[KLUG Members] Help for upgrade to Samba 3.0.1 (LDAPSAM) fm 2.2.8a anybody?

Jim C. members@kalamazoolinux.org
Mon, 05 Jan 2004 18:10:21 -0800


Adam Williams wrote:

|> |> I've got it almost working but right now it is allowing anyone
|> |> to access the shares and won't add a machine even if there is
|> |> already a record in the machines ou.  I've been watching the
|> |> logs but can't find any recognizable errors.
|> |
|> | What error do you get when you try to join the domain (I assume
|> | that's what you mean by "add a machine")?
|>
|> "Access is denied"  This seems odd since it otherwise grants access
|> without a password or anything.
|
|
| You are using the root username and password?  You have to have a
| root account in LDAP.  And a posixAccount already exists for the
| machine with a unique uidNumber and VALID gidNumber?
|
Hmmmm, in 2.2.8a the builtin accounts like "Administrator" weren't
actually functional.  Are you saying that now there are some
functional builtins?
It should be no trouble to change the Administrator's uid to 0 for a
test.   I'll give that a try this evening.  Now if I change the
Administrator account's uid to 0, isn't that going to cause trouble
when Administrator tries to log into one of the Linux boxes? Hmmmm...
I could perhaps fix this by putting it in a different ou or something.

|> | What do your ldap related entries in smb.conf look like; mine
|> | for example -
|> |         passdb backend = ldapsam:ldap://localhost/ guest
|> |         ldap admin dn = cn=CIFS DC,ou=System Accounts,o=Morrison Industries,c=US
|> |         ldap suffix = o=Morrison Industries,c=US
|> |         ldap group suffix = ou=Groups
|> |         ldap user suffix = ou=People
|> |         ldap machine suffix = ou=System Accounts
|> |         idmap backend = ldap:ldap://localhost/
|> |         ldap idmap suffix = ou=idMap,ou=CIFS,ou=SubSystems
|> |         idmap uid = 40000-50000
|> |         idmap gid = 40000-50000
|>
|> Well they are:
|>         passdb backend = ldapsam:ldap://127.0.0.1, smbpasswd, guest
|
|
| Try using just ldapsam till you get that working for sure; daisy
| chained SAMs while you troubleshoot will leave you bald and fried.
| This will make your unfettered access problem go away I suspect
| (the guest SAM just says OK).

Ah... that makes sense.

|>         ldap suffix = dc=j9starr,dc=net
|>         ldap machine suffix = ou=Computers
|>         ldap user suffix = ou=People
|>         ldap group suffix = ou=Group
|>         ldap admin dn = cn=root,dc=j9starr,dc=net
|>         ldap ssl = no
|>         printer admin = @adm
|
|
| This ("printer admin") doesn't do anything under 3.0.x
|
OK, then I'll axe that too.

|>         printing = cups
|>
|> LDAP ssl is turned off because Samba and OpenLDAP live on the same
|> box.
|
| Right, do the same thing here.

Gotcha.

|> For some reason I don't remember anything about idmaps from my
|> previous attempts at this.   Are they new?  It didn't seem to me
|> like they were required. If they are, then perhaps my database
|> needs further editing?
|
|
| You don't need them unless you have trusted domains.


Can you tell me what a trusted domain is in brief?
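As an added illustration (not part of the thread, and not Samba's own tooling), here is a small audit script for the smb.conf points raised above: it parses the [global] section, splits the "passdb backend" chain, and flags the "guest" backend and daisy-chained SAMs that the reply blames for the open shares, plus the "printer admin" option it says does nothing under 3.0.x. The sample smb.conf is constructed, modelled on the config quoted in the thread.

```python
import re
import shlex

# Constructed sample smb.conf, modelled on the config quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
        passdb backend = ldapsam:ldap://127.0.0.1, smbpasswd, guest
        ldap suffix = dc=example,dc=net
        ldap admin dn = cn=root,dc=example,dc=net
        ldap ssl = no
        printer admin = @adm
        printing = cups
[homes]
        browseable = no
"""

def parse_global(text):
    """Return the [global] section as a dict keyed by normalised option name."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):   # blank or comment
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:                                          # new section header
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, val = line.partition("=")
            params[" ".join(key.split()).lower()] = val.strip()
    return params

def passdb_chain(value):
    """Split a 'passdb backend' value into backend names, dropping ':args'.
    Handles both space- and comma-separated lists and quoted arguments."""
    backends = []
    for token in shlex.split(value):
        token = token.strip(",")
        if token:
            backends.append(token.split(":", 1)[0].lower())
    return backends

def audit(text):
    """Return findings for the settings discussed in the thread."""
    g = parse_global(text)
    findings = []
    chain = passdb_chain(g.get("passdb backend", "smbpasswd"))  # Samba's default
    if "guest" in chain:
        findings.append("'guest' in passdb chain (the guest SAM just says OK)")
    if len(chain) > 1:
        findings.append("daisy-chained passdb backends; use ldapsam alone to troubleshoot")
    if "printer admin" in g:
        findings.append("'printer admin' has no effect under 3.0.x")
    return findings
```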