Bonjour a tous.
L’année dernière pour “m’amuser” j’ai monté un Contrôleur de Domain SAMBA OPENldap.
Cette année je dois justement en faire un PDC avec réplication multimaster.

Bon la n’est pas le problème mais j’ai un petit soucis que je n’arrive pas a résoudre.

J’arrive a accéder a la page de login de mon PDC mais mon Windaube me retourne une erreur.
http://imageshack.us/photo/my-images/834/deb1.png

Au début je pensais que c’était du a la lenteur de mon réseau. Mais j’ai mis toutes mes machines virtuel en VirtualPrivateNetwork
Sachant que 192.168.1.3 est ma machine Windows.

Quand je regarde les logs on remarque que mon SAMABA me refuse les connexions :

log nmbd

[2012/04/03 01:11:22.613770,  0] lib/access.c:410(check_access)
  Denied connection from  (192.168.1.3)
[2012/04/03 01:11:22.614093,  1] smbd/process.c:2295(smbd_process)
  Connection denied from 192.168.1.3
[2012/04/03 01:11:50.863345,  0] lib/access.c:410(check_access)
  Denied connection from  (192.168.1.3)
[2012/04/03 01:11:50.863661,  1] smbd/process.c:2295(smbd_process)
  Connection denied from 192.168.1.3
[2012/04/03 01:12:30,  0] smbd/server.c:1123(main)
  smbd version 3.5.6 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2010
[2012/04/03 01:12:30.677554,  0] printing/print_cups.c:108(cups_connect)
  Unable to connect to CUPS server localhost:631 - Connexion refusée
[2012/04/03 01:12:30.679940,  0] printing/print_cups.c:108(cups_connect)
  Unable to connect to CUPS server localhost:631 - Connexion refusée

log smbd

http://imageshack.us/photo/my-images/404/deb2.png

Fichier smb.conf

[code]### A changer: pas d’espace, ni point === >
workgroup = epsiprojet.fr

A changer, mettre le meme nom que le nom de votre machine === >

netbios name = PDC
server string = Samba-LDAP PDC Server
domain master = Yes
local master = Yes
domain logons = Yes
os level = 40
interfaces = eth0
bind interfaces only = Yes
#passwd program = /usr/sbin/smbldap-passwd ?u %u
ldap passwd sync = Yes
passdb backend = ldapsam:ldap://192.168.1.50/

A changer === >

ldap admin dn = cn=admin,dc=epsiprojet,dc=fr

A changer === >

ldap suffix = dc=epsiprojet,dc=fr
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Machines
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p “%g”
#delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m “%u” "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x “%u” "%g"
set primary group script = /usr/sbin/smbldap-usermod -g “%g” "%u"
logon path = \%L\profile%U
logon drive = P:
logon home = \%L%U
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
case sensitive = No
default case = lower
preserve case = yes
short preserve case = Yes
#character set = iso8859-1
#domain admin group = @admin
dns proxy = No
wins support = Yes
ldap ssl = off

A changer si vous n’utilisez pas ce réau === >

hosts allow = 172.20.116.0 255.255.0.0
winbind use default domain = Yes
nt acl support = Yes
msdfs root = Yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/

FIN DE LA PARTIE GLOBALE

LES PARTAGES

[netlogon]
path = /home/netlogon
writable = No
browseable = No
write list = Administrateur

[profile]
path = /home/export/profile
browseable = No
writeable = Yes
profile acls = yes
create mask = 0700
directory mask = 0700

[homes]
comment = Repertoire Personnel
browseable = No
writeable = Yes

[partage]
comment = Repertoire commun
browseable = Yes
writeable = Yes
public = No
path = /home/partage
[/code]

Fichier smbtools

[code]sambaDomain = epsiprojet
SID="S-1-5-21-904419580-1409684714-593550753"
masterLDAP="192.168.1.50"
masterPort="389"
slaveLDAP="192.168.1.51"
slavePort="389"
ldapTLS="0"
verify="require"
suffix="dc=epsiprojet,dc=fr"
usersdn="ou=Users,${suffix}"
computersdn="ou=Machines,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn=“ou=Idmap,${suffix}”

La ligne ci-dessous est commentee pour eviter une erreur lors de

l’execution de la commande smbldap-populate.

sambaUnixIdPooldn=“cn=NextFreeUnixId,${suffix}”

#sambaUnixIdPooldn="sambaDomainName=dev,${suffix}“
scope=“sub"
hash_encrypt=“SSHA"
crypt_salt_format=”%s"
userLoginShell=”/bin/bash"
userHome=”/home/%U"
userHomeDirectoryMode=“700”
#Nom d’affichage - utiliser smbldap-useradd -c
userGecos="User"
defaultUserGid=“513"
defaultComputerGid=“515"
skeletonDir=”/etc/skel”
#Les mots de passe expirent dans 10ans
defaultMaxPasswordAge=“3650"
with_smbpasswd=“0"
smbpasswd=”/usr/bin/smbpasswd"
with_slappasswd=“0"
slappasswd=”/usr/sbin/slappasswd”

mk_ntpasswd="/usr/local/sbin/mkntpwd"

[/code]

Merci

Questions peut être connes, mais :

• Dans ton smb.conf :

### A changer: pas d'espace, ni point === > workgroup = epsiprojet.fr
Malgré le commentaire pile au dessus, il y a un “point” ; ne faut-il pas mettre workgroup = epsiprojet ?

• As tu bien ajouté ton PC dans tes comptes machines ?

Oui, l’a machine s’ajoute automatiquement.
En effet j’ai supprimé le .fr du fichier smb.conf c’était une mauvaise modification de ma part.

Cependant, quand je regarde les log de mon SAMBA

[2012/04/05 00:37:02.359235,  0] rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate: no challenge sent to client JEANLOUIS-DESKT
[2012/04/05 00:38:13.888972,  0] rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate: no challenge sent to client JEANLOUIS-DESKT
[2012/04/05 00:38:14.467332,  0] passdb/pdb_interface.c:348(pdb_default_create_user)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "jeanlouis-deskt$"' gave 9

Il autorise désormais mon poste XP, mais il n’envoie pas de Challenge.
Et la en revanche je ne trouve pas de documentation dessus.

Oni’

Tu nous informe que :

Fichier smb.conf :

### A changer si vous n'utilisez pas ce réau === >
hosts allow = 172.20.116.0 255.255.0.0

Puis :

Sachant que 192.168.1.3 est ma machine Windows... Quand je regarde les logs on remarque que mon SAMABA me refuse les connexions :

j’ai la meme erreur que toi :
[2012/04/14 13:21:47.745095, 0] rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate: no challenge sent to client VERVANT

mon smb.conf :

[global]

Browsing/Identification

Change this to the workgroup/NT-domain name your Samba server will part of

workgroup = CDCANGELY2011
netbios name = carene

server string is the equivalent of the NT Description field

server string = %h server

Windows Internet Name Serving Support Section:

WINS Support - Tells the NMBD component of Samba to enable its WINS Server

wins support = yes

WINS Server - Tells the NMBD components of Samba to be a WINS Client

Note: Samba can be either a WINS Server, or a WINS Client, but NOT both

; wins server = w.x.y.z

This will prevent nmbd to search for NetBIOS names through DNS.

dns proxy = no

What naming service and in what order should we use to resolve host names

to IP addresses

; name resolve order = lmhosts host wins bcast

Networking

The specific set of interfaces / networks to bind to

This can be either the interface name or an IP address/netmask;

interface names are normally preferred

; interfaces = 127.0.0.0/8 eth0
; interfaces = 20.0.0.0/24 192.168.17.0/24
interfaces = eth0
; interfaces = 127.0.0.1/8 bond0

Only bind to the named interfaces and/or networks; you must use the

‘interfaces’ option above to use this.

