# Samba LDAP Questions

## pgb

Hello,

I have a server with LDAP Authentication working.

I just emerged samba, and configured like this:

```

[global]

        workgroup = DOMAIN

        server string = Domain Development Server

        map to guest = Bad User

        obey pam restrictions = yes

        passdb backend = ldapsam:ldap://auth.domain.com

        #username map = /etc/samba/smbusers

        log file = /var/log/samba/log.%m

        max log size = 50

        time server = Yes

        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

        os level = 65

        preferred master = yes

        domain master = yes

        dns proxy = no

        wins support = yes

        add user script = /usr/share/samba/scripts/smbldap-useradd '%u'

        ldap admin dn = cn=Manager,dc=domain,dc=com

        ldap delete dn = Yes

        ldap group suffix = ou=Groups

        ldap idmap suffix = ou=People

        ldap passwd sync = yes

        ldap suffix = dc=domain,dc=com

        ldap user suffix = ou=People

[homes]

        comment = Home Directories

        path = /home/%u

        read only = no

        browseable = no

```

Samba starts ok, and I can see it from the Windows workstations (I don't intend to run a PDC, just a samba server), but can't login using the Unix accounts.

The errors in the logs read:

```

[2005/02/09 08:06:31, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1982)

  ldapsam_search_one_group: Problem during the LDAP search: LDAP error:  (No such object)

```

anytime I try to login to the computer. Any pointer or hint?

Thanks in advance.

----------

## Adamal

Looks like you didn't build your ldap database.  Look into smbldap-tools.

----------

## pgb

Thanks, I had already solved my issue, but forgot to post about.

smbldap-tools made it.

----------

## Adamal

 *pgb wrote:*   

> Thanks, I had already solved my issue, but forgot to post about.
> 
> smbldap-tools made it.

 

I'm still working with the smbldap-tools.  Did you have to make any modifications to the scripts to get them to work?

----------

## pgb

I changed /etc/smbldap-tools/smbldap.conf and /etc/smbldap-tools/smbldap_bind.conf according to my DNS server.

What I had to do is set the Samba server as a WINS server. To do that, I changed smb.conf as needed, and added the needed DHCP options to my dnsmasq.conf (I'm using dnsmasq as the dhcp server, installed on the same server as the Samba PDC).

Hope this helps!

----------

## Adamal

 *pgb wrote:*   

> I changed /etc/smbldap-tools/smbldap.conf and /etc/smbldap-tools/smbldap_bind.conf according to my DNS server.
> 
> What I had to do is set the Samba server as a WINS server. To do that, I changed smb.conf as needed, and added the needed DHCP options to my dnsmasq.conf (I'm using dnsmasq as the dhcp server, installed on the same server as the Samba PDC).
> 
> Hope this helps!

 

That helps a little.  

One more question if you don't mind.  Are you usign LDAP to authenticate Linux users as well or only for Samba?  I think that is where I am having my issues.

----------

## pgb

I'm using it for linux users too.

----------

## Adamal

 *pgb wrote:*   

> I'm using it for linux users too.

 

I know I said last question but I have some more.  Just trying to get this thing working...

did you follow this ldap doc (http://www.gentoo.org/doc/en/ldap-howto.xml)?

did you run smbldap-populate.pl?  

if you ran smbldap-populate did you run it before or after the base.ldif, group.ldif, passwd.ldif, host.ldif from (http://www.gentoo.org/doc/en/ldap-howto.xml)?

I'm just trying to narrow down my problems.  BTW thanks for the help.

----------

## pgb

I followed the ldap-howto first, and only after installed samba and run smldap-populate.

Also, if you have linux users created and want to add the Samba attributes you have to run:

smbldap-usermod -a for that user.

You need to do that for root, as root will be your domain Administrator, and you'll need that account in order to join the domain.

Also, beware that the ldap-howto recommends setting:

```

pam_password exop

```

in /etc/ldap.conf

I was suggested to change that to:

```

pam_password crypt

```

and it worked better (I had problems changing the users passwords).

Let me know if I can help yoo any more.

----------

## Adamal

 *pgb wrote:*   

> I followed the ldap-howto first, and only after installed samba and run smldap-populate.
> 
> Also, if you have linux users created and want to add the Samba attributes you have to run:
> 
> smbldap-usermod -a for that user.
> ...

 

Thanks that helps alot.  How did you make root the domain Admin?

----------

## pgb

By default, Administrator is mapped as root (see the file /etc/samba/smbusers).

I added it the ldap attributes by running smbldap-usermod, and then smbpasswd to change root's password.

Also, be aware that passwd will change only the linux password, while smbpasswd (if samba is configured properly) will change both the windows and linux passwords.

----------

## Adamal

That helped a lot thanks again.

I'm still having a few more issues but I think I know of to fix those.  Someone really needs to do a writeup on how to configure Samba and LDAP.

