Re: [Samba] samba+ldap

2009-10-23 Thread Adam Williams



Paras pradhan wrote:

On Fri, Oct 23, 2009 at 2:07 PM,   wrote:
  

Most mainstream Linux distros are compiling in LDAP support these days, no
problem.  Debian, Ubuntu, Fedora and SuSE are all compiling in LDAP in their
standard packages, AFAIK.  I'm not sure what BSDs are doing these days, but
I'd bet they're the same way.



I am under solaris 9 (ancient) platform. Now my compilation seems to
be OK, now need to find ways to connect this to the sun ldap server.
Any info on this will be a great help

Thanks
Paras.

In CentOS/Fedora you use nss_ldap, I'm not sure what Solaris uses, maybe
you can compile nss_ldap from source and set up /etc/ldap.conf and
/etc/nsswitch.conf

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] samba+ldap

2009-10-23 Thread Paras pradhan
On Fri, Oct 23, 2009 at 2:07 PM,   wrote:
> Most mainstream Linux distros are compiling in LDAP support these days, no
> problem.  Debian, Ubuntu, Fedora and SuSE are all compiling in LDAP in their
> standard packages, AFAIK.  I'm not sure what BSDs are doing these days, but
> I'd bet they're the same way.

I am under solaris 9 (ancient) platform. Now my compilation seems to
be OK, now need to find ways to connect this to the sun ldap server.
Any info on this will be a great help

Thanks
Paras.


>
> On Fri 23/10/09 2:55 PM , Adam Williams  wrote:
>
> mine has about the same, and connects to LDAP fine, so I think you are
> ready.
>
> [r...@missioncontrol BackupPC-3.2.0beta0]# smbd -b|grep LDAP
> HAVE_LDAP_H
> HAVE_LDAP
> HAVE_LDAP_ADD_RESULT_ENTRY
> HAVE_LDAP_INIT
> HAVE_LDAP_INITIALIZE
> HAVE_LDAP_SASL_WRAPPING
> HAVE_LDAP_SET_REBIND_PROC
> HAVE_LIBLDAP
> LDAP_SET_REBIND_PROC_ARGS
>
>
> Paras pradhan wrote:
>> Does this mean that my samba is ready to connect to LDAP server?
>>
>> r...@webdev # ./smbd -b |grep LDAP
>> HAVE_LDAP_H
>> HAVE_LDAP
>> HAVE_LDAP_ADD_RESULT_ENTRY
>> HAVE_LDAP_INIT
>> HAVE_LDAP_INITIALIZE
>> HAVE_LDAP_SET_REBIND_PROC
>> HAVE_LIBLDAP
>> LDAP_SET_REBIND_PROC_ARGS
>> r...@webdev #
>>
>>
>> Thanks!
>> Paras.
>>
>


Re: [Samba] samba+ldap

2009-10-23 Thread morgan
 

Most mainstream Linux distros are compiling in LDAP support these
days, no problem.  Debian, Ubuntu, Fedora and SuSE are all compiling
in LDAP in their standard packages, AFAIK.  I'm not sure what BSDs are
doing these days, but I'd bet they're the same way.

On Fri 23/10/09  2:55 PM , Adam Williams  wrote:
 mine has about the same, and connects to LDAP fine, so I think you are
 ready.
 [ BackupPC-3.2.0beta0]# smbd -b|grep LDAP
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_ADD_RESULT_ENTRY
HAVE_LDAP_INIT
HAVE_LDAP_INITIALIZE
HAVE_LDAP_SASL_WRAPPING
HAVE_LDAP_SET_REBIND_PROC
HAVE_LIBLDAP
LDAP_SET_REBIND_PROC_ARGS
 Paras pradhan wrote:
 > Does this mean that my samba is ready to connect to LDAP server?
 >
 >  # ./smbd -b |grep LDAP
 >HAVE_LDAP_H
 >HAVE_LDAP
 >HAVE_LDAP_ADD_RESULT_ENTRY
 >HAVE_LDAP_INIT
 >HAVE_LDAP_INITIALIZE
 >HAVE_LDAP_SET_REBIND_PROC
 >HAVE_LIBLDAP
 >LDAP_SET_REBIND_PROC_ARGS
 >  #
 >
 >
 > Thanks!
 > Paras.
 >   


Re: [Samba] samba+ldap

2009-10-23 Thread Adam Williams
mine has about the same, and connects to LDAP fine, so I think you are
ready.


[r...@missioncontrol BackupPC-3.2.0beta0]# smbd -b|grep LDAP
  HAVE_LDAP_H
  HAVE_LDAP
  HAVE_LDAP_ADD_RESULT_ENTRY
  HAVE_LDAP_INIT
  HAVE_LDAP_INITIALIZE
  HAVE_LDAP_SASL_WRAPPING
  HAVE_LDAP_SET_REBIND_PROC
  HAVE_LIBLDAP
  LDAP_SET_REBIND_PROC_ARGS


Paras pradhan wrote:

Does this mean that my samba is ready to connect to LDAP server?

r...@webdev # ./smbd -b |grep LDAP
   HAVE_LDAP_H
   HAVE_LDAP
   HAVE_LDAP_ADD_RESULT_ENTRY
   HAVE_LDAP_INIT
   HAVE_LDAP_INITIALIZE
   HAVE_LDAP_SET_REBIND_PROC
   HAVE_LIBLDAP
   LDAP_SET_REBIND_PROC_ARGS
r...@webdev #


Thanks!
Paras.
  




Re: [Samba] samba / ldap

2009-09-04 Thread azzouz

azzouz wrote:

Hi!

I want to have one LDAP backend and two domain instances on the same
server.

Two questions:

1 - When I start the first instance, domain1, I get a SID which is put
in the secrets.tdb file.

   But when I start the second one, it detects the SID in the secrets file
and so doesn't create another.

   How can I differentiate the secrets.tdb file for each instance,
each referring to a different smb.conf file and a particular domain?

2 - This one is related to the first question:
 Has anyone tested a configuration like this, with user
connections to LDAP from the two domains?

Thanks!

Y.

I found one parameter to put in smb.conf to determine the
secrets.tdb path:

private dir =

Now I test the LDAP connection from the two domains.

Y.


Re: [Samba] samba ldap problem

2009-07-17 Thread Johan Hendriks


 Hi,

 we had this setup working for quite some time but after upgrading the
 samba package things look different:

 we now have the following samba/ldap setup:

 samba-3.0.34p1-cups-ldap
 openldap-server-2.3.43

 the samba-ldap configuration is:
 doing parameter ldap suffix = dc=foo,dc=ch
 doing parameter ldap machine suffix = ou=Computers,ou=Samba,ou=system
 snip

 in this state we don't see any packets going to the ldap server
 anymore.
 Have you seen this behaviour or do you have any hints how we could
 debug this better?

>>
>>
>>> Very strange is also the fact, that the first connection works, but
>>> gets interrupted in the middle somehow and then all subsequent
>>> attempts using smbclient fail:
>>
>>> root:13# pgrep smbd
>>> 4268
>>> 30945
>>> root:14# smbclient -U mbalmer -L tesla
>>> Password:
>>> Domain=[EDUBS] OS=[Unix] Server=[Samba 3.0.34]
>>> snip ..
>>
>>> This is on OpenBSD 4.4/i386, btw.
>>
>>> - Marc
>>
>> Did you copy the new samba schema file from the new samba version to
>> the openldap scheme directory?
>> I had some strange problems once after an update and that was the
>> case in my situation.

>Yes I did that, but of course the additional fields in the SambaDomain
>object are empty.  Do I need to fill them with some values?

>- Marc

As far as I know not, in my case the copy of schema file was enough, I
could not imagine why it needs altering.
I mean this file (On FreeBSD).
/usr/local/share/examples/samba/LDAP/samba.schema

And that needs to be copied to the location mentioned in your slapd.conf
file:
in my case:
include /usr/local/etc/openldap/schema/samba.schema

regards,
Johan



Re: [Samba] samba ldap problem

2009-07-17 Thread Marc Balmer


On 17.07.2009 at 13:55, Johan Hendriks wrote:


Hi,

we had this setup working for quite some time but after upgrading the
samba package things look different:

we now have the following samba/ldap setup:

samba-3.0.34p1-cups-ldap
openldap-server-2.3.43

the samba-ldap configuration is:
doing parameter ldap suffix = dc=foo,dc=ch
doing parameter ldap machine suffix = ou=Computers,ou=Samba,ou=system

snip

in this state we don't see any packets going to the ldap server
anymore.
Have you seen this behaviour or do you have any hints how we could
debug this better?


Very strange is also the fact, that the first connection works, but
gets interrupted in the middle somehow and then all subsequent
attempts using smbclient fail:

root:13# pgrep smbd
4268
30945
root:14# smbclient -U mbalmer -L tesla
Password:
Domain=[EDUBS] OS=[Unix] Server=[Samba 3.0.34]
snip ..

This is on OpenBSD 4.4/i386, btw.

- Marc


Did you copy the new samba schema file from the new samba version to
the openldap scheme directory?
I had some strange problems once after an update and that was the
case in my situation.


Yes I did that, but of course the additional fields in the SambaDomain
object are empty.  Do I need to fill them with some values?


- Marc



Regards,
Johan




Re: [Samba] samba ldap problem

2009-07-17 Thread Johan Hendriks
>> Hi,
>>
>> we had this setup working for quite some time but after upgrading the
>> samba package things look different:
>>
>> we now have the following samba/ldap setup:
>>
>> samba-3.0.34p1-cups-ldap
>> openldap-server-2.3.43
>>
>> the samba-ldap configuration is:
>> doing parameter ldap suffix = dc=foo,dc=ch
>> doing parameter ldap machine suffix = ou=Computers,ou=Samba,ou=system
>>snip

>> in this state we don't see any packets going to the ldap server
>> anymore.
>> Have you seen this behaviour or do you have any hints how we could
>> debug this better?
>>


>Very strange is also the fact, that the first connection works, but
>gets interrupted in the middle somehow and then all subsequent
>attempts using smbclient fail:

>root:13# pgrep smbd
>4268
>30945
>root:14# smbclient -U mbalmer -L tesla
>Password:
>Domain=[EDUBS] OS=[Unix] Server=[Samba 3.0.34]
> snip ..

>This is on OpenBSD 4.4/i386, btw.

>- Marc

Did you copy the new samba schema file from the new samba version to the
openldap scheme directory?
I had some strange problems once after an update and that was the case in
my situation.

Regards,
Johan




Re: [Samba] samba ldap problem

2009-07-17 Thread Marc Balmer


On 16.07.2009 at 18:01, Mischa Diehm wrote:


Hi,

we had this setup working for quite some time but after upgrading the
samba package things look different:

we now have the following samba/ldap setup:

samba-3.0.34p1-cups-ldap
openldap-server-2.3.43

the samba-ldap configuration is:
doing parameter ldap suffix = dc=foo,dc=ch
doing parameter ldap machine suffix = ou=Computers,ou=Samba,ou=system
doing parameter ldap user suffix = ou=Users,ou=Samba,ou=system
doing parameter ldap group suffix = ou=Groups,ou=Samba,ou=system
doing parameter ldap admin dn =
"cn=SambaAdmin,ou=Users,ou=OpenLDAP,ou=system,dc=foo,dc=ch"
doing parameter ldap delete dn = no
doing parameter ldap passwd sync = no
doing parameter ldap replication sleep = 6000
doing parameter ldap timeout = 120
doing parameter ldap ssl = No

when starting the smbd things look ok:
Attempting to find an passdb backend to match ldapsam:ldap://localhost/ (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=EDUBS))]
smbldap_search_ext: base => [dc=edubs,dc=ch], filter =>
[(&(objectClass=sambaDomain)(sambaDomainName=EDUBS))], scope => [2]
The connection to the LDAP server was closed
smb_ldap_setup_connection: ldap://localhost/
smbldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server ldap://localhost/ as
"cn=SambaAdmin,ou=Users,ou=OpenLDAP,ou=system,dc=edubs,dc=ch"
ldap_connect_system: successful connection to the LDAP server
ldap_connect_system: LDAP server does support paged results
The LDAP server is successfully connected
smbldap_get_single_attribute: [sambaAlgorithmicRidBase] = []
pdb backend ldapsam:ldap://localhost/ has a valid init


it seems the first connection works:
root:195# smbclient -L localhost -U foo.bar
Password:
Anonymous login successful
Domain=[EDUBS] OS=[Unix] Server=[Samba 3.0.34]

   Sharename       Type      Comment
   ---------       ----      -------
   IPC$            IPC       IPC Service (ICT Fileserver)
read_socket_with_timeout: timeout read. read error = Connection reset by peer.
Receiving SMB: Server stopped responding
session request to LOCALHOST failed (Read error: Connection reset by peer)
Error connecting to 127.0.0.1 (Connection refused)
Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)
NetBIOS over TCP disabled -- no workgroup available


but any connection afterwards fails with this:
root:199# smbclient -L localhost -U foo.bar
Password:
Receiving SMB: Server stopped responding
session setup failed: Call returned zero bytes

in this state we don't see any packets going to the ldap server anymore.
Have you seen this behaviour or do you have any hints how we could debug
this better?


Very strange is also the fact, that the first connection works, but
gets interrupted in the middle somehow and then all subsequent
attempts using smbclient fail:


root:13# pgrep smbd
4268
30945
root:14# smbclient -U mbalmer -L tesla
Password:
Domain=[EDUBS] OS=[Unix] Server=[Samba 3.0.34]

Sharename       Type      Comment
---------       ----      -------
IPC$            IPC       IPC Service (ICT Fileserver)
mbalmer         Disk      Home Directories
Receiving SMB: Server stopped responding
session setup failed: Call returned zero bytes (EOF)
NetBIOS over TCP disabled -- no workgroup available
root:15# smbclient -U mbalmer -L tesla
Password:
Receiving SMB: Server stopped responding
session setup failed: Call returned zero bytes (EOF)


This is on OpenBSD 4.4/i386, btw.

- Marc



Re: [Samba] Samba & LDAP, with XP and Linux clients

2009-06-19 Thread Quinn Fissler
As you probably realise, the two separate areas are what samba requires in
ldap and what Linux requires - it's likely that you've only populated the
samba required stuff.

Think of ldap like a /etc/passwd file with many more columns. You only have
the columns for samba but most of the Linux/POSIX columns are missing.

There are many ways to deal with this! Too many :-/

but they're all fun :-)

ldapmodify is one to look at - you can adjust various items.

you could export the whole ldap db using slapcat and then tidy the whole
thing before importing it back...

I think that both require some extra steps and as soon as you look at them,
you'll see which approach suits you.





2009/6/19 Dave Beach 

> Hello list! I believe I may not have a Samba problem, but rather an LDAP
> directory problem. I'm hoping to be redirected towards a more appropriate
> mailing list to which I can post.
>
> I have a Slackware server running Samba and OpenLDAP, and my WinXP clients
> authenticate just fine. I migrated from an smbpasswd backend to OpenLDAP
> with a BD backend some time ago, using the migration tools provided with
> smbldap-tools. Everything has been working fine.
>
> I now want to bring a Ubuntu workstation online, and authenticate to the
> same LDAP database. I've understood that my previous approach was wrong
> (trying to somehow get the Ubuntu box to join the domain), and that I
> instead need to use nss and pam to point directly to the LDAP database on
> the Slackware server. So far, so good. Ubuntu packages sourced and
> installed.
>
> Executing "getent group" on the Ubuntu client produces the expected
> results. Executing "getent passwd" does not; it only shows me a subset of
> the user accounts (notably, not my own account which was created prior to
> migration). Fiddling about with a couple of Windows-based ldap query
> clients, I can see that there seem to be some differences between accounts
> that were created pre-migration and those created post-migration. As an
> example, accounts created post-migration seem to have different
> "objectClass" attributes and values associated with them than do accounts
> created pre-migration - and the post-migration accounts are all visible
> with "getent passwd" on the Ubuntu client. Also, the pre-migration
> accounts have the "account" objectClass associated with them, while the
> post-migration accounts have the "person" objectClass associated with
> them. The post-migration accounts also seem to have the "posixAccount"
> object class associated with them. There are other differences, but these
> strike me (in my ignorance) as possibly being the source of the problem.
>
> In case it isn't obvious, I have zero LDAP experience other than this
> futzing around I'm doing. It seems fairly obvious that I need to somehow
> alter the pre-migration accounts in some way to make them more like the
> post-migration accounts, such that I can then log onto the Ubuntu client
> with the same user ID with which I log onto the WinXp clients. I'm
> reluctant to do much so far, in fear that I'll manage to irreparably
> damage the pre-migration accounts (somehow lose the SID, etc) such that
> they'll need to be re-created, with all the pain that entails on the WinXP
> clients (I use local profiles only on the WinXP boxes).
>
> So, as I said, probably not a Samba problem per se. Would someone be so
> kind as to suggest the proper list in which I can post this problem?
>
> Thanks very much in advance.
>
>
>


Re: [Samba] Samba & LDAP, with XP and Linux clients

2009-06-19 Thread Olivier Nicole
To add a bit more, my users typically look like:

dn: uid=a103,ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
cn: a103
sn: x
uid: a103
uidNumber: 5072
gidNumber: 95
homeDirectory: /home/a103
loginShell: /bin/sh
mail: a...@cs.ait.ac.th
givenName: 
gecos:  
userPassword: {md5}xx==
sambaSID: S-1-5-21-x-y-z-11144
sambaAcctFlags: [U  ]
sambaPasswordHistory: 

sambaPwdLastSet: 1243416344
sambaNTPassword: y

I think that Unix and samba authentication will not work with anything
less. sambaLMPassword will be necessary too for Win9x/Me
authentication.

Olivier


Re: [Samba] Samba & LDAP, with XP and Linux clients

2009-06-19 Thread Olivier Nicole
Hi,

> Executing "getent group" on the Ubuntu client produces the expected results.
> Executing "getent passwd" does not; it only shows me a subset of the user
> accounts (notably, not my own account which was created prior to migration).

I am running successfully with the user accounts having the objectClass:

 inetOrgPerson
 posixAccount
 shadowAccount
 top

I think that posixAccount is necessary. Typically, objectClass person
is not what you need to store a Unix account, you need to have home
directory, shell, uid number, gid number, etc. and password to
authenticate a Unix user with LDAP.

Adding an objectClass or Attributes to an existing entry of your LDAP
will not break anything that is already working.

Bests,

Olivier
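
An added example, not part of the original post: a small audit of an LDIF export (for instance from slapcat) that lists which Samba accounts lack the posixAccount class or its mandatory attributes, which is the difference described above between accounts that show up in "getent passwd" and those that do not. The sample entries, DNs and function names are constructed for illustration.

```python
import base64

# MUST attributes of the posixAccount object class (RFC 2307).
POSIX_REQUIRED = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

# Constructed sample export (not taken from the thread): one account shaped
# like a pre-migration entry, one shaped like a post-migration entry.
SAMPLE_LDIF = """\
# pre-migration style entry
dn: uid=dave,ou=Users,dc=example,dc=org
objectClass: top
objectClass: account
objectClass: sambaSamAccount
uid: dave
sambaSID: S-1-5-21-1-2-3-3000
sambaAcctFlags: [U          ]

dn: uid=newuser,ou=Users,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: sambaSamAccount
cn: newuser
sn: newuser
uid: newuser
uidNumber: 1001
gidNumber: 513
homeDirectory: /home/
 newuser
loginShell:: L2Jpbi9iYXNo
sambaSID: S-1-5-21-1-2-3-3002
"""


def parse_ldif(text):
    """Return a list of entries: dicts of lower-cased attribute -> values."""
    # Unfold continuation lines: a line starting with one space continues
    # the previous logical line.
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical and logical[-1]:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries, current = [], {}
    for line in logical:
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):        # comment
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):       # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def audit_account(entry):
    """List what this entry lacks to be usable as a Unix (posixAccount) user."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    problems = []
    if "posixaccount" not in classes:
        problems.append("missing objectClass posixAccount")
    for attr in POSIX_REQUIRED:
        if not any(entry.get(attr.lower(), [])):
            problems.append("missing attribute " + attr)
    for attr in ("uidNumber", "gidNumber"):
        for value in entry.get(attr.lower(), []):
            if not value.isdigit():
                problems.append("non-numeric " + attr)
    return problems


def audit(text):
    """Map DN -> list of problems for every sambaSamAccount entry."""
    report = {}
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "dn" in entry and "sambasamaccount" in classes:
            report[entry["dn"][0]] = audit_account(entry)
    return report


if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF).items():
        print(dn, "->", "OK" if not problems else "; ".join(problems))
```
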


Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-06-11 Thread Volker Lendecke
On Sat, May 16, 2009 at 09:40:16AM +0100, Martin Edwards wrote:
> It looks like we've fixed this.  It seems msdfs is on by default.  By chance
> I disabled it:
> 
> host msdfs = no
> 
> No more memory leak!
> 
> At some point I will endeavour to recreate the old problem on a test box and
> find out why msdfs causes the memory leak and report back to the list.

Any news here?

Thanks,

Volker



Re: [Samba] Samba+Ldap problems

2009-06-03 Thread Tim Bates

dogbert wrote:

Ok, a little update on this issue.
I've changed the various common-* within /etc/pam.d and I've obtained 
the following.
Now I can connect with ssh or su with a user defined in ldap as long 
as this user is present also in /etc/passwd.
It seems that the system checks for the user account in /etc/passwd and
then it checks for password under ldap.
Now if a user tries to change his password (with the passwd command) it
works through ldap.
While using "getent passwd" I still obtain only the users contained in 
/etc/passwd.

I'd suggest having a good read of this page:
https://help.ubuntu.com/community/LDAPClientAuthentication

If you're still having no LDAP results show up with getent, then there's 
issues with nsswitch still. The nsswitch.conf you sent me looks right, 
so I'd put my money on a problem in your ldap client settings. Check 
/etc/ldap.conf and /etc/ldap/ldap.conf and make sure anything set there 
is correct. Also check that a basedn is set in one of them and the host 
is set correctly.


You may also want to check you can access the LDAP data from an LDAP 
viewer... I use phpldapadmin to check actual content, and LAM to manage 
accounts. But any LDAP client that shows the tree will help.


TB
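
An added example, not part of the original post: a check of the two places named above, the name-service switch and the LDAP client settings, for the symptom in this thread where passwords are verified against LDAP but "getent passwd" lists only local users. The sample file contents and function names are constructed for illustration; on a real host the text would be read from /etc/nsswitch.conf and /etc/ldap.conf.

```python
import re

# Constructed sample files (not from the thread) that reproduce the symptom:
# the passwd database never consults LDAP and no search base is set.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:         compat
group:          files ldap
shadow:         compat
hosts:          files dns
"""

SAMPLE_LDAP_CONF = """\
# /etc/ldap.conf
#host 127.0.0.1
uri ldap://ldap.example.org/
ldap_version 3
pam_password md5
"""


def nss_sources(text):
    """Parse nsswitch.conf text into {database: [source, ...]}."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        if ":" not in line:
            continue
        database, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)     # drop [NOTFOUND=return] etc.
        result[database.strip().lower()] = rest.split()
    return result


def client_settings(text):
    """Parse ldap.conf-style 'keyword value' lines (keywords case-insensitive)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def diagnose(nsswitch_text, ldap_conf_text):
    """Return (file, item, hint) tuples for settings that keep getent from seeing LDAP."""
    findings = []
    sources = nss_sources(nsswitch_text)
    for database in ("passwd", "group"):
        listed = sources.get(database, [])
        if "ldap" not in listed:
            findings.append(("nsswitch.conf", database,
                             "sources are %r, ldap is not consulted" % (listed,)))
    conf = client_settings(ldap_conf_text)
    if not conf.get("base"):
        findings.append(("ldap.conf", "base", "no search base DN is set"))
    if not (conf.get("host") or conf.get("uri")):
        findings.append(("ldap.conf", "host", "neither host nor uri is set"))
    return findings


if __name__ == "__main__":
    for filename, item, hint in diagnose(SAMPLE_NSSWITCH, SAMPLE_LDAP_CONF):
        print("%s: %s: %s" % (filename, item, hint))
```
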



Re: [Samba] Samba+Ldap problems

2009-06-03 Thread dogbert

Ok, a little update on this issue.
I've changed the various common-* within /etc/pam.d and I've obtained the 
following.
Now I can connect with ssh or su with a user defined in ldap as long as this 
user is present also in /etc/passwd.
It seems that the system checks for the user account in /etc/passwd and then it
checks for password under ldap.
Now if a user tries to change his password (with the passwd command) it works
through ldap.

While using "getent passwd" I still obtain only the users contained in 
/etc/passwd.
These are my /etc/pam.d files:

COMMON-AUTH:
auth        sufficient  pam_ldap.so
auth        required    pam_unix.so nullok_secure use_first_pass
auth        requisite   pam_deny.so
auth        required    pam_permit.so
auth        optional    pam_smbpass.so migrate

COMMON-ACCOUNT:
account     sufficient  pam_ldap.so
account     required    pam_unix.so
account     requisite   pam_deny.so
account     required    pam_permit.so

COMMON-PASSWORD:
password    sufficient  pam_ldap.so
password    required    pam_unix.so nullok obscure min=4 max=8 md5
password    requisite   pam_deny.so
password    required    pam_permit.so
password    optional    pam_smbpass.so nullok use_authtok use_first_pass


COMMON-SESSION:
session     [default=1] pam_permit.so
session     requisite   pam_deny.so
session     required    pam_permit.so
session     required    pam_unix.so
session     optional    pam_ldap.so
session     optional    pam_ck_connector.so nox11

SSHD:
auth        required    pam_env.so # [1]
auth        required    pam_env.so envfile=/etc/default/locale
@include common-auth
account     required    pam_nologin.so
@include common-account
@include common-session
session     optional    pam_motd.so # [1]
session     optional    pam_mail.so standard noenv # [1]
session     required    pam_limits.so
@include common-password

LOGIN:
auth        requisite   pam_securetty.so
auth        requisite   pam_nologin.so
session     required    pam_selinux.so close
session     required    pam_env.so readenv=1
session     required    pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth        optional    pam_group.so
session     required    pam_limits.so
session     optional    pam_lastlog.so
session     optional    pam_motd.so
session     optional    pam_mail.so standard
@include common-account
@include common-session
@include common-password
session     required    pam_selinux.so open

SU:
auth        sufficient  pam_rootok.so
session     required    pam_env.so readenv=1
session     required    pam_env.so readenv=1 envfile=/etc/default/locale
session     optional    pam_mail.so nopen
@include common-auth
@include common-account
@include common-session

SAMBA:
@include common-auth
@include common-account
@include common-session


Tim Bates wrote:

dogb...@infinito.it wrote:

Thanks Oliver,
I will check all the files in /etc/pam.d
  

Check /etc/nsswitch.conf first. I think it may be your first problem.

I think that if I can succeed in authenticating via shell or ssh I can then
rule-out pam issues and work on samba configuration.

You need that working before you can start the Samba stages. Samba needs
those accounts working before it can work properly.


TB





Re: [Samba] Samba+Ldap problems

2009-06-03 Thread Tim Bates

dogb...@infinito.it wrote:

Thanks Oliver,
I will check all the files in /etc/pam.d
  

Check /etc/nsswitch.conf first. I think it may be your first problem.


I think that if I can succeed in authenticating via shell or ssh I can then
rule-out pam issues and work on samba configuration.

You need that working before you can start the Samba stages. Samba needs
those accounts working before it can work properly.


TB


Re: [Samba] Samba+Ldap problems

2009-06-03 Thread dogbert
Thanks Oliver,
I will check all the files in /etc/pam.d

My problems are with samba, but after a little troubleshooting I think that
some of them are originated at PAM/Ldap level, so I'm checking this first.
I've followed the guide taken from Ubuntu site:
https://help.ubuntu.com/8.10/serverguide/C/network-authentication.html

I think that if I can succeed in authenticating via shell or ssh I can then
rule-out pam issues and work on samba configuration.

Thanks,
Riccardo

- Original Message 
From: Olivier Nicole 
To: 
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba+Ldap problems
Date: 03/06/09 12:42

> 
> 
> Hi,
> 
> > I'm trying to use it to
> > login via ssh. This user cannot authenticate.
> > Here is the result from auth.log and some configurations files
> 
> This is not a samba problem but a SSH/Ubuntu/Ldap problem :)
> 
> You need both packages pam_ldap AND nss_ldap.
> 
> You need to configure both (configuration is very similar, but there
> may be some differences).
> 
> To give a brief explanation:
> 
> pam_ldap is used by ssh (you need to configure /etc/pam.d/ssh !) to
> accept the username and password
> 
> nss_ldap is used by things like getent, or to show your correct
> username and group when you do a "ls -l"
> 
> Now it much depends how your LDAP tree is organized, so I cannot give
> much more advice; what is the objectClass you use for your users? I am
> surprised to see that user and password belongs to different place in
> the LDAP tree. I am also surprised that the /etc/pam.d example you
> give do not contain a single reference to ldap...
> 
> There are good how-to floating on Google, that work you step by step.
> 
> 
> Best regards,
> 
> Olivier
> 




Re: [Samba] Samba+Ldap problems

2009-06-03 Thread Olivier Nicole
Hi,

> I'm trying to use it to
> login via ssh. This user cannot authenticate.
> Here is the result from auth.log and some configurations files

This is not a samba problem but a SSH/Ubuntu/Ldap problem :)

You need both packages pam_ldap AND nss_ldap.

You need to configure both (configuration is very similar, but there
may be some differences).

To give a brief explanation:

pam_ldap is used by ssh (you need to configure /etc/pam.d/ssh !) to
accept the username and password

nss_ldap is used by things like getent, or to show your correct
username and group when you do a "ls -l"

Now it much depends how your LDAP tree is organized, so I cannot give
much more advice; what is the objectClass you use for your users? I am
surprised to see that user and password belongs to different place in
the LDAP tree. I am also surprised that the /etc/pam.d example you
give do not contain a single reference to ldap...

There are good how-to floating on Google, that work you step by step.


Best regards,

Olivier


Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-16 Thread Volker Lendecke
On Sat, May 16, 2009 at 09:40:16AM +0100, Martin Edwards wrote:
> It looks like we've fixed this.  It seems msdfs is on by default.  By chance
> I disabled it:
> 
> host msdfs = no
> 
> No more memory leak!
> 
> At some point I will endeavour to recreate the old problem on a test box and
> find out why msdfs causes the memory leak and report back to the list.
> 
> Thank you for all your help.

Thanks a lot for that feedback!

If you can, please run that test box with valgrind --tool=memcheck

If you need any assistance with this, feel free to ask! I
*really* want to fix this :-)

Volker



Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-16 Thread Martin Edwards
It looks like we've fixed this.  It seems msdfs is on by default.  By chance
I disabled it:

host msdfs = no

No more memory leak!

At some point I will endeavour to recreate the old problem on a test box and
find out why msdfs causes the memory leak and report back to the list.

Thank you for all your help.

On Mon, May 11, 2009 at 10:00 PM, Martin Edwards <
martin.f.edwa...@googlemail.com> wrote:

> We will endeavour to do this on a test system in the next few days.
>
> Thanks once again for your assistance.
>
>
> On Mon, May 11, 2009 at 10:18 AM, Volker Lendecke <
> volker.lende...@sernet.de> wrote:
>
>> On Mon, May 11, 2009 at 10:11:50AM +0100, Martin Edwards wrote:
>> > Do you think notifies could be responsible for the memory leak?  Despite
>> > there being all of those entries they don't add up to anything like the
>> > usage of the process.
>>
>> It might be possible that we have a leak somewhere around
>> the notifies. Notifies are an operation that normal clients
>> do a lot less than IIS, that's why I think it might be that.
>>
>> Do you see a chance to run a test smbd with comparable load
>> under valgrind? This would almost 100% show the real leak.
>>
>> Volker
>>
>
>


Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-11 Thread Martin Edwards
We will endeavour to do this on a test system in the next few days.

Thanks once again for your assistance.

On Mon, May 11, 2009 at 10:18 AM, Volker Lendecke  wrote:

> On Mon, May 11, 2009 at 10:11:50AM +0100, Martin Edwards wrote:
> > Do you think notifies could be responsible for the memory leak?  Despite
> > there being all of those entries they don't add up to anything like the
> > usage of the process.
>
> It might be possible that we have a leak somewhere around
> the notifies. Notifies are an operation that normal clients
> do a lot less than IIS, that's why I think it might be that.
>
> Do you see a chance to run a test smbd with comparable load
> under valgrind? This would almost 100% show the real leak.
>
> Volker
>


Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-11 Thread Volker Lendecke
On Mon, May 11, 2009 at 10:11:50AM +0100, Martin Edwards wrote:
> Do you think notifies could be responsible for the memory leak?  Despite
> there being all of those entries they don't add up to anything like the
> usage of the process.

It might be possible that we have a leak somewhere around
the notifies. Notifies are an operation that normal clients
do a lot less than IIS, that's why I think it might be that.

Do you see a chance to run a test smbd with comparable load
under valgrind? This would almost 100% show the real leak.

Volker



Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-11 Thread Martin Edwards
Do you think notifies could be responsible for the memory leak?  Despite
there being all of those entries they don't add up to anything like the
usage of the process.


On Mon, May 11, 2009 at 9:55 AM, Volker Lendecke
wrote:

> On Mon, May 11, 2009 at 09:31:48AM +0100, Martin Edwards wrote:
> > Sorry it's taken so long to reply.  The pool-usage output for one such
> > process is here:
> >
> > http://samba.dreamhosters.com/pool-usage.txt
>
> Thanks for that output! It seems we need to do something
> with notifies.
>
> Volker
>


Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-11 Thread Volker Lendecke
On Mon, May 11, 2009 at 09:31:48AM +0100, Martin Edwards wrote:
> Sorry it's taken so long to reply.  The pool-usage output for one such
> process is here:
> 
> http://samba.dreamhosters.com/pool-usage.txt

Thanks for that output! It seems we need to do something
with notifies.

Volker



Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-11 Thread Martin Edwards
Samba version is 3.3.3.

On Mon, May 11, 2009 at 9:31 AM, Martin Edwards <
martin.f.edwa...@googlemail.com> wrote:

> Sorry it's taken so long to reply.  The pool-usage output for one such
> process is here:
>
> http://samba.dreamhosters.com/pool-usage.txt
>
> The problem has been mitigated somewhat just by giving the box more RAM but
> it's very frustrating.
>
>
> On Sat, May 2, 2009 at 9:31 AM, Volker Lendecke wrote:
>
>> On Fri, May 01, 2009 at 11:52:13PM +0100, Martin Edwards wrote:
>> > (Sorry, I meant to send this to the list first time around)
>> >
>> > Thanks very much for that.
>> >
>> > On a thread using 1.2GB pool-usage reports:
>> >
>> > full talloc report on 'null_context' (total 5898052 bytes in 39825
>> blocks)
>> >
>> > There are thousands of lib/charcnv.c:601 entries but all using only 1
>> block
>> > each.
>>
>> Can you post the whole output somewhere? Which exact Samba
>> version was this (needed for the line number)?  You wrote
>> that it happens with many versions. And, this obviously does
>> not account for 1.2GB, so there must be something else.
>>
>> Volker
>>
>
>


Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-11 Thread Martin Edwards
Sorry it's taken so long to reply.  The pool-usage output for one such
process is here:

http://samba.dreamhosters.com/pool-usage.txt

The problem has been mitigated somewhat just by giving the box more RAM but
it's very frustrating.

On Sat, May 2, 2009 at 9:31 AM, Volker Lendecke
wrote:

> On Fri, May 01, 2009 at 11:52:13PM +0100, Martin Edwards wrote:
> > (Sorry, I meant to send this to the list first time around)
> >
> > Thanks very much for that.
> >
> > On a thread using 1.2GB pool-usage reports:
> >
> > full talloc report on 'null_context' (total 5898052 bytes in 39825
> blocks)
> >
> > There are thousands of lib/charcnv.c:601 entries but all using only 1
> block
> > each.
>
> Can you post the whole output somewhere? Which exact Samba
> version was this (needed for the line number)?  You wrote
> that it happens with many versions. And, this obviously does
> not account for 1.2GB, so there must be something else.
>
> Volker
>


Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-02 Thread Volker Lendecke
On Fri, May 01, 2009 at 11:52:13PM +0100, Martin Edwards wrote:
> (Sorry, I meant to send this to the list first time around)
> 
> Thanks very much for that.
> 
> On a thread using 1.2GB pool-usage reports:
> 
> full talloc report on 'null_context' (total 5898052 bytes in 39825 blocks)
> 
> There are thousands of lib/charcnv.c:601 entries but all using only 1 block
> each.

Can you post the whole output somewhere? Which exact Samba
version was this (needed for the line number)?  You wrote
that it happens with many versions. And, this obviously does
not account for 1.2GB, so there must be something else.

Volker



Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-01 Thread Martin Edwards
(Sorry, I meant to send this to the list first time around)

Thanks very much for that.

On a thread using 1.2GB pool-usage reports:

full talloc report on 'null_context' (total 5898052 bytes in 39825 blocks)

There are thousands of lib/charcnv.c:601 entries but all using only 1 block
each.

On Fri, May 1, 2009 at 9:29 AM, Volker Lendecke
wrote:

> On Thu, Apr 30, 2009 at 02:55:46PM +0100, Martin Edwards wrote:
> > I'm not sure if this is a bug or a problem we are causing which is why
> I'm
> > posting to the list first in the hope that someone else might have come
> > across it.
> >
> > We have been using Samba quite successfully for a number of years.
>  However,
> > with this new setup we have a problem.
> >
> > We're using Samba as a backend for a web farm - 6 or 7 Windows servers
> > running IIS with all the website data under UNC paths and all the
> anonymous
> > web users and app pools running as domain users.
> >
> > Samba itself uses an LDAP backend.
> >
> > This setup works very nicely for our needs however we have an issue in
> that
> > each Samba process belonging to one of the web servers seems to consume
> RAM
> > indefinitely until it is killed.  When the servers are busy each thread
> can
> > use 1GB in 20 minutes.
> >
> > Obviously this is extremely abnormal memory usage.
> >
> > My only guess is that, when a page is requested on a website and not
> found,
> > Samba allocates the memory and does not free it?
> >
> > We have tried Samba 3.0, 3.2 and 3.3 (various iterations) and have
> > experienced exactly the same problem.
> >
> > Can anyone offer any insight.  I would be most grateful.
>
> Two steps: Can you run "smbcontrol  pool-usage" on a
> moderately large smbd and send the result? If that does not
> show anything suspicious, we will ask you to run it under
> valgrind --tool=memcheck. Be aware that this *significantly*
> slows down operation, so you might need some kind of plan
> how to do this. But it is the safest way to find out
> what's going on.
>
> Volker
>


Re: [Samba] Samba + LDAP + IIS = massive memory usage

2009-05-01 Thread Volker Lendecke
On Thu, Apr 30, 2009 at 02:55:46PM +0100, Martin Edwards wrote:
> I'm not sure if this is a bug or a problem we are causing which is why I'm
> posting to the list first in the hope that someone else might have come
> across it.
> 
> We have been using Samba quite successfully for a number of years.  However,
> with this new setup we have a problem.
> 
> We're using Samba as a backend for a web farm - 6 or 7 Windows servers
> running IIS with all the website data under UNC paths and all the anonymous
> web users and app pools running as domain users.
> 
> Samba itself uses an LDAP backend.
> 
> This setup works very nicely for our needs however we have an issue in that
> each Samba process belonging to one of the web servers seems to consume RAM
> indefinitely until it is killed.  When the servers are busy each thread can
> use 1GB in 20 minutes.
> 
> Obviously this is extremely abnormal memory usage.
> 
> My only guess is that, when a page is requested on a website and not found,
> Samba allocates the memory and does not free it?
> 
> We have tried Samba 3.0, 3.2 and 3.3 (various iterations) and have
> experienced exactly the same problem.
> 
> Can anyone offer any insight.  I would be most grateful.

Two steps: Can you run "smbcontrol  pool-usage" on a
moderately large smbd and send the result? If that does not
show anything suspicious, we will ask you to run it under
valgrind --tool=memcheck. Be aware that this *significantly*
slows down operation, so you might need some kind of plan
how to do this. But it is the safest way to find out
what's going on.

Volker



Re: [Samba] Samba + LDAP

2009-04-28 Thread Volker Lendecke
On Tue, Apr 28, 2009 at 11:39:48AM +0200, Vladimir Psenicka wrote:
> I have questions about Samba and LDAP.
> 
> I have samba configured as PDC with ldap, users and groups are in ldap,
> functional. I want to add another server as member server, I configured
> samba on that server with users/groups authentication against ldap on
> PDC, functional.
> 
> But I see this in ldap root:
> sambaDomainname=DOMAIN
> *sambaDomainname=HOSTNAME_OF_MEMBER_SERVER*
> 
> Why is member server creating sambaDomainname=HOSTNAME_OF_MEMBER_SERVER
> entry in ldap root? Is this needed for servers trusts?

Every machine with "passdb backend = ldapsam" creates its
own entry, as every machine has its own user database. This
is very much like the local SAM on Windows workstations
where you can log in as local administrator. This won't
happen if you don't set "passdb backend = ldapsam" and join
the servers into the domain.

Volker



Re: [Samba] Samba + LDAP = SLOW Help plesase

2009-04-02 Thread Ray Klassen
mysterious slowness sometimes has a timing out name service at its
back. Is WINS enabled on your server? Do the clients look to your
server as their WINS server? If a WINS lookup fails and then the
clients revert back to broadcast based name resolution, the symptoms
could be similar to what you're seeing.

On Thu, Apr 2, 2009 at 12:20 AM, Grey Karapetyan
 wrote:
> Thanks for the answers!
> But I use a Fedora Directory Server.
>
> I try to answer your questions:
> << what indexes do you have in slapd.conf?  what hardware is the server
> running on?
> Core2Quad/8gb ddr2
>
> < just OK. also. would you mind running slapindex on the server (turn off
> OpenLDAP first)?, then try if it affected your pdc performance
>
> Sorry, but I use FDS; here there is no config. All parameters are placed in
> the db. Any concrete parameters I should show you?
>
> < have a reasonable DB-CONFIG file or are you asserting reasonable DB values
> via cn=config? But these are all OpenLDAP questions and not specific to
> Samba. Test your DSA to see if it is fast enough, then move back to testing
> Samba.
>
> Are these OpenLDAP-specific parameters?
> If I use getent passwd | grep -i username, it works really fast (1-2 seconds).
> (From my Samba server)
>
>
> =
> News:
> Now shares show and open fast.
>
> But printers from Windows clients (when getting printer status) are SLOW, as
> before.
> Then I create a local user on the Samba server and disable the ldap backend -
> printers work fast too.
>
> =
> In man smb.conf I found 2 params
>  ldapsam:trusted=yes
>  ldapsam:editposix=yes
>
> Does somebody use this?


Re: [Samba] Samba + LDAP = SLOW Help plesase

2009-04-02 Thread Grey Karapetyan
Thanks for the answers!
But I use a Fedora Directory Server.

I try to answer your questions:
<< what indexes do you have in slapd.conf?  what hardware is the server
running on?
Core2Quad/8gb ddr2



Re: [Samba] Samba + LDAP = SLOW Help plesase

2009-04-01 Thread Adam Tauno Williams
 wrote:
>what indexes do you have in slapd.conf?  what hardware is the server 
>running on?

More important than anything else is your Berkeley environment.  Do you have
a reasonable DB-CONFIG file or are you asserting reasonable DB values via
cn=config?  But these are all OpenLDAP questions and not specific to Samba.
Test your DSA to see if it is fast enough, then move back to testing
Samba.


Re: [Samba] Samba + LDAP = SLOW Help plesase

2009-04-01 Thread Victor Medina
would you copy your slapd.conf  to us? the index section only would be just OK.

also. would you mind running slapindex on the server (turn off OpenLDAP
first)?, then try if it affected your pdc performance

Victor Medina

Bob Hope  - "You know you are getting old when the candles cost more
than the cake."


On Thu, Apr 2, 2009 at 12:50 PM, Adam Williams
 wrote:
> what indexes do you have in slapd.conf?  what hardware is the server running
> on?


Re: [Samba] Samba + LDAP = SLOW Help plesase

2009-04-01 Thread Adam Williams
what indexes do you have in slapd.conf?  what hardware is the server 
running on?



Re: [Samba] Samba + LDAP = SLOW Help plesase

2009-04-01 Thread David Wells

Grey Karapetyan wrote:

Hi Guys!
Samba suspiciously slow

i have:
CentOS 5.2 final
Samba 3.0.28-0.e15.8


LDAP server placed on another (not Samba) server
In ldap container "ou=Users" about 5000 entries

When Windows clients connect to samba - Authentication process S.L.O.W.
(about 20-30 seconds).
When number of entries is less - performance grows (when 10 users -
authentication process goes 1-2 seconds)

How can I tune up performance?

==
smb.conf


[global]
log file = /var/log/samba/samba.log.%m
log level = 3
domain logons = no
domain master = no
local master = no
preferred master = no
wins support = no
dns proxy = no
os level = 0
#   server setup ---
netbios name = testsrv
workgroup = TEST
security = user
passdb backend = ldapsam:ldap://x.x.x.x
ldap admin dn = cn=Directory Manager
ldap group suffix = ou=NTGroups
ldap idmap suffix = ou=Idmap
ldap suffix = dc=test
ldap user suffix = ou=Users
#   print setup ---
load printers = yes
printing = cups
printcap = cups
use client driver = yes
[printers]
comment = All Printers
path = /var/spool/samba
readonly = no
browseable = no
guest ok = yes
writable = no
printable = yes
[print$]
comment = Printer Driver Download Area
path = /etc/samba/drivers
browseable = yes
guest ok = yes
read only = yes


/etc/ldap.conf

uri ldap://x.x.x.x
base dc=test

binddn cn=Directory Manager
bindpw 


#pam_passwordexop
#pam_filter  objectclass=sambaSamAccount

nss_base_passwd ou=Users,dc=test
nss_base_shadow ou=Users,dc=test
nss_base_group ou=NTGroups,dc=test
ssl no
  
I would bet this is not a samba issue but an LDAP issue, specifically in 
the indexing of your database


Greetings,
David Wells.



Re: [Samba] Samba/LDAP Backend: Error NT_STATUS_CONNECTION_REFUSED

2009-03-27 Thread Todd E Thomas
the answers follow the questions below:

did you run testparm -s and look for errors in smb.conf?
---
  Yes, I ran this a 1000 times. The answer: run it 1,001 times-
  There was a problem with wins
wins support = yes
wins server = 10.0.0.14
I kept wins server as that was in a sample at samba.org:
http://wiki.samba.org/index.php/1.0._Configuring_Samba#1.1._smb.conf_PDC

testparm -s now executes without error.
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
===

you don't need these two lines in smb.conf anymore:
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .

since you are using ldap and have ldap passwd sync = yes
---
This I found in the walk-through for combining samba/zimbra. I'm a bit novice
so I ran with it:
http://wiki.zimbra.com/index.php?title=UNIX_and_Windows_Accounts_in_Zimbra_LDAP_and_Zimbra_Admin_UI#Configuring_Samba

I'll try to create a few new users without these lines.
===

also, your ldap admin dn is wrong.  what is it in your slapd.conf file? 
it should be something like  ldap admin dn = 
cn=Manager,dc=zmail,dc=ptest,dc=us
---
Actually this is correct for the zimbra implementation of openldap. I don't 
agree with getting so far away from a 'normal' OpenLDAP config but they must
have run into a snag along the way that necessitated this change.
===

did you do smbpasswd -w
---
Yes. It worked as expected. 
===

The error still persists.

# service smb status
smbd dead but pid file exists
nmbd (pid 31030) is running...

It only stays on for a few minutes after you start it, then dies. There is 
nothing dropped in any log. This makes me think that whatever it is - is fatal; 
for the life of me I can't imagine what would cause that.

T




--- awill...@mdah.state.ms.us wrote:

From: Adam Williams 
To: todd_...@ssiresults.com
CC: samba@lists.samba.org
Subject: Re: [Samba] Samba/LDAP Backend: Error NT_STATUS_CONNECTION_REFUSED
Date: Fri, 27 Mar 2009 08:43:24 -0500

did you run testparm -s and look for errors in smb.conf? 

you don't need these two lines in smb.conf anymore:

  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .


since you are using ldap and have ldap passwd sync = yes

also, your ldap admin dn is wrong.  what is it in your slapd.conf file? 
it should be something like  ldap admin dn = 
cn=Manager,dc=zmail,dc=ptest,dc=us

did you do smbpasswd -w

Todd E Thomas wrote:
> When I run this command I am not prompted for a password, I just get the 
> below error.
>
> # smbclient -U root //zmail/homes
> Error connecting to 10.0.0.14 (Connection refused)
> Connection to zmail failed (Error NT_STATUS_CONNECTION_REFUSED)
> ---
> Now for the back story:
>   CentOS v5.2 with Samba v3.0.28-1.el5_2.1 and Zimbra 5.0.11_GA on x86_64 
> hardware.
>
> I'm attempting to connect samba (PDC) with zimbra's included openldap. 
> everything appeared to work correctly on an individual basis (samba, zimbra, 
> openldap) and openldap appears to be working correctly via ldapsearch. 
>
> Once I ran authconfig things went a little crazy for samba. I think it's not 
> able to communicate with ldap and I'm not sure what tools and methods there 
> are for a procedural verification of their intercommunication.
>
> Is there such a resource?
>
> As a result, there are a few errors. The one above and one other; smbd keeps 
> dying on me. As I am a novice I'm not sure if these things are related or 
> not. The conf is below.
>
> # service smb status
> smbd dead but pid file exists
> nmbd (pid 9072) is running...
>
>
> Thanks in advance,
>
> Todd E Thomas
> ===
> The host is zmail = 10.0.0.14
> ---
> [global]
>   netbios name = zmail
>   workgroup = OFFICE
>   security = user
>   server string = Palladium %v
>   wins support = yes
>   dns proxy = no
>   name resolve order = wins hosts lmhosts bcast
>   wins server = 10.0.0.14
>   log file = /var/log/samba/log.%m
>   log level = 6
>   max log size = 1000
>   syslog only = no
>   syslog = 0
>   panic action = /usr/share/samba/panic-action %d
>   enable privileges = yes
>   encrypt passwords = yes
> ## Use ldap for auth
>   ldap passwd sync = yes
>   passdb backend = ldapsam:ldaps://zmail.ptest.us/
> #  ldap port = 636
>   ldap admin dn = "cn=config"
>   ldap suffix = dc=ptest,dc=us
>   ldap group suffix = ou=groups
>   ldap user suffix = ou=people
>   ldap machine suffix = ou=machines
>   obey pam restrictions = no
>   passwd program = /usr/bin/passwd %u
>   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
> *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessf

Re: [Samba] Samba/LDAP Backend: Error NT_STATUS_CONNECTION_REFUSED

2009-03-27 Thread Adam Williams
did you run testparm -s and look for errors in smb.conf? 


you don't need these two lines in smb.conf anymore:

 passwd program = /usr/bin/passwd %u
 passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .


since you are using ldap and have ldap passwd sync = yes

also, your ldap admin dn is wrong.  what is it in your slapd.conf file? 
it should be something like  ldap admin dn = 
cn=Manager,dc=zmail,dc=ptest,dc=us


did you do smbpasswd -w

Todd E Thomas wrote:

When I run this command I am not prompted for a password, I just get the below 
error.

# smbclient -U root //zmail/homes
Error connecting to 10.0.0.14 (Connection refused)
Connection to zmail failed (Error NT_STATUS_CONNECTION_REFUSED)
---
Now for the back story:
  CentOS v5.2 with Samba v3.0.28-1.el5_2.1 and Zimbra 5.0.11_GA on x86_64 
hardware.

I'm attempting to connect samba (PDC) with zimbra's included openldap. everything appeared to work correctly on an individual basis (samba, zimbra, openldap) and openldap appears to be working correctly via ldapsearch. 


Once I ran authconfig things went a little crazy for samba. I think it's not 
able to communicate with ldap and I'm not sure what tools and methods there are 
for a procedural verification of their intercommunication.

Is there such a resource?

As a result, there are a few errors. The one above and one other; smbd keeps 
dying on me. As I am a novice I'm not sure if these things are related or not. 
The conf is below.

# service smb status
smbd dead but pid file exists
nmbd (pid 9072) is running...


Thanks in advance,

Todd E Thomas
===
The host is zmail = 10.0.0.14
---
[global]
  netbios name = zmail
  workgroup = OFFICE
  security = user
  server string = Palladium %v
  wins support = yes
  dns proxy = no
  name resolve order = wins hosts lmhosts bcast
  wins server = 10.0.0.14
  log file = /var/log/samba/log.%m
  log level = 6
  max log size = 1000
  syslog only = no
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  enable privileges = yes
  encrypt passwords = yes
## Use ldap for auth
  ldap passwd sync = yes
  passdb backend = ldapsam:ldaps://zmail.ptest.us/
#  ldap port = 636
  ldap admin dn = "cn=config"
  ldap suffix = dc=ptest,dc=us
  ldap group suffix = ou=groups
  ldap user suffix = ou=people
  ldap machine suffix = ou=machines
  obey pam restrictions = no
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
  domain master = yes
  domain logons = yes
  os level = 33
  preferred master = yes
  local master = yes
  logon path = \\zmail.ptest.us\%U\profile
  logon home = \\zmail.ptest.us\%U
  add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
  add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet 
--gecos "machine account" --force-badname %u
  socket options = TCP_NODELAY
[homes]
  comment = Home Directories
  browseable = yes
  read only = No
  valid users = %S
[netlogon]
  comment = Network Logon Service
  path = /export/netlogon
  read only = yes
  write list = +ntadmin
  locking = no
===
  



Re: [Samba] Samba LDAP troubleshooting

2009-03-19 Thread Adam Williams



Brad C wrote:

Hi There,

Yep, Ok now I understand the SID needs to be the same as the server the
client formed the initial security relationship with,

Is this correct?

Kind Regards
Brad


yes.


Re: [Samba] Samba LDAP troubleshooting

2009-03-18 Thread Brad C
Hi There,

Yep, Ok now I understand the SID needs to be the same as the server the
client formed the initial security relationship with,

Is this correct?

Kind Regards
Brad

On Tue, Mar 17, 2009 at 7:47 PM, Adam Williams wrote:

> well the user's sid is invalid.  does it match the domain's sid with net
> getdomainsid?
>
>
> Brad C wrote:
>
>> Hello
>>
>> I'm hoping someone can provide some insight, sample snippet from smb.conf
>> and the samba log.
>> Password authentication is working & succeeding, complains about an
>> invalid
>> SID which I know is the trust relationship that is formed between server
>> and
>> client, this is a duplicate ldap database from a samba domain controller.
>>
>> On the topic, anyone have a good book to recommend on Samba, I feel I am
>> only using 10% of its capability and not really well at that... something
>> is
>> staring me in the face and I'm missing it.
>>
>> [global]
>>workgroup = companyx
>>printing = cups
>>hosts allow = 192.168.1.
>>printcap name = cups
>>printcap cache time = 750
>>cups options = raw
>>map to guest = Bad User
>>include = /etc/samba/dhcp.conf
>>security = user
>>encrypt passwords = Yes
>>obey pam restrictions = No
>>log level = 2
>>passdb backend = ldapsam:ldap://127.0.0.1/
>>ldap admin dn = cn=manager,dc=companyx,dc=co,dc=za
>>ldap suffix = dc=companyx,dc=co,dc=za
>>ldap group suffix = ou=Groups
>>ldap user suffix = ou=Users
>>ldap machine suffix = ou=Computers
>>ldap idmap suffix = ou=Users
>>ldap ssl = off
>>ldap delete dn = Yes
>>
>> [testdir]
>>comment = test1
>>path = "/data/test"
>>browseable = yes
>>writable = yes
>>read only = no
>>available = yes
>>valid users = bradleyc
>>admin users = bradleyc
>>
>>
>>
>> [2009/03/13 08:36:39,  2] lib/access.c:check_access(406)
>>   Allowed connection from ___192.168.2.154 (:::192.168.2.154)
>> [2009/03/13 08:36:39,  2] lib/smbldap.c:smbldap_open_connection(796)
>>   smbldap_open_connection: connection opened
>> [2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
>>   init_sam_from_ldap: Entry found for user: bradleyc
>> [2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>>   init_group_from_ldap: Entry found for group: 513
>> [2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>>   init_group_from_ldap: Entry found for group: 513
>> [2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>>   init_group_from_ldap: Entry found for group: 1010
>> [2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>>   init_group_from_ldap: Entry found for group: 512
>> [2009/03/13 08:36:39,  2] auth/auth.c:check_ntlm_password(308)
>>   check_ntlm_password:  authentication for user [bradleyc] -> [bradleyc] -> [bradleyc] succeeded
>> [2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>>   init_group_from_ldap: Entry found for group: 544
>> [2009/03/13 08:36:39,  2] lib/access.c:check_access(406)
>>   Allowed connection from :::192.168.2.154 (:::192.168.2.154)
>> [2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
>>   init_sam_from_ldap: Entry found for user: bradleyc
>> [2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
>>   init_group_from_ldap: Entry found for group: 513
>> [2009/03/13 08:36:39,  0] passdb/passdb.c:lookup_global_sam_name(595)
>>   User bradleyc with invalid SID S-1-5-21-1571991244-1820204139-1100571284-3420 in passdb
>> [2009/03/13 08:36:39,  2] smbd/service.c:make_connection_snum(736)
>>   user 'bradleyc' (from session setup) not permitted to access this share (testdir)
>>
>>
>


Re: [Samba] Samba LDAP troubleshooting

2009-03-17 Thread Adam Williams
well the user's sid is invalid.  does it match the domain's sid with net 
getdomainsid?


Brad C wrote:

Hello

I'm hoping someone can provide some insight, sample snippet from smb.conf
and the samba log.
Password authentication is working & succeeding, complains about an invalid
SID which I know is the trust relationship that is formed between server and
client, this is a duplicate ldap database from a samba domain controller.

On the topic, anyone have a good book to recommend on Samba, I feel I am
only using 10% of its capability and not really well at that... something is
staring me in the face and I'm missing it.

[global]
workgroup = companyx
printing = cups
hosts allow = 192.168.1.
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
security = user
encrypt passwords = Yes
obey pam restrictions = No
log level = 2
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=manager,dc=companyx,dc=co,dc=za
ldap suffix = dc=companyx,dc=co,dc=za
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
ldap ssl = off
ldap delete dn = Yes

[testdir]
comment = test1
path = "/data/test"
browseable = yes
writable = yes
read only = no
available = yes
valid users = bradleyc
admin users = bradleyc



[2009/03/13 08:36:39,  2] lib/access.c:check_access(406)
  Allowed connection from ___192.168.2.154 (:::192.168.2.154)
[2009/03/13 08:36:39,  2] lib/smbldap.c:smbldap_open_connection(796)
  smbldap_open_connection: connection opened
[2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
  init_sam_from_ldap: Entry found for user: bradleyc
[2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
  init_group_from_ldap: Entry found for group: 513
[2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
  init_group_from_ldap: Entry found for group: 513
[2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
  init_group_from_ldap: Entry found for group: 1010
[2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
  init_group_from_ldap: Entry found for group: 512
[2009/03/13 08:36:39,  2] auth/auth.c:check_ntlm_password(308)
  check_ntlm_password:  authentication for user [bradleyc] -> [bradleyc] -> [bradleyc] succeeded
[2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
  init_group_from_ldap: Entry found for group: 544
[2009/03/13 08:36:39,  2] lib/access.c:check_access(406)
  Allowed connection from :::192.168.2.154 (:::192.168.2.154)
[2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
  init_sam_from_ldap: Entry found for user: bradleyc
[2009/03/13 08:36:39,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
  init_group_from_ldap: Entry found for group: 513
[2009/03/13 08:36:39,  0] passdb/passdb.c:lookup_global_sam_name(595)
  User bradleyc with invalid SID S-1-5-21-1571991244-1820204139-1100571284-3420 in passdb
[2009/03/13 08:36:39,  2] smbd/service.c:make_connection_snum(736)
  user 'bradleyc' (from session setup) not permitted to access this share (testdir)
  



Re: [Samba] Samba LDAP troubleshooting

2009-03-13 Thread Brad C
Hi Julian,

It is not acting as a domain controller, I would like to use the ldap
backend of the pdc to authenticate instead of having to setup separate
passwords.
I have not reset passwords, it's a duplicate database of the pdc.

net getlocalsid

SID for domain ITSHARE is: S-1-5-21-1243312448-3956249592-3341015638

Kind Regards
Brad


On Fri, Mar 13, 2009 at 12:39 PM,  wrote:

> Hiya,
>
> A few questions.
>
> Is the machine a PDC
>
> what's the output of the command "net getlocalsid" in a terminal
>
> What scripts are you using to change passwords? smbldaptools?
>
> Cheers,
>
> Julian
>
>
> > Hello
> >
> > I'm hoping someone can provide some insight, sample snippet from smb.conf
> > and the samba log.
> > Password authentication is working & succeeding, complains about an
> > invalid
> > SID which I know is the trust relationship that is formed between server
> > and
> > client, this is a duplicate ldap database from a samba domain controller.
> >
> > On the topic, anyone have a good book to recommend on Samba, I feel I am
> > only using 10% of its capability and not really well at that... something
> > is
> > staring me in the face and Im missing it.
> >
> > [global]
> > workgroup = companyx
> > printing = cups
> > hosts allow = 192.168.1.printcap name = cups
> > printcap cache time = 750
> > cups options = raw
> > map to guest = Bad User
> > include = /etc/samba/dhcp.conf
> > security = user
> > encrypt passwords = Yes
> > obey pam restrictions = No
> > log level = 2
> > passdb backend = ldapsam:ldap://127.0.0.1/
> > ldap admin dn = cn=manager,dc=companyx,dc=co,dc=za
> > ldap suffix = dc=companyx,dc=co,dc=za
> > ldap group suffix = ou=Groups
> > ldap user suffix = ou=Users
> > ldap machine suffix = ou=Computers
> > ldap idmap suffix = ou=Users
> > ldap ssl = off
> > ldap delete dn = Yes
> >
> > [testdir]
> > comment = test1
> > path = "/data/test"
> > browseable = yes
> > writable = yes
> > read only = no
> > available = yes
> > valid users = bradleyc
> > admin users = bradleyc
> >
> >
> >
> > [2009/03/13 08:36:39,  2]
> > lib/access.c:check_access(406)
> >
> >   Allowed connection from ___192.168.2.154
> > (:::192.168.2.154)
> >
> > [2009/03/13 08:36:39,  2]
> > lib/smbldap.c:smbldap_open_connection(796)
> >
> >   smbldap_open_connection: connection
> > opened
> >
> > [2009/03/13 08:36:39,  2]
> > passdb/pdb_ldap.c:init_sam_from_ldap(571)
> >
> >   init_sam_from_ldap: Entry found for user:
> > bradleyc
> >
> > [2009/03/13 08:36:39,  2]
> > passdb/pdb_ldap.c:init_group_from_ldap(2344)
> >
> >   init_group_from_ldap: Entry found for group:
> > 513
> >
> > [2009/03/13 08:36:39,  2]
> > passdb/pdb_ldap.c:init_group_from_ldap(2344)
> >
> >   init_group_from_ldap: Entry found for group:
> > 513
> >
> > [2009/03/13 08:36:39,  2]
> > passdb/pdb_ldap.c:init_group_from_ldap(2344)
> >
> >   init_group_from_ldap: Entry found for group:
> > 1010
> >
> > [2009/03/13 08:36:39,  2]
> > passdb/pdb_ldap.c:init_group_from_ldap(2344)
> >
> >   init_group_from_ldap: Entry found for group:
> > 512
> >
> > [2009/03/13 08:36:39,  2]
> > auth/auth.c:check_ntlm_password(308)
> >
> >   check_ntlm_password:  authentication for user [bradleyc] -> [bradleyc]
> > ->
> > [bradleyc] succeeded
> > [2009/03/13 08:36:39,  2]
> > passdb/pdb_ldap.c:init_group_from_ldap(2344)
> >
> >   init_group_from_ldap: Entry found for group:
> > 544
> >
> > [2009/03/13 08:36:39,  2]
> > lib/access.c:check_access(406)
> >
> >   Allowed connection from :::192.168.2.154
> > (:::192.168.2.154)
> >
> > [2009/03/13 08:36:39,  2]
> > passdb/pdb_ldap.c:init_sam_from_ldap(571)
> >
> >   init_sam_from_ldap: Entry found for user:
> > bradleyc
> >
> > [2009/03/13 08:36:39,  2]
> > passdb/pdb_ldap.c:init_group_from_ldap(2344)
> >
> >   init_group_from_ldap: Entry found for group:
> > 513
> >
> > [2009/03/13 08:36:39,  0]
> > passdb/passdb.c:lookup_global_sam_name(595)
> >
> >   User bradleyc with invalid SID
> > S-1-5-21-1571991244-1820204139-1100571284-3420 in
> > passdb
> > [2009/03/13 08:36:39,  2]
> > smbd/service.c:make_connection_snum(736)
> >
> >   user 'bradleyc' (from session setup) not permitted to access this share
> > (testdir)
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
>
>
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
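
The comparison that the two values in this thread invite, as an added example (not code from any poster or from Samba): it extracts the account SID from the `invalid SID` log entry and checks its domain part against the `net getlocalsid` output. The function names are made up for this illustration; the sample strings are the values quoted above, embedded as constructed input.

```python
import re

# Constructed sample input: the two values quoted in the thread above,
# with the log entry wrapped across lines the way the archive shows it.
SAMPLE_LOG = """\
[2009/03/13 08:36:39,  0]
passdb/passdb.c:lookup_global_sam_name(595)

  User bradleyc with invalid SID
S-1-5-21-1571991244-1820204139-1100571284-3420 in
passdb
"""
SAMPLE_GETLOCALSID = (
    "SID for domain ITSHARE is: S-1-5-21-1243312448-3956249592-3341015638"
)

# An account SID is the domain SID (three sub-authorities after 21) plus a RID.
INVALID_SID_RE = re.compile(
    r"User (\S+) with invalid SID (S-1-5-21(?:-\d+){4}) in passdb"
)
LOCAL_SID_RE = re.compile(r"SID for domain (\S+) is: (S-1-5-21(?:-\d+){3})\s*$")


def split_account_sid(sid):
    """Split an account SID into (domain SID, RID)."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def parse_getlocalsid(output):
    """Return (name, SID) from one line of `net getlocalsid` output."""
    match = LOCAL_SID_RE.search(output.strip())
    if match is None:
        raise ValueError("no domain SID found in net getlocalsid output")
    return match.group(1), match.group(2)


def find_invalid_sids(log_text):
    """Return (user, account SID) pairs from 'invalid SID' log entries."""
    # Collapse all whitespace first so wrapped log entries still match.
    flat = " ".join(log_text.split())
    return INVALID_SID_RE.findall(flat)


def diagnose(log_text, getlocalsid_output):
    """Compare each rejected account SID's domain part with the local SID."""
    name, local_sid = parse_getlocalsid(getlocalsid_output)
    findings = []
    for user, account_sid in find_invalid_sids(log_text):
        domain_sid, rid = split_account_sid(account_sid)
        findings.append({
            "user": user,
            "rid": rid,
            "account_domain_sid": domain_sid,
            "local_name": name,
            "local_sid": local_sid,
            "same_domain": domain_sid == local_sid,
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG, SAMPLE_GETLOCALSID):
        verdict = "matches" if f["same_domain"] else "does NOT match"
        print(f"{f['user']} (RID {f['rid']}): account domain SID "
              f"{f['account_domain_sid']} {verdict} {f['local_name']} "
              f"SID {f['local_sid']}")
```

For the values in this thread the domain part of the account SID stored in LDAP differs from the SID the file server reports for itself.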


Re: [Samba] Samba LDAP troubleshooting

2009-03-13 Thread jpb
Hiya,

A few questions.

Is the machine a PDC

what's the output of the command "net getlocalsid" in a terminal

What scripts are you using to change passwords? smbldaptools?

Cheers,

Julian


> Hello
>
> I'm hoping someone can provide some insight, sample snippet from smb.conf
> and the samba log.
> Password authentication is working & succeeding, complains about an
> invalid
> SID which I know is the trust relationship that is formed between server
> and
> client, this is a duplicate ldap database from a samba domain controller.
>
> On the topic, anyone have a good book to recommend on Samba, I feel I am
> only using 10% of its capability and not really well at that... something
> is
> staring me in the face and Im missing it.
>
> [global]
> workgroup = companyx
> printing = cups
> hosts allow = 192.168.1.printcap name = cups
> printcap cache time = 750
> cups options = raw
> map to guest = Bad User
> include = /etc/samba/dhcp.conf
> security = user
> encrypt passwords = Yes
> obey pam restrictions = No
> log level = 2
> passdb backend = ldapsam:ldap://127.0.0.1/
> ldap admin dn = cn=manager,dc=companyx,dc=co,dc=za
> ldap suffix = dc=companyx,dc=co,dc=za
> ldap group suffix = ou=Groups
> ldap user suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Users
> ldap ssl = off
> ldap delete dn = Yes
>
> [testdir]
> comment = test1
> path = "/data/test"
> browseable = yes
> writable = yes
> read only = no
> available = yes
> valid users = bradleyc
> admin users = bradleyc
>
>
>
> [2009/03/13 08:36:39,  2]
> lib/access.c:check_access(406)
>
>   Allowed connection from ___192.168.2.154
> (:::192.168.2.154)
>
> [2009/03/13 08:36:39,  2]
> lib/smbldap.c:smbldap_open_connection(796)
>
>   smbldap_open_connection: connection
> opened
>
> [2009/03/13 08:36:39,  2]
> passdb/pdb_ldap.c:init_sam_from_ldap(571)
>
>   init_sam_from_ldap: Entry found for user:
> bradleyc
>
> [2009/03/13 08:36:39,  2]
> passdb/pdb_ldap.c:init_group_from_ldap(2344)
>
>   init_group_from_ldap: Entry found for group:
> 513
>
> [2009/03/13 08:36:39,  2]
> passdb/pdb_ldap.c:init_group_from_ldap(2344)
>
>   init_group_from_ldap: Entry found for group:
> 513
>
> [2009/03/13 08:36:39,  2]
> passdb/pdb_ldap.c:init_group_from_ldap(2344)
>
>   init_group_from_ldap: Entry found for group:
> 1010
>
> [2009/03/13 08:36:39,  2]
> passdb/pdb_ldap.c:init_group_from_ldap(2344)
>
>   init_group_from_ldap: Entry found for group:
> 512
>
> [2009/03/13 08:36:39,  2]
> auth/auth.c:check_ntlm_password(308)
>
>   check_ntlm_password:  authentication for user [bradleyc] -> [bradleyc]
> ->
> [bradleyc] succeeded
> [2009/03/13 08:36:39,  2]
> passdb/pdb_ldap.c:init_group_from_ldap(2344)
>
>   init_group_from_ldap: Entry found for group:
> 544
>
> [2009/03/13 08:36:39,  2]
> lib/access.c:check_access(406)
>
>   Allowed connection from :::192.168.2.154
> (:::192.168.2.154)
>
> [2009/03/13 08:36:39,  2]
> passdb/pdb_ldap.c:init_sam_from_ldap(571)
>
>   init_sam_from_ldap: Entry found for user:
> bradleyc
>
> [2009/03/13 08:36:39,  2]
> passdb/pdb_ldap.c:init_group_from_ldap(2344)
>
>   init_group_from_ldap: Entry found for group:
> 513
>
> [2009/03/13 08:36:39,  0]
> passdb/passdb.c:lookup_global_sam_name(595)
>
>   User bradleyc with invalid SID
> S-1-5-21-1571991244-1820204139-1100571284-3420 in
> passdb
> [2009/03/13 08:36:39,  2]
> smbd/service.c:make_connection_snum(736)
>
>   user 'bradleyc' (from session setup) not permitted to access this share
> (testdir)
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
>




Re: [Samba] Samba + LDAP problem

2009-02-05 Thread plug bert
Ran into the same problem too. what i did was 

1. create a generic barebones smb.conf (i.e. no ldap backend and such),
2. started up samba
3. shut down samba
4. edited smb.conf to support ldap backend
5. started up samba

it may have something to do with samba not generating an SID when configured to 
support LDAP at the onset.


*or*, just do the setlocalsid thing as Mr. Björn Jacke has suggested



--- On Wed, 2/4/09, Agustin Eguia  wrote:

> From: Agustin Eguia 
> Subject: [Samba] Samba + LDAP problem
> To: samba@lists.samba.org
> Date: Wednesday, February 4, 2009, 5:44 AM
> Hello everyone, I have a question here that has been giving
> me troubles :
> 
> I installed my PDC with samba + LDAP... everything seems to
> work just fine (user creation, population, groups, users and
> machines connecting to the domain)... but one thing keeps
> not working : net getlocalsid... I keep getting this message
> : Can't fetch domain SID for name: MACHINENAME
> 
> 
> I searched the internet like crazy even asked in IRC
> channels but no luck... can anyone enlight me on this one ?
> 
> 
> Thanks,
> 
> 
> A.
> -- To unsubscribe from this list go to the following URL
> and read the
> instructions: 
> https://lists.samba.org/mailman/options/samba





Re: [Samba] Samba + LDAP problem

2009-02-04 Thread Björn Jacke
On 2009-02-03 at 17:44 +0100 Agustin Eguia sent off:
> Hello everyone, I have a question here that has been giving me troubles :
>
> I installed my PDC with samba + LDAP... everything seems to work just fine 
> (user creation, population, groups, users and machines connecting to the 
> domain)... but one thing keeps not working : net getlocalsid... I keep 
> getting this message : Can't fetch domain SID for name: MACHINENAME
>
>
> I searched the internet like crazy even asked in IRC channels but no 
> luck... can anyone enlight me on this one ?

I saw something like that, looks like the localsid initialization logic is broken.
Take a look at https://bugzilla.samba.org/show_bug.cgi?id=6033 for description
and workaround.

Cheers
Björn
-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen


Re: [Samba] Samba + LDAP problem

2009-02-03 Thread Adam Williams
http://www.samba.org/samba/docs/man/Samba-Guide/happy.html#sbehap-massive

Samba-3 generates a Windows Security Identifier (SID) only when smbd has
been started. For this reason, you start Samba. After a few seconds
delay, execute:

root#  smbclient -L localhost -U%
root#  net getlocalsid

A report such as the following means that the domain SID has not yet been
written to the secrets.tdb or to the LDAP backend:

[2005/03/03 23:19:34, 0] lib/smbldap.c:smbldap_connect_system(852)
  failed to bind to server ldap://massive.abmas.biz
with dn="cn=Manager,dc=abmas,dc=biz" Error: Can't contact LDAP server
(unknown)
[2005/03/03 23:19:48, 0] lib/smbldap.c:smbldap_search_suffix(1169)
  smbldap_search_suffix: Problem during the LDAP search:
(unknown) (Timed out)

The attempt to read the SID will cause an attempted bind to the LDAP
server. Because the LDAP server is not running, this operation will fail
by way of a timeout, as shown previously. This is normal output; do not
worry about this error message. When the domain has been created and
written to the secrets.tdb file, the output should look like this:

SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765

If, after a short delay (a few seconds), the domain SID has still not been
written to the secrets.tdb file, it is necessary to investigate what may
be misconfigured. In this case, carefully check the smb.conf file for
typographical errors (the most common problem). The use of the testparm is
highly recommended to validate the contents of this file.

> Hello everyone, I have a question here that has been giving me troubles :
>
> I installed my PDC with samba + LDAP... everything seems to work just
> fine (user creation, population, groups, users and machines connecting
> to the domain)... but one thing keeps not working : net getlocalsid... I
> keep getting this message : Can't fetch domain SID for name: MACHINENAME
>
>
> I searched the internet like crazy even asked in IRC channels but no
> luck... can anyone enlight me on this one ?
>
>
> Thanks,
>
>
> A.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>




Re: [Samba] samba / ldap problem with cpu load

2009-01-14 Thread Harry Jede
On Friday, 9 January 2009 23:57, franck molle wrote:
> First of all, I am french. My english is not very good and i am sorry
> for this ;).
>
> One month ago, I have upgrade my server in debian Etch (it was in
> debian sarge). So now, samba is in 3.0.24 version. My server use
> samba and ldap.
>
> Since this upgrade, i have some problems with cpu loading when the
> users log on the samba domain (smbd and slapd services).
>
> I have take a look at samba log but i don't see anything. After that,
> i have take a look on the ldap logs in debug level 256.
>
> I can see the problem in the logs but i can't explain it, i hope you
> can help me about it.
> In the log file, i have this entry thousand of time (2 entry)
> base="ou=Groups,ou=clg-hugo-gisors,ou=ac-rouen,ou=education,o=gouv,c=fr" scope=2 deref=0
> filter="(&(objectClass=sambaGroupMapping)(gidNumber=0))"
Reconfigure the package libnss-ldap, so that libnss uses an anonymous 
bind.

Or manually disable the rootdn statement in /etc/libnss-ldap.conf and 
restart nscd.

Maybe, you must invalidate the cache with
nscd -i group
nscd -i passwd

> thanks for your help, bye
>
> --
> ~~
>   Franck MOLLE
>   Animateur de Secteur
>   Relais assistance Tice, Louviers-Vernon
> ~~

-- 

Regards
Harry Jede


Re: RE [Samba] samba & ldap how work group ?

2008-12-01 Thread franck dufau

PERFECT !

Many thanks !!

Stéphane PURNELLE wrote:
> look for smbldap account as this URL : 
> https://gna.org/projects/smbldap-tools/
> 
> You will find tools for manage user and group in ldap witn same usage than 
>  passwd management.
> You can find here (in french) some ACL information : 
> http://www.linuxplusvalue.be/mylpv.php?id=153
> 
> ---
> Stéphane PURNELLE [EMAIL PROTECTED]
> Service Informatique   Corman S.A.   Tel : 00 32 087/342467
> 
> franck dufau <[EMAIL PROTECTED]> wrote on 01/12/2008 15:52:20:
> 
> YES posixAccount is in my ldap tree !
> 
> perhaps everything is ok in fact !
> 
> i need to find a doc for ACL...!!!
> 
> my pb is all user i create are in group : Domain Users
> 
> i want to add an new/other group for an user
> 
> can a user be in many group in ldap ?
> 
> i don't know how to do this !
> 
> cordialement
> 
> Franck Dufau
> 
> Stéphane PURNELLE wrote:
>>>> Have you posixAccount objectclass in your ldap tree?
>>>>
>>>> If getent work fine, you can set ACL on group same as you want.
>>>>
>>>> Is secure if users cannot connect to samba PDC.
>>>>
>>>>
>>>> ---
>>>> Stéphane PURNELLE [EMAIL PROTECTED]
>>>> Service Informatique   Corman S.A.       Tel : 00 32 
>> 087/342467
>>>>
>>>>
>>>> franck dufau <[EMAIL PROTECTED]> 
>>>> 01/12/2008 15:22
>>>>
>>>> A
>>>> Stéphane PURNELLE <[EMAIL PROTECTED]>
>>>> cc
>>>> samba@lists.samba.org
>>>> Objet
>>>> Re: RE [Samba] samba & ldap how work group ?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> hye tks for answer,
>>>>
>>>> libnss-ldap.conf & libpam-ldap are installed...
>>>>
>>>> actualy i have modifie libnss-ldap.conf like this :
>>>>
>>>> host 127.0.0.1
>>>> base dc=domaine,dc=local
>>>> uri ldap://127.0.0.1
>>>> rootbinddn cn=admin,dc=domaine,dc=local
>>>> bind_policy soft
>>>>
>>>> and pam_ldap.conf like this :
>>>>
>>>> host 127.0.0.1
>>>> base dc=domaine,dc=local
>>>> uri ldap://127.0.0.1/
>>>>
>>>> i have modifie too nsswitch.conf like this :
>>>>
>>>> passwd:  compat  ldap
>>>> group:   compat  ldap
>>>> shadow: compat   ldap
>>>>
>>>> like this win station can use samba pdc with ldap authentification
>>>> but on the pdc samba server users of domaine can NOT logging !!
>>>>
>>>> ldap users are not recognized !
>>>>
>>>> BUT when i do as root getent passwd result looks like OK with my users
>>>> from domaine !?!
>>>>
>>>> What's wrong ?
>>>>
>>>> many tanks for time and help...
>>>>
>>>> Cordialement
>>>>
>>>> Franck Dufau
>>>>
>>>> Stéphane PURNELLE wrote:
>>>>> You must configure nss_ldad and pam_ldap.
>>>>> And Linux will see accounts and groups in your ldap tree same as 
>>>>> /etc/group .
>>>>> Bien à vous
>>>>
>>>>> ---
>>>>> Stéphane PURNELLE [EMAIL PROTECTED]
>>>>> Service Informatique   Corman S.A.   Tel : 00 32 
>> 087/342467
>>>>> [EMAIL PROTECTED] a écrit sur 
> 
>>>>> 01/12/2008 14:43:44 :
>>>>> Hye all,
>>>>> i have install samba as PDC with openldap authentification everything
>>>>> work fine.
>>>>> But i want to create différent group with différent privileges on 
>> folder
>>>>> How gestion of group work with Openldap authentification because 
>> users
>>>>> are not in /etc/passwd and domain group are not in /etc/group !?
>>>>> I don't find information about this...
>>>>> can you help me ?
>>>>> cordialement
>>>>> Franck Dufau
[attachment "franckdufau.vcf" deleted by Stéphane
> PURNELLE/COR/SOPARIND]


Re: RE [Samba] samba & ldap how work group ?

2008-12-01 Thread Stéphane PURNELLE
look for smbldap account as this URL : 
https://gna.org/projects/smbldap-tools/

You will find tools for manage user and group in ldap with same usage than 
 passwd management.
You can find here (in french) some ACL information : 
http://www.linuxplusvalue.be/mylpv.php?id=153

---
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique   Corman S.A.   Tel : 00 32 087/342467

franck dufau <[EMAIL PROTECTED]> wrote on 01/12/2008 15:52:20:

> 
> YES posixAccount is in my ldap tree !
> 
> perhaps everything is ok in fact !
> 
> i need to find a doc for ACL...!!!
> 
> my pb is all user i create are in group : Domain Users
> 
> i want to add an new/other group for an user
> 
> can a user be in many group in ldap ?
> 
> i don't know how to do this !
> 
> cordialement
> 
> Franck Dufau
> 
> Stéphane PURNELLE wrote:
> > Have you posixAccount objectclass in your ldap tree?
> > 
> > If getent work fine, you can set ACL on group same as you want.
> > 
> > Is secure if users cannot connect to samba PDC.
> > 
> > 
> > ---
> > Stéphane PURNELLE [EMAIL PROTECTED]
> > Service Informatique   Corman S.A.   Tel : 00 32 
087/342467
> > 
> > 
> > 
> > franck dufau <[EMAIL PROTECTED]> 
> > 01/12/2008 15:22
> > 
> > A
> > Stéphane PURNELLE <[EMAIL PROTECTED]>
> > cc
> > samba@lists.samba.org
> > Objet
> > Re: RE [Samba] samba & ldap how work group ?
> > 
> > 
> > 
> > 
> > 
> > 
> > hye tks for answer,
> > 
> > libnss-ldap.conf & libpam-ldap are installed...
> > 
> > actualy i have modifie libnss-ldap.conf like this :
> > 
> > host 127.0.0.1
> > base dc=domaine,dc=local
> > uri ldap://127.0.0.1
> > rootbinddn cn=admin,dc=domaine,dc=local
> > bind_policy soft
> > 
> > and pam_ldap.conf like this :
> > 
> > host 127.0.0.1
> > base dc=domaine,dc=local
> > uri ldap://127.0.0.1/
> > 
> > i have modifie too nsswitch.conf like this :
> > 
> > passwd:  compat  ldap
> > group:   compat  ldap
> > shadow: compat   ldap
> > 
> > like this win station can use samba pdc with ldap authentification
> > but on the pdc samba server users of domaine can NOT logging !!
> > 
> > ldap users are not recognized !
> > 
> > BUT when i do as root getent passwd result looks like OK with my users
> > from domaine !?!
> > 
> > What's wrong ?
> > 
> > many tanks for time and help...
> > 
> > Cordialement
> > 
> > Franck Dufau
> > 
> > Stéphane PURNELLE wrote:
> >> You must configure nss_ldad and pam_ldap.
> > 
> >> And Linux will see accounts and groups in your ldap tree same as 
> >> /etc/group .
> > 
> >> Bien à vous
> > 
> > 
> >> ---
> >> Stéphane PURNELLE [EMAIL PROTECTED]
> >> Service Informatique   Corman S.A.   Tel : 00 32 
087/342467
> > 
> >> [EMAIL PROTECTED] a écrit sur 

> >> 01/12/2008 14:43:44 :
> > 
> >> Hye all,
> > 
> >> i have install samba as PDC with openldap authentification everything
> >> work fine.
> > 
> >> But i want to create différent group with différent privileges on 
folder
> > 
> >> How gestion of group work with Openldap authentification because 
users
> >> are not in /etc/passwd and domain group are not in /etc/group !?
> > 
> >> I don't find information about this...
> > 
> >> can you help me ?
> > 
> >> cordialement
> > 
> >> Franck Dufau
> > 
> [attachment "franckdufau.vcf" deleted by Stéphane PURNELLE/COR/SOPARIND]


Re: RE [Samba] samba & ldap how work group ?

2008-12-01 Thread franck dufau

YES posixAccount is in my ldap tree !

perhaps everything is ok in fact !

i need to find a doc for ACL...!!!

my problem is all users i create are in group: Domain Users

i want to add an new/other group for an user

can a user be in many group in ldap ?

i don't know how to do this !

Regards

Franck Dufau

Stéphane PURNELLE wrote:
> Have you posixAccount objectclass in your ldap tree?
> 
> If getent work fine, you can set ACL on group same as you want.
> 
> Is secure if users cannot connect to samba PDC.
> 
> 
> ---
> Stéphane PURNELLE [EMAIL PROTECTED]
> Service Informatique   Corman S.A.   Tel : 00 32 087/342467
> 
> 
> 
> franck dufau <[EMAIL PROTECTED]> 
> 01/12/2008 15:22
> 
> A
> Stéphane PURNELLE <[EMAIL PROTECTED]>
> cc
> samba@lists.samba.org
> Objet
> Re: RE [Samba] samba & ldap how work group ?
> 
> 
> 
> 
> 
> 
> hye tks for answer,
> 
> libnss-ldap.conf & libpam-ldap are installed...
> 
> actualy i have modifie libnss-ldap.conf like this :
> 
> host 127.0.0.1
> base dc=domaine,dc=local
> uri ldap://127.0.0.1
> rootbinddn cn=admin,dc=domaine,dc=local
> bind_policy soft
> 
> and pam_ldap.conf like this :
> 
> host 127.0.0.1
> base dc=domaine,dc=local
> uri ldap://127.0.0.1/
> 
> i have modifie too nsswitch.conf like this :
> 
> passwd:  compat  ldap
> group:   compat  ldap
> shadow: compat   ldap
> 
> like this win station can use samba pdc with ldap authentification
> but on the pdc samba server users of domaine can NOT logging !!
> 
> ldap users are not recognized !
> 
> BUT when i do as root getent passwd result looks like OK with my users
> from domaine !?!
> 
> What's wrong ?
> 
> many tanks for time and help...
> 
> Cordialement
> 
> Franck Dufau
> 
> Stéphane PURNELLE wrote:
>> You must configure nss_ldad and pam_ldap.
> 
>> And Linux will see accounts and groups in your ldap tree same as 
>> /etc/group .
> 
>> Bien à vous
> 
> 
>> ---
>> Stéphane PURNELLE [EMAIL PROTECTED]
>> Service Informatique   Corman S.A.   Tel : 00 32 087/342467
> 
>> [EMAIL PROTECTED] a écrit sur 
>> 01/12/2008 14:43:44 :
> 
>> Hye all,
> 
>> i have install samba as PDC with openldap authentification everything
>> work fine.
> 
>> But i want to create différent group with différent privileges on folder
> 
>> How gestion of group work with Openldap authentification because users
>> are not in /etc/passwd and domain group are not in /etc/group !?
> 
>> I don't find information about this...
> 
>> can you help me ?
> 
>> cordialement
> 
>> Franck Dufau
> 

Re: RE [Samba] samba & ldap how work group ?

2008-12-01 Thread Stéphane PURNELLE
Have you posixAccount objectclass in your ldap tree?

If getent work fine, you can set ACL on group same as you want.

Is secure if users cannot connect to samba PDC.


---
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique   Corman S.A.   Tel : 00 32 087/342467



franck dufau <[EMAIL PROTECTED]> 
01/12/2008 15:22

To
Stéphane PURNELLE <[EMAIL PROTECTED]>
cc
samba@lists.samba.org
Subject
Re: RE [Samba] samba & ldap how work group ?







Hi, thanks for the answer,

libnss-ldap.conf & libpam-ldap are installed...

actually i have modified libnss-ldap.conf like this:

host 127.0.0.1
base dc=domaine,dc=local
uri ldap://127.0.0.1
rootbinddn cn=admin,dc=domaine,dc=local
bind_policy soft

and pam_ldap.conf like this:

host 127.0.0.1
base dc=domaine,dc=local
uri ldap://127.0.0.1/

i have also modified nsswitch.conf like this:

passwd:  compat  ldap
group:   compat  ldap
shadow: compat   ldap

like this win stations can use the samba pdc with ldap authentication
but on the pdc samba server users of the domain can NOT log in !!

ldap users are not recognized !

BUT when i do as root getent passwd result looks like OK with my users
from the domain !?!

What's wrong ?

many thanks for your time and help...

Regards

Franck Dufau

Stéphane PURNELLE wrote:
> You must configure nss_ldad and pam_ldap.
> 
> And Linux will see accounts and groups in your ldap tree same as 
> /etc/group .
> 
> Bien à vous
> 
> 
> ---
> Stéphane PURNELLE [EMAIL PROTECTED]
> Service Informatique   Corman S.A.   Tel : 00 32 087/342467
> 
> [EMAIL PROTECTED] a écrit sur 
> 01/12/2008 14:43:44 :
> 
> Hye all,
> 
> i have install samba as PDC with openldap authentification everything
> work fine.
> 
> But i want to create différent group with différent privileges on folder
> 
> How gestion of group work with Openldap authentification because users
> are not in /etc/passwd and domain group are not in /etc/group !?
> 
> I don't find information about this...
> 
> can you help me ?
> 
> cordialement
> 
> Franck Dufau
> 

Re: RE [Samba] samba & ldap how work group ?

2008-12-01 Thread franck dufau

Hi, thanks for the answer,

libnss-ldap.conf & libpam-ldap are installed...

actually i have modified libnss-ldap.conf like this:

host 127.0.0.1
base dc=domaine,dc=local
uri ldap://127.0.0.1
rootbinddn cn=admin,dc=domaine,dc=local
bind_policy soft

and pam_ldap.conf like this:

host 127.0.0.1
base dc=domaine,dc=local
uri ldap://127.0.0.1/

i have also modified nsswitch.conf like this:

passwd: compat  ldap
group:  compat  ldap
shadow: compat  ldap

like this win stations can use the samba pdc with ldap authentication
but on the pdc samba server users of the domain can NOT log in !!

ldap users are not recognized !

BUT when i do as root getent passwd result looks like OK with my users
from the domain !?!

What's wrong ?

many thanks for your time and help...

Regards

Franck Dufau

Stéphane PURNELLE wrote:
> You must configure nss_ldad and pam_ldap.
> 
> And Linux will see accounts and groups in your ldap tree same as 
> /etc/group .
> 
> Bien à vous
> 
> 
> ---
> Stéphane PURNELLE [EMAIL PROTECTED]
> Service Informatique   Corman S.A.   Tel : 00 32 087/342467
> 
> [EMAIL PROTECTED] a écrit sur 
> 01/12/2008 14:43:44 :
> 
> Hye all,
> 
> i have install samba as PDC with openldap authentification everything
> work fine.
> 
> But i want to create différent group with différent privileges on folder
> 
> How gestion of group work with Openldap authentification because users
> are not in /etc/passwd and domain group are not in /etc/group !?
> 
> I don't find information about this...
> 
> can you help me ?
> 
> cordialement
> 
> Franck Dufau
> 

RE [Samba] samba & ldap how work group ?

2008-12-01 Thread Stéphane PURNELLE
You must configure nss_ldap and pam_ldap.

And Linux will see accounts and groups in your ldap tree same as 
/etc/group .

Best regards


---
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique   Corman S.A.   Tel : 00 32 087/342467

[EMAIL PROTECTED] wrote on 
01/12/2008 14:43:44:

> 
> Hi all,
> 
> i have installed samba as PDC with openldap authentication, everything
> works fine.
> 
> But i want to create different groups with different privileges on folders
> 
> How does group management work with Openldap authentication because users
> are not in /etc/passwd and domain groups are not in /etc/group !?
> 
> I don't find information about this...
> 
> can you help me ?
> 
> Regards
> 
> Franck Dufau
> 
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Samba LDAP Tools

2008-10-09 Thread John Drescher
On Thu, Oct 2, 2008 at 1:29 PM, Loren M. Lang <[EMAIL PROTECTED]> wrote:
> I am looking for some good tools to manage Samba users in LDAP.  It
> looks like there are several good tools mentioned on the Samba Wiki, but
> I am concerned mostly with the proper addition of new users to LDAP, in
> particular, generating unique SIDs.  smbldap-useradd, for example,
> generates the SIDs for primary user and group based off of a simple
> formula based on the UID and GID, whereas Samba itself using a very
> simple mechanism of storing the next free RID in an LDAP attribute.
> Since I still plan to use the Add Computer to Domain wizard in Windows
> for adding computers, I am concerned that an overlap could occur between
> these two approaches.

I use both smbldap-tools and LAM to add users and machines and there
is no overlap although they do pick different ranges to assign SIDs.

John
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
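
One way to check the overlap concern raised in this thread against a directory export, as an added example (not part of any post here, and not smbldap-tools or Samba code): it reads an LDIF dump, reports any sambaSID carried by more than one entry, and lists RIDs already in use at or above the domain's sambaNextRid counter. The RID formulas, the meaning given to sambaNextRid, and every sample entry are assumptions.

```python
# Added example (not from the thread): audit an LDIF export for sambaSID clashes.
# Assumptions: smbldap-tools derives RIDs as 2*uidNumber+1000 (users) and
# 2*gidNumber+1001 (groups); Samba hands out RIDs upward from sambaNextRid.
from collections import defaultdict

# Constructed sample export; the domain SID and all entries are made up.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=org
objectClass: sambaDomain
sambaDomainName: EXAMPLE
sambaSID: S-1-5-21-1111111111-2222222222-3333333333
sambaNextRid: 3002

dn: uid=alice,ou=people,dc=example,dc=org
uidNumber: 1000
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3000

dn: uid=pc01$,ou=machines,dc=example,dc=org
uidNumber: 1500
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3001

dn: uid=carol,ou=people,dc=example,dc=org
uidNumber: 1001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002

dn: uid=bob,ou=people,dc=example,dc=org
uidNumber: 1002
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3004

dn: uid=pc02$,ou=machines,dc=example,dc=org
uidNumber: 1501
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3004
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, folded lines joined."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.replace("\n ", "").splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            attr, value = line.split(": ", 1)
            entry[attr.lower()].append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def rid_origin(entry, rid):
    """Say whether a RID matches the assumed smbldap-tools formula for this entry."""
    uid = entry.get("uidnumber")
    gid = entry.get("gidnumber")
    if uid and rid == 2 * int(uid[0]) + 1000:
        return "formula(uid)"
    if gid and not uid and rid == 2 * int(gid[0]) + 1001:
        return "formula(gid)"
    return "allocated"


def audit(ldif_text):
    """Return (duplicates, at_risk, origins) for the account SIDs in the export."""
    owners = defaultdict(list)   # sambaSID -> DNs that carry it
    origins = {}                 # DN -> how its RID was probably chosen
    next_rid = None
    for entry in parse_ldif(ldif_text):
        if "sambadomainname" in entry:      # sambaDomain entry: holds the counter,
            if "sambanextrid" in entry:     # and its sambaSID is the domain SID
                next_rid = int(entry["sambanextrid"][0])
            continue
        for sid in entry.get("sambasid", []):
            dn = entry["dn"][0]
            owners[sid].append(dn)
            origins[dn] = rid_origin(entry, int(sid.rsplit("-", 1)[1]))
    duplicates = {sid: dns for sid, dns in owners.items() if len(dns) > 1}
    rids = {int(sid.rsplit("-", 1)[1]) for sid in owners}
    # RIDs at or above the counter could be handed out again by Samba later.
    at_risk = sorted(r for r in rids if next_rid is not None and r >= next_rid)
    return duplicates, at_risk, origins


if __name__ == "__main__":
    dups, risky, how = audit(SAMPLE_LDIF)
    for sid, dns in dups.items():
        print("DUPLICATE", sid, dns)
    print("RIDs at or above sambaNextRid:", risky)
    for dn, origin in how.items():
        print(origin.ljust(13), dn)
```

Feed it the output of `slapcat` or an `ldapsearch` of the whole suffix; an empty duplicate list and an empty at-risk list mean the two allocation schemes have not collided so far.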


Re: [Samba] Samba LDAP Tools

2008-10-08 Thread FC Mario Patty
Hi Loren,

I don't understand what you meant by transaction, SQL, and so on, but
I've been using samba and open ldap to provide single login mechanism
for qmail-ldap, domain controller, squid, etc, for 2 years now and
they're still running very good. I can join windows machine into the
domain controller or change user's password using windows wizard. If I
wanted to modify the back end database, e.g. to modify a bunch of
user's attribute(s) like mailQuotaSize, I simply created a script that
will create an LDIF file, and then use that LDIF file with openldap's
command like ldapmodify, etc. If you don't want to type any password
manually, you can append the option 'w' (for ldapmodify command), and
put in your password then. To create windows user, we can use
smbldap-tools. So, that's all. I hope it can help.

Regards,

On 10/3/08, Loren M. Lang <[EMAIL PROTECTED]> wrote:
> I am looking for some good tools to manage Samba users in LDAP.  It
> looks like there are several good tools mentioned on the Samba Wiki, but
> I am concerned mostly with the proper addition of new users to LDAP, in
> particular, generating unique SIDs.  smbldap-useradd, for example,
> generates the SIDs for primary user and group based off of a simple
> formula based on the UID and GID, whereas Samba itself using a very
> simple mechanism of storing the next free RID in an LDAP attribute.
> Since I still plan to use the Add Computer to Domain wizard in Windows
> for adding computers, I am concerned that an overlap could occur between
> these two approaches.  AFAIK, there are no SQL-like feature in LDAP like
> transactions, unique indices, or sequences that would allow multiple
> mechanisms to generate a unique SID.  I wouldn't mind a tool like
> pdbedit which goes through Samba to update the backend db, but I want it
> to be scriptable and not ask for a password so I can integrate password
> updates with other systems such as LDAP (using userPassword) and
> Kerberos.
> --
> Loren M. Lang
> [EMAIL PROTECTED]
> http://www.alzatex.com/
>
>
> Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
> Fingerprint: 10A0 7AE2 DAF5 4780 888A  3FA4 DCEE BB39 7654 DE5B
>


Re: [Samba] Samba LDAP entries for Password Change

2008-09-16 Thread Jorge Concha C.


Hi...
sorry for my bad english.

- when a new account is created, the user immediately must change the  
password when [s]he first logs in;

- after that, the password shall expire after x days.


sambaMaxPwdAge = number of seconds (60 x 60 x 24 x nDays)
sambaPwdLastSet = set to '0' when the account is created.

good luck

Jorge C.

On Tue, 16 Sep 2008 10:27:53 -0400, Albrecht Dreß  
<[EMAIL PROTECTED]> wrote:



Hi all,

I have a question regarding the enforced change of passwords in Samba  
3.0.28 (coming with Ubuntu Hardy) in connection with a LDAP backend.  In  
particular, I am looking for a documentation how the fields  
sambaMinPwdAge, sambaMaxPwdAge (from sambaDomain), sambaPwdCanChange and  
sambaPwdMustChange (from sambaSAMAccount) interact.


I would like to have the following:
- when a new account is created, the user immediately must change the  
password when [s]he first logs in;

- after that, the password shall expire after x days.

Unfortunately, I tried a number of combinations without success.   
Everything seems to be controlled by the sambaMaxPwdAge setting (seconds  
relative to sambaPwdLastSet when the password must be changed?), and the  
other entries seem to be irrelevant?


Any documentation/pointer would be welcome!

Thanks, Albrecht.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
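
The rule in the reply above, worked through as an added example (not code from the thread or from Samba): it computes sambaMaxPwdAge for a policy in days, classifies an account from sambaPwdLastSet, and builds the matching ldapmodify input. The DNs, the 45-day policy, and the treatment of -1/0 and the X account flag as "no expiry" are assumptions.

```python
# Added example (not from the thread): the password-aging rule described above.
# Assumptions, labelled here and in the lead-in: sambaMaxPwdAge of -1 or 0 means
# "no expiry", and the 'X' flag in sambaAcctFlags exempts an account from expiry.
SECONDS_PER_DAY = 60 * 60 * 24


def max_pwd_age(n_days):
    """sambaMaxPwdAge value for a policy of n_days (60 x 60 x 24 x nDays)."""
    return SECONDS_PER_DAY * n_days


def password_state(now, pwd_last_set, max_age, acct_flags="[U          ]"):
    """Classify an account from sambaPwdLastSet, sambaMaxPwdAge and sambaAcctFlags.

    All times are Unix epoch seconds, the unit both attributes use.
    """
    if pwd_last_set == 0:
        # The value set at account creation: change is forced at first logon.
        return "must-change-at-next-logon"
    if "X" in acct_flags.strip("[] "):
        return "never-expires"
    if max_age in (-1, 0):
        return "never-expires"
    return "expired" if now >= pwd_last_set + max_age else "valid"


def days_left(now, pwd_last_set, max_age):
    """Whole days until expiry (negative once expired); None if no expiry applies."""
    if pwd_last_set == 0 or max_age in (-1, 0):
        return None
    return (pwd_last_set + max_age - now) // SECONDS_PER_DAY


def policy_ldif(domain_dn, n_days, new_user_dns):
    """Build ldapmodify input: domain-wide max age plus forced change for new users."""
    blocks = [
        "dn: %s\nchangetype: modify\nreplace: sambaMaxPwdAge\n"
        "sambaMaxPwdAge: %d\n" % (domain_dn, max_pwd_age(n_days))
    ]
    for dn in new_user_dns:
        blocks.append(
            "dn: %s\nchangetype: modify\nreplace: sambaPwdLastSet\n"
            "sambaPwdLastSet: 0\n" % dn
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    # Constructed sample values: a 45-day policy and hypothetical DNs.
    print(policy_ldif("sambaDomainName=EXAMPLE,dc=example,dc=org", 45,
                      ["uid=alice,ou=people,dc=example,dc=org"]))
    changed = 1221575273  # moment the user set a new password (constructed)
    for offset in (0, 44, 45, 46):
        t = changed + offset * SECONDS_PER_DAY
        print(offset, password_state(t, changed, max_pwd_age(45)),
              days_left(t, changed, max_pwd_age(45)))
```

Once the user changes the password, sambaPwdLastSet moves from 0 to the time of the change, and from then on only sambaMaxPwdAge decides when the next change is due.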


Re: [Samba] samba + LDAP issue

2008-09-01 Thread ganeshs

Hi Michael,

Thanks for your reply.

1. I don't want to upgrade the Samba PDC. I want the Samba PDC to point to LDAP
for authentication alone. Currently, both are on different servers. Samba is not
pointing to LDAP.
2. Joining a Linux workstation to the domain.

Is there any step-by-step document or guide for the above two steps? It would be
helpful.

Why should the Linux client point to LDAP directly? Because the Linux client should
point to the Samba PDC. However, Samba will point to LDAP for authentication.

I am new to this configuration, so please correct me if I am wrong.

Regards
S.Ganesh


Michael Heydon-2 wrote:
> 
> ganeshs wrote:
>> My Issue is I don't know how to integrate samba PDC & LDAP
> Is the LDAP server going to become the PDC? or do you want to migrate 
> the existing PDC?
> 
> In either case, you need to extract your current user data and insert it 
> into the LDAP server, setup NSS, and tell samba to use the new backend.
> 
>> Linux Client PC(Ubuntu) into domain using samba since I can use
>> centralised
>> username and password for Windows and Linux PC.
>>   
> Unix systems need to be setup to do NSS and possibly PAM lookups through 
> LDAP. The PADL *_ldap modules are the most popular way of doing that.
>> where can i find document?
>>   
> Samba by example at samba.org should get you up and running.
> 
> *Michael Heydon - IT Administrator *
> [EMAIL PROTECTED] 
> 
> 


Re: [Samba] samba + LDAP issue

2008-08-31 Thread Michael Heydon

ganeshs wrote:
> My Issue is I don't know how to integrate samba PDC & LDAP

Is the LDAP server going to become the PDC? or do you want to migrate
the existing PDC?

In either case, you need to extract your current user data and insert it
into the LDAP server, setup NSS, and tell samba to use the new backend.

> Linux Client PC(Ubuntu) into domain using samba since I can use centralised
> username and password for Windows and Linux PC.

Unix systems need to be setup to do NSS and possibly PAM lookups through
LDAP. The PADL *_ldap modules are the most popular way of doing that.

> where can i find document?

Samba by example at samba.org should get you up and running.

*Michael Heydon - IT Administrator *
[EMAIL PROTECTED] 




Re: [Samba] Samba + LDAP integration

2008-07-31 Thread Mugo Martin
Hi, and thanks so much for your help.
Just can't seem to get out of this quagmire. Did quite some reading and
followed your advice. But now I still get to the same point of failing to
add computers

Samba *logs* say there is no connection but I can telnet to my ldap server
on localhost:389

smbd.log
[2008/07/31 15:06:09, 0] smbd/server.c:main(948)
  smbd version 3.0.28-1.el5_2.1 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2007
[2008/07/31 15:13:24, 0] smbd/server.c:main(948)
  smbd version 3.0.28-1.el5_2.1 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2007
[2008/07/31 15:47:27, 0] lib/util_sock.c:get_peer_addr(1224)
  getpeername failed. Error was Transport endpoint is not connected
[2008/07/31 15:47:27, 0] lib/util_sock.c:get_peer_addr(1224)
  getpeername failed. Error was Transport endpoint is not connected

Tried to redirect ldaplogs to /var/log/ without success

These are my *config* files; I don't seem to be able to see any error

*/etc/ldap.conf*
--
host letter.example.org
base dc=letter,dc=example,dc=org
binddn cn=config
bindpw mysecret
rootbinddn uid=zimbra,cn=admins,cn=zimbra
port 389
timelimit 120
bind_timelimit 120
bind_policy soft
idle_timelimit 3600
nss_base_passwd ou=people,dc=letter,dc=example,dc=org?one
nss_base_shadow ou=people,dc=letter,dc=example,dc=org?one
nss_base_passwd ou=machines,dc=letter,dc=example,dc=org?one
nss_base_shadow ou=machines,dc=letter,dc=example,dc=org?one
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
uri ldap://letter.example.org/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

*/etc/samba/smb.conf*
---
[global]
workgroup = EXAMPLE
netbios name = EXAMPLE_SERVER
server string = Samba Server Version %v
password server = ldap://letter.example.org
passdb backend = ldapsam:ldap://letter.example.org
guest account = games
log file = /var/log/samba/%m.log
max log size = 50
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/userdel "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/groupdel "%g"
delete user from group script = /usr/sbin/userdel "%u" "%g"
add machine script = /usr/local/sbin/smbldap-useradd -w -g Workstations "%u"
logon script = %u.bat
logon path = \\EXAMPLE_SERVER\profiles\%U
domain logons = Yes
os level = 33
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=config
ldap group suffix = ou=groups
ldap machine suffix = ou=machines
ldap suffix = dc=letter,dc=example,dc=org
ldap user suffix = ou=people
guest ok = Yes
cups options = raw
[homes]
comment = Home Directories
valid users = example\%S
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
guest ok = No
printable = Yes
browseable = No
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
share modes = No

[Profiles]
path = /var/lib/samba/profiles
read only = No
profile acls = Yes

*/conf/slapd.conf*

include "/opt/zimbra/openldap/etc/openldap/schema/core.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/cosine.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/inetorgperson.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/amavisd.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/zimbra.schema"
include "/opt/zimbra/lib/conf/zimbra-ext.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/nis.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/samba.schema"
threads 8
pidfile "/opt/zimbra/openldap/var/run/slapd.pid"
argsfile "/opt/zimbra/openldap/var/run/slapd.args"
TLSCertificateFile /opt/zimbra/conf/slapd.crt
TLSCertificateKeyFile /opt/zimbra/conf/slapd.key
TLSVerifyClient never
modulepath  /opt/zimbra/openldap/libexec/openldap
moduleload  back_bdb.la
moduleload  back_monitor.la
moduleload  syncprov.la
moduleload  accesslog.la
access to dn.subtree="ou=people,dc=letter,dc=example,dc=org"
by dn.children="cn=admins,cn=zimbra" write
by * break
access to dn.subtree="ou=groups,dc=letter,dc=example,dc=org"
by dn.children="cn=admins,cn=zimbra" write
by * read
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword
by anonymous auth
by dn.children="cn=admins,cn=zimbra" write
access to dn.subtree="cn=zimbra"
  by dn.children="cn=admins,cn=zimbra" write
access to
attrs=zimbraZimletUserProperti

Re: [Samba] SAMBA+ LDAP+ACL

2008-07-28 Thread Cybionet
Greeting Saravanesh,

I have written documentation for a DC under Gentoo, but in French only
(www.cybionet.com). I use Samba with OpenLDAP and the ACL(EA). It works
very well in small and medium enterprises.

I can take time to help you in english but only under Gentoo with
Windows professional (2k/XP/Vista) clients.

Robert

> Hi all.
> please help me to step by step configuration of  how to configure SAMBA DC
> with LDAP.
> We have 143 users ,and i want also to configure ACL
> 
> Thanks in advance
> Saravanesh



Re: [Samba] SAMBA+ LDAP+ACL

2008-07-28 Thread John H Terpstra
On Monday 28 July 2008 00:35:08 Abigail Anzola wrote:
> Saravanesh d wrote:
> > Hi all.
> > please help me to step by step configuration of  how to configure SAMBA
> > DC with LDAP.
> > We have 143 users ,and i want also to configure ACL
> >
> > Thanks in advance
> > Saravanesh
>
> Step by Step:
>
> Step 1)   Open your favorite internet browser
> Step 2)   Open URL http://www.samba.org
> Step 3)   Look
> http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/or
> http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/

Sorry, wrong URL. Try this one instead:
http://www.samba.org/samba/docs/Samba3-ByExample.pdf

> Step 4)   Read it very slow, specially Chapter 5 "Making Happy Users"
Chapter 5 covers how to configure Samba with an LDAP backend.

- John T.

> Step 5)   Ready? Yes? Good. No? Repeat Step 4
>
>
>
> Regards,
>
> --
> Abigaíl Anzola



-- 
John H Terpstra

Author:
The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X


Re: [Samba] SAMBA+ LDAP+ACL

2008-07-27 Thread Abigail Anzola

Saravanesh d wrote:

> Hi all.
> please help me to step by step configuration of  how to configure SAMBA DC
> with LDAP.
> We have 143 users ,and i want also to configure ACL
>
> Thanks in advance
> Saravanesh

Step by Step:

Step 1)   Open your favorite internet browser
Step 2)   Open URL http://www.samba.org
Step 3)   Look 
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/or  
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/

Step 4)   Read it very slow, specially Chapter 5 "Making Happy Users"
Step 5)   Ready? Yes? Good. No? Repeat Step 4



Regards,

--
Abigaíl Anzola


Re: [Samba] SAMBA+ LDAP+ACL

2008-07-27 Thread John H Terpstra
On Sunday 27 July 2008 23:40:33 Saravanesh d wrote:
> Hi all.
> please help me to step by step configuration of  how to configure SAMBA DC
> with LDAP.
> We have 143 users ,and i want also to configure ACL
>
> Thanks in advance
> Saravanesh

http://www.samba.org/samba/docs/Samba3-ByExample.pdf

Refer to chapter 5.  Please let me know of any problems you may have.

- John T.


Re: [Samba] Samba + LDAP integration

2008-07-26 Thread John H Terpstra
On Saturday 26 July 2008 09:36:25 Mugo Martin wrote:
> Hi people,
>
> Been doing a server installation with Samba as a primary PDC that uses an
> LDAP backend on CentOS 5.
> The thing is that I cannot be able to get Samba and LDAP to talk as they
> should and now Im really stuck.

You sure are stuck.  So let's see if we can pull you out of the hole you are 
in.

> Below are my dumps for /etc/samba/smb.conf, ldap.conf (copied its contents
> to /etc/openldap/ldap.conf too), and smbldap.conf.
> Excuse my long post; trying to be as elaborate as possible.
>
> smb.conf
> **
> [global]
> workgroup = MYDOMAIN
> netbios name = MYDOMAIN

What makes you believe that it is possible to operate with the domain name 
(workgroup) and the server name (netbios name) the same?  The Samba3-HOWTO 
makes rather plain that this is a no-go - they must differ.

Suggest you set them as:
workgroup = MYDOMAIN
netbios name = MYSERVER

> server string = mydomain_office
> passdb backend = ldapsam:ldap://server.example.org

The "passwd program" and "passwd chat" parameters are not needed with the LDAP 
backend. Please delete them.
> passwd program = /usr/local/sbin/smbldap-passwd %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *all*authentication*tokens*updated*

> username map = /etc/samba/smbusers
> log file = /var/log/samba/%m.log
> max log size = 100

> add user script = /usr/local/sbin/smbldap-useradd "%u" -n -g users
change to:
add user script =  /usr/local/sbin/smbldap-useradd -m "%u"

> delete user script = /usr/local/sbin/smbldap-userdel "%u"
> add group script = /usr/local/sbin/smbldap-groupadd "%g"
change to:
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"

> delete group script = /usr/local/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u"
> "%g"
> delete user from group script = /usr/local/sbin/smbldap-userdel
> "%u" "%g"
change to:
delete user from group script = /usr/local/sbin/smbldap-userdel -x "%u" "%g"

> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g"
> "%u"
> add machine script = /usr/local/sbin/smbldap-useradd -n -c
> "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
change to:
add machine script =  /usr/local/sbin/smbldap-useradd -w -g Workstations "%u"

> logon script = %m.bat
> logon path = \\server.example.org\%U\profile
change to:
logon path = \\MYSERVER\profiles\%U

> domain logons = Yes
> os level = 33
> preferred master = Yes
> domain master = Yes
> wins support = Yes

> ldap admin dn = cn=config
change this to the same as the value of "rootdn" 
from /etc/openldap/slapd.conf, eg:
ldap admin dn = cn=Manager,dc=example,dc=org

> ldap delete dn = Yes
> ldap group suffix = ou=groups
> ldap machine suffix = ou=machines
> ldap passwd sync = Yes
> ldap suffix = dc=example,dc=org
> ldap user suffix = ou=people
> idmap uid = 1000-1
> idmap gid = 1000-1
> [homes]
> comment = Home Directories
> valid users = DOMAIN\%S
> read only = No
> browseable = No
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printable = Yes
> browseable = No
> [netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> guest ok = Yes
> share modes = No
Add:
 [profiles]
comment = Profiles Folder
path = /var/lib/samba/profiles
read only = no
profile acls = yes


Now do:
root# mkdir -p /var/lib/samba/profiles
root# chown root:users /var/lib/samba/profiles
root# chmod 2775 /var/lib/samba/profiles

> smbldap.conf
> 
> sambaDomain="MYDOMAIN"
> slaveLDAP="127.0.0.1"
> slavePort="389"
> masterLDAP="127.0.0.1"
> masterPort="389"
> ldapTLS="0"
> suffix="dc=example,dc=org"
> usersdn="ou=people,${suffix}"
> computersdn="ou=machines,${suffix}"
> groupsdn="ou=groups,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
> scope="one"
> hash_encrypt="SSHA"
> crypt_salt_format="%s"
> userLoginShell="/bin/bash"
> userHome="/home/%U"
> userHomeDirectoryMode="700"
> userGecos="System User"
> defaultUserGid="513"
> defaultComputerGid="515"
> skeletonDir="/etc/skel"
> defaultMaxPasswordAge="45"
> userSmbHome=""
> userProfile=""
> userScript="logon.bat"
> mailDomain="example.org"
> with_smbpasswd="0"
> with_slappasswd="0"
>
> /etc/ldap.conf
> **
> host server.example.org
> base dc=example,dc=org
> binddn cn=config
> bindpw 1w2345FJ
> rootbinddn cn=zimbra,dc=example,dc=org
>
> timelimit 120
> bind_timelimit 120
> bind_policy soft
> idle_timelimit 3600
>
> nss_base_passwd ou=people,dc=example,dc=org?one
> nss_
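
The review points made in the reply above (identical workgroup and netbios name, leftover passwd program/passwd chat with ldapsam, ldap admin dn not matching rootdn, machine script without -w), turned into a repeatable check as an added example; this is not code from the thread or from Samba. Both configuration texts are constructed and abbreviated from what was posted, the slapd.conf fragment is hypothetical, and the finding codes are names chosen here.

```python
# Added example (not from the thread): automate the smb.conf review points above.
import re

# Constructed inputs, abbreviated from the configuration quoted in the thread.
POSTED_SMB_CONF = r"""
[global]
    workgroup = MYDOMAIN
    netbios name = MYDOMAIN
    passdb backend = ldapsam:ldap://server.example.org
    passwd program = /usr/local/sbin/smbldap-passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
    add machine script = /usr/local/sbin/smbldap-useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
    ldap admin dn = cn=config
    ldap suffix = dc=example,dc=org
"""
REVISED_SMB_CONF = r"""
[global]
    workgroup = MYDOMAIN
    netbios name = MYSERVER
    passdb backend = ldapsam:ldap://server.example.org
    add machine script = /usr/local/sbin/smbldap-useradd -w -g Workstations "%u"
    ldap admin dn = cn=Manager,dc=example,dc=org
    ldap suffix = dc=example,dc=org
"""
# Hypothetical slapd.conf fragment; only the rootdn line matters here.
SLAPD_CONF = 'suffix "dc=example,dc=org"\nrootdn "cn=Manager, dc=example, dc=org"\n'


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Section and parameter names are lower-cased and inner whitespace is
    collapsed, because Samba ignores case and spacing in them.
    """
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def norm_dn(dn):
    """Compare DNs without regard to case or spaces after commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def review(smb_conf_text, slapd_conf_text):
    """Return a list of (code, message) findings for the [global] section."""
    g = parse_smb_conf(smb_conf_text).get("global", {})
    findings = []
    workgroup, name = g.get("workgroup", ""), g.get("netbios name", "")
    if workgroup and workgroup.lower() == name.lower():
        findings.append(("same-name",
                         "workgroup and netbios name are both %r" % workgroup))
    if g.get("passdb backend", "").lower().startswith("ldapsam"):
        for param in ("passwd program", "passwd chat"):
            if param in g:
                findings.append(("unneeded-" + param.replace(" ", "-"),
                                 "%r is not needed with the LDAP backend" % param))
    rootdn = re.search(r'^\s*rootdn\s+"?([^"\n]+?)"?\s*$', slapd_conf_text, re.M)
    admin = g.get("ldap admin dn")
    if rootdn and admin and norm_dn(rootdn.group(1)) != norm_dn(admin):
        findings.append(("admin-dn-mismatch",
                         "ldap admin dn %r differs from rootdn %r"
                         % (admin, rootdn.group(1))))
    machine = g.get("add machine script")
    if machine and "-w" not in machine.split():
        findings.append(("machine-script",
                         "add machine script does not pass -w to smbldap-useradd"))
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_SMB_CONF), ("revised", REVISED_SMB_CONF)):
        print(label)
        for code, message in review(conf, SLAPD_CONF) or [("ok", "no findings")]:
            print("  %-24s %s" % (code, message))
```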

Re: [Samba] Samba + LDAP integration

2008-07-26 Thread Ryan Bair
Were the user accounts created with smbldap-tools or were they
pre-existing? If they were pre-existing, did you reset the passwords
with smbldap-passwd? You will need to do so to set the appropriate
hashes in LDAP.

Have you looked at the logs at all? Posting some samples from there
showing the server startup and failed login would probably be helpful.

--Ryan

On Sat, Jul 26, 2008 at 10:36 AM, Mugo Martin <[EMAIL PROTECTED]> wrote:
> Hi people,
>
> Been doing a server installation with Samba as a primary PDC that uses an
> LDAP backend on CentOS 5.
> The thing is that I cannot be able to get Samba and LDAP to talk as they
> should and now Im really stuck.
> Below are my dumps for /etc/samba/smb.conf, ldap.conf (copied its contents
> to /etc/openldap/ldap.conf too), and smbldap.conf.
> Excuse my long post; trying to be as elaborate as possible.
>
> smb.conf
> **
> [global]
>workgroup = MYDOMAIN
>netbios name = MYDOMAIN
>server string = mydomain_office
>passdb backend = ldapsam:ldap://server.example.org
>passwd program = /usr/local/sbin/smbldap-passwd %u
>passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *all*authentication*tokens*updated*
>username map = /etc/samba/smbusers
>log file = /var/log/samba/%m.log
>max log size = 100
>add user script = /usr/local/sbin/smbldap-useradd "%u" -n -g users
>delete user script = /usr/local/sbin/smbldap-userdel "%u"
>add group script = /usr/local/sbin/smbldap-groupadd "%g"
>delete group script = /usr/local/sbin/smbldap-groupdel "%g"
>add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u"
> "%g"
>delete user from group script = /usr/local/sbin/smbldap-userdel "%u"
> "%g"
>set primary group script = /usr/local/sbin/smbldap-usermod -g "%g"
> "%u"
>add machine script = /usr/local/sbin/smbldap-useradd -n -c
> "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>logon script = %m.bat
>logon path = \\server.example.org\%U\profile
>domain logons = Yes
>os level = 33
>preferred master = Yes
>domain master = Yes
>wins support = Yes
>ldap admin dn = cn=config
>ldap delete dn = Yes
>ldap group suffix = ou=groups
>ldap machine suffix = ou=machines
>ldap passwd sync = Yes
>ldap suffix = dc=example,dc=org
>ldap user suffix = ou=people
>idmap uid = 1000-1
>idmap gid = 1000-1
> [homes]
>comment = Home Directories
>valid users = DOMAIN\%S
>read only = No
>browseable = No
> [printers]
>comment = All Printers
>path = /var/spool/samba
>printable = Yes
>browseable = No
> [netlogon]
>comment = Network Logon Service
>path = /var/lib/samba/netlogon
>guest ok = Yes
>share modes = No
>
> smbldap.conf
> 
> sambaDomain="MYDOMAIN"
> slaveLDAP="127.0.0.1"
> slavePort="389"
> masterLDAP="127.0.0.1"
> masterPort="389"
> ldapTLS="0"
> suffix="dc=example,dc=org"
> usersdn="ou=people,${suffix}"
> computersdn="ou=machines,${suffix}"
> groupsdn="ou=groups,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
> scope="one"
> hash_encrypt="SSHA"
> crypt_salt_format="%s"
> userLoginShell="/bin/bash"
> userHome="/home/%U"
> userHomeDirectoryMode="700"
> userGecos="System User"
> defaultUserGid="513"
> defaultComputerGid="515"
> skeletonDir="/etc/skel"
> defaultMaxPasswordAge="45"
> userSmbHome=""
> userProfile=""
> userScript="logon.bat"
> mailDomain="example.org"
> with_smbpasswd="0"
> with_slappasswd="0"
>
> /etc/ldap.conf
> **
> host server.example.org
> base dc=example,dc=org
> binddn cn=config
> bindpw 1w2345FJ
> rootbinddn cn=zimbra,dc=example,dc=org
>
> timelimit 120
> bind_timelimit 120
> bind_policy soft
> idle_timelimit 3600
>
> nss_base_passwd ou=people,dc=example,dc=org?one
> nss_base_shadow ou=people,dc=example,dc=org?one
>
> nss_base_group  ou=groups,dc=example,dc=org?one
> nss_base_hosts  ou=machines,dc=example,dc=org?one
>
> nss_initgroups_ignoreusers
> root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
>
> uri ldap://server.example.org
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
>
> smbldap.conf
> 
> sambaDomain="MYDOMAIN"
> slaveLDAP="127.0.0.1"
> slavePort="389"
> masterLDAP="127.0.0.1"
> masterPort="389"
> ldapTLS="0"
> suffix="dc=example,dc=org"
> usersdn="ou=people,${suffix}"
> computersdn="ou=machines,${suffix}"
> groupsdn="ou=groups,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
> scope="one"
> hash_encrypt="SSHA"
> crypt_salt_format="%s"
> userLoginShell="/bin/bash"
> userHome="/home/%U"
> userHomeDirectoryMode="700"
> userGecos="System User"
> defaultUserGid="513"
> defaultComputerGid="515"
> skeletonDir="/etc/skel"
> defaultMaxPasswordAge="45"
>

Re: [Samba] Samba LDAP and Ubuntu

2008-06-24 Thread Christian Perrier
Quoting Marcio Merlone ([EMAIL PROTECTED]):

> It is a known bug, I found on a bugzilla somewhere. The bug consists  
> that the booting process needs the ldap server before it gets started.  
> So, the workaround, for now, is to have a slave ldap server which you  
> can use at least for booting. In my /etc/ldap.conf I have:
>
> # grep host /etc/ldap.conf
> host 127.0.0.1 192.168.0.2

That sounds like the following bug we fixed in the 2:3.0.30-3 Debian
package:

  * add a soft dependency on slapd in init script to allow
proper operation when dependency-based boot sequence is enabled.
Thanks to Petter Reinholdtsen for reporting and providing a patch
Closes: #478800

In Debian, that bug hurts only people who use dependency-based init
(which is not the default for lenny...we'll switch to that for
post-lenny releases).

However, maybe Ubuntu already activated that. In such case, I'd bet
that all Ubuntu releases are affected (including Hardy).

The right fix is:


diff -ur samba-3.0.28a/debian/samba.init samba-3.0.28a-new/debian/samba.init
--- samba-3.0.28a/debian/samba.init 2008-05-01 09:50:43.0 +0200
+++ samba-3.0.28a-new/debian/samba.init 2008-05-01 09:48:12.0 +0200
@@ -4,6 +4,8 @@
 # Provides:  samba
 # Required-Start:$network $local_fs $remote_fs
 # Required-Stop: $network $local_fs $remote_fs
+# Should-Start:  slapd
+# Should-Stop:   slapd
 # Default-Start: 2 3 4 5
 # Default-Stop:  0 1 6
 # Short-Description: start Samba daemons (nmbd and smbd)
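
Review bot: the added `# Should-Start:  slapd` line is only a soft, local ordering hint, and the header should say when it has no effect. It orders nothing when the LDAP server runs on another host or when the boot sequence does not read these LSB headers, so in those cases smbd can still come up before the directory is reachable. I would add a one-line comment beside the two new lines, or a sentence in the changelog entry, stating that assumption, and confirm that `# Should-Stop:   slapd` yields the intended shutdown order (samba stopped while slapd is still running).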


(the file to fix is /etc/init.d/samba)



Re: [Samba] Samba LDAP and Ubuntu

2008-06-24 Thread Marcio Merlone

Gilberto Nunes wrote:

> I install samba and LDAP on Ubuntu Server 7.04.
> I using smbldap-tools...
> However, when I reboot the system, the Ubuntu server don't work more...
> It's stalled on services initialize...
> I notice that the file nsswitch.conf on /etc, have this look:
>
> passwd:  files ldap
> group:   files ldap
> shadow:  files
>
> When I change this lines to this:
>
> passwd:  files
> group:   files
> shadow:  files
>
> All work fine! So, the system booting normally...


It is a known bug, I found on a bugzilla somewhere. The bug consists 
that the booting process needs the ldap server before it gets started. 
So, the workaround, for now, is to have a slave ldap server which you 
can use at least for booting. In my /etc/ldap.conf I have:


# grep host /etc/ldap.conf
host 127.0.0.1 192.168.0.2

Obviously, 192.168.0.2 is another server on the network which is a slave 
for localhost. This way the booting process will try localhost and then 
192.168.0.2 and boots ok. I am not sure even if it really needs to be a 
real slave, but I happen to have a real slave on my net, so I had no 
problem.


Good luck

--
Marcio Merlone


RE: [Samba] Samba LDAP and Ubuntu

2008-06-24 Thread Gilberto Nunes
Ok

Thanks for all responses...


On Tue, June 24, 2008 9:46 am, L.P.H. van Belle wrote:
> and are you using hostnames in your configuration files
> or IP addresses.
>
> if hostnames, then you have DNS problems.
> try IP addresses.
>
> Louis
>
>
>>-Original message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On behalf of
>>Quinn Fissler
>>Sent: Tuesday 24 June 2008 14:29
>>To: Gilberto Nunes
>>CC: samba@lists.samba.org
>>Subject: Re: [Samba] Samba LDAP and Ubuntu
>>
>>I've not seen this problem before but maybe you should do some
>>diagnosis of
>>your installation.
>>
>>So - now you've rebooted and you're up and running, edit the
>>nsswitch.conf
>>to put ldap back.
>>
>>Now try some things to test the ldap configuration.
>>
>>*Can you see your ldap database contents?*
>>You can try a raw dump of the db:
>>slapcat
>>
>>You can try a query to the daemon:
>>ldapsearch 
>>
>>and you can try a test of the nss_ldap library:
>>getent passwd
>>
>>What do you see?
>>
>>
>>2008/6/24 Gilberto Nunes <[EMAIL PROTECTED]>:
>>
>>> Hi all
>>>
>>> I don't know if it's a bug on Samba, LDAP or ubuntu, but I
>>search for many
>>> times in google
>>> and other sites, however I don't found any solution...
>>> May be any one have the same problem in the past and get help me.
>>> I install samba and LDAP on Ubuntu Server 7.04.
>>> I using smbldap-tools...
>>> However, when I reboot the system, the Ubuntu server don't
>>work more...
>>> It's stalled on services initialize...
>>> I notice that the file nsswitch.conf on /etc, have this look:
>>>
>>> passwd:  files ldap
>>> group:   files ldap
>>> shadow:  files
>>>
>>>
>>> When I change this lines to this:
>>>
>>> passwd:  files
>>> group:   files
>>> shadow:  files
>>>
>>> All work fine! So, the system booting normaly...
>>>
>>> Some can help me please!
>>>
>>> Thanks
>>>
>>>
>>>
>>> --
>>> Regards
>>>
>>> ---
>>> Gilberto Nunes
>>> MSN: [EMAIL PROTECTED]
>>> Phones: 47-3348-8020
>>>
>>>
>>>


-- 
Regards

---
Gilberto Nunes
MSN: [EMAIL PROTECTED]
Phones: 47-3348-8020





RE: [Samba] Samba LDAP and Ubuntu

2008-06-24 Thread L.P.H. van Belle
and are you using hostnames in your configuration files
or IP addresses.

if hostnames, then you have DNS problems.
try IP addresses.

Louis
 

>-Original message-
>From: [EMAIL PROTECTED] 
>[mailto:[EMAIL PROTECTED] On behalf of 
>Quinn Fissler
>Sent: Tuesday 24 June 2008 14:29
>To: Gilberto Nunes
>CC: samba@lists.samba.org
>Subject: Re: [Samba] Samba LDAP and Ubuntu
>
>I've not seen this problem before but maybe you should do some diagnosis of
>your installation.
>
>So - now you've rebooted and you're up and running, edit the nsswitch.conf
>to put ldap back.
>
>Now try some things to test the ldap configuration.
>
>*Can you see your ldap database contents?*
>You can try a raw dump of the db:
>slapcat
>
>You can try a query to the daemon:
>ldapsearch 
>
>and you can try a test of the nss_ldap library:
>getent passwd
>
>What do you see?
>
>
>2008/6/24 Gilberto Nunes <[EMAIL PROTECTED]>:
>
>> Hi all
>>
>> I don't know if it's a bug on Samba, LDAP or ubuntu, but I searched many
>> times on Google
>> and other sites, however I didn't find any solution...
>> Maybe someone had the same problem in the past and can help me.
>> I installed samba and LDAP on Ubuntu Server 7.04.
>> I am using smbldap-tools...
>> However, when I reboot the system, the Ubuntu server doesn't work any more...
>> It's stalled on services initialize...
>> I notice that the file nsswitch.conf in /etc looks like this:
>>
>> passwd:  files ldap
>> group:   files ldap
>> shadow:  files
>>
>>
>> When I change these lines to this:
>>
>> passwd:  files
>> group:   files
>> shadow:  files
>>
>> All works fine! So, the system boots normally...
>>
>> Can someone help me please!
>>
>> Thanks
>>
>> --
>> Kind regards
>>
>> ---
>> Gilberto Nunes
>> MSN: [EMAIL PROTECTED]
>> Phones: 47-3348-8020
>>


Re: [Samba] Samba LDAP and Ubuntu

2008-06-24 Thread Quinn Fissler
I've not seen this problem before but maybe you should do some diagnosis of
your installation.

So - now you've rebooted and you're up and running, edit the nsswitch.conf
to put ldap back.

Now try some things to test the ldap configuration.

*Can you see your ldap database contents?*
You can try a raw dump of the db:
slapcat

You can try a query to the daemon:
ldapsearch 

and you can try a test of the nss_ldap library:
getent passwd

What do you see?


2008/6/24 Gilberto Nunes <[EMAIL PROTECTED]>:

> Hi all
>
> I don't know if it's a bug on Samba, LDAP or ubuntu, but I searched many
> times on Google
> and other sites, however I didn't find any solution...
> Maybe someone had the same problem in the past and can help me.
> I installed samba and LDAP on Ubuntu Server 7.04.
> I am using smbldap-tools...
> However, when I reboot the system, the Ubuntu server doesn't work any more...
> It's stalled on services initialize...
> I notice that the file nsswitch.conf in /etc looks like this:
>
> passwd:  files ldap
> group:   files ldap
> shadow:  files
>
>
> When I change these lines to this:
>
> passwd:  files
> group:   files
> shadow:  files
>
> All works fine! So, the system boots normally...
>
> Can someone help me please!
>
> Thanks
>
> --
> Kind regards
>
> ---
> Gilberto Nunes
> MSN: [EMAIL PROTECTED]
> Phones: 47-3348-8020
>


Re: [Samba] samba ldap squid dansgardian

2008-06-17 Thread Stefan Dengscherz

Hello L.P.H.,


Just a note to save you some time:
authentication is unfortunately not possible in transparent mode.
See the following FAQ for details:

http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-e56904dd4dfe0e21e5c2903473c473d401533ac7


Kind regards,

-sd

L.P.H. van Belle wrote:

Hi,
 
Just a question.

I have a samba PDC with LDAP backend.
I want squid / dansguardian use the user auth from samba
NTLM based.
i need user and group filtering and i want it transparent.
2 steps, auth,
first the NTLM auth on port 80 to be transparent.
second, the dansguardian filter filtering groups.
 
this looks bit like it, but this authenticates against ADS.

http://www.howtoforge.com/dansguardian-with-ntlm-auth-and-multi-group-configurations-on-debian-etch
 
Louis
 



  


Re: [Samba] samba/ldap setup stopped working (might be a challenge)

2008-06-04 Thread Yvan Vander Sanden
Ok,

i've found a work-around for now. I made this bash script:

#!/bin/bash
# Recreate the machine account named in $1, then add its Samba attributes.

/usr/sbin/smbldap-userdel "$1"
/usr/sbin/smbldap-useradd -w "$1"
/usr/sbin/smbldap-usermod -a "$1"


And called this script from within samba, instead of the original script. It
works, but this is not how it should be. Does anyone else using
smbldap-tools version 0.9.4-1 have this problem?


-- 
Copyright only exists in the imagination of those who do not have any.


Re: [Samba] samba/ldap setup stopped working (might be a challenge)

2008-06-04 Thread Yvan Vander Sanden
2008/6/4 Adam Williams <[EMAIL PROTECTED]>:

> have you tried taking a misbehaving machine out of the domain, deleting its
> machine account, re-creating it, and readding it to the domain?
>
>
yes. Thing is that the machine account is not recreated correctly. At the
moment, i have added it manually by

smbldap-useradd -w machinename$
smbldap-usermod -a machinename$

apparently the samba information is missing if i just use smbldap-useradd -w

Could this be a bug? Doing it manually works, but it should be enough with
just the first command.

After joining the domain on that pc, i can log in. No errors anymore. It
goes very slowly though and leaves me on an empty screen. But that might be
another problem. I am gonna try another pc to make sure.

Anyway, i'll have to find a way to automatically join the domain again,
because doing this manually for 200 machines is no fun at all!


-- 
Copyright only exists in the imagination of those who do not have any.


Re: [Samba] samba/ldap setup stopped working (might be a challenge)

2008-06-04 Thread Adam Williams
have you tried taking a misbehaving machine out of the domain, deleting 
its machine account, re-creating it, and readding it to the domain?




Re: [Samba] samba & ldap

2008-05-16 Thread Charles Marcus
On 5/16/2008 2:45 AM, Collen Blijenberg wrote:
> I'm new here and I have a doubt... I work with windows 2003
> server and now i would change to linux. My doubt regards the
> share of my server: to authenticate my users what is better:
> samba tdb or ldap? For us is not necessary an active
> directory, domain, etc... I need only a file server and I
> have around 400 users...Anyone have experience? Any
> suggestions?

 always ldap.

>>> Not necessarily...
>>> 
>>> tdb is *very* fast and reliable, much simpler to set up and
>>> maintain, and if you don't *need* all the bells and whistles of
>>> ldap (high availability, SSO, etc), tdb is the better choice - at
>>> least in my opinion...

>> Depends on what is needed; in my opinion, if a user must have the
>> same password in samba AND any other service, use LDAP.

> What about the mysql/pgsql backend ??! ideal for the middle class.
> (if your intentions are running a pdc/bdc)

Again - nothing wrong with it... , again, really it just boils down to
what is *needed*, as well as what you *know*... if you are an LDAP
expert, by all means, use LDAP. If you are a MySQL or PostgreSQL guru,
you'll most likely use that... if you're not a guru of anything, and
just need a fast, reliable standalone server, then tdb is an excellent
choice.

-- 

Best regards,

Charles


Re: [Samba] samba & ldap

2008-05-15 Thread Collen Blijenberg

What about the mysql/pgsql backend ??!
ideal for the middle class. (if your intentions are running a pdc/bdc)

Collen.

Edmundo Valle Neto wrote:

Charles Marcus wrote:

On 5/15/2008 3:40 AM, Esteban Torres Rodriguez wrote:

I'm new here and I have a doubt... I work with windows 2003 server
and now i would change to linux. My doubt regards the share of my
server: to authenticate my users what is better: samba tdb or ldap?
For us is not necessary an active directory, domain, etc... I need
only a file server and I have around 400 users...Anyone have 
experience? Any suggestions?

always ldap.

Not necessarily...

tdb is *very* fast and reliable, much simpler to set up and maintain,
and if you don't *need* all the bells and whistles of ldap (high
availability, SSO, etc), tdb is the better choice - at least in my
opinion...

Depends on what is needed; in my opinion, if a user must have the same 
password in samba AND any other service, use LDAP.

Regards.

Edmundo Valle Neto


Re: [Samba] samba & ldap

2008-05-15 Thread Edmundo Valle Neto

Charles Marcus wrote:

On 5/15/2008 3:40 AM, Esteban Torres Rodriguez wrote:

I'm new here and I have a doubt... I work with windows 2003 server
and now i would change to linux. My doubt regards the share of my
server: to authenticate my users what is better: samba tdb or ldap?
For us is not necessary an active directory, domain, etc... I need
only a file server and I have around 400 users...Anyone have 
experience? Any suggestions?

always ldap.

Not necessarily...

tdb is *very* fast and reliable, much simpler to set up and maintain,
and if you don't *need* all the bells and whistles of ldap (high
availability, SSO, etc), tdb is the better choice - at least in my
opinion...

Depends on what is needed; in my opinion, if a user must have the same 
password in samba AND any other service, use LDAP.

Regards.

Edmundo Valle Neto


Re: [Samba] samba & ldap

2008-05-15 Thread Charles Marcus
On 5/15/2008 3:40 AM, Esteban Torres Rodriguez wrote:
>> I'm new here and I have a doubt... I work with windows 2003 server
>> and now i would change to linux. My doubt regards the share of my
>> server: to authenticate my users what is better: samba tdb or ldap?
>> For us is not necessary an active directory, domain, etc... I need
>> only a file server and I have around 400 users...Anyone have 
>> experience? Any suggestions?

> always ldap.

Not necessarily...

tdb is *very* fast and reliable, much simpler to set up and maintain,
and if you don't *need* all the bells and whistles of ldap (high
availability, SSO, etc), tdb is the better choice - at least in my
opinion...

-- 

Best regards,

Charles


Re: [Samba] samba & ldap

2008-05-15 Thread Esteban Torres Rodriguez
always ldap.


Esteban Torres Rodríguez
TECHNICAL SUPPORT AREA - Server Administration
Information Systems Subdirectorate
Empresa Pública Desarrollo Agrario y Pesquero, 
email: [EMAIL PROTECTED] 


>>> "Rosilene Pagani" <[EMAIL PROTECTED]> 15/5/2008 09:23 >>>
Hi,
I'm new here and I have a doubt...
I work with windows 2003 server and now i would change to linux. My doubt
regards the share of my server: to authenticate my users what is better:
samba tdb or ldap? For us is not necessary an active directory, domain,
etc... I need only a file server and I have around 400 users...Anyone have
experience? Any suggestions?
Thanks in advance!
telma


Re: [Samba] Samba / LDAP / Idmap

2008-04-14 Thread Adam Williams


John Drescher wrote:


In my case I was using winbind and it was not populated because
winbind could not allocate a uid or gid. Any ideas how to debug that?

John
  


can't help you there, sorry.  I'm not using winbind, i never could get 
it to work anyway, and I don't really need it for what I do at the moment.


[EMAIL PROTECTED] log]# wbinfo -g
Error looking up domain groups
[EMAIL PROTECTED] log]# wbinfo -u
Error looking up domain users





Re: [Samba] Samba / LDAP / Idmap

2008-04-14 Thread John Drescher
On Mon, Apr 14, 2008 at 9:32 AM, Adam Williams
<[EMAIL PROTECTED]> wrote:
> idmap will only be populated if you are using winbind.
>
In my case I was using winbind and it was not populated because
winbind could not allocate a uid or gid. Any ideas how to debug that?

John


Re: [Samba] Samba / LDAP / Idmap

2008-04-14 Thread Adam Williams

idmap will only be populated if you are using winbind.

Anand Kumria wrote:

Hi,

This is probably documented somewhere very obvious but I do not seem to 
be able to find it.


Many years ago I configured my Samba server with an LDAP backend. I also 
put in the parameter 'ldap idmap suffix = ou=Idmap' in my smb.conf file 
too as per:




Amazingly enough I now have to add two more members servers, checking via 
GQ I see that the ou=Idmap tree is actually empty.


Should it be?

If not, how can I -- is there a way, even -- have it populated with the 
existing Idmaps? My users are able to login to their machines perfectly 
fine (everything is run via LDAP).


Thanks,
Anand

  




Re: [Samba] Samba / LDAP / Idmap

2008-04-14 Thread John Drescher
On Sun, Apr 13, 2008 at 10:23 PM, Anand Kumria <[EMAIL PROTECTED]> wrote:
>
>  Hi,
>
>  This is probably documented somewhere very obvious but I do not seem to
>  be able to find it.
>
>  Many years ago I configured my Samba server with an LDAP backend. I also
>  put in the parameter 'ldap idmap suffix = ou=Idmap' in my smb.conf file
>  too as per:
>
>    member.html#id2571568>
>
>  Amazingly enough I now have to add two more members servers, checking via
>  GQ I see that the ou=Idmap tree is actually empty.
>
>  Should it be?
>
>  If not, how can I -- is there a way, even -- have it populated with the
>  existing Idmaps? My users are able to login to their machines perfectly
>  fine (everything is run via LDAP).
>

For a samba 3.0.28a member server using domain security and  ldap and
winbind enabled I had the same problem a few weeks ago and it ended up
preventing my acls from working correctly. Basically after adding acls
in windows xp they would be removed after applying. There would be an
error in the samba logs. Something like could not allocate a UID or
GID. I checked my ldap and the idmap tree was completely empty. So I
decided to see if I could tell the format of what belongs in there and
if I entered it would that fix the problem. I googled for a while and
found a red hat doc that showed a slapcat with idmap entries. I then
added the entry for a test user via slapadd and then I added the user
to an acl in windows and clicked accept and it took. So I looked
deeper into the error and I found the two wbinfo allocate calls fail:

# wbinfo --allocate-uid
Could not allocate a uid

# wbinfo --allocate-gid
Could not allocate a gid

but most other wbinfo stuff works ( -u -g -t ...)

So at this point I set my winbind to use tdbsam and then I restarted
samba and sure enough the properties tab of XP worked as expected. At
that point I found a tool that would dump what was in a .tdb file and
I wrote a shell script to populate the ldap with that. I am sorry I am
not more specific but I am not at work and I did this stuff over a
month ago. Anyways after populating the idmap tree from the .tdb file
(in /var/cache/samba/) my acls work in XP for all users and groups
that are in the tree. I switched back to using ldap to store winbind
data because this is by no means the only samba server on our network.

John


Re: [Samba] Samba/LDAP Question

2008-03-18 Thread Hector Blanco
Hello!

A few days ago, two users of this list sent me examples of a working
"machine" account in Samba, because the one I get when I try to add a
machine with smbldap doesn't work very well (as I explained in
http://lists.samba.org/archive/samba/2008-February/138639.html) and I
found that in my account some fields didn't appear (as shown in
http://lists.samba.org/archive/samba/2008-February/138860.html)

I'm thinking in adding the missing fields by hand. I guess that the
most important fields are:

---
objectClass: sambaSamAccount
[. . .]
sambaNTPassword:
sambaPrimaryGroupSID:
sambaSID:
---

I suppose I know how to set the sambaNTPassword with smbpasswd but I
don't know what I should write as sambaPrimaryGroupSID and sambaSID. I
think I remember reading somewhere that the sambaSID can be calculated
somehow, but I don't remember now, and I certainly don't know what to
do with the sambaPrimaryGroupSID. Does any of you know how to
calculate them?

Alternatively, I've been thinking that maybe I can add a machine (or at
least these samba fields) with other commands, besides the
smbldap-tools, I mean... maybe I could get something with the "normal"
samba commands (smbpasswd, and so on). Is it possible? Any
recommendations?

Any hint will be deeply appreciated :)

2008/2/27, Frank J. Pellegrino <[EMAIL PROTECTED]>:
> Below is a sample of a machine entry:
>
>  dn: uid=295mand01$,ou=computers,o=sju.edu
>  cn: 295mand01$
>  description: Computer
>  gecos: Computer
>
> gidNumber: 515
>  homeDirectory: /dev/null
>  loginShell: /bin/false
>
> objectClass: top
>  objectClass: person
>  objectClass: organizationalperson
>
> objectClass: inetOrgPerson
>  objectClass: posixAccount
>  objectClass: sambaSamAccount
>
> sambaAcctFlags: [W  ]
>  sambaNTPassword: 8E5BB69CD089184751166B254347DBD2
>  sambaPrimaryGroupSID: S-1-5-21-1948856034-3740470957-464559834-2031
>  sambaSID: S-1-5-21-1948856034-3740470957-464559834-2005314
>  sn: 295mand01$
>  uid: 295mand01$
>  uidNumber: 1002157
>
>
>
>
>  At 04:02 PM 2/27/2008, Hector Blanco wrote:
>  >Ehm... just to make sure... could anybody who has LDAP+Samba working
>  >send the ldif definition of what he has as a "machine"?
>  >
>  >I've got this as a machine:
>  >
>  >dn: uid=enano$,ou=Hosts,dc=jome
>  >objectClass: top
>  >objectClass: person
>  >objectClass: organizationalPerson
>  >objectClass: inetOrgPerson
>  >objectClass: posixAccount
>  >cn: enano$
>  >sn: enano$
>  >uid: enano$
>  >uidNumber: 1007
>  >gidNumber: 515
>  >homeDirectory: /dev/null
>  >loginShell: /bin/false
>  >description: Computer
>  >gecos: Computer
>  >structuralObjectClass: inetOrgPerson
>  >entryUUID: 0cd59f8e-79a9-102c-8d64-8b73cc15be28
>  >creatorsName: cn=admin,dc=jome
>  >createTimestamp: 20080227175622Z
>  >entryCSN: 20080227175622Z#01#00#00
>  >modifiersName: cn=admin,dc=jome
>  >modifyTimestamp: 20080227175622Z
>  >entryDN: uid=enano$,ou=Hosts,dc=jome
>  >subschemaSubentry: cn=Subschema
>  >hasSubordinates: FALSE
>  >-
>  >
>  >and I don't see any "samba" thing in here... Is that fine?
>  >
>  >Thanks!!
>  >
>  >
>  >
>  >2008/2/27, Frank J. Pellegrino <[EMAIL PROTECTED]>:
>  > > If your solaris box is setup as an LDAP client you can add a search
>  > >  descriptor with the ldapclient command.
>  > >  Below is an example of what we changed to make joining the domain work 
> on
>  > >  the first try.
>  > >
>  > >  NS_LDAP_SERVICE_SEARCH_DESC= passwd:
>  > ou=computers,o=sju.edu;ou=People,o=sju.edu
>  > >
>  > >
>  > >
>  > >
>  > >  At 03:13 PM 2/27/2008, Hector Blanco wrote:
>  > >  >Mmmm..If I understood properly, I'm afraid I can just say... "Welcome
>  > >  >to the club, mate":
>  > >  >
>  > >  >Take a look to this:
>  > >  >http://lists.samba.org/archive/samba/2008-February/138639.html
>  > >  >http://lists.samba.org/archive/samba/2008-February/138442.html
>  > >  >
>  > >  >May it be a bug??  Is the same thing that is happening to you?
>  > >  >
>  > >  >Regards
>  > >  >
>  > >  >2008/2/4, Frank J. Pellegrino <[EMAIL PROTECTED]>:
>  > >  > > We have just setup Samba 3.0.28 with LDAP support.  We are using a
>  > Sun One
>  > >  > >  5.2 LDAP server.
>  > >  > >
>  > >  > >  We are having a problem when a new machine joins the domain.
>  > >  > >  Here is a snippet of our smb.conf file
>  > >  > >add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
>  > >  > >ldap machine suffix = ou=computers
>  > >  > >ldap user suffix = ou=People
>  > >  > >
>  > >  > >  When a new machine attempts to join the domain a new entry is
>  > created in
>  > >  > >  ou=computers as expected.  This entry has only the posixAccount
>  > >  > information
>  > >  > >  and no Samba info.  However, the machine reports that it failed to
>  > >  > join the
>  > >  > >  domain.  Log entries on both samba and LDAP tell me that after the
>  > >  > entry is
>  > >  > >  crea

Re: [Samba] Samba/LDAP Question

2008-03-01 Thread Hector Blanco
Well... I've got this in the /etc/ldap.conf:

nss_base_passwd ou=People,dc=jome?one
nss_base_shadow ou=People,dc=jome?one
nss_base_group  ou=Group,dc=jome?one
nss_base_hosts  ou=Hosts,dc=jome?one

I added the nss_base_passwd   ou=Hosts,dc=jome?one  but nothing seems
to change... I don't know if I removed properly the nscd cache when
retrying... I rebooted the computer... Is that ok or do I have to do
something else?

Thanks for everything

2008/2/29, Jerome Tournier <[EMAIL PROTECTED]>:
> Hi,
>  just one idea: have you configured nss_ldap to resolve account in 
> ou=Computers ?
>  ie, in /etc/ldap.conf, have you the 2 lines:
>  nss_base_passwd   ou=Users,..?sub
>  nss_base_passwd   ou=Computers,..?sub
>
>  If not, add ou=Computers and remove any nscd cache before re-trying.
>  --
>  Jérôme
>
>
>  On Mon, Feb 4, 2008 at 4:33 PM, Frank J. Pellegrino
>  <[EMAIL PROTECTED]> wrote:
>  > We have just setup Samba 3.0.28 with LDAP support.  We are using a Sun One
>  >  5.2 LDAP server.
>  >
>  >  We are having a problem when a new machine joins the domain.
>  >  Here is a snippet of our smb.conf file
>  >add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
>  >ldap machine suffix = ou=computers
>  >ldap user suffix = ou=People
>  >
>  >  When a new machine attempts to join the domain a new entry is created in
>  >  ou=computers as expected.  This entry has only the posixAccount 
> information
>  >  and no Samba info.  However, the machine reports that it failed to join 
> the
>  >  domain.  Log entries on both samba and LDAP tell me that after the entry 
> is
>  >  created, samba is trying to find that entry in ou=people instead of
>  >  ou=computers.
>  >
>  >  Attempting to add the machine again gives us an error that the machine
>  >  already exists.
>  >
>  >  I modified smbldap-useradd to include the sambaSamAccount information when
>  >  the entry is created.  The first attempt to join the domain still fails,
>  >  however trying again succeeds.
>  >
>  >  In another test, I removed the modifications from smbldap-useradd and
>  >  modified the smbldap.conf file so that it thought the machines container
>  >  was ou=people.  With this change the new machine was able to join the
>  >  domain on the first try.  The problem here is that we don't want the
>  >  machines mixed in with the users.
>  >
>  >  So from this I determined that after creating the new entry for the
>  >  machine, Samba then goes and looks for that entry in ou=people instead of
>  >  ou=computers.  My guess is that there is a bug in the code that looks at
>  >  the wrong configuration entry.
>  >
>  >  I have tried looking through the C code on my own.  I'm only familiar with
>  >  C so I haven't made as much progress as I'd like.
>  >
>  >  Is this a known bug?  Is it possible that we have a configuration wrong
>  >  somewhere?
>  >
>  >  Can anyone point me to the correct C file so I can try and fix this?
>  >
>  >  I'd appreciate any help I can get.
>  >
>  >  Thanks.
>  >
>  >
>  >
>
>
>
>
> --
>  Jérôme
>


Re: [Samba] Samba/LDAP Question

2008-02-29 Thread Jerome Tournier
Hi,
just one idea: have you configured nss_ldap to resolve account in ou=Computers ?
ie, in /etc/ldap.conf, have you the 2 lines:
nss_base_passwd   ou=Users,..?sub
nss_base_passwd   ou=Computers,..?sub

If not, add ou=Computers and remove any nscd cache before re-trying.
-- 
Jérôme

On Mon, Feb 4, 2008 at 4:33 PM, Frank J. Pellegrino
<[EMAIL PROTECTED]> wrote:
> We have just setup Samba 3.0.28 with LDAP support.  We are using a Sun One
>  5.2 LDAP server.
>
>  We are having a problem when a new machine joins the domain.
>  Here is a snippet of our smb.conf file
>add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
>ldap machine suffix = ou=computers
>ldap user suffix = ou=People
>
>  When a new machine attempts to join the domain a new entry is created in
>  ou=computers as expected.  This entry has only the posixAccount information
>  and no Samba info.  However, the machine reports that it failed to join the
>  domain.  Log entries on both samba and LDAP tell me that after the entry is
>  created, samba is trying to find that entry in ou=people instead of
>  ou=computers.
>
>  Attempting to add the machine again gives us an error that the machine
>  already exists.
>
>  I modified smbldap-useradd to include the sambaSamAccount information when
>  the entry is created.  The first attempt to join the domain still fails,
>  however trying again succeeds.
>
>  In another test, I removed the modifications from smbldap-useradd and
>  modified the smbldap.conf file so that it thought the machines container
>  was ou=people.  With this change the new machine was able to join the
>  domain on the first try.  The problem here is that we don't want the
>  machines mixed in with the users.
>
>  So from this I determined that after creating the new entry for the
>  machine, Samba then goes and looks for that entry in ou=people instead of
>  ou=computers.  My guess is that there is a bug in the code that looks at
>  the wrong configuration entry.
>
>  I have tried looking through the C code on my own.  I'm only familiar with
>  C so I haven't made as much progress as I'd like.
>
>  Is this a known bug?  Is it possible that we have a configuration wrong
>  somewhere?
>
>  Can anyone point me to the correct C file so I can try and fix this?
>
>  I'd appreciate any help I can get.
>
>  Thanks.
>
>
>



-- 
Jérôme
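
Jérôme's suggestion above turns on whether any nss_base_passwd line covers the DN of the machine account. The following added example (not from the thread or from nss_ldap) checks that statically for the /etc/ldap.conf lines Hector posted; the nested DN is constructed, and an omitted scope is assumed to default to sub.

```python
# Added example: which nss_base_<db> search bases cover a given account DN?


def normalise_rdn(rdn):
    """Lower-case an RDN and drop whitespace around '='."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def split_dn(dn):
    """Split a DN into normalised RDNs, honouring backslash-escaped commas."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [normalise_rdn(p) for p in parts]


def parse_nss_bases(conf_text, database="passwd"):
    """Return [(base_dn, scope)] for every nss_base_<database> line."""
    key = f"nss_base_{database}"
    bases = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2 or fields[0].lower() != key:
            continue
        base, _, rest = fields[1].strip().partition("?")   # base?scope?filter
        scope = rest.partition("?")[0].strip().lower() or "sub"
        bases.append((base.strip(), scope))
    return bases


def covers(base, scope, dn):
    """True if a search at `base` with `scope` can return the entry `dn`."""
    b, d = split_dn(base), split_dn(dn)
    if scope == "base":
        return d == b
    if scope == "one":                     # direct children only
        return len(d) == len(b) + 1 and d[1:] == b
    return len(d) >= len(b) and d[len(d) - len(b):] == b   # sub


def matching_bases(conf_text, dn, database="passwd"):
    """Search bases of `database` under which `dn` is visible to NSS."""
    return [(b, s) for b, s in parse_nss_bases(conf_text, database)
            if covers(b, s, dn)]


# /etc/ldap.conf lines as Hector posted them. nss_base_hosts serves the
# hosts database, so it does not make machine accounts visible as passwd.
HECTOR_BEFORE = """\
nss_base_passwd ou=People,dc=jome?one
nss_base_shadow ou=People,dc=jome?one
nss_base_group  ou=Group,dc=jome?one
nss_base_hosts  ou=Hosts,dc=jome?one
"""
# The same file with the extra line he describes adding.
HECTOR_AFTER = HECTOR_BEFORE + "nss_base_passwd ou=Hosts,dc=jome?one\n"

MACHINE_DN = "uid=enano$,ou=Hosts,dc=jome"
NESTED_DN = "uid=pc1$,ou=Lab,ou=Hosts,dc=jome"   # constructed: one level deeper

if __name__ == "__main__":
    print("before:", matching_bases(HECTOR_BEFORE, MACHINE_DN))
    print("after: ", matching_bases(HECTOR_AFTER, MACHINE_DN))
    print("nested under ?one:", matching_bases(HECTOR_AFTER, NESTED_DN))
```

A DN that passes this check can still fail to resolve from a stale nscd cache, which is why the advice above pairs the configuration change with clearing it.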


Re: [Samba] Samba/LDAP Question

2008-02-28 Thread Steve Thompson

On Thu, 28 Feb 2008, Hector Blanco wrote:


It doesn't seem to be that, in my case... I removed the smb.conf lines
that told Samba in which Ldaps "tables" (or OUs) had to look for the
users and so, and it isn't working...


No, I don't think that is the problem. I have the ldap suffix directives 
in my smb.conf's, and it doesn't cause problems. Is the computersdn 
directive (and friends) correct in smbldap.conf? I have:


usersdn="ou=People,${suffix}"
computersdn="ou=Computers,${suffix}"
...

Steve


Re: [Samba] Samba/LDAP Question

2008-02-28 Thread Hector Blanco
It doesn't seem to be that, in my case... I removed the smb.conf lines
that told Samba in which Ldaps "tables" (or OUs) had to look for the
users and so, and it isn't working...


Just in case, there goes my new smb.conf

Thanks

-- smb.conf 
[global]
#Basic configuration
workgroup = JOME
security = user
netbios name = 
server string =  PDC server Version %v
encrypt passwords = yes

#Configuration to be the master PDC
os level = 65
preferred master = yes
local master = yes
domain master = yes
domain logons = yes
wins support=yes

#Log configuration
log level = 4
debug level=3
syslog = 3
log file = /var/log/samba/samba.log
max log size = 1000

#LDAP configuration
ldap admin dn = cn=Admin,dc=jome
ldap delete dn = no
passdb backend = ldapsam:ldap:///
#ldap user suffix = ou=People
#ldap group suffix = ou=Group
#ldap machine suffix = ou=Hosts
#ldap idmap suffix = ou=Idmap
ldap passwd sync = Yes
ldap suffix =dc=jome

ldap delete dn = No
local master=Yes
os level=65
domain master=yes
preferred master=yes
domain logons=yes
logon path = \\%L\%U\Profiles

#Miscellaneous program configuration
add machine script =/usr/sbin/smbldap-useradd -w %u
#   add user script = /usr/sbin/smbldap-useradd -a -m '%u'
#   delete user script = /usr/sbin/smbldap-userdel -r %u
#   add group script = /usr/sbin/smbldap-groupadd -p '%g'
#   delete group script = /usr/sbin/smbldap-groupdel '%g'
#   add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
#   delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
#   set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
passwd program = /usr/sbin/smbldap-passwd '%u'
printing = cups
printcap name = CUPS
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = H:


[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
locking = No

[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
browseable = yes
guest ok = no
read only = yes
write list = Administrator


2008/2/28, Adam Tauno Williams <[EMAIL PROTECTED]>:
> > ... I can see something in your Ldifs that I don't have: The
>  > "objectClass: sambaSamAccount"... I bet this is important in order to
>  > have Samba working!! Hehe... I'll keep working on this line... :)
>
>
> The add user / account process should add the sambaSamAccount
>  objectclass and related attributes.  If Samba can't find the new
>  object to modify then that is the problem.  We have a Samba LDAP PDC and
>  joining machines and adding users works fine.  I think your problem is -
>
>
> ldap machine suffix = ou=computers
> ldap user suffix = ou=People
>
>
> Specifying these causes problems,  it is up to the add script where to
>  create the account object.  Just make sure that creates the object where
>  you want it and Samba will modify the object in-place.  Remove these two
>  directives.
>
>  You said in your original message: ":samba is trying to find that entry
>  in ou=people instead of ou=computers.".  That is your problem.
>
>  --
>  Adam Tauno Williams, Network & Systems Administrator
>  Consultant - http://www.whitemiceconsulting.com
>  Developer - http://www.opengroupware.org
>


Re: [Samba] Samba/LDAP Question

2008-02-28 Thread Adam Tauno Williams
> ... I can see something in your Ldifs that I don't have: The
> "objectClass: sambaSamAccount"... I bet this is important in order to
> have Samba working!! Hehe... I'll keep working on this line... :)

The add user / account process should add the sambaSamAccount
objectclass and related attributes.  If Samba can't find the new
object to modify then that is the problem.  We have a Samba LDAP PDC and
joining machines and adding users works fine.  I think your problem is -

ldap machine suffix = ou=computers
ldap user suffix = ou=People

Specifying these causes problems,  it is up to the add script where to
create the account object.  Just make sure that creates the object where
you want it and Samba will modify the object in-place.  Remove these two
directives.

You said in your original message: ":samba is trying to find that entry
in ou=people instead of ou=computers.".  That is your problem.

-- 
Adam Tauno Williams, Network & Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
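
An added example, not part of the original message or of Samba's own code: a small Python audit of LDIF machine entries for the two conditions this thread turns on, whether the entry carries the sambaSamAccount objectClass (with sambaSID and a W account flag, as in the sample machine entry posted in the thread) and whether its DN sits under one of the passwd search bases of an NS_LDAP_SERVICE_SEARCH_DESC line. The entries, SIDs, suffixes and function names are constructed for the example.

```python
import base64

# Constructed sample data (names, SIDs and suffixes are made up for the example).
SAMPLE_LDIF = """\
# machine entry as left by an add machine script: POSIX attributes only
dn: uid=ws01$,ou=Hosts,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: posixAccount
cn: ws01$
sn: ws01$
uid: ws01$
uidNumber: 1007
gidNumber: 515

dn: uid=ws02$,ou=computers,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws02$
uidNumber: 1008
gidNumber: 515
sambaAcctFlags: [W          ]
sambaSID: S-1-5-21-1111111111-2222222222-
 3333333333-3016
"""

# Constructed descriptor in the same shape as the one quoted in the thread.
SAMPLE_SEARCH_DESC = "passwd: ou=computers,dc=example,dc=org;ou=People,dc=example,dc=org"


def parse_ldif(text):
    """Return a list of (dn, attrs); attrs maps lower-cased names to value lists."""
    # Unfold first: a line starting with one space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:
        if not line.strip():                 # blank line ends the current entry
            if current and "dn" in current:
                entries.append((current["dn"][0], current))
            current = None
            continue
        if line.startswith("#"):             # LDIF comment
            continue
        name, sep, value = line.partition(":")
        if not sep:                          # e.g. the lone "-" ending a dump
            continue
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def norm_dn(dn):
    """Lower-case and drop spaces around RDN separators (no escaped-comma support)."""
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1))
                    for rdn in dn.lower().split(","))


def search_bases(desc):
    """Bases from a 'service: base;base' descriptor; any '?scope' part is dropped."""
    _, _, bases = desc.partition(":")
    return [norm_dn(b.split("?", 1)[0]) for b in bases.split(";") if b.strip()]


def audit(ldif_text, desc):
    """Map each machine account DN (uid ending in '$') to a list of findings."""
    bases = search_bases(desc)
    report = {}
    for dn, attrs in parse_ldif(ldif_text):
        if not any(u.endswith("$") for u in attrs.get("uid", [])):
            continue
        findings = []
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "sambasamaccount" not in classes:
            findings.append("no sambaSamAccount objectClass")
        else:
            if not attrs.get("sambasid"):
                findings.append("sambaSamAccount without sambaSID")
            if not any("W" in f for f in attrs.get("sambaacctflags", [])):
                findings.append("sambaAcctFlags lacks W (workstation trust)")
        ndn = norm_dn(dn)
        if not any(ndn == b or ndn.endswith("," + b) for b in bases):
            findings.append("DN outside the passwd search bases")
        report[dn] = findings
    return report


if __name__ == "__main__":
    for dn, findings in audit(SAMPLE_LDIF, SAMPLE_SEARCH_DESC).items():
        print(dn, "->", findings or "ok")
```

To use it on real data, feed it an ldapsearch dump of the machine container together with the descriptor line from the client configuration.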



Re: [Samba] Samba/LDAP Question

2008-02-27 Thread Hector Blanco
Thank you Steve and Frank...

... I can see something in your Ldifs that I don't have: The
"objectClass: sambaSamAccount"... I bet this is important in order to
have Samba working!! Hehe... I'll keep working on this line... :)

Thank you again!

2008/2/27, Frank J. Pellegrino <[EMAIL PROTECTED]>:
> Below is a sample of a machine entry:
>
>  dn: uid=295mand01$,ou=computers,o=sju.edu
>  cn: 295mand01$
>  description: Computer
>  gecos: Computer
>  gidNumber: 515
>  homeDirectory: /dev/null
>  loginShell: /bin/false
>  objectClass: top
>  objectClass: person
>  objectClass: organizationalperson
>  objectClass: inetOrgPerson
>  objectClass: posixAccount
>  objectClass: sambaSamAccount
>  sambaAcctFlags: [W  ]
>  sambaNTPassword: 8E5BB69CD089184751166B254347DBD2
>  sambaPrimaryGroupSID: S-1-5-21-1948856034-3740470957-464559834-2031
>  sambaSID: S-1-5-21-1948856034-3740470957-464559834-2005314
>  sn: 295mand01$
>  uid: 295mand01$
>  uidNumber: 1002157
>
>
>
>
>  At 04:02 PM 2/27/2008, Hector Blanco wrote:
>  >Ehm... just to make sure... could anybody who has LDAP+Samba working
>  >send the ldif definition of what he has as a "machine"?
>  >
>  >I've got this as a machine:
>  >
>  >dn: uid=enano$,ou=Hosts,dc=jome
>  >objectClass: top
>  >objectClass: person
>  >objectClass: organizationalPerson
>  >objectClass: inetOrgPerson
>  >objectClass: posixAccount
>  >cn: enano$
>  >sn: enano$
>  >uid: enano$
>  >uidNumber: 1007
>  >gidNumber: 515
>  >homeDirectory: /dev/null
>  >loginShell: /bin/false
>  >description: Computer
>  >gecos: Computer
>  >structuralObjectClass: inetOrgPerson
>  >entryUUID: 0cd59f8e-79a9-102c-8d64-8b73cc15be28
>  >creatorsName: cn=admin,dc=jome
>  >createTimestamp: 20080227175622Z
>  >entryCSN: 20080227175622Z#01#00#00
>  >modifiersName: cn=admin,dc=jome
>  >modifyTimestamp: 20080227175622Z
>  >entryDN: uid=enano$,ou=Hosts,dc=jome
>  >subschemaSubentry: cn=Subschema
>  >hasSubordinates: FALSE
>  >-
>  >
>  >and I don't see any "samba" thing in here... Is that fine?
>  >
>  >Thanks!!
>  >
>  >
>  >
>  >2008/2/27, Frank J. Pellegrino <[EMAIL PROTECTED]>:
>  > > If your solaris box is setup as an LDAP client you can add a search
>  > >  descriptor with the ldapclient command.
>  > >  Below is an example of what we changed to make joining the domain work on
>  > >  the first try.
>  > >
>  > >  NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=computers,o=sju.edu;ou=People,o=sju.edu
>  > >
>  > >
>  > >
>  > >
>  > >  At 03:13 PM 2/27/2008, Hector Blanco wrote:
>  > >  >Mmmm..If I understood properly, I'm afraid I can just say... "Welcome
>  > >  >to the club, mate":
>  > >  >
>  > >  >Take a look to this:
>  > >  >http://lists.samba.org/archive/samba/2008-February/138639.html
>  > >  >http://lists.samba.org/archive/samba/2008-February/138442.html
>  > >  >
>  > >  >May it be a bug??  Is the same thing that is happening to you?
>  > >  >
>  > >  >Regards
>  > >  >
>  > >  >2008/2/4, Frank J. Pellegrino <[EMAIL PROTECTED]>:
>  > >  > > We have just setup Samba 3.0.28 with LDAP support.  We are using a Sun One
>  > >  > >  5.2 LDAP server.
>  > >  > >
>  > >  > >  We are having a problem when a new machine joins the domain.
>  > >  > >  Here is a snippet of our smb.conf file
>  > >  > >add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
>  > >  > >ldap machine suffix = ou=computers
>  > >  > >ldap user suffix = ou=People
>  > >  > >
>  > >  > >  When a new machine attempts to join the domain a new entry is created in
>  > >  > >  ou=computers as expected.  This entry has only the posixAccount information
>  > >  > >  and no Samba info.  However, the machine reports that it failed to join the
>  > >  > >  domain.  Log entries on both samba and LDAP tell me that after the entry is
>  > >  > >  created, samba is trying to find that entry in ou=people instead of
>  > >  > >  ou=computers.
>  > >  > >
>  > >  > >  Attempting to add the machine again gives us an error that the machine
>  > >  > >  already exists.
>  > >  > >
>  > >  > >  I modified smbldap-useradd to include the sambaSamAccount information when
>  > >  > >  the entry is created.  The first attempt to join the domain still fails,
>  > >  > >  however trying again succeeds.
>  > >  > >
>  > >  > >  In another test, I removed the modifications from smbldap-useradd and
>  > >  > >  modified the smbldap.conf file so that it thought the machines container
>  > >  > >  was ou=people.  With this change the new machine was able to join the
>  > >  > >  domain on the first try.  The problem here is that we don't want the
>  > >  > >  machines mixed in with the users.
>  > >  > >
>  > >  > >  So from this I determined that after creating the new entry for the
>  > >  > >  machine, Samba then goes and looks for that entry in ou=people instead of
>  > >  > >  ou=compu

Re: [Samba] Samba/LDAP Question

2008-02-27 Thread Frank J. Pellegrino

Below is a sample of a machine entry:

dn: uid=295mand01$,ou=computers,o=sju.edu
cn: 295mand01$
description: Computer
gecos: Computer
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
sambaAcctFlags: [W  ]
sambaNTPassword: 8E5BB69CD089184751166B254347DBD2
sambaPrimaryGroupSID: S-1-5-21-1948856034-3740470957-464559834-2031
sambaSID: S-1-5-21-1948856034-3740470957-464559834-2005314
sn: 295mand01$
uid: 295mand01$
uidNumber: 1002157



At 04:02 PM 2/27/2008, Hector Blanco wrote:

Ehm... just to make sure... could anybody who has LDAP+Samba working
send the ldif definition of what he has as a "machine"?

I've got this as a machine:

dn: uid=enano$,ou=Hosts,dc=jome
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
cn: enano$
sn: enano$
uid: enano$
uidNumber: 1007
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
structuralObjectClass: inetOrgPerson
entryUUID: 0cd59f8e-79a9-102c-8d64-8b73cc15be28
creatorsName: cn=admin,dc=jome
createTimestamp: 20080227175622Z
entryCSN: 20080227175622Z#01#00#00
modifiersName: cn=admin,dc=jome
modifyTimestamp: 20080227175622Z
entryDN: uid=enano$,ou=Hosts,dc=jome
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
-

and I don't see any "samba" thing in here... Is that fine?

Thanks!!



2008/2/27, Frank J. Pellegrino <[EMAIL PROTECTED]>:
> If your solaris box is setup as an LDAP client you can add a search
>  descriptor with the ldapclient command.
>  Below is an example of what we changed to make joining the domain work on
>  the first try.
>
>  NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=computers,o=sju.edu;ou=People,o=sju.edu
>
>
>
>
>  At 03:13 PM 2/27/2008, Hector Blanco wrote:
>  >Mmmm..If I understood properly, I'm afraid I can just say... "Welcome
>  >to the club, mate":
>  >
>  >Take a look to this:
>  >http://lists.samba.org/archive/samba/2008-February/138639.html
>  >http://lists.samba.org/archive/samba/2008-February/138442.html
>  >
>  >May it be a bug??  Is the same thing that is happening to you?
>  >
>  >Regards
>  >
>  >2008/2/4, Frank J. Pellegrino <[EMAIL PROTECTED]>:
>  > > We have just setup Samba 3.0.28 with LDAP support.  We are using a Sun One
>  > >  5.2 LDAP server.
>  > >
>  > >  We are having a problem when a new machine joins the domain.
>  > >  Here is a snippet of our smb.conf file
>  > >add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
>  > >ldap machine suffix = ou=computers
>  > >ldap user suffix = ou=People
>  > >
>  > >  When a new machine attempts to join the domain a new entry is created in
>  > >  ou=computers as expected.  This entry has only the posixAccount information
>  > >  and no Samba info.  However, the machine reports that it failed to join the
>  > >  domain.  Log entries on both samba and LDAP tell me that after the entry is
>  > >  created, samba is trying to find that entry in ou=people instead of
>  > >  ou=computers.
>  > >
>  > >  Attempting to add the machine again gives us an error that the machine
>  > >  already exists.
>  > >
>  > >  I modified smbldap-useradd to include the sambaSamAccount information when
>  > >  the entry is created.  The first attempt to join the domain still fails,
>  > >  however trying again succeeds.
>  > >
>  > >  In another test, I removed the modifications from smbldap-useradd and
>  > >  modified the smbldap.conf file so that it thought the machines container
>  > >  was ou=people.  With this change the new machine was able to join the
>  > >  domain on the first try.  The problem here is that we don't want the
>  > >  machines mixed in with the users.
>  > >
>  > >  So from this I determined that after creating the new entry for the
>  > >  machine, Samba then goes and looks for that entry in ou=people instead of
>  > >  ou=computers.  My guess is that there is a bug in the code that looks at
>  > >  the wrong configuration entry.
>  > >
>  > >  I have tried looking through the C code on my own.  I'm only familiar with
>  > >  C so I haven't made as much progress as I'd like.
>  > >
>  > >  Is this a known bug?  Is it possible that we have a configuration wrong
>  > >  somewhere?
>  > >
>  > >  Can anyone point me to the correct C file so I can try and fix this?
>  > >
>  > >  I'd appreciate any help I can get.
>  > >
>  > >  Thanks.

Re: [Samba] Samba/LDAP Question

2008-02-27 Thread Frank J. Pellegrino
If your solaris box is setup as an LDAP client you can add a search 
descriptor with the ldapclient command.
Below is an example of what we changed to make joining the domain work on 
the first try.


NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=computers,o=sju.edu;ou=People,o=sju.edu



At 03:13 PM 2/27/2008, Hector Blanco wrote:

Mmmm..If I understood properly, I'm afraid I can just say... "Welcome
to the club, mate":

Take a look to this:
http://lists.samba.org/archive/samba/2008-February/138639.html
http://lists.samba.org/archive/samba/2008-February/138442.html

May it be a bug??  Is the same thing that is happening to you?

Regards

2008/2/4, Frank J. Pellegrino <[EMAIL PROTECTED]>:
> We have just setup Samba 3.0.28 with LDAP support.  We are using a Sun One
>  5.2 LDAP server.
>
>  We are having a problem when a new machine joins the domain.
>  Here is a snippet of our smb.conf file
>add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
>ldap machine suffix = ou=computers
>ldap user suffix = ou=People
>
>  When a new machine attempts to join the domain a new entry is created in
>  ou=computers as expected.  This entry has only the posixAccount information
>  and no Samba info.  However, the machine reports that it failed to join the
>  domain.  Log entries on both samba and LDAP tell me that after the entry is
>  created, samba is trying to find that entry in ou=people instead of
>  ou=computers.
>
>  Attempting to add the machine again gives us an error that the machine
>  already exists.
>
>  I modified smbldap-useradd to include the sambaSamAccount information when
>  the entry is created.  The first attempt to join the domain still fails,
>  however trying again succeeds.
>
>  In another test, I removed the modifications from smbldap-useradd and
>  modified the smbldap.conf file so that it thought the machines container
>  was ou=people.  With this change the new machine was able to join the
>  domain on the first try.  The problem here is that we don't want the
>  machines mixed in with the users.
>
>  So from this I determined that after creating the new entry for the
>  machine, Samba then goes and looks for that entry in ou=people instead of
>  ou=computers.  My guess is that there is a bug in the code that looks at
>  the wrong configuration entry.
>
>  I have tried looking through the C code on my own.  I'm only familiar with
>  C so I haven't made as much progress as I'd like.
>
>  Is this a known bug?  Is it possible that we have a configuration wrong
>  somewhere?
>
>  Can anyone point me to the correct C file so I can try and fix this?
>
>  I'd appreciate any help I can get.
>
>  Thanks.
>
>
>


Re: [Samba] Samba/LDAP Question

2008-02-27 Thread Hector Blanco
Ehm... just to make sure... could anybody who has LDAP+Samba working
send the ldif definition of what he has as a "machine"?

I've got this as a machine:

dn: uid=enano$,ou=Hosts,dc=jome
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
cn: enano$
sn: enano$
uid: enano$
uidNumber: 1007
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
structuralObjectClass: inetOrgPerson
entryUUID: 0cd59f8e-79a9-102c-8d64-8b73cc15be28
creatorsName: cn=admin,dc=jome
createTimestamp: 20080227175622Z
entryCSN: 20080227175622Z#01#00#00
modifiersName: cn=admin,dc=jome
modifyTimestamp: 20080227175622Z
entryDN: uid=enano$,ou=Hosts,dc=jome
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
-

and I don't see any "samba" thing in here... Is that fine?

Thanks!!



2008/2/27, Frank J. Pellegrino <[EMAIL PROTECTED]>:
> If your solaris box is setup as an LDAP client you can add a search
>  descriptor with the ldapclient command.
>  Below is an example of what we changed to make joining the domain work on
>  the first try.
>
>  NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=computers,o=sju.edu;ou=People,o=sju.edu
>
>
>
>
>  At 03:13 PM 2/27/2008, Hector Blanco wrote:
>  >Mmmm..If I understood properly, I'm afraid I can just say... "Welcome
>  >to the club, mate":
>  >
>  >Take a look to this:
>  >http://lists.samba.org/archive/samba/2008-February/138639.html
>  >http://lists.samba.org/archive/samba/2008-February/138442.html
>  >
>  >May it be a bug??  Is the same thing that is happening to you?
>  >
>  >Regards
>  >
>  >2008/2/4, Frank J. Pellegrino <[EMAIL PROTECTED]>:
>  > > We have just setup Samba 3.0.28 with LDAP support.  We are using a Sun One
>  > >  5.2 LDAP server.
>  > >
>  > >  We are having a problem when a new machine joins the domain.
>  > >  Here is a snippet of our smb.conf file
>  > >add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
>  > >ldap machine suffix = ou=computers
>  > >ldap user suffix = ou=People
>  > >
>  > >  When a new machine attempts to join the domain a new entry is created in
>  > >  ou=computers as expected.  This entry has only the posixAccount information
>  > >  and no Samba info.  However, the machine reports that it failed to join the
>  > >  domain.  Log entries on both samba and LDAP tell me that after the entry is
>  > >  created, samba is trying to find that entry in ou=people instead of
>  > >  ou=computers.
>  > >
>  > >  Attempting to add the machine again gives us an error that the machine
>  > >  already exists.
>  > >
>  > >  I modified smbldap-useradd to include the sambaSamAccount information when
>  > >  the entry is created.  The first attempt to join the domain still fails,
>  > >  however trying again succeeds.
>  > >
>  > >  In another test, I removed the modifications from smbldap-useradd and
>  > >  modified the smbldap.conf file so that it thought the machines container
>  > >  was ou=people.  With this change the new machine was able to join the
>  > >  domain on the first try.  The problem here is that we don't want the
>  > >  machines mixed in with the users.
>  > >
>  > >  So from this I determined that after creating the new entry for the
>  > >  machine, Samba then goes and looks for that entry in ou=people instead of
>  > >  ou=computers.  My guess is that there is a bug in the code that looks at
>  > >  the wrong configuration entry.
>  > >
>  > >  I have tried looking through the C code on my own.  I'm only familiar with
>  > >  C so I haven't made as much progress as I'd like.
>  > >
>  > >  Is this a known bug?  Is it possible that we have a configuration wrong
>  > >  somewhere?
>  > >
>  > >  Can anyone point me to the correct C file so I can try and fix this?
>  > >
>  > >  I'd appreciate any help I can get.
>  > >
>  > >  Thanks.
>  > >
>  > >
>  > >


Re: [Samba] Samba/LDAP Question

2008-02-27 Thread Hector Blanco
Mmmm..If I understood properly, I'm afraid I can just say... "Welcome
to the club, mate":

Take a look to this:
http://lists.samba.org/archive/samba/2008-February/138639.html
http://lists.samba.org/archive/samba/2008-February/138442.html

May it be a bug??  Is the same thing that is happening to you?

Regards

2008/2/4, Frank J. Pellegrino <[EMAIL PROTECTED]>:
> We have just setup Samba 3.0.28 with LDAP support.  We are using a Sun One
>  5.2 LDAP server.
>
>  We are having a problem when a new machine joins the domain.
>  Here is a snippet of our smb.conf file
>add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
>ldap machine suffix = ou=computers
>ldap user suffix = ou=People
>
>  When a new machine attempts to join the domain a new entry is created in
>  ou=computers as expected.  This entry has only the posixAccount information
>  and no Samba info.  However, the machine reports that it failed to join the
>  domain.  Log entries on both samba and LDAP tell me that after the entry is
>  created, samba is trying to find that entry in ou=people instead of
>  ou=computers.
>
>  Attempting to add the machine again gives us an error that the machine
>  already exists.
>
>  I modified smbldap-useradd to include the sambaSamAccount information when
>  the entry is created.  The first attempt to join the domain still fails,
>  however trying again succeeds.
>
>  In another test, I removed the modifications from smbldap-useradd and
>  modified the smbldap.conf file so that it thought the machines container
>  was ou=people.  With this change the new machine was able to join the
>  domain on the first try.  The problem here is that we don't want the
>  machines mixed in with the users.
>
>  So from this I determined that after creating the new entry for the
>  machine, Samba then goes and looks for that entry in ou=people instead of
>  ou=computers.  My guess is that there is a bug in the code that looks at
>  the wrong configuration entry.
>
>  I have tried looking through the C code on my own.  I'm only familiar with
>  C so I haven't made as much progress as I'd like.
>
>  Is this a known bug?  Is it possible that we have a configuration wrong
>  somewhere?
>
>  Can anyone point me to the correct C file so I can try and fix this?
>
>  I'd appreciate any help I can get.
>
>  Thanks.
>
>
>


Re: [Samba] samba + ldap bind machine account with user account

2008-02-03 Thread Sadique Puthen

satish patel wrote:

Dear all

   I have special requirement of samba domain security...i want to bind 
user with machine so that use only ...and only able to login with that same 
machine ...means user can not login in to any other PC or machine only access 
on own machine...is it possible with ldap attributes ..?
  


Check with 'userWorkstations' and 'sambaUserWorkstations'.  This is the 
other way where you define these attributes for users and restrict which 
workstations they can log in.


I am not yet 100% sure whether this feature has actually been implemented in 
the samba code or not. I have not yet tested this. If not, please raise 
a feature request upstream. BTW ldap supports these attributes for samba 
users.


--Sadique



$ cat ~/satish/url.txt  


http://www.linuxbug.org


Re: [Samba] Samba + LDAP cannot get account from NT4

2007-12-28 Thread Stephen Vermeulen
I recently worked through a migration of an NT4 PDC to a Samba PDC using
the vampire command,
while doing this I ran into some problems, possibly including your problem.

There are at least two steps to this procedure that are not included in
most of the documentation
on how to do this that I found on the net. These are:

1. you need to use the NT4 server's "Server Manager" tool to create a
backup domain
controller account for the Samba box before you issue the "net join" command

2. you need to manually change the SID of the Samba box to be the same as
the SID of the NT4 PDC that it will be replacing

You might also have forgotten to use "smbpasswd" to set the root account
password
into Samba.

I have written up a step-by-step procedure for doing the migration based
on my
experiences. I did repeat this procedure a few times from clean Linux
installs to
verify that it was repeatable.

Take a look at:

http://vermeulen.ca/linux-windows-nt.html

Regards,

Stephen



wilson kwok wrote:
> Can anyone help me to solve this problem ?
>  
> Thx !
>   
>> From: [EMAIL PROTECTED]
>> To: samba@lists.samba.org
>> Date: Fri, 28 Dec 2007 01:15:58 +0800
>> Subject: [Samba] Samba + LDAP cannot get account from NT4
>>
>> Hello,
>>
>> I do a Migration from NT4 to Samba + LDAP, I already join Samba to NT4, when I type
>> net rpc vampire -S NT -U Administrator%nt, the following error occur,
>>
>> [2007/12/28 00:13:16, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2673)
>>   cli_rpc_pipe_open_schannel: failed to get schannel session key from server NT for domain SFA.
>> [2007/12/28 00:13:16, 0] utils/net_rpc.c:run_rpc_command(151)
>>   Could not initialise schannel netlogon pipe. Error was NT_STATUS_INVALID_NETWORK_RESPONSE
>>
>> Thx




Re: [Samba] Samba + LDAP cannot get account from NT4

2007-12-28 Thread Hans-Wilhelm Heisinger
I migrated a few NT domains to Samba using the rpc net vampire command
to a tdbsam backend, and then move to a LDAP backend and was successful.
I had tried going directly to LDAP using the rpc net vampire command but
it failed like yours. However I have come across scripts that do this
migration in a book Windows to Linux Migration toolkit.


wilson kwok wrote:
> Can anyone help me to solve this problem ?
>  
> Thx !
>   
>> From: [EMAIL PROTECTED]
>> To: samba@lists.samba.org
>> Date: Fri, 28 Dec 2007 01:15:58 +0800
>> Subject: [Samba] Samba + LDAP cannot get account from NT4
>>
>> Hello,
>>
>> I do a Migration from NT4 to Samba + LDAP, I already join Samba to NT4, when I type
>> net rpc vampire -S NT -U Administrator%nt, the following error occur,
>>
>> [2007/12/28 00:13:16, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2673)
>>   cli_rpc_pipe_open_schannel: failed to get schannel session key from server NT for domain SFA.
>> [2007/12/28 00:13:16, 0] utils/net_rpc.c:run_rpc_command(151)
>>   Could not initialise schannel netlogon pipe. Error was NT_STATUS_INVALID_NETWORK_RESPONSE
>>
>> Thx



RE: [Samba] Samba + LDAP cannot get account from NT4

2007-12-28 Thread wilson kwok

Can anyone help me to solve this problem ?
 
Thx !
> From: [EMAIL PROTECTED]
> To: samba@lists.samba.org
> Date: Fri, 28 Dec 2007 01:15:58 +0800
> Subject: [Samba] Samba + LDAP cannot get account from NT4
>
> Hello,
>
> I do a Migration from NT4 to Samba + LDAP, I already join Samba to NT4, when I type
> net rpc vampire -S NT -U Administrator%nt, the following error occur,
>
> [2007/12/28 00:13:16, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2673)
>   cli_rpc_pipe_open_schannel: failed to get schannel session key from server NT for domain SFA.
> [2007/12/28 00:13:16, 0] utils/net_rpc.c:run_rpc_command(151)
>   Could not initialise schannel netlogon pipe. Error was NT_STATUS_INVALID_NETWORK_RESPONSE
>
> Thx


Re: [Samba] Samba+LDAP Group mapping

2007-12-10 Thread Markus Bajones
Hi,

I had the same problem and solved it for me yesterday.
I downloaded the samba.schema file from the original samba version 3.0.24
available from samba.org and copied it to /etc/ldap/schema/samba.schema,
restarted slapd.

Now I am able to find the groups within the windows security setting
dialog and with the net rpc group  command.

Best regards,

Markus Bajones

> Hi,
> I'm running into weird problems after switching from tdbsam to ldapsam
> user backend. I have transferred all local unix and samba groups with the
> sambaldap-tools scripts. The 'net groupmap list' command prints all
> group mappings correctly, and I also can use all the groups present in
> LDAP for setting local file ownerships.
>
> However these groups don't appear in the windows security setting
> dialogues (e.g. for setting file permissions or matching local groups
> with domain groups). All I get is a list of users. Even the built-in
> groups like 'Domain Administrators', 'Replicator Operators', ... are
> missing.
>
> I'm running the current Debian stable samba and open ldap.
>
> Cheers
> Maro¨
>
>
> LDIF from ldap (just one group as an example):
> dn: cn=Domain Admins, ou=Groups, dc=hui, dc=net
> sambaSID: S-1-5-xx-xx-xx-x-512
> gidNumber: 512
> memberUid: administrator
> displayName: Domain Admins
> sambaGroupType: 2
> description: Netbios Domain Administrators
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> cn: Domain Admins
>
> The relevant parts of the smb.conf:
> [global]
> workgroup = HUINET
> domain logons = Yes
>   [..]
> obey pam restrictions = Yes
> null passwords = no
>   [..]
> passwd program = /usr/sbin/smbldap-passwd "%u"
> passwd chat = ""
> ldap password sync = yes
> passdb backend = ldapsam:ldap://127.0.0.1/
> ldap admin dn = cn=samba,ou=DSA,dc=hui,dc=net
> ldap suffix = dc=hui,dc=net
> ldap group suffix = ou=Groups
> ldap user suffix = ou=Users
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Computers
> add machine script = /usr/sbin/smbldap-useradd -w "%u"
> add user script = /usr/sbin/smbldap-useradd -m "%u"
> ldap delete dn = no
> delete user script = /usr/sbin/smbldap-userdel "%u"
> delete user script = /usr/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x
> "%u" "%g"
> set primary group script = /usr/sbin/smbldap-usermod -g "%g "%u"
>


Re: [Samba] Samba+LDAP problems

2007-11-08 Thread Edmundo Valle Neto

Marcelo Mogrovejo wrote:

Hi John...

John H Terpstra wrote:

(...)

I mean that i don't know why the user linux is not created, why i don't
see him with getent passwd.
The command work fine without errors.

So all of this means smbldap-tools is broken ??



No, it means your NSS is either not configured correctly, or is 
broken.  How have you configured /etc/nsswitch.conf and /etc/ldap.conf?
  

here i show you my /etc/nsswitch.conf and /etc/ldap/ldap.conf

http://pastebin.com/mf74cf2


thanks.

regards


About /etc/ldap/ldap.conf, Debian doesn't use the config from there (it 
reads from different files when using NSS or PAM), include your 
/etc/nss-ldap.conf instead.


The only use of /etc/ldap/ldap.conf that I remember now is by ldap-utils 
(ldapsearch for example).


Looking at the file that you sent, I saw that you are trying to use TLS, 
and didn't understand yet if openldap is installed in that same machine 
that you are trying to configure NSS (that in my opinion in this case 
could make TLS useless).


If you never configured an LDAP server before, if possible you should 
try something simpler, don't use TLS and don't set the pam and nss filters.



Regards.

Edmundo Valle Neto