Here we go again!

El Jueves 19 Febrero 2004 12:59, Carlos García Recio escribió:
> Here we go!
>
> El Jueves 19 Febrero 2004 12:39, Jérôme Tournier escribió:
> > Le Thu, Feb 19, 2004 at 12:07:49PM +0100, Carlos García Recio a ecrit:
> > > samba 3.0.2
> > > smbldap-tools 0.8.4
> > > RH 9
> > > nss_ldap configured
> > > pam_ldap NOT configured
> > > LDAP passwd backend
> > > winxp pro domain member
> >
> > Can you also send us your smbldap-tools configuration files, and also
> > samba and openldap (?) one ?
> > thx
> > --
> > Jérôme
# /etc/nsswitch.conf
# NOTE(review): "shadow" is resolved from files only, so UNIX password checks
# for LDAP users never reach the directory; with pam_ldap not configured (as
# stated earlier in the thread) these accounts are authenticated by Samba alone,
# through the sambaNTPassword/sambaLMPassword attributes.
passwd: files ldap
shadow: files
group: files ldap

# /etc/samba/smb.conf
[global]
# NOTE(review): passdb:5 / auth:5 / winbind:10 are debugging levels; they write
# account names and authentication details into the Samba logs. Drop them back
# once the problem is solved and keep the log directory non-world-readable
# meanwhile.
log level = 1 passdb:5 auth:5 winbind:10

# NetBIOS name of the machine and of the domain
netbios name = testPDC
workgroup = test

# Account backend definition
passdb backend = ldapsam:ldap://localhost:389
# NOTE(review): this is slapd's rootdn, so Samba binds with a password that
# bypasses every LDAP ACL. A dedicated bind DN granted write access only to the
# sambaSamAccount attributes would be the least-privilege choice.
ldap admin dn = "cn=Manager,o=senado.es"
# NOTE(review): the bind password travels in clear. Acceptable only while the
# directory stays on localhost:389 as configured here; if slapd ever listens on
# a network interface this must become "start tls" (and slapd needs the TLS
# directives that are commented out in its slapd.conf).
ldap ssl = off
; When deleting a user from the domain I only want
; to remove the Samba attributes, but not delete
; the LDAP entry itself.
ldap suffix = o=senado.es
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
add user script = /usr/local/sbin/smbldap-useradd "%u"
ldap delete dn = no
#delete user script = /usr/local/sbin/smbldap-userdel "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/local/sbin/smbldap-groupdel "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"

# UID/GID mapping for the UNIX machines in the domain
idmap backend = ldap:ldap://localhost:389
ldap idmap suffix = ou=Idmap

; Try to keep the LDAP password in sync with the NT password
; NOTE(review): with "no", a password change from Windows updates only the
; sambaNTPassword/sambaLMPassword attributes; userPassword (the {SSHA} value
; in the LDIF below) is left as it was and the two will drift apart.
ldap passwd sync = no
;username map = /etc/samba/smbusers

# PDC role
security = user
encrypt passwords = yes
os level = 255
preferred master = yes
domain master = yes
local master = yes
wins support = yes
domain logons = yes

# Make profiles local (empty values disable roaming profiles and logon scripts)
logon path =
logon home =
logon drive =
logon script =

# Share required for users to log on to the domain
[netlogon]
path = /home/samba/netlogon
read only = yes

# slapd.conf (path not given in the post; the schema includes point at
# /etc/openldap/)
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema

#########
# SAMBA #
#########
# NOTE(review): the schema is taken from the samba-3.0.2a documentation
# directory while the thread reports samba 3.0.2; keep the schema file in step
# with the Samba build that is actually installed.
include /usr/share/doc/samba-3.0.2a/examples/LDAP/samba.schema

# Define global ACLs to disable default read access.
# NOTE(review): no "access to" directive is active anywhere in this file, so
# the default described at the bottom of this block applies: every attribute,
# including userPassword, sambaLMPassword and sambaNTPassword, is readable by
# an anonymous bind. The NT/LM hashes are password-equivalent for SMB, so this
# is the most important finding in the posted configuration. A minimal fix:
#   access to attrs=userPassword,sambaLMPassword,sambaNTPassword
#       by self write
#       by * auth
#   access to *
#       by * read
# Samba itself binds as the rootdn and is therefore unaffected by the ACL.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