----------

## Arkanjo

Someone already did  :Wink: 

http://www.idealx.org/prj/samba/smbldap-howto.en.html

----------

## Adamal

 *Arkanjo wrote:*   

> Someone already did 
> 
> http://www.idealx.org/prj/samba/smbldap-howto.en.html

 

I meant something more gentoo specific, its great from a generic standpoint.

----------

## nabbed

If you have the whole LDAP Samba PDC deal working what are the chances of you posting a couple of your conf files?

In particular

/etc/openldap/slapd.conf

/etc/openldap/ldap.conf

/etc/conf.d/slapd

/etc/pam.d/system-auth

/etc/nsswitch.conf

/etc/ldap.conf

/etc/samba/smb.conf

/usr/share/migrationtools/migrate_common.ph

thanks

----------

## Adamal

slapd.conf

```

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $

#

# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

#

include         /etc/openldap/schema/core.schema

include         /etc/openldap/schema/cosine.schema

include         /etc/openldap/schema/inetorgperson.schema

include         /etc/openldap/schema/nis.schema

include         /etc/openldap/schema/samba.schema

include         /etc/openldap/schema/extension.schema

# Use md5 to hash the passwords

password-hash {md5}

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory

# service AND an understanding of referrals.

#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid

argsfile        /var/run/openldap/slapd.args

# Define SSL and TLS properties (optional)

TLSCertificateFile /etc/ssl/ldap.pem

TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem

TLSCACertificateFile /etc/ssl/ldap.pem

# Load dynamic backend modules:

# modulepath    /usr/lib/openldap/openldap

# moduleload    back_bdb.la

# moduleload    back_ldap.la

# moduleload    back_ldbm.la

# moduleload    back_passwd.la

# moduleload    back_shell.la

# Sample security restrictions

#       Require integrity protection (prevent hijacking)

#       Require 112-bit (3DES or better) encryption for updates

#       Require 63-bit encryption for simple bind

# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:

#       Root DSE: allow anyone to read it

#       Subschema (sub)entry DSE: allow anyone to read it

#       Other DSEs:

#               Allow self write access

#               Allow authenticated users read access

#               Allow anonymous users to authenticate

#       Directives needed to implement policy:

# access to dn.base="" by * read

# access to dn.base="cn=Subschema" by * read

# access to *

#       by self write

#       by users read

#       by anonymous auth

#

# if no access controls are present, the default policy is:

#       Allow read by all

#

# rootdn can always write!

#access to attrs=userPassword,sambaLMPassword,sambaNTPassword

#      by self write

#      by anonymous auth

#      by * none

#      access to *

#      by * read

#######################################################################

# ldbm database definitions

#######################################################################

database        ldbm

#checkpoint     32      30 # <kbyte> <min>

suffix          "dc=my-domain,dc=com"

rootdn          "cn=Manager,dc=my-domain,dc=com"

# Cleartext passwords, especially for the rootdn, should

# be avoid.  See slappasswd(8) and slapd.conf(5) for details.

# Use of strong authentication encouraged.

rootpw          {MD5}qMKu9pNBWW6S8eJNsh5KsA==

# The database directory MUST exist prior to running slapd AND

# should only be accessible by the slapd and slap tools.

# Mode 700 recommended.

directory       /var/lib/openldap-ldbm

# Indices to maintain

#index  objectClass     eq

index      objectClass,uidNumber,gidNumber                  eq

index      cn,sn,uid,displayName                            pres,sub,eq

index      memberUid,mail,givenname                         eq,subinitial

index      sambaSID,sambaPrimaryGroupSID,sambaDomainName    eq

```

ldap.conf

```
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $

#

# LDAP Defaults

#

# See ldap.conf(5) for details

# This file should be world readable but not world writable.

BASE            dc=my-domain, dc=com

URI             ldaps://servername.my-domain.com:636/

TLS_REQCERT     allow

#SIZELIMIT      12

#TIMELIMIT      15

#DEREF          never

```

slapd

```
# conf.d file for the openldap-2.1 series

#

# To enable both the standard unciphered server and the ssl encrypted

# one uncomment this line or set any other server starting options

# you may desire.

#

# OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"

#OPTS="-h 'ldaps:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"

OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"

```

system-auth

```
#%PAM-1.0

auth       required     /lib/security/pam_env.so

auth       sufficient   /lib/security/pam_unix.so likeauth nullok shadow

auth       sufficient   /lib/security/pam_ldap.so use_first_pass

auth       required     /lib/security/pam_deny.so

account    required     /lib/security/pam_unix.so

account    sufficient   /lib/security/pam_ldap.so

#account    required     /lib/security/pam_deny.so

password   required     /lib/security/pam_cracklib.so retry=3

password   sufficient   /lib/security/pam_unix.so nullok use_authtok shadow md5

#password   sufficient  /lib/security/pam_unix.so nullok md5 shadow use_authtok

password   sufficient   /lib/security/pam_ldap.so use_authtok

password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so

session    required     /lib/security/pam_unix.so

#session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0

session    optional     /lib/security/pam_ldap.so

# If you want to enable pam_console, uncomment the following line

# and read carefully README.pam_console in /usr/share/doc/pam*

#session    optional    /lib/security/pam_console.so

