Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
On 3/4/06, John H Terpstra [EMAIL PROTECTED] wrote: I'd be delighted if someone steps forward with an offer to take over responsibility for maintenance and improvement of the documentation. Its about time for a more capable and more enthusiastic person to have a go. Please allow me rush to step aside. :-) for what it's worth: THANKS!!! for all your efforts with this documentation. I bought the book, I know of lots of people who have working samba domains thanks to your work. Will you write such a piece for the new samba version? I truly hope so, although if you do not I will certainly understand and respect your decision. And again: thanks a lot for your work. -- Groeten, J.Asenjo -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
Natxo Asenjo wrote: On 3/4/06, John H Terpstra [EMAIL PROTECTED] wrote: I'd be delighted if someone steps forward with an offer to take over responsibility for maintenance and improvement of the documentation. Its about time for a more capable and more enthusiastic person to have a go. Please allow me rush to step aside. :-) for what it's worth: THANKS!!! for all your efforts with this documentation. I bought the book, I know of lots of people who have working samba domains thanks to your work. Will you write such a piece for the new samba version? I truly hope so, although if you do not I will certainly understand and respect your decision. And again: thanks a lot for your work. Agreed, I can't say thanks enough. I've purchased both editions of the How-To and By-Example to support your efforts. Both books match up with Samba for quality, and I'll continue to point people at both volumes for any Samba questions that come up. Eric -- Eric Feldhusen System Administrator http://www.remc1.org [EMAIL PROTECTED] PO Box 270 (906) 482-4520 x239 809 Hecla St(906) 482-5031 fax Hancock, MI 49930 (906) 370 6202 mobile -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager -sambaadmin)
Well I am glad that there has been alot of input on this topic, alot of people are having different opinions but that is because we are not focusing with the problem at hand. The documentation provides full details on how to get samba + ldap working from scratch; but there seems to be a gap between chapter 5 6; Once again I will say I love this book; by far the best technical reference manaual available for samba and highly recommend it. Chapter 6, is it assumeing we are starting fresh here, because the ldap database is placed in a different directory to what was in chapter 5 slapd.conf? Questions; 1. If it is assumeing that we are starting from scratch; all configuration files are to that of the documentation - why will the database not populate with the smbldap-tools using sambaadmin? 2. If I change sambaadmin to Manager all works fine; is there anything wrong with doing this. 3. I am not interested in learning ldap and its complexities, otherwise I would not have bothered using ldap, samba 3 by example provides simple steps - however this step I am stuck with. 4. A solution ? For over a year now I have worked around this by using Manager in place of sambaadmin - but it is time for me to get to the bottom of this so I can start with another problem and move on to testing samba4. All your help and time is greatly appreciated. Thanks. Adrian. From: adrian sender [EMAIL PROTECTED] To: [EMAIL PROTECTED] CC: samba@lists.samba.org Subject: Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager -sambaadmin) Date: Fri, 03 Mar 2006 11:49:25 +1100 I have this in my slap.conf as per the docs; access to attrs=sambaLMPassword,sambaNTPassword by dn=cn=sambaadmin,dc=tinistuff,dc=com write by * none Should that work? From: Yanick Durant [EMAIL PROTECTED] To: adrian sender [EMAIL PROTECTED] CC: samba@lists.samba.org Subject: Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin) Date: Thu, 2 Mar 2006 09:49:19 +0100 (CET) You need to give enough rights to your sambaadmin to allow him to write to the ldap repository for adding users, and updating information. Ie : This kind of access rule inside your slapd.conf these line need to be after the database tag in the config file. This will also allow user to change their password access to attr=userPassword,sambaLMPassword,sambaNTPassword by self write by dn=cn=Manager,dc=tinistuff,dc=com write by dn=cn=sambaadmin,dc=tinistuff,dc=com write by anonymous auth by * none # The admin dn has full write access access to * by self write by dn=cn=Manager,dc=tinistuff,dc=com write by dn=cn=sambaadmin,dc=tinistuff,dc=com write by * read Regards, Yanick Durant I will try to explain my situtation a little better so other can understand. I am sticking to the documentation, (samba 3 by example by jht) excellent book!; So here is where I am at; I have configured my smb.conf; slapd.conf, ldap.conf, nssldap.conf as per the documentation chapter 6. I do have a bdc; however there is no relivence to that as I am only working on the PDC at the time; I have these commented out in the slapd.conf for the moment. #replica host=192.168.0.3:389 #suffix=dc=tinistuff,dc=com #binddn=cn=updateuser,dc=tinistuff,dc=com #bindmethod=simple credentials=123456 #replogfile /var/lib/ldap/replogfile This is my smb.conf as per chapter 6; ***Note we are using sambaadmin and not Manager as in Chapter 5*** ldap admin dn = cn=sambaadmin,dc=tinistuff,dc=com [EMAIL PROTECTED] sbin]# smbpasswd -w 123456 Setting stored password for cn=sambaadmin,dc=tinistuff,dc=com in secrets.tdb Does this look right so far; I am now going to configure smbldaptools as per the documentation; In chapter 5 (./configure) Ok, now we take a look at this - [EMAIL PROTECTED] sbin]# cat /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf # Credential Configuration # # Notes: you can specify two differents configuration if you use a # master ldap for writing access and a slave ldap server for reading access # By default, we will use the same DN (so it will work for standard Samba # release) slaveDN=cn=sambaadmin,dc=tinistuff,dc=com slavePw=123456 masterDN=cn=sambaadmin,dc=tinistuff,dc=com masterPw=123456 Time to populate the ldap DB. [EMAIL PROTECTED] sbin]# ./smbldap-populate -a root -k 0 -m 0 This does not work because it cannot bind as sambaadmin If I change my smbldap_bind to Manager, I can populate the DB. [EMAIL PROTECTED] sbin]# cat /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf # Credential Configuration # # Notes: you can specify two differents configuration if you use a # master ldap for writing access and a slave ldap server for reading access
