Samba LDAP Questions

Message

pgb · Post by **pgb** » Wed Feb 09, 2005 2:14 pm

Hello,
I have a server with LDAP Authentication working.
I just emerged samba, and configured like this:

[global]
        workgroup = DOMAIN
        server string = Domain Development Server
        map to guest = Bad User
        obey pam restrictions = yes
        passdb backend = ldapsam:ldap://auth.domain.com
        #username map = /etc/samba/smbusers
        log file = /var/log/samba/log.%m
        max log size = 50
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        os level = 65
        preferred master = yes
        domain master = yes
        dns proxy = no
        wins support = yes
        add user script = /usr/share/samba/scripts/smbldap-useradd '%u'
        ldap admin dn = cn=Manager,dc=domain,dc=com
        ldap delete dn = Yes
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=People
        ldap passwd sync = yes
        ldap suffix = dc=domain,dc=com
        ldap user suffix = ou=People

[homes]
        comment = Home Directories
        path = /home/%u
        read only = no
        browseable = no

Samba starts ok, and I can see it from the Windows workstations (I don't intend to run a PDC, just a samba server), but can't login using the Unix accounts.
The errors in the logs read:

Code: Select all

[2005/02/09 08:06:31, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1982)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error:  (No such object)

anytime I try to login to the computer. Any pointer or hint?
Thanks in advance.

Adamal · Post by **Adamal** » Tue Feb 22, 2005 5:35 pm

Looks like you didn't build your ldap database. Look into smbldap-tools.

pgb · Post by **pgb** » Tue Feb 22, 2005 5:39 pm

Thanks, I had already solved my issue, but forgot to post about.
smbldap-tools made it.

Adamal · Post by **Adamal** » Tue Feb 22, 2005 5:58 pm

pgb wrote:Thanks, I had already solved my issue, but forgot to post about.
smbldap-tools made it.

I'm still working with the smbldap-tools. Did you have to make any modifications to the scripts to get them to work?

pgb · Post by **pgb** » Tue Feb 22, 2005 6:19 pm

I changed /etc/smbldap-tools/smbldap.conf and /etc/smbldap-tools/smbldap_bind.conf according to my DNS server.
What I had to do is set the Samba server as a WINS server. To do that, I changed smb.conf as needed, and added the needed DHCP options to my dnsmasq.conf (I'm using dnsmasq as the dhcp server, installed on the same server as the Samba PDC).
Hope this helps!

Adamal · Post by **Adamal** » Tue Feb 22, 2005 7:03 pm

pgb wrote:I changed /etc/smbldap-tools/smbldap.conf and /etc/smbldap-tools/smbldap_bind.conf according to my DNS server.
What I had to do is set the Samba server as a WINS server. To do that, I changed smb.conf as needed, and added the needed DHCP options to my dnsmasq.conf (I'm using dnsmasq as the dhcp server, installed on the same server as the Samba PDC).
Hope this helps!

That helps a little.

One more question if you don't mind. Are you usign LDAP to authenticate Linux users as well or only for Samba? I think that is where I am having my issues.

pgb · Post by **pgb** » Tue Feb 22, 2005 7:17 pm

I'm using it for linux users too.

Adamal · Post by **Adamal** » Tue Feb 22, 2005 7:20 pm

pgb wrote:I'm using it for linux users too.

I know I said last question but I have some more. Just trying to get this thing working...

did you follow this ldap doc (http://www.gentoo.org/doc/en/ldap-howto.xml)?
did you run smbldap-populate.pl?

if you ran smbldap-populate did you run it before or after the base.ldif, group.ldif, passwd.ldif, host.ldif from (http://www.gentoo.org/doc/en/ldap-howto.xml)?

I'm just trying to narrow down my problems. BTW thanks for the help.

pgb · Post by **pgb** » Tue Feb 22, 2005 7:29 pm

I followed the ldap-howto first, and only after installed samba and run smldap-populate.
Also, if you have linux users created and want to add the Samba attributes you have to run:
smbldap-usermod -a for that user.
You need to do that for root, as root will be your domain Administrator, and you'll need that account in order to join the domain.
Also, beware that the ldap-howto recommends setting:

Code: Select all

pam_password exop

in /etc/ldap.conf
I was suggested to change that to:

Code: Select all

pam_password crypt

and it worked better (I had problems changing the users passwords).
Let me know if I can help yoo any more.

