[Samba] Getting Winbind IDMAP into LDAP?

Gibbs, Simon Simon.Gibbs at informa.com
Mon Aug 15 10:15:46 GMT 2005 

Hi,

I¹ve been trying to populate an LDAP directory with IDMAP information from
Winbind using NSS_LDAP without much success over the last week.
Can anybody tell me if I¹ve done anything obviously wrong?

I¹ve followed the example shown in the Samba ³By Example² doc and am at the
stage where the LDAP directory has been created and configured, NSS_LDAP
config is amended, smb.conf contains entries to use LDAP as a backend and I
have deleted /var/cache/samba/winbindd_cache.tdb and winbindd_idmap.tdb. Now
wbinfo ­u and wbinfo ­g show users and groups on the domain but getent
passwd/groups only displays local users. The winbindd_cache.tdb and
winbindd_idmap.tdb files have been recreated but only winbindd_cache.tdb
holds any information. When I attempt to access a Samba share I¹m prompted
to enter a username and password.

As I understand it once the wbinfo commands have been run this process
should automatically populate the Idmap ou with the ID mappings ­ is this
correct? If so there must be something wrong with my config.

Here¹s the current config and relevent info ­ sorry it¹s a bit long:

/etc/samba/smb.conf

[global]
workgroup = UKCORPLAN
netbios name = UKFS01
server string = UKFS01 Samba Server
winbind separator = /
ldap ssl = no
idmap uid = 10000-10000000
idmap gid = 10000-10000000
ldap admin dn = cn=Manager,dc=uk,dc=corplan,dc=net
ldap idmap suffix = ou=Idmap
ldap suffix = dc=uk,dc=corplan,dc=net
idmap backend = ldap:ldap://10.10.4.111/
winbind enum users = yes
winbind enum groups = yes
template homedir = /mnt/emcpowerb/user/%D/%U
template shell = /bin/bash
password server = ukdc01.uk.corplan.net
security = ADS
#encrypt passwords = yes
realm = uk.corplan.net
browseable = yes
username map = /etc/samba/smbusers
log level = 10 ads:10 auth:10 sam:10 rpc:10 idmap:10
syslog = 0
log file = /var/log/samba/%m
max log size = 50
#============================ Share Definitions
==============================
[homes]
comment = Home Directories
browseable = no
writable = yes

[public]
comment = Public Stuff
path = /home/samba
public = yes
read only = no

[test]
comment = test share
path = /mnt/emcpowera/shared/test
public = yes
browseable = yes
writeable = yes

/etc/nsswitch.conf

passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
hosts:      files dns

/etc/openldap/slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
## schema files (core.schema is required by default)
include         /etc/openldap/schema/core.schema

## needed for sambaSamAccount
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/sbin/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
#access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix           "dc=uk,dc=corplan,dc=net"
rootdn          "cn=Manager,dc=uk,dc=corplan,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap/samba

# Indices to maintain for this database
# Required by OpenLDAP
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

# Indices required for Samba
index   sambaSID              eq
index   sambaPrimaryGroupSID  eq
index   sambaDomainName       eq
index   default               sub

/etc/openldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
HOST 10.10.4.111
BASE dc=uk,dc=corplan,dc=net
#TLS_CACERTDIR /etc/openldap/cacerts

/etc/ldap.conf - nss_ldap config - only shows changes the rest is as default

# @(#)$Id: ldap.conf,v 1.34 2004/09/16 23:32:02 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host 10.10.4.111

# The distinguished name of the search base.
base dc=uk,dc=corplan,dc=net

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
uri ldap://10.10.4.111/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=Manager,dc=uk,dc=corplan,dc=net

# The credentials to bind with.
# Optional: default is no credential.
bindpw secret

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password exop

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd         ou=People,dc=uk,dc=corplan,dc=net?one
nss_base_shadow         ou=People,dc=uk,dc=corplan,dc=net?one
nss_base_group          ou=Groups,dc=uk,dc=corplan,dc=net?one
#nss_base_hosts         ou=Hosts,dc=example,dc=com?one
#nss_base_services      ou=Services,dc=example,dc=com?one
#nss_base_networks      ou=Networks,dc=example,dc=com?one
#nss_base_protocols     ou=Protocols,dc=example,dc=com?one
#nss_base_rpc           ou=Rpc,dc=example,dc=com?one
#nss_base_ethers        ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks      ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams    ou=Ethers,dc=example,dc=com?one
#nss_base_aliases       ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup      ou=Netgroup,dc=example,dc=com?one

[root at UKFS01 etc]# slapcat | grep -i IDMAP
o: Samba Idmap Directory
dn: ou=Idmap,dc=uk,dc=corplan,dc=net
ou: idmap

I've googled about a bit and haven't bee able to find to much except this
thread:
http://www.mail-archive.com/samba@lists.samba.org/msg30905.html

But most I've checked most of the info and it looks OK in comparison to my
setup.

Any help with this is much appreciated...

Thanks,

Simon





********************************************************************************
The information contained in this email message may be confidential. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorised and prohibited. Although this message and any attachments are believed to be free of viruses, no responsibility is accepted by T&F Informa for any loss or damage arising in any way from receipt or use thereof.  Messages to and from the company are monitored for operational reasons and in accordance with lawful business practices. 
If you have received this message in error, please notify us by return and delete the message and any attachments.  Further enquiries/returns can be sent to postmaster at tfinforma.com

More information about the samba mailing list