[Samba] SMB+LDAP
Hi Folks,

A couple of questions about making SMB (3 or 4) authenticate to an external (anonymous) LDAP server:

1) A typical LDAP user record is below. Is there anything lacking in this record that would prevent Samba from authenticating against our LDAP server? Note the sambaSID is, as is, gobbledygook info:

  dsAttrTypeNative:eduPersonAffiliation: Employee Member
  dsAttrTypeNative:givenName: David
  dsAttrTypeNative:homeDirectory: /afs/cats.csux.edu/users/t/dsixpack
  dsAttrTypeNative:mail: dsixp...@csux.edu
  dsAttrTypeNative:objectClass: posixAccount organizationalPerson csuxPerson top sambaSamAccount person inetOrgPerson csuxMain eduPerson
  dsAttrTypeNative:sambaSID: S-1-5-21-XX-XX-XX
  dsAttrTypeNative:sn: Sixpack
  dsAttrTypeNative:csuxPersonGuID: G000242316
  AppleMetaNodeLocation: /LDAPv3/ldap-99.soe.csux.edu
  AppleMetaRecordName: uid=dsixpack,ou=People,dc=crm,dc=csux,dc=edu
  NFSHomeDirectory: /Users/dsixpack
  Password:
  PrimaryGroupID: 12
  RealName: David Sixpack
  RecordName: dsixpack
  RecordType: dsRecTypeStandard:Users
  UniqueID: 9239
  UserShell: /bin/bash

2) Regarding the "sudo smbpasswd -w secret" step, does this smb user need to exist in our LDAP, or is it local to the machine running the SMB daemon? I wasn't clear on how this step in the process is supposed to work.

3) Is the "ldap admin dn =" also required? Note we have read-only access to our LDAP server, though a record could be created for us if absolutely needed.

Any help or ideas MUCH appreciated! Thanks!

David

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] SMB+LDAP
I have a Sun (Oracle) Directory Server directory server backend. I also use it for unix level authentication. Are you configuring samba as a domain controller or standalone server?

I have uid and uidNumber attributes; you want to make sure that the samba account maps to a unix account somehow. "pdbedit -Lv username" will verify this.

I think with an LDAP backend it will expect an ldap admin dn entry. This is not usually a regular user in your company LDAP branch but is instead an administrator. Samba will need to write to LDAP if you add or remove a samba user using smbpasswd or pdbedit, or if you change a user's samba password with samba command line tools or from windows, or if you join or remove a Windows PC from the domain, and if you join the samba server to the domain (this will create domain objects).

You can of course use LDAP tools to create the user's samba attributes. I don't know how you would easily set the user's samba password. You could probably have a dummy samba machine with a local backend, set a password, then use smbpasswd -e to extract the hashed value. Maybe there are additional tools for creating an NT password hash. Machines will also have accounts with passwords; the passwords may automatically change.

On 08/07/12 17:37, Frans Lanting - IT Admin wrote:
> Hi Folks,
> A couple of questions about making SMB (3 or 4) authenticate to an external (anonymous) LDAP server:
> [...]
Re: [Samba] SMB+LDAP
You also need sambaAccountFlags: [UX] for user accounts and sambaAccountFlags: [W] for machine accounts.

On 08/07/12 17:37, Frans Lanting - IT Admin wrote:
> Hi Folks,
> A couple of questions about making SMB (3 or 4) authenticate to an external (anonymous) LDAP server:
> [...]
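The two replies above boil down to a checklist: the entry must carry both posixAccount and sambaSamAccount, a uid/uidNumber pair Samba can map to a unix account, a well-formed sambaSID, the account flags ([U…] for users, [W…] for machines) and an NT hash. The reply names the flags attribute sambaAccountFlags; in the Samba 3 schema, as the LDIF later on this page shows, it is sambaAcctFlags. The script below is an added example (not code from the Samba project or from the posters) that runs that checklist over an LDIF dump before you reach for pdbedit -Lv. The sample LDIF is constructed from the record in the original post plus an invented machine account; the SID and hash values in it are placeholders.

```python
"""Pre-flight check of LDAP entries for Samba 3 ldapsam.

Added example, not code from the Samba project or from the list posters.
It parses LDIF text and lists what each entry still lacks before Samba
(or "pdbedit -Lv") would accept it.  Attribute names are those of the
Samba 3 schema: sambaSamAccount, sambaSID, sambaAcctFlags, sambaNTPassword.
The sample LDIF is constructed; SID and hash values are placeholders.
"""
import re

# Minimum an entry needs for Samba to authenticate it and map it to a unix account.
REQUIRED_CLASSES = {"posixAccount", "sambaSamAccount"}
REQUIRED_ATTRS = {"uid", "uidNumber", "gidNumber", "sambaSID",
                  "sambaAcctFlags", "sambaNTPassword"}
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")      # domain SID followed by a RID
FLAGS_RE = re.compile(r"^\[[NDHSXLITUWM ]*\]$")         # Samba 3 flag letters, space padded
NT_HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

SAMPLE_LDIF = """\
dn: uid=dsixpack,ou=People,dc=crm,dc=csux,dc=edu
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: sambaSamAccount
uid: dsixpack
uidNumber: 9239
gidNumber: 12
homeDirectory: /afs/cats.csux.edu/users/t/dsixpack
sambaSID: S-1-5-21-XX-XX-XX

dn: uid=ws01$,ou=host,dc=crm,dc=csux,dc=edu
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws01$
uidNumber: 20001
gidNumber: 515
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-41002
sambaAcctFlags: [U          ]
sambaNTPassword: 00000000000000000000000000000000
"""


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no line folding) into a list of
    {attribute: [values]} dicts, one per blank-line separated entry."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def check_entry(entry):
    """Return the list of problems found; an empty list means the entry is complete."""
    problems = []
    classes = set(entry.get("objectClass", []))
    problems += ["missing objectClass %s" % oc for oc in sorted(REQUIRED_CLASSES - classes)]
    problems += ["missing attribute %s" % a for a in sorted(REQUIRED_ATTRS - set(entry))]

    sid = entry.get("sambaSID", [""])[0]
    if sid and not SID_RE.match(sid):
        problems.append("sambaSID %r is not a well-formed domain SID" % sid)

    nthash = entry.get("sambaNTPassword", [""])[0]
    if nthash and not NT_HASH_RE.match(nthash):
        problems.append("sambaNTPassword is not 32 hex digits")

    uid = entry.get("uid", [""])[0]
    flags = entry.get("sambaAcctFlags", [""])[0]
    if flags:
        if not FLAGS_RE.match(flags):
            problems.append("sambaAcctFlags %r is malformed" % flags)
        elif uid.endswith("$") and "W" not in flags:
            problems.append("machine account %s should carry the W flag" % uid)
        elif not uid.endswith("$") and "U" not in flags:
            problems.append("user account %s should carry the U flag" % uid)
    return problems


def check_ldif(text):
    """Map each entry's dn to its list of problems."""
    return {e.get("dn", ["?"])[0]: check_entry(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, problems in check_ldif(SAMPLE_LDIF).items():
        print(dn)
        for p in problems or ["ok"]:
            print("   ", p)
```

Run against a real dump (for example the output of ldapsearch -LLL with the attributes above), the first sample entry reports the missing flags and NT hash and the placeholder SID; the second reports that a uid ending in "$" is a machine trust account and should carry W rather than U.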
Re: [Samba] SMB+LDAP
On Tue, 2012-08-07 at 14:37 -0700, Frans Lanting - IT Admin wrote:
> Hi Folks,
> A couple of questions about making SMB (3 or 4) authenticate to an external (anonymous) LDAP server:
> [...]
> Note we have read-only access to our LDAP server, though a record could be created for us if absolutely needed.

If you are only able to get anonymous read only access, then you won't be able to read any password hash values that you did somehow manage to get stored into the directory. In short, it isn't possible to make Samba use this LDAP server directly.

Is there some Windows domain that is synchronised against this directory that your (presumably) windows clients already use? This would be what you would join Samba to.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
[Samba] smb + ldap: changing passwords from windows: SSHA instead of CRYPT
Dear friends,

We have samba-3.0.21c-1 under RH9 + openldap 2.3.11 under FC4. When a windows user changes his password using Ctrl-Alt-Del the password is stored on ldap in SSHA format, but we need to work with CRYPT because we have some apps that don't support SSHA.

These are the lines related with authentication defined in smb.conf:

  encrypt passwords = yes
  ldap passwd sync = Yes
  passwd program = /usr/local/sbin/smbldap-passwd -u %u
  passwd chat = Changing password for*\nNew password* %n\n *Retype new password* %n\n
  passdb backend = ldapsam:ldap://ldapserver.ingeominas.gov.co/

and this is the setup in smbldap.conf:

  # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
  hash_encrypt=CRYPT

So, I don't know why windows is changing the password in SSHA format. I appreciate your help.

Pablo Chamorro

--
Tel: +57 (2) 7314752/3222/2595 - Fax: +57 (2) 7310514
Carrera 31 #18-07 Parque Infantil - PO Box 1795 - Pasto

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] smb + ldap: changing passwords from windows: SSHA instead of CRYPT
It's an openLDAP setting. ldap.conf has a 'pam_password' setting; setting this to crypt may work for you.

On 11/7/06, Pablo Chamorro C. [EMAIL PROTECTED] wrote:
> Dear friends,
> We have samba-3.0.21c-1 under RH9 + openldap 2.3.11 under FC4. When a windows user changes his password using Ctrl-Alt-Del the password is stored on ldap in SSHA format, but we need to work with CRYPT because we have some apps that don't support SSHA.
> [...]

--
*** Cleber P. de Souza
Re: [Samba] smb + ldap: changing passwords from windows: SSHA instead of CRYPT
> It's an openLDAP setting. ldap.conf has a 'pam_password' setting; setting this to crypt may work for you.

I did the change in /etc/ldap.conf, /etc/openldap/ldap.conf and /usr/local/etc/openldap/ldap.conf and restarted openldap, and it didn't work. I wonder how it works, because I understand windows contacts the PDC and the PDC is using smbldap-passwd, but nothing about using pam? Could somebody explain it to me? What else can I try? Perhaps inserting crypt in this line of /etc/pam.d/system-auth in the PDC?:

  password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow

Sorry, I don't know much about pam.

Thank you,

Pablo

On 11/7/06, Pablo Chamorro C. [EMAIL PROTECTED] wrote:
> Dear friends,
> We have samba-3.0.21c-1 under RH9 + openldap 2.3.11 under FC4. When a windows user changes his password using Ctrl-Alt-Del the password is stored on ldap in SSHA format, but we need to work with CRYPT because we have some apps that don't support SSHA.
> [...]

--
Ext. 2188 (until 18 Nov 2006)
Tel: +57 (2) 7314752/3222/2595 - Fax: +57 (2) 7310514
Carrera 31 #18-07 Parque Infantil - PO Box 1795 - Pasto
Re: [Samba] smb + ldap: changing passwords from windows: SSHA instead of CRYPT
Using smbldap-tools you have to change the smbldap.conf and set hash_encrypt to CRYPT.

On 11/7/06, Pablo Chamorro C. [EMAIL PROTECTED] wrote:
>> It's an openLDAP setting. ldap.conf has a 'pam_password' setting; setting this to crypt may work for you.
>
> I did the change in /etc/ldap.conf, /etc/openldap/ldap.conf and /usr/local/etc/openldap/ldap.conf and restarted openldap, and it didn't work. I wonder how it works, because I understand windows contacts the PDC and the PDC is using smbldap-passwd, but nothing about using pam? Could somebody explain it to me? What else can I try? Perhaps inserting crypt in this line of /etc/pam.d/system-auth in the PDC?:
>
>   password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>
> Sorry, I don't know much about pam.
> [...]

--
*** Cleber P. de Souza
Re: [Samba] smb + ldap: changing passwords from windows: SSHA instead of CRYPT
> Using smbldap-tools you have to change the smbldap.conf and set hash_encrypt to CRYPT.

Yeah, it is like that, but changing the password from windows something is happening and the password ends up in SSHA format.

  hash_encrypt=CRYPT

thanks,

Pablo

--
Ext. 2188 (until 18 Nov 2006)
Tel: +57 (2) 7314752/3222/2595 - Fax: +57 (2) 7310514
Carrera 31 #18-07 Parque Infantil - PO Box 1795 - Pasto
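The thread never resolves which component wrote the {SSHA} value, but the first thing to establish when chasing it is what each userPassword in the directory actually looks like, so that after any change you can see whether new passwords land as {CRYPT} and whether the {SSHA} values still verify. The script below is an added example (not code from the thread, OpenLDAP or smbldap-tools): it classifies userPassword values by their RFC 2307 scheme prefix, builds and verifies {SSHA} values (base64 of SHA-1(password + salt) followed by the salt, the form OpenLDAP uses), and lists the entries that an application which only understands {CRYPT} will not be able to check. The directory dump and the password are constructed.

```python
"""Which scheme is each userPassword stored in, and does {SSHA} verify?

Added example; not code from the thread, OpenLDAP or smbldap-tools.  It
classifies RFC 2307 style userPassword values ({CRYPT}, {SSHA}, {MD5},
cleartext), builds and verifies {SSHA} values so a migration can be
confirmed, and lists the entries an application that only understands
{CRYPT} will not be able to check.  The dump and the password are constructed.
"""
import base64
import hashlib
import os
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def scheme_of(value):
    """Return the scheme prefix of a userPassword value, 'CLEARTEXT' if none."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "CLEARTEXT"


def ssha_hash(password, salt=None):
    """Build an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, value):
    """Check a password against an {SSHA} value using the salt stored in it."""
    if scheme_of(value) != "SSHA":
        return False
    raw = base64.b64decode(value[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def audit(entries, wanted="CRYPT"):
    """Return (uid -> scheme, sorted uids whose scheme is not the wanted one)."""
    report = {uid: scheme_of(pw) for uid, pw in entries.items()}
    offenders = sorted(uid for uid, s in report.items() if s != wanted)
    return report, offenders


# Constructed dump: a user kept in CRYPT by smbldap-passwd, a user whose
# password was changed from Windows and came back as SSHA, and a cleartext one.
SAMPLE_ENTRIES = {
    "pablo": "{CRYPT}$1$saltsalt$" + "x" * 22,   # shape of an MD5-crypt value, not a real hash
    "maria": ssha_hash("Secret123", salt=b"\x01\x02\x03\x04"),
    "guest": "plaintext-oops",
}

if __name__ == "__main__":
    report, offenders = audit(SAMPLE_ENTRIES)
    for uid, scheme in sorted(report.items()):
        print("%-8s %s" % (uid, scheme))
    print("not CRYPT:", ", ".join(offenders))
```

Feed it the uid and userPassword pairs from an ldapsearch run as a DN allowed to read userPassword; anonymous or ordinary-user binds normally cannot, which is the same point Andrew Bartlett makes in the first thread on this page.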
Re: [Samba] smb-ldap or not to smb-ldap
On Fri, 2006-03-31 at 16:30 +0100, Antony Gelberg wrote:
> Hi all,
> We are deploying a Linux server and desktops for a customer. We will have the users and groups in LDAP on the server, and files shared via NFS. However, one never knows if Windows desktops will be needed in the future. Is it a good idea to add users with smb-ldap even if samba is not initially used, as adding the samba attributes to an existing LDAP database is painful, and the smb-ldap created users will have the relevant POSIX credentials to be able to login anyway?

Do use LDAP; having something that does the stuff is awesome.

Recently The Linux Journal had a series that goes into your kind of questions and gives some very good overall answers. While I disagree with some of the implementation, Ti Leggett has done some very good work to bring things together. He brings in quite a bit of the planning and why-fors etc. into the article. This is good, as many many people ignore most of these things while trying to get things working, creating a serious mess that is very discouraging. You could nearly go line for line on his configs.

Ti Leggett also refers to some previous articles at the LJ; also, you should be at least able to skim these referenced articles and completely understand them. If you can't or don't understand the reference articles, you need to sit down and work them out before proceeding here.

Single Sign-On and the Corporate Directory, Part 1
http://www.linuxjournal.com/article/8374

Single Sign-On and the Corporate Directory, Part 2
http://www.linuxjournal.com/article/8375

Single Sign-On and the Corporate Directory, Part 3
http://www.linuxjournal.com/article/8376

Single Sign-On and the Corporate Directory, Part 4
http://www.linuxjournal.com/article/8377

A follow on from Single Sign-On and the Corporate Directory (Part 1-4), in my opinion goes very well with the previous series and may well have been intended.

Using Wikis and Blogs to Ease Administration
http://www.linuxjournal.com/article/8779

The last one goes into making sure you cover your assets, and documentation is a wonderful thing.

Using these articles as a reference for steering your decisions is a good idea. You may disagree with Ti on some things or particular items that you won't/can't/are forbidden to use, but then again consider the whole picture he gives us.

Good luck and hope to hear good news.

--
greg, [EMAIL PROTECTED]
The technology that is Stronger, Better, Faster: Linux
Use Debian GNU/Linux, it's a bazaar thing
NOTICE: Due to Presidential Executive Orders, the National Security Agency may have read this email without warning, warrant, or notice, and certainly without probable cause. They may do this without any judicial or legislative oversight. You have no recourse nor protection.
Re: [Samba] smb-ldap or not to smb-ldap
[Sorry for my previous empty post, lost it for a second.]

Craig White wrote:
> On Fri, 2006-03-31 at 16:30 +0100, Antony Gelberg wrote:
>> Hi all,
>> We are deploying a Linux server and desktops for a customer. We will have the users and groups in LDAP on the server, and files shared via NFS. However, one never knows if Windows desktops will be needed in the future. Is it a good idea to add users with smb-ldap even if samba is not initially used, as adding the samba attributes to an existing LDAP database is painful, and the smb-ldap created users will have the relevant POSIX credentials to be able to login anyway?
>
> It would seem to me that a successful LDAP implementation is going to have an administrator who can script changes to the users' attributes when necessary; otherwise, it's not just a down the road implementation of samba that will make things difficult. My thinking is that time spent now to acquire skill sets is better than spending time to configure an imagined samba implementation which may happen down the road.

You're right, but time is not always that easy to come by and smbldap-tools is a real time-saver, being so powerful.

> That being said, it probably won't hurt anything to implement smbldap-tools but consider that the real issue is the tool sets you use to create/modify existing users outside of the samba realm must all anticipate the samba schema because the smbldap-tools are for samba based tools.

There is no requirement to have users who aren't part of the samba realm, i.e. with POSIX login only, so we can always use the smbldap-tools toolset. Or did I misunderstand your point?
Re: [Samba] smb-ldap or not to smb-ldap
Craig White wrote:
> On Fri, 2006-03-31 at 16:30 +0100, Antony Gelberg wrote:
>> Hi all,
>> We are deploying a Linux server and desktops for a customer. [...]
>
> It would seem to me that a successful LDAP implementation is going to have an administrator who can script changes to the users' attributes when necessary; otherwise, it's not just a down the road implementation of samba that will make things difficult. My thinking is that time spent now to acquire skill sets is better than spending time to configure an imagined samba implementation which may happen down the road.
>
> That being said, it probably won't hurt anything to implement smbldap-tools but consider that the real issue is the tool sets you use to create/modify existing users outside of the samba realm must all anticipate the samba schema because the smbldap-tools are for samba based tools.
>
> Craig
Re: [Samba] smb-ldap or not to smb-ldap
On Sat, 2006-04-01 at 12:56 +0100, Antony Gelberg wrote:
> [Sorry for my previous empty post, lost it for a second.]
>
> Craig White wrote:
>> On Fri, 2006-03-31 at 16:30 +0100, Antony Gelberg wrote:
>>> Hi all,
>>> We are deploying a Linux server and desktops for a customer. [...]
>>
>> It would seem to me that a successful LDAP implementation is going to have an administrator who can script changes to the users' attributes when necessary; otherwise, it's not just a down the road implementation of samba that will make things difficult. My thinking is that time spent now to acquire skill sets is better than spending time to configure an imagined samba implementation which may happen down the road.
>
> You're right, but time is not always that easy to come by and smbldap-tools is a real time-saver, being so powerful.
>
>> That being said, it probably won't hurt anything to implement smbldap-tools but consider that the real issue is the tool sets you use to create/modify existing users outside of the samba realm must all anticipate the samba schema because the smbldap-tools are for samba based tools.
>
> There is no requirement to have users who aren't part of the samba realm, i.e. with POSIX login only, so we can always use the smbldap-tools toolset. Or did I misunderstand your point?

Yeah, I think you did miss the point, not that it was very important. He's asking about pre-configuring smbldap-tools without an intention or a plan to implement for the near future, as a just-in-case proposition, because he doesn't know how to go back in and add attributes/objectclasses to his existing DSA.

I'm suggesting that learning to do that would likely be a better investment in time than trying to calculate what an unneeded samba setup would look like so he can configure it now in anticipation. I'm suggesting that the problem down the road won't be because he didn't configure smbldap-tools now, but more likely to be not knowing how to manipulate the entries in LDAP on a mass scale.

Craig
[Samba] smb-ldap or not to smb-ldap
Hi all,

We are deploying a Linux server and desktops for a customer. We will have the users and groups in LDAP on the server, and files shared via NFS. However, one never knows if Windows desktops will be needed in the future. Is it a good idea to add users with smb-ldap even if samba is not initially used, as adding the samba attributes to an existing LDAP database is painful, and the smb-ldap created users will have the relevant POSIX credentials to be able to login anyway?

Antony
Re: [Samba] smb-ldap or not to smb-ldap
On Fri, 2006-03-31 at 16:30 +0100, Antony Gelberg wrote:
> Hi all,
> We are deploying a Linux server and desktops for a customer. We will have the users and groups in LDAP on the server, and files shared via NFS. However, one never knows if Windows desktops will be needed in the future. Is it a good idea to add users with smb-ldap even if samba is not initially used, as adding the samba attributes to an existing LDAP database is painful, and the smb-ldap created users will have the relevant POSIX credentials to be able to login anyway?

It would seem to me that a successful LDAP implementation is going to have an administrator who can script changes to the users' attributes when necessary; otherwise, it's not just a down the road implementation of samba that will make things difficult. My thinking is that time spent now to acquire skill sets is better than spending time to configure an imagined samba implementation which may happen down the road.

That being said, it probably won't hurt anything to implement smbldap-tools but consider that the real issue is the tool sets you use to create/modify existing users outside of the samba realm must all anticipate the samba schema because the smbldap-tools are for samba based tools.

Craig
Re: [Samba] smb-ldap or not to smb-ldap
On Fri, 31 Mar 2006, Antony Gelberg wrote:
> We are deploying a Linux server and desktops for a customer. We will have the users and groups in LDAP on the server, and files shared via NFS. However, one never knows if Windows desktops will be needed in the future. Is it a good idea to add users with smb-ldap even if samba is not initially used, as adding the samba attributes to an existing LDAP database is painful, and the smb-ldap created users will have the relevant POSIX credentials to be able to login anyway?

We have this configuration. We had some windows boxes, which used samba. Our database was an ldap backend. We now use the ldap backend for everything, including global address book, proxy authentication, email, intranet application etc. Having an ldap backend is very useful.
[Samba] SMB/LDAP: Confused...
Hi.

I have an existing departmental network based on AFS, Kerberos 5 and LDAP. All unixes work nicely, logging in remotely. So, Samba acting as a PDC with OpenLDAP. Now I'd like to interoperate with all windows workstations. I chose the LDAP way, since it's the most flexible and secure way... or at least, it seems to me more flexible than using a single /etc/passwd file on a distributed environment.

LDAP contains a root dc=dept and we already have groups and persons just working, and experimental hosts:

  # group example
  dn: cn=deptafs,ou=info,dc=dept
  objectClass: top
  objectClass: posixGroup
  cn: diaafs
  gidNumber: 1
  description: general afs group

  # user example
  dn: uid=doe,ou=info,dc=dept
  objectClass: top
  objectClass: posixAccount
  objectClass: shadowAccount
  objectClass: inetOrgPerson
  cn: John
  uid: Doe
  uidNumber: 1
  gidNumber: 1
  description: info will be here
  title: Mr.
  sn: Doe
  o: MyUniversity
  ou: Dept
  st: State
  l: City
  mail: [EMAIL PROTECTED]
  gecos: ,,,
  givenName: John
  displayName: John Doe
  homeDirectory: /afs/my.dept.org/users/d/doe
  loginShell: /bin/bash

  # host example
  dn: cn=host.dept.org,ou=host,dc=dept
  objectClass: locality
  objectClass: ipHost
  objectClass: ieee802Device
  objectClass: bootableDevice
  ipHostNumber: 123.123.123.11
  cn: host.dept.org
  macAddress: 00:00:00:00:00:00

My ldap admin is cn=sysadmin and there's just a rootdn entry in slapd.conf; the password is provided by kerberos via GSSAPI/SASL.

I've got many questions, but one important thing is not to mess with the ldap database so much... I don't like to rewrite the db from scratch.

Now my concerns :)

The smbldap-tools are of no use probably for us, since all the docs I've read start with smbldap-populate... but I have a db just working. So, I need to add the minimum required entries into ldap and modify the existing names in order to make all users use the remote profiling.

My UIDs are LDAP-only. I generate them from AFS, and so they are unmodifiable. Of course, this shouldn't be an issue... I hope.

As long as I've understood, I must add a dn for the domain. I have no idea how to generate a SID, and I have no idea how RidBase works with samba if we do not use smbldap-tools. This is my example:

  # TESTING, dia
  dn: sambaDomainName=TESTING,dc=dept
  sambaDomainName: TESTING
  sambaSID: S-1-1-21-3138413446-3899332943-2322914696
  sambaAlgorithmicRidBase: 1000
  objectClass: sambaDomain

All users must be modified using the samba schema. Again. What can I do with SIDs (user and groups)? I mean, can I use *any* sid I want from the UID I have, or must I make some kind of trick? What about LM password and NT password? I will use, if I understand, the userPassword field, not the other two.

The profile can be put wherever I want, if I understand... so I'd like to store them under /afs/../username/windows, so username-dependent... this is difficult to understand for me: how to specify a UNC path for user profiling, given this unix pattern /afs/my.dept.org/users/d/doe, and putting profiles under windows/ on each home directory.

That's my guess, wrong for sure:

  dn: uid=doe,ou=info,dc=dept
  uidNumber: 1
  gidNumber: 1
  homeDirectory: /afs/my.dept.org/users/d/doe
  loginShell: /bin/bash
  gecos: ,,,
  description: info will be here
  sambaLogonTime: 0
  sambaLogoffTime: 2147483647
  sambaKickoffTime: 2147483647
  sambaPwdCanChange: 0
  displayName: John Doe
  sambaSID: S-1-5-21-4231626423-2410014848-2360679739-3000
  sambaPrimaryGroupSID: S-1-5-21-4231626423-2410014848-2360679739-513
  sambaLogonScript: common.bat
  sambaProfilePath: \\TESTINGPDC\users\d\doe\windows
  sambaHomePath: \\TESTINGPDC\users\d\doe
  sambaHomeDrive: Z:
  sambaLMPassword: 7584248B8D2C9F9EAAD3B435B51404EE
  sambaAcctFlags: [U]
  sambaNTPassword: 186CB09181E2C2ECAAC768C47C729904
  sambaPwdLastSet: 1081281346
  sambaPwdMustChange: 1085169346
  userPassword: {SSHA}jg1v0WaeBkymhWasjeiprxzHxdmTAHd+

  [global]
  workgroup=TESTING
  netbios name=TESTINGPDC
  enable privileges=yes
  server string=Samba-LDAP
  ldap passwd sync=yes
  passdb backend=ldapsam:ldap://ldap.dept.org/
  ldap admin dn=cn=sysadmin,dc=dept
  ldap suffix=dc=dept
  ldap group suffix=ou=info,dc=dept
  ldap user suffix=ou=info,dc=dept
  ldap machine suffix=ou=host,dc=dept
  ldap ssl=no
  logon script=scripts\logon.bat
  domain logons=yes
  os level=64
  preferred master=yes
  domain master=yes

  #[profiles]
  #path=/var/local/samba/profiles
  #read only=no
  #create mask=0600
  #directory mask=0700
  #browseable=no
  #guest ok=yes
  #profile acls=yes
  #csc policy=disable
  #force user=%U

  [netlogon]
  path=/var/local/samba/netlogon
  browseable=no
  read only=yes

--
Sensei [EMAIL PROTECTED]
The difference between stupidity and genius is that genius has its limits. (A. Einstein)
[Samba] SMB+LDAP Question ...
Greetings ...

I have a quick question, which I hope will get a straight and quick answer. I am moving my system from flat files to LDAP. I have had my users in LDAP for a while, but then found that my computer accounts for Win2K are still in passwd. My question is, what are the bare minimum LDAP attribs that I need for them to continue to work?

But I don't think I am going to get that answered, so, do I need a Unix password for computers?

I would just like to keep as little info in my LDAP as possible .. I still believe the smallest amount of common info is best.

Thanks.

Mailed
Lee

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] SMB+LDAP Question ...
Message: 18
Date: Wed, 15 Jan 2003 15:58:41 +0200
From: C.Lee Taylor [EMAIL PROTECTED]
Organization: LeeNX
To: [EMAIL PROTECTED]
Subject: [Samba] SMB+LDAP Question ...

> Greetings ...
> I have a quick question, which I hope will get a straight and quick answer. I am moving my system from flat files to LDAP. I have had my users in LDAP for a while, but then found that my computer accounts for Win2K are still in passwd. My question is, what are the bare minimum LDAP attribs that I need for them to continue to work?

AFAIK, just sambaAccount and related items.

> But I don't think I am going to get that answered, so, do I need a Unix password for computers?

No.

> I would just like to keep as little info in my LDAP as possible .. I still believe the smallest amount of common info is best.

In the end, in 2.2.x and non-NUA sam backends in 3.0alpha, you need the following to work on any DC:

$ getent passwd machine$

So, on your DCs, you either need a unix account for the machine in /etc/passwd, or an LDAP account with posixAccount and sambaAccount.

BTW, see examples/LDAP/import_smbpasswd.pl in the samba docs if you haven't yet. Should work for importing machine accounts.

Buchan
--
|--Another happy Mandrake Club member--|
Buchan Milne  Mechanical Engineer, Network Manager
Cellphone * Work  +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering  http://www.cae.co.za
GPG Key  http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
Re: [Samba] SMB+LDAP Question ...
>> I am moving my system from flat files to LDAP. I have had my users in LDAP for a while, but then found that my computer accounts for Win2K are still in passwd. My question is, what are the bare minimum LDAP attribs that I need for them to continue to work?
> AFAIK, just sambaAccount and related items.

Mmm, you see, if you have the /etc/passwd entry and do a smbpasswd -a -m with LDAP, it creates the sambaAccount stuff in LDAP, but if I delete the /etc/passwd entry without moving it into LDAP, the computer will not logon the PDC/Network. So now I have a few machine accounts which I want to move into LDAP, so I would like to know what I need, at least from an LDAP point of view ...

> In the end, in 2.2.x and non-NUA sam backends in 3.0alpha, you need the following to work on any DC:
> $ getent passwd machine$
> So, on your DCs, you either need a unix account for the machine in /etc/passwd, or an LDAP account with posixAccount and sambaAccount

Okay, but what does Samba 2.2 need with posixAccount? I mean, it does not need a homedir for anything. It does not need the Unix password stuff. I currently use the gid, but if it's in LDAP, I don't think I need that either.

> BTW, see examples/LDAP/import_smbpasswd.pl in the samba docs if you haven't yet. Should work for importing machine accounts.

But I would think that import_smbpasswd.pl is for importing smbpasswd, I need to bring in the passwd, that is why I am asking ...

Again, thanks for your input.
Mailed
Lee
Re: [Samba] SMB+LDAP Question ...
C.Lee Taylor wrote:

>> AFAIK, just sambaAccount and related items.
> Mmm, you see, if you have the /etc/passwd entry and do a smbpasswd -a -m with LDAP, it creates the sambaAccount stuff in LDAP, but if I delete the /etc/passwd entry without moving it into LDAP, the computer will not logon the PDC/Network.

So are you saying you have machines that are in LDAP, have no posixAccount in LDAP, no entry in smbpasswd, but have an entry in passwd?

> So now I have a few machine accounts which I want to move into LDAP, so I would like to know what I need, at least from an LDAP point of view ...
>> In the end, in 2.2.x and non-NUA sam backends in 3.0alpha, you need the following to work on any DC:
>> $ getent passwd machine$
>> So, on your DCs, you either need a unix account for the machine in /etc/passwd, or an LDAP account with posixAccount and sambaAccount
> Okay, but what does Samba 2.2 need with posixAccount? I mean, it does not need a homedir for anything. It does not need the Unix password stuff. I currently use the gid, but if it's in LDAP, I don't think I need that either.

But gidNumber is an attribute of posixAccount, as is uid (and uidNumber). getent passwd won't return (under normal circumstances) an LDAP entry that doesn't have objectclass:posixAccount. AFAIK, samba checks the equivalent C call (getpwent) unless using one of the NUA backends.

>> BTW, see examples/LDAP/import_smbpasswd.pl in the samba docs if you haven't yet. Should work for importing machine accounts.
> But I would think that import_smbpasswd.pl is for importing smbpasswd, I need to bring in the passwd, that is why I am asking ...

Well, what you *really* want is LDAP accounts for machines that exist in smbpasswd but not in LDAP? Extract the entries from smbpasswd for those machines, and then run the script ... On Mandrake, that would be:

$ /usr/share/samba/scripts/import_smbpasswd.pl /path/to/modified/smbpasswd

Anyway, we've had some issues migrating DCs ... am not entirely convinced smbpasswd -S really works ... but it could be other issues. At least when we are done, we will know that nothing more resides in files, since the new machine does everything via LDAP.

Buchan
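Buchan's point that a machine account needs posixAccount plus sambaAccount (sambaSamAccount in Samba 3) and nothing more, and the guessed user entry posted with the smb.conf earlier on this page, both come down to the same question: does an LDIF entry carry the MUST attributes the ldapsam backend expects, and are its Samba attributes consistent with each other? The Python script below is an added example, not code from any of the posts nor from Samba or smbldap-tools. It parses one LDIF entry and reports what is missing or inconsistent; the MUST lists follow the posixAccount and sambaSamAccount object classes in the Samba 3 schema, and both sample entries are constructed (their SIDs and hash values are made up, and the user entry is deliberately incomplete).

```python
"""Check an LDIF entry for what Samba's ldapsam backend needs.

Added example; not from the list posts, Samba or smbldap-tools.
MUST attribute sets follow the posixAccount (nis.schema) and
sambaSamAccount (samba.schema, Samba 3) object classes.
"""
import base64
import re
from collections import defaultdict

MUST = {
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
    "sambaSamAccount": {"uid", "sambaSID"},
}
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")                 # NT/LM hash format
SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")      # domain SID + RID

# Constructed sample: a user entry that is missing cn and whose primary
# group SID comes from a different domain than sambaSID.
SAMPLE_USER_LDIF = """\
dn: uid=doe,ou=info,dc=dept
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: doe
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/doe
sambaSID: S-1-5-21-111111111-222222222-333333333-3002
sambaPrimaryGroupSID: S-1-5-21-1-2-3-513
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaAcctFlags: [U          ]
"""

# Constructed sample: the minimal machine (trust) account Buchan describes.
SAMPLE_MACHINE_LDIF = """\
dn: uid=ws01$,ou=host,dc=dept
objectClass: posixAccount
objectClass: sambaSamAccount
cn: ws01$
uid: ws01$
uidNumber: 5001
gidNumber: 515
homeDirectory: /dev/null
sambaSID: S-1-5-21-111111111-222222222-333333333-11002
sambaAcctFlags: [W          ]
"""


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}.
    Handles folded continuation lines (leading space) and base64 values ('attr:: ...')."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold a continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = defaultdict(list)
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        entry[attr.strip()].append(value.strip())
    return entry


def check_entry(entry):
    """Return the list of problems that would stop ldapsam from using the entry."""
    problems = []
    classes = set(entry.get("objectClass", []))
    for oc, attrs in MUST.items():
        if oc not in classes:
            problems.append(f"missing objectClass {oc}")
        for attr in sorted(attrs - set(entry)):
            problems.append(f"missing {attr} (required by {oc})")
    # Both SIDs must carry the domain SID of the Samba domain.
    domains = {}
    for attr in ("sambaSID", "sambaPrimaryGroupSID"):
        if attr in entry:
            m = SID.match(entry[attr][0])
            if not m:
                problems.append(f"{attr} is not a well-formed domain SID")
            else:
                domains[attr] = m.group(1)
    if len(set(domains.values())) > 1:
        problems.append("sambaSID and sambaPrimaryGroupSID belong to different domains")
    for attr in ("sambaNTPassword", "sambaLMPassword"):
        if attr in entry and not HEX32.match(entry[attr][0]):
            problems.append(f"{attr} is not 32 hex digits")
    # Machine accounts: uid ends in '$' and sambaAcctFlags contains W.
    uid = entry.get("uid", [""])[0]
    flags = entry.get("sambaAcctFlags", [""])[0]
    if uid.endswith("$") and "W" not in flags:
        problems.append("machine account uid but sambaAcctFlags lacks W")
    if uid and not uid.endswith("$") and "W" in flags:
        problems.append("sambaAcctFlags marks a workstation but uid lacks '$'")
    return problems


if __name__ == "__main__":
    for name, ldif in (("user", SAMPLE_USER_LDIF), ("machine", SAMPLE_MACHINE_LDIF)):
        print(name, check_entry(parse_ldif(ldif)) or ["ok"])
```

Run against the two constructed entries it reports the missing cn and the SID domain mismatch for the user, and nothing for the machine account, which matches the "posixAccount plus sambaAccount, no password, no real home" answer above. To check a real directory, pipe the output of an ldapsearch for one entry into parse_ldif.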
Re: [Samba] SMB LDAP tools
Gregory Chagnon wrote:

> Hi-
> I'm using the SMB ldap tools to add entries to my ldap database for use with Samba. Does anyone know how I can create the userPassword field with PHP? I've tried a few things, but none of them worked.
> Thanks!!
> -Greg

Depends on what you want to use as algorithm. But it works simply: just do

$userPassword = "{crypt}" . crypt($clearPassword, $salt);   // $salt is required as of PHP 8

Markus Schabel
--
TGM - Die Schule der Technik
IT-Service
A-1200 Wien, Wexstrasse 19-23
Tel.: +43(1)33126/316  Fax: +43(1)33126/154
eMail: [EMAIL PROTECTED]
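Markus's {crypt} form is one of several userPassword encodings OpenLDAP accepts; the entry shown earlier on this page uses {SSHA} (salted SHA-1), and the same entry also needs sambaNTPassword, which is MD4 over the UTF-16LE password. The Python script below is an added example, not code from the posts or from smbldap-tools: it generates both attribute values for an LDIF entry and verifies an {SSHA} value. It carries its own MD4 rather than calling hashlib.new("md4"), which OpenSSL 3 only provides through its legacy provider; the salt and password are constructed sample values, and the obsolete sambaLMPassword is not generated.

```python
"""Produce userPassword ({SSHA}) and sambaNTPassword for an ldapsam entry.

Added example; not from the list posts or smbldap-tools.  MD4 follows
RFC 1320 and is implemented here so the script runs without OpenSSL's
legacy provider.  The password and salt below are constructed samples.
"""
import base64
import hashlib
import hmac
import os
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", 8 * len(data))            # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    k2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    k3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(48):
            if i < 16:      # round 1: F = (x & y) | (~x & z)
                f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:    # round 2: G = majority(x, y, z)
                f, k, s, add = (b & c) | (b & d) | (c & d), k2[i - 16], (3, 5, 9, 13)[i % 4], 0x5A827999
            else:           # round 3: H = x ^ y ^ z
                f, k, s, add = b ^ c ^ d, k3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            t = _rotl((a + f + X[k] + add) & 0xFFFFFFFF, s)
            a, b, c, d = d, t, b, c
        state = [(x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: uppercase hex MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le")).hex().upper()


def make_ssha(password: str, salt: bytes = None) -> str:
    """userPassword in OpenLDAP's {SSHA} form: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    """Check a password against a stored {SSHA} value (salt is whatever follows the 20-byte digest)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_password_attrs(password: str) -> dict:
    """The two password attributes an ldapsam user entry needs, ready for LDIF."""
    return {"userPassword": make_ssha(password), "sambaNTPassword": nt_hash(password)}


if __name__ == "__main__":
    for attr, value in ldif_password_attrs("sample-password").items():   # constructed sample
        print(f"{attr}: {value}")
```

With ldap passwd sync = yes, as in the smb.conf above, Samba rewrites userPassword itself whenever the NT hash changes, so a provisioning script only has to get the two values consistent at account creation; a quick check that the MD4 is right is that the NT hash of "password" is 8846F7EAEE8FB117AD06BDD830B7586C.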
[Samba] SMB LDAP tools
Hi-

I'm using the SMB ldap tools to add entries to my ldap database for use with Samba. Does anyone know how I can create the userPassword field with PHP? I've tried a few things, but none of them worked.

Thanks!!
-Greg