Re: [Samba] Samba-LDAP Roaming Profiles
mallapadi niranjan wrote:

Hi all,

I have Samba 3.0.21c with OpenLDAP 2.3.19 as Primary Domain Controller. I would like to enable roaming profiles on a per-user basis, not for all users. Below is my smb.conf:

[global]
workgroup = mydomain.com
netbios name = mydomain
passdb backend = ldapsam:ldap://mydomain.com
server string = Domain Controller
hosts allow = 192.168.128. 192.168.129. 192.168.130. 127.
security = user
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = eth0, lo
printing = cups
disable spoolss = Yes
printcap name = cups
max print jobs = 100
enable privileges = yes
password level = 8
username level = 8
bind interfaces only = yes
local master = Yes
os level = 65
domain master = yes
preferred master = yes
null passwords = no
hide unreadable = yes
hide dot files = yes
domain logons = yes
logon script = %u.bat
logon path =
logon drive = X:
logon home = \\mydomain\%U
wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no
time server = yes
log file = /var/log/samba/%m.log
max log size = 50
nt acl support = yes
ldap passwd sync = yes
add user script = /usr/local/sbin/smbldap-useradd -m %u
delete user script = /usr/local/sbin/smbldap-userdel %u
add machine script = /usr/local/sbin/smbldap-useradd -w %m
add group script = /usr/local/sbin/smbldap-groupadd -p %g
add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
ldap delete dn = Yes
ldap ssl = no
ldap suffix = dc=msdpl,dc=com
ldap admin dn = cn=manager,dc=msdpl,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap timeout = 50
idmap backend = ldap:ldap://mydomain.com
idmap uid = 1-2
idmap gid = 1-2
check password script = /usr/local/bin/crackcheck -s
map acl inherit = yes
winbind use default domain = yes
template shell = /bin/false

# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
comment = Network Logon Service
path = /usr/local/samba-3c/lib/netlogon/scripts
guest ok = yes
browseable = yes
write list = root

[profiles]
comment = Profile Shares
path = /profiles
browseable = yes
writeable = yes
create mode = 0600
directory mode = 0700

In the above configuration I have not given any netbios logon path, i.e. "logon path =" is left empty, and for the users for whom I want to enable roaming profiles I have modified their accounts through the smbldap-usermod command, i.e. I have given:

smbldap-usermod -F \\mydomain\profiles\username username

1) Using the above configuration, roaming profiles for that particular user are not getting enabled.

2) Suppose I edit my above smb.conf and write logon path = \\mydomain\profiles\%U and enable the roaming profile for the intended user through smbldap-usermod; then the roaming profile is getting enabled, but the problem is that in the /profiles directory (which is the profile share) a directory is created by username for every user who logs on to the domain.

3) For the users for whom I have manually enabled the roaming profile, their roaming profile works perfectly on Windows 2003 and Windows XP, i.e. if they create any new folder or shortcut it gets reflected in the server profile directory; but when the same user logs on to Windows 2000 Professional it's not working, i.e. whatever is in the server profile gets loaded, but if any modification is done it does not get reflected on the server.

4) My query is: should we enable logon path = \\mypdc\profiles\%u on the server? If I leave it blank and edit it manually per user through smbldap-usermod, will it work?

What is the correct method of enabling a per-user roaming profile for Samba with an LDAP backend? Please guide me.

Regards
Niranjan

Hi Niranjan,

My suggestion for your problem would be a mandatory profile as the default for all users, which means you specify the profile directory in smb.conf; check http://caad.ar.vtu.lt/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html#id2628723

logon path = \\mydomain\profiles\mandatory
# you would have to use fake perms

By doing so they download their profile from \\mydomain\profiles\mandatory. For the few chosen you change the logon path in their account using smbldap-usermod to \\mydomain\profiles\%U

--
Venlig Hilsen (Best Regards)
Rune Tønnesen

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba-LDAP not quite working - help!
I was trying to follow the howto below to get Samba-LDAP working on my Debian/Sarge server. I'm stuck in section 5.4: when I try smbpasswd -a root I get:

semper:/etc/phpldapadmin/templates# smbpasswd -a root
New SMB password:
Retype new SMB password:
ldapsam_modify_entry: Failed to add user dn= uid=root,ou=Users,dc=rahim-dale,dc=org with: Insufficient access
no write access to parent
ldapsam_add_sam_account: failed to modify/add user with uid = root (dn = uid=root,ou=Users,dc=rahim-dale,dc=org)
Failed to add entry for user root.
Failed to modify password entry for user root

The next two steps are:

smbldap-passwd Administrator -- this works
smbldap-usermod -J Administrator -- this fails

And after that nothing works. I've managed to get phpldapadmin working (finally) but that doesn't seem to help. I can add accounts, etc., but they don't seem to help. When I try to get a Windows XP computer to join the domain, I get "logon failure: unknown user name or bad password". I can browse the network from a Windows XP machine as well, but can't connect to any network shares that have any security on them.

I've gone through the idealx.org smb-ldap documentation and can't see anything obvious that I'm doing wrong. Nor have I found anything in searches that tells me any more than what the immediate error message says (basically they seem to say it's a rights issue, so fix it, without specifying how to do it).

Please help!

Louis van Belle wrote:

Hi everybody,

I made a pretty complete howto for Samba on Debian servers. This howto covers samba + ldap + cups + recycle bin + samba-vscan + phpldapadmin + ACL + Extended Attributes. This howto is also based on the idealx howto. If you do this setup, you should be able to use the NT4 User Manager, set up Point and Print printing, set rights from Explorer, etc. Another nice tool is ldapadmin ( ldapadmin.sf.net ), a must, check it out.

We will use Debian Sarge as setup. If you have never used Debian before, you can follow this how-to (http://www.howtoforge.com/perfect_setup_debian_sarge); please read the comments below the pages first, this can save you time and problems. Or install Debian without any software packages; we will install them later when needed. Check the kernel or compile your own kernel if needed.

I try to give a complete solution in this how-to, because lots of people were asking the same things on the samba list and lots of people make the same mistakes. This is my company's running setup. I run this on a P866, 512 RAM, SCSI RAID 1 ( 15rpms 73 Gb ), with 50 users and 25 printers which do about 150.000 prints a month. I thank my company for letting me make this document. Please, if you have improvements or comments, send them to me.

Louis van Belle

INDEX

1 Checking the kernel or compile your own kernel
1.1 Preparing apt configuration
1.2 Preparing the kernel
1.3 Setup the /etc/fstab
1.4 Final touch, lilo (or grub)
2 Pre-installation of the Debian packages
2.1 Samba and LDAP
2.2 Basic rights setup for samba
2.3 Why this rights setup
3 LDAP Server configuration
4 Installation/configuration libnss, libpam (-ldap)
5 Samba and smbldap-tools configuration
5.1 smbldap-tools installation/configuration
5.2 Setting up samba base config
5.3 Configuring smbldap.conf
5.4 Set the samba ldap admin password
5.5 Samba PRIVILEGES setup
6 CUPS - Printer software
6.1 Setup CUPS
6.2 Setup CUPS PDF Printer - Creating a PDF Printer
7 Configuring phpldapadmin
7.1 Installation of phpldapadmin ( and apache )
8.0 On-access virus scanning on samba (samba-clamav)
8.1 Installing ClamAV
8.2 Get the sources ( samba samba-vscan )
9.0 Recycle bin on samba
9.1 Recycle bin configuration
Appendix 1 (complex samba-access.conf) SETUP WITH DSA USERS
Appendix 2 APT
2.1 APT HOWTO
2.2 Files from /etc/apt
2.2.1 /etc/apt/apt.conf
2.2.2 /etc/apt/preferences

1 Checking the kernel or compile your own kernel

1.1 Preparing apt configuration

For this go check out my apt howto. If your apt config is set up right, follow the steps below.

ncurses interface for compiling the kernel:
apt-get install libncurses5-dev

Get the kernel source:
apt-get install kernel-source-2.6.8 kernel-package

Install the right kernel and activate EXT2/3 + extended attributes, and set up CIFS kernel support in the kernel.

1.2 Preparing the kernel

apt-get install kernel-source-2.6.8 kernel-package fakeroot libc6-dev libncurses5-dev
cd /usr/src
tar -jxf kernel-source-2.6.8.tar.bz2
# symlink the unpacked source as /usr/src/linux (target first, then link name)
ln -s /usr/src/kernel-source-2.6.8 /usr/src/linux
cp /boot/config-2.6.8-2-* /usr/src/linux/.config
cd linux
make menuconfig
- File systems
- Ext2/3 + extended options
Re: [Samba] Samba-LDAP not quite working - help!
This howto contains some errors, I think. Before trying smbpasswd, Samba must have the information about which user it must use to connect to LDAP; this question is answered with the ldap admin dn parameter in smb.conf. If there is a user, there is a password. To specify the password, you must use the command smbpasswd -w ( = the password of that user).

ATTENTION: in your slapd.conf, only admin can write. If you want to use another ldap user, you must modify your slapd.conf.
Re: [Samba] Samba-LDAP not quite working - help!
The first step in 5.4 is smbpasswd -w password. I've done that and it succeeded. It currently reports that it set the password for samba, which is the user defined in smb.conf. phpldapadmin shows samba as being a "gecos: System User" in objectClasses top, inetOrgPerson, posixAccount, shadowAccount.

The slapd.conf file includes samba-access.conf, which gives admin and samba extensive write privileges. The admin privileges are taken from the howto below, while the ones for samba are from the idealx.org manual. They also give others the right to modify some of their own information.
[Samba] Samba-LDAP not quite working still
Further to below: I noticed that some of the various documents show smbldap-populate adding the root account. The one on my system didn't. However, I'm still not sure why smbpasswd -a root doesn't add it.

I tried using the samba and admin accounts to set the various privileges but that doesn't seem to work either. I get the following:

semper:/etc/ldap# net -S Localhost -U admin rpc rights grant rahim-dale\Domain Admins SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
Password:
Failed to grant privileges for rahim-dale\Domain Admins (NT_STATUS_ACCESS_DENIED)

I can't see any way in phpldapadmin to add the privileges and I can't get smbldap-usermod to let me do anything either. I've also been playing around with pdbedit without any luck.

Any help will be greatly appreciated.
Re: [Samba] Samba LDAP rootpw error
Matt Richards wrote:

I was following the howto below (originally posted on this list as "BIG Samba howto for debian only") to see if I could get my not-quite-working Samba 3.0.14a (Debian) server fully working and able to handle my Linux logins too. The problem I'm having with my Samba setup is that I can't change user passwords except through SWAT. Users can't change them from their machines using the Windows password change, but they are notified to change them when they expire.

Anyway, my attempts to follow the howto hit a roadblock at 3 LDAP Server configuration. Neither slapindex nor slapd will run. It looks like it doesn't like something about my root password, but I'm not sure what it wants (I'm no expert on LDAP). :)

Slapindex complains "bad configuration file". Slapd gives the more detailed:

line 65 (rootpw ***)
/etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is under suffix

I've attached my slapd.conf file if that is of any assistance. Any help will be greatly appreciated.

Louis van Belle wrote: [..snip..]

Humm, well, looking at the config file the first thing that I notice is this ...

# The base of your directory in database #1
suffix  dc=rahim-dale,dc=org
rootdn  cn=admin,dc=toronto,dc=ontario,dc=ca

Your root dn isn't in the base of your ldap tree; this should probably be something like ...

suffix  dc=rahim-dale,dc=org
rootdn  cn=admin,dc=rahim-dale,dc=org

Try it and let us know what happens :).

HTH
Matt.

You got it in one! I've got slapd running. Now I'm stuck at 5.4 set the samba ldap admin password. I can set the admin password and get the expected response, but when I try smbldap-populate -a Administrator -b nobody -u 2000 -g 2000, it fails to add the various groups. I get:

failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 460, <GEN1> line 3.

for each ou=groupname it tries to add. Any ideas?

The smbldap-populate script requires authentication to the ldap server. There is probably a problem with the login you have set in smbldap.conf .. if you have set any at all! I would recommend looking through the smbldap-tools howto at http://samba.idealx.org/smbldap-tools.en.html and seeing if there is anything you have missed out, but the first thing I would try is this ..

...
3 Configuring the smbldap-tools

As mentioned in the previous section, you'll have to update two configuration files. The first (smbldap.conf) allows you to set global parameters that are readable by everybody, and the second (smbldap_bind.conf) defines two administrative accounts to bind to a slave and a master ldap server: this file must thus be readable only by root. A script named configure.pl can help you to set their contents up. It is located in the downloaded tarball or in the documentation directory if you got the RPM archive (see /usr/share/doc/smbldap-tools/). Just invoke it:

/usr/share/doc/smbldap-tools/configure.pl
...

Note: the smbldap-tools dir might not be located in your /usr/share/doc/ directory.

If this doesn't work you could attach your smbldap config file (with the passwd taken out, of course) so we can have a little look.

Matt.

I can't see anything wrong with my setup but even when I tweak the settings a little, I get the same result. Here are: smbldap.conf, smbldap_bind.conf (with passwords removed) and the smb.conf I'm using for ldap (renamed right now because I'm keeping my old setup available until I get this working). One issue is my password does have an apostrophe and a period in it. It shouldn't be an issue because the bind file has them in quotes. I've also tried them escaped (\) but that didn't change anything.

OK, I have looked over everything and the only thing I can see at this moment is this ...

In your smbldap_bind.conf file you aren't using a bind dn of cn=admin,dc=family,dc=rahim-dale,dc=org for authentication against the ldap server, but the line in the config I gave you before was rootdn cn=admin,dc=rahim-dale,dc=org ...

When you first set up ldap no accounts exist in the ldap database. The rootdn account is like a virtual account that will always have full access, and because of this (and I'm guessing your ldap tree is blank) you will only be able to use the rootdn to bind at this time. There are a few lines you can try to attempt to bind to the ldap server ...

ldapsearch -D cn=admin,dc=family,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W
ldapsearch -D cn=admin,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W

The first is the bind dn in your smbldap_bind.conf and the second is using the rootdn from the other email. As your ldap tree is blank you won't get much output, but one should fail with a bind error and the other should say something like "no such object".

HTH, let me know if they work; I will see if I can see anything else that may be wrong.

Matt.

It's the one without the family. The
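The DN mistakes worked through in this thread and in the "Samba-LDAP not quite working" thread above (a rootdn outside the suffix, a smbldap_bind.conf bind DN that is not the rootdn, and a Samba ldap admin dn that slapd.conf has not been told to let write) can be caught before starting any daemon with a small consistency check over the three files. This is an added example, not code from the list or from smbldap-tools; it assumes the masterDN/slaveDN keys of smbldap_bind.conf, and its sample files are constructed from the DNs quoted in the thread.

```python
"""Consistency check for the DNs a Samba/OpenLDAP/smbldap-tools setup must agree on.

Added example (not from the thread or from smbldap-tools). It reads three files as
text and flags the mistakes discussed above: a rootdn outside the suffix (slapd
then refuses rootpw), a smbldap_bind.conf masterDN/slaveDN that is not the rootdn
(the only identity guaranteed write access to an empty tree) and a Samba
'ldap admin dn' that is not the rootdn (works only once slapd.conf grants it write).
"""
import re


def normalize_dn(dn):
    # Lower-cased, whitespace-stripped RDNs; escaped commas and multi-valued
    # RDNs are deliberately not handled (not needed for cn=...,dc=... DNs).
    dn = dn.strip().strip('"')
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def same_dn(a, b):
    return normalize_dn(a) == normalize_dn(b)


def dn_under_suffix(dn, suffix):
    """True when dn equals suffix or lies below it (the rule slapd applies to rootdn)."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def parse_slapd(text):
    """Pick 'suffix' and 'rootdn' out of slapd.conf-style 'keyword value' lines."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'(suffix|rootdn)\s+"?(.*?)"?\s*$', line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def parse_kv(text, wanted):
    """Pick the wanted keys out of 'key = value' lines (smb.conf, smbldap_bind.conf)."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.split()).lower()
        if key in wanted:
            found[key] = value.strip().strip('"')
    return found


def check_dns(slapd_conf, bind_conf, smb_conf):
    """Return a list of problem strings; an empty list means the three files agree."""
    ldap = parse_slapd(slapd_conf)
    bind = parse_kv(bind_conf, {"masterdn", "slavedn"})
    smb = parse_kv(smb_conf, {"ldap suffix", "ldap admin dn"})
    suffix, rootdn = ldap.get("suffix"), ldap.get("rootdn")
    if not suffix or not rootdn:
        return ["slapd.conf: suffix or rootdn missing"]
    problems = []
    if not dn_under_suffix(rootdn, suffix):
        problems.append(f"slapd.conf: rootdn {rootdn} is not under suffix {suffix}")
    for key in ("masterdn", "slavedn"):
        if key in bind and not same_dn(bind[key], rootdn):
            problems.append(f"smbldap_bind.conf: {key} {bind[key]} is not the rootdn {rootdn}")
    if "ldap suffix" in smb and not same_dn(smb["ldap suffix"], suffix):
        problems.append(f"smb.conf: ldap suffix {smb['ldap suffix']} differs from {suffix}")
    if "ldap admin dn" in smb and not same_dn(smb["ldap admin dn"], rootdn):
        problems.append(f"smb.conf: ldap admin dn {smb['ldap admin dn']} is not the rootdn; "
                        "slapd.conf must grant it write access")
    return problems


# Constructed sample files built from the DNs quoted in the thread (rootpw is a placeholder).
BROKEN_SLAPD = """
# The base of your directory in database #1
suffix      "dc=rahim-dale,dc=org"
rootdn      "cn=admin,dc=toronto,dc=ontario,dc=ca"
rootpw      {SSHA}PLACEHOLDER-HASH
"""
FIXED_SLAPD = BROKEN_SLAPD.replace("cn=admin,dc=toronto,dc=ontario,dc=ca",
                                   "cn=admin,dc=rahim-dale,dc=org")
BROKEN_BIND = """
masterDN="cn=admin,dc=family,dc=rahim-dale,dc=org"
masterPw="placeholder"
slaveDN="cn=admin,dc=family,dc=rahim-dale,dc=org"
slavePw="placeholder"
"""
FIXED_BIND = BROKEN_BIND.replace("dc=family,", "")
SMB_CONF = """
[global]
   ldap suffix = dc=rahim-dale,dc=org
   ldap admin dn = cn=admin,dc=rahim-dale,dc=org
"""

if __name__ == "__main__":
    for label, slapd, bind in (("as posted", BROKEN_SLAPD, BROKEN_BIND),
                               ("rootdn fixed", FIXED_SLAPD, BROKEN_BIND),
                               ("both fixed", FIXED_SLAPD, FIXED_BIND)):
        print(f"== {label} ==", *check_dns(slapd, bind, SMB_CONF) or ["ok"], sep="\n  ")
```

Run as a script it prints four problems for the configuration as posted, two once the rootdn is fixed, and "ok" once smbldap_bind.conf also binds as the rootdn.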
Re: [Samba] Samba LDAP rootpw error
Matt Richards wrote:

I was following the howto below (originally posted on this list as "BIG Samba howto for debian only") to see if I could get my not-quite-working Samba 3.0.14a (Debian) server fully working and able to handle my Linux logins too. The problem I'm having with my Samba setup is that I can't change user passwords except through SWAT. Users can't change them from their machines using the Windows password change, but they are notified to change them when they expire. Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP Server configuration". Neither slapindex nor slapd will run. It looks like it doesn't like something about my root password, but I'm not sure what it wants (I'm no expert on LDAP). :) slapindex complains "bad configuration file". slapd gives the more detailed:

line 65 (rootpw ***)
/etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is under suffix

I've attached my slapd.conf file if that is of any assistance. Any help will be greatly appreciated.

Louis van Belle wrote: [..snip..]

Hmm, well, looking at the config file the first thing that I notice is this:

# The base of your directory in database #1
suffix    dc=rahim-dale,dc=org
rootdn    cn=admin,dc=toronto,dc=ontario,dc=ca

Your root DN isn't in the base of your LDAP tree; this should probably be something like:

suffix    dc=rahim-dale,dc=org
rootdn    cn=admin,dc=rahim-dale,dc=org

Try it and let us know what happens :). HTH, Matt.

You got it in one! I've got slapd running. Now I'm stuck at "5.4 set the samba ldap admin password". I can set the admin password and get the expected response, but when I try smbldap-populate -a Administrator -b nobody -u 2000 -g 2000, it fails to add the various groups. I get "failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 460, GEN1 line 3." for each ou=groupname it tries to add. Any ideas?
The smbldap-populate script requires authentication to the LDAP server; there is probably a problem with the login you have set in smbldap.conf, if you have set any at all! I would recommend looking through the smbldap-tools howto at http://samba.idealx.org/smbldap-tools.en.html and seeing if there is anything you have missed, but the first thing I would try is this:

...
3 Configuring the smbldap-tools
As mentioned in the previous section, you'll have to update two configuration files. The first (smbldap.conf) allows you to set global parameters that are readable by everybody, and the second (smbldap_bind.conf) defines two administrative accounts to bind to a slave and a master LDAP server: this file must thus be readable only by root. A script named configure.pl can help you set their contents up. It is located in the downloaded tarball or in the documentation directory if you got the RPM archive (see /usr/share/doc/smbldap-tools/). Just invoke it:
/usr/share/doc/smbldap-tools/configure.pl
...

Note: the smbldap-tools dir might not be located in your /usr/share/doc/ directory. If this doesn't work you could attach your smbldap config file (with the password taken out, of course) so we can have a little look. Matt.

I can't see anything wrong with my setup, but even when I tweak the settings a little I get the same result. Here are smbldap.conf, smbldap_bind.conf (with passwords removed) and the smb.conf I'm using for LDAP (renamed right now because I'm keeping my old setup available until I get this working). One issue is that my password does have an apostrophe and a period in it. It shouldn't be an issue because the bind file has them in quotes. I've also tried them escaped (\) but that didn't change anything.

OK, I have looked over everything and the only thing I can see at this moment is this:
In your smbldap_bind.conf file you are using a bind DN of cn=admin,dc=family,dc=rahim-dale,dc=org for authentication against the LDAP server, but the line in the config I gave you before was rootdn cn=admin,dc=rahim-dale,dc=org. When you first set up LDAP no accounts exist in the LDAP database; the rootdn account is like a virtual account that will always have full access, and because of this (and I'm guessing your LDAP tree is blank) you will only be able to use the rootdn to bind at this time. There are a few lines you can try to attempt to bind to the LDAP server:

ldapsearch -D cn=admin,dc=family,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W
ldapsearch -D cn=admin,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W

The first is the bind DN in your smbldap_bind.conf and the second is using the rootdn from the other email. As your LDAP tree is blank you won't get much output, but one should fail with a bind error and the other should say something like "no such object". HTH, let me know if they work and I will see if I can see anything else that may be wrong. Matt.

It's the one without the family. The
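The two rules this exchange turns on, checked offline: slapd refuses a rootpw unless the rootdn lies under the database suffix, and against a freshly created directory only the rootdn (a virtual identity that bypasses the ACLs) can simple-bind, because no other entry exists yet. This is an added example, not code from the thread, from OpenLDAP or from smbldap-tools; the two slapd.conf fragments are constructed after the poster's broken and corrected lines, with a placeholder rootpw.

```python
"""Offline check of the slapd.conf rule behind
"rootpw can only be set when rootdn is under suffix", plus the reason only
the rootdn can bind before the tree is populated."""
import re


def normalize_dn(dn):
    """Split a DN into RDNs normalised for comparison: quotes and stray
    whitespace removed, types and values lower-cased (dc/cn/ou/uid values are
    case-insensitive). Escaped commas inside values are not handled."""
    rdns = []
    for rdn in dn.strip().strip('"').split(','):
        attr, _, value = rdn.partition('=')
        rdns.append(attr.strip().lower() + '=' + value.strip().lower())
    return rdns


def same_dn(a, b):
    return normalize_dn(a) == normalize_dn(b)


def dn_under_suffix(dn, suffix):
    """True if dn is the suffix itself or lies below it, i.e. the suffix's
    RDNs are the trailing RDNs of dn."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def parse_databases(conf_text):
    """Collect suffix/rootdn/rootpw for each 'database' section. Directives
    before the first 'database' line are global and ignored; a tab or spaces
    may separate a directive from its value."""
    dbs = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = re.split(r'\s+', line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ''
        if key == 'database':
            dbs.append({'backend': value, 'suffix': None, 'rootdn': None, 'rootpw': None})
        elif dbs and key in ('suffix', 'rootdn', 'rootpw'):
            dbs[-1][key] = value
    return dbs


def check_config(conf_text):
    """Return the problems slapd would refuse to start on. A rootdn outside
    the suffix is allowed by itself (it then has to authenticate through some
    other database), but a rootpw for it is not."""
    problems = []
    for n, db in enumerate(parse_databases(conf_text), 1):
        if not db['suffix']:
            problems.append('database %d: no suffix' % n)
        elif db['rootpw'] and db['rootdn'] and not dn_under_suffix(db['rootdn'], db['suffix']):
            problems.append('database %d: rootpw can only be set when rootdn is under suffix '
                            '(rootdn %s, suffix %s)' % (n, db['rootdn'], db['suffix']))
    return problems


def usable_bind_dn(bind_dn, rootdn, existing_entries=()):
    """Simple-bind feasibility against a fresh directory: the rootdn is a
    virtual identity that always works; any other DN must already exist as an
    entry (and, not checked here, carry a userPassword)."""
    if same_dn(bind_dn, rootdn):
        return True
    return any(same_dn(bind_dn, e) for e in existing_entries)


# Constructed samples modelled on the thread's broken and corrected lines;
# the rootpw value is a placeholder, not the poster's hash.
BROKEN_CONF = """\
database        bdb
suffix          dc=rahim-dale,dc=org
rootdn          cn=admin,dc=toronto,dc=ontario,dc=ca
rootpw          placeholder
"""
FIXED_CONF = BROKEN_CONF.replace('cn=admin,dc=toronto,dc=ontario,dc=ca',
                                 'cn=admin,dc=rahim-dale,dc=org')

if __name__ == '__main__':
    for name, conf in (('broken', BROKEN_CONF), ('fixed', FIXED_CONF)):
        print(name + ':', check_config(conf) or 'ok')
    # The two DNs tried with ldapsearch above, against an empty tree.
    for dn in ('cn=admin,dc=family,dc=rahim-dale,dc=org', 'cn=admin,dc=rahim-dale,dc=org'):
        ok = usable_bind_dn(dn, 'cn=admin,dc=rahim-dale,dc=org')
        print(dn + ':', 'bind can succeed' if ok else 'bind fails (no such entry)')
```

The same comparison is what the two ldapsearch commands above exercise against a live server: the DN that is not the rootdn and has no entry gets "Invalid credentials", while the rootdn binds and then reports "No such object" because the base entry has not been created yet.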
Re: [Samba] Samba LDAP rootpw error
Sorry Matt, I've got it going now, at least to the point of getting smbldap-populate to work. The next issue is smbpasswd -a root. It's not working. Also, I've installed phpldapadmin and can't get it to connect either. The issue now seems to be a TLS connection between Samba and LDAP. I didn't think I was using one, but LDAP seems to think otherwise. For example, both phpldapadmin and smbldap-usermod -J Administrator complain about TLS connections to the LDAP server. I've been looking at the idealx.org instructions for TLS with LDAP but still not getting it working.

---

Further to the above: trying to get TLS working is a pain. I've also had only slightly better luck with trying not to use it. When I don't use it, I can get ldapsearch to return a result. However, Samba doesn't seem to want to talk to it. When I try to get TLS running, I get TLS errors everywhere. :( Right now I've got it configured, I believe, to not use TLS. When I run smbpasswd, I get:

semper:/etc/smbldap-tools# smbpasswd -a root
fetch_ldap_pw: neither ldap secret retrieved!
ldap_connect_system: Failed to retrieve password from secrets.tdb
Connection to LDAP server failed for the 1 try!

I've attached my various .conf files again. Sorry to be such a pain, but I am not having any luck by myself.

access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPWDMustChange
        by dn=cn=admin,dc=rahim-dale,dc=org write
        by anonymous auth
        by self write
        by * none
access to attrs=loginShell
        by dn=cn=admin,dc=rahim-dale,dc=org write
        by * none
access to attrs=description,telephoneNumber,roomNumber,homePhone,gecos,cn,sn,givenname
        by dn=cn=admin,dc=rahim-dale,dc=org write
        by self write
        by * read

# Allow LDAPv2 binds
# allow bind_v2

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
###
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.args

# Read slapd.conf(5) for possible values
loglevel        0

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

TLSCACertificateFile    /etc/ldap/ssl/ldap-server.pem
TLSCertificateFile      /etc/ldap/ssl/ldap-server.pem
TLSCertificateKeyFile   /etc/ldap/ssl/ldap-server.pem

###
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb
checkpoint      512 30

###
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend        other

###
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          dc=rahim-dale,dc=org
rootdn          cn=admin,dc=rahim-dale,dc=org
rootpw          {MD5}hdduy/+JqjCnJjCWiKOGBQ==

# Where the database files are physically stored for database #1
directory       /var/lib/ldap

# Indexing options for database #1
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,eq,sub
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
# default index
index default eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword
        by dn=cn=admin,dc=rahim-dale,dc=org write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you
Re: [Samba] Samba LDAP rootpw error
Sorry Matt, I've got it going now, at least to the point of getting smbldap-populate to work. The next issue is smbpasswd -a root. It's not working. Also, I've installed phpldapadmin and can't get it to connect either. The issue now seems to be a TLS connection between Samba and LDAP. I didn't think I was using one, but LDAP seems to think otherwise. For example, both phpldapadmin and smbldap-usermod -J Administrator complain about TLS connections to the LDAP server. I've been looking at the idealx.org instructions for TLS with LDAP but still not getting it working.

---

Further to the above: trying to get TLS working is a pain. I've also had only slightly better luck with trying not to use it. When I don't use it, I can get ldapsearch to return a result. However, Samba doesn't seem to want to talk to it. When I try to get TLS running, I get TLS errors everywhere. :( Right now I've got it configured, I believe, to not use TLS. When I run smbpasswd, I get:

semper:/etc/smbldap-tools# smbpasswd -a root
fetch_ldap_pw: neither ldap secret retrieved!
ldap_connect_system: Failed to retrieve password from secrets.tdb
Connection to LDAP server failed for the 1 try!

:) Glad it's working. Hehe, er:

ldap_connect_system: Failed to retrieve password from secrets.tdb

From the http://samba.idealx.org/smbldap-tools.en.html doc:

... don't forget to also set the samba account password in the secrets.tdb file:
smbpasswd -w samba
...

From man smbpasswd:

-w password
    This parameter is only available if Samba has been compiled with LDAP support. The -w switch is used to specify the password to be used with the ldap admin dn. Note that the password is stored in the secrets.tdb and is keyed off of the admin's DN. This means that if the value of ldap admin dn ever changes, the password will need to be manually updated as well.

HTH, Matt.

I've attached my various .conf files again. Sorry to be such a pain, but I am not having any luck by myself.
- BTW - Here's the results of an ldapsearch:

semper:/var/lib/ldap# smbldap-populate -a Administrator -b nobody -
semper:/var/lib/ldap# ldapsearch -D cn=admin,dc=rahim-dale,dc=org -b dc=rahim-dale,dc=org -h 127.0.0.1 -x -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base dc=rahim-dale,dc=org with scope sub
# filter: (objectclass=*)
# requesting:
#

# rahim-dale.org
dn: dc=rahim-dale,dc=org
# admin, rahim-dale.org
dn: cn=admin,dc=rahim-dale,dc=org
# Users, rahim-dale.org
dn: ou=Users,dc=rahim-dale,dc=org
# Groups, rahim-dale.org
dn: ou=Groups,dc=rahim-dale,dc=org
# Computers, rahim-dale.org
dn: ou=Computers,dc=rahim-dale,dc=org
# Idmap, rahim-dale.org
dn: ou=Idmap,dc=rahim-dale,dc=org
# rahim-dale, rahim-dale.org
dn: sambaDomainName=rahim-dale,dc=rahim-dale,dc=org
# Administrator, Users, rahim-dale.org
dn: uid=Administrator,ou=Users,dc=rahim-dale,dc=org
# nobody, Users, rahim-dale.org
dn: uid=nobody,ou=Users,dc=rahim-dale,dc=org
# Domain Admins, Groups, rahim-dale.org
dn: cn=Domain Admins,ou=Groups,dc=rahim-dale,dc=org
# Domain Users, Groups, rahim-dale.org
dn: cn=Domain Users,ou=Groups,dc=rahim-dale,dc=org
# Domain Guests, Groups, rahim-dale.org
dn: cn=Domain Guests,ou=Groups,dc=rahim-dale,dc=org
# Domain Computers, Groups, rahim-dale.org
dn: cn=Domain Computers,ou=Groups,dc=rahim-dale,dc=org
# Administrators, Groups, rahim-dale.org
dn: cn=Administrators,ou=Groups,dc=rahim-dale,dc=org
# Print Operators, Groups, rahim-dale.org
dn: cn=Print Operators,ou=Groups,dc=rahim-dale,dc=org
# Backup Operators, Groups, rahim-dale.org
dn: cn=Backup Operators,ou=Groups,dc=rahim-dale,dc=org
# Replicators, Groups, rahim-dale.org
dn: cn=Replicators,ou=Groups,dc=rahim-dale,dc=org

# search result
search: 2
result: 0 Success

# numResponses: 18
# numEntries: 17

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba LDAP rootpw error
Matt Richards wrote:

:) Glad it's working. Hehe, er:

ldap_connect_system: Failed to retrieve password from secrets.tdb

From the http://samba.idealx.org/smbldap-tools.en.html doc:

... don't forget to also set the samba account password in the secrets.tdb file:
smbpasswd -w samba
...

From man smbpasswd:

-w password
    This parameter is only available if Samba has been compiled with LDAP support. The -w switch is used to specify the password to be used with the ldap admin dn. Note that the password is stored in the secrets.tdb and is keyed off of the admin's DN. This means that if the value of ldap admin dn ever changes, the password will need to be manually updated as well.

HTH, Matt.

I found section 8.2 in the text about changing the administrative account. I followed the directions to change it from admin to samba (the samba-access.conf file is now a lot larger) and I now seem to have some kind of connection. However, when I try smbpasswd -a root, I get errors:

semper:/var/lib/ldap# smbpasswd -a root
New SMB password:
Retype new SMB password:
ldapsam_modify_entry: Failed to add user dn= uid=root,ou=Users,dc=rahim-dale,dc=org with: Insufficient access
        no write access to parent
ldapsam_add_sam_account: failed to modify/add user with uid = root (dn = uid=root,ou=Users,dc=rahim-dale,dc=org)
Failed to add entry for user root.
Failed to modify password entry for user root
Re: [Samba] Samba LDAP rootpw error
Further to my previous message:

I've gone over section 8.1 of http://samba.idealx.org/smbldap-tools.en.html, which shows some working .conf files, and put back a few things the way I'd previously had them. The main difference is that the example files use Manager while I use admin. I've kept samba in smb.conf however. Because there is now a samba user in the LDAP database, this seems to work now. However, I still can't do smbpasswd -a root. I'm still getting:

semper:/etc/ldap# smbpasswd -a root
New SMB password:
Retype new SMB password:
ldapsam_modify_entry: Failed to add user dn= uid=root,ou=Users,dc=rahim-dale,dc=org with: Insufficient access
        no write access to parent
ldapsam_add_sam_account: failed to modify/add user with uid = root (dn = uid=root,ou=Users,dc=rahim-dale,dc=org)
Failed to add entry for user root.
Failed to modify password entry for user root

I have a samba-access.conf file that is included in slapd.conf that combines the 8.2 samba uid stuff with a shorter list from the original howto I was following. I've attached it in case it helps.
An ldap search gives the following results:

semper:/etc/ldap# ldapsearch -D cn=admin,dc=rahim-dale,dc=org -b dc=rahim-dale,dc=org -h 127.0.0.1 -x -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base dc=rahim-dale,dc=org with scope sub
# filter: (objectclass=*)
# requesting:
#

# rahim-dale.org
dn: dc=rahim-dale,dc=org

# admin, rahim-dale.org
dn: cn=admin,dc=rahim-dale,dc=org

# Users, rahim-dale.org
dn: ou=Users,dc=rahim-dale,dc=org

# Groups, rahim-dale.org
dn: ou=Groups,dc=rahim-dale,dc=org

# Computers, rahim-dale.org
dn: ou=Computers,dc=rahim-dale,dc=org

# Idmap, rahim-dale.org
dn: ou=Idmap,dc=rahim-dale,dc=org

# rahim-dale, rahim-dale.org
dn: sambaDomainName=rahim-dale,dc=rahim-dale,dc=org

# Administrator, Users, rahim-dale.org
dn: uid=Administrator,ou=Users,dc=rahim-dale,dc=org

# nobody, Users, rahim-dale.org
dn: uid=nobody,ou=Users,dc=rahim-dale,dc=org

# Domain Admins, Groups, rahim-dale.org
dn: cn=Domain Admins,ou=Groups,dc=rahim-dale,dc=org

# Domain Users, Groups, rahim-dale.org
dn: cn=Domain Users,ou=Groups,dc=rahim-dale,dc=org

# Domain Guests, Groups, rahim-dale.org
dn: cn=Domain Guests,ou=Groups,dc=rahim-dale,dc=org

# Domain Computers, Groups, rahim-dale.org
dn: cn=Domain Computers,ou=Groups,dc=rahim-dale,dc=org

# Administrators, Groups, rahim-dale.org
dn: cn=Administrators,ou=Groups,dc=rahim-dale,dc=org

# Print Operators, Groups, rahim-dale.org
dn: cn=Print Operators,ou=Groups,dc=rahim-dale,dc=org

# Backup Operators, Groups, rahim-dale.org
dn: cn=Backup Operators,ou=Groups,dc=rahim-dale,dc=org

# Replicators, Groups, rahim-dale.org
dn: cn=Replicators,ou=Groups,dc=rahim-dale,dc=org

# samba, Users, rahim-dale.org
dn: uid=samba,ou=Users,dc=rahim-dale,dc=org

# search result
search: 2
result: 0 Success

# numResponses: 19
# numEntries: 18

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn=uid=samba,ou=Users,dc=rahim-dale,dc=org write
        by self write
        by anonymous auth
        by * none

# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
        by dn=uid=samba,ou=Users,dc=rahim-dale,dc=org write
        by * read

# some attributes can be writable by users themselves
access to attrs=description,telephoneNumber
        by dn=uid=samba,ou=Users,dc=rahim-dale,dc=org write
        by self write
        by * read

# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
        by dn=uid=samba,ou=Users,dc=rahim-dale,dc=org write
        by self read
        by * none

# samba needs to be able to create the samba domain account
access to dn.base=dc=rahim-dale,dc=org
        by dn=uid=samba,ou=Users,dc=rahim-dale,dc=org write
        by * none

# samba needs to be able to create new user accounts
access to dn=ou=Users,dc=rahim-dale,dc=org
        by dn=uid=samba,ou=Users,dc=rahim-dale,dc=org write
        by * none

# samba needs to be able to create new group accounts
access to dn=ou=Groups,dc=rahim-dale,dc=org
        by dn=uid=samba,ou=Users,dc=rahim-dale,dc=org write
        by * none

# samba needs to be able to create new computer accounts
access to dn=ou=Computers,dc=rahim-dale,dc=org
        by dn=uid=samba,ou=Users,dc=rahim-dale,dc=org write
        by * none

# this can be omitted but we leave it: there could be other branches
# in the directory
access to *
        by self read
        by * none

access to
Re: [Samba] Samba LDAP rootpw error
Matt Richards wrote:

I was following the howto below (originally posted on this list as BIG Samba howto for debian only.) to see if I could get my not-quite-working Samba 3.0.14a (debian) server fully working and able to handle my Linux logins too.

The problem I'm having with my Samba setup is that I can't change user passwords except through Swat. Users can't change them from their machines using the Windows password change - but they are notified to change them when they expire.

Anyway, my attempts to follow the howto hit a roadblock at 3 LDAP Server configuration. Neither slapindex nor slapd will run. It looks like it doesn't like something about my root password, but I'm not sure what it wants (I'm no expert on LDAP). :)

Slapindex complains bad configuration file. Slapd gives the more detailed:

line 65 (rootpw ***)
/etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is under suffix

I've attached my slapd.conf file if that is of any assistance. Any help will be greatly appreciated.

Louis van Belle wrote:
[..snip..]

humm well looking at the config file the first thing that i notice is this ...

# The base of your directory in database #1
suffix          dc=rahim-dale,dc=org
rootdn          cn=admin,dc=toronto,dc=ontario,dc=ca

your root dn isn't in the base of your ldap tree, this should probably be something like ...

suffix          dc=rahim-dale,dc=org
rootdn          cn=admin,dc=rahim-dale,dc=org

try it n let us know what happens :).

HTH
Matt.

You got it in one! I've got slapd running.

Now I'm stuck at 5.4 set the samba ldap admin password. I can set the admin password and get the expected response, but when I try smbldap-populate -a Administrator -b nobody -u 2000 -g 2000, it fails to add the various groups. I get

failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 460, <GEN1> line 3.

for each ou=groupname it tries to add. Any ideas?
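The two slapd checks this thread turns on, modelled as an added Python example (not code from the thread, from OpenLDAP or from Samba): the rootdn-under-suffix rule behind the slapd.conf error quoted above, and the "no write access to parent" refusal from the earlier smbpasswd -a root messages. The ACL evaluator is a simplified model of slapd.access(5): dn= and dn.base= targets and by dn= subjects are matched exactly, attrs= rules are ignored for the parent check, and, as in slapd, the first matching access rule decides and a matched rule whose by clauses all miss denies. The sample ACL lines are taken from the samba-access.conf posted earlier in the thread with the attribute lists shortened; uid=garydale is a constructed, unprivileged bind DN.

```python
import re

# Added example (not code from the thread or from OpenLDAP): a model of
# two slapd checks.  DNs are those posted in the thread or constructed here.


def parse_dn(dn):
    """Split a DN into normalised (type, value) RDN tuples for comparison:
    types and values lower-cased, whitespace trimmed; an escaped comma does not split."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.partition('=')
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def same_dn(a, b):
    return parse_dn(a) == parse_dn(b)


def is_under(dn, suffix):
    """True if dn is suffix itself or lies beneath it (RDNs compared from the right)."""
    d, s = parse_dn(dn), parse_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def parent_dn(dn):
    """dn with its leftmost RDN removed, otherwise as given."""
    return ','.join(p.strip() for p in re.split(r'(?<!\\),', dn)[1:])


def check_rootdn(suffix, rootdn, rootpw_set=True):
    """The slapd.conf check from the thread: None if acceptable, else slapd's message."""
    if rootpw_set and not is_under(rootdn, suffix):
        return 'rootpw can only be set when rootdn is under suffix'
    return None


def parse_acl(line):
    """Parse 'access to <what> by <who> <level> ...' for the forms in the posted
    samba-access.conf: what = '*' | 'dn=<dn>' | 'dn.base=<dn>' | 'attrs=<list>';
    who = '*' | 'self' | 'anonymous' | 'dn=<dn>'.  Simplification: 'dn=' and
    'dn.base=' are both treated as an exact match on the target DN."""
    m = re.match(r'^access to (\S+)(.*)$', line.strip())
    if not m:
        raise ValueError(f'not an access line: {line!r}')
    what, rest = m.groups()
    if what == '*':
        kind, value = 'any', None
    elif what.startswith('attrs='):
        kind, value = 'attrs', what[6:].split(',')
    elif what.startswith('dn.base='):
        kind, value = 'dn', what[8:]
    elif what.startswith('dn='):
        kind, value = 'dn', what[3:]
    else:
        raise ValueError(f'unsupported target: {what}')
    by = [tuple(c.strip().rsplit(None, 1)) for c in rest.split(' by ')[1:]]
    return {'kind': kind, 'value': value, 'by': by}


def access_on_parent(bind_dn, new_dn, acls, rootdn=None):
    """Access level bind_dn gets on the parent of new_dn.  An LDAP add needs
    'write' there; anything less is slapd's 'no write access to parent'.
    The rootdn bypasses the ACLs (the 'virtual account' the thread mentions)."""
    if rootdn is not None and same_dn(bind_dn, rootdn):
        return 'write'
    parent = parent_dn(new_dn)
    for acl in acls:
        if acl['kind'] == 'attrs':
            continue  # attribute rules do not decide who may add a child entry
        if acl['kind'] == 'dn' and not same_dn(acl['value'], parent):
            continue
        for who, level in acl['by']:
            if (who == '*'
                    or (who == 'self' and same_dn(bind_dn, parent))
                    or (who == 'anonymous' and not bind_dn)
                    or (who.startswith('dn=') and same_dn(who[3:], bind_dn))):
                return level
        return 'none'  # rule matched the target but no 'by' clause matched
    return 'none'


SUFFIX = 'dc=rahim-dale,dc=org'
SAMBA_DN = 'uid=samba,ou=Users,dc=rahim-dale,dc=org'

# Constructed sample: lines from the samba-access.conf posted in the thread,
# attribute lists shortened.
SAMPLE_ACLS = [parse_acl(line) for line in (
    'access to attrs=userPassword,sambaNTPassword,sambaLMPassword'
    f' by dn={SAMBA_DN} write by self write by anonymous auth by * none',
    f'access to dn.base={SUFFIX} by dn={SAMBA_DN} write by * none',
    f'access to dn=ou=Users,{SUFFIX} by dn={SAMBA_DN} write by * none',
    'access to * by self read by * none',
)]

if __name__ == '__main__':
    for rootdn in ('cn=admin,dc=toronto,dc=ontario,dc=ca', 'cn=admin,dc=rahim-dale,dc=org'):
        print(rootdn, '->', check_rootdn(SUFFIX, rootdn))
    new = 'uid=root,ou=Users,dc=rahim-dale,dc=org'
    # uid=garydale is a constructed, non-privileged bind DN
    for bind in (SAMBA_DN, 'uid=garydale,ou=Users,dc=rahim-dale,dc=org'):
        print(bind, '->', access_on_parent(bind, new, SAMPLE_ACLS))
```

Run as a script, it reports the slapd message for the dc=toronto rootdn and None for the corrected one, then 'write' for uid=samba and 'none' for the constructed bind DN on an add under ou=Users. The second result is the situation behind "no write access to parent": the ACL grants write on ou=Users only to the DN named in the by clause, so Samba's ldap admin dn has to be that DN (or the rootdn, which bypasses the ACLs) for smbpasswd -a to succeed.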
Re: [Samba] Samba LDAP rootpw error
the smbldap-populate script requires authentication to the ldap server; there is probably a problem with the login you have set in smbldap.conf .. if you have set any at all! i would recommend looking through the smbldap-tools howto at http://samba.idealx.org/smbldap-tools.en.html and see if there is anything you have missed out, but the first thing i would try is this ..

...
3 Configuring the smbldap-tools

As mentioned in the previous section, you'll have to update two configuration files. The first (smbldap.conf) allows you to set global parameters that are readable by everybody, and the second (smbldap_bind.conf) defines two administrative accounts to bind to a slave and a master ldap server: this file must thus be readable only by root. A script named configure.pl can help you to set their contents up. It is located in the tarball downloaded or in the documentation directory if you got the RPM archive (see /usr/share/doc/smbldap-tools/). Just invoke it:

/usr/share/doc/smbldap-tools/configure.pl
...

note : the smbldap-tools dir might not be located in your /usr/share/doc/ directory.

if this doesn't work you could attach your smbldap config file (with the passwd taken out of course) so we can have a little look.

Matt.
Re: [Samba] Samba LDAP rootpw error
Matt Richards wrote:
[..snip..]

I can't see anything wrong with my setup but even when I tweak the settings a little, I get the same result. Here are: smbldap.conf, smbldap_bind.conf (with passwords removed) and the smb.conf I'm using for ldap (renamed right now because I'm keeping my old setup available until I get this working).

One issue is my password does have an apostrophe and a period in it. It shouldn't be an issue because the bind file has them in quotes. I've also tried them escaped (\) but that didn't change anything.
# Global parameters
[global]
        workgroup = RAHIM-DALE
        netbios name = SEMPER
        #interfaces = 192.168.5.11
        username map = /etc/samba/smbusers
        enable privileges = yes
        server string = %h PDC (Samba %v)
        security = user
        encrypt passwords = Yes
        min passwd length = 5
        obey pam restrictions = No
        ldap passwd sync = Yes
        #unix password sync = Yes
        #passwd program = /usr/sbin/smbldap-passwd -u %u
        #passwd chat = Changing password for*\nNew password* %n\n *Retype new password* %n\n
        ldap passwd sync = Yes
        log level = 0
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 10
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        mangling method = hash2
        Dos charset = 850
        Unix charset = ISO8859-1
        admin users = garydale, root
        hosts allow = 192.168.2.
        logon script = scripts\logon.bat
        logon path = \\%L\Profiles\%U
        logon drive = M:
        logon home = \\%L\%U
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
Re: [Samba] Samba LDAP rootpw error
Matt Richards wrote:
[..snip..]

ok i have looked over everything and the only thing i can see at this moment is this ...
in your smbldap_bind.conf file you aren't using a bind dn of cn=admin,dc=family,dc=rahim-dale,dc=org for authentication against the ldap server, but the line in the config i gave you before was

rootdn          cn=admin,dc=rahim-dale,dc=org

... when you first set up ldap no accounts exist in the ldap database. the rootdn account is like a virtual account that will always have full access, and because of this (and i'm guessing your ldap tree is blank) you will only be able to use the rootdn to bind at this time.

there are a few lines you can try to attempt to bind to the ldap server ...

ldapsearch -D cn=admin,dc=family,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W
ldapsearch -D cn=admin,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W

the first is the bind dn in your smbldap_bind.conf and the second is using the rootdn from the other email. as your ldap tree is blank you won't get much output, but one should fail with a bind error and the other should say something like no such object.

HTH, let me know if they work; will see if i can see anything else that may be wrong.

Matt.
Re: [Samba] Samba LDAP rootpw error
Matt Richards wrote:
[..snip..]

It's
[Samba] Samba LDAP rootpw error
I was following the howto below (originally posted on this list as BIG Samba howto for debian only.) to see if I could get my not-quite-working Samba 3.0.14a (debian) server fully working and able to handle my Linux logins too.

The problem I'm having with my Samba setup is that I can't change user passwords except through Swat. Users can't change them from their machines using the Windows password change - but they are notified to change them when they expire.

Anyway, my attempts to follow the howto hit a roadblock at 3 LDAP Server configuration. Neither slapindex nor slapd will run. It looks like it doesn't like something about my root password, but I'm not sure what it wants (I'm no expert on LDAP). :)

Slapindex complains bad configuration file. Slapd gives the more detailed:

line 65 (rootpw ***)
/etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is under suffix

I've attached my slapd.conf file if that is of any assistance. Any help will be greatly appreciated.

Louis van Belle wrote:

Hi everybody,

I made a pretty complete howto for samba on debian servers. This howto covers samba + ldap + cups + recycle bin + samba-vscan + phpldapadmin + ACL + Extended Attributes. This howto is also based on the idealx howto. If you do this setup, you should be able to use the NT4 Usermanager, set up Point and Print printing, set rights from explorer etc. Another nice tool is ldapadmin ( ldapadmin.sf.net ), a must, check it out.

We will use a Debian Sarge as setup. If you never used Debian before, you can follow this how-to (http://www.howtoforge.com/perfect_setup_debian_sarge ); please read the comments below the pages first, this can save you time and problems. Or install Debian without any software packages; we will install them later when needed. Check the kernel or compile your own kernel if needed.

I try to give a complete solution for this how-to, because lots of people were asking the same things on the samba list and lots of people make the same mistakes. This is my company's running setup. I run this on a P866, 512 Ram, SCSI Raid 1 ( 15rpms 73 Gb ), with 50 users and 25 printers which do about 150.000 prints a month. I thank my company for letting me make this document. Please, if you have improvements or comments, send them to me.

Louis van Belle

INDEX
1 Checking the kernel or compile your own kernel
1.1 Preparing apt configuration
1.2 Preparing the kernel
1.3 setup the /etc/fstab
1.4 final touch, lilo (or grub)
2 Pre-installation of the debian packages
2.1 Samba and Ldap
2.2 basic rights setup for samba
2.3 why this rights setup.
3 LDAP Server configuration
4 installation/configuration libnss, libpam (-ldap)
5 Samba and smbldap-tools Configuration
5.1 smbldap-tools installation/configuration
5.2 setting up samba base config
5.3 Configuring smbldap.conf
5.4 set the samba ldap admin password
5.5 Samba PRIVILEGES Setup
6 CUPS - Printer software
6.1 Setup Cups
6.2 Setup Cups PDF Printer. - Creating a PDF Printer
7 Configuring phpldapadmin
7.1 installation of phpldapadmin ( and apache )
8.0 On-Access virus scanning on samba (samba-clamav)
8.1 Installing ClamAV
8.2 get the sources ( samba samba-vscan )
9.0 Recycle bin on samba
9.1 Recycle bin configuration
Appendix 1 (complex samba-access.conf ) SETUP WITH DSA USERS
Appendix 2 APT
2.1 APT HOWTO
2.2 Files from /etc/apt
2.2.1 /etc/apt/apt.conf
2.2.2 /etc/apt/preferences

1 Checking the kernel or compile your own kernel

1.1 Preparing apt configuration

for this go check out my apt howto. if your apt config is set up right, follow the steps below.

ncurses interface for compiling the kernel:
apt-get install libncurses5-dev

get the kernel source:
apt-get install kernel-source-2.6.8 kernel-package

install the right kernel and activate EXT2/3 + Extended attributes, and set up CIFS kernel support in the kernel.

1.2 Preparing the kernel

apt-get install kernel-source-2.6.8 kernel-package fakeroot libc6-dev libncurses5-dev
cd /usr/src
tar -jxf kernel-source-2.6.8.tar.bz2
ln -s /usr/src/kernel-source-2.6.8 /usr/src/linux
cp /boot/config-2.6.8-2-* /usr/src/linux/.config
cd linux
make menuconfig

- File systems - Ext2/3 + extended options
- also File systems - Miscellaneous filesystems - CramFS
- and File systems - Network File Systems - CIFS support + extended Attributes

now create the kernel and install it.

fakeroot make-kpkg --append-to-version=-mykernel --initrd kernel_image

This creates a file kernel-image-2.6.8.custom.1.0_i386.deb under
Re: [Samba] Samba LDAP rootpw error
[..snip..]

Louis van Belle wrote:
[..snip..]

humm well looking at the config file the first thing that i notice is this ...

# The base of your directory in database #1
suffix          dc=rahim-dale,dc=org
rootdn          cn=admin,dc=toronto,dc=ontario,dc=ca

your root dn isn't in the base of your ldap tree, this should probably be something like ...

suffix          dc=rahim-dale,dc=org
rootdn          cn=admin,dc=rahim-dale,dc=org

try it n let us know what happens :).

HTH
Matt.
Re: [Samba] Samba/LDAP Domains and multiple File Servers
On Wed, 2006-03-22 at 08:43 -0500, Matt Ingram wrote:

Craig White wrote:
--
why fly by the seat of your pants on this when the documentation tells you what you need to know? see http://www.samba.org/samba/docs - the By Example where it discusses PDC's and BDC's and how to manage them

hmm are you referring to the chapter on Making Happy Users? That chapter does not address the scenario I am going for. The sample given is still using home drives that reside on the PDC and mounted on the BDC via NFS; which is not what I'm looking for. What I'm looking for is: site one's users' home drives exclusively running off of BDC1; site 2's users' home drives exclusively running off of BDC2, and so on.

Here's what I've tried: on the BDC's smbldap-tools I've set the smbldap-tools.conf SID to that of the PDC instead of the BDC's SID, while things like the home drive are pointing to the BDC, instead of the PDC. This seems to work, the way I was hoping.. are you aware of any problems having the setup like this?

let's keep this on list please.

doesn't sound remotely like the samba documentation describes it and if it works for you - great.

The intent of samba software is that PDC and any/all BDC's have the exact same LDAP data - at least as far as all Samba user/group/computer attributes are concerned and a BDC would have its own SID, not the same SID as the PDC. That would track the methodology of a Windows NT 4 type DOMAIN.

Since a passdb of LDAP or tdb types actually permits you to have user home drives and profiles set individually, it really isn't much effort to assign these paths individually for users to whichever server you want them to use.

Am I aware of any problems having the setup like you have described yours to be? No - but I tend towards setting things up as they were intended to be done.

Craig
Re: [Samba] Samba/LDAP Domains and multiple File Servers
On Wed, 2006-03-22 at 07:16 -0700, Craig White wrote:
> The intent of samba software is that PDC and any/all BDC's have the exact same LDAP data - at least as far as all Samba user/group/computer attributes are concerned and a BDC would have its own SID, not the same SID as the PDC. That would track the methodology of a Windows NT 4 type DOMAIN.

Sorry to get into the discussion, the previous statement is not clear to me and I would like to make it clear that in an NT4 style domain all the DCs must have the same SID, as the DCs have only the DOMAIN SID, this is different from domain members which have a local machine SID but recognize domain users with the domain SID.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org
Re: [Samba] Samba/LDAP Domains and multiple File Servers
>> hmm are you referring to the chapter on Making Happy Users? That chapter does not address the scenario I am going for. The sample given is still using home drives that reside on the PDC and mounted on the BDC via NFS; which is not what I'm looking for. What I'm looking for is, Site one's users home drives exclusively running off of BDC1; site 2's users home drives exclusively running off of BDC2, and so on.
>>
>> Here's what I've tried: on the BDC's smbldap-tools I've set the smbldap-tools.conf SID to that of the PDC instead of the BDC's SID, while things like the home drive are pointing to the BDC, instead of the PDC. This seems to work, the way I was hoping.. are you aware of any problems having the setup like this?
>
> let's keep this on list please.
>
> doesn't sound remotely like the samba documentation describes it and if it works for you - great. The intent of samba software is that PDC and any/all BDC's have the exact same LDAP data - at least as far as all Samba user/group/computer attributes are concerned and a BDC would have its own SID, not the same SID as the PDC. That would track the methodology of a Windows NT 4 type DOMAIN.

which is what I'm doing. The BDC still does have its own SID and it uses the exact same ldap data as the PDC. It's just in the /etc/smbldap-tools/smbldap.conf file on the BDC, I set the SID to use that of the PDC. When I had the SID set to the BDC (in the smbldap.conf), logons didn't work when an account was generated with the smbldap-useradd on the BDC. I'm assuming the SID of a user on the domain has to have the SID prefix of the PDC, not any other server on the domain.

> Since a passdb of LDAP or tdb types actually permit you to have user home drives and profiles set individually, it really isn't much effort to assign these paths individually for users to whichever server you want them to use.

you're right, it isn't much effort to modify the home drives of users on different servers. But being able to use the smbldap-tools to do all of that for you, is a smoother solution, imo - assuming there are no issues in doing it.

> Am I aware of any problems having the setup like you have described yours to be? No - but I tend towards setting things up as they were intended to be done.

I don't think I'm doing anything that strange here.. I've just added the smbldap-tools to the BDC as well, and modified the smbldap.conf file so that it will create users' home drives and ldap settings to use a home drive on the BDC. If I am doing something strange here, in a way samba is not intended to be used, please point it out to me. I don't want to shoot myself in the foot later on ;).

Thanks greatly for your help.

Matt

--
Matt Ingram
Intermediate Unix Administrator, IS
Canadian Bank Note Company, Limited
\m/
Re: [Samba] Samba/LDAP Domains and multiple File Servers
if I run # net getdomainsid I get this:

PDC (hostname home):
  SID for domain HOME is: S-1-5-21-3186883984-1813041273-1898769360
  SID for domain MYDOMAIN is: S-1-5-21-3186883984-1813041273-1898769360

BDC:
  SID for domain BDC is: S-1-5-21-1908730498-1878741769-688260909
  SID for domain MYDOMAIN is: S-1-5-21-3186883984-1813041273-1898769360

Simo, are you saying that my BDC should have the SID of S-1-5-21-3186883984-1813041273-1898769360 ?

Thanks,
Matt

simo wrote:
> On Wed, 2006-03-22 at 07:16 -0700, Craig White wrote:
>> The intent of samba software is that PDC and any/all BDC's have the exact same LDAP data - at least as far as all Samba user/group/computer attributes are concerned and a BDC would have its own SID, not the same SID as the PDC. That would track the methodology of a Windows NT 4 type DOMAIN.
>
> Sorry to get into the discussion, the previous statement is not clear to me and I would like to make it clear that in an NT4 style domain all the DCs must have the same SID, as the DCs have only the DOMAIN SID, this is different from domain members which have a local machine SID but recognize domain users with the domain SID.
>
> Simo.

--
Matt Ingram
Intermediate Unix Administrator, IS
Canadian Bank Note Company, Limited
\m/
Re: [Samba] Samba/LDAP Domains and multiple File Servers
On Wed, 2006-03-22 at 10:01 -0500, Matt Ingram wrote:
>>> hmm are you referring to the chapter on Making Happy Users? That chapter does not address the scenario I am going for. The sample given is still using home drives that reside on the PDC and mounted on the BDC via NFS; which is not what I'm looking for. What I'm looking for is, Site one's users home drives exclusively running off of BDC1; site 2's users home drives exclusively running off of BDC2, and so on.
>>>
>>> Here's what I've tried: on the BDC's smbldap-tools I've set the smbldap-tools.conf SID to that of the PDC instead of the BDC's SID, while things like the home drive are pointing to the BDC, instead of the PDC. This seems to work, the way I was hoping.. are you aware of any problems having the setup like this?
>>
>> let's keep this on list please.
>>
>> doesn't sound remotely like the samba documentation describes it and if it works for you - great. The intent of samba software is that PDC and any/all BDC's have the exact same LDAP data - at least as far as all Samba user/group/computer attributes are concerned and a BDC would have its own SID, not the same SID as the PDC. That would track the methodology of a Windows NT 4 type DOMAIN.
>
> which is what I'm doing. The BDC still does have its own SID and it uses the exact same ldap data as the PDC. It's just in the /etc/smbldap-tools/smbldap.conf file on the BDC, I set the SID to use that of the PDC. When I had the SID set to the BDC (in the smbldap.conf), logons didn't work when an account was generated with the smbldap-useradd on the BDC. I'm assuming the SID of a user on the domain has to have the SID prefix of the PDC, not any other server on the domain.
>
>> Since a passdb of LDAP or tdb types actually permit you to have user home drives and profiles set individually, it really isn't much effort to assign these paths individually for users to whichever server you want them to use.
>
> you're right, it isn't much effort to modify the home drives of users on different servers. But being able to use the smbldap-tools to do all of that for you, is a smoother solution, imo - assuming there are no issues in doing it.
>
>> Am I aware of any problems having the setup like you have described yours to be? No - but I tend towards setting things up as they were intended to be done.
>
> I don't think I'm doing anything that strange here.. I've just added the smbldap-tools to the BDC as well, and modified the smbldap.conf file so that it will create users' home drives and ldap settings to use a home drive on the BDC. If I am doing something strange here, in a way samba is not intended to be used, please point it out to me. I don't want to shoot myself in the foot later on ;).

That sort of makes sense. How are the scripts being accessed on the BDC? Are you running them from command line on each BDC?

I hope that the LDAP referenced in your smb.conf is your 'master' LDAP server and that the changes to the master propagate to the 'slaves' (your BDC) and that may take a few seconds.

Craig
Re: [Samba] Samba/LDAP Domains and multiple File Servers
It should have the same DOMAIN and SID (Simo made me check) ;-)

Craig

On Wed, 2006-03-22 at 10:07 -0500, Matt Ingram wrote:
> if I run # net getdomainsid I get this:
>
> PDC (hostname home):
>   SID for domain HOME is: S-1-5-21-3186883984-1813041273-1898769360
>   SID for domain MYDOMAIN is: S-1-5-21-3186883984-1813041273-1898769360
>
> BDC:
>   SID for domain BDC is: S-1-5-21-1908730498-1878741769-688260909
>   SID for domain MYDOMAIN is: S-1-5-21-3186883984-1813041273-1898769360
>
> Simo, are you saying that my BDC should have the SID of S-1-5-21-3186883984-1813041273-1898769360 ?
>
> Thanks,
> Matt
>
> simo wrote:
>> On Wed, 2006-03-22 at 07:16 -0700, Craig White wrote:
>>> The intent of samba software is that PDC and any/all BDC's have the exact same LDAP data - at least as far as all Samba user/group/computer attributes are concerned and a BDC would have its own SID, not the same SID as the PDC. That would track the methodology of a Windows NT 4 type DOMAIN.
>>
>> Sorry to get into the discussion, the previous statement is not clear to me and I would like to make it clear that in an NT4 style domain all the DCs must have the same SID, as the DCs have only the DOMAIN SID, this is different from domain members which have a local machine SID but recognize domain users with the domain SID.
>>
>> Simo.
Re: [Samba] Samba/LDAP Domains and multiple File Servers
> That sort of makes sense. How are the scripts being accessed on the BDC? Are you running them from command line on each BDC?
>
> I hope that the LDAP referenced in your smb.conf is your 'master' LDAP server and that the changes to the master propagate to the 'slaves' (your BDC) and that may take a few seconds.
>
> Craig

I am just running the scripts from the command line on the BDC (so far just the one BDC).

Our current plan for the domain is:

Building A:
  PDC is a server that will just handle the duties of being a PDC, little to no fileshares. The Master LDAP is running on this server.
  BDCa1 is the primary file server for Building A

Building B:
  BDCb1 is the primary file server for Building B

Building C:
  BDCc1 is the primary file server for Building C

Currently, the BDC I've talked about so far, is just a dummy server for testing. And as of right now, we are not using a Slave LDAP server.

Thanks again, Craig.

--
Matt Ingram
Intermediate Unix Administrator, IS
Canadian Bank Note Company, Limited
\m/
Re: [Samba] Samba/LDAP Domains and multiple File Servers
The only SID that matters on a DC is the domain SID, if they are identical all should be fine, setting the BDC local SID to that of the domain does not harm anyway.

Simo.

On Wed, 2006-03-22 at 10:07 -0500, Matt Ingram wrote:
> if I run # net getdomainsid I get this:
>
> PDC (hostname home):
>   SID for domain HOME is: S-1-5-21-3186883984-1813041273-1898769360
>   SID for domain MYDOMAIN is: S-1-5-21-3186883984-1813041273-1898769360
>
> BDC:
>   SID for domain BDC is: S-1-5-21-1908730498-1878741769-688260909
>   SID for domain MYDOMAIN is: S-1-5-21-3186883984-1813041273-1898769360
>
> Simo, are you saying that my BDC should have the SID of S-1-5-21-3186883984-1813041273-1898769360 ?
>
> Thanks,
> Matt
>
> simo wrote:
>> On Wed, 2006-03-22 at 07:16 -0700, Craig White wrote:
>>> The intent of samba software is that PDC and any/all BDC's have the exact same LDAP data - at least as far as all Samba user/group/computer attributes are concerned and a BDC would have its own SID, not the same SID as the PDC. That would track the methodology of a Windows NT 4 type DOMAIN.
>>
>> Sorry to get into the discussion, the previous statement is not clear to me and I would like to make it clear that in an NT4 style domain all the DCs must have the same SID, as the DCs have only the DOMAIN SID, this is different from domain members which have a local machine SID but recognize domain users with the domain SID.
>>
>> Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org
[Samba] Samba/LDAP Domains and multiple File Servers
Hi All,

I have a domain setup soon to go into production. We have 3 buildings, each containing a fileserver for that building's users (home drives/share drives). I've been using the smbldap-tools on the PDC, which is all working fine.

Is it possible to join another server to the domain, also using the smbldap-tools, with a different config, that will setup a user's home drive, etc on that server, or will a setup like this need to be done manually?

I have a test BDC that I've been playing with trying to do this, but if I do smbldap-useradd from the BDC the user can't get logged on with an error message "A device attached to the system is not functioning" on the windows client (the account does get setup in ldap). In the smbldap-tools config I used the SID of the BDC, which I'm guessing might be my problem... should I change that to the SID of the PDC?

Also, with a samba/ldap domain setup - how can I allow a user to have shell access on one server on the domain, but not on the other servers on the domain? Can this be done through the domain/ldap, or in this scenario will shell logons have to be managed locally on the individual servers?

Thanks,
Matt.

--
Matt Ingram
Intermediate Unix Administrator, IS
Canadian Bank Note Company, Limited
\m/
Re: [Samba] Samba/LDAP Domains and multiple File Servers
On Tue, 2006-03-21 at 09:26 -0500, Matt Ingram wrote:
> Hi All,
>
> I have a domain setup soon to go into production. We have 3 buildings, each containing a fileserver for that building's users (home drives/share drives). I've been using the smbldap-tools on the PDC, which is all working fine.
>
> Is it possible to join another server to the domain, also using the smbldap-tools, with a different config, that will setup a user's home drive, etc on that server, or will a setup like this need to be done manually?
>
> I have a test BDC that I've been playing with trying to do this, but if I do smbldap-useradd from the BDC the user can't get logged on with an error message "A device attached to the system is not functioning" on the windows client (the account does get setup in ldap). In the smbldap-tools config I used the SID of the BDC, which I'm guessing might be my problem... should I change that to the SID of the PDC?

why fly by the seat of your pants on this when the documentation tells you what you need to know?

see http://www.samba.org/samba/docs - the By Example where it discusses PDC's and BDC's and how to manage them

> Also, with a samba/ldap domain setup - how can I allow a user to have shell access on one server on the domain, but not on the other servers on the domain? Can this be done through the domain/ldap, or in this scenario will shell logons have to be managed locally on the individual servers?

I'm quite certain that is possible but I haven't done it. It is not a samba question at all but working through your LDAP implementation as it relates to the posix structures on each UNIX/Linux system that you offer shell accounts and thus, well out of the scope of this list.

Craig
[Samba] SAMBA - LDAP
Hello,

How do I add a machine account in samba if it is already in the computers branch of the LDAP server? In my case, samba sees the users in the users branch but not the PCs in the computers branch.

Thanks for any help.

Boukari
Re: [Samba] SAMBA+LDAP in a Workgroup
HiHo Tom!

Tom Haerens wrote:
> Hi,
>
> This may be a dumb question (I'm new with this), but is it possible to use SAMBA in combination with LDAP in a Workgroup? All the manuals and examples I can find, are talking about Domains and PDCs.

I've such a setup running here and I'm quite satisfied. We once migrated from NIS to LDAP and later added the Samba scheme to our LDAP server. We are just using simple file- and print services with Samba. We don't use the PDC functionality as, up to now, I don't see an advantage for us - just more administration effort.

Roughly said, the LDAP is just used for user accounts and groups, i.e. passwords and userid/group matching.

There are enough websites that describe such a setup, by the way. Start with these here:
http://www.ofb.net/~jheiss/samba/ldap.shtml
http://www.coe.tamu.edu/cs/Manuals/Samba/Samba-LDAP-HOWTO.html

Markus

--
Senior Executive - Systemadministration
Direct Phone: +49 / 234 9787-57
Direct Fax: +49 / 234 9787-77
Viisage Technology AG
Universitaetsstrasse 160
44801 Bochum
Germany
http://www.viisage.com
RE: [Samba] SAMBA+LDAP in a Workgroup
-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Markus Korth
Sent: 17 March 2006 08:28
To: samba@lists.samba.org
Subject: Re: [Samba] SAMBA+LDAP in a Workgroup

> HiHo Tom!
>
> Tom Haerens wrote:
>> Hi,
>>
>> This may be a dumb question (I'm new with this), but is it possible to use SAMBA in combination with LDAP in a Workgroup? All the manuals and examples I can find, are talking about Domains and PDCs.

LDAP is a heavyweight store for massive amounts of passwords and extended data needed to run 100s or 1000s of PCs.

In a workgroup there is no central password store. In a workgroup each windows client has local users and would never consult a central authentication database so the LDAP would only hold accounts for the local Linux machine/samba users.

This is a Sledgehammer + nut situation. Look at the normal samba database.

Regards
Rob

> I've such a setup running here and I'm quite satisfied. We once migrated from NIS to LDAP and later added the Samba scheme to our LDAP server. We are just using simple file- and print services with Samba. We don't use the PDC functionality as, up to now, I don't see an advantage for us - just more administration effort.
>
> Roughly said, the LDAP is just used for user accounts and groups, i.e. passwords and userid/group matching.
>
> There are enough websites that describe such a setup, by the way. Start with these here:
> http://www.ofb.net/~jheiss/samba/ldap.shtml
> http://www.coe.tamu.edu/cs/Manuals/Samba/Samba-LDAP-HOWTO.html
>
> Markus
>
> --
> Senior Executive - Systemadministration
> Direct Phone: +49 / 234 9787-57
> Direct Fax: +49 / 234 9787-77
> Viisage Technology AG
> Universitaetsstrasse 160
> 44801 Bochum
> Germany
> http://www.viisage.com
[Samba] SAMBA+LDAP in a Workgroup
Hi,

This may be a dumb question (I'm new with this), but is it possible to use SAMBA in combination with LDAP in a Workgroup? All the manuals and examples I can find, are talking about Domains and PDCs.

I have to set up a new Samba server and check out LDAP but I'm not allowed to change the Workgroup settings... Now we use smbpasswd... Is LDAP worth the effort and time?

Kind Regards,
ToHa
RE: [Samba] SAMBA+LDAP in a Workgroup
Tom,

Personally I believe LDAP is an excellent backend database for Samba, especially if you are looking for Single-Sign-On capabilities. PC's do not have to join the Samba Domain in order to still gain domain access, however users will be prompted for username and password when accessing a share for your Samba Domain. One way around this is to use the same username and password for your LDAP database as you do currently for their machine logon accounts.

Also, in order to find samba shares on Samba/LDAP servers with a different domain your current WINS servers should be able to find the new domain and list it within your Network List so you should be able to browse to them. Otherwise you can use DNS.

Good Luck!
James

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Tom Haerens
Sent: Thursday, March 16, 2006 1:00 AM
To: samba@lists.samba.org
Subject: [Samba] SAMBA+LDAP in a Workgroup

> Hi,
>
> This may be a dumb question (I'm new with this), but is it possible to use SAMBA in combination with LDAP in a Workgroup? All the manuals and examples I can find, are talking about Domains and PDCs.
>
> I have to set up a new Samba server and check out LDAP but I'm not allowed to change the Workgroup settings... Now we use smbpasswd... Is LDAP worth the effort and time?
>
> Kind Regards,
> ToHa
Re: [Samba] SAMBA+LDAP in a Workgroup
On Thu, 2006-03-16 at 10:00 +0100, Tom Haerens wrote:
> Hi,
>
> This may be a dumb question (I'm new with this), but is it possible to use SAMBA in combination with LDAP in a Workgroup? All the manuals and examples I can find, are talking about Domains and PDCs.
>
> I have to set up a new Samba server and check out LDAP but I'm not allowed to change the Workgroup settings... Now we use smbpasswd... Is LDAP worth the effort and time?

for maintaining user accounts on one UNIX/Linux system to interface with Samba? Doubtful

for maintaining user accounts on more than one UNIX/Linux system so there is across the board continuity of uid's, gid's, passwords, integration with Samba and other services such as mail...Yes.

The reason that the documentation always uses the Windows Domain model when talking about LDAP is because the Windows Domain model is a basic logical and security structure in any group of Windows computers. That doesn't mean you have to use Samba LDAP in a Windows Domain model...it means that almost all Administrators and Users would prefer to have it integrate into a Windows Domain model because there is less password management, access management, security management in a predictable way and it would only be the rare case for someone to set up LDAP and not integrate it.

Craig
[Samba] Samba LDAP gidNumber=-1 queries?
Greetings, using samba-3.0.20b.

I've been doing some packet traces of Samba's LDAP queries, and I notice that it does a lot of queries on various idmaps for gidnumber=-1 before it performs functions. What happens if this object is present in the directory? Does it disable functionality? It'd be good to know if it provides a system-wide disable feature.

Thanks.
-Justin Grote
[Samba] Samba LDAP SID and Local SID
Hi All,

I am running Samba 3 using a ldap backend, recently I have needed to change the domain of the computers as I am migrating to another server, I have the ldap database and populated the ldap database on the new server, but I am facing a problem with SID's as the SambaSID in the ldap backend is from the old samba server which is different from the current SambaSID (net getlocalsid) but it's not really feasible for me to create all the user accounts again on LDAP.

Can any one advise me on how to get around this? Without changing the SID's I am unable to join the machines to the new domain and get an error "No mapping between account names and security Id's".

thanks in advance,
Pavan.
Re: [Samba] Samba LDAP SID and Local SID
On Tue, 2006-03-07 at 14:34 +1100, Pavan wrote:
> Hi All,
>
> I am running Samba 3 using a ldap backend, recently I have needed to change the domain of the computers as I am migrating to another server, I have the ldap database and populated the ldap database on the new server, but I am facing a problem with SID's as the SambaSID in the ldap backend is from the old samba server which is different from the current SambaSID (net getlocalsid) but it's not really feasible for me to create all the user accounts again on LDAP.
>
> Can any one advise me on how to get around this? Without changing the SID's I am unable to join the machines to the new domain and get an error "No mapping between account names and security Id's".

you could slapcat your DSA to a text file and do a find/replace operation to change the SID's in bulk and of course, you can change the SID for the domain directly in LDAP - simply with net setlocalsid (provided you have idealx-tools properly configured) but it would seem that the thing you aren't saying is that you know of course, if you do that, you will have to rejoin all the machines to the new domain and migrate the user profiles to the new domain too.

You probably need to check out the migration information in Samba-by-Example

Craig
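Two threads above turn on the same rule: every sambaSID stored for an account under a DC must carry the domain SID as its prefix (Matt's logons failed when smbldap-tools on the BDC minted SIDs under the BDC's local SID), and a slapcat dump carried to a new server can have that prefix rewritten in bulk while keeping each RID, as Craig suggests to Pavan. The following Python is an added example, not code from any of the posts or from Samba/smbldap-tools; it runs on a constructed slapcat-style LDIF embedded inline, using the two SIDs Matt posted, and the suffix dc=example,dc=com is an assumption.

```python
"""Audit and bulk-rewrite the domain-SID prefix of Samba SID attributes in a
slapcat-style LDIF dump (added example, not code from the list posts)."""
import re
from typing import List, Optional, Tuple

# Samba attributes whose value is a SID: the sambaDomain entry carries the
# bare domain SID, every account carries domain SID + "-" + RID.
SID_ATTRS = {"sambaSID", "sambaPrimaryGroupSID"}
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# SIDs quoted in the thread: the MYDOMAIN domain SID and the BDC's local SID.
DOMAIN_SID = "S-1-5-21-3186883984-1813041273-1898769360"
BDC_LOCAL_SID = "S-1-5-21-1908730498-1878741769-688260909"

# Constructed sample of what `slapcat` might emit: the domain entry, a user
# created on the PDC, and a user created on the BDC with smbldap.conf still
# pointing at the BDC's local SID. The last value is folded across two lines
# (an LDIF continuation line starts with one space) to exercise unfolding.
SAMPLE_LDIF = """\
dn: sambaDomainName=MYDOMAIN,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: MYDOMAIN
sambaSID: S-1-5-21-3186883984-1813041273-1898769360

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-3186883984-1813041273-1898769360-3002
sambaPrimaryGroupSID: S-1-5-21-3186883984-1813041273-1898769360-513

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-1908730498-1878741769-688260909-3004
sambaPrimaryGroupSID: S-1-5-21-1908730498-1878741769-68826
 0909-513
"""


def unfold(ldif_text: str) -> List[str]:
    """Join LDIF continuation lines (leading single space) onto their line."""
    lines: List[str] = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def split_sid(sid: str) -> Optional[Tuple[str, int]]:
    """(domain prefix, RID) for an account SID; None for a bare domain SID,
    a built-in alias such as S-1-5-32-544, or anything malformed."""
    m = SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else None


def audit(ldif_text: str, domain_sid: str) -> List[Tuple[str, str, str]]:
    """List (dn, attribute, value) for every SID attribute not under domain_sid.
    Base64 values ("attr:: ...") are not decoded; they are reported as well so
    they get looked at by hand."""
    findings: List[Tuple[str, str, str]] = []
    dn = ""
    for line in unfold(ldif_text):
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if attr == "dn":
            dn = value
        elif attr in SID_ATTRS and value != domain_sid:
            parts = split_sid(value)
            if parts is None or parts[0] != domain_sid:
                findings.append((dn, attr, value))
    return findings


def rewrite(ldif_text: str, old_prefix: str, new_prefix: str) -> str:
    """Return the dump with every SID under old_prefix moved to new_prefix,
    keeping each RID. Other lines pass through unchanged (unfolded, which is
    still valid LDIF); base64 SID lines are left alone rather than mangled."""
    out: List[str] = []
    for line in unfold(ldif_text):
        attr, sep, value = line.partition(":")
        if sep and attr in SID_ATTRS and not value.startswith(":"):
            value = value.strip()
            parts = split_sid(value)
            if value == old_prefix:
                value = new_prefix
            elif parts is not None and parts[0] == old_prefix:
                value = f"{new_prefix}-{parts[1]}"
            line = f"{attr}: {value}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for dn, attr, value in audit(SAMPLE_LDIF, DOMAIN_SID):
        print(f"{dn}: {attr} = {value} (not under {DOMAIN_SID})")
    fixed = rewrite(SAMPLE_LDIF, BDC_LOCAL_SID, DOMAIN_SID)
    print("clean after rewrite:", audit(fixed, DOMAIN_SID) == [])
```

Run `audit` over a fresh `slapcat -l` dump before you `slapadd` it on the new server; anything it lists is an account Windows clients will not be able to map to the domain.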
Re: [Samba] Samba LDAP PDC BDC quit working
Hi philip

I have installed ldap 2.3 with samba 3.0.21c and restored back the ldif file, this time also i had to rejoin systems to the domain after having computer accounts in the ldif file (with RID and Object classes intact). i had taken backup of my ldap using the following command: slapcat -l ldiff-filename. can you suggest any other better way of taking backup of ldap so that while restoring i don't have to rejoin systems.

Regards
Niranjan

On 2/23/06, mallapadi niranjan [EMAIL PROTECTED] wrote:
> Hi philip
>
> the samba pdc with openldap 2.2.13, i have lot of troubles, i have compiled samba 3.0.21 when at the first time it was released, i am not sure it's called samba 3.0.21a or something. openldap 2.2.13 (shipped with Redhat Enterprise linux 4) also need to be tweaked for having a good cachesize, checkpoints etc. so i have decided to go with samba 3.0.21b with openldap 2.3.19. see to take backup in ldif and restore it, and check whether it works. as i was told that openldap 2.3.19 has auto recovery in case of unclean shutdowns.
>
> hope this works
>
> Regards
> Niranjan
>
> On 2/22/06, Philip Washington [EMAIL PROTECTED] wrote:
>> mallapadi niranjan wrote:
>>> Hi Philip
>>>
>>> yes, I have the same properties, (for checking i did the rid*2+1000 and object class test), but once the computers are rejoined, it gets a new rid, not the rid which is in the LDIF.
>>>
>>> Regards
>>> Niranjan
>>
>> Okay, then this is something else I don't understand. If the LDAP database is getting corrupted then I can see how this problem could happen. But if the PDC goes down as you describe in scenario-2 then it doesn't make sense that the computers should have to rejoin the domain, unless there is some information which is not being stored in the LDAP database.
>>
>>> On 2/21/06, Philip Washington [EMAIL PROTECTED] wrote:
>>>> mallapadi niranjan wrote:
>>>>> Hi Craig
>>>>>
>>>>> Thanks for replying, The samba PDC gets rebooted because of Power outage, at night times. After the system gets rebooted,
>>>>>
>>>>> Scenario-01
>>>>> 1. Either some times the ldap gets hung, (2.2.13) may be because of inconsistency.
>>>>> 2. since ldap hangs, samba doesn't come up properly.
>>>>> 3. so i run db_recover and try to start the ldap service and then samba
>>>>>
>>>>> Scenario-02
>>>>> if LDAP doesn't hang, and samba comes up nicely, the computer had to rejoin. but in my ldap database, in OU=Computers, all the computer accounts exist, with rid and Object class intact. but some how i don't know why i have to rejoin,
>>>>
>>>> Okay I just want to clarify this. After an unplanned reboot (power outage), your PDC comes back up and you find that some of the computers in your domain need to rejoin the domain?? Do you have recent ldiff or slapcats indicating that most of these computers have the same properties in the LDAP database as before.
>>>>
>>>>> Scenario-03
>>>>> I take the regular backup of LDAP, to LDIF file, and restore with latest LDIF file, even though i don't get the Computer Accounts and also i lose user's passwords, After restoring from LDIF file.
>>>>>
>>>>> Scenario-04
>>>>> If i do safe reboot or shutdown, there's no problem, the server works properly without any problem
>>>>>
>>>>> Regards
>>>>> Niranjan
>>>>>
>>>>> On 2/20/06, Craig White [EMAIL PROTECTED] wrote:
>>>>>> On Mon, 2006-02-20 at 11:55 +0530, mallapadi niranjan wrote:
>>>>>>> Hi all
>>>>>>>
>>>>>>> I too have the same problem, i am also using samba 3.0.21 with openldap version 2.2.13 on Redhat Enterprise Linux 4 enterprise server. if the samba PDC gets rebooted abruptly, some of my clients workstations (Windows 2000 professional) have to rejoin. i was asked to check whether RID of the computer name is correct (uid*2 + 1000), and whether computer names have SambaSAMAccount object class. even though my computer names exist in the database with correct object class and rid, the clients have to be rejoined. this happens only when samba PDC with ldap gets rebooted abruptly. having said that, so i assume that LDAP is unable to maintain consistency when it gets rebooted.
>>>>>>>
>>>>>>> so i had kept DB_CONFIG file in /var/lib/ldap (this is where all bdb files are there) and use db_recover in case of any crash of ldap. But if we take
Re: [Samba] Samba LDAP PDC BDC quit working
mallapadi niranjan wrote:
> Hi Philip,
>
> Yes, I have the same properties (for checking I did the rid*2+1000 and object class test), but once the computers are rejoined, they get a new RID, not the RID which is in the LDIF.
>
> Regards
> Niranjan

Okay, then this is something else I don't understand. If the LDAP database is getting corrupted then I can see how this problem could happen. But if the PDC goes down as you describe in scenario-2 then it doesn't make sense that the computers should have to rejoin the domain, unless there is some information which is not being stored in the LDAP database.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba LDAP PDC BDC quit working
mallapadi niranjan wrote:
> Hi Philip,
>
> Yes, I have the same properties (for checking I did the rid*2+1000 and object class test), but once the computers are rejoined, they get a new RID, not the RID which is in the LDIF.
>
> Regards
> Niranjan

You might check your MS client event logs for this error:

error 3224 Changing machine account password for account COMPUTER$ failed with the following error: A remote procedure call (RPC) protocol error occurred.
Re: [Samba] Samba LDAP PDC BDC quit working
Hi Philip,

With the samba PDC with openldap 2.2.13 I have had a lot of troubles. I had compiled samba 3.0.21 when it was first released; I am not sure whether it's called samba 3.0.21a or something. openldap 2.2.13 (shipped with Red Hat Enterprise Linux 4) also needs to be tweaked to have a good cachesize, checkpoints etc. So I have decided to go with samba 3.0.21b with openldap 2.3.19, see to taking a backup in ldif and restoring it, and check whether it works, as I was told that openldap 2.3.19 has auto recovery in case of unclean shutdowns. Hope this works.

Regards
Niranjan

On 2/22/06, Philip Washington wrote:
> Okay, then this is something else I don't understand. If the LDAP database is getting corrupted then I can see how this problem could happen. But if the PDC goes down as you describe in scenario-2 then it doesn't make sense that the computers should have to rejoin the domain, unless there is some information which is not being stored in the LDAP database.
Re: [Samba] Samba LDAP PDC BDC quit working
mallapadi niranjan wrote:
> Hi Craig,
>
> Thanks for replying. The samba PDC gets rebooted because of power outages at night. After the system gets rebooted:
>
> Scenario-01
> 1. Sometimes the ldap hangs (2.2.13), maybe because of inconsistency.
> 2. Since ldap hangs, samba doesn't come up properly.
> 3. So I run db_recover and try to start the ldap service and then samba.
>
> Scenario-02
> If LDAP doesn't hang and samba comes up nicely, the computers have to rejoin. But in my ldap database, in OU=Computers, all the computer accounts exist, with RID and object class intact. But somehow, I don't know why, I have to rejoin.

Okay, I just want to clarify this. After an unplanned reboot (power outage), your PDC comes back up and you find that some of the computers in your domain need to rejoin the domain?? Do you have recent LDIFs or slapcats indicating that most of these computers have the same properties in the LDAP database as before?

> Scenario-03
> Even though I take a regular backup of LDAP to an LDIF file and restore from the latest LDIF file, I don't get the computer accounts back, and I also lose users' passwords after restoring from the LDIF file.
>
> Scenario-04
> If I do a safe reboot or shutdown, there's no problem; the server works properly without any problem.
>
> Regards
> Niranjan
Re: [Samba] Samba LDAP PDC BDC quit working
mallapadi niranjan wrote:
> Hi all,
>
> I too have the same problem. I am also using samba 3.0.21 with openldap version 2.2.13 on Red Hat Enterprise Linux 4 enterprise server. If the samba PDC gets rebooted abruptly, some of my client workstations (Windows 2000 Professional) have to rejoin. I was asked to check whether the RID of the computer name is correct (uid*2 + 1000) and whether computer names have the SambaSAMAccount object class. Even though my computer names exist in the database with the correct object class and RID, the clients have to be rejoined. This happens only when the samba PDC with ldap gets rebooted abruptly. Having said that, I assume that LDAP is unable to maintain consistency when it gets rebooted, so I had kept a DB_CONFIG file in /var/lib/ldap (this is where all the bdb files are) and use db_recover in case of any crash of ldap. But if we take a backup in an LDIF file and restore it, still my computer accounts are not getting back; I had to rejoin. This is the problem that I am having, but I still could not find the correct solution.
>
> Regards
> Niranjan

Do you have a BDC? If not then this is very interesting information.
Re: [Samba] Samba LDAP PDC BDC quit working
On Mon, 2006-02-20 at 11:55 +0530, mallapadi niranjan wrote:
> Hi all,
>
> I too have the same problem. I am also using samba 3.0.21 with openldap version 2.2.13 on Red Hat Enterprise Linux 4 enterprise server. If the samba PDC gets rebooted abruptly, some of my client workstations (Windows 2000 Professional) have to rejoin. I was asked to check whether the RID of the computer name is correct (uid*2 + 1000) and whether computer names have the SambaSAMAccount object class. Even though my computer names exist in the database with the correct object class and RID, the clients have to be rejoined. This happens only when the samba PDC with ldap gets rebooted abruptly. Having said that, I assume that LDAP is unable to maintain consistency when it gets rebooted, so I had kept a DB_CONFIG file in /var/lib/ldap (this is where all the bdb files are) and use db_recover in case of any crash of ldap. But if we take a backup in an LDIF file and restore it, still my computer accounts are not getting back; I had to rejoin. This is the problem that I am having, but I still could not find the correct solution.

No - as you and he describe it, these are separate problems. Your issue is that the PDC shouldn't get rebooted abruptly, and newer versions of openldap have a script that automatically runs db_recover. This however doesn't come in the version of openldap that ships with RHEL. You might want to set up a cron script that performs a slapcat on a more frequent basis so that if it is necessary to dump the entire LDAP DSA and reload from an ldif, the ldif is much more current and thus you wouldn't have to rejoin many, if any, computers to the domain.

Craig
Re: [Samba] Samba LDAP PDC BDC quit working
Hi Philip,

No, I don't have a BDC.

Regards
Niranjan

On 2/20/06, Philip Washington wrote:
> Do you have a BDC? If not then this is very interesting information.
Re: [Samba] Samba LDAP PDC BDC quit working
Hi Craig,

Thanks for replying. The samba PDC gets rebooted because of power outages at night. After the system gets rebooted:

Scenario-01
1. Sometimes the ldap hangs (2.2.13), maybe because of inconsistency.
2. Since ldap hangs, samba doesn't come up properly.
3. So I run db_recover and try to start the ldap service and then samba.

Scenario-02
If LDAP doesn't hang and samba comes up nicely, the computers have to rejoin. But in my ldap database, in OU=Computers, all the computer accounts exist, with RID and object class intact. But somehow, I don't know why, I have to rejoin.

Scenario-03
Even though I take a regular backup of LDAP to an LDIF file and restore from the latest LDIF file, I don't get the computer accounts back, and I also lose users' passwords after restoring from the LDIF file.

Scenario-04
If I do a safe reboot or shutdown, there's no problem; the server works properly without any problem.

Regards
Niranjan

On 2/20/06, Craig White wrote:
> No - as you and he describe it, these are separate problems. Your issue is that the PDC shouldn't get rebooted abruptly, and newer versions of openldap have a script that automatically runs db_recover. This however doesn't come in the version of openldap that ships with RHEL. You might want to set up a cron script that performs a slapcat on a more frequent basis so that if it is necessary to dump the entire LDAP DSA and reload from an ldif, the ldif is much more current and thus you wouldn't have to rejoin many, if any, computers to the domain.
>
> Craig
Re: [Samba] Samba LDAP PDC BDC quit working
Hi all,

I too have the same problem. I am also using samba 3.0.21 with openldap version 2.2.13 on Red Hat Enterprise Linux 4 enterprise server. If the samba PDC gets rebooted abruptly, some of my client workstations (Windows 2000 Professional) have to rejoin. I was asked to check whether the RID of the computer name is correct (uid*2 + 1000) and whether computer names have the SambaSAMAccount object class. Even though my computer names exist in the database with the correct object class and RID, the clients have to be rejoined. This happens only when the samba PDC with ldap gets rebooted abruptly. Having said that, I assume that LDAP is unable to maintain consistency when it gets rebooted, so I had kept a DB_CONFIG file in /var/lib/ldap (this is where all the bdb files are) and use db_recover in case of any crash of ldap. But if we take a backup in an LDIF file and restore it, still my computer accounts are not getting back; I had to rejoin. This is the problem that I am having, but I still could not find the correct solution.

Regards
Niranjan

On 2/19/06, Philip Washington wrote:
> Craig White wrote:
>> On Sat, 2006-02-18 at 11:11 -0600, Philip Washington wrote:
>>> We have had a Samba LDAP-PDC-BDC system set up for close to 3 months with about 60 computers in the domain. Earlier we had a power outage and about 30 computers were no longer able to log into the domain or authenticate. Some were NT Workstations and some were W2k, but not all NT or W2K workstations were affected.
>>>
>>> If we went to Network Neighborhood we would see the error message "The trust relationship between this workstation and the primary domain failed". When someone tries to log in to these computers then they get the error "The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect."
>>>
>>> We were able to fix the problem on the computers by taking the computers out of the domain and re-entering them into the domain: went into System - Network Identification, put the machine in a workgroup, reboot, go back in and put the machine back into the domain. No manual deletion on the PDC was done. This was all done on the client.
>>>
>>> I reviewed LDAP backups and thus far have not found any discrepancies with the systems' profiles before or after the power outage. The records indicate that there has not been any change in the LDAP information in the last 2 months for the machines which have the problem. Of course once the systems have been re-logged into the domain the SambaNTPassword changes.
>>>
>>> I am currently both baffled and concerned as to how or why this would happen. If anybody could shed more light on what could have happened I would appreciate it. I would also like to know if there is a way to re-add or add a client on the Samba-LDAP-PDC instead of going to each individual client.
>>
>> Probably would be a good idea to figure out how to troubleshoot your setup, as one could only conjecture about what your problem is as you describe it.
>>
>> I do know that there is some faulty logic in your assumptions above, since the workstations will automatically change their password with the passdb approximately once each month, and I am quite certain that this is documented in the samba documentation.
>
> Yep, this does throw a bad domino into the logic. (I wonder if MS will give me my money back for all of those MCSE classes.)
>
> Once I fixed that domino and started looking at the BDC again, I realized that its samba configuration files look identical to the ones on the PDC, with the exception that ldap is pointing to the ldap on the BDC. So it currently looks like the BDC is misconfigured (basically I'm seeing a configuration that deviates quite a bit from what I see in Samba-3 by Example).
>
> I shut down the BDC for now and put the PDC on a UPS (yeah, it should have been on one in the first place, but money is tight and we're operating under "if it ain't broke, don't pay money to fix it"). This should hold us over until the BDC is configured correctly.
>
> Thanks for the enlightenment.
>
>> So in view of your faulty assumption, my guess would be that your PDC/BDC setup in LDAP probably isn't working properly, as there should be evidence in some log somewhere when the workstations change their password and that the password changes propagate from LDAP server to LDAP server, and assuming that you are using something like 'slurpd' to replicate changes in LDAP, there should be evidence of some failures (aka rejects) unless you are allowing changes directly to the 'slave' LDAP server, in which case you have a lot to fix.
>>
>> Craig
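A defender's check for the two machine-account properties the thread keeps returning to (the SambaSAMAccount object class and RID == uid*2 + 1000), plus a comparison of two slapcat dumps to see which machine accounts vanished or changed their sambaNTPassword, as an added example that is not code from the thread, from Samba or from smbldap-tools; the LDIF dumps, DNs, hashes and domain SID are constructed sample data:

```python
import base64
import re
from typing import Dict, List, Tuple

Entries = Dict[str, Dict[str, List[str]]]
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder

# Constructed slapcat dump "before" the outage (not from the thread): ws02 lacks
# sambaSamAccount and ws03's RID breaks the uidNumber*2+1000 rule.
LDIF_BEFORE = """\
dn: uid=ws01$,ou=Computers,dc=example,dc=com
objectClass: sambaSamAccount
uid: ws01$
uidNumber: 1005
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3010
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=ws02$,ou=Computers,dc=example,dc=com
objectClass: posixAccount
uid: ws02$
uidNumber: 1006
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3012

dn: uid=ws03$,ou=Computers,dc=example,dc=com
objectClass: sambaSamAccount
uid: ws03$
uidNumber: 1007
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-9999
sambaNTPassword: FEDCBA9876543210FEDCBA9876543210
"""

# Constructed dump "after": ws01 was rejoined (new hash, written as a folded line,
# plus a base64 attribute to exercise the parser); ws02 and ws03 are gone.
LDIF_AFTER = """\
dn: uid=ws01$,ou=Computers,dc=example,dc=com
objectClass: sambaSamAccount
uid: ws01$
uidNumber: 1005
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3010
sambaNTPassword: AAAAAAAAAAAAAAAA
 BBBBBBBBBBBBBBBB
description:: dGVzdA==
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text: str) -> Entries:
    """Parse slapcat LDIF into {dn: {attr: [values]}}; unfolds lines, decodes '::' base64."""
    entries: Entries = {}
    unfolded = re.sub(r"\n ", "", text)  # a leading space continues the previous line
    for block in unfolded.split("\n\n"):
        attrs: Dict[str, List[str]] = {}
        for line in block.splitlines():
            m = ATTR_RE.match(line)
            if not m:  # blank lines and '#' comments never match
                continue
            name, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            attrs.setdefault(name, []).append(value)
        dn = attrs.pop("dn", [""])[0]
        if dn:
            entries[dn] = attrs
    return entries


def machine_entries(entries: Entries) -> Entries:
    """Only the machine accounts, i.e. entries stored under ou=Computers."""
    return {dn: a for dn, a in entries.items() if "ou=computers" in dn.lower()}


def check_machine_accounts(entries: Entries, domain_sid: str) -> List[Tuple[str, str]]:
    """The two tests from the thread: sambaSamAccount present, RID == uidNumber*2 + 1000."""
    problems: List[Tuple[str, str]] = []
    for dn, attrs in machine_entries(entries).items():
        if "sambasamaccount" not in {c.lower() for c in attrs.get("objectClass", [])}:
            problems.append((dn, "missing sambaSamAccount objectClass"))
        sid, uid_number = attrs.get("sambaSID", [""])[0], attrs.get("uidNumber", [""])[0]
        if not sid.startswith(domain_sid + "-") or not uid_number.isdigit():
            problems.append((dn, "sambaSID/uidNumber missing or SID from another domain"))
            continue
        rid, expected = int(sid.rsplit("-", 1)[1]), int(uid_number) * 2 + 1000
        if rid != expected:
            problems.append((dn, f"RID {rid} != uidNumber*2+1000 ({expected})"))
    return problems


def diff_machine_accounts(before: Entries, after: Entries) -> Dict[str, List[str]]:
    """Machine accounts that vanished, appeared, or changed sambaNTPassword between dumps.
    A changed hash alone is not proof of corruption: workstations rotate it about monthly."""
    b, a = machine_entries(before), machine_entries(after)
    report: Dict[str, List[str]] = {"missing_after": [], "changed_password": []}
    for dn in sorted(b):
        if dn not in a:
            report["missing_after"].append(dn)
        elif b[dn].get("sambaNTPassword") != a[dn].get("sambaNTPassword"):
            report["changed_password"].append(dn)
    report["new_after"] = sorted(dn for dn in a if dn not in b)
    return report
```

Run it against two real slapcat dumps by reading the files into parse_ldif in place of the constructed strings; a machine that is flagged by check_machine_accounts or listed under missing_after is one the PDC can no longer authenticate, whereas changed_password alone may just be the monthly rotation Craig describes.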
[Samba] Samba LDAP PDC BDC quit working
We have had a Samba LDAP-PDC-BDC system set up for close to 3 months with about 60 computers in the domain. Earlier we had a power outage and about 30 computers were no longer able to log into the domain or authenticate. Some were NT Workstations and some were W2k, but not all NT or W2K workstations were affected.

If we went to Network Neighborhood we would see the error message "The trust relationship between this workstation and the primary domain failed". When someone tries to log in to these computers then they get the error "The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect."

We were able to fix the problem on the computers by taking the computers out of the domain and re-entering them into the domain: went into System - Network Identification, put the machine in a workgroup, reboot, go back in and put the machine back into the domain. No manual deletion on the PDC was done. This was all done on the client.

I reviewed LDAP backups and thus far have not found any discrepancies with the systems' profiles before or after the power outage. The records indicate that there has not been any change in the LDAP information in the last 2 months for the machines which have the problem. Of course once the systems have been re-logged into the domain the SambaNTPassword changes.

I am currently both baffled and concerned as to how or why this would happen. If anybody could shed more light on what could have happened I would appreciate it. I would also like to know if there is a way to re-add or add a client on the Samba-LDAP-PDC instead of going to each individual client.
Re: [Samba] Samba LDAP PDC BDC quit working
On Sat, 2006-02-18 at 11:11 -0600, Philip Washington wrote:
> We have had a Samba LDAP-PDC-BDC system set up for close to 3 months with about 60 computers in the domain. Earlier we had a power outage and about 30 computers were no longer able to log into the domain or authenticate. Some were NT Workstations and some were W2K, but not all NT or W2K workstations were affected.
>
> If we went to Network Neighborhood we would see the error message:
>
>   The trust relationship between this workstation and the primary domain failed
>
> When someone tries to log in to these computers they get the error:
>
>   The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect.
>
> We were able to fix the problem on the computers by taking the computers out of the domain and re-entering them into the domain: go into System -> Network Identification, put the machine in a workgroup, reboot, go back in and put the machine back into the domain. No manual deletion on the PDC was done. This was all done on the client.
>
> I reviewed LDAP backups and thus far have not found any discrepancies with the systems' profiles before or after the power outage. The records indicate that there has not been any change in the LDAP information in the last 2 months for the machines which have the problem. Of course, once the systems have been re-logged into the domain the SambaNTPassword changes.
>
> I am currently both baffled and concerned as to how or why this would happen. If anybody could shed more light on what could have happened I would appreciate it. I would also like to know if there is a way to re-add or add a client on the Samba-LDAP-PDC instead of going to each individual client.

Probably would be a good idea to figure out how to troubleshoot your setup, as one could only conjecture about what your problem is as you describe it.

I do know that there is some faulty logic in your assumptions above, since the workstations will automatically change their password with the passdb approximately once each month, and I am quite certain that this is documented in the Samba documentation.

So in view of your faulty assumption, my guess would be that your PDC/BDC setup in LDAP probably isn't working properly, as there should be evidence in some log somewhere when the workstations change their password and that the password changes propagate from LDAP server to LDAP server; and assuming that you are using something like 'slurpd' to replicate changes in LDAP, there should be evidence of some failures (aka rejects), unless you are allowing changes directly to the 'slave' LDAP server, in which case you have a lot to fix.

Craig
Re: [Samba] Samba LDAP PDC BDC quit working
Craig White wrote:
> On Sat, 2006-02-18 at 11:11 -0600, Philip Washington wrote:
>> We have had a Samba LDAP-PDC-BDC system set up for close to 3 months with about 60 computers in the domain. Earlier we had a power outage and about 30 computers were no longer able to log into the domain or authenticate. Some were NT Workstations and some were W2K, but not all NT or W2K workstations were affected.
>>
>> If we went to Network Neighborhood we would see the error message:
>>
>>   The trust relationship between this workstation and the primary domain failed
>>
>> When someone tries to log in to these computers they get the error:
>>
>>   The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect.
>>
>> We were able to fix the problem on the computers by taking the computers out of the domain and re-entering them into the domain: go into System -> Network Identification, put the machine in a workgroup, reboot, go back in and put the machine back into the domain. No manual deletion on the PDC was done. This was all done on the client.
>>
>> I reviewed LDAP backups and thus far have not found any discrepancies with the systems' profiles before or after the power outage. The records indicate that there has not been any change in the LDAP information in the last 2 months for the machines which have the problem. Of course, once the systems have been re-logged into the domain the SambaNTPassword changes.
>>
>> I am currently both baffled and concerned as to how or why this would happen. If anybody could shed more light on what could have happened I would appreciate it. I would also like to know if there is a way to re-add or add a client on the Samba-LDAP-PDC instead of going to each individual client.
>
> Probably would be a good idea to figure out how to troubleshoot your setup, as one could only conjecture about what your problem is as you describe it.
>
> I do know that there is some faulty logic in your assumptions above, since the workstations will automatically change their password with the passdb approximately once each month, and I am quite certain that this is documented in the Samba documentation.

Yep, this does throw a bad domino into the logic. (I wonder if MS will give me my money back for all of those MCSE classes.) Once I fixed that domino and started looking at the BDC again, I realized that its Samba configuration files look identical to the ones on the PDC, with the exception that ldap is pointing to the ldap on the BDC. So it currently looks like the BDC is misconfigured (basically I'm seeing a configuration that deviates quite a bit from what I see in Samba-3 by Example).

I shut down the BDC for now and put the PDC on a UPS (yeah, it should have been on one in the first place, but money is tight and we're operating under "if it ain't broke, don't pay money to fix it"). This should hold us over until the BDC is configured correctly. Thanks for the enlightenment.

> So in view of your faulty assumption, my guess would be that your PDC/BDC setup in LDAP probably isn't working properly, as there should be evidence in some log somewhere when the workstations change their password and that the password changes propagate from LDAP server to LDAP server; and assuming that you are using something like 'slurpd' to replicate changes in LDAP, there should be evidence of some failures (aka rejects), unless you are allowing changes directly to the 'slave' LDAP server, in which case you have a lot to fix.
>
> Craig
Re: [Samba] Samba + LDAP Windows Join Domain
James Taylor wrote:
> I am currently running samba 3.0.13. I have set the samba server up as an NT4 domain controller and I have also integrated my LDAP configuration with samba. When I try to join the samba domain from any Windows 2000 or Windows XP machine I get the error message "The user could not be found." My smbldap-tools scripts are working in the sense that the Machine Add script is adding the machinename$ domain account.

Does "getent passwd machinename$" produce the expected result?
RE: [Samba] Samba + LDAP Windows Join Domain
I figured out the issues I was having... Basically, when the machine accounts were created, the smbldap-tools I was using did not add the sambaSAMAccount objectclass and the appropriate sub-information needed for the domain lookup. I made several modifications to my scripts and voila! It works.

Thank you,
James

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gordon Messmer
Sent: Friday, February 17, 2006 4:41 PM
To: samba@lists.samba.org
Subject: Re: [Samba] Samba + LDAP Windows Join Domain

James Taylor wrote:
> I am currently running samba 3.0.13. I have set the samba server up as an NT4 domain controller and I have also integrated my LDAP configuration with samba. When I try to join the samba domain from any Windows 2000 or Windows XP machine I get the error message "The user could not be found." My smbldap-tools scripts are working in the sense that the Machine Add script is adding the machinename$ domain account.

Does "getent passwd machinename$" produce the expected result?
[Samba] Samba + LDAP Windows Join Domain
Hello all,

I have been working on this issue for some time and I know I am close to a solution. I am currently running samba 3.0.13. I have set the samba server up as an NT4 domain controller and I have also integrated my LDAP configuration with samba. When I try to join the samba domain from any Windows 2000 or Windows XP machine I get the error message "The user could not be found." My smbldap-tools scripts are working in the sense that the Machine Add script is adding the machinename$ domain account.

I have read several different Samba Windows Join Domain documents and have tried different variations of my configs to see if I can resolve this issue. I know my Samba LDAP configuration is good, as I am able to authenticate to SMB file shares on the samba server with groups mapped to my LDAP database. I am also seeing successful LDAP binds in the logs. Any pointers on things I may be able to try would be great.

Configs as follows:

# Global parameters
[global]
        workgroup = MYDOMAIN
        realm = MYDOMAIN.COM
        server string = Samba Server %v
        interfaces = 192.168.0.8/16
        min password length = 3
        map to guest = Bad User
        passdb backend = ldapsam:ldap://myldapsvr/
        enable privileges = Yes
        passwd program = /usr/sbin/smbldap-passwd
        username map = /etc/samba/smbusers
        client NTLMv2 auth = No
        client lanman auth = No
        client plaintext auth = No
        syslog = 7
        log file = /var/log/samba/log.%m
        max log size = 10
        smb ports = 135 445
        min protocol = NT1
        time server = Yes
        deadtime = 10
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /usr/sbin/smbldap-useradd -m '%u'
        delete user script = /usr/sbin/smbldap-userdel '%u'
        add group script = /usr/sbin/smbldap-groupadd -p '%g' /usr/sbin/smbldap-groupshow %g|awk '/^gidNumber:/ {print $2}'
        delete group script = /usr/sbin/smbldap-groupdel '%g'
        add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
        delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false '%u'
        logon script = logon.bat
        logon path =
        logon drive = H:
        logon home =
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        ldap admin dn = cn=Manager,dc=mydomain,dc=com
        ldap delete dn = Yes
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap passwd sync = Yes
        ldap suffix = dc=mydomain,dc=com
        ldap ssl = no
        ldap user suffix = ou=Users
        printer admin = @adm, root
        create mask = 0755
        directory mask = 0750
        hosts allow = 192.168., 127.
        nt acl support = No
        case sensitive = No
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        guest ok = Yes
        printable = Yes
        browseable = No

[print$]
        path = /var/lib/samba/printers
        write list = @adm, root
        inherit permissions = Yes
        guest ok = Yes

[admin]
        path = /
        valid users = @adm, root, jtaylor
        admin users = @adm, root, jtaylor
        read only = No
        browseable = No

Thank you all,
James Taylor
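Both threads above end up at the same diagnostic step: look at what is actually stored for the machine accounts in LDAP, on each server. Craig's point in the PDC/BDC thread is that workstations rotate their machine password roughly monthly, so a PDC/BDC pair whose LDAP replication is failing will drift apart until the BDC hands out stale machine credentials; James's join failure came from machine entries created without the sambaSamAccount objectClass. The script below is an added example, not code from the Samba project, from smbldap-tools or from anyone on the list. It assumes you have a slapcat export from each server; the LDIF here is constructed sample data with made-up DNs, SIDs and hashes. It reports machine entries missing the objectClass or attributes a join needs, and machine accounts whose sambaPwdLastSet or sambaNTPassword differ between the two exports or that exist only on the BDC (which is what direct writes to the slave look like).

```python
"""Audit Samba machine accounts across PDC and BDC LDAP exports (added example,
not Samba or smbldap-tools code; assumes `slapcat` output from each server)."""
import base64

# Constructed PDC export. ws03$ was created without sambaSamAccount, the
# defect James Taylor describes; DNs, SIDs and hashes are made up.
PDC_LDIF = """\
dn: uid=ws02$,ou=Computers,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws02$
sambaSID: S-1-5-21-1-2-3-3004
sambaNTPassword: FEDCBA9876543210FEDCBA9876543210
sambaPwdLastSet: 1140000000

dn: uid=ws03$,ou=Computers,dc=example,dc=com
objectClass: posixAccount
uid: ws03$
"""

# Constructed BDC export: ws02$ still carries the hash from before the
# workstation's periodic password change (replication lagged), ws03$ never
# arrived, and ws04$ exists only here.
BDC_LDIF = """\
dn: uid=ws02$,ou=Computers,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws02$
sambaSID: S-1-5-21-1-2-3-3004
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
sambaPwdLastSet: 1137000000

dn: uid=ws04$,ou=Computers,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws04$
sambaSID: S-1-5-21-1-2-3-3008
sambaNTPassword: 99887766554433221100FFEEDDCCBBAA
sambaPwdLastSet: 1140500000
"""


def parse_ldif(text):
    """Minimal slapcat-style LDIF reader -> {dn: {attr: [values]}}; folds
    continuation lines and decodes base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # RFC 2849 line folding
        else:
            lines.append(raw)
    entries, current = {}, {}
    for line in filter(str.strip, lines):
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:]).decode("utf-8", "replace")
        value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        else:
            current.setdefault(attr, []).append(value)
    return entries


def machine_accounts(entries):
    """Machine accounts are the entries whose uid ends in '$'."""
    return {dn: e for dn, e in entries.items() if e.get("uid", [""])[0].endswith("$")}


def check_schema(entries):
    """Per machine account, the objectClasses and attributes a domain join
    needs (sambaSID lives on sambaSamAccount and is what Samba looks up)."""
    problems = {}
    for dn, e in machine_accounts(entries).items():
        missing = sorted({"posixAccount", "sambaSamAccount"} - set(e.get("objectClass", [])))
        missing += [a for a in ("sambaSID", "sambaNTPassword") if a not in e]
        if missing:
            problems[dn] = missing
    return problems


def check_replication(pdc, bdc):
    """Describe how each machine account differs between the two exports."""
    drift = {}
    p, b = machine_accounts(pdc), machine_accounts(bdc)
    for dn, e in p.items():
        other = b.get(dn)
        if other is None:
            drift[dn] = "missing on BDC"
        elif e.get("sambaPwdLastSet") != other.get("sambaPwdLastSet"):
            drift[dn] = "sambaPwdLastSet differs (PDC %s, BDC %s)" % (
                e.get("sambaPwdLastSet", ["?"])[0], other.get("sambaPwdLastSet", ["?"])[0])
        elif e.get("sambaNTPassword") != other.get("sambaNTPassword"):
            drift[dn] = "sambaNTPassword differs with same sambaPwdLastSet"
    for dn in b.keys() - p.keys():
        drift[dn] = "only on BDC (written to the slave directly?)"
    return drift


if __name__ == "__main__":
    pdc, bdc = parse_ldif(PDC_LDIF), parse_ldif(BDC_LDIF)
    for dn, missing in check_schema(pdc).items():
        print("SCHEMA  %s: missing %s" % (dn, ", ".join(missing)))
    for dn, why in check_replication(pdc, bdc).items():
        print("DRIFT   %s: %s" % (dn, why))
```

On a real pair of servers, feed it the slapcat output of each and run it a day or two apart: a growing list of sambaPwdLastSet differences means the replication channel (slurpd or syncrepl) is not carrying the workstations' password changes, and anything "only on BDC" means writes are reaching the slave, which is the case Craig says needs fixing first. The hashes themselves are never printed.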
Re: [Samba] Samba, LDAP, and unix account
Ether:

If you're new to samba, you may want to start with smbpasswd or tdb authentication before going to LDAP.

http://us5.samba.org/samba/docs/man/Samba3-ByExample/simple.html#id2517375
http://us5.samba.org/samba/docs/man/Samba3-HOWTO/install.html#tdbdocs

-Bill

Ether wrote:
> Hi everyone!
>
> Until now, I used samba as a simple public share server... and now I would like to use it with many accounts. I know it's possible, but I would like something particular: I would like to have SAMBA accounts independent from the unix account system!
>
> Here is how I think of my system: all files on the server will be owned by a unix account dedicated to samba storage, but I would like to set owner and access rights from users of the samba account system. I also would like to be able to set up rights on each directory from Windows and be able to get the samba account list from Windows without creating a PDC with samba and registering each PC to this domain.
>
> Is it possible, or do I have to create a PDC?
>
> Franck
>
> thanks to everyone for your answers!
[Samba] Samba, LDAP, and unix account
Hi everyone!

Until now, I used samba as a simple public share server... and now I would like to use it with many accounts. I know it's possible, but I would like something particular: I would like to have SAMBA accounts independent from the unix account system!

Here is how I think of my system: all files on the server will be owned by a unix account dedicated to samba storage, but I would like to set owner and access rights from users of the samba account system. I also would like to be able to set up rights on each directory from Windows and be able to get the samba account list from Windows without creating a PDC with samba and registering each PC to this domain.

Is it possible, or do I have to create a PDC?

Franck

thanks to everyone for your answers!
[Samba] Samba + ldap, acounts expiring? but pdbedit says otherwise
Apologies if this is a RTFM issue...

My first question is: anyone know of code that can assist in going through samba logfiles (looking for errors, etc.)?

I have what appears to be a password expiration problem. User X has been able to mount a shared drive off the samba box using his login/password. Suddenly it doesn't appear to work: he can run

  net use Z: \\server\share

from his XP box; it tries to mount the drive, pops up with an invalid user/pw type of error, prompts for credentials. Enter what had been valid credentials, doesn't work. I ssh over to the samba box, run "pdbedit -L -v", and his account expiration stuff looks like this:

  Logon time:           0
  Logoff time:          Mon, 18 Jan 2038 19:14:07 GMT
  Kickoff time:         Mon, 18 Jan 2038 19:14:07 GMT
  Password last set:    Wed, 11 Jan 2006 00:11:57 GMT
  Password can change:  0
  Password must change: Fri, 11 Jan 2008 00:11:57 GMT

Also, if I slapcat the ldap morass into a file and check the expiration time, it's also in the future:

  sambaPwdMustChange: 1200039117

- by my calculation the same date as listed above.

We tried again, no soap. Reset the password on the server using the smbldap-password command, drive mounts fine.

You could say that he was typing in the wrong password, but for one he administers a bunch of machines and is used to typing in passwords, and for two I had to run through all my users over the course of a couple of days and have them reset their passwords, same type of thing.

Is there any other place I should be looking for something that would cause credentials not to work? I thought PAM, but all the account cruft is in LDAP and the data therein looks good (e.g. this user doesn't have an entry in /etc/password or /etc/shadow also). XP weirdness? It's probably worth mentioning that we don't do any kind of policy management on XP, stock XP Pro installs from CD.

Samba 3.0.20b
openldap-2.2.13-4
idealx tools 0.9.1
Red Hat AS4

If that matters. Thanks for any hints or clues where to look!

--
Joe Mailander
[EMAIL PROTECTED]
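Joe asks for something that goes through Samba log files looking for errors, and whether his sambaPwdMustChange value really lies in the future. As an added example (not Samba code and not from anyone on the list), here is a small Python scanner for Samba 3 logs: it pairs each "[date, level] file:function(line)" header with the indented message that follows it, counts failed authentications per user and NT_STATUS code, lists level-0 messages (which smbd emits at any "log level" setting and which usually mean a misconfiguration rather than a bad password), and converts a sambaPwdMustChange epoch to a UTC date with an expired/valid verdict against a given "now". The log lines are constructed in the style of smbd's auth messages, with made-up users and times, and assume the authentication failure line is logged at level 2; the epoch 1200039117 is the value from the post and the "now" timestamp is constructed.

```python
"""Scan a Samba 3 log for failed authentications and check sambaPwdMustChange
(added example, not Samba code; log lines below are constructed in the style
of smbd's auth/auth.c messages, with made-up users and times)."""
import re
from datetime import datetime, timezone

# Constructed sample log: two bad passwords for jdoe, one expired password
# for asmith, one success, and one level-0 share misconfiguration.
SAMPLE_LOG = """\
[2006/02/20 08:01:12, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [jdoe] -> [jdoe] FAILED with error NT_STATUS_WRONG_PASSWORD
[2006/02/20 08:01:40, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [jdoe] -> [jdoe] FAILED with error NT_STATUS_WRONG_PASSWORD
[2006/02/20 08:02:03, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [asmith] -> [asmith] FAILED with error NT_STATUS_PASSWORD_EXPIRED
[2006/02/20 08:02:30, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [bjones] -> [bjones] -> [bjones] succeeded
[2006/02/20 08:03:11, 0] smbd/service.c:make_connection_snum(623)
  '/srv/share' does not exist or permission denied when connecting to [share]
  Error was No such file or directory
"""

# "[YYYY/MM/DD HH:MM:SS, level] source-location" opens every Samba 3 log entry.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), *(\d+)\] (\S+)")
FAIL_RE = re.compile(r"Authentication for user \[([^\]]*)\].*FAILED with error (NT_STATUS_\w+)")


def parse_samba_log(text):
    """Group each header line with its indented message lines; returns a
    list of dicts with time, level, where and msg."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "where": m.group(3), "msg": ""})
        elif records and line.startswith(" "):
            records[-1]["msg"] += line.strip() + " "
    return records


def auth_failures(text):
    """{(user, NT_STATUS code): count} - the first thing to look at when a
    user suddenly cannot mount a share."""
    counts = {}
    for rec in parse_samba_log(text):
        m = FAIL_RE.search(rec["msg"])
        if m:
            counts[m.groups()] = counts.get(m.groups(), 0) + 1
    return counts


def level0_messages(text):
    """Level-0 entries are written whatever 'log level' is set to."""
    return [r for r in parse_samba_log(text) if r["level"] == 0]


def must_change_state(samba_pwd_must_change, now):
    """Interpret a sambaPwdMustChange epoch relative to 'now' (also epoch)."""
    when = datetime.fromtimestamp(samba_pwd_must_change, tz=timezone.utc)
    state = "expired" if samba_pwd_must_change <= now else "valid"
    return state, when.strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    for (user, status), n in sorted(auth_failures(SAMPLE_LOG).items()):
        print("%-10s %-32s %d" % (user, status, n))
    for rec in level0_messages(SAMPLE_LOG):
        print("level 0 at", rec["time"], rec["where"], "->", rec["msg"].strip())
    # Epoch from the post; 'now' is a constructed January 2006 timestamp.
    print(must_change_state(1200039117, now=1138000000))
```

Point it at /var/log/samba/log.<client> (the "log file = %m" layout both posters use) and the NT_STATUS code tells you which attribute to look at next: NT_STATUS_PASSWORD_EXPIRED points at sambaPwdMustChange, NT_STATUS_WRONG_PASSWORD at the stored hash, NT_STATUS_NO_SUCH_USER at the nss/LDAP lookup itself. If the log shows no failed authentication at all for the user, the rejection happened before Samba saw credentials, and the problem is on the client or in name resolution rather than in passdb.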
[Samba] samba/ldap network and domain setup advice
Hi,

I am sure this has been discussed before but all the documentation I could find seems to be old.

I have two main sites that make up the core part of our network. They are connected by a link that is usually congested. On the first site, of about 500 users, we have implemented Samba/LDAP. I now need to work out what to do with the second site of about 1000 users.

So the requirements are:

1. Some other applications are using LDAP authentication and all users from both sites need to be authenticated.
2. Some users often travel between sites so it would be useful if they can log into samba at both places.
3. The link between the two sites is probably too slow for doing anything useful except perhaps LDAP replication.

So what is the best way of going about this? Do I set up two domains? If I have two domains, what is the best way of segregating users so that other LDAP applications can see all users? What have other people done in these types of situations and what things should I avoid or be aware of?

Thanks,
Abdul-Wahid
[Samba] samba / ldap
hi,

I want to upgrade our LDAP server and our Samba PDC server, which supports LDAP for user identification and authentication under Windows.

The LDAP server release is 2.0.23 and we want to install the last stable one, 2.3.19. The Samba server release is 2.2.6 and we want to install the last stable 3.0.

Could someone tell me if there are no problems for upgrading? How to migrate all the Windows machines in the Samba PDC/LDAP domain without re-integrating them again?

thanks sincerely
Re: [Samba] Samba LDAP caching when LDAP server unavailable - possible?
We've used slave LDAP servers as our local office solution. It seems like a PITA at first, but really it's not much trouble... we redistribute old Optiplex GX100s with bigger IDE drives as the local PDC.

Chris Smith

Tomasz Chmielewski wrote:
> Michael Gasch wrote:
>>> you could set up openldap to do syncrepl and have a full copy of your samba domain stuff that's in ldap. if the connection goes down, the ldap stuff is there and if you have it set up like a bdc, you can still login, etc.
>>
>> Yep, that's how it's normally done.
>>
>> what about setting up a BDC in the subnet the router can access by ethernet (builtin switch, subnet behind the router)? this connection is always on, isn't it?
>
> It's a solution for a small office. A couple of workstations, this tiny router running Samba instead of a server; connection to the outside through ADSL, nothing more. When ADSL doesn't connect (because an employee disconnected the modem, because he needed a power outlet to make tea), we're in trouble.
Re: [Samba] Samba LDAP caching when LDAP server unavailable - possible?
> you could set up openldap to do syncrepl and have a full copy of your samba domain stuff that's in ldap. if the connection goes down, the ldap stuff is there and if you have it set up like a bdc, you can still login, etc.

Yep, that's how it's normally done.

what about setting up a BDC in the subnet the router can access by ethernet (builtin switch, subnet behind the router)? this connection is always on, isn't it?

greez

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT)
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
Re: [Samba] Samba LDAP caching when LDAP server unavailable - possible?
Michael Gasch wrote:
>> you could set up openldap to do syncrepl and have a full copy of your samba domain stuff that's in ldap. if the connection goes down, the ldap stuff is there and if you have it set up like a bdc, you can still login, etc.
>
> Yep, that's how it's normally done.
>
> what about setting up a BDC in the subnet the router can access by ethernet (builtin switch, subnet behind the router)? this connection is always on, isn't it?

It's a solution for a small office. A couple of workstations, this tiny router running Samba instead of a server; connection to the outside through ADSL, nothing more. When ADSL doesn't connect (because an employee disconnected the modem, because he needed a power outlet to make tea), we're in trouble.

--
Tomasz Chmielewski
http://wpkg.org
Re: [Samba] Samba LDAP caching when LDAP server unavailable - possible?
> It's a solution for a small office.

this solution also applies to a small office :) i know, you're looking for caching, but as long as there's no productive way with samba and caching (creds) you should go for a BDC

greez

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT)
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
Re: [Samba] Samba LDAP caching when LDAP server unavailable - possible?
i guess the real question here is what is your interest? are you more interested in having the login functionality when the network link is down, or are you more interested in toying with the notion of having samba run on a mini box? i can certainly help you with the former if you wish. i have set up an old linux box as a bdc at a remote location (my parent's house) to allow them all functionality of being in the domain even when their crappy dsl goes down and we lose the vpn link between us. it works like a charm.

My Website: http://messinet.com
My Online Gallery: http://messinet.com/modules.php?name=Web_Linksl_op=visitlid=3

Michael Gasch wrote:
>> It's a solution for a small office.
>
> this solution also applies to a small office :) i know, you're looking for caching, but as long as there's no productive way with samba and caching (creds) you should go for a BDC
>
> greez
Re: [Samba] Samba LDAP caching when LDAP server unavailable - possible?
ANTHONY JOSEPH MESSINA wrote:
> i guess the real question here is what is your interest? are you more interested in having the login functionality when the network link is down, or are you more interested in toying with the notion of having samba run on a mini box?

Of course, being able to login at all times is one of the most important factors.

Well, there are many factors; in the end I would like it to be a cheap and reliable domain controller for small offices:

- cost - this mini router (it even has wireless) + USB stick cost less than a PC
- it's small and compact
- stability - there is no fan, no hard disk, no moving parts that can break
- ease of (remote) management (when it's set up properly)
- in case of any trouble, someone just turns the device off and on, it'll be up again in a matter of seconds
- it's fun to do something new :)

--
Tomasz Chmielewski
http://wpkg.org
Re: [Samba] Samba LDAP caching when LDAP server unavailable - possible?
ok, i'll go with you on this. so this mini-router, does it have a hard drive or a place that it could dynamically write data? because it seems to me that samba will need to write data at will and, for sure, ldap with syncrepl or any caching program will need to write new data that is not static to someplace. what are the true capabilities of this router? the cheapy routers that use firmware won't be able to dynamically write this data, would they? any change to data would require a firmware upgrade.

also, how would you manage the router remotely? ssh? a web interface? how would you alter any smb.conf settings? i agree your router would be a cool thing, but you have very little admin functionality.

another option may be a refurb cheap computer with a cheap network card which would do the same thing, but give you total functionality. this is what i did for the bds at my parent's house. i got a dell outlet refurb for $240, installed fc4 and away we went. i do still like the idea though of a plug-it-in-and-it-works system for stuff like this.

My Website: http://messinet.com
My Online Gallery: http://messinet.com/modules.php?name=Web_Linksl_op=visitlid=3

Tomasz Chmielewski wrote:
> ANTHONY JOSEPH MESSINA wrote:
>> i guess the real question here is what is your interest? are you more interested in having the login functionality when the network link is down, or are you more interested in toying with the notion of having samba run on a mini box?
>
> Of course, being able to login at all times is one of the most important factors.
>
> Well, there are many factors; in the end I would like it to be a cheap and reliable domain controller for small offices:
>
> - cost - this mini router (it even has wireless) + USB stick cost less than a PC
> - it's small and compact
> - stability - there is no fan, no hard disk, no moving parts that can break
> - ease of (remote) management (when it's set up properly)
> - in case of any trouble, someone just turns the device off and on, it'll be up again in a matter of seconds
> - it's fun to do something new :)
Re: [Samba] Samba LDAP caching when LDAP server unavailable - possible?
ANTHONY JOSEPH MESSINA wrote:
> ok, i'll go with you on this. so this mini-router, does it have a hard drive or a place that it could dynamically write data? because it seems to me that samba will need to write data at will and, for sure, ldap with syncrepl or any caching program will need to write new data that is not static to someplace. what are the true capabilities of this router?

It's an ASUS WL-500g Deluxe. It has a 200 MHz Broadcom/mipsel CPU, 4 MB flash, 32 MB RAM, 2 USB2 ports, 5 network ports (to use as a switch or 5 separate network cards). I connected a USB stick to one of the USB ports and the root filesystem is there (instead of the 4 MB flash). The router costs about 70 euro / 80 USD.

Capabilities? It's Linux, so it can do everything :)
http://wiki.openwrt.org/TableOfHardware#head-34991459c386514e56db26b0f51743ce57d27af1

> the cheapy routers that use firmware won't be able to dynamically write this data, would they? any change to data would require a firmware upgrade.

Exactly - I replaced the original firmware with OpenWRT - http://openwrt.org - a distro for such small routers listed in the link I gave above.

> also, how would you manage the router remotely? ssh? a web interface? how would you alter any smb.conf settings?

It has a basic web interface (for setting network, DNS, gateway, wireless etc.), but yes, mostly with SSH.

> i agree your router would be a cool thing, but you have very little admin functionality.

SSH - exactly the same admin functionality as with a PC.

> another option may be a refurb cheap computer with a cheap network card which would do the same thing, but give you total functionality.

But this means noise, disk, fan etc. - I don't want that.

> this is what i did for the bds at my parent's house. i got a dell outlet refurb for $240, installed fc4 and away we went.

So you paid 2x too much :)

--
Tomasz Chmielewski
http://wpkg.org
RE: [Samba] Samba LDAP caching when LDAP server unavailable -possible?
I was just visiting the openwrt site and noticed that OpenLDAP is in their download section.

Larry

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tomasz Chmielewski
Sent: Thursday, January 19, 2006 2:02 PM
To: ANTHONY JOSEPH MESSINA; samba
Subject: Re: [Samba] Samba LDAP caching when LDAP server unavailable -possible?

ANTHONY JOSEPH MESSINA wrote:
> ok, i'll go with you on this. so this mini-router, does it have a hard drive or a place that it could dynamically write data? because it seems to me that samba will need to write data at will and, for sure, ldap with syncrepl or any caching program will need to write new data that is not static to someplace. what are the true capabilities of this router?

It's an ASUS WL-500g Deluxe. It has a 200 MHz Broadcom/mipsel CPU, 4 MB flash, 32 MB RAM, 2 USB2 ports, 5 network ports (to use as a switch or 5 separate network cards). I connected a USB stick to one of the USB ports and the root filesystem is there (instead of the 4 MB flash). The router costs about 70 euro / 80 USD.

Capabilities? It's Linux, so it can do everything :)
http://wiki.openwrt.org/TableOfHardware#head-34991459c386514e56db26b0f51743ce57d27af1

> the cheapy routers that use firmware won't be able to dynamically write this data, would they? any change to data would require a firmware upgrade.

Exactly - I replaced the original firmware with OpenWRT - http://openwrt.org - a distro for such small routers listed in the link I gave above.

> also, how would you manage the router remotely? ssh? a web interface? how would you alter any smb.conf settings?

It has a basic web interface (for setting network, DNS, gateway, wireless etc.), but yes, mostly with SSH.

> i agree your router would be a cool thing, but you have very little admin functionality.

SSH - exactly the same admin functionality as with a PC.

> another option may be a refurb cheap computer with a cheap network card which would do the same thing, but give you total functionality.

But this means noise, disk, fan etc. - I don't want that.

> this is what i did for the bds at my parent's house. i got a dell outlet refurb for $240, installed fc4 and away we went.

So you paid 2x too much :)

--
Tomasz Chmielewski
http://wpkg.org
Re: [Samba] Samba LDAP caching when LDAP server unavailable -possible?
Larry McElderry wrote:
> I was just visiting the openwrt site and noticed that OpenLDAP is in their download section.

It's the clients only + libs; no server.

Anyway, I think it's not that hard to compile the OpenLDAP server for it. The problem would be to authenticate the users against it - in other words, to make the system see the users from the LDAP. It's a pretty bare and small distro... :)

--
Tomasz Chmielewski
http://wpkg.org
Re: [Samba] Samba LDAP caching when LDAP server unavailable - possible?
Andrew Bartlett wrote:
> On Tue, 2006-01-17 at 10:16 -0500, William Burns wrote:
>> Tomasz:
>>
>> I had heard that some people were interested in caching passwords (which could be stored in NIS, or LDAP) on linux laptops so that a user could log in even when disconnected from their LDAP or NIS domain. The theory was that the nss (name service switch) and nscd (name service cache daemon) system(s) could be tuned/modified to cache this information. As far as I know, this has not been done/tested for use with samba the way you describe.
>
> For this in an AD domain, there has been a lot of work done in Samba's trunk development tree for this (disconnected laptop) behaviour.

Is there anything that might go to the stable anytime soon?

--
Tomasz Chmielewski
http://wpkg.org
Re: [Samba] Samba LDAP caching when LDAP server unavailable - possible?
Could you set up a small instance of an LDAP server along with Samba on this small box and have it act like a BDC? You could set up OpenLDAP to do syncrepl and have a full copy of your Samba domain stuff that's in LDAP. If the connection goes down, the LDAP stuff is there, and if you have it set up like a BDC, you can still login, etc.

Just a thought, I'm fairly new at all this stuff.

-Anthony

My Website: http://messinet.com My Online Gallery: http://messinet.com/modules.php?name=Web_Linksl_op=visitlid=3

Tomasz Chmielewski wrote:
> I've been using Samba with OpenLDAP with great success on normal servers. Recently however, it appeared to us that for remote locations it is more economically viable to replace Samba servers with Samba running on little routers like ASUS WL-500g with openwrt firmware/software. It has a broadcom/mipsel CPU, and thanks to openwrt (http://openwrt.org), it is possible to run lots of software on it. Pretty nice for small offices - small, no fan, no hard disk etc. other moving parts (you can connect a USB stick to it if you want to store files/profiles).
>
> There is one glitch however - no OpenLDAP port. So a Samba domain controller running on these tiny routers would have to authenticate users against an external OpenLDAP server (probably in the company headquarters). My experience shows that a company with several branches located throughout the city/country/world has connectivity problems from time to time (especially when there is no IT staff in the branches). With no local LDAP server this would mean users not able to work (as they can't authenticate).
>
> Is it possible to set up Samba to cache credentials retrieved from the LDAP, and when LDAP is unavailable, to use these cached credentials?
Re: [Samba] Samba LDAP caching when LDAP server unavailable - possible?
ANTHONY JOSEPH MESSINA schrieb:
> Could you set up a small instance of an LDAP server along with Samba on this small box and have it act like a BDC?

That would be great indeed - the problem is, there is no OpenLDAP server port to that thingy yet :)

> You could set up OpenLDAP to do syncrepl and have a full copy of your Samba domain stuff that's in LDAP. If the connection goes down, the LDAP stuff is there, and if you have it set up like a BDC, you can still login, etc.

Yep, that's how it's normally done.

-- Tomasz Chmielewski http://wpkg.org
[Samba] Samba LDAP caching when LDAP server unavailable - possible?
I've been using Samba with OpenLDAP with great success on normal servers. Recently however, it appeared to us that for remote locations it is more economically viable to replace Samba servers with Samba running on little routers like ASUS WL-500g with openwrt firmware/software. It has a broadcom/mipsel CPU, and thanks to openwrt (http://openwrt.org), it is possible to run lots of software on it. Pretty nice for small offices - small, no fan, no hard disk etc. other moving parts (you can connect a USB stick to it if you want to store files/profiles).

There is one glitch however - no OpenLDAP port. So a Samba domain controller running on these tiny routers would have to authenticate users against an external OpenLDAP server (probably in the company headquarters). My experience shows that a company with several branches located throughout the city/country/world has connectivity problems from time to time (especially when there is no IT staff in the branches). With no local LDAP server this would mean users not able to work (as they can't authenticate).

Is it possible to set up Samba to cache credentials retrieved from the LDAP, and when LDAP is unavailable, to use these cached credentials?

-- Tomasz Chmielewski http://wpkg.org
Re: [Samba] Samba LDAP caching when LDAP server unavailable - possible?
nscd?

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Tue, 17 Jan 2006, Tomasz Chmielewski wrote:
> I've been using Samba with OpenLDAP with great success on normal servers. Recently however, it appeared to us that for remote locations it is more economically viable to replace Samba servers with Samba running on little routers like ASUS WL-500g with openwrt firmware/software. It has a broadcom/mipsel CPU, and thanks to openwrt (http://openwrt.org), it is possible to run lots of software on it. Pretty nice for small offices - small, no fan, no hard disk etc. other moving parts (you can connect a USB stick to it if you want to store files/profiles).
>
> There is one glitch however - no OpenLDAP port. So a Samba domain controller running on these tiny routers would have to authenticate users against an external OpenLDAP server (probably in the company headquarters). My experience shows that a company with several branches located throughout the city/country/world has connectivity problems from time to time (especially when there is no IT staff in the branches). With no local LDAP server this would mean users not able to work (as they can't authenticate).
>
> Is it possible to set up Samba to cache credentials retrieved from the LDAP, and when LDAP is unavailable, to use these cached credentials?
>
> -- Tomasz Chmielewski http://wpkg.org
Re: [Samba] Samba LDAP caching when LDAP server unavailable - possible?
Tomasz:

I had heard that some people were interested in caching passwords (which could be stored in NIS, or LDAP) on Linux laptops so that a user could log in even when disconnected from their LDAP or NIS domain. The theory was that the nss (name service switch) and nscd (name service cache daemon) system(s) could be tuned/modified to cache this information. As far as I know, this has not been done/tested for use w/ samba the way you describe.

See section: 2.1.4 The Name Service Caching Daemon http://www.saas.nsw.edu.au/solutions/ldap-auth-pam.html

-Bill

Tomasz Chmielewski wrote:
> I've been using Samba with OpenLDAP with great success on normal servers. Recently however, it appeared to us that for remote locations it is more economically viable to replace Samba servers with Samba running on little routers like ASUS WL-500g with openwrt firmware/software. It has a broadcom/mipsel CPU, and thanks to openwrt (http://openwrt.org), it is possible to run lots of software on it. Pretty nice for small offices - small, no fan, no hard disk etc. other moving parts (you can connect a USB stick to it if you want to store files/profiles).
>
> There is one glitch however - no OpenLDAP port. So a Samba domain controller running on these tiny routers would have to authenticate users against an external OpenLDAP server (probably in the company headquarters). My experience shows that a company with several branches located throughout the city/country/world has connectivity problems from time to time (especially when there is no IT staff in the branches). With no local LDAP server this would mean users not able to work (as they can't authenticate).
>
> Is it possible to set up Samba to cache credentials retrieved from the LDAP, and when LDAP is unavailable, to use these cached credentials?
Re: [Samba] Samba LDAP caching when LDAP server unavailable - possible?
On Tue, 17 Jan 2006, Chris St. Pierre wrote:
> nscd?

nscd is known to cause problems with Samba.

Regards,
--martin
Re: [Samba] Samba LDAP caching when LDAP server unavailable - possible?
On Tue, 2006-01-17 at 10:16 -0500, William Burns wrote:
> Tomasz: I had heard that some people were interested in caching passwords (which could be stored in NIS, or LDAP) on Linux laptops so that a user could log in even when disconnected from their LDAP or NIS domain. The theory was that the nss (name service switch) and nscd (name service cache daemon) system(s) could be tuned/modified to cache this information. As far as I know, this has not been done/tested for use w/ samba the way you describe.

For this in an AD domain, there has been a lot of work done in Samba's trunk development tree for this (disconnected laptop) behaviour.

Andrew Bartlett

-- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Student Network Administrator, Hawker College http://hawkerc.net
[Samba] Samba / LDAP Wildcard SSL certificate
Anyone successfully use TLS to an OpenLDAP back end using a *wildcard* SSL certificate?

Samba 3.0.20b
OpenLDAP 2.3.12
OpenSSL 0.9.8
(these are blastwave.org CSW packages, btw)

Fresh install of Solaris 9 with the very latest patch cluster. No iPlanet or Sun DS stuff is installed.

Here's an excerpt from my smb.conf file...

[global]
workgroup = EXAMPLE
netbios name = TESTBED
security = user
enable privileges = yes
encrypt passwords = yes
log file = /var/log/samba/log.smbd
ldap passwd sync = yes
passdb backend = ldapsam:ldap://localhost/ smbpasswd guest
# passdb backend = ldapsam:ldaps://localhost/ smbpasswd guest
ldap suffix = dc=example,dc=org
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=samba,ou=DSA,dc=example,dc=org
ldap ssl = no
# ldap ssl = yes
# ldap ssl = start tls

When ldap ssl = no then all is well, but I've been unable to use either yes or start tls successfully.

If I use ldap ssl = start tls I get

[2006/01/03 13:56:20.688388, 0] lib/smbldap.c:(615)
Failed to issue the StartTLS instruction: Connect error

If I use ldap ssl = yes I see the following...

[2006/01/03 15:33:57.807033, 0] lib/smbldap.c:(790)
failed to bind to server ldaps://localhost/ with dn=cn=samba,ou=DSA,dc=example,dc=org Error: Can't contact LDAP server
TLS: hostname does not match CN in peer certificate

(the CN in the cert in this case would be *.example.org)

ldap.conf points to the proper certificate and CA:

[EMAIL PROTECTED] cat /etc/ldap.conf
HOST localhost testbed.example.org
BASE dc=example,dc=org
SSL start_tls
TLS_CACERT /usr/ssl/certs/rapidssl_01.cer
TLS_CERT /usr/ssl/certs/example.org.crt
TLS_KEY /usr/ssl/private/example.org.key
TLS_REQCERT demand

and the certificate works as expected for (for instance) https.

I have also verified that TLS is working normally by using ldapsearch:

[EMAIL PROTECTED] ldapsearch -x -W -ZZ -D cn=samba,ou=dsa,dc=example,dc=org (objectClass=sambaDomain)
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectClass=sambaDomain)
# requesting: ALL
#

# EXAMPLE, example.org
dn: sambaDomainName=EXAMPLE,dc=example,dc=org
sambaDomainName: EXAMPLE
sambaSID: S-*-*-**-**-*-*
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Any thoughts on how I might get this to work with the wildcard certificate?

Thanks!

-- Roy McMorran Systems Administrator MDI Biological Laboratory [EMAIL PROTECTED]
Re: [Samba] samba + ldap
Hi, all.

I carefully read the [samba]ldapsam:trusted = yes kills smbd thread, but it did not help me.

My Samba wants to use domain-like SIDs. I have 5 (possibly more) Samba servers distributed over the world. These servers know nothing about their neighbours. Today we are using rsync for syncing smbpasswd files. Also, I have several replicated LDAP servers with my unix user accounts, and I want to use these servers to replace the smbpasswd files. I have to use security = user instead of PDC-BDC, because my Samba servers can't interact.

I use samba-3.0.20b,1 on FreeBSD 6.0-STABLE.

The problem is -- I can't authenticate on the Samba server.

My smb.conf, smb.ldif (my tree) and Samba log (with log level = 10) are accessible on http://clh.higis.ru/~dimma/samba/

Please, help me.

On Fri, Nov 25, 2005 at 04:43:43PM +, Daniel Wilson wrote:
> I had the same problem as this!! Well, if you're using ldapsam:trusted=yes look for the thread titled [samba]ldapsam:trusted = yes kills smbd ..but pretty much it was this.. I have changed the sambaPrimaryGroupSid: S-1-1-0 on uid=nobody and changed sambaSID: S-1-1-0 on group nobody and it now starts yeh!! :)
>
> On Fri, 2005-11-25 at 14:37, Dmitriy Kirhlarov wrote:
>> Hi, all. Now my LDAP directory is used for storing unix user accounts. I want to use it for Samba auth too. My Samba config and LDAP records are attached. When I try to start smbd I get this error in the logfile:
>>
>> [2005/11/25 16:30:21, 3] passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2513) primary group of [nobody] not found
>>
>> Any ideas?
>>
>> WBR
>> -- Dmitriy Kirhlarov OILspace, 26 Leninskaya sloboda, bld. 2, 2nd floor, 115280 Moscow, Russia P:+7 095 105 7247 ext.203 F:+7 095 105 7246 E:[EMAIL PROTECTED] OILspace - The resource enriched - www.oilspace.com
[Samba] Samba LDAP Tools and mkntpwd
I'm in the middle of Samba 3.0.9 == 3.0.14a migration testing. Because I'm using newer tools, I am also using a newer version of the Samba LDAP Tools. My older version, 0.8.4, used the 'mkntpwd' utility to generate NT passwords. The new version, 0.9.1, defaults to using (what looks like) a Perl module called Crypt::SmbHash.

My questions: Do I need to continue to use mkntpwd? Will I need to reset all the passwords for my users if I move to Crypt::SmbHash? Or will it just work if I leave the defaults alone?

-- Kevin L. Collins, MCSE Systems Manager Nesbitt Engineering, Inc.
Re: [Samba] Samba LDAP Tools and mkntpwd
On Fri, 2005-12-02 at 15:43 -0500, Collins, Kevin wrote:
> I'm in the middle of Samba 3.0.9 == 3.0.14a migration testing. Because I'm using newer tools, I am also using a newer version of the Samba LDAP Tools. My older version, 0.8.4, used the 'mkntpwd' utility to generate NT passwords. The new version, 0.9.1, defaults to using (what looks like) a Perl module called Crypt::SmbHash.
>
> My questions: Do I need to continue to use mkntpwd? Will I need to reset all the passwords for my users if I move to Crypt::SmbHash? Or will it just work if I leave the defaults alone?

I think that an smb hashed password is going to be an smb hashed password regardless of the tool used to create it. Otherwise, how could the Windows user log in?

Craig
Re: [Samba] Samba LDAP Tools and mkntpwd
On Fri, 2005-12-02 at 13:53 -0700, Craig White wrote:
> On Fri, 2005-12-02 at 15:43 -0500, Collins, Kevin wrote:
>> I'm in the middle of Samba 3.0.9 == 3.0.14a migration testing. Because I'm using newer tools, I am also using a newer version of the Samba LDAP Tools. My older version, 0.8.4, used the 'mkntpwd' utility to generate NT passwords. The new version, 0.9.1, defaults to using (what looks like) a Perl module called Crypt::SmbHash.
>>
>> My questions: Do I need to continue to use mkntpwd? Will I need to reset all the passwords for my users if I move to Crypt::SmbHash? Or will it just work if I leave the defaults alone?
>
> I think that an smb hashed password is going to be an smb hashed password regardless of the tool used to create it. Otherwise, how could the Windows user log in?

Yes. One is a perl port of the C routines, while the older mkntpwd is just that particular C file compiled standalone. If the perl code does the unicode translation right, it might even be more accurate for non-ASCII.

Andrew Bartlett

-- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Student Network Administrator, Hawker College http://hawkerc.net
Re: [Samba] Samba LDAP Tools and mkntpwd
On Sat, 2005-12-03 at 09:10 +1100, Andrew Bartlett wrote:
> On Fri, 2005-12-02 at 13:53 -0700, Craig White wrote:
>> On Fri, 2005-12-02 at 15:43 -0500, Collins, Kevin wrote:
>>> I'm in the middle of Samba 3.0.9 == 3.0.14a migration testing. Because I'm using newer tools, I am also using a newer version of the Samba LDAP Tools. My older version, 0.8.4, used the 'mkntpwd' utility to generate NT passwords. The new version, 0.9.1, defaults to using (what looks like) a Perl module called Crypt::SmbHash.
>>>
>>> My questions: Do I need to continue to use mkntpwd? Will I need to reset all the passwords for my users if I move to Crypt::SmbHash? Or will it just work if I leave the defaults alone?
>>
>> I think that an smb hashed password is going to be an smb hashed password regardless of the tool used to create it. Otherwise, how could the Windows user log in?
>
> Yes. One is a perl port of the C routines, while the older mkntpwd is just that particular C file compiled standalone. If the perl code does the unicode translation right, it might even be more accurate for non-ASCII.

My experience with perl is that this is never a given. ;-)

Craig
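The point made above (the NT hash is the same whichever tool produced it, provided the Unicode step is done right) can be checked directly. This is an added example, not code from the thread, mkntpwd or Crypt::SmbHash: it computes the sambaNTPassword value as MD4 over the UTF-16LE password with a small pure-Python MD4 (hashlib's md4 is often disabled), and compares it against what a tool that widened raw terminal bytes byte-for-byte would store. The sample passwords are constructed.

```python
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _md4_round(v, fn, words, order, shifts, const):
    # One MD4 round (RFC 1320): 16 steps, the updated register cycling a, d, c, b.
    for i, idx in enumerate(order):
        t = (-i) % 4
        x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
        v[t] = _rotl((v[t] + fn(x, y, z) + words[idx] + const) & _MASK, shifts[i % 4])


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used because hashlib's md4 is frequently
    unavailable (OpenSSL legacy provider). Returns the 16-byte digest."""
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)          # little-endian bit length
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        words = list(struct.unpack("<16I", data[off:off + 64]))
        v = state[:]
        _md4_round(v, lambda x, y, z: (x & y) | (~x & _MASK & z), words,
                   range(16), (3, 7, 11, 19), 0)
        _md4_round(v, lambda x, y, z: (x & y) | (x & z) | (y & z), words,
                   (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
                   (3, 5, 9, 13), 0x5A827999)
        _md4_round(v, lambda x, y, z: x ^ y ^ z, words,
                   (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
                   (3, 9, 11, 15), 0x6ED9EBA1)
        state = [(s + w) & _MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """The sambaNTPassword value: MD4 over the UTF-16LE form of the password,
    as uppercase hex. This is the computation both tools implement."""
    return md4(password.encode("utf-16-le")).hex().upper()


def nt_hash_bytewise(password: str, terminal_encoding: str) -> str:
    """What a tool that skips proper Unicode translation would store: it takes
    the raw terminal bytes and widens each byte to UTF-16 as if it were
    Latin-1. Identical to nt_hash() for ASCII, different for anything else."""
    raw = password.encode(terminal_encoding)
    return md4(raw.decode("latin-1").encode("utf-16-le")).hex().upper()


def same_hash_from_both_tools(password: str, terminal_encoding: str = "utf-8") -> bool:
    """True when both computations agree, i.e. the stored hash does not depend
    on which tool produced it."""
    return nt_hash(password) == nt_hash_bytewise(password, terminal_encoding)


if __name__ == "__main__":
    for pw in ("password", "pässword"):   # constructed sample passwords
        print(pw, nt_hash(pw), same_hash_from_both_tools(pw))
```

For ASCII passwords the two agree, so existing hashes keep working after switching tools; for non-ASCII input they only agree if the tool does the UTF-16LE conversion from the correct source encoding.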
[Samba] samba + ldap
Hi, all.

Now my LDAP directory is used for storing unix user accounts. I want to use it for Samba auth too. My Samba config and LDAP records are attached.

When I try to start smbd I get this error in the logfile:

[2005/11/25 16:30:21, 3] passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2513)
primary group of [nobody] not found

Any ideas?

WBR
-- Dmitriy Kirhlarov OILspace, 26 Leninskaya sloboda, bld. 2, 2nd floor, 115280 Moscow, Russia P:+7 095 105 7247 ext.203 F:+7 095 105 7246 E:[EMAIL PROTECTED] OILspace - The resource enriched - www.oilspace.com

dn: uid=root,ou=users,o=oiltest
cn: root
sn: root
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: root
uidNumber: 0
homeDirectory: /home/root
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaPrimaryGroupSID: S-1-5-21-3177952046-2209943301-2637743033-512
sambaLMPassword: XXX
sambaNTPassword: XXX
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-3177952046-2209943301-2637743033-500
loginShell: /bin/false
gecos: Netbios Domain Administrator

dn: uid=nobody,ou=users,o=oiltest
cn: nobody
sn: nobody
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 514
uid: nobody
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaPrimaryGroupSID: S-1-5-21-3177952046-2209943301-2637743033-514
sambaLMPassword: NO PASSWORDX
sambaNTPassword: NO PASSWORDX
sambaAcctFlags: [NU ]
loginShell: /bin/false
sambaSID: S-1-5-21-3177952046-2209943301-2637743033-501

dn: cn=Domain Admins,ou=groups,o=oiltest
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-3177952046-2209943301-2637743033-512
sambaGroupType: 2
displayName: Domain Admins

dn: cn=Domain Guests,ou=groups,o=oiltest
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-3177952046-2209943301-2637743033-514
sambaGroupType: 2
displayName: Domain Guests
memberUid: nobody

dn: cn=Domain Users,ou=groups,o=oiltest
sambaGroupType: 2
displayName: Domain Users
description: Netbios Domain Users
objectClass: posixGroup
objectClass: sambaGroupMapping
memberUid: nobody
gidNumber: 513
sambaSID: S-1-5-21-3177952046-2209943301-2637743033-513
cn: Domain Users

[global]
add group script = /usr/local/sbin/smbldap-groupadd -p %g
add machine script = /usr/local/sbin/smbldap-useradd -w %u
add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
admin users = root Administrator
available = yes
bind interfaces only = yes
client ntlmv2 auth = yes
deadtime = 30
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
delete user script = /usr/local/sbin/smbldap-userdel %u
display charset = KOI8-R
dont descend = /proc,/dev,/usr/compat/linux/proc
dos charset = CP866
dos filetimes = yes
interfaces = fxp0 lo0
lanman auth = no
ldap admin dn = uid=fbsd-samba-admin,ou=virtusers,o=oiltest
ldap group suffix = ou=groups
ldap machine suffix = ou=machines
ldap passwd sync = Only
ldap replication sleep = 2000
ldapsam:trusted = yes
ldap ssl = start_tls
ldap suffix = o=oiltest
ldap user suffix = ou=users
log file = /var/log/samba/log
log level = 3 passdb:5 auth:10 winbind:2
map to guest = Bad User
netbios name = FBSD
os level = 65
passdb backend = ldapsam:ldap://fbsd
passwd program = /usr/local/sbin/smbldap-passwd %u
preload = Guest pub cdrom printers
security = USER
server signing = auto
server string = Samba Server on fbsd.mow.oilspace.com
set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u
time server = yes
workgroup = OILSPACE

[Guest]
# This share is needed for map to guest if security is not share
comment = FTP public share
path = /var/ftp/pub
read only = yes

[pub]
hide dot files = no
hide special files = yes
inherit acls = yes
inherit permissions = yes
locking = yes
map acl inherit = yes
available = no
comment = FTP public share
path = /var/ftp/pub
browseable = yes

[homes]
comment = Home Directory
path = /home/%U
read only = no
browseable = yes
Re: [Samba] samba + ldap
I had the same problem as this!! Well, if you're using ldapsam:trusted=yes look for the thread titled [samba]ldapsam:trusted = yes kills smbd ..but pretty much it was this.. I have changed the sambaPrimaryGroupSid: S-1-1-0 on uid=nobody and changed sambaSID: S-1-1-0 on group nobody and it now starts yeh!! :)

On Fri, 2005-11-25 at 14:37, Dmitriy Kirhlarov wrote:
> Hi, all. Now my LDAP directory is used for storing unix user accounts. I want to use it for Samba auth too. My Samba config and LDAP records are attached. When I try to start smbd I get this error in the logfile:
>
> [2005/11/25 16:30:21, 3] passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2513) primary group of [nobody] not found
>
> Any ideas?
>
> WBR
> -- Dmitriy Kirhlarov OILspace, 26 Leninskaya sloboda, bld. 2, 2nd floor, 115280 Moscow, Russia P:+7 095 105 7247 ext.203 F:+7 095 105 7246 E:[EMAIL PROTECTED] OILspace - The resource enriched - www.oilspace.com
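A "primary group of [user] not found" report is about cross-references between sambaSamAccount and sambaGroupMapping entries, so a structural check of the posted LDIF is a reasonable first step. This is an added example, not code from the thread or from Samba: it assumes the primary group is resolved via the user's gidNumber to a posixGroup that carries a sambaSID (my reading, not something the thread states), and runs that check over a trimmed copy of the entries posted above.

```python
# Trimmed copy of the entries posted in the thread (only the attributes the
# check needs; passwords and timestamps omitted).
SAMPLE_LDIF = """\
dn: uid=root,ou=users,o=oiltest
objectClass: sambaSamAccount
objectClass: posixAccount
uid: root
gidNumber: 0
sambaSID: S-1-5-21-3177952046-2209943301-2637743033-500
sambaPrimaryGroupSID: S-1-5-21-3177952046-2209943301-2637743033-512

dn: uid=nobody,ou=users,o=oiltest
objectClass: sambaSamAccount
objectClass: posixAccount
uid: nobody
gidNumber: 514
sambaSID: S-1-5-21-3177952046-2209943301-2637743033-501
sambaPrimaryGroupSID: S-1-5-21-3177952046-2209943301-2637743033-514

dn: cn=Domain Admins,ou=groups,o=oiltest
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
sambaSID: S-1-5-21-3177952046-2209943301-2637743033-512

dn: cn=Domain Guests,ou=groups,o=oiltest
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
sambaSID: S-1-5-21-3177952046-2209943301-2637743033-514
"""


def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, repeated
    attributes collected into lists, attribute names lower-cased because
    LDAP treats them case-insensitively (sambaPrimaryGroupSID vs
    sambaPrimaryGroupSid). Continuation lines and base64 values are not handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def _has_class(entry, name):
    return name.lower() in [c.lower() for c in entry.get("objectclass", [])]


def check_primary_groups(entries):
    """Return one problem string per sambaSamAccount whose primary group does
    not resolve: the gidNumber must belong to a sambaGroupMapping group, and
    that group's sambaSID must equal the user's sambaPrimaryGroupSID."""
    groups_by_gid = {e["gidnumber"][0]: e
                     for e in entries if _has_class(e, "sambaGroupMapping")}
    problems = []
    for e in entries:
        if not _has_class(e, "sambaSamAccount"):
            continue
        uid = e["uid"][0]
        gid = e.get("gidnumber", [None])[0]
        want = e.get("sambaprimarygroupsid", [None])[0]
        group = groups_by_gid.get(gid)
        if group is None:
            problems.append(f"{uid}: gidNumber {gid} has no sambaGroupMapping group")
        elif group["sambasid"][0] != want:
            problems.append(f"{uid}: sambaPrimaryGroupSID {want} != group SID "
                            f"{group['sambasid'][0]}")
    return problems


if __name__ == "__main__":
    for p in check_primary_groups(parse_ldif(SAMPLE_LDIF)):
        print(p)
```

On the posted entries the check passes for nobody but flags root, whose gidNumber 0 has no group entry while its sambaPrimaryGroupSID points at Domain Admins (gidNumber 512).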
[Samba] Samba/LDAP-Backend stability on Debian Sarge
Hi,

First, excuse me if this post is a bit off-topic, maybe this should be posted in the debian-users mailing list, but I just wanted to read your experiences with this kind of setup, since I've migrated the server to Debian Sarge using an LDAP backend to serve clients using WinXP and Win98, and I've got these serious problems:

- Samba segfaults [1]
- The slapd process crashes very often, almost once per day (I had to create a cron job to restart it periodically).
- Slow MS Access database access [2] (I'm still trying to figure this one out, maybe it is a change of default in some Samba option).

Are any of you running a setup like this and having similar problems? Any idea on how I could solve any of this?

Thanks,
santiago.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314461
[2] http://rubyurl.com/9Dz
Re: [Samba] Samba/LDAP-Backend stability on Debian Sarge
On Sat, 2005-11-12 at 12:35 -0500, Jorge Santiago wrote:
> Hi,
>
> First, excuse me if this post is a bit off-topic, maybe this should be posted in the debian-users mailing list, but I just wanted to read your experiences with this kind of setup, since I've migrated the server to Debian Sarge using an LDAP backend to serve clients using WinXP and Win98, and I've got these serious problems:
>
> - Samba segfaults [1]
> - The slapd process crashes very often, almost once per day (I had to create a cron job to restart it periodically).
> - Slow MS Access database access [2] (I'm still trying to figure this one out, maybe it is a change of default in some Samba option).
>
> Are any of you running a setup like this and having similar problems? Any idea on how I could solve any of this?
>
> Thanks,
> santiago.
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314461
> [2] http://rubyurl.com/9Dz

Seems as though you have to fix the Samba segfaulting issue and the slapd issue first before you can think about fixing the slow Access issue.

Samba is a very stable daemon when properly installed and configured.
OpenLDAP is a very stable daemon when properly installed and configured.

I haven't a clue on where you might have deviated in the installation/configuration processes on either Samba or OpenLDAP that might be causing your issues, and you might want to use Debian resources to help you troubleshoot them.

Craig
[Samba] samba + ldap + root user
Hello everybody,

Simple question: does the LDAP root user (uid=0) needed for Samba have to have root as its username, or just uid=0? In other words, can I have a Samba root user without calling him root?

Thanks!
Re: [Samba] samba + ldap + root user
FM schrieb:
> Hello everybody,
>
> Simple question: does the LDAP root user (uid=0) needed for Samba have to have root as its username, or just uid=0? In other words, can I have a Samba root user without calling him root?

You can call it what you like. I called mine Administrator.

-- Tomek http://wpkg.org WPKG - software deployment and upgrades with Samba
Re: [Samba] Samba/Ldap as BDC for ADS
On Mon, 2005-10-31 at 09:12 +0100, Patrick blitz wrote:
> I'm sorry if this has been asked a quadrillion times before, but I was just wondering about it: I know Samba can't be a BDC for ADS. I also know that OpenLDAP can sync with an MS ADS server.

I don't think it can do that to the extent we would require.

> Samba can also auth against both LDAP and ADS. So, shouldn't it be possible to use a Samba/OpenLDAP server combination as a Local Master kind of thing as a type of BDC for an ADS domain?

No. Samba3 does not have the technology to be an ADS domain controller. Samba4 development already has this, and we hope to have a technology preview soon.

> Or are there higher obstacles like there being no way to tell the Windows clients who's their second-in-command master?

There is just a very big gap between Samba3 and what ADS requires of a DC.

Andrew Bartlett

-- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Student Network Administrator, Hawker College http://hawkerc.net
[Samba] Samba/Ldap as BDC for ADS
I'm sorry if this has been asked a quadrillion times before, but I was just wondering about it: I know Samba can't be a BDC for ADS. I also know that OpenLDAP can sync with an MS ADS server. Samba can also auth against both LDAP and ADS. So, shouldn't it be possible to use a Samba/OpenLDAP server combination as a Local Master kind of thing as a type of BDC for an ADS domain? Or are there higher obstacles like there being no way to tell the Windows clients who's their second-in-command master?

Thanks a bunch, guys
Patrick
Re: [Samba] Samba + LDAP + TLS
On 10/24/05, Jukka Hienola [EMAIL PROTECTED] wrote:
> My question is, how can changing passdb backend from ldap.server.name to 127.0.0.1 have this effect, since the server name should have been resolvable with the /etc/hosts file? Does it have something to do with my certificate files, which are generated using ldap.server.name? However, I was able to login with TLS and Apache, so I don't think that's the case.

Some LDAP clients are more or less forgiving of certificate name mismatches. OpenLDAP 2.0.27 will work if the name mismatches; OpenLDAP 2.2.23 won't; IIRC, pam_ldap won't, even if linked against OpenLDAP 2.0.27 libraries. So that may explain why some software works and some doesn't.

Josh Kelley
[Samba] Samba + LDAP + TLS
Hi!

I'm a bit new to Samba+LDAP integration, and most likely because of that I experienced this morning something I can't fully understand. I would appreciate it if someone could explain to me what was really wrong.

So, our name server was unavailable this morning due to an OS update. The division's Samba and LDAP services are running on the same server, and Samba is using TLS in connecting to the LDAP service. Because some of the network names were not resolvable, I changed passdb backend = ldapsam:ldap://ldap.server.name/; to passdb backend = ldapsam:ldap://127.0.0.1/; in smb.conf, although I have ldap.server.name also in /etc/hosts, just in case. In the file /etc/nsswitch.conf I have the line hosts: files dns.

After I restarted Samba, I just couldn't login to the domain anymore, either with any machine or domain user accounts. Samba gave me errors like

smbd[1956]: [2005/10/24 11:03:17, 0] lib/smbldap.c:smbldap_open_connection(677)
smbd[1956]: Failed to issue the StartTLS instruction: Connect error
smbd[1956]: [2005/10/24 11:03:17, 1] lib/smbldap.c:another_ldap_try(1011)
smbd[1956]: Connection to LDAP server failed for the 1 try!
smbd[1956]: [2005/10/24 11:03:18, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
smbd[1956]: init_sam_from_ldap: Entry found for user: myusr
smbd[1956]: [2005/10/24 11:03:18, 1] passdb/pdb_ldap.c:init_sam_from_ldap(553)
smbd[1956]: init_sam_from_ldap: no sambaSID or sambaSID attribute found for this user myusr
smbd[1956]: [2005/10/24 11:03:18, 1] passdb/pdb_ldap.c:ldapsam_getsampwnam(1346)
smbd[1956]: ldapsam_getsampwnam: init_sam_from_ldap failed for user 'myusr'!
smbd[1956]: [2005/10/24 11:03:18, 2] auth/auth.c:check_ntlm_password(312)
smbd[1956]: check_ntlm_password: Authentication for user [myusr] - [myusr] FAILED with error NT_STATUS_NO_SUCH_USER

so I assume that this issue was somehow related to the changes I made in the smb.conf file.

At the same time I could login to the server using ssh, and also e.g. the command smbclient -L ldap.server.name -U myusr gave me a list of all available services. Also I could authenticate myself through Apache, which also uses TLS to connect to the LDAP server.

My question is, how can changing passdb backend from ldap.server.name to 127.0.0.1 have this effect, since the server name should have been resolvable with the /etc/hosts file? Does it have something to do with my certificate files, which are generated using ldap.server.name? However, I was able to login with TLS and Apache, so I don't think that's the case.

Thanks in advance,
Jukka Hienola
Re: [Samba] Samba + LDAP + TLS
Jukka Hienola wrote:

| So, our name server was unavailable this morning due
| to OS update. Division's Samba and LDAP services are
| running on same server, and Samba is using TLS in
| connecting to LDAP service. Because some of the network
| names were not resolvable, I changed passdb backend =
| ldapsam:ldap://ldap.server.name/; to passdb backend =
| ldapsam:ldap://127.0.0.1/; in smb.conf, although I have
| ldap.server.name also in /etc/hosts, just in case. In
| file /etc/nsswitch.conf I have line hosts: files dns.
| After I restarted Samba, I just couldn't login to
| domain anymore either with any machine or domain user accounts.
| Samba gave me errors like
|
| smbd[1956]: [2005/10/24 11:03:17, 0]
| lib/smbldap.c:smbldap_open_connection(677)
| smbd[1956]: Failed to issue the StartTLS instruction: Connect error

My immediate guess would be that the connect failed due to a mismatch in the server name's cert. Make sure you can run 'ldapsearch -ZZ -h 127.0.0.1 ...'

cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm) --- http://www.samba.org
GnuPG Key - http://www.plainjoe.org/gpg_public.asc
"There's an anonymous coward in all of us." --anonymous
Re: [Samba] Samba + LDAP + TLS
Gerald (Jerry) Carter wrote:

> Jukka Hienola wrote:
>
> | So, our name server was unavailable this morning due
> | to OS update. Division's Samba and LDAP services are
> | running on same server, and Samba is using TLS in
> | connecting to LDAP service. Because some of the network
> | names were not resolvable, I changed passdb backend =
> | ldapsam:ldap://ldap.server.name/; to passdb backend =
> | ldapsam:ldap://127.0.0.1/; in smb.conf, although I have
> | ldap.server.name also in /etc/hosts, just in case. In
> | file /etc/nsswitch.conf I have line hosts: files dns.
> | After I restarted Samba, I just couldn't login to
> | domain anymore either with any machine or domain user accounts.
> | Samba gave me errors like
> |
> | smbd[1956]: [2005/10/24 11:03:17, 0]
> | lib/smbldap.c:smbldap_open_connection(677)
> | smbd[1956]: Failed to issue the StartTLS instruction: Connect error
>
> My immediate guess would be that the connect failed due to a mismatch in the server name's cert. Make sure you can run 'ldapsearch -ZZ -h 127.0.0.1 ...'

Yes I can. Any other way to connect to LDAP service via TLS works fine except Samba.

Jukka
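Jerry's guess (a name mismatch in the server certificate) and Josh Kelley's remark earlier in the thread that some LDAP clients tolerate such a mismatch and others refuse the connection both come down to one step in a TLS client: comparing the name it connected to with the names carried in the certificate. The following is an added example, not code from this thread or from Samba or OpenLDAP. It is a small Python implementation of the usual hostname-matching rules (RFC 6125 style) applied to certificate dictionaries in the shape Python's ssl.SSLSocket.getpeercert() returns; the certificates, the hostname ldap.server.name and the smb.conf URIs are constructed for the example. It shows why a StartTLS connection to 127.0.0.1 fails against a certificate issued for ldap.server.name unless the certificate also carries an iPAddress subjectAltName, while the same certificate is accepted when the client connects by hostname, which /etc/hosts can resolve even with DNS down.

```python
import ipaddress

# Certificate dicts use the shape ssl.SSLSocket.getpeercert() returns:
# 'subject' is a tuple of RDNs, 'subjectAltName' a tuple of (type, value)
# pairs. Both certificates below are constructed for this example.
CERT_HOSTNAME_ONLY = {
    "subject": ((("commonName", "ldap.server.name"),),),
    "subjectAltName": (("DNS", "ldap.server.name"),),
}

CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "ldap.server.name"),),),
    "subjectAltName": (("DNS", "ldap.server.name"), ("IP Address", "127.0.0.1")),
}


def _parse_ip(text):
    """Return an ip_address object, or None when text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_id_matches(pattern, hostname):
    """Compare one DNS name from the certificate with the target hostname.
    Matching is case-insensitive; a '*' is accepted only as the entire
    leftmost label and must leave at least two fixed labels behind it."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_target(cert, target):
    """True if the name the client connected to is covered by the cert.

    - An IP literal target matches only an 'IP Address' SAN entry; a CN
      that merely looks like an IP does not count.
    - A hostname target is checked against DNS SAN entries; the subject
      CN is consulted only when the certificate has no DNS SAN at all.
    """
    sans = cert.get("subjectAltName", ())
    ip = _parse_ip(target)
    if ip is not None:
        return any(kind == "IP Address" and _parse_ip(value) == ip
                   for kind, value in sans)
    dns_ids = [value for kind, value in sans if kind == "DNS"]
    if dns_ids:
        return any(_dns_id_matches(d, target) for d in dns_ids)
    common_names = [value for rdn in cert.get("subject", ())
                    for key, value in rdn if key == "commonName"]
    return any(_dns_id_matches(cn, target) for cn in common_names)


def host_from_ldap_uri(uri):
    """Host part of an ldap:// URI as written after 'ldapsam:' in smb.conf
    (optional port and trailing path are dropped; bracketed IPv6 handled)."""
    authority = uri.split("://", 1)[1].split("/", 1)[0]
    if authority.startswith("["):
        return authority[1:authority.index("]")]
    return authority.rsplit(":", 1)[0] if ":" in authority else authority


def check_ldap_uri(cert, uri):
    """Return (host, accepted): whether a strict TLS client would accept
    `cert` for a connection made to the host named in `uri`."""
    host = host_from_ldap_uri(uri)
    return host, cert_matches_target(cert, host)


if __name__ == "__main__":
    for uri in ("ldap://ldap.server.name/", "ldap://127.0.0.1/"):
        print(uri, "->", check_ldap_uri(CERT_HOSTNAME_ONLY, uri))
```

A client that is "forgiving" in Josh's sense skips or downgrades the step cert_matches_target performs (for OpenLDAP clients this is governed by the TLS_REQCERT setting in ldap.conf), which is why the same certificate can be accepted by one program and refused by another on the same box. The two ways to satisfy a strict client are to keep connecting by the name the certificate was issued for, or to reissue the certificate with an iPAddress SAN for the loopback address.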
[Samba] Samba+LDAP Groups resolving problem
Hi,

I have managed to configure Samba+LDAP+smbldap-tools. Everything works fine, except one strange problem is appearing. When I connect with Windows tool UserManagerForDomains or I want to create a share on a Windows box I can see the users but no groups.

With UserManagerForDomains I see following:

Users: All the users
Groups: none, just description of Replicators Group and the description Domain Unix Group

When I try to add a group on share via selecting it I see nothing. The strange thing is that everything works fine and when I add a group like DOMAIN\group it works normally.

The only error I found was the LDAP error

<= bdb_equality_candidates: (sambaGroupType) index_param failed (18)

but I can't find any clues. In the slapd.conf file I use access control policy like in the idealx manual.

The LDAP log file:

Oct 20 14:34:31 kope slapd[6707]: conn=1 op=28 SRCH base="ou=Users,dc=r-kb,dc=si" scope=2 deref=0 filter="(&(uid=*)(objectClass=sambaSamAccount))"
Oct 20 14:34:31 kope slapd[6707]: conn=1 op=28 SRCH attr=uid sambaSid displayName description sambaAcctFlags
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=28 SEARCH RESULT tag=101 err=0 nentries=511 text=
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=29 SRCH base="ou=Groups,dc=r-kb,dc=si" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaGroupType=4))"
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=29 SRCH attr=cn sambaSid displayName description sambaGroupType
Oct 20 14:34:32 kope slapd[6707]: <= bdb_equality_candidates: (sambaGroupType) index_param failed (18)
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=29 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=30 SRCH base="ou=Groups,dc=r-kb,dc=si" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaGroupType=5))"
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=30 SRCH attr=cn sambaSid displayName description sambaGroupType
Oct 20 14:34:32 kope slapd[6707]: <= bdb_equality_candidates: (sambaGroupType) index_param failed (18)
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=30 SEARCH RESULT tag=101 err=0 nentries=5 text=
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=31 SRCH base="ou=Groups,dc=r-kb,dc=si" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-32-544))"
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=31 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=31 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=32 SRCH base="ou=Groups,dc=r-kb,dc=si" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-32-548))"
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=32 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=32 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=33 SRCH base="ou=Groups,dc=r-kb,dc=si" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-32-550))"
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=33 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=33 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=34 SRCH base="ou=Groups,dc=r-kb,dc=si" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-32-551))"
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=34 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=34 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=35 SRCH base="ou=Groups,dc=r-kb,dc=si" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-32-552))"
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=35 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=35 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=36 SRCH base="ou=Groups,dc=r-kb,dc=si" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaGroupType=2))"
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=36 SRCH attr=cn sambaSid displayName description sambaGroupType
Oct 20 14:34:32 kope slapd[6707]: <= bdb_equality_candidates: (sambaGroupType) index_param failed (18)
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=36 SEARCH RESULT tag=101 err=0 nentries=6 text=

Thanks
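An added example for reading logs like the one in the post above; it is not code from the post, from Samba or from OpenLDAP. In OpenLDAP's back-bdb, a line of the form "<= bdb_equality_candidates: (attr) index_param failed (18)" means the filter asked for an equality match on an attribute that has no equality index (18 is the LDAP result code inappropriateMatching). slapd then cannot narrow the candidate set with an index and evaluates the filter against a full scan, so the search still returns correct results, as the nentries=5 and nentries=6 on the sambaGroupType=5 and sambaGroupType=2 searches above show; the warning is a performance problem, not by itself the reason a group list comes back empty. The parser below correlates each search with its result and with the warnings slapd printed while serving it, reports which attributes need an "index <attr> eq" line in slapd.conf (followed by a slapindex run), and checks whether the warned-on searches were in fact the empty ones. The sample log lines are constructed to mirror the excerpt in the post.

```python
import re
from collections import OrderedDict

# Constructed sample mirroring the slapd log excerpt in the post (same conn
# and op numbers, same filters); not lines captured from a live server.
SAMPLE_LOG = """\
Oct 20 14:34:31 kope slapd[6707]: conn=1 op=28 SRCH base="ou=Users,dc=r-kb,dc=si" scope=2 deref=0 filter="(&(uid=*)(objectClass=sambaSamAccount))"
Oct 20 14:34:31 kope slapd[6707]: conn=1 op=28 SRCH attr=uid sambaSid displayName description sambaAcctFlags
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=28 SEARCH RESULT tag=101 err=0 nentries=511 text=
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=29 SRCH base="ou=Groups,dc=r-kb,dc=si" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaGroupType=4))"
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=29 SRCH attr=cn sambaSid displayName description sambaGroupType
Oct 20 14:34:32 kope slapd[6707]: <= bdb_equality_candidates: (sambaGroupType) index_param failed (18)
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=29 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=30 SRCH base="ou=Groups,dc=r-kb,dc=si" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaGroupType=5))"
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=30 SRCH attr=cn sambaSid displayName description sambaGroupType
Oct 20 14:34:32 kope slapd[6707]: <= bdb_equality_candidates: (sambaGroupType) index_param failed (18)
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=30 SEARCH RESULT tag=101 err=0 nentries=5 text=
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=31 SRCH base="ou=Groups,dc=r-kb,dc=si" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544))"
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=31 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=36 SRCH base="ou=Groups,dc=r-kb,dc=si" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaGroupType=2))"
Oct 20 14:34:32 kope slapd[6707]: <= bdb_equality_candidates: (sambaGroupType) index_param failed (18)
Oct 20 14:34:32 kope slapd[6707]: conn=1 op=36 SEARCH RESULT tag=101 err=0 nentries=6 text=
"""

# Only the "SRCH base=" line opens a search; the "SRCH attr=" line that
# follows it in the log carries no base/filter and is deliberately ignored.
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="?([^"\s]+)"?.*?filter="?(\(.*\))"?\s*$')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*?err=(\d+) nentries=(\d+)')
# The leading '<' is optional so the form in the post (lost in extraction) parses too.
INDEX_RE = re.compile(r'<?= bdb_(\w+)_candidates: \((\w+)\) index_param failed \((\d+)\)')
LDAP_INAPPROPRIATE_MATCHING = 18
INDEX_KIND = {"equality": "eq", "substring": "sub", "presence": "pres", "approx": "approx"}


def parse_slapd_log(text):
    """Map (conn, op) -> record with base, filter, err, nentries and the list
    of (attribute, index kind, code) warnings raised while serving it.
    Warning lines carry no conn/op tag, so each is attached to the search
    most recently opened in the log (one connection at a time is assumed,
    as in the excerpt in the post)."""
    ops = OrderedDict()
    current = None
    for line in text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            ops[current] = {"base": m.group(3), "filter": m.group(4),
                            "err": None, "nentries": None, "unindexed": []}
            continue
        m = INDEX_RE.search(line)
        if m and current is not None:
            ops[current]["unindexed"].append((m.group(2), m.group(1), int(m.group(3))))
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            if key in ops:
                ops[key]["err"] = int(m.group(3))
                ops[key]["nentries"] = int(m.group(4))
    return ops


def missing_indexes(ops):
    """Attributes whose filters triggered 'index_param failed (18)', mapped
    to the sorted list of index kinds slapd wanted for them."""
    needed = {}
    for rec in ops.values():
        for attr, kind, code in rec["unindexed"]:
            if code == LDAP_INAPPROPRIATE_MATCHING:
                needed.setdefault(attr, set()).add(INDEX_KIND.get(kind, kind))
    return {attr: sorted(kinds) for attr, kinds in needed.items()}


def slapd_conf_lines(needed):
    """slapd.conf 'index' directives to add; rerun slapindex afterwards."""
    return ["index %s %s" % (attr, ",".join(kinds)) for attr, kinds in sorted(needed.items())]


def warned_searches_all_empty(ops):
    """True only if every search that raised an index warning returned zero
    entries. When a warned-on search still returns entries, the warning is
    a performance issue and cannot by itself explain a missing result."""
    warned = [rec for rec in ops.values() if rec["unindexed"]]
    return bool(warned) and all(rec["nentries"] == 0 for rec in warned)


if __name__ == "__main__":
    parsed = parse_slapd_log(SAMPLE_LOG)
    for key, rec in parsed.items():
        print(key, rec["filter"], "nentries=%s" % rec["nentries"], rec["unindexed"])
    print(slapd_conf_lines(missing_indexes(parsed)))
    print("warned searches all empty:", warned_searches_all_empty(parsed))
```

Run against the sample, the report lists "index sambaGroupType eq" as the directive to add and answers False for warned_searches_all_empty, since the sambaGroupType=5 and sambaGroupType=2 searches returned entries despite the warning; only the sambaGroupType=4 search (local groups) came back empty, which is the line to look at when chasing the missing group list.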