[Samba] samba 3.0.21 PDC with LDAP problems

mallapadi niranjan niranjan.ashok at gmail.com
Tue Jan 17 04:28:00 GMT 2006


Dear all

I have a system running a Samba PDC with LDAP; the Samba version is 3.0.21 and
the OpenLDAP version is 2.2.13.
I have another Linux system, running Samba 3.0.10, which is a member server
of the Samba PDC.
I have configured nss_ldap on the member server, with ldap.conf pointing to
my LDAP server on the Samba PDC.
The LDAP server on the Samba PDC is configured for simple bind.


1) I have been getting the following errors:
   On the member server, when I issue the command `net rpc info`, I get the
following error:
   rpc_parse/parse_prs.c prs_mem_get(537)
   prs_mem_get: reading data size 14418130 would overrun buffer
   What does the above error mean?

2) On the domain member server I get the following error:
    nss_wins ldap_simple_bind  can't contact LDAP server

3) And often on the Samba PDC, in /var/log/message, I get the following error:
    init_sam_from_ldap , Failed to get password history for user

4) On the Samba PDC, with LDAP, I get the following error:
slapd[] bdb_equality_candidates : (uid) index_param failed
           bdb_equality_candidates : (sambaGroupType) index_parm failed
I believe the above error means that there is some indexing problem with the
slapd.conf file on my Samba PDC,
but I am unable to figure out what exactly is causing the problem.


The slapd.conf of my Samba PDC is:
###################################################################
# slapd.conf of the Samba PDC, as posted. The "access to" / "attrs=" pairs
# below appear on two lines; in slapd.conf a continuation line must start
# with whitespace, so this is most likely mail wrapping -- verify the real
# file keeps each ACL on one line (or indents the continuation).
include        /etc/openldap/schema/core.schema
include        /etc/openldap/schema/cosine.schema
include        /etc/openldap/schema/inetorgperson.schema
include        /etc/openldap/schema/nis.schema
include        /etc/openldap/schema/samba.schema

# Accepts LDAPv2 binds in addition to v3. Samba 3 and nss_ldap normally
# bind with v3, so keep this only if some other client still needs v2.
allow bind_v2


pidfile        /var/run/slapd.pid
argsfile    /var/run/slapd.args

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database    bdb
suffix        "dc=msdpl,dc=com"
# The rootdn bypasses every "access to" rule below. The smb.conf in this
# same post sets "ldap admin dn" to this DN, so Samba's reads and writes
# are never subject to the ACLs; only nss_ldap and other clients are.
rootdn        "cn=manager,dc=msdpl,dc=com"
# Cleartext root password in the config file. Store a hash instead
# (slappasswd(8) produces an {SSHA} value usable here), keep the file
# readable only by the slapd user, and remember this is also the value
# Samba holds for the admin dn (secrets.tdb), so rotate both together.
rootpw    secret
idletimeout 30
timelimit 30
directory    /var/lib/ldap

# Indexing. The slapd log lines quoted earlier in this post
# ("bdb_equality_candidates : (uid) index_param failed" and the same for
# sambaGroupType) are logged when an equality filter is evaluated on an
# attribute that has no "eq" index. Neither uid nor sambaGroupType gets
# one here -- "index default sub" only gives unlisted attributes a
# substring index. Adding "eq" indexes for them and rebuilding the
# indexes with slapindex(8) while slapd is stopped should silence those
# messages.
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index loginShell                        eq,pres
index nisMapName,nisMapEntry            eq,pres,sub
index displayName                       eq,pres,sub
index uidNumber                         eq
index gidNumber                         eq
index memberUID                         eq
index sambaSID                          eq
index sambaPrimaryGroupSID              eq
index default                           sub


# ACLs. OpenLDAP evaluates "access to" clauses in order and applies the
# first one whose target matches, so the password rule must stay first.
access to
attrs=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange
# NOTE(review): "by dn=<DN>" matches the bind DN exactly; it does not
# grant anything to the *members* of a group entry. Unless something
# really binds as these group entries, none of the "write" clauses below
# take effect, and if group membership was intended they would need
# "by group=<DN>". Be careful if that change is made: as written it would
# give every member of Domain Users write access to everyone's password
# hashes, which is almost certainly not wanted.
        by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Domain Users,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Domain Guests,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Administrators,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Account Operators,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Print Operators,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Backup Operators,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Replicators,ou=Groups,dc=msdpl,dc=com" write
# "auth" lets an anonymous client use userPassword to simple-bind without
# being able to read it; "* none" keeps the hashes unreadable to everyone
# else, including the user's own account. Password changes still work
# because Samba writes them as the rootdn ("ldap passwd sync" in smb.conf).
        by anonymous auth
        by * none
# some attributes need to be readable anonymously so that 'id user' can
# answer correctly
access to
attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
# "cn=nns,ou=Groups" is used as a bind DN throughout this file; the
# dn= vs group= remark above applies here too.
         by dn="cn=nns,ou=Groups,dc=msdpl,dc=com" write
     by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
     by * read
# some attributes can be writable by users themselves
# NOTE(review): despite that comment there is no "by self write" clause,
# so users cannot actually modify these fields on their own entry; only
# the two dn= lines and the anonymous "* read" apply.
access to
attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
    by dn="cn=nns,ou=Groups,dc=msdpl,dc=com" write
    by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
    by * read
# some attributes need to be writable for samba
access to dn.base="dc=msdpl,dc=com"
      by dn="cn=nns,ou=Groups,dc=msdpl,dc=com" write
# A single user account (uid=kk1438) has write on the base entry and on
# ou=Computers below -- presumably the account used when joining
# machines. Confirm it is still needed; Samba itself binds as the rootdn.
      by dn="uid=kk1438,ou=People,dc=msdpl,dc=com" write
      by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
      by dn="cn=Administrators,ou=Groups,dc=msdpl,dc=com" write
      by dn="cn=Account Operators,ou=Groups,dc=msdpl,dc=com" write
      by * none
# samba needs to be able to create new user accounts
# NOTE(review): a plain dn="ou=People,..." target names that one entry;
# whether it also covers the entries underneath it depends on the default
# dn style of this OpenLDAP release (see slapd.access(5): dn.children /
# dn.subtree). Moot while Samba binds as the rootdn, but it matters if a
# less privileged admin dn is ever used. Same for ou=Groups/ou=Computers.
access to dn="ou=People,dc=msdpl,dc=com"
      by dn="cn=nns,ou=Groups,dc=msdpl,dc=com" write
      by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
      by dn="cn=Administrators,ou=Groups,dc=msdpl,dc=com" write
      by dn="cn=Account Operators,ou=Groups,dc=msdpl,dc=com" write
      by * none
# samba needs to be able to create new group accounts
access to dn="ou=Groups,dc=msdpl,dc=com"
      by dn="cn=nns,ou=Groups,dc=msdpl,dc=com" write
      by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
      by dn="cn=Administrators,ou=Groups,dc=msdpl,dc=com" write
      by dn="cn=Account Operators,ou=Groups,dc=msdpl,dc=com" write
      by * none
# samba needs to be able to create new computer accounts
access to dn="ou=Computers,dc=msdpl,dc=com"
      by dn="cn=nns,ou=Groups,dc=msdpl,dc=com" write
      by dn="uid=kk1438,ou=People,dc=msdpl,dc=com" write
      by dn="cn=Domain Admins,ou=Groups,dc=msdpl,dc=com" write
      by dn="cn=Administrators,ou=Groups,dc=msdpl,dc=com" write
      by dn="cn=Account Operators,ou=Groups,dc=msdpl,dc=com" write
      by * none
# Catch-all: every attribute not matched above (for example sambaSID,
# sambaPrimaryGroupSID, sambaGroupType and the rest of the samba schema)
# is readable anonymously. Consider "by users read" if the server is
# reachable from anything other than the member servers.
access to * by * read

