[Samba] samba ldap problem

Morgan Hallgren morgan.hallgren at gmail.com
Fri Jun 10 14:20:56 GMT 2005


I have tried to create a Samba domain with an LDAP backend.

This is what my LDAP structure looks like.

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: example
dc: example

# groups, example.com
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

# Domain Admins, groups, example.com
dn: cn=Domain Admins,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-3527759599-3696857034-3584459987-512
sambaGroupType: 2
displayName: Domain Admins

# Domain Users, groups, example.com
dn: cn=Domain Users,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-3527759599-3696857034-3584459987-513
sambaGroupType: 2
displayName: Domain Users

# Domain Guests, groups, example.com
dn: cn=Domain Guests,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-3527759599-3696857034-3584459987-514
sambaGroupType: 2
displayName: Domain Guests

# computers, example.com
dn: ou=computers,dc=example,dc=com
objectClass: organizationalUnit
ou: computers

# PDC, example.com
dn: sambaDomainName=PDC,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: PDC
sambaNextGroupRid: 90000
sambaNextUserRid: 90000
sambaSID: S-1-5-21-3527759599-3696857034-3584459987
sambaNextRid: 90000

# people, example.com
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

# root, people, example.com
dn: uid=root,ou=people,dc=example,dc=com
uid: root
sambaSID: S-1-5-21-3527759599-3696857034-3584459987-500
sambaPrimaryGroupSID: S-1-5-21-3527759599-3696857034-3584459987-512
displayName: root
sambaAcctFlags: [U          ]
objectClass: account
objectClass: sambaSamAccount
sambaPwdMustChange: 2147483647
sambaLMPassword: 63D2114DE42F744B30A84C4AFE5AFFFF
sambaNTPassword: 5460FB29D247C383F63E1E3A417FC39B
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdCanChange: 1118395221
sambaPwdLastSet: 1118395221

# win2k$, Computers, example.com
dn: uid=win2k$,ou=Computers,dc=example,dc=com
uid: win2k$
sambaSID: S-1-5-21-3527759599-3696857034-3584459987-3022
sambaPrimaryGroupSID: S-1-5-21-3527759599-3696857034-3584459987-1201
objectClass: sambaSamAccount
objectClass: account
displayName: win2k$
sambaPwdMustChange: 2147483647
sambaAcctFlags: [W          ]
sambaPwdCanChange: 1118395893
sambaNTPassword: 5C70F10A2EAD0B4FE5588114C98ED1ED
sambaPwdLastSet: 1118395893

# Martin Hallgren, people, example.com
dn: cn=Martin Hallgren,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
objectClass: krb5Principal
objectClass: krb5KDCEntry
objectClass: sambaSamAccount
krb5PrincipalName: martin@EXAMPLE.COM
krb5KeyVersionNumber: 1
krb5MaxLife: 86400
krb5MaxRenew: 604800
krb5KDCFlags: 126
cn: Martin Hallgren
givenName: Martin
mail: martin@example.com
sn: Hallgren
uid: martin
uidNumber: 1050
gidNumber: 100
homeDirectory: /home/martin
loginShell: /bin/bash
sambaAcctFlags: [U          ]
sambaSID: S-1-5-21-3527759599-3696857034-3584459987-3250
sambaPwdCanChange: 1118395383
sambaPwdMustChange: 2147483647
sambaLMPassword: 01FC5A6BE7BC6929AAD3B435B51404EE
sambaNTPassword: 0CB6948805F797BF2A82807973B89537
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1118395383

# nobody, people, example.com
dn: uid=nobody,ou=people,dc=example,dc=com
objectClass: account
objectClass: sambaSamAccount
objectClass: posixAccount
uid:: bm9ib2R5ICAgICAgICAgICAgICAgICA=
sambaPwdLastSet: 0
sambaLogonTime: 2147483647
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 2147483647
sambaPwdMustChange: 2147483648
displayName: Nobody
cn: Nobody
sambaSID: S-1-5-21-3527759599-3696857034-3584459987-501
sambaPrimaryGroupSID: S-1-5-21-3527759599-3696857034-3584459987-514
gecos:: Tm9ib2R5IG9yIEd1ZXN0ICAgICAgIA==
homeDirectory:: L2Rldi9udWxsICAgICAgICAgICAgIA==
loginShell:: L2Rldi9udWxsICAgICA=
uidNumber: 65534
gidNumber: 65534
sambaAcctFlags: [UX         ]

# Morgan Hallgren, people, example.com
dn: cn=Morgan Hallgren,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
objectClass: krb5Principal
objectClass: krb5KDCEntry
objectClass: sambaSamAccount
krb5PrincipalName: morgan@EXAMPLE.COM
krb5KeyVersionNumber: 1
krb5MaxLife: 86400
krb5MaxRenew: 604800
krb5KDCFlags: 126
cn: Morgan Hallgren
givenName: Morgan
mail: morgan@example.com
sn: Hallgren
uid: moja
uidNumber: 1000
gidNumber: 100
homeDirectory: /home/morgan
loginShell: /bin/bash
sambaAcctFlags: [U          ]
sambaSID: S-1-5-21-3527759599-3696857034-3584459987-3000
sambaPwdMustChange: 2147483647
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdCanChange: 1118412748
sambaLMPassword: 44EFCE164AB921CAAAD3B435B51404EE
sambaNTPassword: 32ED87BDB5FDC5E9CBA88547376818D4
sambaPwdLastSet: 1118412748

# nobody, groups, example.com
dn: cn=nobody,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 501
cn: nobody
memberUid: nobody
description: Netbios Domain nobody
sambaSID: S-1-5-21-3527759599-3696857034-3584459987-501
sambaGroupType: 2
displayName: Domain nobody


And smb.conf

netbios name = samba
workgroup = PDC
server string = PDC [on Gentoo :: Samba server %v]

hosts allow = 192.168.0.0/24 127.0.0.0/8
security = user
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = lo eth0
bind interfaces only = yes

local master = yes
#os level = 65
os level = 99
domain master = yes
preferred master = yes
enable privileges = yes
null passwords = no
hide unreadable = yes
hide dot files = yes

domain logons = yes
logon script = login.bat  OR %U.bat
logon path =  \\%L\%U\profile
logon drive = H:
logon home = \\%L\%U\.9xprofile
#logon home = \\%L\%u\.win_profile\%m

#logon path =
#logon home =

wins support = yes
name resolve order = wins lmhosts hosts bcast
dns proxy = no

time server = yes
log file = /var/log/samba/log.%m
max log size = 50

#smb passwd file = /var/lib/samba/private/smbpasswd

passdb backend = ldapsam:ldap://kerberos.example.com
ldap ssl = start tls
ldap suffix = dc=example,dc=com
ldap user suffix = ou=people,dc=example,dc=com
ldap group suffix = ou=groups,dc=example,dc=com
ldap machine suffix = ou=computers,dc=example,dc=com
# FYI, the password for this user is stored in
# /etc/samba/secrets.tdb.  It is created by running
# 'smbpasswd -w passwd'
ldap admin dn = cn=manager,dc=example,dc=com

#add machine script = /usr/local/sbin/smbldap-useradd -w "%u"


# syncing with the Kerberos passwords
passwd chat debug = yes
debug level = 100
#ldap password sync = yes
#obey pam restrictions = no
#unix password sync = yes
#passwd program = /usr/sbin/kadmin -l passwd %u@EXAMPLE.COM
#passwd chat = "*" %n\r "*" %n\r "*"

unix charset = ISO8859-1

[netlogon]
 path = /var/lib/samba/netlogon
 public = no
 writeable = no
 browseable = no

[profiles]
 path = /home/%u/profile
 browseable = no
 writeable = yes
 default case = lower
 preserve case = no
 short preserve case = no
 case sensitive = no
 hide files = /desktop.ini/ntuser.ini/NTUSER.*/
 create mode = 0600
 directory mode = 0700

[homes]
 path = /home/%U
 browseable = no
 valid users = %S
 writable = yes
 guest ok = no
 inherit permissions = yes

[public]
 comment = Public Stuff
 path = /var/lib/samba/profiles
 public = yes
 writeable = yes
 browseable = yes
 write list = @users

I have joined the computer win2k to the domain and I can log in as the
user moja. But when I try to open his home dir, slapd searches for
the nobody user.

Jun 10 15:49:39 st_olof slapd[7004]: conn=93 op=1 BIND 
dn="cn=manager,dc=example,dc=com" mech=SIMPLE ssf=0
Jun 10 15:49:39 st_olof slapd[7004]: conn=93 op=1 RESULT tag=97 err=0 
text=
Jun 10 15:49:39 st_olof slapd[7003]: conn=93 op=2 SRCH 
base="ou=people,dc=example,dc=com" scope=1 
filter="(&(objectClass=posixAccount)(uid=nobody))"
Jun 10 15:49:39 st_olof slapd[7003]: conn=93 op=2 SRCH attr=uid 
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos 
description objectClass
Jun 10 15:49:39 st_olof slapd[7003]: conn=93 op=2 SEARCH RESULT tag=101 
err=0 nentries=1 text=
Jun 10 15:49:39 st_olof slapd[7004]: conn=93 op=3 SRCH 
base="ou=people,dc=example,dc=com" scope=1 
filter="(&(objectClass=posixAccount)(uid=nobody))"
Jun 10 15:49:39 st_olof slapd[7004]: conn=93 op=3 SEARCH RESULT tag=101 
err=0 nentries=1 text=
Jun 10 15:49:39 st_olof slapd[7003]: conn=93 op=4 SRCH 
base="ou=Groups,dc=example,dc=com" scope=1 
filter="(&(objectClass=posixGroup)(|(memberUid=nobody)(uniqueMember=uid=nobody,ou=people,dc=example,dc=com)))"
Jun 10 15:49:39 st_olof slapd[7003]: conn=93 op=4 SRCH attr=gidNumber
Jun 10 15:49:39 st_olof slapd[7003]: <= bdb_equality_candidates: 
(uniqueMember) index_param failed (18)
Jun 10 15:49:39 st_olof slapd[7004]: conn=93 op=5 SRCH 
base="ou=Groups,dc=example,dc=com" scope=1 
filter="(&(objectClass=posixGroup)(uniqueMember=cn=nobody,ou=groups,dc=example,dc=com))"
Jun 10 15:49:39 st_olof slapd[7004]: conn=93 op=5 SRCH attr=gidNumber
Jun 10 15:49:39 st_olof slapd[7004]: <= bdb_equality_candidates: 
(uniqueMember) index_param failed (18)
Jun 10 15:49:39 st_olof slapd[7003]: conn=93 op=4 SEARCH RESULT tag=101 
err=0 nentries=1 text=
Jun 10 15:49:39 st_olof slapd[7004]: conn=93 op=5 SEARCH RESULT tag=101 
err=0 nentries=0 text=
Jun 10 15:49:39 st_olof slapd[7003]: conn=93 op=6 SRCH 
base="ou=group,dc=example,dc=com" scope=2 
filter="(&(objectClass=posixGroup)(uniqueMember=cn=nobody,ou=groups,dc=example,dc=com))"
Jun 10 15:49:39 st_olof slapd[7003]: conn=93 op=6 SRCH attr=gidNumber
Jun 10 15:49:39 st_olof slapd[7003]: conn=93 op=6 RESULT tag=101 err=32 
text=
Jun 10 15:49:39 st_olof slapd[7003]: conn=93 op=7 SRCH 
base="ou=group,dc=example,dc=com" scope=2 
filter="(&(objectClass=posixGroup)(|(memberUid=nobody)(uniqueMember=uid=nobody,ou=people,dc=example,dc=com)))"
Jun 10 15:49:39 st_olof slapd[7003]: conn=93 op=7 SRCH attr=gidNumber
Jun 10 15:49:39 st_olof slapd[7003]: conn=93 op=7 RESULT tag=101 err=32 
text=
Jun 10 15:49:39 st_olof slapd[7003]: conn=92 op=4 SRCH 
base="ou=groups,dc=example,dc=com,dc=example,dc=com" scope=2 
filter="(&(objectClass=sambaGroupMapping)(gidNumber=501))"

This hangs the system for some seconds. Does anyone know why this
happens and how to get around it?
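Reading the slapd records above, as an added example (editor's code, not the poster's and not Samba's). LOG is constructed from the log lines in the post, re-joined one record per line with timestamps dropped and a few records left out. The script pairs each SRCH with its RESULT and flags the three things a practitioner would check first: the search under `ou=group,dc=example,dc=com` that slapd answers with err=32 (noSuchObject: the posted LDIF only has `ou=groups`), the equality filter on uniqueMember that has no index, and the base `ou=groups,dc=example,dc=com,dc=example,dc=com`, which is what Samba 3 builds when an `ldap group suffix` is given as a full DN, because smb.conf(5) defines the user, group and machine suffixes as relative to `ldap suffix` and prepends them. `samba_search_base` reproduces that composition; the function names and the message texts are my own.

```python
"""Triage of slapd search records like those in the post (added example, not
the poster's or Samba's code). LOG is constructed: the post's log lines
re-joined one record per line, timestamps dropped, a few records omitted."""
import re

LOG = """\
conn=93 op=2 SRCH base="ou=people,dc=example,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=nobody))"
conn=93 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=93 op=4 SRCH base="ou=Groups,dc=example,dc=com" scope=1 filter="(&(objectClass=posixGroup)(|(memberUid=nobody)(uniqueMember=uid=nobody,ou=people,dc=example,dc=com)))"
<= bdb_equality_candidates: (uniqueMember) index_param failed (18)
conn=93 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=93 op=6 SRCH base="ou=group,dc=example,dc=com" scope=2 filter="(&(objectClass=posixGroup)(uniqueMember=cn=nobody,ou=groups,dc=example,dc=com))"
conn=93 op=6 RESULT tag=101 err=32 text=
conn=92 op=4 SRCH base="ou=groups,dc=example,dc=com,dc=example,dc=com" scope=2 filter="(&(objectClass=sambaGroupMapping)(gidNumber=501))"
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) (?:SEARCH )?RESULT tag=\d+ err=(\d+)(?: nentries=(\d+))?')
INDEX_RE = re.compile(r'\((\w+)\) index_param failed')


def parse_log(log):
    """Pair every SRCH with its RESULT (keyed by conn/op) and attach the
    'index_param failed' warnings slapd printed while that search ran."""
    ops, order, last = {}, [], None
    for line in log.splitlines():
        if m := SRCH_RE.search(line):
            last = (m.group(1), m.group(2))
            ops[last] = {"base": m.group(3), "scope": int(m.group(4)),
                         "filter": m.group(5), "err": None, "nentries": None,
                         "unindexed": []}
            order.append(last)
        elif (m := RESULT_RE.search(line)) and (m.group(1), m.group(2)) in ops:
            rec = ops[(m.group(1), m.group(2))]
            rec["err"] = int(m.group(3))
            rec["nentries"] = int(m.group(4)) if m.group(4) else None
        elif (m := INDEX_RE.search(line)) and last:
            ops[last]["unindexed"].append(m.group(1))
    return [ops[k] for k in order]


def samba_search_base(ldap_suffix, sub_suffix):
    """Samba 3 treats 'ldap user/group/machine suffix' as relative and prepends
    it to 'ldap suffix'; a full DN there yields a doubled suffix."""
    return "%s,%s" % (sub_suffix, ldap_suffix) if sub_suffix else ldap_suffix


def triage(log, ldap_suffix):
    """Return human-readable findings for the searches in `log`."""
    findings = []
    for op in parse_log(log):
        base = op["base"]
        if base.endswith(",%s,%s" % (ldap_suffix, ldap_suffix)):
            findings.append("doubled suffix in base %r: an 'ldap ... suffix' in "
                            "smb.conf is absolute; make it relative" % base)
        if op["err"] == 32:
            findings.append("base %r does not exist (err=32 noSuchObject); "
                            "fix the client's search base" % base)
        for attr in op["unindexed"]:
            findings.append("equality filter on unindexed %s under %r; add "
                            "'index %s eq' to slapd.conf" % (attr, base, attr))
    return findings


if __name__ == "__main__":
    # The posted value reproduces the doubled base seen on conn=92 op=4.
    print(samba_search_base("dc=example,dc=com", "ou=groups,dc=example,dc=com"))
    for f in triage(LOG, "dc=example,dc=com"):
        print("-", f)
```

One more thing worth a look in the posted log: conn=93 does a SIMPLE bind as `cn=manager,dc=example,dc=com`, the same DN as `ldap admin dn`, and then asks for the attribute set (uid, userPassword, uidNumber, gidNumber, homeDirectory, loginShell, gecos) that an nss_ldap-style client requests, not Samba's `sambaSamAccount` filter. If that connection comes from the host's NSS/PAM stack rather than smbd, the directory manager credentials are also configured on that client, and a less privileged bind DN for name-service lookups would be the safer choice.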


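A consistency pass over the posted tree, as an added example (editor's code, not the poster's and not Samba's). SAMPLE_LDIF is a constructed excerpt of the entries shown above, trimmed to the attributes the checks need, with all but one password hash removed and the base64 uid copied as posted. The checks report what would send Samba or an nss_ldap lookup off after entries that are not there: a sambaPrimaryGroupSID with no matching group (win2k$ points at RID 1201, which the post does not contain), one SID used by both a user and a group (RID 501 sits on uid=nobody and on cn=nobody), sambaSamAccount entries without posixAccount (the log's `(objectClass=posixAccount)` filter cannot find them), a gidNumber with no posixGroup, a stored LM hash, and a uid whose base64 value decodes to `nobody` followed by spaces. Function names and messages are my own.

```python
"""Consistency checks for a Samba-3 ldapsam tree (added example, not the
poster's code). SAMPLE_LDIF is constructed from entries in the post, trimmed
to the attributes the checks need; the base64 uid is copied as posted."""
import base64

SAMPLE_LDIF = """\
dn: sambaDomainName=PDC,dc=example,dc=com
objectClass: sambaDomain
sambaSID: S-1-5-21-3527759599-3696857034-3584459987

dn: cn=Domain Guests,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
sambaSID: S-1-5-21-3527759599-3696857034-3584459987-514

dn: cn=nobody,ou=groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 501
sambaSID: S-1-5-21-3527759599-3696857034-3584459987-501

dn: uid=root,ou=people,dc=example,dc=com
objectClass: sambaSamAccount
uid: root
sambaSID: S-1-5-21-3527759599-3696857034-3584459987-500

dn: uid=win2k$,ou=Computers,dc=example,dc=com
objectClass: sambaSamAccount
uid: win2k$
sambaSID: S-1-5-21-3527759599-3696857034-3584459987-3022
sambaPrimaryGroupSID: S-1-5-21-3527759599-3696857034-3584459987-1201

dn: uid=nobody,ou=people,dc=example,dc=com
objectClass: sambaSamAccount
objectClass: posixAccount
uid:: bm9ib2R5ICAgICAgICAgICAgICAgICA=
gidNumber: 65534
sambaSID: S-1-5-21-3527759599-3696857034-3584459987-501
sambaPrimaryGroupSID: S-1-5-21-3527759599-3696857034-3584459987-514

dn: cn=Morgan Hallgren,ou=people,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: moja
gidNumber: 100
sambaSID: S-1-5-21-3527759599-3696857034-3584459987-3000
sambaLMPassword: 44EFCE164AB921CAAAD3B435B51404EE
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes 'attr::' base64
    values without stripping them, returns {attr.lower(): [values]} per entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # folded continuation line
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:
        if not line:
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, val = line.partition(":")
            if val.startswith(":"):           # base64: keep decoded text as-is
                val = base64.b64decode(val[1:].strip()).decode("utf-8")
            else:
                val = val.strip()
            cur.setdefault(attr.lower(), []).append(val)
    return entries


def has_oc(entry, oc):
    return oc.lower() in (v.lower() for v in entry.get("objectclass", []))


def check_domain(entries):
    """Return {dn: [problem, ...]} for what breaks Samba or the nss_ldap lookup
    seen in the slapd log (filter (&(objectClass=posixAccount)(uid=...)))."""
    problems = {}
    flag = lambda e, msg: problems.setdefault(e["dn"][0], []).append(msg)
    group_sids = {e["sambasid"][0] for e in entries if has_oc(e, "sambaGroupMapping")}
    gids = {e["gidnumber"][0] for e in entries if has_oc(e, "posixGroup")}
    seen = {}                                 # sambaSID -> first dn carrying it
    for e in entries:
        for sid in e.get("sambasid", []):
            if sid in seen:
                flag(e, "sambaSID %s already used by %s" % (sid, seen[sid]))
            seen.setdefault(sid, e["dn"][0])
        for pg in e.get("sambaprimarygroupsid", []):
            if pg not in group_sids:
                flag(e, "sambaPrimaryGroupSID %s has no sambaGroupMapping entry" % pg)
        if has_oc(e, "sambaSamAccount") and not has_oc(e, "posixAccount"):
            flag(e, "sambaSamAccount without posixAccount: invisible to nss_ldap")
        if has_oc(e, "posixAccount"):
            gid = e.get("gidnumber", [None])[0]
            if gid not in gids:
                flag(e, "gidNumber %s has no posixGroup entry" % gid)
        if "sambalmpassword" in e:
            flag(e, "stores an LM hash (sambaLMPassword), trivially crackable if the directory leaks")
        for uid in e.get("uid", []):
            if uid != uid.strip():
                flag(e, "uid %r carries surrounding whitespace" % uid)
    return problems


if __name__ == "__main__":
    for dn, msgs in check_domain(parse_ldif(SAMPLE_LDIF)).items():
        print(dn, *("   " + m for m in msgs), sep="\n")
```

The slapd lookup in the post matched `uid=nobody` against the padded value only because LDAP's caseIgnoreMatch ignores leading and trailing spaces; any client that compares the returned uid literally (or writes it back as a member value) will not.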