* [gentoo-user] LDAP + Samba as PDC
@ 2006-11-13 0:35 Raphael Melo de Oliveira Bastos Sales
2006-11-13 16:10 ` Cameron Lowe
0 siblings, 1 reply; 7+ messages in thread
From: Raphael Melo de Oliveira Bastos Sales @ 2006-11-13 0:35 UTC
To: gentoo-user
Hi everyone,

I've been trying to set up an authentication server for a mixed LAN
(Windows and Linux clients) and I'm having problems with Samba.

The way it is today, the Windows clients can access the Samba
server and each user can access its home, by double-clicking on the
server icon on the screen that shows all the machines on the network.

But I'm unable to register the client workstations on the server.
It says something like "user name not found" when I try to do it. But
the odd thing is, when I look in the LDAP server, there is a registry
of the client there.

I'd like to know if anyone has managed to do this type of thing
and, if possible, could send me the Samba config file (smb.conf) so I
can see what I'm doing wrong.

Here is my smb.conf file. If anyone detects what I'm doing wrong,
I'd be grateful. :)

[global]
server string = %L
workgroup = WORKGROUP
announce as = NT Server

hosts allow = 192.168.0.0/24
security = user
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = lo eth1
bind interfaces only = yes

local master = yes
os level = 100
domain master = yes
preferred master = yes

null passwords = no
#hide unreadable = yes

enable privileges = yes

domain logons = yes
logon script = login.bat
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\%U\.9xprofile

wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no

time server = yes
log file = /var/log/samba/log.%m
max log size = 50

passdb backend = ldapsam:ldaps://127.0.0.1:636/

ldap admin dn = cn=Laboratorio,dc=lara,dc=cic,dc=unb,dc=br
ldap port = 636
ldap suffix = dc=lara,dc=cic,dc=unb,dc=br
ldap server = ldaps://127.0.0.1:636/
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap delete dn = Yes
ldap password sync = yes

add group script = /usr/sbin/smbldap-groupadd -p "%g"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
delete user script = /usr/sbin/smbldap-userdel "%u"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
passwd program = /usr/sbin/smbldap-passwd
passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \
"*Password changed*"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

idmap backend = ldap:ldaps://127.0.0.1:636/
idmap uid = 10000-20000
idmap gid = 10000-20000

unix charset = ISO8859-1

profile acls = yes

[netlogon]
path = /var/lib/samba/netlogon
guest ok = no
read only = yes
browseable = no

[profiles]
path = /var/lib/samba/profiles
browseable = no
writeable = yes
default case = lower
preserve case = no
short preserve case = no
case sensitive = no
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
write list = @smbusers @root
create mask = 0600
directory mask = 0700
csc policy = disable

[homes]
path = /home/%U
browseable = no
valid users = %S
read only = no
guest ok = no
inherit permissions = yes
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] LDAP + Samba as PDC
From: Cameron Lowe @ 2006-11-13 16:10 UTC
To: gentoo-user
Last time I had to do something similar (no LDAP), I had to put a reg
hack on the XP machines. A quick search in Google should come up with the
reg hack.
* Re: [gentoo-user] LDAP + Samba as PDC
From: Raphael Melo de Oliveira Bastos Sales @ 2006-11-14 11:51 UTC
To: gentoo-user
On 11/13/06, Cameron Lowe <cameron@cameronlowe.com> wrote:
> Last time I had to do something similar (no LDAP), I had to put a reg
> hack on the XP machines. A quick search in Google should come up with the
> reg hack.
Hi Cameron,
thanks for the reply. Unfortunately, all the reg hacks I found
didn't work. If I find one that does, I'll post it here. :)
Regards,
Raphael
* Re: [gentoo-user] LDAP + Samba as PDC
From: Joshua Schmidlkofer @ 2006-11-14 23:00 UTC
To: gentoo-user
> Hi Cameron,
>
> thanks for the reply. Unfortunately, all the reg hacks I found
> didn't work. If I find one that does, I'll post it here. :)
>
> Regards,
>
> Raphael
This sounds exactly like you do not have the nsswitch.conf environment
correct on your Linux box. Are you using Winbind or nss_ldap? Once
you verify that, does getent find the user/workstation? Are you
using nscd?
Sincerely,
Joshua
* Re: [gentoo-user] LDAP + Samba as PDC
From: Raphael Melo de Oliveira Bastos Sales @ 2006-11-18 22:21 UTC
To: gentoo-user
On 11/14/06, Joshua Schmidlkofer <joshland@gmail.com> wrote:
> > Hi Cameron,
> >
> > thanks for the reply. Unfortunately, all the reg hacks I found
> > didn't work. If I find one that does, I'll post it here. :)
> >
> > Regards,
> >
> > Raphael
>
>
> This sounds exactly like you do not have the nsswitch.conf environment
> correct on your Linux box. Are you using Winbind or nss_ldap? Once
> you verify that, does getent find the user/workstation? Are you
> using nscd?
Sorry for taking this long, rough week. I didn't understand your
answer. The Linux box you're talking about is the Samba server?
What is Winbind? Or nss_ldap?
getent returns users, I don't know how to check for workstations.
What is nscd?
>
>
> Sincerely,
> Joshua
* Re: [gentoo-user] LDAP + Samba as PDC
From: Joshua Schmidlkofer @ 2006-11-19 19:56 UTC
To: gentoo-user
> Sorry for taking this long, rough week. I didn't understand your
> answer. The Linux box you're talking about is the Samba server?

Yes, the Samba server

> What is Winbind? Or nss_ldap?

How did you set up a PDC without using either nss_ldap or winbind?

nss_ldap:
* requires modification to /etc/ldap.conf
* requires the nss_ldap package.
* requires modification of /etc/nsswitch.conf

winbind:
* requires the winbind flag for the samba ebuild
* requires modification of /etc/nsswitch.conf

getent passwd
* returns users
* returns workstations & servers also (they will have a '$' at the end
  of the username).

Normally this is completed via nss_ldap, but I have used winbind
before, for the sake of not depending on the bleeding sore that is
nss_ldap. So, how is the local box finding the network users? From
your config, it appears that you are using smb-ldap tools, but is that
the case? If you cat /etc/passwd - do you see the users?

What does /etc/ldap.conf look like?

Sincerely,
Joshua
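
The two checks asked for in the message above, as an added example that is not part of the original thread: does the passwd line of nsswitch.conf consult ldap or winbind, and does the workstation's `name$` account show up in `getent passwd` output. The function names are hypothetical and the sample nsswitch.conf lines, users and the workstation name labpc01 are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# nss_sources FILE DB: print the lookup sources nsswitch.conf lists for DB.
nss_sources() {
    awk -v db="$2:" '{ sub(/#.*/, "") }
        $1 == db { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# has_directory_source "SOURCES": succeed if ldap or winbind is among them.
has_directory_source() {
    for src in $1; do
        case "$src" in ldap|winbind) return 0 ;; esac
    done
    return 1
}

# machine_accounts: from `getent passwd` output on stdin, print names ending in '$'.
machine_accounts() { awk -F: '$1 ~ /\$$/ { print $1 }'; }

# diagnose NSSWITCH GETENT_OUTPUT WORKSTATION
# returns 2: NSS never consults the directory; 1: machine account not visible; 0: ok
diagnose() {
    srcs=$(nss_sources "$1" passwd)
    if ! has_directory_source "$srcs"; then
        echo "passwd: '$srcs' lists neither ldap nor winbind"; return 2
    fi
    if ! machine_accounts < "$2" | grep -qxF "$3\$"; then
        echo "$3\$ is not visible through NSS"; return 1
    fi
    echo "$3\$ resolves as a Unix account"
}

# Constructed sample input.
demo=$(mktemp -d)
printf 'passwd: compat  # local files only\ngroup: compat\n' > "$demo/nss.local"
printf 'passwd: files ldap\ngroup: files ldap\n' > "$demo/nss.ldap"
cat > "$demo/getent.out" <<'EOF'
root:x:0:0:root:/root:/bin/bash
raphael:x:10001:513:Raphael:/home/raphael:/bin/bash
labpc01$:x:10002:515:Computer:/dev/null:/bin/false
EOF

diagnose "$demo/nss.local" "$demo/getent.out" labpc01 || true
diagnose "$demo/nss.ldap"  "$demo/getent.out" labpc02 || true
diagnose "$demo/nss.ldap"  "$demo/getent.out" labpc01
```

On the Samba server itself, pass /etc/nsswitch.conf and a file holding the output of `getent passwd` instead of the constructed samples.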
* Re: [gentoo-user] LDAP + Samba as PDC
From: Joshua Schmidlkofer @ 2006-11-19 20:01 UTC
To: gentoo-user
http://gentoo-wiki.com/HOWTO_LDAP_SAMBA_PDC_Basic_Setup#Configure_NSS_LDAP
Did you see this wiki on this? Have you read these sections?
Sincerely,
Joshua