
Thread: Authenticating Windows to openLDAP server on Ubuntu 9.10

  1. #61
    Join Date
    Oct 2006
    Beans
    74

    Re: Authenticating Windows to openLDAP server on Ubuntu 9.10

    This worked well, thanks a ton to ingcabral for the original thread and to Abishur on this one, kudos guys.

    The only thing I had to do in the end was give that user permissions to the home folder. I'm going to try a few tweaks... I hope they work, but I think if I have to do this a second time, it will be much faster; I made a copy of all the config files after my edits.



    Well - Oddly, last night right after joining initially it whined about losing connection with the DC, but after I rebooted - copied profiles with a different user (copy local profile to domain profile) account in Windows and re-logged into the domain, it hasn't complained one bit.
    Disclaimer: I'm still a bit of a Linux/Ubuntu noob myself!

  2. #62
    Join Date
    Oct 2006
    Beans
    74

    Re: Authenticating Windows to openLDAP server on Ubuntu 9.10

    One question though - if I want to set up H: drives in Windows for the users - not profiles at all, just an H: drive mapping to /ldaphome/username.. what all would I need to add?

    I tried this - but no luck just yet.

    Added to smbldap.conf

    Code:
    # The UNC path to home drives location (%U username substitution)
    # Just set it to a null string if you want to use the smb.conf 'logon home'
    # directive and/or disable roaming profiles
    # Ex: userSmbHome="\\PDC-SMB3\%U"
    userSmbHome="\\192.168.0.2\%U"
    
    # The UNC path to profiles locations (%U username substitution)
    # Just set it to a null string if you want to use the smb.conf 'logon path'
    # directive and/or disable roaming profiles
    # Ex: userProfile="\\PDC-SMB3\profiles\%U"
    userProfile=
    
    # The default Home Drive Letter mapping
    # (will be automatically mapped at logon time if home directory exist)
    # Ex: userHomeDrive="H:"
    userHomeDrive="H:"
    And then added to smb.conf
    Code:
            logon drive = H:
            logon home = \\192.168.0.2\%u
            logon path =
            logon script = logon.cmd
    Am I missing something?

    Should I only be editing one of the two or should I be using the Debian path on any of those? (like /ldaphome/%U)

    I can browse/read/create manually in the folder, so it's not permissions - I don't think, it's set to '700'
    Last edited by Overcast32; February 19th, 2010 at 03:55 AM.
    Disclaimer: I'm still a bit of a Linux/Ubuntu noob myself!

  3. #63
    Join Date
    Feb 2010
    Beans
    1

    Re: Authenticating Windows to openLDAP server on Ubuntu 9.10

    I have followed your guide, but when I get to
    Code:
    ldapsearch -xLLL -b "dc=example,dc=com"
    I get the following output:
    Code:
     ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
    When I do a
    Code:
     ldapsearch -xLLL -b "dc=greenburghlibrary,dc=org" -h 127.0.0.1
    I get
    Code:
     dn: dc=greenburghlibrary,dc=org
    objectClass: dcObject
    objectClass: organizationalUnit
    dc: greenburghlibrary
    ou:: SECRET
    
    dn: cn=admin,dc=greenburghlibrary,dc=org
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: admin
    description: LDAP administrator
    
    dn: ou=Users,dc=greenburghlibrary,dc=org
    objectClass: organizationalUnit
    ou:: VXNlcnMg
    
    dn: ou=Groups,dc=greenburghlibrary,dc=org
    objectClass: organizationalUnit
    ou:: R3JvdXBzIA==
    
    dn: ou=Computers,dc=greenburghlibrary,dc=org
    objectClass: organizationalUnit
    ou:: Q29tcHV0ZXJzIA==
    
    dn: ou=Idmap,dc=greenburghlibrary,dc=org
    objectClass: organizationalUnit
    ou: Idmap
    When I get to net getlocalsid I get the following error:
    Code:
     [2010/02/23 14:30:26,  0] lib/smbldap.c:656(smb_ldap_start_tls)
      Failed to issue the StartTLS instruction: Protocol error
    [2010/02/23 14:30:27,  0] lib/smbldap.c:656(smb_ldap_start_tls)
      Failed to issue the StartTLS instruction: Protocol error
    [2010/02/23 14:30:28,  0] passdb/secrets.c:71(secrets_init)
      Failed to open /var/lib/samba/secrets.tdb
    [2010/02/23 14:30:28,  0] lib/util.c:1480(smb_panic)
      PANIC (pid 1972): could not open secrets db
    [2010/02/23 14:30:28,  0] lib/util.c:1584(log_stack_trace)
      BACKTRACE: 13 stack frames:
       #0 net(log_stack_trace+0x1a) [0x7effba310bca]
       #1 net(smb_panic+0x1f) [0x7effba310c8f]
       #2 net(get_global_sam_sid+0x6dd) [0x7effba2428dd]
       #3 net [0x7effba52f0c6]
       #4 net(smbldap_search_domain_info+0x2fe) [0x7effba52f68e]
       #5 net(pdb_init_ldapsam+0x173) [0x7effba2ce493]
       #6 net(make_pdb_method_name+0xe9) [0x7effba2bfc39]
       #7 net [0x7effba2c000c]
       #8 net(initialize_password_db+0x14) [0x7effba2c2e74]
       #9 net [0x7effba1c14a2]
       #10 net(main+0x7f9) [0x7effba1c0ed9]
       #11 /lib/libc.so.6(__libc_start_main+0xfd) [0x7effb7738abd]
       #12 net [0x7effba1c0609]
    [2010/02/23 14:30:28,  0] lib/util.c:1485(smb_panic)
      smb_panic(): calling panic action [/usr/share/samba/panic-action 1972]
    [2010/02/23 14:30:28,  0] lib/util.c:1493(smb_panic)
      smb_panic(): action returned status 0
    [2010/02/23 14:30:28,  0] lib/fault.c:307(dump_core)
      Can not dump core: corepath not set up
    I am also unable to add users or change passwords.


    Any ideas?
    Last edited by arylinth; February 23rd, 2010 at 08:45 PM.

  4. #64
    Join Date
    Dec 2009
    Beans
    14

    Re: Authenticating Windows to openLDAP server on Ubuntu 9.10

    Hey Abishur,
    Just wanted to say thanks for all your help and for the tutorial, learned so much about linux and I have a working PDC without paying Microsoft a cent. I appreciate you taking your time to do a tutorial like this. Thanks again.
    Josh

  5. #65
    Join Date
    Feb 2010
    Beans
    21

    Re: Authenticating Windows to openLDAP server on Ubuntu 9.10

    Quote Originally Posted by makak06 View Post
    Hi everyone,

    When I execute

    agnes@old:~$ sudo slapadd -v -l /etc/ldap/init.ldif

    I have this :

    /etc/ldap/slapd.conf: line 116: rootdn is always granted unlimited privileges.
    /etc/ldap/slapd.conf: line 133: rootdn is always granted unlimited privileges.
    added: "dc=example,dc=local" (00000001)
    added: "cn=admin,dc=example,dc=local" (00000002)
    added: "ou=Users,dc=example,dc=local" (00000003)
    added: "ou=Groups,dc=example,dc=local" (00000004)
    added: "ou=Computers,dc=example,dc=local" (00000005)
    added: "ou=Idmap,dc=example,dc=local" (00000006)
    _#################### 100.00% eta none elapsed none fast!
    Closing DB...


    I would like to know if the first two lines are errors, or just information?

    Hi to all !!!

    Makak06 and everybody, have you found an answer? I'm stuck on the same question!
    Thanks!

    Pablo

  6. #66
    Join Date
    Dec 2009
    Beans
    14

    Re: Authenticating Windows to openLDAP server on Ubuntu 9.10

    Quote Originally Posted by Pablo Alonso View Post
    Hi to all !!!

    Makak06 and everybody, have you found an answer? I'm stuck on the same question!
    Thanks!

    Pablo
    I believe that the first two lines will always appear; as long as you are getting the 100% at the end, I believe you should be good to go.

  7. #67
    Join Date
    Feb 2010
    Beans
    21

    Re: Authenticating Windows to openLDAP server on Ubuntu 9.10

    Quote Originally Posted by cbhr4u View Post
    I believe that the first two lines will always appear; as long as you are getting the 100% at the end, I believe you should be good to go.
    Hi cbhr4u, thanks for the reply and confirmation! Finally yesterday I thought that because everybody has posted similar results...

    I have another issue that was mentioned already but I cannot get rid of it the way it was suggested, maybe you have a clue...

    When doing smbldap-populate I get the same error as RomanJr, and I have triple-checked that the correct password is supplied in /etc/smbldap-tools/smbldap_bind.conf and that it is the same as provided in steps:

    slappasswd -s YOUR-PASSWORD-GOES-HERE

    and

    smbpasswd -W


    I don't understand what's wrong! ... help appreciated....

    regards,
    Pablo


    Quote Originally Posted by RomanJr View Post
    Hi..First off thanks for this great tutorial.

    rromanjr@ubuntu-svr:/usr/sbin$ sudo smbldap-populate
    Populating LDAP directory for domain RTECH (S-1-5-21-2673721247-2330088800-401481966)
    (using builtin directory structure)

    entry dc=RTECH,dc=local already exist.
    entry ou=Users,dc=RTECH,dc=local already exist.
    entry ou=Groups,dc=RTECH,dc=local already exist.
    entry ou=Computers,dc=RTECH,dc=local already exist.
    entry ou=Idmap,dc=RTECH,dc=local already exist.
    adding new entry: uid=root,ou=Users,dc=RTECH,dc=local
    failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 499, <GEN1> line 55.
    adding new entry: uid=nobody,ou=Users,dc=RTECH,dc=local
    failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 499, <GEN1> line 83.
    adding new entry: cn=Domain Admins,ou=Groups,dc=RTECH,dc=local
    failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 499, <GEN1> line 95.
    adding new entry: cn=Domain Users,ou=Groups,dc=RTECH,dc=local
    failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 499, <GEN1> line 106.
    adding new entry: cn=Domain Guests,ou=Groups,dc=RTECH,dc=local
    failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 499, <GEN1> line 117.
    adding new entry: cn=Domain Computers,ou=Groups,dc=RTECH,dc=local
    failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 499, <GEN1> line 128.
    adding new entry: cn=Administrators,ou=Groups,dc=RTECH,dc=local
    failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 499, <GEN1> line 173.
    adding new entry: cn=Account Operators,ou=Groups,dc=RTECH,dc=local
    failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 499, <GEN1> line 195.
    adding new entry: cn=Print Operators,ou=Groups,dc=RTECH,dc=local
    failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 499, <GEN1> line 206.
    adding new entry: cn=Backup Operators,ou=Groups,dc=RTECH,dc=local
    failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 499, <GEN1> line 217.
    adding new entry: cn=Replicators,ou=Groups,dc=RTECH,dc=local
    failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 499, <GEN1> line 228.
    entry sambaDomainName=RTECH,dc=RTECH,dc=local already exist. Updating it...
    failed to modify entry: modifications require authentication at /usr/sbin/smbldap-populate line 492, <GEN1> line 236.

    Please provide a password for the domain root:
    /usr/sbin/smbldap-passwd: user root doesn't exist
    rromanjr@ubuntu-svr:/usr/sbin$


    not sure where to go from here...I did not have any errors up till now and I am not sure how to fix the root doesn't exist.

  8. #68
    Join Date
    Dec 2009
    Beans
    14

    Re: Authenticating Windows to openLDAP server on Ubuntu 9.10

    By no means am I a Linux expert, but it almost looks like you don't have admin rights when you run smbldap-populate. Are you doing it as root? If not you may try that, or do a sudo when you run it.

    Quote Originally Posted by Pablo Alonso View Post
    Hi cbhr4u, thanks for the reply and confirmation! Finally yesterday I thought that because everybody has posted similar results...

    I have another issue that was mentioned already but I cannot get rid of it the way it was suggested, maybe you have a clue...

    When doing smbldap-populate I get the same error as RomanJr, and I have triple-checked that the correct password is supplied in /etc/smbldap-tools/smbldap_bind.conf and that it is the same as provided in steps:

    slappasswd -s YOUR-PASSWORD-GOES-HERE

    and

    smbpasswd -W


    I don't understand what's wrong! ... help appreciated....

    regards,
    Pablo

  9. #69
    Join Date
    Feb 2010
    Beans
    21

    Re: Authenticating Windows to openLDAP server on Ubuntu 9.10

    Quote Originally Posted by cbhr4u View Post
    By no means am I a Linux expert, but it almost looks like you don't have admin rights when you run smbldap-populate. Are you doing it as root? If not you may try that, or do a sudo when you run it.
    Hi cbhr4u, I have found and overcome the problem!!!

    the answer is:

    In smbldap_bind.conf it says by default "Manager" instead of "admin".
    I figured it out looking in the installldap.sh automated script posted here: http://ubuntuforums.org/showpost.php...9&postcount=24

    ############################
    # Credential Configuration #
    ############################
    # Notes: you can specify two differents configuration if you use a
    # master ldap for writing access and a slave ldap server for reading access
    # By default, we will use the same DN (so it will work for standard Samba
    # release)
    slaveDN=\"cn=admin,$LdapDomain\"
    slavePw=\"$Ldappasswd\"
    masterDN=\"cn=admin,$LdapDomain\"
    masterPw=\"$Ldappasswd\"
    Thanks for your help !!! I'm going to continue now to achieve ultimate success !!!

    Regards,
    Pablo
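
Added example, not part of the original posts: post #69 traces the smbldap-populate "modifications require authentication" failures to masterDN in smbldap_bind.conf naming "Manager" instead of "admin". The script below checks for that mismatch against slapd.conf and also checks the mode of the file that stores masterPw; it runs on constructed sample files, and the function names and the dc=example,dc=local suffix are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Checks that the DN smbldap-tools binds
# with for writes is a rootdn in slapd.conf, and that the file storing the
# cleartext masterPw is readable by its owner only.

# Normalise a DN for comparison: drop spaces after commas, lowercase.
norm_dn() { sed 's/,[[:space:]]*/,/g' | tr '[:upper:]' '[:lower:]'; }

# Value of a key="value" line in smbldap_bind.conf ($1 = key, $2 = file).
bind_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$2" | tail -n 1
}

# Every rootdn declared in slapd.conf ($1 = file).
slapd_rootdns() {
    sed -n 's/^rootdn[[:space:]][[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1"
}

# Return 0 only if masterDN matches a rootdn and the file mode is owner-only.
check_bind_dn() {   # $1 = smbldap_bind.conf, $2 = slapd.conf
    rc=0
    master=$(bind_value masterDN "$1" | norm_dn)
    if [ -n "$master" ] && slapd_rootdns "$2" | norm_dn | grep -qxF "$master"; then
        echo "OK: masterDN '$master' is a rootdn in $2"
    else
        echo "MISMATCH: masterDN '$master' is not a rootdn in $2"
        rc=1
    fi
    # In the ls -l mode string, characters 5-10 are the group and other bits.
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        echo "WARN: $1 stores masterPw and is accessible beyond its owner"
        rc=1
    fi
    return $rc
}

# Constructed sample files: the "Manager" default versus the corrected "admin".
demo=$(mktemp -d)
printf 'rootdn          "cn=admin,dc=example,dc=local"\n' > "$demo/slapd.conf"
printf 'masterDN="cn=Manager,dc=example,dc=local"\nmasterPw="placeholder"\n' > "$demo/bind_default.conf"
printf 'masterDN="cn=admin,dc=example,dc=local"\nmasterPw="placeholder"\n' > "$demo/bind_fixed.conf"
chmod 600 "$demo/bind_default.conf" "$demo/bind_fixed.conf"
check_bind_dn "$demo/bind_default.conf" "$demo/slapd.conf" || true
check_bind_dn "$demo/bind_fixed.conf" "$demo/slapd.conf"
```

On a real server the two arguments would be /etc/smbldap-tools/smbldap_bind.conf and /etc/ldap/slapd.conf, the paths named in this thread.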

  10. #70
    Join Date
    Feb 2010
    Beans
    21

    Re: Authenticating Windows to openLDAP server on Ubuntu 9.10

    Quote Originally Posted by Overcast32 View Post
    One question though - if I want to set up H: drives in Windows for the users - not profiles at all, just an H: drive mapping to /ldaphome/username.. what all would I need to add?

    I tried this - but no luck just yet.

    Added to smbldap.conf

    Code:
    # The UNC path to home drives location (%U username substitution)
    # Just set it to a null string if you want to use the smb.conf 'logon home'
    # directive and/or disable roaming profiles
    # Ex: userSmbHome="\\PDC-SMB3\%U"
    userSmbHome="\\192.168.0.2\%U"
    
    # The UNC path to profiles locations (%U username substitution)
    # Just set it to a null string if you want to use the smb.conf 'logon path'
    # directive and/or disable roaming profiles
    # Ex: userProfile="\\PDC-SMB3\profiles\%U"
    userProfile=
    
    # The default Home Drive Letter mapping
    # (will be automatically mapped at logon time if home directory exist)
    # Ex: userHomeDrive="H:"
    userHomeDrive="H:"
    And then added to smb.conf
    Code:
            logon drive = H:
            logon home = \\192.168.0.2\%u
            logon path =
            logon script = logon.cmd
    Am I missing something?

    Should I only be editing one of the two or should I be using the Debian path on any of those? (like /ldaphome/%U)

    I can browse/read/create manually in the folder, so it's not permissions - I don't think, it's set to '700'
    Hi, I have it working now.
    Forget using smbldap.conf;
    use /etc/samba/smb.conf to do this.

    Suggestion: have you tried using %U instead of %u? I have read somewhere you can try %S instead. Don't know why.

    Also I have configured this, just in case it is useful somehow...
    logon path = \\servername\%U


    Good luck,
    Pablo
    Last edited by Pablo Alonso; March 17th, 2010 at 05:40 PM.