#pidfile //var/run/slapd.pid
#argsfile //var/run/slapd.args

# Create a replication log in /var/lib/ldap for use by slurpd.
#replogfile /var/lib/ldap/master-slapd.replog

# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

#
# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
# NOTE(review): TLS is disabled here and on both clients ("ldap ssl = off" in
# smb.conf, ldapTLS="0" in smbldap.conf). That is consistent for a
# loopback-only directory, but nothing protects the Manager password or the
# hashes if slapd is ever bound to a network interface.
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt

#
# Sample Access Control
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default is:
# Allow read by all
#
# rootdn can always write!
#######################################################################
# ldbm database definitions
#######################################################################

loglevel 256

database ldbm
#suffix "dc=my-domain,dc=com"
suffix "o=senado.es"
rootdn "cn=Manager,o=senado.es"
#rootdn "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# NOTE(review): the rootdn password is stored in clear, is the literal word
# "secret", is repeated in smbldap.conf (slavePw/masterPw) and has now been
# posted to a public list. Change it, store it as a slappasswd(8) hash in the
# form shown on the commented line below, and keep this file mode 0600.
rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
# Replicas to which we should propagate changes
#replica host=ldap-1.example.com:389 tls=yes
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/[EMAIL PROTECTED]
# ("[EMAIL PROTECTED]" is most likely the list archive's address scrubbing,
# not the original text.)

# smbldap.conf (smbldap-tools 0.8.4 per the thread; path not given in the post)
# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.6 2004/02/07 16:58:52 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
# This code was developed by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

# Purpose :
#       . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# UID and GID starting at...
# NOTE(review): this only governs accounts created by the smbldap-* scripts;
# the Administrador entry in the LDIF below carries uidNumber/gidNumber 0
# regardless.
UID_START="1000"
GID_START="1000"

# Put your own SID
# to obtain this number do: net getlocalsid
# (The domain SID is not a secret; publishing it is harmless.)
SID="S-1-5-21-2056510298-3027076148-852687323"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use the dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two server declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# .
# one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Ex: slaveLDAP=127.0.0.1
slaveLDAP="127.0.0.1"
slavePort="389"

# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="127.0.0.1"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also use port 389)
# NOTE(review): with ldapTLS="0" the verify/cafile/clientcert/clientkey
# settings below are inert and the Manager credentials from the credential
# section go over the wire in clear. Fine for 127.0.0.1, not for anything else.
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="o=senado.es"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
usersdn="ou=People,o=senado.es"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
computersdn="ou=Computers,o=senado.es"

# Where are stored Groups
# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
groupsdn="ou=Groups,o=senado.es"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
# (Consistent with the {SSHA} userPassword seen in the LDIF below.)
hash_encrypt="SSHA"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
# (/bin/false keeps the LDAP accounts, which nss_ldap makes visible to the
# system, from logging in interactively.)
userLoginShell="/bin/false"

# Home directory prefix (without username)
# Ex: userHomePrefix="/home/"
# NOTE(review): /tmp is world-writable and typically cleaned on reboot; new
# users' home directories would be created there (the Administrador entry
# below already has homeDirectory /tmp). Presumably a test setting — confirm
# before this goes anywhere near production.
userHomePrefix="/tmp"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="553"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days). Comment the next line if
# you don't want passwords to expire after defaultMaxPasswordAge days (be
# careful with the sambaPwdMustChange attribute's value)
# NOTE(review): left commented, which matches the sambaPwdMustChange value
# 2147483647 ("never") on every account in the LDIF below.
#defaultMaxPasswordAge="55"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location without the username last extension
# (will be dynamically prepended)
# Ex: \\My-PDC-netbios-name\homes
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disabling roaming profiles
userSmbHome=""

# The UNC path to profiles locations without the username last extension
# (will be dynamically prepended)
# Ex: \\My-PDC-netbios-name\profiles\
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disabling roaming profiles
userProfile=""

