[Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Kristof Bruyninckx
kristof.bruyninckx at thales-is.com
Wed Sep 28 14:30:15 GMT 2005
On Tue, 2005-09-27 at 19:08 +0200, paul kölle wrote:
> Kristof Bruyninckx wrote:
> > Hi, I removed the entry for "cn=manager,dc=thales,dc=be" and checked
> > with ldapmodify if I could change the existing NIS users, which seems to
> > still work.
> >
> > Now I added a user called Admin, output from slapcat:
> no, you have not. You authenticate with a DN and a password so a "user"
> object in LDAP is identified with a DistinguishedName, not something
> with a cn=whatever attribute.
> > Any ideas of what I'm doing wrong?
>
Ok, I recreated the user, called samba, trying to follow the example you
show below. Output from slapcat:
dn: uid=samba,ou=Idmap,dc=thales,dc=be
uid: samba
cn: Admin
objectClass: account
objectClass: simpleSecurityObject
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: secret
description: DN for use in SAMBA
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/false
uidNumber: 0
gidNumber: 0
homeDirectory: /
gecos: root
structuralObjectClass: account
entryUUID: 334e4406-c441-1029-8ef6-90f912772ff1
creatorsName: cn=Manager,dc=thales,dc=be
createTimestamp: 20050928075703Z
entryCSN: 20050928075703Z#000001#00#000000
modifiersName: cn=Manager,dc=thales,dc=be
modifyTimestamp: 20050928075703Z
I think this is what it was supposed to look like...
Entry in the /etc/samba/smb.conf
snip "
ldap ssl = no
ldap admin dn = uid=samba,ou=Idmap,dc=thales,dc=be
ldap idmap suffix = ou=idmap
ldap suffix = dc=thales,dc=be
idmap backend = ldap:ldap://127.0.0.1
snip"
Also fixed the ACL (I think...):
Changed the ACL part in the /etc/openldap/slapd.conf to the following:
access to attr=userPassword
by self write
by anonymous auth
by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
by * none
access to *
by self write
by users read
by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
Explanation, just to check if my reasoning was correct:
1. ACL1: access to attr=userPassword means this policy applies to the
attribute userPassword.
2. ACL1: by self write grants only the owner of the entry write
permissions of the entry.
3. ACL1: by anonymous auth grants anonymous users access only for
authentication purposes.
4. ACL1: by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write.
Breaking it all down: dn.base = only the entry addressed by the pattern.
So this comes down to the fact that the samba user has write
access to all the userPassword entries. Or am I completely missing the
point?
5. ACL1: by * none means that any non-owner cannot write to
userPassword.
1. ACL2: access to * applies to all attributes except userPassword,
because it was previously defined to have its own rules.
2. ACL2: by self write grants the owner of the entry write permissions
to the attributes covered by this directive.
3. ACL2: by users read grants any authenticated user read permission to
all the attributes covered by this policy.
4. ACL2: by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write grants the
samba user write rights to all the attributes.
Now when I restart the winbind instances the following is showing :
/var/log/messages :
Sep 28 16:21:22 linux14 slapd: supportedControl
Sep 28 16:21:22 linux14 slapd:
Sep 28 16:21:22 linux14 slapd: => access_allowed: search access to "" "objectClass" requested
Sep 28 16:21:22 linux14 slapd: => acl_get: [2] attr objectClass
Sep 28 16:21:22 linux14 slapd: => acl_mask: access to entry "", attr "objectClass" requested
Sep 28 16:21:22 linux14 slapd: => acl_mask: to all values by "uid=samba,ou=idmap,dc=thales,dc=be", (=n)
Sep 28 16:21:22 linux14 slapd: <= check a_dn_pat: self
Sep 28 16:21:22 linux14 slapd: <= check a_dn_pat: users
Sep 28 16:21:22 linux14 slapd: <= acl_mask: [2] applying read(=rscx) (stop)
Sep 28 16:21:22 linux14 slapd: <= acl_mask: [2] mask: read(=rscx)
Sep 28 16:21:22 linux14 slapd: => access_allowed: search access granted by read(=rscx)
Sep 28 16:21:22 linux14 slapd: => access_allowed: read access to "" "entry" requested
Sep 28 16:21:22 linux14 slapd: => acl_get: [2] attr entry
Sep 28 16:21:22 linux14 slapd: => acl_mask: access to entry "", attr "entry" requested
Sep 28 16:21:22 linux14 slapd: => acl_mask: to all values by "uid=samba,ou=idmap,dc=thales,dc=be", (=n)
Sep 28 16:21:22 linux14 slapd: <= check a_dn_pat: self
Sep 28 16:21:22 linux14 slapd: <= check a_dn_pat: users
Sep 28 16:21:22 linux14 slapd: <= acl_mask: [2] applying read(=rscx) (stop)
Sep 28 16:21:22 linux14 slapd: <= acl_mask: [2] mask: read(=rscx)
Sep 28 16:21:22 linux14 slapd: => access_allowed: read access granted by read(=rscx)
Sep 28 16:21:22 linux14 slapd: => access_allowed: read access to "" "supportedControl" requested
Sep 28 16:21:22 linux14 slapd: => acl_get: [2] attr supportedControl
Sep 28 16:21:22 linux14 slapd: access_allowed: no res from state (supportedControl)
Sep 28 16:21:22 linux14 slapd: => acl_mask: access to entry "", attr "supportedControl" requested
Sep 28 16:21:22 linux14 slapd: => acl_mask: to value by "uid=samba,ou=idmap,dc=thales,dc=be", (=n)
Sep 28 16:21:22 linux14 slapd: <= check a_dn_pat: self
Sep 28 16:21:22 linux14 slapd: <= check a_dn_pat: users
Sep 28 16:21:22 linux14 slapd: <= acl_mask: [2] applying read(=rscx) (stop)
Sep 28 16:21:22 linux14 slapd: <= acl_mask: [2] mask: read(=rscx)
Sep 28 16:21:22 linux14 slapd: => access_allowed: read access granted by read(=rscx)
Does this mean the samba user is only granted read access?
Sep 28 16:21:22 linux14 slapd: send_ldap_result: err=0 matched="" text=""
Sep 28 16:21:22 linux14 slapd: daemon: activity on 1 descriptors
Sep 28 16:21:22 linux14 slapd: daemon: activity on: 8r
Sep 28 16:21:22 linux14 slapd: daemon: read activity on 8
Sep 28 16:21:22 linux14 slapd: connection_get(8)
Sep 28 16:21:22 linux14 slapd: daemon: select: listen=6 active_threads=0 tvp=NULL
Sep 28 16:21:22 linux14 slapd: SRCH "ou=idmap,dc=thales,dc=be" 2 0 0 15 0
Sep 28 16:21:22 linux14 slapd: filter: (?=undefined)
Sep 28 16:21:22 linux14 slapd: attrs: uidNumber gidNumber objectClass
Sep 28 16:21:22 linux14 slapd: send_ldap_result: err=0 matched="" text=""
Sep 28 16:21:22 linux14 slapd: daemon: select: listen=7 active_threads=0 tvp=NULL
Sep 28 16:21:22 linux14 slapd: daemon: activity on 1 descriptors
Sep 28 16:21:22 linux14 slapd: daemon: activity on: 8r
Sep 28 16:21:22 linux14 slapd: daemon: read activity on 8
Sep 28 16:21:22 linux14 slapd: connection_get(8)
Sep 28 16:21:22 linux14 slapd: daemon: select: listen=6 active_threads=0 tvp=NULL
Sep 28 16:21:22 linux14 winbind: winbindd startup succeeded
Sep 28 16:21:22 linux14 slapd: do_modify: dn (ou=idmap,dc=thales,dc=be)
Sep 28 16:21:22 linux14 slapd: modifications:
Sep 28 16:21:22 linux14 slapd: add: objectClass
Sep 28 16:21:22 linux14 slapd: one value, length 15
Sep 28 16:21:22 linux14 slapd: add: uidNumber
Sep 28 16:21:22 linux14 slapd: one value, length 5
Sep 28 16:21:22 linux14 slapd: add: gidNumber
Sep 28 16:21:22 linux14 slapd: one value, length 5
Sep 28 16:21:22 linux14 slapd: send_ldap_result: err=21 matched="" text="objectClass: value #0 invalid per syntax"
Sep 28 16:21:22 linux14 slapd: daemon: select: listen=7 active_threads=0 tvp=NULL
smbd.log
[2005/09/28 15:48:07, 3] sam/idmap.c:idmap_init(132)
idmap_init: using 'ldap' as remote backend
[2005/09/28 15:48:07, 2] lib/smbldap.c:smbldap_open_connection(630)
smbldap_open_connection: connection opened
[2005/09/28 15:48:08, 3] lib/smbldap.c:smbldap_connect_system(805)
ldap_connect_system: succesful connection to the LDAP server
[2005/09/28 15:48:08, 0] sam/idmap.c:idmap_init(138)
idmap_init: failed to initialize remote backend!
[2005/09/28 15:48:08, 1] nsswitch/winbindd.c:main(968)
Could not init idmap -- netlogon proxy only
[2005/09/28 15:48:08, 2] lib/tallocmsg.c:register_msg_pool_usage(56)
Registered MSG_REQ_POOL_USAGE
[2005/09/28 15:48:08, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2005/09/28 15:48:08, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
Added domain THALES-IS THALES-IS.BE S-1-5-21-1960408961-1965331169-725345543
[2005/09/28 15:48:08, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
Added domain BUILTIN S-1-5-32
So I guess Samba is at least making a good connection with the LDAP,
but is unable to insert entries due to lacking permissions? And if so,
what is wrong with the ACL then?
> Your accounts are still messed up. You create an entry with DN
> uid=root,ou=Idmap,dc=thales,dc=be but your "admin dn" is
> "cn=Admin,dc=thales,dc=be" how is that supposed to work?
>
> given the admin should not be used for other stuff (think of least
> privileges model;) it could look like:
>
> dn: uid=samba,ou=services,dc=thales,dc=be
> objectClass: top
> objectClass: simpleSecurityObject
> objectClass: account
> uid: samba
> userPassword: {CLEARTEXT}whatever
> description: DN for samba
>
> then you would do:
> 1. change the ou to your needs
> 2. change the password
> 3. fix your ACLs
> 4. put exactly that DN in your smb.conf
> 5. run: smbpasswd -w <DN as in "ldap admin dn"> -> type in password from
> step 2.
>
> Of course you can use whatever DN you like, it needs just a userPassword
> attribute.
>
> hth
> Paul
>
Thanks already for the help so far,
Regards,
--
Kristof.Bruyninckx
We are Microsoft. What you are experiencing is not a problem; it is an
undocumented feature.
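An added helper, not part of this thread, for reading slapd debug output like the lines quoted above: it records which `by` clause slapd actually applied in each access check and labels every send_ldap_result by its RFC 4511 result code, so an ACL denial (err=50, insufficientAccessRights) can be told apart from the err=21 (invalidAttributeSyntax) that the modify above ends with. The log excerpt inside it is constructed from the quoted lines, and reading the matched clause off the last `check a_dn_pat` line is an assumption about slapd's debug ordering.

```python
import re
# Constructed sample: a condensed excerpt of the slapd debug lines quoted in the mail above.
SAMPLE_LOG = """\
slapd: => access_allowed: search access to "" "objectClass" requested
slapd: => acl_get: [2] attr objectClass
slapd: <= check a_dn_pat: self
slapd: <= check a_dn_pat: users
slapd: <= acl_mask: [2] applying read(=rscx) (stop)
slapd: => access_allowed: search access granted by read(=rscx)
slapd: send_ldap_result: err=0 matched="" text=""
slapd: do_modify: dn (ou=idmap,dc=thales,dc=be)
slapd: send_ldap_result: err=21 matched="" text="objectClass: value #0 invalid per syntax"
"""
# LDAP result codes (RFC 4511) needed to tell an ACL denial from other failures.
RESULT_CODES = {0: "success", 21: "invalidAttributeSyntax", 32: "noSuchObject",
                50: "insufficientAccessRights", 65: "objectClassViolation"}
RE_REQ = re.compile(r'access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
RE_ACL = re.compile(r'acl_get: \[(\d+)\] attr')
RE_PAT = re.compile(r'check a_dn_pat: (\S+)')
RE_APPLY = re.compile(r'acl_mask: \[(\d+)\] applying (\w+)')
RE_DONE = re.compile(r'access_allowed: \w+ access (granted|denied)')
RE_MOD = re.compile(r'do_modify: dn \((.*)\)')
RE_RES = re.compile(r'send_ldap_result: err=(\d+) matched="[^"]*" text="([^"]*)"')

def parse_slapd_log(text):
    # Returns (acl_checks, results): one record per ACL evaluation, one per LDAP result.
    checks, results, cur, op_dn = [], [], None, None
    for line in text.splitlines():
        if m := RE_REQ.search(line):
            cur = {"op": m[1], "dn": m[2], "attr": m[3], "acl": None, "tried": [], "matched": None, "priv": None}
        elif cur and (m := RE_ACL.search(line)):
            cur["acl"] = int(m[1])        # index of the <access to> clause slapd selected
        elif cur and (m := RE_PAT.search(line)):
            cur["tried"].append(m[1])     # <by> patterns tested, in order
        elif cur and (m := RE_APPLY.search(line)):
            # Assumption: the last <by> pattern checked before "applying" is the one that
            # matched; slapd stops at the first matching <by> clause, hence "(stop)".
            cur["matched"] = cur["tried"][-1] if cur["tried"] else "*"
            cur["priv"] = m[2]
        elif cur and (m := RE_DONE.search(line)):
            checks.append({**cur, "decision": m[1]})
            cur = None
        elif m := RE_MOD.search(line):
            op_dn = m[1]                  # target DN of the pending modify
        elif m := RE_RES.search(line):
            err = int(m[1])
            results.append({"dn": op_dn, "err": err, "name": RESULT_CODES.get(err, "other"),
                            "text": m[2], "acl_denied": err == 50})
            op_dn = None
    return checks, results
```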