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com at EXAMPLE.COM
###################################################################

The smb.conf file of my Samba PDC with LDAP is:
##################################################################
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]

  workgroup = msdpl.com
  netbios name = medhapdc
  # LDAP-backed passdb. Combined with "ldap ssl = no" below, Samba's simple
  # bind as the admin dn (and everything it reads, including the password
  # hashes) travels in the clear if msdpl.com resolves to anything other
  # than this host. Samba 3.0 supports "ldap ssl = start tls" to protect it.
  passdb backend = ldapsam:ldap://msdpl.com
  server string = Domain Controller
  # Only the three 192.168.x.0/24 networks and loopback may connect.
  hosts allow = 192.168.128. 192.168.129. 192.168.130. 127.
  security = user
  encrypt passwords = yes
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  interfaces = eth0, lo
  printing = cups
  disable spoolss = Yes
  printcap name = cups
  max print jobs = 100
  enable privileges = yes
  # Up to 8 case permutations are retried for passwords and usernames that
  # fail as typed. That weakens case sensitivity and multiplies the
  # authentication attempts per failure; with encrypted passwords it should
  # not be needed, so consider 0.
   password level = 8
   username level = 8
  bind interfaces only = yes
  local master = Yes
  os level = 65
  domain master = yes
  preferred master = yes
  null passwords = no
  hide unreadable = yes
  hide dot files = yes
  domain logons = yes
  # Per-user logon script, served from the [netlogon] share below.
  logon script = %u.bat
  # Empty logon path: no roaming-profile location is handed to clients.
  logon path =
  logon drive = X:
  logon home = \\medhapdc\%U
  wins support = yes
  name resolve order = wins lmhosts host bcast
  dns proxy = no
  time server = yes
  log file = /var/log/samba/%m.log
  max log size = 50
  nt acl support = yes
  # Samba writes password changes into LDAP itself (as the admin dn).
  ldap passwd sync = yes
  # smbldap-tools hooks; %u/%g/%m are substituted by Samba before the
  # command is run through a shell, so the quoting around them matters.
  add user script = /usr/local/sbin/smbldap-useradd -m "%u"
  delete user script = /usr/local/sbin/smbldap-userdel "%u"
  add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
  add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
  add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
  # NOTE: the "%g" on the following line belongs to this script parameter;
  # it is a mail-wrap artifact, not a separate setting. Confirm the real
  # file has the whole command on one line.
  delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u"
"%g"
  set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
  ldap delete dn = Yes
  # No TLS towards slapd; see the note at "passdb backend".
  ldap ssl = no
  ldap suffix = dc=msdpl,dc=com
  # Identical to slapd's rootdn, so Samba bypasses every slapd ACL. The
  # bind password is kept in secrets.tdb (set with "smbpasswd -w") and must
  # match the rootpw in slapd.conf.
  ldap admin dn = cn=manager,dc=msdpl,dc=com
  ldap group suffix = ou=Groups
  ldap user suffix = ou=People
  ldap machine suffix = ou=Computers
  ldap idmap suffix = ou=Idmap
  idmap backend = ldap:ldap://msdpl.com
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  map acl inherit = yes
  winbind use default domain = no
  template shell = /bin/false
######################################################[Share Definitions]###########################################
[homes]
   comment = Home Directories
   # Only the owner of the home share may use it.
   valid users = %S
   browseable = no
   read only = no
   nt acl support = Yes

# Un-comment the following and create the netlogon directory for Domain
# Logons
 [netlogon]
   comment = Network Logon Service
   path = /usr/local/samba/lib/netlogon/scripts
   # Readable by guests (clients fetch logon scripts before a full logon);
   # only root may modify the scripts that every user will execute.
   guest ok = yes
   browseable = no
   write list = root

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /var/spool/samba
   create mask = 0600
   guest ok = Yes
   printable = yes
   use client driver = Yes
   browseable = no

##################################################################

