LinuxQuestions.org
Old 05-10-2007, 11:08 PM   #1
Cottsay (Member; registered Feb 2004; Chaska, MN; Fedora)
OpenLDAP and Samba IDMAP


Hello - I have samba configured as follows...

##START /etc/samba/smb.conf##
[global]
workgroup = cottsaynet
# realm = cottsaynet
server string = cottsaynetsmb
netbios name = cottsaynetsmb
wins support = yes
os level = 33
preferred master = yes
domain master = yes
local master = yes
domain logons = yes
guest account = nobody
guest ok = yes
time server = yes
hide dot files = yes
security = user
encrypt passwords = yes
log level = 2
log file = /var/log/samba/main.log
max log size = 2048
debug timestamp = yes
syslog = 1
logon script = %u.bat
# logon path = \\cottsaynetnasa\profiles\%u
logon path =
logon drive = U:
logon home = \\cottsaynetnasa\%u
add machine script = /usr/sbin/useradd -d /dev/null -g 502 -s /bin/false -M %m$
add user script = /usr/sbin/useradd -M -g 501 %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
smb passwd file = /etc/samba/smbpasswd
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
winbind nested groups = no
winbind use default domain = yes
passdb backend = smbpasswd
# ldap admin dn = cn=Manager,dc=cottsay,dc=net
# ldap idmap suffix = ou=idmap
# ldap suffix = dc=cottsay,dc=net
# idmap backend = ldap:ldap://cottsaynetsmb.cottsay.net
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
idmap backend = idmap_rid:COTTSAYNET=16777216-33554431
##END /etc/samba/smb.conf##

...on my Fedora Core 6 server (all packages up to date) and this is the LDAP...

##START /etc/openldap/slapd.conf##
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/server.pem
TLSCertificateFile /etc/openldap/cacerts/server.pem
TLSCertificateKeyFile /etc/openldap/cacerts/server.pem

access to *
by self write
by users read
by anonymous auth

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=cottsay,dc=net"
rootdn "cn=Manager,dc=cottsay,dc=net"
rootpw {SSHA}xxxxx
directory /var/lib/ldap
index objectClass eq
index uidNumber eq
index gidNumber eq
index cn eq
index sambaSID eq
##END /etc/openldap/slapd.conf##

Whenever I try an LDAP command such as:

ldapadd -x -D "cn=Manager,dc=cottsay,dc=net" -W

it just sits there on a new line without a prompt...what am I doing wrong?

Thanks,

Scott K Logan
CottsayNet
logans@cottsay.net
 
Old 05-12-2007, 07:40 PM   #2
Cottsay (Original Poster)
Never mind...gave up on LDAP...just using the RID stuff now.
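Since the thread ends on idmap_rid, here is how that backend derives Unix ids from the range in the smb.conf above (idmap backend = idmap_rid:COTTSAYNET=16777216-33554431). This is an added example, not code from either post or from Samba itself; the formula ID = RID - BASE_RID + LOW_RANGE_ID is the one the idmap_rid(8) man page documents, with BASE_RID defaulting to 0. The domain SID and the passwd lines are constructed for the example. Because the mapping is pure arithmetic and needs no directory, the operational check that matters is that no local account is created inside the range, which local_id_overlap() does.

```python
# Added example (not from the thread): Samba idmap_rid arithmetic for the
# range posted above, plus the overlap check a sysadmin should run before
# turning it on. Domain SID and passwd lines are constructed sample data.

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed, not a real domain
LOW_ID, HIGH_ID = 16777216, 33554431                     # range from the posted smb.conf
BASE_RID = 0                                              # idmap_rid default


def split_sid(sid):
    """Return (domain_sid, rid) for a textual SID, or raise on malformed input."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("malformed SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def sid_to_id(sid, domain_sid=DOMAIN_SID, low=LOW_ID, high=HIGH_ID, base_rid=BASE_RID):
    """Deterministic RID -> Unix id (ID = RID - BASE_RID + LOW_RANGE_ID).

    Returns None for SIDs from another domain or RIDs that fall outside the
    configured range; winbind then has no id for that security principal.
    """
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        return None                      # idmap_rid only serves its own domain
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None                      # RID does not fit the range
    return unix_id


def id_to_sid(unix_id, domain_sid=DOMAIN_SID, low=LOW_ID, high=HIGH_ID, base_rid=BASE_RID):
    """Reverse mapping; None for ids outside the range (local accounts)."""
    if unix_id < low or unix_id > high:
        return None
    return "%s-%d" % (domain_sid, unix_id - low + base_rid)


def local_id_overlap(passwd_lines, low=LOW_ID, high=HIGH_ID):
    """Names of local passwd entries whose uid lies inside the idmap range.

    Any hit means a domain RID and a local account would share a uid, so the
    list must be empty before the range goes live.
    """
    hits = []
    for line in passwd_lines:
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit() and low <= int(fields[2]) <= high:
            hits.append(fields[0])
    return hits
```

With this range a normal user RID such as 1000 becomes uid 16778216 and the well-known Domain Users group (RID 513) becomes gid 16777729; the range is 16777216 ids wide, so any RID of 16777216 or above is unmappable.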
 
Old 08-01-2008, 11:37 AM   #3
chozz (LQ Newbie; registered Jul 2008)
Cannot make Samba + ldap talk

Hi, I'm having similar problems. It seems like this setup is not done by many people, which is why the replies on the forum are so few; actually I got none on my former post. Not complaining though, because these configuration files are just so many.

If you ever got a solution, kindly tell me about it, because now I'm very stuck on a project.

I cannot add computers or read user information from LDAP through Samba.

The Samba logs say there is no connection, but I can telnet to my LDAP server on localhost:389.

smbd.log
[2008/07/31 15:06:09, 0] smbd/server.c:main(948)
smbd version 3.0.28-1.el5_2.1 started.
Copyright Andrew Tridgell and the Samba Team 1992-2007
[2008/07/31 15:13:24, 0] smbd/server.c:main(948)
smbd version 3.0.28-1.el5_2.1 started.
Copyright Andrew Tridgell and the Samba Team 1992-2007
[2008/07/31 15:47:27, 0] lib/util_sock.c:get_peer_addr(1224)
getpeername failed. Error was Transport endpoint is not connected
[2008/07/31 15:47:27, 0] lib/util_sock.c:get_peer_addr(1224)
getpeername failed. Error was Transport endpoint is not connected

I tried to redirect the LDAP logs to /var/log/ without success.

These are my config files; I don't seem to be able to see any error.

/etc/ldap.conf
--------------
host letter.example.org
base dc=letter,dc=example,dc=org
binddn cn=config
bindpw mysecret
rootbinddn uid=zimbra,cn=admins,cn=zimbra
port 389

timelimit 120
bind_timelimit 120
bind_policy soft
idle_timelimit 3600
nss_base_passwd ou=people,dc=letter,dc=example,dc=org?one
nss_base_shadow ou=people,dc=letter,dc=example,dc=org?one
nss_base_passwd ou=machines,dc=letter,dc=example,dc=org?one
nss_base_shadow ou=machines,dc=letter,dc=example,dc=org?one

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
uri ldap://letter.example.org/

ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

/etc/samba/smb.conf
-------------------
[global]
workgroup = EXAMPLE
netbios name = EXAMPLE_SERVER
server string = Samba Server Version %v
password server = ldap://letter.example.org
passdb backend = ldapsam:ldap://letter.example.org
guest account = games

log file = /var/log/samba/%m.log
max log size = 50

add user script = /usr/local/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/userdel "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/groupdel "%g"
delete user from group script = /usr/sbin/userdel "%u" "%g"

add machine script = /usr/local/sbin/smbldap-useradd -w -g Workstations "%u"
logon script = %u.bat
logon path = \\EXAMPLE_SERVER\profiles\%U

domain logons = Yes
os level = 33
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=config
ldap group suffix = ou=groups
ldap machine suffix = ou=machines
ldap suffix = dc=letter,dc=example,dc=org

ldap user suffix = ou=people
guest ok = Yes
cups options = raw
[homes]
comment = Home Directories
valid users = example\%S

read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
guest ok = No

printable = Yes
browseable = No
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
share modes = No

[Profiles]

path = /var/lib/samba/profiles
read only = No
profile acls = Yes

/conf/slapd.conf
----------------
include "/opt/zimbra/openldap/etc/openldap/schema/core.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/cosine.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/inetorgperson.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/amavisd.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/zimbra.schema"
include "/opt/zimbra/lib/conf/zimbra-ext.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/nis.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/samba.schema"
threads 8
pidfile "/opt/zimbra/openldap/var/run/slapd.pid"
argsfile "/opt/zimbra/openldap/var/run/slapd.args"
TLSCertificateFile /opt/zimbra/conf/slapd.crt
TLSCertificateKeyFile /opt/zimbra/conf/slapd.key
TLSVerifyClient never
modulepath /opt/zimbra/openldap/libexec/openldap
moduleload back_bdb.la
moduleload back_monitor.la
moduleload syncprov.la
moduleload accesslog.la
access to dn.subtree="ou=people,dc=letter,dc=example,dc=org"
by dn.children="cn=admins,cn=zimbra" write
by * break
access to dn.subtree="ou=groups,dc=letter,dc=example,dc=org"
by dn.children="cn=admins,cn=zimbra" write
by * read
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword
by anonymous auth
by dn.children="cn=admins,cn=zimbra" write
access to dn.subtree="cn=zimbra"
by dn.children="cn=admins,cn=zimbra" write
access to attrs=zimbraZimletUserProperties,zimbraGalLdapBindPassword,zimbraGalLdapBindDn,zimbraAuthTokenKey,zimbraPreAuthKey,zimbraPasswordHistory,zimbraIsAdminAccount,zimbraAuthLdapSearchBindPassword
by dn.children="cn=admins,cn=zimbra" write
by * none
access to attrs=objectclass
by dn.children="cn=admins,cn=zimbra" write
by dn.exact="uid=zmpostfix,cn=appaccts,cn=zimbra" read
by dn.exact="uid=zmamavis,cn=appaccts,cn=zimbra" read
by * read
access to attrs=amavisAccount
by dn.children="cn=admins,cn=zimbra" write
by dn.exact="uid=zmamavis,cn=appaccts,cn=zimbra" read
by * break
access to attrs=mail
by dn.children="cn=admins,cn=zimbra" write
by dn.exact="uid=zmamavis,cn=appaccts,cn=zimbra" read
by * break
access to attrs=zimbraAllowFromAddress
by dn.children="cn=admins,cn=zimbra" write
by dn.exact="uid=zmpostfix,cn=appaccts,cn=zimbra" read
access to filter=(!(zimbraHideInGal=TRUE)) attrs=cn,co,company,dc,displayName,givenName,gn,initials,l,mail,o,ou,physicalDeliveryOfficeName,postalCode,sn,st,street,streetAddress,telephoneNumber,title,uid
by dn.children="cn=admins,cn=zimbra" write
by dn.exact="uid=zmpostfix,cn=appaccts,cn=zimbra" read
by * read
access to attrs=zimbraId,zimbraMailAddress,zimbraMailAlias,zimbraMailCanonicalAddress,zimbraMailCatchAllAddress,zimbraMailCatchAllCanonicalAddress,zimbraMailCatchAllForwardingAddress,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailHost,zimbraMailStatus,zimbraMailTransport,zimbraDomainName,zimbraDomainType,zimbraPrefMailLocalDeliveryDisabled
by dn.children="cn=admins,cn=zimbra" write
by dn.exact="uid=zmpostfix,cn=appaccts,cn=zimbra" read
by * read
access to attrs=entry
by dn.children="cn=admins,cn=zimbra" write
by * read
database config
rootpw {SSHA}SpVR7qIkga7IB+6fKiYrYPzNE0Vj4bxl

database monitor
rootdn "cn=config"
access to dn.children="cn=monitor"
by dn.children="cn=admins,cn=zimbra" read
database bdb
suffix ""
rootdn "cn=config"
cachesize 10000
idlcachesize 10000
checkpoint 64 5
directory "/opt/zimbra/openldap-data"
index objectClass eq
index zimbraForeignPrincipal eq
index zimbraYahooId eq
index zimbraId eq
index zimbraVirtualHostname eq
index zimbraVirtualIPAddress eq
index zimbraAuthKerberos5Realm eq
index zimbraMailCatchAllAddress eq,sub
index zimbraMailDeliveryAddress eq,sub
index zimbraMailForwardingAddress eq
index zimbraMailAlias eq,sub
index zimbraMailTransport eq
index zimbraDomainName eq,sub
index zimbraShareInfo sub
index uid pres,eq
index mail pres,eq,sub
index cn pres,eq,sub
index displayName pres,eq,sub
index sn pres,eq,sub
index gn pres,eq,sub
index zimbraCalResSite eq,sub
index zimbraCalResBuilding eq,sub
index zimbraCalResFloor eq,sub
index zimbraCalResRoom eq,sub
index zimbraCalResCapacity eq
index entryUUID eq
index entryCSN eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
sizelimit unlimited
timelimit unlimited

/etc/smbldap-tools/smbldap_bind.conf
------------------------------------
slaveDN="cn=config"
slavePw="mysecret"
masterDN="cn=config"
masterPw="mysecret"

I know this is repetition, but I put it in anyway for smbldap-tools.
/etc/smbldap-tools/smbldap_bind.conf
------------------------------------
SID="S-1-5-21-2983891234-811595315-1297521234"
sambaDomain="EXAMPLE"

slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
suffix="dc=letter,dc=example,dc=org"

usersdn="ou=people,${suffix}"
computersdn="ou=machines,${suffix}"
groupsdn="ou=groups,${suffix}"
sambaUnixIdPooldn="sambaDomainName=example,${suffix}"

scope="one"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome=""
userProfile=""
userScript="logon.bat"
mailDomain="example.org"
with_smbpasswd="0"
with_slappasswd="0"

/etc/nsswitch.conf
------------------
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus

/etc/pam.d/system-auth
----------------------
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

/etc/ldap.secret
----------------
mysecret

I copied the schema files to the LDAP schema folder and also did the following:
smbpasswd -a root
and then typed:
smbpasswd -w mysecret

Someone kindly assist. I'm running OpenLDAP, Samba 3.0.28 and smbldap-tools 0.9.2 on CentOS 5 Linux.

Yours,
Martin.
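Both posts hit the same wall: post #1's ldapadd sits on a new line with no response, and post #3's Samba reports no connection although telnet reaches port 389. A TCP connect only proves the port is open; what ldapsam, idmap and ldapadd need is for slapd to answer a BindRequest for the configured admin DN. The probe below is an added example, not code from either poster or from Samba/OpenLDAP: it speaks LDAPv3 simple bind with the standard library only (no python-ldap), so it can be run on the server itself, and it classifies the outcome as "no reply at all", "server closed the connection", or an LDAP result code such as invalidCredentials (49) or confidentialityRequired (13, which a slapd that requires TLS returns). The two sample responses at the bottom are constructed for the offline checks, not captures from either server. The host, DN and password on the command line are placeholders. Like Samba's own ldap admin dn bind without ldap ssl, a simple bind here sends the password in the clear, so point it only at localhost or through a tunnel.

```python
# Added example (not from the thread): a minimal LDAPv3 simple-bind probe
# that separates "TCP port open" from "slapd answers a bind" from "the bind
# DN/password are accepted". Standard library only; BER hand-encoded.
import socket

# LDAP result codes from RFC 4511 that typically come back from a bad bind.
RESULT_CODES = {
    0: "success", 8: "strongerAuthRequired", 13: "confidentialityRequired",
    32: "noSuchObject", 34: "invalidDNSyntax", 48: "inappropriateAuthentication",
    49: "invalidCredentials", 53: "unwillingToPerform",
}


def ber_len(n):
    """BER length: one byte below 128, else 0x80|count followed by count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value, tag=0x02):
    """Minimal two's-complement INTEGER (0x02) or ENUMERATED (0x0a)."""
    n = max(1, (value.bit_length() + 8) // 8)
    return tlv(tag, value.to_bytes(n, "big", signed=True))


def bind_request(message_id, bind_dn, password, version=3):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version, name, simple [0] } }."""
    auth = tlv(0x80, password.encode())            # [0] simple, context-specific primitive
    op = tlv(0x60, ber_int(version) + tlv(0x04, bind_dn.encode()) + auth)
    return tlv(0x30, ber_int(message_id) + op)


def read_tlv(buf, pos=0):
    """Decode one tag/length/value starting at pos; returns (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf):
    """Return message_id, result_code, result name, matchedDN and diagnosticMessage."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, mid, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:                                # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(op)                    # ENUMERATED resultCode
    _, matched, pos = read_tlv(op, pos)            # matchedDN
    _, diag, _ = read_tlv(op, pos)                 # diagnosticMessage
    rc = int.from_bytes(code, "big", signed=True)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": rc, "result": RESULT_CODES.get(rc, "code %d" % rc),
            "matched_dn": matched.decode("utf-8", "replace"),
            "diagnostic": diag.decode("utf-8", "replace")}


def probe_bind(host, port, bind_dn, password, timeout=5.0):
    """Connect, send one simple bind, classify the outcome. Needs a live server."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(bind_request(1, bind_dn, password))
            data = sock.recv(4096)                 # a BindResponse fits in one read
    except (ConnectionRefusedError, socket.timeout, OSError) as exc:
        return {"result": "no LDAP reply: %s" % exc}
    if not data:
        return {"result": "server closed the connection without answering"}
    return parse_bind_response(data)


# Constructed sample BindResponses (not captured from either poster's slapd):
SAMPLE_OK = bytes.fromhex("300c02010161070a010004000400")      # resultCode 0
SAMPLE_BAD_PW = bytes.fromhex("300c02010161070a013104000400")  # resultCode 49

if __name__ == "__main__":
    import sys
    # placeholders: python3 probe.py localhost "cn=Manager,dc=cottsay,dc=net" secret
    host, dn, pw = sys.argv[1], sys.argv[2], sys.argv[3]
    print(probe_bind(host, 389, dn, pw))
```

A timeout with no bytes back means the TCP handshake succeeded but slapd never answered, the same condition telnet cannot distinguish from a working server; a result of 49 confirms the DN/password pair Samba was given with smbpasswd -w is simply wrong, and 13 or 8 means slapd refuses plaintext binds and Samba must be told to use TLS.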
 
  

