On 11/9/12, upen <upendra.gandhi@xxxxxxxxx> wrote:
> Hello Dan,
>
> On 11/9/12, Dan Lavu <dan@xxxxxxxx> wrote:
>> So I think you're missing one fundamental thing here. You still need to
>> create the users in 389 to get this working correctly and have them show up
>> in 'getent passwd'; you might have to enumerate the users too. So adding
>> the samba schema extends and adds the samba attributes to 389, but nothing
>> is filling out the information.
>>
>> For example,
>> objectclass: sambaDomain
>> objectclass: sambaUnixIdPool
>> sambaDomainName: <YOURWORKGROUP>
>> sambaSID: S-1-5-21-1803520230-1543781662-649387223 << You have to ask
>> yourself what generates this?
>>
>> Nothing in 389 will, but smbpasswd -a will, so first make sure you can get a
>> userlist on your linux machine,
>>
>> getent passwd -s ldap $userid
>>
>> Does the user show up? If it doesn't, configure your
>> ldap.conf/nsswitch.conf/pam.d/* again or sssd.
>>
>> Dan
>
> Well, 389-ds was already configured, so all posix users in the ldap
> were able to login into this server because I had configured the
> server as an ldap client using nss_ldap libs, being RHEL 5.8.
>
> getent passwd pulls local as well as ldap users fine.
>
> ldapsearch -x -Z '(uid=ugandhi)'
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope subtree
> # filter: (uid=ugandhi)
> # requesting: ALL
> #
>
> # ugandhi, People, blah
> dn: uid=ugandhi,ou=People,dc=abc,dc=def,dc=ghi
> givenName: Upendra
> sn: Gan
> loginShell: /bin/bash
> uidNumber: 200
> gidNumber: 600
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: posixAccount
> uid: ugandhi
> cn: Upendra Gan
> homeDirectory: /home/ugandhi
>
> # search result
> search: 3
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> getent passwd -s ldap ugandhi
> ugandhi:*:200:600:Upendra Gan:/home/ugandhi:/bin/bash
>
> So this part was always good (389-ds server and client and home
> directory mounts via autofs).
>
> Now my question is: Does the user need to exist in ldap (example
> ugandhi above) and then smbpasswd -a ugandhi will work? I can of course
> try it myself, but is that the way it is supposed to be?

I think I didn't read this line in the HowTo correctly:

  Finally start the Samba service and map an "existing" user entry to a Samba user

So that does probably mean that I need to have 'testuser' in the 389-ds
directory prior to running smbpasswd -a testuser. Sorry for the ignorance.

>
> I think I had worked on a different implementation of SMB+OpenLDAP on
> Ubuntu where the smb-ldap utils package was also used and smbldap-useradd
> would add the user in both samba and ldap, and both places had uid/gid
> fields matching for that user.
>
> The howto above didn't mention that testuser was existing in the 389-ds
> directory, or did I miss that part? The ldapsearch for testuser does
> show uidNumber and gidNumber. So probably testuser already existed in the
> 389-ds directory and smbpasswd -a testuser added those additional
> samba fields, as you said in your email. Correct me if I am
> understanding this incorrectly.
>
> Thanks again.
> Upen
>>
>>
>> -----Original Message-----
>> From: upen [mailto:upendra.gandhi@xxxxxxxxx]
>> Sent: Thursday, November 8, 2012 10:09 PM
>> To: Dan Lavu
>> Cc: General discussion list for the 389 Directory server project.
>> Subject: Re: samba+ldap
>>
>> On 11/8/12, Dan Lavu <dan@xxxxxxxx> wrote:
>>> I also found the samba/ldap docs lacking when I first tried to set
>>> this up. Then I turned around and configured Kerberos/AD with samba
>>> and used Kerberos auth for my Linux machines.
>>>
>>> Now that I've done quite a few 389 implementations and going through
>>> that doc again, it makes sense to me. What part are you having trouble with?
>>>
>>> Dan
>>>
>>> *From:* upen <upendra.gandhi@xxxxxxxxx>
>>> *Sent:* November 8, 2012 5:33 PM
>>> *To:* General discussion list for the 389 Directory server project.
>>> *Subject:* samba+ldap
>>>
>>> Hello,
>>>
>>> I am trying to setup Samba with existing 389-ds on the same server.
>>> Following http://directory.fedoraproject.org/wiki/Howto:Samba didn't
>>> help.
>>> Does anyone know if there is any other useful updated document for
>>> this purpose?
>>
>> Thanks for your feedback Dan.
>>
>> I started noticing issues after completing the steps from that Howto.
>> The first problem I encountered was that smbadduser -a didn't work.
>>
>> smbpasswd -a testuser
>> New SMB password:
>> Retype new SMB password:
>> Failed to modify password entry for user testuser
>>
>> Then, out of curiosity, I added a testuser account in the local unix
>> accounts (non-ldap) and smbpasswd -a testuser worked after that change.
>> I really don't want to follow this path. Why would there be a need to add
>> local users in unix? Isn't there any other simpler way? I wonder.
>>
>> After doing smbpasswd -a, I checked the ldap database for the user account.
>>
>> ldapsearch -x -Z '(uid=testuser)'
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <> with scope subtree
>> # filter: (uid=testuser)
>> # requesting: ALL
>> #
>>
>> # testuser, People,
>> dn: uid=testuser,ou=People,dc=abc,dc=def,dc=ghi
>> uid: testuser
>> sambaSID: S-1-5-21-21252568-3149985612-3984985731-2004
>> sambaLMPassword: 19DA5A9CC97F169BAAD3B435B51404EE
>> sambaNTPassword: 0B6549421B2E7333E0E281F3BA5EEA94
>> sambaPasswordHistory:
>>  00000000000000000000000000000000000000000000000000000000
>>  00000000
>> sambaPwdLastSet: 1352429483
>> sambaAcctFlags: [U ]
>> objectClass: sambaSamAccount
>> objectClass: account
>> objectClass: top
>>
>> I don't see uidNumber and gidNumber. Not sure what went wrong.
>>
>> Thanks.
>>
>>
>
>
> --
> upen,
> emerge -uD life (Upgrade Life with dependencies)

--
upen,
emerge -uD life (Upgrade Life with dependencies)

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
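The thread turns on the shape of the directory entry: the ugandhi entry carries posixAccount with uidNumber/gidNumber but no samba attributes, while the testuser entry that smbpasswd -a produced carries sambaSamAccount and sambaSID but no uidNumber/gidNumber. The script below is an added example, not code from the thread or from the 389/Samba projects; it reads LDIF (for instance the output of ldapsearch) and reports which half is missing. The sample entries, the DNs under dc=example,dc=test, and the user names alice and bob are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): classify an LDIF entry by whether it
# has the POSIX identity that NSS resolves (posixAccount + uidNumber + gidNumber)
# and the Samba attributes that smbpasswd -a fills in (sambaSamAccount + sambaSID).
# Pipe a single entry in, e.g.:
#   ldapsearch -x -Z -LLL "(uid=$USER)" | check_samba_entry
# Prints one of: OK, MISSING_POSIX, MISSING_SAMBA, MISSING_BOTH, NO_ENTRY
check_samba_entry() {
    awk '
    BEGIN { dn = 0; posix = 0; samba = 0; uidn = 0; gidn = 0; sid = 0 }
    # Only attribute lines start with a letter; this skips ldapsearch
    # comments (#), blank lines and folded continuation lines (leading space).
    # LDAP attribute names and objectClass values are case-insensitive,
    # so everything is compared lower-cased.
    /^[A-Za-z]/ {
        key = tolower($1); val = tolower($2)
        if (key == "dn:")                 dn = 1
        else if (key == "objectclass:") {
            if (val == "posixaccount")    posix = 1
            if (val == "sambasamaccount") samba = 1
        }
        else if (key == "uidnumber:")     uidn = 1
        else if (key == "gidnumber:")     gidn = 1
        else if (key == "sambasid:")      sid = 1
    }
    END {
        if (!dn) { print "NO_ENTRY"; exit }
        p = (posix && uidn && gidn)
        s = (samba && sid)
        if (p && s)        print "OK"
        else if (!p && !s) print "MISSING_BOTH"
        else if (!p)       print "MISSING_POSIX"
        else               print "MISSING_SAMBA"
    }'
}

# Constructed sample: a posixAccount entry before smbpasswd -a has touched it.
sample_posix_only() {
cat <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=test
objectClass: top
objectClass: person
objectClass: posixAccount
uid: alice
uidNumber: 200
gidNumber: 600
homeDirectory: /home/alice
EOF
}

# Constructed sample: an entry holding only what smbpasswd -a writes,
# including a folded sambaPasswordHistory value as ldapsearch prints it.
sample_samba_only() {
cat <<'EOF'
dn: uid=bob,ou=People,dc=example,dc=test
uid: bob
sambaSID: S-1-5-21-1-2-3-2004
sambaPasswordHistory: 000000000000000000000000000000000000000000000000000000
 0000000000
sambaAcctFlags: [U ]
objectClass: sambaSamAccount
objectClass: account
objectClass: top
EOF
}

# Constructed sample: a complete entry with both sets of attributes.
sample_complete() {
cat <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=test
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 200
gidNumber: 600
sambaSID: S-1-5-21-1-2-3-1400
EOF
}

# Constructed sample: what ldapsearch prints when the filter matches nothing.
sample_empty() {
cat <<'EOF'
# search result
search: 2
result: 0 Success
EOF
}

for f in sample_posix_only sample_samba_only sample_complete sample_empty; do
    printf '%s: %s\n' "$f" "$($f | check_samba_entry)"
done
```

This complements Dan's first check rather than replacing it: `getent passwd -s ldap $userid` proves that NSS can resolve the account, while this script inspects the entry itself, which is where upen's testuser turned out to lack uidNumber and gidNumber. A MISSING_SAMBA result is the expected state of a directory user before smbpasswd -a is run against it.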