xarses n00b
Joined: 24 Oct 2005 Posts: 40 Location: California, USA
Posted: Tue Dec 13, 2005 3:58 am Post subject: How-To LDAP Samba PDC Support
I've been writing a HowTo on successfully setting up a Samba Primary Domain Controller that uses an LDAP backend over on gentoo-wiki.com; it can be found here: http://gentoo-wiki.com/HOWTO_LDAP_SAMBA_PDC
It is my intention that this HowTo will help guide Gentoo admins in setting up their own Primary Domain Controller (PDC) using Samba and OpenLDAP. Setting up, configuring and understanding the array of options and their implications can be quite a daunting task.
This thread is intended to be used for support, corrections, gripes and complaints regarding my HowTo. Currently sections 1-4 are complete and I'm still working on the rest.

!equilibrium Bodhisattva
Joined: 06 Jun 2004 Posts: 2109 Location: MI/BG/LC
Posted: Wed Dec 14, 2005 5:30 pm Post subject:
I have read the howto very quickly, and I have found that you suggest using '-J3'.
It's wrong: on an old single CPU without HT it can create broken binaries, mainly on AMD CPUs.
So it is better to remove it, or put the right suggestions.
However, thanks a lot for the HOWTO.
_________________ Arch Tester for Gentoo/FreeBSD
Equilibrium's Universe
all my contents are released under the Creative Commons Licence by-nc-nd 2.5

daeghrefn Tux's lil' helper
Joined: 02 Jan 2005 Posts: 112
Posted: Wed Dec 14, 2005 10:39 pm Post subject:
One suggestion I thought of: for the USE flags, it might be better to have people put them in /etc/portage/package.use rather than in /etc/make.conf; that way they don't mess up their system if they prefer not to have their other packages changed.

georgemj n00b
Joined: 11 Jan 2005 Posts: 6
Posted: Fri Dec 16, 2005 3:26 pm Post subject: How-To LDAP Samba PDC Support
I've been working on a similar document at our company (I guess I won't have to send it up to the gentoo site, now...) and I ran into a snag recently that I thought you might want to be aware of. Perhaps you can give me some guidance, too, as I don't know all that much about Samba PDCs.
Rather than making just the changes to nsswitch.conf that you suggest, we were putting nsswitch.ldap from nss_ldap into place and then cutting services: and protocols: down to just "files".
This worked fine until a system update about 3-4 weeks ago. At that time the system could no longer boot right because udev was not able to load the devices correctly and /dev/sdaX were not available (among other problems I'm sure we would have run into).
It turned out that the problem was the hosts entry:
hosts: files dns ldap
If we drop the " ldap" all is fine. If we have it in there udev is broken. (The PDC is the LDAP server, so presumably udev is referencing it, though with no networking or LDAP running I don't know how it possibly could.)
In your docs, you only suggest changing passwd:, group: and shadow:. Is that all that's necessary? (Remember, I don't know much about PDCs...) If so, I can just change our internal docs to direct those changes and not replace nsswitch.conf with nsswitch.ldap.

xarses n00b
Joined: 24 Oct 2005 Posts: 40 Location: California, USA
Posted: Sat Dec 17, 2005 3:09 am Post subject: Re: How-To LDAP Samba PDC Support
georgemj
Quote: hosts: files dns ldap
Hmm, that might be why my udev gagged a while back, as I've had that line in there.
Essentially nsswitch is used for telling the OS where to look when trying to find various pieces of information. In this case you are telling your system that hosts (host names) can be translated first by files (usually /etc/hosts), then by dns (first dns cache, then query), and if those two don't return a result ldap is then queried. So if you don't want to use ldap to help resolve name translations (usually dns services are more effective) then you can reasonably leave the line set to
In my docs only passwd, group, and shadow are changed to include ldap because they are the only information parts critical to user authentication. Again, these settings are used for local system authentication; don't get me wrong though, passwd, group, and shadow resolves must work or samba won't be able to save files on the server's system. As far as I'm aware all of the other settings are not critical to the purpose of an ldap samba PDC.
Sorry, I do ramble. In short the answer is YES, it should not affect PDC functionality (you're probably not storing hosts information anyway, or have /etc/ldap.conf configured to be able to find hosts information).
If you have some docs that got you to a working point, I would like to examine them and perhaps discuss them with you so that the HowTo may be improved upon.

Po0ky Tux's lil' helper
Joined: 21 Apr 2005 Posts: 142 Location: Belgium

georgemj n00b
Joined: 11 Jan 2005 Posts: 6
Posted: Wed Dec 21, 2005 1:11 pm Post subject: Re: How-To LDAP Samba PDC Support
That would be fine with me (discuss our common findings). I am still putting the final touches on our system and we have to thoroughly test it (it goes into a customer's site, and we *really* don't want it dorked) before I'm confident that it's finalized.
I updated the OS on it (gentoo, and I stepped it through the gcc-3.4 update) and my phpldapadmin is being problematic on it, but prior to the rebuild I did some remedial testing with ssh and Win98 logging in and it seemed to work.
I have my docs in a mediawiki installation. Would you like a PDF of what I have so far, or the mediawiki input for it?

xarses n00b
Joined: 24 Oct 2005 Posts: 40 Location: California, USA
Posted: Fri Dec 23, 2005 5:18 am Post subject:
georgemj: either would work fine with me; pdf is more portable. I'll send you a PM with my email addy.
po0ky: awesome, when I get a chance and stop working two jobs (end of the week) I'll check it out and get through it.

Dr.Dran l33t
Joined: 08 Oct 2004 Posts: 766 Location: Imola - Italy
Posted: Wed Dec 28, 2005 10:11 pm Post subject:
@xarses & @Po0ky: very very nice Howto. Now I am studying the integration of Linux in an Active Directory Domain; I hope to obtain the *.schema file that merges the classical inetorgperson.schema with the Active Directory schema, the Novell Directory service and so on...
For a case study I suggest you watch that howto... it is interesting:
http://enterprise.linux.com/enterprise/04/12/09/2318244.shtml?tid=102&tid=101&tid=100
If anyone has experience with it please tell me something.
Best regards
_________________ :: [Dr.Dran] Details ::
- Linux User # 286282
- IT FreeLance Consultant
- President of ImoLUG [Imola & Faenza Linux User Group]

xarses n00b
Joined: 24 Oct 2005 Posts: 40 Location: California, USA
Posted: Thu Dec 29, 2005 2:26 am Post subject:
Ya, that's my larger goal, get all three to work.

Po0ky Tux's lil' helper
Joined: 21 Apr 2005 Posts: 142 Location: Belgium

Dr.Dran l33t
Joined: 08 Oct 2004 Posts: 766 Location: Imola - Italy
Posted: Thu Dec 29, 2005 9:28 pm Post subject:
So cool, we are on the right version... but I hope that in future I will grab the LDAP schema of Active Directory for the real integration.
Thanks and cool
_________________ :: [Dr.Dran] Details ::
- Linux User # 286282
- IT FreeLance Consultant
- President of ImoLUG [Imola & Faenza Linux User Group]

Po0ky Tux's lil' helper
Joined: 21 Apr 2005 Posts: 142 Location: Belgium
Posted: Wed Jan 04, 2006 4:18 pm Post subject:
Bump!
Is there still some action going on here?
_________________ -- I'll eat it--

lkarayan n00b
Joined: 28 Mar 2005 Posts: 14
Posted: Wed Jan 04, 2006 9:14 pm Post subject: Thanks for the Howto
It's well organized; however, I don't know how many people I share this preference with, but a single HTML page would be nicer IMO.

bruor Apprentice
Joined: 08 Jul 2003 Posts: 239
Posted: Mon Jan 23, 2006 4:53 pm Post subject:
I recently followed this howto and have come across an issue.
I got to the end of setup and it seems like everything is working except being able to join the domain.
I get an error that the dns SRV record was not returned when searching etc.
What I have read so far seems to point to the fact that the domain I am using resembles a dns-resolvable name in smb.conf, such as
Code:
workgroup = test.example.org
It says that changing it to something like
will keep windows from thinking the PDC is actually AD, and will keep it from looking for SRV records in dns, making it resort to WINS.
Can anyone confirm that this will keep it from searching DNS for SRV records?

locovaca n00b
Joined: 22 Jul 2002 Posts: 29 Location: Raleigh, NC
Posted: Fri Jan 27, 2006 12:16 pm Post subject: One small issue...
I'm not able to get PAM/NSS set up... my files:
Code:
caprice pam.d # cat system-auth
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_ldap.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
Code:
caprice etc # cat nsswitch.conf
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/nsswitch.conf,v 1.1 2005/05/17 00:52:41 vapier Exp $
passwd: files ldap
shadow: files ldap
group: files ldap
# passwd: db files nis
# shadow: db files nis
# group: db files nis
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
Code:
caprice openldap # cat ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=burke,dc=local
HOST 127.0.0.1
nss_base_passwd ou=Computers,dc=burke,dc=local
nss_base_passwd ou=Users,dc=burke,dc=local
nss_base_shadow ou=Users,dc=burke,dc=local
nss_base_group ou-Groups,dc=burke,dc=local
pam_password exop
debug 256
logdir /var/log/nss_ldap
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
This results in...
Code:
caprice etc # getent passwd | grep 0:0
root:x:0:0:root:/root:/bin/bash
Code:
caprice openldap # ldapsearch -b "ou=Users,dc=burke,dc=local"
...
# root, Users, burke.local
dn: uid=root,ou=Users,dc=burke,dc=local
cn: root
sn: root
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: root
uidNumber: 0
homeDirectory: /home/root
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\Caprice\root
sambaHomeDrive: H:
sambaProfilePath: \\Caprice\profiles\root
sambaPrimaryGroupSID: S-1-5-21-1253800008-2809828810-751333459-512
sambaSID: S-1-5-21-1253800008-2809828810-751333459-500
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: hash
sambaAcctFlags: [U]
sambaNTPassword: hash
sambaPwdLastSet: 1138331557
sambaPwdMustChange: 1142219557
userPassword:: hash
...
# search result
search: 2
result: 0 Success
# numResponses: 7
# numEntries: 6
Any thoughts? There's nothing in /var/log/nss_ldap, either...

locovaca n00b
Joined: 22 Jul 2002 Posts: 29 Location: Raleigh, NC
Posted: Fri Jan 27, 2006 12:31 pm Post subject:
NM, figured it out: /etc/ldap.conf isn't the same as /etc/openldap/ldap.conf

thedd n00b
Joined: 01 Jul 2003 Posts: 20 Location: sweden

butchie3980 n00b
Joined: 01 Aug 2006 Posts: 1
Posted: Tue Aug 01, 2006 11:20 pm Post subject: smbk5pwd and MIT Kerberos?
Is there a way to compile smbk5pwd for use with MIT Kerberos? No success so far, but I'm hopeful.
Thanks

flipy Apprentice
Joined: 15 Jul 2004 Posts: 236
Posted: Thu Aug 24, 2006 8:14 am Post subject:
I've followed this how-to and it works great!
However, could someone explain how to add support for an MTA and IMAP?
Thanks

DiezelMax n00b
Joined: 25 Aug 2006 Posts: 5
Posted: Fri Aug 25, 2006 2:13 pm Post subject:
ldap.conf
Code:
nss_base_passwd ou=People,dc=example,dc=net?sub
nss_base_shadow ou=People,dc=example,dc=net?sub
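The file that nss_ldap and pam_ldap read is /etc/ldap.conf (the mix-up locovaca ran into above; /etc/openldap/ldap.conf is only read by the OpenLDAP client tools), and the `?sub` suffix in the two lines just posted is part of its own per-map syntax. The checker below is an added example written for this thread, not code from the HowTo, from any poster or from the nss_ldap project. It assumes the documented nss_ldap form `nss_base_<map> base[?scope[?filter]]` with scope one of base, one or sub, that several lines for one map are allowed (Users plus Computers for passwd), and that a map with no line falls back to BASE. The configuration text inside it is constructed; it carries over the `ou-Groups,dc=burke,dc=local` line from locovaca's post, which the check reports because `ou-Groups` is not an `attr=value` RDN and so can never match an entry.

```python
"""Checks for the nss_ldap map settings in /etc/ldap.conf.

Added example for this thread, not code from the HowTo or from nss_ldap.
Assumed syntax (from ldap.conf(5) of nss_ldap):
  nss_base_<map> base[?scope[?filter]]   scope: base | one | sub
Several lines per map are allowed; a map with no line uses BASE.
"""
import re
from typing import Dict, List, Optional, Tuple

SCOPES = {"base", "one", "sub"}
NSS_MAPS = ("passwd", "shadow", "group")

# Constructed sample; the group line repeats the typo posted in the thread.
SAMPLE_LDAP_CONF = """\
# constructed sample
BASE dc=burke,dc=local
HOST 127.0.0.1
nss_base_passwd ou=Computers,dc=burke,dc=local
nss_base_passwd ou=Users,dc=burke,dc=local
nss_base_shadow ou=Users,dc=burke,dc=local
nss_base_group  ou-Groups,dc=burke,dc=local
pam_password exop
"""


def parse_ldap_conf(text: str) -> List[Tuple[str, str]]:
    """(key, value) pairs in file order; keys lower-cased, duplicates kept."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2:
            pairs.append((parts[0].lower(), parts[1].strip()))
    return pairs


def parse_base_spec(value: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split 'base?scope?filter' into its fields; absent fields are None."""
    fields = [f.strip() for f in value.split("?", 2)]
    fields += [""] * (3 - len(fields))
    base, scope, filt = fields
    return base, scope or None, filt or None


def split_dn(dn: str) -> List[str]:
    """Split a DN on commas that are not backslash-escaped (RFC 4514)."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def check_base_spec(value: str) -> List[str]:
    """Problems with one nss_base_* value; empty list when well-formed."""
    problems: List[str] = []
    base, scope, _ = parse_base_spec(value)
    if not base:
        problems.append("empty search base")
    for rdn in split_dn(base) if base else []:
        attr, eq, val = rdn.partition("=")
        if not (eq and attr.strip() and val.strip()):
            problems.append(f"RDN {rdn!r} is not attr=value")
    if scope is not None and scope.lower() not in SCOPES:
        problems.append(f"scope {scope!r} is not base/one/sub")
    return problems


def map_bases(text: str, maps=NSS_MAPS) -> Dict[str, List[str]]:
    """Effective search bases per map: nss_base_<map> values, else BASE."""
    pairs = parse_ldap_conf(text)
    base = next((v for k, v in pairs if k == "base"), None)
    out: Dict[str, List[str]] = {m: [] for m in maps}
    for key, value in pairs:
        if key.startswith("nss_base_") and key[len("nss_base_"):] in out:
            out[key[len("nss_base_"):]].append(value)
    for m in maps:
        if not out[m] and base:
            out[m] = [base]
    return out


def validate(text: str) -> List[str]:
    """Human-readable issues; an empty list means nothing obviously wrong."""
    pairs = parse_ldap_conf(text)
    keys = {k for k, _ in pairs}
    issues: List[str] = []
    if "base" not in keys:
        issues.append("BASE is not set")
    if not ({"host", "uri"} & keys):
        issues.append("neither HOST nor URI is set")
    for key, value in pairs:
        if key.startswith("nss_base_"):
            issues.extend(f"{key}: {p}" for p in check_base_spec(value))
    return issues


if __name__ == "__main__":
    for issue in validate(SAMPLE_LDAP_CONF):
        print(issue)
    print(map_bases(SAMPLE_LDAP_CONF))
```

Run against the sample it prints the single malformed-RDN finding for the group map; against the two `?sub` lines posted above (plus a BASE and URI) it reports nothing and shows the group map falling back to BASE, which is the case to look at when `getent group` is empty while `getent passwd` works.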

h0mer`- Apprentice
Joined: 02 Aug 2004 Posts: 215
Posted: Sun Sep 03, 2006 9:12 am Post subject:
I followed this tutorial but I get an error when running "smbldap-populate"
Code:
Populating LDAP directory for domain test (S-1-5-21-4205727931-4131263253-1851132061)
(using builtin directory structure)
adding new entry: dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 2.
adding new entry: ou=Users,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 3.
adding new entry: ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 4.
adding new entry: ou=Computers,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 5.
adding new entry: ou=Idmap,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 6.
adding new entry: uid=root,ou=Users,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 7.
adding new entry: uid=nobody,ou=Users,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 8.
adding new entry: cn=Domain Admins,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 9.
adding new entry: cn=Domain Users,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 10.
adding new entry: cn=Domain Guests,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 11.
adding new entry: cn=Domain Computers,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 12.
adding new entry: cn=Administrators,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 16.
adding new entry: cn=Account Operators,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 18.
adding new entry: cn=Print Operators,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 19.
adding new entry: cn=Backup Operators,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 20.
adding new entry: cn=Replicators,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 21.
adding new entry: sambaDomainName=test,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 21.
Please provide a password for the domain root:
No such object at /usr/sbin//smbldap_tools.pm line 341.
This is my "smbldap_bind.conf"
(I removed my plaintext pw)
Code:
#slaveDN="cn=Manager,dc=test,dc=lan"
#slavePw="secret"
#masterDN="cn=Manager,dc=test,dc=lan"
#masterPw="secret"
rootdn="cn=Manager,dc=test,dc=lan"
rootpw=""
... and the "smbldap.conf"
Code:
# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose :
# . be the configuration file for all smbldap-tools scripts
##############################################################################
#
# General Configuration
#
##############################################################################
# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-4205727931-4131263253-1851132061"
# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="test"
##############################################################################
#
# LDAP Configuration
#
##############################################################################
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="127.0.0.1"
# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"
# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"
# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="none"
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=test,dc=lan"
# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"
# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"
# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=test,${suffix}"
# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"
# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
# Default mode used for user homeDirectory
userHomeDirectoryMode="700"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome=""
# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile=""
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="S:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="test.lan"
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
# comment out the following line to get rid of the default banner
no_banner="1"

whitetux n00b
Joined: 17 Mar 2004 Posts: 20
Posted: Tue Sep 12, 2006 6:47 pm Post subject:
I get the same as above... I tried for a few days to get it to work. Eventually I have given up trying to use smbldap-tools.

GoVirtual n00b
Joined: 26 Sep 2006 Posts: 1
Posted: Tue Sep 26, 2006 8:07 pm Post subject: Feedback while following the how to.
I am just running through the HOW TO without a lot of Gentoo knowledge.
As I was following the instructions step by step I ran into a "warning" when doing the emerge after doing the keyword command.
A module was masked and it did not even start the emerge.
It took a quick question to a Gentoo guru to get the situation explained and to be shown how I could get that module added and then get the emerge going.
An enhancement of the HOW TO could be a helper on how to take care of such an instance as I just ran into.
Thanks.

RAPHEAD Tux's lil' helper
Joined: 20 Jun 2003 Posts: 134 Location: Germany
Posted: Sun Oct 29, 2006 11:08 pm Post subject: Problem with starting slapd in default runlevel
Hi,
I've basically a similar setup to the one described in this nice howto, but I have encountered two problems, of which one is not quite resolved:
1.) If you use the nsswitch.conf settings as described in the howto, you will encounter the problem described here: https://bugs.gentoo.org/show_bug.cgi?id=99564
This can be resolved by using a ~x86 udev version -- currently I'm using 087.
2.) A chicken-and-egg problem when starting slapd in the default runlevel.
If slapd starts on system boot, it hangs for quite a while and will even never start if you have not defined timeouts in /etc/ldap.conf.
In /var/log/messages the corresponding logs read:
Code:
Oct 30 02:01:06 slapd[5585]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Oct 30 02:01:06 slapd[5585]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Oct 30 02:01:06 slapd[5585]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 30 02:01:10 slapd[5585]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
...
I guess linux tries to find out something about the user "ldap" but it can't because the ldap backend is just starting.
However, the user ldap IS defined in /etc/shadow and my /etc/nsswitch.conf is:
Code:
passwd: files ldap
shadow: files ldap
group: files ldap
...
I think it should not be necessary to ask the ldap backend about the user ldap as it can be found in the "files" backend, but obviously this is not the way linux interprets this file.
The same problem is discussed here:
http://lists.freebsd.org/pipermail/freebsd-stable/2006-July/026916.html
Any ideas how this can be fixed? I think switching nsswitch.conf while booting is not a nice solution.
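Two posts in this thread turn on the same mechanism: xarses' description earlier of how the hosts line is walked source by source, and the slapd log above, where a user that exists in /etc/passwd still leads to bind attempts against the directory that is not yet listening. The model below is an added example written for this thread, not code from the HowTo or from any poster. It parses nsswitch.conf text and reproduces two documented glibc rules: a single-key lookup (getpwnam, gethostbyname) tries the sources in order and stops at the first one that answers, with the default action table SUCCESS=return / NOTFOUND=continue / UNAVAIL=continue / TRYAGAIN=continue and `[STATUS=action]` brackets overriding it; initgroups()/getgrouplist(), by contrast, consults every source on the group line even after one has answered, because a user's supplementary groups may be spread across sources. The three sources (files, dns, an unreachable ldap) and the nsswitch.conf text are constructed stand-ins.

```python
"""Model of how glibc walks the sources listed in /etc/nsswitch.conf.

Added example for this thread, not code from the HowTo or any poster.
Modelled rules (glibc nsswitch semantics):
  * lookup():     first SUCCESS wins; other statuses follow the action
                  table (default: continue), overridable per source
                  with "[STATUS=action]";
  * initgroups(): every "group" source is consulted, a SUCCESS does not
                  end the walk, results are merged.
Sources are constructed in-memory stand-ins; "ldap" answers UNAVAIL as a
directory that is not listening yet would.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN = "success", "notfound", "unavail", "tryagain"
DEFAULT_ACTIONS = {SUCCESS: "return", NOTFOUND: "continue",
                   UNAVAIL: "continue", TRYAGAIN: "continue"}
Entry = Tuple[str, Dict[str, str]]                  # (source, action overrides)
Source = Callable[[str, str], Tuple[str, object]]   # (database, key) -> (status, value)

# Constructed nsswitch.conf text, with the hosts line discussed in the thread.
NSSWITCH_TEXT = """\
passwd: files ldap
shadow: files ldap
group:  files ldap
hosts:  files dns ldap
"""


def parse_nsswitch(text: str) -> Dict[str, List[Entry]]:
    """Return {database: [(source, overrides), ...]} in file order."""
    conf: Dict[str, List[Entry]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        entries: List[Entry] = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
            if not tok.startswith("["):
                entries.append((tok, {}))
            elif entries:                       # bracket applies to the source before it
                for pair in tok[1:-1].split():
                    status, _, action = pair.partition("=")
                    if not status.startswith("!"):   # negated "[!STATUS=...]" not modelled
                        entries[-1][1][status.lower()] = action.lower()
        conf[name.strip()] = entries
    return conf


class Switch:
    """A tiny NSS: dispatches lookups to sources following nsswitch rules."""

    def __init__(self, conf: Dict[str, List[Entry]], sources: Dict[str, Source]):
        self.conf, self.sources = conf, sources
        self.trace: List[Tuple[str, str]] = []   # (database, source) actually consulted

    @staticmethod
    def _action(overrides: Dict[str, str], status: str) -> str:
        return overrides.get(status, DEFAULT_ACTIONS[status])

    def lookup(self, database: str, key: str) -> Optional[object]:
        """getpwnam/gethostbyname style: the first SUCCESS wins."""
        for source, overrides in self.conf.get(database, []):
            self.trace.append((database, source))
            status, value = self.sources[source](database, key)
            if status == SUCCESS:
                return value
            if self._action(overrides, status) == "return":
                return None
        return None

    def initgroups(self, user: str) -> List[str]:
        """getgrouplist style: merge every group source; SUCCESS does not stop."""
        groups: set = set()
        for source, overrides in self.conf.get("group", []):
            self.trace.append(("initgroups", source))
            status, value = self.sources[source]("initgroups", user)
            if status == SUCCESS:
                groups.update(value)
            elif self._action(overrides, status) == "return":
                break
        return sorted(groups)


# Constructed "files" content: a local daemon account and its group.
FILES = {"passwd": {"root": "root:x:0:0:root:/root:/bin/bash",
                    "ldap": "ldap:x:439:439:ldap:/dev/null:/bin/false"},
         "hosts": {"localhost": "127.0.0.1"},
         "group": {"root": ["root"], "ldap": ["ldap"]}}


def files_source(database: str, key: str) -> Tuple[str, object]:
    if database == "initgroups":
        hits = [g for g, members in FILES["group"].items() if key in members]
        return (SUCCESS, hits) if hits else (NOTFOUND, None)
    table = FILES.get("passwd" if database == "shadow" else database, {})
    return (SUCCESS, table[key]) if key in table else (NOTFOUND, None)


def dns_source(database: str, key: str) -> Tuple[str, object]:
    return (NOTFOUND, None)      # the resolver knows nothing in this model


def ldap_down_source(database: str, key: str) -> Tuple[str, object]:
    return (UNAVAIL, None)       # slapd not listening yet: every query fails


def demo() -> Dict[str, object]:
    sw = Switch(parse_nsswitch(NSSWITCH_TEXT),
                {"files": files_source, "dns": dns_source, "ldap": ldap_down_source})
    passwd = sw.lookup("passwd", "ldap")    # answered by files; ldap never asked
    host = sw.lookup("hosts", "printer")    # files and dns miss, so ldap is asked
    groups = sw.initgroups("ldap")          # files answers, ldap is asked anyway
    return {"passwd": passwd, "host": host, "groups": groups,
            "ldap_asked_for": [db for db, src in sw.trace if src == "ldap"]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run as-is it shows that getpwnam("ldap") is satisfied by files and never reaches ldap, while a host name missing from /etc/hosts and DNS, and an initgroups() for that same local user, both do reach it. That is the general shape of both reports in the thread: "files ldap" on the group line is enough for a process that sets its supplementary groups at startup to wait on the directory, and "files dns ldap" on the hosts line is enough for an early-boot name lookup to do the same.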