[Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Kristof Bruyninckx
kristof.bruyninckx at thales-is.com
Thu Sep 29 10:10:48 GMT 2005
Hello,
Ok, so I fixed the ACL to match your example:

#access to dn.base="" by * read
#access to dn.base="cn=subschema" by * read
access to attr=userPassword
        by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
        by self write
        by anonymous auth
        by * none
access to *
        by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
        by self write
        by users read

but now the following occurs:
When I launch the smb & winbind instances:
From the LDAP log in /var/log/messages, debug lvl 220:
"snip"
Sep 29 10:59:52 linux14 slapd: ==> ldbm_back_bind: dn: cn=Manager,dc=thales,dc=be
Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=49 matched="" text=""
Sep 29 10:59:52 linux14 slapd: daemon: select: listen=7 active_threads=0 tvp=NULL
Sep 29 10:59:52 linux14 slapd: daemon: activity on 1 descriptors
Sep 29 10:59:52 linux14 slapd: daemon: activity on: 8r
Sep 29 10:59:52 linux14 slapd: daemon: read activity on 8
Sep 29 10:59:52 linux14 slapd: connection_get(8)
"snip"
which in my opinion is odd, since it is no longer used in samba. And it
fails to authenticate. I tried a reset of the password, and changed the
entries in ldap.conf and slapd.conf. Once done, I tried to modify an
existing entry with ldapmodify, which was successful. Is samba here
still trying to access the LDAP with this account?
"snip"
Sep 29 10:59:52 linux14 slapd: ==> ldbm_back_bind: dn: uid=samba,ou=Idmap,dc=thales,dc=be
Sep 29 10:59:52 linux14 slapd: daemon: select: listen=6 active_threads=0 tvp=NULL
Sep 29 10:59:52 linux14 slapd: => access_allowed: auth access to "uid=samba,ou=Idmap,dc=thales,dc=be" "userPassword" requested
Sep 29 10:59:52 linux14 slapd: => acl_get: [1] attr userPassword
Sep 29 10:59:52 linux14 slapd: => acl_mask: access to entry "uid=samba,ou=Idmap,dc=thales,dc=be", attr "userPassword" requested
Sep 29 10:59:52 linux14 slapd: => acl_mask: to all values by "", (=n)
Sep 29 10:59:52 linux14 slapd: <= check a_dn_pat: uid=samba,ou=idmap,dc=thales,dc=be
Sep 29 10:59:52 linux14 slapd: <= check a_dn_pat: self
Sep 29 10:59:52 linux14 slapd: <= check a_dn_pat: anonymous
Sep 29 10:59:52 linux14 slapd: <= acl_mask: [3] applying auth(=x) (stop)
Sep 29 10:59:52 linux14 slapd: <= acl_mask: [3] mask: auth(=x)
Sep 29 10:59:52 linux14 slapd: => access_allowed: auth access granted by auth(=x)
Sep 29 10:59:52 linux14 slapd: daemon: select: listen=7 active_threads=0 tvp=NULL
Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=0 matched="" text=""
Sep 29 10:59:52 linux14 slapd: daemon: activity on 1 descriptors
Sep 29 10:59:52 linux14 slapd: daemon: activity on:
"snip"
Whatever is happening here, it seems that the samba user is not
getting write permissions.
Third part:
"snip"
Sep 29 10:59:52 linux14 slapd: SRCH "" 0 0 0 0 0
Sep 29 10:59:52 linux14 slapd: filter: (objectClass=*)
Sep 29 10:59:52 linux14 slapd: attrs: supportedControl
Sep 29 10:59:52 linux14 slapd: => access_allowed: search access to "" "objectClass" requested
Sep 29 10:59:52 linux14 slapd: => acl_get: [2] attr objectClass
Sep 29 10:59:52 linux14 slapd: => acl_mask: access to entry "", attr "objectClass" requested
Sep 29 10:59:52 linux14 slapd: => acl_mask: to all values by "uid=samba,ou=idmap,dc=thales,dc=be", (=n)
Sep 29 10:59:52 linux14 slapd: <= check a_dn_pat: uid=samba,ou=idmap,dc=thales,dc=be
Sep 29 10:59:52 linux14 slapd: <= acl_mask: [1] applying write(=wrscx) (stop)
Sep 29 10:59:52 linux14 slapd: <= acl_mask: [1] mask: write(=wrscx)
Sep 29 10:59:52 linux14 slapd: => access_allowed: search access granted by write(=wrscx)
Sep 29 10:59:52 linux14 slapd: => access_allowed: read access to "" "entry" requested
Sep 29 10:59:52 linux14 slapd: => acl_get: [2] attr entry
Sep 29 10:59:52 linux14 slapd: => acl_mask: access to entry "", attr "entry" requested
Sep 29 10:59:52 linux14 slapd: => acl_mask: to all values by "uid=samba,ou=idmap,dc=thales,dc=be", (=n)
Sep 29 10:59:52 linux14 slapd: <= check a_dn_pat: uid=samba,ou=idmap,dc=thales,dc=be
Sep 29 10:59:52 linux14 slapd: <= acl_mask: [1] applying write(=wrscx) (stop)
Sep 29 10:59:52 linux14 slapd: <= acl_mask: [1] mask: write(=wrscx)
Sep 29 10:59:52 linux14 slapd: => access_allowed: read access granted by write(=wrscx)
Sep 29 10:59:52 linux14 slapd: => access_allowed: read access to "" "supportedControl" requested
Sep 29 10:59:52 linux14 slapd: => acl_get: [2] attr supportedControl
Sep 29 10:59:52 linux14 slapd: daemon: select: listen=7 active_threads=0 tvp=NULL
Sep 29 10:59:52 linux14 slapd: access_allowed: no res from state (supportedControl)
Sep 29 10:59:52 linux14 slapd: => acl_mask: access to entry "", attr "supportedControl" requested
Sep 29 10:59:52 linux14 slapd: => acl_mask: to value by "uid=samba,ou=idmap,dc=thales,dc=be", (=n)
Sep 29 10:59:52 linux14 slapd: <= check a_dn_pat: uid=samba,ou=idmap,dc=thales,dc=be
Sep 29 10:59:52 linux14 slapd: <= acl_mask: [1] applying write(=wrscx) (stop)
Sep 29 10:59:52 linux14 slapd: <= acl_mask: [1] mask: write(=wrscx)
Sep 29 10:59:52 linux14 slapd: => access_allowed: read access granted by write(=wrscx)
Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=0 matched="" text=""
"snip"
But here LDAP does grant the samba user the proper permissions.
The log ends with the following:
Sep 29 10:59:52 linux14 slapd: do_modify: dn (ou=Idmap,dc=thales,dc=be)
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f6df28 ptr=0x08f6df49 end=0x08f6dfa6 len=93
Sep 29 10:59:52 linux14 slapd: 0000: 30 25 0a 01 00 30 20 04 0b 6f 62 6a 65 63 74 43 0%...0 ..objectC
Sep 29 10:59:52 linux14 slapd: 0010: 6c 61 73 73 31 11 04 0f 73 61 6d 62 61 55 6e 69 lass1...sambaUni
Sep 29 10:59:52 linux14 slapd: 0020: 78 49 64 50 6f 6f 6c 30 19 0a 01 00 30 14 04 09 xIdPool0....0...
Sep 29 10:59:52 linux14 slapd: 0030: 75 69 64 4e 75 6d 62 65 72 31 07 04 05 31 30 30 uidNumber1...100
Sep 29 10:59:52 linux14 slapd: 0040: 30 30 30 19 0a 01 00 30 14 04 09 67 69 64 4e 75 000....0...gidNu
Sep 29 10:59:52 linux14 slapd: 0050: 6d 62 65 72 31 07 04 05 31 30 30 30 30 mber1...10000
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f6df28 ptr=0x08f6df70 end=0x08f6dfa6 len=54
Sep 29 10:59:52 linux14 slapd: 0000: 30 19 0a 01 00 30 14 04 09 75 69 64 4e 75 6d 62 0....0...uidNumb
Sep 29 10:59:52 linux14 slapd: 0010: 65 72 31 07 04 05 31 30 30 30 30 30 19 0a 01 00 er1...100000....
Sep 29 10:59:52 linux14 slapd: 0020: 30 14 04 09 67 69 64 4e 75 6d 62 65 72 31 07 04 0...gidNumber1..
Sep 29 10:59:52 linux14 slapd: 0030: 05 31 30 30 30 30 .10000
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f6df28 ptr=0x08f6df8b end=0x08f6dfa6 len=27
Sep 29 10:59:52 linux14 slapd: 0000: 30 19 0a 01 00 30 14 04 09 67 69 64 4e 75 6d 62 0....0...gidNumb
Sep 29 10:59:52 linux14 slapd: 0010: 65 72 31 07 04 05 31 30 30 30 30 er1...10000
Sep 29 10:59:52 linux14 slapd: modifications:
Sep 29 10:59:52 linux14 slapd: add: objectClass
Sep 29 10:59:52 linux14 slapd: one value, length 15
Sep 29 10:59:53 linux14 slapd: add: uidNumber
Sep 29 10:59:53 linux14 slapd: one value, length 5
Sep 29 10:59:53 linux14 slapd: add: gidNumber
Sep 29 10:59:53 linux14 slapd: one value, length 5
Sep 29 10:59:53 linux14 slapd: send_ldap_result: err=21 matched="" text="objectClass: value #0 invalid per syntax"
Entry from the smbd.log:
[2005/09/29 10:59:52, 3] sam/idmap.c:idmap_init(132)
  idmap_init: using 'ldap' as remote backend
[2005/09/29 10:59:52, 2] lib/smbldap.c:smbldap_open_connection(630)
  smbldap_open_connection: connection opened
[2005/09/29 10:59:52, 3] lib/smbldap.c:smbldap_connect_system(805)
  ldap_connect_system: succesful connection to the LDAP server
[2005/09/29 10:59:52, 4] lib/smbldap.c:smbldap_open(869)
  The LDAP server is succesfully connected
[2005/09/29 10:59:52, 0] sam/idmap.c:idmap_init(138)
  idmap_init: failed to initialize remote backend!
[2005/09/29 10:59:52, 1] nsswitch/winbindd.c:main(968)
  Could not init idmap -- netlogon proxy only
Any thoughts on this problem?
Kind regards
--
Bruyninckx Kristof
Thales Services Division
GNU&Linux/Unix System Administrator / Test developer
Tel: 02/674.76.49.19
kristof.bruyninckx at thales-is.com
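As an added example, not part of the original post: a small Python triage script for slapd debug output of the shape quoted above, which pairs each bind, search and modify with the ACL decisions and the send_ldap_result code that follow it, so the three events in this thread (the cn=Manager bind answered with err=49, the uid=samba bind and search being granted, the modify failing with err=21) can be read off at a glance. The sample log lines are constructed from the post's format with the ber_dump hex left out, and the result-code names are the RFC 4511 ones; the function and variable names are this example's own.

```python
import re
# Constructed sample shaped like the slapd lines quoted above (hex dumps left out); not a real capture.
SAMPLE_LOG = """\
Sep 29 10:59:52 linux14 slapd: ==> ldbm_back_bind: dn: cn=Manager,dc=thales,dc=be
Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=49 matched="" text=""
Sep 29 10:59:52 linux14 slapd: ==> ldbm_back_bind: dn: uid=samba,ou=Idmap,dc=thales,dc=be
Sep 29 10:59:52 linux14 slapd: => access_allowed: auth access to "uid=samba,ou=Idmap,dc=thales,dc=be" "userPassword" requested
Sep 29 10:59:52 linux14 slapd: => access_allowed: auth access granted by auth(=x)
Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=0 matched="" text=""
Sep 29 10:59:52 linux14 slapd: SRCH "" 0 0 0 0 0
Sep 29 10:59:52 linux14 slapd: => access_allowed: search access to "" "objectClass" requested
Sep 29 10:59:52 linux14 slapd: => access_allowed: search access granted by write(=wrscx)
Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=0 matched="" text=""
Sep 29 10:59:52 linux14 slapd: do_modify: dn (ou=Idmap,dc=thales,dc=be)
Sep 29 10:59:53 linux14 slapd: send_ldap_result: err=21 matched="" text="objectClass: value #0 invalid per syntax"
"""
# Result codes that occur in the post, with their RFC 4511 names.
RESULT_NAMES = {0: "success", 21: "invalidAttributeSyntax", 49: "invalidCredentials"}
OP_RES = {  # one pattern per operation start, capturing the target DN
    "bind": re.compile(r"ldbm_back_bind: dn: (?P<dn>\S+)"),
    "search": re.compile(r'SRCH "(?P<dn>[^"]*)"'),
    "modify": re.compile(r"do_modify: dn \((?P<dn>[^)]+)\)"),
}
REQ_RE = re.compile(r'access_allowed: (?P<kind>\w+) access to "[^"]*" "(?P<attr>[^"]+)" requested')
GRANT_RE = re.compile(r"access_allowed: \w+ access granted by (?P<mask>\S+)")
RESULT_RE = re.compile(r'send_ldap_result: err=(?P<err>\d+) matched="[^"]*" text="(?P<text>[^"]*)"')

def start_of_op(line):
    for op, rx in OP_RES.items():  # (op, dn) when the line opens an operation, else None
        if m := rx.search(line):
            return op, m["dn"]
    return None

def triage(log_text):
    """Pair each bind/search/modify with the ACL decisions and result code that follow it."""
    ops, cur = [], None
    for line in log_text.splitlines():
        if started := start_of_op(line):
            cur = {"op": started[0], "dn": started[1], "acl": [], "err": None, "text": ""}
            ops.append(cur)
        elif cur and (m := REQ_RE.search(line)):        # access requested: [kind, attr, mask]
            cur["acl"].append([m["kind"], m["attr"], None])
        elif cur and (m := GRANT_RE.search(line)) and cur["acl"]:
            cur["acl"][-1][2] = m["mask"]                # which ACL mask satisfied it
        elif cur and (m := RESULT_RE.search(line)):
            cur["err"], cur["text"] = int(m["err"]), m["text"]
            cur = None                                   # the result closes the operation
    return ops

def failures(log_text):  # non-success operations, named: the short answer to why winbind gave up
    return [(o["op"], o["dn"], o["err"], RESULT_NAMES.get(o["err"], "other"), o["text"])
            for o in triage(log_text) if o["err"]]
```

Run against a real slapd debug log, the same script separates an ACL denial (no "granted by" line before the result) from a schema or credential problem reported only in the result line.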