[Samba] Re: Need help with IDMAP storage in LDAP using Winbind

Kristof Bruyninckx kristof.bruyninckx at thales-is.com
Thu Sep 29 10:10:48 GMT 2005


Hello,

Ok, so I fixed the ACL to your example

#access to dn.base="" by * read
#access to dn.base="cn=subschema" by * read
access to attr=userPassword
        by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
        by self write
        by anonymous auth
        by * none
access to *
        by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
        by self write
        by users read



but now the following occurs:

When I launch the smb & winbind instances:

From the LDAP /var/log/messages, debug lvl 220:
snip"
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f6dc38 ptr=0x08f6dc38
end=0x08f6dc84 len=76
Sep 29 10:59:52 linux14 slapd:   0000:  02 01 01 60 47 02 01 03  04 1a
63 6e 3d 4d 61 6e   ...`G.....cn=Man
Sep 29 10:59:52 linux14 slapd:   0010:  61 67 65 72 2c 64 63 3d  74 68
61 6c 65 73 2c 64   ager,dc=thales,d
Sep 29 10:59:52 linux14 slapd:   0020:  63 3d 62 65 80 26 7b 53  53 48
41 7d 37 41 52 32   c=be.&{SSHA}7AR2
Sep 29 10:59:52 linux14 slapd:   0030:  53 6c 30 53 45 69 46 57  46 75
4a 52 78 38 62 56   Sl0SEiFWFuJRx8bV
Sep 29 10:59:52 linux14 slapd:   0040:  78 41 63 68 55 35 4d 4e  73 6c
4d 76               xAchU5MNslMv
Sep 29 10:59:52 linux14 slapd: daemon: select: listen=6 active_threads=0
tvp=NULL
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f6dc38 ptr=0x08f6dc3b
end=0x08f6dc84 len=73
Sep 29 10:59:52 linux14 slapd:   0000:  60 47 02 01 03 04 1a 63  6e 3d
4d 61 6e 61 67 65   `G.....cn=Manage
Sep 29 10:59:52 linux14 slapd:   0010:  72 2c 64 63 3d 74 68 61  6c 65
73 2c 64 63 3d 62   r,dc=thales,dc=b
Sep 29 10:59:52 linux14 slapd:   0020:  65 80 26 7b 53 53 48 41  7d 37
41 52 32 53 6c 30   e.&{SSHA}7AR2Sl0
Sep 29 10:59:52 linux14 slapd:   0030:  53 45 69 46 57 46 75 4a  52 78
38 62 56 78 41 63   SEiFWFuJRx8bVxAc
Sep 29 10:59:52 linux14 slapd:   0040:  68 55 35 4d 4e 73 6c 4d  76
hU5MNslMv
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f6dc38 ptr=0x08f6dc5c
end=0x08f6dc84 len=40
Sep 29 10:59:52 linux14 slapd:   0000:  00 26 7b 53 53 48 41 7d  37 41
52 32 53 6c 30 53   .&{SSHA}7AR2Sl0S
Sep 29 10:59:52 linux14 slapd:   0010:  45 69 46 57 46 75 4a 52  78 38
62 56 78 41 63 68   EiFWFuJRx8bVxAch
Sep 29 10:59:52 linux14 slapd:   0020:  55 35 4d 4e 73 6c 4d 76
U5MNslMv
Sep 29 10:59:52 linux14 slapd: ==> ldbm_back_bind: dn:
cn=Manager,dc=thales,dc=be
Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=49 matched=""
text=""
Sep 29 10:59:52 linux14 slapd: daemon: select: listen=7 active_threads=0
tvp=NULL
Sep 29 10:59:52 linux14 slapd: daemon: activity on 1 descriptors
Sep 29 10:59:52 linux14 slapd: daemon: activity on: 8r
Sep 29 10:59:52 linux14 slapd: daemon: read activity on 8
Sep 29 10:59:52 linux14 slapd: connection_get(8)
snip"
    
which in my opinion is odd since it is no longer used in Samba. And it
fails to authenticate. I tried a reset of the password, and changed the
entries in ldap.conf and slapd.conf. Once done, I tried to modify an
existing entry with ldapmodify, which was successful. Is Samba here
still trying to access the LDAP with this account?

snip"
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f4ce60 ptr=0x08f4ce60
end=0x08f4ce97 len=55
Sep 29 10:59:52 linux14 slapd:   0000:  02 01 01 60 32 02 01 03  04 22
75 69 64 3d 73 61   ...`2...."uid=sa
Sep 29 10:59:52 linux14 slapd:   0010:  6d 62 61 2c 6f 75 3d 49  64 6d
61 70 2c 64 63 3d   mba,ou=Idmap,dc=
Sep 29 10:59:52 linux14 slapd:   0020:  74 68 61 6c 65 73 2c 64  63 3d
62 65 80 09 61 71   thales,dc=be..secret
Sep 29 10:59:52 linux14 slapd:   0030:  77 31 32 33 7a 73
78                               
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f4ce60 ptr=0x08f4ce63
end=0x08f4ce97 len=52
Sep 29 10:59:52 linux14 slapd:   0000:  60 32 02 01 03 04 22 75  69 64
3d 73 61 6d 62 61   `2...."uid=samba
Sep 29 10:59:52 linux14 slapd:   0010:  2c 6f 75 3d 49 64 6d 61  70 2c
64 63 3d 74 68 61   ,ou=Idmap,dc=tha
Sep 29 10:59:52 linux14 slapd:   0020:  6c 65 73 2c 64 63 3d 62  65 80
09 61 71 77 31 32   les,dc=be..secret
Sep 29 10:59:52 linux14 slapd:   0030:  33 7a 73
78                                        
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f4ce60 ptr=0x08f4ce8c
end=0x08f4ce97 len=11
Sep 29 10:59:52 linux14 slapd:   0000:  00 09 61 71 77 31 32 33  7a 73
78                  ..secret
Sep 29 10:59:52 linux14 slapd: ==> ldbm_back_bind: dn:
uid=samba,ou=Idmap,dc=thales,dc=be
Sep 29 10:59:52 linux14 slapd: daemon: select: listen=6 active_threads=0
tvp=NULL
Sep 29 10:59:52 linux14 slapd: => access_allowed: auth access to
"uid=samba,ou=Idmap,dc=thales,dc=be" "userPassword" requested
Sep 29 10:59:52 linux14 slapd: => acl_get: [1] attr userPassword
Sep 29 10:59:52 linux14 slapd: => acl_mask: access to entry
"uid=samba,ou=Idmap,dc=thales,dc=be", attr "userPassword" requested
Sep 29 10:59:52 linux14 slapd: => acl_mask: to all values by "", (=n)
Sep 29 10:59:52 linux14 slapd: <= check a_dn_pat:
uid=samba,ou=idmap,dc=thales,dc=be
Sep 29 10:59:52 linux14 slapd: <= check a_dn_pat: self
Sep 29 10:59:52 linux14 slapd: <= check a_dn_pat: anonymous
Sep 29 10:59:52 linux14 slapd: <= acl_mask: [3] applying auth(=x) (stop)
Sep 29 10:59:52 linux14 slapd: <= acl_mask: [3] mask: auth(=x)
Sep 29 10:59:52 linux14 slapd: => access_allowed: auth access granted by
auth(=x)
Sep 29 10:59:52 linux14 slapd: daemon: select: listen=7 active_threads=0
tvp=NULL
Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=0 matched=""
text=""
Sep 29 10:59:52 linux14 slapd: daemon: activity on 1 descriptors
Sep 29 10:59:52 linux14 slapd: daemon: activity on:
snip"

Whatever is happening here, it seems that the samba user is not
getting write permissions.

Third part:
snip"

Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f4ce60 ptr=0x08f4ce60
end=0x08f4ce97 len=55
Sep 29 10:59:52 linux14 slapd:   0000:  02 01 02 63 32 04 00 0a  01 00
0a 01 00 02 01 00   ...c2...........
Sep 29 10:59:52 linux14 slapd:   0010:  02 01 00 01 01 00 87 0b  6f 62
6a 65 63 74 63 6c   ........objectcl
Sep 29 10:59:52 linux14 slapd:   0020:  61 73 73 30 12 04 10 73  75 70
70 6f 72 74 65 64   ass0...supported
Sep 29 10:59:52 linux14 slapd:   0030:  43 6f 6e 74 72 6f 6c
Control
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f4ce60 ptr=0x08f4ce63
end=0x08f4ce97 len=52
Sep 29 10:59:52 linux14 slapd:   0000:  63 32 04 00 0a 01 00 0a  01 00
02 01 00 02 01 00   c2..............
Sep 29 10:59:52 linux14 slapd:   0010:  01 01 00 87 0b 6f 62 6a  65 63
74 63 6c 61 73 73   .....objectclass
Sep 29 10:59:52 linux14 slapd:   0020:  30 12 04 10 73 75 70 70  6f 72
74 65 64 43 6f 6e   0...supportedCon
Sep 29 10:59:52 linux14 slapd:   0030:  74 72 6f 6c
trol
Sep 29 10:59:52 linux14 slapd: daemon: select: listen=6 active_threads=0
tvp=NULL
Sep 29 10:59:52 linux14 slapd: SRCH "" 0 0    0 0 0
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f4ce60 ptr=0x08f4ce76
end=0x08f4ce97 len=33
Sep 29 10:59:52 linux14 slapd:   0000:  87 0b 6f 62 6a 65 63 74  63 6c
61 73 73 30 12 04   ..objectclass0..
Sep 29 10:59:52 linux14 slapd:   0010:  10 73 75 70 70 6f 72 74  65 64
43 6f 6e 74 72 6f   .supportedContro
Sep 29 10:59:52 linux14 slapd:   0020:  6c
l
Sep 29 10:59:52 linux14 slapd:     filter: (objectClass=*)
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f4ce60 ptr=0x08f4ce83
end=0x08f4ce97 len=20
Sep 29 10:59:52 linux14 slapd:   0000:  00 12 04 10 73 75 70 70  6f 72
74 65 64 43 6f 6e   ....supportedCon
Sep 29 10:59:52 linux14 slapd:   0010:  74 72 6f 6c
trol
Sep 29 10:59:52 linux14 slapd:     attrs: supportedControl
Sep 29 10:59:52 linux14 slapd: => access_allowed: search access to ""
"objectClass" requested
Sep 29 10:59:52 linux14 slapd: => acl_get: [2] attr objectClass
Sep 29 10:59:52 linux14 slapd: => acl_mask: access to entry "", attr
"objectClass" requested
Sep 29 10:59:52 linux14 slapd: => acl_mask: to all values by
"uid=samba,ou=idmap,dc=thales,dc=be", (=n)
Sep 29 10:59:52 linux14 slapd: <= check a_dn_pat:
uid=samba,ou=idmap,dc=thales,dc=be
Sep 29 10:59:52 linux14 slapd: <= acl_mask: [1] applying write(=wrscx)
(stop)
Sep 29 10:59:52 linux14 slapd: <= acl_mask: [1] mask: write(=wrscx)
Sep 29 10:59:52 linux14 slapd: => access_allowed: search access granted
by write(=wrscx)
Sep 29 10:59:52 linux14 slapd: => access_allowed: read access to ""
"entry" requested
Sep 29 10:59:52 linux14 slapd: => acl_get: [2] attr entry
Sep 29 10:59:52 linux14 slapd: => acl_mask: access to entry "", attr
"entry" requested
Sep 29 10:59:52 linux14 slapd: => acl_mask: to all values by
"uid=samba,ou=idmap,dc=thales,dc=be", (=n)
Sep 29 10:59:52 linux14 slapd: <= check a_dn_pat:
uid=samba,ou=idmap,dc=thales,dc=be
Sep 29 10:59:52 linux14 slapd: <= acl_mask: [1] applying write(=wrscx)
(stop)
Sep 29 10:59:52 linux14 slapd: <= acl_mask: [1] mask: write(=wrscx)
Sep 29 10:59:52 linux14 slapd: => access_allowed: read access granted by
write(=wrscx)
Sep 29 10:59:52 linux14 slapd: => access_allowed: read access to ""
"supportedControl" requested
Sep 29 10:59:52 linux14 slapd: => acl_get: [2] attr supportedControl
Sep 29 10:59:52 linux14 slapd: daemon: select: listen=7 active_threads=0
tvp=NULL
Sep 29 10:59:52 linux14 slapd: access_allowed: no res from state
(supportedControl)
Sep 29 10:59:52 linux14 slapd: => acl_mask: access to entry "", attr
"supportedControl" requested
Sep 29 10:59:52 linux14 slapd: => acl_mask: to value by
"uid=samba,ou=idmap,dc=thales,dc=be", (=n)
Sep 29 10:59:52 linux14 slapd: <= check a_dn_pat:
uid=samba,ou=idmap,dc=thales,dc=be
Sep 29 10:59:52 linux14 slapd: <= acl_mask: [1] applying write(=wrscx)
(stop)
Sep 29 10:59:52 linux14 slapd: <= acl_mask: [1] mask: write(=wrscx)
Sep 29 10:59:52 linux14 slapd: => access_allowed: read access granted by
write(=wrscx)
Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=0 matched=""
text=""
snip"

But here LDAP does grant the samba user the proper permissions.

The log ends with the following:
Sep 29 10:59:52 linux14 slapd: do_modify: dn (ou=Idmap,dc=thales,dc=be)
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f6df28 ptr=0x08f6df49
end=0x08f6dfa6 len=93
Sep 29 10:59:52 linux14 slapd:   0000:  30 25 0a 01 00 30 20 04  0b 6f
62 6a 65 63 74 43   0%...0 ..objectC
Sep 29 10:59:52 linux14 slapd:   0010:  6c 61 73 73 31 11 04 0f  73 61
6d 62 61 55 6e 69   lass1...sambaUni
Sep 29 10:59:52 linux14 slapd:   0020:  78 49 64 50 6f 6f 6c 30  19 0a
01 00 30 14 04 09   xIdPool0....0...
Sep 29 10:59:52 linux14 slapd:   0030:  75 69 64 4e 75 6d 62 65  72 31
07 04 05 31 30 30   uidNumber1...100
Sep 29 10:59:52 linux14 slapd:   0040:  30 30 30 19 0a 01 00 30  14 04
09 67 69 64 4e 75   000....0...gidNu
Sep 29 10:59:52 linux14 slapd:   0050:  6d 62 65 72 31 07 04 05  31 30
30 30 30            mber1...10000
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f6df28 ptr=0x08f6df70
end=0x08f6dfa6 len=54
Sep 29 10:59:52 linux14 slapd:   0000:  30 19 0a 01 00 30 14 04  09 75
69 64 4e 75 6d 62   0....0...uidNumb
Sep 29 10:59:52 linux14 slapd:   0010:  65 72 31 07 04 05 31 30  30 30
30 30 19 0a 01 00   er1...100000....
Sep 29 10:59:52 linux14 slapd:   0020:  30 14 04 09 67 69 64 4e  75 6d
62 65 72 31 07 04   0...gidNumber1..
Sep 29 10:59:52 linux14 slapd:   0030:  05 31 30 30 30
30                                  .10000
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f6df28 ptr=0x08f6df8b
end=0x08f6dfa6 len=27
Sep 29 10:59:52 linux14 slapd:   0000:  30 19 0a 01 00 30 14 04  09 67
69 64 4e 75 6d 62   0....0...gidNumb
Sep 29 10:59:52 linux14 slapd:   0010:  65 72 31 07 04 05 31 30  30 30
30                  er1...10000
Sep 29 10:59:52 linux14 slapd: modifications:
Sep 29 10:59:52 linux14 slapd:  add: objectClass
Sep 29 10:59:52 linux14 slapd:          one value, length 15
Sep 29 10:59:53 linux14 slapd:  add: uidNumber
Sep 29 10:59:53 linux14 slapd:          one value, length 5
Sep 29 10:59:53 linux14 slapd:  add: gidNumber
Sep 29 10:59:53 linux14 slapd:          one value, length 5
Sep 29 10:59:53 linux14 slapd: send_ldap_result: err=21 matched=""
text="objectClass: value #0 invalid per syntax"

Entry from the smbd.log:


[2005/09/29 10:59:52, 3] sam/idmap.c:idmap_init(132)
  idmap_init: using 'ldap' as remote backend
[2005/09/29 10:59:52, 2] lib/smbldap.c:smbldap_open_connection(630)
  smbldap_open_connection: connection opened
[2005/09/29 10:59:52, 3] lib/smbldap.c:smbldap_connect_system(805)
  ldap_connect_system: succesful connection to the LDAP server
[2005/09/29 10:59:52, 4] lib/smbldap.c:smbldap_open(869)
  The LDAP server is succesfully connected
[2005/09/29 10:59:52, 0] sam/idmap.c:idmap_init(138)
  idmap_init: failed to initialize remote backend!
[2005/09/29 10:59:52, 1] nsswitch/winbindd.c:main(968)
  Could not init idmap -- netlogon proxy only

Any thoughts on this problem?

Kind regards,


-- 
Bruyninckx Kristof
Thales Services Division
GNU&Linux/Unix System Administrator / Test developer
Tel: 02/674.76.49.19
kristof.bruyninckx at thales-is.com
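As an added example (not part of the original mail), a small Python script that correlates the bind and modify operations in slapd debug output of the form quoted above with the `send_ldap_result` code that follows each of them, so the failing operation and its LDAP result name can be read off without wading through the ber_dump hex. The sample lines are constructed after the log format in this thread (ber_dump lines omitted, DNs taken from the mail).

```python
import re

# Constructed sample, modelled on the slapd debug lines quoted in the mail
# (hex ber_dump lines left out); not a copy of a real server log.
SAMPLE_LOG = """\
Sep 29 10:59:52 linux14 slapd: ==> ldbm_back_bind: dn: cn=Manager,dc=thales,dc=be
Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=49 matched="" text=""
Sep 29 10:59:52 linux14 slapd: ==> ldbm_back_bind: dn: uid=samba,ou=Idmap,dc=thales,dc=be
Sep 29 10:59:52 linux14 slapd: => access_allowed: auth access granted by auth(=x)
Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=0 matched="" text=""
Sep 29 10:59:52 linux14 slapd: do_modify: dn (ou=Idmap,dc=thales,dc=be)
Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=21 matched="" text="objectClass: value #0 invalid per syntax"
"""

# LDAP resultCode values (RFC 4511) for the codes that matter in this log.
RESULT_NAMES = {
    0: "success",
    21: "invalidAttributeSyntax",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

# An operation line: a simple bind (with the DN being bound) or a modify (target DN).
OP_RE = re.compile(
    r"slapd: (?:==> ldbm_back_bind: dn: (?P<bind>\S+)|do_modify: dn \((?P<mod>[^)]+)\))"
)
# The result line that closes the operation.
RES_RE = re.compile(
    r'slapd: send_ldap_result: err=(?P<err>\d+) matched="[^"]*" text="(?P<text>[^"]*)"'
)


def summarize(log):
    """Pair each bind/modify with the next send_ldap_result and name its code."""
    events, pending = [], None
    for line in log.splitlines():
        m = OP_RE.search(line)
        if m:
            op = "bind" if m.group("bind") else "modify"
            pending = {"op": op, "dn": m.group("bind") or m.group("mod")}
            continue
        r = RES_RE.search(line)
        if r and pending:
            err = int(r.group("err"))
            pending.update(err=err, name=RESULT_NAMES.get(err, "other"), text=r.group("text"))
            events.append(pending)
            pending = None
    return events


def failed_binds(events):
    """DNs whose simple bind did not succeed (e.g. a stale or wrong bind password)."""
    return [e["dn"] for e in events if e["op"] == "bind" and e["err"] != 0]
```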