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager -sambaadmin)
On Sat, 2006-03-04 at 00:25 +1100, adrian sender wrote: Well I am glad that there has been alot of input on this topic, alot of people are having different opinions but that is because we are not focusing with the problem at hand. The documentation provides full details on how to get samba + ldap working from scratch; but there seems to be a gap between chapter 5 6; Once again I will say I love this book; by far the best technical reference manaual available for samba and highly recommend it. Chapter 6, is it assumeing we are starting fresh here, because the ldap database is placed in a different directory to what was in chapter 5 slapd.conf? Questions; 1. If it is assumeing that we are starting from scratch; all configuration files are to that of the documentation - why will the database not populate with the smbldap-tools using sambaadmin? 2. If I change sambaadmin to Manager all works fine; is there anything wrong with doing this. 3. I am not interested in learning ldap and its complexities, otherwise I would not have bothered using ldap, samba 3 by example provides simple steps - however this step I am stuck with. 4. A solution ? For over a year now I have worked around this by using Manager in place of sambaadmin - but it is time for me to get to the bottom of this so I can start with another problem and move on to testing samba4. All your help and time is greatly appreciated. the reason you can't get past it is inherent in your 'question 3' which of course isn't a question at all. If you aren't interested in learning LDAP - don't use it. Perhaps with Samba 4, you can use LDAP without knowing a thing about it much as you can in a Windows AD but definitely not Samba 3 and OpenLDAP - there is no close my eyes and hope it works scenario that is going to work because the worst thing you can ever do is get lucky and make it work and then depend upon it to work because it will break and you won't be able to fix it. Craig -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
On Thursday 02 March 2006 23:15, Craig White wrote: On Thu, 2006-03-02 at 22:38 -0600, John H Terpstra wrote: I think you should follow Craig's advice, get your hands on a copy of LDAP System Administration, and go through it carefully. LDAP is a wonderful enabling technology, but if you don't understand how it works, you'll get terrible performance, and risk exposing private data. I have no argument with this advice - but please be careful that you do not needlessly scare people off from using LDAP. I was wondering if you dropped off the face of this planet since I knew you wouldn't take his commentary well. I started employment with AMD in January based in Austin, Texas. I've been very much swamped since December. I'll get back to the documentation when I come up for oxygen. My biggest concern isn't necessarily for performance or exposing data as much as having a user who relies upon a technology that provides essential user/group authentication services as well as configuration information and can neither comprehend nor maintain it and when you know what hits the fan, that user is ill equipped to solve the problem. No one should be scared away from using LDAP and the samba documentation clearly gives enough information to permit someone to integrate samba in an LDAP environment but the samba documentation doesn't suggest that you can use LDAP on your domain without getting a reasonably rounded education on using LDAP itself. Some people have that erroneous expectation. I have received a number of emails from people who used the Samba documentation - some of it is rude and some is most appreciative. I can handle criticism if it is valid. The documentation is in open SVN. Anyone can contribute patches - and those who contribute get recognition for their work. When I released the documentation to public CVS, and then to SVN, I made a conscious decision to disown my own work. I want to encourage people to contribute improvements to the documentation. There have been a few contributions - but most people just like to poke holes even where they do not exist. Samba3 by Example is not a book on LDAP. It has a well defined purpose and meets its goals. If anyone wishes to contribute systematic changes that converts the whole book to a new set of goals and objectives I will not object one bit. As far as I am concerned, the source is open and our users are far more experienced and much smarter than I am. Please, please make the problem go away if you feel inclined to do so. I'd be delighted if someone steps forward with an offer to take over responsibility for maintenance and improvement of the documentation. Its about time for a more capable and more enthusiastic person to have a go. Please allow me rush to step aside. :-) Cheers, John T. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
You need to give enough rights to your sambaadmin to allow him to write to the ldap repository for adding users, and updating information. Ie : This kind of access rule inside your slapd.conf these line need to be after the database tag in the config file. This will also allow user to change their password access to attr=userPassword,sambaLMPassword,sambaNTPassword by self write by dn=cn=Manager,dc=tinistuff,dc=com write by dn=cn=sambaadmin,dc=tinistuff,dc=com write by anonymous auth by * none # The admin dn has full write access access to * by self write by dn=cn=Manager,dc=tinistuff,dc=com write by dn=cn=sambaadmin,dc=tinistuff,dc=com write by * read Regards, Yanick Durant I will try to explain my situtation a little better so other can understand. I am sticking to the documentation, (samba 3 by example by jht) excellent book!; So here is where I am at; I have configured my smb.conf; slapd.conf, ldap.conf, nssldap.conf as per the documentation