Fedora Servers :: Samba And OpenLDAP Centralized Authentication

Aug 27, 2011

Some time ago I was trying to implement a Linux PDC server with Samba and OpenLDAP for centralized authentication of Windows and Linux clients, but I can NOT get it working. So I read somewhere that there is another option called Directory Server and maybe it is possible to do it with that. According to your experience, do you recommend any 'how to' or 'tutorial' that will permit implementing a PDC server for authenticating and sharing files and printers for Windows and Linux clients?


Networking :: Centralized Authentication For Windows Clients Using LDAP/SAMBA And LAM?

Dec 29, 2008

I have been able to accomplish my goal of creating an AD-like authentication using LDAP, SAMBA and LAM. From what I have seen you can have this type of setup but it doesn't allow the passing of group policies to the desktops of the users.


General :: Centralized Authentication Fedora/ubuntu/win7?

Jun 14, 2011

Is it possible/advisable to have centralized authentication across fedora 14, ubuntu 10.04, and win7 machines? I'm attempting to use 389 Directory Server on Fedora as the repository and not getting very far.


Networking :: Centralized Authentication For Existing Network ?

Apr 29, 2010

This is what I have... An existing network with about 2 dozen Linux servers, varied distros, and about 3 dozen workstations, the vast majority of which are Windows XP pro, but there is one Windows Vista business, two Ubuntu, one Mac, and soon to be a Windows 7 pro. User accounts vary across all servers. There are 4 samba servers hosting different file shares.

This is what I need to do... I must centralize the user password database for all workstations if possible, if not, at least for all the windows workstations. I also need the user passwords for the samba file shares to be synchronized with those of the workstations. I need to have the workstation/file-share passwords expire every 90 days. I also must centralize the user passwords for all Linux Servers, but this can be done separately and I know there are tools like Kerberos available for this.

Is this possible to do with so many user accounts already existing in so many different places on the network, or would this "centralized authentication" require new user accounts to be created across the network?

If this is possible, what tools/services are the easiest and fastest to set this up with? As usual, I have an urgent deadline looming over me for this project and am trying as hard as I can to avoid the company slipping back into the realm of M$ or other proprietary software to accomplish this. Keep in mind, I don't need any additional services, such as roaming profiles, or anything like that. I really just need a centralized password database that can be referenced by Windows, and the Samba file shares.


Ubuntu Servers :: Samba As Domain Member Server Authentication

Apr 20, 2010

I've been working for hours with Samba on Ubuntu Server 9.10 (Samba version 3.4.0), trying to get it set up simply as a fileserver that performs authentication to an NT 4 server (yes, I know, old and out of date). After much struggling, I finally realized that my configuration *was* working when the clients connecting (from XP, and Win2k clients, mostly) were actually joined to the domain (where the PDC is the NT 4 Server) and logged into the domain. For various reasons, many of the Windows clients at this location don't actually log into the domain, even though they have login/passwords that are valid users on the domain and they'll typically have some drives mapped to the PDC.

By the way, I have this working on another Linux box running Samba 3.0.28, so I'm sure it's possible, I'm just lost as to how to do it. I can provide plenty more information if it would help diagnose the situation. Does anyone have an idea of how I can get this to work? I'm sure it's possible, since the exact scenario worked in a recent version of Samba.


Ubuntu Servers :: Making A Samba Server With LDAP Authentication?

Oct 24, 2010

Making a Samba Server with LDAP authentication. Will post as I go along. Found these sources, anything/hiccups I should know before jumping in? Figure would follow the official documentation then check the others for comparative errors.

https://help.ubuntu.com/10.04/server...ap-server.html
https://help.ubuntu.com/10.04/server...amba-ldap.html
http://tuxnetworks.blogspot.com/2010...cid-short.html

Also, do other computers that want access to the server also need samba installed (or just the client)?

The server is 10.04 and my proposed client is 10.10, does this create problems?

Do I need to use ACL? I see them only in certain places.

Using xfce after Ubuntu install, not sure if this matters.


