[Samba] samba idmap ldap backend

Johan Hendriks Johan at double-l.nl
Tue Oct 21 14:50:08 GMT 2008


Hello all,

First of all, sorry for the long e-mail.

I am trying to get Samba working as a domain member and store the idmap in an LDAP database.

The join is successful and all commands work as they should: wbinfo -u, wbinfo -g, kinit, etc.

But the `id administrator` command gives me the following:

# id administrator

id: administrator: no such user

If I do not use the LDAP backend, it works well.

This is on FreeBSD 7-RELEASE with Samba 3.0.32 and OpenLDAP 2.3.43.

I did everything mentioned in chapter 7 of the Samba by Example document.

I also ran `smbpasswd -w 12345`.

I have been working on this for over 3 days now, but my LDAP understanding is not that good, I guess.

What am I forgetting or doing wrong?

Best regards,

Johan Hendriks

My slapd.conf file:

#

# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

#

include         /usr/local/etc/openldap/schema/core.schema

include         /usr/local/etc/openldap/schema/cosine.schema

include         /usr/local/etc/openldap/schema/inetorgperson.schema

include         /usr/local/etc/openldap/schema/misc.schema

include         /usr/local/etc/openldap/schema/nis.schema

include         /usr/local/etc/openldap/schema/openldap.schema

include         /usr/local/etc/openldap/schema/samba.schema

loglevel 256

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
moduleload      back_bdb

#######################################################################

# BDB database definitions

#######################################################################

database        bdb
suffix          "dc=double-l,dc=local"
rootdn          "cn=Manager,dc=double-l,dc=local"
rootpw = 12345

directory       /usr/local/var/db/openldap-data

# Indices to maintain

index   objectClass     eq

index   cn              pres,sub,eq

index   sn              pres,sub,eq

index   uid             pres,sub,eq

index   displayName     pres,sub,eq

index   uidNumber               eq

index   gidNumber               eq

index   memberUID               eq

index   sambaSID                eq

index   sambaPrimaryGroupSID    eq

index   sambaDomainName         eq

index   default                 sub

My ldap.conf and nss_ldap.conf file:

base dc=double-l,dc=local
binddn cn=Manager,dc=double-l,dc=local
bindpw 12345

pam_password exop

=20

bind_policy soft

bind_timelimit 10

=20

host 127.0.0.1

idle_timelimit 3600

ldap_version 3

=20

nss_base_group  ou=Groups,dc=double-l,dc=local?one
nss_base_passwd ou=People,dc=double-l,dc=local?one
nss_base_shadow ou=People,dc=double-l,dc=local?one

nss_connect_policy persist

nss_paged_results yes

=20

pagesize 1000

port 389

timelimit 30

My /etc/nsswitch.conf:

group: files ldap

group_compat: nis

hosts: files dns

networks: files

passwd: files ldap

passwd_compat: nis

shells: files

services: compat

services_compat: nis

protocols: files

rpc: files

My idmap.ldiff file:

dn: dc=snowshow,dc=com
objectClass: dcObject
objectClass: organization
dc: snowshow
o: The Greatest Snow Show in Singapore.
description: Posix and Samba LDAP Identity Database

dn: cn=Manager,dc=snowshow,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=Idmap,dc=snowshow,dc=com
objectClass: organizationalUnit
ou: idmap

And finally my smb.conf file:

[global]
workgroup = DOUBLE-L
netbios name = BEASTY
realm = DOUBLE-L.LOCAL
server string = Samba Server
security = ADS
log level = 1 ads:10 auth:10 sam:10 rpc:10
ldap admin dn = cn=Manager,dc=DOUBLE-L,dc=LOCAL
ldap idmap suffix = ou=Idmap
ldap suffix = dc=DOUBLE-L,dc=LOCAL
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 150000-550000
idmap gid = 150000-550000
template shell = /usr/local/bin/bash
winbind use default domain = Yes

[share1]
        comment = Data Directory
        path = /mnt
        #write list = @mr70
        read only = no
        create mask = 0777
        directory mask = 0777

And my /etc/krb5.conf file:

[libdefaults]
        default_realm = DOUBLE-l.LOCAL
        clockskew = 300

[realms]
        DOUBLE-l.LOCAL = {
                kdc = w2003s01.double-l.local
        }

[domain_realm]
        .double-l.local = DOUBLE-l.LOCAL

This is a part of my slapd.log file after a restart of Samba and an `id administrator` command:

