
Thread: Samba MS LDAP authentication

  1. #1

    Samba MS LDAP authentication

    At the moment I am configuring a test environment with 1 Microsoft Active Directory server and 1 openSUSE 11 Samba file-sharing server. But I have an issue. The Samba server is added to the domain and the servers can communicate with each other. I can log in to the domain on the Samba server, and the LDAP settings tab in the YaST2 Samba configuration tool tells me that Samba and the MS LDAP server can communicate with each other. I can see the shares on the Samba server but I can't authenticate myself. When I want to log on, I always see "domain: domainname.local" and "access denied". My question is now: how can I give the MS Administrator account rights to view the shares and configure the rights for the other users?

    Samba config file:

    [global]
            workgroup = WIN-FVJBNQIJE9O@WOENSDRECHT.LOCAL
            passdb backend = ldapsam:ldap://win-fvjbnqije9o.woensdrecht.local
            printing = cups
            printcap name = cups
            printcap cache time = 750
            cups options = raw
            map to guest = Bad User
            include = /etc/samba/dhcp.conf
            logon path = \\%L\profiles\.msprofile
            logon home = \\%L\%U\.9xprofile
            logon drive = P:
            usershare allow guests = Yes
            add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$
            domain logons = Yes
            domain master = Yes
            security = user
            realm = WOENSDRECHT.LOCAL
            wins support = Yes
            ldap admin dn = Administrator
            ldap group suffix = ou=Groups
            ldap idmap suffix = ou=Idmap
            ldap machine suffix = ou=Machines
            ldap passwd sync = Yes
            ldap suffix = dc=woensdrecht,dc=local
            ldap user suffix = ou=Users
            usershare max shares = 100
            idmap gid = 10000-20000
            idmap uid = 10000-20000
            template homedir = /home/%D/%U
            template shell = /bin/bash
            winbind refresh tickets = yes
            idmap backend = ldap:ldap://win-fvjbnqije9o.woensdrecht.local
            local master = Yes
            os level = 65
            preferred master = Yes

    [homes]
            comment = Home Directories
            valid users = %S, %D%w%S
            browseable = No
            read only = No
            inherit acls = Yes

    [profiles]
            comment = Network Profiles Service
            path = %H
            read only = No
            store dos attributes = Yes
            create mask = 0600
            directory mask = 0700

    [users]
            comment = All users
            path = /home
            read only = No
            inherit acls = Yes
            veto files = /aquota.user/groups/shares/

    [groups]
            comment = All groups
            path = /home/groups
            read only = No
            inherit acls = Yes

    [printers]
            comment = All Printers
            path = /var/tmp
            printable = Yes
            create mask = 0600
            browseable = No

    [print$]
            comment = Printer Drivers
            path = /var/lib/samba/drivers
            write list = @ntadmin root
            force group = ntadmin
            create mask = 0664
            directory mask = 0775

    [netlogon]
            comment = Network Logon Service
            path = /var/lib/samba/netlogon
            write list = root

    [Files]
            comment = Bestanden van de medewerkers.
            inherit acls = Yes
            path = /winshares/files
            read only = No
            admin users = root Administrator
            writable = Yes
            write list = Administrator

  2. #2

    Re: Samba MS LDAP authentication

    I don't know a whole lot about MS Active Directory and LDAP, so I don't really know what you can do as the MS Administrator in your situation, but for adding Samba users the only way I know of is to use the smbpasswd command as root, like this:

    smbpasswd -a [username]

    It then asks you to enter and confirm a password for the user. After adding your users, still as root, run the command service smb reload.

    I think that to give the Windows Administrator rights to control aspects of Samba, the MS Administrator would need to have an account on the Linux box and be given access to commands like smbpasswd and smb using sudo, and to view shares run smbpasswd -a for the MS Administrator.

    There might be 'better' ways to do it in the setup you have, but as I said I don't really know much about MS Active Directory, so someone more knowledgeable on the subject could probably confirm (or not) whether this is the case for you.

    I'm not all that clear on where the users/password info is being handled, as you say you're using Active Directory but also using a 'Samba domain': you have Samba set up as the primary domain controller (PDC) and handling domain logons, and I'm not sure where Active Directory fits into that scenario. I wouldn't expect Samba to be the PDC when using Active Directory.

    The more I think about it, the more I think setting Samba to not be the PDC and changing smb.conf to show security = ADS instead of security = user would be a good place to start. I also believe the preferred master setting should be 'no'; you have it set to 'yes'.

    It may be worth you checking out the Samba and Active Directory wiki found here: https://wiki.samba.org/index.php/Sam...tive_Directory
    Last edited by Ecky; 08-May-2011 at 16:12. Reason: missed a bit
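As an added example (not from the original post or the Samba project), here is how the [global] section and the Files share could look with this reply's suggestions applied: security = ADS and Samba no longer acting as PDC, so that logons are checked against the AD domain controller through winbind. The NetBIOS domain name WOENSDRECHT, the local tdb idmap store and the DOMAIN\user naming are assumptions.

```ini
# Added example: a Samba 3.x file server joined to an existing AD domain
# as a member server, applying the reply's suggestions.
# Assumptions: NetBIOS domain name WOENSDRECHT (realm WOENSDRECHT.LOCAL
# is from the posted config), a local tdb idmap store.
[global]
        workgroup = WOENSDRECHT
        realm = WOENSDRECHT.LOCAL
        # Authenticate against the AD domain controller (Kerberos/winbind)
        # instead of Samba's own password database (security = user).
        security = ADS

        # A member server must not compete with the AD DC for domain roles.
        domain logons = No
        domain master = No
        preferred master = No
        local master = No
        wins support = No

        # Map AD users/groups to local uids/gids. Samba 3.x syntax as in the
        # posted config; newer releases use "idmap config * : backend/range".
        idmap backend = tdb
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        template homedir = /home/%D/%U
        template shell = /bin/bash

        # The ldapsam passdb backend and the "ldap ... suffix" entries from the
        # posted config are intentionally absent: they configure Samba's own
        # LDAP account database, not AD authentication through winbind.

[Files]
        comment = Bestanden van de medewerkers.
        path = /winshares/files
        read only = No
        inherit acls = Yes
        # DOMAIN\user form is unambiguous once winbind resolves AD accounts.
        # "admin users" makes that user's file operations run as root on this
        # share, so keep the list to the accounts that really need it.
        admin users = WOENSDRECHT\Administrator
        write list = WOENSDRECHT\Administrator
```

The shares that depend on Samba being a domain controller in the posted config ([netlogon], [profiles], logon path/home/drive) have no role on a member server and are left out here.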