Adamal · Post by **Adamal** » Tue Feb 22, 2005 7:33 pm

pgb wrote:I followed the ldap-howto first, and only after installed samba and run smldap-populate.
Also, if you have linux users created and want to add the Samba attributes you have to run:
smbldap-usermod -a for that user.
You need to do that for root, as root will be your domain Administrator, and you'll need that account in order to join the domain.
Also, beware that the ldap-howto recommends setting:
Code: Select all
pam_password exop
in /etc/ldap.conf
I was suggested to change that to:
Code: Select all
pam_password crypt
and it worked better (I had problems changing the users passwords).
Let me know if I can help yoo any more.

Thanks that helps alot. How did you make root the domain Admin?

pgb · Post by **pgb** » Tue Feb 22, 2005 8:01 pm

By default, Administrator is mapped as root (see the file /etc/samba/smbusers).
I added it the ldap attributes by running smbldap-usermod, and then smbpasswd to change root's password.
Also, be aware that passwd will change only the linux password, while smbpasswd (if samba is configured properly) will change both the windows and linux passwords.

Adamal · Post by **Adamal** » Tue Feb 22, 2005 9:01 pm

That helped a lot thanks again.

I'm still having a few more issues but I think I know of to fix those. Someone really needs to do a writeup on how to configure Samba and LDAP.

Arkanjo · Post by **Arkanjo** » Tue Feb 22, 2005 11:20 pm

Someone already did

http://www.idealx.org/prj/samba/smbldap-howto.en.html

Adamal · Post by **Adamal** » Tue Feb 22, 2005 11:49 pm

Arkanjo wrote:Someone already did
http://www.idealx.org/prj/samba/smbldap-howto.en.html

I meant something more gentoo specific, its great from a generic standpoint.

nabbed · Post by **nabbed** » Sat May 14, 2005 6:09 am

If you have the whole LDAP Samba PDC deal working what are the chances of you posting a couple of your conf files?
In particular
/etc/openldap/slapd.conf
/etc/openldap/ldap.conf
/etc/conf.d/slapd
/etc/pam.d/system-auth
/etc/nsswitch.conf
/etc/ldap.conf
/etc/samba/smb.conf
/usr/share/migrationtools/migrate_common.ph

thanks

Adamal · Post by **Adamal** » Sat May 14, 2005 7:18 am

slapd.conf

Code: Select all

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/extension.schema

# Use md5 to hash the passwords
password-hash {md5}

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Define SSL and TLS properties (optional)
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem


# Load dynamic backend modules:
# modulepath    /usr/lib/openldap/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy is:
#       Allow read by all
#
# rootdn can always write!

#access to attrs=userPassword,sambaLMPassword,sambaNTPassword
#      by self write
#      by anonymous auth
#      by * none
#      access to *
#      by * read

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
#checkpoint     32      30 # <kbyte> <min>
suffix          "dc=my-domain,dc=com"
rootdn          "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {MD5}qMKu9pNBWW6S8eJNsh5KsA==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/openldap-ldbm
# Indices to maintain
#index  objectClass     eq
index      objectClass,uidNumber,gidNumber                  eq
index      cn,sn,uid,displayName                            pres,sub,eq
index      memberUid,mail,givenname                         eq,subinitial
index      sambaSID,sambaPrimaryGroupSID,sambaDomainName    eq

ldap.conf

Code: Select all

# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE            dc=my-domain, dc=com
URI             ldaps://servername.my-domain.com:636/
TLS_REQCERT     allow
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

slapd

Code: Select all

# conf.d file for the openldap-2.1 series
#
# To enable both the standard unciphered server and the ssl encrypted
# one uncomment this line or set any other server starting options
# you may desire.
#
# OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
#OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"

system-auth

Code: Select all

#%PAM-1.0

auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok shadow
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_deny.so

account    required     /lib/security/pam_unix.so
account    sufficient   /lib/security/pam_ldap.so
#account    required     /lib/security/pam_deny.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok use_authtok shadow md5
#password   sufficient  /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   sufficient   /lib/security/pam_ldap.so use_authtok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
#session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0
session    optional     /lib/security/pam_ldap.so

# If you want to enable pam_console, uncomment the following line
# and read carefully README.pam_console in /usr/share/doc/pam*
#session    optional    /lib/security/pam_console.so

nsswitch.conf

Code: Select all

# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $

#passwd:      compat
#shadow:      compat
#group:       compat

passwd:      files ldap
group:       files ldap
shadow:      files ldap

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns wins
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files

smb.conf

Code: Select all

#======================= Global Settings =====================================
[global]

