CentOS 5.x Samba Domain Controller With LDAP Backend - Page 2

Submitted by galexander on Fri, 2009-11-06 17:52.

Setting up remote administration of the ldap directory

Edit /etc/php.ini and make sure memory_limit is set to at least 32 MB:

memory_limit = 32M

Last I checked, the version of phpldapadmin available via yum was broken, so we'll fetch the latest release and extract it. Go to http://sourceforge.net/project/showfiles.php?group_id=61828&package_id=177751 and download the latest version. In my case that resulted in the following commands; your package may be newer:

mkdir /var/www/html/samba && cd /var/www/html/samba
wget http://softlayer.dl.sourceforge.net/sourceforge/phpldapadmin/phpldapadmin-1.1.0.7.tar.gz
tar zxf phpldapadmin-1.1.0.7.tar.gz
ln -s phpldapadmin-1.1.0.7 pla
cp pla/config/config.php.example pla/config/config.php

Now edit ./pla/config/config.php and uncomment the following line:

$config->custom->jpeg['tmpdir'] = "/tmp";

 

Make newly setup software available

service httpd restart
chkconfig httpd on

Edit /etc/sysconfig/iptables, find the line that allows ssh (--dport 22 -j ACCEPT), and right after it add the following (assuming your CentOS install produced the default iptables file):

#Allow Https://
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#Allow samba:
-A RH-Firewall-1-INPUT -m multiport -p udp --dport 137,138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m multiport -p tcp --dport 139,445 -j ACCEPT

Now open your web browser, visit https://192.168.0.5/samba/pla/ and log in with the username cn=root,dc=DOMAINNAME and your password. You should be able to look around and see some junk.

 

Integrate ldap and Samba

mv /etc/samba/smb.conf /etc/samba/smb.conf.dist
cp /usr/share/doc/smbldap-tools-0.9.5/smb.conf /etc/samba/smb.conf

Edit /etc/samba/smb.conf to your liking; the default ldap section should be fine.
Under [global], you will need to add these three settings, which are not there by default:

ldap ssl = off
nt acl support = yes

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE

cp /usr/share/doc/smbldap-tools-0.9.5/smbldap.conf /etc/smbldap-tools/smbldap.conf
net getlocalsid

Note that net getlocalsid will print a number of errors, because you haven't fully configured Samba yet, but at the end it will produce the SID you need for the next step.

Edit /etc/smbldap-tools/smbldap.conf and fill in the SID, the domain name and the other site-specific values; they appear throughout the file, so read it through to the end.

Edit /etc/smbldap-tools/smbldap_bind.conf and change both applicable lines, replacing "secret" with your password.

chmod 644 /etc/smbldap-tools/smbldap.conf
chmod 600 /etc/smbldap-tools/smbldap_bind.conf
authconfig-tui

Check that the authconfig-tui screen shows this option, unchecked:

[ ] Local authorization is sufficient

Now test your samba config:

testparm

smbpasswd -w YOUR_ROOT_LDAP_PASS_HERE
smbldap-populate

smbldap-populate will ask for the password; enter it.

 

Start the LDAP Samba installation up

/etc/init.d/smb start
chkconfig smb on

Add users/groups, correlate between unix and ldap:

useradd user1
smbldap-useradd -a -G 'Domain Users' -m -s /bin/bash -d /home/user1 -F "" -P user1

Get a picture of the group mappings LDAP assumes, including the UNIX groups that don't exist yet:

net groupmap list

Output is something like:

Domain Admins (S-1-5-21-990788473-1556064292-4137819756-512) -> domain_admins
Domain Users (S-1-5-21-990788473-1556064292-4137819756-513) -> domain_users
Domain Guests (S-1-5-21-990788473-1556064292-4137819756-514) -> 514
Domain Computers (S-1-5-21-990788473-1556064292-4137819756-515) -> 515
Administrators (S-1-5-32-544) -> 544
Account Operators (S-1-5-32-548) -> 548
Print Operators (S-1-5-32-550) -> 550
Backup Operators (S-1-5-32-551) -> 551
Replicators (S-1-5-32-552) -> 552

Add correlating groups to unix, using the suggested GIDs:

groupadd -g 514 samba_domain_guests
groupadd -g 515 samba_domain_computers
groupadd -g 544 samba_administrator
groupadd -g 548 samba_account_operators
groupadd -g 550 samba_print_operators
groupadd -g 551 samba_backup_operators
groupadd -g 552 samba_replicators

If you want to add a non-built-in group to LDAP/Samba, say for controlling which users can write/read files on a share, and have it determine that by groups:

smbldap-groupadd -a "People In Our Office"

Then get the output from net groupmap list again and correlate the newly created group's GID just like last time, adding the group to the unix system:

groupadd -g 1001 samba_people_in_our_office
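As an added example (not part of the HowTo), the shell functions below automate the correlation step just described: one turns net groupmap list output into the groupadd commands written out by hand above, and the other reports mapped unix group names that a group(5) file does not contain. The sample groupmap output is constructed for the example, with made-up SIDs; on a real server you would pipe net groupmap list into the functions instead.

```shell
#!/bin/sh
# Added example, not from the HowTo: derive groupadd commands from
# `net groupmap list` output and check mappings against /etc/group.

# Constructed sample of `net groupmap list` output (SIDs and names made up).
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-990788473-1556064292-4137819756-512) -> domain_admins
Domain Users (S-1-5-21-990788473-1556064292-4137819756-513) -> domain_users
Domain Guests (S-1-5-21-990788473-1556064292-4137819756-514) -> 514
Administrators (S-1-5-32-544) -> 544
People In Our Office (S-1-5-21-990788473-1556064292-4137819756-3003) -> 1001'

# suggest_groupadds: read groupmap lines on stdin and print one groupadd
# command for every mapping whose unix side is still a bare GID, naming the
# unix group samba_<lowercased windows name> as the HowTo does.
suggest_groupadds() {
    awk '
        index($0, " -> ") > 0 {
            gid = $NF
            if (gid !~ /^[0-9]+$/) next        # already mapped to a named group
            name = $0
            sub(/ [(].*$/, "", name)           # keep only the windows group name
            name = tolower(name)
            gsub(/[^a-z0-9]+/, "_", name)
            printf "groupadd -g %s samba_%s\n", gid, name
        }'
}

# missing_mapped_groups: given groupmap lines on stdin and a group(5) file
# as $1, print the unix group names Samba maps to that the file lacks.
missing_mapped_groups() {
    awk -F: '
        NR == FNR { have[$1] = 1; next }       # first file: group(5) names
        {
            n = split($0, a, " -> ")
            if (n < 2) next
            g = a[n]
            if (g ~ /^[0-9]+$/) next           # numeric: no unix group expected yet
            if (!(g in have)) print g
        }' "$1" -
}

# Usage on the sample (on a real server: net groupmap list | suggest_groupadds):
#   printf '%s\n' "$SAMPLE_GROUPMAP" | suggest_groupadds
#   printf '%s\n' "$SAMPLE_GROUPMAP" | missing_mapped_groups /etc/group
```

Review the generated commands before running them: the group names are only a naming convention, and a GID that is already taken in /etc/group needs a different mapping rather than a second group.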

Add users to LDAP groups via the web interface, then correlate in unix:

usermod -a -G UNIX_GROUP_NAME UNIX_USERNAME

Also add computer accounts to unix, using the "samba_domain_computers" group from above; machine account names must end with a "$":

useradd -M -g 515 -s /bin/false officecomp1$

Last, and certainly optional, you may want to turn off the unnecessary services CentOS runs by default. I determined that I, specifically, don't need any of the following. Your needs may differ, so look each one up before you turn it off:

chkconfig ntpd off
chkconfig bluetooth off
chkconfig xinetd off
chkconfig smartd off
chkconfig yum-updatesd off
chkconfig rpcidmapd off
chkconfig rpcgssd off
chkconfig restorecond off
chkconfig portmap off
chkconfig pcscd off
chkconfig nfslock off
chkconfig mcstrans off
chkconfig mdmonitor off
chkconfig irqbalance off
chkconfig kudzu off
chkconfig ip6tables off
chkconfig hidd off
chkconfig gpm off
chkconfig haldaemon off
chkconfig autofs off
chkconfig avahi-daemon off
service ntpd stop
service bluetooth stop
service xinetd stop
service smartd stop
service yum-updatesd stop
service rpcidmapd stop
service rpcgssd stop
service restorecond stop
service portmap stop
service pcscd stop
service nfslock stop
service mcstrans stop
service mdmonitor stop
service irqbalance stop
service kudzu stop
service ip6tables stop
service hidd stop
service gpm stop
service haldaemon stop
service autofs stop
service avahi-daemon stop

(Optional) Upgrade Samba so Windows 7 computers can join the domain

Make sure ldap ssl = off is set in /etc/samba/smb.conf: the CentOS distro version of Samba (3.0.x) ran properly without it, but the 3.3.x packages we are about to install, which support Windows 7, require it.

We will get the newer samba RPMs built for CentOS from Sernet:

cd /etc/yum.repos.d/
wget http://ftp.sernet.de/pub/samba/3.3/centos/5/sernet-samba.repo
yum update

Your samba packages will update from the Sernet repo.
After the upgrade, the CentOS smb service entry disappeared; re-add it:

chkconfig --add smb
chkconfig smb on

Now add the Windows 7 computer to Unix (assuming your domain computers' group name is "samba_domain_computers"):

useradd -M -g "$(getent group samba_domain_computers | cut -d: -f3)" -s /bin/false win7-computername$
usermod -a -G samba_domain_computers win7-computername$

Now join your Windows 7 PC to the domain using this official Samba mini guide:
http://wiki.samba.org/index.php/Windows7


Please do not use the comment function to ask for help! If you need help, please use our forum.
Submitted by Anonymous (not registered) on Tue, 2012-10-02 08:44.

"You should be able to look around and see some junk."

Nope. I can't seem to log in. I can cut and paste the rootdn and password to my heart's content, but I can't seem to log in.

 To make matters worse, I know not the slightest how to even begin to debug the problem I'm having.  I can forward along the custom kickstart I've been building as I go.

 "If you need help, please use our forum"

 ... which requires YET ANOTHER login and YET ANOTHER username.  I don't need my comments posted.  I just need help to figure out where I've fallen off the tracks.  I'm just about at my wit's end, and a cheap imitation of usenet where messages seem to expire like mayflies isn't going to help! ;-)   Can you help?

Submitted by ecollins (registered user) on Fri, 2011-07-01 18:35.
Windows XP /system/properties/computer name, when trying to set up the network id through the network identification wizard, I can enter the user info and click next. When I enter the computer name and computer domain I am asked to enter the name & password of an account with permissions to join the domain. I get a message your computer could not be joined to the domain because the following error has occurred, the user's password must be changed before logging on the first time. What do you do?
Submitted by Anonymous (not registered) on Sun, 2011-03-13 15:29.

Need help plz

I have a problem when i run the command net groupmap list

 [root@localhost samba]# net groupmap list
[2011/03/14 16:17:54, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(3107)
  ldapsam_setsamgrent: LDAP search failed: No such object
[2011/03/14 16:17:54, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(3179)
  ldapsam_enum_group_mapping: Unable to open passdb

 

output of slapcat

dn: dc=ines
objectClass: dcObject
objectClass: organization
o: CentOS Directory Server
dc: ines
structuralObjectClass: organization
entryUUID: da44fbe6-e291-102f-8e9c-29d89cefd736
creatorsName: cn=root,dc=ines
modifiersName: cn=root,dc=ines
createTimestamp: 20110314141944Z
modifyTimestamp: 20110314141944Z
entryCSN: 20110314141944Z#000000#00#000000

dn: cn=root,dc=ines
objectClass: organizationalRole
cn: root
structuralObjectClass: organizationalRole
entryUUID: da464a50-e291-102f-8e9d-29d89cefd736
creatorsName: cn=root,dc=ines
modifiersName: cn=root,dc=ines
createTimestamp: 20110314141944Z
modifyTimestamp: 20110314141944Z

Submitted by Boss (not registered) on Thu, 2010-08-05 11:55.

Hi, 

Able to connect the WinXP & 7 without any issue, not able to connect the linux clients

 

Please help me to add/connect a linux client pc into the ldap+samba domain...

Submitted by mirmit (not registered) on Wed, 2010-07-21 12:56.

In order to start over with a fresh ldap database, I found the following solution:

 stop the ldap server:

 service ldap stop

delete all database files

rm -f /var/lib/ldap/*

restart server 

service ldap start

you can then repopulate the database

smbldap-populate

Submitted by Anonymous (not registered) on Thu, 2011-05-26 10:22.

I have the same problem, and I still have it despite having done the solution.

Someone can help please?

Submitted by Patrick Peres (not registered) on Tue, 2010-07-06 13:39.

hi,

I tried to configure my server but the server shows me this error

 [root@srvapp01 samba]# smbldap-populate

Populating LDAP directory for domain DOMSMB (S-1-5-21-723961999-3622360822-1265576354)

(using builtin directory structure)


Could not start_tls: Operations error at /usr/sbin//smbldap_tools.pm line 341.

 congratulations for this post.

 Tks 

 Patrick

Submitted by zebmckey (registered user) on Fri, 2010-12-10 12:04.
in  /etc/smbldap-tools/smbldap.conf set ldapTLS="0"
Submitted by Ashish Awasthi (not registered) on Mon, 2010-04-26 11:15.
Hello! How would I come to know what my password is? The password that I generated using the slappasswd command is in encrypted form, so how will I know my real password? Please help.
Submitted by Anonymous (not registered) on Thu, 2010-07-29 16:30.
slappasswd asks for a password. The password you type in is your password :-). The hash which was created is the password which you typed in, encrypted in a one-way hash.
Submitted by Harshad (not registered) on Wed, 2010-03-03 12:42.

Executing the smbldap-populate command as stated above, the following error occurs

"erreur LDAP: Can't contact master ldap server for writing (IO::Socket::INET: connect: Connection refused) at /usr/sbin//smbldap_tools.pm line 322"

Can you please suggest solution for this

//my smbldap.conf file

# $Source: $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

#  This code was developped by IDEALX (http://IDEALX.org/) and
#  contributors (their names can be found in the CONTRIBUTORS file).
#
#                 Copyright (C) 2001-2002 IDEALX
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.

#  Purpose :
#       . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-3963180848-190588318-1689166184"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="PDC-SRV"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
#slaveLDAP="ldap.iallanis.info"

# Slave LDAP port
# If not defined, parameter is set to "389"
#slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="ldap.harh.com"

# Master LDAP port
# If not defined, parameter is set to "389"
#masterPort="389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "0"
ldapTLS="1"

# Use SSL for LDAP
# If set to 1, this option will use SSL for connection
# (standard port for ldaps is 636)
# If not defined, parameter is set to "0"
ldapSSL="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.iallanis.info.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.iallanis.info.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=harh,dc=com"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\PDC-SRV\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\PDC-SRV\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="harh.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="1"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="1"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"

//My smbldap_bind.conf file

 ############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
#slaveDN="cn=Manager,dc=iallanis,dc=info"
#slavePw="secret"
masterDN="cn=root,dc=harh,dc=com"
masterPw="{SSHA}t8TQ6dmgClsyXobAWe+VvOeDnup0RyuW"

//My Slapd.conf file

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include        /etc/openldap/schema/core.schema
include        /etc/openldap/schema/cosine.schema
include        /etc/openldap/schema/inetorgperson.schema
include        /etc/openldap/schema/nis.schema
include        /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral    ldap://root.openldap.org

pidfile        /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/lib/openldap

# modules available in openldap-servers-overlays RPM package:
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
#    Require integrity protection (prevent hijacking)
#    Require 112-bit (3DES or better) encryption for updates
#    Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#    Root DSE: allow anyone to read it
#    Subschema (sub)entry DSE: allow anyone to read it
#    Other DSEs:
#        Allow self write access
#        Allow authenticated users read access
#        Allow anonymous users to authenticate
#    Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#    by self write
#    by users read
#    by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database    bdb
suffix        "dc=harh,dc=com"
rootdn        "cn=root,dc=harh,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw        {SSHA}t8TQ6dmgClsyXobAWe+VvOeDnup0RyuW
password-hash    {SSHA}
# rootpw        {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory    /var/lib/ldap

# Indices to maintain for this database
index cn,sn,uid,displayname        pres,sub,eq
index uidNumber,gidNumber        eq
index sambaSID                 eq
index sambaPrimaryGroupSID         eq
index sambaDomainName             eq
index objectClass             pres,eq
index default                 sub
#index objectClass                       eq,pres
#index ou,cn,mail,surname,givenname      eq,pres,sub
#index uidNumber,gidNumber,loginShell    eq,pres
#index uid,memberUid                     eq,pres,sub
#index nisMapName,nisMapEntry            eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM
 

Submitted by walterwn (not registered) on Tue, 2010-06-29 09:08.

the services do not start:

#service smb start 

#service ldap start

and 

#smbldap-populate

problem fixed :)

Submitted by ambicapathy (not registered) on Tue, 2011-07-26 20:08.

The ldap and smb service restart didn't resolve the problem...

still I am getting the same error.

 

erreur LDAP: Can't contact master ldap server for writing (IO::Socket::INET: connect: No route to host) at /usr/sbin//smbldap_tools.pm line 322

 

Please help me with this.

Submitted by mice (not registered) on Wed, 2009-11-18 09:16.


[root@samba openldap]# slapadd -l /etc/openldap/init.ldif
str2entry: entry -1 has multiple DNs "dc=mice" and "cn=root,dc=mice"
slapadd: could not parse entry (line=9)

anybody same as me?

Submitted by Anonymous (not registered) on Wed, 2010-01-13 18:56.

try

o: CentOS Directory Server

dc:  mice

Submitted by snapfla (not registered) on Wed, 2010-03-24 05:05.

Thank you for publishing this howto!

A couple hints that may help people:

  1. This may be too late for the former poster, but... Make sure a newline is between records in your init.ldif file:

     dn: dc=example,dc=com
     objectclass: dcObject
     objectclass: organization
     o: CentOS Directory Server
     dc: example
             <leave a space here>
     dn: cn=root,dc=example,dc=com
     objectclass: organizationalRole
     cn: root

  2. If you aren't using TLS/SSL, make sure you set the following in your /etc/smbldap-tools/smbldap.conf file:
     • ldapTLS="0"
     • ldapSSL="0"
     • verify="none"

  3. I got an error about the following line being invalid, so you can just comment this out in /etc/samba/smb.conf:
     • #min passwd length = 3

  4. In general, when you are instructed to add config variables to a file, make sure you check the file first and just change the config variable if it's already there. I'm not sure how it will behave when two variables are present with conflicting values. In my case, the "socket options" and "nt acl support" variables were already present in the /etc/samba/smb.conf file.

  5. If you choose "cn=root,dc=example,dc=com" as your admin, make sure references to "cn=Manager,dc=example,dc=com" are changed to use root. There are a few different files referencing this:
     • /etc/openldap/slapd.conf
     • /etc/openldap/init.ldif
     • /etc/samba/smb.conf

 

Again, I'm not criticizing the author, but I ran into these "snags" and I wanted to try and help others avoid the same problems.

Thank you for a concise, well put together howto!

-snapfla
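As an added example that is not part of the HowTo or of snapfla's comment, the function below checks an LDIF file for exactly the problem behind the slapadd "entry -1 has multiple DNs" error quoted earlier in the comments: a record that runs on into the next one because the separating blank line is missing. Both LDIF samples are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the HowTo: find LDIF records with zero or several
# "dn:" lines before handing the file to slapadd.

# Constructed init.ldif with the blank line between the two records missing.
BAD_LDIF='dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: CentOS Directory Server
dc: example
dn: cn=root,dc=example,dc=com
objectclass: organizationalRole
cn: root'

# The same file with the separator in place.
GOOD_LDIF='dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: CentOS Directory Server
dc: example

dn: cn=root,dc=example,dc=com
objectclass: organizationalRole
cn: root'

# check_ldif: read LDIF on stdin. Records are blank-line separated (awk
# paragraph mode); comment lines are dropped and continuation lines (leading
# space) are folded back, so a wrapped dn: still counts once. Prints one line
# per record that does not have exactly one dn:, listing the DNs it found.
# Exit status 0 when every record is well formed, 1 otherwise.
check_ldif() {
    awk '
        BEGIN { RS = ""; bad = 0 }
        {
            rec = "\n" $0
            gsub(/\n#[^\n]*/, "", rec)         # drop comment lines
            gsub(/\n /, "", rec)               # unfold continuation lines
            if (rec !~ /[^\n]/) next           # record held only comments
            n = split(rec, lines, "\n")
            dns = 0; found = ""
            for (i = 1; i <= n; i++) {
                if (lines[i] ~ /^dn:/) {
                    d = lines[i]
                    sub(/^dn:[ \t]*/, "", d)
                    dns++
                    found = found " \"" d "\""
                }
            }
            if (dns != 1) {
                printf "record %d has %d dn lines:%s\n", NR, dns, found
                bad = 1
            }
        }
        END { exit bad }'
}

# Usage on the samples (on a real server: check_ldif < /etc/openldap/init.ldif):
#   printf '%s\n' "$BAD_LDIF"  | check_ldif   # reports record 1 with 2 DNs
#   printf '%s\n' "$GOOD_LDIF" | check_ldif   # silent, exit status 0
```

Run it before slapadd rather than after: slapadd stops at the first bad record, while this check reports every record in one pass and leaves the database untouched.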

Submitted by galexander (registered user) on Wed, 2010-03-24 21:51.
Thanks for your comments and tips!  I will see about integrating them into the HowTo, along with a picture of smb.conf
Submitted by Anonymous (not registered) on Thu, 2012-06-21 10:51.

I am stuck at 

 [root@dc1 smbldap-tools]# smbldap-populate

Use of uninitialized value in substitution (s///) at /usr/lib/perl5/vendor_perl/5.8.8/smbldap_tools.pm line 154, <CONFIGFILE> line 3.

Use of uninitialized value in substitution (s///) at /usr/lib/perl5/vendor_perl/5.8.8/smbldap_tools.pm line 154, <CONFIGFILE> line 13.

Can't exec "/usr/bin/netx": No such file or directory at /usr/lib/perl5/vendor_perl/5.8.8/smbldap_tools.pm line 246.

Failed to get SID from Samba net command at /usr/lib/perl5/vendor_perl/5.8.8/smbldap_tools.pm line 250.

Compilation failed in require at /usr/sbin/smbldap-populate line 30.

BEGIN failed--compilation aborted at /usr/sbin/smbldap-populate line 30.

Submitted by Anonymous (not registered) on Fri, 2010-05-07 17:58.

hi

I have a problem with smbldap-populate
can anyone help me please


[root@mbis-server ~]# smbldap-populate
Populating LDAP directory for domain MBIS-GROUP (S-1-5-21-799153913-2964028359-2795995528)
(using builtin directory structure)

entry dc=mbis-algerie,dc=com already exist.
adding new entry: ou=Users,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 3.
adding new entry: ou=Groups,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 4.
adding new entry: ou=Computers,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 5.
adding new entry: ou=Idmap,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 6.
adding new entry: uid=root,ou=Users,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 7.
adding new entry: uid=nobody,ou=Users,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 8.
adding new entry: cn=Domain Admins,ou=Groups,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 9.
adding new entry: cn=Domain Users,ou=Groups,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 10.
adding new entry: cn=Domain Guests,ou=Groups,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 11.
adding new entry: cn=Domain Computers,ou=Groups,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 12.
adding new entry: cn=Administrators,ou=Groups,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 16.
adding new entry: cn=Account Operators,ou=Groups,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 18.
adding new entry: cn=Print Operators,ou=Groups,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 19.
adding new entry: cn=Backup Operators,ou=Groups,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 20.
adding new entry: cn=Replicators,ou=Groups,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 21.
adding new entry: sambaDomainName=MBIS-GROUP,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 21.

Please provide a password for the domain root:
/usr/sbin/smbldap-passwd: user root doesn't exist

Submitted by Alex (not registered) on Mon, 2010-05-17 15:08.

I had the exact same error and found a solution.

You probably (as I have) used the default in ldapadmin (e.g. cn=Manager,dc=yourdomain,dc=com)

in /etc/smbldap-tools/smbldap_bind.conf:

provide the proper config for the masterDN and masterPw like so:

masterDN="cn=Manager,dc=yourdomain,dc=com"

masterPw="pa$$w0rd"

 

Now smbldap-populate runs without error.

 

Submitted by Neil Schneider (not registered) on Thu, 2011-04-14 22:06.

It fails for me. I've been trying to get the smbldap-populate to run. Doesn't prompt for a password and it fails with the following error:

Please provide a password for the domain root:

Use of uninitialized value in string at /usr/lib/perl/vendor_perl/5.8.8/smbldap_tools.pm line 348.

/usr/sbin/smldap-passswd: user root doesn't exist. 

I use ldapsearch to make sure that the user root is in the ldap tree, I wiped the ldap databases, started all over and ran through the instructions again, in fact three times, and I'm stuck on this part of the howto, and can't proceed. I'm going looking for a samba ldif file that I can just read in. 

I hate when this happens.

Submitted by sujit (not registered) on Thu, 2012-04-26 15:22.

change the value of  /etc/smbldap-tools/smbldap.conf 

masterLDAP="localhostname.domainname"

 

check now. 

Submitted by Kyle (not registered) on Sun, 2012-01-15 20:11.

I think the issue might be the cn=manager. When I changed it to cn=root, with the right password it worked properly - nowhere have I seen anyone suggest that...

/etc/smbldap-tools/smbldap_bind.conf:

slaveDN="cn=root,dc=DOMAIN"
slavePw="pa$$word"
masterDN="cn=root,dc=DOMAIN"
masterPw="passwd"
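The smbldap-populate failures in this thread (Could not start_tls, Can't contact master ldap server, modifications require authentication, and the cn=Manager versus cn=root fixes from Alex and Kyle) trace back to settings in smbldap.conf, smbldap_bind.conf and slapd.conf that disagree with each other. As an added example that is not part of the HowTo or of any comment, the shell functions below read those three files and report three such mismatches: ldapTLS=1 while slapd.conf has no active TLSCertificateFile, a masterDN that differs from the slapd rootdn, and a masterPw holding a hash where the bind needs the cleartext password that slappasswd was given. The config excerpts are constructed for the example and the hash values are placeholders.

```shell
#!/bin/sh
# Added example, not from the HowTo: cross-check smbldap.conf,
# smbldap_bind.conf and slapd.conf for the mismatches seen in the comments.

# make_sample_dir: write constructed config excerpts (placeholder hashes,
# example.com names) into a temporary directory and print its path.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/smbldap.conf" <<'EOF'
masterLDAP="ldap.example.com"
masterPort="389"
# Use TLS for LDAP
ldapTLS="1"
ldapSSL="0"
verify="require"
EOF
    cat > "$d/smbldap_bind.conf" <<'EOF'
masterDN="cn=Manager,dc=example,dc=com"
masterPw="{SSHA}PLACEHOLDER_NOT_A_REAL_HASH"
EOF
    cat > "$d/slapd.conf" <<'EOF'
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
suffix        "dc=example,dc=com"
rootdn        "cn=root,dc=example,dc=com"
rootpw        {SSHA}PLACEHOLDER_NOT_A_REAL_HASH
EOF
    echo "$d"
}

# conf_get FILE KEY: print the value of KEY in either smbldap style
# (KEY="value") or slapd style (KEY value), quotes stripped, skipping
# commented-out lines. Prints nothing when the key is absent.
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (substr(line, 1, length(key)) != key) next
            rest = substr(line, length(key) + 1)
            # reject longer keys sharing the prefix (masterPort vs masterPw)
            if (rest !~ /^[ \t]*=/ && rest !~ /^[ \t]+/) next
            sub(/^[ \t]*=?[ \t]*/, "", rest)
            gsub(/"/, "", rest)
            print rest
            exit
        }' "$1"
}

# check_smbldap_conf SMBLDAP_CONF BIND_CONF SLAPD_CONF: print one finding per
# line, tagged TLS:, DN: or PW:. Prints nothing when the files agree.
check_smbldap_conf() {
    tls=$(conf_get "$1" ldapTLS)
    cert=$(conf_get "$3" TLSCertificateFile)
    if [ "$tls" = "1" ] && [ -z "$cert" ]; then
        echo "TLS: ldapTLS=1 but slapd.conf has no active TLSCertificateFile; start_tls will fail (set ldapTLS=\"0\" or configure TLS on slapd)"
    fi
    mdn=$(conf_get "$2" masterDN)
    rootdn=$(conf_get "$3" rootdn)
    if [ -n "$rootdn" ] && [ "$mdn" != "$rootdn" ]; then
        echo "DN: masterDN '$mdn' differs from slapd rootdn '$rootdn'; writes will be refused unless that DN has write access"
    fi
    case "$(conf_get "$2" masterPw)" in
        \{*\}*) echo "PW: masterPw looks like a password hash; the bind needs the cleartext password that slappasswd was given" ;;
    esac
}

# Usage on the sample:
#   d=$(make_sample_dir)
#   check_smbldap_conf "$d/smbldap.conf" "$d/smbldap_bind.conf" "$d/slapd.conf"
# On a real server, point it at /etc/smbldap-tools/smbldap.conf,
# /etc/smbldap-tools/smbldap_bind.conf and /etc/openldap/slapd.conf.
```

The corrected sample is the one the comments converge on: ldapTLS="0" (or TLS actually configured on slapd), masterDN equal to the rootdn, and masterPw set to the cleartext password, which is why the HowTo makes smbldap_bind.conf mode 600. Run the check as root, since the files it reads hold credentials.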

Submitted by Luciano Pontes (not registered) on Fri, 2010-06-11 00:45.
Please, send-me the smb.conf file...
Submitted by Anonymous (not registered) on Fri, 2010-06-25 16:03.

I can't join any client, even XP.

Please help

Submitted by Anonymous (not registered) on Thu, 2010-09-16 11:31.

Me too.

Configure all correctly.

But no windows clients can join.

Submitted by itsme (not registered) on Wed, 2011-04-20 12:41.
Even though I configured it correctly, I can access samba, but am not able to join computers.
Submitted by aagjaket (registered user) on Tue, 2011-09-27 14:38.
I am also stuck with joining PCs with Domain... still no luck.. please help us all..
Submitted by jhquentin (registered user) on Sat, 2010-09-25 09:31.

You need to tell your system to allow auth against ldap...

vim /etc/nsswitch.conf

passwd:     files ldap
shadow:     files ldap
group:      files ldap
  
 

 

Submitted by Null (not registered) on Thu, 2012-09-20 20:47.

First I want to thank you for the tutorial

second, like the people above, I have a great problem connecting my client hosts to the "samba_ldap PDC", and the error message on "winxp" is always user cannot be found, knowing that I have executed your last recommendation.

knowing also that every thing is working properly, even the client host names are added automatically to the directory information tree. but no login to the domain.

your help on this please.

thanks in advance.