chapter 6. I do have a bdc; however there is no relivence to that as I am only working on the PDC at the time; I have these commented out in the slapd.conf for the moment. #replica host=192.168.0.3:389 #suffix=dc=tinistuff,dc=com #binddn=cn=updateuser,dc=tinistuff,dc=com #bindmethod=simple credentials=123456 #replogfile /var/lib/ldap/replogfile This is my smb.conf as per chapter 6; ***Note we are using sambaadmin and not Manager as in Chapter 5*** ldap admin dn = cn=sambaadmin,dc=tinistuff,dc=com [EMAIL PROTECTED] sbin]# smbpasswd -w 123456 Setting stored password for cn=sambaadmin,dc=tinistuff,dc=com in secrets.tdb Does this look right so far; I am now going to configure smbldaptools as per the documentation; In chapter 5 (./configure) Ok, now we take a look at this - [EMAIL PROTECTED] sbin]# cat /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf # Credential Configuration # # Notes: you can specify two differents configuration if you use a # master ldap for writing access and a slave ldap server for reading access # By default, we will use the same DN (so it will work for standard Samba # release) slaveDN=cn=sambaadmin,dc=tinistuff,dc=com slavePw=123456 masterDN=cn=sambaadmin,dc=tinistuff,dc=com masterPw=123456 Time to populate the ldap DB. [EMAIL PROTECTED] sbin]# ./smbldap-populate -a root -k 0 -m 0 This does not work because it cannot bind as sambaadmin If I change my smbldap_bind to Manager, I can populate the DB. [EMAIL PROTECTED] sbin]# cat /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf # Credential Configuration # # Notes: you can specify two differents configuration if you use a # master ldap for writing access and a slave ldap server for reading access # By default, we will use the same DN (so it will work for standard Samba # release) slaveDN=cn=Manager,dc=tinistuff,dc=com slavePw=123456 masterDN=cn=Manager,dc=tinistuff,dc=com masterPw=123456 Now it populates fine. Is this a fault on my behalf, or is there something wrong with sambaadmin in the config files? PS - please forgive any spelling errors. Kind Regards, Adrian Sender. From: Gordon Messmer [EMAIL PROTECTED] To: adrian sender [EMAIL PROTECTED], samba samba@lists.samba.org Subject: Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin) Date: Wed, 01 Mar 2006 08:13:32 -0800 Well... you have to create the containers using slapdadd. After the containers are present, then you can populate them with users, etc, using ldapadd or other tools. If you haven't created the containers, nothing is going to work. adrian sender wrote: The database has not been populated, and cannot be populated using sambaadmin From: Gordon Messmer [EMAIL PROTECTED] To: adrian sender [EMAIL PROTECTED] CC: samba@lists.samba.org Subject: Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin) Date: Tue, 28 Feb 2006 22:01:24 -0800 adrian sender wrote: [EMAIL PROTECTED] scripts]# slapadd -v -l admin-accts.ldif added: cn=updateuser,dc=tinistuff,dc=com (0002) added: cn=sambaadmin,dc=tinistuff,dc=com (0003) Error, entries missing! entry 1: dc=tinistuff,dc=com If you dump the database, does dc=tinistuff,dc=com show up in there? It looks like the entry for the base DN is missing, which might explain the problems that you're having. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
I have this in my slap.conf as per the docs; access to attrs=sambaLMPassword,sambaNTPassword by dn=cn=sambaadmin,dc=tinistuff,dc=com write by * none Should that work? From: Yanick Durant [EMAIL PROTECTED] To: adrian sender [EMAIL PROTECTED] CC: samba@lists.samba.org Subject: Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin) Date: Thu, 2 Mar 2006 09:49:19 +0100 (CET) You need to give enough rights to your sambaadmin to allow him to write to the ldap repository for adding users, and updating information. Ie : This kind of access rule inside your slapd.conf these line need to be after the database tag in the config file. This will also allow user to change their password access to attr=userPassword,sambaLMPassword,sambaNTPassword by self write by dn=cn=Manager,dc=tinistuff,dc=com write by dn=cn=sambaadmin,dc=tinistuff,dc=com write by anonymous auth by * none # The admin dn has full write access access to * by self write by dn=cn=Manager,dc=tinistuff,dc=com write by dn=cn=sambaadmin,dc=tinistuff,dc=com write by * read Regards, Yanick Durant I will try to explain my situtation a little better so other can understand. I am sticking to the documentation, (samba 3 by example by jht) excellent book!; So here is where I am at; I have configured my smb.conf; slapd.conf, ldap.conf, nssldap.conf as per the documentation chapter 6. I do have a bdc; however there is no relivence to that as I am only working on the PDC at the time; I have these commented out in the slapd.conf for the moment. #replica host=192.168.0.3:389 #suffix=dc=tinistuff,dc=com #binddn=cn=updateuser,dc=tinistuff,dc=com #bindmethod=simple credentials=123456 #replogfile /var/lib/ldap/replogfile This is my smb.conf as per chapter 6; ***Note we are using sambaadmin and not Manager as in Chapter 5*** ldap admin dn = cn=sambaadmin,dc=tinistuff,dc=com [EMAIL PROTECTED] sbin]# smbpasswd -w 123456 Setting stored password for cn=sambaadmin,dc=tinistuff,dc=com in secrets.tdb Does this look right so far; I am now going to configure smbldaptools as per the documentation; In chapter 5 (./configure) Ok, now we take a look at this - [EMAIL PROTECTED] sbin]# cat /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf # Credential Configuration # # Notes: you can specify two differents configuration if you use a # master ldap for writing access and a slave ldap server for reading access # By default, we will use the same DN (so it will work for standard Samba # release) slaveDN=cn=sambaadmin,dc=tinistuff,dc=com slavePw=123456 masterDN=cn=sambaadmin,dc=tinistuff,dc=com masterPw=123456 Time to populate the ldap DB. [EMAIL PROTECTED] sbin]# ./smbldap-populate -a root -k 0 -m 0 This does not work because it cannot bind as sambaadmin If I change my smbldap_bind to Manager, I can populate the DB. [EMAIL PROTECTED] sbin]# cat /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf # Credential Configuration # # Notes: you can specify two differents configuration if