smbldap-populate erro

Discussion in 'Installation/Configuration' started by kashikar.harsh, Mar 3, 2010.

  1. kashikar.harsh

    kashikar.harsh New Member

    Hi,
    I am trying to configure sSamba domain controller on CentOS 5.1. When I try to execute smbldap-populate command it fails with the following error

    "Please provide a password for the domain root:
    /usr/sbin/smbldap-passwd: user root doesn't exist"

    Also service smb status says

    smbd dead but pid file exists
    nmbd (pid 2077 2076) is running...

    Can anybody tell me what the problem is?
    Thanks in advance



    // My slapd.conf file

    #
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/nis.schema
    include /etc/openldap/schema/samba.schema

    # Allow LDAPv2 client connections. This is NOT the default.
    allow bind_v2

    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral ldap://root.openldap.org

    pidfile /var/run/openldap/slapd.pid
    argsfile /var/run/openldap/slapd.args

    # Load dynamic backend modules:
    # modulepath /usr/lib/openldap

    # modules available in openldap-servers-overlays RPM package:
    # moduleload accesslog.la
    # moduleload auditlog.la
    # moduleload denyop.la
    # moduleload dyngroup.la
    # moduleload dynlist.la
    # moduleload lastmod.la
    # moduleload pcache.la
    # moduleload ppolicy.la
    # moduleload refint.la
    # moduleload retcode.la
    # moduleload rwm.la
    # moduleload smbk5pwd.la
    # moduleload syncprov.la
    # moduleload translucent.la
    # moduleload unique.la
    # moduleload valsort.la

    # modules available in openldap-servers-sql RPM package:
    # moduleload back_sql.la

    # The next three lines allow use of TLS for encrypting connections using a
    # dummy test certificate which you can generate by changing to
    # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
    # slapd.pem so that the ldap user or group can read it. Your client software
    # may balk at self-signed certificates, however.
    # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    # TLSCertificateFile /etc/pki/tls/certs/slapd.pem
    # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

    # Sample security restrictions
    # Require integrity protection (prevent hijacking)
    # Require 112-bit (3DES or better) encryption for updates
    # Require 63-bit encryption for simple bind
    # security ssf=1 update_ssf=112 simple_bind=64

    # Sample access control policy:
    # Root DSE: allow anyone to read it
    # Subschema (sub)entry DSE: allow anyone to read it
    # Other DSEs:
    # Allow self write access
    # Allow authenticated users read access
    # Allow anonymous users to authenticate
    # Directives needed to implement policy:
    # access to dn.base="" by * read
    # access to dn.base="cn=Subschema" by * read
    # access to *
    # by self write
    # by users read
    # by anonymous auth
    #
    # if no access controls are present, the default policy
    # allows anyone and everyone to read anything but restricts
    # updates to rootdn. (e.g., "access to * by * read")
    #
    # rootdn can always read and write EVERYTHING!

    #######################################################################
    # ldbm and/or bdb database definitions
    #######################################################################

    database bdb
    suffix "dc=harh,dc=com"
    rootdn "cn=root,dc=harh,dc=com"
    # Cleartext passwords, especially for the rootdn, should
    # be avoided. See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    rootpw {SSHA}l7muSEk+AZs1OEou0Y4phSFh8lEaWTUr
    #password-hash {SSHA}
    # rootpw {crypt}ijFYNcSNctBYg

    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory /var/lib/ldap

    # Indices to maintain for this database
    index cn,sn,uid,displayname pres,sub,eq
    index uidNumber,gidNumber eq
    index sambaSID eq
    index sambaPrimaryGroupSID eq
    index sambaDomainName eq
    index objectClass pres,eq
    index default sub
    #index objectClass eq,pres
    #index ou,cn,mail,surname,givenname eq,pres,sub
    #index uidNumber,gidNumber,loginShell eq,pres
    #index uid,memberUid eq,pres,sub
    #index nisMapName,nisMapEntry eq,pres,sub

    # Replicas of this database
    #replogfile /var/lib/ldap/openldap-master-replog
    #replica host=ldap-1.example.com:389 starttls=critical
    # bindmethod=sasl saslmech=GSSAPI
    # authcId=host/ldap-master.example.com@EXAMPLE.COM


    // My smb.conf file
    # Global parameters
    [global]
    workgroup = harh.com
    netbios name = PDC-SRV
    security = user
    enable privileges = yes
    #interfaces = 192.168.5.11
    #username map = /etc/samba/smbusers
    server string = Samba Server %v
    #security = ads
    encrypt passwords = Yes
    # min passwd length = 3
    #pam password change = no
    #obey pam restrictions = No

    # method 1:
    #unix password sync = no
    #ldap passwd sync = yes

    # method 2:
    unix password sync = yes
    ldap passwd sync = yes
    # passwd program = /usr/sbin/smbldap-passwd -u "%u"
    # passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%U
    max log size = 100000
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    Dos charset = 850
    Unix charset = ISO8859-1

    logon script = logon.bat
    logon drive = H:
    logon home =
    logon path =

    domain logons = Yes
    domain master = Yes
    os level = 65
    preferred master = Yes
    wins support = yes
    # passdb backend = ldapsam:"ldap://ldap1.company.com ldap://ldap2.company.com"
    passdb backend = ldapsam:ldap://172.16.14.180/
    ldap admin dn = cn=root,dc=harh,dc=com
    #ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
    ldap suffix = dc=harh,dc=com
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    #ldap idmap suffix = ou=Idmap
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    #ldap delete dn = Yes
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    #delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

    # printers configuration
    #printer admin = @"Print Operators"
    load printers = Yes
    create mask = 0640
    directory mask = 0750
    #force create mode = 0640
    #force directory mode = 0750
    nt acl support = No
    printing = cups
    printcap name = cups
    deadtime = 10
    guest account = nobody
    map to guest = Bad User
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
    show add printer wizard = yes
    ; to maintain capital letters in shortcuts in any of the profile folders:
    preserve case = yes
    short preserve case = yes
    case sensitive = no
    ldap ssl = off
    nt acl support = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE

    [netlogon]
    path = /home/netlogon/
    browseable = No
    read only = yes

    [profiles]
    path = /home/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = No
    guest ok = Yes
    profile acls = yes
    csc policy = disable
    # next line is a great way to secure the profiles
    #force user = %U
    # next line allows administrator to access all profiles
    #valid users = %U "Domain Admins"

    [printers]
    comment = Network Printers
    #printer admin = @"Print Operators"
    guest ok = yes
    printable = yes
    path = /home/spool/
    browseable = No
    read only = Yes
    printable = Yes
    # print command = /usr/bin/lpr -P%p -r %s
    lpq command = /usr/bin/lpq -P%p
    lprm command = /usr/bin/lprm -P%p %j
    # print command = /usr/bin/lpr -U%U@%M -P%p -r %s
    # lpq command = /usr/bin/lpq -U%U@%M -P%p
    # lprm command = /usr/bin/lprm -U%U@%M -P%p %j
    # lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
    # lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
    # queuepause command = /usr/sbin/lpc -U%U@%M stop %p
    # queueresume command = /usr/sbin/lpc -U%U@%M start %p

    [print$]
    path = /home/printers
    guest ok = No
    browseable = Yes
    read only = Yes
    valid users = @"Print Operators"
    write list = @"Print Operators"
    create mask = 0664
    directory mask = 0775

    [public]
    path = /tmp
    guest ok = yes
    browseable = Yes
    writable = yes

    // My smbldap.conf file
    # $Source: $
    # $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
    #
    # smbldap-tools.conf : Q & D configuration file for smbldap-tools

    # This code was developped by IDEALX (http://IDEALX.org/) and
    # contributors (their names can be found in the CONTRIBUTORS file).
    #
    # Copyright (C) 2001-2002 IDEALX
    #
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of the GNU General Public License
    # as published by the Free Software Foundation; either version 2
    # of the License, or (at your option) any later version.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program; if not, write to the Free Software
    # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
    # USA.

