Server :: Connect Samba With Ldap To Make It Simpler For The Users To Login?
Jun 24, 2011
I'm just trying to connect Samba with LDAP to make it simpler for the users to log in. We have already attached Squid, so we thought it would be easy to do the same with Samba. I think we did something wrong with the LDAP config for the OS, which is, btw:
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 1
ldap admin dn = cn=xxx,o=xxx
In the past I found some great help on this forum, so here goes. Bear with me because it's a long story. I'll try to be as complete as possible. I've installed and configured OpenLDAP on a virtual machine with IP 192.168.39.134. I've added 2 users via LAM, in the OU WikiUsers, and the domain is wiki.local.
I've then created another host with IP 192.168.39.133 with MediaWiki installed on it. Then I added the extension LDAPAuthentication. In the LdapAuthentication file I added this code (only the last paragraph is mine; I added the others to show its location in the script):
I know I'm close because I can't register any new users or accounts on the MediaWiki site, although I could before I added the LDAP service. This is indeed all just to test and get to know how LDAP works. That's why it's all virtual in VMware. I did not really configure anything on the LDAP server; I just installed it and chose a domain (wiki.local).
I am trying to deploy Kerberos and LDAP so users will be able to log in to a server on the edge of the LAN, and afterwards be able to establish an SSH connection to all the computers in that LAN without the need to type any passwords, and without the need for me to manage SSH keys [besides the SSH keys on the login server] and local user accounts.
1. When I create the users in OpenLDAP I use a template that I created by reading documentation from the Internet. One piece of information that is needed in the template is the UID. Is there any clever way to keep track of the numbers so I do not assign the same UID to two users, besides using pen and paper?
2. For the users to be able to establish SSH connections between the computers, the host is going to be added to the keytab like this: ktadd host/client.example.com. Is it possible to replace client with something generic so I do not need to manage these keytab files between the hosts?
3. Users will be logging on to the server on the edge of the LAN by using SSH keys. How can I configure the setup so the users will receive a ticket automatically when they log on, without executing kinit and without entering a password, just by having a valid SSH key?
4. krb5kdc is running on all the network interfaces on the server; I want it to only run on eth1. How can this be done?
I installed CentOS 5.2 and then ran yum update. I configured this server as an LDAP/Samba primary domain controller. LDAP seems to be OK and for testing I am able to create users with: smbldap-tools useradd -am username. I can ssh into the server as root and also as a Linux user which was locally created on the server. But ssh into the server as an LDAP user fails (from a Fedora 11 machine) with "Permission denied, please try again", prompting again for the password. Some data:
I am using RackMonkey to map out my lab. Unfortunately, due to RM limitations, every user who accesses the site has write access UNLESS they are logged in as a user named "guest". I currently have Apache allowing only the users (sysadmins) in an LDAP group access to RM, but I would like to allow read-only access for other users as well. I found mod_authn_anon, but I am having trouble combining the two authentication methods. I am using Apache 2.2.18 (compiled myself) on SLES 11.1.
This is the common part:
AuthType Basic
AuthBasicProvider ldap anon
Order allow,deny
Allow from all
This part by itself works for the LDAP authentication:
Anonymous guest
Anonymous_VerifyEmail Off
Anonymous_MustGiveEmail Off
Anonymous_LogEmail on
Require valid-user
But if I have both of the previous blocks enabled at once, then guest access does not work. If I throw in a "Satisfy any", then I am not prompted for a username at all. How can I allow access to this LDAP group and to a user named "guest", but not allow all valid LDAP users to log in?
I have an Ubuntu 11.04 Samba domain server. I want to also configure this machine to work as a DHCP server; however, this has given me some issues with the Windows 7 workstations. My guess is that it has something to do with the iptables rules, because those stations do join the Samba domain when both server and workstation are connected to a router.
This is the script I use at boot
#FOR SHARED INTERNET
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables --table nat -A POSTROUTING -o eth2 -j MASQUERADE
I haven't tested it with Windows XP stations, but I have used the same code in the past with no problems, and since this is my first time joining Windows 7 stations I believe there must be some other port that needs forwarding.
I have an Ubuntu 9.10 server and I need to use an FTP server. I installed vsftpd but I can't make it work. What doesn't work is that I can't log in to the FTP server with my user(s). I created a user ("AddressBookUser") that should have access to some files located in "/var/www/fpt/rubriche/". I set this folder as his home. Here is the row for this user in /etc/passwd:
vsftpd.chroot_list exists, but as you see above the chroot_list_file directive is disabled. When I try to connect to the FTP server the connection is established, but after I insert "AddressBookUser" as user name and confirm I get a "530 permission denied" message. This occurs both from the network (LAN) computers and locally:
webs@webs:/etc$ ftp localhost
Connected to localhost.
220 Welcome to WEBS FTP service!
I can't figure out what the problem is, but my thought was that it's a problem related to the user configuration rather than the vsftpd configuration; that's only my supposition, though. If I try to log in with the "main" user of my Ubuntu server, "webs", I can log in correctly.
I'm trying out Samba for the first time. The main directory is called "workplease", and I have 2 users, "keith" and "aspire". I set the permissions on "workplease" to aspire by doing "chown aspire:aspire workplease". Then on my Windows 7 machine I can connect to the Samba server using the aspire login, see my "aspire" folder and the "workplease" folder, and I can create txt files, folders, etc.
But I would like the user account "keith" to be able to read/write to the same "workplease" folder. I added both users to the group "networkg" by doing
"usermod -a -G networkg aspire"
"usermod -a -G networkg keith"
So my question is: how can I make the folder "workplease" have permissions that let any group members of "networkg" read/write/execute anything they put in that folder, or sub folders? I'm getting rid of my Windows Home Server, and trying to use Samba to do the file sharing for my buddy and me.
edit: Seems doing "chmod 774 -R workplease" changes the permissions on all the files/subfolders, to give owner and group full access only, but is there a way that any time someone creates a txt file, or copies over an mp3 for example, it automatically has 774 permissions?
I am switching to GNOME because its look and feel is closer to Windows for my workgroup. LDAP and NFS are working fine with KDE and SSH, but I can't log in with LDAP users either directly or via NX client. When logging in directly on the server it shows this error:
"Xsession: Login for <user> is disabled"
When logging in via NX client it says it authenticated successfully and then quit with this popup message:
Could not connect to session bus: Failed to connect to socket /tmp/dbus-0frstajyNE: Connection refused
I closed this popup window and one more appeared:
Could not acquire name on session bus
I'm trying to set up a Linux server and I am new to this. I have gone through most of the configuration using Samba 3.0 and when I populate the LDAP directory I get this error before the password request:
Then when I perform an ldapsearch to see if the directory is populated I get this message:
I've done all this config [URL] This config for the "foo" folder:
("pruebas" is a user)
[foo]
path = /home/pruebas
ready only = no
guest ok = yes
I have the [HOME] code too, and everything is fine with it; I can't connect with another user ("alfredo") from Red Hat to Windows XP with no problem... but as soon as I double click on the "foo" directory, this appears:
I already tried to disconnect the directories from Windows with "net use" but it doesn't work.
"Merging" may not be quite the right word but that is the desired end result.
Scenario: many Solaris 10 servers, each with various local users. We want to set up LDAP for all of them. The LDAP server is set up, and the procedure for getting other servers to use it for user authentication is documented and tested. The question is how to handle users that are in LDAP who also exist as a local user on a given machine.
It appears that the usernames on both sides follow a convention and therefore match, but obviously the user IDs will not match. Local user joe has userid 1234, LDAP user joe has userid 56789.
The way I see it we'll have to:
1. move local user joe's home directory to the path that LDAP user joe will want
2. change local user joe's userid to that of LDAP user joe
3. change joe's files' owner to his new userid
4. remove local user joe
5. finally configure LDAP
Is this a rational procedure? Is there a more effective method? I'm not looking forward to this as there are many servers and each of them has a different set of local users, each with different userids which will have to be handled manually and individually, so it is not even very scriptable.
I'm trying to get Samba working on a Debian/Xebian box to use as a fileserver. I have an HTPC which is Windows 7 and a laptop which is OS X. I've installed SWAT and Samba to manage the whole settings. I'm trying to set it up so that there's a user which has access to my ~/ and a guest user which just has read access to ~/Media/ so that the media centre can read all the files from it without having to log in.
The problem is when I have map to guest set to Never I can access the Samba ~/ share; I'm asked for a username and password which I log in with fine, and I can access the files on both shares ~/ and ~/Media. However when I set map to guest to Bad User or Bad Password I can access the share for ~/Media, but when I try to access the share ~/ I don't get any login box and I immediately get the error "Can't access share, permission denied" or an error along those lines.
Here's my /etc/samba/smb.conf:
# Samba config file created using SWAT
# from 192.168.1.65 (192.168.1.65)
# Date: 2010/07/10 20:39:16
# Global parameters
[global]
workgroup = MS_HOME
server string = %h server (Samba %v)
obey pam restrictions = Yes
passdb backend = tdbsam, guest
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n .....