# 1. Server Naming Options:
# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = My-Domain

# netbios name is the name you will see in "Network Neighbourhood",
# but defaults to your hostname
   netbios name = servername

# server string is the equivalent of the NT Description field
   server string = Home Server %v

# Message command is run by samba when a "popup" message is sent to it.
# The example below is for use with LinPopUp:
; message command = /usr/bin/linpopup "%f" "%m" %s; rm %s

# 2. Printing Options:
# CHANGES TO ENABLE PRINTING ON ALL CUPS PRINTERS IN THE NETWORK
# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   printcap name = cups
   load printers = yes

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx, cups
   printing = cups

# Samba 3.x supports the Windows NT-style point-and-print feature. To
# use this, you need to be able to upload print drivers to the samba
# server. The printer admins (or root) may install drivers onto samba.
# Note that this feature uses the print$ share, so you will need to
# enable it below.
# printer admin = @<group> <user>
   printer admin = @adm
# This should work well for winbind:
;   printer admin = @"Domain Admins"

# 3. Logging Options:
# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 500

# Set the log (verbosity) level (0 <= log level <= 10)
 log level = 1
 syslog = 0
# 4. Security and Domain Membership Options:
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page. Do not enable this if (tcp/ip) name resolution does
# not work for all the hosts in your network.
;   hosts allow = 192.168.1. 192.168.2. 127.

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
  guest account = nobody
# Allow users to map to guest:
  map to guest = bad user

# Security mode. Most people will want user level security. See
# security_level.txt for details.
  security = user
# Use password server option only with security = server or security = domain
# When using security = domain, you should use password server = *
;   password server = <NT-Server-Name>
;   password server = *

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
;  password level = 8
;  username level = 8
  time server = Yes
# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
# Encrypted passwords are required for any use of samba in a Windows NT domain
# The smbpasswd file is only required by a server doing authentication, thus
# members of a domain do not need one.
;  encrypt passwords = yes
;  smb passwd file = /etc/samba/private/smbpasswd

# The following are needed to allow password changing from Windows to
# also update the Linux system password.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
#        the encrypted SMB passwords. They allow the Unix password
#        to be kept in sync with the SMB password.
;  unix password sync = Yes
# You either need to setup a passwd program and passwd chat, or
# enable pam password change
;  pam password change = yes
;  passwd program = /usr/bin/passwd %u
;  passwd program = /var/lib/samba/sbin/ldapsync.pl -o %u
;  passwd chat = *New*password* %n\n *Retype*new*password* %n\n *modifying*
;  passwd chat = *New*UNIX*password* %n\n *Re*ype*new*UNIX*password* %n\n \
;*passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names
  username map = /etc/samba/smbusers

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /etc/samba/smb.conf.%m

# Options for using winbind. Winbind allows you to do all account and
# authentication from a Windows or samba domain controller, creating
# accounts on the fly, and maintaining a mapping of Windows RIDs to unix uid's
# and gid's. winbind uid and winbind gid are the only required parameters.
#
# winbind uid is the range of uid's winbind can use when mapping RIDs to uid's
;  winbind uid = 10000-20000
#
# winbind gid is the range of uid's winbind can use when mapping RIDs to gid's
;  winbind gid = 10000-20000
#
# winbind separator is the character a user must use between their domain
# name and username, defaults to "\"
;  winbind separator = +
#
# winbind use default domain allows you to have winbind return usernames
# in the form user instead of DOMAIN+user for the domain listed in the
# workgroup parameter.
;  winbind use default domain = yes
#
# template homedir determines the home directory for winbind users, with
# %D expanding to their domain name and %U expanding to their username:
;  template homedir = /home/%D/%U

# When using winbind, you may want to have samba create home directories
# on the fly for authenticated users. Ensure that /etc/pam.d/samba is
# using 'service=system-auth-winbind' in pam_stack modules, and then
# enable obedience of pam restrictions below:
  obey pam restrictions = yes

#
# template shell determines the shell users authenticated by winbind get
;  template shell = /bin/bash

# 5. Browser Control and Networking Options:
# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
;   interfaces = 192.168.12.2/24 192.168.13.2/24
   interfaces = eth0, lo
   bind interfaces only = Yes
# Configure remote browse list synchronisation here
#  request announcement to, or browse list sync from:
#       a specific host or from / to a whole subnet (see below)
;   remote browse sync = 192.168.3.25 192.168.5.255
# Cause this host to announce itself to local subnets here
   remote announce = 192.168.1.255

# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
   local master = yes

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
;   os level = 33
    os level = 65

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
   domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
   preferred master = yes

# 6. Domain Control Options:
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations or Primary Domain Controller for WinNT and Win2k
   domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
# run a specific logon batch file per username
   logon script = %U.bat
;    logon script = logon.bat

# Where to store roaming profiles for WinNT and Win2k
#        %L substitutes for this servers netbios name, %U is username
#        You must uncomment the [Profiles] share below
 ;  logon path = \\%L\Profiles\%U

# Where to store roaming profiles for Win9x. Be careful with this as it also
# impacts where Win2k finds it's /HOME share
; logon home = \\%L\%U\.profile


# The add user script is used by a domain member to add local user accounts
# that have been authenticated by the domain controller, or when adding
# users via the Windows NT Tools (ie User Manager for Domains).

# Scripts for file (passwd, smbpasswd) backend:
; add user script = /usr/sbin/useradd -s /bin/false '%u'
; delete user script = /usr/sbin/userdel '%s'
; add user to group script = /usr/bin/gpasswd -a '%u' '%g'
; delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
; set primary group script = /usr/sbin/usermod -g '%g' '%u'
; add group script = /usr/sbin/groupadd %g && getent group '%g'|awk -F: '{print $3}'
; delete group script = /usr/sbin/groupdel '%g'

# Scripts for LDAP backend (assumes nss_ldap is in use on the domain controller.
# Needs IDEALX scripts, and configuration in smbldap_conf.pm.
# This assumes you've installed the IDEALX scripts into /usr/share/samba/scripts...
 add user script = /var/lib/samba/sbin/smbldap-useradd.pl '%u'
 delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
 add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
 delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
 set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u'
 add group script = /var/lib/samba/sbin/smbldap-groupadd.pl '%g' && /var/lib/samba/sbin/smbldap-groupshow.pl %g|
awk '/^gidNumber:/ {print $2}'
 delete group script = /var/lib/samba/sbin/smbldap-userdel.pl '%g'


# The add machine script is use by a samba server configured as a domain
# controller to add local machine accounts when adding machines to the domain.
# The script must work from the command line when replacing the macros,
# or the operation will fail. Check that groups exist if forcing a group.
# Script for domain controller for adding machines:
; add machine script = /usr/sbin/useradd -d /dev/null -g machines -c 'Machine Account' -s /bin/false -M %u
; add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
# Script for domain controller with LDAP backend for adding machines (You need
# the IDEALX scripts, and to configure the smbldap_conf.pm first):
  add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w -d /dev/null -s /bin/false %u

  hide files = /desktop.ini/
# Domain groups:
# Domain groups are now configured by using the 'net groupmap' tool

# Samba Password Database configuration:
# Samba now has runtime-configurable password database backends. Multiple
# passdb backends may be used, but users will only be added to the first one
# Default:
; passdb backend = smbpasswd guest
# TDB backen with fallback to smbpasswd and guest
; passdb backend = tdbsam smbpasswd guest
# LDAP with fallback to smbpasswd guest
# Enable SSL by using an ldaps url, or enable tls with 'ldap ssl' below.
; passdb backend = ldapsam:ldaps://servername.my-domain.com smbpasswd guest
  passdb backend = ldapsam:ldap://servername.my-domain.com
# Use the samba2 LDAP schema:
; passdb backend = ldapsam_compat:ldaps://ldap.mydomain.com smbpasswd guest

# idmap uid account range:
# This is a range of unix user-id's that samba will map non-unix RIDs to,
# such as when using Winbind
# idmap backend = ldap:ldap://servername.my-domain.com
 idmap uid = 10000-20000
 idmap gid = 10000-20000
 map acl inherit = Yes

# LDAP configuration for Domain Controlling:
# The account (dn) that samba uses to access the LDAP server
# This account needs to have write access to the LDAP tree
# You will need to give samba the password for this dn, by
# running 'smbpasswd -w mypassword'
 ldap admin dn = cn=Manager,dc=my-domain,dc=com
# ldap ssl = start_tls
# start_tls should run on 389, but samba defaults incorrectly to 636
; ldap port = 389
 ldap suffix = dc=my-domain,dc=com
; ldap server = servername.my-domain.com
# Seperate suffixes are available for machines, users, groups, and idmap, if
# ldap suffix appears first, it is appended to the specific suffix.
# Example for a unix-ish directory layout:
 ldap machine suffix = ou=People
 ldap user suffix = ou=People
 ldap group suffix = ou=Group
 ldap idmap suffix = ou=People
 ldap passwd sync = yes
 ldap delete dn = Yes
# Example for AD-ish layout:
; ldap machine suffix = cn=Computers
; ldap user suffix = cn=Users
; ldap group suffix = cn=Groups
; ldap idmap suffix = cn=Idmap


