petrjanda Veteran
Joined: 05 Sep 2003 Posts: 1557 Location: Brno, Czech Republic
Posted: Tue Mar 08, 2005 5:59 am Post subject: Which How-To for SAMBA+LDAP PDC? |
I've tried using at least 3 how-tos, but I just can't get it working, either because it's outdated or because the how-to wasn't done on Gentoo and it's different. So which how-to did you use? What modifications did you have to do to get it working on your system?
_________________ There is, a not-born, a not-become, a not-made, a not-compounded. If that unborn, not-become, not-made, not-compounded were not, there would be no escape from this here that is born, become, made and compounded. - Gautama Siddharta
AppleMasher n00b
Joined: 09 Jul 2004 Posts: 11 Location: Chattanooga, TN
petrjanda Veteran
Joined: 05 Sep 2003 Posts: 1557 Location: Brno, Czech Republic
Posted: Tue Mar 08, 2005 12:17 pm Post subject: |
Using the IDEALX guide, these lines in slapd.conf don't work:
Code: |
# some attributes need to be readable so that 'id user' can answer correctly
access to attrs=@posixAccount,@posixGroup,@inetOrgPerson
    by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
    by dn="cn=nssldap,ou=DSA,dc=idealx,dc=org" read
    by self read
# some attributes need to be writable for samba
access to attrs=@sambaSamAccount,@sambaGroupMapping,@sambaTrustPassword,@sambaDomain,@sambaShare,@sambaConfigOption,@sambaPrivilege
    by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
    by self read
|
slapd wouldn't start; it's complaining about the attrs not existing.
AppleMasher n00b
Joined: 09 Jul 2004 Posts: 11 Location: Chattanooga, TN
Posted: Tue Mar 08, 2005 10:30 pm Post subject: |
Just because I'm such a nice guy:
The first issue is that the @ symbols aren't supposed to be there; secondly, smbldap-tools is missing unless you're using the samba user for both; and thirdly, we need to allow the samba and smbldap-tools users to write to objectClass,entry.
I'm sure it's still not perfect, but it should be a lot closer.
Code: |
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
by dn="cn=nssldap,ou=DSA,dc=idealx,dc=org" write
by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
by self write
by anonymous auth
# some attributes need to be readable by everyone
access to attrs=uidNumber,gidNumber,gecos,homeDirectory,uid,cn,memberUid,objectClass,entry
by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
by self read
# the objectClass needed for everyone
access to attrs=objectClass,entry
by dn="cn=samba,ou=DSA,dc=idealx,dc=org" read
by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" read
by dn="cn=nssldap,ou=DSA,dc=idealx,dc=org" read
by dn="cn=postfix-auth,ou=DSA,dc=idealx,dc=org" read
by self read
# some attributes can be writable by users themselves
access to attrs=description,telephoneNumber
by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
by self write
by users read
# some attributes need to be readable so that 'id user' can answer correctly
access to attrs=posixAccount,posixGroup,inetOrgPerson
by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
by dn="cn=nssldap,ou=DSA,dc=idealx,dc=org" read
by self read
# some attributes need to be writable for samba
access to attrs=sambaSamAccount,sambaGroupMapping,sambaTrustPassword,sambaDomain,sambaShare,sambaConfigOption,sambaPrivilege,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
by self read
# samba need to be able to create the samba domain account
access to dn.base="dc=idealx,dc=org"
by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
# samba need to be able to create the sambaDomain account and NextFreeUnixId
access to dn="dc=idealx,dc=org" attrs=children
by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
access to dn="cn=NextFreeUnixId,dc=idealx,dc=org"
by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
access to dn.one="dc=idealx,dc=org" filter="(objectClass=sambaDomain)"
by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
# samba need to be able to create new users account
access to dn="ou=People,dc=idealx,dc=org"
by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
# samba need to be able to create new groups account
access to dn="ou=Groups,dc=idealx,dc=org"
by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
# samba need to be able to create new computers account
access to dn="ou=Computers,dc=idealx,dc=org"
by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
# samba need to be able to create new idmap entries
access to dn="ou=Idmap,dc=idealx,dc=org"
by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
# Default access rights
access to *
by self read
|
petrjanda Veteran
Joined: 05 Sep 2003 Posts: 1557 Location: Brno, Czech Republic
Posted: Wed Mar 09, 2005 12:17 am Post subject: |
Thanks a lot!
I will post more later if I have problems.
petrjanda Veteran
Joined: 05 Sep 2003 Posts: 1557 Location: Brno, Czech Republic
Posted: Wed Mar 09, 2005 3:09 am Post subject: |
Well, I've got another problem: when I run smbldap-populate, everything works fine, but I never see an entry like this one:
Code: |
adding new entry: sambaDomainName=A216NETWORK.EDU,dc=a216network,dc=edu
|
When I tried to add a user:
Code: |
smbldap-useradd -m -a testuser
|
getent passwd displays testuser
Code: |
testuser1:x:1500:513:System User:/home/testuser1:/bin/bash
|
but id testuser says there's no such user:
Code: |
id: testuser1: No such user
|
AppleMasher n00b
Joined: 09 Jul 2004 Posts: 11 Location: Chattanooga, TN
Posted: Wed Mar 09, 2005 4:14 am Post subject: |
Hmm, smbldap-populate takes the value for sambaDomainName from the workgroup parameter in smb.conf. Hmm, I suppose it could be possible that this part
Code: |
# samba need to be able to create the samba domain account
access to dn.base="dc=idealx,dc=org"
    by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
    by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
|
is not actually giving the required permission to smbldap-tools. I'm not sure, I imported the initial accounts with Manager and then switched to the restricted account. You may want to try executing the script with Manager and see if it fixes it. As for the testuser, are there no errors at all? Do you have the ou=Users,dc=idealx,dc=lan? This is used to store the Windows accounts.
petrjanda Veteran
Joined: 05 Sep 2003 Posts: 1557 Location: Brno, Czech Republic
Posted: Wed Mar 09, 2005 4:28 am Post subject: |
AppleMasher wrote: | Hmm, smbldap-populate takes the value for sambaDomainName from the workgroup parameter in smb.conf. Hmm, I suppose it could be possible that this part
Code: |
# samba need to be able to create the samba domain account
access to dn.base="dc=idealx,dc=org"
    by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
    by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
|
is not actually giving the required permission to smbldap-tools. I'm not sure, I imported the initial accounts with Manager and then switched to the restricted account. You may want to try executing the script with Manager and see if it fixes it. As for the testuser, are there no errors at all? Do you have the ou=Users,dc=idealx,dc=lan? This is used to store the Windows accounts. |
What I've done so far:
For some reason, I can actually join a computer to the domain using the "Administrator" account (but only after I actually added the "root" account to the LDAP database). I can ALSO log in with testuser1, and log out, and everything seems to work. My current slapd ACLs are (I found these to be the simplest):
Code: |
access to dn.base=""
    by self write
    by * auth
access to attr=userPassword
    by self write
    by * auth
access to attr=shadowLastChange
    by self write
    by * read
access to *
    by * read
    by anonymous auth
|
When I logged in with testuser1, I had the "Password has expired" popup coming up, so I attempted to change the password, but it told me I don't have permissions for this until I removed these lines from smb.conf:
Code: |
unix password sync = yes
pam password change = yes
|
Then I indeed could change the password, but in future I'd like the unix password sync to work. Any ideas how to do that?
I should also say that I'm using the RootDN (Manager) account (not the samba account) in smb.conf so that samba can access the LDAP backend.
I have ou=People,dc=idealx,dc=lan (not ou=Users).
I'm also using the People container to store computer accounts because I have been told that there's a bug in samba that prevents samba from searching the Computers container.
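The ACL set in the post above closes with `access to * by * read`, and in slapd's first-match evaluation `*` also matches an anonymous bind, so every attribute not covered by an earlier rule, including each account's sambaNTPassword and sambaLMPassword (which are password-equivalent for SMB), is readable without credentials; the slapd.conf posted further down in this thread adds those two attributes to the userPassword rule. What follows is an added example, not code from the thread or from the IDEALX guide: a small evaluator that models slapd's ACL semantics for just the clauses these two rule sets use, run against both rule sets on a constructed user entry (the DN of that entry is an assumption).

```python
import re

# Both rule sets are copied from the thread; only indentation is added.
ACL_EARLY = """\
access to dn.base=""
    by self write
    by * auth
access to attr=userPassword
    by self write
    by * auth
access to attr=shadowLastChange
    by self write
    by * read
access to *
    by * read
    by anonymous auth
"""

ACL_LATER = """\
access to dn.base=""
    by self write
    by * auth
access to attr=userPassword,sambaNTPassword,sambaLMPassword
    by self write
    by * auth
access to attr=shadowLastChange
    by self write
    by * read
access to *
    by * read
    by anonymous auth
"""

# slapd access levels, weakest to strongest; a granted level implies the weaker ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed user entry (assumption) under the suffix used in the thread.
USER_DN = "uid=testuser1,ou=People,dc=a216network,dc=edu"
HASH_ATTRS = ("userPassword", "sambaNTPassword", "sambaLMPassword")


def parse_acl(text):
    """Turn `access to <what>` / `by <who> <level>` lines into a rule list."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            rules.append({"what": line[len("access to "):].strip(), "by": []})
        elif line.startswith("by ") and rules:
            who, level = line[3:].rsplit(None, 1)
            if level not in LEVELS:
                raise ValueError("unsupported access level: " + level)
            rules[-1]["by"].append((who.strip(), level))
        else:
            raise ValueError("unsupported ACL line: " + line)
    return rules


def what_matches(what, target_dn, attr):
    """Subset of slapd <what> clauses: '*', dn.base="" (root DSE), attr(s)=list."""
    if what == "*":
        return True
    if what == 'dn.base=""':
        return target_dn == ""
    m = re.fullmatch(r"attrs?=(.+)", what)
    if m:
        return attr in {a.strip() for a in m.group(1).split(",")}
    raise ValueError("unsupported <what> clause: " + what)


def who_matches(who, bind_dn, target_dn):
    """Subset of slapd <who> clauses; an anonymous bind has the empty DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn="([^"]*)"', who)
    if m:
        return bind_dn.lower() == m.group(1).lower()
    raise ValueError("unsupported <who> clause: " + who)


def access_level(rules, bind_dn, target_dn, attr):
    """slapd semantics: the first <what> that matches decides, and inside it
    the first matching <by> gives the level; no match anywhere means none."""
    for rule in rules:
        if what_matches(rule["what"], target_dn, attr):
            for who, level in rule["by"]:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"
    return "none"


def allows(rules, bind_dn, target_dn, attr, needed):
    return LEVELS.index(access_level(rules, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


def anonymously_readable_hashes(acl_text, target_dn=USER_DN):
    """Password(-equivalent) attributes an unauthenticated bind can read."""
    rules = parse_acl(acl_text)
    return sorted(a for a in HASH_ATTRS if allows(rules, "", target_dn, a, "read"))


if __name__ == "__main__":
    for name, acl in (("early", ACL_EARLY), ("later", ACL_LATER)):
        print(name, "exposes to anonymous:", anonymously_readable_hashes(acl) or "nothing")
```

Because `by * read` already matches anonymous binds, the `by anonymous auth` line after it never fires; listing the hash attributes in the dedicated password rule, as the later slapd.conf does, is what keeps them at `auth` for everyone but the entry itself. Two things the real server does that this model leaves out: the rootdn bypasses ACLs entirely, and `access to *` also covers the `entry` pseudo-attribute.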
petrjanda Veteran
Joined: 05 Sep 2003 Posts: 1557 Location: Brno, Czech Republic
Posted: Wed Mar 09, 2005 6:43 am Post subject: |
Actually, I still can't change passwords... I don't know what I did.
When I run smbldap-populate using the Manager account, it still doesn't print out anything like
adding new entry: sambaDomainName=A216NETWORK.EDU,dc=a216network,dc=edu
petrjanda Veteran
Joined: 05 Sep 2003 Posts: 1557 Location: Brno, Czech Republic
Posted: Wed Mar 09, 2005 9:15 am Post subject: |
OK, something really weird is happening: when I add a user, who then tries to log in and change his password, it complains about him not having permissions to do so, but when I actually restart the whole server he can change his password. I think it's time to have a look at the logs:
smb.conf
Code: |
# Global parameters
[global]
workgroup = A216NETWORK.EDU
netbios name = PDC-SRV
server string = PDC-SRV
interfaces = eth2, lo
# bind interfaces only = Yes
passdb backend = ldapsam:ldap://localhost
# passwd program = /bin/passwd %u
# passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *\n*
username map = /etc/samba/smbusers
# unix password sync = Yes
ldap passwd sync = yes
pam password change = yes
log level = 99
log file = /var/log/samba/log.%m
max log size = 50
name resolve order = wins bcast hosts
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
logon script = logon.bat
logon drive = Q:
domain logons = Yes
os level = 50
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Manager,dc=a216network,dc=edu
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=People
ldap suffix = dc=a216network,dc=edu
ldap user suffix = ou=People
idmap backend = ldap:ldap://localhost
idmap uid = 10000-20000
idmap gid = 10000-20000
printer admin = root
map acl inherit = Yes
fstype = RS3.6
[homes]
comment = Home Directories
valid users = %U
read only = No
create mask = 0664
directory mask = 0775
browseable = No
[profiles]
path = /home/samba/profiles
valid users = %U, "@Domain Admins"
force user = %U
read only = No
create mask = 0600
directory mask = 0700
guest ok = Yes
profile acls = Yes
browseable = No
csc policy = disable
[netlogon]
path = /home/samba/netlogon/
browseable = No
|
slapd.conf
Code: |
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
access to dn.base=""
by self write
by * auth
access to attr=userPassword,sambaNTPassword,sambaLMPassword
by self write
by * auth
access to attr=shadowLastChange
by self write
by * read
access to *
by * read
by anonymous auth
#loglevel 256
schemacheck on
idletimeout 30
backend bdb
database bdb
checkpoint 1024 5
cachesize 10000
suffix "dc=a216network,dc=edu"
rootdn "cn=Manager,dc=a216network,dc=edu"
# rootpw = not24get
rootpw {SSHA}hdzrlk+a4NW4VXe5VZXCnyyed6J4Wqb8
directory /var/lib/openldap-data
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
|
/etc/ldap.conf
Code: |
# @(#)$Id: ldap.conf,v 2.37 2004/09/09 06:31:07 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host 127.0.0.1
# The distinguished name of the search base.
base dc=a216network,dc=edu
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=Manager,dc=a216network,dc=edu
# The credentials to bind with.
# Optional: default is no credential.
bindpw asterix132
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=nssldap,ou=DSA,dc=a216network,dc=edu
# The port.
# Optional: default is 389.
#port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
timelimit 50
# Bind/connect timelimit
bind_timelimit 50
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
bind_policy hard
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
idle_timelimit 3600
# Filter to AND with uid=%s
#pam_filter objectclass=posixaccount
# The user ID attribute (defaults to uid)
#pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
# Group member attribute
pam_member_attribute memberuid
# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# If you are using XAD, you can set pam_password
# to racf, ad, or exop. Make sure that you have
# SSL enabled.
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password md5
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds
# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
pam_password exop
# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,dc=a216network,dc=edu?one
nss_base_shadow ou=People,dc=a216network,dc=edu?one
nss_base_group ou=Groups,dc=a216network,dc=edu?one
|
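Taken together, the three files above share one pattern: /etc/ldap.conf binds as the directory rootdn (cn=Manager) with a cleartext bindpw, smb.conf also uses the rootdn as its ldap admin dn, and logging runs at debug level 99. nss_ldap reads /etc/ldap.conf from every process that resolves a user name, so that file cannot be made private, which is why its own comments point to rootbinddn plus a mode-600 /etc/ldap.secret for privileged binds and why the IDEALX guide gives samba and nss a dedicated DN each under ou=DSA. The following lint is an added example, not code from the thread or from either project: it parses constructed excerpts of the three files (secrets replaced by placeholders) and reports those cross-file findings; the finding codes and the loopback check are this example's own.

```python
import re

# Constructed excerpts of the three files posted above; secrets are placeholders.
SMB_CONF = """\
[global]
    workgroup = A216NETWORK.EDU
    passdb backend = ldapsam:ldap://localhost
    log level = 99
    ldap admin dn = cn=Manager,dc=a216network,dc=edu
    ldap suffix = dc=a216network,dc=edu
    idmap backend = ldap:ldap://localhost
[profiles]
    path = /home/samba/profiles
"""
SLAPD_CONF = """\
suffix "dc=a216network,dc=edu"
rootdn "cn=Manager,dc=a216network,dc=edu"
rootpw {SSHA}PLACEHOLDER-HASH
"""
LDAP_CONF = """\
host 127.0.0.1
base dc=a216network,dc=edu
binddn cn=Manager,dc=a216network,dc=edu
bindpw PLACEHOLDER-PASSWORD
#rootbinddn cn=nssldap,ou=DSA,dc=a216network,dc=edu
pam_password exop
"""
LOOPBACK = ("localhost", "127.0.0.1", "::1")


def parse_keyword_file(text):
    """slapd.conf / ldap.conf style: `keyword value`, '#' comments, quotes
    stripped; the first occurrence of a keyword wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), value)
    return conf


def parse_smb_conf(text):
    """smb.conf style: [section] headers and `key = value`; keys are
    case-insensitive and whitespace inside them is not significant."""
    conf, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def same_dn(a, b):
    """Loose DN comparison: case- and whitespace-insensitive, empty never matches."""
    return bool(a) and "".join(a.lower().split()) == "".join(b.lower().split())


def ldap_host(url):
    m = re.search(r"ldap://([^/:\s]+)", url)
    return m.group(1) if m else None


def lint(smb_text, slapd_text, ldap_text):
    """Return finding codes for the three configurations, in a fixed order."""
    smb_global = parse_smb_conf(smb_text).get("global", {})
    rootdn = parse_keyword_file(slapd_text).get("rootdn", "")
    ldap = parse_keyword_file(ldap_text)
    findings = []
    # /etc/ldap.conf is read by every process resolving users, so a bindpw in it
    # is readable by all local users; if the binddn is the rootdn that password is
    # an unrestricted directory credential.
    if same_dn(ldap.get("binddn", ""), rootdn):
        findings.append("NSS_BINDS_AS_ROOTDN")
    if "bindpw" in ldap:
        findings.append("NSS_BINDPW_IN_LDAP_CONF")
    # The rootdn bypasses every slapd ACL; a dedicated DN with scoped write
    # access (the guide's cn=samba,ou=DSA) is the narrower choice for samba.
    if same_dn(smb_global.get("ldap admin dn", ""), rootdn):
        findings.append("SAMBA_ADMIN_DN_IS_ROOTDN")
    # Simple binds send the password in clear: fine on loopback, not across a LAN.
    for key in ("passdb backend", "idmap backend"):
        host = ldap_host(smb_global.get(key, ""))
        if host and host not in LOOPBACK:
            findings.append("CLEARTEXT_LDAP_OVER_NETWORK:" + key)
    # Debug-level logging records directory traffic; drop it after troubleshooting.
    level = smb_global.get("log level", "0").split()[0]
    if level.isdigit() and int(level) >= 10:
        findings.append("SAMBA_DEBUG_LOGGING")
    return findings


if __name__ == "__main__":
    for code in lint(SMB_CONF, SLAPD_CONF, LDAP_CONF):
        print(code)
```

On the posted files this reports the rootdn bind in ldap.conf, the bindpw stored there, the rootdn used as Samba's admin DN, and the debug log level; the loopback check stays quiet because both backends point at localhost. Switching ldap.conf to a read-only DN such as the guide's cn=nssldap,ou=DSA (with any privileged DN only in rootbinddn/ldap.secret) clears the first two findings.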
gambi n00b
Joined: 30 Nov 2004 Posts: 71 Location: Leipzig
Posted: Sun Mar 13, 2005 1:12 pm Post subject: |
Hi, does it work now?
Because I'll have to do the same next week. If not, I'll give it a try and report later on the goals I reached.
_________________ Modern physics is like the smile of a cat that does not exist at all. - Einstein
"Art comes from ability (Kunst from Können); if it came from wanting (Wollen), it would be called Wulst" Max Liebermann (1847-1835)