[Samba] Samba+LDAP problems

2007-10-28 Thread Celodrake

Hello there...
My name is Marcelo; I am new to this list.
I don't know if this is the right place to ask about Samba + LDAP;
if not, sorry...


I am finishing implementing a Samba server with LDAP support, but when I
want to add a group to the Samba domain I get the following error
messages:

- SMBLDAP_TOOLS
# smbldap-groupadd -a -g 1 -s S-1-5-21-blablabla -t 2 domainadmins
erreur LDAP: Can't contact master ldap server for writing
(IO::Socket::INET: connect: Conexion rehusada) at
/usr/share/perl5/smbldap_tools.pm line 277.

This line of code refers to the master LDAP server, which is set in the
/etc/smbldap-tools/smbldap.conf configuration file.


- LAM (LDAP ACCOUNT MANAGER)
In the Groups section I press the New Group button and then complete the
form for the Unix and Samba 3 sections, but when I press the Create Account
button it shows me the following error message:


Warning: ldap_add() [function.ldap-add]: Add: Internal (implementation
specific) error in /usr/share/ldap-account-manager/lib/modules.inc on line 1401


  Can't create the DN:
  cn=domainadmins,ou=group,dc=skull-one,dc=com,dc=ar.

Internal (implementation specific) error

I don't understand what line 1401 of the modules.inc file means;
searching on Google I found no information, only one person who advises
using an old samba.schema version. I have the version which comes with the
Debian package 3.0.26a, and I downloaded versions 3.0.25, 3.0.24 and
3.0.23, but I had no luck; the problem is still there.


- PHPLDAPADMIN
In the left menu, in the ou=group section, I press the Create New Object
button, select Posix Group, complete the form with the group name and GID
and then press the Proceed>> button. Then Create Object, and I get the
following error:



  Error

Can't add object to LDAP server.

LDAP sais: Internal (implementation specific) error
Error number: 0x50 (LDAP_OTHER)
Descripción: .

Searching on Google I don't find any information about this error number.

I would be thankful if someone could help me with this problem.

Best regards
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Samba + LDAP - now with ldapsam extensions

2007-10-15 Thread Daniel L. Miller

John H Terpstra wrote:

> On Thursday 11 October 2007 22:57, Daniel L. Miller wrote:
> > Are the IDEALX tools necessary for "complete" integration with LDAP?  Or
> > is the built-in support sufficiently advanced now?
> >
> > Daniel
>
> What does "complete" integration with LDAP mean to you?
>
> You are not the first person to ask questions like these.  It would help me to
> write more useful documentation if I could better understand what is behind
> the questions.

Do the "ldapsam:trusted" and "ldapsam:editposix" extensions provide -
(pause whilst I search for the correct word) - "equivalent"
functionality to the IDEALX tools?  Or are they solutions for different
applications?  For "typical" applications, with a PDC, mixed Unix and
Windows workstations, file and print sharing - are the extensions a
simpler way to achieve the - (wait, need to substitute word again) -
"equivalent" level of LDAP integration?


--
Daniel


Re: [Samba] SAMBA+LDAP-How to promote Administrator with all priviliges?

2007-10-15 Thread Torsten

Adam Tauno Williams wrote:

> Add them to the domain administrators group.

If you have read my initial posting, you would have noticed that this is
the problem. The user administrator is a member of "domain admins" but
still can't perform administrative tasks.



Re: [Samba] Samba + LDAP

2007-10-12 Thread Daniel L. Miller

John H Terpstra wrote:

> On Thursday 11 October 2007 22:57, Daniel L. Miller wrote:
> > Are the IDEALX tools necessary for "complete" integration with LDAP?  Or
> > is the built-in support sufficiently advanced now?
> >
> > Daniel
>
> Daniel,
>
> What function do you believe the IDEALX tools serve?  Why do you think these
> scripts are needed?  What makes you think that "built-in support" might be
> the right (or best) solution?
>
> Have you read the Samba documentation? Specifically, is there anything in the
> Samba3-HOWTO or in Samba3-ByExample that would lead you to believe that there
> is any attempt to supersede the necessity for the IDEALX tools (or an
> alternative set of scripts that is external to Samba itself)?
>
> What does "complete" integration with LDAP mean to you?
>
> You are not the first person to ask questions like these.  It would help me to
> write more useful documentation if I could better understand what is behind
> the questions.
>
> In case you do not know of the books "Samba3-HOWTO" and "Samba3-byExample"
> they can be obtained from:
>
> http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
> http://www.samba.org/samba/docs/Samba3-ByExample.pdf
>
> The IDEALX tools are a means of creating and managing UNIX user and group
> accounts in the LDAP directory.  Samba can then create and manage the Windows
> (SambaSAM) account information that is necessary to support Windows network
> activities.
>
> As a network administrator, I want total control over how UNIX accounts are
> managed in my LDAP directory and I would not want this done by Samba -
> particularly if that removes my ability to control how this is done.  Your
> mileage may vary, but I suspect most UNIX administrators who manage Samba
> would not want to lose control of the UNIX part of the directory.
>
> For example, if Samba had total control over all Windows networking (Samba)
> accounts, and the Windows network administrator deletes a user account, but
> the user also has vital UNIX files, how should the deletion of the UNIX
> account information be handled?
>
> By keeping the LDAP administration scripts that impact the UNIX account
> management separate from the Windows (Samba) account part, the administrator
> can exercise greater control over.  - Just my $0.02 worth.
>
> Cheers,
> John T.

By "built-in support", I am referring to the ldapsam:trusted and 
ldapsam:editposix extensions - documented at:


   http://wiki.samba.org/index.php/Ldapsam_Editposix

Because using these extensions appeared to simplify my configuration, 
and inferred that they were "optimized", I thought this was the future 
of Samba+LDAP and the IDEALX scripts were a holdover from the past.  
Since I have had difficulty in getting this configuration to work 
solidly - I'm still questioning whether or not these extensions are what 
I should be using.


"Complete" integration to me means after setting the appropriate 
smb.conf parameters - and having a configured LDAP backend - no 
information is stored external to the LDAP server and standard tools for 
Samba account manipulation perform all needed functions without the need 
for manipulating the LDAP database directly.  Such account manipulation 
should be exclusive to Samba - if the UNIX accounts are also LDAP based 
then obviously the UNIX accounts MAY be impacted by such Samba 
configuration - but it should not be a requirement for any Samba 
accounts to map to UNIX - unless the administrator wants that.


How to handle account deletion is a matter of individual preference - 
both for Samba and for UNIX.  In any case, the option to either leave 
the user files intact, move them to a repository, or delete upon account 
deletion should be a simple configuration setting.


I'm still learning how all these components interconnect - I have yet to 
have a fully-functional Samba PDC, that has no errors/warnings in the 
logs, and communicates with the compatible Windows NT tools for domain 
manipulation.  I had thought that if the IDEALX tools had been 
superseded by the ldapsam:trusted extensions, that was one less item I 
had to worry about.


Daniel


Re: [Samba] Samba + LDAP

2007-10-12 Thread Guenter Kukkukk
On Friday, 12 October 2007 06:58, John H Terpstra wrote:
> On Thursday 11 October 2007 22:57, Daniel L. Miller wrote:
> > Are the IDEALX tools necessary for "complete" integration with LDAP?  Or
> > is the built-in support sufficiently advanced now?
> >
> > Daniel
> 
> Daniel,
> 
> What function do you believe the IDEALX tools serve?  Why do you think these 
> scripts are needed?  What makes you think that "built-in support" might be 
> the right (or best) solution?
> 
> Have you read the Samba documentation? Specifically, is there anything in the 
> Samba3-HOWTO or in Samba3-ByExample that would lead you to believe that there 
> is any attempt to supersede the necessity for the IDEALX tools (or an 
> alternative set of scripts that is external to Samba itself)?
> 
> What does "complete" integration with LDAP mean to you?
> 
> You are not the first person to ask questions like these.  It would help me 
> to 
> write more useful documentation if I could better understand what is behind 
> the questions.
> 
> In case you do not know of the books "Samba3-HOWTO" and "Samba3-byExample" 
> they can be obtained from:
> 
>   http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
>   http://www.samba.org/samba/docs/Samba3-ByExample.pdf
> 
> The IDEALX tools are a means of creating and managing UNIX user and group 
> accounts in the LDAP directory.  Samba can then create and manage the Windows 
> (SambaSAM) account information that is necessary to support Windows network 
> activities.
> 
> As a network administrator, I want total control over how UNIX accounts are 
> managed in my LDAP directory and I would not want this done by Samba - 
> particularly if that removes my ability to control how this is done.  Your 
> mileage may vary, but I suspect most UNIX administrators who manage Samba 
> would not want to lose control of the UNIX part of the directory.
> 
> For example, if Samba had total control over all Windows networking (Samba) 
> accounts, and the Windows network administrator deletes a user account, but 
> the user also has vital UNIX files, how should the deletion of the UNIX 
> account information be handled?
> 
> By keeping the LDAP administration scripts that impact the UNIX account 
> management separate from the Windows (Samba) account part, the administrator 
> can exercise greater control over.  - Just my $0.02 worth.
> 
> Cheers,
> John T.

Hi John,

there is ongoing work to avoid (some) external scripts

http://wiki.samba.org/index.php/Ldapsam_Editposix

Cheers, Guenter


Re: [Samba] Samba + LDAP

2007-10-11 Thread John H Terpstra
On Thursday 11 October 2007 22:57, Daniel L. Miller wrote:
> Are the IDEALX tools necessary for "complete" integration with LDAP?  Or
> is the built-in support sufficiently advanced now?
>
> Daniel

Daniel,

What function do you believe the IDEALX tools serve?  Why do you think these 
scripts are needed?  What makes you think that "built-in support" might be 
the right (or best) solution?

Have you read the Samba documentation? Specifically, is there anything in the 
Samba3-HOWTO or in Samba3-ByExample that would lead you to believe that there 
is any attempt to supersede the necessity for the IDEALX tools (or an 
alternative set of scripts that is external to Samba itself)?

What does "complete" integration with LDAP mean to you?

You are not the first person to ask questions like these.  It would help me to 
write more useful documentation if I could better understand what is behind 
the questions.

In case you do not know of the books "Samba3-HOWTO" and "Samba3-byExample" 
they can be obtained from:

http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
http://www.samba.org/samba/docs/Samba3-ByExample.pdf

The IDEALX tools are a means of creating and managing UNIX user and group 
accounts in the LDAP directory.  Samba can then create and manage the Windows 
(SambaSAM) account information that is necessary to support Windows network 
activities.

As a network administrator, I want total control over how UNIX accounts are 
managed in my LDAP directory and I would not want this done by Samba - 
particularly if that removes my ability to control how this is done.  Your 
mileage may vary, but I suspect most UNIX administrators who manage Samba 
would not want to lose control of the UNIX part of the directory.

For example, if Samba had total control over all Windows networking (Samba) 
accounts, and the Windows network administrator deletes a user account, but 
the user also has vital UNIX files, how should the deletion of the UNIX 
account information be handled?

By keeping the LDAP administration scripts that impact the UNIX account 
management separate from the Windows (Samba) account part, the administrator 
can exercise greater control over.  - Just my $0.02 worth.

Cheers,
John T.


[Samba] Samba + LDAP

2007-10-11 Thread Daniel L. Miller
Are the IDEALX tools necessary for "complete" integration with LDAP?  Or 
is the built-in support sufficiently advanced now?


Daniel


Re: [Samba] SAMBA+LDAP-How to promote Administrator with all priviliges?

2007-10-11 Thread Daniel L. Miller

Torsten wrote:

> Frank Van Damme wrote:
>
> > On 10/11/07, Torsten <[EMAIL PROTECTED]> wrote:
> >
> > > Frank Van Damme wrote:
> > >
> > > > Your problem is that the account does not have uid number 0. If it has,
> > > > it has a root account on your unix box and you're all set.
> > >
> > > o.k, but uid 0 is reserved for root, isn't it? and it should be possible
> > > to have more than one account with administrative privileges.
> >
> > Yes, uid 0 is for root, but you can easily have a user in ldap with
> > uid 0 and one in /etc/passwd or similar. Try it.
>
> o.k. I believe you (;-), but still, what if I want to promote my
> assistant and my housekeeper with administrative privileges? I can't
> give them all uid 0.

Samba administrator is totally different from Linux root.  While
typically the Linux root user is also shown as a Samba administrator -
this is not necessary and in fact can be a security consideration.
Unless your configuration requires Samba users to also be Linux users,
your Samba users - and administrators - have nothing to do with Linux
privileges.

--
Daniel


[Samba] Samba/LDAP RID assignment

2007-10-11 Thread E.V. Suprun
We've got SAMBA 3.0.23d / LDAP PDC using smb-ldap-tools. smb.conf
contains: 

add user script = /opt/IDEALX/sbin/smbldap-useradd "%u"

A new user may be added to the domain by various ways, e.g:

1. from a Windows workstation of an administrator:
 usrmgr.exe;
2. from the server shell: smbldap-useradd "a_new_user";
 then net rpc -Uroot add user a_new_user;
3. from the server shell: smbldap-useradd "a_new_user";
 then smbpasswd -a a_new_user;

In any case, first of all "a_new_user" is created in LDAP and gets his
unique "uidNumber" attribute, then he is assigned a RID. In cases (1-2)
the final digits of the RID are assigned according to the value of the
SambaDomainName=domain_name sambaNextRid attribute, but in case (3) the
final part of new RID is (uidNumber*2)+1000.

I tried the latest Samba version; its behaviour is the same as in
3.0.23d. Are there ways to make the modes of assigning RIDs the same for
smbpasswd and for RPC calls (AFAIK, usrmgr.exe applies RPC calls)? If
so, how can I choose the mode of assigning the new RID?

Eugene.


Re: [Samba] SAMBA+LDAP-How to promote Administrator with all priviliges?

2007-10-11 Thread adrian sender

This may be what you are looking for..

net rpc rights, to manage privileges assigned to SIDs

http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#id364647

root#  net rpc rights list -U root%not24get
     SeMachineAccountPrivilege  Add machines to domain
      SePrintOperatorPrivilege  Manage printers
           SeAddUsersPrivilege  Add users and groups to the domain
     SeRemoteShutdownPrivilege  Force shutdown from a remote system
       SeDiskOperatorPrivilege  Manage disk shares
             SeBackupPrivilege  Back up files and directories
            SeRestorePrivilege  Restore files and directories
      SeTakeOwnershipPrivilege  Take ownership of files or other objects

All in the docs.

Adrian Sender



>>  Forwarded Message 
>> From: Torsten 
>> To: samba@lists.samba.org
>> Subject: [Samba] SAMBA+LDAP-How to promote Administrator with all
>> priviliges?
>> Date: Thu, 11 Oct 2007 11:15:59 +0200
>> 
>> Hi,
>> 
>> I have setup samba+ldap and almost everything went well, except the fact, 
>> that there was no administrative account from the beginning. So I just 
>> created one using smbldap-useradd.
>> 
>> samba-pdc:~# /usr/sbin/smbldap-usershow administrator
>> dn: uid=administrator,ou=Users,dc=rhhu,dc=local
>> objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
>> cn: administrator
>> sn: administrator
>> givenName: administrator
>> uid: administrator
>> uidNumber: 1004
>> gidNumber: 513
>> homeDirectory: /home/administrator
>> loginShell: /bin/bash
>> gecos: System User
>> sambaLogonTime: 0
>> sambaLogoffTime: 2147483647
>> sambaKickoffTime: 2147483647
>> sambaPwdCanChange: 0
>> sambaSID: S-1-5-21-55810726-2383910042-1397420801-3008
>> sambaPrimaryGroupSID: S-1-5-21-55810726-2383910042-1397420801-513
>> sambaLogonScript: logon.bat
>> sambaHomeDrive: Z:
>> sambaLMPassword: 79A0A158A100C04D902139606B6D16B5
>> sambaAcctFlags: [U]
>> sambaNTPassword: 6261BD5C725F9795FC7E84DA0350FA29
>> sambaPwdLastSet: 1187341118
>> sambaPwdMustChange: 1191229118
>> userPassword: {MD5}0/ECsVoPmE2fvVgfBQguZg==
>> 
>> samba-pdc:~# /usr/sbin/smbldap-groupshow "Domain Admins"
>> dn: cn=Domain Admins,ou=Groups,dc=rhhu,dc=local
>> objectClass: top,posixGroup,sambaGroupMapping
>> gidNumber: 512
>> cn: Domain Admins
>> memberUid: root,Administrator
>> description: Netbios Domain Administrators
>> sambaSID: S-1-5-21-55810726-2383910042-1397420801-512
>> sambaGroupType: 2
>> displayName: Domain Admins
>> 
>> So, administrator is member of Domain Admins. I suppose the problem lies 
>> within the primary group membership of that account, but I have no clue 
>> how to change the sid.
>> 
>> What would be a practicable solution? Thanks.
>> 
>> Regards, Torsten
>> 



Re: [Samba] SAMBA+LDAP-How to promote Administrator with all priviliges?

2007-10-11 Thread Adam Tauno Williams
> o.k. I believe you (;-), but still, what if I want to promote my 
> assistant and my housekeeper with administrative privileges? I can't give 
> them all uid 0.

Add them to the domain administrators group.

-- 
Adam Tauno Williams, Network & Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org



Re: [Samba] SAMBA+LDAP-How to promote Administrator with all priviliges?

2007-10-11 Thread Torsten

Frank Van Damme wrote:

> On 10/11/07, Torsten <[EMAIL PROTECTED]> wrote:
>
> > Frank Van Damme wrote:
> >
> > > Your problem is that the account does not have uid number 0. If it has,
> > > it has a root account on your unix box and you're all set.
> >
> > o.k, but uid 0 is reserved for root, isn't it? and it should be possible
> > to have more than one account with administrative privileges.
>
> Yes, uid 0 is for root, but you can easily have a user in ldap with
> uid 0 and one in /etc/passwd or similar. Try it.

o.k. I believe you (;-), but still, what if I want to promote my
assistant and my housekeeper with administrative privileges? I can't give
them all uid 0.



Re: [Samba] SAMBA+LDAP-How to promote Administrator with all priviliges?

2007-10-11 Thread Marcin Giedz



Torsten wrote:

> Frank Van Damme wrote:
>
> > Your problem is that the account does not have uid number 0. If it has,
> > it has a root account on your unix box and you're all set.
>
> o.k, but uid 0 is reserved for root, isn't it? and it should be
> possible to have more than one account with administrative privileges.

You don't have to do this.

1) Try to add uid=administrator to the "domain admins" group in LDAP -> in
"domain admins" add the attribute memberUid=administrator. That's all.

2) In samba you can also set privileges for every normal user by grants:

net rpc rights grant "user1\Domain Admins" SeDiskOperatorPrivilege -U 
administrator%pass


BR,
Marcin

--
ARISE M.Giedz, T.Żebruń sp.j.
http: www.arise.pl
mail: [EMAIL PROTECTED]
tel: +48 502 537 157





Re: [Samba] SAMBA+LDAP-How to promote Administrator with all priviliges?

2007-10-11 Thread Frank Van Damme
On 10/11/07, Torsten <[EMAIL PROTECTED]> wrote:
> Frank Van Damme wrote:
> >
> > Your problem is that the account does not have uid number 0. If it has,
> > it has a root account on your unix box and you're all set.
> >
> o.k, but uid 0 is reserved for root, isn't it? and it should be possible
> to have more than one account with administrative privileges.

Yes, uid 0 is for root, but you can easily have a user in ldap with
uid 0 and one in /etc/passwd or similar. Try it.


-- 
Frank Van Damme   A: Because it destroys the flow of the conversation
  Q: Why is it bad?
  A: No, it's bad.
  Q: Should I top post in replies to mails or on usenet?


Re: [Samba] SAMBA+LDAP-How to promote Administrator with all priviliges?

2007-10-11 Thread Torsten

Frank Van Damme wrote:

> Your problem is that the account does not have uid number 0. If it has,
> it has a root account on your unix box and you're all set.

o.k, but uid 0 is reserved for root, isn't it? and it should be possible
to have more than one account with administrative privileges.



Re: [Samba] SAMBA+LDAP-How to promote Administrator with all priviliges?

2007-10-11 Thread Frank Van Damme
On 10/11/07, Torsten <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have setup samba+ldap and almost everything went well, except the fact,
> that there was no administrative account from the beginning. So I just
> created one using smbldap-useradd.
>
> samba-pdc:~# /usr/sbin/smbldap-usershow administrator
> dn: uid=administrator,ou=Users,dc=rhhu,dc=local
> objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
> cn: administrator
> sn: administrator
> givenName: administrator
> uid: administrator
> uidNumber: 1004
> gidNumber: 513


*SNIP*


> So, administrator is member of Domain Admins. I suppose the problem lies
> within the primary group membership of that account, but I have no clue
> how to change the sid.
>
> What would be a practicable solution? Thanks.
>
> Regards, Torsten

Your problem is that the account does not have uid number 0. If it has,
it has a root account on your unix box and you're all set.


-- 
Frank Van Damme   A: Because it destroys the flow of the conversation
  Q: Why is it bad?
  A: No, it's bad.
  Q: Should I top post in replies to mails or on usenet?


[Samba] SAMBA+LDAP-How to promote Administrator with all priviliges?

2007-10-11 Thread Torsten

Hi,

I have setup samba+ldap and almost everything went well, except the fact 
that there was no administrative account from the beginning. So I just 
created one using smbldap-useradd.


samba-pdc:~# /usr/sbin/smbldap-usershow administrator
dn: uid=administrator,ou=Users,dc=rhhu,dc=local
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: administrator
sn: administrator
givenName: administrator
uid: administrator
uidNumber: 1004
gidNumber: 513
homeDirectory: /home/administrator
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaSID: S-1-5-21-55810726-2383910042-1397420801-3008
sambaPrimaryGroupSID: S-1-5-21-55810726-2383910042-1397420801-513
sambaLogonScript: logon.bat
sambaHomeDrive: Z:
sambaLMPassword: 79A0A158A100C04D902139606B6D16B5
sambaAcctFlags: [U]
sambaNTPassword: 6261BD5C725F9795FC7E84DA0350FA29
sambaPwdLastSet: 1187341118
sambaPwdMustChange: 1191229118
userPassword: {MD5}0/ECsVoPmE2fvVgfBQguZg==

samba-pdc:~# /usr/sbin/smbldap-groupshow "Domain Admins"
dn: cn=Domain Admins,ou=Groups,dc=rhhu,dc=local
objectClass: top,posixGroup,sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: root,Administrator
description: Netbios Domain Administrators
sambaSID: S-1-5-21-55810726-2383910042-1397420801-512
sambaGroupType: 2
displayName: Domain Admins

So, administrator is member of Domain Admins. I suppose the problem lies 
within the primary group membership of that account, but I have no clue 
how to change the sid.


What would be a practicable solution? Thanks.

Regards, Torsten


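Eugene's post on RID assignment describes two modes that can coexist on a Samba 3 / LDAP PDC (the sambaNextRid counter used by the RPC path, and the algorithmic (uidNumber*2)+1000 mapping used by smbpasswd -a), and Torsten's smbldap-usershow output above shows one such account: uidNumber 1004 and a sambaSID ending in 3008, which is exactly 1004*2+1000. The following audit is an added example, not code from the thread or from smbldap-tools. It parses the attribute listing the smbldap-*show commands print and reports, for each entry carrying a sambaSID, whether its RID is a Windows well-known RID, follows Samba's algorithmic mapping, or came from the counter. The user and group formulas and the well-known RID list are Samba's defaults; the 'jdoe' entry is constructed to show a counter-assigned RID next to Torsten's two real entries (password hashes left out).

```python
"""RID-assignment audit for a Samba 3 / LDAP domain (added example, not
code from the thread).  Two assignment modes coexist on such a PDC:
  - counter:     RID taken from sambaNextRid on the sambaDomain object
                 (RPC path: usrmgr.exe, net rpc ...)
  - algorithmic: user RID  = uidNumber * 2 + 1000
                 group RID = gidNumber * 2 + 1001   (smbpasswd -a path)
Well-known RIDs (500, 512, 513, ...) are fixed by Windows and fit neither."""
from __future__ import annotations

ALGORITHMIC_RID_BASE = 1000   # Samba's default "algorithmic rid base"
RID_MULTIPLIER = 2
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests"}

# Torsten's two entries as printed by smbldap-usershow / smbldap-groupshow
# (password hashes omitted), plus a constructed user 'jdoe' whose RID was
# handed out by the sambaNextRid counter rather than derived from uidNumber.
SAMPLE_LDIF = """\
dn: uid=administrator,ou=Users,dc=rhhu,dc=local
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
uid: administrator
uidNumber: 1004
gidNumber: 513
sambaSID: S-1-5-21-55810726-2383910042-1397420801-3008
sambaPrimaryGroupSID: S-1-5-21-55810726-2383910042-1397420801-513

dn: cn=Domain Admins,ou=Groups,dc=rhhu,dc=local
objectClass: top,posixGroup,sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: root,Administrator
sambaSID: S-1-5-21-55810726-2383910042-1397420801-512

dn: uid=jdoe,ou=Users,dc=rhhu,dc=local
objectClass: top,posixAccount,sambaSamAccount
uid: jdoe
uidNumber: 1005
gidNumber: 513
sambaSID: S-1-5-21-55810726-2383910042-1397420801-1015
sambaPrimaryGroupSID: S-1-5-21-55810726-2383910042-1397420801-513
"""


def user_rid_from_uid(uid: int) -> int:
    return uid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE


def group_rid_from_gid(gid: int) -> int:
    return gid * RID_MULTIPLIER + ALGORITHMIC_RID_BASE + 1


def parse_entries(text: str) -> list[dict[str, str]]:
    """Split 'attr: value' blocks on blank lines.  smbldap-*show prints
    multi-valued attributes comma-joined on one line, so each attribute maps
    to one string here; base64 ('attr:: ...') values are not handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def split_sid(sid: str) -> tuple[str, int]:
    """'S-1-5-21-a-b-c-3008' -> ('S-1-5-21-a-b-c', 3008)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def object_classes(entry: dict[str, str]) -> set[str]:
    return {c.strip() for c in entry.get("objectClass", "").split(",")}


def rid_mode(entry: dict[str, str]) -> str:
    _, rid = split_sid(entry["sambaSID"])
    classes = object_classes(entry)
    if rid in WELL_KNOWN_RIDS:
        return "well-known"
    if "posixAccount" in classes and rid == user_rid_from_uid(int(entry["uidNumber"])):
        return "algorithmic"
    if "posixGroup" in classes and rid == group_rid_from_gid(int(entry["gidNumber"])):
        return "algorithmic"
    return "counter"   # not derivable from uid/gid: sambaNextRid, or set by hand


def audit(text: str) -> dict[str, tuple[int, str]]:
    """Map each DN that carries a sambaSID to (rid, assignment mode)."""
    return {e["dn"]: (split_sid(e["sambaSID"])[1], rid_mode(e))
            for e in parse_entries(text) if "sambaSID" in e}


def mixed_user_modes(text: str) -> bool:
    """True when user accounts do not all follow one assignment mode, which
    is the inconsistency Eugene describes between smbpasswd and RPC."""
    modes = {rid_mode(e) for e in parse_entries(text)
             if "sambaSID" in e and "posixAccount" in object_classes(e)}
    return len(modes - {"well-known"}) > 1


if __name__ == "__main__":
    for dn, (rid, mode) in audit(SAMPLE_LDIF).items():
        print(f"{rid:>5}  {mode:<12} {dn}")
    print("mixed assignment modes among users:", mixed_user_modes(SAMPLE_LDIF))
```

Run against a full dump of the Users and Groups containers, the script gives a quick picture of which tool created which account; a directory where the two modes are mixed is exactly the situation Eugene asks about, and the sambaSID values on the page (3008 for uid 1004, 512 and 513 as well-known group RIDs) are consistent with each other.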


Re: [Samba] Samba + LDAP

2007-10-08 Thread Mike Eggleston
On Mon, 08 Oct 2007, simo might have said:

> On Mon, 2007-10-08 at 15:45 +0100, Ricardo Manuel Esteves (VI) wrote:
> > Hi,
> > 
> > I got Samba 3.0.26a on my Fedora 7, and when I try to add users with
> > smbpasswd -a username, it only works if the user exists as a Linux
> > user... I got a CentOS 4.4 system with Samba 3.0.10 and it works even
> > if the user doesn't exist on the system.
> > 
> > Can anyone explain to me why this happens? Is it from this new version
> > (3.0.26a) or may it be a problem of 
> > Fedora 7?
> 
> Always been like that since I can remember, and it is by design.
> Simo.

The subject says Samba + LDAP. I use smbldap-passwd to add users to LDAP.

Mike


Re: [Samba] Samba + LDAP

2007-10-08 Thread simo
On Mon, 2007-10-08 at 15:45 +0100, Ricardo Manuel Esteves (VI) wrote:
> Hi,
> 
> I got Samba 3.0.26a on my Fedora 7, and when I try to add users with
> smbpasswd -a username, it only works if the user exists as a Linux
> user... I got a CentOS 4.4 system with Samba 3.0.10 and it works even
> if the user doesn't exist on the system.
> 
> Can anyone explain to me why this happens? Is it from this new version
> (3.0.26a) or may it be a problem of 
> Fedora 7?

Always been like that since I can remember, and it is by design.
Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



[Samba] Samba + LDAP

2007-10-08 Thread Ricardo Manuel Esteves (VI)
Hi,

I got Samba 3.0.26a on my Fedora 7, and when I try to add users with
smbpasswd -a username, it only works if the user exists as a Linux
user... I got a CentOS 4.4 system with Samba 3.0.10 and it works even
if the user doesn't exist on the system.

Can anyone explain to me why this happens? Is it from this new version
(3.0.26a) or may it be a problem of 
Fedora 7?


RE: [Samba] Samba + Ldap: password syn

2007-10-06 Thread adrian sender

Check your slapd.conf ACL options.


--Forwarded Message Attachment--
From: [EMAIL PROTECTED]
Subject: [Samba] Samba + Ldap: password sync
Date: Thu, 4 Oct 2007 15:19:42 -0300
To: samba@lists.samba.org

Gentleman,
 
While using Openldap 2.2.x, password synchronization was working fine. It
means that when a user changed his password through MS Windows XP,
unixPassword, sambaNTPassword and sambaLMPassword were updated at the
same time.
 
Since I migrated Openldap to version 2.3.38 (same compilation options /
conf files untouched) it stopped working. Now only sambaXXPassword are
updated and unixPassword remain with the old value.
 
No errors are shown on ldap or samba logs.
 
How do I proceed now?
 
Fabiano.


[Samba] Samba + Ldap: password sync

2007-10-04 Thread Fabiano Caixeta Duarte
Gentleman,

While using Openldap 2.2.x, password synchronization was working fine. It
means that when a user changed his password through MS Windows XP,
unixPassword, sambaNTPassword and sambaLMPassword were updated at the
same time.

Since I migrated Openldap to version 2.3.38 (same compilation options /
conf files untouched) it stopped working. Now only sambaXXPassword are
updated and unixPassword remain with the old value.

No errors are shown on ldap or samba logs.

How do I proceed now?

Fabiano.

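Adrian's reply above points at the slapd ACLs, and Fabiano's post describes the mechanism that depends on them. The following is an added example, not code or configuration from the thread, that checks the two settings which have to agree on a Samba 3 PDC for the Unix password to follow a Windows password change: `ldap passwd sync = yes` in smb.conf, and slapd ACLs that let the `ldap admin dn` write userPassword as well as the sambaNTPassword/sambaLMPassword hashes. The smb.conf and the two slapd.conf ACL sets (a weak one beside the corrected one) are constructed samples; the suffix, admin DN and hostname are assumptions. The ACL evaluation reads only the attrs= part of each target, ignoring dn scopes and filters, and slapd's rootdn bypasses ACLs altogether, so the check only tells you something when the admin DN is an ordinary entry.

```python
"""Check that smb.conf and the slapd ACLs agree on password sync
(added example, not code or configuration from the thread).  With
'ldap passwd sync = yes' Samba 3 writes userPassword through the
'ldap admin dn' in addition to the sambaNTPassword/sambaLMPassword
hashes, so that DN needs write access to all of them under the ACLs.
All DNs, hostnames and paths below are assumed sample values."""
from __future__ import annotations
import re

PASSWORD_ATTRS = ("userPassword", "sambaNTPassword", "sambaLMPassword",
                  "sambaPwdLastSet", "sambaPwdMustChange")

SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap suffix = dc=example,dc=com
    ldap admin dn = cn=samba,dc=example,dc=com
    ldap passwd sync = yes
"""

# Weak ACL set: the Samba admin DN may write the NT/LM hashes but falls
# through to "by * none" on userPassword, so only the Samba hashes can move.
SLAPD_CONF_WEAK = """\
access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=samba,dc=example,dc=com" write
        by * none
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by dn="cn=samba,dc=example,dc=com" write
        by * read
"""

# Corrected: one clause covering every attribute Samba touches on a
# password change, placed before the catch-all "access to *".
SLAPD_CONF_FIXED = """\
access to attrs=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="cn=samba,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none
access to *
        by dn="cn=samba,dc=example,dc=com" write
        by * read
"""


def smb_option(conf: str, name: str) -> str | None:
    """Value of a 'name = value' line in smb.conf (case-insensitive)."""
    m = re.search(rf"^\s*{re.escape(name)}\s*=\s*(.+?)\s*$", conf, re.M | re.I)
    return m.group(1) if m else None


def parse_acls(conf: str) -> list[tuple[set[str] | None, list[tuple[str, str]]]]:
    """[(attrs covered, or None for 'any attribute'), [(who, level), ...]]
    in file order.  Only the attrs= part of a target is interpreted."""
    acls: list[tuple[set[str] | None, list[tuple[str, str]]]] = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to"):
            target = line[len("access to"):].strip()
            m = re.search(r"attrs=(\S+)", target)
            acls.append((set(m.group(1).split(",")) if m else None, []))
        elif line.startswith("by ") and acls:
            who, _, level = line[3:].rpartition(" ")
            acls[-1][1].append((who.strip(), level.strip()))
    return acls


def admin_can_write(acls, admin_dn: str, attr: str) -> bool:
    """slapd semantics: the first clause whose target covers the attribute
    decides, and within it the first matching 'by' decides; no matching
    'by' means the implicit 'by * none'.  The rootdn is never subject to
    ACLs, so this check is only meaningful for an ordinary admin entry."""
    for attrs, bys in acls:
        if attrs is not None and attr not in attrs:
            continue
        for who, level in bys:
            if who == "*" or who in (f'dn="{admin_dn}"', f'dn.exact="{admin_dn}"'):
                return level in ("write", "manage")
        return False
    return False


def check_password_sync(smb_conf: str, slapd_conf: str) -> dict[str, object]:
    """Report the sync setting and which password attributes the admin DN
    may write; userPassword must be writable for the Unix password to follow."""
    admin_dn = smb_option(smb_conf, "ldap admin dn") or ""
    acls = parse_acls(slapd_conf)
    return {
        "ldap passwd sync": (smb_option(smb_conf, "ldap passwd sync") or "no").lower(),
        "writable": {a: admin_can_write(acls, admin_dn, a) for a in PASSWORD_ATTRS},
    }


if __name__ == "__main__":
    for label, conf in (("weak", SLAPD_CONF_WEAK), ("fixed", SLAPD_CONF_FIXED)):
        print(label, check_password_sync(SMB_CONF, conf))
```

The weak set reports userPassword as not writable by the admin DN while the Samba hash attributes are, which is the shape of configuration to look for when only the samba*Password attributes change; the corrected set reports all five as writable. Ordering matters in slapd.conf because the first matching clause wins, so the password clause has to sit above any broader `access to *`.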


Re: [Samba] Samba+LDAP with real-time share permissions

2007-08-31 Thread simo
On Fri, 2007-08-31 at 10:16 -0300, Steve Scanavarro wrote:
> Hello everyone!
> I'm using samba with LDAP, and everything is working fine.
> But I'm having problems when I change something in the permissions on the
> share, for example, I have a share called "daily".
> In this share, the permissions are set to the LDAP group called Daily, where
> "steve" is a member.
> Well, when I log in, the share maps ok, but what I want to do is, when I
> remove the user steve from the LDAP group, his access will be denied in
> "real-time" (when removed from the group, stop being able to see anything in
> the drive).
> 
> *BUT*, it's not working, the user still has the permissions in the drive
> 'til logout/login again.

This is by design, privileges are set at connection time and never
changed.

> My question is, what if the user logs out only on the weekends? In the
> meanwhile user 'steve' will still have access to the drive?
> In an experience here, he no longer has access only when I restart Samba,
> but when I do that, the other drives that are mapped stop working as well,
> and the user should logout/login again, and then the permissions are ok.
> (and it's not a good idea to restart samba every time I change a permission,
> isn't it? :)
> 
> Thanks in advance for any help/ideas!

You can use smbstatus to find out the pid of the specific smbd serving
that user and then send this process a shutdown command using
smbcontrol; this will disconnect the user and force his workstation to
reconnect all drives and perform a new authentication.

I think another way could be to simply change the main directory
permissions. Instead of adding and removing users to and from the Daily group,
simply deny it access to the directory by setting its permissions to ---
(no r, w or x). This may be more practical and does not require
disconnections, nor constant manipulation of user memberships.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org

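Simo's smbstatus/smbcontrol procedure as a script, added here as an example; it is not code from the thread or from the Samba project. It parses the session table that smbstatus prints (a constructed sample stands in for the real output), collects every smbd PID whose session belongs to the named user, and sends each one a shutdown through smbcontrol. The column layout of the session table and the injectable `run` hook (so the logic can be exercised with no Samba installed) are assumptions of this example.

```python
import re
import subprocess
import sys

# Constructed sample of what "smbstatus" prints on a Samba 3 server
# (example data, not the poster's real output).
SAMPLE_SMBSTATUS = """\
Samba version 3.0.26a

PID     Username      Group         Machine
-------------------------------------------------------------------
 4321   steve         daily         ws01         (192.168.1.10)
 4322   alice         daily         ws02         (192.168.1.11)
 4330   steve         daily         ws03         (192.168.1.12)

Service      pid     machine       Connected at
-------------------------------------------------------
daily        4321    ws01          Fri Aug 31 10:02:11 2007
"""

# One session row: PID, user name, primary group, client machine.
_SESSION_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)")


def smbd_pids_for_user(smbstatus_text, username):
    """Return the PIDs of every smbd whose session belongs to `username`.

    Only the session table (the one headed "PID ...") is consulted; parsing
    stops at the blank line that ends it, so a share or file name equal to
    a user name in the later tables cannot be mistaken for a session.
    """
    pids, in_table = [], False
    for line in smbstatus_text.splitlines():
        if line.startswith("PID"):
            in_table = True
            continue
        if in_table and not line.strip():
            break
        match = _SESSION_ROW.match(line) if in_table else None
        if match and match.group(2) == username:
            pids.append(int(match.group(1)))
    return pids


def disconnect_user(username, run=subprocess.run):
    """Shut down each smbd serving `username` with "smbcontrol <pid> shutdown".

    The client then has to reconnect and authenticate again, at which point
    its token is rebuilt from the current LDAP group membership.  Returns the
    PIDs that were signalled (empty when the user has no open session).
    """
    status = run(["smbstatus"], capture_output=True, text=True, check=True).stdout
    pids = smbd_pids_for_user(status, username)
    for pid in pids:
        run(["smbcontrol", str(pid), "shutdown"], check=True)
    return pids


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: kick_smb_user.py <username>")
    kicked = disconnect_user(sys.argv[1])
    print("disconnected smbd pids:", kicked or "none")
```

Run it as root on the file server (python3 kick_smb_user.py steve). Only that user's smbd processes are shut down, so other users' mapped drives stay up, which is the difference from restarting Samba. The same design cuts the other way too: disabling or deleting the account in LDAP does not touch a live session either, so an urgent revocation is this plus the permission change, not the LDAP edit alone.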


[Samba] Samba+LDAP with real-time share permissions

2007-08-31 Thread Steve Scanavarro
Hello everyone!
I'm using samba with LDAP, and everything is working fine.
But I'm having problems when I change something in the permissions on the
share, for example, I have a share called "daily".
In this share, the permissions are set to the LDAP group called Daily, where
"steve" is a member.
Well, when I log in, the share maps ok, but what I want to do is, when I
remove the user steve from the LDAP group, his access will be denied in
"real-time" (when removed from the group, he stops being able to see anything in
the drive).

*BUT*, it's not working, the user still has the permissions in the drive
'til logout/login again.

My question is, what if the user logs out only on the weekends? In the
meanwhile user 'steve' will still have access to the drive?
In an experience here, he no longer has access only when I restart Samba,
but when I do that, the other drives that are mapped stop working as well,
and the user should logout/login again, and then the permissions are ok.
(and it's not a good idea to restart samba every time I change a permission,
isn't it? :)

Thanks in advance for any help/ideas!

Best,

Steve


Re: [Samba] Samba + LDAP + displayName attribute

2007-08-24 Thread Didster
I don't use nscd myself, for comparison

On 8/24/07, John Drescher <[EMAIL PROTECTED]> wrote:
> > On 23/08/07, Didster <[EMAIL PROTECTED]> wrote:
> > > Thanks,
> > >
> > > I haven't had any other responses to this :o( So I will try and read
> > > through the archives [I did this before posting, but again it won't hurt]
> > >
> > > It's driving me mad!
> >
> > Have you got nscd on?
> >
> I do have nscd as without it my nfs transfers between my linux clients
> were horribly slow. I do not have winbind though. I have just noticed
> I have the same effect (I see my username in the start menu instead of
> my real name). No one has complained so I am not really worried.
>
> John
>


Re: [Samba] Samba + LDAP + displayName attribute

2007-08-23 Thread John Drescher
> On 23/08/07, Didster <[EMAIL PROTECTED]> wrote:
> > Thanks,
> >
> > I haven't had any other responses to this :o( So I will try and read
> > through the archives [I did this before posting, but again it won't hurt]
> >
> > It's driving me mad!
>
> Have you got nscd on?
>
I do have nscd as without it my nfs transfers between my linux clients
were horribly slow. I do not have winbind though. I have just noticed
I have the same effect (I see my username in the start menu instead of
my real name). No one has complained so I am not really worried.

John


Re: [Samba] Samba + LDAP + displayName attribute

2007-08-23 Thread Gavin Henry
On 23/08/07, Didster <[EMAIL PROTECTED]> wrote:
> Thanks,
>
> I haven't had any other responses to this :o( So I will try and read
> through the archives [I did this before posting, but again it won't hurt]
>
> It's driving me mad!

Have you got nscd on?

>
> On 8/21/07, John Drescher <[EMAIL PROTECTED]> wrote:
> > > When signing into Windows XP, everything works fine.  Clicking on the
> > > start menu shows whatever is set in displayName at the top as the
> > > person's name.
> > >
> > > However, after an as yet undetermined amount of time [about 20 mins],
> > > it switches to displaying the UID.  So at the top of the start menu it
> > > will say "Joe Bloggs" for 20 minutes [ish], then switch to showing
> > > "bloggsjoe"
> > >
> > > Just wondering if anyone knows what is causing this?  I know it's not
> > > critical, XP is still able to authenticate after this amount of
> > > time, but there could be other things going on that are not so
> > > visible.
> > >
> > I don't know but I do remember seeing this on the samba-users list a
> > few months back. Not sure when as I read a lot of posts on this
> > list...
> >
> > John
> >


Re: [Samba] Samba + LDAP + displayName attribute

2007-08-23 Thread Didster
Thanks,

I haven't had any other responses to this :o( So I will try and read
through the archives [I did this before posting, but again it won't hurt]

It's driving me mad!

On 8/21/07, John Drescher <[EMAIL PROTECTED]> wrote:
> > When signing into Windows XP, everything works fine.  Clicking on the
> > start menu shows whatever is set in displayName at the top as the
> > person's name.
> >
> > However, after an as yet undetermined amount of time [about 20 mins],
> > it switches to displaying the UID.  So at the top of the start menu it
> > will say "Joe Bloggs" for 20 minutes [ish], then switch to showing
> > "bloggsjoe"
> >
> > Just wondering if anyone knows what is causing this?  I know it's not
> > critical, XP is still able to authenticate after this amount of
> > time, but there could be other things going on that are not so
> > visible.
> >
> I don't know but I do remember seeing this on the samba-users list a
> few months back. Not sure when as I read a lot of posts on this
> list...
>
> John
>


Re: [Samba] Samba + LDAP + displayName attribute

2007-08-21 Thread John Drescher
> When signing into Windows XP, everything works fine.  Clicking on the
> start menu shows whatever is set in displayName at the top as the
> person's name.
>
> However, after an as yet undetermined amount of time [about 20 mins],
> it switches to displaying the UID.  So at the top of the start menu it
> will say "Joe Bloggs" for 20 minutes [ish], then switch to showing
> "bloggsjoe"
>
> Just wondering if anyone knows what is causing this?  I know it's not
> critical, XP is still able to authenticate after this amount of
> time, but there could be other things going on that are not so
> visible.
>
I don't know but I do remember seeing this on the samba-users list a
few months back. Not sure when as I read a lot of posts on this
list...

John


[Samba] Samba + LDAP + displayName attribute

2007-08-21 Thread Didster
Hi All,

I have a rather strange, if not critical, issue with samba as an NT4
domain controller.

We have samba [version 3.0.24] set up as a PDC using LDAP as a
backend.  Each account was created using the IDEALX scripts, has a
displayName set to a users full name, say Joe Bloggs.  The actual UID
of the account is different, say bloggsjoe.

When signing into Windows XP, everything works fine.  Clicking on the
start menu shows whatever is set in displayName at the top as the
person's name.

However, after an as yet undetermined amount of time [about 20 mins],
it switches to displaying the UID.  So at the top of the start menu it
will say "Joe Bloggs" for 20 minutes [ish], then switch to showing
"bloggsjoe"

Just wondering if anyone knows what is causing this?  I know it's not
critical, XP is still able to authenticate after this amount of
time, but there could be other things going on that are not so
visible.

Thanks in advance.


[Samba] Samba+LDAP: Groups and Groupmappings?

2007-08-17 Thread Hadmut Danisch
Hi,

just a question about the representation of Windows Domain groups in
LDAP when using the ldapsam backend: What exactly is required to have
a Windows Domain group properly configured?


Am I correct that there is only a single LDAP object of 

- objectClasses sambaGroupMapping and posixGroup, 

- where the cn and gidNumber tell the posix/unix group stuff, 

- where the sambaSID, the sambaGroupType, and the displayName describe
  the Windows group, 

- and the mapping is done by just having both parts of information in 
  the same object?




Is it correct that the posix group name  (cn) and the windows group
name (displayName) are independent and can be arbitrarily chosen? And
that it does not matter whether the windows group name contains
spaces, where unix/posix group names must not?

regards
Hadmut






Re: [Samba] samba, ldap changing password

2007-06-12 Thread Rune Tønnesen
Hi Adam

Try usermin
http://www.webmin.com/usermin.html
-- 
Rune Tønnesen
Kind Regards/Best Regards



Re: [Samba] samba, ldap changing password

2007-06-12 Thread Adam Tauno Williams
> I have a samba 3 with ldap working as a PDC, my mail server is also using the
> LDAP database for authentication.
> Do you know any web application or script (working with apache) that
> allows users to change their ldap passwords (samba passwords and passwd
> passwords)?
> Usually users can do that from windows clients which log in to the domain,
> but I also have a lot of users using laptops and they don't log in to the domain.

Configure the smbk5pwd module in OpenLDAP and use exop to change your
password(s).  You should be able to perform exops from any scripting
language with a half-way decent LDAP binding.

- 
Adam Tauno Williams, Network & Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org

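What "use exop to change your password" amounts to on the wire, added here as an example; it is neither the poster's code nor part of OpenLDAP or Samba. It hand-encodes a simple bind and an RFC 3062 Password Modify extended request (so it needs no LDAP binding and runs offline), and decodes the request the way the server side, here the smbk5pwd overlay, receives it. The DN uid=luk,ou=people,dc=example,dc=com, the passwords and the host name are constructed; the TLS helper at the end is shown for completeness and is not exercised offline.

```python
import socket
import ssl

PASSWD_MODIFY_OID = b"1.3.6.1.4.1.4203.1.11.1"   # RFC 3062 passwdModify


def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(n):
    # Non-negative INTEGER; the sizing keeps the top bit clear so the value
    # is not read back as negative two's complement.
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def simple_bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] } with simple auth."""
    body = _ber_int(3) + _tlv(0x04, dn.encode("utf-8")) + _tlv(0x80, password.encode("utf-8"))
    return _tlv(0x30, _ber_int(msg_id) + _tlv(0x60, body))


def passwd_modify_request(msg_id, user_dn=None, old_pw=None, new_pw=None):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] } for passwdModify.

    PasswdModifyRequestValue ::= SEQUENCE {
        userIdentity [0] OCTET STRING OPTIONAL,   -- omit to change the bound user
        oldPasswd    [1] OCTET STRING OPTIONAL,   -- the server may insist on it
        newPasswd    [2] OCTET STRING OPTIONAL }  -- omit and the server generates one
    """
    value = b""
    if user_dn is not None:
        value += _tlv(0x80, user_dn.encode("utf-8"))
    if old_pw is not None:
        value += _tlv(0x81, old_pw.encode("utf-8"))
    if new_pw is not None:
        value += _tlv(0x82, new_pw.encode("utf-8"))
    ext = _tlv(0x80, PASSWD_MODIFY_OID) + _tlv(0x81, _tlv(0x30, value))
    return _tlv(0x30, _ber_int(msg_id) + _tlv(0x77, ext))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_passwd_modify_request(msg):
    """Decode the request as the server (and the smbk5pwd overlay) sees it."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    tag, ext, _ = _read_tlv(body, pos)
    if tag != 0x77:
        raise ValueError("not an ExtendedRequest")
    _, oid, pos = _read_tlv(ext, 0)
    if oid != PASSWD_MODIFY_OID:
        raise ValueError("unexpected requestName %r" % oid)
    _, wrapped, _ = _read_tlv(ext, pos)
    _, seq, _ = _read_tlv(wrapped, 0)
    fields = {"msg_id": int.from_bytes(mid, "big")}
    names = {0x80: "user_dn", 0x81: "old_pw", 0x82: "new_pw"}
    pos = 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        fields[names[tag]] = val.decode("utf-8")
    return fields


def change_password_over_ldaps(host, dn, old_pw, new_pw, port=636):
    """Bind as the user and send the exop over TLS; returns the raw replies.

    The bind password and the new password both travel in the clear inside
    the BER, which is why this must only ever go over ldaps:// or StartTLS.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(simple_bind_request(1, dn, old_pw))
        bind_result = tls.recv(4096)
        tls.sendall(passwd_modify_request(2, None, old_pw, new_pw))
        exop_result = tls.recv(4096)
    return bind_result, exop_result
```

With smbk5pwd loaded and "smbk5pwd-enable samba" set on the database, one such request makes slapd rewrite userPassword and the sambaNTPassword/sambaLMPassword pair together, which is what a web form for the laptop users needs to send (any LDAP library's "password modify" call produces exactly these bytes). Because the exop is evaluated under the normal ACLs, the bound user still needs write access to those attributes.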


[Samba] samba, ldap changing password

2007-06-12 Thread empirium

Hello
I have a samba 3 with ldap working as a PDC, my mail server is also using the
LDAP database for authentication.
Do you know any web application or script (working with apache) that
allows users to change their ldap passwords (samba passwords and passwd
passwords)?
Usually users can do that from windows clients which log in to the domain,
but I also have a lot of users using laptops and they don't log in to the domain.

Thanks in advance
luk


Anyone? :o) Re: [Samba] Samba LDAP Directory Tree details

2007-05-21 Thread [EMAIL PROTECTED]

[EMAIL PROTECTED] wrote:

Hello List,

I have set up a samba pdc with ldap, smbldap-tools about one year ago. 
Now I would like to extend it with OX, squid, etc...
After checking out the LDAP Directory tree I was wondering what the 
Organisation Units "DSA" and "Idmap" are good for?


My current tree looks like this:

dc=example,dc=com
+ ou=Computers
+ ou=DSA
+ ou=Groups
+ ou=Idmap
+ ou=Users
+ sambaDomainName=MyDomain



I also had a look at Collax's PDC and they even have an additional 
PosixGroup. Their tree looks like this:

dc=example,dc=com
+ ou=ABook
+ ou=groups
+ ou=Infrastructure
+ ou=people
+ ou=posixgroups
+ sambaDomainName=MyDomain


Any idea why they have "groups" and "posixgroups"?


If I would like to add other services than samba, would a directory 
tree like Collax has make more sense than my current "samba-only" tree?


Thanks, Mario




[Samba] Samba LDAP Directory Tree details

2007-05-20 Thread [EMAIL PROTECTED]

Hello List,

I have set up a samba pdc with ldap, smbldap-tools about one year ago. 
Now I would like to extend it with OX, squid, etc...
After checking out the LDAP Directory tree I was wondering what the 
Organisation Units "DSA" and "Idmap" are good for?


My current tree looks like this:

dc=example,dc=com
+ ou=Computers
+ ou=DSA
+ ou=Groups
+ ou=Idmap
+ ou=Users
+ sambaDomainName=MyDomain



I also had a look at Collax's PDC and they even have an additional 
PosixGroup. Their tree looks like this:

dc=example,dc=com
+ ou=ABook
+ ou=groups
+ ou=Infrastructure
+ ou=people
+ ou=posixgroups
+ sambaDomainName=MyDomain


Any idea why they have "groups" and "posixgroups"?


If I would like to add other services than samba, would a directory tree 
like Collax has make more sense than my current "samba-only" tree?


Thanks, Mario


[Samba] Samba/LDAP PDC and member servers

2007-04-29 Thread Julian Pilfold-Bagwell

Hi All,

I have a problem with permissions following a migration from tdbsam to LDAP.

As I understand it from the documentation, each member server on the 
domain needs to have 2 SIDs, a domain SID and a local machine SID. After 
migrating the server to ldap, users can still log in and desktops and 
servers can still connect so the machine accounts are fine but I've lost 
access to shares on member servers. I've set the smb.conf to obtain the 
unix user and group info from the LDAP server and the conditions are met:


1) I can su to a UNIX account on any machine

2) wbinfo -u & -g return full and correct user & group listings.

3) net groupmap list on all servers returns identical map lists

4) logging into any server and running id  produces identical 
user and group id's


I have 777 as permissions on the share and its parent directory and I 
have tried valid users, read list and write list with @"Group" and 
+"NTDomain\groupname" with no success. The only member server I can 
access shares on is one that has the same SID for local and machine 
although users and groups show up as SERVERNETBIOSNAME\group.


It states in the documentation that each member server has different 
domain and machine SIDs but does that include the PDC? Given that the 
PDC itself has to be joined to the NT Domain with net rpc join I suspect 
that's the case but I haven't found anything confirming it. Can anyone 
elaborate?


Cheers,

Jools


Re: [Samba] Samba - LDAP - Kerberos

2007-04-05 Thread Andrew Bartlett
On Thu, 2007-04-05 at 14:35 +0200, Jörg Herzinger wrote:
> > Like Kerberos, Samba needs the password-equivalent values, or some other
> > process that will perform the same calculations on them (like a DC for a
> > member server).  There isn't any way around that.  Interestingly Heimdal
> > 0.8 includes code to do this in the KDC (we don't have a client for this
> > yet, but it is a very interesting move).  
> 
> > Andrew Bartlett
> 
> Ok, I see the problem now. Since I am in a small network sending unencrypted 
> passwords wouldn't be a problem and when samba has the cleartext password
> authenticating via PAM or anything else shouldn't be a problem, right?

You can't do domain logons with plaintext passwords, and it is far less
stable, even for normal operations (with windows clients, after applying
the registry patch).  Just don't do it.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Red Hat Inc.  http://redhat.com



Re: [Samba] Samba - LDAP - Kerberos

2007-04-05 Thread Jörg Herzinger
> Like Kerberos, Samba needs the password-equivalent values, or some other
> process that will perform the same calculations on them (like a DC for a
> member server).  There isn't any way around that.  Interestingly Heimdal
> 0.8 includes code to do this in the KDC (we don't have a client for this
> yet, but it is a very interesting move).  

> Andrew Bartlett

Ok, I see the problem now. Since I am in a small network sending unencrypted 
passwords wouldn't be a problem and when samba has the cleartext password
authenticating via PAM or anything else shouldn't be a problem, right?


Re: [Samba] Samba - LDAP - Kerberos

2007-04-05 Thread Andrew Bartlett
On Wed, 2007-04-04 at 15:18 +0200, Jörg Herzinger wrote:
> > The other option is the smbk5pwd module for openldap, and setting 'ldap 
> > password sync = yes'.  I've not used it myself, but I'm told it works.
> 
> Hmm, thanks, but this module is just a dirty trick in my eyes and it
> works just for Heimdal Kerberos but I use MIT-Kerberos. I almost can't
> believe that samba supports no other way of authenticating local users
> than its own database.

Like Kerberos, Samba needs the password-equivalent values, or some other
process that will perform the same calculations on them (like a DC for a
member server).  There isn't any way around that.  Interestingly Heimdal
0.8 includes code to do this in the KDC (we don't have a client for this
yet, but it is a very interesting move).  

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Red Hat Inc.  http://redhat.com



Re: [Samba] Samba - LDAP - Kerberos

2007-04-04 Thread Jörg Herzinger
> The other option is the smbk5pwd module for openldap, and setting 'ldap 
> password sync = yes'.  I've not used it myself, but I'm told it works.

Hmm, thanks, but this module is just a dirty trick in my eyes and it works just 
for Heimdal Kerberos but I use MIT-Kerberos. I almost can't believe that samba 
supports no other way of authenticating local users than its own database.


Re: [Samba] Samba - LDAP - Kerberos

2007-04-04 Thread Andrew Bartlett
On Tue, 2007-04-03 at 21:47 -0400, Sean Elble wrote:
> On 4/3/07 1:20 PM, "Jörg Herzinger" <[EMAIL PROTECTED]> wrote:
> 
> > Hello. I'm trying to implement a single-sign-on system with MIT-Kerberos and
> > OpenLDAP. These two are currently working pretty well, but now I'm trying to
> > add samba to this system. I've found a lot of tutorials about samba PDC with
> > LDAP backend, but this is of course not quite what I want. My passwords are
> > stored in the kerberos database and userdata is stored in LDAP.
> > Is there a way to authenticate samba through LDAP/Kerberos? Or is it maybe
> > possible to authenticate samba through PAM?
> > 
> 
> It's an idea a lot of people want to implement, but sadly, it is not
> possible for Samba to use a Kerberos password database, at least not while
> using encrypted passwords. The reason being is that, when Samba uses
> encrypted passwords, it has no access to the password itself, only the
> hashed representation. In addition, the encryption hash, if you will, that
> Windows uses is nothing like the encryption hash used by Kerberos. This is a
> bit of a simplification, but it is how I understand it.

This is incorrect.  Heimdal can use Samba's password database as a
backend, because the sambaNTPassword is what Microsoft made the
arcfour-hmac-md5 kerberos key out of. 

> I have achieved a sort of single-sign-on environment by using Samba's
> password script functionality to change both the Samba password (stored in a
> LDAP backend) and the Kerberos password at the same time. My particular
> setup involves Samba running on the same machine as the KDC daemon, which
> allows me to use these Samba parameters in smb.conf:
> 
> unix password sync = yes
> passwd program = /usr/kerberos/sbin/kadmin.local -q 'cpw %u'
> passwd chat = "Authenticating as principal*"\n"Enter password for
> principal *"%u"*:*" %n\n \n"Re-enter password for principal *"%u"*:*" %n\n
> \n"Password for *"%u"@* changed."\n
> 
> This probably would not be the best setup in an enterprise environment, but
> at my in-home "lab" where I play with this kind of stuff, it works just
> fine, as long as my "users" remember to change their passwords via Windows
> (i.e. Not your typical passwd/kpasswd programs). Hope that helps . . .

The other option is the smbk5pwd module for openldap, and setting 'ldap
password sync = yes'.  I've not used it myself, but I'm told it works.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Red Hat Inc.  http://redhat.com


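Why the NT hash is enough for a KDC, shown as an added example that is not from the thread, from Heimdal or from Samba: RFC 4757 defines the rc4-hmac (etype 23) string-to-key as MD4 over the UTF-16LE password, which is byte for byte the NT hash that Samba stores in sambaNTPassword, so a KDC that can read that attribute can issue RC4 tickets without ever seeing the cleartext. MD4 is implemented here in pure Python so the example does not depend on OpenSSL's legacy provider; the password "password" and the attribute values are constructed, and the RFC 1320 test vectors plus the widely published NT hash of "password" serve as checks.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


# RFC 1320: per round, the auxiliary function, additive constant, order in
# which the 16 message words are consumed, and the four rotation amounts.
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
     (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)


def md4(data):
    """MD4 digest (16 bytes) of `data`, straight from RFC 1320."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"                    # padding: a 1 bit, zeros ...
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)  # ... then the bit length
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, const, order, shifts in _ROUNDS:
            for i, k in enumerate(order):
                t = (-i) % 4          # register being updated cycles a, d, c, b
                x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rotl((v[t] + fn(x, y, z) + X[k] + const) & MASK, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash: unsalted MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


def samba_nt_password(password):
    """The value Samba stores in sambaNTPassword: 32 uppercase hex digits."""
    return nt_hash(password).hex().upper()


def rc4_hmac_string_to_key(password):
    """RFC 4757 string-to-key for etype 23 (rc4-hmac): the same 16 bytes."""
    return nt_hash(password)


def rc4_hmac_key_from_samba(samba_nt_password):
    """What a KDC with read access to the attribute derives; no cleartext needed."""
    return bytes.fromhex(samba_nt_password)


if __name__ == "__main__":
    stored = samba_nt_password("password")   # constructed example password
    print("sambaNTPassword:", stored)
    assert rc4_hmac_key_from_samba(stored) == rc4_hmac_string_to_key("password")
```

The same property is the warning: sambaNTPassword is unsalted and is a password equivalent for both NTLM and Kerberos RC4, so anyone who can read it can authenticate as the user. Treat read access to it (and to sambaLMPassword) in the slapd ACLs exactly as you treat userPassword.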

Re: Re: [Samba] Samba - LDAP - Kerberos

2007-04-04 Thread Jörg Herzinger
I already thought that this is not possible. Is there no other way of 
authenticating samba? PAM, SASL, ANYTHING. I mean, I like samba, but in terms 
of user authentication it really isn't flexible.


Re: [Samba] Samba - LDAP - Kerberos

2007-04-03 Thread Sean Elble
On 4/3/07 1:20 PM, "Jörg Herzinger" <[EMAIL PROTECTED]> wrote:

> Hello. I'm trying to implement a single-sign-on system with MIT-Kerberos and
> OpenLDAP. These two are currently working pretty well, but now I'm trying to
> add samba to this system. I've found a lot of tutorials about samba PDC with
> LDAP backend, but this is of course not quite what I want. My passwords are
> stored in the kerberos database and userdata is stored in LDAP.
> Is there a way to authenticate samba through LDAP/Kerberos? Or is it maybe
> possible to authenticate samba through PAM?
> 

It's an idea a lot of people want to implement, but sadly, it is not
possible for Samba to use a Kerberos password database, at least not while
using encrypted passwords. The reason being is that, when Samba uses
encrypted passwords, it has no access to the password itself, only the
hashed representation. In addition, the encryption hash, if you will, that
Windows uses is nothing like the encryption hash used by Kerberos. This is a
bit of a simplification, but it is how I understand it.

I have achieved a sort of single-sign-on environment by using Samba's
password script functionality to change both the Samba password (stored in a
LDAP backend) and the Kerberos password at the same time. My particular
setup involves Samba running on the same machine as the KDC daemon, which
allows me to use these Samba parameters in smb.conf:

unix password sync = yes
passwd program = /usr/kerberos/sbin/kadmin.local -q 'cpw %u'
passwd chat = "Authenticating as principal*"\n"Enter password for
principal *"%u"*:*" %n\n \n"Re-enter password for principal *"%u"*:*" %n\n
\n"Password for *"%u"@* changed."\n

This probably would not be the best setup in an enterprise environment, but
at my in-home "lab" where I play with this kind of stuff, it works just
fine, as long as my "users" remember to change their passwords via Windows
(i.e. Not your typical passwd/kpasswd programs). Hope that helps . . .


> tia,
> Bowser

-- 
+-+
|  Sean Elble |
|  Virginia Tech, Class of 2008   |
|  Vice President, VTLUUG |
|  E-Mail:   [EMAIL PROTECTED]|
|  Web:  http://www.sessys.com/~elbles/   |
+-+

[Samba] Samba - LDAP - Kerberos

2007-04-03 Thread Jörg Herzinger
Hello. I'm trying to implement a single-sign-on system with MIT-Kerberos and 
OpenLDAP. These two are currently working pretty well, but now I'm trying to 
add samba to this system. I've found a lot of tutorials about samba PDC with 
LDAP backend, but this is of course not quite what I want. My passwords are 
stored in the kerberos database and userdata is stored in LDAP.
Is there a way to authenticate samba through LDAP/Kerberos? Or is it maybe 
possible to authenticate samba through PAM?

tia,
Bowser


[Samba] Samba-LDAP interdomain trust

2007-03-26 Thread Allysson Steve Mota Lacerda

I'm trying to create a trust between two Samba-LDAP domains (on a single
server).

I'm following Samba Howto Collection
(http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#id335566)
but I'm getting the error below.

[EMAIL PROTECTED]:~# /usr/local/samba.labi/bin/net rpc testjoin -S
rpc_client/cli_pipe.c:get_schannel_session_key(2443)
 get_schannel_session_key: could not fetch trust account password for
domain 'LABI'
utils/net_rpc_join.c:net_rpc_join_ok(70)
 net_rpc_join_ok: failed to get schannel session key from server LABISERVER
for domain LABI. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'LABI' is not valid

Are there any restrictions to Samba-LDAP trusts? Does anyone know how to
solve this?

Thanks.

--
Allysson Steve Mota Lacerda
[EMAIL PROTECTED]
http://www.stevelacerda.net


[Samba] samba ldap export account

2007-03-15 Thread Pascal Legrand

Hello
I'm trying to export the old passwd/smbpasswd accounts to the ldap directory 
with pdbedit :
pdbedit -e tdbsam:test
pdbedit -i tdbsam:test

but when I do that there is no posix information.
What is the way to get that information?
thank you
--

---
Pascal Legrand
*IUT de Chartres* - _Service Informatique_
---
1, place Roger Joly
28000 Chartres
Tel : 02 37 91 83 36 - Fax: 02 37 91 83 01




Re: [Samba] samba+Ldap+smbldap-tools

2007-03-14 Thread sato x

Asier was right: you don't need the "passwd program" line in smb.conf, even
if it's not an smbldap application.  The smbldap application that is used to change
the user password is smbldap-passwd. Please check your ACL in slapd.conf.
Mine is

# Password hashes: the owner may change them, anyone may bind with them,
# nobody else may read them. Samba's "ldap admin dn" must either be the
# rootdn (which bypasses ACLs) or be given an explicit "by dn=... write".
access to attr=userPassword,sambaLMPassword,sambaNTPassword
   by self write
   by anonymous auth
   by * none

# Everything else is world-readable.
access to *
   by * read

It should work for you as well.

PS. You didn't forget to run the "smbpasswd -w Password", did you?


On 3/12/07, Asier Baranguán <[EMAIL PROTECTED]> wrote:


Chechu wrote:
> I have a problem with the smbldap-tools... when I try to change the
> passwd from a user in win... I get the error "", and I know that the
> script of smbldap-tools fails when it tries to execute the next line:

[ ... ]

This looks mostly an ACL problem in your LDAP server (OpenLDAP?).

> [global]
>
>workgroup = IRONMAN
>netbios name = SHOGUN
>server string = SAMBA-LDAP PDC server
> ;  wins support = no
> ;  wins server = w.x.y.z

Hmmm... A domain without a WINS server? If you have Windows clients a WINS
server is not strictly necessary, but it's strongly advised.

>security = user
>encrypt passwords = true
>passdb backend = ldapsam:ldaps://shogun.ironman.es:636
> ;  guest account = guest
>invalid users = root
>unix password sync = no
> ;   ldap passwd sync = yes

With this settings I assume that your samba users don't need to be
recognized as regular
users.

>passwd program = /usr/sbin/changepasswd.atc   -o %u

Emmm... Does this script call smbldap-passwd?




Re: [Samba] samba+Ldap+smbldap-tools

2007-03-12 Thread Asier Baranguán

Chechu wrote:

I have a problem with the smbldap-tools... when I try to change the
passwd from a user in win... I get the error "", and I know that the
script of smbldap-tools fails when it tries to execute the next line:


[ ... ]

This looks mostly an ACL problem in your LDAP server (OpenLDAP?).


[global]

   workgroup = IRONMAN
   netbios name = SHOGUN
   server string = SAMBA-LDAP PDC server
;  wins support = no
;  wins server = w.x.y.z


Hmmm... A domain without a WINS server? If you have Windows clients a WINS server is not 
strictly necessary, but it's strongly advised.



   security = user
   encrypt passwords = true
   passdb backend = ldapsam:ldaps://shogun.ironman.es:636
;  guest account = guest
   invalid users = root
   unix password sync = no
;   ldap passwd sync = yes


With this settings I assume that your samba users don't need to be recognized as regular 
users.



   passwd program = /usr/sbin/changepasswd.atc   -o %u


Emmm... Does this script call smbldap-passwd?


[Samba] samba+Ldap+smbldap-tools

2007-03-11 Thread Chechu

hi,

I have a problem with the smbldap-tools... when I try to change the
passwd from a user in win... I get the error "", and I know that the
script of smbldap-tools fails when it tries to execute the next line:

# non-root user
if (!defined($oldpass)) {
  # prompt for current password on the terminal
  system "stty -echo";
  print "(current) UNIX password: ";

  chomp($oldpass=<STDIN>);   ###(this line)###

  print "\n";
  system "stty echo";
}

My smb.conf is :


[global]

   workgroup = IRONMAN
   netbios name = SHOGUN
   server string = SAMBA-LDAP PDC server
;  wins support = no
;  wins server = w.x.y.z
   interfaces = eth1
;  pam password change = Yes
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
;  syslog only = yes
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   name resolve order = lmhosts host wins bcast

## AUTHENTICATION ##

   security = user
   encrypt passwords = true
   passdb backend = ldapsam:ldaps://shogun.ironman.es:636
;  guest account = guest
   invalid users = root
   unix password sync = no
;   ldap passwd sync = yes
   passwd program = /usr/sbin/changepasswd.atc   -o %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
 ;  obey pam restrictions = yes
 ;  pam password change = no


#LDAP#


   ldap admin dn = cn=admin,dc=ironman,dc=es
   ldap ssl = on
   ldap delete dn = no
   ldap suffix = dc=ironman,dc=es
   ldap user suffix = ou=people
   ldap group suffix = ou=groups
  ldap machine suffix = ou=machines
## Printing ##

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   load printers = yes

# lpr(ng) printing. You may wish to override the location of the
# printcap file
;   printing = bsd
;   printcap name = /etc/printcap

# CUPS printing.  See also the cupsaddsmb(8) manpage in the
# cupsys-client package.
   printing = cups
   printcap name = cups

# When using [print$], root is implicitly a 'printer admin', but you can
# also give this right to other users to add drivers and set printer
# properties
   printer admin = @domainprintoperators

###PDC###

   os level = 80
   preferred master = yes
   domain master = yes
   local master = yes
   domain logons = yes
   logon path = //SHOGUN/profiles/%u
   logon drive = V:
   logon home = //SHOGUN/%u
   logon script =%u.bat
;   domain admin group = @domainadmins
  add user script = /usr/local/sbin/smbldap-useradd -w %u



Can someone help me?

thanks


Re: [Samba] Samba+LDAP wrong domain name

2007-03-09 Thread Tim Boneko
Luis Filipe Lobo wrote:
> [global]
>workgroup = ALUNOS
>server string = %h

Did you test the behaviour with an unset "server string" option, i.e.
commented out? Or with a

netbios name = PUKEBOX

timbo


Re: [Samba] samba+ldap: Simu.- login of 2 different users => user rejected

2007-03-09 Thread Tim Boneko
>>> obey pam restrictions = yes
>>> pam password change =   yes

I reconfigured the server at these points (and profile acls = yes). At
least it improved the inaccessible profile: One of the 2 concurrent
clients gets its profile instantly, the other one has a minute of
waiting before getting its data.

I'll still have to increase the log level. Didn't have time for much the
past few days.
Thanks again,

  timbo


[Samba] Samba+LDAP wrong domain name

2007-03-09 Thread Luis Filipe Lobo

Hi!

I am using samba 3.0.24 with backend ldapsam.
When I restart samba it tries to create the sambaDomainName entry in
ldap with the domain name; the problem is, it does not create the entry
with the name specified in the workgroup attribute (in smb.conf), it creates
one with the name of the machine.

Am I doing something wrong?

Best regards,
Luis Lobo

Here is a snippet of my smb.conf:

[global]
   workgroup = ALUNOS
   server string = %h
   domain master = yes
   domain logons = yes
   preferred master = yes
   ...


Re: [Samba] samba+ldap: Simu.- login of 2 different users => user rejected

2007-03-06 Thread Tim Boneko
Felipe Augusto van de Wiel wrote:

>   PAM: UNKNOWN PAM ERROR is not something nice to see
> on your logs. 

That's sad but true...

>   Did you already increase the log level of Samba?

I'll check that tomorrow (hopefully).
>   Simultaneously should be interpreted "at the exactly
> same time", or should be interpreted as "a user logs in the
> morning and the same user logs in the afternoon".

They hit the return key at the same second. Found it out when I did some
performance tuning and testing (which showed that the SO_xBUF options
indeed increased it. I'm at 8 MB/sec net data rate on a 100Mbit net.
Is that acceptable for you?)

>> obey pam restrictions = yes
>> pam password change =   yes
> 
>   You are using PAM, so you really should check
> there, it could be the problem.

OK, I'll try it tomorrow. I'm not sure why these options are set, must
have been me some months ago... darn amateurs...

Many thanks for your hints, I'll let you know the effects!

timbo


Re: [Samba] samba+ldap: Simu.- login of 2 different users => user rejected

2007-03-06 Thread Felipe Augusto van de Wiel

On 03/05/2007 02:02 PM, Tim Boneko wrote:
> Has anybody had this problem before? If not, where should i 
> start digging?

By the logs you sent, definitely PAM. :-)


> I'm running Samba 3.0.24 on Debian stable with slapd-2.2.23 backend.
> smb.conf is attached below.
> When two different users log in at the same moment, the login process
> seems to freeze for a minute and the client (win2k) complains about
> missing profile or missing access to profile. A single user login works
> perfectly.
> 
> The log.smbd contains this:
> 
> krake smbd[28474]: [2007/03/05 15:06:09, 0]
> auth/pampass.c:smb_pam_account(573)
> krake smbd[28474]:   smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during
> Account Management for User: ws13
> krake smbd[28474]: [2007/03/05 15:06:09, 0]
> auth/pampass.c:smb_pam_accountcheck(781)
> krake smbd[28474]:   smb_pam_accountcheck: PAM: Account Validation
> Failed - Rejecting User ws13!

PAM: UNKNOWN PAM ERROR is not something nice to see
on your logs. By the description of the problem, I would
say that the attempt to access the profile (especially if it is
a big one) could lead to RO/RW problems, but I'm not sure,
that's just MHO.


> Nothing interesting in auth.log and the same message in 
> syslog (where slapd logs to).
> I don't know if this is a samba issue or ldap or network...

It seems something in the middle. ;)

Did you already increase the log level of Samba?


> Any suggestions are highly welcome. We've got 20+ clients and users
> typically log in simultaneously.

Should "simultaneously" be interpreted as "at exactly the
same time", or as "a user logs in in the morning and the
same user logs in in the afternoon"?



>   timbo
> 
> smb.conf:

[...]
> obey pam restrictions = yes
> pam password change =   yes

You are using PAM, so you really should check
there, it could be the problem.


> socket options =IPTOS_LOWDELAY SO_SNDBUF=32768 SO_RCVBUF=32768

Are you aware that under kernel 2.6.x you
can have a better network performance if you remove
SO_SNDBUF and SO_RCVBUF?


> [netlogon]
> path = /ghswa/home/netlogon
> write list = supervisor
> browseable = yes
> 
> [profiles]
> path = /ghswa/home/%u
> writeable = yes
> write list = %u
> browseable = no

Maybe you should try 'csc policy = disable' and maybe
'profile acls' can help you on this one.


Kind regards,

- --
Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)


[Samba] samba+ldap: Simu.- login of 2 different users => user rejected

2007-03-05 Thread Tim Boneko
Has anybody had this problem before? If not, where should I start digging?

I'm running Samba 3.0.24 on Debian stable with slapd-2.2.23 backend.
smb.conf is attached below.
When two different users log in at the same moment, the login process
seems to freeze for a minute and the client (win2k) complains about
missing profile or missing access to profile. A single user login works
perfectly.

The log.smbd contains this:

krake smbd[28474]: [2007/03/05 15:06:09, 0]
auth/pampass.c:smb_pam_account(573)
krake smbd[28474]:   smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during
Account Management for User: ws13
krake smbd[28474]: [2007/03/05 15:06:09, 0]
auth/pampass.c:smb_pam_accountcheck(781)
krake smbd[28474]:   smb_pam_accountcheck: PAM: Account Validation
Failed - Rejecting User ws13!

Nothing interesting in auth.log and the same message in syslog (where
slapd logs to).
I don't know if this is a samba issue or ldap or network...

Any suggestions are highly welcome. We've got 20+ clients and users
typically log in simultaneously.

timbo

smb.conf:

panic action = /usr/share/samba/panic-action %d
dos charset = 850
unix charset = ISO-8859-15
display charset = ISO-8859-15

netbios name =  KRAKE
workgroup = GHSWA
hosts allow =   192.168.
inherit acls =  yes
update encrypted =  yes
obey pam restrictions = yes
pam password change =   yes
socket options =IPTOS_LOWDELAY SO_SNDBUF=32768 SO_RCVBUF=32768
passdb backend =ldapsam:ldap://127.0.0.1
os level =  65
preferred master =  yes
domain master = yes
local master =  yes
wins support =  yes
time server =   yes
security =  user
admin users =   supervisor

add user script =   smbldap-useradd -m -a %u
delete user script =smbldap-userdel %u
add group script =  smbldap-groupadd -p %g
delete group script =   smbldap-groupdel %g
add user to group script = smbldap-groupmod -m %u %g
delete user from group script = smbldap-groupmod -x %u %g
set primary group script = smbldap-usermod -g %u %g
add machine script = smbldap-useradd -w %u

domain logons = yes
logon path =\\KRAKE\%U\.winprofile
logon home =\\%L\%U
logon script =  logon.bat
preserve case = yes
short preserve case =   yes
case sensitive =no
guest ok =  no
printcap =  cups

ldap admin dn = cn=supervisor,dc=ghswa
ldap delete dn =yes
ldap user suffix =  ou=Users
ldap group suffix = ou=Groups
ldap machine suffix =   ou=Machines
ldap passwd sync =  yes
ldap suffix =   dc=ghswa
ldap ssl =  no
host msdfs =yes


[netlogon]
path = /ghswa/home/netlogon
write list = supervisor
browseable = yes

[profiles]
path = /ghswa/home/%u
writeable = yes
write list = %u
browseable = no

[...other shares...]
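The smbd lines above are the kind of thing worth parsing rather than eyeballing. The following is an added example, not code from this thread or from Samba: it reads constructed log lines in the same format (each message unwrapped onto one syslog line, as syslog actually writes it), pairs each smb_pam_account failure with the timestamp from the preceding debug header of the same smbd process, names the PAM return code, and flags seconds in which more than one distinct user was rejected, which is the concurrent-logon pattern described in the post. The code names assume Linux-PAM's numbering, an assumption about the poster's Debian system; other PAM implementations number their return codes differently.

```python
"""Pull smbd PAM account-management failures out of syslog lines.

Added example, not code from this thread or from Samba. SAMPLE_LOG is
constructed: it follows the log.smbd format posted above, with each
message unwrapped onto a single syslog line, and is not the poster's log.
The code names assume Linux-PAM's numbering (the poster runs Debian);
other PAM implementations number their return codes differently.
"""
import re
from collections import Counter, defaultdict

# Linux-PAM return codes as listed in its _pam_types.h. Samba's message
# prints only the number, so the name has to be looked up here.
LINUX_PAM_CODES = {
    0: "PAM_SUCCESS", 1: "PAM_OPEN_ERR", 2: "PAM_SYMBOL_ERR",
    3: "PAM_SERVICE_ERR", 4: "PAM_SYSTEM_ERR", 5: "PAM_BUF_ERR",
    6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 8: "PAM_CRED_INSUFFICIENT",
    9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN", 11: "PAM_MAXTRIES",
    12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED",
}

# Debug header: "smbd[pid]: [YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER_RE = re.compile(
    r"smbd\[(\d+)\]: \[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), \d+\]")
# The auth/pampass.c message that follows such a header
ACCOUNT_RE = re.compile(
    r"smbd\[(\d+)\]:\s+smb_pam_account: PAM: UNKNOWN PAM ERROR \((\d+)\) "
    r"during Account Management for User: (\S+)")

# Constructed sample, modelled on the posted lines; not the poster's log.
SAMPLE_LOG = """\
krake smbd[28474]: [2007/03/05 15:06:09, 0] auth/pampass.c:smb_pam_account(573)
krake smbd[28474]:   smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: ws13
krake smbd[28474]: [2007/03/05 15:06:09, 0] auth/pampass.c:smb_pam_accountcheck(781)
krake smbd[28474]:   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User ws13!
krake smbd[28475]: [2007/03/05 15:06:09, 0] auth/pampass.c:smb_pam_account(573)
krake smbd[28475]:   smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: ws07
krake smbd[28475]: [2007/03/05 15:06:09, 0] auth/pampass.c:smb_pam_accountcheck(781)
krake smbd[28475]:   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User ws07!
krake smbd[28480]: [2007/03/05 15:09:41, 0] auth/pampass.c:smb_pam_account(573)
krake smbd[28480]:   smb_pam_account: PAM: UNKNOWN PAM ERROR (10) during Account Management for User: nosuch
""".splitlines()


def parse_pam_failures(lines):
    """Return one event per smb_pam_account failure, each carrying the
    timestamp of the last debug header seen for the same smbd pid."""
    last_ts = {}      # pid -> timestamp of its most recent debug header
    events = []
    for line in lines:
        h = HEADER_RE.search(line)
        if h:
            last_ts[h.group(1)] = h.group(2)
            continue
        a = ACCOUNT_RE.search(line)
        if a:
            pid, code, user = a.group(1), int(a.group(2)), a.group(3)
            events.append({"ts": last_ts.get(pid), "pid": pid, "user": user,
                           "code": code,
                           "name": LINUX_PAM_CODES.get(code, "unknown")})
    return events


def summarize(events):
    """Counts per PAM code and per user, plus the seconds in which more
    than one distinct user was rejected (the concurrent-logon pattern)."""
    by_code = Counter(e["name"] for e in events)
    by_user = Counter(e["user"] for e in events)
    per_second = defaultdict(set)
    for e in events:
        per_second[e["ts"]].add(e["user"])
    concurrent = {ts: sorted(users)
                  for ts, users in per_second.items() if len(users) > 1}
    return {"by_code": by_code, "by_user": by_user, "concurrent": concurrent}
```

Feed it the real log with `parse_pam_failures(open("/var/log/samba/log.smbd"))`; the `concurrent` map answers the "same second?" question from the follow-up directly, and `by_code` shows at a glance whether the rejections are all the same PAM condition or a mix.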


[Samba] Samba/LDAP PDC problem

2007-01-29 Thread Guillaume
Hi

I want to run a Samba PDC with LDAP backend on a FreeBSD 6.2 for Sparc64.

And of course, if I send this mail, it is not working! :-(

I have this error message when using smbclient on the PDC itself.
The command line is: smbclient -L janus -Uadministrator%toto
The result is: session setup failed: Call returned zero bytes (EOF)

I've tested on 2 different FreeBSD 6.2 Sparc64 systems, and I have the same problem.
But I've also tested on a FreeBSD 6.2 i386 with exactly the same
configuration, and it is working very well. And it is also working on a
Debian Etch for Sparc64!
The version of Samba is always up to date.

Thanks for any help.


I put here my config file for Samba:
---
# General parameters
netbios name = janus
work group = tatooine
server string = janus (Centile PDC Server)
dns proxy = no
wins support = yes
name resolve order = wins lmhosts host bcast
time server = yes
#socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192

# Logging
log file = /var/log/samba/log.%m
syslog = 0
log level = 10
max log size = 1000

# This server is the PDC
domain logons = yes
os level = 35
local master = yes
prefered master = yes
domain master = yes
security = user
encrypt passwords = yes

# Admin groups
admin users = @administrators

# Profiles
logon path =
logon home =
logon drive = u:
logon script = %U.bat

# LDAP parameters
passdb backend = "ldapsam:ldaps://ldap1.centile.com/"
ldap ssl = on
ldap suffix = ou=internal,o=centile,dc=com
ldap admin dn = cn=manager,o=centile,dc=com
ldap machine suffix = ou=computers
ldap user suffix = ou=users
ldap group suffix = ou=groups
#ldap idmap suffix  = ou=users
ldap passwd sync = yes

# Netlogon
#[netlogon]
#  comment = Repertoire Netlogon
#  path = /var/db/samba/netlogon
#  browsable = yes
#  read only = no
#  write list = @administrateurs
#  create mask = 0644
---

And here is the corresponding log file at level 10:
---
[2007/01/29 10:17:26, 6] param/loadparm.c:lp_file_list_changed(2998)
  lp_file_list_changed()
  file /usr/local/etc/smb.conf -> /usr/local/etc/smb.conf  last
mod_time: Mon Jan 29 10:06:43 2007

[2007/01/29 10:17:26, 5] auth/auth_util.c:make_user_info_map(161)
  make_user_info_map: Mapping user [TATOOINE]\[administrator] from
workstation [JANUS]
[2007/01/29 10:17:26, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/01/29 10:17:26, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/01/29 10:17:26, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/01/29 10:17:26, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2007/01/29 10:17:26, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2007/01/29 10:17:26, 5] auth/auth_util.c:is_trusted_domain(2020)
  is_trusted_domain: Checking for domain trust with [TATOOINE]
[2007/01/29 10:17:26, 5]
passdb/secrets.c:secrets_fetch_trusted_domain_password(340)
  secrets_fetch failed!
[2007/01/29 10:17:26, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/01/29 10:17:26, 10] lib/gencache.c:gencache_get(329)
  Cache entry with key = TDOM/TATOOINE couldn't be found
[2007/01/29 10:17:26, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
  no entry for trusted domain TATOOINE found.
[2007/01/29 10:17:26, 5] auth/auth_util.c:make_user_info(75)
  attempting to make a user_info for administrator (administrator)
[2007/01/29 10:17:26, 5] auth/auth_util.c:make_user_info(85)
  making strings for administrator's user_info struct
[2007/01/29 10:17:26, 5] auth/auth_util.c:make_user_info(117)
  making blobs for administrator's user_info struct
[2007/01/29 10:17:26, 10] auth/auth_util.c:make_user_info(135)
  made an encrypted user_info for administrator (administrator)
[2007/01/29 10:17:26, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password:  Checking password for unmapped user
[EMAIL PROTECTED] with the new password interface
[2007/01/29 10:17:26, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]
[2007/01/29 10:17:26, 10] auth/auth.c:check_ntlm_password(233)
  check_ntlm_password: auth_context challenge created by NTLMSSP
callback (NTLM2)
[2007/01/29 10:17:26, 10] auth/auth.c:check_ntlm_password(235)
  challenge is:
[2007/01/29 10:17:26, 5] lib/util.c:dump_data()
  [000] 56 D3 03 25 4A 00 8D 86   V..%J...
[2007/01/29 10:17:26, 10] auth/auth.c:check_ntlm_password(261)
  check_ntlm_password: guest had nothing to say
[2007/01/29 10:17:26, 8] lib/util.c:is_myname(2043)
  is_myname("TATOOINE") returns 0
[2007/01/29 10:17:26, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/01/29 10:17:26, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/01/29 10:17:26, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/01/29 10:17:26, 5] a
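Several messages in this thread paste a complete smb.conf, and a few of the settings in them (ldap ssl = no against a non-local directory, admin users, and a level-10 debug log like the one above, which prints the NTLM challenge bytes) are the ones a reviewer would want to spot mechanically. The following is an added example, not code from the thread or from the Samba project: a small reader for the smb.conf format (comment lines, sections, backslash continuation, and Samba's case- and whitespace-insensitive parameter names) with a handful of checks on [global]. SAMPLE_SMB_CONF is constructed for the example and is nobody's real configuration; the hostnames in it are placeholders.

```python
"""A small smb.conf reader with a handful of security checks.

Added example; not code from this thread or from the Samba project.
SAMPLE_SMB_CONF is constructed: it borrows the shape of the configurations
posted in the thread but is nobody's real file.
"""
import re
from urllib.parse import urlparse

# Constructed sample, not a poster's configuration.
SAMPLE_SMB_CONF = r"""
[global]
   work group = EXAMPLE
   netbios name = PDC01
   security = user
   encrypt passwords = yes
   log level = 10
   admin users = supervisor
   passdb backend = ldapsam:ldap://ldap.example.test
   ldap admin dn = cn=admin,dc=example,dc=test
   ldap ssl = no
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n \
                 *Retype\snew\sUNIX\spassword:* %n\n .
;  wins support = no
#  guest account = nobody

[profiles]
   path = /srv/samba/profiles/%u
   writeable = yes
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
OFF = {"no", "off", "false", "0"}


def normalize_key(name):
    """Samba compares parameter names ignoring case and embedded
    whitespace, so 'Work Group' and 'workgroup' name the same parameter."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalized_key: value}}. Skips ';'/'#' comment
    lines, joins backslash-continued lines, and treats parameters before
    the first [section] header as [global], as Samba does."""
    logical, buf = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]      # keep collecting the continuation
            continue
        logical.append(buf + raw)
        buf = ""
    if buf:
        logical.append(buf)

    sections, current = {"global": {}}, "global"
    for line in logical:
        s = line.strip()
        if not s or s[0] in ";#":
            continue
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in s:
            continue                      # tolerate stray lines, do not abort
        key, value = s.split("=", 1)
        sections[current][normalize_key(key)] = value.strip()
    return sections


def check_global(conf):
    """Return (code, message) findings for the [global] section."""
    g = conf.get("global", {})
    findings = []

    # ldapsam binds as 'ldap admin dn' with the password kept in secrets.tdb;
    # plain ldap:// to a remote host with 'ldap ssl = no' sends that bind
    # across the network unencrypted.
    m = re.search(r"ldapsam:(\S+)", g.get("passdbbackend", "").strip('"'))
    if m:
        url = urlparse(m.group(1))
        remote = bool(url.hostname) and url.hostname not in LOOPBACK
        if url.scheme == "ldap" and remote and g.get("ldapssl", "").lower() in OFF:
            findings.append(("LDAP_CLEARTEXT", f"{m.group(1)} with 'ldap ssl = no': "
                             "the ldap admin dn bind crosses the network in clear text"))

    # log level 10 writes authentication internals (challenge bytes included)
    # into the log files; per-class syntax such as "3 passdb:5" is tolerated.
    try:
        level = int((g.get("loglevel") or "0").split()[0])
    except ValueError:
        level = 0
    if level >= 10:
        findings.append(("DEBUG_LOG_LEVEL",
                         f"log level = {level}: authentication material ends up in the logs"))

    # 'admin users' perform every file operation on every share as root.
    if g.get("adminusers"):
        findings.append(("ADMIN_USERS",
                         f"admin users = {g['adminusers']}: these accounts act as root on shares"))
    if g.get("encryptpasswords", "yes").lower() in OFF:
        findings.append(("PLAINTEXT_PASSWORDS",
                         "encrypt passwords = no: clients would send clear-text passwords"))
    if not g.get("hostsallow"):
        findings.append(("NO_HOSTS_ALLOW",
                         "no 'hosts allow' in [global]: any reachable host may connect"))
    return findings
```

testparm(1) remains the authoritative syntax check; this reader looks at only a few settings and will happily accept a file that testparm rejects. Run `check_global(parse_smb_conf(open("/etc/samba/smb.conf").read()))` to see the findings for a real file.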

Re: [Samba] SAMBA-LDAP - Group permissions

2007-01-12 Thread Stefan Schmitz
Hi,

Do you want them to be admins from within the Windows tools
User Manager/Server Manager?
Have a look at the privileges. (Samba Howto Collection chapter 15)

Another chance is to put some access control lists in your slapd.conf
file and make the admins use an LDAP browser of their choice.

Good luck, Stefan




Allysson Steve Mota Lacerda wrote:
> Hi folks.
> 
> I have a functional Samba-LDAP server running as a PDC with Windows 2003
> clients.
> 
> I'm changing the structure of my LDAP tree and I want to give
> administrator's permissions to a branch (i.e.
> ou=teachers,dc=domain,dc=com).
> Is there a way to do this automatically (i.e. by using an argument in
> smb.conf)?
> 
> Ah... I tried to use admin users in smb.conf to give permissions to a
> single
> user but it didn't function.
> 
> Thanks a lot.
> 
> My smb.conf:
> 
> [global]
>workgroup = FACOMP
>netbios name = FACOMP01
>server string = Controlador de Dominio
>domain master = yes
>preferred master = yes
>local master = yes
>domain logons = yes
>enable privileges = yes
>encrypt passwords = yes
>ldap passwd sync = yes
>admin users = rodrigoqueiroz
>passdb backend = ldapsam:ldap://localhost smbpasswd guest
>ldap suffix = dc=facomp,dc=edu,dc=br
>ldap machine suffix = ou=Computadores
>ldap user suffix = ou=Usuarios
>ldap group suffix = ou=Grupos
>ldap admin dn = cn=admin,dc=facomp,dc=edu,dc=br
>ldap ssl = no
>logon script = netlogon.bat
>logon home = \\%L\%U\.profiles
>logon path = \\%L\profiles\%U
>security = user
>os level = 256
>interfaces = 192.168.0.1
>log level = 3
>veto files = /*.mp3/*.wma/*.wmv/*.avi/*.mpg/*.wav/*.rmvb/
>delete veto files = Yes
> 



[Samba] SAMBA-LDAP - Group permissions

2007-01-11 Thread Allysson Steve Mota Lacerda

Hi folks.

I have a functional Samba-LDAP server running as a PDC with Windows 2003
clients.

I'm changing the structure of my LDAP tree and I want to give
administrator's permissions to a branch (i.e. ou=teachers,dc=domain,dc=com).
Is there a way to do this automatically (i.e. by using an argument in
smb.conf)?

Ah... I tried to use admin users in smb.conf to give permissions to a single
user but it didn't function.

Thanks a lot.

My smb.conf:

[global]
   workgroup = FACOMP
   netbios name = FACOMP01
   server string = Controlador de Dominio
   domain master = yes
   preferred master = yes
   local master = yes
   domain logons = yes
   enable privileges = yes
   encrypt passwords = yes
   ldap passwd sync = yes
   admin users = rodrigoqueiroz
   passdb backend = ldapsam:ldap://localhost smbpasswd guest
   ldap suffix = dc=facomp,dc=edu,dc=br
   ldap machine suffix = ou=Computadores
   ldap user suffix = ou=Usuarios
   ldap group suffix = ou=Grupos
   ldap admin dn = cn=admin,dc=facomp,dc=edu,dc=br
   ldap ssl = no
   logon script = netlogon.bat
   logon home = \\%L\%U\.profiles
   logon path = \\%L\profiles\%U
   security = user
   os level = 256
   interfaces = 192.168.0.1
   log level = 3
   veto files = /*.mp3/*.wma/*.wmv/*.avi/*.mpg/*.wav/*.rmvb/
   delete veto files = Yes

--
Allysson Steve Mota Lacerda
[EMAIL PROTECTED]
http://www.stevelacerda.net


Re: [Samba] samba+ldap windows problem

2007-01-02 Thread sermodi

Hi!
Happy new year to you all, I had the line passwd program =
/usr/bin/smbpasswd -r netbiosname -U %u which seems to work when I force the
user to change the password. I tried the line you suggested but without any
luck. Thanks for the reply. I have been on holiday until today so now it is
back to cracking this thing. All ideas are welcome.
Thanks
/Sermed


2007/1/1, Tim Boneko <[EMAIL PROTECTED]>:


Hello Sermodi & happy new year to all!

sermodi wrote:

> The logon is working the only trouble is that I
> can't get the option for changing the password, when I press the
ctrl-alt-del,
> the change password button is "unclickable".

I'm looking for the declaration of a password change command in smb.conf
(global). "passwd program" looks like what you need; a line like

passwd program = /usr/bin/smbldap-passwd %u


in smb.conf might help.
WARNING: unchecked! I'm at home, no windows system available :-]

timbo





Re: [Samba] samba+ldap windows problem

2007-01-01 Thread Tim Boneko
Hello Sermodi & happy new year to all!

sermodi wrote:

> The logon is working the only trouble is that I
> can't get the option for changing the password, when I press the ctrl-alt-del,
> the change password button is "unclickable". 

I'm looking for the declaration of a password change command in smb.conf
(global). "passwd program" looks like what you need; a line like

passwd program = /usr/bin/smbldap-passwd %u


in smb.conf might help.
WARNING: unchecked! I'm at home, no windows system available :-]

timbo





RE: [Samba] samba+ldap windows problem

2006-12-30 Thread Adrian Sender
You need to add some sort of script to change passwords, smbldap-tools work
for this.

Install/configure smbldap-tools, and add the following to smb.conf

add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'
delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p '%g'
delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%g' '%u'
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%g' '%u'
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'


Cheers,
Adrian Sender.


-Original Message-
From: sermodi [mailto:[EMAIL PROTECTED] 
Sent: Saturday, 23 December 2006 6:58 AM
To: samba@lists.samba.org
Subject: Re: [Samba] samba+ldap windows problem

Hi!
Thanks for the reply Luis, maybe it is a windows issue but I thought 
maybe somebody in the mail list had some similar setup and if they had 
been able to change the password in windows. I got it to work in a 
previous setup once I changed the password encryption to yes. But in the 
new setup(only domain name change and new LDAP entries) it stopped working.
Luis, sorry for sending you an empty replay pushed the wrong button :-)
Regards
Sermed


Luis Daniel Lucio Quiroz wrote:
> That sounds more a win issue than a samba/ldap
>
> Dont you have a policy on changing password from your old win domain?
>
> Regards,
>
> LD
>
> On Thursday 21 December 2006 10:08, sermodi wrote:
>   
>> Hi everybody!
>> I don't know if this is a samba or ldap problem, so here is the problem and
>> you decide.
>> I've installed Samba+LDAP to replace the windows solution. The workstations
>> in the network are w2k so they need to log on to the samba+ldap for all the
>> settings to be fetched. The logon is working; the only trouble is that I
>> can't get the option for changing the password: when I press
>> ctrl-alt-del, the change password button is "unclickable". If I change the
>> mustchangepasswd to 0 then the users are forced to change the password, it
>> works. I just can't get the changepassword button available. I have
>> searched the web for days and can't find a solution. Thanks
>> I have attached the smb.conf and slapd.conf
>> /Sermed
>> 






Re: [Samba] Samba + LDAP + ¿Kerberos?

2006-12-28 Thread Michael Schurter
PS - If you find my advice helpful, in lieu of lunch, I would accept 
entry into Washington U's doctoral Computer Science & Engineering program 
with a nice stipend.  ;)
Sorry - just noticed your e-mail address and since I'm interested in 
grad studies, I couldn't resist.  :)


Good luck with Samba/Kerberos!


Re: [Samba] Samba + LDAP + ¿Kerberos?

2006-12-28 Thread Jim Hogan

To answer my own question.

Howard Chu, on the fedora-directory-users list, answered a slightly 
different version of the same query from me and I think has put me out 
of my misery :) 

   
https://www.redhat.com/archives/fedora-directory-users/2006-December/msg00165.html


Now, my University has recently implemented an enterprise AD sign-on 
infrastructure that I could conceivably use for Samba Windows clients 
(via one-way trust) but I'm not sure where that would leave Linux / OS X 
machines.  ('Course if I make all of *them* Samba clients)


Jim

Jim Hogan wrote:

Michael, All,

I have been going back through the Samba archives looking to see if a 
Samba+LDAP+Kerberos configuration is possible given my situation.  
Mostly I see posts that say "You can't get there from here.", but I 
don't want to give up too easily.  My situation is this:



I have a new Samba 3.x domain with LDAP back end (using Fedora 
Directory Server) and this stores user accounts for my university 
department (about 300) and groups.  For UID this Samba domain uses the 
unique ID employed by the university.  The university employs a very 
mature SSO infrastructure that includes Kerberos.  I would like my 
Samba domain to use university Kerberos realm for authentication (SSO) 
while I retain control over authorization and departmental 
users/groups/shares.  We have a mix of Windows, Macs and Linux, so a 
generalizable Kerberos authentication has even more appeal.



I have seen Samba How-To docs on using client Kerberos in AD 
environment with examples of smb.conf  entries for this.



The Fedora Directory Server Wiki has a fairly straightforward entry on 
how to use FDS with Kerberos:


   http://directory.fedora.redhat.com/wiki/Howto:Kerberos

What I am not seeing is a way to combine the two -- configure Samba 
clients as kerberos client but which then presents kerberos credential 
to Samba backend (LDAP) to satisfy authentication.  I can't find it, 
but I saw one article that seemed to suggest storing Kerberos 
credentials in LDAP NTPasswd field -- made it seem like LDAP/Samba 
server would act like proxy for Samba client PCs -- but I am having a 
hard time seeing how you could avoid having all client PCs act as 
Kerberos clients.



Like I say, I see some "not possible" replies, but some of them are 
pretty dated.  I also see some replies (like this one from 2004: 
http://lists.samba.org/archive/samba/2004-April/084387.html ) which 
propose some slightly different ways of achieving similar ends, but 
not quite what I want to accomplish.



Obviously, if anybody has already implemented the type of solution I 
lay out, I would buy them lunch (real or virtual) if they would share 
the details.  Alternatively if anybody can authoritatively  spell out 
why this just won't work, then I guess I can move on to the "grieving" 
stage :)  If there is a grey area here, some opportunity to 
experiment, well, I'm game.


Thanks!

Jim

Michael Schurter wrote:

Asier Baranguán wrote:

Hi!

Perhaps this is not the appropriate list, but I need some advice.

I have a working Samba PDC with an LDAP backend over a secure TLS 
connection, with W2000 and XP clients. I've read in a lot of 
places that Kerberos is a very nice thing to have in the setup but I 
cannot see why. I know the foundations of Kerberos but I can't see 
how much "value" it will add to the setup.



Am I missing something? Please, help.


Windows clients (as well as properly configured UNIX clients) will 
use Kerberos to authenticate against your PDC and between one 
another.  The advantage Kerberos has is that it allows single sign 
on: 2 clients both authenticate once against the PDC, and then they 
can use their kerberos tickets to authenticate one another as well 
(without having to manually login with usernames and passwords again).








Re: [Samba] Samba + LDAP + ¿Kerberos?

2006-12-28 Thread Jim Hogan

Michael, All,

I have been going back through the Samba archives looking to see if a 
Samba+LDAP+Kerberos configuration is possible given my situation.  
Mostly I see posts that say "You can't get there from here.", but I 
don't want to give up too easily.  My situation is this:



I have a new Samba 3.x domain with LDAP back end (using Fedora Directory 
Server) and this stores user accounts for my university department 
(about 300) and groups.  For UID this Samba domain uses the unique ID 
employed by the university.  The university employs a very mature SSO 
infrastructure that includes Kerberos.  I would like my Samba domain to 
use university Kerberos realm for authentication (SSO) while I retain 
control over authorization and departmental users/groups/shares.  We 
have a mix of Windows, Macs and Linux, so a generalizable Kerberos 
authentication has even more appeal.



I have seen Samba How-To docs on using client Kerberos in AD environment 
with examples of smb.conf  entries for this.



The Fedora Directory Server Wiki has a fairly straightforward entry on 
how to use FDS with Kerberos:


   http://directory.fedora.redhat.com/wiki/Howto:Kerberos

What I am not seeing is a way to combine the two -- configure Samba 
clients as kerberos client but which then presents kerberos credential 
to Samba backend (LDAP) to satisfy authentication.  I can't find it, but 
I saw one article that seemed to suggest storing Kerberos credentials in 
LDAP NTPasswd field -- made it seem like LDAP/Samba server would act 
like proxy for Samba client PCs -- but I am having a hard time seeing 
how you could avoid having all client PCs act as Kerberos clients.



Like I say, I see some "not possible" replies, but some of them are 
pretty dated.  I also see some replies (like this one from 2004: 
http://lists.samba.org/archive/samba/2004-April/084387.html ) which 
propose some slightly different ways of achieving similar ends, but not 
quite what I want to accomplish.



Obviously, if anybody has already implemented the type of solution I lay 
out, I would buy them lunch (real or virtual) if they would share the 
details.  Alternatively if anybody can authoritatively  spell out why 
this just won't work, then I guess I can move on to the "grieving" stage 
:)  If there is a grey area here, some opportunity to experiment, well, 
I'm game.


Thanks!

Jim

Michael Schurter wrote:

Asier Baranguán wrote:

Hi!

Perhaps this is not the appropriate list, but I need some advice.

I have a working Samba PDC with an LDAP backend over a secure TLS 
connection, with W2000 and XP clients. I've read in a lot of places 
that Kerberos is a very nice thing to have in the setup but I cannot 
see why. I know the foundations of Kerberos but I can't see how much 
"value" it will add to the setup.



Am I missing something? Please help.


Windows clients (as well as properly configured UNIX clients) will use 
Kerberos to authenticate against your PDC and between one another.  
The advantage Kerberos has is that it allows single sign on: 2 clients 
both authenticate once against the PDC, and then they can use their 
kerberos tickets to authenticate one another as well (without having 
to manually login with usernames and passwords again).



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] samba+ldap windows problem

2006-12-22 Thread sermodi

Hi!
Thanks for the reply Luis, maybe it is a Windows issue but I thought 
maybe somebody on the mailing list had a similar setup and had 
been able to change the password in Windows. I got it to work in a 
previous setup once I changed the password encryption to yes. But in the 
new setup (only domain name change and new LDAP entries) it stopped working.

Luis, sorry for sending you an empty reply, pushed the wrong button :-)
Regards
Sermed


Luis Daniel Lucio Quiroz skrev:

That sounds more like a Windows issue than a Samba/LDAP one.

Don't you have a policy on changing passwords from your old Windows domain?

Regards,

LD

On Thursday 21 December 2006 10:08, sermodi wrote:
  

Hi everybody!
I don't know if this is a samba or ldap problem, so here is the problem and
you decide.
I've installed Samba+LDAP to replace the Windows solution. The workstations
in the network are W2K so they need to log on to the Samba+LDAP server for all the
settings to be fetched. The logon is working; the only trouble is that I
can't get the option for changing the password: when I press
Ctrl-Alt-Del, the change password button is "unclickable". If I change
mustchangepasswd to 0 then the users are forced to change the password, and it
works. I just can't get the change password button available. I have
searched the web for days and can't find a solution. Thanks
I have attached the smb.conf and slapd.conf
/Sermed





Re: [Samba] samba+ldap windows problem

2006-12-22 Thread Luis Daniel Lucio Quiroz
That sounds more like a Windows issue than a Samba/LDAP one.

Don't you have a policy on changing passwords from your old Windows domain?

Regards,

LD

On Thursday 21 December 2006 10:08, sermodi wrote:
> Hi everybody!
> I don't know if this is a samba or ldap problem, so here is the problem and
> you decide.
> I've installed Samba+LDAP to replace the Windows solution. The workstations
> in the network are W2K so they need to log on to the Samba+LDAP server for all the
> settings to be fetched. The logon is working; the only trouble is that I
> can't get the option for changing the password: when I press
> Ctrl-Alt-Del, the change password button is "unclickable". If I change
> mustchangepasswd to 0 then the users are forced to change the password, and it
> works. I just can't get the change password button available. I have
> searched the web for days and can't find a solution. Thanks
> I have attached the smb.conf and slapd.conf
> /Sermed


[Samba] samba+ldap windows problem

2006-12-21 Thread sermodi

Hi everybody!
I don't know if this is a samba or ldap problem, so here is the problem and
you decide.
I've installed Samba+LDAP to replace the Windows solution. The workstations
in the network are W2K so they need to log on to the Samba+LDAP server for all the
settings to be fetched. The logon is working; the only trouble is that I can't
get the option for changing the password: when I press Ctrl-Alt-Del, the
change password button is "unclickable". If I change mustchangepasswd to
0 then the users are forced to change the password, and it works. I just can't
get the change password button available. I have searched the web for days
and can't find a solution. Thanks
I have attached the smb.conf and slapd.conf
/Sermed

Re: [Samba] Samba + LDAP + ¿Kerberos?

2006-11-25 Thread Michael Schurter

Asier Baranguán wrote:

Hi!

Perhaps this is not the appropriate list, but I need some advice.

I have a working Samba PDC with an LDAP backend over a secure TLS 
connection, with W2000 and XP clients. I've read in a lot of places 
that Kerberos is a very nice thing to have in the setup but I cannot see 
why. I know the foundations of Kerberos but I can't see how much "value" 
it will add to the setup.



Am I missing something? Please help.


Windows clients (as well as properly configured UNIX clients) will use 
Kerberos to authenticate against your PDC and between one another.  The 
advantage Kerberos has is that it allows single sign on: 2 clients both 
authenticate once against the PDC, and then they can use their kerberos 
tickets to authenticate one another as well (without having to manually 
login with usernames and passwords again).



[Samba] Samba + LDAP + ¿Kerberos?

2006-11-23 Thread Asier Baranguán

Hi!

Perhaps this is not the appropriate list, but I need some advice.

I have a working Samba PDC with an LDAP backend over a secure TLS connection, with W2000 
and XP clients. I've read in a lot of places that Kerberos is a very nice thing to have 
in the setup but I cannot see why. I know the foundations of Kerberos but I can't see how 
much "value" it will add to the setup.



Am I missing something? Please help.

Thanks

[Samba] Samba-ldap permission and access using Microsoft Management Console - permission to change folder and file access with MS full access option

2006-11-02 Thread Silas Wind


Hi

I want the following share setup in samba 3.0.10 without the use of POSIX
ACL kernel support on the /dev/sdi01 partition:

   1. A group should be able to be the "Windows owner" whenever a Windows file or
      folder is created.
   2. A group should have Windows full access whenever a file
      or folder is created.
   3. Only the group should have login access to the hidden share [sharename$].
   4. Group members should be able to control Windows permissions on files and
      folders in [sharename$]; basically, be able to give a specific user
      from the allowed group full access to a given folder - e.g. user1 from
      group1 (consisting of user1 and user2) should be able to give user1
      full access to folder1 and remove all other users and groups from that
      folder, so only user1 (in [sharename$]) will be able to access the
      folder.


I keep getting this error every time I try to do what is described in
POINT 4


if we look at the share definitions in smb.conf

[sharename$]
path = /home/sharename
public = yes
valid users = @group1     (now as I understand it, valid users is the samba share fix for POINT 3 above)
writable = yes            (provides access to create files and folders on [sharename$])
create mask = 0666        (now as I understand it, create mask is the samba share fix for POINT 2 above)
directory mask = 0777     (now as I understand it, directory mask is the samba share fix for POINT 2 above)
force group = group1      (now as I understand it, valid users is the samba share fix for POINT 3 above)
dos filemode = yes        (now as I understand it, dos filemode is the samba share fix for POINT 4 above)
nt acl support = yes      (now as I understand it, nt acl support is the samba share fix for POINT 4 above)


Now this is not working; Windows keeps coming up with the following error:
"unable to save permission changes on [sharename] access is denied"





Here is my samba ldap info

I am using a RHES 4 update 3 kernel 2.6.9-34
   samba-3.0.10-1.4E.6
   samba-client-3.0.10-1.4E.6
   samba-common-3.0.10-1.4E.6
   openldap-devel-2.2.13-4
   openldap-servers-2.2.13-4
   openldap-clients-2.2.13-4
   openldap-2.2.13-4
   nss_ldap-226-10

My PDC /etc/samba/smb.conf file looks like this

[global]
workgroup = DOMAINNAME
netbios name = TNGCPH01
username map = /etc/samba/smbusers
server string = Samba Server %v
security = user
encrypt passwords = yes
domain logons = Yes
os level = 65
preferred master = yes
local master = yes
domain master = yes
wins support = yes
log level = 3
log file = /var/log/samba/%m.log
max log size = 50

obey pam restrictions = No
ldap passwd sync = Yes
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=Manager,dc=domainname,dc=com

# Ldap suffix

ldap suffix = dc=clipper-group,dc=com
ldap group suffix = ou=_GROUPS_
ldap user suffix = ou=_USERS_
ldap machine suffix = ou=_COMPUTERS_
ldap idmap suffix = ou=_USERS_
ldap ssl = no
add user script = /usr/local/sbin/smbldap-useradd.pl -m "%u"
ldap delete dn = Yes
delete user script = /usr/local/sbin/smbldap-userdel.pl "%u"
add machine script = /usr/local/sbin/smbldap-useradd.pl -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd.pl -p "%g"
delete group script = /usr/local/sbin/smbldap-groupdel.pl "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod.pl -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod.pl -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod.pl -g "%g" "%u"

   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/false
   winbind use default domain = no



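As an added example (not code from the post), here is a small audit of the [global] LDAP settings and the [sharename$] share quoted above; it flags the points a reviewer would raise, such as the ldap admin dn lying outside the ldap suffix, the idmap suffix colliding with the user suffix, and the masks and guest setting on the share. The config text is constructed from the post's values.

```python
"""Audit an smb.conf for the inconsistencies discussed in the post.
The sample config is a constructed copy of the post's values."""

SAMPLE_SMB_CONF = """
[global]
workgroup = DOMAINNAME
netbios name = TNGCPH01
security = user
encrypt passwords = yes
domain logons = Yes
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=Manager,dc=domainname,dc=com
# Ldap suffix
ldap suffix = dc=clipper-group,dc=com
ldap group suffix = ou=_GROUPS_
ldap user suffix = ou=_USERS_
ldap machine suffix = ou=_COMPUTERS_
ldap idmap suffix = ou=_USERS_
ldap ssl = no

[sharename$]
path = /home/sharename
public = yes
valid users = @group1
writable = yes
create mask = 0666
directory mask = 0777
force group = group1
dos filemode = yes
nt acl support = yes
"""


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}. Keys are lower-cased with
    runs of whitespace collapsed, which is how Samba compares them."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def _dn_parts(dn):
    return [p.strip().lower() for p in dn.split(",")]


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text, posix_acls=False):
    """Return (section, code, detail) findings. posix_acls says whether the
    share's filesystem has POSIX ACL support (the post says it does not)."""
    conf = parse_smb_conf(text)
    findings = []
    g = conf.get("global", {})
    suffix, admin = g.get("ldap suffix"), g.get("ldap admin dn")
    # The admin DN must live under the suffix Samba is told to manage.
    if suffix and admin and _dn_parts(admin)[-len(_dn_parts(suffix)):] != _dn_parts(suffix):
        findings.append(("global", "admin-dn-outside-suffix",
                         "%s is not under %s; check that the bind DN exists" % (admin, suffix)))
    if g.get("ldap idmap suffix", "").lower() == g.get("ldap user suffix", "?").lower():
        findings.append(("global", "idmap-suffix-equals-user-suffix",
                         "idmap entries will be created among the user accounts"))
    backend = g.get("passdb backend", "")
    # ldap:// without ldap ssl sends the admin DN password in the clear; harmless
    # only when slapd is on the loopback interface, as in the post.
    if backend.startswith("ldapsam:ldap://") and not _is_yes(g.get("ldap ssl", "no")):
        host = backend[len("ldapsam:ldap://"):].split("/")[0].split(":")[0]
        if host not in ("127.0.0.1", "localhost", "::1"):
            findings.append(("global", "cleartext-admin-bind",
                             "the ldap admin dn password crosses the network unencrypted"))
    for name, share in conf.items():
        if name.lower() in ("global", "homes", "printers"):
            continue
        guest = share.get("public", share.get("guest ok", "no"))
        if _is_yes(guest) and "valid users" in share:
            findings.append((name, "guest-with-valid-users",
                             "public = yes invites guest access while valid users restricts it"))
        for key in ("create mask", "directory mask"):
            if key in share and int(share[key], 8) & 0o002:
                findings.append((name, "world-writable:" + key,
                                 "%s grants write to everyone, not just %s"
                                 % (share[key], share.get("force group", "the group"))))
        if _is_yes(share.get("nt acl support", "yes")) and not posix_acls:
            findings.append((name, "nt-acl-needs-posix-acl",
                             "without POSIX ACLs Samba can only map an NT ACL onto "
                             "owner/group/other bits, so a per-user grant cannot be saved"))
    return findings


if __name__ == "__main__":
    for section, code, detail in audit_smb_conf(SAMPLE_SMB_CONF):
        print("[%s] %s: %s" % (section, code, detail))
```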


Re: [Samba] SAMBA + LDAP + TLS

2006-10-17 Thread Zach

Samba is a client to slapd, so it needs a properly configured ldap.conf.

On 10/9/06, Net Warrior <[EMAIL PROTECTED]> wrote:

Ok, thanks I'll try that.
I did not modify ldap.conf, because I thought that ldap.conf is a client
setting and not a server setting,





Re: [Samba] SAMBA + LDAP + TLS

2006-10-09 Thread Net Warrior

Ok, thanks I'll try that.
I did not modify ldap.conf, because I thought that ldap.conf is a client
setting and not a server setting,
I'll try that anyway.
And one more thing:
what's right, like this -> passdb backend = ldapsam:ldap://127.0.0.1,
or like this -> ldaps://127.0.0.1:636 ?

Thanks for your time, very kind of you.

2006/10/9, Guillaume <[EMAIL PROTECTED]>:


Net Warrior wrote:
> Hi there guys, I do not know whether to post this here or on the openldap list, sorry
> if I
> disturb you.
>
> I configured samba+ldap as a PDC and by now it's working fine, so I
> decided to put some security on the stuff.
> The problem is that I could not make it work; here is what I've done.
>
> This is what netstat shows.
>
> tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
> tcp 0 0 127.0.0.1:389 127.0.0.1:1873 ESTABLISHED
> tcp 0 0 :::389 :::* LISTEN
> tcp 0 0 :::636 :::* LISTEN
>
>
> in slapd.conf i have
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv3
> TLSCertificateFile /usr/local/etc/openldap/ssl/server.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/server.key
> VerifyClient demand
>
> I created the certificate like this:
>
> openssl genrsa -out server.key 2048
> openssl req -new -key server.key -out server.csr
> openssl req -in server.csr -key server.key -x509 -out server.crt
>
>
> openssl s_client -connect localhost:636 -showcerts
>
> CONNECTED(0003)
> ---
> Certificate chain
> 0 s:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
> i:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
> -BEGIN CERTIFICATE-
> the garbage
> -END CERTIFICATE-
>
>
> subject=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
> issuer=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1115 bytes and written 468 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID:
> F605F2CC3CE88DC628D37DD843A9F879F5C8F0DAAFC6A92020A99B6DEF82705A
> Session-ID-ctx:
> Master-Key:
>
6763B71DE44699A2F13C548274E92FA097B7F6DA6EB4E73B32598616E8083A2C09524A5FB28121B507E0D4B923B10623
>
>
> Key-Arg : None
> Start Time: 1160232704
> Timeout : 300 (sec)
> Verify return code: 18 (self signed certificate)
>
> ---
> closed
>
>
> smb.conf
> passdb backend = ldapsam:ldap://127.0.0.1
> Does it have to be ldaps://127.0.0.1:636 ?
>
>
> Is this enough to establish a secure connection? I never see, with
> netstat,
> 636 ESTABLISHED
>
> If in smb.conf I change to ldaps://127.0.0.1:636, as I read in several
> how-tos, I get,
> for example with pdbedit -Lv or trying to login from an XP machine, the
> following on the server:
>
> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TESTSERVER))]
> smbldap_open_connection: connection opened
> failed to bind to server ldaps://127.0.0.1:636 with
> dn="cn=Manager,dc=testserver,dc=com" Error: Can't contact LDAP server
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify
> failed
> Connection to LDAP server failed for the 1 try!
> and on, and on. and on..
>
> What am I missing?
>
> My clients are XP machines
>
>
> Thanks in advance, sorry for the noise and for my very basic question.

Hi

I think you have a problem because you sign your certificate yourself.

Just try to put this line in your ldap.conf file, the client config
file... not the slapd.conf !!
-
TLS_REQCERT allow
-

Regards
Guillaume


--
Guillaume
E-mail: silencer__free-4ever__net
Blog: http://guillaume.free-4ever.net

Site: http://www.free-4ever.net




Re: [Samba] SAMBA + LDAP + TLS

2006-10-09 Thread Guillaume

Net Warrior wrote:
Hi there guys, I do not know whether to post this here or on the openldap list, sorry 
if I 
disturb you.

I configured samba+ldap as a PDC and by now it's working fine, so I
decided to put some security on the stuff.
The problem is that I could not make it work; here is what I've done.

This is what netstat shows.

tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:389 127.0.0.1:1873 ESTABLISHED
tcp 0 0 :::389 :::* LISTEN
tcp 0 0 :::636 :::* LISTEN


in slapd.conf i have

TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /usr/local/etc/openldap/ssl/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/server.key
VerifyClient demand

I created the certificate like this:

openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl req -in server.csr -key server.key -x509 -out server.crt


openssl s_client -connect localhost:636 -showcerts

CONNECTED(0003)
---
Certificate chain
0 s:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
i:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
-BEGIN CERTIFICATE-
the garbage
-END CERTIFICATE-


subject=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
issuer=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
---
No client certificate CA names sent
---
SSL handshake has read 1115 bytes and written 468 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 
F605F2CC3CE88DC628D37DD843A9F879F5C8F0DAAFC6A92020A99B6DEF82705A

Session-ID-ctx:
Master-Key:
6763B71DE44699A2F13C548274E92FA097B7F6DA6EB4E73B32598616E8083A2C09524A5FB28121B507E0D4B923B10623 



Key-Arg : None
Start Time: 1160232704
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)

---
closed


smb.conf
passdb backend = ldapsam:ldap://127.0.0.1
Does it have to be ldaps://127.0.0.1:636 ?


Is this enough to establish a secure connection? I never see, with 
netstat,

636 ESTABLISHED

If in smb.conf I change to ldaps://127.0.0.1:636, as I read in several
how-tos, I get,
for example with pdbedit -Lv or trying to login from an XP machine, the
following on the server:

Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TESTSERVER))]
smbldap_open_connection: connection opened
failed to bind to server ldaps://127.0.0.1:636 with
dn="cn=Manager,dc=testserver,dc=com" Error: Can't contact LDAP server
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
Connection to LDAP server failed for the 1 try!
and on, and on. and on..

What am I missing?

My clients are XP machines


Thanks in advance, sorry for the noise and for my very basic question.


Hi

I think you have a problem because you sign your certificate yourself.

Just try to put this line in your ldap.conf file, the client config 
file... not the slapd.conf !!

-
TLS_REQCERT allow
-

Regards
Guillaume


--
Guillaume
E-mail: silencer__free-4ever__net
Blog: http://guillaume.free-4ever.net

Site: http://www.free-4ever.net


[Samba] SAMBA + LDAP + TLS

2006-10-09 Thread Net Warrior

Hi there guys, I do not know whether to post this here or on the openldap list, sorry if I
disturb you.

I configured samba+ldap as a PDC and by now it's working fine, so I
decided to put some security on the stuff.
The problem is that I could not make it work; here is what I've done.

This is what netstat shows.

tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:389 127.0.0.1:1873 ESTABLISHED
tcp 0 0 :::389 :::* LISTEN
tcp 0 0 :::636 :::* LISTEN


in slapd.conf i have

TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /usr/local/etc/openldap/ssl/server.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/server.key
VerifyClient demand

I created the certificate like this:

openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl req -in server.csr -key server.key -x509 -out server.crt


openssl s_client -connect localhost:636 -showcerts

CONNECTED(0003)
---
Certificate chain
0 s:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
i:/C=UY/ST=Location/O=Internet Widgits Pty Ltd
-BEGIN CERTIFICATE-
the garbage
-END CERTIFICATE-


subject=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
issuer=/C=UY/ST=Location/O=Internet Widgits Pty Ltd
---
No client certificate CA names sent
---
SSL handshake has read 1115 bytes and written 468 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: F605F2CC3CE88DC628D37DD843A9F879F5C8F0DAAFC6A92020A99B6DEF82705A
Session-ID-ctx:
Master-Key:
6763B71DE44699A2F13C548274E92FA097B7F6DA6EB4E73B32598616E8083A2C09524A5FB28121B507E0D4B923B10623

Key-Arg : None
Start Time: 1160232704
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)

---
closed


smb.conf
passdb backend = ldapsam:ldap://127.0.0.1
Does it have to be ldaps://127.0.0.1:636 ?


Is this enough to establish a secure connection? I never see, with netstat,
636 ESTABLISHED

If in smb.conf I change to ldaps://127.0.0.1:636, as I read in several
how-tos, I get,
for example with pdbedit -Lv or trying to login from an XP machine, the
following on the server:

Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TESTSERVER))]
smbldap_open_connection: connection opened
failed to bind to server ldaps://127.0.0.1:636 with
dn="cn=Manager,dc=testserver,dc=com" Error: Can't contact LDAP server
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
Connection to LDAP server failed for the 1 try!
and on, and on. and on..

What am I missing?

My clients are XP machines


Thanks in advance, sorry for the noise and for my very basic question.
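As an added example (not from the thread), the verification failure Net Warrior saw and Guillaume's suggested fix side by side: a self-signed certificate generated the way the post does (genrsa line corrected), a bare TLS listener standing in for slapd, and a client configured three ways in the terms of ldap.conf's TLS_REQCERT and TLS_CACERT. It assumes the openssl binary is on PATH.

```python
"""Reproduce "certificate verify failed" against a self-signed LDAPS cert
and compare TLS_REQCERT allow with pinning the cert via TLS_CACERT.
Assumes the `openssl` binary is on PATH; a plain TLS listener stands in
for slapd on port 636."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

SUBJECT = "/C=UY/ST=Location/O=Internet Widgits Pty Ltd"  # subject from the post


def make_selfsigned(workdir):
    """Key + self-signed cert as in the post; the genrsa line is corrected
    (bit count goes last, -out takes a file name rather than a redirect)."""
    key = os.path.join(workdir, "server.key")
    crt = os.path.join(workdir, "server.crt")
    subprocess.run(["openssl", "genrsa", "-out", key, "2048"],
                   check=True, capture_output=True)
    subprocess.run(["openssl", "req", "-new", "-x509", "-key", key, "-out", crt,
                    "-days", "365", "-subj", SUBJECT], check=True, capture_output=True)
    return key, crt


def _serve_one(listener, key, crt):
    """Stand-in for slapd: accept one client and attempt the TLS handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.sendall(b"ok")
    except OSError:
        pass  # the client rejected our certificate: the failure case below


def ldap_client_outcome(key, crt, reqcert, cacert=None):
    """Model libldap's TLS_REQCERT / TLS_CACERT with Python's ssl module.
    reqcert="demand" verifies the server against cacert (None means an empty
    trust store, as on the poster's box); reqcert="allow" accepts any
    certificate, which is what Guillaume's suggestion does."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_serve_one, args=(listener, key, crt), daemon=True).start()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # the post's cert has no CN/SAN; identity comes from the pinned anchor
    if reqcert == "allow":
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.verify_mode = ssl.CERT_REQUIRED
        if cacert:
            ctx.load_verify_locations(cacert)
    try:
        with socket.create_connection(listener.getsockname()) as raw:
            with ctx.wrap_socket(raw) as tls:
                tls.recv(2)
        return "verified" if reqcert != "allow" else "unverified"
    except ssl.SSLCertVerificationError as exc:
        return "rejected:%d" % exc.verify_code  # 18 = self signed certificate, as in the post
    finally:
        listener.close()


def demo():
    """The three client configurations the thread is about, with their outcome."""
    with tempfile.TemporaryDirectory() as workdir:
        key, crt = make_selfsigned(workdir)
        return {
            "demand, no TLS_CACERT": ldap_client_outcome(key, crt, "demand"),
            "allow": ldap_client_outcome(key, crt, "allow"),
            "demand, TLS_CACERT=server.crt": ldap_client_outcome(key, crt, "demand", cacert=crt),
        }


if __name__ == "__main__":
    for setting, outcome in demo().items():
        print("TLS_REQCERT %-30s -> %s" % (setting, outcome))
```

The ldap.conf equivalent of the last case is TLS_CACERT /usr/local/etc/openldap/ssl/server.crt with TLS_REQCERT demand, after which passdb backend = ldapsam:ldaps://127.0.0.1:636 binds cleanly; TLS_REQCERT allow also connects, but to whatever answers on the port.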


Re: [Samba] Samba/LDAP - using Poledit for security templates.

2006-09-26 Thread Cleber P. de Souza

Have you defined the Samba SID for the new group you created?
Is the base SID equal to that of the Samba domain?

On 9/24/06, Matthew Thompson <[EMAIL PROTECTED]> wrote:

Hi samba gurus,

I have a successful install of samba/LDAP (on FC5) and am looking at
applying security templates for different groups.

I had this successfully working on my old RH9 box running samba (but not
using LDAP). Using poledit, I created groups (sales, it, etc) that were
the same as my linux groups, and created a Ntconfig.POL file.

Referring to this article for use on poledit.exe and applying a security
template to a samba domain:

http://wiki.samba.org/index.php/Implementing_System_Policies_with_Samba

On the new setup, when I create new groups using the smbldap-tools, all
appears to be correct. My user can join that group and it shows up with
'id' and 'getent group'.

My problem is with poledit.exe... when I create groups (for the purpose
of applying security settings to my different groups) it seems as if
they don't pick up the newly created groups within my LDAP directory.
When I make changes to the "default users" group, those settings do
apply, but any settings made to the newly created group do not. This
to me would rule out a permission issue on the *.POL file.

There is a setting within poledit.exe where you can browse for groups
within the domain. I cannot view any non default groups (as in the ones
I created after smbldap-populate - it, sales, etc). I thought that this
may have had something to do with it, however, my old RH9 box cannot
view additional groups either, and it worked.

I'm new to Linux and samba/LDAP - so I'm not exactly sure whether I'm
asking the right people. However, I thought I start with you guys and
progress further if need be.



Thanks for your time and thoughts on this.



Regards



Matthew Thompson







--
***
Cleber P. de Souza


[Samba] Samba/LDAP - using Poledit for security templates.

2006-09-25 Thread Matthew Thompson
Hi samba gurus, 

I have a successful install of samba/LDAP (on FC5) and am looking at
applying security templates for different groups. 

I had this successfully working on my old RH9 box running samba (but not
using LDAP). Using poledit, I created groups (sales, it, etc) that were
the same as my linux groups, and created a Ntconfig.POL file.

Referring to this article for use on poledit.exe and applying a security
template to a samba domain: 

http://wiki.samba.org/index.php/Implementing_System_Policies_with_Samba 

On the new setup, when I create new groups using the smbldap-tools, all
appears to be correct. My user can join that group and it shows up with
'id' and 'getent group'. 

My problem is with poledit.exe... when I create groups (for the purpose
of applying security settings to my different groups) it seems as if
they don't pick up the newly created groups within my LDAP directory.
When I make changes to the "default users" group, those settings do
apply, but any settings made to the newly created group do not. This
to me would rule out a permission issue on the *.POL file. 

There is a setting within poledit.exe where you can browse for groups
within the domain. I cannot view any non default groups (as in the ones
I created after smbldap-populate - it, sales, etc). I thought that this
may have had something to do with it, however, my old RH9 box cannot
view additional groups either, and it worked. 

I'm new to Linux and samba/LDAP - so I'm not exactly sure whether I'm
asking the right people. However, I thought I start with you guys and
progress further if need be.

 

Thanks for your time and thoughts on this.



Regards

 

Matthew Thompson

 



Re: [Samba] samba ldap pdc w/unix accounts: local unix and ldap unix users can't resolve uids to names on the server

2006-09-12 Thread Cleber P. de Souza

Try temporarily stopping winbind and starting nscd to see if your problem is solved.

On 9/12/06, Noah Dain <[EMAIL PROTECTED]> wrote:

On 9/11/06, Cleber P. de Souza <[EMAIL PROTECTED]> wrote:
> You'll need to set up and start the nscd service on your machine.
> This solves your problem.

well, winbind and nscd don't get along together, as winbind does its
own caching.

reference:  http://us4.samba.org/samba/docs/man/Samba-Guide/happy.html#id2544165

> On 9/11/06, Noah Dain <[EMAIL PROTECTED]> wrote:
> > * distro: ubuntu breezy ( 6.06 )
> > * samba version: shipped version with updates ( 3.0.22-1ubuntu3.1 )
> > * no ssl
> > * openLDAP is running on the same machine as samba, and referenced as
> > localhost/127.0.0.1 where applicable ( 2.2.26-5ubuntu2.1 )
> > * nscd is not installed, much less running
> >
> > I've set up a samba pdc with ldap by following the Samba Guide very
> > closely, adapting it to Ubuntu/Debian where it seemed applicable, and
> > I've had mostly success.
> >
> > Windows clients work fine:  they can join the domain, roaming profiles
> > work, read/write to their respective shares.
> >
> > However, when logged into the samba/ldap server, local users other
> > than root cannot resolve names in ldap.  No ldap accounts show up for
> > 'getent passwd' or 'getent group'.
> >
> > I can login to the system with an ldap user account, but when I do so I get:
> > NOTE: 'ndain' is a local account. 'dainn' is an ldap account.
> >
> > [EMAIL PROTECTED]:~$ su dainn
> > Password:
> > id: cannot find name for group ID 513
> > id: cannot find name for group ID 512
> > I have no [EMAIL PROTECTED]:/home/ndain$
> >
> > /var/log/syslog records:
> > Sep 11 11:32:49 sambapdc bash: nss_ldap: could not search LDAP server
> > - Operations error
> > Sep 11 11:32:49 sambapdc id: nss_ldap: could not search LDAP server -
> > Operations error
> >
> >
> > However, if I set /etc/libnss-ldap.conf permissions to 644, everything
> > works.  Obviously, this is less than optimal as it has the "root" ldap
> > account password in plaintext.
> >
> >
> > ### nothing below but config files ###
> >
> > ## file: /etc/nsswitch.conf
> > ## edited to incorporate changes from #3:
> > ##http://us4.samba.org/samba/docs/man/Samba-Guide/happy.html#sbehap-nss02
> > passwd: files ldap
> > group:  files ldap
> > shadow: files ldap
> > #hosts:  files dns
> > hosts:  files dns wins
> > networks:   files
> > protocols:  db files
> > services:   db files
> > ethers: db files
> > rpc:db files
> > netgroup:   nis
> > # end /etc/nsswitch.conf
> >
> > ## file: /etc/libnss-ldap.conf
> > ## ripped from:
> > http://us4.samba.org/samba/docs/man/Samba-Guide/happy.html#sbehap-nss01
> > host 127.0.0.1
> > #base dc=abmas,dc=biz
> > base dc=sysgenmedia,dc=com
> > ldap_version 3
> > binddn cn=manager,dc=sysgenmedia,dc=com
> > bindpw MyPassWord
> > timelimit 50
> > bind_timelimit 50
> > bind_policy hard
> > idle_timelimit 3600
> > pam_password exop
> > #nss_base_passwd ou=People,dc=abmas,dc=biz?one
> > #nss_base_shadow ou=People,dc=abmas,dc=biz?one
> > #nss_base_group  ou=Groups,dc=abmas,dc=biz?one
> > nss_base_passwd ou=People,dc=sysgenmedia,dc=com?one
> > nss_base_shadow ou=People,dc=sysgenmedia,dc=com?one
> > nss_base_group  ou=Groups,dc=sysgenmedia,dc=com?one
> > ssl off
> > ## end file: /etc/nsswitch.conf
> >
> >
> >
> > --
> > Noah Dain
> > "I don't want to make toys, I want to be a dentist!"
> >
>
>
> --
> ***
> Cleber P. de Souza
>


--
Noah Dain
"I don't want to make toys, I want to be a dentist!"




--
***
Cleber P. de Souza


Re: [Samba] samba ldap pdc w/unix accounts: local unix and ldap unix users can't resolve uids to names on the server

2006-09-12 Thread Noah Dain

On 9/11/06, Cleber P. de Souza <[EMAIL PROTECTED]> wrote:

You'll need to set up and start the nscd service on your machine.
This solves your problem.


well, winbind and nscd don't get along together, as winbind does its
own caching.

reference:  http://us4.samba.org/samba/docs/man/Samba-Guide/happy.html#id2544165


On 9/11/06, Noah Dain <[EMAIL PROTECTED]> wrote:
> * distro: ubuntu breezy ( 6.06 )
> * samba version: shipped version with updates ( 3.0.22-1ubuntu3.1 )
> * no ssl
> * openLDAP is running on the same machine as samba, and referenced as
> localhost/127.0.0.1 where applicable ( 2.2.26-5ubuntu2.1 )
> * nscd is not installed, much less running
>
> I've set up a samba pdc with ldap by following the Samba Guide very
> closely, adapting it to Ubuntu/Debian where it seemed applicable, and
> I've had mostly success.
>
> Windows clients work fine:  they can join the domain, roaming profiles
> work, read/write to their respective shares.
>
> However, when logged into the samba/ldap server, local users other
> than root cannot resolve names in ldap.  No ldap accounts show up for
> 'getent passwd' or 'getent group'.
>
> I can login to the system with an ldap user account, but when I do so I get:
> NOTE: 'ndain' is a local account. 'dainn' is an ldap account.
>
> [EMAIL PROTECTED]:~$ su dainn
> Password:
> id: cannot find name for group ID 513
> id: cannot find name for group ID 512
> I have no [EMAIL PROTECTED]:/home/ndain$
>
> /var/log/syslog records:
> Sep 11 11:32:49 sambapdc bash: nss_ldap: could not search LDAP server
> - Operations error
> Sep 11 11:32:49 sambapdc id: nss_ldap: could not search LDAP server -
> Operations error
>
>
> However, if I set /etc/libnss-ldap.conf permissions to 644, everything
> works.  Obviously, this is less than optimal as it has the "root" ldap
> account password in plaintext.
>
>
> ### nothing below but config files ###
>
> ## file: /etc/nsswitch.conf
> ## edited to incorporate changes from #3:
> ##http://us4.samba.org/samba/docs/man/Samba-Guide/happy.html#sbehap-nss02
> passwd: files ldap
> group:  files ldap
> shadow: files ldap
> #hosts:  files dns
> hosts:  files dns wins
> networks:   files
> protocols:  db files
> services:   db files
> ethers: db files
> rpc:db files
> netgroup:   nis
> # end /etc/nsswitch.conf
>
> ## file: /etc/libnss-ldap.conf
> ## ripped from:
> http://us4.samba.org/samba/docs/man/Samba-Guide/happy.html#sbehap-nss01
> host 127.0.0.1
> #base dc=abmas,dc=biz
> base dc=sysgenmedia,dc=com
> ldap_version 3
> binddn cn=manager,dc=sysgenmedia,dc=com
> bindpw MyPassWord
> timelimit 50
> bind_timelimit 50
> bind_policy hard
> idle_timelimit 3600
> pam_password exop
> #nss_base_passwd ou=People,dc=abmas,dc=biz?one
> #nss_base_shadow ou=People,dc=abmas,dc=biz?one
> #nss_base_group  ou=Groups,dc=abmas,dc=biz?one
> nss_base_passwd ou=People,dc=sysgenmedia,dc=com?one
> nss_base_shadow ou=People,dc=sysgenmedia,dc=com?one
> nss_base_group  ou=Groups,dc=sysgenmedia,dc=com?one
> ssl off
> ## end file: /etc/nsswitch.conf
>
>
>
> --
> Noah Dain
> "I don't want to make toys, I want to be a dentist!"
>


--
***
Cleber P. de Souza






[Samba] samba ldap pdc w/unix accounts: local unix and ldap unix users can't resolve uids to names on the server

2006-09-11 Thread Noah Dain

* distro: ubuntu breezy ( 6.06 )
* samba version: shipped version with updates ( 3.0.22-1ubuntu3.1 )
* no ssl
* openLDAP is running on the same machine as samba, and referenced as
localhost/127.0.0.1 where applicable ( 2.2.26-5ubuntu2.1 )
* nscd is not installed, much less running

I've set up a samba pdc with ldap by following the Samba Guide very
closely, adapting it to Ubuntu/Debian where it seemed applicable, and
I've had mostly success.

Windows clients work fine:  they can join the domain, roaming profiles
work, read/write to their respective shares.

However, when logged into the samba/ldap server, local users other
than root cannot resolve names in ldap.  No ldap accounts show up for
'getent passwd' or 'getent group'.

I can login to the system with an ldap user account, but when I do so I get:
NOTE: 'ndain' is a local account. 'dainn' is an ldap account.

[EMAIL PROTECTED]:~$ su dainn
Password:
id: cannot find name for group ID 513
id: cannot find name for group ID 512
I have no [EMAIL PROTECTED]:/home/ndain$

/var/log/syslog records:
Sep 11 11:32:49 sambapdc bash: nss_ldap: could not search LDAP server
- Operations error
Sep 11 11:32:49 sambapdc id: nss_ldap: could not search LDAP server -
Operations error


However, if I set /etc/libnss-ldap.conf permissions to 644, everything
works.  Obviously, this is less than optimal as it has the "root" ldap
account password in plaintext.


### nothing below but config files ###

## file: /etc/nsswitch.conf
## edited to incorporate changes from #3:
##http://us4.samba.org/samba/docs/man/Samba-Guide/happy.html#sbehap-nss02
passwd: files ldap
group:  files ldap
shadow: files ldap
#hosts:  files dns
hosts:  files dns wins
networks:   files
protocols:  db files
services:   db files
ethers: db files
rpc:db files
netgroup:   nis
# end /etc/nsswitch.conf

## file: /etc/libnss-ldap.conf
## ripped from:
http://us4.samba.org/samba/docs/man/Samba-Guide/happy.html#sbehap-nss01
host 127.0.0.1
#base dc=abmas,dc=biz
base dc=sysgenmedia,dc=com
ldap_version 3
binddn cn=manager,dc=sysgenmedia,dc=com
bindpw MyPassWord
timelimit 50
bind_timelimit 50
bind_policy hard
idle_timelimit 3600
pam_password exop
#nss_base_passwd ou=People,dc=abmas,dc=biz?one
#nss_base_shadow ou=People,dc=abmas,dc=biz?one
#nss_base_group  ou=Groups,dc=abmas,dc=biz?one
nss_base_passwd ou=People,dc=sysgenmedia,dc=com?one
nss_base_shadow ou=People,dc=sysgenmedia,dc=com?one
nss_base_group  ou=Groups,dc=sysgenmedia,dc=com?one
ssl off
## end file: /etc/nsswitch.conf



--
Noah Dain
"I don't want to make toys, I want to be a dentist!"
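An added example, not code from the thread, that audits a libnss-ldap.conf for the trade-off Noah describes: the file has to be readable by every process that resolves names, so a privileged bindpw inside it is exposed, while a root-only file breaks lookups for everyone else. It assumes nss_ldap's rootbinddn option with the password kept in /etc/libnss-ldap.secret (Debian's location); the DNs in the samples are the post's own or constructed placeholders.

```python
import stat
from dataclasses import dataclass

# Debian's nss_ldap reads the rootbinddn password from this root-only (mode 0600) file.
SECRET_FILE = "/etc/libnss-ldap.secret"

@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    message: str

def parse_nss_ldap_conf(text):
    """Parse 'key value' lines; comments and blanks are skipped, a repeated key keeps its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf

def audit(conf, mode, secret_mode=None, privileged_dns=()):
    """Findings for a parsed config whose file has permission bits `mode`; `secret_mode` is
    the mode of SECRET_FILE (None if absent) and `privileged_dns` lists DNs allowed to write."""
    findings = []
    readable_by_others = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    # The symptom in the post: nss_ldap runs inside every process that resolves a name,
    # so a root-only config makes lookups fail for everyone except root.
    if not readable_by_others:
        findings.append(Finding("high", "config mode %04o is not readable by non-root "
                                "users; their nss_ldap lookups will fail" % mode))
    if "bindpw" in conf:
        dn = conf.get("binddn", "(anonymous)")
        if readable_by_others and dn in privileged_dns:
            findings.append(Finding("high", "bindpw for %s is readable by every local "
                                    "user and this is a privileged DN" % dn))
        elif readable_by_others:
            findings.append(Finding("medium", "bindpw for %s is readable by every local "
                                    "user; confirm this DN is read-only" % dn))
        if dn == conf.get("rootbinddn"):
            findings.append(Finding("high", "binddn and rootbinddn are the same DN, "
                                    "so the secret file protects nothing"))
    if "rootbinddn" in conf:
        if secret_mode is None:
            findings.append(Finding("high", "rootbinddn is set but %s is missing" % SECRET_FILE))
        elif secret_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(Finding("high", "%s mode %04o must be 0600" % (SECRET_FILE, secret_mode)))
    else:
        findings.append(Finding("info", "no rootbinddn: a privileged DN would have to live in "
                                "the readable config; use rootbinddn with %s" % SECRET_FILE))
    return findings

def worst_severity(findings):
    """Highest severity among the findings, or None when there are none."""
    order = {"info": 0, "medium": 1, "high": 2}
    return max((f.severity for f in findings), key=order.get, default=None)

# Constructed sample: the layout from the post, manager DN and its password inline.
POSTED_CONF = """\
host 127.0.0.1
base dc=sysgenmedia,dc=com
ldap_version 3
binddn cn=manager,dc=sysgenmedia,dc=com
bindpw MyPassWord
nss_base_passwd ou=People,dc=sysgenmedia,dc=com?one
ssl off
"""

# Constructed split layout: a read-only DN (placeholder name and password) in the readable
# file, the manager DN only as rootbinddn with its password kept in SECRET_FILE.
SPLIT_CONF = """\
host 127.0.0.1
base dc=sysgenmedia,dc=com
ldap_version 3
binddn cn=nss-reader,dc=sysgenmedia,dc=com
bindpw ReadOnlyPlaceholder
rootbinddn cn=manager,dc=sysgenmedia,dc=com
nss_base_passwd ou=People,dc=sysgenmedia,dc=com?one
ssl off
"""

MANAGER = ("cn=manager,dc=sysgenmedia,dc=com",)

if __name__ == "__main__":
    cases = [("posted layout, mode 0600", POSTED_CONF, 0o600, None),
             ("posted layout, mode 0644", POSTED_CONF, 0o644, None),
             ("split layout, mode 0644", SPLIT_CONF, 0o644, 0o600)]
    for label, text, mode, secret in cases:
        print(label)
        for f in audit(parse_nss_ldap_conf(text), mode, secret, MANAGER):
            print("  [%s] %s" % (f.severity, f.message))
```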


Re: [Samba] samba + ldap query filter

2006-09-04 Thread Felipe Augusto van de Wiel

On 09/03/2006 11:13 AM, Andreas Calvo wrote:
> Hi!
> I've been using samba as PDC with a LDAP backend, and everything seems to
> work fine but, whenever a user has to auth to samba, it seems that the
> query
> that it performs is against the mail attribute, instead of the uid as I
> desired.
> Is there any way to manually specify the query filter to use agains the
> LDAP
> tree?

I remember that there is an 'ldap filter' parameter.

I couldn't find it on the smb.conf manpage (I'm cc:ing
John Terpstra), but in the [1]docs I could find a reference.

1.http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#id2559680


I hope this helps.


> Thanks!

You are welcome, kind regards!

--
Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)


[Samba] samba + ldap query filter

2006-09-03 Thread Andreas Calvo

Hi!
I've been using samba as PDC with a LDAP backend, and everything seems to
work fine but, whenever a user has to auth to samba, it seems that the query
that it performs is against the mail attribute, instead of the uid as I
desired.
Is there any way to manually specify the query filter to use agains the LDAP
tree?
Thanks!


Re: [Samba] Samba + ldap documentation

2006-08-23 Thread Matt Richardson

Jean-Michel Caricand wrote:

> > Hi All,
> >
> > can anyone give me a proper documentation to do
> > samba + ldap PDC
> >
> > in my environment 50% of machine is in windows and 50% in
> > redhat linux..
> > winXP and RHEL3 and RHEL4
> >
> > if anyone can give a proper documentation ... that will be a
> > great help..
> >
> > thank you in advance
> > jerrynikky.
>
> Hi,
>
> I use http://us2.samba.org/samba/docs/man/Samba-Guide/ to
> build my environment :
>
> Servers PDC and BDC : Debian/LDAP/Samba 3.0.14
> Client : Fedora Core 4 and Windows XP Pro SP2
>
> All works fine.
>
> Cheers.
>
> Jean-Michel Caricand
> [EMAIL PROTECTED]

I used that as well for my Debian-based system, chapter 5 specifically. 
 If I recall, the docs are oriented towards Red Hat and Suse, so you 
shouldn't have too much trouble walking through the steps.  One day I'll 
write up my notes on how my Debian install was different.


--
Matt Richardson
IT Consultant
College of Arts and Letters
CSU San Bernardino
work: (909)537-7598
fax: (909)537-5926



Re: [Samba] Samba + ldap documentation

2006-08-23 Thread Jean-Michel Caricand
> Hi All,
>
> can anyone give me a proper documentation to do
> samba + ldap PDC
>
> in my environment 50% of machine is in windows and 50% in
> redhat linux..
> winXP and RHEL3 and RHEL4
>
> if anyone can give a proper documentation ... that will be a
> great help..
>
> thank you in advance
> jerrynikky.

Hi,

I use http://us2.samba.org/samba/docs/man/Samba-Guide/ to
build my environment :

Servers PDC and BDC : Debian/LDAP/Samba 3.0.14
Client : Fedora Core 4 and Windows XP Pro SP2

All works fine.

Cheers.


Jean-Michel Caricand

[EMAIL PROTECTED]









[Samba] Samba + ldap documentation

2006-08-23 Thread updatemyself .

Hi All,

can anyone give me a proper documentation to do
samba + ldap PDC

in my environment 50% of machine is in windows and 50% in redhat linux..
winXP and RHEL3 and RHEL4

if anyone can give a proper documentation ... that will be a great help..

thank you in advance
jerrynikky.


[Samba] samba, ldap and sco.. help please?

2006-08-07 Thread David Korsgen

The subject pretty much sums it up. SCO, Samba and LDAP.. only, we're not
using LDAP. I got dropped into the middle of this project with little
information about much of anything and I'm not a native to SCO and I'm
unfamiliar with Samba, however I will be as informative as possible.

# uname -a
SCO_SV smbpsrv1 3.2 5.0.6 i386

# /usr/local/samba/bin/smbd -V
Version 2.0.7

The admin of this box wants to upgrade Samba to version 3.0.14 in the hopes
that it will fix some performance and access/compatibility issues, however
I'm running in to some problems with a missing ldap library. To my
knowledge, we're not using ldap for password auth. And the old version of
Samba doesn't require this library. When we try to run the new version of
samba out of the test directory, trying to place the old config file where
it would be called from (assuming /etc/samba or /usr/bin/.. to be honest, we
aren't sure where the new config goes and there is no documentation for it),
we get the error message;

# /sambastuff/samba/dist/usr/sbin/smbd
dynamic linker : /sambastuff/samba/dist/usr/sbin/smbd : error opening
/usr/lib/libldap-2.2.so.7
Killed

With my limited experience with not only Samba, but SCO as well, I'm at a
loss. I come from a Linux and FreeBSD background and SCO is considerably
different for me. Any help or insight would be *greatly* appreciated.

Thanks,
David


Re: [Samba] samba ldap / password (smbpasswd)

2006-07-23 Thread Doug VanLeuven

oly wrote:

> hi i have set up samba as a pdc with ldap but i am having problems with
> passwords they do not seem to be taken from ldap instead i have to run
> smbpasswd username to allow a user to login.
>
> this directory will have around 800 users when complete and the ldap is also
> used for other authentication like to websites and other resources like
> jabber they all work fine it is only the windows login that needs smbpasswd.
>
> i have two accounts working the root and nobody accounts but none of the
> others do they have the samba scheme on all accounts but this does not help.
>
> any ideas as to why or how i can find where the problem is the failed logins
> do not seem to be logged anywhere and the failure message for windows is
> invalid username or password.

Have you set "passdb backend" in smb.conf?

Might help to let the list know what version samba you're running,
what your smb.conf is, etc.

Regards, Doug



[Samba] samba ldap / password (smbpasswd)

2006-07-23 Thread oly

hi i have set up samba as a pdc with ldap but i am having problems with
passwords they do not seem to be taken from ldap instead i have to run
smbpasswd username to allow a user to login.

this directory will have around 800 users when complete and the ldap is also
used for other authentication like to websites and other resources like
jabber they all work fine it is only the windows login that needs smbpasswd.

i have two accounts working the root and nobody accounts but none of the
others do they have the samba scheme on all accounts but this does not help.

any ideas as to why or how i can find where the problem is the failed logins
do not seem to be logged anywhere and the failure message for windows is
invalid username or password.


[Samba] Samba/LDAP User add problem...

2006-06-05 Thread listserv . traffic
I think I've got everything setup, and when i try to add a user to
samba, I get the following error.
---
smbldap-useradd -a -m -c "Greg Sloop" gregs
Error: SID not set for unix group 513
check if your unix group is mapped to an NT group

---
When I view the Domain Users group in the LDAP tree, the GID of 513 is
set. I'm sure this is something dumb on my comprehension part, but I
just don't see it. Perhaps someone can enlighten me.

Details:
-
FC5,
Samba 3.0.22
LDAP, 2.3.19
smbldap-tools, 0.9.2



Re: [Samba] samba + ldap

2006-06-05 Thread Marcin Giedz

Márcio Luciano Donada wrote:

Hi,

> Staff,
> I am with a problem in the hour to make the connection with the samba
> and ldap, in the hour to carry through the sharing, the same says that
> the password of the users died, already changes the password of user
> and exactly thus the problem persists.

Look for SambaAcctFlags in LDAP - it should be something like this for a
working account [U ]. Probably you have something like [DU ] - which
means that your account exists but it is blocked.


Regards,
Marcin


> --
> Márcio Luciano Donada
> Departamento de T.I. - Aurora Alimentos
> Cooperativa Central Oeste Catarinense - Chapecó(SC)
> mdonada at auroraalimentos dot com dot br

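Marcin's advice above, to read sambaAcctFlags and tell a working [U ] account from a blocked [DU ] one, as an added example that is not code from the thread: it decodes the flag letters Samba stores in that attribute and reviews a small LDIF export. The entries and DNs in SAMPLE_LDIF are constructed placeholders.

```python
import re

# Letters Samba writes into sambaAcctFlags and the ACB_* bit each one stands for.
ACCT_FLAGS = {
    "D": (0x0001, "disabled"),
    "H": (0x0002, "home directory required"),
    "N": (0x0004, "no password required"),
    "T": (0x0008, "temporary duplicate account"),
    "U": (0x0010, "normal user account"),
    "M": (0x0020, "MNS logon account"),
    "I": (0x0040, "interdomain trust account"),
    "W": (0x0080, "workstation trust account"),
    "S": (0x0100, "server trust account"),
    "X": (0x0200, "password does not expire"),
    "L": (0x0400, "auto-locked"),
}
ACCOUNT_TYPE_BITS = 0x0010 | 0x0040 | 0x0080 | 0x0100  # one of U, I, W, S is required

def decode_acct_flags(value):
    """'[DU         ]' -> ACB bitmask; Samba pads the brackets with spaces, order is free."""
    m = re.fullmatch(r"\[([A-Z ]*)\]", value.strip())
    if not m:
        raise ValueError("not a sambaAcctFlags value: %r" % value)
    mask = 0
    for ch in m.group(1).replace(" ", ""):
        if ch not in ACCT_FLAGS:
            raise ValueError("unknown account flag %r" % ch)
        mask |= ACCT_FLAGS[ch][0]
    return mask

def review_acct_flags(value):
    """Why a logon would be refused (the [DU ] case above) plus flags that weaken the account."""
    mask = decode_acct_flags(value)
    notes = []
    if mask & ACCT_FLAGS["D"][0]:
        notes.append("account is disabled")
    if mask & ACCT_FLAGS["L"][0]:
        notes.append("account is auto-locked")
    if not mask & ACCOUNT_TYPE_BITS:
        notes.append("no account type flag (U, W, S or I) set")
    if mask & ACCT_FLAGS["N"][0]:
        notes.append("no password required (N): an empty password is accepted")
    return notes

def parse_ldif_entries(text):
    """Minimal LDIF reader: blank-line separated entries, no folding, no base64 values."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, val = line.partition(":")
        current.setdefault(attr.strip(), []).append(val.strip())
    return entries

def audit_ldif(text):
    """Map each uid to its notes; an entry with no sambaAcctFlags is flagged for a manual check."""
    report = {}
    for entry in parse_ldif_entries(text):
        uid = entry.get("uid", ["?"])[0]
        flags = entry.get("sambaAcctFlags")
        if flags is None:
            report[uid] = ["missing sambaAcctFlags (objectClass sambaSamAccount present?)"]
        else:
            report[uid] = review_acct_flags(flags[0])
    return report

# Constructed sample entries with placeholder DNs, not data from the thread.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
sambaAcctFlags: [U          ]

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
sambaAcctFlags: [DU         ]

dn: uid=svc,ou=People,dc=example,dc=com
uid: svc
sambaAcctFlags: [NU         ]

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: carol
"""

if __name__ == "__main__":
    for uid, notes in audit_ldif(SAMPLE_LDIF).items():
        print(uid, "ok" if not notes else "; ".join(notes))
```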

[Samba] samba + ldap

2006-06-05 Thread Márcio Luciano Donada

Staff,
I am with a problem in the hour to make the connection with the samba
and ldap, in the hour to carry through the sharing, the same says that
the password of the users died, already changes the password of user
and exactly thus the problem persists.


--
Márcio Luciano Donada
Departamento de T.I. - Aurora Alimentos
Cooperativa Central Oeste Catarinense - Chapecó(SC)
mdonada at auroraalimentos dot com dot br


[Samba] samba ldap: deleting then adding a machine account

2006-05-31 Thread Philippe Strauss
Hello samba users,

I've set up a test PDC samba server, using LDAP backend. It worked fine
during the firsts tests, but for trying purpose, I deleted the client
machine
account using smbldap-userdel. re-adding the machine account, I cannot
login anymore using the win2k client. What can be done?

samba server: fedora core 4, samba 3.14a.
ldap server:  ubuntu  breezy,  openldap 2.2.26-3

thanks

-- 
Network & System Engineer
Goelaan SA, Switzerland
Tel. +41-22-960 98 20
Fax +41-22-960 98 21
http://www.goelaan.ch



Re: [Samba] samba ldap domain join

2006-05-17 Thread lenny
still haven't found any resolution for this problem. I tried using a "-t"
parameter with smbldap-passwd, but that didn't make any difference. The
debug output still shows that it simply can't find the created computer
account, even though it creates it in the right ou.

I wish there was a way to not have to deal with computer accounts at all.

here's the relevant part of debug output. machine name is cia.

 Finding user cia$
  Trying _Get_Pwnam(), username as lowercase is cia$
  Checking combinations of 0 uppercase letters in cia$
  Get_Pwnam_internals didn't find user [cia$]!
  _samr_create_user: Running the command
`/usr/local/samba/sbin/smbldap-useradd -t 5 -n -d /dev/null -s
/bin/false -w "cia"' gave 0
  Finding user cia$
  Trying _Get_Pwnam(), username as lowercase is cia$
  Checking combinations of 0 uppercase letters in cia$
  Get_Pwnam_internals didn't find user [cia$]!
  cia (192.168.1.94) closed connection to service IPC$



some other relevant config parts. ( the actual config files have correct
dns) ).

Domain Admins (S-1-5-21-572523613-314456280-397268875-512) -> sambaadmins
Domain Users (S-1-5-21-572523613-314456280-397268875-513) -> admins
Domain Guests (S-1-5-21-572523613-314456280-397268875-514) -> users
Domain Computers (S-1-5-21-572523613-314456280-397268875-515) -> guests


init_sam_from_ldap: Entry found for user: administrator
Home server: brutus
Home server: brutus
---
Unix username:administrator
NT username:  administrator
Account Flags:[U  ]
User SID: S-1-5-21-572523613-314456280-397268875-500
Primary Group SID:S-1-5-21-572523613-314456280-397268875-1041
Full Name:administrator
Home Directory:   \\brutus\administrator
HomeDir Drive:
Logon Script:
Profile Path: \\brutus\administrator\profile
Domain:   LDAPAUTH
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  Mon, 18 Jan 2038 22:14:07 EST
Kickoff time: Mon, 18 Jan 2038 22:14:07 EST
Password last set:Mon, 15 May 2006 10:00:52 EDT
Password can change:  Mon, 08 May 2006 14:39:02 EDT
Password must change: Mon, 18 Jan 2038 22:14:07 EST
Last bad password   : 0
Bad password count  : 0
Logon hours : FF

--

>
>
> smb.conf
>
>   add user script = /usr/local/samba/sbin/smbldap-useradd -n "%u"
>add machine script = /usr/local/samba/sbin/smbldap-useradd -n -d
> /dev/null -s /bin/false -w "%m"
>
> ldap suffix = dc=mydomain,dc=com
> ldap admin dn = "cn=Directory Manager"
> ldap group suffix = ou=groups,dc=mydomain,dc=com
> ldap idmap suffix = ou=idmap,dc=mydomain,dc=com
> ldap machine suffix =ou=computers,dc=mydomain,dc=com
> ldap ssl = no
> ldap user suffix = ou=people
> idmap backend = ldapsam:ldap://myldapserver
> idmap uid = 1-3
> idmap gid = 1-3

> smb-ldap.conf
>
> suffix="dc=mydomain,dc=com"
>
> usersdn="ou=People,${suffix}"
> computersdn="ou=computers,${suffix}"
> groupsdn="ou=Groups,${suffix}"
> idmapdn="ou=idmap,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=LDAPAUTH,${suffix}"







Re: [Samba] samba ldap domain join

2006-05-11 Thread lenny

> You don't need to give anonymous write access.
> You just need to give the ldap admin you set in smb.conf write access to
> the tree and properly set the ldap password with smbpasswd -w
>
Thank you, but this isn't really the issue for me right now. The rest of
the message described the problem I can't figure out.
By the way, I had smbpasswd -w set to Directory Manager's credentials
all the time, but I was getting
Insufficient 'write' privilege to the 'uidNumber' attribute of
entry 'sambadomainname
and Insufficient add privileges for ou=computers, until I just made both
objects writable by anyone. anyway... this is working right now and I'll
deal with security implications later, but joining the domain still
produces errors that I described below. Maybe it's worth mentioning that
I use Sun ONE directory 5.2, not OpenLDAP ?


It seems that even though the machine accounts get created upon successful
authentication, it fails to find that same machine account during the same
or another operation to actually join the domain.
The search string it uses has objectclass=sambaSamAccount. Apparently, the
newly created machine account doesn't have that object class. Also there's
no sambasid entry for the machine account ( not sure if it needs one, but
if sambaSamAccount requires that, I guess it does ? )

In addition to that, the search base it uses to look for the machine
accounts only has the parent suffix, without the "ou=computers".

Samba user accounts can be added with smbpasswd and all the sids,
passwords and other attributes are set correctly.

Another issue is that idmap ou doesn't seem to get populated with any
entries at all, but I also don't know if it should be.



base => [dc=mydomain,dc=com]


> > [(&(uid=computer$)(objectclass=sambaSamAccount))]


smb.conf

  add user script = /usr/local/samba/bin/smbldap-useradd -n "%u"
   add machine script = /usr/local/samba/bin/smbldap-useradd -n -d
/dev/null -s /bin/false -w "%m"

ldap admin dn = "cn=Directory Manager"
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=computers
ldap suffix = dc=mydomain,dc=com
ldap ssl = no
ldap user suffix = ou=people
idmap backend = ldapsam:ldap://myldapserver
idmap uid = 1-3
idmap gid = 1-3



smb-ldap.conf

suffix="dc=mydomain,dc=com"

usersdn="ou=People,${suffix}"
computersdn="ou=computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=LDAPAUTH,${suffix}"







Re: [Samba] samba ldap domain join

2006-05-11 Thread simo
On Thu, 2006-05-11 at 10:52 -0400, [EMAIL PROTECTED] wrote:
> I got passed this by permitting anonymous writes to sambadomain
> and ou=computers in LDAP ( not ideal, but I really want this to work
> already ). Now I'm running into another problem.

You don't need to give anonymous write access.
You just need to give the ldap admin you set in smb.conf write access to
the tree and properly set the ldap password with smbpasswd -w

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] samba ldap domain join

2006-05-11 Thread lenny
I got passed this by permitting anonymous writes to sambadomain
and ou=computers in LDAP ( not ideal, but I really want this to work
already ). Now I'm running into another problem.

It seems that even though the machine accounts get created upon successful
authentication, it fails to find that same machine account during the same
or another operation to actually join the domain.
The search string it uses has objectclass=sambaSamAccount. Apparently, the
newly created machine account doesn't have that object class. Also there's
no sambasid entry for the machine account ( not sure if it needs one, but
if sambaSamAccount requires that, I guess it does ? )

In addition to that, the search base it uses to look for the machine
accounts only has the parent suffix, without the "ou=computers".

Samba user accounts can be added with smbpasswd and all the sids,
passwords and other attributes are set correctly.

Another issue is that idmap ou doesn't seem to get populated with any
entries at all, but I also don't know if it should be.



base => [dc=mydomain,dc=com]


> [(&(uid=computer$)(objectclass=sambaSamAccount))]


smb.conf

  add user script = /usr/local/samba/bin/smbldap-useradd -n "%u"
   add machine script = /usr/local/samba/bin/smbldap-useradd -n -d
/dev/null -s /bin/false -w "%m"

ldap admin dn = "cn=Directory Manager"
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=computers
ldap suffix = dc=mydomain,dc=com
ldap ssl = no
ldap user suffix = ou=people
idmap backend = ldapsam:ldap://myldapserver
idmap uid = 1-3
idmap gid = 1-3



smb-ldap.conf

suffix="dc=mydomain,dc=com"

usersdn="ou=People,${suffix}"
computersdn="ou=computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=LDAPAUTH,${suffix}"

thank you.







> Still can't figure this one out.
>
> I get
>
> Error: Insufficient 'write' privilege to the 'uidNumber' attribute of
> entry 'sambadomainname=ldapauth,dc=mydomain,dc=com'.[2006/05/09 10:29:16,
> 0] rpc_server/srv_samr_nt.c:(2415)
>   _samr_create_user: Running the command
> `/usr/local/samba/bin/smbldap-useradd -n -g machines -c Machine -d
> /dev/null -s /bin/false computer$' gave 1
>
> when trying to join the domain from WinXP workstation.
>
> but if I run this manually
>  /usr/local/samba/bin/smbldap-useradd -w machine$
>
> machine$ computer account gets created exactly where it's expected, under
> ou=computers. Why isn't the default action creating machine
> accounts with -w switch ? Do I misunderstand something ?
>
>
> If simply browsing shares all windows auth. works fine via ldap.
>
> thank you all.
>
>
>
>>
>>



Re: [Samba] samba ldap domain join

2006-05-09 Thread lenny
Still can't figure this one out.

I get

Error: Insufficient 'write' privilege to the 'uidNumber' attribute of
entry 'sambadomainname=ldapauth,dc=mydomain,dc=com'.[2006/05/09 10:29:16,
0] rpc_server/srv_samr_nt.c:(2415)
  _samr_create_user: Running the command
`/usr/local/samba/bin/smbldap-useradd -n -g machines -c Machine -d
/dev/null -s /bin/false computer$' gave 1

when trying to join the domain from WinXP workstation.

but if I run this manually
 /usr/local/samba/bin/smbldap-useradd -w machine$

machine$ computer account gets created exactly where it's expected, under
ou=computers. Why isn't the default action creating machine
accounts with -w switch ? Do I misunderstand something ?


If simply browsing shares all windows auth. works fine via ldap.

thank you all.



>
> All LDAP authentication works just fine,
> windows passwords can be set for LDAP users. Windows workstations can connect
> to the machine's shares using windows passwords stored in LDAP.
>
> LDAP tools are configured with the right LDAP credentials and DN settings,
> for people and computers. The logs show authenticated connections with
> Directory Manager's credentials, but the computer accounts don't get
> created.
>
> Any advice?
>
> This seems to be the last issue I need to get fixed.
>
> Error: Insufficient 'write' privilege to the 'uidNumber' attribute of
> entry 'sambadomainname=ldapauth,dc=mydomain,dc=com'.[2006/05/04 10:15:17,
> 0] rpc_server/srv_samr_nt.c:(2415)
>   _samr_create_user: Running the command
> `/usr/local/samba/bin/smbldap-useradd -n -g machines -c Machine -d
> /dev/null -s /bin/false computer$' gave 1
>
>
>
>




[Samba] samba ldap domain join

2006-05-04 Thread lenny

All LDAP authentication works just fine,
windows passwords can be set for LDAP users. Windows workstations can connect
to the machine's shares using windows passwords stored in LDAP.

LDAP tools are configured with the right LDAP credentials and DN settings,
for people and computers. The logs show authenticated connections with
Directory Manager's credentials, but the computer accounts don't get
created.

Any advice?

This seems to be the last issue I need to get fixed.

Error: Insufficient 'write' privilege to the 'uidNumber' attribute of
entry 'sambadomainname=ldapauth,dc=mydomain,dc=com'.[2006/05/04 10:15:17,
0] rpc_server/srv_samr_nt.c:(2415)
  _samr_create_user: Running the command
`/usr/local/samba/bin/smbldap-useradd -n -g machines -c Machine -d
/dev/null -s /bin/false computer$' gave 1




[Samba] Samba+Ldap: Properties Dialog doesn't show owner, only groups, shares have R attribute set

2006-04-27 Thread Andreas Buchler
Hi all,

I have a samba PDC on linux (kernel 2.6.16-gentoo-r3, amd64, 2 cpu's, samba
3.0.22). My passdb backend is an ldap-server on a different machine. I did an
update from a slower machine.

The configuration files on the old and new machines are equal. After the update
all seems to be OK. I can login on the windows-clients and access the shares on
the server. But a closer look shows that the file properties dialog on a windows
machine doesn't show the user who owns the file in the xfs-filesystem on the
samba server (on the old machine it worked). The domain groups are shown
correctly.

Also all directories on a samba share have the R attribute set and some
applications say that the share is read only. But I can create, copy and delete
files on the share with explorer.

I googled a lot, but I couldn't find information which solves the problem or
gives me more information on what the reasons for the problem are. It seems
that the windows-clients don't know the domain users. Has anyone ever seen this
problem?

thnx a lot
andy

P.S.: if a log is needed, please tell me which loglevel.

[global]
dos charset = CP437
unix charset = CP437
workgroup = GCD
interfaces = 192.168.20.70/255.255.255.0
client schannel = No
map to guest = Bad User
passdb backend = ldapsam:ldap://IP-of-LDAP-Server
passwd program = /usr/local/bin/passwd_pl.tcl %u
passwd chat = "*new*password*" %n\n "*new*password*" %n\n "*changed*"
unix password sync = Yes
log level = 2
syslog = 0
log file = /var/log/samba3/log.%m
max log size = 5
name resolve order = lmhosts host bcast wins
time server = Yes
deadtime = 480
keepalive = 600
socket options = TCP_NODELAY IPTOS_THROUGHPUT SO_SNDBUF=65536 SO_RCVBUF=65536
printcap name = cups
add machine script = /usr/local/bin/nm.tcl %u
logon script = logon.bat
logon path = \\%L\profiles\%U\%m
logon drive = h:
logon home = \\%L\%U
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Manager,dc=de
ldap group suffix = ou=group
ldap idmap suffix = ou=idmaps
ldap machine suffix = ou=machines
ldap replication sleep = 5000
ldap suffix = dc=pl,ou=accounts,dc=mydomain,dc=de
ldap ssl = no
ldap user suffix = ou=user
lock directory = /var/lock/samba
profile acls = Yes
case sensitive = No
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
strict locking = No

[test]
comment = only for tests
path = /export1/test
read only = No
guest ok = No