Ubuntu Servers :: Ldap Samba/unix Password Authentication Management

Feb 10, 2010

I maintain a samba PDC for a small business, our current setup does not work very well; on a hardware upgrade I directly imported the old ldap database and attempting to add machines to the domain causes all sorts of trouble.

I'm 95% sure the original database (which predates my employment) was created using the idealx smb-ldap tools, unfortunately on our current platform (debian lenny) these tools seem to be broken; the only things they seem to do reliably are set passwords and add posix users, asking them to do anything involving samba/windows causes errors. The idealx tools seem to be abandoned, and I don't know enough perl to try and fix them.

Since the idealx scripts seem to be abandoned, and most of the good samba+ldap how-tos reference the idealx tools, I was wondering what people use nowadays to manage their ldap directories; surely they aren't importing .ldif files to add new users/machines like I've been doing. Are people just writing their own management scripts/web-apps? Or are the smb-ldap tools just broken on debian? How to generate the NT/LM password hashes and proper SIDs, does anybody have anything they could point me to about this?


Server :: Openldap And Self Authentication?

Aug 24, 2010

I was thinking of merging my openldap and samba bdc servers. Is it ok for a server to authenticate against itself? (ie ldap.conf points to localhost)


Networking :: WiFi Connection And Authentication Through OpenLDAP?

May 24, 2010

Is it possible to monitor WiFi connections and identify who are connected through OpenLDAP? If so, how will authentication be possible? By the way, I'm open if OpenLDAP is inappropriate for such authentication purposes and scenario.


Server :: OpenLDAP Authentication - Unable To Login?

Dec 22, 2010

I have configured an LDAP server and am trying to log in to the same LDAP server using an LDAP user. However, I am not able to log in and am getting the following in /var/log/secure:

Dec 22 20:06:29 redhat5 sshd[7241]: Invalid user ldapu1 from 192.168.85.1
Dec 22 20:06:31 redhat5 sshd[7242]: input_userauth_request: invalid user ldapu1
Dec 22 20:06:37 redhat5 sshd[7241]: pam_unix(sshd:auth): check pass; user unknown
Dec 22 20:06:37 redhat5 sshd[7241]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.85.1
Dec 22 20:06:37 redhat5 sshd[7241]: pam_succeed_if(sshd:auth): error retrieving information about user ldapu1
Dec 22 20:06:39 redhat5 sshd[7241]: Failed password for invalid user ldapu1 from 192.168.85.1 port 4461 ssh2

I can see that if I use ldapsearch with the same filter, I am not able to locate the user "ldapu1". However, if I change the filter to "(|(objectClass=posixAccount)(uid=ldapu1))", it shows me the ldap user:
[root@redhat5 ~]# ldapsearch -x -b "ou=Users,dc=homeldap,dc=com" -D "cn=Manager,dc=homeldap,dc=com" -W -H "ldap://127.0.0.1/" "(|(objectClass=posixAccount)(uid=ldapu1))"
Enter LDAP Password:
# extended LDIF
# LDAPv3
# base <ou=Users,dc=homeldap,dc=com> with scope subtree
# filter: (|(objectClass=posixAccount)(uid=ldapu1))
# requesting: ALL

# ldapu1, Users, homeldap.com
dn: cn=ldapu1,ou=Users,dc=homeldap,dc=com
objectClass: inetOrgPerson
cn: ldapu1
sn: ldapu1
uid: ldapu1
userPassword:: bGRhcHV1MQ==

# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

Where have I made a mistake?
- Is it necessary to create an account on Linux box and then migrate it to ldap?
- I was just wondering if I can somehow change the default filter from AND to OR at the time of login. I used "pam_filter |objectClass=inetOrgPerson" in ldap.conf.
However, it didn't change the filter.


Software :: Openldap (slapd) - Authentication Using Simple Name?

Aug 6, 2010

Is it possible to set up slapd to authenticate users using a simple name instead of a dn?


