user accounts on both the LDAP server and the Samba PDC. I had entertained the idea of using an LDAP PAM module to simulate the Unix accounts, but this is looking more and more like the wrong way to go about it, as PAM seems tied strictly to authentication and Samba already handles that part.

You're confusing PAM and NSS.

So to summarize, I'd like to know if a Samba PDC can authenticate users via an LDAP backend without having to contain local Unix accounts for those users as well.

You need to have a 'Unix' account; but you're using LDAP, so it doesn't need to be 'local'.

I confess to not being a Windows or Samba guru, but I have read a lot of documentation and none of it has shed any light on this particular problem. If there's an easy and obvious way to do this, it has eluded me.

NSS, you probably don't need PAM.