[Samba] Samba, ldap and winbind - almost there!

Stephen sdw2 at shineonline.co.nz
Mon Oct 18 06:40:56 GMT 2004


Hi All,

I'm in the process of setting up samba with ldap and winbind and haven't 
been able to find an article anywhere on how to do this. I've managed to 
troll together everything except the directory setup.

I'm stuck on what I need to add into the directory (ldif files) to make 
it all go. I've included the steps I took and so hopefully it'll be easy 
to spot what needs doing.

Here is where I'm up to so far and then below are the errors I'm getting.
1. System is Gentoo Linux with openldap 2.1.30, samba 3.0.5. Working to 
an AD system on a Windows 2003 server.
[1a. Set up a working winbind system prior to adding LDAP to the mix, 
then deleted /etc/samba/secrets.tdb, /var/cache/samba/*.tdb and ran "net 
ads leave"]
2. /etc/slapd.conf. No openldap ACLs are defined as Winbind accesses the 
directory as root (I can tie it down later). Also, I haven't included 
the indexes for brevity.

	include     /etc/openldap/schema/core.schema
	include     /etc/openldap/schema/cosine.schema
	include     /etc/openldap/schema/inetorgperson.schema
	include     /etc/openldap/schema/nis.schema
	include     /etc/openldap/schema/samba.schema
	database    bdb
	suffix      "dc=abc,dc=local"
	rootdn      "cn=Manager,dc=abc,dc=local"
	rootpw      <password>

3. smbpasswd -w <password>
4. Edited ldap.conf

	host 127.0.0.1
	base dc=abc,dc=local
	binddn  cn=Manager,dc=abc,dc=local
	bindpw    <password>
	pam_password exop
	ssl     no
5. Edited smb.conf and added
	idmap backend = ldap:ldap://127.0.0.1
	ldap suffix = "dc=abc,dc=local"
	ldap idmap suffix = ou=idmap
	ldap admin dn = "cn=Manager,dc=abc,dc=local"
6. net ads join -U administrator     ---> result was joined to the domain successfully
7. wbinfo -u and wbinfo -g work successfully
8. getent passwd and getent group don't show domain accounts.

---------------------------------------------------------------------------
The winbind idmaps aren't being written to the directory
1. slapcat shows nothing at all
2. tail /var/log/syslog
	Oct 18 18:53:58 fluoron slapd[2030]: do_search: invalid dn(ou=idmap,"dc=abc,dc=local")
	Oct 18 18:53:58 fluoron slapd[2030]: conn=4 op=842 RESULT tag=101 err=34 text=invalid DN
	Oct 18 18:53:58 fluoron slapd[2030]: do_search: invalid dn (ou=idmap,"dc=abc,dc=local")
	Oct 18 18:53:58 fluoron slapd[2030]: conn=4 op=843 RESULT tag=101 err=34 text=invalid DN
	Oct 18 18:53:58 fluoron slapd[2030]: do_search: invalid dn (ou=idmap,"dc=abc,dc=local")
3. tail /var/log/samba/log/smbd
	[2004/10/18 18:53:58, 1] nsswitch/winbindd_user.c:winbindd_getpwent(571) could not lookup domain user jack
	[2004/10/18 18:53:58, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50) error getting user id for sid S-1-5-21-1949245599-2602856593-3224012141-4049
	[2004/10/18 18:53:58, 1] nsswitch/winbindd_user.c:winbindd_getpwent(571) could not lookup domain user jill
	[2004/10/18 18:53:58, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50) error getting user id for sid S-1-5-21-1949245599-2602856593-3224012141-4052


-----------------------------------------------------------------------------
I figured it needs some structure there and tried this...
$> cat  idmap.ldif

	dn: ou=Idmap,dc=abc,dc=local
	objectClass: organizationalUnit
	ou: idmap

$> ldapadd -x -D "cn=Manager,dc=abc,dc=local" -W < /etc/openldap/idmap.ldif
Enter LDAP Password:
adding new entry "ou=Idmap,dc=abc,dc=local"
ldapadd: update failed: ou=Idmap,dc=abc,dc=local
ldap_add: Constraint violation (19)
     additional info: structuralObjectClass: no user modification allowed
structuralObjectClass: organizationalUnit


-------------------------------------

Help would be really appreciated.

Thank you

Cheers
Stephen
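
An added example, not part of Stephen's post or of the Samba project's own code: a POSIX shell script that emits the LDIF for the base entry and the idmap container (slapcat in the post shows an empty database, so the base entry has to go in first), an smb.conf fragment with no quote characters in the DN values (the slapd log above shows the quotes from smb.conf landing literally inside the DN, ou=idmap,"dc=abc,dc=local", which slapd rejects as invalid), and a lint that flags quoted ldap DN parameters in an smb.conf. The suffix, the admin DN and ou=idmap are taken from the post; the uid/gid ranges (10000-20000), the ldap ssl = no line (matching the ssl no in the post's ldap.conf) and the output file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the Samba project: the directory
# structure Samba 3.0's idmap_ldap backend needs, the smb.conf lines without the
# quoting problem, and a lint that catches that problem. Suffix and DNs are taken
# from the post; the uid/gid ranges are assumed values.

SUFFIX="dc=abc,dc=local"
DC="abc"
IDMAP_OU="idmap"
ID_LOW=10000      # assumed start of the idmap uid/gid ranges
ID_HIGH=20000     # assumed end of the idmap uid/gid ranges

# LDIF for the base entry and the idmap container. slapcat in the post showed an
# empty database, so the base entry has to be loaded before anything beneath it.
# sambaUnixIdPool (from samba.schema) with uidNumber/gidNumber is the counter
# idmap_ldap reads when it allocates the next free id for a SID.
idmap_ldif() {
    cat <<EOF
dn: ${SUFFIX}
objectClass: dcObject
objectClass: organization
dc: ${DC}
o: ${DC}

dn: ou=${IDMAP_OU},${SUFFIX}
objectClass: organizationalUnit
objectClass: sambaUnixIdPool
ou: ${IDMAP_OU}
uidNumber: ${ID_LOW}
gidNumber: ${ID_LOW}
EOF
}

# smb.conf lines with no quote characters: smb.conf keeps quotes as part of the
# value, which is why the slapd log shows ou=idmap,"dc=abc,dc=local" as an
# invalid DN. "ldap ssl = no" is assumed, matching "ssl no" in the post's ldap.conf.
smbconf_fragment() {
    cat <<EOF
idmap backend = ldap:ldap://127.0.0.1
ldap suffix = ${SUFFIX}
ldap idmap suffix = ou=${IDMAP_OU}
ldap admin dn = cn=Manager,${SUFFIX}
ldap ssl = no
idmap uid = ${ID_LOW}-${ID_HIGH}
idmap gid = ${ID_LOW}-${ID_HIGH}
EOF
}

# Lint: return 1 if any "ldap ... suffix" or "ldap admin dn" parameter in the
# given smb.conf carries a literal double quote, 0 otherwise.
lint_smbconf() {
    if grep -E '^[[:space:]]*ldap[[:space:]]+([a-z]+[[:space:]]+)?(suffix|dn)[[:space:]]*=.*"' "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# Usage: sh idmap-setup.sh OUTDIR
# Writes idmap.ldif and smb.conf.fragment into OUTDIR (assumed file names).
# Load the LDIF with:
#   ldapadd -x -D cn=Manager,dc=abc,dc=local -W -f OUTDIR/idmap.ldif
# and, once winbind has run, confirm it is writing mappings with:
#   ldapsearch -x -b ou=idmap,dc=abc,dc=local '(objectClass=sambaIdmapEntry)'
if [ $# -eq 1 ]; then
    mkdir -p "$1"
    idmap_ldif > "$1/idmap.ldif"
    smbconf_fragment > "$1/smb.conf.fragment"
    lint_smbconf "$1/smb.conf.fragment" && echo "smb.conf fragment has no quoted DNs"
fi
```

The lint is worth running over the whole smb.conf rather than only the four lines in the post: ldap user suffix, ldap group suffix and ldap machine suffix are subject to the same literal-quote behaviour, and the regex covers them.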


