[OpenIndiana-discuss] Could not setup LDAP for SAMBA

Gordon Ross gordon.w.ross at gmail.com
Tue Mar 6 14:31:44 UTC 2012


Also remember the simple trick: if you want accounts where the user
cannot log on, just make their shell /bin/false.

On Tue, Mar 6, 2012 at 6:18 PM, Jonathan Adams <t12nslookup at gmail.com> wrote:
> /etc/passwd still exists for local users (root should always exist as
> a local user) ... LDAP is in addition to it (and likewise should never
> have root in it)
>
> zones are really straightforward,
> http://wiki.openindiana.org/oi/7.+Virtualization
>
> you just need a space you want to install the zone in ( a slice of
> disk ) and an IP address ... there are advanced things you can do if
> you want to use virtual nics, and we now have an OI server doing
> stupendous things in zones that we couldn't have done in 4 machines in
> the past.
>
> however, if you don't want to do zones you probably need to run
> "ldapclient" on the server to allow it to authenticate against the
> LDAP server.
>
> something like (if you use an LDAP server name, remember to put it in
> /etc/hosts):
>
> ldapclient manual  -a domainName=dc=domain,dc=com -a
> preferredServerList=<LDAP Server ip/name> -a
> authenticationMethod=simple
>
> you may want to set the credentialLevel=proxy (if you have protection
> on who can see the password field of users), or to specify the
> defaultsearchbase ... you should be able to find out more with "man
> ldapclient" ...
>
> you then might need to change /etc/nsswitch.conf to have "passwd:
> files ldap" and "group: files ldap"
>
> make sure files comes first.
>
> you should then be able to "getent passwd administrator"
>
> Jon
>
> On 6 March 2012 12:55, IVO GELOV (CRM) <ivo at crm.walltopia.com> wrote:
>> On Tue, 06 Mar 2012 12:01:21 +0200, Jonathan Adams <t12nslookup at gmail.com>
>> wrote:
>>
>> I am including the "samba.schema" in slapd.conf - and I also have this in
>> LDAP:
>>
>> # Entry 1: ou=users,dc=domain,dc=com
>>
>> dn: ou=users,dc=domain,dc=com
>> objectclass: organizationalUnit
>> objectclass: top
>> ou: users
>>
>> # Entry 2: uid=administration,ou=users,dc=domain,dc=com
>> dn: uid=administration,ou=users,dc=domain,dc=com
>> cn: administration
>> gidnumber: 101
>> homedirectory: /tmp
>> objectclass: top
>> objectclass: account
>> objectclass: posixAccount
>> objectclass: sambaSamAccount
>> sambaacctflags: [UX         ]
>> sambalmpassword: C4B274309D14EC00AAD3B435B51404EE
>> sambantpassword: 02ECCB1802088A4C42E17664D55819E5
>> sambasid: S-1-5-21-1-10208
>> uid: administration
>> uidnumber: 104
>> userpassword:
>>
>> I am still not familiar enough with Solaris, so zones are still a dark
>> place for me :)
>> Maybe I am not understanding things very well. I assume that LDAP
>> replaces /etc/passwd - i.e. instead of polluting /etc/passwd I will
>> populate LDAP. Of the two, the latter is more convenient for me. The
>> exact thing I want is to have only 2 UIDs and about 50 SAMBA user
>> accounts which should map to one or the other of my 2 UIDs. These UIDs
>> are 104 and 105 and already exist.
>> The problem is that SAMBA - or most probably Solaris itself - cannot do
>> this mapping.
>> Issuing "getent passwd administration" gives me no output. And I do not
>> know how to debug "getent" in order to see what is wrong .....
>>
>> So this is the issue which I need some help for :(
>>
>> PS: we do not have a Windows domain currently (please do not laugh), so I
>> only need workgroup mode for SAMBA.
>>
>>
>>> ok, well that's relatively straightforward ...
>>>
>>> you might want to do this in a zone on Solaris if you're worried
>>> about polluting the passwd file, because each samba user _does_ need a
>>> user on the system; if you do it in a zone then the zone can be an
>>> LDAP client and you can disable all ssh, telnet and ftp access so that
>>> people can only access their user partitions using samba.
>>>
>>> after you have the zone as an LDAP client, you need to configure the
>>> LDAP for samba and the smb.conf file.
>>>
>>> If you are brave and know your way around LDAP you can do this
>>> manually by getting the Samba LDAP schema from the Samba source tar
>>> file ( https://www.samba.org/samba/download/ ) and loading it into the
>>> LDAP server.
>>>
>>> the users you want to have access to the domain will need to have the
>>> class of "posixAccount" and "sambaSamAccount" ... and you will need to
>>> know your sambaSID ...
>>>
>>> otherwise you can look to getting smbldap tools, written in perl (
>>> http://gna.org/projects/smbldap-tools ) essential if you are planning
>>> on having domain logons, or even look at other tools from
>>> https://wiki.samba.org/index.php/Samba_&_LDAP
>>>
>>> I'm a scripter so we have in-house tools.
>>>
>>> logging in to the first share for the first time is the hardest bit
>>> ... after that it is just setting up groups and access levels.
>>>
>>> Jon
>>>
>>
>> _______________________________________________
>> OpenIndiana-discuss mailing list
>> OpenIndiana-discuss at openindiana.org
>> http://openindiana.org/mailman/listinfo/openindiana-discuss
>
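An added example, not code from the thread or from the OpenIndiana or Samba projects: a small Python checker that reads the LDIF entry the way nss_ldap's passwd map and Samba's ldapsam backend will, prints the passwd(4) line that "getent passwd administration" should return once ldapclient and nsswitch.conf are set up, and lists the things worth fixing first (no loginShell, empty userPassword, LM hash of a short password, a sambaSID that is not under the server's domain SID). SAMPLE_LDIF is constructed to mirror the entry posted above; the Samba 3 schema attribute names and the domain_sid parameter (meant to be the output of "net getlocalsid") are assumptions, not something the thread states.

```python
"""Check an LDIF user entry the way nss_ldap's passwd map and Samba's ldapsam
passdb read it.  Added example, not tooling from the list; SAMPLE_LDIF is
constructed to mirror the entry posted in the thread, Samba 3 schema assumed."""
import base64

SAMPLE_LDIF = """\
# Entry 2: uid=administration,ou=users,dc=domain,dc=com
dn: uid=administration,ou=users,dc=domain,dc=com
cn: administration
gidnumber: 101
homedirectory: /tmp
objectclass: top
objectclass: account
objectclass: posixAccount
objectclass: sambaSamAccount
sambaacctflags: [UX         ]
sambalmpassword: C4B274309D14EC00AAD3B435B51404EE
sambantpassword: 02ECCB1802088A4C42E17664D55819E5
sambasid: S-1-5-21-1-10208
uid: administration
uidnumber: 104
userpassword:
"""

# LM hash of an empty 7-byte half: second half of the hash of any password
# that is 7 characters or shorter.
EMPTY_LM_HALF = "AAD3B435B51404EE"
# posixAccount MUST attributes nss_ldap needs to build a passwd(4) line.
PASSWD_REQUIRED = ("uid", "uidnumber", "gidnumber", "homedirectory")


def parse_ldif(text):
    """LDIF text -> list of {attr: [values]}; attribute names lower-cased,
    '#' comments skipped, ' ' continuations joined, 'attr:: b64' decoded."""
    entries, current, last = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:        # folded line
            current[last][-1] += raw[1:]
            continue
        if not raw.strip():                                   # entry separator
            if current:
                entries.append(current)
            current, last = None, None
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if value.startswith(":"):                             # base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current = current if current is not None else {}
        current.setdefault(attr, []).append(value)
        last = attr
    if current:
        entries.append(current)
    return entries


def first(entry, attr, default=""):
    return entry.get(attr, [default])[0]


def passwd_line(entry):
    """The passwd(4) line nss_ldap builds for this entry (gecos and shell come
    from the optional gecos/loginShell attributes and are empty if unset), or
    None if the entry cannot appear in the passwd map at all."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" not in classes or any(a not in entry for a in PASSWD_REQUIRED):
        return None
    return "%s:x:%s:%s:%s:%s:%s" % (
        first(entry, "uid"), first(entry, "uidnumber"), first(entry, "gidnumber"),
        first(entry, "gecos"), first(entry, "homedirectory"), first(entry, "loginshell"))


def check_samba_account(entry, domain_sid=None):
    """Findings to fix before pointing Samba and nss_ldap at this entry.
    domain_sid (assumed: the output of 'net getlocalsid') makes every
    sambaSID have to be <domain_sid>-<RID>."""
    findings = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    for cls, attrs in (("posixaccount", PASSWD_REQUIRED), ("sambasamaccount", ("sambasid",))):
        if cls not in classes:
            findings.append("missing objectClass %s" % cls)
        findings += ["missing %s (needed for %s)" % (a, cls) for a in attrs if a not in entry]
    if not first(entry, "loginshell"):
        findings.append("no loginShell: set /bin/false so the Unix account cannot log in")
    if "userpassword" in entry and not first(entry, "userpassword"):
        findings.append("userPassword is empty: simple LDAP binds as this DN cannot succeed")
    lm = first(entry, "sambalmpassword").upper()
    if lm and lm[16:] == EMPTY_LM_HALF:
        findings.append("LM hash shows the password is 7 characters or shorter")
    sid = first(entry, "sambasid")
    if domain_sid and sid and not sid.startswith(domain_sid + "-"):
        findings.append("sambaSID %s is not under domain SID %s" % (sid, domain_sid))
    return findings


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print("getent passwd should print:", passwd_line(entry))
        for finding in check_samba_account(entry, domain_sid="S-1-5-21-1"):
            print(" -", finding)
```

For the posted entry the passwd line is "administration:x:104:101::/tmp:", so if getent still prints nothing the entry itself is fine and the problem is on the client side (ldapclient not configured, or "ldap" missing from the passwd line in /etc/nsswitch.conf). To run it against the real tree, feed it the output of "ldapsearch -x -b ou=users,dc=domain,dc=com" and pass domain_sid=the value printed by "net getlocalsid"; the LM hash finding goes away once the Samba password is longer than 7 characters, and the LM hash need not be stored at all when smb.conf has "lanman auth = no".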
