READY
06.04.04, 14:17
Hello,
For several weeks now I have been working on LDAP in connection with Samba. I am currently setting up a test environment with OpenLDAP 2.1 and Samba 3.02a as PDC.
I have already read all the documentation and HOWTOs I could get hold of anywhere.
Unfortunately, the attempt to join the PDC domain is answered with an error message (under Windows):
"Zuordnungen von Kontennamen und Sicherheitskennungen wurden nicht durchgeführt" (no mapping between account names and security IDs was done)
With "net join" (Linux):
[2004/04/06 14:59:44, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(240)
error looking up rid for user burnstation$: NT_STATUS_NONE_MAPPED
About the environment:
Burnstation is the Samba server (SuSE 9.0).
Mobil1 is the Windows XP Pro test client.
TEST.INT is the Samba domain.
I use group mapping (the configuration can be seen in the LDIF structure).
My configuration:
Samba (smb.conf):
[global]
netbios name = burnstation
workgroup = test.int
#passwd backend = tdbsam
os level = 34
domain master = yes
domain logons = yes
preferred master = yes
local master = yes
wins support = yes
log level = 50
log file = /var/log/samba/log.smbd
logon path = \\%N\profiles\%u
logon drive = H:
logon home = \\burnstation\%u\winprofile
logon script = logon.cmd
server string = %h PDC
valid chars = 148:153 132:142 129:154 225
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
map archive = No
mangled names = No
character set = ISO8859-1
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
security = user
null passwords = Yes
encrypt passwords = Yes
# LDAP
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=burnstation,dc=smb-net
ldap admin dn = uid=root,o=users,dc=burnstation,dc=smb-net
ldap port = 389
ldap server = 127.0.0.1
ldap ssl = no
ldap user suffix = o=users
ldap group suffix = o=groups
ldap machine suffix = o=computers
ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
[netlogon]
path = /var/lib/samba/netlogon
read only = yes
write list = ntadmin,root
[profiles]
path = /var/lib/samba/profiles
comment = Profiles
browseable = yes
public = yes
read only = no
writeable = yes
create mask = 0644
directory mask = 0755
[homes]
comment = Home Directories
browseable = yes
public = yes
read only = no
writeable = yes
create mask = 0644
directory mask = 0755
OpenLDAP (slapd.conf):
TLSCertificateFile /etc/openldap/certificates/servercrt.pem
TLSCertificateKeyFile /etc/openldap/certificates/serverkey.pem
TLSCACertificateFile /etc/openldap/certificates/cacert.pem
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/uidpool.schema
include /etc/openldap/slapd.access.conf
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 256
database ldbm
suffix "dc=burnstation,dc=smb-net"
rootdn "cn=Manager,dc=burnstation,dc=smb-net"
rootpw ******
directory /var/lib/ldap
index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
The OpenLDAP LDIF structure:
dn: o=users,dc=burnstation,dc=smb-net
o: users
objectClass: organization
structuralObjectClass: organization
dn: uid=root,o=users,dc=burnstation,dc=smb-net
cn: root
displayName: root root
gecos: root root
gidNumber: 0
homeDirectory: /root
loginShell: /bin/bash
sambaAcctFlags: [U ]
sambaPrimaryGroupSID: S-1-5-21-1033472183-1631895051-3950298177-512
shadowLastChange: 11778
uid: root
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
structuralObjectClass: account
sambaDomainName: TEST.INT
uidNumber: 0
sambaSID: S-1-5-21-1033472183-1631895051-3950298177-500
sambaPwdMustChange: 2147483647
sambaLMPassword: ******
sambaNTPassword: ******
userPassword:: ******
sambaPwdCanChange: 1080739329
sambaPwdLastSet: 1080739329
dn: uid=deruser,o=users,dc=burnstation,dc=smb-net
uid: deruser
cn: der
sn: user
userPassword:: ******
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/deruser
shadowMin: -1
shadowMax: 999999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
structuralObjectClass: person
dn: o=groups,dc=burnstation,dc=smb-net
o: groups
objectClass: organization
structuralObjectClass: organization
dn: cn=users,o=groups,dc=burnstation,dc=smb-net
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
gidNumber: 100
cn: users
structuralObjectClass: posixGroup
sambaGroupType: 2
displayName: Domain Users
sambaSID: S-1-5-21-1033472183-1631895051-3950298177-513
dn: cn=admins,o=groups,dc=burnstation,dc=smb-net
cn: admins
gidNumber: 200
structuralObjectClass: posixGroup
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-1033472183-1631895051-3950298177-512
displayName: Domain Admins
dn: cn=computers,o=groups,dc=burnstation,dc=smb-net
cn: computers
gidNumber: 300
sambaGroupType: 2
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
structuralObjectClass: posixGroup
sambaSID: S-1-5-21-1033472183-1631895051-3950298177-515
displayName: Domain Computers
dn: cn=root,o=groups,dc=burnstation,dc=smb-net
cn: root
gidNumber: 0
sambaGroupType: 2
memberUid: root
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
structuralObjectClass: posixGroup
displayName: System Operators
sambaSID: S-1-5-21-1033472183-1631895051-3950298177-512
dn: cn=controllers,o=groups,dc=burnstation,dc=smb-net
cn: controllers
displayName: Domain Controllers
sambaGroupType: 2
memberUid: $burnstation
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
structuralObjectClass: posixGroup
gidNumber: 400
sambaSID: S-1-5-21-1033472183-1631895051-3950298177-516
dn: cn=nobody,o=groups,dc=burnstation,dc=smb-net
cn: nobody
displayName: Domain Guests
sambaGroupType: 2
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
structuralObjectClass: posixGroup
sambaSID: S-1-5-21-1033472183-1631895051-3950298177-514
gidNumber: 65533
dn: o=computers,dc=burnstation,dc=smb-net
o: computers
objectClass: organization
structuralObjectClass: organization
dn: uid=mobil1__$,o=computers,dc=burnstation,dc=smb-net
gidNumber: 300
uid: mobil1__$
cn: mobil1
homeDirectory: /dev/null
objectClass: top
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: account
structuralObjectClass: account
uidNumber: 1004
sambaAcctFlags: [W ]
sambaSID: S-1-5-21-1033472183-1631895051-3950298177-3008
dn: uid=burnstation$,o=computers,dc=burnstation,dc=smb-net
gidNumber: 300
uid: burnstation$
cn: burnstation
homeDirectory: /dev/null
objectClass: top
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: account
structuralObjectClass: account
sambaPrimaryGroupSID: S-1-5-21-1033472183-1631895051-3950298177-515
uidNumber: 1005
sambaAcctFlags: [W ]
sambaSID: S-1-5-21-1033472183-1631895051-3950298177-3010
dn: uid=mobil1$,o=computers,dc=burnstation,dc=smb-net
cn: mobil1
gidNumber: 300
homeDirectory: /dev/null
objectClass: top
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: account
sambaPrimaryGroupSID: S-1-5-21-1033472183-1631895051-3950298177-515
sambaSID: S-1-5-21-1033472183-1631895051-3950298177-3006
uid: mobil1$
uidNumber: 1003
structuralObjectClass: account
sambaAcctFlags: [W ]
dn: sambaDomainName=TEST.INT,dc=burnstation,dc=smb-net
sambaDomainName: TEST.INT
sambaSID: S-1-5-21-1033472183-1631895051-3950298177-516
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
structuralObjectClass: sambaDomain
If you can give me any hints/tips: bring them on!
On request I will also post LDAP/Samba/Ethereal debugging output.
Personally it did not get me any further, although I went through the huge amount of logs very carefully.
Hoping for an answer!
-ready
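As an added example (not part of the post and not Samba project code), here is a small Python consistency checker run over a condensed, constructed copy of the LDIF tree above (same DNs, uids and SIDs; password, shadow and POSIX attributes left out). It does not diagnose the join failure; it only reports the kinds of SID and membership inconsistencies that make name-to-SID lookups fail, which is what NT_STATUS_NONE_MAPPED ("error looking up rid") reports: a sambaDomain entry whose sambaSID is not a bare domain SID, account/group SIDs not under that domain SID, the same SID on two objects, and memberUid values that match no uid in the tree. The finding codes and the parser are my own; the SID structure rule (a domain SID is S-1-5-21-a-b-c, everything below it adds one RID) is standard.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, condensed from the post's LDIF: same DNs, uids and SIDs.
SAMPLE_LDIF = """\
dn: sambaDomainName=TEST.INT,dc=burnstation,dc=smb-net
objectClass: sambaDomain
sambaDomainName: TEST.INT
sambaSID: S-1-5-21-1033472183-1631895051-3950298177-516

dn: uid=root,o=users,dc=burnstation,dc=smb-net
objectClass: sambaSamAccount
uid: root
sambaSID: S-1-5-21-1033472183-1631895051-3950298177-500
sambaPrimaryGroupSID: S-1-5-21-1033472183-1631895051-3950298177-512

dn: cn=admins,o=groups,dc=burnstation,dc=smb-net
objectClass: sambaGroupMapping
cn: admins
sambaSID: S-1-5-21-1033472183-1631895051-3950298177-512

dn: cn=root,o=groups,dc=burnstation,dc=smb-net
objectClass: sambaGroupMapping
cn: root
memberUid: root
sambaSID: S-1-5-21-1033472183-1631895051-3950298177-512

dn: cn=controllers,o=groups,dc=burnstation,dc=smb-net
objectClass: sambaGroupMapping
cn: controllers
memberUid: $burnstation
sambaSID: S-1-5-21-1033472183-1631895051-3950298177-516

dn: uid=burnstation$,o=computers,dc=burnstation,dc=smb-net
objectClass: sambaSamAccount
uid: burnstation$
sambaSID: S-1-5-21-1033472183-1631895051-3950298177-3010
"""

# A domain SID has exactly three sub-authorities after the "21".
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


def parse_ldif(text):
    """Parse LDIF into a list of entries (attribute -> list of values).
    A new entry starts at every 'dn:' line, so the flattened form in the post
    (no blank lines) parses like proper LDIF. Base64 values ('attr:: ...') are
    kept verbatim; line folding is not handled (hypothetical minimal parser)."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.lstrip(": ")
        if attr == "dn":
            current = defaultdict(list)
            entries.append(current)
        if current is not None:
            current[attr].append(value)
    return entries


def rid_split(sid):
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', 'RID')."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, rid


def check_tree(entries):
    """Return (code, detail) findings. Codes: DOMAIN_SID_SHAPE,
    DOMAIN_SID_MISMATCH, DUPLICATE_SID, UNKNOWN_MEMBERUID."""
    findings = []
    domain_sid = None
    sid_owner = {}  # sambaSID -> list of DNs carrying it (non-domain entries)
    for e in entries:
        sids = e.get("sambaSID") or []
        if not sids:
            continue
        if "sambaDomain" in (e.get("objectClass") or []):
            domain_sid = domain_sid or sids[0]
        else:
            sid_owner.setdefault(sids[0], []).append(e["dn"][0])

    # 1. The sambaDomain entry must carry a bare domain SID, not SID+RID.
    if domain_sid and not DOMAIN_SID_RE.match(domain_sid):
        findings.append(("DOMAIN_SID_SHAPE",
                         f"sambaDomain sambaSID {domain_sid} is not a bare domain SID"))

    # 2. All account/group SIDs must sit directly under the domain SID.
    prefixes = Counter(rid_split(sid)[0] for sid in sid_owner)
    if domain_sid and (len(prefixes) != 1 or domain_sid not in prefixes):
        findings.append(("DOMAIN_SID_MISMATCH",
                         f"sambaDomain SID {domain_sid} vs account/group prefixes {dict(prefixes)}"))

    # 3. A SID identifies exactly one object; duplicates make lookups ambiguous.
    for sid, owners in sid_owner.items():
        if len(owners) > 1:
            findings.append(("DUPLICATE_SID", f"{sid} used by {', '.join(owners)}"))

    # 4. memberUid must name an existing uid (machine accounts end in '$').
    known_uids = {u for e in entries for u in (e.get("uid") or [])}
    for e in entries:
        for member in e.get("memberUid") or []:
            if member not in known_uids:
                findings.append(("UNKNOWN_MEMBERUID",
                                 f"{e['dn'][0]}: memberUid {member!r} matches no uid"))
    return findings


if __name__ == "__main__":
    for code, detail in check_tree(parse_ldif(SAMPLE_LDIF)):
        print(f"{code}: {detail}")
```

Run it against the output of `ldapsearch -x -b dc=burnstation,dc=smb-net` (piped into a file, or any LDIF dump) instead of the embedded sample; every finding it prints is a place where the PDC's name-to-SID or SID-to-name mapping has more than one answer or none, which is worth ruling out before digging through level-50 logs.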