# 7. Name Resolution Options:
# All NetBIOS names must be resolved to IP Addresses
# 'Name Resolve Order' allows the named resolution mechanism to be specified
# the default order is "host lmhosts wins bcast". "host" means use the unix
# system gethostbyname() function call that will use either /etc/hosts OR
# DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf
# and the /etc/resolv.conf file. "host" therefore is system configuration
# dependant. This parameter is most often of use to prevent DNS lookups
# in order to resolve NetBIOS names to IP Addresses. Use with care!
# The example below excludes use of name resolution for machines that are NOT
# on the local network segment
# - OR - are not deliberately to be known via lmhosts or via WINS.
 name resolve order = wins bcast hosts lmhosts

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
 wins support = Yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#       Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one  WINS Server on the network. The default is NO.
;   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = no

# 8. File Naming Options:
# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
;  preserve case = no
;  short preserve case = no
# Default case is normally upper case for all DOS files
;  default case = lower
# Be very careful with case sensitivity - it can break things!
;  case sensitive = no

# Enabling internationalization:
# you can match a Windows code page with a UNIX character set.
# Windows: 437 (US), 737 (GREEK), 850 (Latin1 - Western European),
# 852 (Czech), 861 (???), 932 (Japanese),
# 936 (Simplified Chin.), 949 (Korean Hangul),
# 950 (Trad. Chin.).
# More detail about code page is in
# "http://www.microsoft.com/globaldev/reference/oslocversion.mspx"
# UNIX: ISO8859-1 (Western European), ISO8859-2 (Eastern Eu.),
# ISO8859-5 (Russian Cyrillic), KOI8-R (Alt-Russ. Cyril.)
# This is an example for french users:
;   dos charset = 850
;   unix charset = ISO8859-1


#============================ Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
# You can enable VFS recycle bin on a per share basis:
# Uncomment the next 2 lines (make sure you create a
# .recycle folder in the base of the share and ensure
# all users will have write access to it. See
# examples/VFS/recycle/REAME in the samba docs for details
;   vfs object = /usr/lib/samba/vfs/recycle.so

# Un-comment the following and create the netlogon directory for Domain Logons
 [netlogon]
   comment = Network Logon Service
   path = /var/lib/samba/netlogon
   guest ok = yes
   writable = no
   locking = no

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
[Profiles]
    path = /var/lib/samba/profiles
    browseable = no
    guest ok = yes
    create mask = 0600
    directory mask = 0700
    profile acls = yes
    read only = no
    writable = yes
# This script can be enabled to create profile directories on the fly
# You may want to turn off guest acces if you enable this, as it
# hasn't been thoroughly tested.
;root preexec = PROFILE=/var/lib/samba/profiles/%u; if [ ! -e $PROFILE ]; \
;                then mkdir -pm700 $PROFILE; chown %u:%g $PROFILE;fi

# NOTE: If you have a CUPS print system there is no need to
# specifically define each individual printer.
# You must configure the samba printers with the appropriate Windows
# drivers on your Windows clients. On the Samba server no filtering is
# done. If you wish that the server provides the driver and the clients
# send PostScript ("Generic PostScript Printer" under Windows), you have
# to swap the 'print command' line below with the commented one.
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
# to allow user 'guest account' to print.
   guest ok = yes
   writable = no
   printable = yes
   create mode = 0700
# =====================================
# print command: see above for details.
# =====================================
   print command = lpr-cups -P %p -o raw %s -r   # using client side printer drivers.
;   print command = lpr-cups -P %p %s # using cups own drivers (use generic PostScript on clients).
# The following two commands are the samba defaults for printing=cups
# change them only if you need different options:
;   lpq command = lpq -P %p
;   lprm command = cancel %p-%j

# This share is used for Windows NT-style point-and-print support.
# To be able to install drivers, you need to be either root, or listed
# in the printer admin parameter above. Note that you also need write access
# to the directory and share definition to be able to upload the drivers.
# For more information on this, please see the Printing Support Section of
# /usr/share/doc/samba-<version>/Samba-HOWTO-Collection.pdf
[print$]
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   write list = @adm root
   guest ok = yes