Fedora Servers :: How To Configure OpenLDAP Server

Jun 8, 2009

I am planning to deploy an OpenLDAP server in my LAN for basic authentication, but I have no idea how to do it. I would like to know how to configure an OpenLDAP Server, and I would also like to know about knowledge resources, if any.


Fedora Servers :: OpenLDAP - Cannot Add Value To 'mail' Attribute

Nov 30, 2009

After installing F11, I installed OpenLDAP with the command "yum -y install openldap*" and added the password obtained through the command "slappasswd -s password -h {MD5}" into /etc/openldap/slapd.conf. Also, I specified the domain information within the file on "suffix" and "rootdn". I also modified the domain name in both /etc/openldap/ldap.conf and /etc/ldap.conf. I copied /usr/share/doc/openldap-servers-2.4.15/DB_CONFIG.example to /var/lib/ldap/DB_CONFIG. Then I started the server with the command /etc/rc.d/init.d/ldap start. I then was able to create and delete OUs and CNs with the help of ldapadd and ldapdelete. I also created PERSON records using the base.ldif file with the content:

dn: cn=user1, ou=domain, dc=example, dc=com
objectClass: person
cn: user1
sn: user1

Everything is OK until I try to add a person with an email address in the "mail" attribute. The error message is:

***************************
adding new entry "cn=user1, ou=domain, dc=example, dc=com
ldap_add: Object class violation (65)
additional info: attribute 'mail' not allowed
***************************

This error message also appears with the "uid" attribute. I have searched some forums and found some suggestions to include the line "include /etc/openldap/schema/inetorgperson.scheme" in the file /etc/openldap/slapd.conf, which is already in.


Server :: Open LDAP Root Password With Openldap-servers-2.3.38-3.fc8 Fedora 8 ?

May 21, 2010

I've set up an openldap server, and am trying to add .ldif files to the database.

I am constantly getting the following error, no matter what I do:


Fedora :: Setting Authentication Details For A Samba Printer In F15?

Jun 8, 2011

I've been trying to set up my printer that I'm sharing through a desktop running Windows 7 and am having trouble getting the authentication details to stay saved, or even work, for that matter.

No matter whether or not I tell the New Printer program to remember my authentication details, it doesn't. If I tell it to prompt me if it needs details, I get no prompt. So, in order for me to print a document, I have to tell it to print, then go into the print queue and authenticate it from there.

1. Is there a way, either manually or through GUI, to either save my authentication details or just have it prompt me upon printing to save me from going into the print queue?

2. This isn't exactly on-topic, but it came up while I tried to set up the printer. Has anyone else had their SMB URI come up incorrectly with the spaces incorrectly rendered as "20" instead of "%20"?


Ubuntu Servers :: Syslogng Installation For Centralized Logging

Jan 29, 2010

I need to centralize the logging of several machines on one machine with syslog-ng. I'm currently using fail2ban for security enhancement and logwatch for log reports, which are based on log files on each machine. Is it possible to keep local logging for fail2ban and logwatch (logwatch can be dropped, but not fail2ban)? One other need is to move old logs to an ftp site for archiving, as in France we have to keep one year of logs.

Another thing I've seen is that logging goes to a MySQL database instead of the filesystem, which allows some nice features such as a web frontend and search capabilities. How is it compatible with the ftp save?


Server :: Openldap And Samba As Domain Controller?

Feb 13, 2010

I have configured samba as a file server in fedora 11; it works fine for both windows and linux machines. But I want to configure ldap and samba as a domain controller. I googled a lot on the internet; everything is confusing me.


Server :: Samba And OpenLDAP Does Not Change UserPassword?

May 6, 2010

I have OpenLDAP 2.4.12 and Samba 3.5.1 installed. When I try to change the password with smbpasswd, it changes the Windows password fine. But userPassword is not updated in LDAP. The error message is: "smbldap_check_root_dse: Expected one rootDSE, got 0" when I run smbpasswd -D 10 <username>.

