FC4 Samba PDC + LDAP How To


thomasdaly2005
15th October 2005, 10:53 AM
After spending hours trying to find a tutorial or how-to on setting up a Samba Domain Controller with LDAP that was comprehensive and wasn't written for people who knew the ins and outs of LDAP, I got frustrated. So I decided I would have a go by trial and error and fully document what I did once everything was working.

So here you go, I will post replies for each stage of the how-to. (It could be a couple of days before it is complete because I have to work.)

I should probably mention that I wrote it for absolute beginners so skip what you need to.

thomasdaly2005
15th October 2005, 10:54 AM
First I completed a fresh install:

Installing Fedora Core 4:

Insert the FC4 CD and wait for it to boot.
We want to use text mode so type linux text and press enter.
Wait for it to load and skip the media test. Go through and select what is necessary in anaconda.
When at the installation type box, select server.
Select Autopartition, then select ok at the partitioning box.
We want to use GRUB loader, we don’t need any boot loader configuration.
Select all defaults until network configuration. Try and use a static IP address if you can and make sure eth0 is activated on boot.
Create a manual hostname (I chose linuxserver).
Make sure there is no firewall, Select proceed.
Disable SELinux, select ok.
Select your timezone,
Enter your root password
Make sure the following packages are selected only:
• Editors
• Server Config Tools
• Mail Server
• Windows File Server
• Development Tools
• Admin Tools
• System Tools
Select all defaults and change cds when you need to.
Install done!

thomasdaly2005
15th October 2005, 10:55 AM
SSH Access:

The next thing you need to do is jump on a windows xp pro box and download putty.
Run putty and enter the ip address of your linux box, select SSH and click open. Click yes to the security warning.
Login as root with your password and you’re in!

thomasdaly2005
15th October 2005, 10:56 AM
Some Basic Config First:

We need to tell FC4 what to load on startup so type ntsysv and press enter.
Deselect the following:
• Bluetooth
• ISDN
• PCMCIA
And select the following:
• Smb

Next we need to start the samba server, type service smb start and press enter.

We will need to configure samba to be a part of your workgroup (mine is MSHOME) so type the following: vi /etc/samba/smb.conf and press enter. Press i and scroll down to the part that says workgroup = MYGROUP and change it so it reads workgroup = MSHOME. Press esc, hold down shift and press w & q. Type exit.

Restart the samba service: service smb restart

We then need to add the root user to the samba password file for share access. Type smbpasswd -a root and press enter, and type your root password.

Now we can access root’s home folder from windows. Go to My Network Places and type in the address bar \\<your-server-name>\root\ and press enter. (in my case \\linuxserver\root\) You will be prompted for a username and password, enter root as the username and your root password for the password. You should now be able to transfer files to this folder from windows.

thomasdaly2005
15th October 2005, 10:57 AM
Webmin

Webmin is a web-based linux administration tool. It is very helpful and it saves doing a lot of tasks at the command line. Before we can install it we must first download it onto the windows pc from www.webmin.com. Select the .noarch.rpm file for redhat.

Copy the file to the root share that we accessed earlier.

Back in putty issue the following command:
rpm -i webmin-1.220-1.noarch.rpm (or whatever file name you have)

You will be notified when it has installed. You can then go to http://<server-ip-address>:10000 (in my case http://192.168.1.52:10000/) in your web browser on your windows pc. Login with your root password and have a quick look around.

We don’t need webmin at the moment but we may need it later.

thomasdaly2005
16th October 2005, 03:22 AM
OpenLDAP

OpenLDAP is the authentication database that we will be using in conjunction with samba.

Fedora Core 4 has OpenLDAP mostly installed already and only requires one other package to be installed.

Issue the following command to install the OpenLDAP servers package: (you will require internet access on the linux box)
yum install openldap-servers.i386
Enter yes to any questions and wait for it to download and install.

We need to tell LDAP to run at startup so issue:

ntsysv

And enable ldap.

To integrate Samba and LDAP you need to install a few tools:
Go to http://dag.wieers.com/packages/perl-Crypt-SmbHash/ and download the fc3 noarch.rpm file. Once downloaded copy it to the root share accessed earlier.

Go to http://www.idealx.org/prj/samba/dist/ and click on the latest version .noarch.rpm file to download it. Once downloaded copy it to the root share accessed earlier.

Back in putty issue the following commands:
rpm -i perl-Crypt-SmbHash-0.02-1.1.fc3.rf.noarch.rpm
rpm -i smbldap-tools-0.9.1-1.noarch.rpm
(changing file versions where necessary)

Next we must copy the samba schema for the LDAP server:
cp /usr/share/doc/samba-3.0.14a/LDAP/samba.schema /etc/openldap/schema/

To configure the LDAP server for our samba configuration you must edit the conf file:

vi /etc/openldap/slapd.conf

Add the following line under the ‘include section’ so it looks like this:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

Under the ‘database’ section, alter it so it looks like this, (altering DOMAIN to the name you want your domain to be):

database bdb
directory /var/lib/ldap

suffix "dc=DOMAIN,dc=COM"
rootdn "cn=Manager,dc=DOMAIN,dc=COM"

rootpw mysecretpwd

Change the rootpw to whatever you want – I just left it as is.

Next we need to edit some more conf files:

vi /etc/openldap/ldap.conf

Edit so it looks like this: (replacing DOMAIN of course)

HOST 127.0.0.1
BASE dc=DOMAIN,dc=COM

Next we need to configure the LDAP client:

vi /etc/ldap.conf

Find the section that looks like this:
# Your LDAP server. Must be resolvable without using LDAP.
And add below it:
host 127.0.0.1

Find the section that looks like this:
# The distinguished name of the search base.
Add/Change Below It:
base dc=DOMAIN,dc=COM
Replacing DOMAIN where necessary.

Find the section that looks like this:
# The distinguished name to bind to the server with if the effective user ID
# is root. Password must be stored in /etc/ldap.secret (mode 600)
Add/Change Below It:
rootbinddn cn=nssldap,ou=DSA,dc=DOMAIN,dc=COM
Replacing DOMAIN where necessary.

Find the section that looks like this:
# RFC2307bis naming contexts
# we use ?sub (and not the default ?one) because we
# separated sambaAccounts on ou=Computer,dc=DOMAIN,dc=COM
# and ou=Users,dc=DOMAIN,dc=COM
Add/Change Below It:
nss_base_passwd ou=Users,dc=DOMAIN,dc=COM?one
nss_base_passwd ou=Computers,dc=DOMAIN,dc=COM?one
nss_base_shadow ou=Users,dc=DOMAIN,dc=COM?one
nss_base_group ou=Groups,dc=DOMAIN,dc=COM?one
Replacing DOMAIN where necessary.

One last conf file:

vi /etc/nsswitch.conf

Find the section that looks like this:
# significative entries for /etc/nsswitch.conf using
# Samba and OpenLDAP
Add/Change below it:
passwd: files ldap
shadow: files ldap
group: files ldap

We should have a go at starting the LDAP server now:

service ldap start

thomasdaly2005
16th October 2005, 04:09 AM
Samba:

Because we have to make so many changes to the smb.conf file, it is easier to do it through notepad on a windows pc. But first we must make a share to access the file.
First, access webmin. In webmin, click servers, then go to Samba Windows File Sharing. Click Create a new file share, call it rootdir, make the directory / and click create.
Click on the name of the rootdir share in the table, click security and access control, select yes for writable?, and add root to read/write users, click save, then save again.

To access smb.conf you need to go to My Network Places on the windows pc and type the following into the address bar: \\<hostname-of-server>\rootdir\ and press enter. Type your root password if necessary.

Open etc, then samba, then open smb.conf in notepad.
Delete everything in the file and paste the following into it, changing DOMAIN where necessary:

# Global parameters
[global]
workgroup = DOMAIN
netbios name = linuxserver
enable privileges = yes
username map = /etc/samba/smbusers
server string = linuxserver
security = user
encrypt passwords = yes
obey pam restrictions = no
ldap password sync = yes
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1

logon drive = H:
logon path = \\linuxserver\profiles\%u
domain logons = yes
os level = 65
preferred master = yes
domain master = yes
wins support = yes

passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=DOMAIN,dc=com
ldap suffix = dc=DOMAIN,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = yes
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

preserve case = yes
short preserve case = yes
case sensitive = no

[homes]
comment = Home Directory
read only = No
create mask = 0644
directory mask = 0775
browseable = No

[netlogon]
path = /home/samba/netlogon/
browseable = No
read only = yes

[profiles]
path = /home/samba/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = No
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
# next line allows administrator to access all profiles
valid users = %U @"Domain Admins"

#Remove this if you want
[rootdir]
writeable = yes
guest ok = yes
path = /

Close the open window.
Save the file and issue the following commands in putty:
service smb restart (this could take a while)
smbpasswd -w mysecretpwd (change this to your rootpw from slapd.conf)
service smb restart
mkdir /home/samba
mkdir /home/samba/netlogon
mkdir /home/samba/profiles
chmod 1777 /home/samba/profiles
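The [rootdir] share in the smb.conf above exports / writable to guests, which the comment "#Remove this if you want" leaves to the reader. As an added example that is not part of Thomas's how-to, this script scans an smb.conf for such shares and shows one restricted form of the same share; both sample configurations are constructed cut-downs of the posted file, and the export directory /home/samba/rootdir is an assumption.

```shell
#!/bin/sh
# Added example (not from the how-to): scan an smb.conf for shares whose
# settings expose the server. The [rootdir] share in the configuration
# above exports "/" writable to guests, which is the case this catches.

# Constructed sample: a cut-down copy of the smb.conf posted above.
write_posted_smb_conf() {
    cat > "$1" <<'EOF'
[global]
workgroup = DOMAIN
security = user
domain logons = yes

[homes]
comment = Home Directory
read only = No
browseable = No

[profiles]
path = /home/samba/profiles
read only = no
guest ok = No
force user = %U

#Remove this if you want
[rootdir]
writeable = yes
guest ok = yes
path = /
EOF
}

# Same share restricted to an export directory (assumed path) and to an
# authenticated user: one way to keep the share without the exposure.
write_hardened_smb_conf() {
    cat > "$1" <<'EOF'
[global]
workgroup = DOMAIN
security = user
domain logons = yes

[rootdir]
path = /home/samba/rootdir
writeable = yes
guest ok = no
valid users = root
EOF
}

# Print one RISK line per finding; exit status 1 when anything was found.
audit_smb_conf() {
    awk '
    function flush() {
        if (share == "" || share == "global") return
        if (path == "/") {
            printf "RISK: [%s] exports the whole filesystem (path = /)\n", share; n++
        }
        if (guest == "yes" && writable == "yes") {
            printf "RISK: [%s] is writable by guests (guest ok = yes, writeable = yes)\n", share; n++
        }
    }
    /^[ \t]*[#;]/ { next }                 # comment line
    /^[ \t]*\[/ {                          # start of a new share section
        flush()
        share = $0; sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
        share = tolower(share); path = ""; guest = "no"; writable = "no"
        next
    }
    /=/ {                                  # key = value inside a section
        key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key); key = tolower(key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val); lval = tolower(val)
        if (key == "path") path = val
        else if (key == "guest ok" || key == "public") guest = lval
        else if (key == "writeable" || key == "writable") writable = lval
        else if (key == "read only") writable = (lval == "no") ? "yes" : "no"
    }
    END { flush(); exit (n > 0) }
    ' "$1"
}
```

Run it as `audit_smb_conf /etc/samba/smb.conf` before `service smb restart`; a non-zero exit means at least one share needs attention.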

thomasdaly2005
16th October 2005, 04:33 AM
smbldap-tools:

We need to configure the tools for adding domain users and populating LDAP.

net getlocalsid
Copy the SID for the domain down somewhere.

vi /etc/opt/IDEALX/smbldap-tools/smbldap.conf

Change SID=" to your SID number from before
Change sambaDomain=" to your domain name
Change ldapTLS="1" to ="0"
Change suffix=" to "dc=DOMAIN,dc=COM" (changing DOMAIN)
Change userSmbHome="\\<your-server-name>\%U" (mine being linuxserver)
Change userProfile="\\<your-server-name>\profiles\%U" (mine being linuxserver)
Change verify="require" to ="none"
Change sambaUnixIdPooldn="sambaDomainName=DOMAIN,${suffix}" to your domain name

vi /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf

Change so it reads:

slaveDN="cn=Manager,dc=DOMAIN,dc=COM"
slavePw="secret"
masterDN="cn=Manager,dc=DOMAIN,dc=COM"
masterPw="secret"

Changing DOMAIN to your domain name and secret to your rootpw from slapd.conf

We should be able to populate the LDAP database now:

/opt/IDEALX/sbin/smbldap-populate

Type a password for domain management when prompted.

thomasdaly2005
16th October 2005, 05:07 AM
Users:

To add a domain admin user (necessary for joining computers to the domain)
Issue the following:

/opt/IDEALX/sbin/smbldap-useradd -a -m -g 512 <admin-name> e.g. admin
/opt/IDEALX/sbin/smbldap-passwd admin

To add a computer to the domain issue the following:

/opt/IDEALX/sbin/smbldap-useradd -w <machine-name> e.g. pc01

To add normal users to the domain issue the following:

/opt/IDEALX/sbin/smbldap-useradd -a -m -c "<full-name>" <user-name>
/opt/IDEALX/sbin/smbldap-passwd user1

thomasdaly2005
16th October 2005, 05:08 AM
That's it from me, I hope this helped someone. If it did please let me know.

If anyone knows how to get the samba console for IMC configured and working it would be much appreciated if you could post a how to or tutorial.

jdinkel
19th October 2005, 03:01 PM
Interesting. I do wonder though since it has dc=DOMAIN,dc=COM does that mean the domain name is domain.com? What if I want domain.local for my domain name, should I use dc=DOMAIN,dc=LOCAL? Or does the dc=COM not have anything to do with adding .com onto the domain?

Personally, I'm holding out until Samba4 when they are supposed to have most (if not all or more) features of Active Directory and Group Policies.

thomasdaly2005
19th October 2005, 10:32 PM
Yes you are correct. But the dc=DOMAIN,dc=COM is only an LDAP suffix for the directory structure. You could probably make it anything you want without problems.
I am pretty sure that Samba-TNG supports active directory although I haven't used it yet.

thomasdaly2005
30th October 2005, 09:10 AM
Please note the pdf format of this how-to is available at www.creeksidepc.com/sambapdc.pdf (http://www.creeksidepc.com/sambapdc.pdf)

BlueSky-Software
9th November 2005, 02:05 PM
Hi,

Thanks for the HowTo, but I just can't get it to work. I've re-started from scratch several times and I'm wondering if it's me or the HowTo that's wrong.

First off, I get an error when populating the ldap database, and the only way I can clear it is to modify this line

Change sambaUnixIdPooldn="sambaDomainName=DOMAIN,${suffix}" to your domain name

and use one of the pre-typed examples, something like $(DOMAIN),${suffix}...sorry I'm not at my Linux box just now and can't be more exact.

The User Names and passwords then seem to go through OK, but I've never been able to join my Windows Workstation to the new domain. I just get an error box saying that I'm trying to join the domain with an unknown user account. I use the Username of admin that is created near the end of the HowTo.

Any advice would be GREATLY appreciated.
Derek

thomasdaly2005
9th November 2005, 11:06 PM
If you can add users that is excellent - everything seems to be working.
When you populated the ldap with the populate script it should have asked you to enter a password for domain management. Try using this password along with the username of root to join computers to the domain.

Following my own how-to recently I also came across the error when populating. I used the pretyped example changing the DOMAIN bit to my domain but leaving the rest. Please note it is possible to populate the ldap database again even if you've already tried.

Hope This Helps.

BlueSky-Software
12th November 2005, 04:33 PM
HI,

Thanks for the response. I was just about to give up after the Nth re-try, this time I’ll log what I am doing:-

Tried again but could not get past the perl install, so I downloaded the FC4 versions of the perl and smbldap tools.


So here we go again.....

Install & format & restart OK
PuTTY into the FC4 box no problem.
Stop & start services changed OK
Start SAMBA OK
Modify smb.conf OK
Restart SMB OK
Add root to smb password OK
View \\server\root through MyNetPlaces OK
Install webmin-1.240-1.noarch.rpm and log in via InternetExplorer. OK
Create the RootDir share from the SAMBA section of this HowTo & navigate back to root

Yum install openldap-servers..... version seems to be 0:2.2.29-1.fc4 OK
Enable Ldap OK
copy
perl-Crypt-SmbHash-0.12-1.2.fc4.rf.noarch.rpm
smbldap-tools-0.9.1-1.2.fc4.rf.noarch.rpm
to root and install.
Warning about NOKEY on both installs but install OK

Check that the schema for Samba is not in place.
Copy the schema & verify it’s copied. OK

vi the slapd.conf file
Added Samba.schema
Added /var/lib/ldap
Replace Domain with mydomain and second "dc" with co.uk OK
Make the rootpw entry the same as my root user PW.
(The file moans about clear text Passwords but put one in anyway)

vi the /etc/openldap/ldap.conf file OK
vi the /etc/ldap.conf file OK
vi the /etc/nsswitch.conf file
No matching comments found but entries for
passwd
shadow
group
modified OK

Start ldap OK
slapd started OK too
Install the smb.conf file with mods for Domain,co.uk and netbios names OK
Restart Samba OK

smbpasswd -w PASSWD OK
message saying that it's setting stored password for cn=Manager,dc=MyDom,dc=co.uk in secrets.tdb

restart samba OK

Make dirs & set chmod OK

GetLocalSid
complains about
smbldap_search_suffix Problem during the LDAP search: (No Such object)
SID for domain MyNetBiosServerName= S-1-5-21-.......


vi /etc/smbldap-tools/smbldap.conf
use sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

vi /etc//smbldap-tools/smbldap_bind.conf OK

/usr/sbin/smbldap-populate OK

/usr/sbin/smbldap-useradd -a -m -g administrator OK and Password OK too
/usr/sbin/smbldap-useradd -w machine-name OK
/usr/sbin/smbldap-useradd -a -m -c "My Name" me OK and Password for me OK too

So far so good.....NO ERRORS!

Hop onto the Win2K (machine name added above)
system properties/Network Identification
click Domain and fill in domain name and press OK


ERROR DIALOGUE:-
The following error occurred attempting to join the domain “MyDomain”
The credentials supplied conflict with an existing set of credentials


BUM, I’m so close......but I can’t see what I’m missing.

Any Ideas what I’m doing wrong?

This is driving me CRAZY! :mad: :mad:

Thanks in advance for any help or advice.
Derek

BlueSky-Software
12th November 2005, 04:41 PM
P.S.

Should have said I used the administrator name and password entered at this step
/usr/sbin/smbldap-useradd -a -m -g administrator OK and Password OK too

I tried user root, me and just about every other user name I could think of, same result.

Derek

BlueSky-Software
12th November 2005, 07:08 PM
Hi,

OK, IT WORKS!

Following the failed attempt detailed above, my long-suffering wife dragged me off to the pub saying that she was not going to be married to some recluse who kept shouting about some girl called Samba in his sleep! :eek:

I shut it all down, and when I came back re-started everything. I renamed my workgroup to the domain name to check I could see the server, re-started and browsed the server through MyNetPlaces. I then pressed to join domain and joined first time!

I don't know if it was the re-starts or the workgroup rename but it works OK now. :) :) :D


Thanks for the HowTo! I hope my notes help anyone else working with FC4.

Cheers all,
I'm off for another pint!
Derek

thomasdaly2005
12th November 2005, 11:14 PM
Sorry about all the hassles, I did my best to write a thorough how-to. I'm just glad it's working for you.
Have a good one.

Thomas

P.S. I think it was the network restarts that helped you out, I never tested this out on Win2K b4.

dba7dba
17th November 2005, 12:30 AM
Thanks for the excellent posting. I'm following your manual to build my own server and found a possible error.
---Your Post---
To configure the LDAP server for our samba configuration you must edit the conf file:

vi /etc/openldap/slapd.conf
------

In my FC4 server, I couldn't find /etc/openldap/slapd.conf to edit.
So I did 'rpm -q openldap' and got 'openldap-2.2.29-1.FC4' back. Then I went to Add/Remove Applications -> Network Servers. Here I found out that 'openldap-servers - OpenLDAP servers and related files' WAS NOT checked on my box. To install it I did 'yum install openldap-servers'. After that I did ntsysv and enabled ldap.

thomasdaly2005
17th November 2005, 01:01 AM
Issue the following command to install the OpenLDAP servers package: (you will require internet access on the linux box)
yum install openldap-servers.i386
Enter yes to any questions and wait for it to download and install.

It's there - just hidden

paul_mat
21st November 2005, 02:03 PM
Well, this is just another Samba & OpenLDAP & LAM as PDC; also it's on Fedora Core 3.

I've posted a few how-to guides on my website.

http://www.opensourcehowto.org/how-to/samba/openldap-lam-samba-as-pdc.html

the other option is to try my ServerSetup v0.06 script

http://www.opensourcehowto.org/uploads/serversetup/

just copy the contents into a file and make it executable

vi /home/serversetup
*copy the contents into that file*
chmod a+x /home/serversetup

and it's pretty easy to follow. The script is still in its very beta stages, it's only been around for a few days, I'm still finding better ways to do things and bugs in it, and it was written for adding a Linux machine to a Windows domain, but it can't hurt to try; even if it doesn't work it'll put you on the right trace..., so if you try it and it works or doesn't, let me know by posting back here.

If you're looking at a little more fun, you could try 'Samba Primary Domain Controller with Group Policies'

http://www.opensourcehowto.org/how-to/samba/samba-primary-domain-controller-with-group-policies.html

dio
20th February 2006, 02:46 PM
I have tried this how to 3 times with a fresh install each time but I still get the error when populating. The error I get is listed below, any help would be appreciated.
[root@fedora /]# /opt/IDEALX/sbin/smbldap-populate
Use of uninitialized value in substitution (s///) at /opt/IDEALX/sbin//smbldap_tools.pm line 140, <CONFIGFILE> line 25.
Populating LDAP directory for domain zelenkanc (S-1-5-21-3343428985-1113661380-1278260334)
(using builtin directory structure)

adding new entry: dc=zelnkanc,dc=com
failed to add entry: no global superior knowledge at /opt/IDEALX/sbin/smbldap-populate line 495, <GEN1> line 2.
adding new entry: ou=Users,dc=zelnkanc,dc=com
failed to add entry: no global superior knowledge at /opt/IDEALX/sbin/smbldap-populate line 495, <GEN1> line 3.
adding new entry: ou=Groups,dc=zelnkanc,dc=com
failed to add entry: no global superior knowledge at /opt/IDEALX/sbin/smbldap-populate line 495, <GEN1> line 4.
adding new entry: ou=Computers,dc=zelnkanc,dc=com
failed to add entry: no global superior knowledge at /opt/IDEALX/sbin/smbldap-populate line 495, <GEN1> line 5.
adding new entry: ou=Idmap,dc=zelnkanc,dc=com
failed to add entry: no global superior knowledge at /opt/IDEALX/sbin/smbldap-populate line 495, <GEN1> line 6.
adding new entry: uid=root,ou=Users,dc=zelnkanc,dc=com
failed to add entry: no global superior knowledge at /opt/IDEALX/sbin/smbldap-populate line 495, <GEN1> line 7.
adding new entry: uid=nobody,ou=Users,dc=zelnkanc,dc=com
failed to add entry: no global superior knowledge at /opt/IDEALX/sbin/smbldap-populate line 495, <GEN1> line 8.
adding new entry: cn=Domain Admins,ou=Groups,dc=zelnkanc,dc=com
failed to add entry: no global superior knowledge at /opt/IDEALX/sbin/smbldap-populate line 495, <GEN1> line 9.
adding new entry: cn=Domain Users,ou=Groups,dc=zelnkanc,dc=com
failed to add entry: no global superior knowledge at /opt/IDEALX/sbin/smbldap-populate line 495, <GEN1> line 10.
adding new entry: cn=Domain Guests,ou=Groups,dc=zelnkanc,dc=com
failed to add entry: no global superior knowledge at /opt/IDEALX/sbin/smbldap-populate line 495, <GEN1> line 11.
adding new entry: cn=Domain Computers,ou=Groups,dc=zelnkanc,dc=com
failed to add entry: no global superior knowledge at /opt/IDEALX/sbin/smbldap-populate line 495, <GEN1> line 12.
adding new entry: cn=Administrators,ou=Groups,dc=zelnkanc,dc=com
failed to add entry: no global superior knowledge at /opt/IDEALX/sbin/smbldap-populate line 495, <GEN1> line 16.
adding new entry: cn=Account Operators,ou=Groups,dc=zelnkanc,dc=com
failed to add entry: no global superior knowledge at /opt/IDEALX/sbin/smbldap-populate line 495, <GEN1> line 18.
adding new entry: cn=Print Operators,ou=Groups,dc=zelnkanc,dc=com
failed to add entry: no global superior knowledge at /opt/IDEALX/sbin/smbldap-populate line 495, <GEN1> line 19.
adding new entry: cn=Backup Operators,ou=Groups,dc=zelnkanc,dc=com
failed to add entry: no global superior knowledge at /opt/IDEALX/sbin/smbldap-populate line 495, <GEN1> line 20.
adding new entry: cn=Replicators,ou=Groups,dc=zelnkanc,dc=com
failed to add entry: no global superior knowledge at /opt/IDEALX/sbin/smbldap-populate line 495, <GEN1> line 21.
adding new entry: sambaDomainName=zelenkanc,dc=zelnkanc,dc=com
failed to add entry: no global superior knowledge at /opt/IDEALX/sbin/smbldap-populate line 495, <GEN1> line 21.

Please provide a password for the domain root:
Use of uninitialized value in substitution (s///) at /opt/IDEALX/sbin//smbldap_tools.pm line 140, <CONFIGFILE> line 25.
No such object at /opt/IDEALX/sbin//smbldap_tools.pm line 353.

BlueSky-Software
20th February 2006, 07:38 PM
Hi dio,

Have patience and try it again!

To me, it looks like you have made a mistake with the domain name in one of the config files. You have to get them all the same, but some of them are quoted ("dc=domain, dc=com") and some not (dc=domain, dc=com). Follow Thomas's instructions to the letter and you should be OK, but bear in mind that some of the paths to the config may be different.

Good luck,
Derek

P.S.
One tip I learned is to use SLAPCAT as soon as you add a user and then, when things go pear-shaped, you can delete the database and use SLAPADD to restore your settings.

Cheers!
D
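Derek's point above is that the base DN has to be identical in every file the how-to edits, allowing for quoting and case. As an added check that is not part of the how-to or of any post here, this script reads the DN back from slapd.conf, both ldap.conf files, smb.conf, smbldap.conf and smbldap_bind.conf and reports any file that disagrees; "no global superior knowledge" is what slapd returns when asked to add an entry below a suffix it does not serve, and the constructed sample tree reproduces the dc=zelnkanc / zelenkanc spelling mix seen in dio's log. File locations follow the how-to's paths under an assumed etc directory; the smbldap-tools files live elsewhere with the FC4 packages Derek used.

```shell
#!/bin/sh
# Added example (not part of the how-to): compare the base DN configured in
# each file the how-to edits and report any that disagree. slapd answers
# "no global superior knowledge" when asked to add an entry below a suffix
# it does not serve, which is what a typo in one of these files produces.

# Constructed sample tree: the six files, with one suffix mis-typed.
make_sample_tree() {
    etc="$1"
    mkdir -p "$etc/openldap" "$etc/samba" "$etc/smbldap-tools"
    printf 'suffix "dc=zelenkanc,dc=com"\nrootdn "cn=Manager,dc=zelenkanc,dc=com"\n' > "$etc/openldap/slapd.conf"
    printf 'HOST 127.0.0.1\nBASE dc=zelenkanc,dc=com\n' > "$etc/openldap/ldap.conf"
    printf 'host 127.0.0.1\nbase dc=zelenkanc,dc=com\n' > "$etc/ldap.conf"
    printf '[global]\nldap suffix = dc=ZELENKANC,dc=COM\n' > "$etc/samba/smb.conf"
    printf 'suffix="dc=zelnkanc,dc=com"\n' > "$etc/smbldap-tools/smbldap.conf"
    printf 'masterDN="cn=Manager,dc=zelenkanc,dc=com"\n' > "$etc/smbldap-tools/smbldap_bind.conf"
}

# Extract the value after a key, stripping quotes, blanks and case so that
# dc=DOMAIN,dc=COM and "dc=domain, dc=com" compare equal.
dn_from() {   # dn_from FILE REGEX
    sed -n "s/^[[:space:]]*$2//p" "$1" | head -n 1 \
      | tr -d '"[:space:]' | tr 'A-Z' 'a-z'
}

# Compare every file against the first one (slapd.conf); print one
# MISMATCH line per disagreement and return 1 if there were any.
check_suffix_consistency() {   # check_suffix_consistency ETCDIR
    etc="$1"; ref=""; bad=0
    for spec in \
        "$etc/openldap/slapd.conf|suffix" \
        "$etc/openldap/ldap.conf|BASE" \
        "$etc/ldap.conf|base" \
        "$etc/samba/smb.conf|ldap suffix[[:space:]]*=" \
        "$etc/smbldap-tools/smbldap.conf|suffix=" \
        "$etc/smbldap-tools/smbldap_bind.conf|masterDN=\"cn=[^,]*,"
    do
        f=${spec%%|*}; re=${spec#*|}
        dn=$(dn_from "$f" "$re")
        if [ -z "$ref" ]; then ref="$dn"; fi
        if [ "$dn" != "$ref" ]; then
            echo "MISMATCH: $f has '$dn', expected '$ref'"
            bad=1
        fi
    done
    return $bad
}
```

Point it at the real tree (`check_suffix_consistency /etc`) before running smbldap-populate; it exits non-zero as long as any file disagrees with slapd.conf.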

dio
21st February 2006, 04:47 PM
I was able to populate this time, but now I get errors trying to add users, computers or groups. Here is what I get:
[root@fedora ~]# /opt/IDEALX/sbin/smbldap-useradd -a -m -g administrator
Use of uninitialized value in substitution (s///) at /opt/IDEALX/sbin//smbldap_tools.pm line 135, <CONFIGFILE> line 25.
Thanks,
David

dio
24th February 2006, 01:59 PM
The problem I was having was errors in my config files. I compared them to a working copy and found the errors. While looking for answers I came across a script that does this all for you, all you have to do is install Fedora Core and run the script. It will automatically yum the stuff you need and then it asks you a few questions ie.. domain name, passwords, net bios name, and such. I ran that and then compared the config files it made to mine and found the errors, if anyone is interested in this script it is located at
http://web.vcs.u52.k12.me.us/linux/smbldap/
I reloaded my server and did the config files by hand after I used this to find my errors, but I did it by hand just to get the satisfaction of it. This tool worked well for me and also helped me troubleshoot my errors, this has been a definite learning experience. Thanks for all the help from everyone and now I am on to my next challenge.

David

forkyxol
7th April 2006, 10:34 PM
Everything seems to work fine until the Users part. When I try to smbldap -a -m -g 512 admin, I get an error: unknown group 512. I went through the steps again and always run into this problem.

I can add a machine and user with smbldap-useradd fine btw. I join the domain from my Windows machine with root and that was fine, but when rebooting and trying to log in to the domain with my username, which I created, it doesn't work.

Looking through my LDAP server with phpldapadmin, I see the Domain Admin group there with uid 512 under Group, and my username I created under People was also there. Like I said, I can't access the server with my username. SSH to the server with my username is denied as well.

thomasdaly2005
8th April 2006, 12:17 AM
Group 512 is assumed to be the domain admins group. Try finding out what group number the Domain Admins group is and change accordingly.

Thomas

djidji
27th April 2006, 03:41 PM
How about having samba authenticate against ldap but as a stand-alone server and not a PDC? Would it be sufficient to include correct schemas into ldap configuration and have

passdb backend = ldapsam:ldap://127.0.0.1/

in smb.config?

mevunky
3rd May 2006, 02:40 AM
Exact same problem on FC5, as well as that I get....

bdb_db_open : Warning - No DB_CONFIG file found in directory

When I service ldap start.

I had it all going fine on FC4, but on FC5 I have the above problems; some things are in different places, but by searching I've had no problems...

ccrvic
3rd May 2006, 08:25 AM
Hi Thomas.

*Superb* write-up - and very handy for me, too - I'm just about to have to build a PDC, for the first time :-)

I'll just make one note, though :

Because we have to make so many changes to the smb.conf file, it is easier to do it through notepad on a windows pc

Aside from the fact that many of us find using an editor on Windows to be excessive hassle, you do need to be very careful when using Notepad to edit Linux config files - it silently converts all LFs to CRLFs. This breaks a number of config files, and you need to run dos2unix to reverse the changes...

Personally, I'd have put "gedit" in place of Notepad. And then used vi :-)

Vic.

pparks1
27th August 2006, 03:02 PM
Thomas,

Thanks for the handy write up. I gave it a shot over the past couple of days and it worked just fine. Now, to just go back and dig through the configs and make sure that I understand all of the moving pieces and how to recover from any disasters and I will be all set.

Once again, thanks for taking the time to post how to do this.

pparks1
27th August 2006, 06:22 PM
Could somebody give me some help with something.

I set up the above and everything is working. I can join a Windows machine to the domain and I can create additional users by using
smbldap-useradd -a -m -c "<full-name>" <user-name>

When I look at /home, I see a folder for user1 that looks like this

drwx------ 2 user1 Domain Users 4096 Aug 27 09:56 user1


Now, on my system, the user account is stored within LDAP and samba is using it.


Now, if I want to create a folder called /data and give all "Domain Users" rights, what command do I type in on the Linux server to do this. Because in my case, there is no local group called "Domain Users" in /etc/group?

Essentially, I want

drwxr-xr-x 2 root Domain Users 4096 Aug 27 12:51 downloads


I know this is simple, but I cannot figure it out.

jdinkel
28th August 2006, 05:59 PM
google for "notepad2" and use it instead on Windows as it does not have the end line problem.