Adamal · Post by **Adamal** » Sat May 14, 2005 7:20 am

migrate_common.ph

Code: Select all

#
# $Id: migrate_common.ph,v 1.22 2003/04/15 03:09:33 lukeh Exp $
#
# Copyright (c) 1997-2003 Luke Howard.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
#    must display the following acknowledgement:
#        This product includes software developed by Luke Howard.
# 4. The name of the other may not be used to endorse or promote products
#    derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE LUKE HOWARD ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL LUKE HOWARD BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#

#
# Common defines for MigrationTools
#

# Naming contexts. Key is $PROGRAM with migrate_ and .pl
# stripped off.
$NETINFOBRIDGE = (-x "/usr/sbin/mkslapdconf");

if ($NETINFOBRIDGE) {
        $NAMINGCONTEXT{'aliases'}           = "cn=aliases";
        $NAMINGCONTEXT{'fstab'}             = "cn=mounts";
        $NAMINGCONTEXT{'passwd'}            = "cn=users";
        $NAMINGCONTEXT{'netgroup_byuser'}   = "cn=netgroup.byuser";
        $NAMINGCONTEXT{'netgroup_byhost'}   = "cn=netgroup.byhost";
        $NAMINGCONTEXT{'group'}             = "cn=groups";
        $NAMINGCONTEXT{'netgroup'}          = "cn=netgroup";
        $NAMINGCONTEXT{'hosts'}             = "cn=machines";
        $NAMINGCONTEXT{'networks'}          = "cn=networks";
        $NAMINGCONTEXT{'protocols'}         = "cn=protocols";
        $NAMINGCONTEXT{'rpc'}               = "cn=rpcs";
        $NAMINGCONTEXT{'services'}          = "cn=services";
} else {
        $NAMINGCONTEXT{'aliases'}           = "ou=Aliases";
        $NAMINGCONTEXT{'fstab'}             = "ou=Mounts";
        $NAMINGCONTEXT{'passwd'}            = "ou=People";
        $NAMINGCONTEXT{'netgroup_byuser'}   = "nisMapName=netgroup.byuser";
        $NAMINGCONTEXT{'netgroup_byhost'}   = "nisMapName=netgroup.byhost";
        $NAMINGCONTEXT{'group'}             = "ou=Group";
        $NAMINGCONTEXT{'netgroup'}          = "ou=Netgroup";
        $NAMINGCONTEXT{'hosts'}             = "ou=Hosts";
        $NAMINGCONTEXT{'networks'}          = "ou=Networks";
        $NAMINGCONTEXT{'protocols'}         = "ou=Protocols";
        $NAMINGCONTEXT{'rpc'}               = "ou=Rpc";
        $NAMINGCONTEXT{'services'}          = "ou=Services";
}

# Default DNS domain
#$DEFAULT_MAIL_DOMAIN = "padl.com";

# Default base
$DEFAULT_BASE = "dc=my-domain,dc=com";

# Turn this on for inetLocalMailReceipient
# sendmail support; add the following to
# sendmail.mc (thanks to Petr@Kristof.CZ):
##### CUT HERE #####
#define(`confLDAP_DEFAULT_SPEC',`-h "ldap.padl.com"')dnl
#LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldapdomains')dnl
#FEATURE(ldap_routing)dnl
##### CUT HERE #####
# where /etc/mail/ldapdomains contains names of ldap_routed
# domains (similiar to MASQUERADE_DOMAIN_FILE).
#$DEFAULT_MAIL_HOST = "mail.padl.com";

# turn this on to support more general object clases
# such as person.
$EXTENDED_SCHEMA = 1;

#
# allow environment variables to override predefines
#
if (defined($ENV{'LDAP_BASEDN'})) {
        $DEFAULT_BASE = $ENV{'LDAP_BASEDN'};
}

if (defined($ENV{'LDAP_DEFAULT_MAIL_DOMAIN'})) {
        $DEFAULT_MAIL_DOMAIN = $ENV{'LDAP_DEFAULT_MAIL_DOMAIN'};
}

if (defined($ENV{'LDAP_DEFAULT_MAIL_HOST'})) {
        $DEFAULT_MAIL_HOST = $ENV{'LDAP_DEFAULT_MAIL_HOST'};
}

# binddn used for alias owner (otherwise uid=root,...)
if (defined($ENV{'LDAP_BINDDN'})) {
        $DEFAULT_OWNER = $ENV{'LDAP_BINDDN'};
}

if (defined($ENV{'LDAP_EXTENDED_SCHEMA'})) {
        $EXTENDED_SCHEMA = $ENV{'LDAP_EXTENDED_SCHEMA'};
}

# If we haven't set the default base, guess it automagically.
if (!defined($DEFAULT_BASE)) {
        $DEFAULT_BASE = &domain_expand($DEFAULT_MAIL_DOMAIN);
        $DEFAULT_BASE =~ s/,$//o;
}

