Samba PDC+LDAP doesn't work for me
Heyyyyyyyyyyyyyyyyyyy!!!!
Let's see, because this one is a bit of a saga...
I'm trying to set up a woody box with a Samba PDC authenticating against
LDAP. I only want Samba to authenticate via LDAP.
I'm using Samba 3.
Samba works perfectly as a PDC. The problem appears when authenticating
against LDAP.
Here are the steps in detail:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck on
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd.args
# Where to store the replica logs
replogfile /var/lib/ldap/replog
# Read slapd.conf(5) for possible values
loglevel 2
# The backend type, ldbm, is the default standard
database ldbm
# The base of your directory
suffix "dc=GRUPO_TRABAJO"
# Where the database file are physically stored
directory "/var/lib/ldap"
#rootdn "cn=Manager, dc=GRUPO_TRABAJO"
rootdn "cn=manager,ou=People,dc=GRUPO_TRABAJO"
rootpw secret
# Indexing options
# Indices to maintain
## required by OpenLDAP
index objectclass eq
index cn pres,sub,eq
index sn pres,sub,eq
## required to support pdb_getsampwnam
index uid pres,sub,eq
## required to support pdb_getsambapwrid()
index displayName pres,sub,eq
## uncomment these if you are storing posixAccount and
## posixGroup entries in the directory as well
##index uidNumber eq
##index gidNumber eq
##index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
lastmod on
# By default, only read access is allowed
defaultaccess read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
access to dn=".*,ou=Roaming,dc="
by dnattr=owner write
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attribute=userPassword
by dn="cn=admin,ou=People,dc=" write
by self write
by * none
# The admin dn has full write access
access to * by dn="cn=manager,ou=People,dc=GRUPO_TRABAJO" write
access to *
by dn="cn=manager,ou=People,dc=GRUPO_TRABAJO" write
by dn="cn=nss,dc=GRUPO_TRABAJO" read
by * auth
#access to dn=".*,dc=GRUPO_TRABAJO"
#attribute=userPassword,lmPassword,ntPassword
access to attribute=userPassword
by dn="cn=manager,ou=People,dc=GRUPO_TRABAJO" write
by anonymous auth
by * none
----------------------------------------------------------------------------
My smb.conf is the following:
[global]
workgroup = GRUPO_TRABAJO
server string = %h server (Samba %v) PDC
interfaces = 192.168.1.69/24
bind interfaces only = Yes
obey pam restrictions = Yes
passdb backend = ldapsam:ldap://localhost
passwd program = /usr/local/sbin/smbldap-passwd.pl .o %u
passwd chat = *new*password* %n\n *new*password* %n\n *sucessfully*
unix password sync = Yes
log file = /var/log/samba/log.%m
max log size = 1000
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon script = netlogon.bat
logon drive = H:
logon home = \\%h\%U
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap suffix = "ou=People,dc=GRUPO_TRABAJO"
ldap machine suffix = ou=Computers,"ou=People,dc=GRUPO_TRABAJO"
ldap user suffix = ou=People,"ou=People,dc=GRUPO_TRABAJO"
ldap group suffix = ou=Groups,"ou=People,dc=GRUPO_TRABAJO"
ldap idmap suffix = "ou=People,dc=GRUPO_TRABAJO"
ldap admin dn = "cn=manager,ou=People,dc=GRUPO_TRABAJO"
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
invalid users = root
[homes]
comment = Home Directories
read only = No
create mask = 0700
directory mask = 0700
browseable = No
[netlogon]
comment = Network Logon Service
path = /home/samba
browseable = No
[printers]
comment = All Printers
path = /tmp
create mask = 0700
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
[recurso1]
comment = Recurso 1
path = /home/samba/recurso1
read only = No
browseable = No
----------------------------------------------------------------------------
Well, up to here I don't know whether there is much of a problem. At most the LDAP part.
After this I use an ldif file to add the structure to my LDAP:
# Organization for Samba Base
dn: dc=GRUPO_TRABAJO
objectclass: dcObject
objectclass: organization
dc: GRUPO_TRABAJO
o: Red GRUPO_TRABAJO
description: Ejemplo de Red Samba-3 LDAP
# Organizational Role for Directory Management
dn: cn=Manager,dc=GRUPO_TRABAJO
objectclass: organizationalRole
cn: Manager
description: Directory Manager
# Setting up container for users
dn: ou=People,dc=GRUPO_TRABAJO
objectclass: top
objectclass: organizationalUnit
ou: People
# Setting up admin handle for People OU
dn: cn=manager,ou=People,dc=GRUPO_TRABAJO
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
# Setting up container for groups
dn: ou=Groups,dc=GRUPO_TRABAJO
objectclass: top
objectclass: organizationalUnit
ou: Groups
# Setting up admin handle for Groups OU
dn: cn=manager,ou=Groups,dc=GRUPO_TRABAJO
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
# Setting up container for computers
dn: ou=Computers,dc=GRUPO_TRABAJO
objectclass: top
objectclass: organizationalUnit
ou: Computers
# Setting up admin handle for Computers OU
dn: cn=manager,ou=Computers,dc=GRUPO_TRABAJO
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
I add this structure and check with slapcat that it is there.
Now comes the controversial part, more controversial than Tamara's lips...
I try to add a user with smbpasswd -a usuario1 and I get this error:
#smbpasswd -a usuario1
New SMB password:
Retype new SMB password:
failed to bind to server with dn= cn=manager,ou=People,dc=GRUPO_TRABAJO
Error: Invalid credentials
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
Connection to LDAP Server failed for the 1 try!
ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (unknown) (Invalid credentials)Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
Failed to add entry for user usuario1.
Failed to modify password entry for user usuario1
The password is set correctly, or so I think. In the ldap configuration
file I put secret as the password. What's more, before adding a user I
make sure with the command:
# smbpasswd -w secret
Setting stored password for "cn=manager,ou=People,dc=GRUPO_TRABAJO" in secrets.tdb
After this huge wall of text, any suggestions as to what might be
happening to me?
THANKS for putting up with the rant
;)
atilaX - Eduardo Marroquin
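An added offline check, not from the original post and not a Samba or OpenLDAP tool, for two things worth verifying when smbpasswd reports "Invalid credentials" on the admin bind: whether the ldap admin dn in smb.conf is the same DN as the slapd rootdn (only then does rootpw cover that bind; any other DN is checked against its own userPassword), and whether an LDIF entry's RDN value is actually among its attributes (the posted cn=manager,ou=People entry carries cn: admin, which LDAP naming rules forbid). The function names are hypothetical and the embedded config fragments are constructed to mirror the posted files, not copied from them in full.

```python
import re

def norm_dn(dn):
    """Strip quotes, case and spaces after commas so DNs from two files compare equal."""
    return re.sub(r"\s*,\s*", ",", dn.strip().strip('"')).lower()

def directive(text, name):
    """Last value of a 'name value' (slapd.conf) or 'name = value' (smb.conf) line; '#' lines skipped."""
    hits = re.findall(r"^\s*" + name + r"\s*=?\s*(.+?)\s*$", text, re.M | re.I)
    return hits[-1] if hits else ""

def ldif_rdn_mismatches(ldif):
    """DNs whose RDN value (e.g. cn=manager) is absent from the entry's own attributes (plain values only)."""
    entries, cur, bad = [], None, []
    for line in ldif.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip().lower()
        if key == "dn":
            cur = {"dn": val}
            entries.append(cur)
        elif cur is not None:
            cur.setdefault(key, set()).add(val)
    for e in entries:
        rkey, _, rval = e["dn"].split(",", 1)[0].partition("=")
        if rval not in e.get(rkey, set()):
            bad.append(e["dn"])
    return bad

def check(slapd_text, smb_text, ldif_text):
    """Findings that explain an 'Invalid credentials' bind before touching a live server."""
    admin = norm_dn(directive(smb_text, "ldap admin dn"))
    root = norm_dn(directive(slapd_text, "rootdn"))
    out = []
    if admin != root:
        out.append(f"ldap admin dn {admin} is not rootdn {root}: rootpw does not apply to that bind")
    for dn in ldif_rdn_mismatches(ldif_text):
        out.append(f"LDIF entry {dn}: RDN value not among its attributes, which LDAP naming rules forbid")
    return out

# Constructed fragments mirroring the posted files (not the full files).
SLAPD_CONF = 'suffix "dc=GRUPO_TRABAJO"\nrootdn "cn=manager,ou=People,dc=GRUPO_TRABAJO"\nrootpw secret\n'
SMB_CONF = '[global]\nldap admin dn = "cn=manager,ou=People,dc=GRUPO_TRABAJO"\nldap ssl = no\n'
LDIF = "dn: cn=manager,ou=People,dc=GRUPO_TRABAJO\ncn: admin\nobjectclass: organizationalRole\n"

if __name__ == "__main__":
    for finding in check(SLAPD_CONF, SMB_CONF, LDIF):
        print(finding)
```

Run it against the real files (read them in place of the constructed strings) and then confirm the bind itself with an ldapsearch using the same DN and password, independently of Samba.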