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exists)
# Ex: q(U:) for U:
userHomeDrive=""

# The default user netlogon script name
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
userScript=""

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer mkntpwd...
# most of the time, it's a wise choice :-)
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
mk_ntpasswd="/usr/local/sbin/mkntpwd"

############################
# Credential Configuration #
############################
# Notes: you can specify two different configurations if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
# NOTE(review): these are the slapd rootdn and its cleartext password (the
# same "secret" as rootpw in slapd.conf). The smbldap-* scripts are invoked
# from Samba's add user/machine/group scripts, so this file must be owned by
# root with mode 0600; since the value has been posted publicly it needs to
# be changed in both files at once.
slaveDN="cn=Manager,o=senado.es"
slavePw="secret"
masterDN="cn=Manager,o=senado.es"
masterPw="secret"

# Directory content (LDIF) as posted.
# NOTE(review): this dump contains live secrets — the SSHA userPassword of the
# domain administrator, the LM/NT hashes of the administrator and of the
# winxp$ machine account. Having been sent to a public list, the administrator
# password should be changed and the workstation re-joined to the domain so
# that its machine password is regenerated.

dn: o=senado.es
# NOTE(review): "objectClass: organization" appears twice; ldapadd normally
# refuses an entry that supplies the same attribute value twice, so this is
# probably a paste artifact rather than what the directory holds.
objectClass: organization
objectClass: organization
objectClass: top
o: senado.es

dn: ou=People,o=senado.es
objectClass: organizationalUnit
ou: People

dn: ou=Groups,o=senado.es
objectClass: organizationalUnit
ou: Groups

dn: ou=Computers,o=senado.es
objectClass: organizationalUnit
ou: Computers

# Domain administrator.
# NOTE(review): uidNumber 0 / gidNumber 0 map this Samba account to the UNIX
# root user and group on the PDC, so every SMB session authenticated with the
# NT hash below runs file operations as root. If that is not intended, give
# the account a non-zero uidNumber and grant domain-admin rights through the
# Administradores group (RID 512) instead.
# NOTE(review): the second half of the LM hash (AAD3B435B51404EE) is the
# well-known value for an empty 7-byte block, i.e. the password is at most
# seven characters; with LM authentication enabled that hash is the weak link.
# Set "lanman auth = no" in smb.conf and choose a longer password.
# (sambaAcctFlags is normally padded to a fixed width; the whitespace was
# collapsed by the mail client.)
dn: uid=Administrador,ou=People,o=senado.es
sambaPwdLastSet: 1077009096
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 1077009096
sambaPwdMustChange: 2147483647
sambaLMPassword: F0D412BD764FFE81AAD3B435B51404EE
sambaNTPassword: 209C6174DA490CAEB422F3FA5A7AE634
sambaAcctFlags: [U ]
loginShell: /bin/false
gecos: Netbios Domain Administrator
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
homeDirectory: /tmp
sambaPrimaryGroupSID: S-1-5-21-2056510298-3027076148-852687323-512
userPassword: {SSHA}tsGSr9yQRsPT1cRjBGBCPWqbEGO/EtHR
sn: Administrador
cn: Administrador
displayName: Administrador
uid: Administrador
sambaSID: S-1-5-21-2056510298-3027076148-852687323-1000
uidNumber: 0
gidNumber: 0

# Guest account. The "N" flag means no password is required and the hash
# fields hold the NO PASSWORD marker; /dev/null home and /bin/false shell keep
# it off the UNIX side.
# NOTE(review): uidNumber 501 and gidNumber 99 are in the range Red Hat uses
# for local users/groups — check /etc/passwd and /etc/group for a clash, since
# nss_ldap merges this entry into the system's view.
dn: uid=Invitado,ou=People,o=senado.es
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NU ]
loginShell: /bin/false
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
sambaPrimaryGroupSID: S-1-5-21-2056510298-3027076148-852687323-514
sambaSID: S-1-5-21-2056510298-3027076148-852687323-501
uidNumber: 501
gidNumber: 99
sn: Invitado
cn: Invitado
displayName: Invitado
uid: Invitado

