[Samba] idmap backend, LDAP & Windows AD

Yanick Quirion YQuirion at tranzyme.com
Thu Feb 9 14:09:32 GMT 2006


Dear all,

For a couple of weeks I have been trying to configure Samba to get UID & GID
from Windows 2003 AD. I read the Samba documentation & HOWTO, but it is still
not working.

Here are the tasks I've performed:

- I installed SFU on my Windows 2003 Server
- I configured /etc/samba/smb.conf:

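# Global parameters
# /etc/samba/smb.conf - read by smbd, nmbd and winbindd (security = ADS).
# smb.conf has no trailing-comment syntax: text after a value on the same
# line becomes part of the value, so every note below is on its own line.
[global]
        workgroup = TOTO
        netbios name = VENUS
        encrypt passwords = yes
        obey pam restrictions = No
        pam password change = No
        interfaces = eth0 10.1.0.0/16
        wins server = 10.1.2.4
        domain master = no
        local master = no
        preferred master = no
        server string = VENUS Samba Services
        lock directory = /var/lib/samba
        load printers = no
        socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
        username map = /etc/samba/smbusers
        # Every member of this AD group acts as root on every share;
        # keep membership of the group tightly controlled.
        admin users = @"Domain Admins"

        #### ACTIVE DIRECTORY
        realm = TOTO.COM
        security = ADS
        # winbindd reports the 'ads' and 'rpc' class names here as
        # "Unknown class" at startup (see the syslog excerpt); presumably
        # those two are ignored and only 1 / auth:10 / sam:10 take effect.
        log level = 1 ads:10 auth:10 sam:10 rpc:10
        winbind separator = +
        # DN the ldap idmap backend binds with (password from secrets.tdb).
        # winbindd logs "Invalid credentials ... data 525" for it; AD returns
        # data 525 when the bind DN does not resolve to an account. The built-in
        # Administrator object normally lives under cn=Users, not directly under
        # the domain root - TODO confirm the DN with ldapsearch.
        ldap admin dn = cn=Administrator,dc=TOTO,dc=COM
        # The ldap backend writes its allocations as Samba-schema objects under
        # this suffix; an AD schema that was not extended for Samba lacks them -
        # TODO confirm before relying on this backend against a DC.
        ldap idmap suffix = ou=Idmap
        ldap passwd sync = yes
        ldap suffix = dc=TOTO,dc=COM
        # ads-tst.toto.com is the Windows 2003 server (10.1.3.9).
        # Whether this bind is protected depends on 'ldap ssl' (not set here);
        # verify it is not sending the admin password over plain ldap://.
        idmap backend = ldap:ldap://ads-tst.toto.com
        idmap uid = 150000-550000
        idmap gid = 150000-550000
        #idmap backend = ldap:ldap://127.0.0.1
        #ldap user suffix = ou=Sherbrooke
        #ldap machine suffix = ou=Computers

        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = yes
        winbind use default domain = Yes
        # 'sfu' tells winbindd to read the SFU UNIX attributes from AD for
        # shell/homedir; whether it also supplies uid/gid depends on the Samba
        # release in use - verify against the installed version's man page.
        winbind nss info = template, sfu
        #winbind use default domain = yes
        template shell = /bin/bash
        template homedir = /u/%D/%U
        # seconds
        winbind cache time = 5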

- I configured /etc/krb5.conf
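# /etc/krb5.conf - MIT Kerberos client configuration used by the ADS join.
# krb5.conf supports only full-line comments (#); text after a value on the
# same line would become part of the value, so notes are kept on their own
# lines. The 'net ads join' below succeeded, which suggests this part works.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TOTO.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 TOTO.COM = {
  # ads-tst.toto.com is the Windows 2003 server (10.1.3.9)
  kdc = ads-tst.toto.com
  default_domain = toto.com
 }

[domain_realm]
 .toto.com = TOTO.COM
 toto.com = TOTO.COM

[appdefaults]
pam = {
   debug = false
   # seconds
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}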

- I configured /etc/ldap.conf
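# /etc/ldap.conf - read by nss_ldap (and pam_ldap) for passwd/shadow/group.
# Comments are full-line (#) only; extra tokens on the 'host' line would be
# read as additional server names, so the note on the server is kept apart.
# 10.1.3.9 is the Windows Server 2003 domain controller.
# NOTE(review): the getent errors in syslog show nss_ldap binding to
# ldap://10.32.3.9, not this address - confirm which ldap.conf is in effect.
host    10.1.3.9
base    dc=toto,dc=com
# Simple bind as the domain Administrator. The bind fails with "Invalid
# credentials"; the built-in Administrator object in AD normally sits under
# cn=Users,dc=toto,dc=com - TODO confirm the DN. A dedicated read-only lookup
# account is also far less privilege than Administrator for NSS queries.
binddn  cn=Administrator,dc=toto,dc=com
# Clear-text password in a file that every process doing name lookups reads.
# nss_ldap supports rootbinddn with the password in root-only /etc/ldap.secret;
# prefer that over bindpw here.
bindpw  password

# exop is the OpenLDAP password-change method; for AD, pam_ldap documents
# 'pam_password ad' (requires TLS) - verify which one applies here.
pam_password exop

# These bases assume ou=People / ou=Groups containers; AD's default user and
# group container is cn=Users - verify the containers exist in the directory.
nss_base_passwd ou=People,dc=toto,dc=com?one
nss_base_shadow ou=People,dc=toto,dc=com?one
nss_base_group  ou=Groups,dc=toto,dc=com?one
# No TLS: the bind DN and password go over the network in the clear.
# 'ssl start_tls' (or ldaps) is preferable once the DC presents a certificate.
ssl     no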

- I configured nss_ldap-248 and installed it:
# Build nss_ldap-248 with RFC2307bis and schema-mapping support, presumably so
# that SFU's UNIX attributes can be mapped onto the posixAccount fields.
./configure --enable-rfc2307bis --enable-schema-mapping
make install


- I joined my samba to my Windows 2003 server (It worked fine)
# The password is given inline as Administrator%password, so it is recorded in
# shell history and visible in the process list while net runs; omitting the
# %password part makes net prompt for it instead.
root#  net ads join -UAdministrator%password
Using short domain name -- TOTO
Joined 'VENUS' to realm 'TOTO.COM'

- I modified /etc/nsswitch.conf as follows:
# /etc/nsswitch.conf - only 'files' then 'ldap' (nss_ldap) are consulted;
# winbind is not listed, so 'getent passwd' and presumably the 'chown toto'
# lookup go through nss_ldap's bind to the DC, which is what fails in syslog.
passwd: files ldap
shadow: files ldap
group:  files ldap

- I stored the LDAP (Windows 2003) password in the secrets.tdb file:
# Stores the 'ldap admin dn' bind password in secrets.tdb for smbd/winbindd.
# As with the join command, the password is recorded in shell history here.
smbpasswd -w password


Now when I start winbind, I get the following errors:

Feb  9 08:58:29 venus winbindd[21018]: [2006/02/09 08:58:29, 0]
lib/debug.c:debug_lookup_classname(352) 
Feb  9 08:58:29 venus winbindd[21018]:   debug_lookup_classname(ads):
Unknown class 
Feb  9 08:58:29 venus winbindd[21018]: [2006/02/09 08:58:29, 0]
lib/debug.c:debug_lookup_classname(352) 
Feb  9 08:58:29 venus winbindd[21018]:   debug_lookup_classname(rpc):
Unknown class 
Feb  9 08:58:30 venus winbindd[21018]: [2006/02/09 08:58:30, 0]
lib/smbldap.c:smbldap_connect_system(890) 
Feb  9 08:58:30 venus winbindd[21018]:   failed to bind to server
ldap://ads-tst.toto.com with dn="cn=Administrator,dc=TOTO,dc=COM" Error:
Invalid credentials 
Feb  9 08:58:30 venus winbindd[21018]:          80090308: LdapErr:
DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece 
Feb  9 08:58:45 venus winbindd[21018]: [2006/02/09 08:58:45, 0]
sam/idmap.c:idmap_init(146) 
Feb  9 08:58:45 venus winbindd[21018]:   idmap_init: failed to
initialize remote backend!


If I run wbinfo -u and wbinfo -g, I get the lists from AD:

Administrator
Guest
SUPPORT_388945a0
ADS-TST$
krbtgt
yquirion
toto
venus$

[venus]:/# wbinfo -g
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
sinfsyst

If I try this command: chown toto nss_ldap-248/
chown: `toto': invalid user

If I run getent passwd, I get the following errors in syslog:
Feb  9 09:03:57 venus getent: nss_ldap: failed to bind to LDAP server
ldap://10.32.3.9: Invalid credentials
Feb  9 09:03:57 venus getent: nss_ldap: failed to bind to LDAP server
ldap://10.32.3.9: Invalid credentials
Feb  9 09:03:57 venus getent: nss_ldap: reconnecting to LDAP server
(sleeping 4 seconds)...
Feb  9 09:04:01 venus getent: nss_ldap: failed to bind to LDAP server
ldap://10.32.3.9: Invalid credentials
Feb  9 09:04:01 venus getent: nss_ldap: reconnecting to LDAP server
(sleeping 8 seconds)...
Feb  9 09:04:09 venus getent: nss_ldap: failed to bind to LDAP server
ldap://10.32.3.9: Invalid credentials
Feb  9 09:04:09 venus getent: nss_ldap: reconnecting to LDAP server
(sleeping 16 seconds)...

Can somebody tell me what I'm doing wrong? My first goal is to have the
same UID & GID from my Active Directory on all my Linux/Samba
systems.

Thank you everybody for your help.

Best Regards,
Yanick