```

nsswitch.conf

```
# /etc/nsswitch.conf:

# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $

#passwd:      compat

#shadow:      compat

#group:       compat

passwd:      files ldap

group:       files ldap

shadow:      files ldap

# passwd:    db files nis

# shadow:    db files nis

# group:     db files nis

hosts:       files dns wins

networks:    files dns

services:    db files

protocols:   db files

rpc:         db files

ethers:      db files

netmasks:    files

netgroup:    files

bootparams:  files

automount:   files

aliases:     files

```

smb.conf

```
#======================= Global Settings =====================================

[global]

# 1. Server Naming Options:

# workgroup = NT-Domain-Name or Workgroup-Name

   workgroup = My-Domain

# netbios name is the name you will see in "Network Neighbourhood",

# but defaults to your hostname

   netbios name = servername

# server string is the equivalent of the NT Description field

   server string = Home Server %v

# Message command is run by samba when a "popup" message is sent to it.

# The example below is for use with LinPopUp:

; message command = /usr/bin/linpopup "%f" "%m" %s; rm %s

# 2. Printing Options:

# CHANGES TO ENABLE PRINTING ON ALL CUPS PRINTERS IN THE NETWORK

# if you want to automatically load your printer list rather

# than setting them up individually then you'll need this

   printcap name = cups

   load printers = yes

# It should not be necessary to spell out the print system type unless

# yours is non-standard. Currently supported print systems include:

# bsd, sysv, plp, lprng, aix, hpux, qnx, cups

   printing = cups

# Samba 3.x supports the Windows NT-style point-and-print feature. To

# use this, you need to be able to upload print drivers to the samba

# server. The printer admins (or root) may install drivers onto samba.

# Note that this feature uses the print$ share, so you will need to

# enable it below.

# printer admin = @<group> <user>

   printer admin = @adm

# This should work well for winbind:

;   printer admin = @"Domain Admins"

# 3. Logging Options:

# this tells Samba to use a separate log file for each machine

# that connects

   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).

   max log size = 500

# Set the log (verbosity) level (0 <= log level <= 10)

 log level = 1

 syslog = 0

# 4. Security and Domain Membership Options:

# This option is important for security. It allows you to restrict

# connections to machines which are on your local network. The

# following example restricts access to two C class networks and

# the "loopback" interface. For more examples of the syntax see

# the smb.conf man page. Do not enable this if (tcp/ip) name resolution does

# not work for all the hosts in your network.

;   hosts allow = 192.168.1. 192.168.2. 127.

# Uncomment this if you want a guest account, you must add this to /etc/passwd

# otherwise the user "nobody" is used

  guest account = nobody

# Allow users to map to guest:

  map to guest = bad user

# Security mode. Most people will want user level security. See

# security_level.txt for details.

  security = user

# Use password server option only with security = server or security = domain

# When using security = domain, you should use password server = *

;   password server = <NT-Server-Name>

;   password server = *

# Password Level allows matching of _n_ characters of the password for

# all combinations of upper and lower case.

;  password level = 8

;  username level = 8

  time server = Yes

# You may wish to use password encryption. Please read

# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.

# Do not enable this option unless you have read those documents

# Encrypted passwords are required for any use of samba in a Windows NT domain

# The smbpasswd file is only required by a server doing authentication, thus

# members of a domain do not need one.

;  encrypt passwords = yes

;  smb passwd file = /etc/samba/private/smbpasswd

# The following are needed to allow password changing from Windows to

# also update the Linux system password.

# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.

# NOTE2: You do NOT need these to allow workstations to change only

#        the encrypted SMB passwords. They allow the Unix password

#        to be kept in sync with the SMB password.

;  unix password sync = Yes

# You either need to setup a passwd program and passwd chat, or

# enable pam password change

;  pam password change = yes

;  passwd program = /usr/bin/passwd %u

;  passwd program = /var/lib/samba/sbin/ldapsync.pl -o %u

;  passwd chat = *New*password* %n\n *Retype*new*password* %n\n *modifying*

;  passwd chat = *New*UNIX*password* %n\n *Re*ype*new*UNIX*password* %n\n \

;*passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names

  username map = /etc/samba/smbusers

# Using the following line enables you to customise your configuration

# on a per machine basis. The %m gets replaced with the netbios name

# of the machine that is connecting

;   include = /etc/samba/smb.conf.%m

# Options for using winbind. Winbind allows you to do all account and

# authentication from a Windows or samba domain controller, creating

# accounts on the fly, and maintaining a mapping of Windows RIDs to unix uid's

# and gid's. winbind uid and winbind gid are the only required parameters.

#

# winbind uid is the range of uid's winbind can use when mapping RIDs to uid's

;  winbind uid = 10000-20000

#

# winbind gid is the range of uid's winbind can use when mapping RIDs to gid's

;  winbind gid = 10000-20000

#

# winbind separator is the character a user must use between their domain

# name and username, defaults to "\"

;  winbind separator = +

#

# winbind use default domain allows you to have winbind return usernames

# in the form user instead of DOMAIN+user for the domain listed in the

# workgroup parameter.

;  winbind use default domain = yes

#

# template homedir determines the home directory for winbind users, with

# %D expanding to their domain name and %U expanding to their username:

;  template homedir = /home/%D/%U

# When using winbind, you may want to have samba create home directories

# on the fly for authenticated users. Ensure that /etc/pam.d/samba is

# using 'service=system-auth-winbind' in pam_stack modules, and then

# enable obedience of pam restrictions below:

  obey pam restrictions = yes

#

# template shell determines the shell users authenticated by winbind get

;  template shell = /bin/bash

# 5. Browser Control and Networking Options:

# Most people will find that this option gives better performance.

# See speed.txt and the manual pages for details

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Configure Samba to use multiple interfaces

# If you have multiple network interfaces then you must list them

# here. See the man page for details.

;   interfaces = 192.168.12.2/24 192.168.13.2/24

   interfaces = eth0, lo

   bind interfaces only = Yes

# Configure remote browse list synchronisation here

#  request announcement to, or browse list sync from:

#       a specific host or from / to a whole subnet (see below)

;   remote browse sync = 192.168.3.25 192.168.5.255

# Cause this host to announce itself to local subnets here

   remote announce = 192.168.1.255

# set local master to no if you don't want Samba to become a master

# browser on your network. Otherwise the normal election rules apply

   local master = yes

# OS Level determines the precedence of this server in master browser

# elections. The default value should be reasonable

;   os level = 33

    os level = 65

# Domain Master specifies Samba to be the Domain Master Browser. This

# allows Samba to collate browse lists between subnets. Don't use this

# if you already have a Windows NT domain controller doing this job

   domain master = yes

# Preferred Master causes Samba to force a local browser election on startup

# and gives it a slightly higher chance of winning the election

   preferred master = yes

# 6. Domain Control Options:

# Enable this if you want Samba to be a domain logon server for

# Windows95 workstations or Primary Domain Controller for WinNT and Win2k

   domain logons = yes

# if you enable domain logons then you may want a per-machine or

# per user logon script

# run a specific logon batch file per workstation (machine)

;   logon script = %m.bat

# run a specific logon batch file per username

   logon script = %U.bat

;    logon script = logon.bat

# Where to store roaming profiles for WinNT and Win2k

#        %L substitutes for this servers netbios name, %U is username

#        You must uncomment the [Profiles] share below

 ;  logon path = \\%L\Profiles\%U

# Where to store roaming profiles for Win9x. Be careful with this as it also

# impacts where Win2k finds it's /HOME share

; logon home = \\%L\%U\.profile

# The add user script is used by a domain member to add local user accounts

# that have been authenticated by the domain controller, or when adding

# users via the Windows NT Tools (ie User Manager for Domains).

# Scripts for file (passwd, smbpasswd) backend:

; add user script = /usr/sbin/useradd -s /bin/false '%u'

; delete user script = /usr/sbin/userdel '%s'

; add user to group script = /usr/bin/gpasswd -a '%u' '%g'

; delete user from group script = /usr/bin/gpasswd -d '%u' '%g'

; set primary group script = /usr/sbin/usermod -g '%g' '%u'

; add group script = /usr/sbin/groupadd %g && getent group '%g'|awk -F: '{print $3}'

; delete group script = /usr/sbin/groupdel '%g'

# Scripts for LDAP backend (assumes nss_ldap is in use on the domain controller.

# Needs IDEALX scripts, and configuration in smbldap_conf.pm.

# This assumes you've installed the IDEALX scripts into /usr/share/samba/scripts...

 add user script = /var/lib/samba/sbin/smbldap-useradd.pl '%u'

 delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'

 add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'

 delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'

 set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u'

 add group script = /var/lib/samba/sbin/smbldap-groupadd.pl '%g' && /var/lib/samba/sbin/smbldap-groupshow.pl %g|

awk '/^gidNumber:/ {print $2}'

 delete group script = /var/lib/samba/sbin/smbldap-userdel.pl '%g'

# The add machine script is use by a samba server configured as a domain

# controller to add local machine accounts when adding machines to the domain.

# The script must work from the command line when replacing the macros,

# or the operation will fail. Check that groups exist if forcing a group.

# Script for domain controller for adding machines:

; add machine script = /usr/sbin/useradd -d /dev/null -g machines -c 'Machine Account' -s /bin/false -M %u

; add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u

# Script for domain controller with LDAP backend for adding machines (You need

# the IDEALX scripts, and to configure the smbldap_conf.pm first):

  add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w -d /dev/null -s /bin/false %u

  hide files = /desktop.ini/

# Domain groups:

# Domain groups are now configured by using the 'net groupmap' tool

# Samba Password Database configuration:

# Samba now has runtime-configurable password database backends. Multiple

# passdb backends may be used, but users will only be added to the first one

# Default:

; passdb backend = smbpasswd guest

# TDB backen with fallback to smbpasswd and guest

; passdb backend = tdbsam smbpasswd guest

# LDAP with fallback to smbpasswd guest

# Enable SSL by using an ldaps url, or enable tls with 'ldap ssl' below.

; passdb backend = ldapsam:ldaps://servername.my-domain.com smbpasswd guest

  passdb backend = ldapsam:ldap://servername.my-domain.com

# Use the samba2 LDAP schema:

; passdb backend = ldapsam_compat:ldaps://ldap.mydomain.com smbpasswd guest

# idmap uid account range:

# This is a range of unix user-id's that samba will map non-unix RIDs to,

# such as when using Winbind

# idmap backend = ldap:ldap://servername.my-domain.com

 idmap uid = 10000-20000

 idmap gid = 10000-20000

 map acl inherit = Yes

# LDAP configuration for Domain Controlling:

# The account (dn) that samba uses to access the LDAP server

# This account needs to have write access to the LDAP tree

# You will need to give samba the password for this dn, by

# running 'smbpasswd -w mypassword'

 ldap admin dn = cn=Manager,dc=my-domain,dc=com