you use a # master ldap for writing access and a slave ldap server for reading access # By default, we will use the same DN (so it will work for standard Samba # release) slaveDN=cn=Manager,dc=tinistuff,dc=com slavePw=123456 masterDN=cn=Manager,dc=tinistuff,dc=com masterPw=123456 Now it populates fine. Is this a fault on my behalf, or is there something wrong with sambaadmin in the config files? PS - please forgive any spelling errors. Kind Regards, Adrian Sender. From: Gordon Messmer [EMAIL PROTECTED] To: adrian sender [EMAIL PROTECTED], samba samba@lists.samba.org Subject: Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin) Date: Wed, 01 Mar 2006 08:13:32 -0800 Well... you have to create the containers using slapdadd. After the containers are present, then you can populate them with users, etc, using ldapadd or other tools. If you haven't created the containers, nothing is going to work. adrian sender wrote: The database has not been populated, and cannot be populated using sambaadmin From: Gordon Messmer [EMAIL PROTECTED] To: adrian sender [EMAIL PROTECTED] CC: samba@lists.samba.org Subject: Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin) Date: Tue, 28 Feb 2006 22:01:24 -0800 adrian sender wrote: [EMAIL PROTECTED] scripts]# slapadd -v -l admin-accts.ldif added: cn=updateuser,dc=tinistuff,dc=com (0002) added: cn=sambaadmin,dc=tinistuff,dc=com (0003) Error, entries missing! entry 1: dc=tinistuff,dc=com If you dump the database, does dc=tinistuff,dc=com show up in there? It looks like the entry for the base DN is missing, which might explain the problems that you're having
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
you are gonna need to add 'self write' to your ACL's for users to login. You probably should follow Yanick's very simple ACL's at first - just to get you started but you aren't going to learn ACL's from samba Craig On Fri, 2006-03-03 at 11:49 +1100, adrian sender wrote: I have this in my slap.conf as per the docs; access to attrs=sambaLMPassword,sambaNTPassword by dn=cn=sambaadmin,dc=tinistuff,dc=com write by * none Should that work? From: Yanick Durant [EMAIL PROTECTED] To: adrian sender [EMAIL PROTECTED] CC: samba@lists.samba.org Subject: Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin) Date: Thu, 2 Mar 2006 09:49:19 +0100 (CET) You need to give enough rights to your sambaadmin to allow him to write to the ldap repository for adding users, and updating information. Ie : This kind of access rule inside your slapd.conf these line need to be after the database tag in the config file. This will also allow user to change their password access to attr=userPassword,sambaLMPassword,sambaNTPassword by self write by dn=cn=Manager,dc=tinistuff,dc=com write by dn=cn=sambaadmin,dc=tinistuff,dc=com write by anonymous auth by * none # The admin dn has full write access access to * by self write by dn=cn=Manager,dc=tinistuff,dc=com write by dn=cn=sambaadmin,dc=tinistuff,dc=com write by * read Regards, Yanick Durant I will try to explain my situtation a little better so other can understand. I am sticking to the documentation, (samba 3 by example by jht) excellent book!; So here is where I am at; I have configured my smb.conf; slapd.conf, ldap.conf, nssldap.conf as per the documentation chapter 6. I do have a bdc; however there is no relivence to that as I am only working on the PDC at the time; I have these commented out in the slapd.conf for the moment. #replica host=192.168.0.3:389 #suffix=dc=tinistuff,dc=com #binddn=cn=updateuser,dc=tinistuff,dc=com #bindmethod=simple credentials=123456 #replogfile /var/lib/ldap/replogfile This is my smb.conf as per chapter 6; ***Note we are using sambaadmin and not Manager as in Chapter 5*** ldap admin dn = cn=sambaadmin,dc=tinistuff,dc=com [EMAIL PROTECTED] sbin]# smbpasswd -w 123456 Setting stored password for cn=sambaadmin,dc=tinistuff,dc=com in secrets.tdb Does this look right so far; I am now going to configure smbldaptools as per the documentation; In chapter 5 (./configure) Ok, now we take a look at this - [EMAIL PROTECTED] sbin]# cat /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf # Credential Configuration # # Notes: you can specify two differents configuration if you use a # master ldap for writing access and a slave ldap server for reading access # By default, we will use the same DN (so it will work for standard Samba # release) slaveDN=cn=sambaadmin,dc=tinistuff,dc=com slavePw=123456 masterDN=cn=sambaadmin,dc=tinistuff,dc=com masterPw=123456 Time to populate the ldap DB. [EMAIL PROTECTED] sbin]# ./smbldap-populate -a root -k 0 -m 0 This does not work because it cannot bind as sambaadmin If I change my smbldap_bind to Manager, I can populate the DB. [EMAIL PROTECTED] sbin]# cat /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf # Credential Configuration # # Notes: you can specify two differents configuration if you use a # master ldap for writing access and a slave ldap server for reading access # By default, we will use the same DN (so it will work for standard Samba # release) slaveDN=cn=Manager,dc=tinistuff,dc=com slavePw=123456 masterDN=cn=Manager,dc=tinistuff,dc=com masterPw=123456 Now it populates fine. Is this a fault on my behalf, or is there something wrong with sambaadmin in the config files? PS - please forgive any spelling errors. Kind Regards, Adrian Sender. From: Gordon Messmer [EMAIL PROTECTED] To: adrian sender [EMAIL PROTECTED], samba samba@lists.samba.org Subject: Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin) Date: Wed, 01 Mar 2006 08:13:32 -0800 Well... you have to create the containers using slapdadd. After the containers are present, then you can populate them with users, etc, using ldapadd or other tools. If you haven't created the containers, nothing is going to work. adrian sender wrote: The database has not been populated, and cannot be populated using sambaadmin From: Gordon Messmer [EMAIL PROTECTED] To: adrian sender [EMAIL PROTECTED] CC: samba@lists.samba.org
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
On Thursday 02 March 2006 01:38, Gordon Messmer wrote: adrian sender wrote: I am sticking to the documentation, (samba 3 by example by jht) excellent book!; Yes, it's an excellent book. I have a copy, myself. However, you won't get anywhere sticking to its LDAP documentation. The LDAP documentation in Samba-3 by Example is BAD. Very bad. It completely abrogates any discussion of security as a matter that the user should be expert enough to handle, and gives example configuration files that are completely open to attack. It would have been better to ignore the LDAP server's configuration entirely and explicitly state that admins are expected to be able to do it on their own. Where were you when I asked for feedback and review? When will you provide updates to the documentation that improve its real value? I hope you are willing to contribute corrections and improvements and not just criticism. All contributions are most appreciated. Further, Samba-3 by Example assumes that you have a working directory, to begin with. Using OpenLDAP, you must create the containers (using Please explain this claim? Where does chapter 5 of Samba-3 by Example make that assumption? Are you sure that chapter 5 does not provide clean-slate installation instructions that create a fully working LDAP directory that has been correctly populated? slapadd, or ldapadd and the rootdn) before you can bind and populate the directory with other tools. This is covered in the quickstart guide: http://www.openldap.org/doc/admin23/quickstart.html I think you should follow Craig's advice, get your hands on a copy of LDAP System Administration, and go through it carefully. LDAP is a wonderful enabling technology, but if you don't understand how it works, you'll get terrible performance, and risk exposing private data. I have no argument with this advice - but please be careful that you do not needlessly scare people off from using LDAP. - John T. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
On Thu, 2006-03-02 at 22:38 -0600, John H Terpstra wrote: I think you should follow Craig's advice, get your hands on a copy of LDAP System Administration, and go through it carefully. LDAP is a wonderful enabling technology, but if you don't understand how it works, you'll get terrible performance, and risk exposing private data. I have no argument with this advice - but please be careful that you do not needlessly scare people off from using LDAP. I was wondering if you dropped off the face of this planet since I knew you wouldn't take his commentary well. My biggest concern isn't necessarily for performance or exposing data as much as having a user who relies upon a technology that provides essential user/group authentication services as well as configuration information and can neither comprehend nor maintain it and when you know what hits the fan, that user is ill equipped to solve the problem. No one should be scared away from using LDAP and the samba documentation clearly gives enough information to permit someone to integrate samba in an LDAP environment but the samba documentation doesn't suggest that you can use LDAP on your domain without getting a reasonably rounded education on using LDAP itself. Some people have that erroneous expectation. Craig -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
John H Terpstra wrote: Where were you when I asked for feedback and review? Beats me, man. Working on something else. :) When will you provide updates to the documentation that improve its real value? Huh... I hadn't considered that it'd be accepted. Specifically, because of this note: Why did you not cover secure practices? Isn't it rather irresponsible to instruct network administrators to implement insecure solutions? ... I made the decision, right or wrong, to keep this material as simple as possible. The intent of this book is to demonstrate a working solution and not to discuss too many peripheral issues. It really bothers me to see any reference material treat security as an exercise for the reader. It bothered me more because as far as I've been able to determine, there's no reference material available which discusses which of the samba attributes need to be hidden from public view, and which need to be protected from writing by self. Now, maybe my impression of the security practices you had in mind wasn't accurate. If you're open to what I think would be improvements, I could send patches to the documentation. I presume it's in CVS somewhere? Let me know where to check it out. I hope you are willing to contribute corrections and improvements and not just criticism. All contributions are most appreciated. Awww... but criticism is what I've got the most of. ;) Are you sure that chapter 5 does not provide clean-slate installation instructions that create a fully working LDAP directory that has been correctly populated? Um, no. You busted me. I misread some of the docs, and then made an erroneous claim. My mistake was reinforced by the expectation that Adrian had followed the documentation, which probably isn't the case. If it were, then the top level entries of his directory probably wouldn't be missing. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
Well... you have to create the containers using slapdadd. After the containers are present, then you can populate them with users, etc, using ldapadd or other tools. If you haven't created the containers, nothing is going to work. adrian sender wrote: The database has not been populated, and cannot be populated using sambaadmin From: Gordon Messmer [EMAIL PROTECTED] To: adrian sender [EMAIL PROTECTED] CC: samba@lists.samba.org Subject: Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin) Date: Tue, 28 Feb 2006 22:01:24 -0800 adrian sender wrote: [EMAIL PROTECTED] scripts]# slapadd -v -l admin-accts.ldif added: cn=updateuser,dc=tinistuff,dc=com (0002) added: cn=sambaadmin,dc=tinistuff,dc=com (0003) Error, entries missing! entry 1: dc=tinistuff,dc=com If you dump the database, does dc=tinistuff,dc=com show up in there? It looks like the entry for the base DN is missing, which might explain the problems that you're having. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
I will try to explain my situtation a little better so other can understand. I am sticking to the documentation, (samba 3 by example by jht) excellent book!; So here is where I am at; I have configured my smb.conf; slapd.conf, ldap.conf, nssldap.conf as per the documentation chapter 6. I do have a bdc; however there is no relivence to that as I am only working on the PDC at the time; I have these commented out in the slapd.conf for the moment. #replica host=192.168.0.3:389 #suffix=dc=tinistuff,dc=com #binddn=cn=updateuser,dc=tinistuff,dc=com #bindmethod=simple credentials=123456 #replogfile /var/lib/ldap/replogfile This is my smb.conf as per chapter 6; ***Note we are using sambaadmin and not Manager as in Chapter 5*** ldap admin dn = cn=sambaadmin,dc=tinistuff,dc=com [EMAIL PROTECTED] sbin]# smbpasswd -w 123456 Setting stored password for cn=sambaadmin,dc=tinistuff,dc=com in secrets.tdb Does this look right so far; I am now going to configure smbldaptools as per the documentation; In chapter 5 (./configure) Ok, now we take a look at this - [EMAIL PROTECTED] sbin]# cat /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf # Credential Configuration # # Notes: you can specify two differents configuration if you use a # master ldap for writing access and a slave ldap server for reading access # By default, we will use the same DN (so it will work for standard Samba # release) slaveDN=cn=sambaadmin,dc=tinistuff,dc=com slavePw=123456 masterDN=cn=sambaadmin,dc=tinistuff,dc=com masterPw=123456 Time to populate the ldap DB. [EMAIL PROTECTED] sbin]# ./smbldap-populate -a root -k 0 -m 0 This does not work because it cannot bind as sambaadmin If I change my smbldap_bind to Manager, I can populate the DB. [EMAIL PROTECTED] sbin]# cat /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf # Credential Configuration # # Notes: you can specify two differents configuration if you use a # master ldap for writing access and a slave ldap server for reading access # By default, we will use the same DN (so it will work for standard Samba # release) slaveDN=cn=Manager,dc=tinistuff,dc=com slavePw=123456 masterDN=cn=Manager,dc=tinistuff,dc=com masterPw=123456 Now it populates fine. Is this a fault on my behalf, or is there something wrong with sambaadmin in the config files? PS - please forgive any spelling errors. Kind Regards, Adrian Sender. From: Gordon Messmer [EMAIL PROTECTED] To: adrian sender [EMAIL PROTECTED], samba samba@lists.samba.org Subject: Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin) Date: Wed, 01 Mar 2006 08:13:32 -0800 Well... you have to create the containers using slapdadd. After the containers are present, then you can populate them with users, etc, using ldapadd or other tools. If you haven't created the containers, nothing is going to work. adrian sender wrote: The database has not been populated, and cannot be populated using sambaadmin From: Gordon Messmer [EMAIL PROTECTED] To: adrian sender [EMAIL PROTECTED] CC: samba@lists.samba.org Subject: Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin) Date: Tue, 28 Feb 2006 22:01:24 -0800 adrian sender wrote: [EMAIL PROTECTED] scripts]# slapadd -v -l admin-accts.ldif added: cn=updateuser,dc=tinistuff,dc=com (0002) added: cn=sambaadmin,dc=tinistuff,dc=com (0003) Error, entries missing! entry 1: dc=tinistuff,dc=com If you dump the database, does dc=tinistuff,dc=com show up in there? It looks like the entry for the base DN is missing, which might explain the problems that you're having. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
On Thu, 2006-03-02 at 14:47 +1100, adrian sender wrote: I will try to explain my situtation a little better so other can understand. I am sticking to the documentation, (samba 3 by example by jht) excellent book!; So here is where I am at; I have configured my smb.conf; slapd.conf, ldap.conf, nssldap.conf as per the documentation chapter 6. I do have a bdc; however there is no relivence to that as I am only working on the PDC at the time; I have these commented out in the slapd.conf for the moment. #replica host=192.168.0.3:389 #suffix=dc=tinistuff,dc=com #binddn=cn=updateuser,dc=tinistuff,dc=com #bindmethod=simple credentials=123456 #replogfile /var/lib/ldap/replogfile This is my smb.conf as per chapter 6; ***Note we are using sambaadmin and not Manager as in Chapter 5*** ldap admin dn = cn=sambaadmin,dc=tinistuff,dc=com [EMAIL PROTECTED] sbin]# smbpasswd -w 123456 Setting stored password for cn=sambaadmin,dc=tinistuff,dc=com in secrets.tdb Does this look right so far; I am now going to configure smbldaptools as per the documentation; In chapter 5 (./configure) Ok, now we take a look at this - [EMAIL PROTECTED] sbin]# cat /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf # Credential Configuration # # Notes: you can specify two differents configuration if you use a # master ldap for writing access and a slave ldap server for reading access # By default, we will use the same DN (so it will work for standard Samba # release) slaveDN=cn=sambaadmin,dc=tinistuff,dc=com slavePw=123456 masterDN=cn=sambaadmin,dc=tinistuff,dc=com masterPw=123456 Time to populate the ldap DB. [EMAIL PROTECTED] sbin]# ./smbldap-populate -a root -k 0 -m 0 This does not work because it cannot bind as sambaadmin If I change my smbldap_bind to Manager, I can populate the DB. [EMAIL PROTECTED] sbin]# cat /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf # Credential Configuration # # Notes: you can specify two differents configuration if you use a # master ldap for writing access and a slave ldap server for reading access # By default, we will use the same DN (so it will work for standard Samba # release) slaveDN=cn=Manager,dc=tinistuff,dc=com slavePw=123456 masterDN=cn=Manager,dc=tinistuff,dc=com masterPw=123456 Now it populates fine. Is this a fault on my behalf, or is there something wrong with sambaadmin in the config files? PS - please forgive any spelling errors. the problem with this of course is that this really has nothing to do with Samba at all - this is strictly a user grappling with LDAP. What do you get from command line ? ldapsearch -x -h localhost -D 'cn=Manager,dc=tinistuff,dc=com' -W \ '(cn=sambaadmin)' If there is a dn: there it should show several attributes including a userPassword attribute. My guess is that is why it's not working...either there isn't a dn: cn=sambaadmin,dc=tinistuff,dc=com or there isn't a userPassword attribute set. My recommendation to you is to forget all about samba for a while and learn how to set up and manage LDAP. Then integrating samba will be a piece of cake. Here's my best suggestion, buy LDAP System Administration book by Gerald Carter (yes, our Jerry)...it's a bit outdated but it makes understanding LDAP easy. Using samba to learn LDAP is like trying to use salad tongs to do neuro surgery. Craig -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
