[lugm.org] Openldap and Samba issue
Avinash Meetoo
avinash at noulakaz.net
Thu Jul 8 05:14:15 UTC 2010
Dear all,
A friend of mine, Bernard Auguste (bauguste at aclmauritius.com), is
having some problems setting up openldap and samba. Can anyone offer
some insight on what is happening? (Feel free to contact Bernard
directly if you have a solution.)
---------- Forwarded message ----------
From: Bernard Auguste <bauguste at aclmauritius.com>
I have a server called labo where I have set up openldap but I have an
issue. Grateful if you could help.
Please see details
Ldap server has been set up and service is up and running (file:slapd.conf)
User has been successfully added through an ldif file with ldapadd
User was successfully created. User entry is found with ldapsearch and slapcat
User successfully changed password with ldappasswd
User can successfully log in with credentials in his particular
account where ldap server is running (with ldap as password backend)
Samba is working correctly. Shares can be seen on server and accessed
from client PC with user credentials.
Workstation was created with samba utility -> smbpasswd -a -m workstation$
Client PC successfully joined domain where samba running as a PDC.
Issue
User cannot authenticate with his credentials on client PC when using
ldap as the password backend.
Windows logon message says "The system could not log you on. Make
sure the username and domain are correct..."
However, if smbpasswd is used as password backend in samba server and
the user authentication source is changed to smbpasswd, the user is able to
successfully authenticate from the client PC with credentials.
How to make user(client) authenticate successfully with ldap server
with ldap as the password backend?
Thanks in advance
Regards
Bernard
--
avinash at noulakaz.net - http://www.noulakaz.net/ - (230) 493-9394
Those who fail to understand C++ are doomed to reimplement it. Better. [Jez]
-------------- next part --------------
dn: uid=ba,ou=group,dc=labomauritius,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: ba
uidNumber: 10010
gidNumber: 100
cn: Bernard Auguste
givenName: bernard
sn: Auguste
homeDirectory: /home/bernard
loginShell: /bin/bash
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowMin: 0
shadowLastChange: 12609
-------------- next part --------------
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2009-09-05
[global]
netbios name = labo1
workgroup = laboadmin
interfaces = 176.16.1.1/255.255.0.0
hosts allow = 176.16.1.2
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
#
obey pam restrictions = Yes
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon home = \\%L\%U
logon drive = H:
usershare allow guests = Yes
wins support = Yes
passdb backend = ldapsam:ldap://176.16.1.1
username map = /etc/samba/smbusers
#Path to IDEALX scripts
####################################
# add user script = /usr/local/sbin/smbldap-useradd -m %u
# delete user script = /usr/local/sbin/smbldap-userdel %u
# add group script = /usr/local/sbin/smbldap-groupadd -p %g
# delete group script = /usr/local/sbin/smbldap-groupdel %g
# add user to group script = /usr/local/sbin/smbldap-groupmod -m %g %u
# delete user from group script = /usr/local/sbin/smbldap-groupmod -x %g %u
# set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u
# add machine script = /usr/local/sbin/smbldap-useradd -w %u
####################################
usershare max shares = 100
domain logons = Yes
domain master = Yes
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
security = user
local master = Yes
os level = 44
preferred master = Yes
ldap admin dn = cn=Administrator,dc=labomauritius,dc=com
ldap group suffix = ou=group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = Yes
idmap uid = 10000-20000
idmap gid = 10000-20000
ldap ssl = No
ldap suffix = dc=labomauritius,dc=com
ldap user suffix = ou=group
# Defining logging facility
########################################
log level = 2
log file = /var/log/samba/%m.log
# Virus scanning Definition
#######################################
vfs object = vscan-clamav
vfs objects = vscan-clamav
ldap delete dn = No
ldap replication sleep = 1000
ldap timeout = 5
idmap backend = ldap:ldap://176.16.1.1
[homes]
comment = Home Directories
valid users = %S
# valid users = %S, %D%w%S
browseable = No
read only = No
# inherit acls = Yes
[profiles]
comment = Roaming Profiles
path = /var/lib/samba/profiles
read only = No
browsable = No
force user = %U
valid users = %U "Domain Admins"
profile acls = Yes
store dos attributes = Yes
create mask = 0600
directory mask = 0700
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
[printers]
comment = All Printers
# path = /var/tmp
path = /var/spool/samba
printer admin = @"Print Operators"
read only = Yes
guest ok = Yes
printable = Yes
# create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
guest ok = No
browseable = Yes
read only = Yes
valid users = @"Print Operators"
write list = @"Print Operators"
# force group = ntadmin
create mask = 0664
directory mask = 0775
[sharedir]
comment = data
path = /sharedir/data
read only = no
guest ok = Yes
create mask = 0777
directory mask = 0777
browseable = Yes
#Defining arbitrary share resource
[share]
comment = data share
path = /opt/stuff
valid users = %U
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root
guest ok = Yes
browseable = No
[jino]
comment = Jino's home folder
inherit acls = Yes
path = /home/jino/
read only = No
-------------- next part --------------
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/dnszone.schema
include /etc/openldap/schema/samba3.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules
# moduleload back_ldap.la
# moduleload back_meta.la
# moduleload back_monitor.la
# moduleload back_perl.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access to user password
# Allow anonymous users to authenticate
# Allow read access to everything else
# Directives needed to implement policy:
## Yast2 samba hack ACL
## allow the "ldap admin dn" access, but deny everyone else
access to attrs=SambaLMPassword,SambaNTPassword
by dn="cn=Administrator,dc=labomauritius,dc=com" write
by * none
## Yast2 samba hack ACL done
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword,userPKCS12
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
access to *
by * read
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
loglevel 8
database bdb
suffix "dc=labomauritius,dc=com"
rootdn "cn=Administrator,dc=labomauritius,dc=com"
rootpw "123456"
directory /var/lib/ldap/
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
database bdb
suffix "dc=labo2,dc=com"
rootdn "cn=manager,dc=labo2,dc=com"
rootpw "12345678"
directory /var/lib/ldap/dc=labo2_dc=com
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
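As an added example (not part of the thread, and not Bernard's or Avinash's own code), here is a small Python checker that applies the checks a practitioner would run against the attached LDIF, smb.conf and slapd.conf before digging into the Samba logs. Samba's ldapsam backend only treats a directory entry as a Samba user if it carries objectClass sambaSamAccount with a sambaSID, and it verifies logons against sambaNTPassword; ldappasswd writes userPassword only, so a user created with ldapadd and ldappasswd has no Samba hash until smbpasswd or pdbedit sets one. The checker also flags a cleartext rootpw in slapd.conf. The sample inputs are constructed from the attachments above; the attribute and option names are Samba's and OpenLDAP's real ones, while the function names are this example's own.

```python
"""Sanity checks for a Samba ldapsam setup: LDIF entry vs smb.conf vs slapd.conf."""
import re

# Constructed sample inputs, modelled on the attachments in the thread.
SAMPLE_LDIF = """dn: uid=ba,ou=group,dc=labomauritius,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: ba
uidNumber: 10010
gidNumber: 100
cn: Bernard Auguste
"""

SAMPLE_SMB_CONF = """[global]
passdb backend = ldapsam:ldap://176.16.1.1
ldap suffix = dc=labomauritius,dc=com
ldap user suffix = ou=group
ldap group suffix = ou=group
ldap admin dn = cn=Administrator,dc=labomauritius,dc=com
[homes]
valid users = %S
"""

SAMPLE_SLAPD_CONF = """database bdb
suffix "dc=labomauritius,dc=com"
rootdn "cn=Administrator,dc=labomauritius,dc=com"
rootpw "123456"
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}; folded lines are joined, comments skipped."""
    lines = []
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        if raw[0] == " " and lines:  # LDIF continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def parse_samba_global(text):
    """Return the [global] section of smb.conf as {key: value}, keys lowercased with whitespace collapsed."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            out[" ".join(key.split()).lower()] = value.strip()
    return out


def check_ldapsam_user(ldif_text, smb_conf_text):
    """Return a list of findings explaining why ldapsam may reject this user at domain logon."""
    entry = parse_ldif_entry(ldif_text)
    g = parse_samba_global(smb_conf_text)
    findings = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "sambasamaccount" not in classes:
        findings.append("missing objectClass sambaSamAccount: ldapsam will not see this entry as a Samba user")
    if "sambasid" not in entry:
        findings.append("missing sambaSID: ldapsam identifies users by SID, not by uid")
    if "sambantpassword" not in entry:
        findings.append("missing sambaNTPassword: ldappasswd sets userPassword only; use smbpasswd or pdbedit")
    # The user search base is "ldap user suffix" relative to "ldap suffix" (or the suffix itself if unset).
    suffix = g.get("ldap suffix", "").lower()
    user_suffix = g.get("ldap user suffix", "").lower()
    base = f"{user_suffix},{suffix}" if user_suffix else suffix
    dn = entry.get("dn", [""])[0].lower()
    if not dn.endswith(base):
        findings.append(f"dn {dn!r} is outside the configured user search base {base!r}")
    if user_suffix and user_suffix == g.get("ldap group suffix", "").lower():
        findings.append("ldap user suffix equals ldap group suffix: users and groups share one OU, which is unusual")
    return findings


def check_slapd_rootpw(slapd_text):
    """Flag rootpw values stored in cleartext instead of as a slappasswd hash such as {SSHA}..."""
    findings = []
    for raw in slapd_text.splitlines():
        m = re.match(r'\s*rootpw\s+"?([^"\s]+)"?', raw)
        if m and not m.group(1).startswith("{"):
            findings.append("rootpw is stored in cleartext; generate a hash with slappasswd instead")
    return findings


if __name__ == "__main__":
    for f in check_ldapsam_user(SAMPLE_LDIF, SAMPLE_SMB_CONF) + check_slapd_rootpw(SAMPLE_SLAPD_CONF):
        print("-", f)
```

Run against the attachments, the checker reports that the user entry has neither sambaSamAccount nor a Samba password hash, which matches the symptom in the thread: a plain posixAccount is enough for a Unix login through pam_ldap, but ldapsam has nothing to compare the Windows logon against. The smbldap-tools scripts that are commented out in the attached smb.conf are one way to create entries with the required attributes.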