How to get it working so I can have a guest share for my HTPC and a logged in user for my private files?
I currently have an LDAP database on my SUSE 10.2 server for managing authentication and controlling emails for my Cyrus email server. I use this setup to provide email functionality to my web and email hosting clients, as well as DNS functionality, and it uses the default LDAP database that was set up when OpenLDAP was initially configured. Email support is working wonderfully, I might add. I also tested and verified the use of an email lookup directory in two different email clients (Outlook and Evolution) so that I can tell one of my clients how to look up the email address of users who are set up in the LDAP server, and it works beautifully.
However, I'd also like to be able to allow my clients to build a shared contact database that can also be used in their email clients so that they can share them among all of their users. Ideally, I would need to be able to allow each client to have their own database of shared contacts, and I assume this would be done by creating a new LDAP database for each client company (i.e. group of users) that can contain the list of shared contacts for any of that client's users. When they configure their email client directory settings, they would enter the base path to their database in order to retrieve their shared contact database entries.
In my web searches, I've found plenty of CRM solutions on the web that claim to provide this type of functionality, but I believe that OpenLDAP contains everything I need to make this work without adding another layer of software to the server solution. (I subscribe to the "Keep it Simple, Stupid!" approach whenever possible.) Essentially, I need to have People entries in a client's LDAP database that are NOT email users on the system. The fields in the standard people schema are all the fields they would need - as long as I can figure out how best to add these non-user entries in the LDAP database. Are there any potential difficulties in creating additional LDAP databases expressly for this purpose?
Are there any tricks to adding contact entries into a client's LDAP database without them also being current email users on the server, so that those entries can be retrieved through an email client directory lookup? I will also want to provide an easy method for my client users to add new entries to their LDAP contact database, most likely through a web interface for them that could then issue LDAP commands on the server based on the input fields for the new contact. (I don't believe this is possible from within the email client itself.) Is there any reason this could not be done with the proper configuration? What should I be aware of as I set up this contact management web interface? Is there a better way for non-technical client users to manage this list of shared contacts?
I installed and configured an LDAP server and client on RHEL5 successfully. The problem is that when I add more than one user on the server and clients, it shows the error 'invalid user'. When I run the command:
#chown -R user:users /home/user
it shows the error 'invalid user'. by step for adding and modifying more users in LDAP servers.
I have a setup of squid3 with NTLM authentication and I use squidGuard 1.5 to filter my web traffic. My squid3 is authenticating users properly and parsing all rules. The problem is with squidGuard, which doesn't seem to filter out users. Below is my squidGuard config.
I've compiled openssh-5.4p1 on RHEL 4.8 with OpenSSL 0.9.8m + PAM. It works perfectly without PAM (pam-0.77-66), both with password and public key auth. With PAM enabled and LDAP (openldap-2.4.21, from scratch) something strange happens: system users: I can do ssh with both password and public key; LDAP users: public key works for remote users, but I still cannot do ssh with just a password. I'm trying a custom PAM configuration, because the default one (even with authconfig + LDAP) blocks ssh even with system users.
I know of /etc/security/limits.conf and that can be used to limit all sorts of good things, but I haven't found anything that talks about using this when the users come from LDAP. Would I be able to do something like
@"Domain Users" soft nproc 25
@"Domain Users" hard nproc 40
where Domain Users is the group all users belong to in our system.
So, I have a mail server (Postfix) and an LDAP server, and they work fine. I can add/delete users from Postfix, and they can send/receive mails to/from any address. At the same time my LDAP server works fine; I have users in it too. My "simple" question would be: if I have user "test1" in LDAP, what do I have to do to connect/enable that user to send mails?
Install and configure Samba as a primary domain controller with LDAP on Linux. I set it up step by step following the article without error until step 10. I want to join a Windows client; when I enter the user name and password for the domain, it displays the message: The following error occurred attempting to join the domain BIGTIME: The network path was not found.
I've been testing a PDC with Samba and LDAP these days with the following unsolved issue. 1. I can add the client PC (Windows XP SP3) with the Domain Admin user (Manager) from the client PC, but when I try to add a user I get this message: "The trust relationship between this workstation and the primary domain failed". Since it can be added later, I ignored this message, chose 'close' and rebooted the PC. 2. When the login screen is shown, the message 'Duplicate name exists on the network' appears. So I try to log on with a valid domain username and password after pressing ctrl+alt+del and get the error message: "System cannot log you on because domain rmprb is not available"