Re: [Samba] Adding LDAP Backend to Samba

2011-02-12 Thread J. Echter
On 05.02.2011 10:33, J. Echter wrote:
 On 04.02.2011 16:40, Jorge Concha C. wrote:
 On Thu, 03 Feb 2011 20:16:00 -0300, J. Echter
 j.ech...@elektro-mayer-echter.de wrote:

 User SID: S-1-5-21-3842863818-2180709222-141296495-1001
 Primary Group SID:S-1-5-21-3842863818-2180709222-141296495-513

 Another thing to check:

 User SID: S-1-5-21-3842863818-2180709222-141296495-1001 -
 command 'net getlocalsid' must respond with
 S-1-5-21-3842863818-2180709222-141296495
 (if not, run 'net setlocalsid
 S-1-5-21-3842863818-2180709222-141296495').

 And in your LDAP server you must have an entry like this:

 sambaDomainName=your domain name
 with sambaSID=S-1-5-21-3842863818-2180709222-141296495


 Hi,

 net getlocalsid show the right sid. In my LDAP there is also a
 sambaDomainName=workgroup. There's also the right SID in there..

 can anybody tell me if my users and machines are in the right LDAP
 groups?

 i got:

 ou=computers, there's uid=pc1$
 ou=groups, there's cn=user1 cn=pc1$
 ou=idmap, is empty
 ou=smb-usr, there's uid=user1

 also i'd like to check the logs, i got many samba related logs but
 don't find any hint whats going on... where could i have a look too?

 cheers.

 juergen

 greetings.


 p.s. sorry Jorge, did a quick reply. didn't want to spam you

can nobody tell me where the accounts have to be in? is it correct that
idmap is empty?

greetings

juergen.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Adding LDAP Backend to Samba

2011-02-12 Thread Harry Jede
On 09:57:41 wrote J. Echter:

...

  also i'd like to check the logs, i got many samba related logs but
  don't find any hint whats going on...
increase the log level

  where could i have a look 
  too?
 
  cheers.
 
  juergen
 
  greetings.
 
 
  p.s. sorry Jorge, did a quick reply. didn't want to spam you

 can nobody tell me where the accounts have to be in?
Maybe no one will do this. RTM

Samba by Example at www.samba.org has the answers. Read it! I have 
done this and it helps me a lot.

I would suggest that you examine one of these examples on a freshly 
installed Linux distro of your choice.

 is it correct 
 that idmap is empty?
It is.

 greetings

 juergen.



-- 

regards
Harry Jede


Re: [Samba] Adding LDAP Backend to Samba

2011-02-12 Thread John H Terpstra
On 02/12/2011 02:16 AM, J. Echter wrote:
 On 05.02.2011 10:33, J. Echter wrote:
...

 can nobody tell me where the accounts have to be in? is it correct that
 idmap is empty?

Juergen,

Manageability, performance and readability are the key reasons for
putting group accounts into an ou=groups, and for having user accounts
under ou=users, and machine accounts under another ou.

It is quite possible to store all the accounts directly off the root of
the LDAP directory - it will work if everything else is configured
correctly.  This is certainly NOT a recommended configuration, but it
can work.

You need to make sure that everything else in your configuration
is correct.  If you do not understand how the pieces all fit together
life gets a bit challenging.

The following need to be configured:

You need to install and configure an NSS LDAP library.  If you use
nss_ldap (from http://www.padl.com), the configuration file (ldap.conf)
must be correctly configured.  This file is often located (compile time
option) in /etc.

When this has been correctly configured you will see all LDAP user
accounts when you execute:

getent passwd

You should also see all LDAP group accounts when you execute:

getent group

If these two commands do not work - you need to fix that.  Samba relies
on being able to resolve POSIX user and group information by simple
calls to the getpwent() family of system calls.


Next, it is necessary to install and configure the toolset you want to
use to maintain and manage accounts in the LDAP directory.  Many people
make use of the smbldap-tools package.  After installation and
configuration, use the appropriate tool to validate account information.
 For example:

smbldap-usershow jackb

Example:

# smbldap-usershow tfarmer

dn: uid=tfarmer,ou=People,ou=Users,dc=world,dc=org
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: tfarmer
sn: tfarmer
givenName: tfarmer
uid: tfarmer
uidNumber: 1021
gidNumber: 513
homeDirectory: /users/tfarmer
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: tfarmer
sambaSID: S-1-5-21-726309263-4128913645-1188186429-3042
sambaPrimaryGroupSID: S-1-5-21-726309263-4128913645-1188186429-513
sambaLogonScript: scripts\logon.bat
sambaProfilePath: \\%L\profiles\tfarmer
sambaHomePath: \\SWEVWE\tfarmer
sambaHomeDrive: H:
sambaAcctFlags: [U]
sambaNTPassword: 4A9F7B6CEFB63E5733F4C44E3DD93362
sambaPwdLastSet: 1264562105
sambaPwdMustChange: 1268450105
userPassword: {SSHA}XrAzItbFAgDFa6BhdffC6s+L6QEyYbBL
shadowLastChange: 14636
shadowMax: 45


# smbldap-groupshow engineers
dn: cn=Engineers,ou=Groups,dc=world,dc=org
objectClass: posixGroup,sambaGroupMapping
cn: Engineers
gidNumber: 1009
sambaSID: S-1-5-21-726309263-4128913645-1188186429-401050
sambaGroupType: 2
displayName: Engineers
description: Finely Trained Technicians
memberUid: tfarmer,dlop,jb



It is also necessary to correctly configure Samba.  Please refer to
chapter 5 of the book Samba4-ByExample available from your local
bookstore or on-line from:

http://www.samba.org/samba/Samba3-ByExample


Chapter 5 systematically steps through the process of installation and
configuration of a complete Novell SLES (OpenSUSE) -based Samba/LDAP
configuration.

The example is based on SLES, but it applies for the most part also for
RHEL and Fedora.

Cheers,
John T.
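
The checks suggested in this thread (account SIDs matching the 'net getlocalsid' value, a sambaDomainName entry carrying that SID, sambaPwdLastSet being present, and accounts sitting under the suffixes named in smb.conf) can be run in one pass over an LDIF export. The Python below is an added example, not part of the original posts and not code from Samba or smbldap-tools; the sample LDIF, its RIDs and the function names parse_ldif and audit are constructed for illustration, and base64-encoded (attr::) values are not decoded.

```python
import re

LOCAL_SID = "S-1-5-21-3842863818-2180709222-141296495"  # 'net getlocalsid' value quoted in the thread
# Constructed sample export (not real data) for the poster's dc=workgroup,dc=local tree.
SAMPLE_LDIF = """\
dn: sambaDomainName=WORKGROUP,dc=workgroup,dc=local
objectClass: sambaDomain
sambaSID: S-1-5-21-3842863818-2180709222-141296495

dn: uid=user1,ou=smb-usr,dc=workgroup,dc=local
objectClass: posixAccount,sambaSamAccount
uid: user1
sambaSID: S-1-5-21-3842863818-2180709222-141296495-3002
sambaPrimaryGroupSID: S-1-5-21-3842863818-2180709222-141296495
 -513
sambaPwdLastSet: 1296774663

dn: uid=pc1$,ou=groups,dc=workgroup,dc=local
objectClass: posixAccount
objectClass: sambaSamAccount
uid: pc1$
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3004
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry, unfolding continuation lines."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # RFC 2849 line folding
    entries = []
    for block in re.split(r"\n\s*\n", unfolded):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.lower(), []).append(value.strip())
        entries.append(entry)
    return [e for e in entries if "dn" in e]

def audit(entries, local_sid, base, user_ou="ou=smb-usr", machine_ou="ou=computers"):
    """Return (dn, problem) pairs; the OU defaults are the smb.conf suffixes from the thread."""
    norm = lambda dn: re.sub(r"\s*,\s*", ",", dn.strip().lower())
    classes = lambda e: {c.strip().lower() for v in e.get("objectclass", []) for c in v.split(",")}
    findings = []
    if not any("sambadomain" in classes(e) and local_sid in e.get("sambasid", []) for e in entries):
        findings.append(("(directory)", "no sambaDomain entry carries the local SID"))
    for e in (e for e in entries if "sambasamaccount" in classes(e)):
        dn = e["dn"][0]
        for attr in ("sambasid", "sambaprimarygroupsid"):
            if not all(re.fullmatch(re.escape(local_sid) + r"-\d+", s) for s in e.get(attr, [])):
                findings.append((dn, f"{attr} not in local domain"))
        if "sambapwdlastset" not in e:
            findings.append((dn, "sambapwdlastset missing"))
        ou = machine_ou if e.get("uid", [""])[0].endswith("$") else user_ou
        if not norm(dn).endswith(norm(f",{ou},{base}")):
            findings.append((dn, f"not under {ou}"))
    return findings

if __name__ == "__main__":
    for dn, problem in audit(parse_ldif(SAMPLE_LDIF), LOCAL_SID, "dc=workgroup,dc=local"):
        print(f"{dn}: {problem}")
```

The objectClass handling accepts both one value per line and the comma-joined form that smbldap-usershow prints above.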



Re: [Samba] Adding LDAP Backend to Samba

2011-02-05 Thread J. Echter

On 04.02.2011 16:40, Jorge Concha C. wrote:

On Thu, 03 Feb 2011 20:16:00 -0300, J. Echter
j.ech...@elektro-mayer-echter.de wrote:


User SID: S-1-5-21-3842863818-2180709222-141296495-1001
Primary Group SID:S-1-5-21-3842863818-2180709222-141296495-513


Another thing to check:

User SID: S-1-5-21-3842863818-2180709222-141296495-1001 -
command 'net getlocalsid' must respond with
S-1-5-21-3842863818-2180709222-141296495
(if not, run 'net setlocalsid S-1-5-21-3842863818-2180709222-141296495').

And in your LDAP server you must have an entry like this:

sambaDomainName=your domain name
with sambaSID=S-1-5-21-3842863818-2180709222-141296495



Hi,

net getlocalsid show the right sid. In my LDAP there is also a 
sambaDomainName=workgroup. There's also the right SID in there..


can anybody tell me if my users and machines are in the right LDAP groups?

i got:

ou=computers, there's uid=pc1$
ou=groups, there's cn=user1 cn=pc1$
ou=idmap, is empty
ou=smb-usr, there's uid=user1

also i'd like to check the logs, i got many samba related logs but don't 
find any hint whats going on... where could i have a look too?


cheers.

juergen

greetings.


p.s. sorry Jorge, did a quick reply. didn't want to spam you



Re: [Samba] Adding LDAP Backend to Samba

2011-02-04 Thread Jorge Concha C.

On Thu, 03 Feb 2011 20:16:00 -0300, J. Echter 
j.ech...@elektro-mayer-echter.de wrote:


User SID: S-1-5-21-3842863818-2180709222-141296495-1001
Primary Group SID:S-1-5-21-3842863818-2180709222-141296495-513


Another thing to check:

User SID: S-1-5-21-3842863818-2180709222-141296495-1001 -
command 'net getlocalsid' must respond with S-1-5-21-3842863818-2180709222-141296495
(if not, run 'net setlocalsid S-1-5-21-3842863818-2180709222-141296495').

And in your LDAP server you must have an entry like this:

sambaDomainName=your domain name
with sambaSID=S-1-5-21-3842863818-2180709222-141296495


AND:

I had problems with users who do not have the attribute sambaPwdLastSet
Then, all my users have sambaPwdLastSet = 1


Good Luck

--
Jorge C.


Re: [Samba] Adding LDAP Backend to Samba

2011-02-04 Thread Joe Tseng

I just recently got mine set up after a lot of help from this list (and a great 
deal of pain and persistence).  I also got a lot of insightful guidance from 
this doc:

http://wiki.amahi.org/index.php/LDAP

hth,

 - Joe


If you type Google into Google, you can break the Internet. -- Jen Barber


--Forwarded Message Attachment--
From: j...@cec.uchile.cl
To: samba@lists.samba.org
Date: Fri, 4 Feb 2011 12:40:29 -0300
Subject: Re: [Samba] Adding LDAP Backend to Samba


On Thu, 03 Feb 2011 20:16:00 -0300, J. Echter  wrote:

 User SID: S-1-5-21-3842863818-2180709222-141296495-1001
 Primary Group SID:S-1-5-21-3842863818-2180709222-141296495-513

Another thing to check:

User SID: S-1-5-21-3842863818-2180709222-141296495-1001 -
command 'net getlocalsid' must respond with S-1-5-21-3842863818-2180709222-141296495
(if not, run 'net setlocalsid S-1-5-21-3842863818-2180709222-141296495').

And in your LDAP server you must have an entry like this:

sambaDomainName=
with sambaSID=S-1-5-21-3842863818-2180709222-141296495


AND:

I had problems with users who do not have the attribute sambaPwdLastSet
Then, all my users have sambaPwdLastSet = 1


Good Luck

--
Jorge C.

  


Re: [Samba] Adding LDAP Backend to Samba

2011-02-03 Thread J. Echter
On 03.02.2011 20:26, J. Echter wrote:
 Hi,

 im trying to use our LDAP server as backend for Samba (PDC).

 I used smbldap-tools to transfer samba users to our LDAP server.

 Now i have ou=computers, ou=idmap, ou=smb-usr and ou=groups.

 I added the following to my smb.conf

ldap passwd sync = yes
passdb backend = ldapsam:ldap://localhost
ldap suffix = dc=workgroup,dc=local
ldap admin dn = cn=admin,dc=workgroup,dc=local
ldap machine suffix = ou=computers
ldap user suffix = ou=smb-usr
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap ssl = no
# Scripts for Samba to use if it creates users, groups, etc.
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
# Script that Samba uses when a PC joins the domain ..
# (when changing 'Computer Properties' on the PC)
add machine script = /usr/sbin/smbldap-useradd -w '%u'

 but im still not able to login.

 I saw that there are users and computers all in ou=groups (cn=pc1$) and
 also in ou=computers (uid=pc1$) is this correcto?

 unfortunately i'm no samba expert either ldap :)


 thanks for helping.

 cheers

 juergen.
sorry forgot to add some essential stuff.

Samba:
Version: 2:3.4.7~dfsg-1ubuntu3.3

on
Ubuntu 10.04 LTS x64

thanks. :)


Re: [Samba] Adding LDAP Backend to Samba

2011-02-03 Thread Gaiseric Vandal

Does pdbedit -Lv show the users, groups and machines?

On 02/03/2011 02:34 PM, J. Echter wrote:

On 03.02.2011 20:26, J. Echter wrote:
   

Hi,

im trying to use our LDAP server as backend for Samba (PDC).

I used smbldap-tools to transfer samba users to our LDAP server.

Now i have ou=computers, ou=idmap, ou=smb-usr and ou=groups.

I added the following to my smb.conf

ldap passwd sync = yes
passdb backend = ldapsam:ldap://localhost
ldap suffix = dc=workgroup,dc=local
ldap admin dn = cn=admin,dc=workgroup,dc=local
ldap machine suffix = ou=computers
ldap user suffix = ou=smb-usr
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap ssl = no
# Scripts for Samba to use if it creates users, groups, etc.
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
# Script that Samba uses when a PC joins the domain ..
# (when changing 'Computer Properties' on the PC)
add machine script = /usr/sbin/smbldap-useradd -w '%u'

but im still not able to login.

I saw that there are users and computers all in ou=groups (cn=pc1$) and
also in ou=computers (uid=pc1$) is this correcto?

unfortunately i'm no samba expert either ldap :)


thanks for helping.

cheers

juergen.
 

sorry forgot to add some essential stuff.

Samba:
Version: 2:3.4.7~dfsg-1ubuntu3.3

on
Ubuntu 10.04 LTS x64

thanks. :)
   




[Samba] Adding LDAP Backend to Samba

2011-02-03 Thread J. Echter
Hi,

im trying to use our LDAP server as backend for Samba (PDC).

I used smbldap-tools to transfer samba users to our LDAP server.

Now i have ou=computers, ou=idmap, ou=smb-usr and ou=groups.

I added the following to my smb.conf

   ldap passwd sync = yes
   passdb backend = ldapsam:ldap://localhost
   ldap suffix = dc=workgroup,dc=local
   ldap admin dn = cn=admin,dc=workgroup,dc=local
   ldap machine suffix = ou=computers
   ldap user suffix = ou=smb-usr
   ldap group suffix = ou=groups
   ldap idmap suffix = ou=idmap
   ldap ssl = no
   # Scripts for Samba to use if it creates users, groups, etc.
   add user script = /usr/sbin/smbldap-useradd -m '%u'
   delete user script = /usr/sbin/smbldap-userdel %u
   add group script = /usr/sbin/smbldap-groupadd -p '%g'
   delete group script = /usr/sbin/smbldap-groupdel '%g'
   add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
   delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
   set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
   # Script that Samba uses when a PC joins the domain ..
   # (when changing 'Computer Properties' on the PC)
   add machine script = /usr/sbin/smbldap-useradd -w '%u'

but im still not able to login.

I saw that there are users and computers all in ou=groups (cn=pc1$) and
also in ou=computers (uid=pc1$) is this correcto?

unfortunately i'm no samba expert either ldap :)


thanks for helping.

cheers

juergen.


Re: [Samba] Adding LDAP Backend to Samba

2011-02-03 Thread J. Echter
On 03.02.2011 20:43, Gaiseric Vandal wrote:
 Does pdbedit -Lv show the users, groups and machines?
Hi,

no it doesn't.

User Search failed!

Cheers.


Re: [Samba] Adding LDAP Backend to Samba

2011-02-03 Thread Jorge Concha C.

maybe you need to run

smbpasswd -w passwd for cn=admin,dc=workgroup,dc=local



On Thu, 03 Feb 2011 16:56:37 -0300, J. Echter 
j.ech...@elektro-mayer-echter.de wrote:


On 03.02.2011 20:43, Gaiseric Vandal wrote:

Does pdbedit -Lv show the users, groups and machines?

Hi,

no it doesn't.

User Search failed!

Cheers.



--
Jorge C.


Re: [Samba] Adding LDAP Backend to Samba

2011-02-03 Thread J. Echter
On 03.02.2011 22:29, Jorge Concha C. wrote:
 smbpasswd -w passwd for cn=admin,dc=workgroup,dc=local 
sudo smbpasswd -w secret
Setting stored password for cn=admin,dc=workgroup,dc=local in secrets.tdb

but still no login possible.

is there a specific logfile i could have a look at?

i looked at some logs from samba, but didn't see anything related...

cheers.


Re: [Samba] Adding LDAP Backend to Samba

2011-02-03 Thread J. Echter
On 03.02.2011 22:12, Gaiseric Vandal wrote:
 On 02/03/2011 02:56 PM, J. Echter wrote:
 On 03.02.2011 20:43, Gaiseric Vandal wrote:

 Does pdbedit -Lv show the users, groups and machines?
  
 Hi,

 no it doesn't.

 User Search failed!

 Cheers.

 I don't use the ldap tools scripts, so my environment may not match
 yours exactly.  You may also want to read through the scripts to see
 if they create users, computers and groups where you think they will. 
 I don't know if the scripts check the smb.conf file -  I suspect not.

 Sounds like your scripts are putting objects in one location, but
 samba expects them in another.

 I have my users and machines under the same suffix.   You can have an
 ou below that suffix which would also get searched by samba.  I have
 this since my LDAP backend also includes the unix account info-  
 otherwise samba couldn't find the unix uid for my machine accounts.

 You may want to use a gui LDAP editor (e.g. apache directory studio)
 to get the entries into the correct location.  Not sure if you can
 move them directly BUT you can export LDAP entries (or entire OU's) to
 a text file, delete the entries from ldap, edit the entries in the
 text file, and then reimport.


yes, i also wondered if the accounts are in the right position.

i use phpldapadmin and could easily move entries, but i wasn't sure if
this is the right way to go...


Re: [Samba] Adding LDAP Backend to Samba

2011-02-03 Thread J. Echter
On 03.02.2011 20:56, J. Echter wrote:
 On 03.02.2011 20:43, Gaiseric Vandal wrote:
 Does pdbedit -Lv show the users, groups and machines?
 Hi,

 no it doesn't.

 User Search failed!

 Cheers.
after using

i get this with 'pdbedit -Lv'

sudo pdbedit -Lv
---
Unix username:bacula
NT username:  bacula
Account Flags:[U  ]
User SID: S-1-5-21-3842863818-2180709222-141296495-1001
Primary Group SID:S-1-5-21-3842863818-2180709222-141296495-513
Full Name:bacula
Home Directory:   \\pdc\bacula
HomeDir Drive:h:
Logon Script: bacula.bat
Profile Path: \\pdc\profile\bacula
Domain:   WORKGROUP
Account desc:
Workstations:
Munged dial: 
Logon time:   0
Logoff time:  never
Kickoff time: never
Password last set:Fr, 04 Feb 2011 00:11:03 CET
Password can change:  Fr, 04 Feb 2011 00:11:03 CET
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours : FF

only one user, but this one isnt added to samba, its the one i choose
for installation of ubuntu.


Re: [Samba] Adding LDAP Backend to Samba

2011-02-03 Thread J. Echter
On 04.02.2011 00:16, J. Echter wrote:
 On 03.02.2011 20:56, J. Echter wrote:
 On 03.02.2011 20:43, Gaiseric Vandal wrote:
 Does pdbedit -Lv show the users, groups and machines?

 User Search failed!

 after using

smbpasswd -w secret