Re: [Samba] Samba/LDAP/PDC Questions

2004-07-27 Thread Kang Sun
Hello Eric,
I just want to make sure we are on the same page.
After vampiring, I got all the user accounts, computer accounts, 
groups, and membership created correctly.
For some reason, the login is disabled. Once I do smbpasswd -e 
userid, I am able to login to that account with the right password. So 
the NT password migrated OK.
smbPassword field only contains '{Crypt}x' but once I copied the 
hashed password from NIS map to that field prefixed with {Crypt}, I 
can also login to the Unix account. 
   Altogether, it means that I have ways to make sure the user 
authentication will work fine with Windows and Unix login. But at what 
point and in what way does the password synchronization work, and in what 
direction?
   The only remaining obstacle is that the computer authentication failed. 
The computer cannot log into the domain unless I rejoin it to the domain. I 
think this is where you failed also.
  I wonder if there is any way to get all the computer account hashes in text 
format from the original NT PDC and just write a script to stick the hash into 
the corresponding smbNTPassword field, just like what I did with the 
userPassword field. Any suggestions?
  Finally, I did get some kind of smbNTPassword during vampiring; does it 
at least look right? Is there any way I can compare it to the original on 
the NT Server? Here is what my machine account looks like:

  Thanks!

--- Kang Sun

dn: uid=KSUN$,ou=People,dc=ab,dc=com
objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
cn: KSUN$
sn: KSUN$
uid: KSUN$
uidNumber: 1801
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
sambaSID: S-1-5-21-72881033-379349262-1855928443-4737
displayName: KSUN$
sambaLogonTime: 1090863161
sambaNTPassword: BCE2D22F8B6638F72008CA16CDEA1F4D
sambaPwdLastSet: 1089841247
sambaAcctFlags: [W  ]
gidNumber: 1000
sambaPrimaryGroupSID: S-1-5-21-72881033-379349262-1855928443-515


Attempting vampire here when everything else works results in user
accounts being created in the LDAP directory (and with a slight ugly
hackish modification to the idealx smbldap-useradd script, posix
accounts being created) and NTLM password hashes being set in the LDAP
tree, and computer accounts being created *but* here is the catch, the
NTLM password hashes for computer accounts are not created.

So if we think of it as a four step process;

1. Create user accounts *OK*
2. Set user account password hashes *OK*
3. Create Machine accounts *OK*
4. Set Machine account password hashes *FAIL*

Of course I'm not bothering to mention the other stuff that it does
cause it's all a bit of black magic to me, but you get the general idea,
it creates user groups as well and associates the appropriate accounts
with the appropriate groups and handles the Unix UID / GID mapping to
the NT equivalent security information.

I'm trying to get more information on the entire process to provide
debug logs to the samba team et al, but I've just been flat out on other
stuff in the meantime which unfortunately has a higher priority than
this at the moment, but I'll endeavour to get the diagnostic info asap,
if someone else wanted to do it before me though, I assume the
interesting stuff would be;

smbd -d 10 -i > smbd.log 2>&1

tcpdump packet capture of traffic between NT PDC and Linux vampire process

strace -f net rpc vampire -S pdc -U administrator%password > vampire.log 2>&1

And try to make sure you're not broadcasting your password hashes in
potentially public bug logs. ^^

What I can tell you from looking at the process so far, is that the NT
PDC is *definitely* providing machine account password hashes, it just
appears that whatever samba should be doing with them, it is not.

Best of luck

Regards

Eric J Bennett



Paul Gienger wrote:
| I'm not at all experienced with the vampire command, but I believe it is
| supposed to bring passwords over.  Perhaps someone can interject here
| who does know what they're talking about???
|
| (note: bringing back on list from an accidental, i suspect, pm)
|
| Kang Sun wrote:
|
|
| Hello Paul,
|
| I have questions on migration. Some other people like Eric
| Bennet and Mike Brodbelt posted similar questions. But I cannot
| find a definite answer to this question: would vampiring using
| samba/ldap/smbldap-tools actually migrate passwords at all?
|
| If the add user/machine script from smb.conf is the only
| tool the vampiring process is calling, it certainly won't create passwords.
| Below is the conversation between me and Mike. I hope you can help us.
|
| -- Kang
|
| Kang Sun wrote:
|  Hello Mike,
| 
|  I did similar things and have similar problems.
|  I looked at the ldap database, the migration did nothing but get all
| the
|  names of users and machines.
|  If the smbldap-* scripts are the only things the vampire process is
| calling, I
|  don't see how it would get anything else.
|
| Agreed, although when migrating with a 
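As an added check, not code from the thread or from Samba: a small Python audit of an LDIF dump taken after the vampire run, reporting the half-migrated states described above (machine accounts that never got a sambaNTPassword or the sambaSamAccount class, accounts still flagged disabled, and userPassword left at the {crypt}x placeholder). The sample entries, uids and hash values are constructed; on a real system feed it the output of slapcat.

```python
"""Audit a Samba/LDAP account dump (slapcat / ldapsearch -LLL LDIF, or
smbldap-usershow output) for the half-migrated state this thread describes."""
import base64
import re
from typing import Dict, List

Entry = Dict[str, List[str]]
LINE_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")  # attr: v | attr:: b64
NT_HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")           # NT hash: 16 bytes as hex


def parse_ldif(text: str) -> List[Entry]:
    """Split LDIF into entries; attribute names are lower-cased because LDAP
    attribute types are case-insensitive (sambaSAMAccount == sambaSamAccount)."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded:
        if not line.strip():                   # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        match = LINE_RE.match(line)
        if line.startswith("#") or not match:
            continue                           # comments and stray pasted text
        attr, sep, value = match.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def audit(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each finding to the uids affected: machine hashes never written (the
    'step 4' failure), accounts still disabled, {crypt}x placeholders, odd hashes."""
    report: Dict[str, List[str]] = {
        "machine_without_samba_class": [],  # never got sambaSamAccount at all
        "machine_missing_nt_hash": [],      # has the class but no sambaNTPassword
        "disabled_flag": [],                # [D] in sambaAcctFlags: logon refused
        "malformed_nt_hash": [],            # present but not 32 hex characters
        "crypt_placeholder": [],            # userPassword {crypt}x: no Unix login
    }
    for entry in entries:
        if "uid" not in entry:
            continue                        # groups, idmap and id-pool entries
        uid = entry["uid"][0]
        is_machine = uid.endswith("$")
        classes = {c.strip().lower() for v in entry.get("objectclass", [])
                   for c in v.split(",")}  # usershow joins classes with commas
        nt_hashes = entry.get("sambantpassword", [])
        flags = entry.get("sambaacctflags", [""])[0]
        if is_machine and "sambasamaccount" not in classes:
            report["machine_without_samba_class"].append(uid)
        elif is_machine and not nt_hashes:
            report["machine_missing_nt_hash"].append(uid)
        if "D" in flags:
            report["disabled_flag"].append(uid)
        if nt_hashes and not NT_HASH_RE.match(nt_hashes[0]):
            report["malformed_nt_hash"].append(uid)
        if not is_machine and any(v.lower() == "{crypt}x"
                                  for v in entry.get("userpassword", [])):
            report["crypt_placeholder"].append(uid)
    return report


# Constructed sample modelled on the entries pasted in this thread; every hash is a placeholder.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
uid: alice
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: top,inetOrgPerson,posixAccount,sambaSAMAccount
uid: bob
sambaAcctFlags: [UD         ]
sambaNTPassword: not-a-hash
userPassword:: e2NyeXB0fXg=

dn: uid=KSUN$,ou=Computers,dc=example,dc=com
objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
uid: KSUN$
sambaAcctFlags: [W          ]
sambaNTPassword: 00112233445566778899AABBCCDDEEFF

dn: uid=quirm$,ou=Computers,dc=example,dc=com
objectClass: top,inetOrgPerson,posixAccount
uid: quirm$

dn: uid=raven$,ou=Computers,dc=example,dc=com
objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
uid: raven$
"""
```

Call `audit(parse_ldif(open("dump.ldif").read()))` on slapcat dumps taken before and after the vampire run to see exactly which attributes the migration wrote and which it did not.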

Re: [Samba] Samba/LDAP/PDC Questions

2004-07-26 Thread Paul Gienger
I'm not at all experienced with the vampire command, but I believe it is 
supposed to bring passwords over.  Perhaps someone can interject here 
who does know what they're talking about???

(note: bringing back on list from an accidental, i suspect, pm)
Kang Sun wrote:
Hello Paul,
I have questions on migration. Some other people like Eric 
Bennet and Mike Brodbelt posted similar questions. But I cannot 
find a definite answer to this question: would vampiring using 
samba/ldap/smbldap-tools actually migrate passwords at all?

If the add user/machine script from smb.conf is the only 
tool the vampiring process is calling, it certainly won't create passwords. 
Below is the conversation between me and Mike. I hope you can help us.

-- Kang
Kang Sun wrote:
 Hello Mike,

 I did similar things and have similar problems.
 I looked at the ldap database, the migration did nothing but get all the
 names of users and machines.
 If the smbldap-* scripts are the only things the vampire process is 
calling, I
 don't see how it would get anything else.

Agreed, although when migrating with a tdbsam backend, the vampire
process will populate the tdbsam with NT passwords and suchlike, but
also runs the useradd scripts to add the posix users, so I thought that
there may be some other data that Samba puts into LDAP directly, not via
invoking the scripts.
The documentation from John Terpstra's book (available online at
http://de.samba.org/samba/docs/man/Samba-Guide/migration.html#id2549828)
suggests that the process should work with an LDAP backend, but I'm
currently at a loss to see how, and I'm unable to replicate this, even
on a test network, with various versions of the Idealx smbldap-tools. It
doesn't appear to work as advertised at the moment.
 After vampiring,

 1. All the computer accounts and user accounts (posixAccount as 
well) are
 created just like being created by smbldap-useradd, with the default
 parameters as defined in the smbldap.conf or smbldap_config.pm, eg,
 profiles, logon scripts, etc, user name, etc.

Yes, this seems to work when run from the command line. Vampiring seems
to throw up some errors that I've not tracked down yet though.
 2. Users lost their domain membership. Every user account now 
belongs
 to the Domain Users group. No one in the Domain Admins group except
 Administrator.

 The migration process must have done more than just calling these
 smbldap-tools scripts, but I just don't see the effect.

 What do you see if you do
 smbldap-usershow userid or machinename$  ?

# smbldap-usershow detritus
dn: uid=rwind,ou=People,dc=acu,dc=ac,dc=uk
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSAMAccount
cn: rwind
sn: rwind
uid: rwind
uidNumber: 1006
gidNumber: 513
homeDirectory: /home/rwind
loginShell: /bin/bash
gecos: System User
description: System User
userPassword: {crypt}x
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: System User
sambaAcctFlags: [UX]
sambaSID: S-1-5-21-2704678572-2069052080-1039482078-3012
sambaLMPassword: XXX
sambaPrimaryGroupSID: S-1-5-21-2704678572-2069052080-1039482078-513
sambaProfilePath: \\TALITHA\profiles\rwind
sambaHomePath: \\TALITHA\home\rwind
sambaHomeDrive: M:
sambaNTPassword: XXX
# smbldap-usershow quirm$
dn: uid=quirm$,ou=Computers,dc=acu,dc=ac,dc=uk
objectClass: top,inetOrgPerson,posixAccount
cn: quirm$
sn: quirm$
uid: quirm$
uidNumber: 1013
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
 or smbldap-groupshow groupid  ?
# smbldap-groupshow Domain Admins
dn: cn=Domain Admins,ou=Groups,dc=acu,dc=ac,dc=uk
objectClass: posixGroup,sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: Administrator
description: Netbios Domain Administrators
sambaSID: S-1-5-21-2704678572-2069052080-1039482078-512
sambaGroupType: 2
displayName: Domain Admins
So all that seems to have worked. It's just that some of the information
hasn't migrated across, and in the context of a transparent migration
off the NT4 server, the information that hasn't propagated is a
showstopper. Despite reading all the docs I can lay hands on, I still
can't see why, and the vampire process is not transparent to me - the
docs just assume it'll work completely or not at all - there's nothing
to tell one how to try and troubleshoot it if it half works, which is
what's happening for me.
Mike.

Eric J Bennett [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]...
 Hi all,

 I'm really lost here, I do net rpc vampire and it works perfectly for
 user accounts (sets NTLM pass etc) and creates machine accounts, but
 fails to allocate their password hashes, I think it's calling the
 smbldap-useradd utility to add accounts for machines, but I don't see
 why this would make the hashes transfer for users but not machines?

 Any help much appreciated.

 Regards
 Eric Bennett


Re: [Samba] Samba/LDAP/PDC Questions

2004-07-26 Thread Craig White
oops - meant to send to list

On Mon, 2004-07-26 at 07:23, Paul Gienger wrote:
 I'm not at all experienced with the vampire command, but I believe it
is 
 supposed to bring passwords over.  Perhaps someone can interject here 
 who does know what they're talking about???
 
 (note: bringing back on list from an accidental, i suspect, pm)
 

my experience with vampire command is that it is tricky and needs to be
isolated so that your ldap isn't trashed.

Thus prior to running net rpc vampire etc. - you should slapcat your
ldap so you can trash the resulting ldap, slapadd the entries back in
and try again after fixing things that don't work.

Also, you need to REALLY follow the instructions to the TEE - no
shortcuts as any misconfiguration will cause it to fail. Join the domain
- set the localsid - set smb.conf to a BDC type configuration. These
steps are absolutely vital in addition to having ldap properly
configured in smbldap, smb.conf etc. The first few efforts will almost
always fail because of all of the necessary details.

But to affirm, yes, net rpc vampire process works, user accounts and
groups, machine accounts and passwords can all be migrated. After
vampire migration, elevate settings on samba so that the system becomes
PDC and start samba services and turn netlogon service on NT4 system
off.

Craig

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Samba/LDAP/PDC Questions

2004-07-26 Thread Eric J Bennett
Attempting vampire here when everything else works results in user
accounts being created in the LDAP directory (and with a slight ugly
hackish modification to the idealx smbldap-useradd script, posix
accounts being created) and NTLM password hashes being set in the LDAP
tree, and computer accounts being created *but* here is the catch, the
NTLM password hashes for computer accounts are not created.
So if we think of it as a four step process;
1. Create user accounts *OK*
2. Set user account password hashes *OK*
3. Create Machine accounts *OK*
4. Set Machine account password hashes *FAIL*
Of course I'm not bothering to mention the other stuff that it does
cause it's all a bit of black magic to me, but you get the general idea,
it creates user groups as well and associates the appropriate accounts
with the appropriate groups and handles the Unix UID / GID mapping to
the NT equivalent security information.
I'm trying to get more information on the entire process to provide
debug logs to the samba team et al, but I've just been flat out on other
stuff in the meantime which unfortunately has a higher priority than
this at the moment, but I'll endeavour to get the diagnostic info asap,
if someone else wanted to do it before me though, I assume the
interesting stuff would be;
smbd -d 10 -i > smbd.log 2>&1
tcpdump packet capture of traffic between NT PDC and Linux vampire process
strace -f net rpc vampire -S pdc -U administrator%password > vampire.log 2>&1
And try to make sure you're not broadcasting your password hashes in
potentially public bug logs. ^^
What I can tell you from looking at the process so far, is that the NT
PDC is *definitely* providing machine account password hashes, it just
appears that whatever samba should be doing with them, it is not.
Best of luck
Regards
Eric J Bennett

Paul Gienger wrote:
| I'm not at all experienced with the vampire command, but I believe it is
| supposed to bring passwords over.  Perhaps someone can interject here
| who does know what they're talking about???
|
| (note: bringing back on list from an accidental, i suspect, pm)
|
| Kang Sun wrote:
|
|
| Hello Paul,
|
| I have questions on migration. Some other people like Eric
| Bennet and Mike Brodbelt posted similar questions. But I cannot
| find a definite answer to this question: would vampiring using
| samba/ldap/smbldap-tools actually migrate passwords at all?
|
| If the add user/machine script from smb.conf is the only
| tool the vampiring process is calling, it certainly won't create passwords.
| Below is the conversation between me and Mike. I hope you can help us.
|
| -- Kang
|
| Kang Sun wrote:
|  Hello Mike,
| 
|  I did similar things and have similar problems.
|  I looked at the ldap database, the migration did nothing but get all
| the
|  names of users and machines.
|  If the smbldap-* scripts are the only things the vampire process is
| calling, I
|  don't see how it would get anything else.
|
| Agreed, although when migrating with a tdbsam backend, the vampire
| process will populate the tdbsam with NT passwords and suchlike, but
| also runs the useradd scripts to add the posix users, so I thought that
| there may be some other data that Samba puts into LDAP directly, not via
| invoking the scripts.
|
| The documentation from John Terpstra's book (available online at
| http://de.samba.org/samba/docs/man/Samba-Guide/migration.html#id2549828)
| suggests that the process should work with an LDAP backend, but I'm
| currently at a loss to see how, and I'm unable to replicate this, even
| on a test network, with various versions of the Idealx smbldap-tools. It
| doesn't appear to work as advertised at the moment.
|
|  After vampiring,
| 
|  1. All the computer accounts and user accounts (posixAccount as
| well) are
|  created just like being created by smbldap-useradd, with the default
|  parameters as defined in the smbldap.conf or smbldap_config.pm, eg,
|  profiles, logon scripts, etc, user name, etc.
|
| Yes, this seems to work when run from the command line. Vampiring seems
| to throw up some errors that I've not tracked down yet though.
|
|  2. Users lost their domain membership. Every user account now
| belongs
|  to the Domain Users group. No one in the Domain Admins group except
|  Administrator.
| 
|  The migration process must have done more than just calling these
|  smbldap-tools scripts, but I just don't see the effect.
| 
|  What do you see if you do
|  smbldap-usershow userid or machinename$  ?
|
| # smbldap-usershow detritus
| dn: uid=rwind,ou=People,dc=acu,dc=ac,dc=uk
| objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSAMAccount
| cn: rwind
| sn: rwind
| uid: rwind
| uidNumber: 1006
| gidNumber: 513
| homeDirectory: /home/rwind
| loginShell: /bin/bash
| gecos: System User
| description: System User
| userPassword: {crypt}x
| sambaPwdLastSet: 0
| sambaLogonTime: 0
| sambaLogoffTime: 2147483647
| sambaKickoffTime: 

[Samba] Samba/LDAP/PDC Questions

2004-07-19 Thread ksun
Greetings!

I created a Samba/OpenLDAP/smbldap-tools Primary Domain Controller. So far 
I am able to do the following:
1. Using USRMGR.EXE to administer users and groups.
2. Adding Windows 2000, XP workstation on the fly.
3. PDBEDIT/SMBLDAP-TOOLS/GQ all work as they are supposed to.
4. LDAP authenticates unix accounts.

However, I am not able to do the following:
1. Cannot join an NT machine (SP6a) into the domain. It keeps 
saying that the Machine account is not available or not accessible even 
if I manually added the machine account using smbldap-useradd 
NT$.
2. Cannot use SRVMGR.EXE to add machine to domain. It complains 
Access Denied, though I can do other things like change the permission 
of a share etc.
3. Cannot join an existing domain after I configure it as a BDC 
with the PDC's SID. It complains Failed to setup BDC creds.

It looks like the communication between samba and openldap is OK since I 
can manage user/group with USRMGR.EXE. However, a few questions puzzle 
me:
1. In what situation do I need People group as the group for 
machines?
2. Should the PDC itself be in the ldap backend database?
3. In the /etc/ldap.conf, if I turn on the nss stuff, I cannot log 
in to the domain anymore. It said User does not exist.

Here are the specs of my setup:
Fedora 2 (kernel 2.6.5-1.358)
samba-3.0.3-5
openldap-2.1.29-1
smbldap-tools-0.8.5-1.1.fc2.dag

### /etc/samba/smb.conf #
[global]
workgroup = ab
netbios name = pdc
username map = /etc/samba/smbusers
admin users= @Domain Admins
server string = Samba Server %v
security = user
encrypt passwords = Yes
min passwd length = 3
obey pam restrictions = No
ldap passwd sync = Yes
time server = Yes
mangling method = hash2

domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=ab,dc=com
ldap suffix = dc=ab,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
ldap ssl = no
add user script = /usr/sbin/smbldap-useradd -m %u
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel %u
add machine script = /usr/sbin/smbldap-useradd -w %u
add group script = /usr/sbin/smbldap-groupadd -p %g 
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u 
%g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
preserve case = yes
short preserve case = yes
case sensitive = no

[homes]
comment = repertoire de %U, %u
read only = No
create mask = 0644
directory mask = 0775
browseable = No

[netlogon]
path = /home/netlogon/
browseable = No
read only = yes

[profiles]
path = /home/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles 
force user = %U 
# next line allows administrator to access all profiles 
valid users = %U Domain Admins

# /etc/openldap/slap.conf 

#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/samba.schema

allow bind_v2
pidfile /var/run/slapd.pid

database ldbm
suffix  dc=ab,dc=com
rootdn  cn=Manager,dc=ab,dc=com
rootpw  some secret

directory   /var/lib/ldap

index objectClass   eq,pres
index ou,cn,mail,surname,givenname  eq,pres,sub
index uidNumber,gidNumber,loginShell   eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry   eq,pres,sub

# /etc/smbldap-tools/smbldap.conf 


SID=S-1-5-21-324808091-3910462042-2848579765

slaveLDAP=127.0.0.1
slavePort=389
masterLDAP=127.0.0.1
masterPort=389

ldapTLS=0

suffix=dc=ab,dc=com
usersdn=ou=Users,${suffix}
computersdn=ou=Computers,${suffix}
groupsdn=ou=Groups,${suffix}
idmapdn=ou=Idmap,${suffix}
sambaUnixIdPooldn=cn=NextFreeUnixId,${suffix}

scope=sub
hash_encrypt=SSHA
crypt_salt_format=%s


Re: [Samba] Samba/LDAP/PDC Questions

2004-07-19 Thread Paul Gienger

   1. In what situation do I need People group as the group for 
machines?
 

Always.  Until they fix the bug/design issue that is.
   2. Should the PDC itself be in the ldap backend database?
 

I haven't found a good reason that it 'has' to in my tests.
   3. In the /etc/ldap.conf, if I turn on the nss stuff, I cannot log 
in to the domain anymore. It said User does not exist.
 

Can you expand on this a bit more?  From what you've said (which isn't 
much) it almost sounds like you didn't have ldap working as the posix 
auth system before you layered on samba.

Here are the specs of my setup:
   Fedora 2 (kernel 2.6.5-1.358)
   samba-3.0.3-5
   openldap-2.1.29-1
   smbldap-tools-0.8.5-1.1.fc2.dag
### /etc/samba/smb.conf #
[global]
   workgroup = ab
   netbios name = pdc
   username map = /etc/samba/smbusers
   admin users= @Domain Admins
   server string = Samba Server %v
   security = user
   encrypt passwords = Yes
   min passwd length = 3
   obey pam restrictions = No
   ldap passwd sync = Yes
   time server = Yes
   mangling method = hash2
   domain logons = Yes
   os level = 65
   preferred master = Yes
   domain master = Yes
   wins support = Yes
   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap admin dn = cn=Manager,dc=ab,dc=com
   ldap suffix = dc=ab,dc=com
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Users
   ldap ssl = no
   add user script = /usr/sbin/smbldap-useradd -m %u
   ldap delete dn = Yes
   delete user script = /usr/sbin/smbldap-userdel %u
   add machine script = /usr/sbin/smbldap-useradd -w %u
   add group script = /usr/sbin/smbldap-groupadd -p %g 
   delete group script = /usr/sbin/smbldap-groupdel %g
   add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
   delete user from group script = /usr/sbin/smbldap-groupmod -x %u 
%g
   set primary group script = /usr/sbin/smbldap-usermod -g %g %u
   preserve case = yes
   short preserve case = yes
   case sensitive = no

[homes]
   comment = repertoire de %U, %u
   read only = No
   create mask = 0644
   directory mask = 0775
   browseable = No
[netlogon]
   path = /home/netlogon/
   browseable = No
   read only = yes
[profiles]
   path = /home/profiles
   read only = no
   create mask = 0600
   directory mask = 0700
   browseable = No
   guest ok = Yes
   profile acls = yes
   csc policy = disable
   # next line is a great way to secure the profiles 
   force user = %U 
   # next line allows administrator to access all profiles 
   valid users = %U Domain Admins

# /etc/openldap/slap.conf 

#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/samba.schema

allow bind_v2
pidfile /var/run/slapd.pid
database ldbm
suffix  dc=ab,dc=com
rootdn  cn=Manager,dc=ab,dc=com
rootpw  some secret
directory   /var/lib/ldap
index objectClass   eq,pres
index ou,cn,mail,surname,givenname  eq,pres,sub
index uidNumber,gidNumber,loginShell   eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry   eq,pres,sub
# /etc/smbldap-tools/smbldap.conf 


SID=S-1-5-21-324808091-3910462042-2848579765
slaveLDAP=127.0.0.1
slavePort=389
masterLDAP=127.0.0.1
masterPort=389
ldapTLS=0
suffix=dc=ab,dc=com
usersdn=ou=Users,${suffix}
computersdn=ou=Computers,${suffix}
groupsdn=ou=Groups,${suffix}
idmapdn=ou=Idmap,${suffix}
sambaUnixIdPooldn=cn=NextFreeUnixId,${suffix}
scope=sub
hash_encrypt=SSHA
crypt_salt_format=%s
userLoginShell=/bin/tcsh
userHome=/u/%U
userGecos=System User
defaultUserGid=513
defaultComputerGid=515
skeletonDir=/etc/skel
userSmbHome=\\pdc\%U
userProfile=
userHomeDrive=H:
with_smbpasswd=0
smbpasswd=/usr/bin/smbpasswd
 /etc/ldap.conf 
#
host 127.0.0.1
base dc=ab,dc=com
# nss_base_passwd ou=Users,dc=ab,dc=com?one
# nss_base_shadow ou=Users,dc=ab,dc=com?one
# nss_base_group  ou=Group,dc=ab,dc=com?one
ssl no
pam_password md5
--- Kang Sun

 

--
Paul Gienger Office: 701-281-1884
Applied Engineering Inc. 
Information Systems Consultant   Fax:701-281-1322
URL: www.ae-solutions.com   mailto: [EMAIL PROTECTED]


Re: [Samba] Samba-ldap-pdc questions

2004-01-06 Thread John H Terpstra
On Mon, 5 Jan 2004, Ron Liu wrote:

 Hi, There
 I am setting up Samba(3.0.1-1)-ldap(openldap-2.1.22-8)-pdc on Fedora 1.0.
 I used the RPMs for the installations. After setup, start both smb and ldap
 without problem. However when I tried to add users with smbpasswd -a userid,
 it gave me the following errors. Can someone point me in the right direction; is
 there anything I can do to do more tests and diagnosis? I've copied the error
 message, and the conf file for samba.conf and slapd.conf

Did you store the LDAP admin password in secrets.tdb?

smbpasswd -w 'secret'

- John T.


 Thank you for your help!

 Ron Liu
 Information Technology Consultant
 Biology Department
 San Jose State University
 408-924-4860
 [EMAIL PROTECTED]


 [EMAIL PROTECTED] openldap]# smbpasswd -a bliu
 New SMB password:
 Retype new SMB password:
 fetch_ldap_pw: neither ldap secret retrieved!
 ldap_connect_system: Failed to retrieve password from secrets.tdb
 Connection to LDAP Server failed for the 1 try!
 smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
 credentials)
 fetch_ldap_pw: neither ldap secret retrieved!
 ldap_connect_system: Failed to retrieve password from secrets.tdb
 Connection to LDAP Server failed for the 1 try!
 smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
 credentials)
 fetch_ldap_pw: neither ldap secret retrieved!
 ldap_connect_system: Failed to retrieve password from secrets.tdb
 Connection to LDAP Server failed for the 1 try!
 ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
 (unknown) (Invalid credentials)
 fetch_ldap_pw: neither ldap secret retrieved!
 ldap_connect_system: Failed to retrieve password from secrets.tdb
 Connection to LDAP Server failed for the 1 try!
 smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
 credentials)
 Failed to add entry for user bliu.
 Failed to modify password entry for user bliu


 
 #=== Global Settings
 =
 [global]
workgroup = mydomain
netbios name = ts010
encrypt passwords = yes
passdb backend = ldapsam:ldap://localhost/
ldap suffix = o=mydomain,dc=mydomain,dc=com
ldap machine suffix = ou=Comupters
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=tsadmin,dc=mydomain,dc=com
 #   ldap ssl = start tls
ldap delete dn = no
server string = mydomain Samba Server
hosts allow = 10.101.0. 10.101.1. 127.
printcap name = cups
load printers = yes
printing = cups
log file = /var/log/samba/%m.log
max log size = 50
security = user
password level = 8
 ;  username level = 8
smb passwd file = /etc/samba/smbpasswd
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n
 *passwd *all*authentication*tokens*updated*successfully*
 ;  username map = /etc/samba/smbusers
 ;   include = /etc/samba/smb.conf.%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = yes
os level = 33
domain master = yes
preferred master = yes
domain logons = yes
logon script = scripts\logscript.bat
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
 ; name resolve order = wins lmhosts bcast
wins support = yes
dns proxy = no
write list = @tsadmin
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s
 /bin/false -M %u
 [home]
 ...
 *
 my slapd.conf
 
 # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24
 23:19:14 kurt Exp $
 #
 # See slapd.conf(5) for details on configuration options.
 # This file should NOT be world readable.
 #
 include /etc/openldap/schema/core.schema
 include /etc/openldap/schema/cosine.schema
 include /etc/openldap/schema/inetorgperson.schema
 include /etc/openldap/schema/nis.schema
 include /etc/openldap/schema/redhat/autofs.schema
 #rliu, 12/31/03
 include /etc/openldap/schema/samba.schema

 # Allow LDAPv2 client connections.  This is NOT the default.
 allow bind_v2

 # Do not enable referrals until AFTER you have a working directory
 # service AND an understanding of referrals.
 #referral   ldap://root.openldap.org

 pidfile /var/run/slapd.pid
 #argsfile   //var/run/slapd.args

 # Load dynamic backend modules:
 # modulepath/usr/sbin/openldap
 # moduleloadback_bdb.la
 # moduleloadback_ldap.la
 # moduleloadback_ldbm.la
 # moduleloadback_passwd.la
 # moduleloadback_shell.la

 # The next three lines allow use of TLS for connections using a dummy test
 # certificate, but you should generate a proper certificate by changing to
 # /usr/share/ssl/certs, running make slapd.pem, and fixing permissions on
 # slapd.pem so that the ldap user or group can read it.
 # 

Re: [Samba] Samba-ldap-pdc questions

2004-01-06 Thread Craig White
On Mon, 2004-01-05 at 16:50, Ron Liu wrote:
 Hi, There
 I am setting up Samba(3.0.1-1)-ldap(openldap-2.1.22-8)-pdc on Fedora 1.0.
 I used the RPMs for the installations. After setup, start both smb and ldap
 without problem. However when I tried to add users with smbpasswd -a userid,
 it gave me the following errors. Can someone point me to right direction, is
 there anything I can do to do more test and diagnosis. I've copied the error
 message, and the conf file for samba.conf and slapd.conf
 
 Thank you for your help!
 
 Ron Liu
 Information Technology Consultant
 Biology Department
 San Jose State University
 408-924-4860
 [EMAIL PROTECTED]
 
 
 [EMAIL PROTECTED] openldap]# smbpasswd -a bliu
 New SMB password:
 Retype new SMB password:
 fetch_ldap_pw: neither ldap secret retrieved!
 ldap_connect_system: Failed to retrieve password from secrets.tdb
 Connection to LDAP Server failed for the 1 try!
 smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
 credentials)
 fetch_ldap_pw: neither ldap secret retrieved!
 ldap_connect_system: Failed to retrieve password from secrets.tdb
 Connection to LDAP Server failed for the 1 try!
 smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
 credentials)
 fetch_ldap_pw: neither ldap secret retrieved!
 ldap_connect_system: Failed to retrieve password from secrets.tdb
 Connection to LDAP Server failed for the 1 try!
 ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
 (unknown) (Invalid credentials)
 fetch_ldap_pw: neither ldap secret retrieved!
 ldap_connect_system: Failed to retrieve password from secrets.tdb
 Connection to LDAP Server failed for the 1 try!
 smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
 credentials)
 Failed to add entry for user bliu.
 Failed to modify password entry for user bliu
 
 
 
 #=== Global Settings
 =
 [global]
workgroup = mydomain
netbios name = ts010
encrypt passwords = yes
passdb backend = ldapsam:ldap://localhost/
ldap suffix = o=mydomain,dc=mydomain,dc=com
ldap machine suffix = ou=Comupters
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=tsadmin,dc=mydomain,dc=com
 #   ldap ssl = start tls
ldap delete dn = no
server string = mydomain Samba Server
hosts allow = 10.101.0. 10.101.1. 127.
printcap name = cups
load printers = yes
printing = cups
log file = /var/log/samba/%m.log
max log size = 50
security = user
password level = 8
 ;  username level = 8
smb passwd file = /etc/samba/smbpasswd
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd *all*authentication*tokens*updated*successfully*
 ;  username map = /etc/samba/smbusers
 ;   include = /etc/samba/smb.conf.%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = yes
os level = 33
domain master = yes
preferred master = yes
domain logons = yes
logon script = scripts\logscript.bat
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
 ; name resolve order = wins lmhosts bcast
wins support = yes
dns proxy = no
write list = @tsadmin
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
 [home]
 ...
 *
 my slapd.conf
 
 # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
 #
 # See slapd.conf(5) for details on configuration options.
 # This file should NOT be world readable.
 #
 include /etc/openldap/schema/core.schema
 include /etc/openldap/schema/cosine.schema
 include /etc/openldap/schema/inetorgperson.schema
 include /etc/openldap/schema/nis.schema
 include /etc/openldap/schema/redhat/autofs.schema
 #rliu, 12/31/03
 include /etc/openldap/schema/samba.schema
 
 # Allow LDAPv2 client connections.  This is NOT the default.
 allow bind_v2
 
 # Do not enable referrals until AFTER you have a working directory
 # service AND an understanding of referrals.
 #referral   ldap://root.openldap.org
 
 pidfile /var/run/slapd.pid
 #argsfile   //var/run/slapd.args
 
 # Load dynamic backend modules:
 # modulepath  /usr/sbin/openldap
 # moduleload  back_bdb.la
 # moduleload  back_ldap.la
 # moduleload  back_ldbm.la
 # moduleload  back_passwd.la
 # moduleload  back_shell.la
 
 # The next three lines allow use of TLS for connections using a dummy test
 # certificate, but you should generate a proper certificate by changing to
 # /usr/share/ssl/certs, running make slapd.pem, and fixing permissions on
 # slapd.pem so that the ldap user or group can read it.
 # TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
 # TLSCertificateFile 

Re: [Samba] Samba-ldap-pdc questions

2004-01-06 Thread Craig White
On Mon, 2004-01-05 at 16:50, Ron Liu wrote:

Re: [Samba] Samba-ldap-pdc questions

2004-01-06 Thread Sundaram Ramasamy
You need to set the ldap admin password like this:

smbpasswd -w ldap admin passwd

To create the domain user account, use the smbldap-useradd.pl command.

SR

Re: [Samba] Samba-ldap-pdc questions

2004-01-06 Thread Marc Remolt
You have more than one suffix in slapd.conf - why? The one you use in smb.conf is a 
mixture of the two - that doesn't work. Use one of them - the one under which your 
user data is stored. 

Jesore

 [global]
workgroup = mydomain
netbios name = ts010
encrypt passwords = yes
passdb backend = ldapsam:ldap://localhost/
ldap suffix = o=mydomain,dc=mydomain,dc=com
ldap machine suffix = ou=Comupters
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=tsadmin,dc=mydomain,dc=com
 #   ldap ssl = start tls
ldap delete dn = no


 databaseldbm
 suffix  o=mydomain
 suffix  dc=mydomain,dc=com
 rootdn  cn=tsadmin,dc=mydomain,dc=com
 # Cleartext passwords, especially for the rootdn, should
 # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
 # Use of strong authentication encouraged.
 # rootpwsecret
 rootpw  {SSHA}nzEMEVTSdQYIy3jLsWn4xmQLQI/Cb0Tn
 # The database directory MUST exist prior to running slapd AND
 # should only be accessible by the slapd and slap tools.
 # Mode 700 recommended.
 directory   /var/lib/ldap/
 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
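Sundaram's fix (store the admin DN's password with smbpasswd -w, the secrets.tdb entry the error log says is missing) and Marc's point (the ldap suffix in smb.conf has to be one suffix slapd actually serves, not a concatenation of two) can both be checked before anything is written to secrets.tdb. The script below is an added example, not code from the thread or from Samba. The two config fragments in it are constructed from the values Ron posted (suffix and rootdn quoted, which slapd.conf permits), the function and variable names are mine, and the LDAP URI is read from the posted passdb backend line. The checks run offline; store_and_verify_ldap_secret needs root and a running slapd and is only defined.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: cross-check the ldapsam
# settings in smb.conf against slapd.conf before running "smbpasswd -w".
# The sample configs are constructed from the values Ron Liu posted.
SMB_CONF_BROKEN='[global]
   passdb backend = ldapsam:ldap://localhost/
   ldap suffix = o=mydomain,dc=mydomain,dc=com
   ldap admin dn = cn=tsadmin,dc=mydomain,dc=com
'
# The same file with "ldap suffix" set to a suffix slapd actually serves.
SMB_CONF_FIXED=$(printf '%s' "$SMB_CONF_BROKEN" |
    sed 's/^\( *ldap suffix = \).*/\1dc=mydomain,dc=com/')
SLAPD_CONF='database ldbm
suffix  "o=mydomain"
suffix  "dc=mydomain,dc=com"
rootdn  "cn=tsadmin,dc=mydomain,dc=com"
'
# One smb.conf parameter, matched as smbd matches names: case-insensitive,
# blanks inside the name ignored. Comment lines (# or ;) are skipped.
smb_param() {
    printf '%s\n' "$1" | awk -v key="$2" '
        BEGIN { gsub(/[ \t]/, "", key); key = tolower(key) }
        /^[ \t]*[;#]/ || index($0, "=") == 0 { next }
        {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+/, "", v); gsub(/[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }'
}

# Every value of a slapd.conf directive (quotes stripped), one per line: a
# database may carry several "suffix" lines, as the posted file does.
slapd_directive() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(name) {
            v = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", v)
            gsub(/^"|"$/, "", v); print v
        }'
}

# Lower-case a DN and drop blanks around commas so DNs compare as strings.
dn_norm() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[[:space:]]*,[[:space:]]*/,/g'
}

# Print (normalized) the slapd.conf suffix that DN $1 equals or lies beneath;
# fail when no served suffix covers it.
suffix_of() {
    local dn s
    dn=$(dn_norm "$1")
    while IFS= read -r s; do
        s=$(dn_norm "$s")
        case "$dn" in "$s"|*",$s") printf '%s\n' "$s"; return 0 ;; esac
    done <<EOF
$(slapd_directive "$2" suffix)
EOF
    return 1
}

# Marc Remolt's point: "ldap suffix" must be exactly one suffix slapd serves.
# Gluing two together names an entry that does not exist, so every search fails.
check_ldap_suffix() {
    local want
    want=$(dn_norm "$(smb_param "$1" 'ldap suffix')")
    [ -n "$want" ] || { echo "smb.conf: 'ldap suffix' is not set" >&2; return 1; }
    [ "$(suffix_of "$want" "$2")" = "$want" ] && return 0
    echo "'ldap suffix = $want' is not a suffix in slapd.conf, which serves:" >&2
    slapd_directive "$2" suffix | sed 's/^/    suffix /' >&2
    return 1
}
# The DN smbd binds as (the one "smbpasswd -w" stores a password for) must be
# slapd's rootdn or an entry under a served suffix that the ACLs let write.
check_ldap_admin_dn() {
    local admin rootdn
    admin=$(dn_norm "$(smb_param "$1" 'ldap admin dn')")
    [ -n "$admin" ] || { echo "smb.conf: 'ldap admin dn' is not set" >&2; return 1; }
    rootdn=$(dn_norm "$(slapd_directive "$2" rootdn | head -n 1)")
    [ "$admin" = "$rootdn" ] && return 0
    suffix_of "$admin" "$2" >/dev/null && return 0
    echo "'ldap admin dn = $admin' is neither rootdn nor under a served suffix" >&2
    return 1
}

# Sundaram Ramasamy's fix plus a check: store the admin DN's password in
# secrets.tdb, then prove that DN and password bind and can read the suffix
# smbd will search. Needs root and a live slapd, so defined but not run here.
# smbpasswd -w takes the password as an argument (visible in ps); -W makes ldapsearch prompt.
store_and_verify_ldap_secret() {
    smbpasswd -w "$2" || return 1
    ldapsearch -x -H "$(smb_param "$1" 'passdb backend' | sed 's/^ldapsam://')" \
        -D "$(smb_param "$1" 'ldap admin dn')" -W \
        -b "$(smb_param "$1" 'ldap suffix')" -s base '(objectClass=*)' dn
}
# Offline demo on the constructed configs: the posted file fails, the fix passes.
check_ldap_suffix "$SMB_CONF_BROKEN" "$SLAPD_CONF" || echo "posted smb.conf: fix 'ldap suffix' first"
check_ldap_suffix "$SMB_CONF_FIXED" "$SLAPD_CONF" && check_ldap_admin_dn "$SMB_CONF_FIXED" "$SLAPD_CONF" && echo "corrected smb.conf: OK"
```

Run it as is and the posted smb.conf fails the suffix check while the corrected one passes. On the server, `store_and_verify_ldap_secret "$(cat /etc/samba/smb.conf)" 'the-rootdn-password'` should make ldapsearch return the suffix entry; a bind failure at that point points at the rootpw value in slapd.conf, which slappasswd(8) generates (the comment in the posted slapd.conf says as much). Two things the script does not catch: slapd refuses to add an entry whose parent does not exist, so ou=Users and the machine OU must exist under the suffix before smbpasswd -a can create anything, and the posted `ldap machine suffix` reads `ou=Comupters`, so machine accounts would be looked up under that misspelled OU.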


RE: [Samba] Samba-ldap-pdc questions

2004-01-06 Thread Ron Liu
Thank you all for your help.
1. I do have a netlogon share in smb.conf. The Samba PDC works well if I use
the smbpasswd backend.

I did use:
smbpasswd -w ROOT_DN_PASSWORD to set up the ldap rootdn password.
Also, I used ldappasswd to generate the encrypted rootpw entry for
slapd.conf. Is this necessary?

Thanks
Ron

-Original Message-
From: Craig White [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 11:26 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Samba-ldap-pdc questions


On Mon, 2004-01-05 at 16:50, Ron Liu wrote:

Re: [Samba] Samba-ldap-pdc questions

2004-01-06 Thread Adam Williams
 You have more than one suffix in slapd.conf - why? The one you use in smb.conf is a 
 mixture of the two - that doesn't work. Use one of them - the one under which your 
 user data is stored. 

Multiple suffixes for a single database were supported in OpenLDAP until
very recently (I don't know the exact version), when support was dropped because
'it didn't make sense'. At least that's my understanding of the
situation. Whether or not it makes sense in this person's circumstance is
another issue altogether.




[Samba] Samba-ldap-pdc questions

2004-01-05 Thread Ron Liu
Hi there,
I am setting up Samba(3.0.1-1)-ldap(openldap-2.1.22-8)-pdc on Fedora 1.0.
I used the RPMs for the installations. After setup, both smb and ldap start
without problems. However, when I tried to add users with smbpasswd -a userid,
it gave me the following errors. Can someone point me in the right direction? Is
there anything I can do for more testing and diagnosis? I've copied the error
messages and the conf files, samba.conf and slapd.conf.

Thank you for your help!

Ron Liu
Information Technology Consultant
Biology Department
San Jose State University
408-924-4860
[EMAIL PROTECTED]


[EMAIL PROTECTED] openldap]# smbpasswd -a bliu
New SMB password:
Retype new SMB password:
fetch_ldap_pw: neither ldap secret retrieved!
ldap_connect_system: Failed to retrieve password from secrets.tdb
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
credentials)
fetch_ldap_pw: neither ldap secret retrieved!
ldap_connect_system: Failed to retrieve password from secrets.tdb
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
credentials)
fetch_ldap_pw: neither ldap secret retrieved!
ldap_connect_system: Failed to retrieve password from secrets.tdb
Connection to LDAP Server failed for the 1 try!
ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
(unknown) (Invalid credentials)
fetch_ldap_pw: neither ldap secret retrieved!
ldap_connect_system: Failed to retrieve password from secrets.tdb
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
credentials)
Failed to add entry for user bliu.
Failed to modify password entry for user bliu



#=== Global Settings ===
[global]
   workgroup = mydomain
   netbios name = ts010
   encrypt passwords = yes
   passdb backend = ldapsam:ldap://localhost/
   ldap suffix = o=mydomain,dc=mydomain,dc=com
   ldap machine suffix = ou=Comupters
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap admin dn = cn=tsadmin,dc=mydomain,dc=com
#   ldap ssl = start tls
   ldap delete dn = no
   server string = mydomain Samba Server
   hosts allow = 10.101.0. 10.101.1. 127.
   printcap name = cups
   load printers = yes
   printing = cups
   log file = /var/log/samba/%m.log
   max log size = 50
   security = user
   password level = 8
;  username level = 8
   smb passwd file = /etc/samba/smbpasswd
   unix password sync = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd *all*authentication*tokens*updated*successfully*
;  username map = /etc/samba/smbusers
;   include = /etc/samba/smb.conf.%m
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   local master = yes
   os level = 33
   domain master = yes
   preferred master = yes
   domain logons = yes
   logon script = scripts\logscript.bat
   logon path = \\%L\Profiles\%U
   logon drive = H:
   logon home = \\%L\%U
; name resolve order = wins lmhosts bcast
   wins support = yes
   dns proxy = no
   write list = @tsadmin
   add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
[home]
...
*
my slapd.conf

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
#rliu, 12/31/03
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile /var/run/slapd.pid
#argsfile   //var/run/slapd.args

# Load dynamic backend modules:
# modulepath  /usr/sbin/openldap
# moduleload  back_bdb.la
# moduleload  back_ldap.la
# moduleload  back_ldbm.la
# moduleload  back_passwd.la
# moduleload  back_shell.la

# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running make slapd.pem, and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#