[Samba] Some progress - Re: Access remote ldap for classicupgrade

Robert Moskowitz rgm at htt-consult.com
Fri Sep 18 21:22:42 UTC 2015


TLS error gone, but no import of users.

On 09/18/2015 04:30 PM, Rowland Penny wrote:
> On 18/09/15 21:19, Robert Moskowitz wrote:
>>
>>
>> On 09/18/2015 03:25 PM, Rowland Penny wrote:
>>> On 18/09/15 19:50, Robert Moskowitz wrote:
>>>> OK. So I added to /etc/samba/smb.conf in the [Global] section:
>>>>
>>>> passdb backend = ldapsam:ldaps://192.168.128.2
>>>> ldap admin dn = cn=manager,ou=Internal,dc=home,dc=htt
>>>> ldap group suffix = ou=Groups,ou=Accounts
>>>> ldap idmap suffix = ou=Idmap
>>>> ldap machine suffix = ou=Computers,ou=Accounts
>>>> ldap passwd sync = No
>>>> ldap suffix = dc=home,dc=htt
>>>> ldap user suffix = ou=Users,ou=Accounts
>>>> ldap connection timeout = 8
>>>> ldap ssl = Off
>>>>
>>>> I ran:
>>>>
>>>> # samba-tool domain classicupgrade --dbdir=/root/samba.PDC/dbdir/ 
>>>> --use-xattrs=yes --realm=HOME.HTT --dns-backend=BIND9_DLZ 
>>>> /root/samba.PDC/etc/smb.conf
>>>>
>>>> And it failed as follows:
>>>>
>>>> Reading smb.conf
>>>> NOTE: Service printers is flagged unavailable.
>>>> NOTE: Service print$ is flagged unavailable.
>>>> Unknown parameter encountered: "force directory security mode"
>>>> Ignoring unknown parameter "force directory security mode"
>>>> Provisioning
>>>> failed to bind to server ldaps://192.168.128.2 with 
>>>> dn="cn=manager,ou=Internal,dc=home,dc=htt" Error: Can't contact 
>>>> LDAP server
>>>>     TLS error -8172:Peer's certificate issuer has been marked as 
>>>> not trusted by the user.
>>>> Connection to LDAP server failed for the 1 try!
>>>> Connection to LDAP server failed for the 2 try!
>>>> Connection to LDAP server failed for the 3 try!
>>>> Connection to LDAP server failed for the 4 try!
>>>> Connection to LDAP server failed for the 5 try!
>>>> Connection to LDAP server failed for the 6 try!
>>>> Connection to LDAP server failed for the 7 try!
>>>> Connection to LDAP server failed for the 8 try!
>>>> Connection to LDAP server failed for the 9 try!
>>>> Connection to LDAP server failed for the 10 try!
>>>> Connection to LDAP server failed for the 11 try!
>>>> Connection to LDAP server failed for the 12 try!
>>>> Connection to LDAP server failed for the 13 try!
>>>> Connection to LDAP server failed for the 14 try!
>>>> Connection to LDAP server failed for the 15 try!
>>>> pdb_init_ldapsam: WARNING: Could not get domain info, nor add one 
>>>> to the domain. We cannot work reliably without it.
>>>> pdb backend ldapsam:ldaps://192.168.128.2 did not correctly init 
>>>> (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
>>>> ERROR(<class 'passdb.error'>): uncaught exception - Cannot load 
>>>> backend methods for 'ldapsam:ldaps://192.168.128.2' backend 
>>>> (-1073741606,Configuration information could not be read from the 
>>>> domain controller, either because the machine is unavailable or 
>>>> access has been denied.)
>>>>   File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
>>>> line 175, in _run
>>>>     return self.run(*args, **kwargs)
>>>>   File "/usr/lib/python2.7/site-packages/samba/netcmd/domain.py", 
>>>> line 1452, in run
>>>>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>>>>   File "/usr/lib/python2.7/site-packages/samba/upgrade.py", line 
>>>> 483, in upgrade_from_samba3
>>>>     s3db = samba3.get_sam_db()
>>>>   File "/usr/lib/python2.7/site-packages/samba/samba3/__init__.py", 
>>>> line 394, in get_sam_db
>>>>     return passdb.PDB(self.lp.get('passdb backend'))
>>>>
>>>>
>>>
>>> I wonder if you can turn off SSL on the old server. What do you have 
>>> in /etc/ldap.conf (or /etc/ldap/ldap.conf or /etc/openldap/ldap.conf)?
>>
>> On the server (but would it not be slapd.conf for the server?):
>
> No, slapd.conf is for the configuration of the ldap server (it may in 
> fact be slapd.conf.d)
>
>> more /etc/openldap/ldap.conf
>> BASE         dc=home,dc=htt
>> HOST         127.0.0.1
>> TIMELIMIT    30
>> SIZELIMIT    0
>> TLS_REQCERT  allow
>>
>
> Try commenting out 'TLS_REQCERT', change 'ldaps' to 'ldap' in your 
> old server smb.conf (I would also remove the shares and the lines that 
> the classicupgrade objects to) and try the classicupgrade again.
>
> Rowland
>
>> And on the AD (but I don't know what classicupgrade is using):
>>
>> more /etc/openldap/ldap.conf
>> #
>> # LDAP Defaults
>> #
>>
>> # See ldap.conf(5) for details
>> # This file should be world readable but not world writable.
>>
>> #BASE    dc=example,dc=com
>> #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
>>
>> #SIZELIMIT    12
>> #TIMELIMIT    15
>> #DEREF        never
>>
>> TLS_CACERTDIR    /etc/openldap/certs
>>
>> # Turning this off breaks GSSAPI used with krb5 when rdns = false
>> SASL_NOCANON    on
>>
>>
>
>

On the classicupgrade system's /etc/openldap/ldap.conf I added:

TLS_REQCERT     never

and ran classicupgrade:

Reading smb.conf
Unknown parameter encountered: "force directory security mode"
Ignoring unknown parameter "force directory security mode"
Provisioning
Exporting account policy
Exporting groups
Exporting users
Next rid = 1000
Exporting posix attributes
Reading WINS database
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=home,DC=htt
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Setting acl on sysvol skipped
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=home,DC=htt
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /var/lib/samba/private/named.conf for an example configuration 
include file for BIND
and /var/lib/samba/private/named.txt for further documentation required 
for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at 
/var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Admin password:        c7+pi?AFnff~g
Server Role:           active directory domain controller
Hostname:              homebase
NetBIOS Domain:        HOME
DNS Domain:            home.htt
DOMAIN SID:            S-1-5-21-4240919292-2417995422-4236335894
Importing WINS database
Importing Account policy
Importing idmap database
Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
Adding groups
Importing groups
Committing 'add groups' transaction to disk
Adding users
Importing users
Committing 'add users' transaction to disk
Adding users to groups
Committing 'add users to groups' transaction to disk


# wbinfo -u
administrator
dns-homebase
krbtgt
guest

I installed openldap-clients so I could run this:

# ldapsearch -H ldaps://192.168.128.2 -b "dc=home,dc=htt" -D 
"cn=manager,ou=Internal,dc=home,dc=htt" -s sub 
"objectclass=GroupOfNames" -x -w m....

And it worked, so I am accessing the ClearOS ldap server.
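The TLS_REQCERT never line that made the upgrade succeed does so by turning off verification of the ClearOS slapd certificate, so the ldap admin dn bind over ldaps:// no longer authenticates the peer. As an added example that is not from this thread, here is a POSIX shell check that flags an ldap.conf with that weakness, run over constructed copies of the files shown above; the CA bundle path in the hardened copy is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: flag an OpenLDAP client ldap.conf whose
# TLS settings skip verification of the slapd certificate. With TLS_REQCERT
# never (or allow) an ldaps:// bind, password included, can be intercepted.

# Returns 0 when the file requires a verified peer certificate and names a
# CA source; otherwise prints each weakness and returns 1.
ldap_conf_tls_check() {
    file="$1"
    # Comments stripped; the last directive wins. Default TLS_REQCERT is demand.
    reqcert=$(sed 's/#.*//' "$file" | awk 'toupper($1)=="TLS_REQCERT"{v=$2}
        END{print (v=="" ? "demand" : tolower(v))}')
    cacert=$(sed 's/#.*//' "$file" | awk 'toupper($1)=="TLS_CACERT" ||
        toupper($1)=="TLS_CACERTDIR"{v=$2} END{print v}')
    rc=0
    case "$reqcert" in
        demand|hard) ;;
        *) echo "$file: TLS_REQCERT $reqcert skips certificate verification"; rc=1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "$file: no TLS_CACERT/TLS_CACERTDIR, so the chain cannot be verified"
        rc=1
    fi
    return $rc
}

# Constructed sample files. WEAK mirrors the classicupgrade host's file after
# the TLS_REQCERT never change; ADHOST is that file before the change;
# HARDENED trusts the issuing CA (path is a placeholder) and demands a valid cert.
WEAK=$(mktemp); ADHOST=$(mktemp); HARDENED=$(mktemp)
cat > "$WEAK" <<'EOF'
TLS_CACERTDIR    /etc/openldap/certs
SASL_NOCANON     on
TLS_REQCERT      never
EOF
cat > "$ADHOST" <<'EOF'
TLS_CACERTDIR    /etc/openldap/certs
SASL_NOCANON     on
EOF
cat > "$HARDENED" <<'EOF'
URI          ldaps://192.168.128.2
BASE         dc=home,dc=htt
TLS_CACERT   /etc/openldap/certs/clearos-ca.pem
TLS_REQCERT  demand
EOF
for f in "$WEAK" "$ADHOST" "$HARDENED"; do
    ldap_conf_tls_check "$f" && echo "$f: ok"
done
```

The hardened copy only works once the CA that signed the ClearOS slapd certificate is actually present at the TLS_CACERT path; with it in place the classicupgrade bind verifies the server instead of trusting whatever answers on 192.168.128.2:636.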