[Samba] Samba LDAP rootpw error

Gary Dale garydale at torfree.net
Sun Mar 26 14:33:50 GMT 2006


Matt Richards wrote:

>>Matt Richards wrote:
>>
>>>>Matt Richards wrote:
>>>>
>>>>>>Matt Richards wrote:
>>>>>>
>>>>>>>>Matt Richards wrote:
>>>>>>>>
>>>>>>>>>>I was following the howto below (originally posted on this list as
>>>>>>>>>>BIG Samba howto for debian only.) to see if I could get my
>>>>>>>>>>not-quite-working Samba 3.0.14a (debian) server fully working and
>>>>>>>>>>able to handle my Linux logins too. The problem I'm having with my
>>>>>>>>>>Samba setup is that I can't change user passwords except through
>>>>>>>>>>Swat. Users can't change them from their machines using the Windows
>>>>>>>>>>password change - but they are notified to change them when they
>>>>>>>>>>expire.
>>>>>>>>>>
>>>>>>>>>>Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP
>>>>>>>>>>Server configuration". Neither slapindex nor slapd will run. It
>>>>>>>>>>looks like it doesn't like something about my root password, but
>>>>>>>>>>I'm not sure what it wants (I'm no expert on LDAP).  :)
>>>>>>>>>>
>>>>>>>>>>Slapindex complains "bad configuration file". Slapd gives the more
>>>>>>>>>>detailed:
>>>>>>>>>>line 65 (rootpw ***)
>>>>>>>>>>/etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn
>>>>>>>>>>is under suffix
>>>>>>>>>>
>>>>>>>>>>I've attached my slapd.conf file if that is of any assistance. Any
>>>>>>>>>>help will be greatly appreciated.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>Louis van Belle wrote:
>>>>>>>>>>
>>>>>>>>>[..snip..]
>>>>>>>>>
>>>>>>>>>humm well looking at the config file the first thing that i notice
>>>>>>>>>is this ...
>>>>>>>>># The base of your directory in database #1
>>>>>>>>>suffix          "dc=rahim-dale,dc=org"
>>>>>>>>>rootdn                "cn=admin,dc=toronto,dc=ontario,dc=ca"
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>your root dn isn't in the base of your ldap tree, this should
>>>>>>>>>probably be something like ...
>>>>>>>>>
>>>>>>>>>suffix          "dc=rahim-dale,dc=org"
>>>>>>>>>rootdn                "cn=admin,dc=rahim-dale,dc=org"
>>>>>>>>>
>>>>>>>>>try it n let us know what happens :).
>>>>>>>>>
>>>>>>>>>HTH
>>>>>>>>>
>>>>>>>>>Matt.
>>>>>>>>>
>>>>>>>>You got it in one!  I've got slapd running.
>>>>>>>>
>>>>>>>>Now I'm stuck at "5.4 set the samba ldap admin password". I can set
>>>>>>>>the admin password and get the expected response, but when I try
>>>>>>>>"smbldap-populate -a Administrator -b nobody -u 2000 -g 2000", it
>>>>>>>>fails to add the various groups. I get "failed to add entry:
>>>>>>>>modifications require authentication at /usr/sbin/smbldap-populate
>>>>>>>>line 460, <GEN1> line 3." for each ou=<groupname> it tries to add.
>>>>>>>>
>>>>>>>>Any ideas?
>>>>>>>>
>>>>>>>the smbldap-populate script requires authentication to the ldap
>>>>>>>server. there is probably a problem with the login you have set in
>>>>>>>smbldap.conf .. if you have set any at all!
>>>>>>>
>>>>>>>i would recommend looking through the smbldap-tools howto at
>>>>>>>http://samba.idealx.org/smbldap-tools.en.html
>>>>>>>and see if there is anything you have missed out, but the first thing
>>>>>>>i would try is this ..
>>>>>>>
>>>>>>>...
>>>>>>>3 Configuring the smbldap-tools
>>>>>>>As mentioned in the previous section, you'll have to update two
>>>>>>>configuration files. The first (smbldap.conf) allows you to set
>>>>>>>global parameters that are readable by everybody, and the second
>>>>>>>(smbldap_bind.conf) defines two administrative accounts to bind to a
>>>>>>>slave and a master ldap server: this file must thus be readable only
>>>>>>>by root. A script named configure.pl can help you to set their
>>>>>>>contents up. It is located in the tarball downloaded or in the
>>>>>>>documentation directory if you got the RPM archive (see
>>>>>>>/usr/share/doc/smbldap-tools/). Just invoke it:
>>>>>>>
>>>>>>>/usr/share/doc/smbldap-tools/configure.pl
>>>>>>>...
>>>>>>>
>>>>>>>note : the smbldap-tools dir might not be located in your
>>>>>>>/usr/share/doc/ directory.
>>>>>>>
>>>>>>>if this doesn't work you could attach your smbldap config file (with
>>>>>>>the passwd taken out of course) so we can have a little look.
>>>>>>>
>>>>>>>Matt.
>>>>>>>
>>>>>>I can't see anything wrong with my setup but even when I tweak the
>>>>>>settings a little, I get the same result. Here are: smbldap.conf,
>>>>>>smbldap_bind.conf (with passwords removed) and the smb.conf I'm using
>>>>>>for ldap (renamed right now because I'm keeping my old setup available
>>>>>>until I get this working).
>>>>>>
>>>>>>One issue is my password does have an apostrophe and a period in it.
>>>>>>It shouldn't be an issue because the bind file has them in quotes. I've
>>>>>>also tried them escaped ("\") but that didn't change anything.
>>>>>>
>>>>>ok i have looked over everything and the only thing i can see at this
>>>>>moment is this ...
>>>>>
>>>>>in your smbldap_bind.conf file you aren't using a bind dn of
>>>>>cn=admin,dc=family,dc=rahim-dale,dc=org for authentication against the
>>>>>ldap server but the line in the config i gave you before was rootdn
>>>>>"cn=admin,dc=rahim-dale,dc=org" ... when you first setup ldap no
>>>>>accounts exist in the ldap database. the rootdn account is like a
>>>>>virtual account that will always have full access and because of this
>>>>>(and i'm guessing your ldap tree is blank) you will only be able to use
>>>>>the rootdn to bind at this time.
>>>>>
>>>>>there are a few lines you can try to attempt to bind to the ldap server
>>>>>...
>>>>>
>>>>>ldapsearch -D cn=admin,dc=family,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
>>>>>ldapsearch -D cn=admin,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
>>>>>
>>>>>the first is the bind dn in your smbldap_bind.conf and the second is
>>>>>using the rootdn from the other email.
>>>>>
>>>>>as your ldap tree is blank you won't get much output but one should fail
>>>>>with a bind error and the other should say something like no such
>>>>>object.
>>>>>
>>>>>HTH, let me know if they work and i will see if i can see anything else
>>>>>that may be wrong.
>>>>>
>>>>>Matt.
>>>>>
>>>>It's the one without the "family". The howto I've been following used
>>>>"internal" in some places, so I've been trying to follow that model,
>>>>replacing "internal" with "family". I went back and put the "family" in
>>>>the slapd.conf and now it worked with the "family". However, it still
>>>>failed to populate. In fact, the "adding new entry" lines still left out
>>>>family.
>>>>
>>>>Next I removed family and tried again (stopping slapd and samba, running
>>>>slapindex then restarting the services each time). Still getting the
>>>>same problem.
>>>>
>>>>
>>>ok now I think you have a root of dc=family,dc=rahim-dale,dc=org in your
>>>ldap tree and all the scripts to create the entries in ldap are trying to
>>>create entries under dc=rahim-dale,dc=org .. e.g
>>>ou=Users,dc=rahim-dale,dc=org.
>>>
>>>you have 2 options, ...
>>>
>>>1. you can remove everything in the ldap database (including the root
>>>object) make sure all the config files are pointing to the same place.
>>>
>>>for this step it should be only ...
>>>
>>># LDAP Suffix
>>># Ex: suffix=dc=IDEALX,dc=ORG
>>>suffix="dc=rahim-dale,dc=org"
>>>
>>>in smbldap.conf
>>>
>>>and cn=admin,dc=rahim-dale,dc=org for the slapd.conf rootdn line and
>>>smbldap_bind.conf files
>>>
>>>and then run the scripts again and everything should go nicely.
>>>
>>>as I don't know how to remove everything in the ldap tree and don't have
>>>an openldap server lying around to try anything out on I am also sending
>>>this email to the OpenLDAP mailing lists. if anybody could help that
>>>would be great. (ldapdelete i guess?)
>>>
>>>
>>>2. change everything to have a ldap base of
>>>dc=family,dc=rahim-dale,dc=org
>>>and re run the scripts, they should skip over everything that already
>>>exists and just add the objects that don't exist.
>>>
>>>oh also ...
>>>if you re run
>>>ldapsearch -D cn=admin,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
>>>do you see a base and/or any other objects ?
>>>
>>>attaching the output would be useful.
>>>
>>>also .. ldap can be quite complicated at first, if you're just starting
>>>to use it i would recommend using a nice pretty front end so you can see
>>>what is going on.
>>>A good front end is ...
>>>http://phpldapadmin.sf.net/ , however, this also requires a web server
>>>and php being setup.
>>>
>>>HTH
>>>
>>>Matt.
>>>
>>Actually, your two suggestions were what I'd already tried (except for
>>removing everything in the ldap database in 1 - how do you do that?). I
>>guess my language was a little confusing. I even changed the smb.conf.
>>
>>Here's the output you requested:
>>
>># extended LDIF
>>#
>># LDAPv3
>># base <> with scope sub
>># filter: (objectclass=*)
>># requesting:
>>#
>>
>># search result
>>search: 2
>>result: 32 No such object
>>
>># numResponses: 1
>>
>
>lol oops i forgot to set a base in that command using -b
>ldapsearch -D cn=admin,dc=rahim-dale,dc=org -b dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
>
>and
>
>ldapsearch -D cn=admin,dc=rahim-dale,dc=org -b dc=family,dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
>
>anyway i need to go to my mum's now for some mother's day thing and i'm
>already late .. oops
>
>maybe you should try doing all the openldap related stuff from that guide
>again, and this time make sure you stick to one ldap base
>(dc=rahim-dale,dc=org).
>
>Matt.
>
OK, here's the new output (along with the command line I used). To be 
clear, last night I did do exactly what you suggested - going back and 
using just one ldap suffix - tried it with both, going back to the point 
that the suffix is first entered and redoing the instructions (in the 
Debian-only howto - which seems to have some cut-and-pasting from the 
idealx.org howto) from there.

semper:/etc/smbldap-tools# ldapsearch -D cn=admin,dc=rahim-dale,dc=org -b dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=rahim-dale,dc=org> with scope sub
# filter: (objectclass=*)
# requesting:
#

# rahim-dale.org
dn: dc=rahim-dale,dc=org

# admin, rahim-dale.org
dn: cn=admin,dc=rahim-dale,dc=org

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2


Below is the same thing when I try to run smbldap-populate:
semper:/etc/smbldap-tools# smbldap-populate -a Administrator -b nobody -u 2000 -g 2000
Using workgroup name from sambaUnixIdPooldn (smbldap.conf): sambaDomainName=rahim-dale
Using builtin directory structure
entry dc=rahim-dale,dc=org already exist.
adding new entry: ou=Users,dc=rahim-dale,dc=org
failed to add entry: modifications require authentication at 
/usr/sbin/smbldap-populate line 460, <GEN1> line 3.
adding new entry: ou=Groups,dc=rahim-dale,dc=org
failed to add entry: modifications require authentication at 
/usr/sbin/smbldap-populate line 460, <GEN1> line 4.
adding new entry: ou=Computers,dc=rahim-dale,dc=org
failed to add entry: modifications require authentication at 
/usr/sbin/smbldap-populate line 460, <GEN1> line 5.
adding new entry: ou=Idmap,dc=rahim-dale,dc=org
failed to add entry: modifications require authentication at 
/usr/sbin/smbldap-populate line 460, <GEN1> line 6.
adding new entry: sambaDomainName=rahim-dale,dc=rahim-dale,dc=org
failed to add entry: modifications require authentication at 
/usr/sbin/smbldap-populate line 460, <GEN1> line 7.
adding new entry: uid=Administrator,ou=Users,dc=rahim-dale,dc=org
failed to add entry: modifications require authentication at 
/usr/sbin/smbldap-populate line 460, <GEN1> line 8.
adding new entry: uid=nobody,ou=Users,dc=rahim-dale,dc=org
failed to add entry: modifications require authentication at 
/usr/sbin/smbldap-populate line 460, <GEN1> line 9.
adding new entry: cn=Domain Admins,ou=Groups,dc=rahim-dale,dc=org
failed to add entry: modifications require authentication at 
/usr/sbin/smbldap-populate line 460, <GEN1> line 10.
adding new entry: cn=Domain Users,ou=Groups,dc=rahim-dale,dc=org
failed to add entry: modifications require authentication at 
/usr/sbin/smbldap-populate line 460, <GEN1> line 11.
adding new entry: cn=Domain Guests,ou=Groups,dc=rahim-dale,dc=org
failed to add entry: modifications require authentication at 
/usr/sbin/smbldap-populate line 460, <GEN1> line 12.
adding new entry: cn=Domain Computers,ou=Groups,dc=rahim-dale,dc=org
failed to add entry: modifications require authentication at 
/usr/sbin/smbldap-populate line 460, <GEN1> line 13.
adding new entry: cn=Administrators,ou=Groups,dc=rahim-dale,dc=org
failed to add entry: modifications require authentication at 
/usr/sbin/smbldap-populate line 460, <GEN1> line 19.
adding new entry: cn=Print Operators,ou=Groups,dc=rahim-dale,dc=org
failed to add entry: modifications require authentication at 
/usr/sbin/smbldap-populate line 460, <GEN1> line 20.
adding new entry: cn=Backup Operators,ou=Groups,dc=rahim-dale,dc=org
failed to add entry: modifications require authentication at 
/usr/sbin/smbldap-populate line 460, <GEN1> line 21.
adding new entry: cn=Replicators,ou=Groups,dc=rahim-dale,dc=org
failed to add entry: modifications require authentication at 
/usr/sbin/smbldap-populate line 460, <GEN1> line 21.
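
As an added example (not code from the thread or from the smbldap-tools project), a POSIX shell check that the three configuration files discussed above agree on one LDAP base and that rootdn sits under suffix, the condition behind the "rootpw can only be set when rootdn is under suffix" error, plus the thread's advice that the bind DN in smbldap_bind.conf be the rootdn while the tree is still empty. It assumes the directive names suffix, rootdn and masterDN, and the sample file contents are constructed from the values quoted in the thread.

```shell
# Added example, not from the thread: check that slapd.conf, smbldap.conf and
# smbldap_bind.conf agree on one LDAP base and that rootdn sits under suffix
# (the condition behind "rootpw can only be set when rootdn is under suffix").
# Directive names are the files' own; sample contents are constructed from the
# values quoted in the thread.

# Print the value of directive $1 in file $2, with any "=" and quotes removed.
ldap_directive() {
    grep "^[[:space:]]*$1[[:space:]=]" "$2" | head -n 1 \
      | sed -e "s/^[[:space:]]*$1[[:space:]]*=\{0,1\}[[:space:]]*//" \
            -e 's/^"//' -e 's/"[[:space:]]*$//'
}

# Succeed when DN $1 equals base $2 or ends in ",<base>" (case and spaces ignored).
dn_under_base() {
    dn=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' ')
    base=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' ')
    case "$dn" in
        "$base" | *",$base") return 0 ;;
        *) return 1 ;;
    esac
}

# $1 slapd.conf, $2 smbldap.conf, $3 smbldap_bind.conf: report every mismatch,
# return 0 only when the three files are consistent.
check_ldap_base() {
    suffix=$(ldap_directive suffix "$1"); rootdn=$(ldap_directive rootdn "$1")
    smbsuffix=$(ldap_directive suffix "$2"); masterdn=$(ldap_directive masterDN "$3")
    rc=0
    dn_under_base "$rootdn" "$suffix" ||
        { echo "slapd.conf: rootdn '$rootdn' is not under suffix '$suffix'"; rc=1; }
    [ "$smbsuffix" = "$suffix" ] ||
        { echo "smbldap.conf: suffix '$smbsuffix' differs from slapd suffix '$suffix'"; rc=1; }
    # While the tree is empty only the rootdn can bind, so the bind DN must match it.
    [ "$masterdn" = "$rootdn" ] ||
        { echo "smbldap_bind.conf: masterDN '$masterdn' is not the rootdn '$rootdn'"; rc=1; }
    return $rc
}

# Constructed sample files: the mismatch from the thread, then the corrected form.
tmp=$(mktemp -d)
printf 'suffix          "dc=rahim-dale,dc=org"\nrootdn          "cn=admin,dc=toronto,dc=ontario,dc=ca"\n' > "$tmp/slapd.bad.conf"
printf 'suffix          "dc=rahim-dale,dc=org"\nrootdn          "cn=admin,dc=rahim-dale,dc=org"\n' > "$tmp/slapd.good.conf"
printf '# Ex: suffix=dc=IDEALX,dc=ORG\nsuffix="dc=rahim-dale,dc=org"\nusersdn="ou=Users,${suffix}"\n' > "$tmp/smbldap.conf"
printf 'masterDN="cn=admin,dc=rahim-dale,dc=org"\nmasterPw="REDACTED"\n' > "$tmp/smbldap_bind.conf"

check_ldap_base "$tmp/slapd.bad.conf" "$tmp/smbldap.conf" "$tmp/smbldap_bind.conf" ||
    echo "fix the files above before running smbldap-populate"
```

Run it against the real /etc/ldap/slapd.conf and /etc/smbldap-tools files before stopping slapd and re-running slapindex; a clean pass means the "rootdn is under suffix" error cannot recur, and that smbldap-populate will bind with the same DN slapd treats as rootdn.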


