samba4 alpha5 with openldap
Andrew Bartlett
abartlet at samba.org
Fri Jul 25 07:12:41 GMT 2008
On Thu, 2008-07-24 at 12:22 +0200, Oliver Liebel wrote:
> I tried to setup latest samba4 version from git with ol 2.4.11
> and ran into some trouble during provisioning.
> following the steps in the wiki -as Andrew mentioned below-
> the provision-backend script runs ok with the following directives:
>
> #> setup/provision-backend --realm=local.site --domain=local
> --ldap-admin-pass=linux
> --ldap-backend-type=openldap --server-role='domain controller'
> ....
> Converted 536 records (skipped 13) with 0 failures
> Your openldap Backend for Samba4 is now configured, and is ready to be
> started
> Server Role: domain controller
> Hostname: ldapmaster
> DNS Domain: local.site
> Base DN: DC=local,DC=site
> LDAP admin user: samba-admin
> LDAP admin password: linux
> Start slapd with: slapd -f /usr/local/samba/private/ldap/slapd.conf
> -h ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi
> ....
>
> next starting slapd in debug mode, everything ok.
>
> the final provisioning works only if the
> <--simple-bind-dn="cn=samba-admin,cn=samba"> option is set, otherwise
> an authentication error arises:
> (ldb.LdbError: (8, 'LDAP error 8 LDAP_STRONG_AUTH_REQUIRED -
> <modifications require authentication> <>')
You should specify --username=samba-admin. This will then allow a SASL
bind, but it seems OpenLDAP is being flexible today, so it seemed to
work. However, as I mention below, I think this is the cause of your
problems.
> using the following settings:
> #> setup/provision --realm=local.site --domain=local --adminpass=linux
> --ldap-backend-type=openldap --ldap-backend=ldapi --server-role='domain
> controller'
> --simple-bind-dn="cn=samba-admin,cn=samba" --password=linux
> ....
> Server Role: domain controller
> Hostname: ldapmaster
> NetBIOS Domain: LOCAL
> DNS Domain: local.site
> DOMAIN SID: S-1-5-21-924630919-2254292606-675636976
> Admin password: linux
> ....
>
> everything seems to work so far, but after setting up dns,krb and
> starting smbd (-i -d 4)
> I got the following errors:
> ....
> ldb: pdc_fsmo_init: no domain object present: (skip loading of domain
> details)
> ldb: schema_fsmo_init: no schema head present: (skip schema loading)
> ldb: naming_fsmo_init: no partitions dn present: (skip loading of naming
> contexts details)
> ldb: pdc_fsmo_init: no domain object present: (skip loading of domain
> details)
> Searching for fSMORoleOwner in DC=local,DC=site failed: LDAP error 32
> LDAP_NO_SUCH_OBJECT - <> <>
> Failed to find if we are the PDC for this ldb
> Failed to find our own NTDS Settings objectGUID in the ldb!
> ....
>
> and I can't access the DIT anyway.
This is odd, but quite possibly related to you using --simple-bind-dn
rather than --username (as the settings used for the provision are
recorded for long-term use, but the test scripts only hit the preferred
option, being --username).
> the next point:
> in the auto-generated slapd.conf there are several rootdn used
> (for the subcontexts user,config,schema), which is ok so far.
> but the rootdn cn=Manager,cn=Samba is the
> rootdn for ...what? and is it ok that there is no corresponding rootpw
> at all?
Correct. I wanted to move away from having the administrator password
clear in the config file. We use the samba-admin account instead.
> during provisioning, the object
> LDAP admin user: samba-admin
> is created, and seems only to be used with the refint_modifiersname
> (regarding the thread "memberOf search ACLs" between Andrew Bartlett
> and Pierangelo Masarati)
>
> maybe I got the wrong view, but the provisioning-options
> (--adminpass, --password, --simple-bind-dn)
> in conjunction with the used rootdns seem to me a little bit confusing.
--adminpass sets the "Administrator" password for that account.
--password is confusing, I agree, but sets the password that the
provision script should use to talk to the backend. --simple-bind-dn
and --username both set the credentials to use with that password.
I considered changing this again, to use --authentication-file=<a file
generated by provision-backend>, so administrators only have the 'right'
choice available, and your feedback confirms this.
Please re-run your provision, using --username=samba-admin, and things
should be better.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
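The thread above turns on which rootdn entries in the generated slapd.conf carry a rootpw at all, and on keeping the administrator password out of the config file in clear text. The following shell script is an added example, not part of the thread or of Samba's provision scripts: it audits a slapd.conf for database stanzas whose rootdn has no rootpw, a cleartext rootpw, or a hashed rootpw. The slapd.conf it writes is a constructed sample whose shape mirrors the thread (separate databases for the user, config and schema subcontexts, and a cn=Manager,cn=Samba rootdn without a rootpw); the suffixes, the {SSHA} value and the cleartext password are made up for the example and are not what provision-backend actually emits.

```shell
#!/bin/sh
# Added example: audit an OpenLDAP slapd.conf for rootdn/rootpw pairing.
# Not Samba's own code; the sample slapd.conf below is constructed.

# Write a constructed slapd.conf to the path given as $1.
write_sample_slapd_conf() {
  cat > "$1" <<'EOF'
# constructed sample, loosely modelled on a Samba4 backend config
include /usr/local/samba/private/ldap/backend-schema.schema

database hdb
suffix "CN=CONFIGURATION,DC=local,DC=site"
rootdn "cn=Manager,CN=CONFIGURATION,DC=local,DC=site"
rootpw {SSHA}Y29uc3RydWN0ZWQtc2FtcGxlLWhhc2gtbm90LXJlYWw=
directory /usr/local/samba/private/ldap/db/config

database hdb
suffix "CN=SCHEMA,CN=CONFIGURATION,DC=local,DC=site"
rootdn "cn=Manager,CN=SCHEMA,CN=CONFIGURATION,DC=local,DC=site"
rootpw linux
directory /usr/local/samba/private/ldap/db/schema

database hdb
suffix "DC=local,DC=site"
rootdn "cn=Manager,cn=Samba"
directory /usr/local/samba/private/ldap/db/user
EOF
}

# Print one line per database stanza: "<suffix> <status>", where status is
# NO_ROOTDN, NO_ROOTPW (rootdn cannot bind with a password; fine if intended),
# HASHED_ROOTPW (value starts with a {SCHEME} tag) or CLEARTEXT_ROOTPW
# (administrator secret sits in clear text in the config file).
audit_slapd_rootdn() {
  awk '
    function flush() {
      if (suffix != "") {
        if (rootdn == "")                          status = "NO_ROOTDN"
        else if (rootpw == "")                     status = "NO_ROOTPW"
        else if (substr(rootpw, 1, 1) == "{")      status = "HASHED_ROOTPW"
        else                                       status = "CLEARTEXT_ROOTPW"
        print suffix, status
      }
      suffix = ""; rootdn = ""; rootpw = ""
    }
    /^[ \t]*#/ { next }                      # skip comments
    $1 == "database" { flush(); next }       # new stanza: report the previous one
    $1 == "suffix"   { suffix = $2; gsub(/"/, "", suffix); next }
    $1 == "rootdn"   { rootdn = $2; gsub(/"/, "", rootdn); next }
    $1 == "rootpw"   { rootpw = $2; gsub(/"/, "", rootpw); next }
    END { flush() }
  ' "$1"
}

# Count stanzas whose rootpw is stored in clear text (0 is the desired state).
count_cleartext_rootpw() {
  audit_slapd_rootdn "$1" | grep -c ' CLEARTEXT_ROOTPW$'
}

# Stand-alone run: write the constructed sample and audit it.
sample=$(mktemp)
write_sample_slapd_conf "$sample"
audit_slapd_rootdn "$sample"
rm -f "$sample"
```

Run against the real file with `audit_slapd_rootdn /usr/local/samba/private/ldap/slapd.conf`; a NO_ROOTPW line for the user partition is the expected outcome of the design Andrew describes (the samba-admin account is used instead), while any CLEARTEXT_ROOTPW line is the condition he was trying to get rid of. The awk only handles the single-line `directive value` form; `include`d files and line continuations are not followed.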