    # Purpose :
    # . be the configuration file for all smbldap-tools scripts

    ##############################################################################
    #
    # General Configuration
    #
    ##############################################################################

    # Put your own SID. To obtain this number do: "net getlocalsid".
    # If not defined, parameter is taking from "net getlocalsid" return
    SID="S-1-5-21-3963180848-190588318-1689166184"

    # Domain name the Samba server is in charged.
    # If not defined, parameter is taking from smb.conf configuration file
    # Ex: sambaDomain="IDEALX-NT"
    sambaDomain="PDC-SRV"

    ##############################################################################
    #
    # LDAP Configuration
    #
    ##############################################################################

    # Notes: to use to dual ldap servers backend for Samba, you must patch
    # Samba with the dual-head patch from IDEALX. If not using this patch
    # just use the same server for slaveLDAP and masterLDAP.
    # Those two servers declarations can also be used when you have
    # . one master LDAP server where all writing operations must be done
    # . one slave LDAP server where all reading operations must be done
    # (typically a replication directory)

    # Slave LDAP server
    # Ex: slaveLDAP=127.0.0.1
    # If not defined, parameter is set to "127.0.0.1"
    #slaveLDAP="ldap.iallanis.info"

    # Slave LDAP port
    # If not defined, parameter is set to "389"
    #slavePort="389"

    # Master LDAP server: needed for write operations
    # Ex: masterLDAP=127.0.0.1
    # If not defined, parameter is set to "127.0.0.1"
    masterLDAP="172.16.14.180"

    # Master LDAP port
    # If not defined, parameter is set to "389"
    #masterPort="389"
    masterPort="389"

    # Use TLS for LDAP
    # If set to 1, this option will use start_tls for connection
    # (you should also used the port 389)
    # If not defined, parameter is set to "0"
    ldapTLS="0"

    # Use SSL for LDAP
    # If set to 1, this option will use SSL for connection
    # (standard port for ldaps is 636)
    # If not defined, parameter is set to "0"
    ldapSSL="0"

    # How to verify the server's certificate (none, optional or require)
    # see "man Net::LDAP" in start_tls section for more details
    verify="require"

    # CA certificate
    # see "man Net::LDAP" in start_tls section for more details
    cafile="/etc/smbldap-tools/ca.pem"

    # certificate to use to connect to the ldap server
    # see "man Net::LDAP" in start_tls section for more details
    clientcert="/etc/smbldap-tools/smbldap-tools.iallanis.info.pem"

    # key certificate to use to connect to the ldap server
    # see "man Net::LDAP" in start_tls section for more details
    clientkey="/etc/smbldap-tools/smbldap-tools.iallanis.info.key"

    # LDAP Suffix
    # Ex: suffix=dc=IDEALX,dc=ORG
    suffix="dc=harh,dc=com"

    # Where are stored Users
    # Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
    # Warning: if 'suffix' is not set here, you must set the full dn for usersdn
    usersdn="ou=Users,${suffix}"

    # Where are stored Computers
    # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
    # Warning: if 'suffix' is not set here, you must set the full dn for computersdn
    computersdn="ou=Computers,${suffix}"

    # Where are stored Groups
    # Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
    # Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
    groupsdn="ou=Groups,${suffix}"

    # Where are stored Idmap entries (used if samba is a domain member server)
    # Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
    # Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
    idmapdn="ou=Idmap,${suffix}"

    # Where to store next uidNumber and gidNumber available for new users and groups
    # If not defined, entries are stored in sambaDomainName object.
    # Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
    # Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
    sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

