On 5/23/07, Cristian Sandescu <[EMAIL PROTECTED]> wrote:
Hello,
I'm trying to set up an Active Directory on a Samba3 with LDAP.
I followed the directions given at
http://www.debianfordummies.org/wiki/index.php/Samba_Ldap_Howto because
I had never done this before.
Right now I'm running into the following problem (I can't add users to LDAP;
I'm using smbldap-tools):
CLS:/# smbldap-useradd testuser
Error looking for next uid at /usr/share/perl5/smbldap_tools.pm line 1044.
I can't add a workstation to the domain; the logs say:
[2007/05/23 06:16:00, 0] auth/auth_util.c:create_builtin_users(751)
create_builtin_users: Failed to create Users
For the workstations you join to the domain, you need to have a user account
that will be associated with the workstation. This account is used by Kerberos
to build the "principal" for the workstation.
I wonder whether you didn't also have to configure Kerberos. You also need to
run some daemon.
And for Kerberos you also need DNS configured properly (some SRV records).
[2007/05/23 06:16:02, 0] auth/auth_util.c:create_builtin_users(751)
create_builtin_users: Failed to create Users
[2007/05/23 06:16:03, 1] auth/auth_util.c:create_token_from_username(1083)
lookup_name_smbconf for smbpublic failed
[2007/05/23 06:34:51, 0] auth/auth_util.c:create_builtin_users(751)
create_builtin_users: Failed to create Users
[2007/05/23 06:34:54, 0] auth/auth_util.c:create_builtin_users(751)
create_builtin_users: Failed to create Users
Error looking for next uid at /usr/share/perl5/smbldap_tools.pm line 1044.
[2007/05/23 06:34:57, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
_samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "stoshiba$"' gave 1
See what's going on with that script. Run it by hand.
The same thing happens if I try to access a share on the Samba server:
[2007/05/23 06:36:38, 0] passdb/passdb.c:lookup_global_sam_name(598)
User root with invalid SID S-1-5-21-405599704-3249903774-2135862609-500 in passdb
See whether you can run
wbinfo -u
to see what's going on with that SID:
wbinfo --sid-to-name S-1-5-21-405599704-3249903774-2135862609-500
It's very clear to me that something is completely wrong, but I can't figure
out what.
I'd be grateful if someone could help me (including paid consulting for
money/beer/etc., maybe a better tutorial).
Below I've attached snippets from the most relevant config files (I've left
out the PAM configs).
All the best,
Cristian Sandescu
Snip from smb.conf
[global]
workgroup = MYDOMAIN
netbios name = MYDOMAIN
time server = yes
wins support = yes
name resolve order = wins lmhosts bcast host
log file = /var/log/samba/log.%m
security = user
encrypt passwords = true
passdb backend = ldapsam:ldap://ldap.MYDOMAIN.net/
ldap passwd sync = yes
ldap suffix = dc=MYDOMAIN,dc=net
ldap admin dn = cn=admin,dc=MYDOMAIN,dc=net
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = yes
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
obey pam restrictions = yes
; guest account = nobody
; invalid users = root
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
domain logons = yes
logon path = \\%N\profiles\%U
logon drive = M:
logon home = \\%N\%U
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain master = yes
preferred master = yes
local master = yes
domain logons = yes
guest ok = yes
case sensitive = no
hide dot files = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
password server = CLS
preserve case = no
short preserve case = no
default case = lower
load printers = yes
Snip from slapd.conf:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
schemacheck on
loglevel 256
modulepath /usr/lib/ldap
moduleload back_bdb
backend bdb
checkpoint 512 30
database bdb
suffix "dc=MYDOMAIN,dc=net"
rootdn "cn=admin,dc=MYDOMAIN,dc=net"
rootpw {SSHA}parola_criptata
directory "/var/lib/ldap"
lastmod on
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=MYDOMAIN,dc=net" write
by anonymous auth
by self write
by * none
access to dn.base="" by * read
access to *
by dn="cn=admin,dc=MYDOMAIN,dc=net" write
by * read
index sambaSID eq
index sambaPrimaryGroupSID eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
#TLSCertificateFile /etc/ldap/cert/server.csr
#TLSCertificateKeyFile /etc/ldap/cert/server.key
#TLSVerifyClient 0
#startls=yes
Snip from ldap.conf:
BASE dc=MYDOMAIN, dc=net
URI ldap://ldap.MYDOMAIN.net ldap://ldap.MYDOMAIN.com:636
rootdn "cn=admin,dc=MYDOMAIN,dc=net"
rootpw {SSHA}parola_criptata
#TLS_CERT /etc/ldap/cert/client.csr
#TLS_KEY /etc/ldap/cert/client.key
#TLS_REQCERT allow
Snip from smbldap_bind.conf
CLS:/var/log/samba# cat /etc/smbldap-tools/smbldap_bind.conf
masterDN="cn=admin,dc=MYDOMAIN,dc=net"
masterPw="parola_in_clar"
Snip from smbldap.conf
CLS:/var/log/samba# cat /etc/smbldap-tools/smbldap.conf
SID="S-1-5-21-2166458250-4071163207-2971366508" (obtained with net getlocalsid)
slaveLDAP="ldap.MYDOMAIN.net"
slavePort="389"
masterLDAP="ldap.MYDOMAIN.net"
masterPort="389"
ldapTLS="0"
verify="none"
suffix="dc=MYDOMAIN,dc=net"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=CLS,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
userSmbHome="\\CLS\homes\%U"
userProfile="\\CLS\profiles\%U"
userHomeDrive="H:"
mailDomain="MYDOMAIN.net"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
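The two SIDs visible in the thread are worth comparing before anything else: the Samba log reports an account SID under domain S-1-5-21-405599704-3249903774-2135862609, while smbldap.conf carries S-1-5-21-2166458250-4071163207-2971366508, and the sambaUnixIdPooldn names sambaDomainName=CLS while smb.conf's workgroup is MYDOMAIN. The script below is an added example, not code from the thread or from smbldap-tools: it parses the config snippets and log lines quoted above (embedded here as constructed sample input), strips the RID from each SID Samba flags as invalid, and reports every mismatch between the log, smbldap.conf and smb.conf. It only reports inconsistencies; it does not decide which one is the root cause.

```python
import re

# Constructed sample inputs, copied from the snippets quoted in the thread.
SMBLDAP_CONF = '''
SID="S-1-5-21-2166458250-4071163207-2971366508"
suffix="dc=MYDOMAIN,dc=net"
usersdn="ou=Users,${suffix}"
sambaUnixIdPooldn="sambaDomainName=CLS,${suffix}"
'''

SMB_CONF = '''
[global]
workgroup = MYDOMAIN
netbios name = MYDOMAIN
ldap suffix = dc=MYDOMAIN,dc=net
ldap admin dn = cn=admin,dc=MYDOMAIN,dc=net
'''

SAMBA_LOG = '''[2007/05/23 06:36:38, 0] passdb/passdb.c:lookup_global_sam_name(598)
User root with invalid SID S-1-5-21-405599704-3249903774-2135862609-500 in passdb
[2007/05/23 06:34:57, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
_samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "stoshiba$"' gave 1
'''


def parse_smbldap_conf(text):
    """Parse KEY="value" lines and expand ${name} references to earlier keys."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z_]\w*)\s*=\s*"([^"]*)"', line)
        if not m:
            continue
        key, value = m.groups()
        value = re.sub(r'\$\{(\w+)\}', lambda r: conf.get(r.group(1), r.group(0)), value)
        conf[key] = value
    return conf


def parse_smb_conf_global(text):
    """Return the [global] section of an smb.conf as a dict with normalised keys."""
    conf, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ';#':
            continue
        if line.startswith('['):
            section = line.strip('[]').lower()
            continue
        if section == 'global' and '=' in line:
            key, value = line.split('=', 1)
            conf[' '.join(key.lower().split())] = value.strip()
    return conf


def domain_part(sid):
    """Strip the trailing RID: S-1-5-21-a-b-c-rid -> S-1-5-21-a-b-c."""
    parts = sid.split('-')
    return '-'.join(parts[:7]) if len(parts) == 8 else sid


def invalid_sids_in_log(log):
    """Collect the SIDs Samba reports as 'invalid SID ...' in its log."""
    return re.findall(r'invalid SID (S-1-5-21(?:-\d+)+)', log)


def check_sid_consistency(smbldap_conf, log):
    """One finding per logged SID whose domain part differs from the configured SID."""
    configured = smbldap_conf['SID']
    findings = []
    for sid in invalid_sids_in_log(log):
        if domain_part(sid) != configured:
            findings.append(f"log SID {sid} is in domain {domain_part(sid)}, "
                            f"smbldap.conf SID is {configured}")
    return findings


def check_pool_dn(smbldap_conf, smb_global):
    """Flag a sambaUnixIdPooldn whose sambaDomainName differs from the smb.conf workgroup."""
    m = re.match(r'sambaDomainName=([^,]+)', smbldap_conf.get('sambaUnixIdPooldn', ''))
    pool_domain = m.group(1) if m else None
    workgroup = smb_global.get('workgroup', '')
    if pool_domain is None or pool_domain.upper() != workgroup.upper():
        return [f"sambaUnixIdPooldn names domain {pool_domain!r}, "
                f"smb.conf workgroup is {workgroup!r}"]
    return []


def check_suffix(smbldap_conf, smb_global):
    """Flag a suffix mismatch between smbldap.conf and smb.conf (spaces ignored)."""
    a = smbldap_conf.get('suffix', '').replace(' ', '').lower()
    b = smb_global.get('ldap suffix', '').replace(' ', '').lower()
    return [] if a == b else [f"suffix {a!r} != ldap suffix {b!r}"]


def run_checks(smbldap_text=SMBLDAP_CONF, smb_text=SMB_CONF, log=SAMBA_LOG):
    """Run every consistency check and return the list of findings."""
    smbldap_conf = parse_smbldap_conf(smbldap_text)
    smb_global = parse_smb_conf_global(smb_text)
    return (check_sid_consistency(smbldap_conf, log)
            + check_pool_dn(smbldap_conf, smb_global)
            + check_suffix(smbldap_conf, smb_global))


if __name__ == "__main__":
    for finding in run_checks():
        print("MISMATCH:", finding)
```

Run against the thread's own values it prints two mismatches (the domain SID and the pool DN) and no suffix mismatch; a practitioner would feed it the real /etc/smbldap-tools/smbldap.conf, /etc/samba/smb.conf and log.* files instead of the embedded strings.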
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug