[ Résolu ] aide au paramétrage de LDAP

Bonjour à tous,

J’essaye de monter un PDC sous wheezy à partir de ce tuto :
fondation-misericorde.fr/sit … -misc.html

testparm, smbldap-populate et les autres commandes de test indiquées dans le tuto renvoient toutes des messages qui indiquent que les test ont réussit mais lorsque je tente de joindre une machine seven au domaine impossible. Le seul truc que j’arrive à joindre c’est le domaine…

voici un extrait des logs du pc client sur le PDC :

root@ns2:~# tail -f /var/log/samba/log.seven-test [2013/08/22 12:19:34.931702, 0] passdb/lookup_sid.c:1684(get_primary_group_sid) Failed to find a Unix account for vremycheck_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

Les lopgs de nbd :

[code][2013/08/22 12:37:40, 0] nmbd/nmbd_browsesync.c:248(domain_master_node_status_fail)
Doing a node status request to the domain master browser
for workgroup LAREGIE at IP failed.
Cannot sync browser lists.
[2013/08/22 12:51:40, 0] nmbd/nmbd.c:66(terminate)
Got SIGTERM: going down…
[2013/08/22 12:51:43, 0] nmbd/nmbd.c:861(main)
nmbd version 3.6.6 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
[2013/08/22 12:51:43, 0] param/loadparm.c:7969(lp_do_parameter)
Ignoring unknown parameter “domain logon”
[2013/08/22 12:51:43, 0] param/loadparm.c:7969(lp_do_parameter)
Ignoring unknown parameter “domain logon”
[2013/08/22 12:52:06, 0] nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)

Samba name server LA-REGIE is now a local master browser for workgroup LAREGIE on subnet


Je ne comprend pas bien cette histoire de subnet, cette ip est celle du PDC ce n’est pas une adresse réseau, je ne sais pas où samba va pêcher ça…

ceux de smbd :

[2013/08/22 12:51:43, 0] param/loadparm.c:7969(lp_do_parameter) Ignoring unknown parameter "domain logon" [2013/08/22 12:51:43.512277, 0] param/loadparm.c:7969(lp_do_parameter) Ignoring unknown parameter "domain logon" [2013/08/22 12:51:43.512507, 0] param/loadparm.c:8004(lp_do_parameter) Global parameter usershare allow guests found in service section! [2013/08/22 12:51:43.520836, 0] passdb/passdb.c:632(lookup_global_sam_name) User root with invalid SID S-1-5-21-341964290-3538917840-674299705-500 in passdb [2013/08/22 12:51:43.533857, 0] printing/print_cups.c:110(cups_connect) Unable to connect to CUPS server localhost:631 - Connexion refusée [2013/08/22 12:51:43.533983, 0] printing/print_cups.c:487(cups_async_callback) failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL [2013/08/22 12:52:43.552032, 0] printing/print_cups.c:110(cups_connect) Unable to connect to CUPS server localhost:631 - Connexion refusée [2013/08/22 12:52:43.552196, 0] printing/print_cups.c:487(cups_async_callback) failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL

et enfin mon smb.conf :

[code]root@ns2:~# cat /etc/samba/smb.conf

Sample configuration file for the Samba suite for Debian GNU/Linux.

This is the main Samba configuration file. You should read the

smb.conf(5) manual page in order to understand the options listed

here. Samba has a huge number of configurable options most of which

are not shown in this example

Some options that are often worth tuning have been included as

commented-out examples in this file.

- When such options are commented with “;”, the proposed setting

differs from the default Samba behaviour

- When commented with “#”, the proposed setting is the default

behaviour of Samba but the option is considered important

enough to be mentioned here

NOTE: Whenever you modify this file you should run the command

“testparm” to check that you have not made any basic syntactic


A well-established practice is to name the original file

“smb.conf.master” and create the “real” config file with

testparm -s smb.conf.master >smb.conf

This minimizes the size of the really used smb.conf file

which, according to the Samba Team, impacts performance

However, use this with caution if your smb.conf file contains nested

“include” statements. See Debian bug #483187 for a case

where using a master file is not a good idea.

#======================= Global Settings =======================



client plaintext auth = yes

client lanman auth = yes

client ntlmv2 auth = yes

lanman auth = yes

ntlm auth = yes

security = user

Change this to the workgroup/NT-domain name your Samba server will part of

workgroup = LAREGIE

server string is the equivalent of the NT Description field

server string = LA-REGIE

Windows Internet Name Serving Support Section:

WINS Support - Tells the NMBD component of Samba to enable its WINS Server

wins support = no

wins support = yes

WINS Server - Tells the NMBD components of Samba to be a WINS Client

Note: Samba can be either a WINS Server, or a WINS Client, but NOT both

; wins server = w.x.y.z

This will prevent nmbd to search for NetBIOS names through DNS.

dns proxy = no

What naming service and in what order should we use to resolve host names

to IP addresses

; name resolve order = lmhosts host wins bcast

netbios name = la-regie


The specific set of interfaces / networks to bind to

This can be either the interface name or an IP address/netmask;

interface names are normally preferred

; interfaces = eth0

Only bind to the named interfaces and/or networks; you must use the

‘interfaces’ option above to use this.

It is recommended that you enable this feature if your Samba machine is

not protected by a firewall or is a firewall itself. However, this

option cannot handle dynamic or non-broadcast interfaces correctly.

; bind interfaces only = yes


This tells Samba to use a separate log file for each machine

that connects

log file = /var/log/samba/log.%m

Cap the size of the individual log files (in KiB).

max log size = 1000

If you want Samba to only log through syslog then set the following

parameter to ‘yes’.

syslog only = no

We want Samba to log a minimum amount of information to syslog. Everything

should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log

through syslog you should set the following parameter to something higher.

syslog = 0

Do something sensible when Samba crashes: mail the admin a backtrace

panic action = /usr/share/samba/panic-action %d

####### Authentication #######

“security = user” is always a good idea. This will require a Unix account

in this server for every user accessing the server. See


in the samba-doc package for details.

security = user

You may wish to use password encryption. See the section on

‘encrypt passwords’ in the smb.conf(5) manpage before enabling.

encrypt passwords = true

If you are using encrypted passwords, Samba will need to know what

password database type you are using.

passdb backend = tdbsam

obey pam restrictions = yes

This boolean parameter controls whether Samba attempts to sync the Unix

password with the SMB password when the encrypted SMB password in the

passdb is changed.

unix password sync = yes

For Unix password sync to work on a Debian GNU/Linux system, the following

parameters must be set (thanks to Ian Kahan <kahan@informatik.tu-muenchen.de for

sending the correct chat script for the passwd program in Debian Sarge).

passwd program = /usr/bin/passwd %u
passwd chat = Enter\snew\s\spassword:* %n\n Retype\snew\s\spassword:* %n\n password\supdated\ssuccessfully .

This boolean controls whether PAM will be used for password changes

when requested by an SMB client instead of the program listed in

‘passwd program’. The default is ‘no’.

pam password change = yes

This option controls how unsuccessful authentication attempts are mapped

to anonymous connections

map to guest = bad user
os level = 40
ldap ssl = off
ldap passwd sync = yes
passdb backend = ldapsam:ldap://
ldap admin dn = cn=admin,dc=test,dc=lan
ldap suffix = dc=test,dc=lan
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Machines
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%m"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m “%u” "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x “%u” "%g"
set primary group script = /usr/sbin/smbldap-usermod -g “%g” "%u"
logon path = \%L\profile%U
logon drive = P:
logon home = \%L%U
logon script = %m.bat
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
case sensitive = No
default case = lower
preserve case = yes
short preserve case = Yes
hosts allow =
winbind use default domain = Yes
nt acl support = Yes
msdfs root = Yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/

########## Domains ###########

Is this machine able to authenticate users. Both PDC and BDC

must have this setting enabled. If you are the BDC you must

change the ‘domain master’ setting to no

domain logons = yes

local master = yes

domain logon = yes

The following setting only takes effect if ‘domain logons’ is set

It specifies the location of the user’s profile directory

from the client point of view)

The following required a [profiles] share to be setup on the

samba server (see below)

; logon path = \%N\profiles%U

Another common choice is storing the profile in the user’s home directory

(this is Samba’s default)

logon path = \%N%U\profile

The following setting only takes effect if ‘domain logons’ is set

It specifies the location of a user’s home directory (from the client

point of view)

; logon drive = H:

logon home = \%N%U

The following setting only takes effect if ‘domain logons’ is set

It specifies the script to run during logon. The script must be stored

in the [netlogon] share

NOTE: Must be store in ‘DOS’ file format convention

; logon script = logon.cmd

This allows Unix users to be created on the domain controller via the SAMR

RPC pipe. The example command creates a user account with a disabled Unix

password; please adapt to your needs

; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos “” %u

This allows machine accounts to be created on the domain controller via the

SAMR RPC pipe.

