Hi,
Could somebody help me out here? I have samba-3.02a and openldap-2.1.25 on Mandrake 10 and I'm trying to set up a PDC. This is what I've done so far:
1. configured LDAP for both server and client, that is slapd.conf, ldap.conf and ldap.secret
2. edited pam.d/samba
3. edited nsswitch.conf
4. configured samba - smb.conf
5. added the ldap password to secrets.tdb
6. configured smbldap-tools using the configure.pl script ( smbldap.conf and smbldap_bind.conf)
7. populated the ldap db using the smbldap-populate script


Everything works OK up to this point, but when I try to use the net tools to manage groups I get these errors:

[EMAIL PROTECTED] root]# net groupmap modify ntgroup="Administrators" unixgroup="domadmin"
[2004/05/06 09:25:14, 0] passdb/pdb_ldap.c:ldapsam_update_group_mapping_entry(2015)
ldapsam_update_group_mapping_entry: No group to modify!
Could not update group database
[EMAIL PROTECTED] root]# net groupmap add rid=513 unixgroup="users" type=domain ntgroup="Domain Users"
adding entry for group Domain Users failed!


I get this when I do a net groupmap list:
Domain Admins (S-1-5-21-405122049-3903294769-2376448101-512) -> Domain Admins
users (S-1-5-21-405122049-3903294769-2376448101-545) -> Domain Users
Domain Guests (S-1-5-21-405122049-3903294769-2376448101-514) -> Domain Guests
Administrators (S-1-5-21-405122049-3903294769-2376448101-544) -> Administrators
users (S-1-5-21-405122049-3903294769-2376448101-545) -> Users
Guests (S-1-5-21-405122049-3903294769-2376448101-546) -> Guests
Power Users (S-1-5-21-405122049-3903294769-2376448101-547) -> Power Users
Account Operators (S-1-5-21-405122049-3903294769-2376448101-548) -> Account Operators
Server Operators (S-1-5-21-405122049-3903294769-2376448101-549) -> Server Operators
Print Operators (S-1-5-21-405122049-3903294769-2376448101-550) -> Print Operators
Backup Operators (S-1-5-21-405122049-3903294769-2376448101-551) -> Backup Operators
Replicator (S-1-5-21-405122049-3903294769-2376448101-552) -> Replicator
Domain Computers (S-1-5-21-405122049-3903294769-2376448101-553) -> Domain Computers


I did some basic testing and got the following:
[EMAIL PROTECTED] root]# smbclient -L localhost -U%
Domain=[NIJACOL] OS=[Unix] Server=[Samba 3.0.2a]

       Sharename      Type      Comment
       ---------      ----      -------
       netlogon         Disk     Network Logon Service
       print$             Disk
       pdf-generator  Printer  PDF Generator (only valid users)
       public            Disk      Repertoire public
       IPC$              IPC       IPC Service (Samba Server 3.0.2a)
       ADMIN$       IPC       IPC Service (Samba Server 3.0.2a)
Domain=[NIJACOL] OS=[Unix] Server=[Samba 3.0.2a]

       Server                              Comment
       ---------                             -------
       ADMIN-DEPT-DSL       Admin Department, DSL
       EC13                            Scanner_Color Printer
       EC6
       PDC                             Samba Server 3.0.2a
       SERVER2

       Workgroup            Master
       ---------                  -------
       NIJACOL              PDC
       SUSE                    MAIL

[EMAIL PROTECTED] root]# smbclient3 '\\PDC\printer$' -U Administrator
Password:
tree connect failed: Call returned zero bytes (EOF)

Here are my configuration files:

*/etc/ldap.conf file*
# nss_ldap / pam_ldap client settings: directory server and search base for all lookups.
host pdc.nijacol.net
base dc=nijacol,dc=net

# DN used for privileged (root) lookups; its password is read from /etc/ldap.secret
# (step 1 above), which must stay readable by root only.
rootbinddn cn=root,dc=nijacol,dc=net
scope one
# pam_ldap: only posixAccount entries may authenticate, and uid is the login attribute.
pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_member_attribute gid
# Hash applied when pam_ldap writes a changed userPassword (presumably; confirm against pam_ldap docs).
pam_password md5
# Per-map search bases; "?one" searches one level below the ou.
# "ou=people" vs "ou=People": DN matching is normally case-insensitive for ou, but a
# uniform spelling avoids surprises if a stricter matching rule is ever in play.
nss_base_passwd         ou=people,dc=nijacol,dc=net?one
nss_base_shadow         ou=People,dc=nijacol,dc=net?one
nss_base_group          ou=Groups,dc=nijacol,dc=net?one
nss_base_hosts          ou=Hosts,dc=nijacol,dc=net?one
# No TLS: binds, including the rootbinddn password, cross the wire in clear unless
# pdc.nijacol.net resolves to this very host.
ssl off

*/etc/openldap/slapd.conf file*
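# Schema files; samba.schema comes from the samba-doc package and supplies the
# samba* attributes referenced by the ACLs in slapd.access.conf.
include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
include /usr/share/openldap/schema/corba.schema
include /usr/share/openldap/schema/inetorgperson.schema
include /usr/share/openldap/schema/misc.schema
include /usr/share/openldap/schema/nis.schema
include /usr/share/openldap/schema/openldap.schema
include /usr/share/doc/samba-doc-3.0.2a/examples/LDAP/samba.schema

# Define global ACLs to disable default read access.
# (Access control lives in the separate file slapd.access.conf.)
include         /etc/openldap/slapd.access.conf
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/ldap/slapd.pid
argsfile        /var/run/ldap/slapd.args

modulepath      /usr/lib/openldap
# ldbm database definitions
database        ldbm
suffix          "dc=nijacol,dc=net"
# The rootdn bypasses the ACLs entirely; it is also the DN that Samba (ldap admin dn),
# nss_ldap (rootbinddn) and smbldap-tools bind with.
rootdn          "cn=root,dc=nijacol,dc=net"
# NOTE(review): {MD5} is an unsalted hash; slappasswd's default {SSHA} is the stronger
# choice. This hash has been published with this message, so treat the password as exposed.
rootpw          {MD5}G8u9oftfrVzk7wt0OLaffQ==
directory       /var/lib/ldap
# Indices to maintain
index   objectClass,uid,uidNumber,gidNumber     eq
index   cn,mail,surname,givenname               eq,subinitial
# logging
# 256 = stats: connections, operations and results
loglevel 256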

*/etc/openldap/slapd.access.conf file*
# Basic ACL
# slapd evaluates access directives in order: the first <what> clause that matches
# an entry/attribute decides, so the narrow rules must come before the catch-all.
# Password and Samba credential attributes: admin and the entry itself may write,
# anyone may use them to bind (auth), nobody else may read them.
access to dn=".*,dc=nijacol,dc=net" attr=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
by dn="cn=root,dc=nijacol,dc=net" write
by self write
by anonymous auth
by * none


# POSIX account/group attributes: admin writes, everyone including anonymous reads,
# which nss_ldap lookups from unprivileged processes rely on.
# "attrs=" here vs "attr=" elsewhere: both spellings are accepted by slapd, but one
# form throughout is easier to audit.
access to dn=".*,dc=nijacol,dc=net" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
by dn="cn=root,dc=nijacol,dc=net" write
by * read


# Users may update their own mail attribute.
access to dn=".*,dc=nijacol,dc=net" attr=mail
       by dn="cn=root,dc=nijacol,dc=net" write
       by self write
       by * read

# Every remaining attribute of a People entry (e.g. shadow fields, Samba SID/flags)
# is world-readable. Because this rule matches People entries first, the
# "by self write" of the catch-all below never applies to them.
access to dn=".*,ou=People,dc=nijacol,dc=net"
       by * read

# Catch-all for the rest of the tree (groups, computers, ...).
access to dn=".*,dc=nijacol,dc=net"
       by self write
       by * read

*/etc/samba/smb.conf file*
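[global]
# (An incomplete duplicate [global] block that preceded this one in the posting
# has been dropped; every setting below appeared in the complete copy.)

# Identity: domain/workgroup and NetBIOS name of this server.
workgroup = nijacol
netbios name = pdc
# Empty value: Samba uses its default interface list; "hosts allow" below still limits clients.
interfaces =
#username map = /etc/samba/smbusers
server string = Samba Server %v
security = user
encrypt passwords = Yes
min passwd length = 5
obey pam restrictions = No
# Unix password change driven by "unix password sync"; the chat has to match the
# prompts printed by /usr/bin/passwd on this host.
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
ldap passwd sync = Yes
unix password sync = Yes
# 0 = errors only; raise temporarily while tracing the ldapsam group-mapping errors.
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
# NOTE(review): presumably unused now that "passdb backend" below is ldapsam.
smb passwd file = /etc/samba/smbpasswd
# Only loopback and the listed 192.168.x networks may connect.
hosts allow = 127.0.0.1 192.168.1 192.168.0 192.168.3
wins support = Yes
dns proxy = No

# Domain logon settings
logon script = %U.bat
logon path = \\%L\Profiles\%U
logon drive = X:

domain logons = Yes
domain master = Yes
os level = 85
# "prefered master" is the spelling Samba accepts as an alias of "preferred master".
prefered master = yes
local master = Yes
# (a second, identical "wins support = Yes" was removed; it is set once above)

# Winbind / idmap ranges
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = Yes
winbind enum groups = Yes

# LDAP passdb; the password for "ldap admin dn" is held in secrets.tdb (step 5 above).
passdb backend = ldapsam:ldap://localhost:389
ldap admin dn = cn=root,dc=nijacol,dc=net
ldap suffix = dc=nijacol,dc=net
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
# NOTE(review): idmap entries are written under ou=People here; confirm this is intended
# rather than a dedicated ou for idmap data.
ldap idmap suffix = ou=People
# Plain LDAP: the admin-dn bind is unencrypted, but it only travels over loopback.
ldap ssl = No

# Account management delegated to smbldap-tools; Samba runs these scripts as root.
add user script = /usr/local/sbin/smbldap-useradd.pl -m '%u'
# delete user script = /usr/local/sbin/smbldap-userdel.pl %u
add group script = /usr/local/sbin/smbldap-groupadd.pl -p '%g'
#delete group script = /usr/local/sbin/smbldap-groupdel.pl '%g'
add user to group script = /usr/local/sbin/smbldap-groupmod.pl -m '%g' '%u'
delete user from group script = /usr/local/sbin/smbldap-groupmod.pl -x '%g' '%u'
set primary group script = /usr/local/sbin/smbldap-usermod.pl -g '%g' '%u'
add machine script = /usr/local/sbin/smbldap-useradd.pl -w '%u'


#printer configuration
printer admin = @"Print Operators"
load printers = Yes
create mask = 0640
directory mask = 0750
nt acl support = No
printing = cups
printcap name = cups
# NOTE(review): "deadtime" takes a number of minutes; "cups" is not a valid value and
# presumably parses as 0 (the default, no idle disconnect). Left for the author to fix.
deadtime = cups
# Unknown user names are mapped to the guest account; bad passwords for known users are rejected.
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/initrd
show add printer wizard = Yes
preserve case = Yes
short preserve case = Yes
case sensitive = No

#============================ Share Definitions ==============================
[homes]
comment = Home Directories
read only = No
create mask = 0644
directory mask = 0775
browseable = no
writable = yes


# Logon scripts served from here run on every client at logon: read-only for clients,
# and the directory itself should be writable by root only.
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no

[Profiles]
path = /var/lib/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
browseable = No
# "valid users" below restricts the share to the profile owner and Domain Admins,
# so "guest ok" presumably has no practical effect here.
guest ok = Yes
profile acls = Yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
# next line allows administrator to access all profiles
valid users = %U "Domain Admins"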

*/etc/samba/smbldap file*
# smbldap-tools settings. The "$var" interpolation and trailing ";" near the end look like
# Perl syntax, in which "\\" inside double quotes is a single backslash — confirm.
# UID and GID starting at...
UID_START="1000"
GID_START="1000"
# Domain SID; must match the SID Samba reports (it matches the net groupmap list output above).
SID="S-1-5-21-405122049-3903294769-2376448101"
# Slave (read) and master (write) directory servers; both are the local slapd here.
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
# 0 = no TLS; the bind password from smbldap_bind.conf is sent in clear (loopback only here).
ldapTLS="0"
suffix="dc=nijacol,dc=net"
usersdn="ou=People,dc=nijacol,dc=net"
computersdn="ou=Computers,dc=nijacol,dc=net"
groupsdn="ou=Groups,dc=nijacol,dc=net"
scope="sub"
# NOTE(review): userPassword values are hashed with unsalted MD5; a salted scheme
# such as SSHA is the stronger option where the tools and slapd support it.
hash_encrypt="MD5"
# Defaults for newly created POSIX accounts
userLoginShell="/bin/bash"
userHomePrefix="/home/"
userGecos="System User"
# presumably the gidNumbers of "Domain Users" (513) and "Domain Computers" (553)
# as created by smbldap-populate — verify with getent group
defaultUserGid="513"
defaultComputerGid="553"
skeletonDir="/etc/skel"
# presumably days — confirm against the tools' documentation
defaultMaxPasswordAge="45"
# Samba home share, profile path and home drive for new users
userSmbHome="\\pdc\\home"
userProfile=""
userHomeDrive="X:"
# presumably 0 = do not call smbpasswd, build the NT/LM hashes with mk_ntpasswd instead
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
mk_ntpasswd="/usr/local/sbin/mkntpwd"
# URIs assembled from the host/port settings above
slaveURI="ldap://$slaveLDAP:$slavePort";
masterURI="ldap://$masterLDAP:$masterPort";
ldap_path="/usr/bin"

*/etc/smbldap-tools/smbldap_bind.conf file*
# Bind credentials smbldap-tools uses for the slave (read) and master (write) servers.
# Both are the directory rootdn, which bypasses the slapd ACLs, so this file must be
# readable by root only (mode 0600).
# NOTE(review): the password is stored in cleartext and was published with this message;
# it should be changed here and in the rootpw of slapd.conf.
slaveDN="cn=root,dc=nijacol,dc=net"
slavePw="nethawk"
masterDN="cn=root,dc=nijacol,dc=net"
masterPw="nethawk"

One other thing: apart from the pam.d/samba file, do I have to edit the pam.d/sys-auth file to include the pam_ldap.so module? When I do that, I find that LDAP dies on me and I can log on to the box.

Thanks in advance for any help.

Asky