# Default Kerberos realm
if ($EXTENDED_SCHEMA) {
        $DEFAULT_REALM = $DEFAULT_MAIL_DOMAIN;
        $DEFAULT_REALM =~ tr/a-z/A-Z/;
}

if (-x "/usr/sbin/revnetgroup") {
        $REVNETGROUP = "/usr/sbin/revnetgroup";
} elsif (-x "/usr/lib/yp/revnetgroup") {
        $REVNETGROUP = "/usr/lib/yp/revnetgroup";
}

$classmap{'o'} = 'organization';
$classmap{'dc'} = 'domain';
$classmap{'l'} = 'locality';
$classmap{'ou'} = 'organizationalUnit';
$classmap{'c'} = 'country';
$classmap{'nismapname'} = 'nisMap';
$classmap{'cn'} = 'container';

sub parse_args
{
        if ($#ARGV < 0) {
                print STDERR "Usage: $PROGRAM infile [outfile]\n";
                exit 1;
        }

        $INFILE = $ARGV[0];

        if ($#ARGV > 0) {
                $OUTFILE = $ARGV[1];
        }
}

sub open_files
{
        open(INFILE);
        if ($OUTFILE) {
                open(OUTFILE,">$OUTFILE");
                $use_stdout = 0;
        } else {
                $use_stdout = 1;
        }
}

# moved from migrate_hosts.pl
# lukeh 10/30/97
sub domain_expand
{
        local($first) = 1;
        local($dn);
        local(@namecomponents) = split(/\./, $_[0]);
        foreach $_ (@namecomponents) {
                $first = 0;
                $dn .= "dc=$_,";
        }
        $dn .= $DEFAULT_BASE;
        return $dn;
}

# case insensitive unique
sub uniq
{
        local($name) = shift(@_);
        local(@vec) = sort {uc($a) cmp uc($b)} @_;
        local(@ret);
        local($next, $last);
        foreach $next (@vec) {
                if ((uc($next) ne uc($last)) &&
                        (uc($next) ne uc($name))) {
                        push (@ret, $next);
                }
                $last = $next;
        }
        return @ret;
}

# concatenate naming context and
# organizational base
sub getsuffix
{
        local($program) = shift(@_);
        local($nc);
        $program =~ s/^migrate_(.*)\.pl$/$1/;
        $nc = $NAMINGCONTEXT{$program};
        if ($nc eq "") {
                return $DEFAULT_BASE;
        } else {
                return $nc . ',' . $DEFAULT_BASE;
        }
}

sub ldif_entry
{
# remove leading, trailing whitespace
        local ($HANDLE, $lhs, $rhs) = @_;
        local ($type, $val) = split(/\=/, $lhs);
        local ($dn);

        if ($rhs ne "") {
                $dn = $lhs . ',' . $rhs;
        } else {
                $dn = $lhs;
        }

        $type =~ s/\s*$//o;
        $type =~ s/^\s*//o;
        $type =~ tr/A-Z/a-z/;
        $val =~ s/\s*$//o;
        $val =~ s/^\s*//o;

        print $HANDLE "dn: $dn\n";
        print $HANDLE "$type: $val\n";
        print $HANDLE "objectClass: top\n";
        print $HANDLE "objectClass: $classmap{$type}\n";
        if ($EXTENDED_SCHEMA) {
                if ($DEFAULT_MAIL_DOMAIN) {
                        print $HANDLE "objectClass: domainRelatedObject\n";
                        print $HANDLE "associatedDomain: $DEFAULT_MAIL_DOMAIN\n";
                }
        }

        print $HANDLE "\n";
}

# Added Thu Jun 20 16:40:28 CDT 2002 by Bob Apthorpe
# <apthorpe@cynistar.net> to solve problems with embedded plusses in
# protocols and mail aliases.
sub escape_metacharacters
{
        local($name) = @_;

        # From Table 3.1 "Characters Requiring Quoting When Contained
        # in Distinguished Names", p87 "Understanding and Deploying LDAP
        # Directory Services", Howes, Smith, & Good.

