[Samba] Re: Getting Winbind IDMAP into LDAP?

gints neimanis gints at venta.lv
Tue Aug 16 08:57:48 GMT 2005


Hi,

To use LDAP as the winbind idmap backend you don't need nss_ldap at all: winbind itself performs every idmap query and update against the LDAP server, binding with the `ldap admin dn` from smb.conf and the password stored with `smbpasswd -w`. nss_ldap only matters if you also keep ordinary POSIX accounts under ou=People/ou=Groups and want those resolved directly from LDAP.

Your smb.conf looks fine for the idmap part. (One caveat for later: `ldap ssl = no` means winbind's bind as the admin DN, and all idmap traffic, crosses the network to 10.10.4.111 unencrypted; switch to `ldap ssl = start tls` or an ldaps:// URL in `idmap backend` once slapd has a certificate.)
You may check 2 things:
* Have you stored the LDAP Manager password with `smbpasswd -w 'verysecretldapmanager password'`? It is kept in secrets.tdb (which should be readable by root only) and it must match the `rootpw` in slapd.conf. Typing it on the command line leaves it in your shell history and, briefly, visible in the process list, so clear the history afterwards.
* Have you added winbind to /etc/nsswitch.conf? The one you posted has `files ldap`, which only asks nss_ldap under ou=People/ou=Groups and never consults winbind, so domain users cannot show up there. With winbind listed, `getent passwd` should show all domain users with the IDs winbind has allocated in LDAP,
like:
===
...
passwd:     files winbind
group:      files winbind
...
===

Next, you can raise the OpenLDAP server's log level (`loglevel 256` in slapd.conf, which logs connections and operations) and look in the slapd messages for what is wrong with the connection. Lower it again afterwards, together with the `log level = 10 ...` in smb.conf: debug-level logs record bind DNs, SIDs and client details that should not keep accumulating on a file server.

