Hi,
I have an LDAP backend for my Samba 3.0.2, and everything seems to work
except adding XP machines to the domain, and Unix logins with an LDAP client.
Since this mail is very long, I have created a small index, so you don't
get exhausted in the middle of all the logs... ;)
1. LDAP user-creation
2. Group info
3. pam/nss info
4. smb.conf [global]
5. Log from trying to add machine to domain
6. Log from trying to log the user in on Unix
7. Conclusion
1)
I create new users through a web interface, where I have created test3 as
a domain admin, and an LDAP search returns the following attributes on test3:
uidnumber: 10009
sambasid: S-1-5-21-2409322033-11024189-1315579533-21018
cn: test3
displayname: test3
sn: test3
uid: test3
loginshell: /bin/bash
homedirectory: /samba/home/test3
gidnumber: 512
objectclass: inetOrgPerson
objectclass: sambaSAMAccount
objectclass: posixAccount
sambahomepath: \\LOGIN\homes
sambahomedrive: H:
sambaacctflags: [U ]
sambadomainname: SKOLE1
sambalogonscript: \\LOGIN\logonScript\test3.bat
sambaprofilepath: \\LOGIN\test3\.profile
sambaprimarygroupsid: S-1-5-21-2409322033-11024189-1315579533-512
sambalmpassword: 07E9BB454DCA7EBCAAD3B435B51404EE
sambantpassword: C3F7CE8E37AB104169F3313FF2C6AC6A
userpassword: {MD5}WnsFSpsqzAhNDorh9YhDpA==
I can validate the user with smbclient -L localhost -U test3, but NOT
log the user in on Linux!
2)
A net groupmap list returns the interesting parts, like:
Domain Admins (S-1-5-21-2409322033-11024189-1315579533-512) - admin
Domain Computers (S-1-5-21-2409322033-11024189-1315579533-553) - Domain Computers
All the admin tools seem to work as well: smbpasswd, and the
smbldap tools in /usr/local/sbin seem to work (I can create new users
with smbldap-useradd.pl)!
and ls -l /usr/local/sbin returns:
-rwxr-xr-x 1 root staff     2 Feb 12 16:22 mkntpwd
-rwxr-xr-x 1 root staff  4367 Feb 10 21:05 smbldap-groupadd.pl
-rwxr-xr-x 1 root staff  2324 Feb 10 21:05 smbldap-groupdel.pl
-rwxr-xr-x 1 root staff  7869 Feb 10 21:05 smbldap-groupmod.pl
-rwxr-xr-x 1 root staff  1884 Feb 10 21:05 smbldap-groupshow.pl
-rwxr-xr-x 1 root staff  7158 Feb 10 21:05 smbldap-migrate-accounts.pl
-rwxr-xr-x 1 root staff  4974 Feb 10 21:05 smbldap-migrate-groups.pl
-rwxr-xr-x 1 root staff  5599 Feb 10 21:05 smbldap-passwd.pl
-rwxr-xr-x 1 root staff  8995 Feb 10 21:05 smbldap-populate.pl
-rw-r--r-- 1 root staff  5521 Feb 10 21:05 smbldap-tools.spec
-rwxr-x--x 1 root admin 16100 Mar  2 18:45 smbldap-useradd.pl
-rwxr-x--x 1 root staff 16162 Mar  2 18:37 smbldap-useradd.pl~
-rwxr-xr-x 1 root staff  2950 Feb 10 21:05 smbldap-userdel.pl
-rwxr-xr-x 1 root staff 15085 Feb 10 21:05 smbldap-usermod.pl
-rwxr-xr-x 1 root staff  1826 Feb 10 21:05 smbldap-usershow.pl
-rwxr-x-wx 1 root admin  3842 Mar  4 20:21 smbldap_conf.pm
-rwxr-x-wx 1 root admin  3844 Mar  4 20:17 smbldap_conf.pm~
-rw-r--r-- 1 root staff 18882 Feb 10 21:05 smbldap_tools.pm
3)
I suspect nss/pam to be the problem, but I don't know how to solve it...
My /etc/nsswitch.conf :
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
4)
- SMB.CONF -
[global]
workgroup = SKOLE1
passdb backend = ldapsam:ldap://127.0.0.1/
ldap suffix = dc=login
ldap machine suffix = ou=machines
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap admin dn = cn=admin,dc=login
ldap passwd sync = yes
ldap delete dn = yes
ldap filter = ((uid=%u)(objectclass=sambaSamAccount))
ldap ssl = no
passwd chat debug = Yes
passwd program =/usr/local/bin/smbldap-passwd.pl -o %u
passwd chat = *new*password* %n\n *new*password:* %n\ *successfully*
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add machine script = /usr/local/sbin/smbldap-useradd.pl -a -w %m
add user script = /usr/local/sbin/smbldap-useradd.pl -a %u
delete user script = /usr/local/sbin/smbldap-useradd.pl -d %u
add group script = /usr/local/sbin/smbldap-useradd.pl -a -g %g
delete group script = /usr/local/sbin/smbldap-useradd.pl -d -g %g
add user to group script = /usr/local/sbin/smbldap-useradd.pl -j -u %u -g %g
delete user from group script = /usr/local/sbin/smbldap-useradd.pl -j -u %u -g %g
set primary group script = /usr/local/sbin/smbldap-useradd.pl -m -u %u -gid %g
server string = thePri Samba Server
netbios name = THEPRI
#printcap name = cups
load printers = no
#printing = cups
log file = /var/log/samba/%m.log
log level = 3
max log size = 5000
security = user
encrypt passwords = true
socket options = TCP_NODELAY