    # Default scope Used
    scope="sub"

    # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
    hash_encrypt="SSHA"

    # if hash_encrypt is set to CRYPT, you may set a salt format.
    # default is "%s", but many systems will generate MD5 hashed
    # passwords if you use "$1$%.8s". This parameter is optional!
    crypt_salt_format="%s"

    ##############################################################################
    #
    # Unix Accounts Configuration
    #
    ##############################################################################

    # Login defs
    # Default Login Shell
    # Ex: userLoginShell="/bin/bash"
    userLoginShell="/bin/bash"

    # Home directory
    # Ex: userHome="/home/%U"
    userHome="/home/%U"

    # Default mode used for user homeDirectory
    userHomeDirectoryMode="700"

    # Gecos
    userGecos="System User"

    # Default User (POSIX and Samba) GID
    defaultUserGid="513"

    # Default Computer (Samba) GID
    defaultComputerGid="515"

    # Skel dir
    skeletonDir="/etc/skel"

    # Default password validation time (time in days) Comment the next line if
    # you don't want password to be enable for defaultMaxPasswordAge days (be
    # careful to the sambaPwdMustChange attribute's value)
    defaultMaxPasswordAge="45"

    ##############################################################################
    #
    # SAMBA Configuration
    #
    ##############################################################################

    # The UNC path to home drives location (%U username substitution)
    # Just set it to a null string if you want to use the smb.conf 'logon home'
    # directive and/or disable roaming profiles
    # Ex: userSmbHome="\\PDC-SMB3\%U"
    userSmbHome="\\PDC-SRV\%U"

    # The UNC path to profiles locations (%U username substitution)
    # Just set it to a null string if you want to use the smb.conf 'logon path'
    # directive and/or disable roaming profiles
    # Ex: userProfile="\\PDC-SMB3\profiles\%U"
    userProfile="\\PDC-SRV\profiles\%U"

    # The default Home Drive Letter mapping
    # (will be automatically mapped at logon time if home directory exist)
    # Ex: userHomeDrive="H:"
    userHomeDrive="H:"

    # The default user netlogon script name (%U username substitution)
    # if not used, will be automatically username.cmd
    # make sure script file is edited under dos
    # Ex: userScript="startup.cmd" # make sure script file is edited under dos
    userScript="logon.bat"

    # Domain appended to the users "mail"-attribute
    # when smbldap-useradd -M is used
    # Ex: mailDomain="idealx.com"
    mailDomain="harh.com"

    ##############################################################################
    #
    # SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
    #
    ##############################################################################

    # Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
    # prefer Crypt::SmbHash library
    with_smbpasswd="1"
    smbpasswd="/usr/bin/smbpasswd"

    # Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
    # but prefer Crypt:: libraries
    with_slappasswd="1"
    slappasswd="/usr/sbin/slappasswd"

    # comment out the following line to get rid of the default banner
    # no_banner="1"

    // My smbldap_bind.conf file
    ############################
    # Credential Configuration #
    ############################
    # Notes: you can specify two differents configuration if you use a
    # master ldap for writing access and a slave ldap server for reading access
    # By default, we will use the same DN (so it will work for standard Samba
    # release)
    #slaveDN="cn=Manager,dc=iallanis,dc=info"
    #slavePw="secret"
    masterDN="cn=root,dc=harh,dc=com"
    masterPw={SSHA}l7muSEk+AZs1OEou0Y4phSFh8lEaWTUr
    #masterPw={SSHA}t8TQ6dmgClsyXobAWe+VvOeDnup0RyuW
    #mstarePw={SSHA}tvoG78XXOB90HSOZm1/6TnPTrCRMmYL4
     
  2. kashikar.harsh

    kashikar.harsh New Member

    [SOLVED]smbldap-populate error

    I have just reinstalled everything and the configuration worked fine for me. I have also managed to log in to windows machine using LDAP user's credentials :)
     

Share This Page