[Samba] Samba LDAP rootpw error
Gary Dale
garydale at torfree.net
Sun Mar 26 13:58:38 GMT 2006
Matt Richards wrote:
>>Matt Richards wrote:
>>
>>>>Matt Richards wrote:
>>>>
>>>>>>Matt Richards wrote:
>>>>>>
>>>>>>>>I was following the howto below (originally posted on this list as
>>>>>>>>BIG Samba howto for debian only.) to see if I could get my
>>>>>>>>not-quite-working Samba 3.0.14a (debian) server fully working and
>>>>>>>>able to handle my Linux logins too. The problem I'm having with my
>>>>>>>>Samba setup is that I can't change user passwords except through
>>>>>>>>Swat. Users can't change them from their machines using the Windows
>>>>>>>>password change - but they are notified to change them when they
>>>>>>>>expire.
>>>>>>>>
>>>>>>>>Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP
>>>>>>>>Server configuration". Neither slapindex nor slapd will run. It looks
>>>>>>>>like it doesn't like something about my root password, but I'm not
>>>>>>>>sure what it wants (I'm no expert on LDAP). :)
>>>>>>>>
>>>>>>>>Slapindex complains "bad configuration file". Slapd gives the more
>>>>>>>>detailed:
>>>>>>>>line 65 (rootpw ***)
>>>>>>>>/etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is
>>>>>>>>under suffix
>>>>>>>>
>>>>>>>>I've attached my slapd.conf file if that is of any assistance. Any
>>>>>>>>help will be greatly appreciated.
>>>>>>>>
>>>>>>>>Louis van Belle wrote:
>>>>>>>>
>>>>>>>[..snip..]
>>>>>>>
>>>>>>>Hmm, well, looking at the config file the first thing that I notice is
>>>>>>>this ...
>>>>>>>
>>>>>>># The base of your directory in database #1
>>>>>>>suffix "dc=rahim-dale,dc=org"
>>>>>>>rootdn "cn=admin,dc=toronto,dc=ontario,dc=ca"
>>>>>>>
>>>>>>>Your root DN isn't in the base of your LDAP tree; this should probably
>>>>>>>be something like ...
>>>>>>>
>>>>>>>suffix "dc=rahim-dale,dc=org"
>>>>>>>rootdn "cn=admin,dc=rahim-dale,dc=org"
>>>>>>>
>>>>>>>Try it and let us know what happens :).
>>>>>>>
>>>>>>>HTH
>>>>>>>
>>>>>>>Matt.
>>>>>>>
>>>>>>You got it in one! I've got slapd running.
>>>>>>
>>>>>>Now I'm stuck at "5.4 set the samba ldap admin password". I can set the
>>>>>>admin password and get the expected response, but when I try
>>>>>>"smbldap-populate -a Administrator -b nobody -u 2000 -g 2000", it fails
>>>>>>to add the various groups. I get "failed to add entry: modifications
>>>>>>require authentication at /usr/sbin/smbldap-populate line 460, <GEN1>
>>>>>>line 3." for each ou=<groupname> it tries to add.
>>>>>>
>>>>>>Any ideas?
>>>>>>
>>>>>The smbldap-populate script requires authentication to the LDAP server;
>>>>>there is probably a problem with the login you have set in smbldap.conf
>>>>>... if you have set any at all!
>>>>>
>>>>>I would recommend looking through the smbldap-tools howto at
>>>>>http://samba.idealx.org/smbldap-tools.en.html
>>>>>and seeing if there is anything you have missed out, but the first thing
>>>>>I would try is this ..
>>>>>
>>>>>...
>>>>>3 Configuring the smbldap-tools
>>>>>As mentioned in the previous section, you'll have to update two
>>>>>configuration files. The first (smbldap.conf) allows you to set global
>>>>>parameters that are readable by everybody, and the second
>>>>>(smbldap_bind.conf) defines two administrative accounts to bind to a
>>>>>slave and a master ldap server: this file must thus be readable only by
>>>>>root. A script named configure.pl can help you to set their contents up.
>>>>>It is located in the tarball downloaded or in the documentation directory
>>>>>if you got the RPM archive (see /usr/share/doc/smbldap-tools/). Just
>>>>>invoke it:
>>>>>
>>>>>/usr/share/doc/smbldap-tools/configure.pl
>>>>>...
>>>>>
>>>>>Note: the smbldap-tools dir might not be located in your /usr/share/doc/
>>>>>directory.
>>>>>
>>>>>If this doesn't work you could attach your smbldap config file (with the
>>>>>password taken out, of course) so we can have a little look.
>>>>>
>>>>>Matt.
>>>>>
>>>>I can't see anything wrong with my setup but even when I tweak the
>>>>settings a little, I get the same result. Here are: smbldap.conf,
>>>>smbldap_bind.conf (with passwords removed) and the smb.conf I'm using
>>>>for ldap (renamed right now because I'm keeping my old setup available
>>>>until I get this working).
>>>>
>>>>One issue is my password does have an apostrophe and a period in it. It
>>>>shouldn't be an issue because the bind file has them in quotes. I've
>>>>also tried them escaped ("\") but that didn't change anything.
>>>>
>>>OK, I have looked over everything and the only thing I can see at this
>>>moment is this ...
>>>
>>>In your smbldap_bind.conf file you aren't using a bind DN of
>>>cn=admin,dc=family,dc=rahim-dale,dc=org for authentication against the
>>>LDAP server but the line in the config I gave you before was rootdn
>>>"cn=admin,dc=rahim-dale,dc=org" ... When you first set up LDAP no accounts
>>>exist in the LDAP database; the rootdn account is like a virtual account
>>>that will always have full access, and because of this (and I'm guessing
>>>your LDAP tree is blank) you will only be able to use the rootdn to bind
>>>at this time.
>>>
>>>There are a few lines you can try to attempt to bind to the LDAP server
>>>...
>>>
>>>ldapsearch -D cn=admin,dc=family,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
>>>ldapsearch -D cn=admin,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
>>>
>>>The first is the bind DN in your smbldap_bind.conf and the second is
>>>using the rootdn from the other email.
>>>
>>>As your LDAP tree is blank you won't get much output, but one should fail
>>>with a bind error and the other should say something like "no such
>>>object".
>>>
>>>HTH, let me know if they work; I will see if I can see anything else that
>>>may be wrong.
>>>
>>>Matt.
>>>
>>It's the one without the "family". The howto I've been following used
>>"internal" in some places, so I've been trying to follow that model,
>>replacing "internal" with "family". I went back and put the "family" in
>>the slapd.conf and now it worked with the "family". However, it still
>>failed to populate. In fact, the "adding new entry" lines still left out
>>family.
>>
>>Next I removed family and tried again (stopping slapd and samba, running
>>slapindex then restarting the services each time). Still getting the
>>same problem.
>>
>>
>
>OK, now I think you have a root of dc=family,dc=rahim-dale,dc=org in your
>LDAP tree and all the scripts to create the entries in LDAP are trying to
>create entries under dc=rahim-dale,dc=org, e.g.
>ou=Users,dc=rahim-dale,dc=org.
>
>You have 2 options ...
>
>1. You can remove everything in the LDAP database (including the root
>object) and make sure all the config files are pointing to the same place.
>
>For this step it should be only ...
>
># LDAP Suffix
># Ex: suffix=dc=IDEALX,dc=ORG
>suffix="dc=rahim-dale,dc=org"
>
>in smbldap.conf
>
>and cn=admin,dc=rahim-dale,dc=org for the slapd.conf rootdn line and the
>smbldap_bind.conf file,
>
>and then run the scripts again and everything should go nicely.
>
>As I don't know how to remove everything in the LDAP tree and don't have an
>OpenLDAP server lying around to try anything out on, I am also sending this
>email to the OpenLDAP mailing lists. If anybody could help that would be
>great. (ldapdelete, I guess?)
>
>
>2. Change everything to have an LDAP base of dc=family,dc=rahim-dale,dc=org
>and re-run the scripts; they should skip over everything that already
>exists and just add the objects that don't exist.
>
>Oh, also ...
>if you re-run
>ldapsearch -D cn=admin,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
>do you see a base and/or any other objects?
>
>Attaching the output would be useful.
>
>Also ... LDAP can be quite complicated at first; if you're just starting to
>use it I would recommend using a nice pretty front end so you can see what
>is going on.
>A good front end is ...
>http://phpldapadmin.sf.net/ , however, this also requires a web server and
>PHP being set up.
>
>HTH
>
>Matt.
>
Actually, your two suggestions were what I'd already tried (except for
removing everything in the ldap database in 1 - how do you do that?). I
guess my language was a little confusing. I even changed the smb.conf.
Here's the output you requested:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting:
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
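
Added example, not code from this thread, from OpenLDAP or from smbldap-tools: a small POSIX shell lint for the two configuration relationships the whole exchange turns on. The first is the slapd.conf rule behind the "rootpw can only be set when rootdn is under suffix" error (rootdn must equal the suffix or sit beneath it, compared RDN by RDN rather than as a plain string suffix). The second is the agreement between slapd.conf, smbldap.conf and smbldap_bind.conf that smbldap-populate needs: on an empty tree only the rootdn can bind, so the masterDN in smbldap_bind.conf has to be exactly that DN, which is why the "family" variant got "modifications require authentication". It also wraps the ldapsearch bind test and the ldapdelete -r command that answers the still-open "how do you remove everything" question; those two need a running slapd and are defined but not invoked. The sample config files are constructed here, not the poster's attachments, and the file layouts and DN forms assumed are stated in the comments.

```sh
#!/bin/sh
# Added example, not code from this thread, OpenLDAP or smbldap-tools.
# Assumptions: slapd.conf "directive value" syntax with optionally quoted
# values; smbldap-tools key="value" syntax (suffix in smbldap.conf, masterDN
# in smbldap_bind.conf); plain dc=/cn= DNs without RFC 4514 escapes.

# Normalise a DN for comparison: strip surrounding quotes, whitespace around
# ',' and '=', and case (attribute types are case-insensitive, and the dc/cn
# values in these files are matched case-insensitively by slapd).
norm_dn() {
    printf '%s' "$1" \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/^"//' -e 's/"$//' \
            -e 's/[[:space:]]*,[[:space:]]*/,/g' \
            -e 's/[[:space:]]*=[[:space:]]*/=/g' \
      | tr 'A-Z' 'a-z'
}

# First value of slapd.conf directive $1 in file $2 (e.g. suffix, rootdn).
slapd_value() {
    awk -v d="$1" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$2"
}

# Value of the key="..." line for key $1 in an smbldap-tools style file $2.
kv_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# 0 when DN $1 equals DN $2 or lies beneath it. The match is on ",<base>" at
# the end, not a bare string suffix, so cn=x,dc=xrahim-dale,dc=org is not
# "under" dc=rahim-dale,dc=org.
dn_under() {
    a=$(norm_dn "$1"); b=$(norm_dn "$2")
    [ -n "$a" ] && [ -n "$b" ] || return 1
    [ "$a" = "$b" ] && return 0
    case "$a" in *",$b") return 0 ;; esac
    return 1
}

# The rule slapd enforces before it accepts a rootpw line.
rootdn_under_suffix() {        # $1 = slapd.conf
    dn_under "$(slapd_value rootdn "$1")" "$(slapd_value suffix "$1")"
}

# Cross-file check: $1 slapd.conf, $2 smbldap.conf, $3 smbldap_bind.conf.
# On an empty tree the rootdn is the only DN that can bind, so masterDN must
# be exactly the rootdn, not merely somewhere under the suffix.
check_samba_ldap_config() {
    rc=0
    suffix=$(norm_dn "$(slapd_value suffix "$1")")
    rootdn=$(norm_dn "$(slapd_value rootdn "$1")")
    rootdn_under_suffix "$1" \
        || { echo "slapd.conf: rootdn $rootdn is not under suffix $suffix"; rc=1; }
    [ "$(norm_dn "$(kv_value suffix "$2")")" = "$suffix" ] \
        || { echo "smbldap.conf: suffix differs from slapd.conf suffix $suffix"; rc=1; }
    [ "$(norm_dn "$(kv_value masterDN "$3")")" = "$rootdn" ] \
        || { echo "smbldap_bind.conf: masterDN is not the slapd.conf rootdn $rootdn"; rc=1; }
    return $rc
}

# Constructed sample files reproducing the mismatches discussed in the thread.
write_samples() {              # $1 = directory
    cat > "$1/slapd.conf" <<'EOF'
# The base of your directory in database #1
suffix          "dc=rahim-dale,dc=org"
rootdn          "cn=admin,dc=toronto,dc=ontario,dc=ca"
rootpw          {SSHA}placeholder
EOF
    cat > "$1/smbldap.conf" <<'EOF'
suffix="dc=rahim-dale,dc=org"
usersdn="ou=Users,${suffix}"
EOF
    cat > "$1/smbldap_bind.conf" <<'EOF'
masterDN="cn=admin,dc=family,dc=rahim-dale,dc=org"
masterPw="REDACTED"
EOF
}

# Live checks; both need a running slapd, so they are defined but not run.
ldap_bind_check() {            # $1 = bind DN, $2 = host
    # Reading the root DSE works even when the tree is empty, so a failure
    # here is a bind problem rather than "No such object".
    ldapsearch -x -h "$2" -D "$1" -W -b "" -s base -LLL >/dev/null
}
ldap_wipe_tree() {             # $1 = rootdn, $2 = base DN, $3 = host
    # Recursively deletes the base entry and everything beneath it, bound as
    # the rootdn; stop samba and any nss_ldap/pam_ldap clients first.
    ldapdelete -x -h "$3" -D "$1" -W -r "$2"
}

dir=$(mktemp -d)
write_samples "$dir"
check_samba_ldap_config "$dir/slapd.conf" "$dir/smbldap.conf" "$dir/smbldap_bind.conf" \
    || echo "fix the lines above, then retry smbldap-populate"
rm -rf "$dir"
```

Run as-is to see the two mismatches from the sample files reported; point the three arguments of check_samba_ldap_config at real files to lint a live setup. The DN comparison deliberately anchors on the comma before the base so a base that merely shares a trailing substring does not pass, which a naive string-suffix test would get wrong.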