The following assumes a “machines” group exists on the system

; add machine script = /usr/sbin/useradd -g machines -c “%u machine account” -d /var/lib/samba -s /bin/false %u

This allows Unix groups to be created on the domain controller via the SAMR

RPC pipe.

; add group script = /usr/sbin/addgroup --force-badname %g



path = /home/netlogon

writable = No

browseable = No

write list = admin


path = /home/export/profile

browseable = No

writeable = Yes

profile acls = yes

create mask = 0700

directory mask = 0700


comment = Repertoire Personnel

browseable = No

writeable = Yes


#comment = Repertoire commun

#browseable = Yes

#writeable = Yes

#public = No

#path = /home/partage


comment = le partage de votre groupe numero 1

#browseable = Yes

#writeable = Yes

#read only = no

#read list =

public = No

path = /home/groupe1

valid users = @GRPE_groupe1

write list = @GRPE_groupe1

force group = @GRPE_groupe1

force user = root

force create mode = 0770

force directory mode = 0770


comment = le partage de votre groupe numéro 2

#browseable = Yes

#writeable =

#read only = no

public = No

#read list =

path = /home/groupe2

valid users = @GRPE_group2

write list = @GRPE_group2

#force l’utilisateur de la création d’un fichier

force user = root

#force le groupe de création d’un fichier / dossier

force group = @GRPE_group2

#force les acl d’un fichier à 770

force create mode = 0770

#force les acl d’un répertoire nouveau à 770

force directory mode = 0770


comment = le partage commun aux deux groupes

public = no

path = /home/groupe1groupe2

#lecture ok pour deux groupes

valid users = @GRPE_groupe1,@GRPE_groupe2

#ecriture uniquement pour le groupe coincoin

write list = @GRPE_groupe1,@GRPE_groupe2

force user = root

#parce qu’il en faut bien un propriétaire …

force group = @GRPE_groupe1

force create mode = 0770

force directory mode = 0770

########## Printing ##########

If you want to automatically load your printer list rather

than setting them up individually then you’ll need this

load printers = yes

lpr(ng) printing. You may wish to override the location of the

printcap file

; printing = bsd
; printcap name = /etc/printcap

CUPS printing. See also the cupsaddsmb(8) manpage in the

cupsys-client package.

; printing = cups
; printcap name = cups

comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No

############ Misc ############

Using the following line enables you to customise your configuration

on a per machine basis. The %m gets replaced with the netbios name

of the machine that is connecting

; include = /home/samba/etc/smb.conf.%m

Most people will find that this option gives better performance.

See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html

for details

You may want to add the following on a Linux system:


socket options = TCP_NODELAY

The following parameter is useful only if you have the linpopup package

installed. The samba maintainer and the linpopup maintainer are

working to ease installation and configuration of linpopup and samba.

; message command = /bin/sh -c ‘/usr/bin/linpopup “%f” “%m” %s; rm %s’ &

Domain Master specifies Samba to be the Domain Master Browser. If this

machine will be configured as a BDC (a secondary logon server), you

must set this to ‘no’; otherwise, the default behavior is recommended.

domain master = auto

Some defaults for winbind (make sure you’re not using the ranges

for something else.)

; idmap uid = 10000-20000
; idmap gid = 10000-20000
; template shell = /bin/bash

The following was the default behaviour in sarge,

but samba upstream reverted the default because it might induce

performance issues in large organizations.

See Debian bug #368251 for some of the consequences of not

having this setting and smb.conf(5) for details.

; winbind enum groups = yes
; winbind enum users = yes

Setup usershare options to enable non-root users to share folders

with the net usershare command.

Maximum number of usershare. 0 (default) means that usershare is disabled.

; usershare max shares = 100

Allow users who’ve been granted usershare privileges to create

public shares, not just authenticated ones

usershare allow guests = yes

#======================= Share Definitions =======================

comment = Home Directories
browseable = no

By default, the home directories are exported read-only. Change the

next parameter to ‘no’ if you want to be able to write to them.

read only = yes

File creation mask is set to 0700 for security reasons. If you want to

create files with group=rw permissions, set next parameter to 0775.

create mask = 0700

Directory creation mask is set to 0700 for security reasons. If you want to

create dirs. with group=rw permissions, set next parameter to 0775.

directory mask = 0700

By default, \server\username shares can be connected to by anyone

with access to the samba server.

