samba4 alpha5 with openldap

Oliver Liebel oliver at
Thu Jul 24 10:22:20 GMT 2008

I tried to set up the latest samba4 version from git with ol 2.4.11
and ran into some trouble during provisioning.
Following the steps in the wiki - as Andrew mentioned below -
the provision-backend script runs ok with the following directives:

#> setup/provision-backend --domain=local 
--ldap-backend-type=openldap --server-role='domain controller'
Converted 536 records (skipped 13) with 0 failures
Your openldap Backend for Samba4 is now configured, and is ready to be 
Server Role:         domain controller
Hostname:            ldapmaster
DNS Domain:
Base DN:             DC=local,DC=site
LDAP admin user:     samba-admin
LDAP admin password: linux
Start slapd with:    slapd -f /usr/local/samba/private/ldap/slapd.conf 
-h ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi

Next, starting slapd in debug mode, everything ok.

The final provisioning works only if the
<--simple-bind-dn="cn=samba-admin,cn=samba"> option is set, otherwise
an authentication error is raised:
(ldb.LdbError: (8, 'LDAP error 8 LDAP_STRONG_AUTH_REQUIRED -  
<modifications require authentication> <>')

Using the following settings:
#> setup/provision --domain=local --adminpass=linux
--ldap-backend-type=openldap --ldap-backend=ldapi --server-role='domain 
--simple-bind-dn="cn=samba-admin,cn=samba" --password=linux
Server Role:    domain controller
Hostname:       ldapmaster
DNS Domain:
DOMAIN SID:     S-1-5-21-924630919-2254292606-675636976
Admin password: linux

Everything seems to work so far, but after setting up DNS, krb and
starting smbd (-i -d 4)
I got the following errors:
ldb: pdc_fsmo_init: no domain object present: (skip loading of domain 
ldb: schema_fsmo_init: no schema head present: (skip schema loading)
ldb: naming_fsmo_init: no partitions dn present: (skip loading of naming 
contexts details)
ldb: pdc_fsmo_init: no domain object present: (skip loading of domain 
Searching for fSMORoleOwner in DC=local,DC=site failed: LDAP error 32 
Failed to find if we are the PDC for this ldb
Failed to find our own NTDS Settings objectGUID in the ldb!

And I can't access the DIT anyway.

The next point:
in the auto-generated slapd.conf there are several rootdns used
(for the subcontexts user, config, schema), which is ok so far.
But the rootdn  cn=Manager,cn=Samba  is the
rootdn for ... what? And is it ok that there is no corresponding rootpw
at all?
During provisioning, the object
LDAP admin user:     samba-admin
is created, and seems only to be used with the refint_modifiersname
(referring to the thread "memberOf search ACLs" between Andrew Bartlett
and Pierangelo Masarati).

Maybe I got the wrong view, but the provisioning options
(--adminpass, --password, --simple-bind-dn)
in conjunction with the rootdns used seem to me a little bit confusing.


Andrew Bartlett wrote:
> On Wed, 2008-07-23 at 15:00 +0200, Oliver Liebel wrote:
>> Hi Andrew,
>> I had just set up samba4 alpha5 with openldap 2.4.10, using the following
>> configuration:
> Can you use a current GIT snapshot?  The changed documentation in the
> wiki represents the changes in the current GIT tree (I should make that
> clear).
> Andrew Bartlett


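The rootdn/rootpw question raised in the post can be checked mechanically. This is an added example, not code from this thread or from Samba or OpenLDAP: it parses a slapd.conf (the sample is constructed in the shape of a provision-backend output; only the DNs and the suffix come from the post) and reports rootdns that have no rootpw, plus any rootpw stored in cleartext rather than as a {SCHEME} hash.

```python
"""Audit a slapd.conf for rootdns without rootpw and cleartext rootpw (added example)."""

# Constructed in the shape of a provision-backend slapd.conf; DNs taken from the post.
SAMPLE_SLAPD_CONF = """\
database hdb
suffix "cn=Samba"
rootdn "cn=Manager,cn=Samba"
database hdb
suffix "DC=local,DC=site"
rootdn "cn=Manager,DC=local,DC=site"
rootpw linux
database hdb
suffix "CN=Configuration,DC=local,DC=site"
rootdn "cn=Manager,CN=Configuration,DC=local,DC=site"
rootpw {SSHA}CONSTRUCTED_PLACEHOLDER_HASH
"""

def _logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for raw in text.splitlines():
        if raw[:1].isspace() and out:
            out[-1] += " " + raw.strip()
        elif raw.strip() and not raw.startswith("#"):
            out.append(raw.rstrip())
    return out

def parse_databases(conf_text):
    """One dict per 'database' section, with its suffix, rootdn and rootpw."""
    dbs, current = [], None
    for line in _logical_lines(conf_text):
        key, _, value = line.replace("\t", " ").partition(" ")
        key, value = key.lower(), value.strip().strip('"')
        if key == "database":
            current = {"type": value, "suffix": None, "rootdn": None, "rootpw": None}
            dbs.append(current)
        elif current is not None and key in ("suffix", "rootdn", "rootpw"):
            current[key] = value
    return dbs

def audit_rootdns(conf_text):
    """Flag rootdns with no rootpw (such a DN can bind only via an entry under
    its suffix or a SASL mapping, so check one exists) and cleartext rootpws."""
    dbs = parse_databases(conf_text)
    return {
        "rootdn_without_rootpw": [d["rootdn"] for d in dbs if d["rootdn"] and not d["rootpw"]],
        "cleartext_rootpw": [d["rootpw"] for d in dbs if d["rootpw"] and not d["rootpw"].startswith("{")],
    }
```

Run against the real generated slapd.conf with `audit_rootdns(open(path).read())`; a DN in `rootdn_without_rootpw` is only usable if the directory or a SASL mapping gives it a way to authenticate.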