adrian sender wrote: I am sticking to the documentation, (samba 3 by example by jht) excellent book!; Yes, it's an excellent book. I have a copy, myself. However, you won't get anywhere sticking to its LDAP documentation. The LDAP documentation in Samba-3 by Example is BAD. Very bad. It completely abrogates any discussion of security as a matter that the user should be expert enough to handle, and gives example configuration files that are completely open to attack. It would have been better to ignore the LDAP server's configuration entirely and explicitly state that admins are expected to be able to do it on their own. Further, Samba-3 by Example assumes that you have a working directory, to begin with. Using OpenLDAP, you must create the containers (using slapadd, or ldapadd and the rootdn) before you can bind and populate the directory with other tools. This is covered in the quickstart guide: http://www.openldap.org/doc/admin23/quickstart.html I think you should follow Craig's advice, get your hands on a copy of LDAP System Administration, and go through it carefully. LDAP is a wonderful enabling technology, but if you don't understand how it works, you'll get terrible performance, and risk exposing private data. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
Hi Gordon, This is my admin-accts.ldif; --- dn: cn=updateuser,dc=tinistuff,dc=com objectClass: person cn: updateuser sn: updateuser userPassword: {crypt}ABiELdbxGY2fY dn: cn=sambaadmin,dc=tinistuff,dc=com objectClass: person cn: sambaadmin sn: sambaadmin userPassword: {crypt}ABiELdbxGY2fY So the ldap server is stopped, I add these entries; and restart ldap. [EMAIL PROTECTED] scripts]# slapadd -v -l admin-accts.ldif added: cn=updateuser,dc=tinistuff,dc=com (0002) added: cn=sambaadmin,dc=tinistuff,dc=com (0003) Error, entries missing! entry 1: dc=tinistuff,dc=com [EMAIL PROTECTED] programs]# ldapsearch -x -D cn=sambaadmin,dc=tinistuff,dc=com -W uid=sambaadmin Enter LDAP Password: ldap_bind: Invalid credentials (49) It will not let me populate the database either; however I can populate fine when using Manager instead of sambaadmin [EMAIL PROTECTED] sbin]# ./smbldap-populate -a root -k 0 -m 0 Populating LDAP directory for domain TINISTUFF (S-1-5-21-1850218137-420253120-3974286998) (using builtin directory structure) adding new entry: dc=tinistuff,dc=com failed to add entry: modifications require authentication at ./smbldap-populate line 471, GEN1 line 2. etc.. Hm :( Adrian. From: Gordon Messmer [EMAIL PROTECTED] To: adrian sender [EMAIL PROTECTED] CC: samba@lists.samba.org Subject: Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin) Date: Sun, 26 Feb 2006 23:08:29 -0800 adrian sender wrote: Hey Guys, Gordon, I do not think that is the issue; I have tried what you said but still get the same error. Remember I have a SDC or BDC that uses updateuser; the ldif I add for that uses plain text passwords and works perfectly. I see... Your original message indicated that you had an updateuser in the database, but didn't indicate that you were actually using it for anything. I'm still guessing that this is an LDAP issue, and not a samba one. Are you able to perform a search with the sambaadmin user, or the updateuser user, using the ldapsearch command line? Try both of these, and make sure that sambaadmin is not the rootdn specified in your slapd.conf: ldapsearch -x -D cn=sambaadmin,dc=ddesign,dc=com -W uid=sambaadmin ldapsearch -x -D cn=updateuser,dc=ddesign,dc=com -W uid=sambaadmin -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
adrian sender wrote: [EMAIL PROTECTED] scripts]# slapadd -v -l admin-accts.ldif added: cn=updateuser,dc=tinistuff,dc=com (0002) added: cn=sambaadmin,dc=tinistuff,dc=com (0003) Error, entries missing! entry 1: dc=tinistuff,dc=com If you dump the database, does dc=tinistuff,dc=com show up in there? It looks like the entry for the base DN is missing, which might explain the problems that you're having. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
On Wed, 2006-03-01 at 15:45 +1100, adrian sender wrote: Hi Gordon, This is my admin-accts.ldif; --- dn: cn=updateuser,dc=tinistuff,dc=com objectClass: person cn: updateuser sn: updateuser userPassword: {crypt}ABiELdbxGY2fY dn: cn=sambaadmin,dc=tinistuff,dc=com objectClass: person cn: sambaadmin sn: sambaadmin userPassword: {crypt}ABiELdbxGY2fY So the ldap server is stopped, I add these entries; and restart ldap. [EMAIL PROTECTED] scripts]# slapadd -v -l admin-accts.ldif added: cn=updateuser,dc=tinistuff,dc=com (0002) added: cn=sambaadmin,dc=tinistuff,dc=com (0003) Error, entries missing! entry 1: dc=tinistuff,dc=com [EMAIL PROTECTED] programs]# ldapsearch -x -D cn=sambaadmin,dc=tinistuff,dc=com -W uid=sambaadmin Enter LDAP Password: ldap_bind: Invalid credentials (49) It will not let me populate the database either; however I can populate fine when using Manager instead of sambaadmin [EMAIL PROTECTED] sbin]# ./smbldap-populate -a root -k 0 -m 0 Populating LDAP directory for domain TINISTUFF (S-1-5-21-1850218137-420253120-3974286998) (using builtin directory structure) adding new entry: dc=tinistuff,dc=com failed to add entry: modifications require authentication at ./smbldap-populate line 471, GEN1 line 2. no - this seems to have failed too. can you authenticate with your rootdn? Craig -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
