[Samba] Problems with OpenLDAP 2.2.20/Samba 3.0.10 and smbpasswd

William Jojo jojowil at hvcc.edu
Tue Jan 11 18:16:46 GMT 2005
On Tue, 11 Jan 2005, Harry Rüter wrote:

> Hi ;o)
>
> here is more information:
>
> Because this is just a test and not public, you get to know all my secrets ;o)
>
> PW is : secret
>
> slapd.conf (partly ..):
>
> ---snipp---
> database        bdb
> suffix          "dc=hrnet,dc=de"
> rootdn          "cn=ldapmanager,dc=hrnet,dc=de"
> rootpw          secret
> directory       /usr/local/openldap-2.2/var/openldap-data
> index    objectClass    eq
> index    sambaSID    eq
> index    sambaPrimaryGroupSID    eq
> index    sambaDomainName    eq
> index    uid,uidNumber,gidNumber,memberUid eq
> index    cn,mail,surname,givenname   eq,subinitial
> access to *
>         by * write
> ---snipp---
>
> smb.conf (partly, what's of interest) :
>
> ---snipp---
>
> # now without passdb backend
> #        passdb backend = ldapsam:ldap://486dx66.hrnet.de:1389/
>
>          ldap server = 486dx66.hrnet.de
>          ldap suffix = "dc=hrnet,dc=de"
>          ldap filter = "(&(uid=%u)(objectclass=sambaSamAccount))"
>          ldap port = 1389
>          ldap admin dn = "cn=ldapmanager,dc=hrnet,dc=de"
>          ldap ssl = off
>
>          ldap user suffix = ou=users
>          ldap group suffix = ou=groups
>          ldap machine suffix = ou=machines
> ---snipp---
>
>
> William Jojo schrieb:
> >
> > I'm using 3.0.10 and 2.2.20 without any problems, so assuming it's
> > compiled ok, which I believe it is since you are getting errors about not
> > finding the rootdn password.
> >
> > Hmmm, well, here's a couple of things:
> >
> > 1) How tight do you have the restrictions on slapd.conf with respect to
> > accessing certain containers?
>
> See above, no restrictions now ..
>
> > 2) be certain the rootdn in slapd.conf exactly matches "ldap admin dn".
>
> See above ...
>
> > 3) don't run smbpasswd -w rootdnpw until *after* the smb.conf changes are
> > in place. (i've done that myself :-)
>
> Okay, I did this again after having finished smb.conf ...
>
> > 4) tdbdump the secrets.tdb to verify that the entry in the database shows
> > the correct rootdn and password selected.
>
> Seems to be okay ....
>
> ---snipp---
>
> [PTS2] 486dx66:/usr/local/samba3 # bin/tdbdump private/secrets.tdb
> {
> key = "SECRETS/LDAP_BIND_PW/cn=ldapmanager,dc=hrnet,dc=de"
> data = "secret\00"
> }
> {
> key = "SECRETS/SID/HRDOMAIN"
> data =
> "\01\04\00\00\00\00\00\05\15\00\00\00L\9B\E6\9F\B1\E1\FF#'\C3\B6G\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
> }
> {
> key = "SECRETS/SID/486DX66"
> data =
> "\01\04\00\00\00\00\00\05\15\00\00\00L\9B\E6\9F\B1\E1\FF#'\C3\B6G\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
> }
> ---snipp---
>
> Here's the output I have now ..
>
> ---snipp---
>
> [PTS2] root at 486dx66:/usr/local/samba3 # bin/smbpasswd -D 10 -c
> etc/smb.conf tina
> Netbios name list:-
> my_netbios_names[0]="486DX66"
> Trying to load: ldapsam_compat
> Attempting to register passdb backend ldapsam
> Successfully added passdb backend 'ldapsam'
> Attempting to register passdb backend ldapsam_compat
> Successfully added passdb backend 'ldapsam_compat'
> Attempting to register passdb backend smbpasswd
> Successfully added passdb backend 'smbpasswd'
> Attempting to register passdb backend tdbsam
> Successfully added passdb backend 'tdbsam'
> Attempting to register passdb backend guest
> Successfully added passdb backend 'guest'
> Attempting to find an passdb backend to match ldapsam_compat
> (ldapsam_compat)
> Found pdb backend ldapsam_compat
> pdb backend ldapsam_compat has a valid init
> Attempting to find an passdb backend to match guest (guest)
> Found pdb backend guest
> pdb backend guest has a valid init
> New SMB password:
> New SMB password:
> Retype new SMB password:
> smbldap_search: base => [dc=hrnet,dc=de], filter =>
> [(&(&(uid=tina)(objectclass=sambaSamAccount))(objectclass=sambaAccount))],
> scope => [2]

This is going to be a problem if the account is not created with both
object classes, but I can't say for sure as I've never even tried it. I'd
pick the newer --with-ldap option and go from there.

> smbldap_open_connection: ldap://486dx66.hrnet.de:1389
> smbldap_open_connection: connection opened
> ldap_connect_system: Binding to ldap server ldap://486dx66.hrnet.de:1389
> as "cn=ldapmanager,dc=hrnet,dc=de"
> failed to bind to server with dn= cn=ldapmanager,dc=hrnet,dc=de Error:
> Can't contact LDAP server
>          (unknown)
> Connection to LDAP server failed for the 1 try!

Check for firewall/DNS issues here. Everything else looks good.

> smbldap_open_connection: ldap://486dx66.hrnet.de:1389
> smbldap_open_connection: connection opened
> ldap_connect_system: Binding to ldap server ldap://486dx66.hrnet.de:1389
> as "cn=ldapmanager,dc=hrnet,dc=de"
> [ -- cut here -- ]
> ---snipp---
>
>
> So what's wrong?
> Is it that I compiled in --with-ldap AND --with-ldapsam?
>

There's really no need to use --with-ldapsam unless you need to comply
with the 2.x samba.schema.


Bill


>
> greets Harry
>
>

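A small consistency checker for steps 2 and 4 of Bill's checklist, added here as an example and not code from the thread: it compares the slapd.conf rootdn with the smb.conf `ldap admin dn`, confirms that the tdbdump of secrets.tdb holds a bind password keyed on that DN, and flags the wide-open `access to * by * write` ACL. The config and dump excerpts it parses are constructed to resemble the ones quoted above.

```python
import re

# Constructed excerpts modelled on the thread, not the poster's real files.
SLAPD_CONF = """\
rootdn          "cn=ldapmanager,dc=hrnet,dc=de"
rootpw          secret
access to *
        by * write
"""

SMB_CONF = """\
         ldap admin dn = "cn=ldapmanager,dc=hrnet,dc=de"
         ldap suffix = "dc=hrnet,dc=de"
"""

TDBDUMP = """\
{
key = "SECRETS/LDAP_BIND_PW/cn=ldapmanager,dc=hrnet,dc=de"
data = "secret\\00"
}
{
key = "SECRETS/SID/HRDOMAIN"
data = "\\01\\04\\00"
}
"""

def conf_value(text, key):
    """Return the (unquoted) value of `key value` or `key = value`, or None."""
    pat = r'^\s*' + re.escape(key) + r'\s*=?\s*"?([^"\n]+?)"?\s*$'
    m = re.search(pat, text, re.M | re.I)
    return m.group(1).strip() if m else None

def tdb_keys(dump):
    """Collect the key names from tdbdump text output."""
    return re.findall(r'^key = "([^"]+)"', dump, re.M)

def normalize_dn(dn):
    """Case- and whitespace-insensitive DN comparison form."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def check_bind_setup(slapd, smb, dump):
    """Return a list of findings; an empty list means the three agree."""
    findings = []
    rootdn = conf_value(slapd, "rootdn") or ""
    admin = conf_value(smb, "ldap admin dn") or ""
    if normalize_dn(rootdn) != normalize_dn(admin):
        findings.append("rootdn/ldap admin dn mismatch")
    # smbpasswd -w stores the bind password under this exact key.
    if "SECRETS/LDAP_BIND_PW/" + admin not in tdb_keys(dump):
        findings.append("no stored bind password for " + admin)
    # Anonymous write to the whole tree is far wider than Samba needs.
    if re.search(r'^\s*by\s+\*\s+write', slapd, re.M):
        findings.append("slapd ACL grants write to anyone")
    return findings
```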