SAMBA and OPENLDAP


  1. #1
    SAMBA and OPENLDAP
    Hello all, I have a problem coupling these two services (same machine), tested with an XP client.

    If anyone knows about this, I will post my configs.

    Thanks

  2. #2
    ok.Idriss (Editor)
    Hello.

    Quote from ghostrider95:
    If anyone knows about this, I will post my configs.
    On the contrary, it is better to give as much detail as possible about your problem so that contributors can see whether they can help you or not.
    Here it is far too vague...

    Thanks in advance.

    Idriss

  3. #3
    Hello,

    Here are my various configurations.
    As a reminder, the end result must first allow my XP client to authenticate against my Samba domain coupled with my LDAP directory:

    smbldap.conf

    # $Id: smbldap.conf 26 2010-11-15 14:28:01Z mm1 $
    #
    # smbldap-tools.conf : Q & D configuration file for smbldap-tools
     
    #  This code was developped by IDEALX (http://IDEALX.org/) and
    #  contributors (their names can be found in the CONTRIBUTORS file).
    #
    #                 Copyright (C) 2001-2002 IDEALX
    #
    #  This program is free software; you can redistribute it and/or
    #  modify it under the terms of the GNU General Public License
    #  as published by the Free Software Foundation; either version 2
    #  of the License, or (at your option) any later version.
    #
    #  This program is distributed in the hope that it will be useful,
    #  but WITHOUT ANY WARRANTY; without even the implied warranty of
    #  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    #  GNU General Public License for more details.
    #
    #  You should have received a copy of the GNU General Public License
    #  along with this program; if not, write to the Free Software
    #  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
    #  USA.
     
    #  Purpose :
    #       . be the configuration file for all smbldap-tools scripts
     
    ##############################################################################
    #
    # General Configuration
    #
    ##############################################################################
     
    # Put your own SID. To obtain this number do: "net getlocalsid".
    # If not defined, parameter is taking from "net getlocalsid" return
    #SID="S-1-5-21-2252255531-4061614174-2474224977"
    SID="S-1-5-21-3267847655-2191841252-335441746"
     
    # Domain name the Samba server is in charged.
    # If not defined, parameter is taking from smb.conf configuration file
    # Ex: sambaDomain="IDEALX-NT"
    sambaDomain="TOTO"
     
    ##############################################################################
    #
    # LDAP Configuration
    #
    ##############################################################################
     
    # Notes: to use to dual ldap servers backend for Samba, you must patch
    # Samba with the dual-head patch from IDEALX. If not using this patch
    # just use the same server for slaveLDAP and masterLDAP.
    # Those two servers declarations can also be used when you have 
    # . one master LDAP server where all writing operations must be done
    # . one slave LDAP server where all reading operations must be done
    #   (typically a replication directory)
     
    # Slave LDAP server
    # Ex: slaveLDAP=127.0.0.1
    # If not defined, parameter is set to "127.0.0.1"
    slaveLDAP="127.0.0.1"
     
    # Slave LDAP port
    # If not defined, parameter is set to "389"
    slavePort="389"
     
    # Master LDAP server: needed for write operations
    # Ex: masterLDAP=127.0.0.1
    # If not defined, parameter is set to "127.0.0.1"
    masterLDAP="127.0.0.1"
     
    # Master LDAP port
    # If not defined, parameter is set to "389"
    #masterPort="389"
    masterPort="389"
     
    # Use TLS for LDAP
    # If set to 1, this option will use start_tls for connection
    # (you should also used the port 389)
    # If not defined, parameter is set to "0"
    #ldapTLS="1"
     
    # Use SSL for LDAP
    # If set to 1, this option will use SSL for connection
    # (standard port for ldaps is 636)
    # If not defined, parameter is set to "0"
    ldapSSL="0"
     
    # How to verify the server's certificate (none, optional or require)
    # see "man Net::LDAP" in start_tls section for more details
    verify="require"
     
    # CA certificate
    # see "man Net::LDAP" in start_tls section for more details
    cafile="/etc/smbldap-tools/ca.pem"
     
    # certificate to use to connect to the ldap server
    # see "man Net::LDAP" in start_tls section for more details
    clientcert="/etc/smbldap-tools/smbldap-tools.iallanis.info.pem"
     
    # key certificate to use to connect to the ldap server
    # see "man Net::LDAP" in start_tls section for more details
    clientkey="/etc/smbldap-tools/smbldap-tools.iallanis.info.key"
     
    # LDAP Suffix
    # Ex: suffix=dc=IDEALX,dc=ORG
    suffix="dc=TOTO,dc=COM"
     
    # Where are stored Users
    # Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
    # Warning: if 'suffix' is not set here, you must set the full dn for usersdn
    usersdn="ou=Users,${suffix}"
     
    # Where are stored Computers
    # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
    # Warning: if 'suffix' is not set here, you must set the full dn for computersdn
    computersdn="ou=Computers,${suffix}"
     
    # Where are stored Groups
    # Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
    # Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
    groupsdn="ou=Groups,${suffix}"
     
    # Where are stored Idmap entries (used if samba is a domain member server)
    # Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
    # Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
    idmapdn="ou=Idmap,${suffix}"
     
    # Where to store next uidNumber and gidNumber available for new users and groups
    # If not defined, entries are stored in sambaDomainName object.
    # Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
    # Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
    sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
     
    # Default scope Used
    scope="sub"
     
    # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
    hash_encrypt="SSHA"
     
    # if hash_encrypt is set to CRYPT, you may set a salt format.
    # default is "%s", but many systems will generate MD5 hashed
    # passwords if you use "$1$%.8s". This parameter is optional!
    crypt_salt_format="%s"
     
    ##############################################################################
    # 
    # Unix Accounts Configuration
    # 
    ##############################################################################
     
    # Login defs
    # Default Login Shell
    # Ex: userLoginShell="/bin/bash"
    userLoginShell="/bin/bash"
     
    # Home directory
    # Ex: userHome="/home/%U"
    userHome="/home/%U"
     
    # Default mode used for user homeDirectory
    userHomeDirectoryMode="700"
     
    # Gecos
    userGecos="System User"
     
    # Default User (POSIX and Samba) GID
    defaultUserGid="513"
     
    # Default Computer (Samba) GID
    defaultComputerGid="515"
     
    # Skel dir
    skeletonDir="/etc/skel"
     
    # Default password validation time (time in days) Comment the next line if
    # you don't want password to be enable for defaultMaxPasswordAge days (be
    # careful to the sambaPwdMustChange attribute's value)
    defaultMaxPasswordAge="45"
     
    ##############################################################################
    #
    # SAMBA Configuration
    #
    ##############################################################################
     
    # The UNC path to home drives location (%U username substitution)
    # Just set it to a null string if you want to use the smb.conf 'logon home'
    # directive and/or disable roaming profiles
    # Ex: userSmbHome="\\PDC-SMB3\%U"
    userSmbHome="\\PDC-SRV\%U"
     
    # The UNC path to profiles locations (%U username substitution)
    # Just set it to a null string if you want to use the smb.conf 'logon path'
    # directive and/or disable roaming profiles
    # Ex: userProfile="\\PDC-SMB3\profiles\%U"
    userProfile="\\PDC-SRV\profiles\%U"
     
    # The default Home Drive Letter mapping
    # (will be automatically mapped at logon time if home directory exist)
    # Ex: userHomeDrive="H:"
    userHomeDrive="H:"
     
    # The default user netlogon script name (%U username substitution)
    # if not used, will be automatically username.cmd
    # make sure script file is edited under dos
    # Ex: userScript="startup.cmd" # make sure script file is edited under dos
    userScript="logon.bat"
     
    # Domain appended to the users "mail"-attribute
    # when smbldap-useradd -M is used
    # Ex: mailDomain="idealx.com"
    mailDomain="iallanis.info"
     
    ##############################################################################
    #
    # SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
    #
    ##############################################################################
     
    # Allows not to use smbpasswd (if with_smbpasswd="0" in smbldap.conf) but
    # prefer Crypt::SmbHash library
    with_smbpasswd="0"
    smbpasswd="/usr/bin/smbpasswd"
     
    # Allows not to use slappasswd (if with_slappasswd="0" in smbldap.conf)
    # but prefer Crypt:: libraries
    with_slappasswd="0"
    slappasswd="/usr/sbin/slappasswd"
     
    # comment out the following line to get rid of the default banner
    # no_banner="1"
     
    smbldap_bind.conf
     
    # $Id: smbldap_bind.conf 26 2010-11-15 14:28:01Z mm1 $
    ##:wq
    ############################
    # Credential Configuration #
    ############################
    # Notes: you can specify two differents configuration if you use a
    # master ldap for writing access and a slave ldap server for reading access
    # By default, we will use the same DN (so it will work for standard Samba
    # release)
    slaveDN="cn=root,dc=toto,dc=com"
    slavePw="alonso"
    masterDN="cn=root,dc=toto,dc=com"
    masterPw="alonso"

    smb.conf

    # Global parameters
    [global]
          workgroup = TOTO
          server string = Samba Server
          netbios name = smb-server01
          hosts allow = 192.168.1. 127.
          interfaces = em0,lo0
          bind interfaces only = yes
    #        security = domain
     
     
    # passwd backend
          encrypt passwords = yes
          passdb backend   = ldapsam:ldap://192.168.1.15
          enable privileges = yes
          pam password change= yes
          passwd program = /usr/local/sbin/smbldap-passwd -u %u
          ldap password sync = yes
     
    # Log options
          log level = 1
          log file = /var/log/samba/%m
          max log size = 50
          syslog = 0
     
    # Name resolution
          name resolve order = wins bcast host
     
    # misc / tuning
          timeserver = yes
          socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072 
          veto files = /*.eml/*.nws/*.{*}/
          veto oplock files = /*.doc/*.xls/*.mdb/
          deadtime = 120
          strict locking = no
          strict sync = no
          sync always = no
          read raw = yes
          min receivefile size=16384
          use sendfile = yes
          aio read size = 16384
          aio write size = 16384
          aio write behind = true
     
    # Dos-Attribute
          map hidden = no
          map system = no
          map archive = no
          map read only = no
          store dos attributes = yes
     
    # printers - configured to use CUPS and automatically load them
          load printers = yes
          printcap name = CUPS
          printing = cups
          cups options = Raw
          show add printer wizard = no
     
    # scripts invoked by samba
          add user script               = /usr/local/sbin/smbldap-useradd -m %u
          delete user script            = /usr/local/sbin/smbldap-userdel %u
          add group script              = /usr/local/sbin/smbldap-groupadd -p %g
          delete group script           = /usr/local/sbin/smbldap-groupdel %g
          add user to group script      = /usr/local/sbin/smbldap-groupmod -m %u %g
          delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
          set primary group script      = /usr/local/sbin/smbldap-usermod -g %g %u
          add machine script            = /usr/local/sbin/smbldap-useradd -w %m
     
     
    # LDAP-Configuration
          ldap delete dn                = Yes
          ldap ssl                      = off
          ldap passwd sync              = Yes
          ldap suffix                   = dc=toto,dc=com
          ldap machine suffix           = ou=Computers
          ldap user suffix              = ou=People
          ldap group suffix             = ou=Groups
          ldap idmap suffix             = ou=Idmap
          ldap admin dn                 = cn=root,dc=toto,dc=com
          idmap backend                 = ldap:ldap://127.0.0.1
          idmap uid                     = 10000-20000
          idmap gid                     = 10000-20000
     
    # logon options
          logon script = logon.bat
          logon path = \%L\profiles\%u
          logon path =
          logon home = \%L\%U
          logon drive = H:
     
    # setting up as domain controller
    #      username map = /usr/local/etc/samba/usermap
          preferred master = yes
          wins support = yes
          domain logons = yes
          domain master = yes
          local master = yes
          os level = 64
          map acl inherit = yes
          unix charset     = UTF8
     
    #============================ Share Definitions ==============================
     
    [netlogon]
          comment = Network Logon Service
          path = /usr/local/var/samba/netlogon
          guest ok = yes
          locking = no
     
    [homes]
          comment = Home Directories
          valid users = %S
          read only = No
          browseable = No
     
    [Profiles]
          comment = Network Profiles Service
          path = /usr/local/var/samba/profiles
          read only = No
          profile acls = yes
          hide files = /desktop.ini/ntuser.ini/NTUSER.*/
          profile acls = Yes
     
    [printers]
          comment = All Printers
          path = /var/spool/samba
          browseable = No
          guest ok = Yes
          printable = Yes
          use client driver = Yes
          default devmode = Yes
     
    [print$]
          comment = Printer Drivers
          path = /usr/local/var/samba/printer-drivers
          browseable = yes
          guest ok = no
          read only = yes
          write list = root
     
    [data]
          comment = Data Directory
          path = /usr/local/var/samba/data
          write list = @testdomain
          read only = No
          create mask = 0777
          directory mask = 0777

    slapd.conf

    #
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #
    include		/usr/local/etc/openldap/schema/core.schema
    include         /usr/local/etc/openldap/schema/cosine.schema
    include         /usr/local/etc/openldap/schema/inetorgperson.schema
    include         /usr/local/etc/openldap/schema/misc.schema
    include         /usr/local/etc/openldap/schema/nis.schema
    include         /usr/local/etc/openldap/schema/openldap.schema
    include         /usr/local/etc/openldap/schema/samba.schema
     
    # Define global ACLs to disable default read access.
     
    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral	ldap://root.openldap.org
     
    pidfile		/var/run/openldap/slapd.pid
    argsfile	/var/run/openldap/slapd.args
     
    # Load dynamic backend modules:
    modulepath	/usr/local/libexec/openldap
    moduleload	back_bdb
    # moduleload	back_hdb
    # moduleload	back_ldap
     
    # Sample security restrictions
    #	Require integrity protection (prevent hijacking)
    #	Require 112-bit (3DES or better) encryption for updates
    #	Require 63-bit encryption for simple bind
    # security ssf=1 update_ssf=112 simple_bind=64
     
    # Sample access control policy:
    #	Root DSE: allow anyone to read it
    #	Subschema (sub)entry DSE: allow anyone to read it
    #	Other DSEs:
    #		Allow self write access
    #		Allow authenticated users read access
    #		Allow anonymous users to authenticate
    #	Directives needed to implement policy:
     access to dn.base="" by * read
    # access to dn.base="cn=Subschema" by * read
    # access to *
    #	by self write
    	#by users read
    #	by anonymous auth
     
     access to *
           by dn="cn=root,dc=toto,dc=com" write
           by * read
     
    #
    # if no access controls are present, the default policy
    # allows anyone and everyone to read anything but restricts
    # updates to rootdn.  (e.g., "access to * by * read")
    #
    # rootdn can always read and write EVERYTHING!
     
    #######################################################################
    # BDB database definitions
    #######################################################################
     
    database	bdb
    suffix		"dc=toto,dc=com"
    rootdn		"cn=root,dc=toto,dc=com"
    # Cleartext passwords, especially for the rootdn, should
    # be avoid.  See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    rootpw		{SSHA}Q3Y2FZR+vQvjJkGe9TxjR5QecgsZwH6h
     
    # The database directory MUST exist prior to running slapd AND 
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory	/var/db/openldap-data
    # Indices to maintain
    index	objectClass	eq
    index   cn              pres,sub,eq
    index   sn              pres,sub,eq
    index   uid             pres,sub,eq
    index   displayName     pres,sub,eq
    index   uidNumber               eq
    index   gidNumber               eq
    index   memberUID               eq
    index   sambaSID                eq
    index   sambaPrimaryGroupSID    eq
    index   sambaDomainName         eq
    index   default                 sub

    Here is an extract of my Samba log file for my XP client:

    [2012/02/18 16:57:13.525278,  1] auth/auth_util.c:580(make_server_info_sam)
      User pdupont in passdb, but getpwnam() fails!
    [2012/02/18 16:57:13.525284,  0] auth/auth_sam.c:493(check_sam_security)
      check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
    [2012/02/18 16:57:13.530700,  0] groupdb/mapping.c:803(pdb_create_builtin_alias)
      pdb_create_builtin_alias: Could not add group mapping entry for alias 545 (NT_STATUS_GROUP_EXISTS)
    [2012/02/18 16:57:13.536301,  0] passdb/pdb_get_set.c:212(pdb_get_group_sid)
      pdb_get_group_sid: Failed to find Unix account for pdupont

    PS: my user ...etc. does exist in my LDAP directory (OK via an LDAP browser)

    Thanks
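The log extract above reports that pdupont is found in the passdb but getpwnam() fails, and the posted smb.conf (ldap user suffix = ou=People) and smbldap.conf (usersdn="ou=Users,${suffix}") name different user containers. As an added example that is not part of this thread, the Python script below derives the container DNs from both files and flags the ones that differ, and also reports smb.conf keys set twice (Samba keeps the last value, so the second, empty logon path is the one in effect); all sample inputs are constructed from the values posted above and the function names are this example's own.

```python
"""Cross-check the LDAP container DNs that a Samba PDC (smb.conf) and
smbldap-tools (smbldap.conf) use in the same OpenLDAP tree.
Added example, not from the thread; sample inputs are constructed from the
values posted above, and the function names are this example's own."""
import re

# Constructed from the smb.conf posted in the thread (only the relevant lines).
SMB_CONF = """
[global]
      ldap suffix                   = dc=toto,dc=com
      ldap machine suffix           = ou=Computers
      ldap user suffix              = ou=People
      ldap group suffix             = ou=Groups
      ldap idmap suffix             = ou=Idmap
      logon path = \\%L\\profiles\\%u
      logon path =
"""

# Constructed from the smbldap.conf posted in the thread.
SMBLDAP_CONF = """
sambaDomain="TOTO"
suffix="dc=TOTO,dc=COM"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
"""

# smb.conf parameter -> smbldap.conf variable that must point at the same container.
PAIRS = {
    "users":     ("ldap user suffix",    "usersdn"),
    "computers": ("ldap machine suffix", "computersdn"),
    "groups":    ("ldap group suffix",   "groupsdn"),
    "idmap":     ("ldap idmap suffix",   "idmapdn"),
}


def parse_smb_global(text):
    """Return ([global] parameters, keys set more than once).
    Samba keeps the LAST value of a repeated key, so a repeat silently overrides."""
    params, repeated, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            key = " ".join(key.lower().split())  # Samba ignores case and extra spaces
            if key in params:
                repeated.append(key)
            params[key] = value
    return params, repeated

def parse_smbldap_conf(text):
    """Parse key="value" lines and expand ${var} references as smbldap-tools does."""
    params = {}
    for raw in text.splitlines():
        m = re.match(r'\s*([A-Za-z_]\w*)\s*=\s*"([^"]*)"', raw)
        if m:
            params[m.group(1)] = re.sub(r"\$\{(\w+)\}",
                                        lambda v: params.get(v.group(1), ""), m.group(2))
    return params

def norm_dn(dn):
    """Compare DNs case-insensitively, ignoring whitespace around commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def check_dns(smb, tools):
    """Return {container: (samba_dn, smbldap_dn)} for every container that differs."""
    base = smb["ldap suffix"]
    bad = {}
    for name, (smb_key, tools_key) in PAIRS.items():
        samba_dn, tools_dn = norm_dn(smb[smb_key] + "," + base), norm_dn(tools[tools_key])
        if samba_dn != tools_dn:
            bad[name] = (samba_dn, tools_dn)
    return bad
```

Run against the posted values, check_dns reports only the users container (ou=People on the Samba side, ou=Users on the smbldap-tools side), and parse_smb_global reports "logon path" as set twice with an empty effective value.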

This discussion is marked as resolved.