DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD General

FreeBSD General Other questions regarding FreeBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 6th August 2008
coppermine's Avatar
coppermine coppermine is offline
Port Guard
 
Join Date: May 2008
Posts: 40
Default Samba + Ldap... permission problem

Though, long time passed since Ive posted the very first post regarding this subject. There I promised to show configuration files... so, Ive got authentication working but the Windows client machines are complaining about profile directory permissions. It says that it should be owned by that user or Admin Users group. I did try different permissions but the problem stays as it is.
The question : what folder is XP talknig about? The profiles folder where sits all the user profiles or just users profile?

Here are configuration files.
rc.conf:
Code:
defaultrouter="192.168.1.1"

hostname="varde.skola.local"

#ifconfig_rl0="inet 192.168.1.100  netmask 255.255.255.0"
ifconfig_rl0="DHCP"

linux_enable="YES"
sshd_enable="YES"
named_enable="NO"
cupsd_enable="YES"
nscd_enable="NO"
samba_enable="YES"
apache22_enable="YES"

slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:///"'
slapd_sockets="/var/run/openldap/ldapi"
The Samba configuration file:
Code:
# Global parameters
[global]
        workgroup = SKOLA
        netbios name = VARDE
        security = user
        username map = /usr/local/etc/samba/smbusers
        server string = Serveris Varde %v
        encrypt passwords = Yes

        #unix password sync = yes
        #ldap passwd sync = no
        #passwd program = /usr/local/sbin/smbldap-passwd -u "%u"
        #passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

        log level = 0
        syslog = 0
        log file = /var/log/samba/log.%U
        max log size = 100000
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        mangling method = hash2
        Dos charset = 850
        Unix charset = ISO8859-1

        logon script = logon.bat
        logon drive = H:
        logon home = \\%L\%U
        logon path = \\%N\profiles\%U

        domain logons = Yes
        domain master = Yes
        local master = yes
        os level = 33
        preferred master = auto
        wins support = yes
        passdb backend = ldapsam:ldap://127.0.0.1
        ldap admin dn = cn=Manager,dc=skola,dc=local
        ldap suffix = dc=skola,dc=local
        ldap group suffix = ou=Groups
        ldap user suffix = ou=People
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Idmap
        idmap backend = ldap:ldap://ldap.skola.local
        idmap uid = 10000-20000
        idmap gid = 10000-20000

        #winbind uid = 10000-20000
        #winbind gid = 10000-20000
        #winbind separator = .
        #winbind enum users = yes
        #winbind enum groups = yes
        #winbind use default domain = yes

        add user script = /usr/local/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/local/sbin/smbldap-userdel "%u"
        add machine script = /usr/local/sbin/smbldap-useradd -t 0 -w "%u"
        add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/local/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'

        create mask = 0640
        directory mask = 0750
        nt acl support = No
        deadtime = 10
        guest account = nobody
        map to guest = Bad User
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
        preserve case = yes
        short preserve case = yes
        case sensitive = no

[netlogon]
        path = /home/netlogon
        comment = Network Logon Service
        read only = yes

[profiles]
        path = /home/profiles
        read only = no
        #hide files = /desktop.ini/
        create mask = 0600
        directory mask = 0700

[public]
        path = /tmp
        guest ok = yes
        browseable = Yes
        writeable = yes

[homes]
        writeable = yes
        browseable = no
        guest ok = no
        admin users = xeon juris "Domain Admins"
The OpenLDAP configuration file:
Code:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/samba.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
moduleload      back_bdb
# moduleload    back_ldap
# moduleload    back_ldbm
# moduleload    back_passwd
# moduleload    back_shell

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

access to dn.base=""
        by self write
        by * auth

access to attrs=userPassword
        by self write
        by * auth

access to attrs=shadowLastChange
        by self write
        by * read

access to *
        by * read
        by anonymous auth

loglevel 256

schemacheck     on
idletimeout     30
backend         bdb
checkpoint      1024 5
cachesize       10000

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=skola,dc=local"
rootdn          "cn=Manager,dc=skola,dc=local"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {CRYPT}QKBN0WohKsFyg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/db/openldap-data