# ldap ssl = start_tls

# start_tls should run on 389, but samba defaults incorrectly to 636

; ldap port = 389

 ldap suffix = dc=my-domain,dc=com

; ldap server = servername.my-domain.com

# Seperate suffixes are available for machines, users, groups, and idmap, if

# ldap suffix appears first, it is appended to the specific suffix.

# Example for a unix-ish directory layout:

 ldap machine suffix = ou=People

 ldap user suffix = ou=People

 ldap group suffix = ou=Group

 ldap idmap suffix = ou=People

 ldap passwd sync = yes

 ldap delete dn = Yes

# Example for AD-ish layout:

; ldap machine suffix = cn=Computers

; ldap user suffix = cn=Users

; ldap group suffix = cn=Groups

; ldap idmap suffix = cn=Idmap

# 7. Name Resolution Options:

# All NetBIOS names must be resolved to IP Addresses

# 'Name Resolve Order' allows the named resolution mechanism to be specified

# the default order is "host lmhosts wins bcast". "host" means use the unix

# system gethostbyname() function call that will use either /etc/hosts OR

# DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf

# and the /etc/resolv.conf file. "host" therefore is system configuration

# dependant. This parameter is most often of use to prevent DNS lookups

# in order to resolve NetBIOS names to IP Addresses. Use with care!

# The example below excludes use of name resolution for machines that are NOT

# on the local network segment

# - OR - are not deliberately to be known via lmhosts or via WINS.

 name resolve order = wins bcast hosts lmhosts

# Windows Internet Name Serving Support Section:

# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server

 wins support = Yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client

#       Note: Samba can be either a WINS Server, or a WINS Client, but NOT both

;   wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on

# behalf of a non WINS capable client, for this to work there must be

# at least one  WINS Server on the network. The default is NO.

;   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names

# via DNS nslookups. The built-in default for versions 1.9.17 is yes,

# this has been changed in version 1.9.18 to no.

   dns proxy = no

# 8. File Naming Options:

# Case Preservation can be handy - system default is _no_

# NOTE: These can be set on a per share basis

;  preserve case = no

;  short preserve case = no

# Default case is normally upper case for all DOS files

;  default case = lower

# Be very careful with case sensitivity - it can break things!

;  case sensitive = no

# Enabling internationalization:

# you can match a Windows code page with a UNIX character set.

# Windows: 437 (US), 737 (GREEK), 850 (Latin1 - Western European),

# 852 (Czech), 861 (???), 932 (Japanese),

# 936 (Simplified Chin.), 949 (Korean Hangul),

# 950 (Trad. Chin.).

# More detail about code page is in

# "http://www.microsoft.com/globaldev/reference/oslocversion.mspx"

# UNIX: ISO8859-1 (Western European), ISO8859-2 (Eastern Eu.),

# ISO8859-5 (Russian Cyrillic), KOI8-R (Alt-Russ. Cyril.)

# This is an example for french users:

;   dos charset = 850

;   unix charset = ISO8859-1

#============================ Share Definitions ==============================

[homes]

   comment = Home Directories

   browseable = no

   writable = yes

# You can enable VFS recycle bin on a per share basis:

# Uncomment the next 2 lines (make sure you create a

# .recycle folder in the base of the share and ensure

# all users will have write access to it. See

# examples/VFS/recycle/REAME in the samba docs for details

;   vfs object = /usr/lib/samba/vfs/recycle.so

# Un-comment the following and create the netlogon directory for Domain Logons

 [netlogon]

   comment = Network Logon Service

   path = /var/lib/samba/netlogon

   guest ok = yes

   writable = no

   locking = no

# Un-comment the following to provide a specific roving profile share

# the default is to use the user's home directory

[Profiles]

    path = /var/lib/samba/profiles

    browseable = no

    guest ok = yes

    create mask = 0600

    directory mask = 0700

    profile acls = yes

    read only = no

    writable = yes

# This script can be enabled to create profile directories on the fly

# You may want to turn off guest acces if you enable this, as it

# hasn't been thoroughly tested.

;root preexec = PROFILE=/var/lib/samba/profiles/%u; if [ ! -e $PROFILE ]; \

;                then mkdir -pm700 $PROFILE; chown %u:%g $PROFILE;fi

# NOTE: If you have a CUPS print system there is no need to

# specifically define each individual printer.

# You must configure the samba printers with the appropriate Windows

# drivers on your Windows clients. On the Samba server no filtering is

# done. If you wish that the server provides the driver and the clients

# send PostScript ("Generic PostScript Printer" under Windows), you have

# to swap the 'print command' line below with the commented one.

[printers]

   comment = All Printers

   path = /var/spool/samba

   browseable = no

# to allow user 'guest account' to print.

   guest ok = yes

   writable = no

   printable = yes

   create mode = 0700

# =====================================

# print command: see above for details.

# =====================================

   print command = lpr-cups -P %p -o raw %s -r   # using client side printer drivers.

;   print command = lpr-cups -P %p %s # using cups own drivers (use generic PostScript on clients).

# The following two commands are the samba defaults for printing=cups

# change them only if you need different options:

;   lpq command = lpq -P %p

;   lprm command = cancel %p-%j

# This share is used for Windows NT-style point-and-print support.

# To be able to install drivers, you need to be either root, or listed

# in the printer admin parameter above. Note that you also need write access

# to the directory and share definition to be able to upload the drivers.

# For more information on this, please see the Printing Support Section of

# /usr/share/doc/samba-<version>/Samba-HOWTO-Collection.pdf

[print$]

   path = /var/lib/samba/printers

   browseable = yes

   read only = yes

   write list = @adm root

   guest ok = yes

