Matt Richards wrote:

Matt Richards wrote:

I was following the howto below (originally posted on this list as BIG
Samba howto for debian only.) to see if I could get my not-quite-working
Samba 3.0.14a (debian) server fully working and able to handle my Linux
logins too. The problem I'm having with my Samba setup is that I can't
change user passwords except through Swat. Users can't change them from
their machines using the Windows password change - but they are notified
to change them when they expire.

Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP
Server configuration". Neither slapindex nor slapd will run. It looks
like it doesn't like something about my root password, but I'm not sure
what it wants (I'm no expert on LDAP).  :)

Slapindex complains "bad configuration file". Slapd gives the more
detailed:
 line 65 (rootpw ***)
 /etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is
under suffix

I've attached my slapd.conf file if that is of any assistance. Any help
will be greatly appreciated.


Louis van Belle wrote:



[..snip..]

Hmm, well, looking at the config file, the first thing that I notice is
this
...

# The base of your directory in database #1
suffix          "dc=rahim-dale,dc=org"
rootdn                "cn=admin,dc=toronto,dc=ontario,dc=ca"


Your root DN isn't in the base of your LDAP tree; this should probably be
something like ...

suffix          "dc=rahim-dale,dc=org"
rootdn                "cn=admin,dc=rahim-dale,dc=org"

Try it and let us know what happens :).

HTH

Matt.



You got it in one!  I've got slapd running.

Now I'm stuck at "5.4 set the samba ldap admin password". I can set the
admin password and get the expected response, but when I try
"smbldap-populate -a Administrator -b nobody -u 2000 -g 2000", it fails
to add the various groups. I get "failed to add entry: modifications
require authentication at /usr/sbin/smbldap-populate line 460, <GEN1>
line 3." for each ou=<groupname> it tries to add.

Any ideas?

The smbldap-populate script requires authentication to the LDAP server;
there is probably a problem with the login you have set in smbldap.conf,
if you have set any at all!

I would recommend looking through the smbldap-tools howto at
http://samba.idealx.org/smbldap-tools.en.html
and seeing if there is anything you have missed out, but the first thing I
would try is this ..

...
3 Configuring the smbldap-tools
As mentioned in the previous section, you'll have to update two
configuration files. The first (smbldap.conf) allows you to set global
parameters that are readable by everybody, and the second
(smbldap_bind.conf) defines two administrative accounts to bind to a slave
and a master ldap server: this file must thus be readable only by root. A
script named configure.pl can help you to set their contents up. It is
located in the tarball downloaded or in the documentation directory if you
got the RPM archive (see /usr/share/doc/smbldap-tools/). Just invoke it:

/usr/share/doc/smbldap-tools/configure.pl
...

Note: the smbldap-tools dir might not be located in your /usr/share/doc/
directory.

If this doesn't work, you could attach your smbldap config file (with the
password taken out, of course) so we can have a little look.

Matt.

I can't see anything wrong with my setup but even when I tweak the
settings a little, I get the same result. Here are: smbldap.conf,
smbldap_bind.conf (with passwords removed) and the smb.conf I'm using
for ldap (renamed right now because I'm keeping my old setup available
until I get this working).

One issue is my password does have an apostrophe and a period in it. It
shouldn't be an issue because the bind file has them in quotes. I've
also tried them escaped ("\") but that didn't change anything.


# Global parameters
[global]
        workgroup = RAHIM-DALE
        netbios name = SEMPER
        #interfaces = 192.168.5.11
        username map = /etc/samba/smbusers
        enable privileges = yes
        server string = %h PDC (Samba %v)
        security = user
        encrypt passwords = Yes
        min passwd length = 5
        obey pam restrictions = No
        ldap passwd sync = Yes
        #unix password sync = Yes
        #passwd program = /usr/sbin/smbldap-passwd -u %u
        #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
        log level = 0
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 100000
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        mangling method = hash2
        Dos charset = 850
        Unix charset = ISO8859-1

        admin users = garydale, root
        hosts allow = 192.168.2.

        logon script = scripts\logon.bat
        logon path = \\%L\Profiles\%U
        logon drive = M:
        logon home = \\%L\%U

        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        passdb backend = ldapsam:ldap://127.0.0.1/
        # passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com";
        # ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
        ldap admin dn = uid=samba,ou=Users,dc=rahim-dale,dc=org
        ldap suffix = dc=rahim-dale,dc=org
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Users
        ldap ssl = start tls
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        ldap delete dn = Yes
        #delete user script = /usr/sbin/smbldap-userdel "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g" 
        #delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

        # printers configuration
        printer admin = @"Print Operators"
        load printers = Yes
        create mask = 0640
        directory mask = 0750
        nt acl support = No
        printing = cups
        printcap name = cups
        deadtime = 10
        guest account = nobody
        map to guest = Bad User
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
        show add printer wizard = yes
        ; to maintain capital letters in shortcuts in any of the profile folders:
        preserve case = yes
        short preserve case = yes
        case sensitive = no

[homes]
        comment = repertoire de %U, %u
        read only = No
        create mask = 0644
        directory mask = 0775
        browseable = No

[netlogon]
        comment = Logon Server Share
        path = /home/samba/netlogon
        read only = No
        browseable = No

[profiles]
        path = /home/samba/profiles
        read only = no
        create mask = 0600
        directory mask = 0700
        browseable = No
        guest ok = Yes
        profile acls = yes
        csc policy = disable
        # next line is a great way to secure the profiles 
        force user = %U 
        # next line allows administrator to access all profiles 
        valid users = %U "Domain Admins"

[printers]
        comment = Network Printers
        printer admin = @"Print Operators"
        guest ok = yes 
        printable = yes
        path = /home/spool/
        browseable = No
        read only = Yes
        print command = /usr/bin/lpr -P%p -r %s
        lpq command = /usr/bin/lpq -P%p
        lprm command = /usr/bin/lprm -P%p %j

[print$]
        path = /home/printers
        guest ok = No
        browseable = Yes
        read only = Yes
        valid users = @"Print Operators"
        write list = @"Print Operators"
        create mask = 0664
        directory mask = 0775

[public]
        comment = Repertoire public
        path = /home/public
        browseable = Yes
        guest ok = Yes
        read only = No
        directory mask = 0775
        create mask = 0664

[archives]
        path = /home/shares/archives
        write list = +Users, +users
        read only = No
        create mask = 0770
        directory mask = 0770

[communications]
        path = /home/shares/communications
        read only = No
        create mask = 0770
        directory mask = 0770

[dosstuff]
        path = /home/shares/dosstuff
        read only = No
        create mask = 0770
        directory mask = 0770

[games]
        path = /home/shares/games
        read only = No
        create mask = 0770
        directory mask = 0770

[graphics]
        path = /home/shares/graphics
        read only = No
        create mask = 0770
        directory mask = 0770

[hardware]
        path = /home/shares/hardware
        read only = No
        create mask = 0770
        directory mask = 0770

[install]
        path = /home/shares/install
        read only = No
        create mask = 0770
        directory mask = 0770

[office]
        path = /home/shares/office
        read only = No
        create mask = 0770
        directory mask = 0770

[tools]
        path = /home/shares/tools
        read only = No
        create mask = 0770
        directory mask = 0770

[utility]
        path = /home/shares/utility
        read only = No
        create mask = 0770
        directory mask = 0770

[media$]
        path = /home/secure/media
        valid users = garydale
        read only = No
        create mask = 0770
        directory mask = 0770

[webpages$]
        path = /home/secure/webpages
        valid users = garydale
        read only = No
        create mask = 0770
        directory mask = 0770

[aleysha]
        path = /home/aleysha

[shafeena]
        path = /home/shafeena

[garydale]
        path = /backup/home/samba/profiles/garydale

# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.17 2005/01/29 15:00:54 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

#  This code was developed by IDEALX (http://IDEALX.org/) and
#  contributors (their names can be found in the CONTRIBUTORS file).
#
#                 Copyright (C) 2001-2002 IDEALX
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.

#  Purpose :
#       . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID
# to obtain this number do: net getlocalsid
SID="S-1-5-21-2876377172-3325382575-3296313911"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use a dual LDAP server backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch,
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have 
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Ex: slaveLDAP=127.0.0.1
slaveLDAP="127.0.0.1"
slavePort="389"

# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="127.0.0.1"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for the connection
# (you should also use port 389)
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=rahim-dale,dc=org"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="sambaDomainName=rahim-dale,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="$1$%.8s"

##############################################################################
# 
# Unix Accounts Configuration
# 
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/nologin"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="99"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Ex: \\My-PDC-netbios-name\homes\%U
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
userSmbHome="\\semper\homes\%U"

# The UNC path to profiles locations (%U username substitution)
# Ex: \\My-PDC-netbios-name\profiles\%U
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
userProfile="\\semper\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: H: for H:
userHomeDrive="M:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: %U.cmd
# userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.cmd"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
mailDomain="rogers.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

############################
# Credential Configuration #
############################
# Notes: you can specify two different configurations if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=admin,dc=family,dc=rahim-family,dc=org"
slavePw="<password>"
masterDN="cn=admin,dc=family,dc=rahim-dale,dc=org"
masterPw="<password>"


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
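Both stumbles in this thread (slapd refusing `rootpw` because `rootdn` was outside `suffix`, then smbldap-populate getting "modifications require authentication") come down to DNs in three files that have to agree. The script below is an added example, not code from the thread and not part of smbldap-tools; it reads slapd.conf, smbldap.conf and smbldap_bind.conf offline and flags the mismatches a practitioner would check before touching the server. It assumes, as that slapd message suggests, that the add reached slapd on a connection that had not authenticated, so the bind DNs and the permissions of smbldap_bind.conf are the first things it looks at. The sample files it writes are constructed from the values posted above, with invented passwords (one containing an apostrophe and a period, as the poster's does).

```shell
#!/bin/bash
# Added example, not from the thread and not part of smbldap-tools: offline
# consistency checks between slapd.conf, smbldap.conf and smbldap_bind.conf.
# make_samples writes constructed files mirroring the DNs posted in the thread.

# Normalise a DN for comparison: drop quotes, lowercase, strip blanks around commas.
norm_dn() {
    printf '%s' "$1" | tr -d '"' | tr 'A-Z' 'a-z' \
        | sed 's/[[:space:]]*,[[:space:]]*/,/g; s/^[[:space:]]*//; s/[[:space:]]*$//'
}
# slapd.conf style:   key   "value"   (comment lines never match, first hit wins)
slapd_value() {  # $1=file $2=key
    awk -v k="$2" '$1 == k { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); gsub("\"", ""); print; exit }' "$1"
}
# smbldap-tools style:   key="value"   (value may contain apostrophes, dots and '=')
kv_value() {     # $1=file $2=key
    awk -F= -v k="$2" '$1 ~ ("^[ \t]*" k "[ \t]*$") {
        v = substr($0, index($0, "=") + 1)
        gsub("^[ \t]*\"?", "", v); gsub("\"?[ \t]*$", "", v)
        print v; exit }' "$1"
}
# Succeeds when $1 equals $2 or is an entry below it.
dn_under_suffix() {  # $1=dn $2=suffix
    local dn suf
    dn=$(norm_dn "$1"); suf=$(norm_dn "$2")
    [ -n "$dn" ] || return 1
    [ "$dn" = "$suf" ] && return 0
    case "$dn" in *",$suf") return 0 ;; esac
    return 1
}

# Prints one finding per line; returns the number of PROBLEM lines.
check_ldap_configs() {  # $1=slapd.conf $2=smbldap.conf $3=smbldap_bind.conf
    local problems=0 suffix rootdn tsuffix key dn
    suffix=$(slapd_value "$1" suffix)
    rootdn=$(slapd_value "$1" rootdn)
    # 1. slapd rejects rootpw unless rootdn lies inside suffix (the first error in the thread)
    if dn_under_suffix "$rootdn" "$suffix"; then
        echo "ok: rootdn $rootdn is under suffix $suffix"
    else
        echo "PROBLEM: rootdn $rootdn is not under suffix $suffix"; problems=$((problems + 1))
    fi
    # 2. smbldap-tools must address the tree slapd actually serves
    tsuffix=$(kv_value "$2" suffix)
    if [ "$(norm_dn "$tsuffix")" = "$(norm_dn "$suffix")" ]; then
        echo "ok: smbldap.conf suffix matches slapd suffix"
    else
        echo "PROBLEM: smbldap.conf suffix '$tsuffix' differs from slapd suffix '$suffix'"; problems=$((problems + 1))
    fi
    # 3. the bind DNs must be entries of that tree: a DN outside suffix cannot simple-bind,
    #    and an add on an unauthenticated connection is what slapd rejects with
    #    "modifications require authentication"
    for key in masterDN slaveDN; do
        dn=$(kv_value "$3" "$key")
        if ! dn_under_suffix "$dn" "$suffix"; then
            echo "PROBLEM: $key '$dn' is not under suffix $suffix"; problems=$((problems + 1))
        elif [ "$(norm_dn "$dn")" = "$(norm_dn "$rootdn")" ]; then
            echo "ok: $key is the slapd rootdn"
        else
            echo "warn: $key '$dn' is not the rootdn, so it must already exist with write access before smbldap-populate runs"
        fi
    done
    # 4. the bind file holds clear-text passwords: readable by root only, as the howto says
    if [ "$(ls -ld "$3" | cut -c5-10)" = "------" ]; then
        echo "ok: $3 is not group/world readable"
    else
        echo "PROBLEM: $3 is readable by group or others ($(ls -ld "$3" | cut -c1-10))"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample files with the values posted in the thread (passwords invented).
make_samples() {  # $1=directory
    cat > "$1/slapd.conf" <<'EOF'
suffix          "dc=rahim-dale,dc=org"
rootdn          "cn=admin,dc=rahim-dale,dc=org"
rootpw          secret
EOF
    cat > "$1/smbldap.conf" <<'EOF'
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=rahim-dale,dc=org"
EOF
    cat > "$1/smbldap_bind.conf" <<'EOF'
slaveDN="cn=admin,dc=family,dc=rahim-family,dc=org"
slavePw="it's.secret"
masterDN="cn=admin,dc=family,dc=rahim-dale,dc=org"
masterPw="it's.secret"
EOF
    chmod 644 "$1/smbldap_bind.conf"   # the mode a plain editor save leaves behind
}

# Run against the samples:  bash check-ldap.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_samples "$d"
    check_ldap_configs "$d/slapd.conf" "$d/smbldap.conf" "$d/smbldap_bind.conf"
    echo "problems: $?"; rm -r "$d"
fi
```

Against the posted values the check reports two problems: slaveDN (`dc=rahim-family` is not under `dc=rahim-dale,dc=org`) and a group/world-readable bind file; it also warns that masterDN (`cn=admin,dc=family,dc=rahim-dale,dc=org`) is not the rootdn `cn=admin,dc=rahim-dale,dc=org` that slapd now accepts, and whether an entry with that extra `dc=family` component exists at all is something only `ldapwhoami -x -D <masterDN> -W` against the running server can tell. The script does not read smb.conf, where `ldap admin dn` names yet another DN (`uid=samba,ou=Users,dc=rahim-dale,dc=org`) and `ldap ssl = start tls` is set while smbldap.conf has `ldapTLS="0"`; those deserve the same cross-check by hand.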