The following parameter makes sure that only “username” can connect

to \server\username

This might need tweaking when using external authentication schemes

valid users = %S

Un-comment the following and create the netlogon directory for Domain Logons

(you need to configure Samba to act as a domain controller too.)

; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes

Un-comment the following and create the profiles directory to store

users profiles (see the “logon path” option above)

(you need to configure Samba to act as a domain controller too.)

The path below should be writable by all users so that their

profile directory may be created the first time they log on

; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700

comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700

Windows clients look for this share name as a source of downloadable

printer drivers

comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no

Uncomment to allow remote administration of Windows print drivers.

You may need to replace ‘lpadmin’ with the name of the group your

admin users are members of.

Please note that you also need to set appropriate Unix permissions

to the drivers directory for these users to have write rights in it

; write list = root, @lpadmin

A sample share for sharing your CD-ROM with others.

; comment = Samba server’s CD-ROM
; read only = yes
; locking = no
; path = /cdrom
; guest ok = yes

The next two parameters show how to auto-mount a CD-ROM when the

cdrom share is accesed. For this to work /etc/fstab must contain

an entry like this:

/dev/scd0 /cdrom iso9660 defaults,noauto,ro,user 0 0

The CD-ROM gets unmounted automatically after the connection to the

If you don’t want to use auto-mounting/unmounting make sure the CD

is mounted on /cdrom

; preexec = /bin/mount /cdrom
; postexec = /bin/umount /cdrom[/code]

Je suis désolé de poster quasiment toute ma conf (c’est un peu long à lire…) mais je pense que si quelqu’un peut m’aider ça sera nécessaire…

Je remercie par avance mes sauveurs !

Le sage a dit :
Ubuntu est un mot africain qui signifie : Celui qui ne sait pas paramétrer Debian.


Que renvoi la commande :

Peux tu nous poster tes logs aussi stp ?



merci de prendre du temps pour répondre, kinit n’est pas installé. En fait je n’ai absolument pas installé/paramétré kerberos (peut-être à tords)…
Quels logs dois-je poster ?

dans le syslog j’ai moult lignes du type :

L’arborescence de mon ldap :

+--> dc=test,dc=lan (8) ---> cn=admin +--> ou=Groups (9) | ---> cn=Account Operators | ---> cn=Administrators | ---> cn=Backup Operators | ---> cn=Domain Admins | ---> cn=Domain Computers | ---> cn=Domain Guests | ---> cn=Domain Users | ---> cn=Print Operators | ---> cn=Replicators | ---> Créer une nouvelle entrée ici ---> ou=Idmap +--> ou=Machines (1) | ---> uid=vincent | ---> Créer une nouvelle entrée ici +--> ou=Users (3) | ---> uid=nobody | ---> uid=root | ---> uid=vremy | ---> Créer une nouvelle entrée ici ---> sambaDomainName=LA-REGIE ---> sambaDomainName=LAREGIE ---> sambaDomainName=NS2

Merci encore


Derien c’est normal !
Je ne suis vraiment pas un GURU en la matière, donc n’ai pas trop espoir en moi lol, par contre ca fait toujours du bien d’avoir une réponse, on se sent moins seul !

As tu regarder ce lien ?
wiki.samba.org/index.php/Registr … le_domains

Lorsque j’avais configurer un PDC (for testing purpose) j’avais suivi le tuto de samba. As tu regarder de ce côté la ?
EDIT : wiki.samba.org/index.php/Samba_AD_DC_HOWTO

As tu essayer cette commande (à adapter) et si oui fonctionne t’elle?

smbclient -U " WINDOMAIN\winuser" -L sambapdc

Que te renvoi Win quand tu essai de l’ajouter au domaine ?



Ce matin j’ai testé ta commande mais sans grand succès :

root@ns2:~# smbclient -U "la-regie/vremy" -L sambapdc Enter la-regie/vremy's password: Connection to sambapdc failed (Error NT_STATUS_BAD_NETWORK_NAME)

J’avais effectivement modifié la base de registre sous le client windows 7 tel que montré dans le premier lien.