```

----------

## Adamal

migrate_common.ph 

```

#

# $Id: migrate_common.ph,v 1.22 2003/04/15 03:09:33 lukeh Exp $

#

# Copyright (c) 1997-2003 Luke Howard.

# All rights reserved.

#

# Redistribution and use in source and binary forms, with or without

# modification, are permitted provided that the following conditions

# are met:

# 1. Redistributions of source code must retain the above copyright

#    notice, this list of conditions and the following disclaimer.

# 2. Redistributions in binary form must reproduce the above copyright

#    notice, this list of conditions and the following disclaimer in the

#    documentation and/or other materials provided with the distribution.

# 3. All advertising materials mentioning features or use of this software

#    must display the following acknowledgement:

#        This product includes software developed by Luke Howard.

# 4. The name of the other may not be used to endorse or promote products

#    derived from this software without specific prior written permission.

#

# THIS SOFTWARE IS PROVIDED BY THE LUKE HOWARD ``AS IS'' AND

# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

# ARE DISCLAIMED.  IN NO EVENT SHALL LUKE HOWARD BE LIABLE

# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

# SUCH DAMAGE.

#

#

# Common defines for MigrationTools

#

# Naming contexts. Key is $PROGRAM with migrate_ and .pl

# stripped off.

$NETINFOBRIDGE = (-x "/usr/sbin/mkslapdconf");

if ($NETINFOBRIDGE) {

        $NAMINGCONTEXT{'aliases'}           = "cn=aliases";

        $NAMINGCONTEXT{'fstab'}             = "cn=mounts";

        $NAMINGCONTEXT{'passwd'}            = "cn=users";

        $NAMINGCONTEXT{'netgroup_byuser'}   = "cn=netgroup.byuser";

        $NAMINGCONTEXT{'netgroup_byhost'}   = "cn=netgroup.byhost";

        $NAMINGCONTEXT{'group'}             = "cn=groups";

        $NAMINGCONTEXT{'netgroup'}          = "cn=netgroup";

        $NAMINGCONTEXT{'hosts'}             = "cn=machines";

        $NAMINGCONTEXT{'networks'}          = "cn=networks";

        $NAMINGCONTEXT{'protocols'}         = "cn=protocols";

        $NAMINGCONTEXT{'rpc'}               = "cn=rpcs";

        $NAMINGCONTEXT{'services'}          = "cn=services";

} else {

        $NAMINGCONTEXT{'aliases'}           = "ou=Aliases";

        $NAMINGCONTEXT{'fstab'}             = "ou=Mounts";

        $NAMINGCONTEXT{'passwd'}            = "ou=People";

        $NAMINGCONTEXT{'netgroup_byuser'}   = "nisMapName=netgroup.byuser";

        $NAMINGCONTEXT{'netgroup_byhost'}   = "nisMapName=netgroup.byhost";

        $NAMINGCONTEXT{'group'}             = "ou=Group";

        $NAMINGCONTEXT{'netgroup'}          = "ou=Netgroup";

        $NAMINGCONTEXT{'hosts'}             = "ou=Hosts";

        $NAMINGCONTEXT{'networks'}          = "ou=Networks";

        $NAMINGCONTEXT{'protocols'}         = "ou=Protocols";

        $NAMINGCONTEXT{'rpc'}               = "ou=Rpc";

        $NAMINGCONTEXT{'services'}          = "ou=Services";

}

# Default DNS domain

#$DEFAULT_MAIL_DOMAIN = "padl.com";

# Default base

$DEFAULT_BASE = "dc=my-domain,dc=com";

# Turn this on for inetLocalMailReceipient

# sendmail support; add the following to

# sendmail.mc (thanks to Petr@Kristof.CZ):

##### CUT HERE #####

#define(`confLDAP_DEFAULT_SPEC',`-h "ldap.padl.com"')dnl

#LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldapdomains')dnl

#FEATURE(ldap_routing)dnl

##### CUT HERE #####

# where /etc/mail/ldapdomains contains names of ldap_routed

# domains (similiar to MASQUERADE_DOMAIN_FILE).

#$DEFAULT_MAIL_HOST = "mail.padl.com";

# turn this on to support more general object clases

# such as person.

$EXTENDED_SCHEMA = 1;

#

# allow environment variables to override predefines

#

if (defined($ENV{'LDAP_BASEDN'})) {

        $DEFAULT_BASE = $ENV{'LDAP_BASEDN'};

}

if (defined($ENV{'LDAP_DEFAULT_MAIL_DOMAIN'})) {

        $DEFAULT_MAIL_DOMAIN = $ENV{'LDAP_DEFAULT_MAIL_DOMAIN'};

}

if (defined($ENV{'LDAP_DEFAULT_MAIL_HOST'})) {

        $DEFAULT_MAIL_HOST = $ENV{'LDAP_DEFAULT_MAIL_HOST'};

}

# binddn used for alias owner (otherwise uid=root,...)

if (defined($ENV{'LDAP_BINDDN'})) {

        $DEFAULT_OWNER = $ENV{'LDAP_BINDDN'};

}

if (defined($ENV{'LDAP_EXTENDED_SCHEMA'})) {

        $EXTENDED_SCHEMA = $ENV{'LDAP_EXTENDED_SCHEMA'};

}

# If we haven't set the default base, guess it automagically.

if (!defined($DEFAULT_BASE)) {

        $DEFAULT_BASE = &domain_expand($DEFAULT_MAIL_DOMAIN);

        $DEFAULT_BASE =~ s/,$//o;

}

# Default Kerberos realm

if ($EXTENDED_SCHEMA) {

        $DEFAULT_REALM = $DEFAULT_MAIL_DOMAIN;

        $DEFAULT_REALM =~ tr/a-z/A-Z/;

}

if (-x "/usr/sbin/revnetgroup") {

        $REVNETGROUP = "/usr/sbin/revnetgroup";

} elsif (-x "/usr/lib/yp/revnetgroup") {

        $REVNETGROUP = "/usr/lib/yp/revnetgroup";

}

$classmap{'o'} = 'organization';

$classmap{'dc'} = 'domain';

$classmap{'l'} = 'locality';

$classmap{'ou'} = 'organizationalUnit';

$classmap{'c'} = 'country';

