[samba-jp:18764] Samba+OpenLDAPでUsrmgr.exeが使えない。

吉原 隆夫 takao.yoshihara @ nifty.com
2006年 7月 2日 (日) 18:10:02 JST


こんばんは、お世話になります、吉原です。
標題の件、Fedora Core 4(2.6.17-1.2139_FC4 i686)上でSamba(samba-3.0.14a-2)+OpenLDAP(openldap-2.2.29-1.FC4)で構築を行ったのですが、
Usrmgr.exe上でユーザー追加・変更やグループ追加・変更を行おうとすると、『アクセスを拒否されました』や『グループが存在しません』というエラーメッセージが出て正常操作が出来ません。
smbldap-toolsはsmbldap-tools-0.9.2-2.fc4を使っていますが、LDAP Browser上で確認するときちんと各コンテナは参照出来ます。
またSambaマシン上でnet groupmap listを打つと現在以下のような状態です。
[root @ server ~]# net groupmap list
Domain Admins (S-1-5-21-3844345059-1490840216-351516261-512) -> Domain Admins
Domain Users (S-1-5-21-3844345059-1490840216-351516261-513) -> Domain Users
Domain Guests (S-1-5-21-3844345059-1490840216-351516261-514) -> Domain Guests
Domain Computers (S-1-5-21-3844345059-1490840216-351516261-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Power Users (S-1-5-32-547) -> Power Users
Account Operators (S-1-5-32-548) -> Account Operators
System Operators (S-1-5-32-549) -> System Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
users (S-1-5-32-545) -> Users
Guests (S-1-5-32-546) -> Guests
尚、Sambaドメインに参加させたマシンからはグローバルグループの参照も出来ます。 
以下にsmb.confの内容を記載致します。
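# Global parameters
# smb.conf for a Samba 3.0.x domain controller using the ldapsam backend with
# smbldap-tools. Lines that the mail client had wrapped in the original post
# (passwd chat, the group scripts and one comment) are restored to single lines.
[global]
 unix charset = UTF-8
 dos charset = CP932
 display charset = UTF-8
 workgroup = YOSHIHARAS
 netbios name = SERVER
 # "admin users" makes this account root-equivalent for file access on every
 # share; keep the list as short as possible. It presumably does not by itself
 # confer the RPC account-management rights Usrmgr needs -- confirm.
 admin users = Administrator
 guest account = Guest
 security = USER
 # With privileges enabled, the account driving Usrmgr must hold the matching
 # rights (e.g. SeAddUsersPrivilege, SeMachineAccountPrivilege), assigned with
 # "net rpc rights grant"; missing rights would explain "access denied" -- verify.
 enable privileges = yes
 # Listen only on loopback and eth0.
 interfaces = 127.0.0.1 eth0
 bind interfaces only = yes
 #username map = /etc/samba/smbusers
 server string = Samba Server %v
 #security = ads
 encrypt passwords = Yes
 #min passwd length = 3
 #pam password change = no
 #obey pam restrictions = No
 # Both sync options are on: Samba appears to write the LDAP password itself
 # AND run the passwd program below, so a change goes through two paths --
 # confirm that this is intended.
 ldap passwd sync = Yes
 unix password sync = Yes
 passwd program = /usr/local/sbin/smbldap-passwd -u %u
 # Must be a single line; the original post had it wrapped by the mailer.
 passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
 #passwd chat debug = Yes
 # Level 0 records almost nothing; raise it temporarily (and restore it
 # afterwards) while diagnosing the Usrmgr failures.
 log level = 0
 syslog = 0
 log file = /var/log/samba/log.%m
 # kilobytes
 max log size = 100000
 time server = Yes
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 mangling method = hash2
 # Roaming profiles and per-user logon scripts served from [netlogon]/[profiles].
 logon script = %U.cmd
 logon drive = Z:
 logon home = //SERVER/%U/profiles
 logon path = //SERVER/profiles/%U
 domain logons = Yes
 domain master = Yes
 os level = 64
 preferred master = Yes
 wins support = yes
 template shell = /bin/false
 winbind use default domain = no
 # LDAP is reached over loopback only (no TLS needed on the wire here).
 passdb backend = ldapsam:ldap://localhost/
 # Binds as the directory rootdn, i.e. full write access to the whole DIT.
 # Least privilege would be a dedicated DSA entry limited to the Samba subtrees
 # (cf. the commented idealx-style dn below).
 ldap admin dn = cn=Manager,dc=takao,dc=dyndns,dc=org
 #ldap admin dn = cn=samba,ou=DSA,dc=idealx,dc=org
 ldap suffix = dc=takao,dc=dyndns,dc=org
 ldap group suffix = ou=Group
 ldap user suffix = ou=People
 ldap machine suffix = ou=Computers
 #ldap idmap suffix = ou=Idmap
 # Account/group provisioning is delegated to smbldap-tools; %u/%g are quoted
 # so names with spaces survive the shell.
 add user script = /usr/local/sbin/smbldap-useradd -m "%u"
 #ldap delete dn = Yes
 delete user script = /usr/local/sbin/smbldap-userdel -r "%u"
 add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
 add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
 #delete group script = /usr/local/sbin/smbldap-groupdel "%g"
 add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
 delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
 set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
 # printers configuration
 printer admin = @"Print Operators"
 load printers = Yes
 # Share-level defaults: new files 0640, new directories 0750 unless a share
 # overrides them.
 create mask = 0640
 directory mask = 0750
 #force create mode = 0640
 #force directory mode = 0750
 nt acl support = No
 printing = cups
 printcap name = cups
 # minutes of inactivity before a connection is dropped
 deadtime = 10
 #guest account = nobody
 #map to guest = Bad User
 dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
 show add printer wizard = yes
 # to maintain capital letters in shortcuts in any of the profile folders:
 preserve case = yes
 short preserve case = yes
 case sensitive = no
 idmap uid = 16777216-33554431
 idmap gid = 16777216-33554431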
[homes]
 # Per-user home directories; hidden from browse lists, writable.
 comment = Home Directories
 writable = yes
 browseable = no
 # Soft delete through vfs_recycle into a .recycle folder inside the share.
 vfs objects = recycle
 recycle:repository = .recycle
 recycle:versions = yes
 recycle:keeptree = no
 recycle:touch = no
 # 0 = no size limit on recycled files
 recycle:maxsize = 0
 # patterns that are deleted outright instead of recycled
 recycle:exclude = *.tmp ~$*
[netlogon]
 # Logon scripts (%U.cmd, see "logon script" in [global]); read-only, hidden.
 path = /home/netlogon/
 read only = yes
 browseable = No
[profiles]
 comment = User profiles directory
 path = /profiles
 browseable = No
 read only = No
 # New files and directories are private to their owner.
 create mask = 0600
 directory mask = 0700
 profile acls = Yes
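[printers]
 comment = Network Printers
 printer admin = @"Print Operators"
 # Unauthenticated clients may submit print jobs to these queues.
 guest ok = yes
 path = /home/spool/
 browseable = No
 read only = Yes
 # "printable" appeared twice (yes / Yes) in the original; one entry suffices.
 printable = Yes
 # Explicit spooler commands; with "printing = cups" (set in [global]) and a
 # libcups-enabled build these may be ignored in favour of the CUPS API -- confirm.
 print command = /usr/bin/lpr -P%p -r %s
 lpq command = /usr/bin/lpq -P%p
 lprm command = /usr/bin/lprm -P%p %j
 # alternative commands that pass the client identity (%U@%M), kept for reference
 # print command = /usr/bin/lpr -U%U@%M -P%p -r %s
 # lpq command = /usr/bin/lpq -U%U@%M -P%p
 # lprm command = /usr/bin/lprm -U%U@%M -P%p %j
 # lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
 # lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
 # queuepause command = /usr/sbin/lpc -U%U@%M stop %p
 # queueresume command = /usr/sbin/lpc -U%U@%M start %p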
[print$]
 # Printer driver share: only Print Operators may connect, and only they may write.
 path = /home/printers
 browseable = Yes
 guest ok = No
 read only = Yes
 valid users = @"Print Operators"
 write list = @"Print Operators"
 create mask = 0664
 directory mask = 0775
[public]
 # Shared writable area; "guest ok" is not set, so anonymous access is not enabled.
 comment = Public Stuff
 path = /home/samba
 writable = yes
 # Inherits create/directory mask 0640/0750 from [global]; files written here are
 # presumably not readable by other users unless group ownership lines up -- confirm.
 vfs objects = recycle
 recycle:repository = .recycle
 recycle:versions = yes
 recycle:keeptree = no
 recycle:touch = no
 # 0 = no size limit on recycled files
 recycle:maxsize = 0
 # patterns that are deleted outright instead of recycled
 recycle:exclude = *.tmp ~$*
以上です。何か考えられる原因等御座いましたらご教授宜しくお願い致します。
吉原 隆夫
takao.yoshihara @ nifty.com 


