[Samba] Re: Need help with IDMAP storage in LDAP using Winbind

Kristof Bruyninckx kristof.bruyninckx at thales-is.com
Wed Sep 28 14:30:15 GMT 2005


On Tue, 2005-09-27 at 19:08 +0200, paul kölle wrote:

> Kristof Bruyninckx wrote:
> > Hi, I removed the entry for "cn=manager,dc=thales,dc=be" and checked
> > with ldapmodigy if I could change the existing NIS users, which seems to
> > still work.
> > 
> > Now I added a user called Admin , output from slapcat :
> no, you have not. You authenticate with a DN and a password so a "user"
> object in LDAP is identified with a DistinguishedName, not something
> with a cn=whatever attribute.
> > Any ideas off what I'm doing wrong?
> 

Ok, I recreated the user, called samba, trying to follow the example you
show below. Output from slapcat:

dn: uid=samba,ou=Idmap,dc=thales,dc=be
uid: samba
cn: Admin
objectClass: account
objectClass: simpleSecurityObject
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: secret
description: DN for use in SAMBA
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/false
uidNumber: 0
gidNumber: 0
homeDirectory: /
gecos: root
structuralObjectClass: account
entryUUID: 334e4406-c441-1029-8ef6-90f912772ff1
creatorsName: cn=Manager,dc=thales,dc=be
createTimestamp: 20050928075703Z
entryCSN: 20050928075703Z#000001#00#000000
modifiersName: cn=Manager,dc=thales,dc=be
modifyTimestamp: 20050928075703Z

I think this is what it was supposed to look like...

Entry in /etc/samba/smb.conf:
snip "
        ldap ssl = no
        ldap admin dn = uid=samba,ou=Idmap,dc=thales,dc=be
        ldap idmap suffix = ou=idmap
        ldap suffix = dc=thales,dc=be
        idmap backend = ldap:ldap://127.0.0.1
snip"

Also fixed the ACL (I think...):

Changed the ACL part in /etc/openldap/slapd.conf to the following:

access to attr=userPassword
        by self write
        by anonymous auth
        by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
        by * none
access to *
        by self write
        by users read
        by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write

Explanation, just to check if my reasoning was correct:

1. ACL1: access to attr=userPassword means this policy applies to the
attribute userPassword.
2. ACL1: by self write grants only the owner of the entry write
permissions on the entry.
3. ACL1: by anonymous auth grants anonymous users access only for
authentication purposes.
4. ACL1: by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write.
   Breaking it all down: dn.base = only the entry addressed by the
   pattern. So this comes down to the fact that the samba user has write
   access to all the userPassword entries. Or am I completely missing
   the point?
5. ACL1: by * none. This means that any non-owner cannot write to
userPassword.

1. ACL2: access to * applies to all attributes except userPassword,
because it was previously defined to have its own rules.
2. ACL2: by self write grants the owner of the entry write permissions
on the attributes covered by this directive.
3. ACL2: by users read grants any authenticated user read permission to
all the attributes covered by this policy.
4. ACL2: by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write grants the
samba user write rights to all the attributes.

Now when I restart the winbind instances the following shows up:

/var/log/messages :

Sep 28 16:21:22 linux14 slapd:  supportedControl
Sep 28 16:21:22 linux14 slapd:
Sep 28 16:21:22 linux14 slapd: => access_allowed: search access to "" "objectClass" requested
Sep 28 16:21:22 linux14 slapd: => acl_get: [2] attr objectClass
Sep 28 16:21:22 linux14 slapd: => acl_mask: access to entry "", attr "objectClass" requested
Sep 28 16:21:22 linux14 slapd: => acl_mask: to all values by "uid=samba,ou=idmap,dc=thales,dc=be", (=n)
Sep 28 16:21:22 linux14 slapd: <= check a_dn_pat: self
Sep 28 16:21:22 linux14 slapd: <= check a_dn_pat: users
Sep 28 16:21:22 linux14 slapd: <= acl_mask: [2] applying read(=rscx) (stop)
Sep 28 16:21:22 linux14 slapd: <= acl_mask: [2] mask: read(=rscx)
Sep 28 16:21:22 linux14 slapd: => access_allowed: search access granted by read(=rscx)
Sep 28 16:21:22 linux14 slapd: => access_allowed: read access to "" "entry" requested
Sep 28 16:21:22 linux14 slapd: => acl_get: [2] attr entry
Sep 28 16:21:22 linux14 slapd: => acl_mask: access to entry "", attr "entry" requested
Sep 28 16:21:22 linux14 slapd: => acl_mask: to all values by "uid=samba,ou=idmap,dc=thales,dc=be", (=n)
Sep 28 16:21:22 linux14 slapd: <= check a_dn_pat: self
Sep 28 16:21:22 linux14 slapd: <= check a_dn_pat: users
Sep 28 16:21:22 linux14 slapd: <= acl_mask: [2] applying read(=rscx) (stop)
Sep 28 16:21:22 linux14 slapd: <= acl_mask: [2] mask: read(=rscx)
Sep 28 16:21:22 linux14 slapd: => access_allowed: read access granted by read(=rscx)
Sep 28 16:21:22 linux14 slapd: => access_allowed: read access to "" "supportedControl" requested
Sep 28 16:21:22 linux14 slapd: => acl_get: [2] attr supportedControl
Sep 28 16:21:22 linux14 slapd: access_allowed: no res from state (supportedControl)
Sep 28 16:21:22 linux14 slapd: => acl_mask: access to entry "", attr "supportedControl" requested
Sep 28 16:21:22 linux14 slapd: => acl_mask: to value by "uid=samba,ou=idmap,dc=thales,dc=be", (=n)
Sep 28 16:21:22 linux14 slapd: <= check a_dn_pat: self
Sep 28 16:21:22 linux14 slapd: <= check a_dn_pat: users
Sep 28 16:21:22 linux14 slapd: <= acl_mask: [2] applying read(=rscx) (stop)
Sep 28 16:21:22 linux14 slapd: <= acl_mask: [2] mask: read(=rscx)
Sep 28 16:21:22 linux14 slapd: => access_allowed: read access granted by read(=rscx)

Does this mean the samba user is only granted read access?

Sep 28 16:21:22 linux14 slapd: send_ldap_result: err=0 matched="" text=""
Sep 28 16:21:22 linux14 slapd: daemon: activity on 1 descriptors
Sep 28 16:21:22 linux14 slapd: daemon: activity on: 8r
Sep 28 16:21:22 linux14 slapd: daemon: read activity on 8
Sep 28 16:21:22 linux14 slapd: connection_get(8)
Sep 28 16:21:22 linux14 slapd: daemon: select: listen=6 active_threads=0 tvp=NULL
Sep 28 16:21:22 linux14 slapd: SRCH "ou=idmap,dc=thales,dc=be" 2 0    0 15 0
Sep 28 16:21:22 linux14 slapd:     filter: (?=undefined)
Sep 28 16:21:22 linux14 slapd:     attrs: uidNumber gidNumber objectClass
Sep 28 16:21:22 linux14 slapd: send_ldap_result: err=0 matched="" text=""
Sep 28 16:21:22 linux14 slapd: daemon: select: listen=7 active_threads=0 tvp=NULL
Sep 28 16:21:22 linux14 slapd: daemon: activity on 1 descriptors
Sep 28 16:21:22 linux14 slapd: daemon: activity on: 8r
Sep 28 16:21:22 linux14 slapd: daemon: read activity on 8
Sep 28 16:21:22 linux14 slapd: connection_get(8)
Sep 28 16:21:22 linux14 slapd: daemon: select: listen=6 active_threads=0 tvp=NULL
Sep 28 16:21:22 linux14 winbind: winbindd startup succeeded
Sep 28 16:21:22 linux14 slapd: do_modify: dn (ou=idmap,dc=thales,dc=be)
Sep 28 16:21:22 linux14 slapd: modifications:
Sep 28 16:21:22 linux14 slapd:  add: objectClass
Sep 28 16:21:22 linux14 slapd:          one value, length 15
Sep 28 16:21:22 linux14 slapd:  add: uidNumber
Sep 28 16:21:22 linux14 slapd:          one value, length 5
Sep 28 16:21:22 linux14 slapd:  add: gidNumber
Sep 28 16:21:22 linux14 slapd:          one value, length 5
Sep 28 16:21:22 linux14 slapd: send_ldap_result: err=21 matched="" text="objectClass: value #0 invalid per syntax"
Sep 28 16:21:22 linux14 slapd: daemon: select: listen=7 active_threads=0 tvp=NULL


smbd.log

[2005/09/28 15:48:07, 3] sam/idmap.c:idmap_init(132)
idmap_init: using 'ldap' as remote backend
[2005/09/28 15:48:07, 2] lib/smbldap.c:smbldap_open_connection(630)
smbldap_open_connection: connection opened
[2005/09/28 15:48:08, 3] lib/smbldap.c:smbldap_connect_system(805)
ldap_connect_system: succesful connection to the LDAP server
[2005/09/28 15:48:08, 0] sam/idmap.c:idmap_init(138)
idmap_init: failed to initialize remote backend!
[2005/09/28 15:48:08, 1] nsswitch/winbindd.c:main(968)
Could not init idmap -- netlogon proxy only
[2005/09/28 15:48:08, 2] lib/tallocmsg.c:register_msg_pool_usage(56)
Registered MSG_REQ_POOL_USAGE
[2005/09/28 15:48:08, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2005/09/28 15:48:08, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
Added domain THALES-IS THALES-IS.BE S-1-5-21-1960408961-1965331169-725345543
[2005/09/28 15:48:08, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
Added domain BUILTIN S-1-5-32

So I guess Samba is at least making a good connection with the LDAP
server, but is unable to insert entries due to lacking permissions? And
if so, what is wrong with the ACL then?


> Your accounts are still messed up. You create an entry with DN
> uid=root,ou=Idmap,dc=thales,dc=be but your "admin dn" is
> "cn=Admin,dc=thales,dc=be". How is that supposed to work?
> 
> given the admin should not be used for other stuff (think of least
> privileges model;) it could look like:
> 
> dn: uid=samba,ou=services,dc=thales,dc=be
> objectClass: top
> objectClass: simpleSecurityObject
> objectClass: account
> uid: samba
> userPassword: {CLEARTEXT}whatever
> description: DN for samba
> 
> then you would do:
> 1. change the ou to your needs
> 2. change the password
> 3. fix your ACLs
> 4. put exactly that DN in your smb.conf
> 5. run: smbpasswd -w <DN as in "ldap admin dn"> -> type in password from
> step 2.
> 
> Of course you can use whatever DN you like, it needs just a userPassword
> attribute.
> 
> hth
>  Paul
> 


Thanks already for the help so far,

Regards,

-- 
Kristof.Bruyninckx

We are Microsoft.  What you are experiencing is not a problem; it is an
undocumented feature.
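In the ACL quoted in this post the samba DN is an authenticated user, so for `access to *` the `by users read` line matches before the `dn.base` line is ever reached, and slapd applies the first matching `by` clause and stops (slapd.access(5)), which is exactly the `applying read(=rscx) (stop)` the trace shows. The Python below is an added example, not part of the thread, that models this evaluation over the ACL transcribed from the post; `REORDERED_ACL` and the helper names are my own.

```python
# Added example (not from the thread): a minimal model of how slapd applies
# the ACLs quoted above, per slapd.access(5): the first "access to" clause
# matching the target is used, and inside it the first "by" clause whose
# <who> matches the bound DN decides (the "(stop)" in the debug trace).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
SAMBA_DN = "uid=samba,ou=Idmap,dc=thales,dc=be"
BY_SAMBA = f'dn.base="{SAMBA_DN}"'

# (attribute target, [(who, access), ...]) in the order written in slapd.conf
POSTED_ACL = [
    ("userPassword", [("self", "write"), ("anonymous", "auth"),
                      (BY_SAMBA, "write"), ("*", "none")]),
    ("*", [("self", "write"), ("users", "read"), (BY_SAMBA, "write")]),
]
# Same clauses, samba DN listed before "users" (my reordering, not from the post)
REORDERED_ACL = [POSTED_ACL[0],
                 ("*", [("self", "write"), (BY_SAMBA, "write"), ("users", "read")])]

def norm(dn):
    """slapd matches normalized DNs: lower-case, no blanks around commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and norm(bind_dn) == norm(entry_dn)
    if who.startswith('dn.base="') and who.endswith('"'):
        return norm(bind_dn) == norm(who[9:-1])
    raise ValueError(f"unsupported <who> form: {who}")

def decide(acl, bind_dn, entry_dn, attr):
    """Return (level, who) from the first applicable clause; first match stops."""
    for target, by_clauses in acl:
        if target != "*" and target.lower() != attr.lower():
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level, who
        break  # target matched but no <who> did: the implicit "by * none"
    return "none", None

def access_allowed(acl, bind_dn, entry_dn, attr, requested):
    # True if the granted level covers the requested one (none < ... < manage)
    level, _ = decide(acl, bind_dn, entry_dn, attr)
    return LEVELS.index(level) >= LEVELS.index(requested)
```

The `err=21` (invalidSyntax) with `objectClass: value #0 invalid per syntax` later in the trace is a separate matter: slapd rejects an objectClass value it does not have in its loaded schema, and that check does not depend on the ACLs.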