# Domain Users (RID 513) — the defaultUserGid in smbldap.conf.
dn: cn=usuarios,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
sambaGroupType: 2
displayName: Usuarios del Dominio
sambaSID: S-1-5-21-2056510298-3027076148-852687323-513
cn: usuarios
description: Usuarios del domio NetBios

# Domain Guests (RID 514); shares gidNumber 99 with the guest user above.
# (The DN says "invitados" and the cn value "Invitados"; cn matching is
# case-insensitive, so this is harmless.)
dn: cn=invitados,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-2056510298-3027076148-852687323-514
gidNumber: 99
cn: Invitados
displayName: Invitados
memberUid: Invitado
description: Usuarios invitados del dominio NetBios

# Built-in operator groups (RIDs 547-552); none has members yet.
dn: cn=Usuarios Avanzados,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 547
description: Netbios Domain Members can share directories and printers
sambaGroupType: 2
cn: Usuarios Avanzados
displayName: Usuarios Avanzados
sambaSID: S-1-5-21-2056510298-3027076148-852687323-547

dn: cn=Operadores de Cuenta,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
description: Netbios Domain Users to manipulate users accounts
sambaGroupType: 2
cn: Operadores de Cuenta
sambaSID: S-1-5-21-2056510298-3027076148-852687323-548
displayName: Operadores de Cuenta

dn: cn=Operadores de Servidor,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 549
description: Netbios Domain Server Operators
sambaGroupType: 2
cn: Operadores de Servidor
sambaSID: S-1-5-21-2056510298-3027076148-852687323-549
displayName: Operadores de Servidor

dn: cn=Operadores de Impresion,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
description: Netbios Domain Print Operators
sambaGroupType: 2
cn: Operadores de Impresion
sambaSID: S-1-5-21-2056510298-3027076148-852687323-550
displayName: Operadores de Impresion

dn: cn=Operadores de Copia de Seguridad,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
description: Netbios Domain Members can bypass file security to back up files
sambaGroupType: 2
cn: Operadores de Copia de Seguridad
sambaSID: S-1-5-21-2056510298-3027076148-852687323-551
displayName: Operadores de Copia de Seguridad

dn: cn=Replicador,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
description: Netbios Domain Supports file replication in a sambaDomainName
sambaGroupType: 2
cn: Replicador
displayName: Replicador
sambaSID: S-1-5-21-2056510298-3027076148-852687323-552

# Domain Computers (RID 553) — the defaultComputerGid in smbldap.conf.
dn: cn=maquinas,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 553
sambaGroupType: 2
displayName: Maquinas del Dominio
sambaSID: S-1-5-21-2056510298-3027076148-852687323-553
cn: maquinas
description: Cuentas de maquinas del dominio NetBios

# Domain object; the SID matches SID= in smbldap.conf.
dn: sambaDomainName=TEST,o=senado.es
sambaDomainName: TEST
sambaSID: S-1-5-21-2056510298-3027076148-852687323
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain

# Machine (trust) account for the XP workstation; "W" flag.
# NOTE(review): the LM/NT hashes here are the machine password and are now
# public — re-join the workstation so a new one is generated.
dn: uid=winxp$,ou=Computers,o=senado.es
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
cn: winxp$
uid: winxp$
gidNumber: 553
homeDirectory: /tmp
sambaPwdMustChange: 2147483647
sambaAcctFlags: [W ]
sambaPrimaryGroupSID: S-1-5-21-2056510298-3027076148-852687323-553
uidNumber: 4000
sambaSID: S-1-5-21-2056510298-3027076148-852687323-4000
sambaPwdCanChange: 1077105563
sambaLMPassword: A0EE4F6FCC250B20D355D7E01D42A574
sambaNTPassword: 312CDD18F95A1C6E4F803F5EB122FF06
sambaPwdLastSet: 1077105563

# Domain Admins (RID 512). Its gidNumber follows on the next line of the post
# and is 0, i.e. the UNIX root group.
dn: cn=Administradores,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Administrators
sambaSID: S-1-5-21-2056510298-3027076148-852687323-512
sambaGroupType: 2
cn: Administradores
displayName: Administradores
memberUid: Administrador
gidNumber: 0

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba