Re: [Samba] ldapsam, smbpasswd and posixAccount
On [Tue, 06.10.2009 12:13], Adam Williams wrote:
> are you loading samba.schema in your slapd.conf?

yes. running smbpasswd -a works without any problem when the user doesn't already exist with posix-attrs in LDAP.

> Thorsten Scherf wrote:
>> Hi,
>>
>> I have a setup with Samba (3.4) as PDC with ldapsam as backend. LDAP is managed by Samba, no external helper scripts. When I add a new user with "smbpasswd -a foo" it works fine, user is created and the openldap is populated with samba and posix attributes. Now, when I add a new user to the directory by running ldapadd against a ldif file which contains only posix related attrs, I thought, running smbpasswd -a would add the necessary samba attrs, but that's not the case. I see this problem:
>>
>>   $ ldapadd -x -D "cn=Manager,dc=tuxgeek,dc=de" -f /tmp/posix.ldif -W
>>   adding new entry "uid=schalke,ou=users,dc=tuxgeek,dc=de"
>>
>>   $ ldapsearch -xLLL uid=schalke
>>   dn: uid=schalke,ou=users,dc=tuxgeek,dc=de
>>   uid: schalke
>>   objectClass: account
>>   objectClass: posixAccount
>>   cn: schalke
>>   uidNumber: 10100
>>   gidNumber: 10023
>>   homeDirectory: /home/TUXGEEK/schalke
>>   loginShell: /bin/bash
>>
>>   [r...@tiffy openldap]$ smbpasswd -a schalke
>>   New SMB password:
>>   Retype new SMB password:
>>   ldapsam_create_user: failed to create a new user [schalke] (dn = uid=schalke,ou=users,dc=tuxgeek,dc=de)
>>   Failed to add entry for user schalke.
>>
>> This is from the log:
>>
>>   sambaAcctFlags objectClass
>>   Oct 6 18:05:26 tiffy slapd[5819]: conn=12 op=7 RESULT tag=103 err=20 text=modify/add: uid: value #0 already exists
>>
>> Could anybody shed some light on this?
>>
>> Cheers.
>> Thorsten

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] ldapsam, smbpasswd and posixAccount
Hi,

I have a setup with Samba (3.4) as PDC with ldapsam as backend. LDAP is managed by Samba, no external helper scripts. When I add a new user with "smbpasswd -a foo" it works fine, user is created and the openldap is populated with samba and posix attributes. Now, when I add a new user to the directory by running ldapadd against a ldif file which contains only posix related attrs, I thought, running smbpasswd -a would add the necessary samba attrs, but that's not the case. I see this problem:

  $ ldapadd -x -D "cn=Manager,dc=tuxgeek,dc=de" -f /tmp/posix.ldif -W
  adding new entry "uid=schalke,ou=users,dc=tuxgeek,dc=de"

  $ ldapsearch -xLLL uid=schalke
  dn: uid=schalke,ou=users,dc=tuxgeek,dc=de
  uid: schalke
  objectClass: account
  objectClass: posixAccount
  cn: schalke
  uidNumber: 10100
  gidNumber: 10023
  homeDirectory: /home/TUXGEEK/schalke
  loginShell: /bin/bash

  [r...@tiffy openldap]$ smbpasswd -a schalke
  New SMB password:
  Retype new SMB password:
  ldapsam_create_user: failed to create a new user [schalke] (dn = uid=schalke,ou=users,dc=tuxgeek,dc=de)
  Failed to add entry for user schalke.

This is from the log:

  sambaAcctFlags objectClass
  Oct 6 18:05:26 tiffy slapd[5819]: conn=12 op=7 RESULT tag=103 err=20 text=modify/add: uid: value #0 already exists

Could anybody shed some light on this?

Cheers.
Thorsten
--
"Eternity is a very long time, especially towards the end." — Stephen Hawking
Re: [Samba] Re: winbind with ldap backend permissions
On Wed, 06.10.2004 Igor Belyi wrote:
> Thorsten Scherf wrote:
> > hi,
> >
> > I set up a winbindd with a ldap backend, here is the relevant part of my
> > smb.conf:
> >
> >   idmap backend = ldap:ldap://mail.rhel.homelinux.com
> >   ldap admin dn = cn=winbind,dc=example,dc=com
> >   ldap suffix = dc=example,dc=com
> >   ldap idmap suffix = ou=idmap
> >
> > On the ldap server I set up the ou=idmap and also permissions for
> > cn=winbind to write into the ou=idmap:
> >
> >   access to dn="(.*),ou=idmap,dc=example,dc=com"
> >       by dn="cn=winbind,dc=example,dc=com"
> >       by * read
>
> Did you try to change your 'what' part of the access to:
>
>   dn.subtree="ou=idmap,dc=example,dc=com"

this works fine. but what is the difference to "dn=(.*),ou=idmap,dc=example,dc=com"? with my understanding of the ldap-access rules it should just be a performance issue, shouldn't it?!

cu,
thorsten
--
Thorsten Scherf <[EMAIL PROTECTED]>
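The difference between the two 'what' clauses is semantic, not a matter of performance. slapd evaluates an ADD against the parent entry (its "children" pseudo-attribute), so the writer needs access on ou=idmap itself; the regex "(.*),ou=idmap,dc=example,dc=com" requires at least one RDN and a comma before the base and therefore never matches the container entry, while dn.subtree covers the base entry and everything beneath it. The following Python model is an added illustration written for this page, not code from the thread or from OpenLDAP; it assumes the regex form is matched unanchored against the normalized DN, and it replays the MOD and ADD seen in the slapd log of the original question.

```python
import re

# Added example: a simplified model of the two slapd ACL "what" clauses
# discussed in the thread. Assumptions: slapd matches the regex form against
# the normalized DN (unanchored, as regexec does) and dn.subtree covers the
# base entry itself plus everything beneath it.
IDMAP_BASE = "ou=idmap,dc=example,dc=com"


def normalize_dn(dn):
    """Lower-case and trim the DN components, roughly what slapd does before
    ACL evaluation (the failed ADD in the log was logged in upper case)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def matches_regex_rule(dn, base=IDMAP_BASE):
    """The original rule: dn="(.*),ou=idmap,dc=example,dc=com".
    The comma in front of the base means at least one RDN must precede it,
    so the container entry itself is never matched."""
    return re.search(r"(.*)," + re.escape(base), normalize_dn(dn)) is not None


def matches_subtree_rule(dn, base=IDMAP_BASE):
    """The suggested rule: dn.subtree="ou=idmap,dc=example,dc=com"."""
    dn = normalize_dn(dn)
    return dn == base or dn.endswith("," + base)


def parent_dn(dn):
    """Parent of an entry: everything after its first RDN."""
    return normalize_dn(dn).split(",", 1)[1]


def add_allowed(rule, new_entry_dn):
    """slapd checks an ADD against the parent's 'children' pseudo-attribute,
    so the ACL must grant the writer access on the parent entry."""
    return rule(parent_dn(new_entry_dn))


def modify_allowed(rule, entry_dn):
    """A MOD is checked against the entry itself."""
    return rule(entry_dn)


if __name__ == "__main__":
    # The two operations from the slapd log in the question: the MOD on the
    # IdPool entry succeeded under the regex rule, the ADD of a child failed.
    mod_target = "cn=IdPool,ou=Idmap,dc=example,dc=com"
    add_target = "SAMBASID=S-1-5-32-546,OU=IDMAP,DC=EXAMPLE,DC=COM"
    for name, rule in (("regex", matches_regex_rule), ("subtree", matches_subtree_rule)):
        print(f"{name:8s} MOD {mod_target}: {modify_allowed(rule, mod_target)}")
        print(f"{name:8s} ADD {add_target}: {add_allowed(rule, add_target)}")
```

Run stand-alone, the regex rule permits the MOD on cn=IdPool but not the ADD, which matches the err=0 and err=50 results in the log; the subtree rule permits both without widening the grant to dc=example,dc=com.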
[Samba] winbind with ldap backend permissions
hi,

I set up a winbindd with a ldap backend, here is the relevant part of my smb.conf:

  idmap backend = ldap:ldap://mail.rhel.homelinux.com
  ldap admin dn = cn=winbind,dc=example,dc=com
  ldap suffix = dc=example,dc=com
  ldap idmap suffix = ou=idmap

On the ldap server I set up the ou=idmap and also permissions for cn=winbind to write into the ou=idmap:

  access to dn="(.*),ou=idmap,dc=example,dc=com"
      by dn="cn=winbind,dc=example,dc=com"
      by * read

when trying a "getent passwd" on the client I get the following error messages on the ldap-server:

  Oct 6 13:02:49 mail slapd[21955]: conn=2 op=22 SEARCH RESULT tag=101 err=0 text=
  Oct 6 13:02:49 mail slapd[21955]: conn=2 op=23 MOD dn="cn=IdPool,ou=Idmap,dc=example,dc=com"
  Oct 6 13:02:49 mail slapd[21955]: conn=2 op=23 RESULT tag=103 err=0 text=
  Oct 6 13:02:49 mail slapd[21955]: conn=2 op=24 ADD dn="SAMBASID=S-1-5-32-546,OU=IDMAP,DC=EXAMPLE,DC=COM"
  Oct 6 13:02:49 mail slapd[21955]: conn=2 op=24 RESULT tag=105 err=50 text=no write access to parent
  Oct 6 13:02:49 mail slapd[21955]: conn=2 op=25 SRCH base="ou=idmap,dc=example,dc=com" scope=2 filter="(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-32-547))"

so, it seems that winbind has no write access on the PARENT! if I give him write access on dc=example,dc=com everything works just fine and the sid/uid/gid-mapping works wonderful. but why is winbind needing access on the parent and not just on the ou-container where the id-mapping happens, ou=idmap? can anybody explain that to me?!

thanks and greetings,
thorsten
--
Thorsten Scherf <[EMAIL PROTECTED]>
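Both threads above are diagnosed from slapd "stats" log lines, and in both cases the useful information is spread over two lines: the request (MOD, ADD) carries the DN, and the RESULT line under the same conn/op carries the numeric tag and err. The Python below is an added example written for this page, not code from either thread or from OpenLDAP; it pairs requests with results, decodes the tag and result-code numbers to their RFC 4511 names, and reports every failed operation. The sample input is the log lines quoted in the winbind question plus the single err=20 line from the ldapsam thread, whose text ("modify/add: uid: value #0 already exists") shows smbpasswd trying to add a uid attribute to an entry that already has one.

```python
import re
from collections import namedtuple

# Added example: correlate slapd "stats" log lines so each non-zero RESULT is
# reported together with the request it answers. Tag and result-code names
# are the RFC 4511 values; the sample lines are the ones quoted in the two
# threads above.
TAG_NAMES = {97: "bindResponse", 101: "searchResDone", 103: "modifyResponse",
             105: "addResponse", 107: "delResponse", 109: "modDNResponse"}
ERR_NAMES = {0: "success", 20: "attributeOrValueExists", 32: "noSuchObject",
             49: "invalidCredentials", 50: "insufficientAccessRights",
             65: "objectClassViolation", 68: "entryAlreadyExists"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) slapd\[\d+\]: "
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
REQ_RE = re.compile(r'^(?P<kind>ADD|MOD|MODRDN|DEL|SRCH) (?:dn|base)="(?P<dn>[^"]*)"')
RES_RE = re.compile(r"^(?:SEARCH )?RESULT tag=(?P<tag>\d+) err=(?P<err>\d+) text=(?P<text>.*)$")

# Sample input: the lines posted in the winbind thread, then the one RESULT
# line posted in the ldapsam thread.
SAMPLE_LOG = [
    'Oct 6 13:02:49 mail slapd[21955]: conn=2 op=22 SEARCH RESULT tag=101 err=0 text=',
    'Oct 6 13:02:49 mail slapd[21955]: conn=2 op=23 MOD dn="cn=IdPool,ou=Idmap,dc=example,dc=com"',
    'Oct 6 13:02:49 mail slapd[21955]: conn=2 op=23 RESULT tag=103 err=0 text=',
    'Oct 6 13:02:49 mail slapd[21955]: conn=2 op=24 ADD dn="SAMBASID=S-1-5-32-546,OU=IDMAP,DC=EXAMPLE,DC=COM"',
    'Oct 6 13:02:49 mail slapd[21955]: conn=2 op=24 RESULT tag=105 err=50 text=no write access to parent',
    'Oct 6 13:02:49 mail slapd[21955]: conn=2 op=25 SRCH base="ou=idmap,dc=example,dc=com" scope=2 filter="(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-32-547))"',
    'Oct 6 18:05:26 tiffy slapd[5819]: conn=12 op=7 RESULT tag=103 err=20 text=modify/add: uid: value #0 already exists',
]

Failure = namedtuple("Failure", "ts host conn op kind dn tag err text")


def parse_slapd_failures(lines):
    """Remember each request by (conn, op) and emit a Failure for every RESULT
    whose err is non-zero. A RESULT without a logged request (as in the
    ldapsam thread, where only the RESULT line was posted) is still reported,
    with kind and dn marked as unknown."""
    pending = {}
    failures = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a slapd stats line
        key = (int(m["conn"]), int(m["op"]))
        req = REQ_RE.match(m["rest"])
        if req:
            pending[key] = (req["kind"], req["dn"])
            continue
        res = RES_RE.match(m["rest"])
        if res and int(res["err"]) != 0:
            kind, dn = pending.pop(key, ("?", "?"))
            failures.append(Failure(
                m["ts"], m["host"], key[0], key[1], kind, dn,
                TAG_NAMES.get(int(res["tag"]), res["tag"]),
                ERR_NAMES.get(int(res["err"]), res["err"]),
                res["text"]))
    return failures


if __name__ == "__main__":
    for f in parse_slapd_failures(SAMPLE_LOG):
        print(f"{f.ts} {f.host} conn={f.conn} op={f.op} {f.kind} {f.dn}: "
              f"{f.tag} {f.err} ({f.text})")
```

On the sample input this yields two findings: the ADD under conn=2 op=24 rejected with insufficientAccessRights ("no write access to parent"), and the modify under conn=12 op=7 rejected with attributeOrValueExists. The same correlation is what you want in a detection pipeline, since a burst of err=50 or err=49 results from one bind DN reads very differently from a single misconfigured ACL.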
[Samba] winbind sid -> uid/gid mapping
as far as I understood the manual correctly, the mapping between windows sid and linux uid/gid when using a ldap backend is done under ou=idmap. so, winbind is working well, but I can't see any entries between the ldap ou=idmap. where are the entries?

cu,
thorsten
--
Thorsten Scherf <[EMAIL PROTECTED]>
Re: [Samba] Howto: 2 samba server sharing password db ?
On Friday, 01.10.2004 Lee Niorant wrote:
> simply looking how to configure 2 samba servers sharing same password db. I tried
> many combination (winbind, nis, PDC), none of which worked :-( ... (but that's maybe
> I'm not an expert) ...

how about a ldap backend for the sam?

cu,
thorsten
--
Thorsten Scherf <[EMAIL PROTECTED]>
[Samba] can't join a domain
when trying to put a samba3 server into a domain (samba3 pdc) I always get the following error messages:

  [EMAIL PROTECTED] samba]# net join -d 2 -U smbadmin RHEL -S server1.example.com
  [2004/09/30 23:36:35, 2] lib/interface.c:add_interface(79)
    added interface ip=192.168.0.150 bcast=192.168.0.255 nmask=255.255.255.0
  smbadmin's password:
  [2004/09/30 23:36:37, 1] libads/ldap.c:ads_connect(251)
    Failed to get ldap server info
  [2004/09/30 23:36:37, 0] utils/net_ads.c:ads_startup(183)
    ads_connect: No results returned
  [2004/09/30 23:36:37, 1] utils/net_rpc.c:run_rpc_command(141)
    rpc command function failed! (NT_STATUS_ACCESS_DENIED)
  Create of workstation account failed
  User specified does not have administrator privileges
  Unable to join domain RHEL.
  [2004/09/30 23:36:38, 2] utils/net.c:main(792)
    return code = 1

I'm using a ldapsam backend, and authentication with smbclient is working well. the user smbadmin is also a member of the domain admin group, and group mapping was done:

  [EMAIL PROTECTED] samba]# net groupmap list
  Domain Admins (S-1-5-21-3370306482-4184561861-561853233-512) -> domadmin
  Domain Users (S-1-5-21-3370306482-4184561861-561853233-512) -> domuser
  Domain Guests (S-1-5-21-3370306482-4184561861-561853233-512) -> domguest

I saw this problem discussed on several mailinglists, but with no solution. maybe anybody here can help me with a hint.

cu,
thorsten
--
Thorsten Scherf
GLS Instructor
Red Hat GmbH - Global Learning Services
Hauptstaetterstr. 58, D-70178 Stuttgart, Germany
Tel: +49-711-96437-500, Fax: +49-711-96437-111
eMail: [EMAIL PROTECTED]
GPG-Fingerprint: 92BF AA4C 082B F5DD FB28 47CC C1F9 282D 3B92 80BB
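The net groupmap list output quoted above shows all three built-in groups carrying the same SID, ending in RID 512, although the well-known domain RIDs are 512 for Domain Admins, 513 for Domain Users and 514 for Domain Guests. Whether that is a paste artifact or the real mapping, it is the kind of thing to verify before digging further, because Samba treats any Unix group mapped to the Domain Admins SID as Domain Admins. The following check is an added example written for this page, not code from the thread or from Samba; it parses the quoted listing as sample input and flags well-known groups mapped to an unexpected RID and SIDs that appear more than once. It is a sanity check on the mapping, not a diagnosis of the reported join failure.

```python
import re

# Added example: sanity-check "net groupmap list" output. The well-known
# domain RIDs below are the standard Windows values for these groups.
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}

# Matches lines like: Domain Admins (S-1-5-21-1-2-3-512) -> domadmin
MAP_RE = re.compile(
    r"^(?P<name>.+?) \((?P<sid>S-1-5-21-\d+-\d+-\d+-(?P<rid>\d+))\) -> (?P<unix>\S+)$")

# Sample input: the listing quoted in the question.
SAMPLE_OUTPUT = """\
Domain Admins (S-1-5-21-3370306482-4184561861-561853233-512) -> domadmin
Domain Users (S-1-5-21-3370306482-4184561861-561853233-512) -> domuser
Domain Guests (S-1-5-21-3370306482-4184561861-561853233-512) -> domguest
"""


def parse_groupmap(output):
    """Return (name, sid, rid, unix_group) tuples, one per mapping line."""
    rows = []
    for line in output.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            rows.append((m["name"], m["sid"], int(m["rid"]), m["unix"]))
    return rows


def check_groupmap(rows):
    """Flag well-known groups mapped to the wrong RID and SIDs mapped twice.
    A duplicate matters because a Unix group that maps to the Domain Admins
    SID is treated as Domain Admins by Samba."""
    problems = []
    owner = {}  # sid -> first group name seen with it
    for name, sid, rid, unix in rows:
        expected = WELL_KNOWN_RIDS.get(name)
        if expected is not None and rid != expected:
            problems.append(f"{name}: RID {rid}, expected well-known RID {expected}")
        if sid in owner:
            problems.append(f"duplicate SID {sid}: {owner[sid]} and {name} ({unix})")
        else:
            owner[sid] = name
    return problems


if __name__ == "__main__":
    for problem in check_groupmap(parse_groupmap(SAMPLE_OUTPUT)):
        print(problem)
```

On the quoted listing the check reports four problems: Domain Users and Domain Guests each carry RID 512 instead of 513 and 514, and each of them shares the Domain Admins SID. A listing with the expected RIDs and distinct SIDs produces no output.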