Re: [Samba] vampire fails because of Debian smbldap-tools problem
Sorry, Geoff, I thought I'd reply to the list as this seems an important issue...

On Nov 24, Geoff Scott wrote:
> > There is a note in the book (and online) that says that you have to create all these yourself in the case that you are using ldap. Nowhere does it make mention of that in the example scripts. This is how I missed it first time around.
>
> Does it say it in the TOSHARG book? I looked again and I can't find any reference to it in the samba by example book online.

Ok, I lied. I had seen it somewhere... it is in the Samba-HOWTO-Collection/groupmapping.html#id2537327 paragraph (the note...)

The other really useful thing I found while looking for the above reference is in the Samba-Guide/happy.html#id2536161 where in the note it says that having separate containers for users and computers does not yet work, yet examples appear to use this (hence I got the crazy idea it should just work and it didn't).

This brings me to my last point about the LDAP issue that seemed to bring this thread up: Why is samba using NSS when it has all the necessary information to do the proper LDAP search itself? This does not appear to make sense.

tom.
--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] vampire fails because of Debian smbldap-tools problem
On Wednesday 24 November 2004 15:30, tom burkart wrote:
> Sorry, Geoff, I thought I'd reply to the list as this seems an important issue...
>
> On Nov 24, Geoff Scott wrote:
> > > There is a note in the book (and online) that says that you have to create all these yourself in the case that you are using ldap. Nowhere does it make mention of that in the example scripts. This is how I missed it first time around.
> >
> > Does it say it in the TOSHARG book? I looked again and I can't find any reference to it in the samba by example book online.
>
> Ok, I lied. I had seen it somewhere... it is in the Samba-HOWTO-Collection/groupmapping.html#id2537327 paragraph (the note...)
>
> The other really useful thing I found while looking for the above reference is in the Samba-Guide/happy.html#id2536161 where in the note it says that having separate containers for users and computers does not yet work, yet examples appear to use this (hence I got the crazy idea it should just work and it didn't).

Smile. :) It can be made to work by moving the basedn up the tree. The performance impact works against that.

> This brings me to my last point about the LDAP issue that seemed to bring this thread up: Why is samba using NSS when it has all the necessary information to do the proper LDAP search itself? This does not appear to make sense.

Surely you realize that Samba stores files in the file system. The file system is completely divorced from Samba. Who would own the files if the UID and GID Identities are NOT resolved via NSS?

You are completely correct that Samba can do an LDAP lookup to get user and group ID information, but that is not the issue. How do you propose to resolve IDs within the OS if not through NSS?

- John T.
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
Re: [Samba] vampire fails because of Debian smbldap-tools problem
On Nov 24, John H Terpstra wrote:
> > The other really useful thing I found while looking for the above reference is in the Samba-Guide/happy.html#id2536161 where in the note it says that having separate containers for users and computers does not yet work, yet examples appear to use this (hence I got the crazy idea it should just work and it didn't).
>
> Smile. :) It can be made to work by moving the basedn up the tree. The

So I noticed... ;-(

> performance impact works against that.

Yeah, which could be significant if you are using LDAP for other things as well.

> > This brings me to my last point about the LDAP issue that seemed to bring this thread up: Why is samba using NSS when it has all the necessary information to do the proper LDAP search itself? This does not appear to make sense.
>
> Surely you realize that Samba stores files in the file system. The file system is completely divorced from Samba. Who would own the files if the UID and GID Identities are NOT resolved via NSS?

No argument with that.

> You are completely correct that Samba can do an LDAP lookup to get user and group ID information, but that is not the issue. How do you propose to resolve IDs within the OS if not through NSS?

The issue of this thread was authenticating machine accounts if I remember correctly...

tom.
Re: [Samba] vampire fails because of Debian smbldap-tools problem
On 25 Nov 2004, at 10:09, John H Terpstra wrote:
> On Wednesday 24 November 2004 15:30, tom burkart wrote:
> > The other really useful thing I found while looking for the above reference is in the Samba-Guide/happy.html#id2536161 where in the note it says that having separate containers for users and computers does not yet work, yet examples appear to use this (hence I got the crazy idea it should just work and it didn't).
>
> Smile. :) It can be made to work by moving the basedn up the tree. The performance impact works against that.

Another option is to add a new ou into the tree - I can't remember where I read this idea:

dc=example,dc=com
|
+ ou=Accounts
  |
  + ou=People
  |
  + ou=Computers

That way you can limit the search to ou=Account,dc=example,dc=com, and still separate Computer accounts from People accounts.

HTH
Alex
RE: [Samba] vampire fails because of Debian smbldap-tools problem
> The issue of this thread was authenticating machine accounts if I remember correctly...

No I was just having a hard time getting the smbldap tools to work properly. It all came down to me not knowing at what point you switch from chapter 6 of the example book to chapter 8 to vampire accounts of the NT server. Of course if you vampire accounts straight after you use the preload.ldif then you end up with different GID's than what the smbldap tools expect in their defaults. Therefore the vampire fails as the expected GID for the group is different to what vampire sets up as it creates the groups from the NT server.

It would be nice if John could add to chapter 8 something like:

Build the Base server the same as in Chapter 6 including step ? using the smbldap-populate script then continue with vampiring the accounts.

Regards
Geoff
Re: [Samba] vampire fails because of Debian smbldap-tools problem
On Wednesday 24 November 2004 17:00, Geoff Scott wrote:
> > The issue of this thread was authenticating machine accounts if I remember correctly...
>
> No I was just having a hard time getting the smbldap tools to work properly. It all came down to me not knowing at what point you switch from chapter 6 of the example book to chapter 8 to vampire accounts of the NT server. Of course if you vampire accounts straight after you use the preload.ldif then you end up with different GID's than what the smbldap tools expect in their defaults. Therefore the vampire fails as the expected GID for the group is different to what vampire sets up as it creates the groups from the NT server.
>
> It would be nice if John could add to chapter 8 something like:
>
> Build the Base server the same as in Chapter 6 including step ? using the smbldap-populate script then continue with vampiring the accounts.

I'll consider this when I do the update in January.

Cheers,
John T.
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
Re: [Samba] vampire fails because of Debian smbldap-tools problem
On Wednesday 24 November 2004 16:44, Alex Satrapa wrote:
> On 25 Nov 2004, at 10:09, John H Terpstra wrote:
> > On Wednesday 24 November 2004 15:30, tom burkart wrote:
> > > The other really useful thing I found while looking for the above reference is in the Samba-Guide/happy.html#id2536161 where in the note it says that having separate containers for users and computers does not yet work, yet examples appear to use this (hence I got the crazy idea it should just work and it didn't).
> >
> > Smile. :) It can be made to work by moving the basedn up the tree. The performance impact works against that.
>
> Another option is to add a new ou into the tree - I can't remember where I read this idea:
>
> dc=example,dc=com
> + ou=Accounts
>   + ou=People
>   + ou=Computers
>
> That way you can limit the search to ou=Account,dc=example,dc=com, and still separate Computer accounts from People accounts.

Precisely how does this help? What is the benefit?

You still need to be able to resolve BOTH machine accounts AND user accounts via NSS. There is only one vehicle that is the mechanism for user account resolution - the NSS entry for passwd. This is achieved through ldap.conf by specifying the nss_base_passwd entry. No matter how you cut your cake with this, the machine accounts _AND_ the user accounts must be listed by:

    getent passwd

So - why separate them? What is the gain?

- John T.
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
Re: [Samba] vampire fails because of Debian smbldap-tools problem
On Tue 23/11/2004 at 05:35, Geoff Scott wrote:
> Hi people,
>
> As usual I've tried a number of different approaches to this problem and can't figure it out. I don't have enough knowledge. Every time I do net rpc vampire I get this crap spewed at me:
>
> Use of uninitialized value in substitution (s///) at /usr/share/perl5/smbldap_tools.pm line 106, CONFIGFILE line 233.
> Use of uninitialized value in substitution (s///) at /usr/share/perl5/smbldap_tools.pm line 106, CONFIGFILE line 245.

It looks like there is a problem in your config file (smbldap-tools.conf). You should double-check syntax and verify proper location.

Don't know if it's relevant, but according to my installation of smbldap-tools from tgz, configuration files should be in /etc/smbldap-tools and the Debian package doesn't create this directory. You should check /usr/share/doc/smbldap-tools/README.Debian.gz for proper install instructions.

> erreur LDAP: Can't contact master ldap server (IO::Socket::INET: Bad hostname ''

Apparently variable hostname is not initialized.

Hope this helps.

BTW I use tgz version of smbldap-tools on Debian, they are more up-to-date, and apparently better packaged.

--
-- Thomas Constans --
http://www.opendoor.fr [EMAIL PROTECTED]
04 78 68 17 34
[Samba] vampire fails because of Debian smbldap-tools problem
> BTW I use tgz version of smbldap-tools on Debian, they are more up-to-date, and apparently better packaged.

OK so I gave up on the .DEB version and downloaded the .tgz version. I put the scripts in /usr/sbin/samba. I copied the 2 .conf files into /etc/smbldap-tools/ and just to be sure that I didn't get any typos I used the configure.pl script that comes with the tgz file. It seems to run fine and produce 2 good .conf files. It does output this part way through though:

Use of uninitialized value in scalar chomp at /usr/sbin/samba/configure.pl line138, STDIN line 17.
Use of uninitialized value in hash element at /usr/sbin/samba/configure.pl line140, STDIN line 17.
Use of uninitialized value in concatenation (.) or string at /usr/sbin/samba/configure.pl line 144, STDIN line 17.
Use of uninitialized value in string at /usr/sbin/samba/configure.pl line 145, STDIN line 17.

Then when you Vampire accounts this happens:

Fetching DOMAIN database
SAM_DELTA_DOMAIN_INFO not handled
Creating unix group: 'Domain Admins'
Creating unix group: 'Domain Users'
Creating unix group: 'Domain Guests'
Creating unix group: 'Sofa Workshop'
Creating unix group: 'Family'
Creating unix group: 'Payroll'
Creating unix group: 'PA'
Creating unix group: 'Accounting'
Creating unix group: 'GHAccounts'
Creating unix group: 'Hire Accounting'
Creating unix group: 'Seagate Info'
Creating unix group: 'MTS Trusted Impersonators'
Creating unix group: 'TopTools'
Creating unix group: 'Melb Consultants'
Creating unix group: 'Melb Accounts'
Creating unix group: 'Manager Reporting'
Creating unix group: 'NSW Consultants'
Creating unix group: 'Actif'
Creating unix group: 'QLD Consultants'
Creating account: administrator
Can't call method get_value on an undefined value at /usr/sbin/samba/smbldap-useradd line 168, DATA line 283.
Could not create posix account info for 'administrator'
Creating account: deloitte
Can't call method get_value on an undefined value at /usr/sbin/samba/smbldap-useradd line 168, DATA line 283.
Could not create posix account info for 'deloitte'
Creating account: iusr_guests
Can't call method get_value on an undefined value at /usr/sbin/samba/smbldap-useradd line 168, DATA line 283.
Could not create posix account info for 'iusr_guests'

So everything works fine till you get to creating proper users. I've checked and checked the smbldap.conf file for errors, which I can't see. Can anyone see anything glaringly obvious that I have missed?

Oh, and the reason that I am putting users etc into ou=Users,ou=OxObjects is that I am trying to integrate Samba with Open Exchange. Is there something hardcoded into Samba that will stop me from doing this?

Regards
Geoff

The smbldap.conf file that I am currently using is below:

# General Configuration
# Put your own SID
# to obtain this number do: net getlocalsid
SID=S-1-5-21-1766222747-101449826-1539857752

# LDAP Configuration
slaveLDAP=127.0.0.1
slavePort=389

# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP=127.0.0.1
masterPort=389

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
ldapTLS=0

# How to verify the server's certificate (none, optional or require)
# see man Net::LDAP in start_tls section for more details
verify=

# CA certificate
# see man Net::LDAP in start_tls section for more details
cafile=

# certificate to use to connect to the ldap server
# see man Net::LDAP in start_tls section for more details
clientcert=

# key certificate to use to connect to the ldap server
# see man Net::LDAP in start_tls section for more details
clientkey=

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix=dc=foobar,dc=com,dc=au

# Where are stored Users
# Ex: usersdn=ou=Users,dc=IDEALX,dc=ORG
usersdn=ou=Users,ou=OxObjects,${suffix}

# Where are stored Computers
# Ex: computersdn=ou=Computers,dc=IDEALX,dc=ORG
computersdn=ou=Users,ou=OxObjects,${suffix}

# Where are stored Groups
# Ex groupsdn=ou=Groups,dc=IDEALX,dc=ORG
groupsdn=ou=Groups,ou=OxObjects,${suffix}

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex groupsdn=ou=Idmap,dc=IDEALX,dc=ORG
idmapdn=ou=Idmap,${suffix}

# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn=cn=NextFreeUnixId,${suffix}

# Default scope Used
scope=sub

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
hash_encrypt=MD5

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is %s, but many systems will generate MD5 hashed
# passwords if you use $1$%.8s. This parameter is optional!
crypt_salt_format=%s

##
#
# Unix Accounts Configuration
#
##

# Login defs
# Default Login Shell
# Ex: userLoginShell=/bin/bash
userLoginShell=/bin/bash

# Home directory
# Ex: userHome=/home/%U
userHome=/home/%U

# Gecos
userGecos=User

# Default
[Samba] vampire fails because of Debian smbldap-tools problem
> > BTW I use tgz version of smbldap-tools on Debian, they are more up-to-date, and apparently better packaged.
>
> OK so I gave up on the .DEB version and downloaded the .tgz version. I put the scripts in /usr/sbin/samba. I copied the 2 .conf files into /etc/smbldap-tools/ and just to be sure that I didn't get any typos I used the configure.pl script that comes with the tgz file. It seems to run fine and produce 2 good .conf files. It does output this part way through though:
>
> Use of uninitialized value in scalar chomp at /usr/sbin/samba/configure.pl line138, STDIN line 17.
> Use of uninitialized value in hash element at /usr/sbin/samba/configure.pl line140, STDIN line 17.
> Use of uninitialized value in concatenation (.) or string at /usr/sbin/samba/configure.pl line 144, STDIN line 17.
> Use of uninitialized value in string at /usr/sbin/samba/configure.pl line 145, STDIN line 17.
>
> Then when you Vampire accounts this happens:
>
> Fetching DOMAIN database
> SAM_DELTA_DOMAIN_INFO not handled
> Creating unix group: 'Domain Admins'
> Creating unix group: 'Domain Users'
> Creating unix group: 'Domain Guests'
> snip
> Creating unix group: 'QLD Consultants'
> Creating account: administrator
> Can't call method get_value on an undefined value at /usr/sbin/samba/smbldap-useradd line 168, DATA line 283.
> Could not create posix account info for 'administrator'
> Creating account: deloitte
> Can't call method get_value on an undefined value at

I thought that I would give it another go. This time just adding a user with smbldap-useradd only. The error that I got back was that the group gid 513 didn't exist. I did a slapcat and looked for the domain users and the gid was like 10001 or something. The reason for this was that I had followed chapter 8 of JHT's example book and it doesn't explicitly state in that chapter where you follow on from chapter 6. If you use the smbldap tools they set the domain users gid to 513 and the default group of your users to the domain users.

So if you follow chapter 8 don't just use the preload.ldif and then follow that up with a vampire off the NT server, you probably want to use smbldap-populate after you join the domain and before you vampire accounts, as it will create the Domain Users group with gid 513, the same as is the default for the smbldap scripts.

I hope this helps other people.

Regards
Geoff
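A pre-flight check for the gid mismatch Geoff describes above, as an added example that is not part of the original post or of smbldap-tools: it reads LDIF such as slapcat output and reports whether the Domain Users posixGroup carries gid 513. The function names and the sample LDIF are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from smbldap-tools or the Samba guides).
# Function names and the sample LDIF below are constructed for illustration.

# Print the gidNumber of every posixGroup entry whose cn is $1 (LDIF on stdin).
group_gid() {
    awk -v want="$1" '
        function emit() {
            if (is_group && cn_match && gid != "") print gid
            is_group = 0; cn_match = 0; gid = ""
        }
        /^$/ { emit(); next }                       # blank line ends an entry
        tolower($0) ~ /^objectclass: *posixgroup$/ { is_group = 1 }
        /^cn: /        { if (substr($0, 5) == want) cn_match = 1 }
        /^gidNumber: / { gid = substr($0, 12) }
        END { emit() }
    '
}

# Exit 0 if "Domain Users" has the expected gid, 1 on mismatch, 2 if missing.
check_domain_users_gid() {
    expected="${1:-513}"            # 513 is the default the post reports
    actual="$(group_gid 'Domain Users')"
    if [ -z "$actual" ]; then
        echo "FAIL: no posixGroup 'Domain Users'; run smbldap-populate first"
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: Domain Users gidNumber is $actual, expected $expected"
        return 1
    fi
    echo "OK: Domain Users gidNumber is $expected"
}

# Constructed, abbreviated LDIF: group created with a non-default gid,
# while a user's primary group still points at 513.
sample_mismatch() {
cat <<'EOF'
dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: Domain Users
gidNumber: 10001

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
cn: J Doe
uid: jdoe
gidNumber: 513
EOF
}

# Constructed, abbreviated LDIF: state after smbldap-populate.
sample_populated() {
cat <<'EOF'
dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: Domain Users
gidNumber: 513
EOF
}

sample_mismatch  | check_domain_users_gid 513 || true
sample_populated | check_domain_users_gid 513
```

On a live server the input would be `slapcat | check_domain_users_gid 513`, run after smbldap-populate and before vampiring the accounts.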
Re: [Samba] vampire fails because of Debian smbldap-tools problem
Today, Geoff Scott wrote:
> 513 didn't exist. I did a slapcat and looked for the domain users and the gid was like 10001 or something the reason for this was that I had followed chapter 8 of JHT's example book and it doesn't explicitly state in that chapter where you follow on from chapter 6. If you use the smbldap tools they set the domain users gid to 513 and the default group of your users to the domain users.
>
> So if you follow chapter 8 don't just use the preload.ldif and then follow that up with a vampire off the NT server, you probably want to use smbldap-populate after you join the domain and before you vampire accounts, as it will create the Domain Users group with gid 513, the same as is the default for the smbldap scripts.

There is a note in the book (and online) that says that you have to create all these yourself in the case that you are using ldap. Nowhere does it make mention of that in the example scripts. This is how I missed it first time around.

tom.
[Samba] vampire fails because of Debian smbldap-tools problem
Hi people,

As usual I've tried a number of different approaches to this problem and can't figure it out. I don't have enough knowledge. Every time I do net rpc vampire I get this crap spewed at me:

Use of uninitialized value in substitution (s///) at /usr/share/perl5/smbldap_tools.pm line 106, CONFIGFILE line 233.
Use of uninitialized value in substitution (s///) at /usr/share/perl5/smbldap_tools.pm line 106, CONFIGFILE line 245.
Use of uninitialized value in string at /usr/share/perl5/smbldap_tools.pm line 153.
Use of uninitialized value in string at /usr/share/perl5/smbldap_tools.pm line 153.
erreur LDAP: Can't contact master ldap server (IO::Socket::INET: Bad hostname '' ) at /usr/share/perl5/smbldap_tools.pm line 153.
Creating unix group: 'Hire Accounting'

I've got this in my smbldap.conf file:

# Master LDAP : needed for write operations
# Ex: $masterLDAP = 127.0.0.1;
$masterLDAP = guests1.guestsfurniturehire.com.au;
$masterPort = 389;

And /usr/share/perl5/smbldap_tools.pm line 106, has this:

101 sub subst_configvar
102 {
103     my $value = shift;
104     my $vars = shift;
105
106     $value =~ s/\$\{([^}]+)\}/$vars->{$1} ? $vars->{$1} : $1/eg;
107     return $value;
108 }
109

/usr/share/perl5/smbldap_tools.pm line 153 Says this:

150 sub connect_ldap_master
151 {
152     # bind to a directory with dn and password
153     my $ldap_master = Net::LDAP->new(
154         $config{masterLDAP},

These are the files provided by Debian sarge with an apt-get install smbldap-tools. And libnet-ldap-perl has been installed.

I don't know what to do next. I'm hoping that someone can please help me figure out what is missing.

Regards
Geoff Scott