[OpenIndiana-discuss] Could not setup LDAP for SAMBA

Jonathan Adams t12nslookup at gmail.com
Mon Mar 5 17:55:36 UTC 2012


Samba with LDAP is a PITA ... and we use it ...

First off, all users who want to use samba must have real uids on the
system, which means that the host has to be an LDAP client.

Second, since 3.0.24 if you're planning on being a domain server you
need to get hold of the smb-ldap perl tools.

Have you remembered to run smbpasswd -W?

Jon

On 5 March 2012 17:41, IVO GELOV (CRM) <ivo at crm.walltopia.com> wrote:
> I have installed the latest OpenIndiana 151a, SAMBA 3.5.5 and OpenLDAP 2.4.13.
> SAMBA works in workgroup setup, and the LDAP server also works - I can bind with the
> root DN and I have 5-6 profiles inside (posixAccount).
> Unfortunately SAMBA does not trust the uidNumber from LDAP and tries
> Get_PwNam without success.
> "getent passwd ldap_user" does not show anything, and "tcpdump" reveals
> there is not even an attempt at an LDAP connection.
> I am totally confused about what could be wrong.
>
> /etc/openldap/slapd.conf:
> =================
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/solaris.schema
> include /etc/openldap/schema/samba.schema
>
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
>
> database bdb
> suffix "dc=domain,dc=com"
> rootdn "cn=admin,dc=domain,dc=com"
>
> rootpw my-secret
> password-hash {CLEARTEXT}
>
> directory /var/openldap
> monitoring off
>
> authz-regexp uid=([^,]*),cn=[^,]*,cn=[^,]*,cn=auth uid=$1,OU=users,DC=domain,DC=com
> authz-regexp uid=([^,]*),cn=[^,]*,cn=auth uid=$1,OU=users,DC=domain,DC=com
> authz-regexp uid=([^,]*),cn=[^,]*,cn=auth cn=$1,DC=domain,DC=com
> authz-policy to
>
> access to attrs=userPassword,shadowLastChange by anonymous auth by self write by * none
> access to attrs=sambaLMPassword,sambaNTPassword by dn="uid=samba_admin,dc=domain,dc=com" read by * none
> access to dn.base="" by * read
>
>
>
> /etc/openldap/init.ldif:
> ===============
> dn: dc=domain,dc=com
> dc: domain
> o: Office
> objectclass: dcObject
> objectclass: organization
> objectclass: top
>
> dn: cn=admin,dc=domain,dc=com
> cn: admin
> objectclass: organizationalRole
>
> dn: ou=groups,dc=domain,dc=com
> objectclass: organizationalUnit
> objectclass: top
> ou: groups
>
> dn: ou=machines,dc=domain,dc=com
> objectclass: organizationalUnit
> objectclass: top
> ou: machines
>
> dn: ou=users,dc=domain,dc=com
> objectclass: organizationalUnit
> objectclass: top
> ou: users
>
> dn: sambaDomainName=domain,dc=domain,dc=com
> objectclass: sambaDomain
> objectclass: top
> sambaalgorithmicridbase: 10000
> sambadomainname: domain
> sambasid: S-1-5-21-1
>
> dn: uid=samba_admin,dc=domain,dc=com
> objectclass: account
> objectclass: simpleSecurityObject
> objectclass: top
> uid: samba_admin
> userpassword: {SSHA}V4aSjZpxJs0jroIXrKAZKYRdDf7+M9H/
>
>
> /etc/nsswitch.conf:
> ==============
> passwd: files ldap
> group: files ldap
> hosts: files dns mdns
> ipnodes: files dns mdns
>
> networks: files
> protocols: files
> rpc: files
> ethers: files
> netmasks: files
> bootparams: files
> publickey: files
> netgroup: files
> automount: files
> aliases: files
> services: files
> printers: user files
>
> auth_attr: files
> prof_attr: files
> project: files
>
> tnrhtp: files
> tnrhdb: files
>
>
>
> I have added into /etc/pam.conf:
> ========================
> login auth sufficient pam_ldap.so.1
> other auth sufficient pam_ldap.so.1
> other account sufficient pam_ldap.so.1
>
>
> I have set up the USER profile with nwamcfg:
> =================================
> activation-mode manual
> enabled true
> nameservices files,dns,ldap
> nameservices-config-file "/etc/nsswitch.conf"
> dns-nameservice-configsrc manual
> dns-nameservice-domain "domain.com"
> dns-nameservice-servers "192.168.2.1"
> dns-nameservice-search "domain.com"
> ldap-nameservice-configsrc manual
> ldap-nameservice-servers "127.0.0.1"
> default-domain "domain.com"
>
>
> /var/ldap/ldap_client_cred:
> ======================
> NS_LDAP_BINDDN= cn=admin,dc=domain,dc=com
> NS_LDAP_BINDPASSWD= my-secret
>
>
> /var/ldap/ldap_client_file:
> ====================
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_SERVERS= 127.0.0.1
> NS_LDAP_SEARCH_BASEDN= dc=domain,dc=com
> NS_LDAP_CACHETTL= 0
> NS_LDAP_AUTH= simple
> NS_LDAP_SEARCH_SCOPE= one
> NS_LDAP_SEARCH_REF= TRUE
> NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=users,dc=domain,dc=com
> NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=domain,dc=com
> NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=users,dc=domain,dc=com
>
>
> This is my first touch with a non-Linux OS and it is unfamiliar enough to me ...
>
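As an added defensive check that is not part of either message, the shell function below audits the quoted slapd.conf and Solaris LDAP client files for settings a reviewer would flag before trusting the directory for Samba and NSS authentication: cleartext password storage, a plaintext rootpw, the NSS proxy bound as the directory rootdn, and a simple bind to a non-loopback server. The file paths and fixture contents are constructed from the snippets in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit LDAP server/client settings.
# audit_ldap SLAPD_CONF LDAP_CLIENT_FILE LDAP_CLIENT_CRED -> one finding per line
audit_ldap() {
    slapd=$1 cfile=$2 cred=$3
    # {CLEARTEXT} makes slapd store userPassword values unhashed.
    grep -qi '^password-hash[[:space:]]*{CLEARTEXT}' "$slapd" &&
        echo "slapd: password-hash {CLEARTEXT} stores userPassword unhashed (prefer {SSHA})"
    # rootpw should be a slappasswd hash ({SSHA}...), not a literal secret.
    if grep -qi '^rootpw[[:space:]]' "$slapd" && ! grep -qi '^rootpw[[:space:]]*{' "$slapd"; then
        echo "slapd: rootpw is a plaintext literal (use a slappasswd hash)"
    fi
    # The NSS proxy identity should be a read-only account, never the rootdn.
    rootdn=$(sed -n 's/^rootdn[[:space:]]*"\(.*\)".*/\1/p' "$slapd")
    binddn=$(sed -n 's/^NS_LDAP_BINDDN=[[:space:]]*//p' "$cred")
    [ -n "$rootdn" ] && [ "$rootdn" = "$binddn" ] &&
        echo "client: NSS proxy binds as the rootdn; use a read-only proxy account"
    # A simple bind sends the proxy password unencrypted; only loopback is acceptable.
    if grep -q '^NS_LDAP_AUTH=[[:space:]]*simple[[:space:]]*$' "$cfile" &&
       ! grep -q '^NS_LDAP_SERVERS=[[:space:]]*127\.0\.0\.1[[:space:]]*$' "$cfile"; then
        echo "client: simple bind to a remote server sends the proxy password unprotected"
    fi
    return 0
}

# Constructed fixtures reproducing the values quoted in the thread (paths hypothetical).
run_audit() {
    d=$(mktemp -d)
    printf '%s\n' 'rootdn "cn=admin,dc=domain,dc=com"' 'rootpw my-secret' \
        'password-hash {CLEARTEXT}' > "$d/slapd.conf"
    printf '%s\n' 'NS_LDAP_SERVERS= 127.0.0.1' 'NS_LDAP_AUTH= simple' > "$d/ldap_client_file"
    printf '%s\n' 'NS_LDAP_BINDDN= cn=admin,dc=domain,dc=com' \
        'NS_LDAP_BINDPASSWD= my-secret' > "$d/ldap_client_cred"
    audit_ldap "$d/slapd.conf" "$d/ldap_client_file" "$d/ldap_client_cred"
    rm -rf "$d"
}

run_audit
```

With the quoted configuration the loopback server keeps the simple-bind finding quiet, so three findings are reported.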