[Samba] Re: Getting Winbind IDMAP into LDAP?
Gibbs, Simon
Simon.Gibbs at informa.com
Tue Aug 16 09:35:16 GMT 2005
Hi Gints,
Changing nsswitch.conf from:
passwd: files ldap
group: files ldap
to
passwd: files winbind
group: files winbind
did the trick. Running getent passwd/group began populating LDAP and I can
search all the records using ldapsearch and slapcat.
Would this be an error in the documentation as (unless I was reading the
wrong section) it uses the ldap entries in its example?
My one concern is that when winbind is stopped and restarted the
winbindd_idmap.tdb and winbindd_cache.tdb files are recreated and entries
are added. Would this be expected?
I guess I can test this today when I begin configuring a second node.....
Thanks for your help.
Simon
> From: gints neimanis <gints at venta.lv>
> Date: Tue, 16 Aug 2005 11:57:48 +0300
> To: "Gibbs, Simon" <Simon.Gibbs at informa.com>, <samba at lists.samba.org>
> Subject: Re: Getting Winbind IDMAP into LDAP?
>
> Hi,
>
> to use ldap as winbind idmap backend, you don't need the NSS_LDAP at all.
> All queries and updates to ldap are performed by winbind itself.
>
> Your smb.conf looks fine.
> You may check 2 things:
> * Have you stored the LDAP Manager password to LDAP database with
> command "smbpasswd -w 'verysecretldapmanager password'" ?
> * and look if you have added winbind to /etc/nsswitch.conf (and then
> command "getent passwd" should show all domain users with id from ldap)?
> like:
> ===
> ...
> passwd: files winbind
> group: files winbind
> ...
> ===
>
> Next - you may increase the loglevel (loglevel 256) for LDAP server and
> look in ldap messages what is wrong in connection.
>
> Gints
>
> Gibbs, Simon wrote:
>> Hi,
>>
>> I've been trying to populate an LDAP directory with IDMAP information from
>> Winbind using NSS_LDAP without much success over the last week.
>> Can anybody tell me if I've done anything obviously wrong?
>>
>> I've followed the example shown in the Samba 'By Example' doc and am at the
>> stage where the LDAP directory has been created and configured, NSS_LDAP
>> config is amended, smb.conf contains entries to use LDAP as a backend and I
>> have deleted /var/cache/samba/winbindd_cache.tdb and winbindd_idmap.tdb. Now
>> wbinfo -u and wbinfo -g show users and groups on the domain but getent
>> passwd/groups only displays local users. The winbindd_cache.tdb and
>> winbindd_idmap.tdb files have been recreated but only winbindd_cache.tdb
>> holds any information. When I attempt to access a Samba share I'm prompted
>> to enter a username and password.
>>
>> As I understand it once the wbinfo commands have been run this process
>> should automatically populate the Idmap ou with the ID mappings - is this
>> correct? If so there must be something wrong with my config.
>>
>> Here's the current config and relevant info - sorry it's a bit long:
>>
>> /etc/samba/smb.conf
>>
>> [global]
>> workgroup = UKCORPLAN
>> netbios name = UKFS01
>> server string = UKFS01 Samba Server
>> winbind separator = /
>> ldap ssl = no
>> idmap uid = 10000-10000000
>> idmap gid = 10000-10000000
>> ldap admin dn = cn=Manager,dc=uk,dc=corplan,dc=net
>> ldap idmap suffix = ou=Idmap
>> ldap suffix = dc=uk,dc=corplan,dc=net
>> idmap backend = ldap:ldap://10.10.4.111/
>> winbind enum users = yes
>> winbind enum groups = yes
>> template homedir = /mnt/emcpowerb/user/%D/%U
>> template shell = /bin/bash
>> password server = ukdc01.uk.corplan.net
>> security = ADS
>> #encrypt passwords = yes
>> realm = uk.corplan.net
>> browseable = yes
>> username map = /etc/samba/smbusers
>> log level = 10 ads:10 auth:10 sam:10 rpc:10 idmap:10
>> syslog = 0
>> log file = /var/log/samba/%m
>> max log size = 50
>> #============================ Share Definitions ==============================
>> [homes]
>> comment = Home Directories
>> browseable = no
>> writable = yes
>>
>> [public]
>> comment = Public Stuff
>> path = /home/samba
>> public = yes
>> read only = no
>>
>> [test]
>> comment = test share
>> path = /mnt/emcpowera/shared/test
>> public = yes
>> browseable = yes
>> writeable = yes
>>
>> /etc/nsswitch.conf
>>
>> passwd: files ldap
>> shadow: files ldap
>> group: files ldap
>>
>> #hosts: db files nisplus nis dns
>> hosts: files dns
>>
>> /etc/openldap/slapd.conf
>>
>> #
>> # See slapd.conf(5) for details on configuration options.
>> # This file should NOT be world readable.
>> #
>> ## schema files (core.schema is required by default)
>> include /etc/openldap/schema/core.schema
>>
>> ## needed for sambaSamAccount
>> include /etc/openldap/schema/cosine.schema
>> include /etc/openldap/schema/inetorgperson.schema
>> include /etc/openldap/schema/nis.schema
>> include /etc/openldap/schema/samba.schema
>>
>> # Allow LDAPv2 client connections. This is NOT the default.
>> allow bind_v2
>>
>> # Do not enable referrals until AFTER you have a working directory
>> # service AND an understanding of referrals.
>> #referral ldap://root.openldap.org
>>
>> pidfile /var/run/slapd.pid
>> argsfile /var/run/slapd.args
>>
>> # Load dynamic backend modules:
>> # modulepath /usr/sbin/openldap
>> # moduleload back_bdb.la
>> # moduleload back_ldap.la
>> # moduleload back_ldbm.la
>> # moduleload back_passwd.la
>> # moduleload back_shell.la
>>
>> # Sample access control policy:
>> # Root DSE: allow anyone to read it
>> # Subschema (sub)entry DSE: allow anyone to read it
>> # Other DSEs:
>> # Allow self write access
>> # Allow authenticated users read access
>> # Allow anonymous users to authenticate
>> # Directives needed to implement policy:
>> # access to dn.base="" by * read
>> # access to dn.base="cn=Subschema" by * read
>> #access to *
>> # by self write
>> # by users read
>> # by anonymous auth
>> #
>> # if no access controls are present, the default policy
>> # allows anyone and everyone to read anything but restricts
>> # updates to rootdn. (e.g., "access to * by * read")
>> #
>> # rootdn can always read and write EVERYTHING!
>>
>> #######################################################################
>> # ldbm and/or bdb database definitions
>> #######################################################################
>>
>> database bdb
>> suffix "dc=uk,dc=corplan,dc=net"
>> rootdn "cn=Manager,dc=uk,dc=corplan,dc=net"
>> # Cleartext passwords, especially for the rootdn, should
>> # be avoided. See slappasswd(8) and slapd.conf(5) for details.
>> # Use of strong authentication encouraged.
>> rootpw secret
>>
>> # The database directory MUST exist prior to running slapd AND
>> # should only be accessible by the slapd and slap tools.
>> # Mode 700 recommended.
>> directory /var/lib/ldap/samba
>>
>> # Indices to maintain for this database
>> # Required by OpenLDAP
>> index objectClass eq,pres
>> index ou,cn,mail,surname,givenname eq,pres,sub
>> index uidNumber,gidNumber,loginShell eq,pres
>> index uid,memberUid eq,pres,sub
>> index nisMapName,nisMapEntry eq,pres,sub
>>
>> # Indices required for Samba
>> index sambaSID eq
>> index sambaPrimaryGroupSID eq
>> index sambaDomainName eq
>> index default sub
>>
>> /etc/openldap/ldap.conf
>>
>> #
>> # LDAP Defaults
>> #
>>
>> # See ldap.conf(5) for details
>> # This file should be world readable but not world writable.
>>
>> #BASE dc=example, dc=com
>> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
>>
>> #SIZELIMIT 12
>> #TIMELIMIT 15
>> #DEREF never
>> HOST 10.10.4.111
>> BASE dc=uk,dc=corplan,dc=net
>> #TLS_CACERTDIR /etc/openldap/cacerts
>>
>> /etc/ldap.conf - nss_ldap config - only shows changes the rest is as default
>>
>> # @(#)$Id: ldap.conf,v 1.34 2004/09/16 23:32:02 lukeh Exp $
>> #
>> # This is the configuration file for the LDAP nameservice
>> # switch library and the LDAP PAM module.
>> #
>> # PADL Software
>> # http://www.padl.com
>> #
>>
>> # Your LDAP server. Must be resolvable without using LDAP.
>> # Multiple hosts may be specified, each separated by a
>> # space. How long nss_ldap takes to failover depends on
>> # whether your LDAP client library supports configurable
>> # network or connect timeouts (see bind_timelimit).
>> host 10.10.4.111
>>
>> # The distinguished name of the search base.
>> base dc=uk,dc=corplan,dc=net
>>
>> # Another way to specify your LDAP server is to provide an
>> # uri with the server name. This allows to use
>> # Unix Domain Sockets to connect to a local LDAP Server.
>> uri ldap://10.10.4.111/
>> #uri ldaps://127.0.0.1/
>> #uri ldapi://%2fvar%2frun%2fldapi_sock/
>> # Note: %2f encodes the '/' used as directory separator
>>
>> # The LDAP version to use (defaults to 3
>> # if supported by client library)
>> #ldap_version 3
>>
>> # The distinguished name to bind to the server with.
>> # Optional: default is to bind anonymously.
>> binddn cn=Manager,dc=uk,dc=corplan,dc=net
>>
>> # The credentials to bind with.
>> # Optional: default is no credential.
>> bindpw secret
>>
>> # Do not hash the password at all; presume
>> # the directory server will do it, if
>> # necessary. This is the default.
>> pam_password exop
>>
>> # RFC2307bis naming contexts
>> # Syntax:
>> # nss_base_XXX base?scope?filter
>> # where scope is {base,one,sub}
>> # and filter is a filter to be &'d with the
>> # default filter.
>> # You can omit the suffix eg:
>> # nss_base_passwd ou=People,
>> # to append the default base DN but this
>> # may incur a small performance impact.
>> nss_base_passwd ou=People,dc=uk,dc=corplan,dc=net?one
>> nss_base_shadow ou=People,dc=uk,dc=corplan,dc=net?one
>> nss_base_group ou=Groups,dc=uk,dc=corplan,dc=net?one
>> #nss_base_hosts ou=Hosts,dc=example,dc=com?one
>> #nss_base_services ou=Services,dc=example,dc=com?one
>> #nss_base_networks ou=Networks,dc=example,dc=com?one
>> #nss_base_protocols ou=Protocols,dc=example,dc=com?one
>> #nss_base_rpc ou=Rpc,dc=example,dc=com?one
>> #nss_base_ethers ou=Ethers,dc=example,dc=com?one
>> #nss_base_netmasks ou=Networks,dc=example,dc=com?one
>> #nss_base_bootparams ou=Ethers,dc=example,dc=com?one
>> #nss_base_aliases ou=Aliases,dc=example,dc=com?one
>> #nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
>>
>> [root at UKFS01 etc]# slapcat | grep -i IDMAP
>> o: Samba Idmap Directory
>> dn: ou=Idmap,dc=uk,dc=corplan,dc=net
>> ou: idmap
>>
>> I've googled about a bit and haven't been able to find too much except this
>> thread:
>> http://www.mail-archive.com/samba@lists.samba.org/msg30905.html
>>
>> But I've checked most of the info and it looks OK in comparison to my
>> setup.
>>
>> Any help with this is much appreciated...
>>
>> Thanks,
>>
>> Simon
>
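As an added example (not from the thread, Samba or nss_ldap), a small Python check of what slapcat now exports: it cross-checks the sambaIdmapEntry objects idmap_ldap writes under ou=Idmap against the idmap uid/gid ranges from the smb.conf above, flagging ids outside the range and one Unix id mapped to two SIDs. The SIDs and the LDIF are constructed; the attribute and object class names are those from samba.schema.

```python
import re
# Constructed sample: the idmap ranges from the smb.conf posted in the thread.
SMB_CONF = "[global]\nidmap uid = 10000-10000000\nidmap gid = 10000-10000000\n"
# Constructed LDIF in the shape idmap_ldap writes (as slapcat exports it); SIDs are
# made up, and the last two entries deliberately carry a duplicate uid and an out-of-range gid.
SAMPLE_LDIF = """dn: sambaSID=S-1-5-21-111-222-333-1105,ou=Idmap,dc=uk,dc=corplan,dc=net
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-111-222-333-1105
uidNumber: 10000

dn: sambaSID=S-1-5-21-111-222-333-1106,ou=Idmap,dc=uk,dc=corplan,dc=net
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-111-222-333-1106
uidNumber: 10000

dn: sambaSID=S-1-5-21-111-222-333-513,ou=Idmap,dc=uk,dc=corplan,dc=net
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-111-222-333-513
gidNumber: 999
"""

def parse_ranges(smb_conf):
    """Return {'uid': (lo, hi), 'gid': (lo, hi)} from the 'idmap uid/gid = lo-hi' lines."""
    pat = r"^\s*idmap (uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)"
    return {k: (int(lo), int(hi)) for k, lo, hi in re.findall(pat, smb_conf, re.M)}

def parse_ldif(ldif):
    entries = []  # one {attribute: [values]} dict per blank-line separated LDIF entry
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for attr, _, value in (line.partition(": ") for line in block.splitlines()):
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def check_idmap(smb_conf, ldif):
    """Flag ids outside the configured range and one Unix id shared by two SIDs."""
    ranges, seen, findings = parse_ranges(smb_conf), {}, []
    for e in parse_ldif(ldif):
        if "sambaIdmapEntry" not in e.get("objectClass", []):
            continue  # skip the ou itself and the sambaUnixIdPool allocation counter
        sid = e["sambaSID"][0]
        for kind, (lo, hi) in ranges.items():
            for num in e.get(kind + "Number", []):
                if not lo <= int(num) <= hi:
                    findings.append(f"{sid}: {kind} {num} outside {lo}-{hi}")
                first = seen.setdefault((kind, num), sid)  # first SID seen with this id
                if first != sid:  # two domain identities would own the same files
                    findings.append(f"{kind} {num} mapped to both {first} and {sid}")
    return findings
```

Run it against real data with `check_idmap(open("/etc/samba/smb.conf").read(), slapcat_output)`, where slapcat_output is the text of `slapcat` (or an ldapsearch with base ou=Idmap) on the master.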