$classmap{'nismapname'} = 'nisMap';

$classmap{'cn'} = 'container';

sub parse_args

{

        if ($#ARGV < 0) {

                print STDERR "Usage: $PROGRAM infile [outfile]\n";

                exit 1;

        }

        $INFILE = $ARGV[0];

        if ($#ARGV > 0) {

                $OUTFILE = $ARGV[1];

        }

}

sub open_files

{

        open(INFILE);

        if ($OUTFILE) {

                open(OUTFILE,">$OUTFILE");

                $use_stdout = 0;

        } else {

                $use_stdout = 1;

        }

}

# moved from migrate_hosts.pl

# lukeh 10/30/97

sub domain_expand

{

        local($first) = 1;

        local($dn);

        local(@namecomponents) = split(/\./, $_[0]);

        foreach $_ (@namecomponents) {

                $first = 0;

                $dn .= "dc=$_,";

        }

        $dn .= $DEFAULT_BASE;

        return $dn;

}

# case insensitive unique

sub uniq

{

        local($name) = shift(@_);

        local(@vec) = sort {uc($a) cmp uc($b)} @_;

        local(@ret);

        local($next, $last);

        foreach $next (@vec) {

                if ((uc($next) ne uc($last)) &&

                        (uc($next) ne uc($name))) {

                        push (@ret, $next);

                }

                $last = $next;

        }

        return @ret;

}

# concatenate naming context and

# organizational base

sub getsuffix

{

        local($program) = shift(@_);

        local($nc);

        $program =~ s/^migrate_(.*)\.pl$/$1/;

        $nc = $NAMINGCONTEXT{$program};

        if ($nc eq "") {

                return $DEFAULT_BASE;

        } else {

                return $nc . ',' . $DEFAULT_BASE;

        }

}

sub ldif_entry

{

# remove leading, trailing whitespace

        local ($HANDLE, $lhs, $rhs) = @_;

        local ($type, $val) = split(/\=/, $lhs);

        local ($dn);

        if ($rhs ne "") {

                $dn = $lhs . ',' . $rhs;

        } else {

                $dn = $lhs;

        }

        $type =~ s/\s*$//o;

        $type =~ s/^\s*//o;

        $type =~ tr/A-Z/a-z/;

        $val =~ s/\s*$//o;

        $val =~ s/^\s*//o;

        print $HANDLE "dn: $dn\n";

        print $HANDLE "$type: $val\n";

        print $HANDLE "objectClass: top\n";

        print $HANDLE "objectClass: $classmap{$type}\n";

        if ($EXTENDED_SCHEMA) {

                if ($DEFAULT_MAIL_DOMAIN) {

                        print $HANDLE "objectClass: domainRelatedObject\n";

                        print $HANDLE "associatedDomain: $DEFAULT_MAIL_DOMAIN\n";

                }

        }

        print $HANDLE "\n";

}

# Added Thu Jun 20 16:40:28 CDT 2002 by Bob Apthorpe

# <apthorpe@cynistar.net> to solve problems with embedded plusses in

# protocols and mail aliases.

sub escape_metacharacters

{

        local($name) = @_;

        # From Table 3.1 "Characters Requiring Quoting When Contained

        # in Distinguished Names", p87 "Understanding and Deploying LDAP

        # Directory Services", Howes, Smith, & Good.

        # 1) Quote backslash

        # Note: none of these are very elegant or robust and may cause

        # more trouble than they're worth. That's why they're disabled.

        # 1.a) naive (escape all backslashes)

        # $name =~ s#\\#\\\\#og;

        #

        # 1.b) mostly naive (escape all backslashes not followed by

        # a backslash)

        # $name =~ s#\\(?!\\)#\\\\#og;

        #

        # 1.c) less naive and utterly gruesome (replace solitary

        # backslashes)

        # $name =~ s{           # Replace

        #               (?<!\\) # negative lookbehind (no preceding backslash)

        #               \\      # a single backslash

        #               (?!\\)  # negative lookahead (no following backslash)

        #       }

        #       {               # With

        #               \\\\    # a pair of backslashes

        #       }gx;

        # Ugh. Note that s#(?:[^\\])\\(?:[^\\])#////#g fails if $name

        # starts or ends with a backslash. This expression won't work

        # under perl4 because the /x flag and negative lookahead and

        # lookbehind operations aren't supported. Sorry. Also note that

        # s#(?:[^\\]*)\\(?:[^\\]*)#////#g won't work either.  Of course,

        # this is all broken if $name is already escaped before we get

        # to it. Best to throw a warning and make the user import these

        # records by hand.

        # 2) Quote leading and trailing spaces

        local($leader, $body, $trailer) = ();

        if (($leader, $body, $trailer) = ($name =~ m#^( *)(.*\S)( *)$#o)) {

                $leader =~ s# #\\ #og;

                $trailer =~ s# #\\ #og;

                $name = $leader . $body . $trailer;

        }

        # 3) Quote leading octothorpe (#)

        $name =~ s/^#/\\#/o;

        # 4) Quote comma, plus, double-quote, less-than, greater-than,

        # and semicolon

        $name =~ s#([,+"<>;])#\\$1#g;

        return $name;

}

1;

