[OpenIndiana-discuss] Could not setup LDAP for SAMBA

Jonathan Adams t12nslookup at gmail.com
Tue Mar 6 17:16:43 UTC 2012


you can have it set up to have all files owned by a single user if
that is what you want, you can do that in the samba configuration ...

as I said, the hardest issue is to make your solaris machine an LDAP
client ... I take it that the LDAP server is running on the local
machine?

I'm wondering if it is to do with your LDAP_SEARCH_SCOPE ... I think
you'll need "subtree".

I also have a NS_LDAP_CREDENTIAL_LEVEL=proxy ... I'm not sure if you
need that ...

can you run:

ldapsearch -b dc=domain,dc=com uid=Administrator

do you have access to JXplorer, can you access the LDAP server from within that?

Jon

On 6 March 2012 16:59, IVO GELOV (CRM) <ivo at crm.walltopia.com> wrote:
> My native language is not English - so it is possible that I am not able to
> properly describe the situation. I am patient and will repeat some key moments
> from my setup:
>
> 1) I have run ldapclient and it produced the following files:
>
>
> /var/ldap/ldap_client_cred:
> ======================
> NS_LDAP_BINDDN= cn=admin,dc=domain,dc=com
> NS_LDAP_BINDPASSWD= my-secret
>
> /var/ldap/ldap_client_file:
> ====================
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_SERVERS= 127.0.0.1
> NS_LDAP_SEARCH_BASEDN= dc=domain,dc=com
> NS_LDAP_CACHETTL= 0
> NS_LDAP_AUTH= simple
> NS_LDAP_SEARCH_SCOPE= one
> NS_LDAP_SEARCH_REF= TRUE
> NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=users,dc=domain,dc=com
> NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=domain,dc=com
> NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=users,dc=domain,dc=com
>
> 2) I have added "ldap" to nsswitch.conf
>
>
> /etc/nsswitch.conf:
> ==============
> passwd: files ldap
> group: files ldap
>
> 3) I have issued "svcadm restart network/ldap/client"
>
> 4) I have entries in /etc/passwd
>
> unix:x:104:101::/home/unix:/bin/bash
> boss:x:105:101::/home/boss:/bin/bash
>
> 5) I have entry in /etc/group
>
> depart::101:tmcdos,unix,boss
>
> 6) I am expecting "getent passwd administration" to show info about the LDAP
> user account "administration" with password "samba" and the same UID/GID as
> the entry "unix" in /etc/passwd
>
> 7) However, getent does not show anything - neither an error message nor the
> expected information
>
> 8) And I do not know what is wrong in my setup - because the OS does not
> tell me the error. How would I debug the problem? Probably there is some
> gotcha which is not covered in the popular HOWTOs.
>
> All I wanted is for SAMBA to require a different password for each share, but
> all files and directories to be owned by a single local OS account (actually 2
> accounts - "unix" and "boss")
>
> I am thankful for all your responses - but unfortunately, I am still far from
> reaching my goal :(
>
>
>
> On Tue, 06 Mar 2012 16:18:15 +0200, Jonathan Adams <t12nslookup at gmail.com>
> wrote:
>
>> /etc/passwd still exists for local users (root should always exist as
>> a local user) ... ldap is additional to it (and likewise should never
>> have root in it)
>>
>> zones are really straight forward,
>> http://wiki.openindiana.org/oi/7.+Virtualization
>>
>> you just need a space you want to install the zone in ( a slice of
>> disk ) and an IP address ... there are advanced things you can do if
>> you want to use virtual nics, and we now have an OI server doing
>> stupendous things in zones that we couldn't have done in 4 machines in
>> the past.
>>
>> however, if you don't want to do zones you probably need to run
>> "ldapclient" on the server to allow it to authenticate against the
>> LDAP server.
>>
>> something like (if you use an LDAP server name, remember to put it in
>> /etc/hosts):
>>
>> ldapclient manual  -a domainName=dc=domain,dc=com -a
>> preferredServerList=<LDAP Server ip/name> -a
>> authenticationMethod=simple
>>
>> you may want to set the credentialLevel=proxy (if you have protection
>> on who can see the password field of users), or to specify the
>> defaultsearchbase ... you should be able to find out more with "man
>> ldapclient" ...
>>
>> you then might need to change /etc/nsswitch.conf to have "passwd:
>> files ldap" and "group: files ldap"
>>
>> make sure files comes first.
>>
>> you should then be able to "getent passwd administrator"
>>
>> Jon
>>
>
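A small lint for the ldap_client_file quoted above, added here as an example (not code from either poster). It parses the "KEY= value" format that ldapclient writes, then flags the points raised in the thread: scope "one" where Jon suggests "subtree", a missing NS_LDAP_CREDENTIAL_LEVEL, service search descriptors whose base is not under NS_LDAP_SEARCH_BASEDN, and a simple bind (cleartext password) to any server that is not loopback. The sample config is the one quoted in the thread; the finding codes and the LDAP server address used in the usage note are my own.

```python
from typing import Dict, List, Tuple

# Constructed sample: the poster's /var/ldap/ldap_client_file as quoted in the thread.
SAMPLE_CLIENT_FILE = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 127.0.0.1
NS_LDAP_SEARCH_BASEDN= dc=domain,dc=com
NS_LDAP_CACHETTL= 0
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=users,dc=domain,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=domain,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=users,dc=domain,dc=com
"""

def parse_client_file(text: str) -> Dict[str, List[str]]:
    """Parse 'KEY= value' lines; values are lists because NS_LDAP_SERVICE_SEARCH_DESC repeats."""
    cfg: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg

def lint_client_file(cfg: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the gotchas discussed in the thread (codes are mine)."""
    findings: List[Tuple[str, str]] = []
    base = cfg.get("NS_LDAP_SEARCH_BASEDN", [""])[0].lower()
    if cfg.get("NS_LDAP_SEARCH_SCOPE", [""])[0] == "one":
        findings.append(("SCOPE_ONE", "scope 'one' only searches one level below the base DN; thread suggests 'subtree'"))
    if "NS_LDAP_CREDENTIAL_LEVEL" not in cfg:
        findings.append(("NO_CRED_LEVEL", "NS_LDAP_CREDENTIAL_LEVEL is unset; the working client in the thread uses 'proxy'"))
    servers = cfg.get("NS_LDAP_SERVERS", [""])[0].replace(",", " ").split()
    remote = [s for s in servers if not s.startswith(("127.", "::1", "localhost"))]
    if cfg.get("NS_LDAP_AUTH", [""])[0] == "simple" and remote:
        findings.append(("SIMPLE_BIND_REMOTE", "simple bind sends the bind password in cleartext to " + ", ".join(remote)))
    for ssd in cfg.get("NS_LDAP_SERVICE_SEARCH_DESC", []):
        service, _, ssd_base = ssd.partition(":")
        ssd_base = ssd_base.strip().split("?")[0].lower()  # compare only the DN part of the descriptor
        if base and not ssd_base.endswith(base):
            findings.append(("SSD_OUTSIDE_BASE", f"{service.strip()} base {ssd_base} is not under {base}"))
    return findings

if __name__ == "__main__":
    for code, msg in lint_client_file(parse_client_file(SAMPLE_CLIENT_FILE)):
        print(f"{code}: {msg}")
```

Run against the quoted file it reports SCOPE_ONE and NO_CRED_LEVEL; pointing NS_LDAP_SERVERS at a non-loopback address (say 10.0.0.5, a made-up value) additionally reports SIMPLE_BIND_REMOTE.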
