[Samba] Samba LDAP rootpw error

Matt Richards matt at mattstone.net
Sun Mar 26 16:55:59 GMT 2006


> Matt Richards wrote:
>>>Matt Richards wrote:
>>>>>Matt Richards wrote:
>>>>>>>Matt Richards wrote:
>>>>>>>>>Matt Richards wrote:
>>>>>>>>>>>I was following the howto below (originally posted on this list as
>>>>>>>>>>>BIG Samba howto for debian only.) to see if I could get my
>>>>>>>>>>>not-quite-working Samba 3.0.14a (debian) server fully working and
>>>>>>>>>>>able to handle my Linux logins too. The problem I'm having with my
>>>>>>>>>>>Samba setup is that I can't change user passwords except through
>>>>>>>>>>>Swat. Users can't change them from their machines using the Windows
>>>>>>>>>>>password change - but they are notified to change them when they
>>>>>>>>>>>expire.
>>>>>>>>>>>
>>>>>>>>>>>Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP
>>>>>>>>>>>Server configuration". Neither slapindex nor slapd will run. It
>>>>>>>>>>>looks like it doesn't like something about my root password, but
>>>>>>>>>>>I'm not sure what it wants (I'm no expert on LDAP).  :)
>>>>>>>>>>>
>>>>>>>>>>>Slapindex complains "bad configuration file". Slapd gives the more
>>>>>>>>>>>detailed:
>>>>>>>>>>>line 65 (rootpw ***)
>>>>>>>>>>>/etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn
>>>>>>>>>>>is under suffix
>>>>>>>>>>>
>>>>>>>>>>>I've attached my slapd.conf file if that is of any assistance. Any
>>>>>>>>>>>help will be greatly appreciated.
>>>>>>>>>>>
>>>>>>>>>>>Louis van Belle wrote:
>>>>>>>>>>>
>>>>>>>>>>[..snip..]
>>>>>>>>>>
>>>>>>>>>>humm well looking at the config file the first thing that i notice
>>>>>>>>>>is this ...
>>>>>>>>>>
>>>>>>>>>># The base of your directory in database #1
>>>>>>>>>>suffix          "dc=rahim-dale,dc=org"
>>>>>>>>>>rootdn                "cn=admin,dc=toronto,dc=ontario,dc=ca"
>>>>>>>>>>
>>>>>>>>>>your root dn isn't in the base of your ldap tree, this should
>>>>>>>>>>probably be something like ...
>>>>>>>>>>
>>>>>>>>>>suffix          "dc=rahim-dale,dc=org"
>>>>>>>>>>rootdn                "cn=admin,dc=rahim-dale,dc=org"
>>>>>>>>>>
>>>>>>>>>>try it n let us know what happens :).
>>>>>>>>>>
>>>>>>>>>>HTH
>>>>>>>>>>
>>>>>>>>>>Matt.
>>>>>>>>>>
>>>>>>>>>You got it in one!  I've got slapd running.
>>>>>>>>>
>>>>>>>>>Now I'm stuck at "5.4 set the samba ldap admin password". I can set
>>>>>>>>>the admin password and get the expected response, but when I try
>>>>>>>>>"smbldap-populate -a Administrator -b nobody -u 2000 -g 2000", it
>>>>>>>>>fails to add the various groups. I get "failed to add entry:
>>>>>>>>>modifications require authentication at /usr/sbin/smbldap-populate
>>>>>>>>>line 460, <GEN1> line 3." for each ou=<groupname> it tries to add.
>>>>>>>>>
>>>>>>>>>Any ideas?
>>>>>>>>>
>>>>>>>>the smbldap-populate script requires authentication to the ldap
>>>>>>>>server, there is probably a problem with the login you have set in
>>>>>>>>smbldap.conf .. if you have set any at all!
>>>>>>>>
>>>>>>>>i would recommend looking through the smbldap-tools howto at
>>>>>>>>http://samba.idealx.org/smbldap-tools.en.html
>>>>>>>>and see if there is anything you have missed out, but the first thing
>>>>>>>>i would try is this ..
>>>>>>>>
>>>>>>>>...
>>>>>>>>3 Configuring the smbldap-tools
>>>>>>>>As mentioned in the previous section, you'll have to update two
>>>>>>>>configuration files. The first (smbldap.conf) allows you to set global
>>>>>>>>parameters that are readable by everybody, and the second
>>>>>>>>(smbldap_bind.conf) defines two administrative accounts to bind to a
>>>>>>>>slave and a master ldap server: this file must thus be readable only
>>>>>>>>by root. A script named configure.pl can help you to set their
>>>>>>>>contents up. It is located in the tarball downloaded or in the
>>>>>>>>documentation directory if you got the RPM archive (see
>>>>>>>>/usr/share/doc/smbldap-tools/). Just invoke it:
>>>>>>>>
>>>>>>>>/usr/share/doc/smbldap-tools/configure.pl
>>>>>>>>...
>>>>>>>>
>>>>>>>>note : the smbldap-tools dir might not be located in your
>>>>>>>>/usr/share/doc/ directory.
>>>>>>>>
>>>>>>>>if this doesn't work you could attach your smbldap config file (with
>>>>>>>>the passwd taken out of course) so we can have a little look.
>>>>>>>>
>>>>>>>>Matt.
>>>>>>>>
>>>>>>>I can't see anything wrong with my setup but even when I tweak the
>>>>>>>settings a little, I get the same result. Here are: smbldap.conf,
>>>>>>>smbldap_bind.conf (with passwords removed) and the smb.conf I'm using
>>>>>>>for ldap (renamed right now because I'm keeping my old setup available
>>>>>>>until I get this working).
>>>>>>>
>>>>>>>One issue is my password does have an apostrophe and a period in it.
>>>>>>>It shouldn't be an issue because the bind file has them in quotes.
>>>>>>>I've also tried them escaped ("\") but that didn't change anything.
>>>>>>>
>>>>>>ok i have looked over everything and the only thing i can see at this
>>>>>>moment is this ...
>>>>>>
>>>>>>in your smbldap_bind.conf file you aren't using a bind dn of
>>>>>>cn=admin,dc=family,dc=rahim-dale,dc=org for authentication against the
>>>>>>ldap server but the line in the config i gave you before was rootdn
>>>>>>"cn=admin,dc=rahim-dale,dc=org" ... when you first setup ldap no
>>>>>>accounts exist in the ldap database, the rootdn account is like a
>>>>>>virtual account that will always have full access and because of this
>>>>>>(and i'm guessing your ldap tree is blank) you will only be able to use
>>>>>>the rootdn to bind at this time.
>>>>>>
>>>>>>there are a few lines you can try to attempt to bind to the ldap server
>>>>>>...
>>>>>>
>>>>>>ldapsearch -D cn=admin,dc=family,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
>>>>>>ldapsearch -D cn=admin,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
>>>>>>
>>>>>>the first is the bind dn in your smbldap_bind.conf and the second is
>>>>>>using the rootdn from the other email.
>>>>>>
>>>>>>as your ldap tree is blank you won't get much output but one should
>>>>>>fail with a bind error and the other should say something like no such
>>>>>>object.
>>>>>>
>>>>>>HTH, let me know if they work, will see if i can see anything else that
>>>>>>may be wrong.
>>>>>>
>>>>>>Matt.
>>>>>>
>>>>>It's the one without the "family". The howto I've been following used
>>>>>"internal" in some places, so I've been trying to follow that model,
>>>>>replacing "internal" with "family". I went back and put the "family" in
>>>>>the slapd.conf and now it worked with the "family". However, it still
>>>>>failed to populate. In fact, the "adding new entry" lines still left out
>>>>>family.
>>>>>
>>>>>Next I removed family and tried again (stopping slapd and samba, running
>>>>>slapindex then restarting the services each time). Still getting the
>>>>>same problem.
>>>>>
>>>>ok now I think you have a root of dc=family,dc=rahim-dale,dc=org in your
>>>>ldap tree and all the scripts to create the entries in ldap are trying to
>>>>create entries under dc=rahim-dale,dc=org .. e.g
>>>>ou=Users,dc=rahim-dale,dc=org.
>>>>
>>>>you have 2 options, ...
>>>>
>>>>1. you can remove everything in the ldap database (including the root
>>>>object) make sure all the config files are pointing to the same place.
>>>>
>>>>for this step it should be only ...
>>>>
>>>># LDAP Suffix
>>>># Ex: suffix=dc=IDEALX,dc=ORG
>>>>suffix="dc=rahim-dale,dc=org"
>>>>
>>>>in smbldap.conf
>>>>
>>>>and cn=admin,dc=rahim-dale,dc=org for the slapd.conf rootdn line and
>>>>smbldap_bind.conf files
>>>>
>>>>and then run the scripts again and everything should go nicely.
>>>>
>>>>as I don't know how to remove everything in the ldap tree and don't have
>>>>an openldap server lying around to try anything out on I am also sending
>>>>this email to the OpenLDAP mailing lists. if anybody could help that
>>>>would be great. (ldapdelete i guess?)
>>>>
>>>>2. change everything to have a ldap base of
>>>>dc=family,dc=rahim-dale,dc=org
>>>>and re run the scripts, they should skip over everything that already
>>>>exists and just add the objects that don't exist.
>>>>
>>>>oh also ...
>>>>if you re run
>>>>ldapsearch -D cn=admin,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
>>>>do you see a base and/or any other objects ?
>>>>
>>>>attaching the output would be useful.
>>>>
>>>>also .. ldap can be quite complicated at first, if you're just starting
>>>>to use it i would recommend using a nice pretty front end so you can see
>>>>what is going on.
>>>>A good front end is ...
>>>>http://phpldapadmin.sf.net/ , however, this also requires a web server
>>>>and php being setup.
>>>>
>>>>HTH
>>>>
>>>>Matt.
>>>>
>>>Actually, your two suggestions were what I'd already tried (except for
>>>removing everything in the ldap database in 1 - how do you do that?). I
>>>guess my language was a little confusing. I even changed the smb.conf.
>>>
>>>Here's the output you requested:
>>>
>>># extended LDIF
>>>#
>>># LDAPv3
>>># base <> with scope sub
>>># filter: (objectclass=*)
>>># requesting:
>>>#
>>>
>>># search result
>>>search: 2
>>>result: 32 No such object
>>>
>>># numResponses: 1
>>>
>>
>>lol oops i forgot to set a base in that command using -b
>>ldapsearch -D cn=admin,dc=rahim-dale,dc=org -b dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
>>
>>and
>>
>>ldapsearch -D cn=admin,dc=rahim-dale,dc=org -b dc=family,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
>>
>>anyway i need to go to my mum's now for some mothers day thing and i'm
>>already late .. oops
>>
>>maybe you should try doing all the openldap related stuff from that guide
>>again, and this time make sure you stick to one ldap base
>>(dc=rahim-dale,dc=org).
>>
>>Matt.
>>
> OK, here's the new output (along with the command line I used). To be
> clear, last night I did do exactly what you suggested - going back and
> using just one ldap suffix - tried it with both, going back to the point
> that the suffix is first entered and redoing the instructions (in the
> Debian-only howto - which seems to have some cut-and-pasting from the
> idealx.org howto) from there.
>
> semper:/etc/smbldap-tools# ldapsearch -D cn=admin,dc=rahim-dale,dc=org -b dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=rahim-dale,dc=org> with scope sub
> # filter: (objectclass=*)
> # requesting:
> #
>
> # rahim-dale.org
> dn: dc=rahim-dale,dc=org
>
> # admin, rahim-dale.org
> dn: cn=admin,dc=rahim-dale,dc=org
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
>
> Below is the same thing when I try to run smbldap-populate:
> semper:/etc/smbldap-tools# smbldap-populate -a Administrator -b nobody -u 2000 -g 2000
> Using workgroup name from sambaUnixIdPooldn (smbldap.conf):
> sambaDomainName=rahim-dale
> Using builtin directory structure
> entry dc=rahim-dale,dc=org already exist.
> adding new entry: ou=Users,dc=rahim-dale,dc=org
> failed to add entry: modifications require authentication at
> /usr/sbin/smbldap-populate line 460, <GEN1> line 3.
> adding new entry: ou=Groups,dc=rahim-dale,dc=org
> failed to add entry: modifications require authentication at
> /usr/sbin/smbldap-populate line 460, <GEN1> line 4.
> adding new entry: ou=Computers,dc=rahim-dale,dc=org
> failed to add entry: modifications require authentication at
> /usr/sbin/smbldap-populate line 460, <GEN1> line 5.
> adding new entry: ou=Idmap,dc=rahim-dale,dc=org
> failed to add entry: modifications require authentication at
> /usr/sbin/smbldap-populate line 460, <GEN1> line 6.
> adding new entry: sambaDomainName=rahim-dale,dc=rahim-dale,dc=org
> failed to add entry: modifications require authentication at
> /usr/sbin/smbldap-populate line 460, <GEN1> line 7.
> adding new entry: uid=Administrator,ou=Users,dc=rahim-dale,dc=org
> failed to add entry: modifications require authentication at
> /usr/sbin/smbldap-populate line 460, <GEN1> line 8.
> adding new entry: uid=nobody,ou=Users,dc=rahim-dale,dc=org
> failed to add entry: modifications require authentication at
> /usr/sbin/smbldap-populate line 460, <GEN1> line 9.
> adding new entry: cn=Domain Admins,ou=Groups,dc=rahim-dale,dc=org
> failed to add entry: modifications require authentication at
> /usr/sbin/smbldap-populate line 460, <GEN1> line 10.
> adding new entry: cn=Domain Users,ou=Groups,dc=rahim-dale,dc=org
> failed to add entry: modifications require authentication at
> /usr/sbin/smbldap-populate line 460, <GEN1> line 11.
> adding new entry: cn=Domain Guests,ou=Groups,dc=rahim-dale,dc=org
> failed to add entry: modifications require authentication at
> /usr/sbin/smbldap-populate line 460, <GEN1> line 12.
> adding new entry: cn=Domain Computers,ou=Groups,dc=rahim-dale,dc=org
> failed to add entry: modifications require authentication at
> /usr/sbin/smbldap-populate line 460, <GEN1> line 13.
> adding new entry: cn=Administrators,ou=Groups,dc=rahim-dale,dc=org
> failed to add entry: modifications require authentication at
> /usr/sbin/smbldap-populate line 460, <GEN1> line 19.
> adding new entry: cn=Print Operators,ou=Groups,dc=rahim-dale,dc=org
> failed to add entry: modifications require authentication at
> /usr/sbin/smbldap-populate line 460, <GEN1> line 20.
> adding new entry: cn=Backup Operators,ou=Groups,dc=rahim-dale,dc=org
> failed to add entry: modifications require authentication at
> /usr/sbin/smbldap-populate line 460, <GEN1> line 21.
> adding new entry: cn=Replicators,ou=Groups,dc=rahim-dale,dc=org
> failed to add entry: modifications require authentication at
> /usr/sbin/smbldap-populate line 460, <GEN1> line 21.
>

ok your ldap base seems fine and by looking at the output from
smbldap-populate ...

Using builtin directory structure
entry dc=rahim-dale,dc=org already exist.

it has successfully added the root for you but the rest of the lines saying
... modifications require authentication  means that you are back to the
authentication problem you had before, however, as you have already
overcome this problem before (when the script added the dc=rahim-dale,dc=org
entry) it is definitely possible, just gotta be something to do with your
configs and the authentication ..

cat /etc/smbldap-tools/* | grep "dc=family"

should return nothing

i can't see there being anything wrong with the scripts, well there wasn't
when i set it up.

the only other thing that might be a problem is are you sure the scripts
are using the config files you think they are ?

if you check the smbldap-populate script you should be able to see if it's
using a file somewhere else.

there's not much else I can suggest so what I will do is set up an openldap
server somewhere and run that smbldap-populate script on it with your
settings when I have a free moment ... and send a dump of the ldap
database, then you can try importing it.

will give you the rootdn passwd for it as well and shove that phpldapadmin
on my server so you can have a little play.

will let you know when i get this running.

Matt.
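The two mistakes this thread turns up (a rootdn outside the slapd suffix, and smbldap-tools bind DNs on a dc=family base the tree never had) can be caught before slapd or smbldap-populate is run. The script below is an added example, not code from the list or from smbldap-tools; the sample config contents are constructed to mirror the thread's first setup, and the file paths are assumptions.

```shell
# Added example (not from the thread): check that slapd's rootdn sits under
# its suffix (the "rootpw can only be set when rootdn is under suffix" error)
# and that the smbldap-tools configs use that suffix and bind as the rootdn.

# Value of a "key value" / key="value" line in $1, quotes and blanks stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=\{0,1\}[[:space:]]*//p" "$1" | head -n 1 \
        | sed 's/^"//; s/"*[[:space:]]*$//'
}

# True when DN $1 equals suffix $2 or ends with ",$2" (case/blank insensitive).
dn_under_suffix() {
    _dn=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/ *, */,/g')
    _sfx=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/ *, */,/g')
    [ "$_dn" = "$_sfx" ] || case "$_dn" in *",$_sfx") ;; *) return 1 ;; esac
}

# Prints one FAIL line per mismatch and returns the number of mismatches.
check_configs() {  # $1 slapd.conf  $2 smbldap.conf  $3 smbldap_bind.conf
    n=0
    sfx=$(conf_value "$1" suffix); rootdn=$(conf_value "$1" rootdn)
    dn_under_suffix "$rootdn" "$sfx" \
        || { echo "FAIL: rootdn $rootdn is not under suffix $sfx (slapd rejects rootpw)"; n=$((n+1)); }
    [ "$(conf_value "$2" suffix)" = "$sfx" ] \
        || { echo "FAIL: smbldap.conf suffix differs from slapd suffix $sfx"; n=$((n+1)); }
    for key in masterDN slaveDN; do
        bind=$(conf_value "$3" "$key")
        [ "$bind" = "$rootdn" ] \
            || { echo "FAIL: $key $bind is not the rootdn; an empty tree has no other account to bind as"; n=$((n+1)); }
    done
    return $n
}

# Constructed sample configs mirroring the thread's first, broken setup.
write_samples() {  # $1 = directory
    printf 'suffix          "dc=rahim-dale,dc=org"\nrootdn          "cn=admin,dc=toronto,dc=ontario,dc=ca"\n' > "$1/slapd.conf"
    printf 'suffix="dc=rahim-dale,dc=org"\n' > "$1/smbldap.conf"
    printf 'masterDN="cn=admin,dc=family,dc=rahim-dale,dc=org"\nslaveDN="cn=admin,dc=family,dc=rahim-dale,dc=org"\n' > "$1/smbldap_bind.conf"
}

dir=$(mktemp -d) && write_samples "$dir"
check_configs "$dir/slapd.conf" "$dir/smbldap.conf" "$dir/smbldap_bind.conf" \
    || echo "$? mismatch(es); fix them, then re-run slapindex and smbldap-populate"
rm -rf "$dir"
```

On a real box point `check_configs` at /etc/ldap/slapd.conf and the two files under /etc/smbldap-tools/; a clean run returns 0, which is the same condition as the `grep "dc=family"` check above returning nothing.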


