[Samba] 3.0.7/LDAP/referrals...

William Jojo jojowil at hvcc.edu
Wed Sep 22 14:20:39 GMT 2004

AIX 5.2 OpenLDAP 2.2.15 Samba 3.0.7 (no winbindd)

I've got a stupid problem with referrals that I can't seem to ferret out.

Each Samba DC has a localhost-based LDAP replica for scalability (my
idea anyway). So the only way they will talk to the Master is if there is
need for an update. Ok.

If I make the updatedn the same as the rootdn of the replica, it updates
the local database; *NOT* what I want obviously, but at least I know Samba
is talking to *something* and being successful with, say, a workstation.

If I make the updatedn the known DN that slurpd will use (NOT the rootdn
of the replica) Samba doesn't seem to follow the referral. I've verified
the referral is offered using a simple ldapmodify command. Samba just
doesn't seem to be *seeing* the referral?

Log level 10 snippet:

[2004/09/22 08:55:39, 4]
  ldapsam_update_sam_account: user CRK7$ to be modified has dn:
[2004/09/22 08:55:39, 2] passdb/pdb_ldap.c:init_ldap_from_sam(864)
  init_ldap_from_sam: Setting entry for user: CRK7$
[2004/09/22 08:55:39, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaLMPassword] = [<does not exist>]
[2004/09/22 08:55:39, 5] lib/smbldap.c:smbldap_modify(1009)
  smbldap_modify: dn => [uid=CRK7$,ou=People,dc=hvcc,dc=edu]
[2004/09/22 08:55:39, 5] lib/smbldap.c:rebindproc_connect_with_state(698)
  rebindproc_connect_with_state: Rebinding as "cn=root,dc=hvcc,dc=edu"
[2004/09/22 08:55:39, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1422)
  ldapsam_modify_entry: Failed to modify user dn=
uid=CRK7$,ou=People,dc=hvcc,dc=edu with: No such attribute
        modify/delete: sambaPwdCanChange: no such attribute
[2004/09/22 08:55:39, 0]
  ldapsam_update_sam_account: failed to modify user with uid = CRK7$,
error: modify/delete: sambaPwdCanChange: no such attribute (Success)
[2004/09/22 08:55:39, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 samr_io_r_set_userinfo
[2004/09/22 08:55:39, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
      0000 status: NT_STATUS_ACCESS_DENIED

I'm not sure why the "no such attribute" is occurring. It's there;
ldapsearch snippet:

dn: uid=CRK7$,ou=People,dc=hvcc,dc=edu
objectClass: posixAccount
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
uid: CRK7$
cn: CRK7$
sn: CRK7$
sambaSID: S-1-5-21-1908802895-3536710745-1580887524-41700
sambaPrimaryGroupSID: S-1-5-21-1908802895-3536710745-1580887524-515
sambaAcctFlags: [W          ]
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1095858128
sambaNTPassword: C7389145F8AF64E09B75D48214E02B6B
sambaPwdLastSet: 1095858128

Maybe it's a mistake in processing the referral?

I'm going through the source, but haven't found anything yet.

snippet from smb.conf:

   ldap passwd sync = yes

   passdb backend = ldapsam:"ldap://localhost"
   ldap suffix = dc=hvcc,dc=edu
   ldap machine suffix = ou=People,dc=hvcc,dc=edu
   ldap user suffix = ou=People,dc=hvcc,dc=edu
   ldap group suffix = ou=Groups,dc=hvcc,dc=edu
   ldap idmap suffix = ou=Idmap,dc=hvcc,dc=edu
   ldap admin dn = cn=root,dc=hvcc,dc=edu
   idmap backend = ldap:ldap://localhost

Can anyone shed some light here? I'd *really* like to use this "every DC is
also an LDAP replica" approach...

On a separate note, I've noticed that Samba doesn't seem to be using
alternate suffix values to override "ldap suffix" when knowledge of
machine, user, group or idmap may be known as indicated in
smb.conf(5)...I'm sure I'm missing something...
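As an added diagnostic (not part of the original post and not Samba's or OpenLDAP's own code), the script below rebuilds the delete/add modify of sambaPwdCanChange that the log above shows failing, sends it to the replica once without and once with referral chasing (ldapmodify -C), and prints the attribute as each server stores it, so the "no such attribute" can be located on the replica or on the referral target. The entry DN, bind DN and old value come from the post; the master URI and the new timestamp are assumed placeholders.

```shell
#!/bin/sh
# Added diagnostic for the failing sambaPwdCanChange modify (not from the post).
# Assumed: MASTER_URI is a placeholder, NEW is a constructed timestamp.
set -u

REPLICA_URI="${REPLICA_URI:-ldap://localhost}"
MASTER_URI="${MASTER_URI:-ldap://master.example.invalid}"   # placeholder
BIND_DN="${BIND_DN:-cn=root,dc=hvcc,dc=edu}"
ENTRY_DN="uid=CRK7\$,ou=People,dc=hvcc,dc=edu"
ATTR="sambaPwdCanChange"
OLD=1095858128          # value shown by ldapsearch in the post
NEW=$(date +%s)         # constructed replacement value

# LDIF for the change Samba's ldapsam backend sends when a value differs:
# delete the old value of the attribute, then add the new one.
build_modify_ldif() {
    # $1 = DN, $2 = attribute, $3 = old value, $4 = new value
    printf 'dn: %s\nchangetype: modify\ndelete: %s\n%s: %s\n-\nadd: %s\n%s: %s\n-\n' \
        "$1" "$2" "$2" "$3" "$2" "$2" "$4"
}

# Show how one server stores the attribute (no output line = absent there).
show_attr() {
    # $1 = LDAP URI, $2 = DN, $3 = attribute
    ldapsearch -x -LLL -H "$1" -D "$BIND_DN" -W -s base -b "$2" "$3"
}

# Send the modify to the replica. Without -C the client should get the
# referral back as an error; with -C libldap chases it to the master.
try_modify() {
    # $1 = "" or "-C"
    build_modify_ldif "$ENTRY_DN" "$ATTR" "$OLD" "$NEW" |
        ldapmodify -x $1 -H "$REPLICA_URI" -D "$BIND_DN" -W
}

main() {
    echo "== $ATTR on replica =="; show_attr "$REPLICA_URI" "$ENTRY_DN" "$ATTR"
    echo "== $ATTR on master  =="; show_attr "$MASTER_URI"  "$ENTRY_DN" "$ATTR"
    echo "== modify via replica, no referral chasing =="; try_modify ""
    echo "== modify via replica, chasing the referral (-C) =="; try_modify "-C"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh check_referral.sh run`; each ldapsearch/ldapmodify call prompts for the bind password.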
