Re: [Samba] Samba/LDAP/PDC Questions
Hello Eric,

I just want to make sure we are on the same page. After vampiring, I got all the user accounts, computer accounts, groups, and membership created correctly. For some reason, the login is disabled. Once I do "smbpasswd -e ", I am able to login to that account with the right password. So the NT password migrated OK. smbPassword field only contains '{Crypt}x' but once I copied the hashed password from NIS map to that field prefixed with {Crypt}, I can also login to the Unix account. All together it means that I have ways to make sure the user authentication will work fine with Windows and Unix login. But at what point and in what way does the password synchronization work, and in what direction?

The only remaining obstacle is that the computer authentication failed. The computer cannot log into the domain unless I rejoin it to the domain. I think this is where you failed also. I wonder if there is any way to get all the computer account hashes in text format from the original NT PDC and just write a script to stick the hash into the corresponding smbNTPassword field, just like what I did with the userPassword field. Any suggestion?

Finally, I did get some kind of smbNTPassword during vampiring, does it at least look right? Is there any way I can compare it to the original on the NT Server? Here is what my machine account looks like:

Thanks!
--- Kang Sun

dn: uid=KSUN$,ou=People,dc=ab,dc=com
objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
cn: KSUN$
sn: KSUN$
uid: KSUN$
uidNumber: 1801
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
sambaSID: S-1-5-21-72881033-379349262-1855928443-4737
displayName: KSUN$
sambaLogonTime: 1090863161
sambaNTPassword: BCE2D22F8B6638F72008CA16CDEA1F4D
sambaPwdLastSet: 1089841247
sambaAcctFlags: [W ]
gidNumber: 1000
sambaPrimaryGroupSID: S-1-5-21-72881033-379349262-1855928443-515
Re: [Samba] Samba/LDAP/PDC Questions
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Attempting vampire here when everything else works results in user accounts being created in the LDAP directory (and with a slight ugly hackish modification to the idealx smbldap-useradd script, posix accounts being created) and NTLM password hashes being set in the LDAP tree, and computer accounts being created *but* here is the catch, the NTLM password hashes for computer accounts are not created.

So if we think of it as a four step process;

1. Create user accounts *OK*
2. Set user account password hashes *OK*
3. Create Machine accounts *OK*
4. Set Machine account password hashes *FAIL*

Of course I'm not bothering to mention the other stuff that it does cause it's all a bit of black magic to me, but you get the general idea, it creates user groups as well and associates the appropriate accounts with the appropriate groups and handles the Unix UID / GID mapping to the NT equivalent security information.

I'm trying to get more information on the entire process to provide debug logs to the samba team et al, but I've just been flat out on other stuff in the meantime which unfortunately has a higher priority than this at the moment, but I'll endeavour to get the diagnostic info asap, if someone else wanted to do it before me though, I assume the interesting stuff would be;

smbd -d 10 -i > smbd.log 2>&1
tcpdump packet capture of traffic between NT PDC and Linux vampire process
strace -f net rpc vampire -S pdc -U administrator%password > vampire.log 2>&1

And try to make sure you're not broadcasting your password hashes in potentially public bug logs. ^^

What I can tell you from looking at the process so far, is that the NT PDC is *definitely* providing machine account password hashes, it just appears that whatever samba should be doing with them, it is not.

Best of luck

Regards
Eric J Bennett

Paul Gienger wrote:
| I'm not at all experienced with the vampire command, but I believe it is
| supposed to bring passwords over. Perhaps someone can interject here
| who does know what they're talking about???
|
| (note: bringing back on list from an accidental, i suspect, pm)
|
| Kang Sun wrote:
|
|> Hello Paul,
|>
|> I have questions on migration. Some other people like Eric
|> Bennet and Mike Brodbelt posted the similar questions. But I cannot
|> find a definite answer to this question: would vampiring using
|> samba/ldap/smbldap-tools actually migrates passwords at all?
|>
|> If the "add user/machine script" from smb.conf is the only
|> tool vampiring process is calling, it certainly won't create password.
|> Below are the conversation between me and Mike. I hope you can help us.
|>
|> -- Kang
|>
|> Kang Sun wrote:
|> > Hello Mike,
|> >
|> > I did similar things and have similar problems.
|> > I looked at the ldap database, the migration did nothing but get all the
|> > names of users and machines.
|> > If the smbldap-* scripts are the only things vampire process is calling, I
|> > don't see how would it would get anything else.
|>
|> Agreed, although when migrating with a tdbsam backend, the vampire
|> process will populate the tdbsam with NT passwords and suchlike, but
|> also runs the useradd scripts to add the posix users, so I thought that
|> there may be some other data that Samba puts into LDAP directly, not via
|> invoking the scripts.
|>
|> The documentation from John Terpstra's book (available online at
|> http://de.samba.org/samba/docs/man/Samba-Guide/migration.html#id2549828)
|> suggests that the process should work with an LDAP backend, but I'm
|> currently at a loss to see how and I'm unable to replicate this, even
|> on a test network, with various versions of the Idealx smbldap-tools. It
|> doesn't appear to work as advertised at the moment.
|>
|> > After vampiring,
|> >
|> > 1. All the computer accounts and user accounts (posixAccount as well) are
|> > created just like being created by smbldap-useradd, with the default
|> > parameters as defined in the smbldap.conf or smbldap_config.pm, eg,
|> > profiles, logon scripts, etc, user name, etc.
|>
|> Yes, this seems to work when run from the command line. Vampiring seems
|> to throw up some errors that I've not tracked down yet though.
|>
|> > 2. Users lost its domain membership. Every user accounts are now belonging
|> > to "Domain Users" group. No one in "Domain Admins" group except
|> > Administrator.
|> >
|> > The migration process must have done more than just calling these
|> > smbldap-tools scripts, but I just don't see the effect.
|> >
|> > What do you see if you do
|> > smbldap-usershow or $ ?
|>
|> # smbldap-usershow detritus
|> dn: uid=rwind,ou=People,dc=acu,dc=ac,dc=uk
|> objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSAMAccount
|> cn: rwind
|> sn: rwind
|> uid: rwind
|> uidNumber: 1006
|> gidNumber: 513
|> homeDirectory: /home/rwind
|> loginShell: /bin/bash
|> gecos: System User
|> description: System User
|> userPassword: {crypt}x
|> samba
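One check worth running on a slapcat dump after a vampire run, to see at a glance which machine accounts came across without an NT hash (the symptom Eric, Mike and Kang describe in this thread), as an added example that is not part of the original posts. The LDIF it reads is constructed for the demo, the hash value in it is a placeholder, and the status names (OK, NO_NT_HASH, NOT_SAMBA_ACCOUNT) are my own:

```shell
#!/bin/sh
# Added example, not from the thread: scan an LDIF dump (e.g. the output of
# "slapcat -l dump.ldif" taken after "net rpc vampire") for machine accounts
# that came across without a usable NT hash. Machine accounts are recognised
# by a uid ending in "$". The sample LDIF is constructed for this demo and the
# hash value in it is a placeholder, not a real one.

# Constructed sample modelled on the entries quoted in the thread: one machine
# account with a hash, one that only got a posixAccount (no sambaSamAccount
# objectClass, like the quirm$ entry), one with the objectClass but no hash,
# and one ordinary user that must be ignored.
sample_ldif() {
    cat <<'EOF'
dn: uid=KSUN$,ou=People,dc=ab,dc=com
objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
uid: KSUN$
description: Computer
sambaAcctFlags: [W ]
sambaNTPassword: 00000000000000000000000000000000

dn: uid=quirm$,ou=Computers,dc=acu,dc=ac,dc=uk
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uid: quirm$
description: Computer

dn: uid=lost$,ou=Computers,dc=acu,dc=ac,dc=uk
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: lost$
sambaAcctFlags: [W ]

dn: uid=rwind,ou=People,dc=acu,dc=ac,dc=uk
objectClass: top
objectClass: posixAccount
objectClass: sambaSAMAccount
uid: rwind
sambaNTPassword: 00000000000000000000000000000000
EOF
}

# Read LDIF on stdin; print "<uid> <status>" for every machine account, where
# status is OK, NO_NT_HASH or NOT_SAMBA_ACCOUNT. Handles both one-objectClass-
# per-line LDIF and the comma-joined form that smbldap-usershow prints, and
# both spellings of the objectClass (sambaSamAccount / sambaSAMAccount).
check_machine_hashes() {
    awk '
        function flush() {
            if (uid ~ /\$$/) {
                if (!samba)       print uid " NOT_SAMBA_ACCOUNT"
                else if (!nthash) print uid " NO_NT_HASH"
                else              print uid " OK"
            }
            uid = ""; samba = 0; nthash = 0
        }
        /^dn:/               { flush() }
        /^uid: /             { uid = substr($0, 6) }
        /^objectClass: /     { if (tolower($0) ~ /sambasamaccount/) samba = 1 }
        /^sambaNTPassword: / { nthash = 1 }
        END                  { flush() }
    '
}

# Status of one account name in the constructed sample (empty for non-machines).
sample_status() {
    sample_ldif | check_machine_hashes | awk -v u="$1" '$1 == u { print $2 }'
}

# Number of machine accounts in the sample that are not OK.
sample_problem_count() {
    sample_ldif | check_machine_hashes | grep -vc ' OK$'
}

# Stand-alone run: report on the constructed sample.
sample_ldif | check_machine_hashes
```

Against a real directory, source the script and run `slapcat -l dump.ldif; check_machine_hashes < dump.ldif`. A machine listed as NO_NT_HASH is one that will not authenticate to the domain until it is rejoined (Kang's symptom), and NOT_SAMBA_ACCOUNT means the add machine script only created the posix half of the entry (Mike's quirm$).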
Re: [Samba] Samba/LDAP/PDC Questions
oops - meant to send to list

On Mon, 2004-07-26 at 07:23, Paul Gienger wrote:
> I'm not at all experienced with the vampire command, but I believe it is
> supposed to bring passwords over. Perhaps someone can interject here
> who does know what they're talking about???
>
> (note: bringing back on list from an accidental, i suspect, pm)
>

my experience with vampire command is that it is tricky and needs to be isolated so that your ldap isn't trashed. Thus prior to running net rpc vampire etc. - you should slapcat your ldap so you can trash the resulting ldap, slapadd the entries back in and try again after fixing things that don't work.

Also, you need to REALLY follow the instructions to the TEE - no shortcuts as any misconfiguration will cause it to fail. Join the domain - set the localsid - set smb.conf to a BDC type configuration. These steps are absolutely vital in addition to having ldap properly configured in smbldap, smb.conf etc. The first few efforts will almost always fail because of all of the necessary details.

But to affirm, yes, net rpc vampire process works, user accounts and groups, machine accounts and passwords can all be migrated. After vampire migration, elevate settings on samba so that the system becomes PDC and start samba services and turn netlogon service on NT4 system off.

Craig

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba/LDAP/PDC Questions
I'm not at all experienced with the vampire command, but I believe it is supposed to bring passwords over. Perhaps someone can interject here who does know what they're talking about???

(note: bringing back on list from an accidental, i suspect, pm)

Kang Sun wrote:

Hello Paul,

I have questions on migration. Some other people like Eric Bennet and Mike Brodbelt posted the similar questions. But I cannot find a definite answer to this question: would vampiring using samba/ldap/smbldap-tools actually migrates passwords at all?

If the "add user/machine script" from smb.conf is the only tool vampiring process is calling, it certainly won't create password. Below are the conversation between me and Mike. I hope you can help us.

-- Kang

Kang Sun wrote:
> Hello Mike,
>
> I did similar things and have similar problems.
> I looked at the ldap database, the migration did nothing but get all the
> names of users and machines.
> If the smbldap-* scripts are the only things vampire process is calling, I
> don't see how would it would get anything else.

Agreed, although when migrating with a tdbsam backend, the vampire process will populate the tdbsam with NT passwords and suchlike, but also runs the useradd scripts to add the posix users, so I thought that there may be some other data that Samba puts into LDAP directly, not via invoking the scripts.

The documentation from John Terpstra's book (available online at http://de.samba.org/samba/docs/man/Samba-Guide/migration.html#id2549828) suggests that the process should work with an LDAP backend, but I'm currently at a loss to see how and I'm unable to replicate this, even on a test network, with various versions of the Idealx smbldap-tools. It doesn't appear to work as advertised at the moment.

> After vampiring,
>
> 1. All the computer accounts and user accounts (posixAccount as well) are
> created just like being created by smbldap-useradd, with the default
> parameters as defined in the smbldap.conf or smbldap_config.pm, eg,
> profiles, logon scripts, etc, user name, etc.

Yes, this seems to work when run from the command line. Vampiring seems to throw up some errors that I've not tracked down yet though.

> 2. Users lost its domain membership. Every user accounts are now belonging
> to "Domain Users" group. No one in "Domain Admins" group except
> Administrator.
>
> The migration process must have done more than just calling these
> smbldap-tools scripts, but I just don't see the effect.
>
> What do you see if you do
> smbldap-usershow or $ ?

# smbldap-usershow detritus
dn: uid=rwind,ou=People,dc=acu,dc=ac,dc=uk
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSAMAccount
cn: rwind
sn: rwind
uid: rwind
uidNumber: 1006
gidNumber: 513
homeDirectory: /home/rwind
loginShell: /bin/bash
gecos: System User
description: System User
userPassword: {crypt}x
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: System User
sambaAcctFlags: [UX]
sambaSID: S-1-5-21-2704678572-2069052080-1039482078-3012
sambaLMPassword: XXX
sambaPrimaryGroupSID: S-1-5-21-2704678572-2069052080-1039482078-513
sambaProfilePath: \\TALITHA\profiles\rwind
sambaHomePath: \\TALITHA\home\rwind
sambaHomeDrive: M:
sambaNTPassword: XXX

# smbldap-usershow "quirm$"
dn: uid=quirm$,ou=Computers,dc=acu,dc=ac,dc=uk
objectClass: top,inetOrgPerson,posixAccount
cn: quirm$
sn: quirm$
uid: quirm$
uidNumber: 1013
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer

> or smbldap-groupshow ?

# smbldap-groupshow "Domain Admins"
dn: cn=Domain Admins,ou=Groups,dc=acu,dc=ac,dc=uk
objectClass: posixGroup,sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: Administrator
description: Netbios Domain Administrators
sambaSID: S-1-5-21-2704678572-2069052080-1039482078-512
sambaGroupType: 2
displayName: Domain Admins

So all that seems to have worked. It's just that some of the information hasn't migrated across, and in the context of a transparent migration off the NT4 server, the information that hasn't propagated is a showstopper. Despite reading all the docs I can lay hands on, I still can't see why, and the vampire process is not transparent to me - the docs just assume it'll work completely or not at all - there's nothing to tell one how to try and troubleshoot it if it half works, which is what's happening for me.

Mike.

ForwardSourceID:NT9A52

"Eric J Bennett" <[EMAIL PROTECTED]> wrote in message news:<[EMAIL PROTECTED]>...
> Hi all,
>
> I'm really lost here, I do net rpc vampire and it works perfectly for
> user accounts (sets NTLM pass etc) and creates machine accounts, but
> fails to allocate their password hashes, I think it's calling the
> smbldap-useradd utility to add accounts for machines, but I don't see
> why this would make the hashes transfer for users but not machines?
>
> Any help much appreciated.
>
> Regards
> E
Re: [Samba] Samba/LDAP/PDC Questions
1. In what situation do I need People group as the group for machines?

Always. Until they fix the bug/design issue that is.

2. Should the PDC itself be in the ldap backend database?

I haven't found a good reason that it 'has' to in my tests.

3. In the /etc/ldap.conf, if I turn on the nss stuff, I cannot log in to the domain anymore. It said "User does not exist".

Can you expand on this a bit more? From what you've said (which isn't much) it almost sounds like you didn't have ldap working as the posix auth system before you layered on samba.

Here are the specs of my setup:

Fedora 2 (kernel 2.6.5-1.358)
samba-3.0.3-5
openldap-2.1.29-1
smbldap-tools-0.8.5-1.1.fc2.dag

### /etc/samba/smb.conf #
[global]
workgroup = ab
netbios name = pdc
username map = /etc/samba/smbusers
admin users = @"Domain Admins"
server string = Samba Server %v
security = user
encrypt passwords = Yes
min passwd length = 3
obey pam restrictions = No
ldap passwd sync = Yes
time server = Yes
mangling method = hash2
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=ab,dc=com
ldap suffix = dc=ab,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
ldap ssl = no
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
preserve case = yes
short preserve case = yes
case sensitive = no

[homes]
comment = repertoire de %U, %u
read only = No
create mask = 0644
directory mask = 0775
browseable = No

[netlogon]
path = /home/netlogon/
browseable = No
read only = yes

[profiles]
path = /home/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
# next line allows administrator to access all profiles
valid users = %U "Domain Admins"

# /etc/openldap/slap.conf #
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/samba.schema
allow bind_v2
pidfile /var/run/slapd.pid
database ldbm
suffix "dc=ab,dc=com"
rootdn "cn=Manager,dc=ab,dc=com"
rootpw some secret
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# /etc/smbldap-tools/smbldap.conf
SID="S-1-5-21-324808091-3910462042-2848579765"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
suffix="dc=ab,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/tcsh"
userHome="/u/%U"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
userSmbHome="\\pdc\%U"
userProfile=""
userHomeDrive="H:"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# /etc/ldap.conf #
host 127.0.0.1
base dc=ab,dc=com
# nss_base_passwd ou=Users,dc=ab,dc=com?one
# nss_base_shadow ou=Users,dc=ab,dc=com?one
# nss_base_group ou=Group,dc=ab,dc=com?one
ssl no
pam_password md5

--- Kang Sun

--
Paul Gienger                      Office: 701-281-1884
Applied Engineering Inc.
Information Systems Consultant    Fax: 701-281-1322
URL: www.ae-solutions.com         mailto: [EMAIL PROTECTED]
Re: [Samba] Samba-ldap-pdc questions
> You have more than one suffix in slapd.conf - why? The one you use in smb.conf is a
> mixture of the two - that doesn't work. Use one of them - the one under which your
> user data is stored.

Multiple suffixes for a single database was supported in OpenLDAP until very recently, (don't know exact version), when it was dropped because 'it didn't make sense'. At least that's my understanding of the situation. Whether or not it makes sense in this person's circumstance is another issue altogether.

> > database ldbm
> > suffix "o=mydomain"
> > suffix "dc=mydomain,dc=com"
> > rootdn "cn=tsadmin,dc=mydomain,dc=com"
> > # Cleartext passwords, especially for the rootdn, should
> > # be avoided. See slappasswd(8) and slapd.conf(5) for details.
> > # Use of strong authentication encouraged.
> > # rootpw secret
> > rootpw {SSHA}nzEMEVTSdQYIy3jLsWn4xmQLQI/Cb0Tn
> > # The database directory MUST exist prior to running slapd AND
> > # should only be accessible by the slapd and slap tools.
> > # Mode 700 recommended.
> > directory /var/lib/ldap/
RE: [Samba] Samba-ldap-pdc questions
Thank you all for your help

1. I do have a netlogon share in smb.conf. samba pdc works well if I use smbpasswd backend.

I did use:
smbpasswd -w ROOT_DN_PASSWORD
to setup the ldap rootdn password. Also I used ldappasswd to generate the encrypted rootpw entry for slapd.conf. Is this necessary?

Thanks
Ron

-----Original Message-----
From: Craig White [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 05, 2004 11:26 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Samba-ldap-pdc questions

On Mon, 2004-01-05 at 16:50, Ron Liu wrote:
> Hi, There
> I am setting up Samba(3.0.1-1)-ldap(openldap-2.1.22-8)-pdc on Fedora 1.0.
> I used the RPMs for the installations. After setup, start both smb and ldap
> without problem. However when I tried to add users with smbpasswd -a userid,
> it gave me the following errors. Can someone point me to right direction, is
> there anything I can do to do more test and diagnosis. I've copied the error
> message, and the conf file for samba.conf and slapd.conf
>
> Thank you for your help!
>
> Ron Liu
> Information Technology Consultant
> Biology Department
> San Jose State University
> 408-924-4860
> [EMAIL PROTECTED]
>
>
> [EMAIL PROTECTED] openldap]# smbpasswd -a bliu
> New SMB password:
> Retype new SMB password:
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (unknown) (Invalid credentials)
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
> Failed to add entry for user bliu.
> Failed to modify password entry for user bliu
>
>
>
> #=== Global Settings ===
> [global]
>    workgroup = mydomain
>    netbios name = ts010
>    encrypt passwords = yes
>    passdb backend = ldapsam:ldap://localhost/
>    ldap suffix = o=mydomain,dc=mydomain,dc=com
>    ldap machine suffix = ou=Comupters
>    ldap user suffix = ou=Users
>    ldap group suffix = ou=Groups
>    ldap admin dn = "cn=tsadmin,dc=mydomain,dc=com"
> # ldap ssl = start tls
>    ldap delete dn = no
>    server string = mydomain Samba Server
>    hosts allow = 10.101.0. 10.101.1. 127.
>    printcap name = cups
>    load printers = yes
>    printing = cups
>    log file = /var/log/samba/%m.log
>    max log size = 50
>    security = user
>    password level = 8
> ;  username level = 8
>    smb passwd file = /etc/samba/smbpasswd
>    unix password sync = Yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd *all*authentication*tokens*updated*successfully*
> ;  username map = /etc/samba/smbusers
> ;  include = /etc/samba/smb.conf.%m
>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>    local master = yes
>    os level = 33
>    domain master = yes
>    preferred master = yes
>    domain logons = yes
>    logon script = scripts\logscript.bat
>    logon path = \\%L\Profiles\%U
>    logon drive = H:
>    logon home = \\%L\%U
> ;  name resolve order = wins lmhosts bcast
>    wins support = yes
>    dns proxy = no
>    write list = @tsadmin
>    add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
> [home]
> ...
> *
> my slapd.conf
>
> # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/redhat/autofs.schema
Re: [Samba] Samba-ldap-pdc questions
You have more than one suffix in slapd.conf - why? The one you use in smb.conf is a mixture of the two - that doesn't work. Use one of them - the one under which your user data is stored.

Jesore

> [global]
>    workgroup = mydomain
>    netbios name = ts010
>    encrypt passwords = yes
>    passdb backend = ldapsam:ldap://localhost/
>    ldap suffix = o=mydomain,dc=mydomain,dc=com
>    ldap machine suffix = ou=Comupters
>    ldap user suffix = ou=Users
>    ldap group suffix = ou=Groups
>    ldap admin dn = "cn=tsadmin,dc=mydomain,dc=com"
> # ldap ssl = start tls
>    ldap delete dn = no
>
> database ldbm
> suffix "o=mydomain"
> suffix "dc=mydomain,dc=com"
> rootdn "cn=tsadmin,dc=mydomain,dc=com"
> # Cleartext passwords, especially for the rootdn, should
> # be avoided. See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> # rootpw secret
> rootpw {SSHA}nzEMEVTSdQYIy3jLsWn4xmQLQI/Cb0Tn
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory /var/lib/ldap/
>
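A pre-flight check for the kind of mismatch Jesore points out (an "ldap suffix" in smb.conf that slapd does not serve, and an admin dn that does not sit under it), as an added example that is not part of the original posts. The smb.conf and slapd.conf it reads are constructed here from the settings quoted in this thread, the corrected variant and the function names are my own, and the check only covers what is visible in the two files: it cannot tell whether the bind password stored in secrets.tdb with `smbpasswd -w` is right, which is the other cause of the "Invalid credentials" errors Ron saw.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check the LDAP settings in smb.conf
# against slapd.conf before starting smbd. It flags an "ldap suffix" that slapd
# does not actually serve and an "ldap admin dn" that does not lie under that
# suffix. Both config files are constructed here (a cut-down copy of the ones
# quoted in the thread, plus a corrected variant); the paths are temporary.

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
SMB_CONF="$DEMO_DIR/smb.conf"
SMB_CONF_FIXED="$DEMO_DIR/smb.conf.fixed"
SLAPD_CONF="$DEMO_DIR/slapd.conf"

# As posted: the suffix is a mixture of slapd's two suffixes.
cat > "$SMB_CONF" <<'EOF'
[global]
   workgroup = mydomain
   passdb backend = ldapsam:ldap://localhost/
   ldap suffix = o=mydomain,dc=mydomain,dc=com
   ldap machine suffix = ou=Computers
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap admin dn = "cn=tsadmin,dc=mydomain,dc=com"
EOF

# Corrected: one suffix, the one the user data lives under.
sed 's/^\( *ldap suffix = \).*/\1dc=mydomain,dc=com/' "$SMB_CONF" > "$SMB_CONF_FIXED"

cat > "$SLAPD_CONF" <<'EOF'
database ldbm
suffix "o=mydomain"
suffix "dc=mydomain,dc=com"
rootdn "cn=tsadmin,dc=mydomain,dc=com"
directory /var/lib/ldap/
EOF

# Value of one smb.conf parameter (case-insensitive name), surrounding
# whitespace and quotes stripped; empty if the parameter is absent.
smb_param() {  # $1 = smb.conf path, $2 = parameter name
    awk -v key="$2" '
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                gsub(/^[ \t"]+|[ \t"]+$/, "", v)
                print v
                exit
            }
        }
    ' "$1"
}

# Every "suffix" directive in slapd.conf, quotes removed, one per line.
# (Suffixes containing blanks would need a real tokenizer; none here do.)
slapd_suffixes() {  # $1 = slapd.conf path
    awk '$1 == "suffix" { gsub(/"/, "", $2); print $2 }' "$1"
}

# Normalise a DN for comparison: lowercase, no blanks after commas.
norm_dn() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g'; }

# 0 if smb.conf's "ldap suffix" is exactly one of the suffixes slapd serves.
suffix_served() {  # $1 = smb.conf, $2 = slapd.conf
    want=$(norm_dn "$(smb_param "$1" 'ldap suffix')")
    for s in $(slapd_suffixes "$2"); do
        [ "$(norm_dn "$s")" = "$want" ] && return 0
    done
    return 1
}

# 0 if "ldap admin dn" is an entry below "ldap suffix", i.e. a bind as that
# dn is at least looking in the tree smbd will search.
admin_dn_under_suffix() {  # $1 = smb.conf
    suffix=$(norm_dn "$(smb_param "$1" 'ldap suffix')")
    admin=$(norm_dn "$(smb_param "$1" 'ldap admin dn')")
    case "$admin" in
        *",$suffix") return 0 ;;
        *)           return 1 ;;
    esac
}

# Human-readable findings for one smb.conf / slapd.conf pair.
report() {  # $1 = smb.conf, $2 = slapd.conf
    echo "== $1"
    if suffix_served "$1" "$2"; then
        echo "ldap suffix '$(smb_param "$1" 'ldap suffix')': served by slapd"
    else
        echo "ldap suffix '$(smb_param "$1" 'ldap suffix')': NOT a slapd suffix" \
             "(slapd serves: $(slapd_suffixes "$2" | tr '\n' ' '))"
    fi
    if admin_dn_under_suffix "$1"; then
        echo "ldap admin dn: under ldap suffix"
    else
        echo "ldap admin dn: NOT under ldap suffix"
    fi
}

report "$SMB_CONF" "$SLAPD_CONF"
report "$SMB_CONF_FIXED" "$SLAPD_CONF"
```

On the posted settings both checks fail, on the corrected copy both pass; point the two path variables at /etc/samba/smb.conf and /etc/openldap/slapd.conf to run it on a real host.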
Re: [Samba] Samba-ldap-pdc questions
You need to set ldap admin password like this.

smbpasswd -w

to create the domain user account use smbldap-useradd.pl command.

SR

> Hi, There
> I am setting up Samba(3.0.1-1)-ldap(openldap-2.1.22-8)-pdc on Fedora 1.0.
> I used the RPMs for the installations. After setup, start both smb and ldap
> without problem. However when I tried to add users with smbpasswd -a userid,
> it gave me the following errors. Can someone point me to right direction, is
> there anything I can do to do more test and diagnosis. I've copied the error
> message, and the conf file for samba.conf and slapd.conf
>
> Thank you for your help!
>
> Ron Liu
> Information Technology Consultant
> Biology Department
> San Jose State University
> 408-924-4860
> [EMAIL PROTECTED]
>
>
> [EMAIL PROTECTED] openldap]# smbpasswd -a bliu
> New SMB password:
> Retype new SMB password:
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (unknown) (Invalid credentials)
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
> Failed to add entry for user bliu.
> Failed to modify password entry for user bliu
>
>
>
> #=== Global Settings ===
> [global]
>    workgroup = mydomain
>    netbios name = ts010
>    encrypt passwords = yes
>    passdb backend = ldapsam:ldap://localhost/
>    ldap suffix = o=mydomain,dc=mydomain,dc=com
>    ldap machine suffix = ou=Comupters
>    ldap user suffix = ou=Users
>    ldap group suffix = ou=Groups
>    ldap admin dn = "cn=tsadmin,dc=mydomain,dc=com"
> # ldap ssl = start tls
>    ldap delete dn = no
>    server string = mydomain Samba Server
>    hosts allow = 10.101.0. 10.101.1. 127.
>    printcap name = cups
>    load printers = yes
>    printing = cups
>    log file = /var/log/samba/%m.log
>    max log size = 50
>    security = user
>    password level = 8
> ;  username level = 8
>    smb passwd file = /etc/samba/smbpasswd
>    unix password sync = Yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd *all*authentication*tokens*updated*successfully*
> ;  username map = /etc/samba/smbusers
> ;  include = /etc/samba/smb.conf.%m
>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>    local master = yes
>    os level = 33
>    domain master = yes
>    preferred master = yes
>    domain logons = yes
>    logon script = scripts\logscript.bat
>    logon path = \\%L\Profiles\%U
>    logon drive = H:
>    logon home = \\%L\%U
> ;  name resolve order = wins lmhosts bcast
>    wins support = yes
>    dns proxy = no
>    write list = @tsadmin
>    add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
> [home]
> ...
> *
> my slapd.conf
>
> # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/redhat/autofs.schema
> #rliu, 12/31/03
> include /etc/openldap/schema/samba.schema
>
> # Allow LDAPv2 client connections. This is NOT the default.
> allow bind_v2
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral ldap://root.openldap.org
>
> pidfile /var/run/slapd.pid
> #argsfile //var/run/slapd.args
>
> # Load dynamic backend modules:
> # modulepath /usr/sbin/openldap
> # moduleload back_bdb.la
> # moduleload back_ldap.la
> # moduleload back_ldbm.la
> # moduleload back_passwd.la
> # moduleload back_shell.la
>
> # The next three lines allow use of TLS for connections using a dummy test
> # certificate, but you should generate a proper certificate by changing t
Re: [Samba] Samba-ldap-pdc questions
On Mon, 2004-01-05 at 16:50, Ron Liu wrote:
> Hi, There
> I am setting up Samba(3.0.1-1)-ldap(openldap-2.1.22-8)-pdc on Fedora 1.0.
> I used the RPMs for the installations. After setup, start both smb and ldap
> without problem. However when I tried to add users with smbpasswd -a userid,
> it gave me the following errors. Can someone point me in the right direction, is
> there anything I can do to do more tests and diagnosis. I've copied the error
> message, and the conf file for samba.conf and slapd.conf
>
> Thank you for your help!
>
> Ron Liu
> Information Technology Consultant
> Biology Department
> San Jose State University
> 408-924-4860
> [EMAIL PROTECTED]
>
>
> [EMAIL PROTECTED] openldap]# smbpasswd -a bliu
> New SMB password:
> Retype new SMB password:
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (unknown) (Invalid credentials)
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
> Failed to add entry for user bliu.
> Failed to modify password entry for user bliu
>
>
>
> #=== Global Settings =
> [global]
> workgroup = mydomain
> netbios name = ts010
> encrypt passwords = yes
> passdb backend = ldapsam:ldap://localhost/
> ldap suffix = o=mydomain,dc=mydomain,dc=com
> ldap machine suffix = ou=Comupters
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
> ldap admin dn = "cn=tsadmin,dc=mydomain,dc=com"
> # ldap ssl = start tls
> ldap delete dn = no
> server string = mydomain Samba Server
> hosts allow = 10.101.0. 10.101.1. 127.
> printcap name = cups
> load printers = yes
> printing = cups
> log file = /var/log/samba/%m.log
> max log size = 50
> security = user
> password level = 8
> ; username level = 8
> smb passwd file = /etc/samba/smbpasswd
> unix password sync = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd *all*authentication*tokens*updated*successfully*
> ; username map = /etc/samba/smbusers
> ; include = /etc/samba/smb.conf.%m
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> local master = yes
> os level = 33
> domain master = yes
> preferred master = yes
> domain logons = yes
> logon script = scripts\logscript.bat
> logon path = \\%L\Profiles\%U
> logon drive = H:
> logon home = \\%L\%U
> ; name resolve order = wins lmhosts bcast
> wins support = yes
> dns proxy = no
> write list = @tsadmin
> add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
> [home]
> ...
> *
> my slapd.conf
>
> # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/redhat/autofs.schema
> #rliu, 12/31/03
> include /etc/openldap/schema/samba.schema
>
> # Allow LDAPv2 client connections. This is NOT the default.
> allow bind_v2
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral ldap://root.openldap.org
>
> pidfile /var/run/slapd.pid
> #argsfile //var/run/slapd.args
>
> # Load dynamic backend modules:
> # modulepath /usr/sbin/openldap
> # moduleload back_bdb.la
> # moduleload back_ldap.la
> # moduleload back_ldbm.la
> # moduleload back_passwd.la
> # moduleload back_shell.la
>
> # The next three lines allow use of TLS for connections using a dummy test
> # certificate, but you should generate a proper certificate by changing to
> # /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
> # s
Re: [Samba] Samba-ldap-pdc questions
On Mon, 5 Jan 2004, Ron Liu wrote:
> Hi, There
> I am setting up Samba(3.0.1-1)-ldap(openldap-2.1.22-8)-pdc on Fedora 1.0.
> I used the RPMs for the installations. After setup, start both smb and ldap
> without problem. However when I tried to add users with smbpasswd -a userid,
> it gave me the following errors. Can someone point me in the right direction, is
> there anything I can do to do more tests and diagnosis. I've copied the error
> message, and the conf file for samba.conf and slapd.conf

Did you store the LDAP admin password in secrets.tdb?

smbpasswd -w 'secret'

- John T.

>
> Thank you for your help!
>
> Ron Liu
> Information Technology Consultant
> Biology Department
> San Jose State University
> 408-924-4860
> [EMAIL PROTECTED]
>
>
> [EMAIL PROTECTED] openldap]# smbpasswd -a bliu
> New SMB password:
> Retype new SMB password:
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (unknown) (Invalid credentials)
> fetch_ldap_pw: neither ldap secret retrieved!
> ldap_connect_system: Failed to retrieve password from secrets.tdb
> Connection to LDAP Server failed for the 1 try!
> smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
> Failed to add entry for user bliu.
> Failed to modify password entry for user bliu
>
>
>
> #=== Global Settings =
> [global]
> workgroup = mydomain
> netbios name = ts010
> encrypt passwords = yes
> passdb backend = ldapsam:ldap://localhost/
> ldap suffix = o=mydomain,dc=mydomain,dc=com
> ldap machine suffix = ou=Comupters
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
> ldap admin dn = "cn=tsadmin,dc=mydomain,dc=com"
> # ldap ssl = start tls
> ldap delete dn = no
> server string = mydomain Samba Server
> hosts allow = 10.101.0. 10.101.1. 127.
> printcap name = cups
> load printers = yes
> printing = cups
> log file = /var/log/samba/%m.log
> max log size = 50
> security = user
> password level = 8
> ; username level = 8
> smb passwd file = /etc/samba/smbpasswd
> unix password sync = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd *all*authentication*tokens*updated*successfully*
> ; username map = /etc/samba/smbusers
> ; include = /etc/samba/smb.conf.%m
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> local master = yes
> os level = 33
> domain master = yes
> preferred master = yes
> domain logons = yes
> logon script = scripts\logscript.bat
> logon path = \\%L\Profiles\%U
> logon drive = H:
> logon home = \\%L\%U
> ; name resolve order = wins lmhosts bcast
> wins support = yes
> dns proxy = no
> write list = @tsadmin
> add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
> [home]
> ...
> *
> my slapd.conf
>
> # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/redhat/autofs.schema
> #rliu, 12/31/03
> include /etc/openldap/schema/samba.schema
>
> # Allow LDAPv2 client connections. This is NOT the default.
> allow bind_v2
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral ldap://root.openldap.org
>
> pidfile /var/run/slapd.pid
> #argsfile //var/run/slapd.args
>
> # Load dynamic backend modules:
> # modulepath /usr/sbin/openldap
> # moduleload back_bdb.la
> # moduleload back_ldap.la
> # moduleload back_ldbm.la
> # moduleload back_passwd.la
> # moduleload back_shell.la
>
> # The next three lines allow use of TLS for connections using a dummy test
> # certificate, but you should generate a proper certificate by changing to
> #
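The diagnosis John T. gives above (smbd cannot bind as the `ldap admin dn` because no password for that DN was ever stored in secrets.tdb with `smbpasswd -w`) can be turned into a repeatable check. The script below is an added example, not code from the thread or from Samba: it recognises the `Failed to retrieve password from secrets.tdb` signature in smbd/smbpasswd output, reads `passdb backend` and `ldap admin dn` out of an smb.conf, prints the missing `smbpasswd -w` step, and flags the case where the admin simple bind would leave the box without `ldap ssl = start tls`. The log excerpt and smb.conf in the script are constructed to match Ron's post; the function names are this example's own.

```shell
#!/bin/sh
# Added example: diagnose the "no LDAP secret in secrets.tdb" failure from the
# thread and derive the missing setup step from smb.conf. Not Samba's tooling.

# Constructed log excerpt, shaped like the smbpasswd -a output in the thread.
SAMPLE_LOG='fetch_ldap_pw: neither ldap secret retrieved!
ldap_connect_system: Failed to retrieve password from secrets.tdb
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
Failed to add entry for user bliu.'

# Constructed minimal smb.conf using the same settings as the posted one.
SAMPLE_SMBCONF='[global]
workgroup = mydomain
passdb backend = ldapsam:ldap://localhost/
ldap suffix = o=mydomain,dc=mydomain,dc=com
ldap admin dn = "cn=tsadmin,dc=mydomain,dc=com"
# ldap ssl = start tls'

# smbconf_get NAME: print the value of global option NAME from the smb.conf
# on stdin. Option names are matched case-insensitively, whitespace around
# "=" is ignored and surrounding quotes are stripped, as smbd itself does.
# Lines commented with ";" or "#" are skipped, so a commented-out option
# reads as unset.
smbconf_get() {
    awk -v key="$1" -F= '
        /^[[:space:]]*[;#]/ { next }
        {
            name = $1
            sub(/^[[:space:]]+/, "", name); sub(/[[:space:]]+$/, "", name)
            if (tolower(name) == tolower(key)) {
                val = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
                gsub(/^"|"$/, "", val)
                print val
                exit
            }
        }'
}

# diagnose_log TEXT: print "missing-ldap-secret" when the output carries the
# signature from the thread (smbd found no bind password in secrets.tdb),
# "other" for anything else.
diagnose_log() {
    if printf '%s\n' "$1" | grep -q 'Failed to retrieve password from secrets.tdb'; then
        echo "missing-ldap-secret"
    else
        echo "other"
    fi
}

# remediation_for SMBCONF: print the step that was skipped in the thread, the
# smbpasswd -w call that stores the "ldap admin dn" bind password in
# secrets.tdb. Returns 1 when the backend is not ldapsam or no admin DN is set.
remediation_for() {
    conf="$1"
    backend=$(printf '%s\n' "$conf" | smbconf_get "passdb backend")
    case "$backend" in
        ldapsam:*) ;;
        *) return 1 ;;
    esac
    admin_dn=$(printf '%s\n' "$conf" | smbconf_get "ldap admin dn")
    [ -n "$admin_dn" ] || return 1
    # The real password is typed at run time; it never belongs in smb.conf.
    echo "smbpasswd -w '<password for $admin_dn>'"
}

# bind_transport_ok SMBCONF: succeed when the admin simple bind cannot be
# read off the wire: ldapi/ldaps URL, a loopback ldap:// URL, or
# "ldap ssl = start tls". The posted config passes only because the URL is
# ldap://localhost/ while "ldap ssl = start tls" is commented out.
bind_transport_ok() {
    conf="$1"
    backend=$(printf '%s\n' "$conf" | smbconf_get "passdb backend")
    url=${backend#ldapsam:}
    ssl=$(printf '%s\n' "$conf" | smbconf_get "ldap ssl" | tr 'A-Z' 'a-z')
    case "$url" in
        ldapi://*|ldaps://*) return 0 ;;
        ldap://localhost|ldap://localhost/*|ldap://127.0.0.1|ldap://127.0.0.1/*) return 0 ;;
    esac
    [ "$ssl" = "start tls" ] && return 0
    return 1
}

# Stand-alone run: show the diagnosis and the missing step for the sample.
printf 'diagnosis: %s\n' "$(diagnose_log "$SAMPLE_LOG")"
remediation_for "$SAMPLE_SMBCONF"
bind_transport_ok "$SAMPLE_SMBCONF" && echo "admin bind stays on loopback or TLS"
```

Two points the thread leaves implicit: the password stored with `smbpasswd -w` lets smbd write to the whole `ldap suffix`, so secrets.tdb deserves the same root-only permissions the slapd.conf comment above demands for itself; and passing the secret on the command line, as in `smbpasswd -w 'secret'`, records it in the shell history, so clear that entry afterwards or run the command from a shell with history disabled.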