Re: [Samba] Samba + LDAP integration
Hi, and thanks so much for your help. Just can't seem to get out of this quagmire. Did quite some reading and followed your advice. But now I still get to the same point of failing to add computers. Samba *logs* say there is no connection, but I can telnet to my LDAP server on localhost:389.

smbd.log

[2008/07/31 15:06:09, 0] smbd/server.c:main(948)
  smbd version 3.0.28-1.el5_2.1 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2007
[2008/07/31 15:13:24, 0] smbd/server.c:main(948)
  smbd version 3.0.28-1.el5_2.1 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2007
[2008/07/31 15:47:27, 0] lib/util_sock.c:get_peer_addr(1224)
  getpeername failed. Error was Transport endpoint is not connected
[2008/07/31 15:47:27, 0] lib/util_sock.c:get_peer_addr(1224)
  getpeername failed. Error was Transport endpoint is not connected

Tried to redirect LDAP logs to /var/log/ without success.

These are my *config* files; I don't seem to be able to see any error.

*/etc/ldap.conf*
--
host letter.example.org
base dc=letter,dc=example,dc=org
binddn cn=config
bindpw mysecret
rootbinddn uid=zimbra,cn=admins,cn=zimbra
port 389
timelimit 120
bind_timelimit 120
bind_policy soft
idle_timelimit 3600
nss_base_passwd ou=people,dc=letter,dc=example,dc=org?one
nss_base_shadow ou=people,dc=letter,dc=example,dc=org?one
nss_base_passwd ou=machines,dc=letter,dc=example,dc=org?one
nss_base_shadow ou=machines,dc=letter,dc=example,dc=org?one
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
uri ldap://letter.example.org/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

*/etc/samba/smb.conf*
---
[global]
        workgroup = EXAMPLE
        netbios name = EXAMPLE_SERVER
        server string = Samba Server Version %v
        password server = ldap://letter.example.org
        passdb backend = ldapsam:ldap://letter.example.org
        guest account = games
        log file = /var/log/samba/%m.log
        max log size = 50
        add user script = /usr/local/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/userdel "%u"
        add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/groupdel "%g"
        delete user from group script = /usr/sbin/userdel "%u" "%g"
        add machine script = /usr/local/sbin/smbldap-useradd -w -g Workstations "%u"
        logon script = %u.bat
        logon path = \\EXAMPLE_SERVER\profiles\%U
        domain logons = Yes
        os level = 33
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=config
        ldap group suffix = ou=groups
        ldap machine suffix = ou=machines
        ldap suffix = dc=letter,dc=example,dc=org
        ldap user suffix = ou=people
        guest ok = Yes
        cups options = raw

[homes]
        comment = Home Directories
        valid users = example\%S
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        guest ok = No
        printable = Yes
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        share modes = No

[Profiles]
        path = /var/lib/samba/profiles
        read only = No
        profile acls = Yes

*/conf/slapd.conf*
include "/opt/zimbra/openldap/etc/openldap/schema/core.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/cosine.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/inetorgperson.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/amavisd.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/zimbra.schema"
include "/opt/zimbra/lib/conf/zimbra-ext.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/nis.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/samba.schema"
threads 8
pidfile "/opt/zimbra/openldap/var/run/slapd.pid"
argsfile "/opt/zimbra/openldap/var/run/slapd.args"
TLSCertificateFile /opt/zimbra/conf/slapd.crt
TLSCertificateKeyFile /opt/zimbra/conf/slapd.key
TLSVerifyClient never
modulepath /opt/zimbra/openldap/libexec/openldap
moduleload back_bdb.la
moduleload back_monitor.la
moduleload syncprov.la
moduleload accesslog.la
access to dn.subtree="ou=people,dc=letter,dc=example,dc=org"
        by dn.children="cn=admins,cn=zimbra" write
        by * break
access to dn.subtree="ou=groups,dc=letter,dc=example,dc=org"
        by dn.children="cn=admins,cn=zimbra" write
        by * read
access to dn.base=""
        by * read
access to dn.base="cn=Subschema"
        by * read
access to attrs=userPassword
        by anonymous auth
        by dn.children="cn=admins,cn=zimbra" write
access to dn.subtree="cn=zimbra"
        by dn.children="cn=admins,cn=zimbra" write
access to attrs=zimbraZimletUserProperti
Re: [Samba] Samba + LDAP integration
On Saturday 26 July 2008 09:36:25 Mugo Martin wrote:
> Hi people,
>
> Been doing a server installation with Samba as a primary PDC that uses an
> LDAP backend on CentOS 5.
> The thing is that I cannot get Samba and LDAP to talk as they
> should and now I'm really stuck.

You sure are stuck. So let's see if we can pull you out of the hole you are in.

> Below are my dumps for /etc/samba/smb.conf, ldap.conf (copied its contents
> to /etc/openldap/ldap.conf too), and smbldap.conf.
> Excuse my long post; trying to be as elaborate as possible.
>
> smb.conf
> **
> [global]
> workgroup = MYDOMAIN
> netbios name = MYDOMAIN

What makes you believe that it is possible to operate with the domain name (workgroup) and the server name (netbios name) the same? The Samba3-HOWTO makes rather plain that this is a no-go - they must differ. Suggest you set them as:

workgroup = MYDOMAIN
netbios name = MYSERVER

> server string = mydomain_office
> passdb backend = ldapsam:ldap://server.example.org

The "passwd program" and "passwd chat" parameters are not needed with the LDAP backend. Please delete them.

> passwd program = /usr/local/sbin/smbldap-passwd %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *all*authentication*tokens*updated*
> username map = /etc/samba/smbusers
> log file = /var/log/samba/%m.log
> max log size = 100
> add user script = /usr/local/sbin/smbldap-useradd "%u" -n -g users

change to:
add user script = /usr/local/sbin/smbldap-useradd -m "%u"

> delete user script = /usr/local/sbin/smbldap-userdel "%u"
> add group script = /usr/local/sbin/smbldap-groupadd "%g"

change to:
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"

> delete group script = /usr/local/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u"
> "%g"
> delete user from group script = /usr/local/sbin/smbldap-userdel
> "%u" "%g"

change to:
delete user from group script = /usr/local/sbin/smbldap-userdel -x "%u" "%g"

> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g"
> "%u"
> add machine script = /usr/local/sbin/smbldap-useradd -n -c
> "Workstation (%u)" -M -d /nohome -s /bin/false "%u"

change to:
add machine script = /usr/local/sbin/smbldap-useradd -w -g Workstations "%u"

> logon script = %m.bat
> logon path = \\server.example.org\%U\profile

change to:
logon path = \\MYSERVER\profiles\%U

> domain logons = Yes
> os level = 33
> preferred master = Yes
> domain master = Yes
> wins support = Yes
> ldap admin dn = cn=config

change this to the same as the value of "rootdn" from /etc/openldap/slapd.conf, eg:
ldap admin dn = cn=Manager,dc=example,dc=org

> ldap delete dn = Yes
> ldap group suffix = ou=groups
> ldap machine suffix = ou=machines
> ldap passwd sync = Yes
> ldap suffix = dc=example,dc=org
> ldap user suffix = ou=people
> idmap uid = 1000-1
> idmap gid = 1000-1
> [homes]
> comment = Home Directories
> valid users = DOMAIN\%S
> read only = No
> browseable = No
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printable = Yes
> browseable = No
> [netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> guest ok = Yes
> share modes = No

Add:
[profiles]
comment = Profiles Folder
path = /var/lib/samba/profiles
read only = no
profile acls = yes

Now do:
root# > mkdir -p /var/lib/samba/profiles
root# > chown root:users /var/lib/samba/profiles
root# > chmod 2775 /var/lib/samba/profiles

> smbldap.conf
>
> sambaDomain="MYDOMAIN"
> slaveLDAP="127.0.0.1"
> slavePort="389"
> masterLDAP="127.0.0.1"
> masterPort="389"
> ldapTLS="0"
> suffix="dc=example,dc=org"
> usersdn="ou=people,${suffix}"
> computersdn="ou=machines,${suffix}"
> groupsdn="ou=groups,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
> scope="one"
> hash_encrypt="SSHA"
> crypt_salt_format="%s"
> userLoginShell="/bin/bash"
> userHome="/home/%U"
> userHomeDirectoryMode="700"
> userGecos="System User"
> defaultUserGid="513"
> defaultComputerGid="515"
> skeletonDir="/etc/skel"
> defaultMaxPasswordAge="45"
> userSmbHome=""
> userProfile=""
> userScript="logon.bat"
> mailDomain="example.org"
> with_smbpasswd="0"
> with_slappasswd="0"
>
> /etc/ldap.conf
> **
> host server.example.org
> base dc=example,dc=org
> binddn cn=config
> bindpw 1w2345FJ
> rootbinddn cn=zimbra,dc=example,dc=org
>
> timelimit 120
> bind_timelimit 120
> bind_policy soft
> idle_timelimit 3600
>
> nss_base_passwd ou=people,dc=example,dc=org?one
> nss_
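As an added example (not code from the thread or from the Samba project), the objections raised in this reply written as a small smb.conf checker: it parses the file and flags the [global] settings the reply asks to change. The sample smb.conf is constructed from the values quoted in this thread, and the rootdn passed to the checker is an assumed value, since the thread never shows the real slapd.conf rootdn.

```python
import re

# Constructed sample, built from the [global] values quoted in this thread.
SAMPLE_SMB_CONF = r"""
[global]
        workgroup = MYDOMAIN
        netbios name = MYDOMAIN
        passdb backend = ldapsam:ldap://server.example.org
        passwd program = /usr/local/sbin/smbldap-passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n
        logon path = \\server.example.org\%U\profile
        ldap admin dn = cn=config
        ldap suffix = dc=example,dc=org
[netlogon]
        path = /var/lib/samba/netlogon
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}. Section and parameter names are
    lower-cased with inner whitespace collapsed, as smbd treats them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment line
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()  # start of a new [section]
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def check_pdc_ldap(sections, rootdn):
    """Apply the reply's checks. rootdn is the slapd.conf rootdn; the value
    the caller passes is an assumption, the thread never shows the real one."""
    g = sections.get("global", {})
    findings = []
    if g.get("workgroup", "").lower() == g.get("netbios name", "").lower():
        findings.append("workgroup and netbios name must differ")
    if g.get("passdb backend", "").lower().startswith("ldapsam"):
        for p in ("passwd program", "passwd chat"):
            if p in g:
                findings.append(f"'{p}' is not needed with the LDAP backend")
        if g.get("ldap admin dn", "").lower() != rootdn.lower():
            findings.append("ldap admin dn must match the slapd rootdn")
    if "logon path" in g and "profiles" not in sections:
        findings.append("logon path is set but no [profiles] share exists")
    return findings
```

Run check_pdc_ldap(parse_smb_conf(open("/etc/samba/smb.conf").read()), "<your rootdn>") against a real file; an empty list means none of the reply's objections apply.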
Re: [Samba] Samba + LDAP integration
Were the user accounts created with smbldap-tools or were they pre-existing? If they were pre-existing, did you reset the passwords with smbldap-passwd? You will need to do so to set the appropriate hashes in LDAP.

Have you looked at the logs at all? Posting some samples from there showing the server startup and failed login would probably be helpful.

--Ryan

On Sat, Jul 26, 2008 at 10:36 AM, Mugo Martin <[EMAIL PROTECTED]> wrote:
> Hi people,
>
> Been doing a server installation with Samba as a primary PDC that uses an
> LDAP backend on CentOS 5.
> The thing is that I cannot get Samba and LDAP to talk as they
> should and now I'm really stuck.
> Below are my dumps for /etc/samba/smb.conf, ldap.conf (copied its contents
> to /etc/openldap/ldap.conf too), and smbldap.conf.
> Excuse my long post; trying to be as elaborate as possible.
>
> smb.conf
> **
> [global]
>         workgroup = MYDOMAIN
>         netbios name = MYDOMAIN
>         server string = mydomain_office
>         passdb backend = ldapsam:ldap://server.example.org
>         passwd program = /usr/local/sbin/smbldap-passwd %u
>         passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *all*authentication*tokens*updated*
>         username map = /etc/samba/smbusers
>         log file = /var/log/samba/%m.log
>         max log size = 100
>         add user script = /usr/local/sbin/smbldap-useradd "%u" -n -g users
>         delete user script = /usr/local/sbin/smbldap-userdel "%u"
>         add group script = /usr/local/sbin/smbldap-groupadd "%g"
>         delete group script = /usr/local/sbin/smbldap-groupdel "%g"
>         add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u"
> "%g"
>         delete user from group script = /usr/local/sbin/smbldap-userdel "%u"
> "%g"
>         set primary group script = /usr/local/sbin/smbldap-usermod -g "%g"
> "%u"
>         add machine script = /usr/local/sbin/smbldap-useradd -n -c
> "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>         logon script = %m.bat
>         logon path = \\server.example.org\%U\profile
>         domain logons = Yes
>         os level = 33
>         preferred master = Yes
>         domain master = Yes
>         wins support = Yes
>         ldap admin dn = cn=config
>         ldap delete dn = Yes
>         ldap group suffix = ou=groups
>         ldap machine suffix = ou=machines
>         ldap passwd sync = Yes
>         ldap suffix = dc=example,dc=org
>         ldap user suffix = ou=people
>         idmap uid = 1000-1
>         idmap gid = 1000-1
> [homes]
>         comment = Home Directories
>         valid users = DOMAIN\%S
>         read only = No
>         browseable = No
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         printable = Yes
>         browseable = No
> [netlogon]
>         comment = Network Logon Service
>         path = /var/lib/samba/netlogon
>         guest ok = Yes
>         share modes = No
>
> smbldap.conf
>
> sambaDomain="MYDOMAIN"
> slaveLDAP="127.0.0.1"
> slavePort="389"
> masterLDAP="127.0.0.1"
> masterPort="389"
> ldapTLS="0"
> suffix="dc=example,dc=org"
> usersdn="ou=people,${suffix}"
> computersdn="ou=machines,${suffix}"
> groupsdn="ou=groups,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
> scope="one"
> hash_encrypt="SSHA"
> crypt_salt_format="%s"
> userLoginShell="/bin/bash"
> userHome="/home/%U"
> userHomeDirectoryMode="700"
> userGecos="System User"
> defaultUserGid="513"
> defaultComputerGid="515"
> skeletonDir="/etc/skel"
> defaultMaxPasswordAge="45"
> userSmbHome=""
> userProfile=""
> userScript="logon.bat"
> mailDomain="example.org"
> with_smbpasswd="0"
> with_slappasswd="0"
>
> /etc/ldap.conf
> **
> host server.example.org
> base dc=example,dc=org
> binddn cn=config
> bindpw 1w2345FJ
> rootbinddn cn=zimbra,dc=example,dc=org
>
> timelimit 120
> bind_timelimit 120
> bind_policy soft
> idle_timelimit 3600
>
> nss_base_passwd ou=people,dc=example,dc=org?one
> nss_base_shadow ou=people,dc=example,dc=org?one
>
> nss_base_group ou=groups,dc=example,dc=org?one
> nss_base_hosts ou=machines,dc=example,dc=org?one
>
> nss_initgroups_ignoreusers
> root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
>
> uri ldap://server.example.org
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
>
> smbldap.conf
>
> sambaDomain="MYDOMAIN"
> slaveLDAP="127.0.0.1"
> slavePort="389"
> masterLDAP="127.0.0.1"
> masterPort="389"
> ldapTLS="0"
> suffix="dc=example,dc=org"
> usersdn="ou=people,${suffix}"
> computersdn="ou=machines,${suffix}"
> groupsdn="ou=groups,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
> scope="one"
> hash_encrypt="SSHA"
> crypt_salt_format="%s"
> userLoginShell="/bin/bash"
> userHome="/home/%U"
> userHomeDirectoryMode="700"
> userGecos="System User"
> defaultUserGid="513"
> defaultComputerGid="515"
> skeletonDir="/etc/skel"
> defaultMaxPasswordAge="45"
>
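As an added example (not code from the thread), one way to act on the question above about pre-existing accounts: parse an LDIF dump of the people container, such as `ldapsearch -x -LLL -b ou=people,dc=example,dc=org` prints, and report which entries lack the sambaSamAccount objectClass or the sambaNTPassword attribute that smbldap-passwd sets, plus any account the sambaAcctFlags mark disabled. The LDIF is constructed inline; the uids, SID and NT hash are placeholders.

```python
import base64
# Constructed LDIF, shaped like 'ldapsearch -x -LLL' output; the SID and
# NT hash below are placeholders, not real values.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaAcctFlags: [U          ]

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: bob
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
description: pre-existing posix
  account

dn: uid=carol,ou=people,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: carol
sambaSID: S-1-5-21-1-2-3-1002
sambaAcctFlags: [UD         ]
"""

def parse_ldif(text):
    """Return one {attr: [values]} dict per entry. Unfolds continuation
    lines (leading space) and decodes base64 values ('attr:: ...')."""
    entries, cur = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line:                      # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        cur.setdefault(attr.strip(), []).append(value.strip())
    return entries

def samba_readiness(entries):
    """Map uid -> reasons the entry cannot log on to the Samba domain."""
    report = {}
    for e in entries:
        uid = e.get("uid", ["?"])[0]
        problems = []
        if "sambaSamAccount" not in e.get("objectClass", []):
            problems.append("missing sambaSamAccount objectClass")
        elif "sambaNTPassword" not in e:
            problems.append("no sambaNTPassword (run smbldap-passwd)")
        if "D" in e.get("sambaAcctFlags", [""])[0]:
            problems.append("account disabled (sambaAcctFlags)")
        if problems:
            report[uid] = problems
    return report
```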
[Samba] Samba + LDAP integration
Hi people,

Been doing a server installation with Samba as a primary PDC that uses an LDAP backend on CentOS 5. The thing is that I cannot get Samba and LDAP to talk as they should and now I'm really stuck. Below are my dumps for /etc/samba/smb.conf, ldap.conf (copied its contents to /etc/openldap/ldap.conf too), and smbldap.conf. Excuse my long post; trying to be as elaborate as possible.

smb.conf
**
[global]
        workgroup = MYDOMAIN
        netbios name = MYDOMAIN
        server string = mydomain_office
        passdb backend = ldapsam:ldap://server.example.org
        passwd program = /usr/local/sbin/smbldap-passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
        username map = /etc/samba/smbusers
        log file = /var/log/samba/%m.log
        max log size = 100
        add user script = /usr/local/sbin/smbldap-useradd "%u" -n -g users
        delete user script = /usr/local/sbin/smbldap-userdel "%u"
        add group script = /usr/local/sbin/smbldap-groupadd "%g"
        delete group script = /usr/local/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/local/sbin/smbldap-userdel "%u" "%g"
        set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/local/sbin/smbldap-useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
        logon script = %m.bat
        logon path = \\server.example.org\%U\profile
        domain logons = Yes
        os level = 33
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=config
        ldap delete dn = Yes
        ldap group suffix = ou=groups
        ldap machine suffix = ou=machines
        ldap passwd sync = Yes
        ldap suffix = dc=example,dc=org
        ldap user suffix = ou=people
        idmap uid = 1000-1
        idmap gid = 1000-1

[homes]
        comment = Home Directories
        valid users = DOMAIN\%S
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        guest ok = Yes
        share modes = No

smbldap.conf

sambaDomain="MYDOMAIN"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
suffix="dc=example,dc=org"
usersdn="ou=people,${suffix}"
computersdn="ou=machines,${suffix}"
groupsdn="ou=groups,${suffix}"
sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
scope="one"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome=""
userProfile=""
userScript="logon.bat"
mailDomain="example.org"
with_smbpasswd="0"
with_slappasswd="0"

/etc/ldap.conf
**
host server.example.org
base dc=example,dc=org
binddn cn=config
bindpw 1w2345FJ
rootbinddn cn=zimbra,dc=example,dc=org

timelimit 120
bind_timelimit 120
bind_policy soft
idle_timelimit 3600

nss_base_passwd ou=people,dc=example,dc=org?one
nss_base_shadow ou=people,dc=example,dc=org?one

nss_base_group ou=groups,dc=example,dc=org?one
nss_base_hosts ou=machines,dc=example,dc=org?one

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman

uri ldap://server.example.org
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

smbldap.conf

sambaDomain="MYDOMAIN"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
suffix="dc=example,dc=org"
usersdn="ou=people,${suffix}"
computersdn="ou=machines,${suffix}"
groupsdn="ou=groups,${suffix}"
sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
scope="one"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome=""
userProfile=""
userScript="logon.bat"
mailDomain="example.org"
with_smbpasswd="0"
with_slappasswd="0"

smbldap_bind.conf
*
slaveDN="cn=config,dc=example,dc=org"
slavePw="1w2345FJ"
masterDN="cn=config,dc=example,dc=org"
masterPw="1w2345FJ"

The strange thing is that I can join a computer to the Domain, but only using the Samba+samba_root_passwd. I can even see the computer entry in the LDAP database when I run ldapsearch. However, I cannot log in to the domain with credentials in LDAP. Also I cannot add machines to the domain using privileged accounts stored in LDAP. Strangely though, Samba commands getent group and getent passwd work just