I added the following to slapd.conf:

access to dn.base=""
    by * read
password-hash {md5}

in hopes of allowing samba to read the root DSE, even though Samba is configured with the root DN.

How do I make samba find what it needs in the root DSE of my LDAP server?


CentOS 5 Networking :: OpenLDAP And Samba PDC Setup?

Dec 17, 2010

I have set up an OpenLDAP+Samba PDC. When I create a user and group, I get errors:
smbldap-group -a admin
No such object at /usr/sbin/smbldap_tools.pm line 457
smbldap-useradd -am -g admin admin
Could not find base dn, to get next uidNumber at /usr/sbin/smbldap_tools.pm line 1192


Ubuntu Servers :: Centralized Login And Remote Home Directories?

Feb 7, 2010

In my desire to learn, mess around and set up something useful on my home network, I'm looking for something that can do centralized login and remote home directories. When someone in my family logs in to a computer, windows or linux based, I want them to be able to use their credentials, then have their remote drive mounted and ready for use. I've looked over ldap solutions, attempted to set up an OpenLDAP server and realized I have no idea what was going on. Is an ldap implementation the proper way to go for my desired solution or am I barking up the wrong tree? I've just now set up OpenDS on a VM for testing but I need to do some research there.


Ubuntu Servers :: LDAP - Centralized Log On Scheme Setup With 10 Computers

Aug 16, 2010

I'm trying to set up a centralized log-on scheme in a research lab with about 10 computers. It's looking like we're going with LDAP - this decision may be out of my control (but if there's an alternative that would be REALLY better, do let me know). My question is we don't really have a domain name, so when all the tutorials say cn=example,cn=com, I can't mimic this exactly. I've been trying to get away with just one, like cn=researchlab. Will LDAP work with just one, or do I need to invent a second also? On the flipside, will it work with more? Our server can be reached by lab.department.school.edu, could I do cn=lab,cn=department,cn=school,cn=edu?


Fedora :: Error: Package Openldap-2.4.21-6.fc13.x86_64 (which Is Newer Than Openldap-2.4.21-4.fc13.i686

Jun 8, 2010

Code:
$ su -c 'yum install wine'
this forum won't let me put all the text in
Transaction Check Error:
package openldap-2.4.21-6.fc13.x86_64 (which is newer than openldap-2.4.21-4.fc13.i686) is already installed
package nss-softokn-freebl-3.12.4-19.fc13.x86_64 (which is newer than nss-softokn-freebl-3.12.4-17.fc13.i686) is already installed


Fedora Servers :: Samba Messages In Syslog - Allow Logging To The Standard Samba Logfiles

Mar 18, 2010

I wish to prevent the samba messages (mainly nmbd and winbindd) from appearing in the system log (/var/log/messages). I want to allow samba logging to the standard samba logfiles, but prevent the syslog getting clogged up by samba. I added syslog = 0 to smb.conf and reloaded the config but the messages were still appearing. I also tried the following (and restarted the syslog via /sbin/service syslog restart):

# Suppress messages from samba.
nmbd.* /dev/null
smbd.* /dev/null
winbindd.* /dev/null

For interest's sake the messages I'm getting are below (I'm not concerned about the messages themselves, I can chase them up at my leisure via the samba logs):

Mar 18 09:58:29 SERVER nmbd[3808]: query_name_response: Multiple (2) responses received for a query on subnet xx.yy.z.zz for name DOMAIN<1d>.
Mar 18 09:58:29 SERVER nmbd[3808]: This response was from IP xx.yy.z.zz, reporting an IP address of xx.yy.z.zz.


Red Hat / Fedora :: Samba Winbind Authentication With Windows 2003 - Multiple Server?

Jul 3, 2010

I've been searching around the web for help and have been really pulling my hair out on this one. I have a Windows 2003 Server w/ AD on it. I have two linux machines, both running the same version of RHEL 5 (compute-1, compute-4).

