Hi!
Try this:
In /etc/ldap.conf:
scope sub (uncomment it).
In:
    nss_base_passwd ou=Users,dc=wbcoll,dc=edu?one
    nss_base_shadow ou=Users,dc=wbcoll,dc=edu?one
    nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
Try:
    nss_base_passwd dc=wbcoll,dc=edu?sub
    nss_base_shadow dc=wbcoll,dc=edu?sub
    nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
Not sure right now, but I have a /etc/libnss-ldap.conf, I made the same modifications to it.
With this you can keep your computers in another ou. I did something different:
    nss_base_passwd ou=Accounts,dc=merkurio,dc=int?sub
    nss_base_shadow ou=Accounts,dc=merkurio,dc=int?sub
    nss_base_group ou=Groups,dc=merkurio,dc=int?one
And under Accounts (ou=People,ou=Accounts,....) I created the users, and under ou=Computers,ou=Accounts, I pointed to the machines suffix in the smb.conf (my smb.conf), but it is somewhat tricky to get it to work with smbldap-populate.
    [global]
    workgroup = MERKURIO.INT
    interfaces = eth0, lo
    bind interfaces only = Yes
    min passwd length = 7
    passdb backend = ldapsam:ldap://ldap.merkurio.int
    client NTLMv2 auth = Yes
    client lanman auth = No
    client plaintext auth = No
    min protocol = LANMAN2
    time server = Yes
    server signing = auto
    add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
    domain logons = Yes
    os level = 40
    preferred master = Yes
    domain master = Yes
    ldap suffix = dc=merkurio,dc=int
    ldap machine suffix = ou=Computers,ou=Accounts
    ldap user suffix = ou=People,ou=Accounts
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=admin,dc=merkurio,dc=int
    ldap ssl = start tls
    ldap passwd sync = Yes
    ldap delete dn = Yes

    [netlogon]
    path = /var/lib/samba/netlogon
    browseable = No

    [homes]
    read only = No
    browseable = No

    [cosa]
    path = /home/ftp/

    [profile]
    path = /samba/profile
    read only = No
    profile acls = Yes
    browseable = No
The TLS requires that the cert is correctly emitted (i.e., the host name should match the cert's CN). I haven't tested this config completely (I need to test the password change from win workstations).
Hope this helped,
Sincerely,
Ildefonso Camargo
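
The difference between the `?one` and `?sub` search bases suggested above, as an added example that is not part of the original post: it applies LDAP scope rules to two constructed DNs (the entry names `jdoe` and `winxp$` are assumptions) and returns which ones each `nss_base_passwd` line can resolve.

```python
# Added example: which entries an nss_base_* search base can see.
# Simplifying assumption: DNs contain no escaped commas.

def parse_nss_base(line, default_scope="sub"):
    """Split 'nss_base_<map> <base>?<scope>' into (map, base, scope).

    default_scope stands in for the global 'scope' line in /etc/ldap.conf.
    """
    key, value = line.split(None, 1)
    parts = value.strip().split("?")          # base?scope?filter
    scope = parts[1] if len(parts) > 1 and parts[1] else default_scope
    return key[len("nss_base_"):], parts[0], scope


def rdns(dn):
    """Lower-cased list of RDNs, leaf first."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def in_scope(entry_dn, base_dn, scope):
    """base = the base entry only, one = direct children only,
    sub = the base entry and everything below it."""
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown scope: " + scope)
    entry, base = rdns(entry_dn), rdns(base_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:
        return False                          # not under this base at all
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def visible(entries, nss_base_line):
    """Entries that a lookup through this nss_base_* line would find."""
    _, base, scope = parse_nss_base(nss_base_line)
    return [dn for dn in entries if in_scope(dn, base, scope)]


# Constructed sample entries (not taken from a real directory).
ENTRIES = [
    "uid=jdoe,ou=Users,dc=wbcoll,dc=edu",
    "uid=winxp$,ou=Computers,dc=wbcoll,dc=edu",
]

if __name__ == "__main__":
    for line in ("nss_base_passwd ou=Users,dc=wbcoll,dc=edu?one",
                 "nss_base_passwd dc=wbcoll,dc=edu?sub"):
        print(line, "->", visible(ENTRIES, line))
```

With the `ou=Users ... ?one` base only the user entry is returned; the machine account under `ou=Computers` becomes resolvable once the base is widened to `dc=wbcoll,dc=edu?sub`.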
Craig White wrote:
On Fri, 2004-07-16 at 13:39, abebe lsslp wrote:
Hey Craig, here is what's happening. I've got nothing but a
headache from looking at log level 10, but finally I
finished going over it. For those of you who have not
been following, check
http://150.208.105.24/smbldap-pdc.html
----I have tried it your way as well.
smbd/process.c:timeout_processing(1332)(client
timeout_processing: End of file from client
has disconnected).
You are attempting to join WinXP to domain, are asked for the name/password/domain of a user who has sufficient privileges to add a machine to the domain and it fails to finish? The machine is indeed added to LDAP - that's all I can figure out from your email.
First off - my understanding is that Machine accounts should still be located in the People subtree and not in the Computers subtree because subsequent searches will not locate it there. If this has been fixed, I'm sure someone will correct me.
# 1
Changed the entry in '/etc/ldap.conf' to
    nss_base_passwd ou=People,dc=wbcoll,dc=edu?one
    nss_base_shadow ou=People,dc=wbcoll,dc=edu?one
    nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
#2
changed the entry in '/etc/samba/smb.conf' file, I
changed
ldap machine suffix = ou=People
#3 and finally, the entry in '/etc/smbldap-tools/smbldap.conf'
    # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
    computersdn="ou=People,dc=wbcoll,dc=edu"
However, I am sure the "ou=Computers" entry works. A
lot of documentation, including idealx.org, would have
corrected their documentation if it wasn't so.
Secondly - ldap log? I couldn't find any hint that leads me to believe the
ldap doesn't work, but you might see something I
don't. You will find the whole 'slapd.log' file here:
http://150.208.105.24/smbldap-pdc/. (There are also
log files for the xp machine: 'winxp.log.html' is log
level 10 and 'winxp_log.html' is log level 3.) Log
level 10 doesn't really tell me anything log level 3
doesn't.
---- SID's don't match...
    dn: uid=Administrator,ou=Users,dc=wbcoll,dc=edu
    <snip>
    sambaPrimaryGroupSID: S-1-5-21-952094410-1508517273-1204454084-512
    sambaSID: S-1-5-21-952094410-1508517273-1204454084-2996

    pdbedit -Lv testuser1
    <snip>
    User SID: S-1-5-21-1414736517-1990894286-2385622597-3000
    Primary Group SID: S-1-5-21-1414736517-1990894286-2385622597-513
Who knows which SID is in smbldap_conf and which SID is in dn=SambaDomainName,dc=wbcoll,dc=edu
This should be one of the first things you check.
Also - just for a point of reference (not that what I do is at all correct or even recommended by the many people that know way more than I do), I set the primary posix gid for all users to a posix labeled group and my /etc/samba/smbusers looks like this:
    # cat /etc/samba/smbusers
    # Unix_name = SMB_name1 SMB_name2 ...
    root = Administrator administrator admin
    nobody = guest pcguest smbguest
I hope this helps.
Craig
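
The SID comparison suggested in the quoted message, as an added example that is not part of the original thread: it splits each SID from the two excerpts above into domain SID and RID and lists the entries that fall outside an expected domain SID. Which of the two domain SIDs is the correct one is not known from the thread, so the `expected` argument is an assumption supplied by the caller.

```python
import re

# "<label>: <domain SID>-<RID>", as printed in LDIF and by pdbedit -Lv.
SID_LINE = re.compile(
    r"^[ \t]*([^:\n]+):[ \t]*(S-1-5-21(?:-\d+){3})-(\d+)[ \t]*$", re.M)

# Excerpts as quoted in the thread above.
LDAP_ENTRY = """\
dn: uid=Administrator,ou=Users,dc=wbcoll,dc=edu
sambaPrimaryGroupSID: S-1-5-21-952094410-1508517273-1204454084-512
sambaSID: S-1-5-21-952094410-1508517273-1204454084-2996
"""
PDBEDIT_OUT = """\
User SID: S-1-5-21-1414736517-1990894286-2385622597-3000
Primary Group SID: S-1-5-21-1414736517-1990894286-2385622597-513
"""


def split_sids(text):
    """Return [(label, domain_sid, rid), ...] for every SID line in text."""
    return [(label.strip(), dom, int(rid))
            for label, dom, rid in SID_LINE.findall(text)]


def domain_sids(sources):
    """Map each source name to the sorted domain SIDs its entries use."""
    return {name: sorted({dom for _, dom, _ in split_sids(text)})
            for name, text in sources.items()}


def mismatches(sources, expected):
    """List (source, label, sid) for each SID outside the expected domain."""
    bad = []
    for name, text in sources.items():
        for label, dom, rid in split_sids(text):
            if dom != expected:
                bad.append((name, label, f"{dom}-{rid}"))
    return bad


if __name__ == "__main__":
    sources = {"ldap": LDAP_ENTRY, "pdbedit": PDBEDIT_OUT}
    print(domain_sids(sources))
    # Assumption for the demo: treat the pdbedit domain SID as the expected one.
    expected = domain_sids(sources)["pdbedit"][0]
    for row in mismatches(sources, expected):
        print("mismatch:", row)
```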