Hello Everyone,
I am having some trouble and would greatly appreciate some assistance. I apologize if this has been on the list before; I am, however, down to two hours before the due date. I have used Samba before with no problems, but this is the first time I have had to do it with LDAP. The problem is that no users appear to be authenticating and there are no errors in the logs. I followed the online tutorials and tried several variations to no avail. I would REALLY appreciate it if someone who has a working Samba/OpenLDAP environment could take a moment to assist me.
The main problem is that different tutorials don't mix with each other, and there is no error-free tutorial. The best one is from The Official Samba-3 HOWTO and Reference Guide.
OK so far...below is my config for review:
[global]
workgroup = ventus.local
server string = Ventus Samba Server
hosts allow = 172.28.0. 127.
printcap name = /etc/printcap
Oh, you don't use CUPS? bad... the default is printcap name = cups
load printers = yes
This is the default and can be omitted
log file = /var/log/samba/%m.log
max log size = 50
OK
passdb backend = ldapsam:ldap://192.168.1.243/
ldap suffix = o=ventusnetworks.com,dc=na
OK
ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
This is probably the culprit - the working default is: ldap filter = (uid=%u)
ldap machine suffix = ou=computers,o=ventusnetworks.com,dc=na
ldap user suffix = o=ventusnetworks.com,dc=na
ldap admin dn = "cn=Manager,dc=na"
I assume that all those entries exist and that you didn't forget to run smbpasswd -w managerpassword
ldap delete dn = yes
OK
security = user
This is the default
null passwords = Yes
Hm... Ok
encrypt passwords = yes
This is the default
unix password sync = Yes
You don't need that in LDAP setup if you keep posix account information in LDAP using posixAccount objectclass, like LAM does. You probably want unix password sync = no, ldap password sync = yes and also mention pam_smbpass.so in /etc/pam.d/* and also install nss-ldap.
Also you forgot to mention IDEALX scripts for adding users and groups into LDAP, like:
add user script = /var/lib/samba/smbldap/smbldap-useradd.pl -m '%u'
delete user script = /var/lib/samba/smbldap/smbldap-userdel.pl %u
add group script = /var/lib/samba/smbldap/smbldap-groupadd.pl -p '%g'
delete group script = /var/lib/samba/smbldap/smbldap-groupdel.pl '%g'
add user to group script = /var/lib/samba/smbldap/smbldap-groupmod.pl -m '%g' '%u'
delete user from group script = /var/lib/samba/smbldap/smbldap-groupmod.pl -x '%g' '%u'
set primary group script = /var/lib/samba/smbldap/smbldap-usermod.pl -g '%g' '%u'
add machine script = /var/lib/samba/smbldap/smbldap-useradd.pl -w '%u'
passwd program = /usr/bin/passwd %u
Not needed, since the password is kept in LDAP
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
Overconfiguration
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
OK
local master = yes
os level = 255
domain master = yes
preferred master = yes
domain logons = yes
logon script = %m.bat
logon script = %U.bat
You can't have two logon scripts. Do you actually use them?
logon path = \\%L\Profiles\%U
logon drive = U:
Looks right.
name resolve order = wins lmhosts bcast
wins support = yes
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no
I don't understand this idmap stuff. I know that it is needed when your SAMBA server is a member of a Windows-controlled domain, because there are no other sources of uids. But your situation is different, your PDC is SAMBA. I really don't know what should be done here in this case. My PDC doesn't use this winbindd/idmap stuff at all, because uids are in posixAccounts in LDAP.
The rest of your file looks OK. I post my own smb.conf for comparison.
-- Alexander E. Patrakov
[global]
debug level = 0
dos charset = CP866
unix charset = UTF-8
workgroup = DOMAIN
netbios name = CONTROLLER
interfaces = lo,eth1
bind interfaces only = yes
passdb backend = ldapsam:ldap://127.0.0.1
# Warning: I don't run winbindd. and don't understand the following
# four lines. I also don't understand if they are needed at all.
algorithmic rid base = 10000
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap backend = ldap:ldap://127.0.0.1
domain master = yes
local master = yes
preferred master = yes
os level = 65
security = user
guest account = Guest
template primary group = Domain Users
domain logons = yes
logon path = \\%L\profiles\%U
add user script = /var/lib/samba/smbldap/smbldap-useradd.pl -m '%u'
delete user script = /var/lib/samba/smbldap/smbldap-userdel.pl %u
add group script = /var/lib/samba/smbldap/smbldap-groupadd.pl -p '%g'
delete group script = /var/lib/samba/smbldap/smbldap-groupdel.pl '%g'
add user to group script = /var/lib/samba/smbldap/smbldap-groupmod.pl -m '%g' '%u'
delete user from group script = /var/lib/samba/smbldap/smbldap-groupmod.pl -x '%g' '%u'
set primary group script = /var/lib/samba/smbldap/smbldap-usermod.pl -g '%g' '%u'
add machine script = /var/lib/samba/smbldap/smbldap-useradd.pl -w '%u'
ldap suffix = dc=dialog,dc=usu,dc=ru
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = uid=Samba,ou=Security,dc=dialog,dc=usu,dc=ru
ldap ssl = no
ldap passwd sync = Yes

[netlogon]
path = /var/lib/samba/netlogon
writable = no
browsable = no

[profiles]
; you might wish to use a different directory for your
; Windows NT/2000/XP roaming profiles
path = /var/lib/samba/profiles
browsable = no
writable = yes
create mask = 0600
directory mask = 0700

[homes]
read only = no
browsable = no
guest ok = no
map archive = yes

[tmp]
path = /tmp/samba
browsable = yes
read only = no
guest ok = yes
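As an added example that is not part of either poster's message, the following Python script lints an smb.conf for the ldapsam pitfalls raised in the reply above: a non-default ldap filter, a missing ldap admin dn, unix password sync instead of ldap passwd sync, leftover passwd program / passwd chat, null passwords, duplicate parameters such as two logon script lines, and missing smbldap-tools hooks. It reads the file the way Samba does (parameter names are case- and whitespace-insensitive, ';' and '#' start comments, a trailing backslash continues a line, the last duplicate wins). The parameter names are real Samba parameters; the finding codes and both sample configs are my own construction, modelled on the config quoted in this thread.

```python
# Added example: lint an smb.conf for the LDAP-backend pitfalls discussed in the
# thread. Parameter names are Samba's; finding codes and samples are constructed.


def parse_smb_conf(text):
    """Return (section, parameter, value) triples in file order.

    Mirrors Samba's reading of the file: parameter names are case-insensitive
    and ignore internal whitespace, ';' and '#' start comments, and a trailing
    backslash continues the line. Duplicates are kept so a linter can see them.
    """
    entries, section, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        line, pending = (pending + line).strip(), ""
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.append((section, " ".join(key.split()).lower(), value.strip()))
    return entries


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def lint_ldap_config(text):
    """Return (code, message) findings for the [global] section."""
    findings, params = [], {}
    for section, key, value in parse_smb_conf(text):
        if section != "global":
            continue
        if key in params:  # e.g. two 'logon script' lines: only the last one takes effect
            findings.append(("duplicate", f"'{key}' set twice ('{params[key]}' and '{value}'); Samba keeps the last one"))
        params[key] = value
    if not params.get("passdb backend", "").startswith("ldapsam"):
        findings.append(("not-ldapsam", "passdb backend is not ldapsam; LDAP checks skipped"))
        return findings
    flt = params.get("ldap filter")
    if flt is not None and flt != "(uid=%u)":
        findings.append(("ldap-filter", f"ldap filter '{flt}' differs from the working default '(uid=%u)'"))
    if "ldap admin dn" not in params:
        findings.append(("no-admin-dn", "ldap admin dn missing; smbd cannot bind to LDAP to write accounts"))
    if _is_yes(params.get("unix password sync", "no")):
        findings.append(("unix-sync", "unix password sync = yes drives a local passwd program; with ldapsam use ldap passwd sync"))
    if params.get("ldap passwd sync", "no").strip().lower() not in ("yes", "true", "1", "only"):
        findings.append(("no-ldap-sync", "ldap passwd sync is off; Samba password changes will not update userPassword in LDAP"))
    for key in ("passwd program", "passwd chat"):
        if key in params:
            findings.append(("legacy-passwd", f"'{key}' is unnecessary when passwords are kept in LDAP"))
    if _is_yes(params.get("null passwords", "no")):
        findings.append(("null-passwords", "null passwords = yes lets accounts with empty passwords log in"))
    for key in ("add user script", "add machine script"):
        if key not in params:
            findings.append(("missing-script", f"'{key}' not set; Samba cannot create that account type in LDAP itself"))
    return findings


# Constructed sample modelled on the config quoted in this thread (not the poster's file).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = ventus.local
   passdb backend = ldapsam:ldap://192.168.1.243/
   ldap suffix = o=ventusnetworks.com,dc=na
   ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
   ldap admin dn = "cn=Manager,dc=na"
   null passwords = Yes
   unix password sync = Yes
   passwd program = /usr/bin/passwd %u
   logon script = %m.bat
   logon script = %U.bat
   add user script = /var/lib/samba/smbldap/smbldap-useradd.pl -m '%u'
   add user to group script = /var/lib/samba/smbldap/smbldap-groupmod.pl \\
       -m '%g' '%u'
[homes]
   read only = no
"""

# The same constructed config with the reply's suggestions applied.
FIXED_SMB_CONF = """\
[global]
   workgroup = ventus.local
   passdb backend = ldapsam:ldap://192.168.1.243/
   ldap suffix = o=ventusnetworks.com,dc=na
   ldap admin dn = "cn=Manager,dc=na"
   unix password sync = no
   ldap passwd sync = yes
   logon script = %U.bat
   add user script = /var/lib/samba/smbldap/smbldap-useradd.pl -m '%u'
   add machine script = /var/lib/samba/smbldap/smbldap-useradd.pl -w '%u'
"""

if __name__ == "__main__":
    for code, msg in lint_ldap_config(SAMPLE_SMB_CONF):
        print(f"{code:15} {msg}")
    print("fixed config findings:", lint_ldap_config(FIXED_SMB_CONF))
```

Run it against a real file with `lint_ldap_config(open("/etc/samba/smb.conf").read())`; it only reports, so it is safe to run on a production server, and the duplicate check is what would have caught the two logon script lines that Samba itself silently accepts.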
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba