[Samba] rpc trust gives WksQueryInfo call failed
Hello,

I am trying to establish a trust from SAMBA 3.0.7 (RedHat AS3U4; same result with 3.0.9 from RedHat AS3-U5) with an NT4 domain controller. Here is the problem:

[EMAIL PROTECTED] root]# net rpc trustdom establish DOM
Password:
Could not connect to server POMEROL
[2005/06/22 09:44:11, 0] rpc_parse/parse_prs.c:prs_mem_get(537)
  prs_mem_get: reading data of size 4 would overrun buffer.
[2005/06/22 09:44:11, 0] utils/net_rpc.c:rpc_trustdom_establish(4377)
  WksQueryInfo call failed.

Both servers are on the same network, and the netbios name and domain controller are correctly resolved. People have already had this problem: I found a patch proposed by Jerry (http://lists.samba.org/archive/samba/2005-March/101572.html), but it should not be a problem for my versions. I also tried with the 3.0.13 release from samba.org and got the same result. I can't see where the problem comes from, as the trust can be established with another NT4 server, but the NT4 administrator told me that both NT4 servers have the same security level and the same configuration (other than network)...

Does anyone have an idea?

Thanks!
-- Jerome
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Cannot join SAMBA domain from XP/2K
On Sun, Sep 19, 2004 at 10:50:34PM +0200, deff wrote:
> Yes, I did. In some other thread someone mentioned that it is mandatory to put
> all users and machines accounts to ou=People due to some weird samba design
> decision. However, it isn't mentioned in any howto, neither official nor
> idealx's, and samba doesn't complain about it in any way either. Too
> bad...for me.

If I'm not out of the thread (I read it quickly), I put a few words about this (and links to the samba mailing list) just before paragraph 4.2.4: http://samba.idealx.org/smbldap-howto.fr.html
-- Jérôme
Re: [Samba] Vampire Migrate NT4 to Samba-LDAP PDC. Access error
On Tue, Aug 03, 2004 at 02:47:12PM +0200, Ioan Caltun wrote:
> Error: Insufficient access at /usr/local/sbin//smbldap_tools.pm line 920.
>
> And this repeats itself for all the accounts.. Could somebody tell me why there is
> insufficient access and especially for whom? As I start the actions as root :-(

The script looks for a privileged account defined in smbldap_bind.conf (look in /etc/smbldap-tools). This account must have write access to the directory to be able to add new entries.
-- Jérôme
Re: [Samba] smbldap-populate issues?
On Fri, Jul 23, 2004 at 11:17:29AM +1000, Eric J Bennett wrote:
> [EMAIL PROTECTED] root]# smbldap-populate
> failed to add entry: unrecognized objectClass 'sambaUnixIdPool' at
> failed to add entry: sambapwdlastset: attribute type undefined at
> failed to add entry: sambapwdlastset: attribute type undefined at
> failed to add entry: sambasid: attribute type undefined at

It seems that the samba schema is not loaded. Check that you have the include file in smb.conf, and that the loaded schema has, for example, the sambaUnixIdPool objectclass defined. I think this is an ldap problem...
-- Jérôme
Re: [Samba] pam_smbmount
On Tue, Jul 20, 2004 at 11:17:06PM +1000, John Simovic wrote:
> Has anybody managed to get this working under linux and if not does anybody
> mount windows shares under linux without user intervention?

Yes, you can use PAM's libpam-mount module for this. Note that if you want to mount a Windows 2003 share, you need to patch the kernel for CIFS support, or use a 2.6 kernel.
-- Jérôme
Re: [Samba] smbldap-tools, setting password on command line?
On Sun, Jul 11, 2004 at 10:33:58PM +0200, [EMAIL PROTECTED] wrote:
> script around these tools. I tried
> smbldap-passwd.pl testuser1 < pass
> where pass contains on two lines the password, but that's a solution I'm not
> proud of, especially since I get this warning/error:
> fileserver:~ # /opt/samba3/sbin/smbldap-passwd.pl testuser2 < testpasses

You can use (with 0.8.5, or you'll have error messages with older versions, although it should work):

echo -e 'password\npassword' | smbldap-passwd testuser2
-- Jérôme
Re: [Samba] configuring samba-LDAP-PDC using IDEALX tools
On Thu, Jun 17, 2004 at 09:21:46PM -0700, abebe lsslp wrote:
> failed to bind to server with dn= cn=Manager,dc=pdc,dc=wbc Error: Invalid
> credentials

The password you defined for cn=Manager,dc=pdc,dc=wbc is invalid. Did you fix it with the command "smbpasswd -w your_passwd"?

> [EMAIL PROTECTED] root]# smbldap-passwd administrator
> No such object at /usr/sbin//smbldap_tools.pm line 189, line 283.

Be careful: the script and smbldap_tools.pm must be in the same directory. And the configuration files must be located in /etc/smbldap-tools/ (unless you change the path in smbldap_tools.pm in the function read_conf).
-- Jérôme
Re: [Samba] Two questions about smbldap-tools
On Mon, Jun 07, 2004 at 10:05:52AM -0400, Dan Hill wrote:
> 2. Is www.idealx.org still a valid site for the smbldap-tools and
> related info? When I go there, no matter the URL I enter, I get a login
> screen prompting for a username and password or a message that page can
> not be found on the server.

If you are asked for a login/password, there's certainly a problem. In that case, please send me the URL you want to access. Thanks. The smbldap-tools page is http://samba.idealx.org/
-- Jérôme
Re: [Samba] smbldap-populate under debian woody fail
On Thu, Jun 03, 2004 at 03:50:02PM +0200, Marc Remolt wrote:
> Why are they commented in the first place, if I may ask?

Because those groups are not actually used with samba.
-- Jérôme
Re: [Samba] smbldap-populate under debian woody fails
On Thu, Jun 03, 2004 at 12:35:32PM +0200, Marc Remolt wrote:
> The script starts adding the entries but after
> cn=Domain Guests,ou=Groups,dc=xyz,dc=com
> which is successful the following line shows up
> Can't call method "dn" on an undefined value at
> /usr/sbin/smbldap-populate line 341, line 11.

Which version of the script are you using? Can you test "smbldap-populate -e /tmp/export.ldif" and see if the ldif file looks good near the Domain Guests entry?
-- Jérôme
Re: [Samba] Unable to execute program from smbldap-passwd.pl om samba 3.0.4
On Wed, Jun 02, 2004 at 04:21:59PM +0300, zergio wrote:
> When I run smbldap-passwd.pl script from command line it works just
> fine, however when samba calls it, unix and samba passwords got changed.
> But my code, which I added, looks like never been called at all.

For smbldap-passwd.pl to be called, you need to add in smb.conf: 'unix password sync = Yes'. I know this is strange for an ldap backend, but the man page says that. Next, you need to patch smbldap-passwd.pl (in 3 different places) so that you have only the <STDIN> between "stty -echo" and "stty echo". For example:

system "stty -echo";
chomp($pass=<STDIN>);
system "stty echo";
print "\n";

and not

system "stty -echo";
chomp($pass=<STDIN>);
print "\n";
system "stty echo";

I am sorry, I can't send a patch because I don't have the old sources with me :-(
-- Jérôme
Re: [Samba] SAMBA 3.0.4 + LDAP + usrmgr
On Thu, May 20, 2004 at 08:55:59AM +0200, RRuegner wrote:
> >add machine script = /var/lib/samba/scripts/smbldap-useradd -w %u
> you have to copy the script in /usr/local/sbin/ cause this is hardcoded
> in them use this
>add machine script = /usr/local/sbin/smbldap-useradd.pl -w "%u"

Things that are hardcoded in the script are:
. in smbldap-passwd: the path to slappasswd
. in smbldap-useradd, smbldap_tools.pm: the script to nscd init script
. in smbldap_tools.pm: the path to configuration files (in /etc/smbldap-tools/)

The one to take care of is the last one, because if the configuration files are not in /etc/smbldap-tools/, all scripts will fail.
-- Jérôme
Re: [Samba] Samba 3.0.4 PDC w/ LDAP - XP client
On Thu, May 20, 2004 at 12:40:10AM +0200, Stefan G. Weichinger wrote:
> What about 0.8.5 ? ;-)

Well, it will come in a short time I think. I am just waiting for some feedback about the cvs version: I added a new object called cn=sambaUnixIdPool that has the sambaUnixIdPool objectclass. This object allows storing the next uidNumber and gidNumber available when adding a new user or a new group. This is useful for directories with a large number of users. I am not sure that cn=sambaUnixIdPool is the best name for this, and I am wondering if this objectclass was initially made for this purpose (if I must remove that later because this objectclass is made for something else, I prefer to know that as soon as possible). Any comment is welcome ;-)

> As many people will take your toolset as the one to start with and
> will take the included HOWTO as the one to follow, I would suggest to
> modify the HOWTO to something like:
> "As bugreport x.y.z in bugzilla.samba.org states, there are problems
> with using the Container ou=Computers with Samba 3.0.x ... "

This is present in the cvs version of the smbldap-tools documentation. I was waiting for the next release to publish the cvs version, as the documentation explains options that are not present in the 0.8.4 release. BTW, I've updated the Samba-ldap Howto for use with samba3. It is essentially an update, and there are still some TODOs in the documentation. A draft is available here: http://samba.idealx.org/smbldap-howto.fr.html

> If you know that, you don't need the HOWTO.

So the Howto is reduced to 2 lines :)

> I would be happy to help you with contributing my experiences with
> your (very helpful) tools and maybe adding the points that I missed.

Well, all contributions to the scripts and the documentation are always welcome!
-- Jérôme
Re: [Samba] Samba 3.0.4 PDC w/ LDAP - XP client
On Wed, May 19, 2004 at 04:43:11PM +0200, Stefan G. Weichinger wrote:
> - Right now my XP-box has the registry changed (SignOrSeal ...)
> because I somewhere read about that. Necessary or not? (I will test
> that ...)

No, not necessary.

> - Should smbldap-populate get edited to create root with uidnumber=0?

smbldap-populate does not create a root account. But you can use the Administrator one. I just forgot to set the uidNumber to 0 in the 0.8.4 version of the script. You can set it using 'smbldap-usermod -u 0 Administrator'.

> - Should smbldap-populate get edited to use the same ou-Container for
> Users AND Computers?

smbldap-populate will create an ou for both users and computers. You don't need to change this script. If you want computer accounts to be set in ou=Users, just modify the smbldap.conf file as follows:

computersdn="ou=Users,..."

Note that you can use ou=Computers for computer accounts; look at this: http://marc.theaimsgroup.com/?l=samba&m=108439612826440&w=2
-- Jérôme
Re: [Samba] How do I add accounts when using ldap authentication?
On Thu, Apr 15, 2004 at 06:14:41PM -0700, K. Richard Pixley wrote:
> ldap user suffix = ou=People,dc=isw1,dc=symbol,dc=com
> ldap group suffix = ou=Groups,dc=isw1,dc=symbol,dc=com
> ldap machine suffix = ou=Computers,dc=isw1,dc=symbol,dc=com
> ldap suffix = dc=isw1,dc=symbol,dc=com
> ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
> ldap passwd sync = yes
> Anyone see an obvious flaw in what I'm doing? Or can anyone point me
> toward clarifying doc? (most of this comes from the howto).

"ldap user suffix", "ldap group suffix" and "ldap machine suffix" must not have the suffix extension. And I think it is recommended to comment the "ldap filter" directive. You must then have:

ldap suffix = dc=isw1,dc=symbol,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
# ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
-- Jérôme
Re: [Samba] add machine script wont add Posix account
On Wed, Apr 14, 2004 at 07:42:40PM +0200, Stéphane Purnelle wrote:
> If a computer is added successfully, the next SambaSID isn't correctly
> computed, because
> the uidNumber is not changed.

Do you have nss_ldap correctly configured?
-- Jérôme
Re: [Samba] add machine script wont add Postfix account
On Fri, Mar 26, 2004 at 04:06:38PM +0100, Stagiair wrote:
> When we add a client pc (win2k) to our domain everything goes well
> except that the add machine script won't run.
> A computer will be created within the LDAP directory but not with the
> add machine script.

I don't have an answer to your problem, but I have 2 remarks...

>socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
>add user script = /usr/sbin/smbldap-useradd.pl -a -m %u
>add machine script = /usr/sbin/smbldap-useradd.pl -w %u
>delete user script = /usr/sbin/smbldap-userdel.pl -r %u
>add group script = /usr/sbin/smbldap-groupadd.pl %g
>delete group script = /usr/sbin/smbldap-groupdel.pl %g
>add user to group script = /usr/sbin/smbldap-usermod.pl -G %g %u

Those scripts are old. You should maybe use the latest ones (be careful with the configuration files: there are now 2 files located in /etc/smbldap-tools, and the scripts do not have the .pl extension anymore).

> After login the following entry will be made in LDAP:
> uid=tmc-ontwikkelpc$,ou=computers,o=T3E,c=nl
> objectClass: sambaSamAccount
> This is a really different schema, and this is the one that we need.
> Anyone sees what we're doing wrong?

The sambaSAMAccount is added by samba itself when joining the domain.
-- Jérôme
Re: [Samba] smbldap_tools
On Mon, Apr 05, 2004 at 11:57:40AM +0200, Brendon Standing wrote:
> failed to perform search; invalid DN at
> /usr/share/samba/scripts//smbldap_tools.pm line 154, line 283.
> Can't call method "get_value" on an undefined value at
> /usr/bin/smbldap-useradd line 152, line 283.

. Does the default group defined in smbldap.conf exist (defaultUserGid="513")?
. Is the NT "Domain Users" group mapped to a unix group of rid 513 (see option -r of smbldap-groupadd and smbldap-groupmod to set a rid)?
-- Jérôme
Re: [Samba] smbldap-tools dont handle referrals
On Mon, Mar 22, 2004 at 06:46:54PM +0100, Matthias Eichler wrote:
> Unfortunately it seems that the smbldap-tools are not able to handle
> referrals? I always get:
> ---cut---
> failed to modify entry: Referral received at
> /usr/local/sbin/smbldap-passwd.pl line 140, line 2.
> Unable to change password : Referral received at
> /usr/local/sbin/smbldap-passwd.pl line 174, line 2.
> ---cut---

The smbldap-tools configuration file allows you to specify the master ldap server for write operations (masterDN and masterPw).
-- Jérôme
Re: [Samba] Samba-3.0.2 PDC LDAP: Add computer to domain issue with smbldap-tools
On Thu, Feb 26, 2004 at 03:08:58PM +0200, David Wilson wrote:
> add users to /etc/passwd etc. and then to LDAP with smbldap-useradd -a

Why don't you put the account in ldap only? 'smbldap-useradd -a' will add a posix account in the directory: you'll then have 2 accounts with the same username!

> My only problem is that I cannot seem to get a machine account added
> correctly. I've added the PC name to /etc/passwd etc. with "useradd -s
> /bin/false -g computers pc1$" and also run "smbldap-useradd -w pc1".
> When the computer attempts to join the domain it receives an "unable to
> join domain" error. It seems that "smbldap-useradd -w pc1" seems to add
> only a posix account to the LDAP backend ?:

Yes. Samba will add the sambaSAMAccount objectclass when joining the domain.

> I've missed something somewhere for sure ? Perhaps I need nss_ldap ?

Yes, you need nss_ldap.
-- Jérôme
Re: [Samba] problem with 'passwd chat' and 'passwd program'
On Wed, Feb 25, 2004 at 05:25:30PM -0800, Loc Nguyen wrote:
> remove
> unix password sync = yes
> if you're using ldap for
> authentication

Well, I added it for the 'passwd program' to be called as root (as said in the man page of smb.conf). Otherwise, it is not called. I know that I can remove this and only add 'ldap passwd sync = Yes', but I just want to understand why my script is not finished. And I also tried samba with Oracle Internet Database: everything works perfectly, except the update of userPassword. Why? I don't know. Samba can update all other attributes, but not this one! That's why I also need to use an external script.
-- Jérôme
[Samba] problem with 'passwd chat' and 'passwd program'
Hi!

I have a problem using an external script to change passwords. In smb.conf, I have:

=> passwd chat = "Changing password for*\nNew password*" %n\n "\nRetype new password*" %n\n
=> passwd chat debug = Yes
=> log level = 100
=> unix password sync = Yes
=> passwd program = /usr/local/sbin/smbldap-passwd %u

The script is called normally, and the logs show that the "passwd chat" looks good, as the new password (coucou) is sent two times. You can find the logs below. But the script should normally also change the userPassword attribute, and this is not done. The smbldap-passwd script reads the passwords like this (it's a perl script):

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
system "stty -echo";
print "New password : ";
chomp($pass=<STDIN>);
print "\n";
system "stty echo";
system "echo pass=$pass >> /tmp/bla.txt";
system "stty -echo";
print "Retype new password : ";
chomp($pass2=<STDIN>);
print "\n";
system "stty echo";
system "echo pass2=$pass2 >> /tmp/bla.txt";
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

I added two 'echo ... > /tmp/bla.txt' to see what is passed to the script. The first one is called as it should be, but the second one is never called. The end of the script is then never done: the userPassword is then never updated :-( (I am using samba 3.0.2rc2). I can find what is wrong. Does anyone have an idea? Thanks :)

Here are the logs of smbd:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Invoking '/usr/local/sbin/smbldap-passwd jto' as password change program.
[2004/02/25 20:33:01, 10] lib/util_sock.c:read_socket_with_timeout(263)
  read_socket_with_timeout: timeout read. select timed out.
[2004/02/25 20:33:01, 100] smbd/chgpasswd.c:expect(274)
  expect: expected [Changing password for* New password*] received [Changing password for jto New password : ] match yes
[2004/02/25 20:33:01, 10] smbd/chgpasswd.c:expect(285)
  expect: returning True
[2004/02/25 20:33:01, 100] smbd/chgpasswd.c:expect(237)
  expect: sending [coucou ]
[2004/02/25 20:33:01, 10] lib/util_sock.c:read_socket_with_timeout(263)
  read_socket_with_timeout: timeout read. select timed out.
[2004/02/25 20:33:01, 100] smbd/chgpasswd.c:expect(274)
  expect: expected [ Retype new password*] received [ Retype new password : ] match yes
[2004/02/25 20:33:01, 10] smbd/chgpasswd.c:expect(285)
  expect: returning True
[2004/02/25 20:33:01, 100] smbd/chgpasswd.c:expect(237)
  expect: sending [coucou ]
[2004/02/25 20:33:21, 3] smbd/chgpasswd.c:chat_with_program(440)
  chat_with_program: Password change successful for user jto
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-- Jérôme
Re: [Samba] problems on join domain on Samba3 + ldap
On Fri, Feb 20, 2004 at 11:49:23AM +0100, Vanni Della Ricca wrote:
> add user script = /usr/local/sbin/smbldap-useradd -a %u

You do not have to set the '-a' option:

add user script = /usr/local/sbin/smbldap-useradd "%u"

Samba will add the sambaSAMAccount when joining the domain.

> ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))

Test without the 'ldap filter' directive ...

> userSmbHome="\\PDC-SMB3\homes"

Are you sure :)
userSmbHome="\\SERVER-DEPARTMENT1\homes"

Did you configure pam?
-- Jérôme
Re: [Samba] Using the same LDAP entry for posixAccount and sambaSamAccount with smbldap
On Thu, Feb 19, 2004 at 01:30:24PM +0100, Carlos García Recio wrote:
> ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))

Can you try removing the filter (or commenting it)? It seems to cause some problems. I did not search for the exact problem, but there must certainly be a good way of writing the filter.
-- Jérôme
Re: [Samba] Using the same LDAP entry for posixAccount and sambaSamAccount with smbldap
On Thu, Feb 19, 2004 at 12:07:49PM +0100, Carlos García Recio wrote:
> samba 3.0.2
> smbldap-tools 0.8.4
> RH 9
> nss_ldap configured
> pam_ldap NOT configured
> LDAP passwd backend
> winxp pro domain member

Can you also send us your smbldap-tools configuration files, and also the samba and openldap (?) ones? Thx
-- Jérôme
Re: [Samba] samba PDC and BDC with ldap master and slave backend
On Mon, Feb 09, 2004 at 07:34:38PM +0700, Beast wrote:
> Problem if master ldap is over wan and link is down. nobody will be able to change
> any attributes on that site. I know it's not samba's fault, but any advice on that
> setup?

And if the link is down, as computers periodically change their trust account password, what will happen if they can't do that? They'll keep their current password, but can they keep it a long time without problems in user authentication or anything else?
-- Jérôme
Re: [Samba] samba PDC and BDC with ldap master and slave backend
On Mon, Feb 09, 2004 at 08:35:52AM +1100, Andrew Bartlett wrote:
> > => passdb backend = ldapsam:"ldap://slave.quenya.org ldap://master.quenya.org";
> > will samba store informations in the master ldap server or will it fail ?
>
> This will work fine. Samba will talk to the master for updates. Set
> 'ldap replication sleep' to the amount of time you expect the slave to
> take to catch up to reality. (Oh, and I know that's dodgy, but better
> ideas haven't yet been implemented).

OK. But with the order specified in the example above (slave and then master), will samba first contact the slave and then the master if needed? I mean, let's suppose I have the 'passdb backend' defined above. If samba needs to modify something, is the procedure like this:

1) samba contacts the first ldaps server mentioned in 'passdb backend', i.e. the slave server
2) samba tries to update the directory: that fails
3) samba tries to contact the second ldap server mentioned in 'passdb backend', i.e. the master
4) samba tries to update the master directory: success
5) all next operations will be done first with the slave ldap server

Is that the right scenario? Thanks
-- Jérôme
[Samba] samba PDC and BDC with ldap master and slave backend
Hi all!

In the samba-Howto, I was looking for information on how to set up both a samba PDC and a samba BDC with an ldap backend. I can read:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Do not install a Samba PDC on a OpenLDAP slave server...
Possible PDC/BDC plus LDAP configurations include:
. PDC -> LDAP master server, BDC -> LDAP slave server.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

And now I am wondering about these questions:

. If the samba BDC contains the following configuration
=> passdb backend = ldapsam:"ldap://slave.quenya.org ldap://master.quenya.org";
will samba store information in the master ldap server or will it fail? Or is it necessary to put the master ldap server first like this:
=> passdb backend = ldapsam:"ldap://master.quenya.org ldap://slave.quenya.org";

. Can I install a samba BDC with an ldap slave server? Yes, you will answer me, but in the case where the master ldap server is unreachable, where will the samba BDC store new information (Machine Trust Account passwords for example, which are periodically changed)?

Thanks for any precision :)
-- Jérôme
Re: [Samba] Samba 3.0.1 and LDAP
On Wed, Feb 04, 2004 at 01:21:10PM -0800, Jeff Davis wrote:
> [EMAIL PROTECTED] root]# smbldap-useradd -am testuser2
> failed to perform search; No such object at
> /usr/local/sbin//smbldap_tools.pm line 211, line 283.
> No such object at /usr/local/sbin//smbldap_tools.pm line 719, line
> 283.

The problem may come from this: you want to add a windows account. The script will then use the default gidNumber defined in the smbldap.conf file. So does this group exist in the directory, and did you create the mapping (you can use the -a option of smbldap-groupadd to create an automatic group mapping)?
-- Jérome
Re: [Samba] Still with my problem of samba 3.0.2rc2 and LDAP
On Wed, Feb 04, 2004 at 05:58:32PM +0100, Frédéric Descamps wrote:
> Yes, it does :
> # net getlocalsid
> SID for domain SAMBA3 is: S-1-5-21-3737323649-216568395-2605648481

Did you configure nss_ldap? What is the samba version you are using? I've just tested 3.0.2pre1 and 3.0.2rc2 and it works.
-- Jérôme

> On Wed, 2004-02-04 at 17:23, Jérôme Tournier wrote:
> > On Wed, Feb 04, 2004 at 04:48:45PM +0100, Frédéric Descamps wrote:
> > > uid=fred-6csvh95hqd$,ou=Computers,dc=maladree,dc=be with: Object class
> > > violation
> > >object class 'sambaSamAccount' requires attribute 'sambaSID'
> >
> > samba can't find the SID of the domain.
> > Does it exist (net getlocalsid) ?
> > --
> > Jérôme
Re: [Samba] Samba and LDAP SSL
On Wed, Feb 04, 2004 at 05:13:34PM +, Martin Ritchie wrote:
> Is anyone using samba with an openldap backend? I've been trying to get
> it to use a SSL connection without much success. Has anyone managed to
> get it all to work?

I've done a quick guide. You can have a look here: http://samba.idealx.org/dist/doc/smbldap-tools007.html
-- Jérôme
Re: [Samba] Still with my problem of samba 3.0.2rc2 and LDAP
On Wed, Feb 04, 2004 at 04:48:45PM +0100, Frédéric Descamps wrote:
> uid=fred-6csvh95hqd$,ou=Computers,dc=maladree,dc=be with: Object class
> violation
>object class 'sambaSamAccount' requires attribute 'sambaSID'

Samba can't find the SID of the domain. Does it exist (net getlocalsid)?
-- Jérôme
Re: [Samba] PDC/LDAP
On Wed, Jan 28, 2004 at 10:36:59AM +0100, asky wrote:
> Hi,
>
> I'm using Redhat 8.0, samba-3.0, openldap-2.0.25 and sambatools-0.8.3 to
> setup a PDC.
> When I run smbldap-populate I get the following error:

I think that the masterDN and masterPw defined in /etc/smbldap-tools/smbldap_bind.conf do not allow the account to have write access to the directory, do they?
-- Jérôme

> [EMAIL PROTECTED] root]# smbldap-populate
> Using builtin directory structure
> adding new entry: dc=nijacol,dc=net
> failed to add entry: Already exists at /usr/local/sbin/smbldap-populate
> line 384, line 2.
> adding new entry: ou=Users,dc=nijacol,dc=net
> failed to add entry: Already exists at /usr/local/sbin/smbldap-populate
> line 384, line 3.
> adding new entry: ou=Groups,dc=nijacol,dc=net
> failed to add entry: no write access to parent at
> /usr/local/sbin/smbldap-populate line 384, line 4.
> adding new entry: ou=Computers,dc=nijacol,dc=net
> failed to add entry: Already exists at /usr/local/sbin/smbldap-populate
> line 384, line 5.
> adding new entry: uid=Administrators,ou=Users,dc=nijacol,dc=net
> failed to add entry: no write access to parent at
> /usr/local/sbin/smbldap-populate line 384, line 6.
> adding new entry: uid=nobody,ou=Users,dc=nijacol,dc=net
> failed to add entry: no write access to parent at
> /usr/local/sbin/smbldap-populate line 384, line 7.
> adding new entry: cn=Domain Admins,ou=Groups,dc=nijacol,dc=net
> failed to add entry: no write access to parent at
> /usr/local/sbin/smbldap-populate line 384, line 8.
> adding new entry: cn=Domain Users,ou=Groups,dc=nijacol,dc=net
> failed to add entry: no write access to parent at
> /usr/local/sbin/smbldap-populate line 384, line 9.
> adding new entry: cn=Domain Guests,ou=Groups,dc=nijacol,dc=net
> failed to add entry: no write access to parent at
> /usr/local/sbin/smbldap-populate line 384, line 16.
> adding new entry: cn=Print Operators,ou=Groups,dc=nijacol,dc=net
> failed to add entry: no write access to parent at
> /usr/local/sbin/smbldap-populate line 384, line 17.
> adding new entry: cn=Backup Operators,ou=Groups,dc=nijacol,dc=net
> failed to add entry: no write access to parent at
> /usr/local/sbin/smbldap-populate line 384, line 18.
> adding new entry: cn=Replicator,ou=Groups,dc=nijacol,dc=net
> failed to add entry: no write access to parent at
> /usr/local/sbin/smbldap-populate line 384, line 19.
> adding new entry: cn=Domain Computers,ou=Groups,dc=nijacol,dc=net
> failed to add entry: no write access to parent at
> /usr/local/sbin/smbldap-populate line 384, line 19.
> [EMAIL PROTECTED] root]#
>
> Also, when I shutdown, I can only login from single user mode after
> disabling services using authconfig (ldap etc).
> I know I'm not doing something right but I just can't figure it out . Any
> help would be appreciated.
>
> Asky
Re: [Samba] Samba and Oracle directory
On Tue, Jan 27, 2004 at 07:57:03PM +1100, Andrew Bartlett wrote:
> There is nothing that prevents you from writing a pdb_oracle - I would
> suggest you look closely at pdb_mysql and pdb_pgsql for hints, and
> common code to raid.

Well, I was speaking about the Oracle LDAP directory and searching if a schema for it was available.

-- Jérôme
Re: [Samba] Failed to setup a TLS session
On Tue, Jan 27, 2004 at 12:09:22PM +0100, patrice raby wrote:
> Hi all,
> I'm trying to configure Samba with ldap support, i have compiled samba with ldap...
> openldap seems to work fine, users can connect with ssh but when they try to connect
> to samba, i have the following
> error message:
> [2004/01/27 12:20:40, 0] passdb/pdb_ldap.c:ldap_open_connection(129)
> Failed to setup a TLS session

Is your ldap server configured to accept TLS sessions (did you create certificates)?

-- Jérôme
[Samba] Samba and Oracle directory
Hello!

Has anyone already configured Samba 3 with Oracle directory? Is it possible? Does anyone have a link to an existing schema?

Thanks for any comment :)

-- Jérôme
Re: [Samba] after switching to ldap, cannot net groupmap stuff
On Mon, Jan 26, 2004 at 03:28:29AM -0500, John H. wrote:
> ldap suffix = "dc=INTRANET"

You must have
ldap suffix = dc=INTRANET

-- Jérôme
Re: [Samba] smbldap-tools 8.3 populate errors
On Sat, Jan 17, 2004 at 04:00:23PM +0100, Manfred Odenstein wrote:
> The tgz file is incomplete, I've noticed this too. The rpm is complete, so I've
> downloaded the rpm file instead, unpacked it, and copied the scripts to their
> respective location.

Yes, you are right. The archive now includes the file.

> My system is now running, but I think there are some bugs in the populate
> script, e.g. the SID of the Administrator account should end with -500 as I
> know, because it's predefined. Any comment from the author ???

500 is the well-known RID for the domain administrator, not for the administrator account, am I wrong?

> and please take care of the default groups in the smbldap.conf file, default
> machine account points to "Print Operators" (550) should be "Domain
> Computers" (553).

Yes, fixed.

> I've also changed the gidNumber and uidNumber of the guest account and "Domain
> Guest" group to the default values of my system (SuSE9)
>
> after this all worked correctly except some log-entries .
> "Failed to open group mapping database"
> and
> "failed to decode PDU"

Do you always get these error messages? With every script?

Thanks for your report!

-- Jérôme
Re: [Samba] samba 2.2.8a PDC LDAP CTRL+ALT+DEL password change, not changing Unix password
On Wed, Jan 14, 2004 at 10:01:30AM -0500, Sundaram Ramasamy wrote:
> I am running samba 2.2.8a with ldap PDC. From windows machine If I change
> password by process CTL+ALT+DEL key its changing only windows password.
> from command line smbldap-passwd.pl script changing the both UNIX and
> samba password.
> any idea why its not changing UNIX password?

You can use 'ldap passwd sync = Yes' in smb.conf.

-- Jérôme
[Samba] smbldap-tools: cvs version
Hi!

I just want to warn everybody who wants to get the latest CVS version of the smbldap-tools!

The CVS version of the smbldap-tools has changed. Read the INSTALL file before upgrading because the script names have changed and also their location:
. The configuration file is now split in two files
  => /etc/smbldap-tools/smbldap.conf : global parameters
  => /etc/smbldap-tools/smbldap_bind.conf: connection parameters to the directory
. All the scripts have the .pl extension removed: update the smb.conf file
. There's a script configure.pl to help you set up both of the configuration files (smbldap.conf and smbldap_bind.conf must first be present in /etc/smbldap-tools/ before calling the configure.pl script)

I will create a new rpm package in the next days. It will be available on our site (http://samba.idealx.org). If you have time to test it, any feedback is welcome of course!

-- Jérôme
Re: [Samba] smbldap-tools problem with Samba 3.0.1/LDAP 2.1.22/Fedora Core 1
On Fri, Jan 09, 2004 at 06:21:48PM -0500, Data Control Systems Inc. - Mike Elkevizth wrote:
> I'm trying to setup a samba PDC/BDC with disconnected auth. and am stuck at
> step one because I can't get smbldap-tools to work right. First when I do a
> smbldap-useradd.pl -a test, it works fine. ldapsearch shows the entry
> properly. Then I try smbldap-usershow.pl or smbldap-userdel.pl or any other
> one for that matter and they all fail with a "user test does not exist"!
> Also if I do a smbldap-useradd.pl -w ... for a workstation add it adds the
> workstation to the directory, but doesn't add any samba entries
> (SambaSamAccount, etc.). Please someone help, I've been working on this for
> quite a while and really need to get it working soon.

The -w option of smbldap-useradd.pl adds a workstation account. But the sambaSAMAccount is added by samba when joining the domain.

If you can't show a user you just added, I suppose you did not configure nss_ldap. Use the authconfig utility for that.

-- Jérôme
Re: [Samba] 3.0.1/Solaris 9 - smbldap & dots in usernames
On Tue, Dec 30, 2003 at 09:31:17PM +1100, Chew, Darren wrote:
> Is it possible to vampire across dots in usernames? I got over 1000
> accounts with dots in them eg. .
> The smbldap-tools (version 0.8.2) don't seem to like adding users and
> groups with dots in them.

Yes, you are right. If you really need this, you can use this patch to correct the problem. But I think that Windows does not like that!

-- Jérôme Tournier IDEALX SAS Administrateur Systèmes 15-17 Avenue de Segur [EMAIL PROTECTED] 75007 PARIS Tel.: 01 44 42 00 53 Fax.: 01 44 42 00 01 gpg key ID: 0xDA962B24 (pgp.mit.edu)

--- smbldap-useradd.pl.orig 2003-12-30 11:46:47.0 +0100 +++ smbldap-useradd.pl 2003-12-30 11:46:51.0 +0100 @@ -128,7 +128,7 @@ if (!defined($userGidNumber)) { my $userName = $ARGV[0]; # untaint $userName (can finish with one or two $) -if ($userName =~ /^([\w -]+\$?)$/) { +if ($userName =~ /^([\w -.]+\$?)$/) { $userName = $1; } else { print "$0: illegal username\n";
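Review bot: In the new character class `[\w -.]`, the hyphen now sits between the space and the dot, so Perl reads ` -.` as a range from space (0x20) to `.` (0x2E) instead of three literal characters. That range also admits `!`, `"`, `#`, `$`, `%`, `&`, `'`, `(`, `)`, `*`, `+` and `,`, which defeats the purpose of this untaint check on `$userName`. Keep the hyphen last or escape it, for example `[\w .-]`, so that the dot is the only character added.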
Re: [Samba] smbldap Tools problem
On Mon, Dec 22, 2003 at 11:25:27AM +0100, [EMAIL PROTECTED] wrote:
> Hi all!
> I want to thanks all people here for their help, good job guys! :o)
> And now, it's my question:
> I'm using smbldap-tools 0.8.2 from samba.idealx.org. In all the docs I read
> about it, I read that I must put these lines in smb.conf:
> passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
> passwd chat = *new*password* %n\n *new*password* %n\n *successfully*

I'll have a look at the script. In any case, it is not useful to call this script. You can leave the default value and set:
ldap passwd sync = Yes

-- Jérôme Tournier IDEALX SAS Administrateur Systèmes 15-17 Avenue de Segur [EMAIL PROTECTED] 75007 PARIS Tel.: 01 44 42 00 53 Fax.: 01 44 42 00 01 gpg key ID: 0xDA962B24 (pgp.mit.edu)
Re: [Samba] Re: adding machines to the domain with Samba 3.0.0
On Thu, Dec 11, 2003 at 10:06:17PM -0600, Andrew Gaffney wrote:
> >admin users = @domainadmins
> >This will allow any user in the domainadmins group join machines to the
> >domain.
> You've got the wrong option. That option allows the specified users to
> connect as if they were root on that share. It is not the same as the
> 'domain admin group' option in 2.2.x.

This option is not the same as 'domain admin group' in 2.2.X but it allows its members to join computers to the domain.

-- Jérôme
Re: [Samba] Samba LDAP help
On Mon, Dec 08, 2003 at 09:36:16AM -0500, Andre Cameron wrote:
> I am trying to use an existing Netscape LDAP server, I have not added a
> schema as I do not want to store any information in LDAP I just want
> SAMBA to authenticate using existing LDAP users...

Samba uses special attributes (defined in the samba3 schema) to authenticate a user. So you need to include the schema.

-- Jérôme
Re: [Samba] Samba LDAP help
On Mon, Dec 08, 2003 at 02:15:41PM +0100, [EMAIL PROTECTED] wrote:
> > Could you send the testparm output ?
> The samba.schema is in ldap conf and in the correct directory ?

And is it the schema for samba3 (and not samba2)?

-- Jérôme
Re: [Samba] Samba LDAP help
On Mon, Dec 08, 2003 at 07:11:46AM -0500, Andre Cameron wrote:
> ldap admin dn = "cn=Directory Manager"
> Am I missing something, or is there some step I need to do? I

Did you set the password of the "cn=Directory Manager"?
(smbpasswd -w password_of_Directory_Manager)
Do you have something in your logs?

-- Jérôme
Re: Fw: [Samba] PDC/LDAP/SAMBA3/NT4
On Mon, Dec 01, 2003 at 07:56:46PM -0200, Fabio Junior wrote:
> failed to add entry: Insufficient access at
> /usr/local/sbin/smbldap-populate.pl line 273, line 2.
> adding new entry: ou=_USERS_,dc=maxwelleducacional,dc=com,dc=br
> adding new entry: ou=_GROUPS_,dc=maxwelleducacional,dc=com,dc=br
> adding new entry: ou=_COMPUTERS_,dc=maxwelleducacional,dc=com,dc=br

In smbldap_conf.pm:
. check if the 'binddn' and 'bindpassword' are a privileged login and password that allow modifications in the directory
. replace _USERS_, _GROUPS_ and _COMPUTERS_ with an appropriate ou like 'Users', 'Groups' and 'Computers'

-- Jérôme Tournier IDEALX SAS Administrateur Systèmes 15-17 Avenue de Segur [EMAIL PROTECTED] 75007 PARIS Tel.: 01 44 42 00 53 Fax.: 01 44 42 00 01 gpg key ID: 0xDA962B24 (pgp.mit.edu)
Re: [Samba] SAMBA 3.0.0 PDC + LDAP - Adding Computer Account
> # data$, Computers, firerun, net
> dn: uid=data$,ou=Computers,dc=firerun,dc=net
> uid: data$
> cn: Computer Account
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> uidNumber: 1007
> gidNumber: 1003
> homeDirectory: /dev/null
> gecos: Computer Account
> loginShell: /sbin/nologin
> description: Computer Account
> shadowLastChange: 12372
> shadowMin: 0
> shadowMax: 9
> shadowWarning: 7

You don't have the attribute sambaAcctFlags?
sambaAcctFlags: [W ]

-- Jérôme
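A check for the situation in the message above, as an added example that is not part of the original post nor of Samba or the smbldap-tools: it reads an LDIF export and reports machine accounts that have only the POSIX part, or whose sambaAcctFlags lack the workstation flag W. The function names, the "uid ends in $" heuristic and the sample data (including the placeholder SID) are assumptions made for the illustration.

```python
import base64
import re

# Constructed sample. The first entry mirrors the machine account quoted in
# the message (POSIX attributes only); the second is a constructed entry that
# also carries the Samba part. The SID is a placeholder, not a real domain SID.
SAMPLE_LDIF = """\
# data$, Computers, firerun, net
dn: uid=data$,ou=Computers,dc=firerun,dc=net
uid: data$
cn: Computer Account
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uidNumber: 1007
gidNumber: 1003

dn: uid=ws2$,ou=Computers,dc=firerun,dc=net
uid: ws2$
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uidNumber: 1008
gidNumber: 1003
sambaSID: S-1-5-21-0-0-0-3016
sambaAcctFlags: [W          ]
"""


def parse_ldif(text):
    """Parse LDIF text into a list of dicts: lower-cased attribute -> values."""
    text = text.replace("\r\n", "\n")
    # LDIF folding: a line that starts with one space continues the previous line.
    text = re.sub(r"\n ", "", text)
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue                      # comment line
        if not line.strip():
            if current:                   # blank line closes an entry
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                      # not an "attr: value" line
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit_machine_accounts(entries):
    """Return (dn, problem) tuples for machine accounts without a usable Samba part."""
    findings = []
    for entry in entries:
        uid = (entry.get("uid") or [""])[0]
        if not uid.endswith("$"):
            continue                      # assumption: machine accounts end in "$"
        dn = (entry.get("dn") or ["?"])[0]
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "sambasamaccount" not in classes:
            findings.append((dn, "no sambaSamAccount objectClass"))
            continue
        raw_flags = entry.get("sambaacctflags", [])
        # Flags are stored as "[W          ]": drop brackets and padding.
        flags = set("".join(raw_flags)) - set("[] ")
        if not raw_flags:
            findings.append((dn, "sambaAcctFlags missing"))
        elif "W" not in flags:
            findings.append((dn, "sambaAcctFlags lacks W"))
    return findings


if __name__ == "__main__":
    for dn, problem in audit_machine_accounts(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {problem}")
```
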
Re: AW: [Samba] smbtools, existing users, etc...
> Hello Jerome,
>
> thanx for your help. Is the 0.8.1 version of smbldap tools already patched or do I
> have to patch it myself. If so - please write me a few lines how to do it, and which
> files to patch.

No, it is not. You'll find attached the latest scripts (hope the attachment will succeed this time).

> I haven't been working with smbldap-tools, but I want to try them out. Do they work
> on
> SuSE Linux?

Yes of course. You just need perl and Net::LDAP

> Can I call your script everytime my user changes his password though my php-backend?

Yes.

> Are the passwords going to be changed then, although the user exists in posixAccount
> and samba.schema?? or easier - what happens when I use this script twice for a user
> that already exists? Is it going to change his password or am I going to get an
> error?

Every time you use the smbldap-passwd.pl script, all of userPassword, ntPassword and lmPassword will be updated.
If you add the sambaSAMAccount to an existing user and want to change all of the 3 passwords, you can use
$ smbldap-usermod.pl -a -P (..options..) user

-- Jérôme
Re: Fwd: Re: [Samba] smbpasswd fails to add machine account with ldapsam
> Does the order of the directives make a difference?
> In other words, would the above work if I had put the "ldap suffix" FIRST?

Yes, I think that 'ldap suffix' must be set first

-- Jérôme
Re: [Samba] smbtools, existing users, etc...
> Hello.

Hi!

> Is it possible to add samba part of user account to the already existing user account
> in LDAP?

My answer is only valid if you use the smbldap-tools.
Yes you can. If you applied the patch I posted this morning to the latest scripts (look at cvs.idealx.org), you can use the following command to add the sambaSAMAccount objectclass to the user 'user'.
$ smbldap-usermod.pl -a user
The sambaSID attribute will be calculated as 2*uidNumber+1000.
You can also add more information:
-a  add sambaSAMAccount objectclass
-e  expire date ("-MM-DD HH:MM:SS")
-A  can change password ? 0 if no, 1 if yes
-B  must change password ? 0 if no, 1 if yes
-C  sambaHomePath (SMB home share, like '\\PDC-SRV\homes')
-D  sambaHomeDrive (letter associated with home share, like 'H:')
-E  sambaLogonScript (DOS script to execute on login)
-F  sambaProfilePath (profile directory, like '\\PDC-SRV\profiles\foo')
-H  sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')
-I  disable an user. Can't be used with -H or -J
-J  enable an user. Can't be used with -H or -I
For example:
$ smbldap-usermod.pl -a -E script.cmd user

> What if my user changes his password ( by using a web php-backend ), is samba
> password
> automatically changed, or do I have to change it manually?

No it is not. You can calculate the lmPassword and ntPassword, and patch your php-backend to update the attributes. Or you can use smbldap-passwd.pl, which updates both the unix password and the win32 passwords.

-- Jérôme
Re: [Samba] smbldap tools
> Still none, seems the list manager removes the attachments

Well, I don't understand... I think that the problem comes from me. I'll copy-paste the patch below:

diff -rup sbin.orig/smbldap-usermod.pl sbin/smbldap-usermod.pl --- sbin.orig/smbldap-usermod.pl2003-11-18 10:02:12.0 +0100 +++ sbin/smbldap-usermod.pl 2003-11-18 09:56:27.0 +0100 @@ -37,7 +37,7 @@ use Getopt::Std; my %Options; my $nscd_status; -my $ok = getopts('A:B:C:D:E:F:H:IJN:S:me:f:u:g:G:d:l:s:c:ok:?h', \%Options); +my $ok = getopts('A:B:C:D:E:F:H:IJN:S:ame:f:u:g:G:d:l:s:c:ok:?h', \%Options); if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) || ($Options{'h'}) ) { print "Usage: $0 [-awmugdsckxABCDEFGHI?h] username\n"; print "Available options are:\n"; @@ -54,6 +54,7 @@ if ( (!$ok) || (@ARGV < 1) || ($Options{ print " -Ncanonical name\n"; print " -Ssurname\n"; print " For samba users:\n"; + print " -aadd sambaSAMAccount objectclass\n"; print " -eexpire date (\"-MM-DD HH:MM:SS\")\n"; print " -Acan change password ? 0 if no, 1 if yes\n"; print " -Bmust change password ? 0 if no, 1 if yes\n";
@@ -93,6 +94,34 @@ my $dn= $user_entry->dn(); my $tmp; my @mods; +if (defined($tmp = $Options{'a'})) { + # Let's connect to the directory first + my $ldap_master=connect_ldap_master(); +my $winmagic = 2147483647; +my $valpwdcanchange = 0; +my $valpwdmustchange = $winmagic; +my $valpwdlastset = 0; +my $valacctflags = "[UX]"; + my $user_entry=read_user_entry($user); + my $uidNumber = $user_entry->get_value('uidNumber'); + my $userRid = 2 * $uidNumber + 1000; + # apply changes + my $modify = $ldap_master->modify ( "$dn", + changes => [ + add => [objectClass => 'sambaSAMAccount'], + add => [sambaPwdLastSet => "$valpwdlastset"], + add => [sambaLogonTime => '0'], + add => [sambaLogoffTime => '2147483647'], + add => [sambaKickoffTime => '2147483647'], + add => [sambaPwdCanChange => "$valpwdcanchange"], + add => [sambaPwdMustChange => "$valpwdmustchange"], + add => [displayName => "$_userGecos"], + add => [sambaSID=> "$SID-$userRid"], + add => [sambaAcctFlags => "$valacctflags"], + ] + ); + $modify->code && warn "failed to modify entry: ", $modify->error ; +} # Process options my $changed_uid;
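Review bot: In the new `-a` block, `$userRid = 2 * $uidNumber + 1000` is computed without checking that `get_value('uidNumber')` returned a value; for an entry with no uidNumber the RID silently becomes 1000, so every such account would receive the same sambaSID. Stop with an error when `$uidNumber` is undefined. The block also only warns when `$modify->code` is set and then falls through to "# Process options", so the remaining options are applied to an entry that may not have become a sambaSAMAccount; exiting on failure would be safer. Minor: `my $user_entry=read_user_entry($user);` re-reads and shadows the `$user_entry` that the context line just above the additions already uses for `$dn`.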
Re: [Samba] smbldap tools
> No attachment received

Oops, sorry ;-)
Re: [Samba] smbldap tools
> There's no option today to add the sambaSAMAccount objectclass to an
> existing user. But this can be quickly done. I just do not have enough
> time to do it now.

I've added a new option '-a' to smbldap-usermod.pl to add the sambaSAMAccount to a unix user. You can find it attached to this mail.

-- Jérôme
Re: [Samba] smbldap tools
> Ahhh...but what if the posixAccount already exists? This is the issue
> I've run in to. I migrated my /etc/passwd accounts to LDAP and am now
> attempting to add sambaSAMAccount information to those accounts. If I
> try to run 'smbldap-useradd.pl -a ExistingPosixUser', I get an error
> saying that the user already exists.

There's no option today to add the sambaSAMAccount objectclass to an existing user. But this can be quickly done. I just do not have enough time to do it now.

> I suppose I could delete the user and then recreate it with the above
> command line, but that shouldn't be necessary (in my eyes at least).
>
> A second question. I'd like to have the NTpasswords (for samba) and the
> posix passwords ( for Unix logins and such) be different. How do I
> accomplish that? Can smbpasswd be used (once the sambaSAMAccount
> portion is created) be used to change ONLY the smb password and
> smbldap-passwd.pl be used to change ONLY the unix posix password?

Well, you have to be sure that the smb.conf does not include 'ldap password sync = Yes' (to be certain, you can add 'ldap password sync = No'). So when a 'samba user' changes his password, he will change only the lmpassword and ntpassword attributes.
Now for unix users: the 'smbldap-passwd.pl' command will change both the windows passwords and the unix password. If you have configured pam and nss_ldap, you had better use the 'password' command, which can change an ldap password.

-- Jérôme
Re: [Samba] smbldap tools
> it is 0.8.1

This version should add the sambaSAMAccount. The problem is somewhere else. You should try starting openldap on the command line: "slapd -u ldap -d -1" and see if samba's attributes are given to the server...

-- Jérôme
Re: [Samba] smbldap tools
> Well, this script does not add sambaSAMAccount in my case and I do not
> know why

Which version of smbldap-tools are you using?

-- Jérôme
Re: [Samba] smbldap tools
> How will samba do that, or more accurately when ?

Well, if you need the 'add user script', this is because you want to create a user with a tool like 'User Manager'. So, when creating a user from User Manager, samba will call the script to create the posix part of the account, and will then add the samba part.
Of course, you can create the account in a shell (with both the posixAccount and the sambaSAMAccount) using the command 'smbldap-useradd.pl -a user'.

-- Jérôme
Re: [Samba] smbldap tools
> The only difference here is that it creates the home directory but still
> posixAccount.

Yes, you are right

> This makes creating a new user a 2 step:
> 1-smbldap-useradd.pl
> 2- smbpasswd

The script will add the posixAccount for your user, and samba will automatically add the sambaSAMAccount.

> also I get an error "/usr/local/sbin/smbldap-useradd.pl: group "513"
> doesn't exist" which I do not understand

You don't have a group with gidNumber 513 in your directory (this is the default group defined in the smbldap_conf.pm file).

-- Jérôme
Re: [Samba] smbldap tools
> this means I can not use this script as user add script in smb.conf.

Yes you can, but without the -a option:
add user script = /usr/local/sbin/smbldap-useradd.pl -m "%u"

-- Jérôme
Re: [Samba] smbpasswd problem
> # smbpasswd -x administrator
> ldapsam_delete_entry: Could not delete attributes for
> uid=administrator,ou=Users,dc=my-domain,dc=com, error: Object class
> violation (object class 'account' requires attribute 'uid')

I have the same problem, and I don't understand why. However, if you want to delete the account completely (even the unix account), add the following directive to smb.conf, and 'pdbedit -x user' goes through:
ldap delete dn = Yes

-- Jérôme
Re: [Samba] Error when creating user with Samba 3.0 & LDAP
On Sun, Oct 12, 2003 at 10:44:08PM +0200, Nicko wrote:
> But when i try to add user with smbpasswd or pdbedit i get these errors in
> debug mode (this user is an unix user).
> --SNIP--
> ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (No
> such object)ldapsam_search_one_group: Query was: ou=Groups,
> (&(objectClass=sambaGroupMapping)(gidNumber=100))
> --SNIP--

Where is the unix user part defined? In the directory? I think you had better specify a default gidNumber for the users of 513 for 'Domain Users' ($_defaultUserGid = 513 in the smbldap_conf.pm).

If you installed the Idealx's tools, why don't you use 'smbldap-useradd.pl -a user' instead of smbpasswd or pdbedit?

btw, I have attached to this mail the latest version of the smbldap-populate.pl script, which creates the ldap directory structure and includes the mapping of the groups.

-- Jérôme Tournier IDEALX SAS Administrateur Systèmes 15-17 Avenue de Segur [EMAIL PROTECTED] 75007 PARIS Tel.: 01 44 42 00 37 Fax.: 01 44 42 00 37 gpg key ID: 0xDA962B24

#!/usr/bin/perl -w

# Populate a LDAP base for Samba-LDAP usage
#
# $Id: smbldap-populate.pl,v 1.18 2003/09/19 12:36:44 jtournier Exp $

# This code was developed by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

# Purpose :
# . Create an initial LDAP database suitable for Samba 2.2
# . For lazy people, replace ldapadd (with only an ldif parameter)

use strict;
use FindBin;
use FindBin qw($RealBin);
use lib "$RealBin/";
use smbldap_tools;
use smbldap_conf;
use Getopt::Std;
use Net::LDAP::LDIF;

use vars qw(%oc);

# objectclass of the suffix
%oc = (
    "ou" => "organizationalUnit",
    "o" => "organization",
    "dc" => "dcObject",
);

my %Options;

my $ok = getopts('a:b:?', \%Options);
if ( (!$ok) || ($Options{'?'}) ) {
    print "Usage: $0 [-ab?] [ldif]\n";
    print " -a administrator login name (default: Administrator)\n";
    print " -b guest login name (default: nobody)\n";
    print " -? show this help message\n";
    print " ldif file to add to ldap (default: suffix, Groups,";
    print " Users, Computers and builtin users )\n";
    exit (1);
}

my $_ldifName;
my $tmp_ldif_file="/tmp/$$.ldif";

if (@ARGV >= 1) {
    $_ldifName = $ARGV[0];
}

my $adminName = $Options{'a'};
if (!defined($adminName)) {
    $adminName = "Administrator";
}

my $guestName = $Options{'b'};
if (!defined($guestName)) {
    $guestName = "nobody";
}

if (!defined($_ldifName)) {
    my $attr;
    my $val;
    my $objcl;

    print "Using builtin directory structure\n";
    if ($suffix =~ m/([^=]+)=([^,]+)/) {
        $attr = $1;
        $val = $2;
        $objcl = $oc{$attr} if (exists $oc{$attr});
        if (!defined($objcl)) {
            $objcl = "myhardcodedobjectclass";
        }
    } else {
        die "can't extract first attr and value from suffix $suffix";
    }
    #print "$attr=$val\n";
    my ($organisation,$ext) = ($suffix =~ m/dc=(\w+),dc=(\w+)$/);

    #my $FILE="|cat";
    my $FILE=$tmp_ldif_file;
    open (FILE, ">$FILE") || die "Can't open file $FILE: $!\n";

    print FILE <new($tmp_ldif_file, "r", onerror => 'undef' );
while( not $ldif->eof() ) {
    my $entry = $ldif->read_entry();
    if ( $ldif->error() ) {
        print "Error msg: ",$ldif->error(),"\n";
        print "Error lines:\n",$ldif->error_lines(),"\n";
    } else {
        my $dn = $entry->dn;
        print "adding new entry: $dn\n";
        my $result=$ldap_master->add($entry);
        $result->code && warn "failed to add entry: ", $result->error ;
    }
}
$ldap_master->unbind;
system "rm -f $tmp_ldif_file";
ex
Re: [Samba] smbldap-tools updates (diffs)
> | I have found the smbldap-tools provided in the samba 3 tarball to have a
> | few glitches with the samba 3 schema. I have made my changes and 'diffed'
> | them with the source.

There are also updates available on our cvs server. See http://cvs.idealx.org (only the cvs server is updated; don't download the RPM packages).
export CVSROOT=:ext:[EMAIL PROTECTED]:/opt/cvs/
cvs co samba

-- Jérôme
[Samba] samba-ldap and password expiration
Hello everybody,

I am using samba (2.2.8a) with ldap support. In the samba.schema, there are special attributes related to the user password: pwdMustChange, pwdCanChange, kickoffTime, logoffTime, logonTime and pwdLastSet.

All the samba documentation I can find describes those attributes as "currently unused", except the last one, which represents the modification time since 1970.

But what are the other attributes for? Can they be used, and how? For example, I found that pwdMustChange can be used to force a user to change his password. It seems that if I set pwdMustChange to epoch time+20, the user will have to change his password in 20s. And again in 20s ...

So can I force a user to change his password in n seconds, but much later?

Thanks a lot

-- Jérôme