On Tuesday, 22 March 2011 16:42:11 fuzzy_4711 wrote:
> -------- Original - Text --------
>> What are you having problems with? Is this a new installation or an
>> existing system?
> It is a new installation on an openSUSE 11.4.
> I have both services running on the same box: ldap and samba.
> When I try to connect using an SMB client,
Can you be more specific? Of course, testing with a client may be premature if
you haven't tested with pdbedit or 'smbpasswd username' or similar.
> the debug log is stating "key expired". Before that I got
I don't believe that is actually a valid error, and with 'map to guest = Bad
User' you shouldn't get anything similar, please provide *actual* error.
> But right now I remember that I added the Netbios-Statement in
> that time the debug message changed from user not known to
> key expired. I do not want to use netbios if possible - it was just
> added as another try to get it running. Could it be that I have to
> From my understanding one needs the samba3.schema because Windows
> stores passwords differently than Unix does and there is no way to
> convert. Therefore you only need to set the 2 passwordNT/LM fields
> and the sambaSID - the passwords are taken from those
> NT/LM fields. Is that right?
> The group matching will be done without any problems using the
> group value defined in posixAccount. Is that right or am I mistaken?
> So for example: If stefan has defined gidNumber 100, based on
> this information it will be possible to find out that in the config below
> stefan belongs to group users (based again on gidNumber and
> memberUid). Right or wrong?
Upstream samba doesn't seem to support use of rfc2307bis groups with
ldapsam:trusted = yes. But, let's not worry about groups yet, if you can't
authenticate a user.
> Here are the essentials of my configuration details for both
> I do have
> also I have:
This looks like a domain sid, not a user sid. Of course, pdbedit should tell
you that ...
How did you create this user? Note that 'smbpasswd -a stefan' should have been
able to do it, and would have done it correctly.
> Note: the sambaLMPassword and the sambaNTPassword values are
> created via a php script which first builds the md4-sum of the base
> password and after that does another binary transformation. I read this
> should be the format samba is expecting the value. Is that right or did
> I do something wrong at this step?
Well, I would exclude software that you may not know works, e.g. use
'smbpasswd username' to set the passwords ...
> ----- I have this definition also
> Also I do have that, which confuses me: Why does the
> root user only have the value sambaAcctFlags set?
> Where does this entry come from - I did not define
> it in my ldif import.
> sambaAcctFlags: [U ]
Maybe you can tell us what you did at this time ^^^ ?
> This is my slapd.conf:
> ldapnix:~ # cat /etc/openldap/slapd.conf | grep -vi "^#"
> access to dn.base=""
>         by * read
> access to attrs=userPassword,userPKCS12
>         by self write
>         by * auth
> access to attrs=shadowLastChange
>         by self write
>         by * read
> access to *
>         by * read
> checkpoint 1024 5
> index objectClass eq
You will at minimum need more indexes ...
> This is my smb.conf:
>         unix charset = UTF-8
>         workgroup = PRIVAT
>         interfaces = 192.168.1.46
>         update encrypted = Yes
>         map to guest = Bad User
>         root directory = /
>         #username map = /etc/samba/smbusers
>         # Logging - 5000 KB, Samba keeps one .old file
>         log level = 3
>         max log size = 5000
>         printcap name = cups
>         logon path = \\%L\profiles\.msprofile
>         logon drive = P:
>         logon home = \\%L\%U\.9xprofile
>         domain master = No
>         ldap ssl = Off
>         idmap uid = 10000-20000
>         idmap gid = 10000-20000
>         printer admin = @ntadmin, root, administrator
>         ldap admin dn = cn=Manager,dc=xxxxx,dc=de
>         passdb backend = ldapsam:ldap://ldap.privat.xxxxx.de/
>         ldapsam:trusted = yes
>         ldapsam:editposix = yes
>         ldap debug level = 1
>         ldap user suffix = ou=People
>         #ldap group suffix = ou=Groups
>         ldap group suffix = ou=Group
>         ldap machine suffix = ou=Computers
>         ldap suffix = dc=xxxxx,dc=de
>         wins support = No
>         add machine script = /sbin/yast
>         domain logons = No
>         ldap idmap suffix = ou=Idmap
>         ldap passwd sync = No
>         netbios name = LDAPNIX
>         security = user
>         wins server =
> I do have a share definition like that:
>         comment = All users
>         path = /home/users
>         valid users = @users, @susers, root
>         read only = No
>         inherit permissions = Yes
> I added the password for the "cn=Manager,dc=xxxxx,dc=de" using
> smbpasswd -w secret
What does 'pdbedit -L' say?
If it doesn't list any users, maybe run 'pdbedit -d10 -L', or 'pdbedit
stefan'. If you can't see a problem here, the LDAP server's logs (at, or
including level 256 or 'stats') would be useful.
> I get this output also:
> ldapnix:~ # net getlocalsid
> SID der Domäne LDAPNIX ist: S-1-5-21-38098927-3018186934-2063245418
> I really like to understand. If you guide me what to do
> and it would make sense I would also set it up from scratch to
> understand what is going on. But I do not want to use libs or "special"
You could of course use standard utilities (such as smbpasswd, pdbedit etc.)
instead of your own scripts, which may get things wrong ...
> which will hide the process without the chance to understand.
> Thanks for your help.
Notice how almost none of my questions have *anything* to do with OpenLDAP
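Added example, not part of the thread: a small Python check for the two defects the reply points at, a sambaSID that is really the domain SID with no RID appended, and hand-built sambaNTPassword/sambaLMPassword values that are not the 32 upper-case hex digits Samba stores. The domain SID is the one net getlocalsid printed above; the dn, the RID 3000 and the hash values in the sample entries are constructed, and the check only validates the form of the SID, not whether that RID is the one Samba allocated.

```python
import re

# Domain SID exactly as 'net getlocalsid' printed it in the thread.
LOCAL_DOMAIN_SID = "S-1-5-21-38098927-3018186934-2063245418"
# S-1-5-21 plus three sub-authorities, then an optional trailing RID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(?:-(\d+))?$")
# Samba stores sambaNTPassword/sambaLMPassword as 32 upper-case hex digits.
HASH_RE = re.compile(r"^[0-9A-F]{32}$")


def parse_ldif(text):
    """Parse one simple LDIF entry into {attribute: [values]} (no base64 or folding)."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
    return entry


def check_samba_account(entry, domain_sid=LOCAL_DOMAIN_SID):
    """Return the list of problems found; an empty list means the entry passes."""
    problems = []
    sid = entry.get("sambaSID", [""])[0]
    m = SID_RE.match(sid)
    if not m:
        problems.append("sambaSID missing or malformed")
    elif m.group(1) is None:
        # The reply's point: a SID without a RID is a domain SID, not a user SID.
        problems.append("sambaSID has no RID: it is a domain SID, not a user SID")
    elif not sid.startswith(domain_sid + "-"):
        problems.append("sambaSID is not in the local domain " + domain_sid)
    for attr in ("sambaNTPassword", "sambaLMPassword"):
        for value in entry.get(attr, []):
            if not HASH_RE.match(value):
                problems.append(attr + " is not 32 upper-case hex digits")
    return problems


# Constructed sample entries; the hash values are dummies, not real password hashes.
BROKEN_ENTRY = parse_ldif("""dn: uid=stefan,ou=People,dc=xxxxx,dc=de
sambaSID: S-1-5-21-38098927-3018186934-2063245418
sambaNTPassword: 0123456789abcdef0123456789abcdef
sambaAcctFlags: [U          ]
""")
FIXED_ENTRY = parse_ldif("""dn: uid=stefan,ou=People,dc=xxxxx,dc=de
sambaSID: S-1-5-21-38098927-3018186934-2063245418-3000
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaAcctFlags: [U          ]
""")
```

Running check_samba_account over an LDIF export of ou=People before the first pdbedit -L attempt separates "the entry is wrong" from "Samba cannot read the entry", which is the distinction the reply is trying to reach.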