Re: [Samba] Samba LDAP rootpw error
Further to my previous message:

I've gone over section 8.1 of http://samba.idealx.org/smbldap-tools.en.html, which shows some working .conf files, and put back a few things the way I'd previously had them. The example files use Manager while I use admin is the main thing. I've kept samba in smb.conf however. Because there is now a samba user in the LDAP database, this seems to work now.

However, I still can't do smbpasswd -a root. I'm still getting:

semper:/etc/ldap# smbpasswd -a root
New SMB password:
Retype new SMB password:
ldapsam_modify_entry: Failed to add user dn= uid=root,ou=Users,dc=rahim-dale,dc=org with: Insufficient access
        no write access to parent
ldapsam_add_sam_account: failed to modify/add user with uid = root (dn = uid=root,ou=Users,dc=rahim-dale,dc=org)
Failed to add entry for user root.
Failed to modify password entry for user root

I have a samba-access.conf file that is included in slapd.conf that combines the 8.2 samba uid stuff with a shorter list from the original howto I was following. I've attached it in case it helps.

An ldap search gives the following results:

semper:/etc/ldap# ldapsearch -D cn=admin,dc=rahim-dale,dc=org -b dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope sub
# filter: (objectclass=*)
# requesting:
#

# rahim-dale.org
dn: dc=rahim-dale,dc=org

# admin, rahim-dale.org
dn: cn=admin,dc=rahim-dale,dc=org

# Users, rahim-dale.org
dn: ou=Users,dc=rahim-dale,dc=org

# Groups, rahim-dale.org
dn: ou=Groups,dc=rahim-dale,dc=org

# Computers, rahim-dale.org
dn: ou=Computers,dc=rahim-dale,dc=org

# Idmap, rahim-dale.org
dn: ou=Idmap,dc=rahim-dale,dc=org

# rahim-dale, rahim-dale.org
dn: sambaDomainName=rahim-dale,dc=rahim-dale,dc=org

# Administrator, Users, rahim-dale.org
dn: uid=Administrator,ou=Users,dc=rahim-dale,dc=org

# nobody, Users, rahim-dale.org
dn: uid=nobody,ou=Users,dc=rahim-dale,dc=org

# Domain Admins, Groups, rahim-dale.org
dn: cn=Domain Admins,ou=Groups,dc=rahim-dale,dc=org

# Domain Users, Groups, rahim-dale.org
dn: cn=Domain Users,ou=Groups,dc=rahim-dale,dc=org

# Domain Guests, Groups, rahim-dale.org
dn: cn=Domain Guests,ou=Groups,dc=rahim-dale,dc=org

# Domain Computers, Groups, rahim-dale.org
dn: cn=Domain Computers,ou=Groups,dc=rahim-dale,dc=org

# Administrators, Groups, rahim-dale.org
dn: cn=Administrators,ou=Groups,dc=rahim-dale,dc=org

# Print Operators, Groups, rahim-dale.org
dn: cn=Print Operators,ou=Groups,dc=rahim-dale,dc=org

# Backup Operators, Groups, rahim-dale.org
dn: cn=Backup Operators,ou=Groups,dc=rahim-dale,dc=org

# Replicators, Groups, rahim-dale.org
dn: cn=Replicators,ou=Groups,dc=rahim-dale,dc=org

# samba, Users, rahim-dale.org
dn: uid=samba,ou=Users,dc=rahim-dale,dc=org

# search result
search: 2
result: 0 Success

# numResponses: 19
# numEntries: 18

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
        by self write
        by anonymous auth
        by * none

# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
        by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
        by * read

# some attributes can be writable by users themselves
access to attrs=description,telephoneNumber
        by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
        by self write
        by * read

# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
        by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
        by self read
        by * none

# samba need to be able to create the samba domain account
access to dn.base="dc=rahim-dale,dc=org"
        by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
        by * none

# samba need to be able to create new users account
access to dn="ou=Users,dc=rahim-dale,dc=org"
        by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
        by * none

# samba need to be able to create new groups account
access to dn="ou=Groups,dc=rahim-dale,dc=org"
        by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
        by * none

# samba need to be able to create new computers account
access to dn="ou=Computers,dc=rahim-dale,dc=org"
        by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
        by * none

# this can be omitted but we leave it: there could be other branch
# in the directory
access to *
        by self read
        by * none

access to attrs=us
Re: [Samba] Samba LDAP rootpw error
Matt Richards wrote:

:) glad it's working, hehe er.

ldap_connect_system: Failed to retrieve password from secrets.tdb

from the http://samba.idealx.org/smbldap-tools.en.html doc

...
don't forget to also set the samba account password in secrets.tdb file :
smbpasswd -w samba
...

from man smbpasswd

...
-w password
    This parameter is only available if Samba has been compiled with LDAP support. The -w switch is used to specify the password to be used with the ldap admin dn. Note that the password is stored in the secrets.tdb and is keyed off of the admin's DN. This means that if the value of ldap admin dn ever changes, the password will need to be manually updated as well.

HTH

Matt.

I found section 8.2 in the text about changing the administrative account. I followed the directions to change it from admin to samba (the samba-access.conf file is now a lot larger) and I now seem to have some kind of connection.

However, when I try the smbpasswd -a root, I get errors:

semper:/var/lib/ldap# smbpasswd -a root
New SMB password:
Retype new SMB password:
ldapsam_modify_entry: Failed to add user dn= uid=root,ou=Users,dc=rahim-dale,dc=org with: Insufficient access
        no write access to parent
ldapsam_add_sam_account: failed to modify/add user with uid = root (dn = uid=root,ou=Users,dc=rahim-dale,dc=org)
Failed to add entry for user root.
Failed to modify password entry for user root

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba LDAP rootpw error
> Sorry Matt, I've got it going now - at least to the point of getting the
> smbldap-populate to work. The next issue is smbpasswd -a root. It's not
> working. Also, I've installed phpldapadmin and can't get it to connect
> either. The issue now seems to be a TLS connection between Samba and
> LDAP. I didn't think I was using one, but LDAP seems to think otherwise.
> For example, both phpldapadmin and lsmbldap-usermod -J Administrator
> complain about TLS connections to the LDAP server.
>
> I've been looking at the idealx.org instructions for TLS with LDAP but
> still not getting it working.
>
> ---
>
> Further to the above:
> Trying to get TLS working is a pain. I've also had only slightly better
> luck with trying to not use it. When I don't use it, I can get
> ldapsearch to return a result. However, Samba doesn't seem to want to
> talk to it. When I try to get TLS running, I get TLS errors everywhere. :(
>
> Right now I've got it configured, I believe, to not use TLS. When I run
> smbpasswd, I get:
>
> semper:/etc/smbldap-tools# smbpasswd -a root
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP server failed for the 1 try!
>

:) glad it's working, hehe er.

ldap_connect_system: Failed to retrieve password from secrets.tdb

from the http://samba.idealx.org/smbldap-tools.en.html doc

...
don't forget to also set the samba account password in secrets.tdb file :
smbpasswd -w samba
...

from man smbpasswd

...
-w password
    This parameter is only available if Samba has been compiled with LDAP support. The -w switch is used to specify the password to be used with the ldap admin dn. Note that the password is stored in the secrets.tdb and is keyed off of the admin's DN. This means that if the value of ldap admin dn ever changes, the password will need to be manually updated as well.

HTH

Matt.

> I've attached my various .conf files again. Sorry to be such a pain, but
> I am not having any luck by myself.
>
> -
>
> BTW - Here's the results of an ldapsearch:
>
> semper:/var/lib/ldap# smbldap-populate -a Administrator -b nobody
> -semper:/var/lib/ldap# ldapsearch -D cn=admin,dc=rahim-dale,dc=org -b
> dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base with scope sub
> # filter: (objectclass=*)
> # requesting:
> #
>
> # rahim-dale.org
> dn: dc=rahim-dale,dc=org
>
> # admin, rahim-dale.org
> dn: cn=admin,dc=rahim-dale,dc=org
>
> # Users, rahim-dale.org
> dn: ou=Users,dc=rahim-dale,dc=org
>
> # Groups, rahim-dale.org
> dn: ou=Groups,dc=rahim-dale,dc=org
>
> # Computers, rahim-dale.org
> dn: ou=Computers,dc=rahim-dale,dc=org
>
> # Idmap, rahim-dale.org
> dn: ou=Idmap,dc=rahim-dale,dc=org
>
> # rahim-dale, rahim-dale.org
> dn: sambaDomainName=rahim-dale,dc=rahim-dale,dc=org
>
> # Administrator, Users, rahim-dale.org
> dn: uid=Administrator,ou=Users,dc=rahim-dale,dc=org
>
> # nobody, Users, rahim-dale.org
> dn: uid=nobody,ou=Users,dc=rahim-dale,dc=org
>
> # Domain Admins, Groups, rahim-dale.org
> dn: cn=Domain Admins,ou=Groups,dc=rahim-dale,dc=org
>
> # Domain Users, Groups, rahim-dale.org
> dn: cn=Domain Users,ou=Groups,dc=rahim-dale,dc=org
>
> # Domain Guests, Groups, rahim-dale.org
> dn: cn=Domain Guests,ou=Groups,dc=rahim-dale,dc=org
>
> # Domain Computers, Groups, rahim-dale.org
> dn: cn=Domain Computers,ou=Groups,dc=rahim-dale,dc=org
>
> # Administrators, Groups, rahim-dale.org
> dn: cn=Administrators,ou=Groups,dc=rahim-dale,dc=org
>
> # Print Operators, Groups, rahim-dale.org
> dn: cn=Print Operators,ou=Groups,dc=rahim-dale,dc=org
>
> # Backup Operators, Groups, rahim-dale.org
> dn: cn=Backup Operators,ou=Groups,dc=rahim-dale,dc=org
>
> # Replicators, Groups, rahim-dale.org
> dn: cn=Replicators,ou=Groups,dc=rahim-dale,dc=org
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 18
> # numEntries: 17
Re: [Samba] Samba LDAP rootpw error
Sorry Matt, I've got it going now - at least to the point of getting the smbldap-populate to work. The next issue is smbpasswd -a root. It's not working. Also, I've installed phpldapadmin and can't get it to connect either. The issue now seems to be a TLS connection between Samba and LDAP. I didn't think I was using one, but LDAP seems to think otherwise. For example, both phpldapadmin and lsmbldap-usermod -J Administrator complain about TLS connections to the LDAP server.

I've been looking at the idealx.org instructions for TLS with LDAP but still not getting it working.

---

Further to the above:
Trying to get TLS working is a pain. I've also had only slightly better luck with trying to not use it. When I don't use it, I can get ldapsearch to return a result. However, Samba doesn't seem to want to talk to it. When I try to get TLS running, I get TLS errors everywhere. :(

Right now I've got it configured, I believe, to not use TLS. When I run smbpasswd, I get:

semper:/etc/smbldap-tools# smbpasswd -a root
fetch_ldap_pw: neither ldap secret retrieved!
ldap_connect_system: Failed to retrieve password from secrets.tdb
Connection to LDAP server failed for the 1 try!

I've attached my various .conf files again. Sorry to be such a pain, but I am not having any luck by myself.

-

BTW - Here's the results of an ldapsearch:

semper:/var/lib/ldap# smbldap-populate -a Administrator -b nobody
-semper:/var/lib/ldap# ldapsearch -D cn=admin,dc=rahim-dale,dc=org -b dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope sub
# filter: (objectclass=*)
# requesting:
#

# rahim-dale.org
dn: dc=rahim-dale,dc=org

# admin, rahim-dale.org
dn: cn=admin,dc=rahim-dale,dc=org

# Users, rahim-dale.org
dn: ou=Users,dc=rahim-dale,dc=org

# Groups, rahim-dale.org
dn: ou=Groups,dc=rahim-dale,dc=org

# Computers, rahim-dale.org
dn: ou=Computers,dc=rahim-dale,dc=org

# Idmap, rahim-dale.org
dn: ou=Idmap,dc=rahim-dale,dc=org

# rahim-dale, rahim-dale.org
dn: sambaDomainName=rahim-dale,dc=rahim-dale,dc=org

# Administrator, Users, rahim-dale.org
dn: uid=Administrator,ou=Users,dc=rahim-dale,dc=org

# nobody, Users, rahim-dale.org
dn: uid=nobody,ou=Users,dc=rahim-dale,dc=org

# Domain Admins, Groups, rahim-dale.org
dn: cn=Domain Admins,ou=Groups,dc=rahim-dale,dc=org

# Domain Users, Groups, rahim-dale.org
dn: cn=Domain Users,ou=Groups,dc=rahim-dale,dc=org

# Domain Guests, Groups, rahim-dale.org
dn: cn=Domain Guests,ou=Groups,dc=rahim-dale,dc=org

# Domain Computers, Groups, rahim-dale.org
dn: cn=Domain Computers,ou=Groups,dc=rahim-dale,dc=org

# Administrators, Groups, rahim-dale.org
dn: cn=Administrators,ou=Groups,dc=rahim-dale,dc=org

# Print Operators, Groups, rahim-dale.org
dn: cn=Print Operators,ou=Groups,dc=rahim-dale,dc=org

# Backup Operators, Groups, rahim-dale.org
dn: cn=Backup Operators,ou=Groups,dc=rahim-dale,dc=org

# Replicators, Groups, rahim-dale.org
dn: cn=Replicators,ou=Groups,dc=rahim-dale,dc=org

# search result
search: 2
result: 0 Success

# numResponses: 18
# numEntries: 17
Re: [Samba] Samba LDAP rootpw error
Sorry Matt, I've got it going now - at least to the point of getting the smbldap-populate to work. The next issue is smbpasswd -a root. It's not working. Also, I've installed phpldapadmin and can't get it to connect either. The issue now seems to be a TLS connection between Samba and LDAP. I didn't think I was using one, but LDAP seems to think otherwise. For example, both phpldapadmin and lsmbldap-usermod -J Administrator complain about TLS connections to the LDAP server.

I've been looking at the idealx.org instructions for TLS with LDAP but still not getting it working.

---

Further to the above:
Trying to get TLS working is a pain. I've also had only slightly better luck with trying to not use it. When I don't use it, I can get ldapsearch to return a result. However, Samba doesn't seem to want to talk to it. When I try to get TLS running, I get TLS errors everywhere. :(

Right now I've got it configured, I believe, to not use TLS. When I run smbpasswd, I get:

semper:/etc/smbldap-tools# smbpasswd -a root
fetch_ldap_pw: neither ldap secret retrieved!
ldap_connect_system: Failed to retrieve password from secrets.tdb
Connection to LDAP server failed for the 1 try!

I've attached my various .conf files again. Sorry to be such a pain, but I am not having any luck by myself.

access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPWDMustChange
        by dn="cn=admin,dc=rahim-dale,dc=org" write
        by anonymous auth
        by self write
        by * none

access to attrs=loginShell
        by dn="cn=admin,dc=rahim-dale,dc=org" write
        by * none

access to attrs=description,telephoneNumber,roomNumber,homePhone,gecos,cn,sn,givenname
        by dn="cn=admin,dc=rahim-dale,dc=org" write
        by self write
        by * read

# Allow LDAPv2 binds
# allow bind_v2

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

###
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.args

# Read slapd.conf(5) for possible values
loglevel        0

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

TLSCACertificateFile    /etc/ldap/ssl/ldap-server.pem
TLSCertificateFile      /etc/ldap/ssl/ldap-server.pem
TLSCertificateKeyFile   /etc/ldap/ssl/ldap-server.pem

###
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb
checkpoint 512 30

###
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend

###
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=rahim-dale,dc=org"
rootdn          "cn=admin,dc=rahim-dale,dc=org"
rootpw          {MD5}hdduy/+JqjCnJjCWiKOGBQ==

# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"

# Indexing options for database #1
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,eq,sub
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
# default index
index default eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword
        by dn="cn=admin,dc=rahim-dale,dc=org" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without
Re: [Samba] Samba LDAP rootpw error
> Matt Richards wrote:
>
>>>Matt Richards wrote:
>>>
>Matt Richards wrote:
>
>>>Matt Richards wrote:
>>>
>Matt Richards wrote:
>
>>>I was following the howto below (originally posted on this list as BIG Samba howto for debian only.) to see if I could get my not-quite-working Samba 3.0.14a (debian) server fully working and able to handle my Linux logins too. The problem I'm having with my Samba setup is that I can't change user passwords except through Swat. Users can't change them from their machines using the Windows password change - but they are notified to change them by when they expire.
>>>
>>>Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP Server configuration". Neither slapindex nor slapd will run. It looks like it doesn't like something about my root password, but I'm not sure what it wants (I'm no expert on LDAP). :)
>>>
>>>Slapindex complains "bad configuration file". Slapd gives the more detailed:
>>>line 65 (rootpw ***)
>>>/etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is under suffix
>>>
>>>I've attached my slapd.conf file if that is of any assistance. Any help will be greatly appreciated.
>>>
>>>Louis van Belle wrote:
>>>
>>[..snip..]
>>
>>humm well looking at the config file the first thing that i notice is this ...
>>
>># The base of your directory in database #1
>>suffix "dc=rahim-dale,dc=org"
>>rootdn "cn=admin,dc=toronto,dc=ontario,dc=ca"
>>
>>your root dn isn't in the base of your ldap tree, this should probably be something like ...
>>
>>suffix "dc=rahim-dale,dc=org"
>>rootdn "cn=admin,dc=rahim-dale,dc=org"
>>
>>try it n let us know what happens :).
>>
>>HTH
>>
>>Matt.
>>
>You got it in one! I've got slapd running.
>
>Now I'm stuck at "5.4 set the samba ldap admin password". I can set the admin password and get the expected response, but when I try "smbldap-populate -a Administrator -b nobody -u 2000 -g 2000", it fails to add the various groups. I get "failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 460, line 3." for each ou= it tries to add.
>
>Any ideas?
>

the smbldap-populate scripts requires authentication to the ldap server there is probably a problem with the login you have set in smbldap.conf .. if you have set any at!

i would recommend looking through the smbldap-tools howto at http://samba.idealx.org/smbldap-tools.en.html and see if there is anything you have missed out, but the first thing i would try is this ..

...
3 Configuring the smbldap-tools
As mentioned in the previous section, you'll have to update two configuration files. The first (smbldap.conf) allows you to set global parameter that are readable by everybody, and the second (smbldap_bind.conf) defines two administrative accounts to bind to a slave and a master ldap server: this file must thus be readable only by root. A script is named configure.pl can help you to set their contents up. It is located in the tarball downloaded or in the documentation directory if you got the RPM archive (see /usr/share/doc/smbldap-tools/). Just invoke it:

/usr/share/doc/smbldap-tools/configure.pl
...

note : the smbldap-tools dir might not be located in your /usr/share/doc/ directory.

if this doesn't work you could attach your smbldap config file (with >
Re: [Samba] Samba LDAP rootpw error
Matt Richards wrote:
Matt Richards wrote:
Matt Richards wrote:
Matt Richards wrote:
Matt Richards wrote:

I was following the howto below (originally posted on this list as BIG Samba howto for debian only.) to see if I could get my not-quite-working Samba 3.0.14a (debian) server fully working and able to handle my Linux logins too. The problem I'm having with my Samba setup is that I can't change user passwords except through Swat. Users can't change them from their machines using the Windows password change - but they are notified to change them by when they expire.

Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP Server configuration". Neither slapindex nor slapd will run. It looks like it doesn't like something about my root password, but I'm not sure what it wants (I'm no expert on LDAP). :)

Slapindex complains "bad configuration file". Slapd gives the more detailed:
line 65 (rootpw ***)
/etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is under suffix

I've attached my slapd.conf file if that is of any assistance. Any help will be greatly appreciated.

Louis van Belle wrote:

[..snip..]

humm well looking at the config file the first thing that i notice is this ...

# The base of your directory in database #1
suffix "dc=rahim-dale,dc=org"
rootdn "cn=admin,dc=toronto,dc=ontario,dc=ca"

your root dn isn't in the base of your ldap tree, this should probably be something like ...

suffix "dc=rahim-dale,dc=org"
rootdn "cn=admin,dc=rahim-dale,dc=org"

try it n let us know what happens :).

HTH

Matt.

You got it in one! I've got slapd running.

Now I'm stuck at "5.4 set the samba ldap admin password". I can set the admin password and get the expected response, but when I try "smbldap-populate -a Administrator -b nobody -u 2000 -g 2000", it fails to add the various groups. I get "failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 460, line 3." for each ou= it tries to add.

Any ideas?

the smbldap-populate scripts requires authentication to the ldap server there is probably a problem with the login you have set in smbldap.conf .. if you have set any at!

i would recommend looking through the smbldap-tools howto at http://samba.idealx.org/smbldap-tools.en.html and see if there is anything you have missed out, but the first thing i would try is this ..

...
3 Configuring the smbldap-tools
As mentioned in the previous section, you'll have to update two configuration files. The first (smbldap.conf) allows you to set global parameter that are readable by everybody, and the second (smbldap_bind.conf) defines two administrative accounts to bind to a slave and a master ldap server: this file must thus be readable only by root. A script is named configure.pl can help you to set their contents up. It is located in the tarball downloaded or in the documentation directory if you got the RPM archive (see /usr/share/doc/smbldap-tools/). Just invoke it:

/usr/share/doc/smbldap-tools/configure.pl
...

note : the smbldap-tools dir might not be located in your /usr/share/doc/ directory.

if this doesn't work you could attach your smbldap config file (with the passwd taken out of course) so we can have a little look.

Matt.

I can't see anything wrong with my setup but even when I tweak the settings a little, I get the same result. Here are: smbldap.conf, smbldap_bind.conf (with passwords removed) and the smb.conf I'm using for ldap (renamed right now because I'm keeping my old setup available until I get this working).

One issue is my password does have an apostrophe and a period in it. It shouldn't be an issue because the bind file has them in quotes. I've also tried them escaped ("\") but that didn't change anything.

ok i have looked over everything and the only thing i can see at this moment is this ...

in your smbldap_bind.conf file you aren't using a bind dn of cn=admin,dc=family,dc=rahim-dale,dc=org for authentication against the ldap server but the line in the config i gave you before was

rootdn "cn=admin,dc=rahim-dale,dc=org"

... when you first setup ldap no accounts exist in the ldap database the rootdn account is like a virtual account that will always have full access and because of this (and i'm guessing your ldap tree is blank) you will only be able to use the rootdn to bind at this time.

there are a few lines you can try to attempt to bind to the ldap server ...

ldapsearch -D cn=admin,dc=family,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
ldapsearch -D cn=admin,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""

the first is the bind dn in your smbldap_bind.conf and the second is using the rootdn from the other email.

as your ldap tree is blank you won't get much output but one should fail with a bind error
Re: [Samba] Samba LDAP rootpw error
> Matt Richards wrote:
>
>>>Matt Richards wrote:
>>>
>Matt Richards wrote:
>
>>>Matt Richards wrote:
>>>
>I was following the howto below (originally posted on this list as BIG Samba howto for debian only.) to see if I could get my not-quite-working Samba 3.0.14a (debian) server fully working and able to handle my Linux logins too. The problem I'm having with my Samba setup is that I can't change user passwords except through Swat. Users can't change them from their machines using the Windows password change - but they are notified to change them by when they expire.
>
>Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP Server configuration". Neither slapindex nor slapd will run. It looks like it doesn't like something about my root password, but I'm not sure what it wants (I'm no expert on LDAP). :)
>
>Slapindex complains "bad configuration file". Slapd gives the more detailed:
>line 65 (rootpw ***)
>/etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is under suffix
>
>I've attached my slapd.conf file if that is of any assistance. Any help will be greatly appreciated.
>
>Louis van Belle wrote:
>

[..snip..]

humm well looking at the config file the first thing that i notice is this ...

# The base of your directory in database #1
suffix "dc=rahim-dale,dc=org"
rootdn "cn=admin,dc=toronto,dc=ontario,dc=ca"

your root dn isn't in the base of your ldap tree, this should probably be something like ...

suffix "dc=rahim-dale,dc=org"
rootdn "cn=admin,dc=rahim-dale,dc=org"

try it n let us know what happens :).

HTH

Matt.

>>>You got it in one! I've got slapd running.
>>>
>>>Now I'm stuck at "5.4 set the samba ldap admin password". I can set the admin password and get the expected response, but when I try "smbldap-populate -a Administrator -b nobody -u 2000 -g 2000", it fails to add the various groups. I get "failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 460, line 3." for each ou= it tries to add.
>>>
>>>Any ideas?
>>>
>>the smbldap-populate scripts requires authentication to the ldap server there is probably a problem with the login you have set in smbldap.conf .. if you have set any at!
>>
>>i would recommend looking through the smbldap-tools howto at http://samba.idealx.org/smbldap-tools.en.html and see if there is anything you have missed out, but the first thing i would try is this ..
>>
>>...
>>3 Configuring the smbldap-tools
>>As mentioned in the previous section, you'll have to update two configuration files. The first (smbldap.conf) allows you to set global parameter that are readable by everybody, and the second (smbldap_bind.conf) defines two administrative accounts to bind to a slave and a master ldap server: this file must thus be readable only by root. A script is named configure.pl can help you to set their contents up. It is located in the tarball downloaded or in the documentation directory if you got the RPM archive (see /usr/share/doc/smbldap-tools/). Just invoke it:
>>
>>/usr/share/doc/smbldap-tools/configure.pl
>>...
>>
>>note : the smbldap-tools dir might not be located in your /usr/share/doc/ directory.
>>
>>if this doesn't work you could attach your smbldap config file (with the passwd taken out of course) so we can have a little look.
>>
>>Matt.
>>
>I can't see anything wrong with my setup but even when I tweak the settings a little, I get the same result. Here are: smbldap.conf, smbldap_bind.conf (with passwords removed) and the smb.conf I'm using for ldap (renamed right now because I'm keeping my old setup available until I get this working).
>
>One issue is my password does have an apostrophe and a period in it. It shouldn't be an issue because the bind file has them
Re: [Samba] Samba LDAP rootpw error
Matt Richards wrote: Matt Richards wrote: Matt Richards wrote: Matt Richards wrote: I was following the howto below (originally posted on this list as BIG Samba howto for debian only.) to see if I could get my not-quite-working Samba 3.0.14a (debian) server fully working and able to handle my Linux logins too. The problem I'm having with my Samba setup is that I can't change user passwords except through Swat. Users can't change them from their machines using the Windows password change - but they are notified to change them by when they expire. Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP Server configuration". Neither slapindex nor slapd will run. It looks like it doesn't like something about my root password, but I'm not sure what it wants (I'm no expert on LDAP). :) Slapindex complains "bad configuration file". Slapd gives the more detailed: line 65 (rootpw ***) /etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is under suffix I've attached my slapd.conf file if that is of any assistance. Any help will be greatly appreciated. Louis van Belle wrote: [..snip..] humm well looking at the config file the first thing that i notice is this ... # The base of your directory in database #1 suffix "dc=rahim-dale,dc=org" rootdn"cn=admin,dc=toronto,dc=ontario,dc=ca" your root dn isn't in the base of your ldap tree, this should probuly be something like ... suffix "dc=rahim-dale,dc=org" rootdn"cn=admin,dc=rahim-dale,dc=org" try it n let us know what happens :). HTH Matt. You got it in one! I've got slapd running. Now I'm stuck at "5.4 set the samba ldap admin password". I can set the admin password and get the expected response, but when I try "smbldap-populate -a Administrator -b nobody -u 2000 -g 2000", it fails to add the various groups. I get "failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 460, line 3." for each ou= it tries to add. Any ideas? 
the smbldap-populate scripts requires authentication to the ldap server there is probuly a problem with the login you have set in smbldap.conf .. if you have set any at! i would recommend looking through the smbldap-tools howto at http://samba.idealx.org/smbldap-tools.en.html and see if there is anything you have missed out, but the first thing i would try is this .. ... 3 Configuring the smbldap-tools As mentioned in the previous section, you'll have to update two configuration files. The first (smbldap.conf) allows you to set global parameter that are readable by everybody, and the second (smbldap_bind.conf) defines two administrative accounts to bind to a slave and a master ldap server: this file must thus be readable only by root. A script is named configure.pl can help you to set their contents up. It is located in the tarball downloaded or in the documentation directory if you got the RPM archive (see /usr/share/doc/smbldap-tools/). Just invoke it: /usr/share/doc/smbldap-tools/configure.pl ... note : the smbldap-tools dir might not be located in your /usr/share/doc/ directory. if this doesn't work you could attach your smbldap config file (with the passwd taken out of cause) so we can have a little look. Matt. I can't see anything wrong with my setup but even when I tweak the settings a little, I get the same result. Here are: smbldap.conf, smbldap_bind.conf (with passwords removed) and the smb.conf I'm using for ldap (renamed right now because I'm keeping my old setup available until I get this working). One issue is my password does have an apostrophe and a period in it. It shouldn't be an issue because the bind file has them in quotes. I've also tried them escaped ("\") but that didn't change anything. ok i have looked over everything and the only thing i can see at this moment is this ... 
in your smbldap_bind.conf file you aren't using a bind dn of cn=admin,dc=family,dc=rahim-dale,dc=org for authentication against the ldap server but the line in the config i gave you before was rootdn "cn=admin,dc=rahim-dale,dc=org" ...

when you first setup ldap no accounts exist in the ldap database the rootdn account is like a virtual account that will always have full access and because of this (and i'm guessing your ldap tree is blank) you will only be able to use the rootdn to bind at this time.

there are a few lines you can try to attempt to bind to the ldap server ...

    ldapsearch -D cn=admin,dc=family,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
    ldapsearch -D cn=admin,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""

the first is the bind dn in your smbldap_bind.conf and the second is using the rootdn from the other email.

as your ldap tree is blank you won't get much output but one should fail with a bind error and the other should say something like no such object.

HTH, let me know if
Re: [Samba] Samba LDAP rootpw error
> Matt Richards wrote: > >>>Matt Richards wrote: >>> >>> >>> >Matt Richards wrote: > > > > > >>>I was following the howto below (originally posted on this list as >>> BIG >>>Samba howto for debian only.) to see if I could get my >>>not-quite-working >>>Samba 3.0.14a (debian) server fully working and able to handle my >>>Linux >>>logins too. The problem I'm having with my Samba setup is that I >>> can't >>>change user passwords except through Swat. Users can't change them >>>from >>>their machines using the Windows password change - but they are >>>notified >>>to change them by when they expire. >>> >>>Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP >>>Server configuration". Neither slapindex nor slapd will run. It >>> looks >>>like it doesn't like something about my root password, but I'm not >>>sure >>>what it wants (I'm no expert on LDAP). :) >>> >>>Slapindex complains "bad configuration file". Slapd gives the more >>>detailed: >>> line 65 (rootpw ***) >>> /etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn >>> is >>>under suffix >>> >>>I've attached my slapd.conf file if that is of any assistance. Any >>>help >>>will be greatly appreciated. >>> >>> >>>Louis van Belle wrote: >>> >>> >>> >>> >>> >>> >>> >>[..snip..] >> >>humm well looking at the config file the first thing that i notice is >>this >>... >> >># The base of your directory in database #1 >>suffix "dc=rahim-dale,dc=org" >>rootdn"cn=admin,dc=toronto,dc=ontario,dc=ca" >> >> >>your root dn isn't in the base of your ldap tree, this should probuly >>be >>something like ... >> >>suffix "dc=rahim-dale,dc=org" >>rootdn"cn=admin,dc=rahim-dale,dc=org" >> >>try it n let us know what happens :). >> >>HTH >> >>Matt. >> >> >> >> >> >> >> >You got it in one! I've got slapd running. > >Now I'm stuck at "5.4 set the samba ldap admin password". 
I can set > the >admin password and get the expected response, but when I try >"smbldap-populate -a Administrator -b nobody -u 2000 -g 2000", it > fails >to add the various groups. I get "failed to add entry: modifications >require authentication at /usr/sbin/smbldap-populate line 460, >line 3." for each ou= it tries to add. > >Any ideas? > > > > the smbldap-populate scripts requires authentication to the ldap server there is probuly a problem with the login you have set in smbldap.conf .. if you have set any at! i would recommend looking through the smbldap-tools howto at http://samba.idealx.org/smbldap-tools.en.html and see if there is anything you have missed out, but the first thing i would try is this .. ... 3 Configuring the smbldap-tools As mentioned in the previous section, you'll have to update two configuration files. The first (smbldap.conf) allows you to set global parameter that are readable by everybody, and the second (smbldap_bind.conf) defines two administrative accounts to bind to a slave and a master ldap server: this file must thus be readable only by root. A script is named configure.pl can help you to set their contents up. It is located in the tarball downloaded or in the documentation directory if you got the RPM archive (see /usr/share/doc/smbldap-tools/). Just invoke it: /usr/share/doc/smbldap-tools/configure.pl ... note : the smbldap-tools dir might not be located in your /usr/share/doc/ directory. if this doesn't work you could attach your smbldap config file (with the passwd taken out of cause) so we can have a little look. Matt. >>>I can't see anything wrong with my setup but even when I tweak the >>>settings a little, I get the same result. Here are: smbldap.conf, >>>smbldap_bind.conf (with passwords removed) and the smb.conf I'm using >>>for ldap (renamed right now because I'm keeping my old setup available >>>until I get this working). >>> >>>One issue is my password does have an apostrophe and a period in it. 
It >>>shouldn't be an issue because the bind file has them in quotes. I've >>>also tried them escaped ("\") but that didn't change anything. >>> >>> >>> >> >>ok i have looked over everything and the only thing i can see at this >>moment is this ... >> >>in your smbldap_bind.conf file you arn't using a bind dn of >>cn=admin,dc=family,dc=rahim-dale,dc=org for authentication against the >>ldap server but the line in the config i gave you before was rootdn >>"cn=admin,dc=rahim-dale,dc=org" ... when you first setup ldap no accounts >>exist in the ldap d
Re: [Samba] Samba LDAP rootpw error
Matt Richards wrote: Matt Richards wrote: Matt Richards wrote: I was following the howto below (originally posted on this list as BIG Samba howto for debian only.) to see if I could get my not-quite-working Samba 3.0.14a (debian) server fully working and able to handle my Linux logins too. The problem I'm having with my Samba setup is that I can't change user passwords except through Swat. Users can't change them from their machines using the Windows password change - but they are notified to change them by when they expire. Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP Server configuration". Neither slapindex nor slapd will run. It looks like it doesn't like something about my root password, but I'm not sure what it wants (I'm no expert on LDAP). :) Slapindex complains "bad configuration file". Slapd gives the more detailed: line 65 (rootpw ***) /etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is under suffix I've attached my slapd.conf file if that is of any assistance. Any help will be greatly appreciated. Louis van Belle wrote: [..snip..] humm well looking at the config file the first thing that i notice is this ... # The base of your directory in database #1 suffix "dc=rahim-dale,dc=org" rootdn"cn=admin,dc=toronto,dc=ontario,dc=ca" your root dn isn't in the base of your ldap tree, this should probuly be something like ... suffix "dc=rahim-dale,dc=org" rootdn"cn=admin,dc=rahim-dale,dc=org" try it n let us know what happens :). HTH Matt. You got it in one! I've got slapd running. Now I'm stuck at "5.4 set the samba ldap admin password". I can set the admin password and get the expected response, but when I try "smbldap-populate -a Administrator -b nobody -u 2000 -g 2000", it fails to add the various groups. I get "failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 460, line 3." for each ou= it tries to add. Any ideas? 
the smbldap-populate scripts requires authentication to the ldap server there is probuly a problem with the login you have set in smbldap.conf .. if you have set any at! i would recommend looking through the smbldap-tools howto at http://samba.idealx.org/smbldap-tools.en.html and see if there is anything you have missed out, but the first thing i would try is this .. ... 3 Configuring the smbldap-tools As mentioned in the previous section, you'll have to update two configuration files. The first (smbldap.conf) allows you to set global parameter that are readable by everybody, and the second (smbldap_bind.conf) defines two administrative accounts to bind to a slave and a master ldap server: this file must thus be readable only by root. A script is named configure.pl can help you to set their contents up. It is located in the tarball downloaded or in the documentation directory if you got the RPM archive (see /usr/share/doc/smbldap-tools/). Just invoke it: /usr/share/doc/smbldap-tools/configure.pl ... note : the smbldap-tools dir might not be located in your /usr/share/doc/ directory. if this doesn't work you could attach your smbldap config file (with the passwd taken out of cause) so we can have a little look. Matt. I can't see anything wrong with my setup but even when I tweak the settings a little, I get the same result. Here are: smbldap.conf, smbldap_bind.conf (with passwords removed) and the smb.conf I'm using for ldap (renamed right now because I'm keeping my old setup available until I get this working). One issue is my password does have an apostrophe and a period in it. It shouldn't be an issue because the bind file has them in quotes. I've also tried them escaped ("\") but that didn't change anything. ok i have looked over everything and the only thing i can see at this moment is this ... 
in your smbldap_bind.conf file you aren't using a bind dn of cn=admin,dc=family,dc=rahim-dale,dc=org for authentication against the ldap server but the line in the config i gave you before was rootdn "cn=admin,dc=rahim-dale,dc=org" ...

when you first setup ldap no accounts exist in the ldap database the rootdn account is like a virtual account that will always have full access and because of this (and i'm guessing your ldap tree is blank) you will only be able to use the rootdn to bind at this time.

there are a few lines you can try to attempt to bind to the ldap server ...

    ldapsearch -D cn=admin,dc=family,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
    ldapsearch -D cn=admin,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""

the first is the bind dn in your smbldap_bind.conf and the second is using the rootdn from the other email.

as your ldap tree is blank you won't get much output but one should fail with a bind error and the other should say something like no such object.

HTH, let me know if they work will see if i can see anything else that may be wrong.

Ma
Re: [Samba] Samba LDAP rootpw error
> Matt Richards wrote: > >>>Matt Richards wrote: >>> >>> >>> >I was following the howto below (originally posted on this list as BIG >Samba howto for debian only.) to see if I could get my > not-quite-working >Samba 3.0.14a (debian) server fully working and able to handle my > Linux >logins too. The problem I'm having with my Samba setup is that I can't >change user passwords except through Swat. Users can't change them > from >their machines using the Windows password change - but they are > notified >to change them by when they expire. > >Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP >Server configuration". Neither slapindex nor slapd will run. It looks >like it doesn't like something about my root password, but I'm not > sure >what it wants (I'm no expert on LDAP). :) > >Slapindex complains "bad configuration file". Slapd gives the more >detailed: > line 65 (rootpw ***) > /etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is >under suffix > >I've attached my slapd.conf file if that is of any assistance. Any > help >will be greatly appreciated. > > >Louis van Belle wrote: > > > > > [..snip..] humm well looking at the config file the first thing that i notice is this ... # The base of your directory in database #1 suffix "dc=rahim-dale,dc=org" rootdn"cn=admin,dc=toronto,dc=ontario,dc=ca" your root dn isn't in the base of your ldap tree, this should probuly be something like ... suffix "dc=rahim-dale,dc=org" rootdn"cn=admin,dc=rahim-dale,dc=org" try it n let us know what happens :). HTH Matt. >>>You got it in one! I've got slapd running. >>> >>>Now I'm stuck at "5.4 set the samba ldap admin password". I can set the >>>admin password and get the expected response, but when I try >>>"smbldap-populate -a Administrator -b nobody -u 2000 -g 2000", it fails >>>to add the various groups. I get "failed to add entry: modifications >>>require authentication at /usr/sbin/smbldap-populate line 460, >>>line 3." for each ou= it tries to add. 
>>> >>>Any ideas? >>> >>> >> >>the smbldap-populate scripts requires authentication to the ldap server >>there is probuly a problem with the login you have set in smbldap.conf .. >>if you have set any at! >> >>i would recommend looking through the smbldap-tools howto at >>http://samba.idealx.org/smbldap-tools.en.html >>and see if there is anything you have missed out, but the first thing i >>would try is this .. >> >>... >>3 Configuring the smbldap-tools >>As mentioned in the previous section, you'll have to update two >>configuration files. The first (smbldap.conf) allows you to set global >>parameter that are readable by everybody, and the second >>(smbldap_bind.conf) defines two administrative accounts to bind to a >> slave >>and a master ldap server: this file must thus be readable only by root. A >>script is named configure.pl can help you to set their contents up. It is >>located in the tarball downloaded or in the documentation directory if >> you >>got the RPM archive (see /usr/share/doc/smbldap-tools/). Just invoke it: >> >>/usr/share/doc/smbldap-tools/configure.pl >>... >> >>note : the smbldap-tools dir might not be located in your /usr/share/doc/ >>directory. >> >>if this doesn't work you could attach your smbldap config file (with the >>passwd taken out of cause) so we can have a little look. >> >>Matt. >> >> >> > I can't see anything wrong with my setup but even when I tweak the > settings a little, I get the same result. Here are: smbldap.conf, > smbldap_bind.conf (with passwords removed) and the smb.conf I'm using > for ldap (renamed right now because I'm keeping my old setup available > until I get this working). > > One issue is my password does have an apostrophe and a period in it. It > shouldn't be an issue because the bind file has them in quotes. I've > also tried them escaped ("\") but that didn't change anything. > ok i have looked over everything and the only thing i can see at this moment is this ... 
in your smbldap_bind.conf file you aren't using a bind dn of cn=admin,dc=family,dc=rahim-dale,dc=org for authentication against the ldap server but the line in the config i gave you before was rootdn "cn=admin,dc=rahim-dale,dc=org" ...

when you first setup ldap no accounts exist in the ldap database the rootdn account is like a virtual account that will always have full access and because of this (and i'm guessing your ldap tree is blank) you will only be able to use the rootdn to bind at this time.

there are a few lines you can try to attempt to bind to the ldap server ...

    ldapsearch -D cn=admin,dc=family,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
    ldapsearch -D cn=admin,dc=rahim-dale,dc=org -h 127.0.0.1 -x
Re: [Samba] Samba LDAP rootpw error
Matt Richards wrote: Matt Richards wrote: I was following the howto below (originally posted on this list as BIG Samba howto for debian only.) to see if I could get my not-quite-working Samba 3.0.14a (debian) server fully working and able to handle my Linux logins too. The problem I'm having with my Samba setup is that I can't change user passwords except through Swat. Users can't change them from their machines using the Windows password change - but they are notified to change them by when they expire. Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP Server configuration". Neither slapindex nor slapd will run. It looks like it doesn't like something about my root password, but I'm not sure what it wants (I'm no expert on LDAP). :) Slapindex complains "bad configuration file". Slapd gives the more detailed: line 65 (rootpw ***) /etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is under suffix I've attached my slapd.conf file if that is of any assistance. Any help will be greatly appreciated. Louis van Belle wrote: [..snip..] humm well looking at the config file the first thing that i notice is this ... # The base of your directory in database #1 suffix "dc=rahim-dale,dc=org" rootdn"cn=admin,dc=toronto,dc=ontario,dc=ca" your root dn isn't in the base of your ldap tree, this should probuly be something like ... suffix "dc=rahim-dale,dc=org" rootdn"cn=admin,dc=rahim-dale,dc=org" try it n let us know what happens :). HTH Matt. You got it in one! I've got slapd running. Now I'm stuck at "5.4 set the samba ldap admin password". I can set the admin password and get the expected response, but when I try "smbldap-populate -a Administrator -b nobody -u 2000 -g 2000", it fails to add the various groups. I get "failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 460, line 3." for each ou= it tries to add. Any ideas? 
the smbldap-populate scripts requires authentication to the ldap server there is probuly a problem with the login you have set in smbldap.conf .. if you have set any at! i would recommend looking through the smbldap-tools howto at http://samba.idealx.org/smbldap-tools.en.html and see if there is anything you have missed out, but the first thing i would try is this .. ... 3 Configuring the smbldap-tools As mentioned in the previous section, you'll have to update two configuration files. The first (smbldap.conf) allows you to set global parameter that are readable by everybody, and the second (smbldap_bind.conf) defines two administrative accounts to bind to a slave and a master ldap server: this file must thus be readable only by root. A script is named configure.pl can help you to set their contents up. It is located in the tarball downloaded or in the documentation directory if you got the RPM archive (see /usr/share/doc/smbldap-tools/). Just invoke it: /usr/share/doc/smbldap-tools/configure.pl ... note : the smbldap-tools dir might not be located in your /usr/share/doc/ directory. if this doesn't work you could attach your smbldap config file (with the passwd taken out of cause) so we can have a little look. Matt. I can't see anything wrong with my setup but even when I tweak the settings a little, I get the same result. Here are: smbldap.conf, smbldap_bind.conf (with passwords removed) and the smb.conf I'm using for ldap (renamed right now because I'm keeping my old setup available until I get this working). One issue is my password does have an apostrophe and a period in it. It shouldn't be an issue because the bind file has them in quotes. I've also tried them escaped ("\") but that didn't change anything. 

    # Global parameters
    [global]
    workgroup = RAHIM-DALE
    netbios name = SEMPER
    #interfaces = 192.168.5.11
    username map = /etc/samba/smbusers
    enable privileges = yes
    server string = %h PDC (Samba %v)
    security = user
    encrypt passwords = Yes
    min passwd length = 5
    obey pam restrictions = No
    ldap passwd sync = Yes
    #unix password sync = Yes
    #passwd program = /usr/sbin/smbldap-passwd -u %u
    #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
    ldap passwd sync = Yes
    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 10
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    Dos charset = 850
    Unix charset = ISO8859-1
    admin users = garydale, root
    hosts allow = 192.168.2.
    logon script = scripts\logon.bat
    logon path = \\%L\Profiles\%U
    logon drive = M:
    logon home = \\%L\%U
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master =
Re: [Samba] Samba LDAP rootpw error
> Matt Richards wrote:
>
>>>I was following the howto below (originally posted on this list as BIG
>>>Samba howto for debian only.) to see if I could get my not-quite-working
>>>Samba 3.0.14a (debian) server fully working and able to handle my Linux
>>>logins too. The problem I'm having with my Samba setup is that I can't
>>>change user passwords except through Swat. Users can't change them from
>>>their machines using the Windows password change - but they are notified
>>>to change them by when they expire.
>>>
>>>Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP
>>>Server configuration". Neither slapindex nor slapd will run. It looks
>>>like it doesn't like something about my root password, but I'm not sure
>>>what it wants (I'm no expert on LDAP). :)
>>>
>>>Slapindex complains "bad configuration file". Slapd gives the more
>>>detailed:
>>>    line 65 (rootpw ***)
>>>    /etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is
>>>under suffix
>>>
>>>I've attached my slapd.conf file if that is of any assistance. Any help
>>>will be greatly appreciated.
>>>
>>>
>>>Louis van Belle wrote:
>>>
>>[..snip..]
>>
>>humm well looking at the config file the first thing that i notice is
>>this ...
>>
>>    # The base of your directory in database #1
>>    suffix "dc=rahim-dale,dc=org"
>>    rootdn "cn=admin,dc=toronto,dc=ontario,dc=ca"
>>
>>your root dn isn't in the base of your ldap tree, this should probably be
>>something like ...
>>
>>    suffix "dc=rahim-dale,dc=org"
>>    rootdn "cn=admin,dc=rahim-dale,dc=org"
>>
>>try it n let us know what happens :).
>>
>>HTH
>>
>>Matt.
>>
> You got it in one! I've got slapd running.
>
> Now I'm stuck at "5.4 set the samba ldap admin password". I can set the
> admin password and get the expected response, but when I try
> "smbldap-populate -a Administrator -b nobody -u 2000 -g 2000", it fails
> to add the various groups. I get "failed to add entry: modifications
> require authentication at /usr/sbin/smbldap-populate line 460,
> line 3." for each ou= it tries to add.
>
> Any ideas?

the smbldap-populate script requires authentication to the ldap server
there is probably a problem with the login you have set in smbldap.conf ..
if you have set any at!

i would recommend looking through the smbldap-tools howto at
http://samba.idealx.org/smbldap-tools.en.html
and see if there is anything you have missed out, but the first thing i
would try is this ..

...
3 Configuring the smbldap-tools
As mentioned in the previous section, you'll have to update two
configuration files. The first (smbldap.conf) allows you to set global
parameter that are readable by everybody, and the second
(smbldap_bind.conf) defines two administrative accounts to bind to a slave
and a master ldap server: this file must thus be readable only by root. A
script is named configure.pl can help you to set their contents up. It is
located in the tarball downloaded or in the documentation directory if you
got the RPM archive (see /usr/share/doc/smbldap-tools/). Just invoke it:

    /usr/share/doc/smbldap-tools/configure.pl
...

note : the smbldap-tools dir might not be located in your /usr/share/doc/
directory.

if this doesn't work you could attach your smbldap config file (with the
passwd taken out of course) so we can have a little look.

Matt.

> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba LDAP rootpw error
Matt Richards wrote:

I was following the howto below (originally posted on this list as BIG Samba howto for debian only.) to see if I could get my not-quite-working Samba 3.0.14a (debian) server fully working and able to handle my Linux logins too. The problem I'm having with my Samba setup is that I can't change user passwords except through Swat. Users can't change them from their machines using the Windows password change - but they are notified to change them by when they expire.

Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP Server configuration". Neither slapindex nor slapd will run. It looks like it doesn't like something about my root password, but I'm not sure what it wants (I'm no expert on LDAP). :)

Slapindex complains "bad configuration file". Slapd gives the more detailed:

    line 65 (rootpw ***)
    /etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is under suffix

I've attached my slapd.conf file if that is of any assistance. Any help will be greatly appreciated.

Louis van Belle wrote:

[..snip..]

humm well looking at the config file the first thing that i notice is this ...

    # The base of your directory in database #1
    suffix "dc=rahim-dale,dc=org"
    rootdn "cn=admin,dc=toronto,dc=ontario,dc=ca"

your root dn isn't in the base of your ldap tree, this should probably be something like ...

    suffix "dc=rahim-dale,dc=org"
    rootdn "cn=admin,dc=rahim-dale,dc=org"

try it n let us know what happens :).

HTH

Matt.

You got it in one! I've got slapd running.

Now I'm stuck at "5.4 set the samba ldap admin password". I can set the admin password and get the expected response, but when I try "smbldap-populate -a Administrator -b nobody -u 2000 -g 2000", it fails to add the various groups. I get "failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 460, line 3." for each ou= it tries to add.

Any ideas?
Re: [Samba] Samba LDAP rootpw error
> I was following the howto below (originally posted on this list as BIG
> Samba howto for debian only.) to see if I could get my not-quite-working
> Samba 3.0.14a (debian) server fully working and able to handle my Linux
> logins too. The problem I'm having with my Samba setup is that I can't
> change user passwords except through Swat. Users can't change them from
> their machines using the Windows password change - but they are notified
> to change them by when they expire.
>
> Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP
> Server configuration". Neither slapindex nor slapd will run. It looks
> like it doesn't like something about my root password, but I'm not sure
> what it wants (I'm no expert on LDAP). :)
>
> Slapindex complains "bad configuration file". Slapd gives the more
> detailed:
>    line 65 (rootpw ***)
>    /etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is
> under suffix
>
> I've attached my slapd.conf file if that is of any assistance. Any help
> will be greatly appreciated.
>
>
> Louis van Belle wrote:
>
[..snip..]

humm well looking at the config file the first thing that i notice is this
...

    # The base of your directory in database #1
    suffix "dc=rahim-dale,dc=org"
    rootdn "cn=admin,dc=toronto,dc=ontario,dc=ca"

your root dn isn't in the base of your ldap tree, this should probably be
something like ...

    suffix "dc=rahim-dale,dc=org"
    rootdn "cn=admin,dc=rahim-dale,dc=org"

try it n let us know what happens :).

HTH

Matt.
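Added example, not part of the original thread: a small checker for the two mismatches diagnosed in the replies (a rootdn that is not under its database's suffix, and a bind DN in smbldap_bind.conf that is not the rootdn while the tree is still empty). The sample files are constructed from the DNs quoted in the thread; the `masterDN`/`slaveDN` key names follow the smbldap-tools sample bind file and are an assumption here, since the poster's file is not shown, and `audit` and the other function names are hypothetical.

```python
import re


def parse_dn(dn):
    """Split a DN into normalised (attribute, value) pairs, leftmost RDN first.

    Simplification: values are compared case-insensitively and multi-valued
    RDNs (a+b) are not split, which is enough for dc/ou/cn style DNs.
    """
    dn = dn.strip()
    if not dn:
        return []
    rdns = []
    for part in re.split(r'(?<!\\),', dn):  # split on unescaped commas only
        attr, sep, value = part.partition('=')
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {part!r} in DN {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_is_under(dn, suffix):
    """True if dn equals suffix or sits below it in the tree."""
    d, s = parse_dn(dn), parse_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


DIRECTIVE = re.compile(r'^(\w+)\s*(.*)$')


def parse_slapd_conf(text):
    """Return one dict per 'database' section: suffixes, rootdn, rootpw line."""
    databases, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(raw.strip())  # comment and blank lines do not match
        if not m:
            continue
        key, arg = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == 'database':
            current = {'suffixes': [], 'rootdn': None, 'rootpw_line': None}
            databases.append(current)
        elif current is None:
            continue  # global directives before the first database
        elif key == 'suffix':
            current['suffixes'].append(arg)
        elif key == 'rootdn':
            current['rootdn'] = arg
        elif key == 'rootpw':
            current['rootpw_line'] = lineno  # position only, never the secret
    return databases


BIND_DN = re.compile(r'^\s*(masterDN|slaveDN)\s*=\s*"?([^"#\n]*)"?', re.M)


def parse_bind_dns(text):
    """Extract only the bind DNs from smbldap_bind.conf; passwords are ignored."""
    return {m.group(1): m.group(2).strip() for m in BIND_DN.finditer(text)}


def audit(slapd_text, bind_text):
    """Return a list of (finding, detail) tuples; an empty list means consistent."""
    findings = []
    databases = parse_slapd_conf(slapd_text)
    for db in databases:
        if db['rootdn'] is None or db['rootpw_line'] is None:
            continue
        if not any(dn_is_under(db['rootdn'], s) for s in db['suffixes']):
            findings.append(('rootdn-outside-suffix', db['rootdn']))
    rootdns = [parse_dn(db['rootdn']) for db in databases if db['rootdn']]
    for name, dn in sorted(parse_bind_dns(bind_text).items()):
        if parse_dn(dn) not in rootdns:
            findings.append(('bind-dn-not-rootdn', f"{name}={dn}"))
    return findings


# Constructed sample input, using the DNs quoted in the thread.
BROKEN_SLAPD = '''\
# constructed excerpt, not the poster's real file
database        bdb
suffix          "dc=rahim-dale,dc=org"
rootdn          "cn=admin,dc=toronto,dc=ontario,dc=ca"
rootpw          {SSHA}PLACEHOLDER
'''
FIXED_SLAPD = BROKEN_SLAPD.replace("dc=toronto,dc=ontario,dc=ca",
                                   "dc=rahim-dale,dc=org")
BIND_CONF = '''\
slaveDN="cn=admin,dc=family,dc=rahim-dale,dc=org"
slavePw="PLACEHOLDER"
masterDN="cn=admin,dc=family,dc=rahim-dale,dc=org"
masterPw="PLACEHOLDER"
'''
FIXED_BIND = BIND_CONF.replace("dc=family,", "")

if __name__ == "__main__":
    for label, slapd, bind in (("as posted", BROKEN_SLAPD, BIND_CONF),
                               ("rootdn fixed", FIXED_SLAPD, BIND_CONF),
                               ("both fixed", FIXED_SLAPD, FIXED_BIND)):
        print(label, audit(slapd, bind))
```

A bind DN that differs from the rootdn is not wrong in itself once that entry exists in the directory and the ACLs grant it write access; the second finding matters for the empty-tree case described in the thread.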
[Samba] Samba LDAP rootpw error
I was following the howto below (originally posted on this list as BIG Samba howto for debian only.) to see if I could get my not-quite-working Samba 3.0.14a (debian) server fully working and able to handle my Linux logins too. The problem I'm having with my Samba setup is that I can't change user passwords except through Swat. Users can't change them from their machines using the Windows password change - but they are notified to change them by when they expire.

Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP Server configuration". Neither slapindex nor slapd will run. It looks like it doesn't like something about my root password, but I'm not sure what it wants (I'm no expert on LDAP). :)

Slapindex complains "bad configuration file". Slapd gives the more detailed:

    line 65 (rootpw ***)
    /etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is under suffix

I've attached my slapd.conf file if that is of any assistance. Any help will be greatly appreciated.

Louis van Belle wrote:

Hi everybody,

I made a pretty complete howto for samba on debian servers. This howto covers samba + ldap + cups + recycle bin + samba-vscan + phpldapadmin + ACL + Extended Attributes. this howto is also based on the idealx howto

If you do this setup, you should be able to use the NT4 Usermanager, setup Point and Print Printing. set rights from explorer etc. other nice tools is ldapadmin ( ldapadmin.sf.net ) a must check it out.

We will use a Debian Sarge as setup. If you never used Debian before, you can follow this how-to (http://www.howtoforge.com/perfect_setup_debian_sarge ) , please read the comment below the pages first, this can save you time and problems or install Debian without any software packaged, we will install them later when needed. Checking the kernel or compile your own kernel if needed.
I try to give a complete solution for this how-to, this is because lots of people were asking the same things on the samba list and lots of people make the same mistakes. This is my company's running setup. I run this on a P866, 512 Ram, Scsi Raid 1 ( 15rpms 73 Gb ) , with 50 users 25 printers which do about 150.000 prints a month. I thank my company to let me make this document. Please if you have improvements, comments, send them to me.

Louis van Belle

INDEX

1 Checking the kernel or compile your own kernel
  1.1 Preparing apt configuration
  1.2 Preparing the kernel
  1.3 setup the /etc/fstab
  1.4 final touch, lilo (or grub)
2 Pre-installation of the debian packages
  2.1 Samba and Ldap
  2.2 basic rights setup for samba
  2.3 why this rights setup.
3 LDAP Server configuration
4 installation/configuration libnss, libpam (-ldap)
5 Samba and smbldap-tools Configuration
  5.1 smbldap-tools installation/configuration
  5.2 setting up samba base config
  5.3 Configuring smbldap.conf
  5.4 set the samba ldap admin password
  5.5 Samba PRIVILEGES Setup
6 CUPS - Printer software
  6.1 Setup Cups
  6.2 Setup Cups PDF Printer. - Creating a PDF Printer
7 Configuring phpldapadmin
  7.1 installation of phpldapadmin ( and apache )
8.0 On-Access virus scanning on samba (samba-clamav)
  8.1 Installing ClamAV
  8.2 get the sources ( samba & samba-vscan )
9.0 Recycle bin on samba
  9.1 Recycle bin configuration
Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS
Appendix 2 APT
  2.1 APT HOWTO
  2.2 Files from /etc/apt
    2.2.1 /etc/apt/apt.conf
    2.2.2 /etc/apt/preferences

1 Checking the kernel or compile your own kernel

1.1 Preparing apt configuration

for this go check out my apt howto. if your apt config is set up right, follow the steps below.
ncurses interface for compiling the kernel

    apt-get install libncurses5-dev

get the kernel source

    apt-get install kernel-source-2.6.8 kernel-package

installer right kernel and activate EXT2/3 + Extended attributes and setup CIFS kernel support to in kernel.

1.2 Preparing the kernel

    apt-get install kernel-source-2.6.8 kernel-package fakeroot libc6-dev libncurses5-dev
    cd /usr/src
    tar -jxf kernel-source-2.6.8.tar.bz2
    ln -s /usr/src/kernel-source-2.6.8 /usr/src/linux
    cp /boot/config-2.6.8-2-* /usr/src/linux/.config
    cd linux
    make menuconfig

- File systems - Ext2/3 + extended options
also
- File systems - Miscellaneous filesystems - CramFS
and
- File systems - Network File Systems - CIFS support + extended Attributes

now create the kernel and install it.

    fakeroot make-kpkg --append-to-kernel=-mykernel --initrd kernel_image

This creates a file kernel-image-2.6.8.custom.1.0_i386.deb under /us