Re: [Samba] smbldap-useradd problem
On 9/27/07, Jerome Tournier <[EMAIL PROTECTED]> wrote:
> Hi,
> which version of the smbldap-tools are you using?

0.9.2 (Debian Etch)

> Have you checked your configuration files?
> Have you included the samba schema in the slapd.conf definition?

Of course. I can see the objectClasses in an LDAP browser's schema viewer, and smbldap-populate has had no problems creating groups and copying the "nobody" and "root" users off my system to the LDAP tree.

This may be an important detail. nobody has 514 as gidNumber, which is the gidNumber of the "Domain Guests".

> Are you sure you don't have an ACL access problem?

If it can create the object and stuff the posix-related attributes in them, you'd think it could do the Samba ones as well. However.

I did discover some strangeities with my ldap configuration though. When starting the ldap server, this is printed in the logs (when I set the loglevel to 232):

    /etc/ldap/slapd.conf: line 123: warning: cannot assess the validity of the ACL scope within backend naming context

Well, this is the result of the following acl settings in slapd.conf:

    access to *
            by dn="cn=admin,dc=sambadomein" write
            by * read

(the last line is line 123)

or:

    access to attrs=userPassword,shadowLastChange
            by dn="cn=admin,dc=sambadomein" write
            by anonymous auth
            by self write
            by * none

The problem disappears if you explicitly mention which tree to apply the acl to:

    access to dn.subtree="dc=sambadomein"
            by dn="cn=admin,dc=sambadomein" write
            by * read

respectively:

    access to dn.subtree="dc=sambadomein" attrs=userPassword,shadowLastChange
            by dn="cn=admin,dc=sambadomein" write
            by anonymous auth
            by self write
            by * none

So, this wasn't necessarily an obvious problem: log level 232 means stats logs + connection management, and I'd have expected to find this sort of warning under level 128 - acl processing. So I'm posting enough googleable details for future reference :-)

So, case closed, on to the next stumbling block. Thanks for your help!
--
Frank Van Damme
A: Because it destroys the flow of the conversation
Q: Why is it bad?
A: No, it's bad.
Q: Should I top post in replies to mails or on usenet?
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
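
An added example, not part of the original thread: a Python check that reads slapd.conf text and lists every `access to` clause whose target has no dn scope, the form the message above reports as producing the "cannot assess the validity of the ACL scope" warning. The sample configuration is constructed from the clauses quoted in the message, and the function names are hypothetical.

```python
import re

# Constructed sample built from the clauses quoted in the thread.
SAMPLE_SLAPD_CONF = '''\
suffix "dc=sambadomein"

access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=sambadomein" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="cn=admin,dc=sambadomein" write
        by * read

access to dn.subtree="dc=sambadomein"
        by dn="cn=admin,dc=sambadomein" write
        by * read
'''

def logical_lines(text):
    """Yield (first_line, last_line, text) per directive. slapd.conf treats a
    line that starts with whitespace as a continuation of the previous one."""
    current = None
    for number, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and current:
            current[1] = number
            current[2] += " " + raw.strip()
        else:
            if current:
                yield tuple(current)
            current = [number, number, raw.strip()]
    if current:
        yield tuple(current)

def unscoped_acls(text):
    """Return (first_line, last_line, what) for ACLs without a dn scope."""
    findings = []
    for first, last, line in logical_lines(text):
        m = re.match(r"access\s+to\s+(.*?)(?=\s+by\s|$)", line, re.I)
        if m and not re.search(r"(?:^|\s)dn(?:\.\w+)?=", m.group(1), re.I):
            findings.append((first, last, m.group(1)))
    return findings

if __name__ == "__main__":
    for first, last, what in unscoped_acls(SAMPLE_SLAPD_CONF):
        print(f"lines {first}-{last}: 'access to {what}' has no dn scope")
```

The reported last line of each clause is the one slapd cited in the warning quoted above (line 123 was the final `by` line).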
Re: [Samba] smbldap-useradd problem
Have you changed your SID?

    net getlocalsid

Maybe you have a different SID in ldap to that configured in smbldap such that the group lookups fail.

The differences between using the net command and using smbldap tools include:

## Bind credentials:

With smbldap you bind directly to the ldap server using the credentials in the smbldap_bind.conf

If you use the net command (and others) it uses nss_ldap (using either anonymous bind or the credentials in /etc/ldap.conf or /etc/openldap/ldap.conf)

## SID lookup

The net command looks in ldap or tdb for the SID whereas with smbldap you can set the SID explicitly in smbldap.conf - ensure that it's correct.

On 27/09/2007, Frank Van Damme <[EMAIL PROTECTED]> wrote:
> On 9/26/07, Quinn Fissler <[EMAIL PROTECTED]> wrote:
> > Does it work if you run it as root?
>
> I ran it as root, sorry for the confusing "$" command prompt.
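
An added example, not part of the original thread: a Python check for the mismatch described in the message above, comparing the SID printed by `net getlocalsid`, the SID set in smbldap.conf, and the `sambaSID`/`gidNumber` stored on the "Domain Users" group entry. All inputs are constructed text (the SIDs, host name and `ou=Groups` container are made up), and the function names are hypothetical.

```python
import re

# Constructed inputs: every SID, host name and DN component is made up.
NET_GETLOCALSID = "SID for domain FILESRV is: S-1-5-21-1111111111-2222222222-3333333333"
SMBLDAP_CONF = '''\
# smbldap.conf (excerpt)
SID="S-1-5-21-1111111111-2222222222-4444444444"
defaultUserGid="513"
'''
DOMAIN_USERS_LDIF = '''\
dn: cn=Domain Users,ou=Groups,dc=sambadomein
objectClass: sambaGroupMapping
gidNumber: 513
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-513
'''
DOMAIN_USERS_RID = 513  # well-known RID of "Domain Users"

def conf_value(text, key):
    """Return the value of a key="value" line in smbldap.conf style text."""
    m = re.search(r'^[ \t]*%s[ \t]*=[ \t]*"?([^"\s]*)' % re.escape(key), text, re.M)
    return m.group(1) if m else None

def ldif_attr(ldif, attr):
    """Return the first value of a plain (not base64) LDIF attribute."""
    m = re.search(r"^%s:[ \t]*(.+)$" % re.escape(attr), ldif, re.M | re.I)
    return m.group(1).strip() if m else None

def check_sids(net_output, conf_text, group_ldif):
    """Return (code, detail) pairs for each inconsistency found."""
    problems = []
    m = re.search(r"S-1-5-21(?:-\d+){3}", net_output)
    samba_sid = m.group(0) if m else None
    tools_sid = conf_value(conf_text, "SID")
    if samba_sid is None:
        problems.append(("no-local-sid", net_output.strip()))
    elif tools_sid != samba_sid:
        problems.append(("conf-sid-mismatch", f"{tools_sid} != {samba_sid}"))
    # The SID stored in LDAP must match the one smbldap is configured with.
    group_sid = ldif_attr(group_ldif, "sambaSID")
    if group_sid != f"{tools_sid}-{DOMAIN_USERS_RID}":
        problems.append(("group-sid-mismatch", str(group_sid)))
    gid = ldif_attr(group_ldif, "gidNumber")
    if gid != conf_value(conf_text, "defaultUserGid"):
        problems.append(("group-gid-mismatch", str(gid)))
    return problems

if __name__ == "__main__":
    for code, detail in check_sids(NET_GETLOCALSID, SMBLDAP_CONF, DOMAIN_USERS_LDIF):
        print(code, detail)
```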
Re: [Samba] smbldap-useradd problem
On 9/26/07, Quinn Fissler <[EMAIL PROTECTED]> wrote:
> Does it work if you run it as root?

I ran it as root, sorry for the confusing "$" command prompt.

--
Frank Van Damme
Re: [Samba] smbldap-useradd problem
Hi,
which version of the smbldap-tools are you using?
Have you checked your configuration files?
Have you included the samba schema in the slapd.conf definition?
Are you sure you don't have an ACL access problem?

--
Jerome

On 9/26/07, Frank Van Damme <[EMAIL PROTECTED]> wrote:
> Dear list,
>
> Arghl! (I'm sure you know the feeling).
> I'm still hooked on Samba by example, and trying to add users to my ldap tree.
>
> $ smbldap-useradd -m -a ldaptest2
> Can't call method "get_value" on an undefined value at
> /usr/sbin/smbldap-useradd line 197
>
> The documentation of the smbldap scripts mentions this sort of error
> (albeit with a different line number). Two possible problems are
> proposed:
> 1. the default group defined in smbldap.conf does not exist (the one
> with defaultUserGid 513)
> 2. the NT "Domain Users" group is not mapped to a unix group of rid 513
>
> => I checked both. The group exists, it's called "Domain Users", I can
> chgrp a file on the samba/ldap system to 513 and ls -l shows it's
> owned by Domain Users.
>
> => $ net groupmap list
> shows that "Domain Users" is linked to a group called "Domain Users"
> (which makes sense).
>
> If I leave the option -a of smbldap-useradd, the command completes
> with no error but of course my new user isn't a Windows user then
> (pretty useless). So it's not an LDAP permissions issue since the
> object /is/ created. (Why can't this script be a bit more verbose?)

--
Jérôme
Re: [Samba] smbldap-useradd problem
Does it work if you run it as root?

On 26/09/2007, Frank Van Damme <[EMAIL PROTECTED]> wrote:
>
> Dear list,
>
> Arghl! (I'm sure you know the feeling).
> I'm still hooked on Samba by example, and trying to add users to my ldap
> tree.
>
> $ smbldap-useradd -m -a ldaptest2
> Can't call method "get_value" on an undefined value at
> /usr/sbin/smbldap-useradd line 197
>
> The documentation of the smbldap scripts mentions this sort of error
> (albeit with a different line number). Two possible problems are
> proposed:
> 1. the default group defined in smbldap.conf does not exist (the one
> with defaultUserGid 513)
> 2. the NT "Domain Users" group is not mapped to a unix group of rid 513
>
> => I checked both. The group exists, it's called "Domain Users", I can
> chgrp a file on the samba/ldap system to 513 and ls -l shows it's
> owned by Domain Users.
>
> => $ net groupmap list
> shows that "Domain Users" is linked to a group called "Domain Users"
> (which makes sense).
>
> If I leave the option -a of smbldap-useradd, the command completes
> with no error but of course my new user isn't a Windows user then
> (pretty useless). So it's not an LDAP permissions issue since the
> object /is/ created. (Why can't this script be a bit more verbose?)
[Samba] smbldap-useradd problem
Dear list,

Arghl! (I'm sure you know the feeling).
I'm still hooked on Samba by example, and trying to add users to my ldap tree.

    $ smbldap-useradd -m -a ldaptest2
    Can't call method "get_value" on an undefined value at
    /usr/sbin/smbldap-useradd line 197

The documentation of the smbldap scripts mentions this sort of error (albeit with a different line number). Two possible problems are proposed:

1. the default group defined in smbldap.conf does not exist (the one with defaultUserGid 513)
2. the NT "Domain Users" group is not mapped to a unix group of rid 513

=> I checked both. The group exists, it's called "Domain Users", I can chgrp a file on the samba/ldap system to 513 and ls -l shows it's owned by Domain Users.

=> $ net groupmap list
shows that "Domain Users" is linked to a group called "Domain Users" (which makes sense).

If I leave the option -a of smbldap-useradd, the command completes with no error but of course my new user isn't a Windows user then (pretty useless). So it's not an LDAP permissions issue since the object /is/ created. (Why can't this script be a bit more verbose?)

--
Frank Van Damme