Need your help with an OpenLDAP/Samba installation

Hello everyone,

I am trying to install OpenLDAP as a domain controller coupled with Samba, but I have a problem.
Indeed, when I try to add a group I get the following error message:

I have searched pretty much everywhere and looked at examples of smbldap.conf, and I cannot find the solution to my problem …

Hoping you can help me … :smiley:

I am putting the config files below:

smbldap.conf :

[quote]# $Source: /opt/cvs/samba/smbldap-tools/configure.pl,v
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

# This code was developped by IDEALX (IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright © 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

# Purpose :
# . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-1832087512-763905416-3676029977"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="longwy"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="192.168.0.200"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="192.168.0.200"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify=""

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile=""

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert=""

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey=""

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=longwy,dc=local"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=longwy,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format=""

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\PDC-SMB3%U"
userSmbHome="\SRVPDC%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\PDC-SMB3\profiles%U"
userProfile="\SRVPDC\profiles%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain=""

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
no_banner="1"

[/quote]

smbldap_bind.conf :

[quote]############################
# Credential Configuration
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=admin,dc=longwy,dc=local"
slavePw="monmdp"
masterDN="cn=admin,dc=longwy,dc=local"
masterPw="monmdp"
[/quote]

smb.conf :

[quote][global]
workgroup = longwy
netbios name = SRVPDC
security = user
server string = Samba Server %v

 encrypt passwords = Yes
 ldap passwd sync = yes

 passwd program = /usr/sbin/smbldap-passwd -u "%u"
 passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

log level = 3
syslog = 3
log file = /var/log/samba/log.%U
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
Dos charset = CP932
Unix charset = UTF-8
domain logons = Yes
domain master = Yes
local master = Yes
logon home = \SRVPDC%U
logon path = \SRVPDC\profiles%U
logon script = logon.bat
logon drive = H:
os level = 65
preferred master = Yes
dns proxy = no
wins support = yes
passdb backend = ldapsam:ldap://192.168.0.200/

ldap admin dn = cn=admin,dc=longwy,dc=local
ldap suffix = dc=longwy,dc=local
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers

add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

ldap ssl = no
create mask = 0640
directory mask = 0750
guest account = nobody
map to guest = Bad User

[homes]
comment = Dossiers personnels
browseable = no
writable = yes
guest ok = no
valid users = %U, longwy%U

[netlogon]
path = /home/netlogon/%G
browseable = No
read only = yes
guest ok = no

[profiles]
comment = profils itinerants
path = /home/profiles
browseable = no
writable = yes
guest ok = no
create mask = 0700
directory mask = 0700
valid users = %U, longwy%U

[public]
comment = Dossier public
path = /home/public
writable = yes
public = yes
create mask = 0777
directory mask = 0777
[/quote]

Anyone? :cry:

Bump :006 Nobody to lend a hand? :cry:

Hi,

Which documentation(s) did you follow to do this, any link(s)?

[quote="piims94"]Indeed, when I try to add a group I get the following error message:

[mono]No such object at /usr/share/perl5/smbldap_tools.pm line 454.[/mono][/quote]

What is the (exact) command run during your attempts to create (the group)?

[mono]#
…blabla…

[/mono]

[quote="piims94"]# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="longwy"
[/quote]

?

[quote]you must determine what the root of your LDAP directory will be.

By default, your tree will be determined by your fully qualified domain name (FQDN).

If your domain is example.com (which we will use in this example), your root node will be dc=example,dc=com. [/quote]

What does this file [mono]/usr/share/perl5/smbldap_tools.pm[/mono] contain? (line 454)

[mono]$ cat /etc/ldapscripts/ldapscripts.conf[/mono] ?

[quote="piims94"]# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"[/quote]

?

[quote="piims94"]add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
[/quote]

?

Hello BelZéButh,

Thanks for your help.

I am using the PDF available on this site:

google.fr/url?q=http://samue … enLDAP.pdf

To create a group, I run the following command:

[quote]piims94 wrote:

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="longwy"

?[/quote]

longwy is the name of my domain.

[quote]Quote:
you must determine what the root of your LDAP directory will be.

By default, your tree will be determined by your fully qualified domain name (FQDN).

If your domain is example.com (which we will use in this example), your root node will be dc=example,dc=com.

What does this file /usr/share/perl5/smbldap_tools.pm contain? (line 454)

$ cat /etc/ldapscripts/ldapscripts.conf ?[/quote]

When I enter this command I get this response.

[quote]root@SRVPDC:/etc/smbldap-tools# cat /etc/ldapscripts/ldapscripts.conf
cat: /etc/ldapscripts/ldapscripts.conf: Aucun fichier ou dossier de ce type[/quote]

At line 454 of the file /usr/share/perl5/smbldap_tools.pm I have this:

[quote] $mesg->code && die $mesg->error;
[/quote]

[quote]piims94 wrote:

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

?

piims94 wrote:
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

?[/quote]

I don't understand your question :s

I remain available for any further information.

PS: If the doc I am using is out of date or not good, and you have an up-to-date and effective doc, I am ready to redo my lab with the right doc if need be … :slightly_smiling:

Hi again,

[quote="piims94"]To create a group, I run the following command:

[mono]smbldap-groupadd -a Groupe direction[/mono]
[/quote]

I went through the doc (excellent, and archived) and it would seem (unless it is a typing error/omission) that the syntax is not being followed.

[quote]1.7.1. Creating a group

We are now going to create a user group (for example, here the group «Atelier de saisie») and we will see later how to use it.
To do so we will use one of the commands of the smbldap-tools suite:

[mono]root@LDAP1:~# smbldap-groupadd -a 'Groupe test[/mono]

#Command: -a
enables auto-mapping when the group is created (creation of the security identifier and group identifier (SID and GID))[/quote]

[mono]:~# smbldap-groupadd -a 'Groupe test[/mono] right?

As far as syntax goes I have tried everything … And every time I get the same error message … I don't know what to do any more.

Hi,

Adding a group is done via the command: [mono]smbldap-groupadd[/mono].

The latter comes from the package [mono]smbldap-tools[/mono]

[mono][10:35:59] ~ # apt-file search smbldap-groupadd
smbldap-tools: /usr/sbin/smbldap-groupadd
smbldap-tools: /usr/share/man/man8/smbldap-groupadd.8.gz
[10:36:29] ~ #[/mono]

A good number of bugs are attributed to it (fixed or not).

[mono][10:39:10] ~ # apt-listbugs list smbldap-tools -s all
Récupération des rapports de bogue… Fait
Analyse des informations Trouvé/Corrigé… Fait
Bogues de gravité normal sur smbldap-tools (-> ) <transféré>
 #582388 - The smbldap-useradd command appears to have some support for user private groups, but it is incomplete.
Bogues de gravité wishlist sur smbldap-tools (-> ) <transféré>
 #323797 - smbldap-useradd -w does not add sambaSamAccount objectClass
 #339468 - smbldap-tools: No man page for smbldap.conf and smbldap_bind.conf
Bogues de gravité important sur smbldap-tools (-> ) <non corrigé>
 #548713 - smbldap-tools: smbldap -i fails because objectClass 'account' cant transform to 'inetOrgPerson'
 #512260 - smbldap-tools: Quotes in the arguments are not handled correctly
 #691329 - smbldap-grouplist fails: Can't use string ("['gid','cn']") as an ARRAY ref while "strict refs" in use
 #579399 - smbldap-tools: Error adding Windows User
 #505914 - smbldap-tools: smdldap-useradd strangely parses options
 #711933 - smbldap-tools: Some samba attributes are not added when using smbldap-useradd
 #692530 - [regression] option -h of smbldap-usershow doesn't show non date fields
 #572394 - smbldap-populate: wrong default administrator login name
 #566400 - smbldap-tools: sambaDomain not read from smb.conf
Bogues de gravité normal sur smbldap-tools (-> ) <non corrigé>
 #401846 - Warning: getdate(): Cannot perform date calculation
 #636256 - smbldap-tools: Fail to join Windows 7 or Windows 2008 Machine to Samba Domain
 #595799 - smbldap-tools userinfo doesn't set LDAP field "displayName"
 #344422 - smbldap-tools: LDAP + SSL not working
 #697225 - smbldap-tools: config(ure).pl script not included
 #339307 - /usr/sbin/smbldap-usershow: Two Perl errors while using smbldap-usershow
 #435233 - smbldap-tools Passwords expire regardless of settings
 #521160 - smbldap-tools: error with passwd chat in README.Debian
 #339314 - /usr/sbin/smbldap-useradd: Lots of Perl errors with various commands from smbldap-tools
 #578861 - -T option incorrectly split parameters
 #520517 - smbldap-utils -i Switch is required for add-machine-script
 #679936 - smbldap-tools: smbldap-useradd does not work with -M
Bogues de gravité minor sur smbldap-tools (-> ) <non corrigé>
 #511222 - smbldap-tools: Small error in instructions from README.Debian
Bogues de gravité wishlist sur smbldap-tools (-> ) <non corrigé>
 #378170 - Set sn, givenName and cn to more sensibale values
 #378172 - Support for shadow attributes
 #286218 - Configuration files omitted in package installation
Résumé :
 smbldap-tools(28 bogues)
[10:39:23] ~ #[/mono]

Bug : #680939
Bug : #681350
Bug : #670246

The list is long …

These ones show:

[mono]Found in version smbldap-tools/0.9.7-1
Fixed in version smbldap-tools/0.9.9-1[/mono]

Bug : #566400

You should consider upgrading this package to the Testing version (Jessie). It can't hurt … :wink:

Install Samba+OpenLDAP on Debian 7 Wheezy

[mono][10:50:58] ~ # apt-cache policy smbldap-tools
smbldap-tools:
Installé : (aucun)
Candidat : 0.9.7-1+deb7u1
Table de version :
0.9.9-1 0
97 ftp.fr.debian.org/debian/ testing/main i386 Packages
95 ftp.fr.debian.org/debian/ unstable/main i386 Packages
0.9.7-1+deb7u1 0
990 ftp.fr.debian.org/debian/ stable/main i386 Packages
0.9.5-1 0
500 ftp.fr.debian.org/debian/ oldstable/main i386 Packages
[10:51:01] ~ #[/mono]

Hang in there, Jeannot … :wink:
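The message quoted in the thread, "No such object", is the LDAP result a server returns when an entry addressed by a request does not exist, so one thing worth verifying is that every DN derived from smbldap.conf is actually present in the directory. The script below is an added example, not part of any post and not smbldap-tools code; its function names are made up for illustration, and it assumes `ldapsearch` from the OpenLDAP client tools is installed and that an anonymous simple bind may read those entries.

```shell
#!/bin/sh
# Added example, not from the thread (function names are illustrative):
# list the DNs smbldap-tools will address and check that each one exists.

# Constructed sample: the DN-related lines of the smbldap.conf posted above.
SAMPLE_CONF='suffix="dc=longwy,dc=local"
sambaDomain="longwy"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=longwy,${suffix}"'

# conf_get KEY [FILE]: raw value of KEY (last assignment wins, comments are
# skipped); reads FILE or, without one, the embedded sample.
conf_get() {
    if [ -n "${2:-}" ]; then cat -- "$2"; else printf '%s\n' "$SAMPLE_CONF"; fi |
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" |
        tail -n 1
}

# resolve KEY [FILE]: value of KEY with ${suffix} and ${sambaDomain} expanded.
# The file is parsed as text, never sourced, so nothing in it is executed.
resolve() {
    _sfx=$(conf_get suffix "${2:-}")
    _dom=$(conf_get sambaDomain "${2:-}")
    conf_get "$1" "${2:-}" |
        sed -e "s|[\$]{suffix}|$_sfx|g" -e "s|[\$]{sambaDomain}|$_dom|g"
}

# base_dns [FILE]: the suffix, then every configured container, one per line.
base_dns() {
    conf_get suffix "${1:-}"
    for _key in usersdn computersdn groupsdn idmapdn sambaUnixIdPooldn; do
        resolve "$_key" "${1:-}"
    done
}

# check_dns URI [FILE]: base-scope lookup of each DN. Assumes ldapsearch from
# the OpenLDAP client tools and read access for an anonymous simple bind.
check_dns() {
    base_dns "${2:-}" | while IFS= read -r _dn; do
        if ldapsearch -x -LLL -H "$1" -b "$_dn" -s base 1.1 >/dev/null 2>&1; then
            echo "present  $_dn"
        else
            echo "absent or unreadable (ldapsearch exit $?)  $_dn"
        fi
    done
}

# With a URI (and optionally a config path) query the server; with no
# argument only print the DNs derived from the sample.
if [ "$#" -ge 1 ]; then check_dns "$@"; else base_dns; fi
```

Given a server URI and the path of the real configuration file, it queries the directory for each DN; a container reported absent is a candidate for the entry the tool could not find.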