[OpenIndiana-discuss] Could not setup LDAP for SAMBA
IVO GELOV (CRM)
ivo at crm.walltopia.com
Tue Mar 6 16:59:02 UTC 2012
My native language is not English - so it is possible that I am not able to properly
describe the situation. I am patient and will repeat some key moments from my setup:
1) I have run ldapclient and it produced the following files:
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=users,dc=domain,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=domain,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=users,dc=domain,dc=com
2) I have added "ldap" to nsswitch.conf
passwd: files ldap
group: files ldap
3) I have issued "svcadm restart network/ldap/client"
4) I have entries in /etc/passwd
5) I have an entry in /etc/group
6) I am expecting "getent passwd administration" to show info about the LDAP user account
"administration" with password "samba" and the same UID/GID as the UNIX entry in /etc/passwd
7) However, getent does not show anything - neither error message nor the expected information
8) And I do not know what is wrong in my setup - because the OS does not tell me the error.
How would I debug the problem? Probably there is some gotcha, which is not covered in the
All I wanted is for SAMBA to require different password for each share, but all files
and directories to be owned by a single local OS account (actually 2 accounts - "unix" and "boss")
I am thankful for all your responses - but unfortunately, I am still far from reaching my goal :(
On Tue, 06 Mar 2012 16:18:15 +0200, Jonathan Adams <t12nslookup at gmail.com> wrote:
> /etc/passwd still exists for local users (root should always exist as
> a local user) ... ldap is additional to it (and likewise should never
> have root in it)
> zones are really straightforward,
> you just need a space you want to install the zone in ( a slice of
> disk ) and an IP address ... there are advanced things you can do if
> you want to use virtual nics, and we now have an OI server doing
> stupendous things in zones that we couldn't have done in 4 machines in
> the past.
> however, if you don't want to do zones you probably need to run
> "ldapclient" on the server to allow it to authenticate against the
> LDAP server.
> something like (if you use an LDAP server name, remember to put it in
> ldapclient manual -a domainName=dc=domain,dc=com -a
> preferredServerList=<LDAP Server ip/name> -a
> you may want to set the credentialLevel=proxy (if you have protection
> on who can see the password field of users), or to specify the
> defaultsearchbase ... you should be able to find out more with "man
> ldapclient" ...
> you then might need to change /etc/nsswitch.conf to have "passwd:
> files ldap" and "group: files ldap"
> make sure files comes first.
> you should then be able to "getent passwd administrator"
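A check for the silent-getent situation described in this thread, added here as an example and not code from either poster: it parses constructed stand-ins for /etc/nsswitch.conf, "ldapclient list" output and the ldapsearch LDIF of the account (the file contents, the uid 1001 and the home directory are assumptions), and verifies the three things the name service needs before getent can return anything: "files ldap" order for passwd and group, a configured search base, and an entry carrying the RFC 2307 posixAccount attributes.

```shell
# Constructed stand-ins for /etc/nsswitch.conf, "ldapclient list" output and the
# LDIF "ldapsearch -b ou=users,dc=domain,dc=com uid=administration" would print.
NSSWITCH='passwd: files ldap
group: files ldap
shadow: files'
LDAPCLIENT_LIST='NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=users,dc=domain,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=domain,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=users,dc=domain,dc=com'
ENTRY='dn: uid=administration,ou=users,dc=domain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: administration
uidNumber: 1001
gidNumber: 1001
homeDirectory: /export/home/unix
loginShell: /bin/sh'
# True when nsswitch consults "files" first and then "ldap" for the database.
nss_ok() {
  case "$(printf '%s\n' "$NSSWITCH" | awk -v db="$1:" '$1 == db { print $2, $3 }')" in
    "files ldap") return 0 ;;
    *) return 1 ;;
  esac
}
# Search base ldapclient configured for a database (empty if none).
search_base() {
  printf '%s\n' "$LDAPCLIENT_LIST" |
    awk -v db="$1:" '$1 == "NS_LDAP_SERVICE_SEARCH_DESC=" && $2 == db { print $3 }'
}
# The LDAP name service silently skips entries that are not posixAccount or
# lack the RFC 2307 attributes, so getent prints nothing rather than an error.
posix_ok() {
  for attr in 'objectClass: posixAccount' 'uidNumber: ' 'gidNumber: ' \
              'homeDirectory: ' 'loginShell: '; do
    printf '%s\n' "$ENTRY" | grep -q "^$attr" || return 1
  done
}
# UID the LDAP account maps to; compare with the "unix" line in /etc/passwd.
entry_uid() {
  printf '%s\n' "$ENTRY" | awk '$1 == "uidNumber:" { print $2 }'
}
for db in passwd group; do
  nss_ok "$db" && echo "nsswitch $db: ok" || echo "nsswitch $db: ldap missing or not after files"
  echo "search base for $db: $(search_base "$db")"
done
posix_ok && echo "entry is a posixAccount with uid $(entry_uid)" || echo "entry lacks posixAccount attributes"
```

On the real host, replace the three variables with the output of cat /etc/nsswitch.conf, ldapclient list and ldapsearch; if all checks pass and getent passwd administration is still empty, the remaining suspects are the credentialLevel/proxy bind and the ACLs on the directory.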