samba with openldap provisioning

Nadezhda Ivanova nivanova at samba.org
Wed Sep 4 19:27:49 CEST 2013


Hi Andrew,
At which point are you getting the invalid dn error?

I can't get this far, at this point I cannot make an ldapsearch with
Administrator, according to the logs the dn is not being found, so I'll dig
on that. Anonymous bind works though. I am seeing some "Unrecognised
control" messages in the slapd log, hopefully tomorrow I'll find out what
the problem is.

Also I see this: scripts like dnsupdate and samba_kcc seem to have a
problem with kerberos, I keep getting this in the logs:

/usr/local/samba/sbin/samba_dnsupdate: Starting GENSEC mechanism gssapi_krb5_sasl
Kerberos: AS-REQ DRIZZIT$@TESTDOMAIN.NADYA.ORG from ipv4:192.168.11.146:46353 for krbtgt/TESTDOMAIN.NADYA.ORG at TESTDOMAIN.NADYA.ORG
Child /usr/local/samba/sbin/samba_spnupdate exited with status 0 - Success
Completed SPN update check OK
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- DRIZZIT$@TESTDOMAIN.NADYA.ORG
/usr/local/samba/sbin/samba_dnsupdate: Received smb_krb5 packet of length 287
Kerberos: AS-REQ DRIZZIT$@TESTDOMAIN.NADYA.ORG from ipv4:192.168.11.146:40831 for krbtgt/TESTDOMAIN.NADYA.ORG at TESTDOMAIN.NADYA.ORG
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Looking for PKINIT pa-data -- DRIZZIT$@TESTDOMAIN.NADYA.ORG
Kerberos: Looking for ENC-TS pa-data -- DRIZZIT$@TESTDOMAIN.NADYA.ORG
Kerberos: ENC-TS Pre-authentication succeeded -- DRIZZIT$@TESTDOMAIN.NADYA.ORG using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2013-09-04T20:16:14 starttime: unset endtime: 2013-09-05T06:16:14 renew till: unset
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: forwardable
/usr/local/samba/sbin/samba_dnsupdate: Received smb_krb5 packet of length 1283
Kerberos: TGS-REQ DRIZZIT$@TESTDOMAIN.NADYA.ORG from ipv4:192.168.11.146:52105 for ldap/DRIZZIT.testdomain.nadya.org at TESTDOMAIN.NADYA.ORG [canonicalize]
Kerberos: Searching referral for DRIZZIT.testdomain.nadya.org
Kerberos: Server not found in database: ldap/DRIZZIT.testdomain.nadya.org at TESTDOMAIN.NADYA.ORG: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.11.146:52105
/usr/local/samba/sbin/samba_dnsupdate: Received smb_krb5 packet of length 107
Kerberos: TGS-REQ DRIZZIT$@TESTDOMAIN.NADYA.ORG from ipv4:192.168.11.146:33524 for ldap/DRIZZIT.testdomain.nadya.org at TESTDOMAIN.NADYA.ORG
Kerberos: Server not found in database: ldap/DRIZZIT.testdomain.nadya.org at TESTDOMAIN.NADYA.ORG: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.11.146:33524
/usr/local/samba/sbin/samba_dnsupdate: Received smb_krb5 packet of length 107
Kerberos: TGS-REQ DRIZZIT$@TESTDOMAIN.NADYA.ORG from ipv4:192.168.11.146:45045 for ldap/DRIZZIT.testdomain.nadya.org at TESTDOMAIN.NADYA.ORG [canonicalize]
Kerberos: Searching referral for DRIZZIT.testdomain.nadya.org
Kerberos: Server not found in database: ldap/DRIZZIT.testdomain.nadya.org at TESTDOMAIN.NADYA.ORG: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.11.146:45045
/usr/local/samba/sbin/samba_dnsupdate: Received smb_krb5 packet of length 107
Kerberos: TGS-REQ DRIZZIT$@TESTDOMAIN.NADYA.ORG from ipv4:192.168.11.146:39297 for ldap/DRIZZIT.testdomain.nadya.org at TESTDOMAIN.NADYA.ORG
Kerberos: Server not found in database: ldap/DRIZZIT.testdomain.nadya.org at TESTDOMAIN.NADYA.ORG: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.11.146:39297
/usr/local/samba/sbin/samba_dnsupdate: Received smb_krb5 packet of length 107
/usr/local/samba/sbin/samba_dnsupdate: Server ldap/DRIZZIT.testdomain.nadya.org at TESTDOMAIN.NADYA.ORG is not registered with our KDC:  Miscellaneous failure (see text): Server (ldap/DRIZZIT.testdomain.nadya.org at TESTDOMAIN.NADYA.ORG) unknown

When tested with kinit it works fine though, so I suppose it is a problem
for a later time.

Regards,
Nadya



On Tue, Sep 3, 2013 at 11:24 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Tue, 2013-09-03 at 12:16 -0700, Howard Chu wrote:
> > > Date: Tue, 03 Sep 2013 11:29:05 +1200
> > > From: Andrew Bartlett <abartlet at samba.org>
> > > To: Nadezhda Ivanova <nivanova at samba.org>
> > > Cc: Samba Technical <samba-technical at lists.samba.org>
> >
> > > On Tue, 2013-09-03 at 10:42 +1200, Andrew Bartlett wrote:
> > >> > On Tue, 2013-09-03 at 08:29 +1200, Andrew Bartlett wrote:
> > >>> > > On Mon, 2013-09-02 at 17:09 +0300, Nadezhda Ivanova wrote:
> > >>>> > > > Hi Andrew,
> > >>>> > > >
> > >>>> > > > I was also able to provision, after applying your patches and removing
> > >>>> > > > --use-rfc2307 and adding --use-ntvfs in my provision command. Phew!
> > >>>> > > > One step forward! Now I get a bigger shovel and continue digging on
> > >>>> > > > the openldap side, I'll keep you posted on the progress.
> > >>> > >
> > >>> > > Great!  So I can reproduce exactly what you did, was this with OpenLDAP
> > >>> > > from CVS or from GIT?
> > >>> > >
> > >>> > > Let's keep digging, we will make this pig fly again!
> > >> >
> > >> > I've found the missing patch.  We ripped this out when we dropped the
> > >> > LDAP backend.  With this patch, we now connect in 'samba', and are ready
> > >> > to pass the baton back over to the OpenLDAP side of things.  The next
> > >> > error is from slapd, with one of the reasons we stopped doing this:
> > >> > 'invalid' (presumably extended) DNs.
> > >> >
> > >> > dn: cn=NTDS Settings,cn=RUTH,cn=Servers,cn=Default-First-Site-Name,cn=Sites,cn=Configuration,dc=ldap,dc=samba,dc=example,dc=com
> > >> >
> > >> >
> > >> >
> > >> > ldb: ldb_trace_response: DONE
> > >> > error: 0
> > >> >
> > >> > ldb: ldb_trace_next_request: (partition)->search
> > >> > ldb: ldb_trace_next_request: (schema_data)->search
> > >> > ldb: ldb_trace_next_request: (entryuuid)->search
> > >> > ldb: ldb_trace_next_request: (paged_searches)->search
> > >> > ldb: ldb_trace_next_request: (simple_dn)->search
> > >> > ldb: ldb_trace_next_request: (ldap)->search
> > >> > ldb: ldb_asprintf/set_errstring: LDAP error 34 LDAP_INVALID_DN_SYNTAX - <invalid DN> <>
> > >> >
> > >> > Andrew Bartlett
> > >
> > > I can confirm it fails in the same way with OpenLDAP from GIT.
> > >
> > > The next step will be to have OpenLDAP communicate over LDAP, not LDAPi.
> > > The key for that will be again handling more provision options that were
> > > removed with 696a70c9faac27bcd473b6c2f1444abd267ae6e6 so that we start
> > > ldapd listening in TCP, and connect to it over TCP.  That way, wireshark
> > > can see what is on the wire.
> >
> > The next step is to read the docs or talk to us... :P
>
> I'm just mentioning how I did this last time (as so little of how this
> worked was written down).  I always used wireshark as my 'trusted third
> party' for reference as to who said what ;-)
>
> > You don't need wireshark for this. Just run slapd with packet debug enabled. I
> > usually use slapd -d7 as a starting point.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Catalyst IT                   http://catalyst.net.nz
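The KDC output in the message above shows ENC-TS pre-authentication succeeding for the DRIZZIT$ machine account while every TGS-REQ for ldap/DRIZZIT.testdomain.nadya.org fails with "Server not found in database", which is what samba_dnsupdate finally reports as "not registered with our KDC". The following script is an added example and is not code from this thread or from Samba: it parses Heimdal-style KDC log lines like those quoted, correlates each "Server not found" with the TGS-REQ that triggered it, counts which service principals the KDC could not find, and also flags pre-authentication that completed with a legacy enctype (the quoted client offered AES but arcfour-hmac-md5 was used). The sample log is constructed to mirror the quoted lines, keeping the archive's " at " rendering of the realm separator; the regular expressions, function names and the legacy-enctype list are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample modelled on the Heimdal KDC lines quoted in the post
# above, rejoined onto single lines; not taken from a live system.
SAMPLE_LOG = """\
Kerberos: AS-REQ DRIZZIT$@TESTDOMAIN.NADYA.ORG from ipv4:192.168.11.146:46353 for krbtgt/TESTDOMAIN.NADYA.ORG at TESTDOMAIN.NADYA.ORG
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- DRIZZIT$@TESTDOMAIN.NADYA.ORG
Kerberos: AS-REQ DRIZZIT$@TESTDOMAIN.NADYA.ORG from ipv4:192.168.11.146:40831 for krbtgt/TESTDOMAIN.NADYA.ORG at TESTDOMAIN.NADYA.ORG
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: ENC-TS Pre-authentication succeeded -- DRIZZIT$@TESTDOMAIN.NADYA.ORG using arcfour-hmac-md5
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: TGS-REQ DRIZZIT$@TESTDOMAIN.NADYA.ORG from ipv4:192.168.11.146:52105 for ldap/DRIZZIT.testdomain.nadya.org at TESTDOMAIN.NADYA.ORG [canonicalize]
Kerberos: Server not found in database: ldap/DRIZZIT.testdomain.nadya.org at TESTDOMAIN.NADYA.ORG: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.11.146:52105
Kerberos: TGS-REQ DRIZZIT$@TESTDOMAIN.NADYA.ORG from ipv4:192.168.11.146:33524 for ldap/DRIZZIT.testdomain.nadya.org at TESTDOMAIN.NADYA.ORG
Kerberos: Server not found in database: ldap/DRIZZIT.testdomain.nadya.org at TESTDOMAIN.NADYA.ORG: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.11.146:33524
/usr/local/samba/sbin/samba_dnsupdate: Server ldap/DRIZZIT.testdomain.nadya.org at TESTDOMAIN.NADYA.ORG is not registered with our KDC
"""

# Patterns are assumptions written against the quoted line shapes; a realm is
# terminated by whitespace or the ':' that precedes "no such entry found".
AS_REQ = re.compile(r"^Kerberos: AS-REQ (?P<client>\S+) from ipv4:(?P<addr>[\d.]+):(?P<port>\d+) for (?P<server>\S+) at (?P<realm>[^\s:]+)")
PREAUTH_OK = re.compile(r"^Kerberos: ENC-TS Pre-authentication succeeded -- (?P<client>\S+) using (?P<enctype>\S+)")
TGS_REQ = re.compile(r"^Kerberos: TGS-REQ (?P<client>\S+) from ipv4:(?P<addr>[\d.]+):(?P<port>\d+) for (?P<server>\S+) at (?P<realm>[^\s:]+)")
NOT_FOUND = re.compile(r"^Kerberos: Server not found in database: (?P<server>\S+) at (?P<realm>[^\s:]+)")

# Enctypes a DC account should not be negotiating any more (assumed list).
LEGACY_ENCTYPES = {"arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5",
                   "des3-cbc-sha1", "des3-cbc-md5"}


def analyse_kdc_log(text):
    """Summarise AS/TGS activity in Heimdal-style KDC log text.

    Returns a dict with the number of AS-REQ and TGS-REQ lines, the clients
    whose ENC-TS pre-authentication succeeded (with the enctype used), the
    subset that used a legacy enctype, a Counter of "spn@REALM" values the KDC
    could not find in hdb, and one failure record per miss, correlated with the
    TGS-REQ that immediately preceded it.
    """
    report = {
        "as_requests": 0,
        "preauth_ok": [],
        "legacy_enctype": [],
        "tgs_requests": 0,
        "missing_spns": Counter(),
        "failures": [],
    }
    last_tgs = None  # most recent TGS-REQ, used to attribute a following miss

    for line in text.splitlines():
        if AS_REQ.match(line):
            report["as_requests"] += 1
            continue
        m = PREAUTH_OK.match(line)
        if m:
            report["preauth_ok"].append((m["client"], m["enctype"]))
            if m["enctype"] in LEGACY_ENCTYPES:
                report["legacy_enctype"].append(m["client"])
            continue
        m = TGS_REQ.match(line)
        if m:
            report["tgs_requests"] += 1
            last_tgs = m.groupdict()
            continue
        m = NOT_FOUND.match(line)
        if m:
            report["missing_spns"][f"{m['server']}@{m['realm']}"] += 1
            failure = {"spn": m["server"], "realm": m["realm"]}
            # Only attribute the miss if the preceding TGS-REQ asked for this SPN.
            if last_tgs and last_tgs["server"] == m["server"]:
                failure.update(client=last_tgs["client"], addr=last_tgs["addr"],
                               port=int(last_tgs["port"]))
            report["failures"].append(failure)
    return report


def format_report(report):
    """Render the summary as a few human-readable lines."""
    lines = [f"AS-REQ: {report['as_requests']}, TGS-REQ: {report['tgs_requests']}"]
    for client, enctype in report["preauth_ok"]:
        flag = "  <-- legacy enctype" if client in report["legacy_enctype"] else ""
        lines.append(f"preauth OK: {client} using {enctype}{flag}")
    for spn, n in report["missing_spns"].most_common():
        lines.append(f"missing SPN: {spn} ({n} TGS-REQ failures)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(analyse_kdc_log(SAMPLE_LOG)))
```

For a real log, pass the file contents to analyse_kdc_log(); the report reduces the repeated TGS-REQ/TGS-REP noise to the one fact that matters here, namely which service principal the KDC has no entry for, and points at the enctype downgrade as a separate item to look at once the SPN problem is fixed.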