It is recommended that you enable this feature if your Samba machine is

not protected by a firewall or is a firewall itself. However, this

option cannot handle dynamic or non-broadcast interfaces correctly.

bind interfaces only = no

#PVS : Doit etre a non a cause du vpn

Debugging/Accounting

This tells Samba to use a separate log file for each machine

that connects

log file = /var/log/samba/log.%m

Cap the size of the individual log files (in KiB).

max log size = 100

If you want Samba to only log through syslog then set the following

parameter to ‘yes’.

syslog only = no

We want Samba to log a minimum amount of information to syslog. Everything

should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log

through syslog you should set the following parameter to something higher.

syslog = 1

Do something sensible when Samba crashes: mail the admin a backtrace

panic action = /usr/share/samba/panic-action %d

####### Authentication #######

“security = user” is always a good idea. This will require a Unix account

in this server for every user accessing the server. See

/usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html

in the samba-doc package for details.

security = user

You may wish to use password encryption. See the section on

‘encrypt passwords’ in the smb.conf(5) manpage before enabling.

encrypt passwords = true

If you are using encrypted passwords, Samba will need to know what

password database type you are using.

passdb backend = tdbsam

obey pam restrictions = yes

password with the SMB password when the encrypted SMB password in the

passdb is changed.

unix password sync = yes

For Unix password sync to work on a Debian GNU/Linux system, the following

parameters must be set (thanks to Ian Kahan <kahan@informatik.tu-muenchen.de for

sending the correct chat script for the passwd program in Debian Sarge).

passwd program = /usr/bin/smbldap-passwd %u
passwd chat = Enter\snew\s\spassword:* %n\n Retype\snew\s\spassword:* %n\n password\supdated\ssuccessfully .

This boolean controls whether PAM will be used for password changes

when requested by an SMB client instead of the program listed in

‘passwd program’. The default is ‘no’.

pam password change = yes

########## Domains ###########

Is this machine able to authenticate users. Both PDC and BDC

must have this setting enabled. If you are the BDC you must

change the ‘domain master’ setting to no

domain logons = yes

The following setting only takes effect if ‘domain logons’ is set

It specifies the location of the user’s profile directory

from the client point of view)

The following required a [profiles] share to be setup on the

samba server (see below)

logon path = \%N\profiles%U

Another common choice is storing the profile in the user’s home directory

(this is Samba’s default)

logon path = \%N%U\profile

The following setting only takes effect if ‘domain logons’ is set

It specifies the location of a user’s home directory (from the client

point of view)

logon drive = Z:
logon home = \%N%U

The following setting only takes effect if ‘domain logons’ is set

It specifies the script to run during logon. The script must be stored

in the [netlogon] share

NOTE: Must be store in ‘DOS’ file format convention

logon script = logon.bat

This allows Unix users to be created on the domain controller via the SAMR

RPC pipe. The example command creates a user account with a disabled Unix

password; please adapt to your needs

; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos “” %u
; delete user script = /usr/sbin/userdel %u
; delete user from group script = /usr/sbin/deluser %u %g

This allows machine accounts to be created on the domain controller via the

SAMR RPC pipe.

The following assumes a “machines” group exists on the system

; add machine script = /usr/sbin/useradd -g machines -c “%u machine account” -d /var/lib/samba -s /bin/false %u

RPC pipe.

; add group script = /usr/sbin/addgroup --force-badname %g
; delete group script = /usr/sbin/groupdel %g

########## Printing ##########

If you want to automatically load your printer list rather

than setting them up individually then you’ll need this

; load printers = yes
; use sendfile = no

lpr(ng) printing. You may wish to override the location of the

printcap file

; printing = bsd
; printcap name = /etc/printcap

CUPS printing. See also the cupsaddsmb(8) manpage in the

cupsys-client package.

; printing = cups
; printcap name = cups

Setting No to this parameter Allow to store printers drivers

on the server

; use client driver = no

When using [print$], root is implicitly a ‘printer admin’, but you can

also give this right to other users to add drivers and set printer

properties

; printer admin = @informatique,@“Domain Admins”,root,@pvs_tic

############ LDAP ############
ldap debug level = 1

ldap passwd sync = yes
obey pam restrictions = no
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=carene,dc=cdc
ldap admin dn = cn=admin,dc=carene,dc=cdc
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Machines
ldap idmap suffix = ou=Idmap
idmap backend = dc=carene,dc=cdc

ldap ssl = off
#Groups
add group script = /usr/sbin/smbldap-groupadd -p “%g”

delete group script = /usr/sbin/smbldap-groupdel “%g”

#Users
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap_userdel "%u"
add user to group script = /usr/sbin/smbldap-groupmod -m “%u” "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x “%u” "%g"
set primary group script = /usr/sbin/smbldap-usermod -g “%g” “%u”

#machine
add machine script = /usr/sbin/smbldap-useradd -w “%u”

#supression
ldap delete dn = yes
############ Misc ############

Using the following line enables you to customise your configuration

on a per machine basis. The %m gets replaced with the netbios name

of the machine that is connecting

; include = /home/samba/etc/smb.conf.%m

Most people will find that this option gives better performance.

See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html

for details

You may want to add the following on a Linux system:

SO_RCVBUF=8192 SO_SNDBUF=8192

socket options = TCP_NODELAY

socket options = TCP_NODELAY SO_SNDBUF=16384 SO_RCVBUF=16384

The following parameter is useful only if you have the linpopup package

installed. The samba maintainer and the linpopup maintainer are

working to ease installation and configuration of linpopup and samba.

; message command = /bin/sh -c ‘/usr/bin/linpopup “%f” “%m” %s; rm %s’ &

Domain Master specifies Samba to be the Domain Master Browser. If this

machine will be configured as a BDC (a secondary logon server), you

must set this to ‘no’; otherwise, the default behavior is recommended.

domain master = yes
local master = yes
preferred master = no
time server = yes

Some defaults for winbind (make sure you’re not using the ranges

for something else.)

; idmap uid = 10000-20000
; idmap gid = 10000-20000
; template shell = /bin/bash

The following was the default behaviour in sarge,

but samba upstream reverted the default because it might induce

performance issues in large organizations.

See Debian bug #368251 for some of the consequences of not

having this setting and smb.conf(5) for details.

; winbind enum groups = yes
; winbind enum users = yes

Setup usershare options to enable non-root users to share folders

with the net usershare command.

Maximum number of usershare. 0 (default) means that usershare is disabled.

; usershare max shares = 100

hide files = DESKTOP/desktop.ini/ntuser.ini/NTUSER.*/

########## Charset Settings ###########
; display charset = ISO8859-15
; unix charset = ISO8859-15
; dos charset = 850

; nt acl support = yes

j’ai refait 3 fois mon install et toujours le meme message d’erreur?
Quelqu’un à une idée?
merci d 'avance

J’ai pas regardé le details de vos fichier de conf mais j’ai moi meme eu a mettre en place un pdc samba avec authentification ldap sur une debian squeeze. Jai eu du mal jusqu’a ce que je trouve ce tuto :

http://www.progenvrac.com/spip.php?article19

Suivez pas a pas et ca marche parfaitement
Donc je sais pas si vous en avez encore besoin mais au cas ou…

Sinon Onitsha, je voulais savoir si tu avais deja avancé sur la réplication de l’annuaire ldap multi-maitre. Par ce que je dois faire ca aussi et jai du mal a trouver de la doc sur le net… (surtout pour ldap v3 sous squeeze ).

Justement je suis encore dessus, je suis en phase de finaliser.
Dans tous les cas je dois faire une documentation et la finaliser.
Donc je la mettrai en ligne

Oni’ ^^

BONJOUR

[quote=“Onitsha”]…
Dans tous les cas je dois faire une documentation et la finaliser.
Donc je la mettrai en ligne
Oni’ ^^[/quote]
Tu pourrai nous aider a poster ce sujet sur le wiki du forum.