-------- Original - Text --------
What are you having problems with? Is this a new installation or an existing system?
It is an new installation on an opensuse 11.4. I have both services running on the same box: ldap and samba
When I try to connect using a smb client, the debug log ist stating "key expired". Before that I got an NT_USER_NOT_KNOW. But right now I remember that I added the Netbios-Statement in smb.conf and in that time the debug message changed from user not known to key expired. I do not want to use netbios if possible - it was just added as another try to get it running. Could it be that I have to
From my understanding one needs the samba3.schema because Windows
stores passwords different than unix does and there is no way to convert. Therefore you only need to set the 2 passwordNT/LM fields and the sambaSID - the passwords are taken from those NT/LM fields. Is that right?
The group matching will be done without any problems using the group value defined in posixAccount. Is that right or am I mistaken? So for example: If stefan has defined gidNumber 100, based on this information it will be possible to find out that in the config below stefan belongs to group users (based again on gidNumber and memberUiD). Right or wrong?
Here are the essentials of my configuration details for both services.
I do have dn: ou=Group,dc=xxxxx,dc=de dn: ou=People,dc=xxxxx,dc=de
also I have:
dn: uid=stefan,ou=People,dc=xxxxx,dc=de uid: stefan cn: stefan objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount objectClass: sambaSamAccount shadowLastChange: 13572 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 632 gidNumber: 100 homeDirectory: /home/users/stefan structuralObjectClass: account entryUUID: 57264e20-2261-102c-9ecf-9fa815f26773 creatorsName: cn=Manager,dc=xxxxx,dc=de createTimestamp: 20071108161351Z sambaSID: S-1-5-21-38098927-3018186934-2063245418 sambaLMPassword: c02717a286a249086de605daecb45436 sambaNTPassword: c02717a286a249086de605daecb45436 userPassword:: 1111111111111111111111111= = sambaPwdLastSet: 0 sambaPwdMustChange: 0 entryCSN: 20110321231822.373017Z#000000#000#000000 modifiersName: cn=Manager,dc=xxxxx,dc=de modifyTimestamp: 20110321231822Z
Note: the sambaLMPassword and the sambaNTPassword values are created via a php script which first builds the md4-sum of the base password and after that does another binary transformation. I read this should be the format samba is expecting the value. Is that right or did I something wrong at this step?
-------------------------------------------------------------------------------- I have this definition also dn: cn=users,ou=Group,dc=xxxxx,dc=de objectClass: posixGroup objectClass: namedObject objectClass: top cn: users userPassword:: 1111111111111111 gidNumber: 100 memberUid: sadmin memberUid: stefan structuralObjectClass: namedObject entryUUID: 106c209a-226b-102c-9f4d-9fa815f26773 creatorsName: cn=Manager,dc=xxxxx,dc=de createTimestamp: 20071108172328Z entryCSN: 20110321210104.815232Z#000000#000#000000 modifiersName: cn=Manager,dc=xxxxx,dc=de modifyTimestamp: 20110321210104Z
---------------------------------------------------------------------
Also I do have that, which confuses me: Why does the root user only have the value sambaAcctFlags set? Where does this entry come from - I did not define it in my ldif import.
dn: uid=root,ou=People,dc=xxxxx,dc=de uid: root sambaSID: S-1-5-21-38098927-3018186934-2063245418-1000 displayName: root sambaPwdCanChange: 1300747942 sambaNTPassword: 111111111111111111 sambaPwdLastSet: 1300747942 sambaAcctFlags: [U ] objectClass: sambaSamAccount objectClass: account structuralObjectClass: account entryUUID: a0626f44-e859-102f-8432-f5e997da80c3 creatorsName: cn=Manager,dc=xxxxx,dc=de createTimestamp: 20110321225222Z entryCSN: 20110321225222.093965Z#000000#000#000000 modifiersName: cn=Manager,dc=xxxxx,dc=de modifyTimestamp: 20110321225222Z
This is my slapd.conf:
ldapnix:~ # cat /etc/openldap/slapd.conf | grep -vi "^#" include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/rfc2307bis.schema include /etc/openldap/schema/yast.schema include /etc/openldap/schema/samba3.schema
pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args access to dn.base="" by * read access to attrs=userPassword,userPKCS12 by self write by * auth access to attrs=shadowLastChange by self write by * read access to * by * read database bdb monitoring on suffix "dc=xxxxx,dc=de" checkpoint 1024 5 cachesize 10000 rootdn "cn=Manager,dc=xxxxx,dc=de" rootpw secret directory /var/lib/ldap index objectClass eq
------------------------------------------------------------------------- This is my smb.conf:
[global] unix charset = UTF-8 workgroup = PRIVAT interfaces = 192.168.1.46 update encrypted = Yes map to guest = Bad User root directory = / #username map = /etc/samba/smbusers # Logging - 5000 KB, Samba behält eine .old-Datei log level = 3 max log size = 5000 printcap name = cups logon path = \%L\profiles.msprofile logon drive = P: logon home = \%L%U.9xprofile domain master = No ldap ssl = Off idmap uid = 10000-20000 idmap gid = 10000-20000 printer admin = @ntadmin, root, administrator ldap admin dn = cn=Manager,dc=xxxxx,dc=de passdb backend = ldapsam:ldap://ldap.privat.xxxxx.de/ ldapsam:trusted = yes ldapsam:editposix = yes ldap debug level = 1 ldap user suffix = ou=People #ldap group suffix = ou=Groups ldap group suffix = ou=Group ldap machine suffix = ou=Computers ldap suffix = dc=xxxxx,dc=de wins support = No add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$ domain logons = No ldap idmap suffix = ou=Idmap ldap passwd sync = No netbios name = LDAPNIX security = user wins server =
I do have a share definition like that:
[users] comment = All users path = /home/users valid users = @users, @susers, root read only = No inherit permissions = Yes
I added the password for the "cn=Manager,dc=xxxxx,dc=de" using smbpasswd -w secret The tdbdump /etc/samba/secrets.tdb command shows thoses entries: key(53) = "SECRETS/LDAP_BIND_PW/cn=Manager,dc=xxxxx,dc=de" data(7) = "secret\00" } { key(21) = "SECRETS/SID/PRIVAT" data(68) = "\01\04\00\00\00\00\00\05\15\00\00\00\EFWE\02\B6\E0\E5\B3j\A0\FAz\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00" } { key(19) = "SECRETS/SID/LDAPNIX" data(68) = "\01\04\00\00\00\00\00\05\15\00\00\00\EFWE\02\B6\E0\E5\B3j\A0\FAz\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00" }
I get this output also: ldapnix:~ # net getlocalsid SID der Domäne LDAPNIX ist: S-1-5-21-38098927-3018186934-2063245418
I really like to understand. If you guide me what to do and it would make sense I would also set it up from scratch to understand what is going on. But I do not want to use libs or "special" scripts which will hide the process without the chance to understand.
Thanks for your help.
-fuz