der_angler
08.02.07, 20:22
Nabend alle miteinander,
also ich habe da mal ein kleines Problem mit folgendem HowTo ->
http://de.gentoo-wiki.com/Samba_PDC_mit_LDAP-Backend
Aber zuerst einmal zu meinem Grundsystem. Ich habe mich für ein gentoo
hardened Profil/System entschieden! Warum? Ganz einfach weil ich den
Server so sicher wie nur möglich haben will (ist zu Versuchs-/Lernzweck),
deshalb habe ich auch die hardened-sources installiert.
Okay, soweit lief das ganze auch prima. Alles installiert, Server startet
ohne Fehler, Netzwerk geht -> *freu*
So, jetzt wollte ich daran gehen einen Samba-Server aufzusetzen, welcher
gleichzeitig PDC ist und über ldap verfügt, so das Nutzer sich über Samba am
jedem beliebigen Client anmelden können. Hmm, hoffe man versteht was ich
will? Nein, dann nochmal ein Versuch. Ich will mich von jedem Win-Client aus
anmelden können, und zwar so, das Benutzername & Passwort beim Server
liegen, sprich, egal welcher Client, ich kann mich immer einloggen.
Also was tun? Da ich kein ganz dummes Kind bin (^^) habe ich mir gedacht
schaust dir mal obiges HowTo an und machst alles genauso.
Gesagt getan, ich bin die Anleitung Schritt für Schritt durchgegangen und
als ich dann an den folgenden Punkt gekommen bin lief es schief.
server ~ # smbldap-populate
Populating LDAP directory for domain kanzlei
(S-1-5-21-2385998794-886677818-3740541020)
(using builtin directory structure)
entry dc=mydomain,dc=org already exist.
entry ou=Users,dc=mydomain,dc=org already exist.
entry ou=Groups,dc=mydomain,dc=org already exist.
entry ou=Computers,dc=mydomain,dc=org already exist.
entry ou=Idmap,dc=mydomain,dc=org already exist.
entry uid=root,ou=Users,dc=mydomain,dc=org already exist.
entry uid=nobody,ou=Users,dc=mydomain,dc=org already exist.
entry cn=Domain Admins,ou=Groups,dc=mydomain,dc=org already exist.
entry cn=Domain Users,ou=Groups,dc=mydomain,dc=org already exist.
entry cn=Domain Guests,ou=Groups,dc=mydomain,dc=org already exist.
entry cn=Domain Computers,ou=Groups,dc=mydomain,dc=org already exist.
entry cn=Administrators,ou=Groups,dc=mydomain,dc=org already exist.
entry cn=Account Operators,ou=Groups,dc=mydomain,dc=org already exist.
entry cn=Print Operators,ou=Groups,dc=mydomain,dc=org already exist.
entry cn=Backup Operators,ou=Groups,dc=mydomain,dc=org already exist.
entry cn=Replicators,ou=Groups,dc=mydomain,dc=org already exist.
entry sambaDomainName=mydomain,dc=mydomain,dc=org already exist. Updating
it...
failed to modify entry: structural object class modification from
'sambaDomain' to 'inetOrgPerson' not allowed at /usr/sbin/smbldap-populate
line 464, <GEN1> line 21.
Please provide a password for the domain root:
Changing password for root
New password :
Retype new password :
Hier tauchte also der erste Fehler auf ->
failed to modify entry:
structural object class modification from 'sambaDomain' to 'inetOrgPerson'
not allowed at /usr/sbin/smbldap-populate line 464, <GEN1> line 21.
Okay, das Skript lief aber nach diesem Fehler ja weiter und verlangte das
LDAP-Admin Passwort. Also dachte ich mir der Fehler kan ja nicht schlimm
sein, sonst würde es nicht weiter gehen. Also auf zum nächsten Schritt, der
darin besteht einen Testuser anzulegen, tja und genau das geht nun nicht und
den Fehler finde ich auch nicht. Folgendes kommt immer beim Versuch einen
User anzulegen
server ~ # smbldap-useradd -a -m testuser
Could not find base dn, to get next uidNumber at /usr/sbin//smbldap_tools.pm
line 995.
Okay, wie gesagt bin ich kein ganz Dummer und habe mal nach dem Fehler
gegoogelt und siehe da, ich bin nicht alleine. Leider gab es keine Lösungen
die für mich funktioniert haben. Z. Bsp. taucht der Fehler bei smbldap-tools
< 0.9.1 auf, aber ich habe keine Version < 0.9.1 -> also nix für mich.
Und auch ansonsten stehe ich auf dem Schlauch weil ich mich wirklich
komplett ans HowTo gehalten habe.
Nunja, damit ihr alles Infos habt nun mal meine Config-Dateien
/etc/make.conf
# These settings were set by the catalyst build script that
automatically built this stage
# Please consult /etc/make.conf.example for a more detailed example
USE="acl -alsa cups -gnome -kde ldap mysql -opengl -oss pam -qt -qt3 -qt4
ssl truetype unicode xml xml2"
CHOST="i686-pc-linux-gnu"
CFLAGS="-march=athlon-tbird -O2 -pipe -fomit-frame-pointer"
CXXFLAGS="${CFLAGS}"
LINGUAS="de"
/etc/portage/package.use
net-fs/samba syslog oav acl
net-nds/openldap samba
net-print/cups dbus jpeg php png samba
dev-lang/php apache2 gd hardenedphp session truetype xml
cli
media-libs/gd jpeg png truetype
net-www/apache apache2
dev-db/mysql latin1 berkdb innodb
sys-apps/lm_sensors sensord
/etc/samba/smb.conf
[global]
netbios name = server
workgroup = kanzlei
server string = Windows %v
hosts allow = 10.0.0.
security = user
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = eth0
bind interfaces only = yes
log level = 0
log file = /var/log/samba/log.%m
max log size = 10000
local master = yes
os level = 65
domain master = yes
preferred master = yes
domain logons = yes
logon script = login.bat
logon path = \\%L\profiles\%U
logon drive = P:
null passwords = no
hide unreadable = yes
hide dot files = yes
ldap passwd sync = yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=mydomain,dc=org
ldap suffix = dc=mydomain,dc=org
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
dos charset = 850
unix charset = ISO8859-1
[netlogon]
path = /var/lib/samba/netlogon
public = no
writeable = no
browseable = no
[profiles]
path=/home/samba/profiles
browseable = no
writeable = yes
guest ok = yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
write list = "@Domain Users" "@Domain Admins"
create mode = 0600
directory mode = 0700
default case = lower
preserve case = no
case sensitive = no
[homes]
path = /home/%U
browseable = no
valid users = %S
writeable = yes
guest ok = no
inherit permissions = yes
[public]
comment = Public halt
path = /home/public
browseable = yes
valid users = "@Domain Users"
guest ok = no
force group = "@Domain Users"
/etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
schemacheck on
loglevel 0
database ldbm
suffix dc=mydomain,dc=org
rootdn "cn=Manager,dc=mydomain,dc=org"
lastmod on
directory /var/lib/openldap-ldbm
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
by self write
by anonymous auth
by * none
access to *
by * read
rootpw *****************
/etc/openldap/ldap.conf
GNU nano 2.0.2 File: /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
HOST 127.0.0.1
BASE dc=mydomain,dc=org
/etc/ldap.conf
# Der LDAP-Server, es werden auch FQDN's akzeptiert.
host 127.0.0.1
# base DN
base dc=mydomain,dc=org
nss_base_passwd ou=Users,dc=mydomain,dc=org?one
nss_base_passwd ou=Computers,dc=mydomain,dc=org?one
nss_base_shadow ou=Users,dc=mydomain,dc=org?one
nss_base_group ou=Groups,dc=mydomain,dc=org?one
ssl no
pam_password md5
/etc/nsswitch.conf
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $
passwd: compat ldap
shadow: compat ldap
group: compat ldap
# passwd: db files nis
# shadow: db files nis
# group: db files nis
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
/etc/smbldap-tools/smbldap_bind.conf
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=Manager,dc=mydomain,dc=org"
slavePw="**********"
masterDN="cn=Manager,dc=mydomain,dc=org"
masterPw="********"
/etc/smbldap-tools/smbldap.conf
# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.17 2005/01/29 15:00:54 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose :
# . be the configuration file for all smbldap-tools scripts
################################################## ############################
#
# General Configuration
#
################################################## ############################
# Put your own SID
# to obtain this number do: net getlocalsid
SID="S-1-5-21-2385998794-886677818-3740541020"
################################################## ############################
#
# LDAP Configuration
#
################################################## ############################
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Ex: slaveLDAP=127.0.0.1
slaveLDAP="127.0.0.1"
slavePort="389"
# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="127.0.0.1"
masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connetion
# (you should also used the port 389)
ldapTLS="0"
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=mydomain,dc=org"
# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
usersdn="ou=Users,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
computersdn="ou=Computers,${suffix}"
# Where are stored Groups
# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
groupsdn="ou=Groups,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
idmapdn="ou=Idmap,${suffix}"
# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="sambaDomainName=mydomain,${suffix}"
#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"
################################################## ############################
#
# Unix Accounts Configuration
#
################################################## ############################
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"
# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="99"
################################################## ############################
#
# SAMBA Configuration
#
################################################## ############################
# The UNC path to home drives location (%U username substitution)
# Ex: \\My-PDC-netbios-name\homes\%U
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
userSmbHome="\\My-PDC-netbios-name\home\%U"
# The UNC path to profiles locations (%U username substitution)
# Ex: \\My-PDC-netbios-name\profiles\%U
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
userProfile="\\My-PDC-netbios-name\profiles\%U"
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: H: for H:
userHomeDrive="P:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: %U.cmd
# userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
mailDomain="idealx.com"
################################################## ############################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
################################################## ############################
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
Hm, okay, soweit zu den configs die ich verwende. Vielleicht sollte ich noch sagen das ich möchte das der Rechner den Namen "server" bekommt und die Domäne "kanzlei" -> "server.kanzlei" .... leider gibt ein
server ~ # uname -a
Linux server 2.6.18-hardened #1 Tue Feb 6 03:41:28 CET 2007 i686 AMD Duron(tm) AuthenticAMD GNU/Linux nur ein "server" aus, hmm.
Okay, jedenfalls klappt alles bis zu dem Anlegen der Datenbanken, bzw. dem Anlegen eines Users. Kann mir jemand bitte sagen was ich falsch gemacht habe?
PS: Falls jemand um Einträge aus der /var/log/messages erwartet, irgendwie loggt mein syslog-ng nicht, habe zwar alles korrekt installiert, aber syslog loggt nichts mit, muss irgendwie an den hardened Einstellungen liegen.
/etc/syslog-ng/syslog-ng.conf
options { chain_hostnames(off); sync(0); };
#Quelle von der das Log gelesen werden soll
source src { unix-stream("/dev/log"); internal(); };
source kernsrc { file("/proc/kmsg"); };
#Ziele festlegen
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination mail { file("/var/log/mail.log"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
destination xconsole { pipe("/dev/xconsole"); };
#Filter erstellen
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_failed { match("failed"); };
filter f_denied { match("denied"); };
#Filter und Ziele verbinden
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
#Standard-Protokoll
log { source(src); destination(console_all); };
also ich habe da mal ein kleines Problem mit folgendem HowTo ->
http://de.gentoo-wiki.com/Samba_PDC_mit_LDAP-Backend
Aber zuerst einmal zu meinem Grundsystem. Ich habe mich für ein gentoo
hardened Profil/System entschieden! Warum? Ganz einfach weil ich den
Server so sicher wie nur möglich haben will (ist zu Versuchs-/Lernzweck),
deshalb habe ich auch die hardened-sources installiert.
Okay, soweit lief das ganze auch prima. Alles installiert, Server startet
ohne Fehler, Netzwerk geht -> *freu*
So, jetzt wollte ich daran gehen einen Samba-Server aufzusetzen, welcher
gleichzeitig PDC ist und über ldap verfügt, so das Nutzer sich über Samba am
jedem beliebigen Client anmelden können. Hmm, hoffe man versteht was ich
will? Nein, dann nochmal ein Versuch. Ich will mich von jedem Win-Client aus
anmelden können, und zwar so, das Benutzername & Passwort beim Server
liegen, sprich, egal welcher Client, ich kann mich immer einloggen.
Also was tun? Da ich kein ganz dummes Kind bin (^^) habe ich mir gedacht
schaust dir mal obiges HowTo an und machst alles genauso.
Gesagt getan, ich bin die Anleitung Schritt für Schritt durchgegangen und
als ich dann an den folgenden Punkt gekommen bin lief es schief.
server ~ # smbldap-populate
Populating LDAP directory for domain kanzlei
(S-1-5-21-2385998794-886677818-3740541020)
(using builtin directory structure)
entry dc=mydomain,dc=org already exist.
entry ou=Users,dc=mydomain,dc=org already exist.
entry ou=Groups,dc=mydomain,dc=org already exist.
entry ou=Computers,dc=mydomain,dc=org already exist.
entry ou=Idmap,dc=mydomain,dc=org already exist.
entry uid=root,ou=Users,dc=mydomain,dc=org already exist.
entry uid=nobody,ou=Users,dc=mydomain,dc=org already exist.
entry cn=Domain Admins,ou=Groups,dc=mydomain,dc=org already exist.
entry cn=Domain Users,ou=Groups,dc=mydomain,dc=org already exist.
entry cn=Domain Guests,ou=Groups,dc=mydomain,dc=org already exist.
entry cn=Domain Computers,ou=Groups,dc=mydomain,dc=org already exist.
entry cn=Administrators,ou=Groups,dc=mydomain,dc=org already exist.
entry cn=Account Operators,ou=Groups,dc=mydomain,dc=org already exist.
entry cn=Print Operators,ou=Groups,dc=mydomain,dc=org already exist.
entry cn=Backup Operators,ou=Groups,dc=mydomain,dc=org already exist.
entry cn=Replicators,ou=Groups,dc=mydomain,dc=org already exist.
entry sambaDomainName=mydomain,dc=mydomain,dc=org already exist. Updating
it...
failed to modify entry: structural object class modification from
'sambaDomain' to 'inetOrgPerson' not allowed at /usr/sbin/smbldap-populate
line 464, <GEN1> line 21.
Please provide a password for the domain root:
Changing password for root
New password :
Retype new password :
Hier tauchte also der erste Fehler auf ->
failed to modify entry:
structural object class modification from 'sambaDomain' to 'inetOrgPerson'
not allowed at /usr/sbin/smbldap-populate line 464, <GEN1> line 21.
Okay, das Skript lief aber nach diesem Fehler ja weiter und verlangte das
LDAP-Admin Passwort. Also dachte ich mir der Fehler kan ja nicht schlimm
sein, sonst würde es nicht weiter gehen. Also auf zum nächsten Schritt, der
darin besteht einen Testuser anzulegen, tja und genau das geht nun nicht und
den Fehler finde ich auch nicht. Folgendes kommt immer beim Versuch einen
User anzulegen
server ~ # smbldap-useradd -a -m testuser
Could not find base dn, to get next uidNumber at /usr/sbin//smbldap_tools.pm
line 995.
Okay, wie gesagt bin ich kein ganz Dummer und habe mal nach dem Fehler
gegoogelt und siehe da, ich bin nicht alleine. Leider gab es keine Lösungen
die für mich funktioniert haben. Z. Bsp. taucht der Fehler bei smbldap-tools
< 0.9.1 auf, aber ich habe keine Version < 0.9.1 -> also nix für mich.
Und auch ansonsten stehe ich auf dem Schlauch weil ich mich wirklich
komplett ans HowTo gehalten habe.
Nunja, damit ihr alles Infos habt nun mal meine Config-Dateien
/etc/make.conf
# These settings were set by the catalyst build script that
automatically built this stage
# Please consult /etc/make.conf.example for a more detailed example
USE="acl -alsa cups -gnome -kde ldap mysql -opengl -oss pam -qt -qt3 -qt4
ssl truetype unicode xml xml2"
CHOST="i686-pc-linux-gnu"
CFLAGS="-march=athlon-tbird -O2 -pipe -fomit-frame-pointer"
CXXFLAGS="${CFLAGS}"
LINGUAS="de"
/etc/portage/package.use
net-fs/samba syslog oav acl
net-nds/openldap samba
net-print/cups dbus jpeg php png samba
dev-lang/php apache2 gd hardenedphp session truetype xml
cli
media-libs/gd jpeg png truetype
net-www/apache apache2
dev-db/mysql latin1 berkdb innodb
sys-apps/lm_sensors sensord
/etc/samba/smb.conf
[global]
netbios name = server
workgroup = kanzlei
server string = Windows %v
hosts allow = 10.0.0.
security = user
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = eth0
bind interfaces only = yes
log level = 0
log file = /var/log/samba/log.%m
max log size = 10000
local master = yes
os level = 65
domain master = yes
preferred master = yes
domain logons = yes
logon script = login.bat
logon path = \\%L\profiles\%U
logon drive = P:
null passwords = no
hide unreadable = yes
hide dot files = yes
ldap passwd sync = yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=mydomain,dc=org
ldap suffix = dc=mydomain,dc=org
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
dos charset = 850
unix charset = ISO8859-1
[netlogon]
path = /var/lib/samba/netlogon
public = no
writeable = no
browseable = no
[profiles]
path=/home/samba/profiles
browseable = no
writeable = yes
guest ok = yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
write list = "@Domain Users" "@Domain Admins"
create mode = 0600
directory mode = 0700
default case = lower
preserve case = no
case sensitive = no
[homes]
path = /home/%U
browseable = no
valid users = %S
writeable = yes
guest ok = no
inherit permissions = yes
[public]
comment = Public halt
path = /home/public
browseable = yes
valid users = "@Domain Users"
guest ok = no
force group = "@Domain Users"
/etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
schemacheck on
loglevel 0
database ldbm
suffix dc=mydomain,dc=org
rootdn "cn=Manager,dc=mydomain,dc=org"
lastmod on
directory /var/lib/openldap-ldbm
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
by self write
by anonymous auth
by * none
access to *
by * read
rootpw *****************
/etc/openldap/ldap.conf
GNU nano 2.0.2 File: /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
HOST 127.0.0.1
BASE dc=mydomain,dc=org
/etc/ldap.conf
# Der LDAP-Server, es werden auch FQDN's akzeptiert.
host 127.0.0.1
# base DN
base dc=mydomain,dc=org
nss_base_passwd ou=Users,dc=mydomain,dc=org?one
nss_base_passwd ou=Computers,dc=mydomain,dc=org?one
nss_base_shadow ou=Users,dc=mydomain,dc=org?one
nss_base_group ou=Groups,dc=mydomain,dc=org?one
ssl no
pam_password md5
/etc/nsswitch.conf
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $
passwd: compat ldap
shadow: compat ldap
group: compat ldap
# passwd: db files nis
# shadow: db files nis
# group: db files nis
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files
/etc/smbldap-tools/smbldap_bind.conf
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=Manager,dc=mydomain,dc=org"
slavePw="**********"
masterDN="cn=Manager,dc=mydomain,dc=org"
masterPw="********"
/etc/smbldap-tools/smbldap.conf
# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.17 2005/01/29 15:00:54 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose :
# . be the configuration file for all smbldap-tools scripts
################################################## ############################
#
# General Configuration
#
################################################## ############################
# Put your own SID
# to obtain this number do: net getlocalsid
SID="S-1-5-21-2385998794-886677818-3740541020"
################################################## ############################
#
# LDAP Configuration
#
################################################## ############################
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Ex: slaveLDAP=127.0.0.1
slaveLDAP="127.0.0.1"
slavePort="389"
# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="127.0.0.1"
masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connetion
# (you should also used the port 389)
ldapTLS="0"
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=mydomain,dc=org"
# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
usersdn="ou=Users,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
computersdn="ou=Computers,${suffix}"
# Where are stored Groups
# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
groupsdn="ou=Groups,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
idmapdn="ou=Idmap,${suffix}"
# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="sambaDomainName=mydomain,${suffix}"
#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"
################################################## ############################
#
# Unix Accounts Configuration
#
################################################## ############################
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"
# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="99"
################################################## ############################
#
# SAMBA Configuration
#
################################################## ############################
# The UNC path to home drives location (%U username substitution)
# Ex: \\My-PDC-netbios-name\homes\%U
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
userSmbHome="\\My-PDC-netbios-name\home\%U"
# The UNC path to profiles locations (%U username substitution)
# Ex: \\My-PDC-netbios-name\profiles\%U
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
userProfile="\\My-PDC-netbios-name\profiles\%U"
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: H: for H:
userHomeDrive="P:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: %U.cmd
# userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
mailDomain="idealx.com"
################################################## ############################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
################################################## ############################
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
Hm, okay, soweit zu den configs die ich verwende. Vielleicht sollte ich noch sagen das ich möchte das der Rechner den Namen "server" bekommt und die Domäne "kanzlei" -> "server.kanzlei" .... leider gibt ein
server ~ # uname -a
Linux server 2.6.18-hardened #1 Tue Feb 6 03:41:28 CET 2007 i686 AMD Duron(tm) AuthenticAMD GNU/Linux nur ein "server" aus, hmm.
Okay, jedenfalls klappt alles bis zu dem Anlegen der Datenbanken, bzw. dem Anlegen eines Users. Kann mir jemand bitte sagen was ich falsch gemacht habe?
PS: Falls jemand um Einträge aus der /var/log/messages erwartet, irgendwie loggt mein syslog-ng nicht, habe zwar alles korrekt installiert, aber syslog loggt nichts mit, muss irgendwie an den hardened Einstellungen liegen.
/etc/syslog-ng/syslog-ng.conf
options { chain_hostnames(off); sync(0); };
#Quelle von der das Log gelesen werden soll
source src { unix-stream("/dev/log"); internal(); };
source kernsrc { file("/proc/kmsg"); };
#Ziele festlegen
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination mail { file("/var/log/mail.log"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
destination xconsole { pipe("/dev/xconsole"); };
#Filter erstellen
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_failed { match("failed"); };
filter f_denied { match("denied"); };
#Filter und Ziele verbinden
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
#Standard-Protokoll
log { source(src); destination(console_all); };