Samba PDC + Ldap - Debian Wheezy

1. Samba PDC + Ldap - Debian Wheezy

Hugo Prudente
shikimaru

(uses Gentoo)

Sent on 18/09/2013 - 10:09h

Folks,

I am doing a deployment on Debian Wheezy using LDAP and Samba, everything on the latest version.

The network will run a mix of Windows and Linux hosts.

LDAP is already configured and is being populated perfectly.

Samba apparently is 100% too, since the machines can see it.

Here is my problem:

When I integrate the two tools, it only works partially.

Problems:
The users are not authenticating; they get the following error:
LINUX
$ smbclient -L localhost -U hugo.prudente
Server's Role (logon server) NOT ADVISED with domain-level security
Enter hugo.prudente's password:
session setup failed: NT_STATUS_LOGON_FAILURE
WINDOWS
Sep 18 10:03:35 akira smbd[11901]: check_ntlm_password: Authentication for user [hugo.prudente] -> [hugo.prudente] FAILED with error NT_STATUS_NO_SUCH_USER
Sep 18 10:03:46 akira smbd[11901]: receive_smb_raw_talloc failed for client 192.168.254.173 read error = NT_STATUS_CONNECTION_RESET.

And if I test smbldap-populate, it says it cannot join the domain in LDAP:
Use of qw(...) as parentheses is deprecated at /usr/share/perl5/smbldap_tools.pm line 1423, <DATA> line 558.
Populating LDAP directory for domain FX (S-1-5-21-4009107152-4057897960-1818412871)
(using builtin directory structure)

entry dc=fx,dc=com,dc=br already exist.
entry ou=pessoas,dc=fx,dc=com,dc=br already exist.
entry ou=grupos,dc=fx,dc=com,dc=br already exist.
entry ou=computadores,dc=fx,dc=com,dc=br already exist.
entry ou=idmap,dc=fx,dc=com,dc=br already exist.
failed to search entry: invalid DN at /usr/sbin/smbldap-populate line 480.

syslog:
Sep 18 10:08:46 akira slapd[11497]: conn=1125 op=6 do_search: invalid dn: "sambaDomainName=FX,dc=fx,dc=com,dc=br"

Thanks!


  


2. Re: Samba PDC + Ldap - Debian Wheezy

Daniel Magalhães Bicalho
danielmb

(uses Gentoo)

Sent on 18/09/2013 - 10:17h

Shikamaru,
it looks like the problem is in the smbldaptools configuration.
Did you check whether the /etc/smbldaptools_bind.conf file has the correct DN for the LDAP administrator?



3. Re: Samba PDC + Ldap - Debian Wheezy

Hugo Prudente
shikimaru

(uses Gentoo)

Sent on 18/09/2013 - 11:19h

Daniel,

All good?

So, here is my smbldap.conf:

# $Id$
#
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=admin,dc=fx,dc=com,dc=br"
slavePw="secret"
masterDN="cn=admin,dc=fx,dc=com,dc=br"
masterPw="secret"


In "secret" I had already put the LDAP password, and I also already set it to "secret", which is the name of the file.


4. Re: Samba PDC + Ldap - Debian Wheezy

Daniel Magalhães Bicalho
danielmb

(uses Gentoo)

Sent on 18/09/2013 - 13:16h

shikamaru, is that information what you use to authenticate to the LDAP server?



5. Re: Samba PDC + Ldap - Debian Wheezy

Hugo Prudente
shikimaru

(uses Gentoo)

Sent on 18/09/2013 - 14:21h

Daniel,

Yes, I use this DN in phpldapadmin and it works normally.

The _bind file is where you put the password itself, right, and not the file name? Just to make sure I didn't get it wrong.


6. Re: Samba PDC + Ldap - Debian Wheezy

Daniel Magalhães Bicalho
danielmb

(uses Gentoo)

Sent on 18/09/2013 - 15:01h

shikimaru, post the relevant information from your smbldaptools.conf.
Did you enter the SID correctly in that file?
Post the relevant information from smb.conf too.




7. Re: Samba PDC + Ldap - Debian Wheezy

Hugo Prudente
shikimaru

(uses Gentoo)

Sent on 18/09/2013 - 15:34h

root@akira:/mnt/samba/sistemas# cat /etc/smbldap-tools/smbldap.conf
# $Id$
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

# Purpose :
# . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-4009107152-4057897960-1818412871"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="FX"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="192.168.254.1"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="192.168.254.1"

# Master LDAP port
# If not defined, parameter is set to "389"
#masterPort="389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "0"
ldapTLS="0"

# Use SSL for LDAP
# If set to 1, this option will use SSL for connection
# (standard port for ldaps is 636)
# If not defined, parameter is set to "0"
ldapSSL="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.example.com.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.example.com.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=fx,dc=com,dc=br"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=pessoas,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=computadores,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=grupos,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=FX,dc=fx,dc=com,dc=br"

# Default scope Used
scope="sub"

# Unix password hash scheme (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
# If set to "exop", use LDAPv3 Password Modify (RFC 3062) extended operation.
password_hash="SSHA"

# if password_hash is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
password_crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/mnt/samba/profiles/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Treat shadowAccount object or not
shadowAccount="1"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\AKIRA\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\AKIRA\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="N:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
#mailDomain="example.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd="0" in smbldap.conf) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd="0" in smbldap.conf)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"
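Two things in this thread are worth checking mechanically: the slapd line in post 1, "invalid dn: sambaDomainName=FX,dc=fx,dc=com,dc=br", is what OpenLDAP returns when an attribute type used in a DN is not defined in the schema it has loaded (the DN itself is well formed), and the smbldap.conf in post 7 binds as cn=admin to 192.168.254.1 with ldapTLS="0" and ldapSSL="0", so the bind password and the Samba password hashes cross the network unencrypted. The following linter is an added example written for this thread; it is not code from smbldap-tools or from either poster. It assumes smbldap-tools' key="value" file syntax, and the two attribute-type sets are constructed stand-ins for what slapd knows with and without samba.schema; the sample config is a constructed excerpt of the posted file with the password replaced by a placeholder.

```python
"""Lint an smbldap.conf: expand ${var}, validate the DNs it builds against a
schema allowlist, and flag cleartext binds to remote LDAP servers.
Added example, not smbldap-tools code; schema sets below are constructed."""
import re

# Constructed sample: relevant lines of the posted file, password replaced.
SAMPLE_CONF = """\
SID="S-1-5-21-4009107152-4057897960-1818412871"
sambaDomain="FX"
slaveLDAP="192.168.254.1"
masterLDAP="192.168.254.1"
ldapTLS="0"
ldapSSL="0"
suffix="dc=fx,dc=com,dc=br"
usersdn="ou=pessoas,${suffix}"
groupsdn="ou=grupos,${suffix}"
sambaUnixIdPooldn="sambaDomainName=FX,dc=fx,dc=com,dc=br"
masterDN="cn=admin,dc=fx,dc=com,dc=br"
masterPw="PLACEHOLDER_PASSWORD"
"""

# Constructed allowlists of attribute types (lowercased, as slapd matches them).
CORE_ATTRS = {"dc", "ou", "cn", "o", "uid"}                  # samba.schema absent
SAMBA_ATTRS = CORE_ATTRS | {"sambadomainname", "sambasid"}  # samba.schema loaded

DN_KEYS = ("usersdn", "computersdn", "groupsdn", "idmapdn", "sambaUnixIdPooldn")
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")
KV_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(?:"([^"]*)"|(\S+))')


def parse_conf(text):
    """Parse key="value" lines, skip comments, expand ${var} references."""
    raw = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KV_RE.match(line)
        if m:
            raw[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)

    def expand(value):
        return re.sub(r"\$\{(\w+)\}", lambda m: raw.get(m.group(1), ""), value)

    return {k: expand(v) for k, v in raw.items()}


def dn_attr_types(dn):
    """Attribute types of each RDN (RFC 4514 shape), lowercased; ValueError if malformed."""
    types = []
    for rdn in re.split(r"(?<!\\),", dn):        # unescaped commas separate RDNs
        for ava in re.split(r"(?<!\\)\+", rdn):  # unescaped '+' joins multi-valued RDNs
            if "=" not in ava:
                raise ValueError("RDN component without '=': %r" % ava)
            types.append(ava.split("=", 1)[0].strip().lower())
    return types


def unknown_types(dn, schema):
    """Attribute types in dn that the server's loaded schema does not define."""
    return [t for t in dn_attr_types(dn) if t not in schema]


def lint(conf, schema):
    """Return a list of findings for a parsed config under the given schema."""
    findings = []
    suffix = conf.get("suffix", "")
    for key in DN_KEYS:
        dn = conf.get(key)
        if not dn:
            continue
        try:
            unknown = unknown_types(dn, schema)
        except ValueError as exc:
            findings.append("%s: malformed DN (%s)" % (key, exc))
            continue
        if unknown:
            # Well-formed DN, but slapd rejects attribute types it has no schema for.
            findings.append("%s: attribute type(s) %s not in server schema; "
                            "slapd will answer 'invalid DN'" % (key, unknown))
        if suffix and not dn.lower().endswith(suffix.lower()):
            findings.append("%s: %s is not under suffix %s" % (key, dn, suffix))
    if not SID_RE.match(conf.get("SID", "")):
        findings.append("SID: missing or not of the form S-1-5-21-x-y-z")
    encrypted = conf.get("ldapTLS", "0") == "1" or conf.get("ldapSSL", "0") == "1"
    for host_key in ("slaveLDAP", "masterLDAP"):
        host = conf.get(host_key, "127.0.0.1")
        if host not in LOCAL_HOSTS and not encrypted:
            findings.append("%s=%s: bind DN, password and password hashes travel "
                            "in cleartext (ldapTLS=0, ldapSSL=0)" % (host_key, host))
    return findings


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for label, schema in (("without samba.schema", CORE_ATTRS),
                          ("with samba.schema", SAMBA_ATTRS)):
        print("--", label)
        for finding in lint(conf, schema):
            print("  ", finding)
```

Run against the sample, the CORE_ATTRS pass reproduces the thread's symptom (sambaUnixIdPooldn rejected because sambaDomainName is unknown to the server) and the SAMBA_ATTRS pass does not, which is the distinction to check on the real server by confirming the Samba schema is included in slapd's configuration; the cleartext finding fires in both passes and is resolved by ldapTLS="1" with a CA file the server certificate chains to, or by ldapSSL="1" on port 636.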



8. Re: Samba PDC + Ldap - Debian Wheezy

Daniel Magalhães Bicalho
danielmb

(uses Gentoo)

Sent on 18/09/2013 - 16:17h

I didn't see anything that could be missing?
Did you run the smbpasswd -w command and the smbldap-passwd -w command?





