[389-users] samba+ldap

upen upendra.gandhi at gmail.com
Fri Nov 9 14:10:57 UTC 2012


Hello Dan,

On 11/9/12, Dan Lavu <dan at lavu.net> wrote:
> So I think you're missing one fundamental thing here. You still need to
> create the users in 389 to get this working correctly and have them show up
> in 'getent password', you might have to enumerate the users too. So adding
> the samba schema extends and adds the samba attributes to 389 but nothing
> is filling out the information
>
> For example,
> objectclass: sambaDomain
> objectclass: sambaUnixIdPool
> sambaDomainName: <YOURWORKGROUP>
> sambaSID: S-1-5-21-1803520230-1543781662-649387223 << You have to ask
> yourself what generates this?
>
> Nothing in 389 will, but smbpasswd -a will, so first make sure you can get
> a userlist on your linux machine,
>
> getent passwd  -s ldap $userid
>
> Does the user show up? If it doesn't, configure your
> ldap.conf/nsswitch.conf/pam.d/* again or sssd.
>
> Dan

Well, 389-ds was already configured, so all posix users in the ldap
were able to log in to this server because I had configured the
server as an ldap client using nss_ldap libs, this being RHEL 5.8.

getent passwd pulls local as well as ldap users fine.

ldapsearch -x -Z '(uid=ugandhi)'
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (uid=ugandhi)
# requesting: ALL
#

# ugandhi, People, blah
dn: uid=ugandhi,ou=People,dc=abc,dc=def,dc=ghi
givenName: Upendra
sn: Gan
loginShell: /bin/bash
uidNumber: 200
gidNumber: 600
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: ugandhi
cn: Upendra Gan
homeDirectory: /home/ugandhi

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

getent passwd -s ldap ugandhi
ugandhi:*:200:600:Upendra Gan:/home/ugandhi:/bin/bash

So this part was always good (389-ds server and client and home
directory mounts via autofs)

Now my question is: Does the user need to exist in ldap (example
ugandhi above) and then smbpasswd -a ugandhi will work? I can of course
try it myself but is that the way it is supposed to be?

I think I had worked on a different implementation of SMB+OpenLDAP on
Ubuntu where the smb-ldap utils package was also used and smbldap-useradd
would add the user in both samba and ldap and both places had uid/gid
fields matching for that user.

The howto above didn't mention that testuser already existed in the 389-ds
directory, or did I miss that part? The ldapsearch for testuser does
show uidNumber and gidNumber. So probably testuser already existed in the
389-ds directory and smbpasswd -a testuser added those additional
samba fields as you said in your email. Correct me if I am
understanding this incorrectly.

Thanks again.
Upen
>
>
> -----Original Message-----
> From: upen [mailto:upendra.gandhi at gmail.com]
> Sent: Thursday, November 8, 2012 10:09 PM
> To: Dan Lavu
> Cc: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] samba+ldap
>
> On 11/8/12, Dan Lavu <dan at lavu.net> wrote:
>> I also found the samba/ldap docs lacking, when I first tried to set
>> this up. Then I turned around and configured Kerberos/AD with samba
>> and used Kerberos auth for my Linux machines.
>>
>> Now that I've done quite a few 389 implementations and going through
>> that doc again, it makes sense to me. What part are you having trouble
>> with?
>>
>> Dan
>>
>>  *From:* upen <upendra.gandhi at gmail.com>
>> *Sent:* November 8, 2012 5:33 PM
>> *To:* General discussion list for the 389 Directory server project.
>> *Subject:* [389-users] samba+ldap
>>
>> Hello,
>>
>> I am trying to setup Samba with existing 389-ds on the same server.
>> Following http://directory.fedoraproject.org/wiki/Howto:Samba didn't
>> help.
>> Does anyone know if there is any other useful updated document for
>> this purpose?
>
> Thanks for your feedback Dan.
>
> I started noticing issues after completing the steps from that Howto.
> The first problem I encountered was that smbadduser -a didn't work.
>
> smbpasswd -a testuser
> New SMB password:
> Retype new SMB password:
> Failed to modify password entry for user testuser
>
> Then, out of curiosity I added a testuser account as a local unix account
> (non-ldap) and smbpasswd -a testuser worked after that change.
> I really don't want to follow this path. Why would there be a need to add
> local users in unix? Isn't there any other simpler way? I wonder.
>
> After doing smbpasswd -a, I checked ldap database for user account.
>
> ldapsearch -x -Z '(uid=testuser)'
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope subtree
> # filter: (uid=testuser)
> # requesting: ALL
> #
>
> # testuser, People,
> dn: uid=testuser,ou=People,dc=abc,dc=def,dc=ghi
> uid: testuser
> sambaSID: S-1-5-21-21252568-3149985612-3984985731-2004
> sambaLMPassword: 19DA5A9CC97F169BAAD3B435B51404EE
> sambaNTPassword: 0B6549421B2E7333E0E281F3BA5EEA94
> sambaPasswordHistory:
> 00000000000000000000000000000000000000000000000000000000
>  00000000
> sambaPwdLastSet: 1352429483
> sambaAcctFlags: [U          ]
> objectClass: sambaSamAccount
> objectClass: account
> objectClass: top
>
> I don't see uidnumber and gidnumber. Not sure what went wrong.
>
> Thanks.
>
>


-- 
upen,
emerge -uD life (Upgrade Life with dependencies)
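As an added check (example code, not from the thread or from 389/Samba): parse ldapsearch LDIF output and report, per uid, whether the posixAccount attributes (uidNumber/gidNumber) and the sambaSamAccount attributes sit on the same entry. The "samba-only" result is exactly the testuser state quoted above, where smbpasswd -a created a separate entry because the user only existed locally. The sample LDIF is constructed from the two entries in the thread, abbreviated.

```python
# Added example, not the thread's code; the sample below is constructed.
SAMPLE_LDIF = """\
# ugandhi, People, blah
dn: uid=ugandhi,ou=People,dc=abc,dc=def,dc=ghi
uidNumber: 200
gidNumber: 600
objectClass: posixAccount
uid: ugandhi

# testuser, People,
dn: uid=testuser,ou=People,dc=abc,dc=def,dc=ghi
uid: testuser
sambaPasswordHistory: 0000000000000000
 00000000
objectClass: sambaSamAccount
"""

def parse_ldif(text):
    """Return one {attr: [values]} dict per entry; unfolds LDIF
    continuation lines (leading space) and skips '#' comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # fold into the previous line
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:               # trailing "" flushes last entry
        if not line:
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip(), []).append(value.strip())
    return entries

def audit(text):
    """uid -> 'ok' | 'posix-only' | 'samba-only' | 'neither'."""
    report = {}
    for e in parse_ldif(text):
        classes = {c.lower() for c in e.get("objectClass", [])}
        posix = "posixaccount" in classes and {"uidNumber", "gidNumber"} <= set(e)
        samba = "sambasamaccount" in classes
        uid = e.get("uid", e.get("dn", ["?"]))[0]
        report[uid] = ("ok" if posix and samba else "posix-only" if posix
                       else "samba-only" if samba else "neither")
    return report
```

Run it against `ldapsearch -x -Z '(objectClass=*)'` output from the People subtree; a user who should appear in both `getent passwd` and the Samba passdb is correct only when it reports "ok".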