Prev: [Samba] "net sam provision" and samba 3.4.0
Next: [Samba] smbd uses 10 to 15% CPU w/Vista client
From: David Markey on 6 Sep 2009 19:00

These are the settings I use:

[global]
workgroup = TESTDOM
encrypt passwords = true
passdb backend = ldapsam:ldapi:///
domain logons = yes
ldapsam:trusted=yes
ldapsam:editposix=yes
restrict anonymous = 0
log level = 10
log file = /var/log/samba
ldap admin dn = cn=admin,dc=samba,dc=org
ldap delete dn = yes
ldap passwd sync = yes
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap user suffix = ou=users
ldap suffix = dc=samba,dc=org
ldap ssl = off
logon path =
template homedir = /home/%U
template shell = /bin/bash
idmap backend = ldap:ldapi:///
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap alloc backend = ldap
idmap alloc config : ldap_url = ldapi:///
idmap alloc config : ldap_base_dn = ou=idmap,dc=samba,dc=org
idmap alloc config : ldap_user_dn = cn=admin,dc=samba,dc=org

Don't forget net idmap secret alloc "password"

The docs should probably be updated.

On Sun, 6 Sep 2009 21:16:59 +0200, "Zeller, Jan" <jan.zeller(a)id.unibe.ch> wrote:
> Dear list,
>
> I had some problems with "net sam provision" using samba 3.4.0
> I followed the instructions described on
> http://wiki.samba.org/index.php/Ldapsam_Editposix and those published by iX
> 4-6/2008 (www.ix.de)
> but the result of "net sam provision" was always :
>
> # bin/net sam provision
> Checking for Domain Users group.
> Adding the Domain Users group.
> Unable to allocate a new gid to create Domain Users group!
> Checking for Domain Admins group.
> Adding the Domain Admins group.
> Unable to allocate a new gid to create Domain Admins group!
> Check for Administrator account.
> Adding the Administrator user.
> Can't create Administrator user, Domain Admins group not available!
>
> The "only configuration" which is working under 3.4.0 regarding "net sam
> provision" seems to be :
>
> [global]
> workgroup = MYDOM
> netbios name =
> passdb backend = ldapsam:ldap://yoda.home.lan
> ldap admin dn = cn=ldapadm,o=it,dc=home,dc=lan
> ldap suffix = o=it,dc=home,dc=lan
> ldap ssl = no
> idmap alloc backend = ldap
> idmap uid = 10000-19999
> idmap gid = 10000-19999
> idmap config MYDOM : range = 20000-29999
> idmap config MYDOM : backend = ldap
> idmap alloc config:ldap_url = ldap://yoda.home.lan
> idmap alloc config:ldap_user_dn = cn=ldapadm,o=it,dc=home,dc=lan
> idmap alloc config:ldap_base_dn = o=it,dc=home,dc=lan
> ldapsam:editposix = yes
> ldapsam:trusted = yes
>
> If I omit
> idmap uid =
> idmap gid =
> I obtain the error message mentioned above.
>
> The only info I get about that problem is from :
> Michael Adam (Samba Team, SerNet): ID Mapping Re-Revisited (sambaxp.org)
>
> "idmap domains" seem to be obsolete. testparm always complains about :
> Unknown parameter encountered: "idmap domains"
> Ignoring unknown parameter "idmap domains"
>
> Honestly I don't understand the difference between "idmap alloc backend = "
> and "idmap backend = "
>
> idmap alloc backend (G)
> The idmap alloc backend provides a plugin interface for Winbind to use when
> allocating Unix uids/gids for Windows SIDs.
> This option is to be used in conjunction with the idmap domains parameter
> and refers to the name of the idmap module which will provide the id
> allocation functionality.
>
> idmap backend (G)
> The idmap backend provides a plugin interface for Winbind to use varying
> backends to store SID/uid/gid mapping
> tables. This option is mutually exclusive with the newer and more flexible
> idmap domains parameter. The main
> difference between the "idmap backend" and the "idmap domains" is that the
> former only allows one backend for all
> domains while the latter supports configuring backends on a per domain
> basis.
>
> Quite confusing for people like me ...
>
> kind regards,
>
> Jan

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From: Zeller, Jan on 7 Sep 2009 02:40

Thank you! But what's "net idmap secret alloc <password>"?
Is it different from "smbpasswd -w"?

"man net" says :
Store a secret for the specified domain, used primarily for domains that
use idmap_ldap as a backend. In this case the secret is used as the
password for the user DN used to bind to the ldap server.

hmmm...

> -----Original Message-----
> From: David Markey [mailto:dmarkey(a)dodds.dmarkey.com]
> Sent: Monday, 7 September 2009 00:53
> To: Zeller, Jan
> Cc: samba(a)lists.samba.org
> Subject: Re: [Samba] "net sam provision" and samba 3.4.0
>
>
> These are the settings I use:
> [global]
> workgroup = TESTDOM
> encrypt passwords = true
> passdb backend = ldapsam:ldapi:///
> domain logons = yes
> ldapsam:trusted=yes
> ldapsam:editposix=yes
> restrict anonymous = 0
> log level = 10
> log file = /var/log/samba
> ldap admin dn = cn=admin,dc=samba,dc=org
> ldap delete dn = yes
> ldap passwd sync = yes
> ldap group suffix = ou=groups
> ldap machine suffix = ou=computers
> ldap user suffix = ou=users
> ldap suffix = dc=samba,dc=org
> ldap ssl = off
> logon path =
> template homedir = /home/%U
> template shell = /bin/bash
> idmap backend = ldap:ldapi:///
> idmap uid = 1000000-1999999
> idmap gid = 1000000-1999999
> idmap alloc backend = ldap
> idmap alloc config : ldap_url = ldapi:///
> idmap alloc config : ldap_base_dn = ou=idmap,dc=samba,dc=org
> idmap alloc config : ldap_user_dn = cn=admin,dc=samba,dc=org
>
>
> Don't forget net idmap secret alloc "password"

From: David Markey on 7 Sep 2009 05:50

Yes, smbpasswd -w is for user/group/domain information.

net idmap secret alloc is specifically for the idmap part of the directory.

IMO if there is no idmap password set, it should fall back to the global
ldap dn/password.

On Mon, 7 Sep 2009 08:35:20 +0200, "Zeller, Jan" <jan.zeller(a)id.unibe.ch> wrote:
> Thank you! But what's "net idmap secret alloc <password>"?
> Is it different from "smbpasswd -w"?
>
> "man net" says :
> Store a secret for the specified domain, used primarily for domains that
> use idmap_ldap as a backend. In this case the secret is used as the
> password for the user DN used to bind to the ldap server.
>
> hmmm...
>
>> -----Original Message-----
>> From: David Markey [mailto:dmarkey(a)dodds.dmarkey.com]
>> Sent: Monday, 7 September 2009 00:53
>> To: Zeller, Jan
>> Cc: samba(a)lists.samba.org
>> Subject: Re: [Samba] "net sam provision" and samba 3.4.0
>>
>>
>> These are the settings I use:
>> [global]
>> workgroup = TESTDOM
>> encrypt passwords = true
>> passdb backend = ldapsam:ldapi:///
>> domain logons = yes
>> ldapsam:trusted=yes
>> ldapsam:editposix=yes
>> restrict anonymous = 0
>> log level = 10
>> log file = /var/log/samba
>> ldap admin dn = cn=admin,dc=samba,dc=org
>> ldap delete dn = yes
>> ldap passwd sync = yes
>> ldap group suffix = ou=groups
>> ldap machine suffix = ou=computers
>> ldap user suffix = ou=users
>> ldap suffix = dc=samba,dc=org
>> ldap ssl = off
>> logon path =
>> template homedir = /home/%U
>> template shell = /bin/bash
>> idmap backend = ldap:ldapi:///
>> idmap uid = 1000000-1999999
>> idmap gid = 1000000-1999999
>> idmap alloc backend = ldap
>> idmap alloc config : ldap_url = ldapi:///
>> idmap alloc config : ldap_base_dn = ou=idmap,dc=samba,dc=org
>> idmap alloc config : ldap_user_dn = cn=admin,dc=samba,dc=org
>>
>>
>> Don't forget net idmap secret alloc "password"
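
Added example (not part of the thread and not Samba code): a small smb.conf check for the points raised above, namely the idmap uid/gid ranges Jan found necessary with ldapsam:editposix, the separate idmap secret David mentions, and an LDAP admin bind over plain ldap:// with "ldap ssl" switched off. The function names and finding codes are hypothetical, and both sample configs are constructed from settings quoted in the thread.

```python
import re

def parse_global(text):
    """[global] parameters; smb.conf ignores case and whitespace in names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)  # only the first '=' separates
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def lint(text):
    """Return finding codes (names are hypothetical, chosen for this example)."""
    p, findings = parse_global(text), []
    # Jan's report: with editposix on, omitting idmap uid/gid breaks provisioning.
    if p.get("ldapsam:editposix", "").lower() in ("yes", "true", "1", "on"):
        for key in ("idmapuid", "idmapgid"):
            if not re.fullmatch(r"\d+\s*-\s*\d+", p.get(key, "")):
                findings.append("missing-range:" + key)
    # David's reply: the idmap bind password is set with "net idmap secret alloc".
    if p.get("idmapallocbackend", "").lower() == "ldap":
        findings.append("needs-idmap-secret")
    # TLS explicitly off plus a network ldap:// URL: the admin DN's simple
    # bind crosses the network unencrypted. ldapi:/// is a local socket.
    if p.get("ldapssl", "").lower() in ("off", "no") and re.search(
            r"\bldap://", p.get("passdbbackend", "")):
        findings.append("cleartext-ldap-bind")
    return findings

# Constructed input: Jan's working config with the idmap uid/gid lines omitted.
JAN_WITHOUT_RANGES = """[global]
passdb backend = ldapsam:ldap://yoda.home.lan
ldap ssl = no
idmap alloc backend = ldap
ldapsam:editposix = yes
"""
# Constructed input: excerpt of David's settings.
DAVID_EXCERPT = """[global]
passdb backend = ldapsam:ldapi:///
ldapsam:editposix=yes
ldap ssl = off
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap alloc backend = ldap
"""
print(lint(JAN_WITHOUT_RANGES), lint(DAVID_EXCERPT))
```

The "needs-idmap-secret" code is a reminder only: whether the secret has actually been stored cannot be read from smb.conf.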