[OpenIndiana-discuss] Could not setup LDAP for SAMBA
Jonathan Adams
t12nslookup at gmail.com
Tue Mar 6 14:18:15 UTC 2012
/etc/passwd still exists for local users (root should always exist as
a local user) ... ldap is additional to it (and likewise should never
have root in it)
zones are really straight forward,
http://wiki.openindiana.org/oi/7.+Virtualization
you just need a space you want to install the zone in ( a slice of
disk ) and an IP address ... there are advanced things you can do if
you want to use virtual nics, and we now have an OI server doing
stupendous things in zones that we couldn't have done in 4 machines in
the past.
however, if you don't want to do zones you probably need to run
"ldapclient" on the server to allow it to authenticate against the
LDAP server.
something like (if you use an LDAP server name, remember to put it in
/etc/hosts):
ldapclient manual -a domainName=dc=domain,dc=com -a
preferredServerList=<LDAP Server ip/name> -a
authenticationMethod=simple
you may want to set the credentialLevel=proxy (if you have protection
on who can see the password field of users), or to specify the
defaultsearchbase ... you should be able to find out more with "man
ldapclient" ...
you then might need to change /etc/nsswitch.conf to have "passwd:
files ldap" and "group: files ldap"
make sure files comes first.
you should then be able to "getent passwd administrator"
Jon
On 6 March 2012 12:55, IVO GELOV (CRM) <ivo at crm.walltopia.com> wrote:
> On Tue, 06 Mar 2012 12:01:21 +0200, Jonathan Adams <t12nslookup at gmail.com>
> wrote:
>
> I am including the "samba.schema" in slapd.conf - and I have also this in
> LDAP:
>
> # Entry 1: ou=users,dc=domain,dc=com
>
> dn: ou=users,dc=domain,dc=com
> objectclass: organizationalUnit
> objectclass: top
> ou: users
>
> # Entry 2: uid=administration,ou=users,dc=domain,dc=com
> dn: uid=administration,ou=users,dc=domain,dc=com
> cn: administration
> gidnumber: 101
> homedirectory: /tmp
> objectclass: top
> objectclass: account
> objectclass: posixAccount
> objectclass: sambaSamAccount
> sambaacctflags: [UX ]
> sambalmpassword: C4B274309D14EC00AAD3B435B51404EE
> sambantpassword: 02ECCB1802088A4C42E17664D55819E5
> sambasid: S-1-5-21-1-10208
> uid: administration
> uidnumber: 104
> userpassword:
>
> I am still not familiar enough with Solaris, so zones are still dark place
> for me :)
> May be I am not understanding very well the things. I assume that LDAP
> replaces
> /etc/passwd - i.e. instead of poluting /etc/passwd I will populate LDAP.
> From both,
> the latter is more convenient for me. The exact thing I want is to have only
> 2 UIDs
> and about 50 user SAMBA accounts which should map to one or the other of my
> 2 UIDs.
> These UIDs are 104 and 105 and already exist.
> The problem is, that SAMBA - or most probably the Solaris itself - can not
> do this
> mapping.
> Issuing "getent passwd administration" gives me no output. And I do not know
> how
> to debug "getent" in order to see what is wrong .....
>
> So this is the issue which I need some help for :(
>
> PS: we do not have a Windows domain currently (please do not laugh), so I
> only need
> a workgroup mode for SAMBA.
>
>
>> ok, well thats relatively straight forward ...
>>
>> you might want to do this in a zone on Solaris, if you're worried
>> about polluting the passwd file because each samba user _does_ need a
>> user on the system, if you do it in a zone then the zone can be an
>> LDAP client and you can disable all ssh, telnet and ftp access so that
>> people can only access their user partitions using samba.
>>
>> after you have the zone as an LDAP client, you need to configure the
>> LDAP for samba and the smb.conf file.
>>
>> If you are brave and know your way around LDAP you can do this
>> manually if you get the Samba LDAP Schema from the Samba source tar
>> file ( https://www.samba.org/samba/download/ ) and loading it into the
>> LDAP server.
>>
>> the users you want to have access to the domain will need to have the
>> class of "posixAccount" and "sambaSamAccount" ... and you will need to
>> know your sambaSID ...
>>
>> otherwise you can look to getting smbldap tools, written in perl (
>> http://gna.org/projects/smbldap-tools ) essential if you are planning
>> on having domain logons, or even look at other tools from
>> https://wiki.samba.org/index.php/Samba_&_LDAP
>>
>> I'm a script'er so we have in house tools.
>>
>> logging in to the first share for the first time is the hardest bit
>> ... after that it is just setting up groups and access levels.
>>
>> Jon
>>
>
> _______________________________________________
> OpenIndiana-discuss mailing list
> OpenIndiana-discuss at openindiana.org
> http://openindiana.org/mailman/listinfo/openindiana-discuss
More information about the OpenIndiana-discuss
mailing list