Re: OpenLDAP / Samba integration
-------- Original - Text --------
> What are you having problems with? Is this a new installation or an
> existing system?
It is a new installation on openSUSE 11.4.
I have both services running on the same box: ldap and samba.
When I try to connect using an smb client,
the debug log is stating "key expired". Before that I got an
NT_USER_NOT_KNOW.
But right now I remember that I added the Netbios statement in smb.conf
and at
that time the debug message changed from user not known to
key expired. I do not want to use netbios if possible - it was just
added as another try to get it running. Could it be that I have to
From my understanding one needs the samba3.schema because Windows
stores passwords differently than unix does and there is no way to
convert. Therefore you only need to set the 2 passwordNT/LM fields
and the sambaSID - the passwords are taken from those
NT/LM fields. Is that right?
The group matching will be done without any problems using the
group value defined in posixAccount. Is that right or am I mistaken?
So for example: If stefan has defined gidNumber 100, based on
this information it will be possible to find out that in the config below
stefan belongs to group users (based again on gidNumber and
memberUid). Right or wrong?
Here are the essentials of my configuration details for both services.
I do have
dn: ou=Group,dc=xxxxx,dc=de
dn: ou=People,dc=xxxxx,dc=de
also I have:
dn: uid=stefan,ou=People,dc=xxxxx,dc=de
uid: stefan
cn: stefan
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
shadowLastChange: 13572
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 632
gidNumber: 100
homeDirectory: /home/users/stefan
structuralObjectClass: account
entryUUID: 57264e20-2261-102c-9ecf-9fa815f26773
creatorsName: cn=Manager,dc=xxxxx,dc=de
createTimestamp: 20071108161351Z
sambaSID: S-1-5-21-38098927-3018186934-2063245418
sambaLMPassword: c02717a286a249086de605daecb45436
sambaNTPassword: c02717a286a249086de605daecb45436
userPassword:: 1111111111111111111111111==
sambaPwdLastSet: 0
sambaPwdMustChange: 0
entryCSN: 20110321231822.373017Z#000000#000#000000
modifiersName: cn=Manager,dc=xxxxx,dc=de
modifyTimestamp: 20110321231822Z
Note: the sambaLMPassword and the sambaNTPassword values are
created via a php script which first builds the md4 sum of the base password
and after that does another binary transformation. I read this
should be the format samba is expecting for the value. Is that right or did
I do something wrong at this step?
--------------------------------------------------------------------------------
I have this definition also
dn: cn=users,ou=Group,dc=xxxxx,dc=de
objectClass: posixGroup
objectClass: namedObject
objectClass: top
cn: users
userPassword:: 1111111111111111
gidNumber: 100
memberUid: sadmin
memberUid: stefan
structuralObjectClass: namedObject
entryUUID: 106c209a-226b-102c-9f4d-9fa815f26773
creatorsName: cn=Manager,dc=xxxxx,dc=de
createTimestamp: 20071108172328Z
entryCSN: 20110321210104.815232Z#000000#000#000000
modifiersName: cn=Manager,dc=xxxxx,dc=de
modifyTimestamp: 20110321210104Z
---------------------------------------------------------------------
Also I do have that, which confuses me: Why does the
root user only have the value sambaAcctFlags set?
Where does this entry come from - I did not define
it in my ldif import.
dn: uid=root,ou=People,dc=xxxxx,dc=de
uid: root
sambaSID: S-1-5-21-38098927-3018186934-2063245418-1000
displayName: root
sambaPwdCanChange: 1300747942
sambaNTPassword: 111111111111111111
sambaPwdLastSet: 1300747942
sambaAcctFlags: [U ]
objectClass: sambaSamAccount
objectClass: account
structuralObjectClass: account
entryUUID: a0626f44-e859-102f-8432-f5e997da80c3
creatorsName: cn=Manager,dc=xxxxx,dc=de
createTimestamp: 20110321225222Z
entryCSN: 20110321225222.093965Z#000000#000#000000
modifiersName: cn=Manager,dc=xxxxx,dc=de
modifyTimestamp: 20110321225222Z
This is my slapd.conf:
ldapnix:~ # cat /etc/openldap/slapd.conf | grep -vi "^#"
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/samba3.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
access to dn.base=""
by * read
access to attrs=userPassword,userPKCS12
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
access to *
by * read
database bdb
monitoring on
suffix "dc=xxxxx,dc=de"
checkpoint 1024 5
cachesize 10000
rootdn "cn=Manager,dc=xxxxx,dc=de"
rootpw secret
directory /var/lib/ldap
index objectClass eq
-------------------------------------------------------------------------
This is my smb.conf:
[global]
unix charset = UTF-8
workgroup = PRIVAT
interfaces = 192.168.1.46
update encrypted = Yes
map to guest = Bad User
root directory = /
#username map = /etc/samba/smbusers
# Logging - 5000 KB, Samba keeps an .old file
log level = 3
max log size = 5000
printcap name = cups
logon path = \\%L\profiles\.msprofile
logon drive = P:
logon home = \\%L\%U\.9xprofile
domain master = No
ldap ssl = Off
idmap uid = 10000-20000
idmap gid = 10000-20000
printer admin = @ntadmin, root, administrator
ldap admin dn = cn=Manager,dc=xxxxx,dc=de
passdb backend = ldapsam:ldap://ldap.privat.xxxxx.de/
ldapsam:trusted = yes
ldapsam:editposix = yes
ldap debug level = 1
ldap user suffix = ou=People
#ldap group suffix = ou=Groups
ldap group suffix = ou=Group
ldap machine suffix = ou=Computers
ldap suffix = dc=xxxxx,dc=de
wins support = No
add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$
domain logons = No
ldap idmap suffix = ou=Idmap
ldap passwd sync = No
netbios name = LDAPNIX
security = user
wins server =
I do have a share definition like that:
[users]
comment = All users
path = /home/users
valid users = @users, @susers, root
read only = No
inherit permissions = Yes
I added the password for the "cn=Manager,dc=xxxxx,dc=de" using
smbpasswd -w secret
The tdbdump /etc/samba/secrets.tdb command shows those entries:
key(53) = "SECRETS/LDAP_BIND_PW/cn=Manager,dc=xxxxx,dc=de"
data(7) = "secret\00"
}
{
key(21) = "SECRETS/SID/PRIVAT"
data(68) =
"\01\04\00\00\00\00\00\05\15\00\00\00\EFWE\02\B6\E0\E5\B3j\A0\FAz\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
}
{
key(19) = "SECRETS/SID/LDAPNIX"
data(68) =
"\01\04\00\00\00\00\00\05\15\00\00\00\EFWE\02\B6\E0\E5\B3j\A0\FAz\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
}
I get this output also:
ldapnix:~ # net getlocalsid
SID der Domäne LDAPNIX ist: S-1-5-21-38098927-3018186934-2063245418
I really would like to understand. If you guide me what to do
and it would make sense I would also set it up from scratch to
understand what is going on. But I do not want to use libs or "special"
scripts
which will hide the process without the chance to understand.
Thanks for your help.
-fuz
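An added example, not code from the post above nor from Samba or OpenLDAP: the sambaNTPassword value Samba expects is MD4 over the UTF-16LE encoding of the password written as 32 hex digits, and a Samba user SID is the domain SID shown by net getlocalsid followed by a per-user RID. The block implements that hash in pure Python and runs plausibility checks over an entry constructed to mirror the stefan entry in the post; the check function, its domain SID argument and the sample dictionary are my own assumptions.

```python
import re
import struct

# Pure-Python MD4 (RFC 1320); hashlib's "md4" is often unavailable under OpenSSL 3.
def md4(data: bytes) -> bytes:
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            j = i % 16
            if i < 16:    # round 1: F, message words in order
                f, k, s, add = (b & c) | (~b & d), j, (3, 7, 11, 19)[j % 4], 0
            elif i < 32:  # round 2: G, words 0,4,8,12,1,5,...
                f, k, s, add = (b & c) | (b & d) | (c & d), (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:         # round 3: H, words 0,8,4,12,2,10,... (bit-reversed index)
                f, k, s, add = b ^ c ^ d, int(f"{j:04b}"[::-1], 2), (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            a, b, c, d = d, rotl((a + f + x[k] + add) & 0xFFFFFFFF, s), b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    # sambaNTPassword format: MD4 over the UTF-16LE password, 32 uppercase hex digits.
    return md4(password.encode("utf-16-le")).hex().upper()

def check_samba_account(entry: dict, domain_sid: str) -> list:
    # Plausibility checks for one sambaSamAccount entry (hypothetical helper, my own).
    problems = []
    sid = entry.get("sambaSID", "")
    if not re.fullmatch(re.escape(domain_sid) + r"-\d+", sid):
        problems.append(f"sambaSID {sid!r} is not <domain SID>-<RID>")
    for attr in ("sambaNTPassword", "sambaLMPassword"):
        val = entry.get(attr)
        if val is not None and not re.fullmatch(r"[0-9A-Fa-f]{32}", val):
            problems.append(f"{attr} is not 32 hex digits")
    lm = entry.get("sambaLMPassword")
    if lm and lm == entry.get("sambaNTPassword"):
        problems.append("sambaLMPassword equals sambaNTPassword; LM and NT hashes are computed differently")
    return problems

DOMAIN_SID = "S-1-5-21-38098927-3018186934-2063245418"  # as printed by net getlocalsid in the post
STEFAN = {  # constructed sample, modelled on the stefan entry in the post
    "sambaSID": DOMAIN_SID,
    "sambaLMPassword": "c02717a286a249086de605daecb45436",
    "sambaNTPassword": "c02717a286a249086de605daecb45436",
}
```

Running check_samba_account(STEFAN, DOMAIN_SID) reports two findings: the user SID carries no RID, and the LM and NT values are identical.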