Gints

Gibbs, Simon wrote:
> Hi,
> 
> I've been trying to populate an LDAP directory with IDMAP information from
> Winbind using NSS_LDAP without much success over the last week.
> Can anybody tell me if I've done anything obviously wrong?
> 
> I've followed the example shown in the Samba "By Example" doc and am at the
> stage where the LDAP directory has been created and configured, NSS_LDAP
> config is amended, smb.conf contains entries to use LDAP as a backend and I
> have deleted /var/cache/samba/winbindd_cache.tdb and winbindd_idmap.tdb. Now
> wbinfo -u and wbinfo -g show users and groups on the domain but getent
> passwd/groups only displays local users. The winbindd_cache.tdb and
> winbindd_idmap.tdb files have been recreated but only winbindd_cache.tdb
> holds any information. When I attempt to access a Samba share I'm prompted
> to enter a username and password.
> 
> As I understand it, once the wbinfo commands have been run this process
> should automatically populate the Idmap ou with the ID mappings - is this
> correct? If so there must be something wrong with my config.
> 
> Here's the current config and relevant info - sorry it's a bit long:
> 
> /etc/samba/smb.conf
> 
> [global]
> workgroup = UKCORPLAN
> netbios name = UKFS01
> server string = UKFS01 Samba Server
> winbind separator = /
> # NOTE(review): with ldap ssl = no, winbind's simple bind as the ldap admin dn
> # (and every idmap read/write) goes to 10.10.4.111 in cleartext; use
> # ldap ssl = start tls, or an ldaps:// URL in idmap backend, once slapd has TLS.
> ldap ssl = no
> # uid/gid ranges winbind allocates from for domain users/groups; must not
> # overlap the ids of local accounts in /etc/passwd and /etc/group
> idmap uid = 10000-10000000
> idmap gid = 10000-10000000
> # DN winbind binds with (password stored via "smbpasswd -w"); this is the slapd
> # rootdn, so winbind gets full write access to the whole directory, not just ou=Idmap
> ldap admin dn = cn=Manager,dc=uk,dc=corplan,dc=net
> # relative to ldap suffix, i.e. ou=Idmap,dc=uk,dc=corplan,dc=net
> ldap idmap suffix = ou=Idmap
> ldap suffix = dc=uk,dc=corplan,dc=net
> idmap backend = ldap:ldap://10.10.4.111/
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /mnt/emcpowerb/user/%D/%U
> template shell = /bin/bash
> password server = ukdc01.uk.corplan.net
> security = ADS
> # encrypt passwords is left at its default here
> #encrypt passwords = yes
> realm = uk.corplan.net
> browseable = yes
> username map = /etc/samba/smbusers
> # debugging levels: these logs capture bind DNs, SIDs and client details,
> # so drop back to 1 (or 2) once the idmap problem is found
> log level = 10 ads:10 auth:10 sam:10 rpc:10 idmap:10
> syslog = 0
> log file = /var/log/samba/%m
> max log size = 50
> #============================ Share Definitions
> # (the next line is presumably the wrapped tail of the banner above, not a directive)
> ==============================
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
> 
> [public]
> comment = Public Stuff
> path = /home/samba
> # NOTE(review): public = yes (a synonym for guest ok) together with
> # read only = no makes this share writable by unauthenticated guests
> public = yes
> read only = no
> 
> [test]
> comment = test share
> path = /mnt/emcpowera/shared/test
> # NOTE(review): same as [public]: guest-accessible and writable
> public = yes
> browseable = yes
> writeable = yes
> 
> /etc/nsswitch.conf
> 
> # NOTE(review): winbind is not listed, so lookups only see local files plus
> # nss_ldap (which searches ou=People/ou=Groups, never ou=Idmap); for domain
> # users to resolve through winbind this needs "files winbind" (ldap may stay
> # after it if local POSIX accounts also live in LDAP)
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
> 
> #hosts:     db files nisplus nis dns
> hosts:      files dns
> 
> /etc/openldap/slapd.conf
> 
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> ## schema files (core.schema is required by default)
> include         /etc/openldap/schema/core.schema
> 
> ## needed for sambaSamAccount
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/samba.schema
> 
> # Allow LDAPv2 client connections.  This is NOT the default.
> # NOTE(review): nothing in this setup needs LDAPv2 (nss_ldap defaults to v3 and
> # Samba's LDAP client also speaks v3); drop this line to keep the legacy protocol off.
> allow bind_v2
> 
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral       ldap://root.openldap.org
> 
> pidfile         /var/run/slapd.pid
> argsfile        /var/run/slapd.args
> 
> # Load dynamic backend modules:
> # modulepath    /usr/sbin/openldap
> # moduleload    back_bdb.la
> # moduleload    back_ldap.la
> # moduleload    back_ldbm.la
> # moduleload    back_passwd.la
> # moduleload    back_shell.la
> 
> # NOTE(review): no TLSCertificateFile/TLSCertificateKeyFile directives, so slapd
> # only serves plain ldap://; every bind against it (winbind as rootdn, nss_ldap,
> # the ldap tools) sends its password in cleartext across the network.
> 
> # Sample access control policy:
> #       Root DSE: allow anyone to read it
> #       Subschema (sub)entry DSE: allow anyone to read it
> #       Other DSEs:
> #               Allow self write access
> #               Allow authenticated users read access
> #               Allow anonymous users to authenticate
> #       Directives needed to implement policy:
> # access to dn.base="" by * read
> # access to dn.base="cn=Subschema" by * read
> #access to *
> #       by self write
> #       by users read
> #       by anonymous auth
> #
> # if no access controls are present, the default policy
> # allows anyone and everyone to read anything but restricts
> # updates to rootdn.  (e.g., "access to * by * read")
> #
> # rootdn can always read and write EVERYTHING!
> # NOTE(review): no "access to" directive is active, so the default described
> # above applies: anyone, including anonymous clients, can read the whole tree
> # (the idmap mappings, and any sambaSamAccount data stored here later), and
> # only rootdn can write. At minimum enable the sample policy above.
> 
> #######################################################################
> # ldbm and/or bdb database definitions
> #######################################################################
> 
> database        bdb
> suffix           "dc=uk,dc=corplan,dc=net"
> # this DN is also what winbind (ldap admin dn) and nss_ldap (binddn) bind as
> rootdn          "cn=Manager,dc=uk,dc=corplan,dc=net"
> # Cleartext passwords, especially for the rootdn, should
> # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> # NOTE(review): "secret" stored in cleartext (and reused as bindpw in the
> # nss_ldap /etc/ldap.conf, which all local users can read); replace it with a
> # strong password hashed by slappasswd ({SSHA}...), and give "smbpasswd -w"
> # the same new value so winbind can still bind.
> rootpw          secret
> 
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory       /var/lib/ldap/samba
> 
> # Indices to maintain for this database
> # Required by OpenLDAP
> index objectClass                       eq,pres
> index ou,cn,mail,surname,givenname      eq,pres,sub
> index uidNumber,gidNumber,loginShell    eq,pres
> index uid,memberUid                     eq,pres,sub
> index nisMapName,nisMapEntry            eq,pres,sub
> 
> # Indices required for Samba
> index   sambaSID              eq
> index   sambaPrimaryGroupSID  eq
> index   sambaDomainName       eq
> index   default               sub
> 
> /etc/openldap/ldap.conf
> 
> #
> # LDAP Defaults
> #
> 
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
> 
> #BASE   dc=example, dc=com
> #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
> 
> #SIZELIMIT      12
> #TIMELIMIT      15
> #DEREF          never
> # NOTE(review): this file sets defaults for libldap-linked clients (the ldap*
> # tools; Samba's TLS settings such as TLS_CACERT are read from here too) --
> # nss_ldap has its own /etc/ldap.conf. HOST is the older form; ldap.conf(5)
> # prefers URI.
> HOST 10.10.4.111
> BASE dc=uk,dc=corplan,dc=net
> # no TLS_* setting is active, so clients talk to 10.10.4.111 over plain ldap://
> #TLS_CACERTDIR /etc/openldap/cacerts
> 
> /etc/ldap.conf - nss_ldap config - only shows changes the rest is as default
> 
> # @(#)$Id: ldap.conf,v 1.34 2004/09/16 23:32:02 lukeh Exp $
> #
> # This is the configuration file for the LDAP nameservice
> # switch library and the LDAP PAM module.
> #
> # PADL Software
> # http://www.padl.com
> #
> 
> # Your LDAP server. Must be resolvable without using LDAP.
> # Multiple hosts may be specified, each separated by a
> # space. How long nss_ldap takes to failover depends on
> # whether your LDAP client library supports configurable
> # network or connect timeouts (see bind_timelimit).
> host 10.10.4.111
> 
> # The distinguished name of the search base.
> base dc=uk,dc=corplan,dc=net
> 
> # Another way to specify your LDAP server is to provide an
> # uri with the server name. This allows to use
> # Unix Domain Sockets to connect to a local LDAP Server.
> # NOTE(review): plain ldap:// to a remote host, so the bind credentials below
> # cross the network in cleartext; ldaps:// or TLS would be needed to protect them
> uri ldap://10.10.4.111/
> #uri ldaps://127.0.0.1/
> #uri ldapi://%2fvar%2frun%2fldapi_sock/
> # Note: %2f encodes the '/' used as directory separator
> 
> # The LDAP version to use (defaults to 3
> # if supported by client library)
> #ldap_version 3
> 
> # The distinguished name to bind to the server with.
> # Optional: default is to bind anonymously.
> # NOTE(review): this file must be readable by every process that does name
> # lookups, so the rootdn credentials below are exposed to all local users.
> # nss_ldap only needs read access: bind anonymously (the default) or as a
> # read-only proxy DN, or keep privileged credentials in the root-only
> # /etc/ldap.secret via rootbinddn. Either way, do not reuse the rootpw here.
> binddn cn=Manager,dc=uk,dc=corplan,dc=net
> 
> # The credentials to bind with.
> # Optional: default is no credential.
> bindpw secret
> 
> # Do not hash the password at all; presume
> # the directory server will do it, if
> # necessary. This is the default.
> pam_password exop
> 
> # RFC2307bis naming contexts
> # Syntax:
> # nss_base_XXX          base?scope?filter
> # where scope is {base,one,sub}
> # and filter is a filter to be &'d with the
> # default filter.
> # You can omit the suffix eg:
> # nss_base_passwd       ou=People,
> # to append the default base DN but this
> # may incur a small performance impact.
> # NOTE(review): these searches look only under ou=People/ou=Groups; winbind
> # stores its mappings under ou=Idmap (see ldap idmap suffix in smb.conf), so
> # nss_ldap will never return domain users -- winbind in nsswitch.conf does that.
> nss_base_passwd         ou=People,dc=uk,dc=corplan,dc=net?one
> nss_base_shadow         ou=People,dc=uk,dc=corplan,dc=net?one
> nss_base_group          ou=Groups,dc=uk,dc=corplan,dc=net?one
> #nss_base_hosts         ou=Hosts,dc=example,dc=com?one
> #nss_base_services      ou=Services,dc=example,dc=com?one
> #nss_base_networks      ou=Networks,dc=example,dc=com?one
> #nss_base_protocols     ou=Protocols,dc=example,dc=com?one
> #nss_base_rpc           ou=Rpc,dc=example,dc=com?one
> #nss_base_ethers        ou=Ethers,dc=example,dc=com?one
> #nss_base_netmasks      ou=Networks,dc=example,dc=com?ne
> #nss_base_bootparams    ou=Ethers,dc=example,dc=com?one
> #nss_base_aliases       ou=Aliases,dc=example,dc=com?one
> #nss_base_netgroup      ou=Netgroup,dc=example,dc=com?one
> 
> [root at UKFS01 etc]# slapcat | grep -i IDMAP
> o: Samba Idmap Directory
> dn: ou=Idmap,dc=uk,dc=corplan,dc=net
> ou: idmap
> 
> I've googled about a bit and haven't been able to find much except this
> thread:
> http://www.mail-archive.com/samba@lists.samba.org/msg30905.html
> 
> But I've checked most of the info there and it looks OK in comparison to my
> setup.
> 
> Any help with this is much appreciated...
> 
> Thanks,
> 
> Simon
> 
> 
> 
> 
> 
> ********************************************************************************
> The information contained in this email message may be confidential. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorised and prohibited. Although this message and any attachments are believed to be free of viruses, no responsibility is accepted by T&F Informa for any loss or damage arising in any way from receipt or use thereof.  Messages to and from the company are monitored for operational reasons and in accordance with lawful business practices. 
> If you have received this message in error, please notify us by return and delete the message and any attachments.  Further enquiries/returns can be sent to postmaster at tfinforma.com
> 


