[KLUG Members] Help for upgrade to Samba 3.0.1 (LDAPSAM) fm 2.2.8a anybody?
Adam Williams
members@kalamazoolinux.org
Mon, 05 Jan 2004 18:21:32 -0500
> |> I've got it almost working but right now it is allowing anyone to
> |> access the shares and won't add a machine even if there is
> |> already a record in the machines ou. I've been watching the logs
> |> but can't find any recognizable errors.
> | What error do you get when you try to join the domain (I assume
> | that's what you mean by "add a machine")?
> "Access is denied" This seems odd since it otherwise grants access
> without a password or anything.
You are using the root username and password? You have to have a root
account in LDAP. And a posixAccount already exists for the machine with
a unique uidNumber and VALID gidNumber?
> | What do your LDAP-related entries in smb.conf look like; mine for
> | example -
> |   passdb backend = ldapsam:ldap://localhost/ guest
> |   ldap admin dn = cn=CIFS DC,ou=System Accounts,o=Morrison Industries,c=US
> |   ldap suffix = o=Morrison Industries,c=US
> |   ldap group suffix = ou=Groups
> |   ldap user suffix = ou=People
> |   ldap machine suffix = ou=System Accounts
> |   idmap backend = ldap:ldap://localhost/
> |   ldap idmap suffix = ou=idMap,ou=CIFS,ou=SubSystems
> |   idmap uid = 40000-50000
> |   idmap gid = 40000-50000
> Well they are:
> ~ passdb backend = ldapsam:ldap://127.0.0.1, smbpasswd, guest
Try using just ldapsam till you get that working for sure; daisy-chained
SAMs while you troubleshoot will leave you bald and fried. This will
make your unfettered access problem go away I suspect (the guest SAM
just says OK).
> ~ ldap suffix = dc=j9starr,dc=net
> ~ ldap machine suffix = ou=Computers
> ~ ldap user suffix = ou=People
> ~ ldap group suffix = ou=Group
> ~ ldap admin dn = cn=root,dc=j9starr,dc=net
> ~ ldap ssl = no
> ~ printer admin = @adm
This ("printer admin") doesn't do anything under 3.0.x.
> ~ printing = cups
> LDAP ssl is turned off because Samba and OpenLDAP live on the same box.
Right, do the same thing here.
> For some reason I don't remember anything about idmaps from my
> previous attempts at this. Are they new? It didn't seem to me like
> they were required.
> If they are, then perhaps my database needs further editing?
You don't need them unless you have trusted domains.
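
An added example, not part of the original message or of Samba: a small Python check that reads the `[global]` section of an smb.conf and reports the items the reply above singles out (a chained `passdb backend`, a `guest` entry in that chain, a missing `ldapsam` backend, and a `printer admin` line). The function names and finding strings are hypothetical, and the sample input is constructed from the settings quoted in the thread.

```python
import re

# Constructed sample: the [global] LDAP settings quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
   passdb backend = ldapsam:ldap://127.0.0.1, smbpasswd, guest
   ldap suffix = dc=j9starr,dc=net
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=root,dc=j9starr,dc=net
   printer admin = @adm
"""

def global_params(text):
    """Return {parameter: value} for the [global] section of an smb.conf."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; collapse runs of whitespace.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def passdb_backends(params):
    """Split 'passdb backend' into its individual backends, in order."""
    return [b for b in re.split(r"[,\s]+", params.get("passdb backend", "")) if b]

def review(text):
    """Return findings that mirror the troubleshooting advice in the thread."""
    params = global_params(text)
    backends = passdb_backends(params)
    findings = []
    if len(backends) > 1:
        findings.append("chained passdb backends: " + ", ".join(backends))
    if any(b.split(":", 1)[0] == "guest" for b in backends):
        findings.append("guest backend is in the chain")
    if not any(b.startswith("ldapsam:") for b in backends):
        findings.append("no ldapsam backend configured")
    if "printer admin" in params:
        findings.append("printer admin is set")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_SMB_CONF):
        print("WARN:", finding)
```

A configuration whose only backend is `ldapsam:ldap://127.0.0.1` produces no findings, which is the state the reply recommends reaching before adding any other backend back.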