[Samba] wbinfo problems and documentation questions

Craig White craigwhite at azapple.com
Thu Sep 1 05:54:32 GMT 2005


You're trying to bite off too much at one time. This makes it extra
difficult.

I'm gonna suggest that you not worry about samba at all for now.

see answers inline.

On Thu, 2005-09-01 at 00:33 -0400, Tom Diehl wrote:
> Hi all,
> 
> I have a samba pdc running 3.0.20 + the patches on
> http://hostopia.samba.org/samba/patches running RHEL4 on an x86_64 platform. I
> have configured it to use an ldapsam backend per 
> http://us2.samba.org/samba/docs/man/Samba-Guide/2000users.html
> 
> Since there is not much in the way of testing listed in the "2000users" section
> I used the tests listed under the making users happy section. With the
> exception of the ldapsearch -x -b "dc=keenanmotorgroup,dc=com" "(ObjectClass=*)"
> test all work as advertised. It appears to me that in order for this test to
> work I need to have the following in the slapd.conf file:
> 
> access to dn.base=""
>         by self write
>         by * auth
---
seems too restrictive. I would probably just have 'by * read' as the
only ACL here
----
> 
> access to attr=userPassword
>         by self write
>         by * auth
----
this could cause you a lot of issues. Are you ALWAYS gonna 'auth'? 

I would suggest this instead...
# allow everybody to try to bind
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="uid=Administrator,ou=People,dc=keenanmotorgroup,dc=com" write
        by self write
        by anonymous auth
        by * none
----
> 
> access to attr=shadowLastChange
>         by self write
>         by * read
----
perhaps OK - probably just toss it in with previous
----
> 
> access to *
>         by * read
>         by anonymous auth
----
by * read pretty much ends the discussion here, anonymous auth at that
point is useless
----
> 
> Without the above in the slapd.conf file I only get the following output:
> 
> (pocono pts28) # ldapsearch -x -b "dc=keenanmotorgroup,dc=com" "(ObjectClass=*)"
> # extended LDIF
> #
> # LDAPv3
> # base <dc=keenanmotorgroup,dc=com> with scope sub
> # filter: (ObjectClass=*)
> # requesting: ALL
> #
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 1
> (pocono pts28) #
----
seems reasonable
----
> 
> This is shown in the config files from :
> http://us2.samba.org/samba/docs/man/Samba-Guide/happy.html#sbehap-slapdconf
----
I'll let John defend his ldap documentation - we've been down that path
before
----
> 
> Am I correct that I only need the above if I want to do the ldap search command??
----
No - that governs all access - whether by openldap client or other
client
----
> 
> The other thing that does not work is wbinfo -u or wbinfo -g. When I do wbinfo -g
> I get the following ldap error:
> 
> Aug 31 23:37:56 pocono slapd[9183]: conn=0 op=8 SRCH base="ou=Groups,dc=keenanmotorgroup,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaGroupType=5))"
> Aug 31 23:37:56 pocono slapd[9183]: conn=0 op=8 SRCH attr=cn sambaSid displayName description sambaGroupType
> Aug 31 23:37:56 pocono slapd[9183]: <= bdb_equality_candidates: (sambaGroupType) index_param failed (18)
> Aug 31 23:37:56 pocono slapd[9183]: conn=0 op=8 SEARCH RESULT tag=101 err=0 nentries=5 text=
> Aug 31 23:37:56 pocono slapd[9183]: conn=0 op=9 SRCH base="ou=Groups,dc=keenanmotorgroup,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaGroupType=4))"
> Aug 31 23:37:56 pocono slapd[9183]: conn=0 op=9 SRCH attr=cn sambaSid displayName description sambaGroupType
> Aug 31 23:37:56 pocono slapd[9183]: <= bdb_equality_candidates: (sambaGroupType) index_param failed (18)
> Aug 31 23:37:56 pocono slapd[9183]: conn=0 op=9 SEARCH RESULT tag=101 err=0 nentries=0 text=
----
there is no error here...err=0

you probably need to fix nsswitch.conf for ldap in passwd/group
----
> 
> In the winbind log I get :
> 
> ==> samba/winbindd <==
> [2005/09/01 00:03:07, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
>   [    0]: request interface version
> [2005/09/01 00:03:07, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
>   [    0]: request location of privileged pipe
> [2005/09/01 00:03:07, 3] nsswitch/winbindd_group.c:winbindd_list_groups(811)
>   [    0]: list groups
> [2005/09/01 00:03:07, 3] lib/smbldap.c:smbldap_search_paged(1071)
>   smbldap_search_paged: base => [ou=Groups,dc=keenanmotorgroup,dc=com], filter => [(&(objectclass=sambaGroupMapping)(sambaGroupType=5))],scope => [2], pagesize => [1024]
> [2005/09/01 00:03:07, 3] lib/smbldap.c:smbldap_search_paged(1110)
>   smbldap_search_paged: search was successfull
> [2005/09/01 00:03:07, 3] lib/smbldap.c:smbldap_search_paged(1071)
>   smbldap_search_paged: base => [ou=Groups,dc=keenanmotorgroup,dc=com], filter => [(&(objectclass=sambaGroupMapping)(sambaGroupType=4))],scope => [2], pagesize => [1024]
> [2005/09/01 00:03:07, 3] lib/smbldap.c:smbldap_search_paged(1110)
>   smbldap_search_paged: search was successfull
> [2005/09/01 00:03:07, 3] nsswitch/winbindd_group.c:get_sam_group_entries(526)
>   get_sam_group_entries: Failed to enumerate domain local groups!
----
what does winbindd have to do with all this?
----
> 
> and the following output:
> (pocono pts27) # wbinfo -g
> BUILTIN\Administrators
> BUILTIN\Account Operators
> BUILTIN\Print Operators
> BUILTIN\Backup Operators
> BUILTIN\Replicators
> (pocono pts27) #
> 
> If I do wbinfo -u there are no entries made in the ldap log, the winbind log
> shows this:
> 
> ==> samba/winbindd <==
> [2005/09/01 00:04:44, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
>   [    0]: request interface version
> [2005/09/01 00:04:44, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
>   [    0]: request location of privileged pipe
> [2005/09/01 00:04:44, 3] nsswitch/winbindd_user.c:winbindd_list_users(738)
>   [    0]: list users
> 
> and the output of the command is as follows:
> pocono pts27) # wbinfo -u
> Error looking up domain users
> (pocono pts27) #
----
DO NOT USE WINBINDD ON THIS SYSTEM IF IT IS TO BE THE PDC

wbinfo commands therefore are pointless here
----
> 
> Is wbinfo -u and wbinfo -g supposed to work for this setup??
> 
> Configs follow:
> 
> smb.conf:
> 
> [global]
>     unix charset = LOCALE
>     workgroup = KEENAN
>     interfaces = eth0, lo
>     bind interfaces only = Yes
>     passdb backend = "ldapsam:ldap://pocono.keenanmotorgroup.com ldap://indy.keenanmotorgroup.com"
>     enable privileges = Yes
>     username map = /etc/samba/smbusers
>     log level = 3
>     syslog = 0
>     log file = /var/log/samba/%m
>     max log size = 50
>     smb ports = 139
>     name resolve order = wins bcast hosts
>     time server = Yes
>     printcap name = CUPS
>     show add printer wizard = No
>     add user script = /usr/sbin/smbldap-useradd -m "%u"
>     delete user script = /usr/sbin/smbldap-userdel "%u"
>     add group script = /usr/sbin/smbldap-groupadd -p "%g"
>     delete group script = /usr/sbin/smbldap-groupdel "%g"
>     add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>     delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>     set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>     add machine script = /usr/sbin/smbldap-useradd -w "%u"
>     shutdown script = /home/samba/scripts/shutdown.sh
>     abort shutdown script = /sbin/shutdown -c
>     logon script = "scripts\logon.bat"
>     logon path = \%L\profiles\%U
>     logon drive = H:
>     logon home = \%L\%U
>     domain logons = Yes
>     preferred master = Yes
>     domain master = Yes
>     wins support = Yes
>     ldap admin dn = cn=Manager,dc=keenanmotorgroup,dc=com
>     ldap group suffix = ou=Groups
>     ldap idmap suffix = ou=Idmap
>     ldap machine suffix = ou=People
>     ldap suffix = dc=keenanmotorgroup,dc=com
>     ldap user suffix = ou=People
>     utmp = Yes
> 	idmap backend = ldap://pocono.keenanmotorgroup.com
>     idmap uid = 10000-20000
>     idmap gid = 10000-20000
>     map acl inherit = Yes
>     veto files = /*.eml/*.nws/*.{*}/
>     veto oplock files = /*.doc/*.xls/*.mdb/
> 
> [netlogon]
>     comment = Network Logon Service
>     path = /home/samba/netlogon
>     guest ok = Yes
>     browseable = No
>     locking = No
> 
> [profiles]
>     comment = Profile Share
>     path = /home/samba/profiles
>     read only = No
>     profile acls = Yes
> 
> [profdata]
>     comment = Profile Data Share
>     path = /home/samba/profdata
>     read only = No
>     profile acls = Yes
> 
> [IPC$]
>     path = /tmp
> 
> [homes]
>     comment = Home Directories
>     valid users = %S
>     read only = No
>     browseable = No
> 
> [print$]
>     comment = Printer Drivers
>     path = /var/lib/samba/drivers
>     
> [printers]
>     comment = SMB Print Spool
>     path = /var/spool/samba
>     guest ok = Yes
>     printable = Yes
>     browseable = No
> 
> slapd.conf:
> include     /etc/openldap/schema/core.schema
> include     /etc/openldap/schema/cosine.schema
> include     /etc/openldap/schema/inetorgperson.schema
> include     /etc/openldap/schema/nis.schema
> include     /etc/openldap/schema/samba.schema
> 
> pidfile     /var/run/slapd.pid
> argsfile    /var/run/slapd.args
> 
> database    bdb
> suffix      "dc=keenanmotorgroup,dc=com"
> rootdn      "cn=Manager,dc=keenanmotorgroup,dc=com"
----
you do have a rootpw entry right?
----
> 
> replica     host=indy.keenanmotorgroup.com:389
>             suffix="dc=keenanmotorgroup,dc=com"
>             binddn="cn=updateuser,dc=keenanmotorgroup,dc=com"
>             bindmethod=simple credentials=mypass
----
why not comment out the replication until you get the primary
working?
----
> 
> access to attrs=sambaLMPassword,sambaNTPassword
>            by dn="cn=sambaadmin,dc=keenanmotorgroup,dc=com" write
>            by * none
----
totally different ACLs than you listed above - doesn't make sense to me
----
> 
> replogfile  /var/lib/ldap/replogfile
> 
> directory   /var/lib/ldap
> 
> # Indices to maintain
> index objectClass           eq
> index cn                    pres,sub,eq
> index sn                    pres,sub,eq
> index uid                   pres,sub,eq
> index displayName           pres,sub,eq
> index uidNumber             eq
> index gidNumber             eq
> index memberUID             eq
> index sambaSID              eq
> index sambaPrimaryGroupSID  eq
> index sambaDomainName       eq
> index default               sub
> 
> /etc/nsswitch.conf:
> 
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
> 
> #hosts:     db files nisplus nis dns
> hosts:      files dns wins
----
does wins work for a hosts entry?

seems like you do have ldap listed in nsswitch.conf for passwd/group -
hmmm... there goes my theory
----
> 
> I would be grateful if someone can help me. I am running out of ideas and google
> is not helpful.
> 
> What am I missing??
----
1 - make sure the settings are correct in /etc/openldap/ldap.conf
2 - get ldap working with a user or two entered into ldap, with posix
attributes at least
3 - make sure authentication is set - on redhat stuff, simply run
authconfig and set it for ldap
4 - make sure you can query ldap for the entries via ldapsearch
i.e. # ldapsearch -x -h localhost -D \
'cn=rootdn_user,dc=keenanmotorgroup,dc=com' \
-W '(uid=user_you_added_to_ldap)'
5 - see documentation (quickstart guide at www.openldap.org)

not a single (valid) question you asked had anything to do with samba.

Craig
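As an added example, not part of this thread: a small Python model of how slapd picks an ACL clause for a request (the first matching `access to`, then the first matching `by` inside it), run over the two ACL sets quoted above. The ACL text, the Administrator DN and the user DN are taken or constructed from the thread; the evaluator is a toy that handles only the subject types used here and does not model the rootdn, which bypasses ACLs in slapd.

```python
# Added example (not from the thread); the ACL sets below are constructed from the clauses quoted above.
TOM_ACL = """
access to dn.base=""
        by self write
        by * auth
access to attr=userPassword
        by self write
        by * auth
access to *
        by * read
        by anonymous auth
"""
CRAIG_ACL = """
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="uid=Administrator,ou=People,dc=keenanmotorgroup,dc=com" write
        by self write
        by anonymous auth
        by * none
access to *
        by * read
"""

def parse_acl(text):
    """Return [(what, [(who, level), ...])] from 'access to ... by ...' lines."""
    acls = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("access to "):
            acls.append((line[10:].strip(), []))
        elif line.startswith("by ") and acls:
            acls[-1][1].append(tuple(line[3:].rsplit(None, 1)))
    return acls

def who_matches(who, subject, target_dn):   # subject None = anonymous bind
    if who in ("*", "anonymous"):
        return who == "*" or subject is None
    if subject is None or who == "self":
        return subject is not None and subject.lower() == target_dn.lower()
    return who.startswith('dn.exact="') and who[10:-1].lower() == subject.lower()

def access_for(acls, subject, target_dn, attr):
    """Level granted on attr of target_dn; the rootdn (bypasses ACLs) is not modelled."""
    for what, bys in acls:        # first matching 'access to' wins, then first 'by'
        attrs = what.split("=", 1)[1].lower().split(",") if what.startswith("attr") else []
        if what == "*" or attr.lower() in attrs:     # dn.base="" (root DSE) never matches
            return next((lvl for who, lvl in bys if who_matches(who, subject, target_dn)), "none")
    return "none"

def shadowed_by_clauses(acls):
    """'by' clauses that can never fire because a 'by *' precedes them."""
    return [(what, who, lvl) for what, bys in acls
            for i, (who, lvl) in enumerate(bys) if "*" in [w for w, _ in bys[:i]]]
```

Run over Tom's (abridged) set, an anonymous bind gets `read` on sambaNTPassword because only userPassword is covered before `access to * by * read`, and the trailing `by anonymous auth` is reported as unreachable; Craig's attrs list yields `auth` for anonymous and `write` only for self and the named Administrator.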


