[Samba] Profile Problem with ldap backend

Paul Gienger pgienger at ae-solutions.com
Tue Jul 13 13:01:01 GMT 2004


ds_shadof at uni-altai.ru wrote:

>The Samba 3.0.5rc1 server is configured as a PDC.
>  
>
<snip>

>#WINBIND CONFIG!!!!
>        winbind separator = +
>        winbind use default domain = Yes
>        winbind uid =10000-20000
>        winbind gid =10000-20000
>#If i comment it then
>#[2004/07/14 01:30:40, 0] nsswitch/winbindd_util.c:winbindd_param_init(560)
>#  winbindd: idmap uid range missing or invalid
>#[2004/07/14 01:30:40, 0] nsswitch/winbindd_util.c:winbindd_param_init(561)
>#  winbindd: cannot continue, exiting.
>#  Could not init idmap -- netlogon proxy only
># strange thing.... on 3.0.4 i don't need to write it
>        winbind enum users = yes
>        winbind enum groups = yes
>  
>
First off, is there someplace that people get confused about the use of 
winbind/idmap?  It is strictly for use ONLY with a windows AD server as 
your primary directory... well I guess maybe it would be used if you 
wanted to do some kind of weird authentication against a different samba 
server, but why?!?!

Anyways, start by removing all your idmap entries and that will clear up 
some log entries.

>        password server= localhost
>  
>
This one too.  This is for authenticating against some other server, 
like if you were simply a member of a domain using domain security.

<snip>

>#LDAP STARTS HERE
>        passdb backend = ldapsam:ldap://localhost
>        ldap admin dn = "cn=Manager,dc=liin,dc=org"
>        ldap server = localhost
>        ldap port = 389
>        ldap suffix = dc=liin,dc=org
>        ldap machine suffix = ou=people
>        ldap user suffix = ou=people
>        ldap group suffix = ou=groups
>#       ldap filter = "(&(uid%=%U)(ObjectClass=sambaSamAccount))"
>#LDAP continue
>        ldap idmap suffix = ou=Idmap
>        idmap backend = ldap:ldap//localhost
>        idmap uid = 10000 - 20000
>        idmap gid = 10000 - 20000
>  
>
The 4 lines above should go too.
<snip the rest of smb.conf>

>When I try to log on, WinXP (Pro) says:
>"Windows cannot find the server profile and is logging you on with a temporary profile."
> or something like that. I have a Russian copy of WinXP.
>Next it says:
>"Windows cannot find the local profile and is logging you on with a temporary profile."
>(it's because I removed c:\Documents and Settings\Default User)
>  
>
>Problem n2:
>Problem With Winbind(or not?)
>
>[2004/07/14 01:59:55, 3] sam/idmap.c:idmap_init(131)
>  idmap_init: using 'ldap' as remote backend
>[2004/07/14 01:59:55, 5] lib/smbldap.c:smbldap_search(931)
>  smbldap_search: base => [ou=Idmap,dc=liin,dc=org], filter => [(objectclass=sambaUnixIdPool)], scope => [2]
>[2004/07/14 01:59:55, 10] lib/smbldap.c:smbldap_open_connection(543)
>  smbldap_open_connection: ldap//localhost
>[2004/07/14 01:59:55, 0] lib/smbldap.c:smbldap_open_connection(546)
>  ldap_initialize: Time limit exceeded
>[2004/07/14 01:59:55, 1] lib/smbldap.c:smbldap_retry_open(908)
>  Connection to LDAP Server failed for the 1 try!
>  
>
Looks like you're failing to connect to your local server.  You've got 
some confusion because of the multiple specifications here.  Notice that 
this failure is complaining about being able to connect to 
ldap//localhost (see the missing colon?) You need to roto-till your 
smb.conf then try again.  Get the idmap stuff out and see if your errors 
are more specific.

Assuming you do all that and still have issues: Have you verified that 
your ldap setup is correct?  That is: does your system authenticate fine 
against ldap or are you just trying to store samba in ldap?  If you're 
just setting up one linux server then ldap is overkill for both system 
auth and samba, in that case stick to tdb.

>[2004/07/14 01:59:55, 8] lib/util.c:fcntl_lock(1646)
>  fcntl_lock 7 13 0 1 1
>[2004/07/14 01:59:55, 8] lib/util.c:fcntl_lock(1681)
>  fcntl_lock: Lock call successful
>
>I use idealx smbldap-populate to fill ldap directory
>
>  
>

-- 
Paul Gienger                     Office:		701-281-1884
Applied Engineering Inc.         Cell:			701-306-6254
Information Systems Consultant   Fax:			701-281-1322
URL: www.ae-solutions.com        mailto:pgienger at ae-solutions.com
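
The reply above traces the connection failure to `ldap//localhost`, an LDAP URI missing its colon. The following check is an added example, not part of the original message or of Samba: it scans smb.conf text for `passdb backend` and `idmap backend` values whose LDAP URI is malformed. The function names and the embedded sample (constructed from the lines quoted above) are assumptions of this example, and it assumes one backend per parameter.

```python
from urllib.parse import urlsplit

# Constructed sample: backend-related lines as quoted in the message above.
SAMPLE_SMB_CONF = """\
[global]
        passdb backend = ldapsam:ldap://localhost
        ldap suffix = dc=liin,dc=org
#       ldap filter = "(&(uid%=%U)(ObjectClass=sambaSamAccount))"
        ldap idmap suffix = ou=Idmap
        idmap backend = ldap:ldap//localhost
"""

BACKEND_KEYS = {"passdb backend", "idmap backend"}
LDAP_MODULES = {"ldap", "ldapsam", "ldapsam_compat"}


def parse_params(text):
    """Yield (lineno, key, value) for 'key = value' lines, skipping comments and sections."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        yield lineno, " ".join(key.lower().split()), value.strip()


def check_ldap_uri(uri):
    """Return a reason string if uri is not a usable LDAP URI, else None."""
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps", "ldapi"):
        return "missing or unknown scheme (expected ldap://, ldaps:// or ldapi://)"
    if parts.scheme != "ldapi" and not parts.hostname:
        return "no host after scheme://"
    return None


def lint_backends(text):
    """Return (lineno, key, uri, reason) for each malformed LDAP backend URI."""
    # Assumption of this example: one backend per parameter, written as
    # module:URI, optionally with a quoted, space-separated list of URIs.
    findings = []
    for lineno, key, value in parse_params(text):
        module, sep, rest = value.partition(":")
        if key not in BACKEND_KEYS or not sep or module.strip() not in LDAP_MODULES:
            continue
        for uri in rest.replace('"', "").split():
            reason = check_ldap_uri(uri)
            if reason:
                findings.append((lineno, key, uri, reason))
    return findings
```
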



