[389-users] samba+ldap

upen upendra.gandhi at gmail.com
Fri Nov 9 15:15:16 UTC 2012


On 11/9/12, upen <upendra.gandhi at gmail.com> wrote:
> Hello Dan,
>
> On 11/9/12, Dan Lavu <dan at lavu.net> wrote:
>> So I think you're missing one fundamental thing here. You still need to
>> create the users in 389 to get this working correctly and have them show
>> up in 'getent password', you might have to enumerate the users too. So
>> adding the samba schema extends and adds the samba attributes to 389 but
>> nothing is filling out the information
>>
>> For example,
>> objectclass: sambaDomain
>> objectclass: sambaUnixIdPool
>> sambaDomainName: <YOURWORKGROUP>
>> sambaSID: S-1-5-21-1803520230-1543781662-649387223 << You have to ask
>> yourself what generates this?
>>
>> Nothing in 389 will, but smbpasswd -a will, so first make sure you can
>> get a userlist on your linux machine,
>>
>> getent passwd  -s ldap $userid
>>
>> Does the user show up? If it doesn't, configure your
>> ldap.conf/nsswitch.conf/pam.d/* again or sssd.
>>
>> Dan
>
> Well, 389-ds was already configured, so all posix users in the ldap
> were able to log in to this server because I had configured the
> server as ldap client using nss_ldap libs, this being RHEL 5.8.
>
> getent passwd pulls local as well as ldap users fine.
>
> ldapsearch -x -Z '(uid=ugandhi)'
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope subtree
> # filter: (uid=ugandhi)
> # requesting: ALL
> #
>
> # ugandhi, People, blah
> dn: uid=ugandhi,ou=People,dc=abc,dc=def,dc=ghi
> givenName: Upendra
> sn: Gan
> loginShell: /bin/bash
> uidNumber: 200
> gidNumber: 600
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: posixAccount
> uid: ugandhi
> cn: Upendra Gan
> homeDirectory: /home/ugandhi
>
> # search result
> search: 3
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>  getent passwd  -s ldap ugandhi
> ugandhi:*:200:600:Upendra Gan:/home/ugandhi:/bin/bash
>
> So this part was always good (389-ds server and client and home
> directory mounts via autofs)
>
> Now my question is: Does the user need to exist in ldap (example
> ugandhi above) and then smbpasswd -a ugandhi will work? I can of course
> try it myself but is that the way it is supposed to be?

I think I didn't read this line in the HowTo, correctly - Finally
start the Samba service and map an "existing" user entry to a Samba
user

So that does probably mean that I need to have 'testuser' in the
389-ds directory prior to running smbpasswd -a testuser. Sorry for
the ignorance.

>
> I think I had worked on different implementation of SMB+OpenLDAP on
> Ubuntu where smb-ldap utils package was also used and smbldap-useradd
> would add the user in both samba and ldap and both places had uid/gid
> fields matching for that user.
>
> The howto above didn't mention that testuser was existing in 389-ds
> directory, or did I miss that part? The ldapsearch for testuser does
> show uidNumber and gidNumber. So probably testuser already existed in
> 389-ds directory and smbpasswd -a testuser added those additional
> samba fields as you said in your email. Correct me if I am
> understanding this incorrectly.
>
> Thanks again.
> Upen
>>
>>
>> -----Original Message-----
>> From: upen [mailto:upendra.gandhi at gmail.com]
>> Sent: Thursday, November 8, 2012 10:09 PM
>> To: Dan Lavu
>> Cc: General discussion list for the 389 Directory server project.
>> Subject: Re: [389-users] samba+ldap
>>
>> On 11/8/12, Dan Lavu <dan at lavu.net> wrote:
>>> I also found the samba/ldap docs lacking, when I first tried to set
>>> this up. Then I turned around and configured Kerberos/AD with samba
>>> and used Kerberos auth for my Linux machines.
>>>
>>> Now that I've done quite a few 389 implementations and going through
>>> that doc again, it makes sense to me. What part are you having trouble
>>> with?
>>>
>>> Dan
>>>
>>>  *From:* upen <upendra.gandhi at gmail.com>
>>> *Sent:* November 8, 2012 5:33 PM
>>> *To:* General discussion list for the 389 Directory server project.
>>> *Subject:* [389-users] samba+ldap
>>>
>>> Hello,
>>>
>>> I am trying to set up Samba with existing 389-ds on the same server.
>>> Following http://directory.fedoraproject.org/wiki/Howto:Samba didn't
>>> help.
>>> Does anyone know if there is any other useful updated document for
>>> this purpose?
>>
>> Thanks for your feedback Dan.
>>
>> I started noticing issues after completing the steps from that Howto.
>> The first problem I encountered was that smbadduser -a didn't work.
>>
>> smbpasswd -a testuser
>> New SMB password:
>> Retype new SMB password:
>> Failed to modify password entry for user testuser
>>
>> Then, out of curiosity I added a testuser account in local unix
>> accounts (non-ldap) and smbpasswd -a testuser worked after that change.
>> I really don't want to follow this path. Why would there be a need to add
>> local users in unix? Isn't there any other simpler way? I wonder.
>>
>> After doing smbpasswd -a, I checked ldap database for user account.
>>
>> ldapsearch -x -Z '(uid=testuser)'
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <> with scope subtree
>> # filter: (uid=testuser)
>> # requesting: ALL
>> #
>>
>> # testuser, People,
>> dn: uid=testuser,ou=People,dc=abc,dc=def,dc=ghi
>> uid: testuser
>> sambaSID: S-1-5-21-21252568-3149985612-3984985731-2004
>> sambaLMPassword: 19DA5A9CC97F169BAAD3B435B51404EE
>> sambaNTPassword: 0B6549421B2E7333E0E281F3BA5EEA94
>> sambaPasswordHistory:
>> 00000000000000000000000000000000000000000000000000000000
>>  00000000
>> sambaPwdLastSet: 1352429483
>> sambaAcctFlags: [U          ]
>> objectClass: sambaSamAccount
>> objectClass: account
>> objectClass: top
>>
>> I don't see uidnumber and gidnumber. Not sure what went wrong.
>>
>> Thanks.
>>
>>
>
>
> --
> upen,
> emerge -uD life (Upgrade Life with dependencies)
>


-- 
upen,
emerge -uD life (Upgrade Life with dependencies)
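What the thread circles around is visible in the two ldapsearch dumps: the ugandhi entry is a posixAccount with uidNumber/gidNumber and no Samba attributes, while the testuser entry that smbpasswd -a created against a local /etc/passwd user is an "account" with sambaSamAccount attributes and no POSIX identity at all. The checker below is an added example written for this thread; it is not code from the 389 Directory Server or Samba projects. It parses LDIF the way ldapsearch prints it (comments, multi-valued attributes, leading-space continuation lines) and reports, per entry, whether the Unix identity and the Samba attributes are present, plus the things an admin would want flagged. SAMPLE_LDIF is constructed from the two entries quoted in the thread. The RID/uid arithmetic assumes Samba's default algorithmic mapping (RID = 2*uid + 1000, "algorithmic rid base" left at its default); a sambaUnixIdPool/sambaNextRid allocator hands out RIDs sequentially instead, so treat that part as a hint only.

```python
"""Check LDAP entries for the POSIX and Samba attributes that smbpasswd -a relies on.

Added example for this thread, not code from the 389 or Samba projects.
SAMPLE_LDIF is constructed from the two entries quoted in the thread.
"""

# Assumption: Samba's default 'algorithmic rid base' and mapping RID = 2*uid + 1000.
ALGORITHMIC_RID_BASE = 1000

SAMPLE_LDIF = """\
# ugandhi, People (posixAccount only; constructed from the thread)
dn: uid=ugandhi,ou=People,dc=abc,dc=def,dc=ghi
givenName: Upendra
sn: Gan
loginShell: /bin/bash
uidNumber: 200
gidNumber: 600
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: ugandhi
cn: Upendra Gan
homeDirectory: /home/ugandhi

# testuser, People (what smbpasswd -a produced against a local unix user)
dn: uid=testuser,ou=People,dc=abc,dc=def,dc=ghi
uid: testuser
sambaSID: S-1-5-21-21252568-3149985612-3984985731-2004
sambaLMPassword: 19DA5A9CC97F169BAAD3B435B51404EE
sambaNTPassword: 0B6549421B2E7333E0E281F3BA5EEA94
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1352429483
sambaAcctFlags: [U          ]
objectClass: sambaSamAccount
objectClass: account
objectClass: top
"""


def parse_ldif(text):
    """Return a list of entries, each a dict: lower-cased attribute -> list of values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # LDIF folds long values onto ' '-prefixed lines
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():                     # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):                 # ldapsearch commentary
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def uid_to_rid(uid_number):
    return 2 * uid_number + ALGORITHMIC_RID_BASE


def rid_to_uid(rid):
    """Inverse of uid_to_rid; None when the RID cannot come from the user mapping."""
    offset = rid - ALGORITHMIC_RID_BASE
    return offset // 2 if offset >= 0 and offset % 2 == 0 else None


def check_entry(entry):
    """Classify one entry and list what a Samba+LDAP admin would want to know about it."""
    oc = {v.lower() for v in entry.get("objectclass", [])}
    has_posix = "posixaccount" in oc and "uidnumber" in entry and "gidnumber" in entry
    has_samba = "sambasamaccount" in oc and "sambasid" in entry and "sambantpassword" in entry
    findings = []
    if not has_posix:
        findings.append("no POSIX identity (posixAccount/uidNumber/gidNumber): NSS cannot resolve "
                        "this user from LDAP, so the Unix side must be coming from a local account")
    if has_samba:
        rid = int(entry["sambasid"][0].rsplit("-", 1)[1])
        if not has_posix:
            findings.append(f"sambaSID RID {rid} corresponds to uid {rid_to_uid(rid)} under the "
                            "algorithmic mapping, a uid this entry does not carry")
        if "sambalmpassword" in entry:
            findings.append("LM hash stored: LM upper-cases and splits the password into two "
                            "independent 7-byte DES keys and is trivially cracked; use 'lanman auth = no'")
        flags = entry.get("sambaacctflags", [""])[0]
        if "D" in flags:
            findings.append("account disabled (sambaAcctFlags D)")
        if "N" in flags:
            findings.append("no password required (sambaAcctFlags N)")
    return {"dn": entry.get("dn", ["?"])[0], "posix": has_posix,
            "samba": has_samba, "findings": findings}


if __name__ == "__main__":
    for result in (check_entry(e) for e in parse_ldif(SAMPLE_LDIF)):
        print(result["dn"], "posix=%s samba=%s" % (result["posix"], result["samba"]))
        for f in result["findings"]:
            print("   -", f)
```

Run as-is it reports ugandhi as posix-only and testuser as samba-only, and the RID 2004 on testuser resolves to uid 502 under the default mapping, which is consistent with the SID having been computed from the local unix user rather than from anything in the directory. Two caveats the dumps also show: both ldapsearch runs in the thread are simple binds with no -D, and they returned sambaNTPassword and sambaLMPassword. The NT hash is the SMB credential (it authenticates directly, without the password), so the Samba schema alone is not enough; the 389 ACIs have to deny read/search/compare on sambaNTPassword, sambaLMPassword and sambaPasswordHistory to everyone but the bind DN Samba uses. And the presence of sambaLMPassword means LM hashes are being kept; 'lanman auth = no' in smb.conf is the setting to check.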