Voici la liste des partages vu par smbclient :

[code]root@ns2:~# smbclient -L localhost -U%
Domain=[LAREGIE] OS=[Unix] Server=[Samba 3.6.6]

Sharename       Type      Comment
---------       ----      -------
IPC$            IPC       IPC Service (LA-REGIE)
print$          Disk      Printer Drivers
groupe1groupe2  Disk      le partage commun aux deux groupes
partage2        Disk      le partage de votre groupe numéro 2
partage1        Disk      le partage de votre groupe numero 1

Domain=[LAREGIE] OS=[Unix] Server=[Samba 3.6.6]

Server               Comment
---------            -------
LA-REGIE             LA-REGIE

Workgroup            Master
---------            -------
LAREGIE              LA-REGIE[/code]

enfin la commande de test avec smbclient :

root@ns2:~# smbclient //localhost/netlogon -U root% -c 'ls' Anonymous login successful Domain=[LAREGIE] OS=[Unix] Server=[Samba 3.6.6] tree connect failed: NT_STATUS_ACCESS_DENIED

Par contre pour le paramétrage de bind (9.8), je ne comprends pas car je n’ai aucun des fichier de samba sur mon serveur. Je dois ajouter ça au named.conf de bind :

include "/usr/local/samba/private/named.conf";

mais impossible de “locate”, la doc dit qu’il ne faut pas chrooter bind :imp: !

root@ns2:/usr/share/samba# locate named.conf /etc/bind.old/named.conf /etc/bind.old/named.conf.default-zones /etc/bind.old/named.conf.local /etc/bind.old/named.conf.options /usr/share/bind9/named.conf.options /usr/share/man/man5/named.conf.5.gz /var/bind9/chroot/etc/bind/named.conf /var/bind9/chroot/etc/bind/named.conf.default-zones /var/bind9/chroot/etc/bind/named.conf.local /var/bind9/chroot/etc/bind/named.conf.log /var/bind9/chroot/etc/bind/named.conf.options

Un PDC sous linux c’est super hardcore, je ne sais pas pourquoi je me suis lancé là dedans c’est peut être trop pour moi !


Le problème vient que le -L sambapdc était à adapter avec le nom de ton PDC. Réessaie avec les bons paramètres et dis moi ce que ca donne :wink: !
Pour info, cette commande sert à authentifier un user sur ton PDC. Donc tant qu’elle ne fonctionnera pas tu ne pourras joindre tes machines au domaine.

Lorsque tu as des erreurs de type NT_MACHINBIDULE, n’hésite pas à googliser cette erreur en apposant “samba PDC” derrière => C’est magique le nombre de réponse que tu auras :smiley:

As tu une vision globale de comment fonctionne un AD sous windows ? le rapport qu’il a avec les DNS, le DHCP, etc ? Si c’est flou essai d’investiguer la dessus.

Il m’est difficile de comprendre ce qui bloque mais installer un PDC samba 4 avec la doc que le wiki de samba 4 est à la portée de n’importe qui ayant 2,3 bases d’anglais et d’informatique.
Je ne saurais que te conseiller de recommencer la config en suivant ce wiki…

Bon courage !

ok merci du conseil, je retenterai la semaine prochaine. :pray:

en remplaçant par le nom du SRV :

root@ns2:~# smbclient -U "" -L ns2.test.lan Enter's password: session setup failed: NT_STATUS_UNSUCCESSFUL :078

Le problème vient probablement du fait que j’ai chrooté bind. Je vais retenter sans installer de DNS sur la même machine.

dans les liens que tu as posté tout à l’heure, il semble que l’auteur a compilé samba je regarderai aussi si ça change quelque chose car il me manque pas mal d’outils utilisés dans les wiki…

Merci de ton aide.

Si jamais quelqu’un connaît un tuto valable pour la config d’openldap/samba je prends !

The best ! The one ! My everything :

Bonne chance !

Hello world,

J’ai finalement décidé de conserver mon install et de la déboguer et VICTOIRE !!! Après m’être débattu avec Samba je me suis aperçu que j’avais mal déclaré une des directives dans le smb.conf. ==> domain logon au lieu de domain logons !!!

Je vais essayer de le remonter pour être spur de capte ce que j’ai fais puis je posterai un tuto à ma sauce si j’y arrive.

Merci quand même à Zenitude qui a tenté de m’aider (je n’ai pas eu à utiliser kerberos et avec ma méthode pas besoin de Samba 4.xxx, la version fournie par les dépôts suffit! )…

Content pour toi !!
N’hésite pas à marquer ton sujet comme résolu !