[Samba] Re: LDAP weirdness

Igor Belyi sambauser at katehok.ac93.org
Wed Oct 20 14:27:58 GMT 2004


Ilia Chipitsine wrote:
> Dear Sirs,
> 
> I installed OpenLDAP and smbldap-tools by IDEALX.
> samba is 3.0.7, smbldap is 0.8.5
> 
> what else did I do:
> 
> 1) smbldap-populate
> 2) pdbedit -i smbpasswd:/usr/local/private/smbpasswd -e ldapsam:ldap://127.0.0.1
> 
> 3) smbpasswd -w <clear text password>
>    what is not very clear: should I use the same Manager account or not?

It should be the password of the 'ldap admin dn' listed in your smb.conf 
file.

> however, account information was exported to LDAP successfully.
> samba is running well over that data. users can log in.
> 
> but, when I do "net groupmap ..." I'm getting errors:
> 
> sol# net groupmap list
> [2004/10/20 19:40:25, 0] lib/smbldap.c:smbldap_search_domain_info(1338)
>   Adding domain info for SOLAR failed with NT_STATUS_UNSUCCESSFUL

This means that 'ldap admin dn' does not have write access to the tree 
listed as 'ldap suffix' in your smb.conf file. You can fix it either in 
the slapd.conf file by adding the correct 'access' statement or by changing 
'ldap admin dn' to one which already has the right access.

> Domain Admins (S-1-5-21-1906877464-905504629-2230954338-512) -> 512
> Domain Users (S-1-5-21-1906877464-905504629-2230954338-513) -> school
> Domain Guests (S-1-5-21-1906877464-905504629-2230954338-514) -> 514
> Print Operators (S-1-5-32-550) -> 550
> Backup Operators (S-1-5-32-551) -> 551
> Replicators (S-1-5-32-552) -> 552

Those numbers mean that smbldap-populate expects that builtin Domain 
Group SIDs should be mapped into UNIX groups with the gid the same as the 
RID part of the SID. Since you already have one of the gids reserved for a 
group named 'school', it's not a good assumption for your site. You may 
want to create your own UNIX groups for 'Domain Admins' and so on and 
then use 'net groupmap modify' to update the mapping.

> sol#
> 
> why pdbedit successfully migrated data, but net groupmap doesn't want to 
> work with that ?
> 
> Cheers,
> Ilia Chipitsine
> 

Hope it helps,
Igor
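
The remapping step described in the reply above, as an added example that is not part of the original message or of Samba/smbldap-tools: it parses the 'net groupmap list' output quoted in the thread and builds the 'net groupmap modify' commands that move the domain groups onto dedicated UNIX groups. The group names in INTENDED are hypothetical and are assumed to have been created already.

```python
import re

# Constructed sample: the mapping lines and one log line quoted in the thread above.
SAMPLE = """\
[2004/10/20 19:40:25, 0] lib/smbldap.c:smbldap_search_domain_info(1338)
Domain Admins (S-1-5-21-1906877464-905504629-2230954338-512) -> 512
Domain Users (S-1-5-21-1906877464-905504629-2230954338-513) -> school
Domain Guests (S-1-5-21-1906877464-905504629-2230954338-514) -> 514
Print Operators (S-1-5-32-550) -> 550
Backup Operators (S-1-5-32-551) -> 551
Replicators (S-1-5-32-552) -> 552
"""

# Hypothetical site policy: dedicated UNIX groups (names are assumptions)
# that must already exist before the mapping is changed.
INTENDED = {
    "Domain Admins": "smbadmins",
    "Domain Users": "smbusers",
    "Domain Guests": "smbguests",
}

LINE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-\d+(?:-\d+)+)\) -> (?P<unix>\S.*)$")


def parse_groupmap(text):
    """Return one dict per mapping line; log lines and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            sid = m.group("sid")
            entries.append({"ntgroup": m.group("nt"), "sid": sid,
                            "rid": int(sid.rsplit("-", 1)[1]),
                            "unix": m.group("unix").strip()})
    return entries


def plan_fixes(entries, intended):
    """Build 'net groupmap modify' commands for mappings that differ from policy."""
    cmds = []
    for e in entries:
        want = intended.get(e["ntgroup"])
        if want and e["unix"] != want:
            cmds.append(f'net groupmap modify ntgroup="{e["ntgroup"]}" unixgroup={want}')
    return cmds


if __name__ == "__main__":
    for e in parse_groupmap(SAMPLE):
        print(f'{e["ntgroup"]:<17} rid={e["rid"]:<4} currently -> {e["unix"]}')
    print("\n".join(plan_fixes(parse_groupmap(SAMPLE), INTENDED)))
```

Groups missing from INTENDED (the builtin operators here) are left untouched, so the plan only changes mappings the site has made a decision about.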


