[Samba] question concerning ldapsam:editposix - winbind problems!

Andrew Richey ar2748 at columbia.edu
Thu Jan 17 13:45:01 GMT 2008

I actually loaded another box with Fedora, and used authconfig like you 
described.  It worked quite well! :-)

On a slightly different note... Previously I thought I had winbind 
working, but it seems I don't.  I believe I put all the correct entries 
in my smb.conf file... but I keep getting errors in my winbind logs.  
Also, wbinfo -t and -u come back with errors.  I'm probably doing 
something silly, but I'm running around in mental circles trying to 
figure out what it is.

appropriate smb.conf entries...

idmap domains = EPSILON
idmap config EPSILON:backend = ldap
idmap config EPSILON:readonly = no
idmap config EPSILON:default = yes
idmap config EPSILON:ldap_base_dn = ou=idmap, ....
idmap config EPSILON:ldap_user_dn = cn=admin, ...
idmap config EPSILON:ldap_url = ldap://ip-address:389
idmap config EPSILON:range = 5000-500000
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=idmap, ....
idmap alloc config:ldap_user_dn = cn=admin, ....
idmap alloc config:ldap_url = ldap://ip-address:389
idmap alloc config:range = 5000-500000

section of log.winbindd-idmap:

[2008/01/16 19:18:43, 1] nsswitch/idmap.c:idmap_init(377)
Initializing idmap domains
[2008/01/16 19:18:43, 0] nsswitch/idmap.c:idmap_init(388)
idmap_init: Ignoring domain EPSILON

wbinfo -t:

checking the trust secret via RPC calls failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
Could not check secret

Adam Williams wrote:
> yes, linux distros require nss_ldap and pam_ldap to authenticate linux 
> shell accounts against ldap.  if you are using fedora/centos you can 
> use authconfig and select ldap and put in the required info.  and 
> you'll need to add ldap to the passwd: shadow: and group: entries in 
> /etc/nsswitch.conf
> authconfig will configure /etc/ldap.conf and edd the required ldap 
> attributes to /etc/pam.d/system-auth
> not sure about freebsd but it shouldn't be too different. (famous last 
> words!)
> to convert your existing /etc/passwd users to ldap, you can use the 
> PADL migration tools.
> Andrew Richey wrote:
>> Well, it looks like I would have to use pam_ldap and nss_ldap to make 
>> this work.  Or so I think...  Wondering if all the Linux distros 
>> require these too, to authenticate off of ldap.
>> Andrew Richey wrote:
>>> Hey guys,
>>> I've gotten my samba + openldap running quite well, minus one 
>>> problem (that I know about).  I've read over plenty of 
>>> documentation, the official and other wiki's and such.  I believe I 
>>> have winbind working correctly, so I assume I won't have to use 
>>> external scripts to add groups/users/etc..
>>> But isn't there something one must do in order for their OS (in my 
>>> case FreeBSD 6.2) to use my ldap server instead of /etc/passwd and 
>>> /etc/group files?   I'm unable to change the Administrator users 
>>> password because I have no Unix account for it, and I assume it's 
>>> looking for that in /etc/passwd.  On the same token, I can add 
>>> another user who already exists in my /etc/password  (the local user 
>>> I added during the installation of FreeBSD).  And it shows up 
>>> sucsessfully in my ldap server.
>>> At first I was thinking that the ...
>>> ldapsam:trusted= yes
>>> ldapsam:editposix= yes
>>> ..handled this issue, via winbind.  But that might be a 
>>> misunderstanding on my part. Anyone have any ideas?

More information about the samba mailing list