samba with openldap provisioning

Andrew Bartlett abartlet at samba.org
Sun Sep 1 23:25:13 MDT 2013


On Thu, 2013-08-29 at 17:42 +0300, Nadezhda Ivanova wrote:
> Hi Andrew,
> 
> I have re-introduced some of the removed provision options, and
> committed them in my repo: git://git.samba.org/nivanova/samba.git
> 
> The branch is openldap_provision.
> 
> 
> The environment:
> 
> I am running Ubuntu 13.04 and installed cyrus sasl and the latest
> version of berkeley db (6.0.20) from here:
> http://www.oracle.com/technetwork/products/berkeleydb/downloads/index.html
> 
> 
> I installed the latest OpenLDAP from the repo:
> git://git.openldap.org/openldap.git
> 
> 
> This is my openldap configure command:
> 
> LD_LIBRARY_PATH="/usr/lib:/usr/local/lib:/usr/local/BerkeleyDB.6.0/lib:/usr/local/ssl/lib" LDFLAGS="-L/usr/local/lib -L/usr/local/BerkeleyDB.4.2/lib -L/usr/local/ssl/lib" CPPFLAGS="-I/usr/local/include -I/usr/local/BerkeleyDB.6.0/include -I/usr/local/ssl/include" ./configure --enable-modules --enable-overlays=mod --with-cyrus-sasl
> 
> 
> And installed the samba4 overlays as described here:
> 
> 
> http://web.archive.org/web/20110210123448/http://wiki.samba.org/index.php/Samba4/LDAP_Backend/OpenLDAP
> 
> 
> Turning ntlm off did solve that particular problem, but there is an
> error later - it appears to be a new part of the script which attempts
> to use ldb with tdb instead of the openldap backend:

Using Debian testing, your branch and these patches, I get a rather
different issue.  The provision succeeds, but we cannot then bind again
to the LDAP backend.

I built OpenLDAP per the link (from CVS), and used your git tree as the
basis.  I didn't notice until writing this reply that they have finally
moved to GIT, but this is an advantage, not a disadvantage, and it gives
us somewhere to start investigating the OL changes, or fix Samba to work
against the last working OL version, before changing that as well.

I'm guessing we have lost whatever we did to set up and use the shared
secret.  If you can reproduce this much, then dig into the OL logs to
see what user it thinks we are using, and find out where that is or is
not being stored. 

abartlet at ruth:/data/openldap/samba5$ sudo bin/samba -i -M single -d3 -s /data/openldap/prefix/etc/smb.conf
lpcfg_load: refreshing parameters from /data/openldap/prefix/etc/smb.conf
params.c:pm_process() - Processing configuration file "/data/openldap/prefix/etc/smb.conf"
samba version 4.2.0pre1-DEVELOPERBUILD started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
...
ldb_wrap open of secrets.ldb
Got challenge flags:
Got NTLMSSP neg_flags=0x00028205
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x00008205
ldb: Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <SASL(-13): user not found: no secret in database> <>
ldb: Failed to connect to 'ldapi://%2Fdata%2Fopenldap%2Fprefix%2Fprivate%2Fldap%2Fldapi' with backend 'ldapi': (null)
ldb: module partition initialization failed : Operations error
ldb: module show_deleted initialization failed : Operations error
ldb: module extended_dn_out_openldap initialization failed : Operations error
ldb: module operational initialization failed : Operations error
ldb: module aclread initialization failed : Operations error
ldb: module acl initialization failed : Operations error
ldb: module descriptor initialization failed : Operations error
ldb: module objectclass initialization failed : Operations error
ldb: module asq initialization failed : Operations error
ldb: module server_sort initialization failed : Operations error
ldb: module paged_results initialization failed : Operations error
ldb: module dirsync initialization failed : Operations error
ldb: module schema_load initialization failed : Operations error
ldb: module rootdse initialization failed : Operations error
ldb: module samba_dsdb initialization failed : Operations error
ldb: Unable to load modules for /data/openldap/prefix/private/sam.ldb: (null)

Do not despair, we will overcome!

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-FIXME-Set-NTLMv2-as-off-by-default-in-the-client-to-.patch
Type: text/x-patch
Size: 1199 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130902/8714cc22/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-FIXME-Remove-search-for-max-USN.patch
Type: text/x-patch
Size: 1577 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130902/8714cc22/attachment-0001.bin>