adrian sender wrote: Hey Guys, Gordon, I do not think that is the issue; I have tried what you said but still get the same error. Remember I have a SDC or BDC that uses updateuser; the ldif I add for that uses plain text passwords and works perfectly. I see... Your original message indicated that you had an updateuser in the database, but didn't indicate that you were actually using it for anything. I'm still guessing that this is an LDAP issue, and not a samba one. Are you able to perform a search with the sambaadmin user, or the updateuser user, using the ldapsearch command line? Try both of these, and make sure that sambaadmin is not the rootdn specified in your slapd.conf: ldapsearch -x -D cn=sambaadmin,dc=ddesign,dc=com -W uid=sambaadmin ldapsearch -x -D cn=updateuser,dc=ddesign,dc=com -W uid=sambaadmin -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
Hey Guys, Gordon, I do not think that is the issue; I have tried what you said but still get the same error. Remember I have a SDC or BDC that uses updateuser; the ldif I add for that uses plain text passwords and works perfectly. H. Adrian. From: Gordon Messmer [EMAIL PROTECTED] To: adrian sender [EMAIL PROTECTED] CC: samba@lists.samba.org Subject: Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin) Date: Mon, 20 Feb 2006 10:20:58 -0800 adrian sender wrote: Hi gordon, I don't think that is the issue here because I am able to use Manager ldif with plain text passwords. Yeah... I don't think you are. According to your account, you're only able to use Manager or sambaadmin when it's the rootdn in the openldap configuration file. In that case, the plain text password from the configuration file, and not the password in the directory, is used. Try crypt()ing the password, and see if that allows you to bind as the sambaadmin user, without specifying that account as the rootdn. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
adrian sender wrote: Hi gordon, I don't think that is the issue here because I am able to use Manager ldif with plain text passwords. Yeah... I don't think you are. According to your account, you're only able to use Manager or sambaadmin when it's the rootdn in the openldap configuration file. In that case, the plain text password from the configuration file, and not the password in the directory, is used. Try crypt()ing the password, and see if that allows you to bind as the sambaadmin user, without specifying that account as the rootdn. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
adrian sender wrote: dn: cn=sambaadmin,dc=ddesign,dc=com objectClass: person cn: sambaadmin sn: sambaadmin userPassword: 123456 When using sambaadmin instead of manager samba hangs unable to connect to the ldap database, however if i change this entry in the slapd.conf all works find also. rootdn cn=Manager,dc=ddesign,dc=com TO rootdn cn=sambaadmin,dc=ddesign,dc=com Given that, I'd guess that your directory server doesn't support plain text userPassword fields. Try crypt()ing them. # perl -e 'print crypt(123456, AB) . \n' ABiELdbxGY2fY So, then, your LDIF should have: dn: cn=sambaadmin,dc=ddesign,dc=com objectClass: person cn: sambaadmin sn: sambaadmin userPassword: {crypt}ABiELdbxGY2fY -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
Hi gordon, I don't think that is the issue here because I am able to use Manager ldif with plain text passwords. Cheers. Adrian Sender. From: Gordon Messmer [EMAIL PROTECTED] To: adrian sender [EMAIL PROTECTED] CC: samba@lists.samba.org Subject: Re: [Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin) Date: Sun, 19 Feb 2006 10:44:14 -0800 adrian sender wrote: dn: cn=sambaadmin,dc=ddesign,dc=com objectClass: person cn: sambaadmin sn: sambaadmin userPassword: 123456 When using sambaadmin instead of manager samba hangs unable to connect to the ldap database, however if i change this entry in the slapd.conf all works find also. rootdn cn=Manager,dc=ddesign,dc=com TO rootdn cn=sambaadmin,dc=ddesign,dc=com Given that, I'd guess that your directory server doesn't support plain text userPassword fields. Try crypt()ing them. # perl -e 'print crypt(123456, AB) . \n' ABiELdbxGY2fY So, then, your LDIF should have: dn: cn=sambaadmin,dc=ddesign,dc=com objectClass: person cn: sambaadmin sn: sambaadmin userPassword: {crypt}ABiELdbxGY2fY -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba 3 by Example - chapter 5 6 ( Manager - sambaadmin)
Dear Samba Users. I have spent some time going over the documentation, however I still no not fully understand what the cause is. I am focusing on Samba 3 by Example chapter 5 6 specifically Chapter 5 smbpasswd -w 123456 [EMAIL PROTECTED] data]# smbpasswd -w 123456 Setting stored password for cn=Manager,dc=ddesign,dc=com in secrets.tdb Chapter 6 indicates in the smb.conf to use sambaadmin instead of manager. If i change this to manager in the smb.conf also this entry in the slapd.conf access to attrs=sambaLMPassword,sambaNTPassword by dn=cn=sambaadmin,dc=ddesign,dc=com write by * none to access to attrs=sambaLMPassword,sambaNTPassword by dn=cn=Manager,dc=ddesign,dc=com write by * none Alll works fine. Chapter 6 smbpasswd -w 123456 [EMAIL PROTECTED] ~]# smbpasswd -w 123456 Setting stored password for cn=sambadmin,dc=ddesign,dc=com in secrets.tdb [EMAIL PROTECTED] samba]# cat smbd [2006/01/30 15:23:15, 0] lib/smbldap.c:smbldap_connect_system(890) failed to bind to server ldap://127.0.0.1 with dn=cn=sambadmin,dc=ddesign,dc=com Error: Invalid credentials [2006/01/30 15:23:15, 1] lib/smbldap.c:another_ldap_try(1051) Â Connection to LDAP server failed for the 1 try! I have added this ldif entry from chapter 6 ; dn: cn=updateuser,dc=ddesign,dc=com objectClass: person cn: updateuser sn: updateuser userPassword: 123456 dn: cn=sambaadmin,dc=ddesign,dc=com objectClass: person cn: sambaadmin sn: sambaadmin userPassword: 123456 When using sambaadmin instead of manager samba hangs unable to connect to the ldap database, however if i change this entry in the slapd.conf all works find also. rootdn cn=Manager,dc=ddesign,dc=com TO rootdn cn=sambaadmin,dc=ddesign,dc=com I have been through this configuration several times and keep getting the same issue. Is it possible that I am missing a crutial step between chapter 5 and the single master ldap chapter 6 master/slave configuration. This is only for testing purposes so I can blow away the database without any worries. I am thinking that the problem may be an entry in ldap is not there, although it shows the sambaadmin user. For the moment I am using Manager in replace of sambaadmin. Thanks. Adrian Sender. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba