> Hello Everyone,
>
> I am having some trouble and would greatly appreciate some assistance. I apologize if this has been on the list before; I am, however, down to two hours before the due date. I have used samba before with no problems, but this is the first time I have had to do it with LDAP. The problem is that no users appear to be authenticating and there are no errors in the logs. I followed the online tutorials and tried several variations to no avail. I would REALLY appreciate it if someone who has a working samba/OpenLDAP environment could take a moment to assist me.

The main problem is that different tutorials don't mix with each other, and there is no error-free tutorial. The best one is from The Official Samba-3 HOWTO and Reference Guide.

OK so far...

> below is my config for review:
> [global]
> workgroup = ventus.local
> server string = Ventus Samba Server
> hosts allow = 172.28.0. 127.
> printcap name = /etc/printcap

Oh, you don't use CUPS? bad... the default is printcap name = cups

> load printers = yes

This is the default and can be omitted.

> log file = /var/log/samba/%m.log
> max log size = 50

OK

> passdb backend = ldapsam:ldap://192.168.1.243/
> ldap suffix = o=ventusnetworks.com,dc=na

OK

> ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))

This is probably the culprit - the working default is: ldap filter = (uid=%u)

> ldap machine suffix = ou=computers,o=ventusnetworks.com,dc=na
> ldap user suffix = o=ventusnetworks.com,dc=na
> ldap admin dn = "cn=Manager,dc=na"

I assume that all those entries exist and that you didn't forget to run smbpasswd -w managerpassword

> ldap delete dn = yes

OK
> security = user

This is the default.

> null passwords = Yes

Hm... OK

> encrypt passwords = yes

This is the default.

> unix password sync = Yes

You don't need that in an LDAP setup if you keep posix account information in LDAP using the posixAccount objectclass, like LAM does. You probably want unix password sync = no, ldap password sync = yes, and also mention pam_smbpass.so in /etc/pam.d/* and also install nss-ldap.

Also, you forgot to mention the IDEALX scripts for adding users and groups into LDAP, like:

add user script = /var/lib/samba/smbldap/smbldap-useradd.pl -m '%u'
delete user script = /var/lib/samba/smbldap/smbldap-userdel.pl %u
add group script = /var/lib/samba/smbldap/smbldap-groupadd.pl -p '%g'
delete group script = /var/lib/samba/smbldap/smbldap-groupdel.pl '%g'
add user to group script = /var/lib/samba/smbldap/smbldap-groupmod.pl \
    -m '%g' '%u'
delete user from group script = \
    /var/lib/samba/smbldap/smbldap-groupmod.pl -x '%g' '%u'
set primary group script = /var/lib/samba/smbldap/smbldap-usermod.pl \
    -g '%g' '%u'
add machine script = /var/lib/samba/smbldap/smbldap-useradd.pl -w '%u'

> passwd program = /usr/bin/passwd %u

Not needed, since the password is kept in LDAP.

> passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

Overconfiguration.
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

OK

> local master = yes
> os level = 255
> domain master = yes
> preferred master = yes
> domain logons = yes
> logon script = %m.bat
> logon script = %U.bat

You can't have two logon scripts. Do you actually use them?

> logon path = \\%L\Profiles\%U
> logon drive = U:

Looks right.

> name resolve order = wins lmhosts bcast
> wins support = yes
> dns proxy = no
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template shell = /bin/false
> winbind use default domain = no

I don't understand this idmap stuff. I know that it is needed when your SAMBA server is a member of a Windows-controlled domain, because there are no other sources of uids. But your situation is different: your PDC is SAMBA. I really don't know what should be done here in this case. My PDC doesn't use this winbindd/idmap stuff at all, because uids are in posixAccounts in LDAP.
The rest of your file looks OK. I post my own smb.conf for comparison.
-- Alexander E. Patrakov
[global]
debug level = 0
dos charset = CP866
unix charset = UTF-8
workgroup = DOMAIN
netbios name = CONTROLLER
interfaces = lo,eth1
bind interfaces only = yes
passdb backend = ldapsam:ldap://127.0.0.1
# Warning: I don't run winbindd. and don't understand the following
# four lines. I also don't understand if they are needed at all.
algorithmic rid base = 10000
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap backend = ldap:ldap://127.0.0.1
domain master = yes
local master = yes
preferred master = yes
os level = 65
security = user
guest account = Guest
template primary group = Domain Users
domain logons = yes
logon path = \\%L\profiles\%U
add user script = /var/lib/samba/smbldap/smbldap-useradd.pl -m '%u'
delete user script = /var/lib/samba/smbldap/smbldap-userdel.pl %u
add group script = /var/lib/samba/smbldap/smbldap-groupadd.pl -p '%g'
delete group script = /var/lib/samba/smbldap/smbldap-groupdel.pl '%g'
add user to group script = /var/lib/samba/smbldap/smbldap-groupmod.pl -m '%g' '%u'
delete user from group script = /var/lib/samba/smbldap/smbldap-groupmod.pl -x '%g' '%u'
set primary group script = /var/lib/samba/smbldap/smbldap-usermod.pl -g '%g' '%u'
add machine script = /var/lib/samba/smbldap/smbldap-useradd.pl -w '%u'
ldap suffix = dc=dialog,dc=usu,dc=ru
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = uid=Samba,ou=Security,dc=dialog,dc=usu,dc=ru
ldap ssl = no
ldap passwd sync = Yes
[netlogon]
path = /var/lib/samba/netlogon
writable = no
browsable = no
[profiles]
; you might wish to use a different directory for your
; Windows NT/2000/XP roaming profiles
path = /var/lib/samba/profiles
browsable = no
writable = yes
create mask = 0600
directory mask = 0700
[homes]
read only = no
browsable = no
guest ok = no
map archive = yes
[tmp]
path=/tmp/samba
browsable = yes
read only = no
guest ok = yes
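As an added example (not part of the thread, and not Samba's or Alexander's code), here is a small Python checker that encodes the review points made in the reply above so they can be caught before smbd is restarted: an ldapsam backend with a non-default ldap filter, unix password sync where ldap passwd sync is wanted, leftover passwd program / passwd chat lines, a parameter given twice in [global] (smbd keeps the last one), and shares that guests can write to. It assumes that smbd ignores case and whitespace in parameter names and joins lines ending in a backslash; the embedded smb.conf is a constructed sample cut down from the configuration under review. The check for ldap admin dn only reminds you that the matching password must be stored with smbpasswd -w, since that cannot be verified from the file alone.

```python
"""Static checks for an smb.conf that uses the ldapsam backend (added example)."""
import re

TRUE_VALUES = {"yes", "true", "1", "on"}

# Constructed sample, cut down from the configuration reviewed in the thread.
SAMPLE_SMB_CONF = r"""
[global]
   workgroup = VENTUS
   passdb backend = ldapsam:ldap://192.168.1.243/
   ldap suffix = o=ventusnetworks.com,dc=na
   ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
   ldap admin dn = "cn=Manager,dc=na"
   unix password sync = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n
   logon script = %m.bat
   logon script = %U.bat
   add user to group script = /var/lib/samba/smbldap/smbldap-groupmod.pl \
       -m '%g' '%u'

[profiles]
   path = /var/lib/samba/profiles
   writable = yes
   create mask = 0600

[tmp]
   path = /tmp/samba
   read only = no
   guest ok = yes
"""


def _logical_lines(text):
    """Join lines that end in a backslash, as smbd does (assumption)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf.strip()


def _norm(key):
    """smbd ignores case and whitespace in parameter names (assumption)."""
    return re.sub(r"\s+", "", key).lower()


def _is_true(value):
    return value is not None and value.strip().lower() in TRUE_VALUES


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicates in order."""
    sections, current = {}, None
    for line in _logical_lines(text):
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((_norm(key), value.strip()))
    return sections


def lint(sections):
    """Return a list of (kind, message) findings for the parsed config."""
    findings, seen = [], {}
    for key, value in sections.get("global", []):
        seen.setdefault(key, []).append(value)
    last = {k: v[-1] for k, v in seen.items()}  # smbd keeps the last value

    for key, values in seen.items():
        if len(values) > 1:
            findings.append(("duplicate", f"'{key}' set {len(values)} times; smbd keeps {values[-1]!r}"))

    if last.get("passdbbackend", "").startswith("ldapsam"):
        if last.get("ldapfilter", "(uid=%u)") != "(uid=%u)":
            findings.append(("ldap-filter", "ldap filter differs from the working default (uid=%u)"))
        if _is_true(last.get("unixpasswordsync")):
            findings.append(("unix-password-sync", "not needed when posixAccount data lives in LDAP"))
        if not _is_true(last.get("ldappasswdsync")):
            findings.append(("ldap-passwd-sync", "consider ldap passwd sync = yes"))
        for key in ("passwdprogram", "passwdchat"):
            if key in last:
                findings.append(("overconfiguration", f"'{key}' is unused with ldapsam"))
        if "ldapadmindn" in last:
            findings.append(("ldap-admin-dn", "store its password with: smbpasswd -w <password>"))

    for name, entries in sections.items():
        if name == "global":
            continue
        share = dict(entries)  # last value wins, as in smbd
        writable = (_is_true(share.get("writable")) or _is_true(share.get("writeable"))
                    or ("readonly" in share and not _is_true(share["readonly"])))
        if writable and _is_true(share.get("guestok")):
            findings.append(("guest-writable", f"[{name}] is writable by anonymous guests"))
    return findings


if __name__ == "__main__":
    for kind, message in lint(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"{kind:20s} {message}")
```

Run it against a real file by replacing SAMPLE_SMB_CONF with the contents of /etc/samba/smb.conf; it is a complement to, not a substitute for, testparm, which checks syntax but does not know which combinations are pointless in an LDAP setup.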
