openchange_provision problem? HowTO to install manual

Sassy Natan sassyn at
Sun Dec 21 20:40:23 GMT 2008

Dear OpenChange / Samab4 Users

First of all I want to thanks to all Samba4 and OpenChange developers for
this project! I'm sure that once those projects will be stable enough I will
replace it with my current Micro$oft infrastructure.

I have been playing a little with samba4 and openchange during this week and
I willing to write a fully document HOWTO install for those who not sure
how. But before I can handle this I need some help from you guys to help me

All the work was done on the wonderful upcoming Debian distribution name
Lenny (pair of binoculars with feet from the Toy Story movie J ).

Lenny is still in RC1 mode but I found it stable enough to run even in a
production environment. I have used the AMD64 distribution version which can
be downloaded at

After installation all the gcc, binutils and all other dependencies I have
compile Samba4 git head version (Version 4.0.0alpha6-GIT-138283c) (Checkout
was done in 16/12/2008).

This was quite easy, no special problem. I haven manage to compile it debian
style which mean using the --enable-fhs and some other configuration

I build my own DEB file and packed all the files together.

Since I wanted to use OpenLDAP as my backend server I install the OpenLDAP
using apt-get. SLAPD version which is installed is 2.4.11-1.

Then I started my provisions backed as appears in Samba4 Wiki. I notice some
bug in the provision script (file
/usr/lib/python2.5/site-packages/samba/ in my DEB File near line
1378). I had to fix the path for the ad2oLschema command.

After that I run the ./setup/provision-backend --realm=edu.local
--domain=edu --ldap-admin-pass=admin --ldap-backend-type=openldap
--server-role='domain controller' --host-name=DC.

Output was:

Converted 536 records (skipped 13) with 0 failures

Your openldap Backend for Samba4 is now configured, and is ready to be

Server Role:         domain controller

Hostname:            dc

DNS Domain:      edu.local

Base DN:             DC=edu,DC=local

LDAP admin user:     samba-admin

LDAP admin password: admin

Start slapd with:    slapd -f /var/lib/samba-4.0/ldap/slapd.conf -h

Run provision with:  --ldap-backend=ldapi --ldap-backend-type=openldap
--password=manager11 --username=samba-admin

I started the LDAP server as the script suggested, not before I change the
modules.conf of the LDAP Server (/var/lib/samba-4.0/ldap/modules.conf in my

I don't know way the modules.conf doesn't include the following modules
already inside it, I guess that maybe Andrew Bartlett (Which I must say
seems to know everything!!!  based on his answers everywhere on the
internet)  assume you should compile your OpenLDAP by yourslef with the
modules included in the slapd binary file. For me I manage to run the
OpenLDAP server with no problem after adding the following to the
modules.conf file:

moduleload refint

moduleload memberof

moduleload back_hdb

moduleload syncprov

Next task was to run the setup/provision command. Again this was easy, no
problem and my samab4 server was almost done and ready. I restarted my
OpenLDAP server with debug on (using –d-1) and run the e "smbd -i -M single
-d3". Server was up but still minor problem accord.  I notice in the debug
windows that some directories couldn't be found.

Don't know why the "make install" didn't created the following directories:





 chmod 750 /var/lib/samba/winbindd_privileged

I run the ./configure like 4 times and it seems to me like a bug in this

Any way I fixed that – and also update my DEB file.

SO NOW I HAVE samba4 server running. Manage to add user, add Windows XP to
the domain, create a login script, change the GPO – works Like Charm. Andrew
Bartlett and Samba4 Developer – U R COOOOL!

My next task was to create my own DEB file for OpenChange! – I already
started to think about collaboration with WebMail and openchange
(squirrelmail or RoundCube could be nice tools for this).

So I used the lastest snapshot from the openchange SVN (r937) and installed
some other C++, C dependencies as appear in there  HowTO.txt file (in the
doc directory).

Compile was easy. But I had to change some issue with the $PKG_CONFIG_PATH.
 To my observation it seems that the $PKG_CONFIG_PATH  environment set is
being rewritten . So no matter what you will have in the PKG_CONFIG_PATH the
./configure will tell you – you don't have samab4 installed. Fix that by
edit the file configure after running autogen. Should appear in line 1970.

Mines look like this:


        PKG_CONFIG_PATH="$PKG_CONFIG_PATH:$sambaprefix/lib/pkgconfig" (I add

        if test -n "$PKG_CONFIG" && \

Now I compile the package, copy the man files, copy the setup folder (after
compile) to my package since the "make install" don't do. I also copied the
files and directory inside the python folder to my
/usr/lib/python2.5/site-packages/ folder.

Finally I have my DEB file!!!!!

So I installed it and was excited to try it out.

What Next? Well I'm not sure the HOWTO seems to me very old.

To my understating I should now run the ./openchange_provision command. So
LDAP will have the schema update for exchange.

But if someone know about previous step please let me know.

So I started the ./openchange_provision. I remember that for creating the
schema I used the samba-admin user as Andrew Bartlett point out. I looked in
the slapd.conf to make sure samba-admin as full permission on the LDAP tree
and yes – it do has!

So my command was as follow:

./openchange_provision --password=admin --username=samba-admin

Look quite nice right? But then here I'm stuck. While running this I'm
getting the following:

Dev:/usr/share/openchange/setup#  ./openchange_provision --password=admin
--username=samba-admin  --simple-bind-dn=cn=samba-admin,cn=samba

NOTE: This operation can take several minutes

[+] Step 1: Register Exchange OIDs

[+] Step 2: Add new Exchange classes and attributes to Samba schema

Traceback (most recent call last):

  File "./openchange_provision", line 53, in <module>

    openchange.provision(setup_path, lp, creds, firstorg=opts.firstorg,

  File "/usr/lib/python2.5/site-packages/openchange/", line 309,
in provision

    install_schemas(setup_path, names, lp, creds)

  File "/usr/lib/python2.5/site-packages/openchange/", line 144,
in install_schemas

    "SCHEMADN": names.schemadn

  File "/usr/lib/python2.5/site-packages/samba/", line 163, in


  File "/usr/lib/python2.5/site-packages/samba/", line 188, in


_ldb.LdbError: (19, 'LDAP error 19 LDAP_CONSTRAINT_VIOLATION -  <entryDN: no
user modification allowed> <>')

In the OpenLDAP log (running –d-1 debug level) I getting the following

ber_scanf fmt (}) ber:

>>> dnPrettyNormal:

<<< dnPrettyNormal:

>>> dnPretty:

<<< dnPretty:

>>> dnNormalize:

<<< dnNormalize:

>>> dnPretty: <CN=Class-Schema,CN=Schema,CN=Configuration,DC=edu,DC=local>

<<< dnPretty: <cn=Class-Schema,cn=Schema,cn=Configuration,dc=edu,dc=local>

>>> dnNormalize:

<<< dnNormalize:

>>> dnPretty:

<<< dnPretty:

>>> dnNormalize:

<<< dnNormalize:



<= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found

hdb_referrals: tag=104

send_ldap_result: conn=3 op=60 p=3

send_ldap_response: msgid=61 tag=105 err=19

ber_flush2: 51 bytes to sd 28

connection_get(30): got connid=5

connection_read(30): checking for input on id=5


ber_get_next on fd 30 failed errno=0 (Success)

connection_closing: readying conn=5 sd=30 for close

connection_close: conn=5 sd=30

connection_get(29): got connid=4

connection_read(29): checking for input on id=4


ber_get_next on fd 29 failed errno=0 (Success)

connection_closing: readying conn=4 sd=29 for close

connection_close: conn=4 sd=29

connection_get(28): got connid=3

connection_read(28): checking for input on id=3


ber_get_next on fd 28 failed errno=0 (Success)

connection_closing: readying conn=3 sd=28 for close

connection_close: conn=3 sd=28

I used ldapsearch and LDP.exe from Microsoft Support Tools and look under
the Schema. Indeed the cn=ms-exch-active-directory-connector doesn't exist
in my OpenLDAP, but isn't this what the openchange_provision need to do?

Does someone can let me know where I go worng? 5 hours searching  and

Sassy Natan

More information about the samba-technical mailing list