        # 1) Quote backslash
        # Note: none of these are very elegant or robust and may cause
        # more trouble than they're worth. That's why they're disabled.
        # 1.a) naive (escape all backslashes)
        # $name =~ s#\\#\\\\#og;
        #
        # 1.b) mostly naive (escape all backslashes not followed by
        # a backslash)
        # $name =~ s#\\(?!\\)#\\\\#og;
        #
        # 1.c) less naive and utterly gruesome (replace solitary
        # backslashes)
        # $name =~ s{           # Replace
        #               (?<!\\) # negative lookbehind (no preceding backslash)
        #               \\      # a single backslash
        #               (?!\\)  # negative lookahead (no following backslash)
        #       }
        #       {               # With
        #               \\\\    # a pair of backslashes
        #       }gx;
        # Ugh. Note that s#(?:[^\\])\\(?:[^\\])#////#g fails if $name
        # starts or ends with a backslash. This expression won't work
        # under perl4 because the /x flag and negative lookahead and
        # lookbehind operations aren't supported. Sorry. Also note that
        # s#(?:[^\\]*)\\(?:[^\\]*)#////#g won't work either.  Of course,
        # this is all broken if $name is already escaped before we get
        # to it. Best to throw a warning and make the user import these
        # records by hand.

        # 2) Quote leading and trailing spaces
        local($leader, $body, $trailer) = ();
        if (($leader, $body, $trailer) = ($name =~ m#^( *)(.*\S)( *)$#o)) {
                $leader =~ s# #\\ #og;
                $trailer =~ s# #\\ #og;
                $name = $leader . $body . $trailer;
        }

        # 3) Quote leading octothorpe (#)
        $name =~ s/^#/\\#/o;

        # 4) Quote comma, plus, double-quote, less-than, greater-than,
        # and semicolon
        $name =~ s#([,+"<>;])#\\$1#g;

        return $name;
}

1;

Adamal · Post by **Adamal** » Sun May 15, 2005 6:08 am

Looks like etc-update overwrote my slapd.conf file. When I rebooted my server today it stopped working. I fixed the file and updated the one I posted earlier.

DreameR78 · Post by **DreameR78** » Sun May 15, 2005 9:23 pm

Thanks Pgb. you dont know how long i'v ttried to fix it so that users can change their passwords. the exop=>crypt worked like a charm

nabbed · Post by **nabbed** » Tue May 17, 2005 10:53 am

thanks for fixing up the slapd.conf.

could you also post the contents of /etc/openldap/schema/extension.schema and tell me what version of samba you are using. i suspect it is something to do with kerberos, is that right?

thanks

Adamal · Post by **Adamal** » Wed May 18, 2005 3:03 am

I'm not using kerberos. I don't know how much the schema is going to do for you, its for my address book.

attributetype ( 1.3.6.1.4.1.4203.666.100.121
NAME ( 'rdn' )
SUP name )

attributetype ( 1.3.6.1.4.1.4203.666.100.122
NAME ( 'otherFacsimiletelephoneNumber' )
SUP telephoneNumber )

attributetype ( 1.3.6.1.4.1.4203.666.100.123
NAME ( 'IPPhone' )
SUP telephoneNumber )

# This attribute handles MS/Outlook and Netscape Communicator

attributetype ( 1.3.6.1.4.1.4203.666.100.124
NAME ( 'URL' 'homeUrl' )
SUP name )

attributetype ( 1.3.6.1.4.1.4203.666.100.125
NAME ( 'comment' )
SUP name )

attributetype ( 1.3.6.1.4.1.4203.666.100.126
NAME ( 'conferenceInformation' )
SUP name )

attributetype ( 1.3.6.1.4.1.4203.666.100.127
NAME ( 'reports' )
SUP manager )

objectclass ( 1.3.6.1.4.1.4203.666.100.1
NAME 'officePerson'
DESC 'Office employee or computer user'
SUP inetOrgPerson
STRUCTURAL
MAY ( c $
rdn $
otherFacsimiletelephoneNumber $
IPPhone $
URL $
comment $
reports $
conferenceInformation )
)

nabbed · Post by **nabbed** » Mon May 23, 2005 12:16 am

I feel like I am progressing so thanks for your help so far.
Could you post a couple more files?

/etc/ldap.conf
/etc/conf.d/samba
/etc/opt/IDEALX/smbldap-tools/smbldap.conf
/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf

what do you use for dhcp server?
what are the chances of you posting your config file for dhcp as well?
Did you use the winbind USE flag when emerging samba and therfore compile winbind into samba?
what is the version of samba that you used?
what is the version of smbldap-tools that you used?