[Samba] Using the same LDAP entry for posixAccount and sambaSamAccount with smbldap

2004-02-19 Thread Carlos García Recio

samba 3.0.2
smbldap-tools 0.8.4
RH 9
nss_ldap configured
pam_ldap NOT configured
LDAP passwd backend
winxp pro domain member

Hello,
I've configured smbldap-tools in smb.conf to manage users from usrmgr.exe. It 
works at group creation but has a strange behavior in user creation. In the 
LDAP there are two manually created accounts, Administrador and Invitado, both 
posixAccount and sambaSamAccount. When I try to create a new account with 
usrmgr using smbldap-useradd %u in add user script I get this error:

[2004/02/19 11:37:53, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1634)
  ldapsam_add_sam_account: failed to modify/add user with uid = juan (dn = 
uid=juan,ou=People,o=senado.es)
[2004/02/19 11:37:53, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2251)
  could not add user/computer juan to passdb.  Check permissions?

The usrmgr shows me an Access denied window and as a result I can find a new 
entry in the LDAP server with uid=juan that is a posixAccount and 
shadowAccount.

It looks like smbldap-useradd creates a new entry (posixAccount) in the LDAP 
server and then samba tries to create the same entry (but with 
sambaSamAccount, I think).

I can get rid of this error by making a conventional unix account with useradd 
(created in /etc/passwd) and then adding the user with usrmgr. As a result I 
get a new entry in the LDAP server that is a sambaSamAccount but not a 
posixAccount. (In this case I think that I didn't use add user script.)

The question is, how must I configure things to create new users through usrmgr with 
add user script = ...smbldap-useradd %u and get as a result a new entry in 
the LDAP server that is both posixAccount and sambaSamAccount?


Thanks in advance!

Carlos
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Using the same LDAP entry for posixAccount and sambaSamAccount with smbldap

2004-02-19 Thread Jérôme Tournier
On Thu, Feb 19, 2004 at 12:07:49PM +0100, Carlos García Recio wrote:
> samba 3.0.2
> smbldap-tools 0.8.4
> RH 9
> nss_ldap configured
> pam_ldap NOT configured
> LDAP passwd backend
> winxp pro domain member
Can you also send us your smbldap-tools configuration files, and also the samba and
openldap (?) ones?
thx
-- 
Jérôme


Re: [Samba] Using the same LDAP entry for posixAccount and sambaSamAccount with smbldap

2004-02-19 Thread Carlos García Recio
Here we go!
On Thursday 19 February 2004 12:39, Jérôme Tournier wrote:
> On Thu, Feb 19, 2004 at 12:07:49PM +0100, Carlos García Recio wrote:
>> samba 3.0.2
>> smbldap-tools 0.8.4
>> RH 9
>> nss_ldap configured
>> pam_ldap NOT configured
>> LDAP passwd backend
>> winxp pro domain member
>
> Can you also send us your smbldap-tools configuration files, and also the samba
> and openldap (?) ones?
> thx
> --
> Jérôme
dn: o=senado.es
objectClass: organization
objectClass: organization
objectClass: top
o: senado.es

dn: ou=People,o=senado.es
objectClass: organizationalUnit
ou: People

dn: ou=Groups,o=senado.es
objectClass: organizationalUnit
ou: Groups

dn: ou=Computers,o=senado.es
objectClass: organizationalUnit
ou: Computers

dn: uid=Administrador,ou=People,o=senado.es
sambaPwdLastSet: 1077009096
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 1077009096
sambaPwdMustChange: 2147483647
sambaLMPassword: F0D412BD764FFE81AAD3B435B51404EE
sambaNTPassword: 209C6174DA490CAEB422F3FA5A7AE634
sambaAcctFlags: [U  ]
loginShell: /bin/false
gecos: Netbios Domain Administrator
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
homeDirectory: /tmp
sambaPrimaryGroupSID: S-1-5-21-2056510298-3027076148-852687323-512
userPassword: {SSHA}tsGSr9yQRsPT1cRjBGBCPWqbEGO/EtHR
sn: Administrador
cn: Administrador
displayName: Administrador
uid: Administrador
sambaSID: S-1-5-21-2056510298-3027076148-852687323-1000
uidNumber: 0
gidNumber: 0

dn: uid=Invitado,ou=People,o=senado.es
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaLMPassword: NO PASSWORDX
sambaNTPassword: NO PASSWORDX
sambaAcctFlags: [NU ]
loginShell: /bin/false
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
sambaPrimaryGroupSID: S-1-5-21-2056510298-3027076148-852687323-514
sambaSID: S-1-5-21-2056510298-3027076148-852687323-501
uidNumber: 501
gidNumber: 99
sn: Invitado
cn: Invitado
displayName: Invitado
uid: Invitado

dn: cn=usuarios,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
sambaGroupType: 2
displayName: Usuarios del Dominio
sambaSID: S-1-5-21-2056510298-3027076148-852687323-513
cn: usuarios
description: Usuarios del domio NetBios

dn: cn=invitados,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-2056510298-3027076148-852687323-514
gidNumber: 99
cn: Invitados
displayName: Invitados
memberUid: Invitado
description: Usuarios invitados del dominio NetBios

dn: cn=Usuarios Avanzados,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 547
description: Netbios Domain Members can share directories and printers
sambaGroupType: 2
cn: Usuarios Avanzados
displayName: Usuarios Avanzados
sambaSID: S-1-5-21-2056510298-3027076148-852687323-547

dn: cn=Operadores de Cuenta,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
description: Netbios Domain Users to manipulate users accounts
sambaGroupType: 2
cn: Operadores de Cuenta
sambaSID: S-1-5-21-2056510298-3027076148-852687323-548
displayName: Operadores de Cuenta

dn: cn=Operadores de Servidor,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 549
description: Netbios Domain Server Operators
sambaGroupType: 2
cn: Operadores de Servidor
sambaSID: S-1-5-21-2056510298-3027076148-852687323-549
displayName: Operadores de Servidor

dn: cn=Operadores de Impresion,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
description: Netbios Domain Print Operators
sambaGroupType: 2
cn: Operadores de Impresion
sambaSID: S-1-5-21-2056510298-3027076148-852687323-550
displayName: Operadores de Impresion

dn: cn=Operadores de Copia de Seguridad,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
description: Netbios Domain Members can bypass file security to back up files
 
sambaGroupType: 2
cn: Operadores de Copia de Seguridad
sambaSID: S-1-5-21-2056510298-3027076148-852687323-551
displayName: Operadores de Copia de Seguridad

dn: cn=Replicador,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
description: Netbios Domain Supports file replication in a sambaDomainName
sambaGroupType: 2
cn: Replicador
displayName: Replicador
sambaSID: S-1-5-21-2056510298-3027076148-852687323-552

dn: cn=maquinas,ou=Groups,o=senado.es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 553
sambaGroupType: 2
displayName: Maquinas del Dominio
sambaSID: S-1-5-21-2056510298-3027076148-852687323-553
cn: maquinas
description: Cuentas de maquinas del dominio NetBios

dn: sambaDomainName=TEST,o=senado.es
sambaDomainName: TEST
sambaSID: 

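An added audit script (written for this page, not code from the thread or from the smbldap-tools project) that parses an LDIF export like the one above and reports, for every entry under the user suffix, whether it carries both objectClasses, only posixAccount (the half-created state the original post found for uid=juan after the failed usrmgr add) or only sambaSamAccount (the useradd-then-usrmgr workaround). The sample LDIF is constructed; the suffix ou=People,o=senado.es is taken from the posted directory.

```python
from collections import defaultdict

# Constructed sample modelled on the posted directory: one complete account and
# one half-created one (posixAccount + shadowAccount only), as found for uid=juan.
SAMPLE_LDIF = """\
dn: uid=Administrador,ou=People,o=senado.es
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
uid: Administrador
uidNumber: 0

dn: uid=juan,ou=People,o=senado.es
objectClass: posixAccount
objectClass: shadowAccount
uid: juan
uidNumber: 1001
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} (RFC 2849 subset: blank-line separated
    entries, leading-space continuations, '#' comments; '::' not decoded)."""
    entries, lines = {}, []
    for raw in text.splitlines() + [""]:        # trailing "" flushes last entry
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                 # fold continuation line
        elif raw == "" and lines:
            attrs = defaultdict(list)
            for line in lines:
                key, _, val = line.partition(":")
                attrs[key.strip()].append(val.strip())
            entries[attrs["dn"][0]] = dict(attrs)
            lines = []
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return entries

def audit(entries, user_suffix="ou=People,o=senado.es"):
    """Classify each entry under the user suffix as 'ok' (both classes),
    'posix-only' (smbldap-useradd ran, ldapsam add failed), 'samba-only'."""
    result = {}
    for dn, attrs in entries.items():
        if not dn.lower().endswith(user_suffix.lower()):
            continue
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        posix = "posixaccount" in classes
        samba = "sambasamaccount" in classes
        result[dn] = ("ok" if posix and samba else "posix-only" if posix
                      else "samba-only" if samba else "neither")
    return result
```

Run it against the output of `slapcat` (or an `ldapsearch` export) to spot accounts left behind by a failed add before Windows clients start failing to log on with them.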
Re: [Samba] Using the same LDAP entry for posixAccount and sambaSamAccount with smbldap

2004-02-19 Thread Carlos García Recio
Here we go again!

On Thursday 19 February 2004 12:59, Carlos García Recio wrote:
> Here we go!
>
> On Thursday 19 February 2004 12:39, Jérôme Tournier wrote:
>> On Thu, Feb 19, 2004 at 12:07:49PM +0100, Carlos García Recio wrote:
>>> samba 3.0.2
>>> smbldap-tools 0.8.4
>>> RH 9
>>> nss_ldap configured
>>> pam_ldap NOT configured
>>> LDAP passwd backend
>>> winxp pro domain member
>>
>> Can you also send us your smbldap-tools configuration files, and also
>> the samba and openldap (?) ones?
>> thx
>> --
>> Jérôme

# /etc/nsswitch.conf
passwd: files ldap
shadow: files
group:  files ldap


# /etc/samba/smb.conf
[global]
log level = 1 passdb:5 auth:5 winbind:10
# NetBIOS machine and domain name
netbios name = testPDC
workgroup = test

# Account backend definition
passdb backend = ldapsam:ldap://localhost:389
ldap admin dn = cn=Manager,o=senado.es
ldap ssl = off
; When I delete a user from the domain I only want to
; delete his samba attributes, but I don't remove
; the ldap entry.
ldap suffix = o=senado.es
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))


add user script = /usr/local/sbin/smbldap-useradd %u
ldap delete dn = no
#delete user script = /usr/local/sbin/smbldap-userdel %u
add machine script = /usr/local/sbin/smbldap-useradd -w %u
add group script = /usr/local/sbin/smbldap-groupadd -p %g
#delete group script = /usr/local/sbin/smbldap-groupdel %g
add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u


# Mapping of UIDs/GIDs on the domain's UNIX machines
idmap backend = ldap:ldap://localhost:389
ldap idmap suffix = ou=Idmap
; Try to synchronise the ldap password with the NT password
ldap passwd sync = no
;username map = /etc/samba/smbusers

# PDC role
security = user
encrypt passwords = yes
os level = 255
preferred master = yes
domain master = yes
local master = yes
wins support = yes
domain logons = yes

# Set profiles to be local
logon path = 
logon home = 
logon drive = 
logon script = 

# Share needed for users to log in to the domain
[netlogon]
path = /home/samba/netlogon
read only = yes


# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema

#
# SAMBA #
#
include /usr/share/doc/samba-3.0.2a/examples/LDAP/samba.schema


# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

#pidfile    //var/run/slapd.pid
#argsfile   //var/run/slapd.args

# Create a replication log in /var/lib/ldap for use by slurpd.
#replogfile /var/lib/ldap/master-slapd.replog

# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

#
# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running make slapd.pem, and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
#
# Sample Access Control
#   Allow read access of root DSE
#   Allow self write access
#   Allow authenticated users read access
#   Allow anonymous users to authenticate
#
#access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default is:
#   Allow read by all
#
# rootdn can always write!

###
# ldbm database definitions
###

loglevel 256

database ldbm
#suffix dc=my-domain,dc=com
suffix  o=senado.es
rootdn  cn=Manager,o=senado.es
#rootdn cn=Manager,dc=example,dc=com
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw  secret
# rootpw   

Re: [Samba] Using the same LDAP entry for posixAccount and sambaSamAccount with smbldap

2004-02-19 Thread Jérôme Tournier
On Thu, Feb 19, 2004 at 01:30:24PM +0100, Carlos García Recio wrote:
> ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
Can you try removing the filter (or commenting it out)?
It seems to cause some problem. I did not search for the exact problem, but
there must certainly be a good way of writing the filter.
-- 
Jérôme