[Samba] IDMAP storage in LDAP using winbind

Meli Marco Marco.Meli at gknsintermetals.com
Wed Mar 30 18:23:28 GMT 2005


Hi,
I running samba-3.0.13-1 on RH9
(openldap-2.0.27-8,krb5-1.2.7-10,nss_ldap-202-5) and configured as show
below, my intention is only to make IDMAP storage in LDAP using winbind.
I've looked on SAMBA3 by example book and relatives official guide on the
site.
First I have try to run samba and winbind retriving users and groups from
ADS and storing them in winbindd_idmap.tdb and winbindd_cache.tdb files and
it seems to work fine.
After I have introduce the LDAP backend and relative configuration as shown
below, but I have received the errors at the bottom of the message.
Why it doesn't work? I found only example that show domains with only one
prefix could I wrong the ldap configuration?
Thanks.
Marco.

/etc/samba/smb.conf
        netbios name = XXXX03
        os level = 16
        wins server = XXX.XXX.XXX.XXX
        socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
        unix charset = LOCALE
        workgroup = WORKGROUP
        realm = PREFIX1.PREFIX2.COM
        security = ADS
        password server = kdc01.sinter.gkn.com
        encrypt passwords = yes
        winbind use default domain = Yes
        winbind separator = /
        winbind enum users = Yes
        winbind enum groups = Yes
        ldap ssl = No
        ldap admin dn = cn=Manager,dc=prefix1,dc=prefix2,dc=com
        ldap idmap suffix = ou=Idmap
        ldap suffix = dc=prefix1,dc=prefix2,dc=com
        idmap backend = ldap:ldap://localhost
        idmap uid = 10000-40000
        idmap gid = 10000-40000
        hide unreadable = Yes
        template homedir = /data/user/%U
        template shell = /bin/false
        use sendfile = Yes

/etc/nsswitch.conf
passwd:     compat ldap
shadow:     compat ldap
group:        compat ldap
hosts:        files dns wins

/etc/ldap.conf
host 127.0.0.1
base dc=prefix1,dc=prefix2,dc=com
binddn cn=Manager,dc=prefix1,dc=prefix2,dc=com
bindpw secret
pam_password exop
nss_base_passwd         ou=People,dc=prefix1,dc=prefix2,dc=com?one
nss_base_shadow         ou=People,dc=prefix1,dc=prefix2,dc=com?one
nss_base_group          ou=Group,dc=prefix1,dc=prefix2,dc=com?one
ssl no

/etc/openldap/idmap.ldif
dn: dc=prefix1,dc=prefix2,dc=com
objectClass: dcObject
objectClass: organization
dc: prefix1.prefix2
o: xxx
description: xxx

dn: cn=Manager,dc=prefix1,dc=prefix2,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=Idmap,dc=prefix1,dc=prefix2,dc=com
objectClass: organizationalUnit
ou: idmap

/etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log <FILE:/var/log/krb5libs.log> 
 kdc = FILE:/var/log/krb5kdc.log <FILE:/var/log/krb5kdc.log> 
 admin_server = FILE:/var/log/kadmind.log <FILE:/var/log/kadmind.log> 

[libdefaults]
 ticket_lifetime = 24000
 default_realm = PREFIX1.PREFIX2.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 PREFIX1.PREFIX2.COM = {
  kdc = KDC01.PREFIX1.PREFIX2.COM
 }

[domain_realm]
 .prefix1.prefix2.com = PREFIX1.PREFIX2.COM
 prefix1.prefix2.com = PREFIX1.PREFIX2.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false

/var/spool/samba/log.winbindd
[2005/03/30 17:53:26, 0] sam/idmap.c:idmap_init(138)
  idmap_init: failed to initialize remote backend!
[2005/03/30 17:53:26, 1] nsswitch/winbindd.c:main(897)
  Could not init idmap -- netlogon proxy only
[2005/03/30 17:54:34, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid
S-1-5-21-597916725-1483147915-620655208-19426
[2005/03/30 17:54:34, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid
S-1-5-21-597916725-1483147915-620655208-19426



More information about the samba mailing list