[Samba] idmap LDAP backend

Theodore Jencks tjencks at navis.com
Tue Mar 22 01:37:22 GMT 2005


OK, so things seem to be working better now.  The LDAP backend is
populated with SID-to-Unix-ID mappings; however, if I run "getent passwd",
the local user list is returned, followed by a long pause, then nothing.
I would like to correct this behavior because it means that something is
screwed up someplace.

I have created a couple of file shares in my smb.conf as follows:

[software]
   comment = Software for IT personnel
   path = /share/software
   read only = no
   public = no
   writable = yes
   printable = no
   browseable = yes
   valid users = @"HQ+Domain Admins"

[backup]
   comment = Misc. data backups
   path = /share/backup
   read only = no
   public = no
   writable = yes
   printable = no
   browseable = yes
   valid users = HQ+tjencks

I can access both of these shares from my Windows domain account; however,
other users that are in the Domain Admins group get prompted for a
password when trying to access the "software" share.  I can't figure out
why my domain account is the only one that seems to work for this share.
I've checked permissions on the /share/software directory and they were
set as follows:

'chown "HQ+tjencks":"HQ+Domain Admins" software' then I did
'chmod 775 software'

ls -l shows:
drwxrwxr-x  4 tjencks domain admins 96 Mar 21 07:10 software


I don't know what could be wrong.

Thanks in advance for any and all help, tip or snippet of info.
Theo
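Whether a Windows user gets into one of the shares above is decided by Samba's evaluation of the "valid users" list against what NSS (here winbind) reports for the domain users and groups. The script below is an added example, not code from this thread or from Samba: it models that evaluation over constructed "getent passwd" / "getent group" output in which one domain user is deliberately missing from the admins group, so the result shows who a share admits and who it rejects. Assumptions, all mine: names compare case-insensitively, only the unix-group path is modelled (Samba may also ask winbind directly for group membership), netgroups ("&name") are skipped, and the sample accounts, helper names and group contents are invented.

```python
# Evaluate Samba "valid users" lists against NSS data to see which accounts
# a share admits. Added example, not Samba code: models the unix-group path
# only (what "getent group" shows); netgroups (&name) are not handled.

# Constructed "getent passwd" / "getent group" output with winbind
# separator '+'. HQ+bob is deliberately absent from the admins group.
PASSWD = """\
tjencks:x:1000:1000:Local Theo:/home/tjencks:/bin/bash
HQ+tjencks:*:10000:10001:Theo Jencks:/home/HQ/tjencks:/bin/false
HQ+alice:*:10002:10001:Alice:/home/HQ/alice:/bin/false
HQ+bob:*:10003:10004:Bob:/home/HQ/bob:/bin/false
"""
GROUP = """\
HQ+domain admins:x:10001:HQ+tjencks,HQ+alice
HQ+domain users:x:10004:HQ+bob
"""

# The two "valid users" values from the shares in the post (share -> value).
SHARES = {
    "software": '@"HQ+Domain Admins"',
    "backup": "HQ+tjencks",
}


def parse_passwd(text):
    """name -> {uid, gid}; names lower-cased, Samba matches case-insensitively."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 7:
            users[f[0].lower()] = {"uid": int(f[2]), "gid": int(f[3])}
    return users


def parse_group(text):
    """name -> {gid, members}."""
    groups = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 4:
            members = {m.strip().lower() for m in f[3].split(",") if m.strip()}
            groups[f[0].lower()] = {"gid": int(f[2]), "members": members}
    return groups


def tokenize_list(value):
    """Split an smb.conf list on blanks and commas. A double quote anywhere
    in a token toggles quoting and is dropped, so @"HQ+Domain Admins"
    becomes the single token @HQ+Domain Admins."""
    tokens, tok, quoted = [], "", False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch in " \t," and not quoted:
            if tok:
                tokens.append(tok)
            tok = ""
        else:
            tok += ch
    if tok:
        tokens.append(tok)
    return tokens


def user_in_unix_group(user, group, users, groups):
    """True if the group lists the user or is the user's primary group."""
    g, u = groups.get(group.lower()), users.get(user.lower())
    if g is None or u is None:
        return False
    return user.lower() in g["members"] or u["gid"] == g["gid"]


def user_ok_for_share(user, valid_users, users, groups):
    """'@name' and '+name' are group lookups, '&name' is netgroup-only
    (skipped here), anything else is a plain user name."""
    for tok in tokenize_list(valid_users):
        if tok[0] in "@+" and user_in_unix_group(user, tok[1:], users, groups):
            return True
        if tok[0] == "&":
            continue
        if tok[0] not in "@+" and tok.lower() == user.lower():
            return True
    return False


def access_matrix(shares, passwd_text, group_text):
    """share name -> sorted list of account names the share admits."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    return {
        share: sorted(u for u in users if user_ok_for_share(u, vu, users, groups))
        for share, vu in shares.items()
    }


if __name__ == "__main__":
    for share, allowed in access_matrix(SHARES, PASSWD, GROUP).items():
        print(f"[{share}] admits: {', '.join(allowed)}")
```

On a real box the corresponding check is `getent group "HQ+Domain Admins"` next to `getent passwd` for each user who gets prompted: in this model a user who has no HQ+ passwd entry, or who is not listed in the group's member list and does not have it as primary GID, can never pass an `@group` entry. Note that a leading `+` also means "unix group" in `valid users`, which is why `@` is the safer prefix when `+` is the winbind separator.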


-----Original Message-----
From: samba-bounces+tjencks=navis.com at lists.samba.org
[mailto:samba-bounces+tjencks=navis.com at lists.samba.org] On Behalf Of
Theodore Jencks
Sent: Monday, March 21, 2005 11:30 AM
To: samba at lists.samba.org
Subject: RE: [Samba] idmap LDAP backend

Figured this out a little further:

I had the following in my smb.conf:
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap backend = ldap:ldap://localhost
ldap admin dn = cn=manager,dc=navis,dc=net
ldap suffix = "ou=smb,dc=navis,dc=net"
ldap idmap suffix = "ou=idmap"

I took the quotes off and now Winbind seems to connect to LDAP fine:
ldap suffix = ou=smb,dc=navis,dc=net
ldap idmap suffix = ou=idmap


I'm now getting this when I start Winbind in the Winbind log:
[2005/03/21 11:16:25, 5] lib/gencache.c:gencache_init(59)
  Opening cache file at /var/lock/samba/gencache.tdb
[2005/03/21 11:16:25, 5] libsmb/namecache.c:namecache_enable(58)
  namecache_enable: enabling netbios namecache, timeout 660 seconds
[2005/03/21 11:16:25, 5] sam/idmap.c:smb_register_idmap(91)
  smb_register_idmap: Successfully added idmap backend 'ldap'
[2005/03/21 11:16:25, 5] sam/idmap.c:smb_register_idmap(91)
  smb_register_idmap: Successfully added idmap backend 'tdb'
[2005/03/21 11:16:25, 3] sam/idmap.c:idmap_init(132)
  idmap_init: using 'ldap' as remote backend
[2005/03/21 11:16:25, 5] lib/smbldap.c:smbldap_search(1038)
  smbldap_search: base => [ou=idmap,ou=smb,dc=navis,dc=net], filter =>
[(objectclass=sambaUnixIdPool)], scope => [2]
[2005/03/21 11:16:25, 5] lib/smbldap.c:smbldap_close(949)
  The connection to the LDAP server was closed
[2005/03/21 11:16:25, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/03/21 11:16:26, 3] lib/smbldap.c:smbldap_connect_system(866)
  ldap_connect_system: succesful connection to the LDAP server
  ldap_connect_system: LDAP server does support paged results
[2005/03/21 11:16:26, 4] lib/smbldap.c:smbldap_open(929)
  The LDAP server is succesfully connected
[2005/03/21 11:16:26, 2] lib/tallocmsg.c:register_msg_pool_usage(57)
  Registered MSG_REQ_POOL_USAGE
[2005/03/21 11:16:26, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2005/03/21 11:16:26, 2]
nsswitch/winbindd_util.c:add_trusted_domain(175)
  Added domain HQ HQ.NAVIS.NET S-0-0
[2005/03/21 11:16:26, 4]
passdb/secrets.c:secrets_fetch_trust_account_password(290)
  Using cleartext machine password


However I still think there is a problem because getent passwd only
returns local usernames.  When I'm not using the ldap idmap backend
getent passwd runs as expected giving both local and domain usernames.

Any help appreciated,
Theo


-----Original Message-----
From: samba-bounces+tjencks=navis.com at lists.samba.org
[mailto:samba-bounces+tjencks=navis.com at lists.samba.org] On Behalf Of
Theodore Jencks
Sent: Monday, March 21, 2005 9:52 AM
To: samba at lists.samba.org
Subject: RE: [Samba] idmap LDAP backend

OK, I made the change; however, the LDAP backend for idmap is still not
working.  I set Winbind to debugging level 5 and got the following in
the logs:

[2005/03/21 09:45:05, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.192.112 bcast=192.168.195.255
nmask=255.255.252.0
[2005/03/21 09:45:05, 5] lib/util.c:init_names(256)
  Netbios name list:-
  my_netbios_names[0]="THEO"
[2005/03/21 09:45:05, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.192.112 bcast=192.168.195.255
nmask=255.255.252.0
[2005/03/21 09:45:05, 5] lib/gencache.c:gencache_init(59)
  Opening cache file at /var/lock/samba/gencache.tdb
[2005/03/21 09:45:05, 5] libsmb/namecache.c:namecache_enable(58)
  namecache_enable: enabling netbios namecache, timeout 660 seconds
[2005/03/21 09:45:05, 5] sam/idmap.c:smb_register_idmap(91)
  smb_register_idmap: Successfully added idmap backend 'ldap'
[2005/03/21 09:45:05, 5] sam/idmap.c:smb_register_idmap(91)
  smb_register_idmap: Successfully added idmap backend 'tdb'
[2005/03/21 09:45:05, 3] sam/idmap.c:idmap_init(132)
  idmap_init: using 'ldap' as remote backend
[2005/03/21 09:45:05, 5] lib/smbldap.c:smbldap_search(1038)
  smbldap_search: base => ["ou=idmap","ou=smb,dc=navis,dc=net"], filter
=> [(objectclass=sambaUnixIdPool)], scope => [2]
[2005/03/21 09:45:05, 5] lib/smbldap.c:smbldap_close(949)
  The connection to the LDAP server was closed
[2005/03/21 09:45:05, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/03/21 09:45:05, 3] lib/smbldap.c:smbldap_connect_system(866)
  ldap_connect_system: succesful connection to the LDAP server
  ldap_connect_system: LDAP server does support paged results
[2005/03/21 09:45:05, 4] lib/smbldap.c:smbldap_open(929)
  The LDAP server is succesfully connected
[2005/03/21 09:45:05, 0] sam/idmap.c:idmap_init(138)
  idmap_init: failed to initialize remote backend!


Looks like it tries to get what are called paged results and then it
fails to initialize the remote backend.  I'm not quite sure what is going
on here, and any further guidance would be greatly appreciated.

Thanks in advance,
Theo

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry at samba.org] 
Sent: Friday, March 18, 2005 7:18 AM
To: Theodore Jencks
Cc: samba at lists.samba.org
Subject: Re: [Samba] idmap LDAP backend

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Theodore Jencks wrote:

| ldap idmap suffix = "ou=idmap,ou=smb,dc=navis,dc=net"
| ldap suffix = "ou=smb,dc=navis,dc=net"


change this to

	ldap suffix = "ou=smb,dc=navis,dc=net"
	ldap idmap suffix = "ou=idmap"



cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCOvELIR7qMdg1EfYRAqkxAJ4wivlVYXp6DmKIaXbl786I7CQOLwCfXL6w
XIO2bFqLhparOqZGF0BdgWo=
=MKbV
-----END PGP SIGNATURE-----
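Jerry's fix works because Samba builds the idmap search base by prepending "ldap idmap suffix" (a partial DN) to "ldap suffix", and, as the level-5 winbind log earlier in this thread shows, a double-quoted value keeps its quotes, which turns the base into `["ou=idmap","ou=smb,dc=navis,dc=net"]` rather than a valid DN. The script below is an added example, not code from the thread or from Samba: it reproduces that composition over the two forms of the configuration and adds the check a practitioner would want next, that the idmap UID range does not overlap local accounts. The quote handling is inferred from the log rather than from Samba's source, and the smb.conf fragments, passwd lines and helper names are constructed for the example.

```python
# Compose the idmap search base from smb.conf the way the winbind log in
# this thread shows Samba 3 doing it, and flag two things worth checking:
# literal quotes in the suffix values, and an idmap UID range that overlaps
# local accounts. Added example, not Samba code; the quote handling is
# inferred from the thread's log, not from Samba's source.
import re

# Constructed smb.conf fragments: the quoted form the thread started with
# and the unquoted form Jerry suggested.
QUOTED_CONF = """\
[global]
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   idmap backend = ldap:ldap://localhost
   ldap admin dn = cn=manager,dc=navis,dc=net
   ldap suffix = "ou=smb,dc=navis,dc=net"
   ldap idmap suffix = "ou=idmap"
"""
FIXED_CONF = QUOTED_CONF.replace('"', "")

# Constructed /etc/passwd lines; backupsvc sits inside the idmap range.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
tjencks:x:1000:1000:Theo:/home/tjencks:/bin/bash
backupsvc:x:10005:10005:backup agent:/var/backups:/sbin/nologin
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {param: raw value}}. Values are
    kept verbatim, double quotes included, which is what the log line
    base => ["ou=idmap","ou=smb,dc=navis,dc=net"] shows Samba doing."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, val = line.split("=", 1)
            conf[section][key.strip().lower()] = val.strip()
    return conf


def idmap_search_base(conf):
    """'ldap idmap suffix' is a partial DN prepended to 'ldap suffix'."""
    g = conf.get("global", {})
    suffix, idmap = g.get("ldap suffix", ""), g.get("ldap idmap suffix", "")
    return idmap + "," + suffix if idmap and suffix else idmap or suffix


def parse_id_range(value):
    """'10000-20000' -> (10000, 20000); ValueError on anything else."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m or int(m.group(1)) > int(m.group(2)):
        raise ValueError("bad idmap range: %r" % value)
    return int(m.group(1)), int(m.group(2))


def local_uids(passwd_text):
    """Set of UIDs from passwd-format lines."""
    return {int(l.split(":")[2]) for l in passwd_text.splitlines() if l.count(":") >= 6}


def check_idmap_config(conf, passwd_text):
    """Return human-readable problems; an empty list means nothing flagged.
    Only 'idmap uid' is compared against local accounts here; 'idmap gid'
    would be checked the same way against /etc/group."""
    problems = []
    g = conf.get("global", {})
    for key in ("ldap suffix", "ldap idmap suffix"):
        if '"' in g.get(key, ""):
            problems.append(f"{key} keeps its quotes; search base would be "
                            f"{idmap_search_base(conf)}")
    try:
        lo, hi = parse_id_range(g.get("idmap uid", ""))
    except ValueError as exc:
        problems.append(str(exc))
    else:
        clash = sorted(u for u in local_uids(passwd_text) if lo <= u <= hi)
        if clash:
            problems.append(f"idmap uid range {lo}-{hi} overlaps local UIDs "
                            f"{clash}: a domain SID could be mapped onto a "
                            "local account's files")
    return problems


if __name__ == "__main__":
    for name, text in (("quoted", QUOTED_CONF), ("fixed", FIXED_CONF)):
        conf = parse_smb_conf(text)
        print(name, "->", idmap_search_base(conf))
        for p in check_idmap_config(conf, LOCAL_PASSWD):
            print("  !", p)
```

The line to compare with on the real system is the `smbldap_search: base => [...]` entry in winbind's level-5 log: it should read `ou=idmap,ou=smb,dc=navis,dc=net` with no quotes, and winbind then looks for the `sambaUnixIdPool` entry under that DN. The overlap check is the security-relevant one: any local UID inside the idmap range can end up shared with a domain SID, giving that domain account the local user's file access.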

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba