[Samba] IDMAP LDAP problems

John H Terpstra jht at samba.org
Thu Mar 31 17:40:13 GMT 2005


On Thursday 31 March 2005 04:40, Meli Marco wrote:
> Hi,
> I'm running samba-3.0.13-1 on RH9
> (openldap-2.0.27-8, krb5-1.2.7-10, nss_ldap-202-5) configured as shown
> below; my intention is only to make IDMAP storage in LDAP using winbind.
> I've looked at the Samba-3 by Example book and the related official guide on
> the site.
> First I tried to run samba and winbind retrieving users and groups from
> ADS and storing them in the winbindd_idmap.tdb and winbindd_cache.tdb files,
> and it seemed to work fine.
> Then I introduced the LDAP backend and the related configuration as shown
> below, but I received the errors at the bottom of the message.
> Why doesn't it work? I found only examples that show domains with only one
> prefix; could my LDAP configuration be wrong?
> Thanks.
> Marco.
>
> /etc/samba/smb.conf
>         netbios name = XXXX03
>         os level = 16
>         wins server = XXX.XXX.XXX.XXX
>         socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
>         unix charset = LOCALE
>         workgroup = WORKGROUP
>         realm = PREFIX1.PREFIX2.COM
>         security = ADS
>         password server = kdc01.sinter.gkn.com
>         encrypt passwords = yes
>         winbind use default domain = Yes
>         winbind separator = /
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         ldap ssl = No
>         ldap admin dn = cn=Manager,dc=prefix1,dc=prefix2,dc=com
>         ldap idmap suffix = ou=Idmap
>         ldap suffix = dc=prefix1,dc=prefix2,dc=com
>         idmap backend = ldap:ldap://localhost
>         idmap uid = 10000-40000
>         idmap gid = 10000-40000
>         hide unreadable = Yes
>         template homedir = /data/user/%U
>         template shell = /bin/false
>         use sendfile = Yes
>
> /etc/nsswitch.conf
> passwd:     compat ldap
> shadow:     compat ldap
> group:        compat ldap
> hosts:        files dns wins
>
> /etc/ldap.conf
> host 127.0.0.1
> base dc=prefix1,dc=prefix2,dc=com
> binddn cn=Manager,dc=prefix1,dc=prefix2,dc=com
> bindpw secret
> pam_password exop
> nss_base_passwd         ou=People,dc=prefix1,dc=prefix2,dc=com?one
> nss_base_shadow         ou=People,dc=prefix1,dc=prefix2,dc=com?one
> nss_base_group          ou=Group,dc=prefix1,dc=prefix2,dc=com?one
> ssl no
>
> /etc/openldap/idmap.ldif
> dn: dc=prefix1,dc=prefix2,dc=com
> objectClass: dcObject
> objectClass: organization
> dc: prefix1.prefix2
> o: xxx
> description: xxx
>
> dn: cn=Manager,dc=prefix1,dc=prefix2,dc=com
> objectClass: organizationalRole
> cn: Manager
> description: Directory Manager
>
> dn: ou=Idmap,dc=prefix1,dc=prefix2,dc=com
> objectClass: organizationalUnit
> ou: idmap
>
> /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = PREFIX1.PREFIX2.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>
> [realms]
>  PREFIX1.PREFIX2.COM = {
>   kdc = KDC01.PREFIX1.PREFIX2.COM
>  }
>
> [domain_realm]
>  .prefix1.prefix2.com = PREFIX1.PREFIX2.COM
>  prefix1.prefix2.com = PREFIX1.PREFIX2.COM
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>
> /var/spool/samba/log.winbindd
> [2005/03/30 17:53:26, 0] sam/idmap.c:idmap_init(138)
>   idmap_init: failed to initialize remote backend!
> [2005/03/30 17:53:26, 1] nsswitch/winbindd.c:main(897)
>   Could not init idmap -- netlogon proxy only
> [2005/03/30 17:54:34, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
>   error getting user id for sid
> S-1-5-21-597916725-1483147915-620655208-19426
> [2005/03/30 17:54:34, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
>   error getting user id for sid
> S-1-5-21-597916725-1483147915-620655208-19426

Did you store the LDAP server access password 'secret' into the Samba 
secrets.tdb file?

	smbpasswd -w secret


- John T.
-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
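A consistency check for the idmap LDAP settings discussed above, added here as an example (not code from the thread or from Samba): it parses the posted smb.conf keys, derives the idmap DN that must exist in the directory, flags a cleartext admin bind to a remote LDAP server, and maps the quoted winbindd error to the secrets.tdb fix in the reply. The smb.conf and log excerpts are constructed from the values quoted in the mail.

```python
# Constructed excerpts of the smb.conf and log.winbindd quoted in the thread.
SMB_CONF = """[global]
        ldap ssl = No
        ldap admin dn = cn=Manager,dc=prefix1,dc=prefix2,dc=com
        ldap idmap suffix = ou=Idmap
        ldap suffix = dc=prefix1,dc=prefix2,dc=com
        idmap backend = ldap:ldap://localhost
        idmap uid = 10000-40000
        idmap gid = 10000-40000
"""
WINBINDD_LOG = """[2005/03/30 17:53:26, 0] sam/idmap.c:idmap_init(138)
  idmap_init: failed to initialize remote backend!
"""

def parse_smb_conf(text):
    """Map 'key = value' lines to a dict with lower-cased keys; sections and comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf

def check_idmap_ldap(conf, log=""):
    """Return (idmap_dn, findings) for a winbind idmap LDAP backend configuration."""
    findings = []
    backend = conf.get("idmap backend", "")
    if not backend.startswith("ldap:"):
        return None, ["idmap backend is not LDAP; nothing to check"]
    for key in ("ldap admin dn", "ldap suffix", "idmap uid", "idmap gid"):
        if key not in conf:
            findings.append(f"missing '{key}'")
    # 'ldap idmap suffix' is a partial DN prepended to 'ldap suffix'; that entry must exist
    # in the directory (here ou=Idmap,dc=prefix1,dc=prefix2,dc=com, as in the posted LDIF).
    suffix = conf.get("ldap suffix", "")
    partial = conf.get("ldap idmap suffix", "")
    idmap_dn = f"{partial},{suffix}" if partial else suffix
    local = "localhost" in backend or "127.0.0.1" in backend
    if conf.get("ldap ssl", "no").lower() == "no" and not local:
        findings.append("ldap ssl = No with a remote LDAP server: the admin bind is sent in clear")
    # The admin dn's password is not in smb.conf; winbind reads it from secrets.tdb, so a
    # failed remote backend init is the symptom when it was never stored (smbpasswd -w).
    if "failed to initialize remote backend" in log:
        findings.append("winbindd could not init the LDAP idmap backend: store the 'ldap admin dn' "
                        "password with smbpasswd -w and confirm the idmap DN exists")
    return idmap_dn, findings
```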

