Hello Dan,
On 11/9/12, Dan Lavu <dan(a)lavu.net> wrote:
> So I think you're missing one fundamental thing here. You still need to
> create the users in 389 to get this working correctly and have them show up
> in 'getent password', you might have to enumerate the users too. So adding
> the samba schema extends and adds the samba attributes to 389 but nothing
> is filling out the information
>
> For example,
> objectclass: sambaDomain
> objectclass: sambaUnixIdPool
> sambaDomainName: <YOURWORKGROUP>
> sambaSID: S-1-5-21-1803520230-1543781662-649387223 << You have to ask
> yourself what generates this?
>
> Nothing in 389 will, but smbpasswd -a will, so first make sure you can get
> a userlist on your linux machine,
>
> getent passwd -s ldap $userid
>
> Does the user show up? If it doesn't, configure your
> ldap.conf/nsswitch.conf/pam.d/* again or sssd.
>
> Dan
Well, 389-ds was already configured, so all posix users in the ldap
were able to log in to this server because I had configured the
server as an ldap client using nss_ldap libs (this being RHEL 5.8).
getent passwd pulls local as well as ldap users fine.
ldapsearch -x -Z '(uid=ugandhi)'
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (uid=ugandhi)
# requesting: ALL
#
# ugandhi, People, blah
dn: uid=ugandhi,ou=People,dc=abc,dc=def,dc=ghi
givenName: Upendra
sn: Gan
loginShell: /bin/bash
uidNumber: 200
gidNumber: 600
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: ugandhi
cn: Upendra Gan
homeDirectory: /home/ugandhi
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
getent passwd -s ldap ugandhi
ugandhi:*:200:600:Upendra Gan:/home/ugandhi:/bin/bash
So this part was always good (389-ds server and client and home
directory mounts via autofs).
Now my question is: Does the user need to exist in ldap (example
ugandhi above) and then smbpasswd -a ugandhi will work? I can of course
try it myself but is that the way it is supposed to be?
I think I had worked on a different implementation of SMB+OpenLDAP on
Ubuntu where the smb-ldap utils package was also used and smbldap-useradd
would add the user in both samba and ldap and both places had uid/gid
fields matching for that user.
The howto above didn't mention that testuser was existing in 389-ds
directory, or did I miss that part? The ldapsearch for testuser does
show uidNumber and gidNumber. So probably testuser already existed in
389-ds directory and smbpasswd -a testuser added those additional
samba fields as you said in your email. Correct me if I am
understanding this incorrectly.
Thanks again.
Upen
-----Original Message-----
From: upen [mailto:upendra.gandhi@gmail.com]
Sent: Thursday, November 8, 2012 10:09 PM
To: Dan Lavu
Cc: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] samba+ldap
On 11/8/12, Dan Lavu <dan(a)lavu.net> wrote:
> I also found the samba/ldap docs lacking, when I first tried to setup
> this up. Then I turned around and configured Kerberos/AD with samba
> and used Kerberos auth for my Linux machines.
>
> Now that I've done quite a few 389 implementations and going through
> that doc again, it makes sense to me. What part are you having trouble
> with?
>
> Dan
>
> *From:* upen <upendra.gandhi(a)gmail.com>
> *Sent:* November 8, 2012 5:33 PM
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* [389-users] samba+ldap
>
> Hello,
>
> I am trying to setup Samba with existing 389-ds on the same server.
> Following http://directory.fedoraproject.org/wiki/Howto:Samba didn't
> help.
> Does anyone know if there is any other useful updated document for
> this purpose?
Thanks for your feedback Dan.
I started noticing issue after completing the steps from that Howto.
First problem I encountered was smbadduser -a didn't work.
smbpasswd -a testuser
New SMB password:
Retype new SMB password:
Failed to modify password entry for user testuser
Then, out of curiosity I added a testuser account as a local unix account (non
ldap) and smbpasswd -a testuser worked after that change.
I really don't want to follow this path. Why would there be a need to add
local users in unix? Isn't there any other simpler way? I wonder.
After doing smbpasswd -a, I checked ldap database for user account.
ldapsearch -x -Z '(uid=testuser)'
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (uid=testuser)
# requesting: ALL
#
# testuser, People,
dn: uid=testuser,ou=People,dc=abc,dc=def,dc=ghi
uid: testuser
sambaSID: S-1-5-21-21252568-3149985612-3984985731-2004
sambaLMPassword: 19DA5A9CC97F169BAAD3B435B51404EE
sambaNTPassword: 0B6549421B2E7333E0E281F3BA5EEA94
sambaPasswordHistory:
00000000000000000000000000000000000000000000000000000000
00000000
sambaPwdLastSet: 1352429483
sambaAcctFlags: [U ]
objectClass: sambaSamAccount
objectClass: account
objectClass: top
I don't see uidnumber and gidnumber. Not sure what went wrong.
Thanks.
--
upen,
emerge -uD life (Upgrade Life with dependencies)
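As an added example (not from this thread or from the 389 project), a small Python check for the situation discussed above: it parses ldapsearch LDIF output and reports, per entry, whether the user carries both the posixAccount attributes NSS needs and the sambaSamAccount attributes smbpasswd writes, so a Samba-only entry without uidNumber/gidNumber shows up immediately. The sample LDIF, its SID and hash values are constructed placeholders, and the attribute sets in REQUIRED are my assumption of the minimum a combined account needs.

```python
# Constructed sample shaped like the thread's ldapsearch output (placeholder SID/hash).
SAMPLE_LDIF = """\
dn: uid=ugandhi,ou=People,dc=example,dc=com
uidNumber: 200
gidNumber: 600
homeDirectory: /home/ugandhi
objectClass: posixAccount

dn: uid=testuser,ou=People,dc=example,dc=com
sambaSID: S-1-5-21-PLACEHOLDER-2004
sambaNTPassword: PLACEHOLDER-NT-HASH
sambaPasswordHistory: 00000000000000000000000000000000
 00000000
objectClass: sambaSamAccount
objectClass: account
"""

# Assumed minimum: objectClass -> attributes it must carry for NSS and Samba to agree.
REQUIRED = {"posixAccount": ("uidNumber", "gidNumber", "homeDirectory"),
            "sambaSamAccount": ("sambaSID", "sambaNTPassword")}

def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}} from ldapsearch LDIF output."""
    entries, attrs = {}, None
    for line in text.replace("\n ", "").splitlines():  # unfold RFC 2849 continuation lines
        if not line:                                  # blank line ends the current entry
            attrs = None
        elif not line.startswith("#"):                # skip ldapsearch comment lines
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                attrs = entries.setdefault(value, {})
            elif attrs is not None:
                attrs.setdefault(name, []).append(value)
    return entries

def check_entry(attrs):
    """List the objectClasses and attributes a combined POSIX+Samba account lacks."""
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    missing = []
    for oc, required in REQUIRED.items():
        if oc.lower() not in classes:
            missing.append("objectClass " + oc)
        missing += [a for a in required if a.lower() not in attrs]
    return missing

def audit(text):
    """Map each dn in the LDIF to what it lacks (empty list = complete)."""
    return {dn: check_entry(a) for dn, a in parse_ldif(text).items()}

if __name__ == "__main__":
    for dn, missing in audit(SAMPLE_LDIF).items():
        print(dn, "->", "missing " + ", ".join(missing) if missing else "OK")
```

Run it against real output with `audit(open("users.ldif").read())` after `ldapsearch -x -Z '(objectClass=*)' > users.ldif`; an entry reported as lacking posixAccount is one smbpasswd created or extended without the POSIX identity NSS resolves.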