[Samba] Samba PDC + Openldap (no database connection established after reboot)
notinh notien
notinhnotien7 at hotmail.com
Fri Sep 2 00:52:18 GMT 2005
Hi, all. I really need your help in determining what I did wrong. I have
been trying to set up a Samba PDC (not using TLS at this initial stage yet) by
hand on SLES 9.1 and did not use YaST because somehow it just did not work.
I followed all the steps from "The Linux Samba-OpenLDAP Howto (1.10)"
from IDEALX.org, Chapter 5 "Making Happy Users" from the book, and a bunch
of other papers, and finally I got something working. I was able to do:
getent passwd
getent group
getent hosts
getent shadow
ldapsearch -x -b "dc=sample,dc=com" "(ObjectClass=*)"
slapcat
I was able to add a user using
smbldap-useradd -m -a testuser
smbldap-passwd testuser
id testuser
pdbedit -Lv testuser
pdbedit -L -v
net groupmap list
smbclient -L localhost -U%
Basically many steps recommended for testing, and all the outputs are correct
according to the example outputs. I did turn on debugging values for all
components and everything seems to work OK without any errors.
So I rebooted the server, and after everything came up I tried to do
these tests again.
Now slapcat and ldapsearch would show no output, and the log shows no error of any
kind (from my interpretation).
I set up everything again and backed up all the config files just in case. I
rebooted the server and the same problem happened.
From a Linux box, I could ssh to the server and get this prompt for root:
Password:
LDAP Password:
Log for this:
Sep 1 17:13:43 Ns02 slapd[9137]: conn=218 op=0 RESULT tag=97 err=0 text=
Sep 1 17:13:43 Ns02 slapd[9137]: conn=218 op=1 SRCH base="dc=sample,dc=com"
scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=root))"
Sep 1 17:13:43 Ns02 slapd[9137]: conn=218 op=1 SEARCH RESULT tag=101 err=32
nentries=0 text=
Sep 1 17:13:50 Ns02 slapd[9137]: conn=219 fd=12 ACCEPT from
IP=127.0.0.1:1745 (IP=0.0.0.0:389)
However, if I tried to log in as the test user:
Password:
LDAP Password:
Password:
LDAP Password:
Password:
LDAP Password
Log for this:
Sep 1 17:11:45 Ns02 slapd[9137]: conn=217 fd=11 ACCEPT from
IP=127.0.0.1:1742 (IP=0.0.0.0:389)
Sep 1 17:11:45 Ns02 slapd[9137]: conn=217 op=0 BIND
dn="cn=Admin,dc=sample,dc=com" method=128
Sep 1 17:11:45 Ns02 slapd[9137]: conn=217 op=0 BIND
dn="cn=Admin,dc=sample,dc=com" mech=SIMPLE ssf=0
Sep 1 17:11:45 Ns02 slapd[9137]: conn=217 op=0 RESULT tag=97 err=0 text=
Sep 1 17:11:45 Ns02 slapd[9137]: conn=217 op=1 SRCH base="dc=sample,dc=com"
scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Sep 1 17:11:45 Ns02 slapd[9137]: conn=217 op=1 SEARCH RESULT tag=101 err=32
nentries=0 text=
Sep 1 17:12:30 Ns02 slapd[9137]: conn=217 fd=11 closed
I checked /var/lib/ldap, where the OpenLDAP database lives, and the files
exist and are current.
I restarted samba + openldap + nmb and nothing changed. I checked and
restarted my firewall (no errors regarding being unable to access port 139 or 445,
or 389 for that matter).
At times the log file would indicate this message:
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 fd=11 ACCEPT from
IP=127.0.0.1:1774 (IP=0.0.0.0:389)
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=0 BIND
dn="cn=Admin,dc=sample,dc=com" method=128
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=0 BIND
dn="cn=Admin,dc=sample,dc=com" mech=SIMPLE ssf=0
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=0 RESULT tag=97 err=0 text=
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=1 SRCH base="" scope=0 deref=0
filter="(objectClass=*)"
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=1 SRCH attr=supportedControl
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=1 SEARCH RESULT tag=101 err=0
nentries=1 text=
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=2 SRCH base="dc=sample,dc=com"
scope=2 deref=0 filter="(&(uid=steven)(objectClass=sambaSamAccount))"
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=2 SRCH attr=uid uidNumber
gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange
sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName
sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description
sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword
sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory
modifyTimestamp sambaLogonHours modifyTimestamp
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=2 SEARCH RESULT tag=101 err=32
nentries=0 text=
Sep 1 17:29:21 Ns02 slapd[9137]: conn=239 fd=11 closed
(STEVEN is a user name of an account from a XP box)
######################################################################
I tried to google the problem, but nothing seemed similar to
this problem.
And here are my config files.
#/etc/smb/smb.conf
[global]
workgroup = SAMPLE
server string = Ns02
interfaces = lo, eth0
bind interfaces only = Yes
min password length = 7
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1/
enable privileges = Yes
username map = /etc/samba/smbusers
log level = 5
syslog = 3
log file = /var/log/samba/%m.log
max log size = 100000
time server = Yes
deadtime = 10
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap cache time = 750
printcap name = cups
add user script = /usr/local/sbin/smbldap-useradd -m %u
delete user script = /usr/local/sbin/smbldap-userdel %u
add group script = /usr/local/sbin/smbldap-groupadd -p %g
delete group script = /usr/local/sbin/smbldap-groupdel %g
add user to group script = /usr/local/sbin/smbldap-groupmod -m '%g' '%u'
delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%g' '%u'
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
logon script = logon.bat
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Admin,dc=sample,dc=com
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=sample,dc=com
ldap ssl = no
ldap user suffix = ou=Users
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
printer admin = @ntadmin, root, administrator
hosts allow = 192.168.0.0/24, 127.0.0.0/8
map acl inherit = Yes
cups options = raw
case sensitive = No
hide special files = Yes
hide unreadable = Yes
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
[homes]
comment = Home Directories %U, %u
valid users = %U
read only = No
inherit acls = Yes
browseable = No
[profiles]
comment = Network Profiles Service
path = /home/samba/profiles
valid users = %U, "@Domain Admins"
force user = %U
read only = No
create mask = 0600
directory mask = 0700
guest ok = Yes
profile acls = Yes
store dos attributes = Yes
csc policy = disable
[netlogon]
path = /home/samba/netlogon/
browseable = No
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0600
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
valid users = @ntadmin, root, administrator
write list = @ntadmin, root, administrator
force group = ntadmin
create mask = 0664
directory mask = 0775
[canonir3]
comment = Black White Laser
path = /var/spool/samba
read only = No
create mask = 0600
printable = Yes
printer name = CanoniR3
share modes = No
##########################################################
#/etc/openldap/slap.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/openldap/modules
access to dn.base=""
by self write
by * auth
access to attr=userPassword,SambaLMPassword,SambaNTPassword
by self write
by dn="cn=Admin,dc=sample,dc=com" write
by * auth
access to attr=shadowLastChange
by self write
by * read
access to *
by dn="cn=Admin,dc=sample,dc=com" write
by users read
by anonymous auth
by * read
loglevel 256
schemacheck on
idletimeout 30
backend bdb
database bdb
checkpoint 1024 5
cachesize 10000
suffix "dc=sample,dc=com"
rootdn "cn=Admin,dc=sample,dc=com"
rootpw {SSHA}LkUefrF11RHeFKeOr/ajxf9tZU0l6d8G
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
directory /var/lib/ldap
####################################################
#/etc/ldap.conf
host 127.0.0.1
BASE dc=sample,dc=com
binddn cn=Admin,dc=sample,dc=com
bindpw secret
timelimit 50
bind_timelimit 50
bind_policy hard
idle_timelimit 3600
pam_password exop
ssl no
nss_base_passwd dc=sample,dc=com?one
nss_base_passwd ou=Users,dc=sample,dc=com?one
nss_base_shadow ou=Users,dc=sample,dc=com?one
nss_base_group ou=Groups,dc=sample,dc=com?one
debug 256
logdir /var/log/nssldaplogs
base dc=sample,dc=com ///<------------------------------------------
nss_map_attribute uniqueMember member
ldap_version 3
pam_filter objectclass=posixAccount
################################################
#/etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns wins
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files
#######################################################
## /etc/pam.d/system-auth
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
###################################################
#/etc/smbldap-tools/smbldap.conf
SID="S-1-5-21-4243189714-2027005459-491393344"
sambaDomain="SAMPLE"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0" ///<<<<<<<<<<<<<<<<<<<<<<<<<<<,
verify="require"
cafile="/etc/smbldap-tools/ca.pem"
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
clientkey="/etc/smbldap-tools/smbldap-tools.key"
suffix="dc=sample,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\Ns02\home\%U"
userProfile="\\Ns02\profiles\%U"
userHomeDrive="H:"
userScript="logon.bat"
mailDomain="sample.com"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
################################################
#/etc/smbldap-tools/smbldap_bind.conf
slaveDN="cn=Admin,dc=sample,dc=com"
slavePw="secret"
masterDN="cn=Admin,dc=sample,dc=com"
masterPw="secret"
###############################################
### add.ldif // I used this one to make Samba allocate the next uid and gid
dn: cn=NextFreeUnixId,dc=nanostellar,dc=com
objectClass: inetOrgPerson
objectClass: sambaUnixIdPool
uidNumber: 10000
gidNumber: 10000
cn: NextFreeUnixId
sn: NextFreeUnixId
Could you tell me what I missed? How could I keep the database, or the
connection to the database, the same after each reboot? It would
be crazy to set everything up again after each reboot when the server is in
production.
Thank you very much for reading and helping me out.
(getent passwd did not show the root NetBIOS Administration entry or the
testuser entry.)
Here is what I found when I tried to do pdbedit -L -v
INFO: Current debug levels:
all: True/5
tdb: False/0
printdrivers: False/0
lanman: False/0
smb: False/0
rpc_parse: False/0
rpc_srv: False/0
rpc_cli: False/0
passdb: False/0
sam: False/0
auth: False/0
winbind: False/0
vfs: False/0
idmap: False/0
quota: False/0
acls: False/0
.....
......
Trying to load: ldapsam:ldap://127.0.0.1/
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend guest
Successfully added passdb backend 'guest'
Attempting to find an passdb backend to match ldapsam:ldap://127.0.0.1/
(ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMPLE))]
smbldap_search: base => [dc=sample,dc=com], filter =>
[(&(objectClass=sambaDomain)(sambaDomainName=SAMPLE))], scope => [2]
The connection to the LDAP server was closed
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
ldap_connect_system: LDAP server does support paged results
The LDAP server is succesfully connected
smbldap_search_suffix: Problem during the LDAP search: (No such object)
Problem during LDAPsearch: No such object
Query was: dc=sample,dc=com,
(&(objectClass=sambaDomain)(sambaDomainName=SAMPLE))
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the
domain
pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new
users/groups, and will risk BDCs having inconsistant SIDs
pdb backend ldapsam:ldap://127.0.0.1/ has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
Netbios name list:-
my_netbios_names[0]="NS02"
Trying to load: ldapsam:ldap://127.0.0.1/
Attempting to find an passdb backend to match ldapsam:ldap://127.0.0.1/
(ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMPLE))]
smbldap_search: base => [dc=sample,dc=com], filter =>
[(&(objectClass=sambaDomain)(sambaDomainName=SAMPLE))], scope => [2]
The connection to the LDAP server was closed
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
ldap_connect_system: LDAP server does support paged results
The LDAP server is succesfully connected
smbldap_search_suffix: Problem during the LDAP search: (No such object)
Problem during LDAPsearch: No such object
Query was: dc=sample,dc=com,
(&(objectClass=sambaDomain)(sambaDomainName=SAMPLE))
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the
domain
pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new
users/groups, and will risk BDCs having inconsistant SIDs
pdb backend ldapsam:ldap://127.0.0.1/ has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
smbldap_search: base => [dc=sample,dc=com], filter =>
[(&(uid=*)(objectclass=sambaSamAccount))], scope => [2]
ldapsam_setsampwent: LDAP search failed: No such object
ldapsam_setsampwent: Query was: dc=sample,dc=com,
(&(uid=*)(objectclass=sambaSamAccount))
Error for net groupmap list
net groupmap list
[2005/09/01 17:47:44, 0] lib/smbldap.c:smbldap_search_suffix(1176)
smbldap_search_suffix: Problem during the LDAP search: (No such object)
[2005/09/01 17:47:44, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(2763)
ldapsam_setsamgrent: LDAP search failed: No such object
[2005/09/01 17:47:44, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(2828)
ldapsam_enum_group_mapping: Unable to open passdb
So Samba could not access the database. Then what should I do?
Thanks.
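As an added example (not part of this post, and not Samba's or OpenLDAP's own code), a small Python reader for slapd stats lines (loglevel 256) shaped like the ones quoted above. It separates three cases that look alike from the client side: slapd not answering at all, the base entry of the suffix itself being absent (err=32, noSuchObject, on a search whose base is the suffix, which is what the logs above show), and a base that exists but where the filter simply matches nothing (err=0 with nentries=0). The sample log text and its conn/op numbers are constructed for this example.

```python
import re

# Constructed sample in the shape of the slapd stats lines (loglevel 256)
# quoted in the post; the conn/op numbers are made up for this example.
SAMPLE_LOG = """\
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=0 BIND dn="cn=Admin,dc=sample,dc=com" mech=SIMPLE ssf=0
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=0 RESULT tag=97 err=0 text=
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=2 SRCH base="dc=sample,dc=com" scope=2 deref=0 filter="(&(uid=steven)(objectClass=sambaSamAccount))"
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
"""

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

def parse_ops(text):
    """Merge every stats line for one (conn, op) into a single dict of its
    key=value fields, e.g. {'kind': 'SRCH', 'base': '...', 'err': '32'}."""
    ops = {}
    for line in text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        op = ops.setdefault((int(m.group(1)), int(m.group(2))), {})
        rest = m.group(3)
        if rest.startswith(("BIND", "SRCH")):
            op["kind"] = rest.split()[0]   # remember the operation type
        op.update({k: v.strip('"') for k, v in KV_RE.findall(rest)})
    return [ops[k] for k in sorted(ops)]

def diagnose(text, suffix):
    """err=32 (noSuchObject) on a search whose base is the suffix means the base
    entry itself is absent, i.e. the database under that suffix is empty."""
    findings = []
    for op in parse_ops(text):
        if op.get("kind") == "BIND" and op.get("mech") == "SIMPLE" and op.get("ssf") == "0":
            findings.append(f"simple bind as {op['dn']} with ssf=0 (credentials sent in clear)")
        if op.get("kind") != "SRCH":
            continue
        if op.get("base") == "" and op.get("err") == "0":
            findings.append("rootDSE answered: slapd is up and reachable")
        elif op.get("base", "").lower() == suffix.lower():
            if op.get("err") == "32":
                findings.append(f"suffix {suffix} missing: err=32 on the base itself, database is empty")
            elif op.get("err") == "0" and op.get("nentries") == "0":
                findings.append(f"suffix {suffix} present, but {op.get('filter')} matched no entry")
    return findings
```

Run `diagnose(open("/var/log/messages").read(), "dc=sample,dc=com")` against a real log to get the same three-way verdict; a `slapcat` that prints nothing is consistent with the "database is empty" finding.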