```

----------

## Adamal

Looks like etc-update overwrote my slapd.conf file.  When I rebooted my server today it stopped working.  I fixed the file and updated the one I posted earlier.

----------

## DreameR78

Thanks Pgb. you dont know how long i'v ttried to fix it so that users can change their passwords. the exop=>crypt worked like a charm  :Laughing: 

----------

## nabbed

thanks for fixing up the slapd.conf.

could you also post the contents of /etc/openldap/schema/extension.schema and tell me what version of samba you are using. i suspect it is something to do with kerberos, is that right?

thanks

----------

## Adamal

I'm not using kerberos.  I don't know how much the schema is going to do for you, its for my address book.

 *Quote:*   

> attributetype ( 1.3.6.1.4.1.4203.666.100.121
> 
>         NAME ( 'rdn' )
> 
>         SUP name )
> ...

 

----------

## nabbed

I feel like I am progressing so thanks for your help so far.

Could you post a couple more files?

/etc/ldap.conf

/etc/conf.d/samba

/etc/opt/IDEALX/smbldap-tools/smbldap.conf

/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf

what do you use for dhcp server?

what are the chances of you posting your config file for dhcp as well?

Did you use the winbind USE flag when emerging samba and therfore compile winbind into samba?

what is the version of samba that you used?

what is the version of smbldap-tools that you used?

----------