When I log into compute-1, and do an "id dhuynh", I get this:
uid=1501(dhuynh) gid=1500(domain users) groups=1500(domain users),2013(dusers),1501(certsvc_dcom_access),1507(BUILTIN+users)
When I log into compute-4, and do the same command, I get this:
uid=1500(dhuynh) gid=1504(domain users) groups=1504(domain users),1505(certsvc_dcom_access),1501(BUILTIN+users)

Notice that the uid and gid are different. How do I get them to be the same? This is affecting the file permissions in certain shared directories. I've checked /etc/samba/smb.conf and they are identical. I also checked /etc/nsswitch.conf and they are identical too.


Server :: Samba Openldap Not Authenticating To Windows Xp Machine?

Jul 25, 2010

I am trying to set up my openSUSE 11.3 server as a pdc using openldap and samba. I am continuously getting a network path not found error message on my windows xp box. I already verified that the network settings are good.

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2010-07-05
[global]

[Code]....


Server :: Samba Openldap PDC Cannot Change Password From Windows XP Client

Jul 24, 2010

I finished setting up a Samba PDC with an Openldap backend. I can join a Winxp client to the domain but cannot change the password by pressing Ctrl + Alt + Delete and choosing the Change password button.

This is my conf.
I used
samba3x-3.3.8
openldap 2.3.43
slapd.access.conf

Code:
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
    by dn="cn=Manager,dc=microhdesk,dc=net" write
    by anonymous auth
    by self write
    by * none

[Code]....


Ubuntu Servers :: Postfix Smarthost + Authentication: Get 535 Incorrect Authentication Data Error

Mar 14, 2011

On Ubuntu server 10.10, with a relay smtp server with authentication via postfix, I keep getting 535: Incorrect authentication data. I'm sure my username and password are correct. Here's how I set up postfix: I created a file called smarthosts.conf in my /etc/postfix/ directory that contains the following:

[Code].....

My server uses plain text authentication on port 25. I would like to use security like SSL, but this particular server is unsecured.


Security :: Setup A Kerberos + OpenLDAP Server To Manage Users For Our Samba Shares

Feb 13, 2011

Trying to setup a Kerberos + OpenLDAP server to manage users for our Samba shares (was going to use just OpenLDAP, but apparently it is less secure than using Kerberos with it). (Distro: CentOS 5.5) Haven't even gotten to the point of connecting either to Samba yet. I have set up a Kerberos server, and configured it as necessary. I am happy that it is working as intended, as I can login and manage principals from both the local terminal and remotely on other clients.

I have setup a server (sv1.myhost.net), and configured it to talk to Kerberos (auth.myhost.net). I have created both a [URL] principal, and a testuser principal. I have set the password on the testuser but not on the host/sv1.myhost.net. I have added the keys for both users to the keytab file on the sv1.myhost.net. I am at a Windows 7 machine (on the same internal network), and have installed the Network Identity Manager. It is able to request a ticket successfully for the testuser account.

When I use putty w/GSSAPI (0.58) to remote login to the system, it says using 'testuser' and then just hangs there. Eventually putty connection times out. The fact that both machines can connect to the auth server to communicate with kerberos correctly suggests firewalls are correct. The relevant entries in sshd_config have been uncommented to tell srv1 to use Kerberos authentication.


Fedora Servers :: OpenLDAP Setup "Invalid Credentials (49)"

Aug 1, 2010

I am setting up an LDAP server on a Fedora 13 system. I installed the packages openldap-server, openldap-client and openldap-server-sql (because I may use sql as backend, install first). However, when I did the setup check with the command: ldapadd -f stooges.ldif -xv -D "cn=StoogeAmin,o=stooges" -h 127.0.0.1 -w secret1

it always says: ldap_bind: Invalid credentials (49). I am using slapd.conf for the test as below. I did check that the passwords are the same.

[Code]...


Fedora Servers :: Ssh Authentication With Passphrase+password?

Jul 19, 2011

We have a small requirement: we need to connect to an ssh server through key+Passphrase+password. Is it possible to configure this type of authentication in any version of openssh/fedora?