# Indices to maintain
index   objectClass             eq
index   cn                      pres,sub,eq
index   sn                      pres,sub,eq
index   uid                     pres,sub,eq
index   displayName             pres,sub,eq
index   uidNumber               eq
index   gidNumber               eq
index   memberUID               eq
index   sambaSID                eq
index   sambaPrimaryGroupSID    eq
index   sambaDomainName         eq
index   default                 sub
Global ldap client configuration (I understood that it is used by NSS_LDAP module):
Code:
host 127.0.0.1

base dc=skola,dc=local

binddn dc=skola,dc=local

rootbinddn cn=Manager,dc=skola,dc=local

ldap_version 3
port 389
scope sub
timelimit 30
bind_timelimit 30
bind_policy soft
idle_timelimit 3600

pam_filter objectClass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password crypt

nss_base_passwd ou=People,dc=skola,dc=local?one
nss_base_shadow ou=People,dc=skola,dc=local?one
nss_base_passwd ou=Computers,dc=skola,dc=local?one
nss_base_shadow ou=Computers,dc=skola,dc=local?one
#nss_base_group ou=Groups,dc=skola,dc=local?one
NSS_LDAP module configuration file is exactly the same as ldap.conf... I don't remember which guide told to do so...

DB_CONFIG file:
Code:
# $OpenLDAP: pkg/ldap/servers/slapd/DB_CONFIG,v 1.1.2.4 2007/12/18 11:51:46 ghenry Exp $
# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
#
# See the Oracle Berkeley DB documentation
#   <http://www.oracle.com/technology/documentation/berkeley-db/db/ref/env/db_config.html>
# for detail description of DB_CONFIG syntax and semantics.
#
# Hints can also be found in the OpenLDAP Software FAQ
#       <http://www.openldap.org/faq/index.cgi?file=2>
# in particular:
#   <http://www.openldap.org/faq/index.cgi?file=1075>

# Note: most DB_CONFIG settings will take effect only upon rebuilding
# the DB environment.

# one 0.25 GB cache
set_cachesize 0 268435456 1

# Data Directory
#set_data_dir db

# Transaction Log settings
set_lg_regionmax 262144
set_lg_bsize 2097152
#set_lg_dir logs

# Note: special DB_CONFIG flags are no longer needed for "quick"
# slapadd(8) or slapindex(8) access (see their -q option).
The PAM is configured by two files. The ldap file was added as include into system.
The ldap file:
Code:
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
The system file:
Code:
#
# $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
#
# System-wide defaults
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            include         ldap
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_lastlog.so          no_fail

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
That's it. Sometimes I'am getting the LDAP server is unavailable in first FreeBSD virtual console but I have checked browsability and also authentication on XP machines... everything is working. I just can't understand where is the problem with the permissions... I am reading Samba HOWTO and also "by Example" the second time
Reply With Quote
  #2   (View Single Post)  
Old 8th August 2008
coppermine's Avatar
coppermine coppermine is offline
Port Guard
 
Join Date: May 2008
Posts: 40
Default

"That's nice"... at least I will work out it myself and somebody can use the examples for LDAP authentication in FreeBSD. I thought that LDAP implementation will be more difficult than the Samba with it's permissions problem... I will post my results here anyway.
Reply With Quote
  #3   (View Single Post)  
Old 22nd August 2008
coppermine's Avatar
coppermine coppermine is offline
Port Guard
 
Join Date: May 2008
Posts: 40
Default

I am still stuck with it. However, I have found the good tip how to get XP shut up complaining about these permissions, but for me it is unacceptable. This hack should be applied to ALL machines and I like to get things working normally - without any special windows-side hacks!

The windows-side hack is the last link.

All of this can help:

http://itdump.wordpress.com/2007/11/...c-using-samba/
http://www.linuxquestions.org/questi...ssions-657093/
http://www.usenet-forums.com/samba/3...rmissions.html
http://www.oregontechsupport.com/samba/samba-roam.php
Reply With Quote
  #4   (View Single Post)  
Old 13th October 2008
businessgeeks businessgeeks is offline
New User
 
Join Date: May 2008
Posts: 9
Default

Dude, just have a quick question...

How many users can a single Samba Opendap PDC in FreeBSD handle? im evaluating this solution for a network of 150 to 300 users.

any inputs?
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Dav+ldap rifqi OpenBSD General 0 13th March 2009 08:51 AM
Samba 3.0 problem to setting up private folder - FreeBSD 71-pre bsduser FreeBSD General 7 27th September 2008 03:34 PM
LDAP revzalot General software and network 0 16th August 2008 02:39 PM
samba problem sniper007 FreeBSD Ports and Packages 3 22nd June 2008 05:59 PM
Apache Problem ( Permission ) dctr FreeBSD General 8 27th May 2008 09:48 PM


All times are GMT. The time now is 11:33 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick