Hello Dan,

On 11/9/12, Dan Lavu <dan@xxxxxxxx> wrote:
> So I think you're missing one fundamental thing here. You still need to
> create the users in 389 to get this working correctly and have them show up
> in 'getent passwd', you might have to enumerate the users too. So adding
> the samba schema extends and adds the samba attributes to 389 but nothing
> is filling out the information
>
> For example,
> objectclass: sambaDomain
> objectclass: sambaUnixIdPool
> sambaDomainName: <YOURWORKGROUP>
> sambaSID: S-1-5-21-1803520230-1543781662-649387223 << You have to ask
> yourself what generates this?
>
> Nothing in 389 will, but smbpasswd -a will, so first make sure you can get
> a userlist on your linux machine,
>
> getent passwd -s ldap $userid
>
> Does the user show up? If it doesn't, configure your
> ldap.conf/nsswitch.conf/pam.d/* again or sssd.
>
> Dan

Well, 389-ds was already configured, so all posix users in the ldap were
able to log in to this server because I had configured the server as an ldap
client using nss_ldap libs, being RHEL 5.8. getent passwd pulls local as
well as ldap users fine.

ldapsearch -x -Z '(uid=ugandhi)'
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (uid=ugandhi)
# requesting: ALL
#

# ugandhi, People, blah
dn: uid=ugandhi,ou=People,dc=abc,dc=def,dc=ghi
givenName: Upendra
sn: Gan
loginShell: /bin/bash
uidNumber: 200
gidNumber: 600
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: ugandhi
cn: Upendra Gan
homeDirectory: /home/ugandhi

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

getent passwd -s ldap ugandhi
ugandhi:*:200:600:Upendra Gan:/home/ugandhi:/bin/bash

So this part was always good (389-ds server and client and home directory
mounts via autofs).

Now my question is: Does the user need to exist in ldap (example ugandhi
above) and then smbpasswd -a ugandhi will work?

I can of course try it myself but is that the way it is supposed to be? I
think I had worked on a different implementation of SMB+OpenLDAP on Ubuntu
where the smb-ldap utils package was also used and smbldap-useradd would add
the user in both samba and ldap and both places had uid/gid fields matching
for that user. The howto above didn't mention that testuser was existing in
the 389-ds directory, or did I miss that part? The ldapsearch for testuser
does show uidNumber and gidNumber. So probably testuser already existed in
the 389-ds directory and smbpasswd -a testuser added those additional samba
fields as you said in your email. Correct me if I am understanding this
incorrectly.

Thanks again.
Upen

>
> -----Original Message-----
> From: upen [mailto:upendra.gandhi@xxxxxxxxx]
> Sent: Thursday, November 8, 2012 10:09 PM
> To: Dan Lavu
> Cc: General discussion list for the 389 Directory server project.
> Subject: Re: samba+ldap
>
> On 11/8/12, Dan Lavu <dan@xxxxxxxx> wrote:
>> I also found the samba/ldap docs lacking, when I first tried to set
>> this up. Then I turned around and configured Kerberos/AD with samba
>> and used Kerberos auth for my Linux machines.
>>
>> Now that I've done quite a few 389 implementations and going through
>> that doc again, it makes sense to me. What part are you having trouble
>> with?
>>
>> Dan
>>
>> *From:* upen <upendra.gandhi@xxxxxxxxx>
>> *Sent:* November 8, 2012 5:33 PM
>> *To:* General discussion list for the 389 Directory server project.
>> *Subject:* samba+ldap
>>
>> Hello,
>>
>> I am trying to set up Samba with existing 389-ds on the same server.
>> Following http://directory.fedoraproject.org/wiki/Howto:Samba didn't
>> help.
>> Does anyone know if there is any other useful updated document for
>> this purpose?
>
> Thanks for your feedback Dan.
>
> I started noticing issues after completing the steps from that Howto.
> First problem I encountered was smbadduser -a didn't work.
>
> smbpasswd -a testuser
> New SMB password:
> Retype new SMB password:
> Failed to modify password entry for user testuser
>
> Then, out of curiosity I added a testuser account in local unix accounts
> (non ldap) and smbpasswd -a testuser worked after that change.
> I really don't want to follow this path. Why would there be a need to add
> local users in unix? Isn't there any other simpler way? I wonder.
>
> After doing smbpasswd -a, I checked the ldap database for the user account.
>
> ldapsearch -x -Z '(uid=testuser)'
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope subtree
> # filter: (uid=testuser)
> # requesting: ALL
> #
>
> # testuser, People,
> dn: uid=testuser,ou=People,dc=abc,dc=def,dc=ghi
> uid: testuser
> sambaSID: S-1-5-21-21252568-3149985612-3984985731-2004
> sambaLMPassword: 19DA5A9CC97F169BAAD3B435B51404EE
> sambaNTPassword: 0B6549421B2E7333E0E281F3BA5EEA94
> sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
>  00000000
> sambaPwdLastSet: 1352429483
> sambaAcctFlags: [U ]
> objectClass: sambaSamAccount
> objectClass: account
> objectClass: top
>
> I don't see uidnumber and gidnumber. Not sure what went wrong.
>
> Thanks.
>
> --
> upen, emerge -uD life (Upgrade Life with dependencies)

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
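An added check, not from the thread and not part of Samba or 389-ds: a small Python script that parses `ldapsearch` LDIF output like the two listings above and reports, per entry, whether it is in the state Dan describes (a `posixAccount` entry that `getent` can resolve, with the `sambaSamAccount` attributes that `smbpasswd -a` adds living on the same DN). The sample LDIF is constructed from the two listings in the thread with the password hashes left out; the function names and finding texts are my own, and the script only inspects the directory, so whether `getent` actually resolves an entry still depends on the nss_ldap/sssd client configuration.

```python
"""Audit ldapsearch LDIF output for Samba/POSIX account consistency.

Hypothetical helper written for this thread (not Samba or 389-ds code).
It parses LDIF as printed by `ldapsearch -x -Z '(uid=...)'` and flags
entries whose Samba attributes and POSIX attributes do not share a DN,
which is the symptom in the testuser listing above.
"""
import base64
import sys
from collections import defaultdict

# Constructed sample modelled on the two listings in the thread. Password
# hashes and attributes irrelevant to the check are left out.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
#

# ugandhi, People, blah
dn: uid=ugandhi,ou=People,dc=abc,dc=def,dc=ghi
uidNumber: 200
gidNumber: 600
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: posixAccount
uid: ugandhi
cn: Upendra Gan
homeDirectory: /home/ugandhi
loginShell: /bin/bash

# testuser, People
dn: uid=testuser,ou=People,dc=abc,dc=def,dc=ghi
uid: testuser
sambaSID: S-1-5-21-21252568-3149985612-3984985731-2004
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1352429483
sambaAcctFlags: [U          ]
objectClass: sambaSamAccount
objectClass: account
objectClass: top

# search result
search: 3
result: 0 Success
"""


def parse_ldif(text):
    """Return a list of (dn, {attr_lowercase: [values]}) from LDIF text.

    Handles '#' comment lines, blank-line entry separators, folded
    continuation lines (leading space) and base64 values ('attr:: ...').
    Attribute names are lowercased because LDAP treats them case-insensitively.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:   # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, attrs = [], None
    for line in logical + [""]:               # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if attrs is not None and "dn" in attrs:
                entries.append((attrs["dn"][0], attrs))
            attrs = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):             # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attrs is None:
            attrs = defaultdict(list)
        attrs[name.strip().lower()].append(value)
    return entries


def audit_account(attrs):
    """Return findings for one entry; an empty list means it looks consistent."""
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    has_posix = "posixaccount" in classes
    has_samba = "sambasamaccount" in classes
    findings = []
    if has_samba and not has_posix:
        findings.append("sambaSamAccount without posixAccount: smbpasswd -a created "
                        "a separate entry instead of extending the POSIX one")
    if has_posix and not has_samba:
        findings.append("posixAccount without sambaSamAccount: run smbpasswd -a "
                        "while this user resolves through getent")
    for attr in ("uidNumber", "gidNumber"):
        if not attrs.get(attr.lower()):
            findings.append("missing %s: getent will not resolve this entry" % attr)
    if has_samba and not attrs.get("sambasid"):
        findings.append("sambaSamAccount without sambaSID")
    return findings


def audit_ldif(text):
    """Map every DN in the LDIF to its list of findings."""
    return {dn: audit_account(attrs) for dn, attrs in parse_ldif(text)}


if __name__ == "__main__":
    # Pipe real output in: ldapsearch -x -Z '(uid=testuser)' | python audit.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for dn, findings in audit_ldif(source).items():
        print(dn)
        for f in findings or ["ok"]:
            print("  -", f)
```

On the constructed sample the ugandhi entry is reported only as not yet having `sambaSamAccount` attributes, while the testuser entry is flagged three times: Samba attributes without `posixAccount`, and no `uidNumber` or `gidNumber`, which is exactly why `getent` cannot see it. An entry that comes back with no findings is one that `smbpasswd -a` extended in place rather than recreated.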