Oct 21 16:47:34 beasty slapd[60723]: conn=7 fd=13 closed (connection lost)
Oct 21 16:47:34 beasty slapd[60723]: conn=8 fd=15 closed (connection lost)
Oct 21 16:47:34 beasty slapd[60723]: conn=6 fd=12 closed (connection lost)

Oct 21 16:47:35 beasty slapd[60723]: conn=13 fd=12 ACCEPT from IP=127.0.0.1:58176 (IP=127.0.0.1:389)
Oct 21 16:47:35 beasty slapd[60723]: conn=13 op=0 BIND dn="cn=Manager,dc=double-l,dc=local" method=128
Oct 21 16:47:35 beasty slapd[60723]: conn=13 op=0 BIND dn="cn=Manager,dc=double-l,dc=local" mech=SIMPLE ssf=0
Oct 21 16:47:35 beasty slapd[60723]: conn=13 op=0 RESULT tag=97 err=0 text=
Oct 21 16:47:35 beasty slapd[60723]: conn=13 op=1 SRCH base="ou=Groups,dc=double-l,dc=local" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
Oct 21 16:47:35 beasty slapd[60723]: conn=13 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
Oct 21 16:47:35 beasty slapd[60723]: conn=13 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=

Oct 21 16:47:35 beasty slapd[60723]: conn=14 fd=13 ACCEPT from IP=127.0.0.1:60398 (IP=127.0.0.1:389)
Oct 21 16:47:35 beasty slapd[60723]: conn=14 op=0 BIND dn="cn=Manager,dc=DOUBLE-L,dc=LOCAL" method=128
Oct 21 16:47:35 beasty slapd[60723]: conn=14 op=0 BIND dn="cn=Manager,dc=double-l,dc=local" mech=SIMPLE ssf=0
Oct 21 16:47:35 beasty slapd[60723]: conn=14 op=0 RESULT tag=97 err=0 text=
Oct 21 16:47:35 beasty slapd[60723]: conn=14 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Oct 21 16:47:35 beasty slapd[60723]: conn=14 op=1 SRCH attr=supportedControl
Oct 21 16:47:35 beasty slapd[60723]: conn=14 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 21 16:47:35 beasty slapd[60723]: conn=14 op=2 SRCH base="ou=Idmap,dc=DOUBLE-L,dc=LOCAL" scope=2 deref=0 filter="(objectClass=sambaUnixIdPool)"
Oct 21 16:47:35 beasty slapd[60723]: conn=14 op=2 SRCH attr=uidNumber gidNumber objectClass
Oct 21 16:47:35 beasty slapd[60723]: conn=14 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

Oct 21 16:47:35 beasty slapd[60723]: conn=15 fd=15 ACCEPT from IP=127.0.0.1:60156 (IP=127.0.0.1:389)
Oct 21 16:47:35 beasty slapd[60723]: conn=15 op=0 BIND dn="cn=Manager,dc=DOUBLE-L,dc=LOCAL" method=128
Oct 21 16:47:35 beasty slapd[60723]: conn=15 op=0 BIND dn="cn=Manager,dc=double-l,dc=local" mech=SIMPLE ssf=0
Oct 21 16:47:35 beasty slapd[60723]: conn=15 op=0 RESULT tag=97 err=0 text=
Oct 21 16:47:35 beasty slapd[60723]: conn=15 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Oct 21 16:47:35 beasty slapd[60723]: conn=15 op=1 SRCH attr=supportedControl
Oct 21 16:47:35 beasty slapd[60723]: conn=15 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 21 16:47:35 beasty slapd[60723]: conn=15 op=2 SRCH base="ou=Idmap,dc=DOUBLE-L,dc=LOCAL" scope=2 deref=0 filter="(&(objectClass=sambaIdmapEntry)(gidNumber=65534))"
Oct 21 16:47:35 beasty slapd[60723]: conn=15 op=2 SRCH attr=sambaSID uidNumber gidNumber objectClass
Oct 21 16:47:35 beasty slapd[60723]: conn=15 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=

Oct 21 16:47:50 beasty slapd[60723]: conn=16 fd=17 ACCEPT from IP=127.0.0.1:50821 (IP=127.0.0.1:389)
Oct 21 16:47:50 beasty slapd[60723]: conn=16 op=0 BIND dn="cn=Manager,dc=double-l,dc=local" method=128
Oct 21 16:47:50 beasty slapd[60723]: conn=16 op=0 BIND dn="cn=Manager,dc=double-l,dc=local" mech=SIMPLE ssf=0
Oct 21 16:47:50 beasty slapd[60723]: conn=16 op=0 RESULT tag=97 err=0 text=
Oct 21 16:47:50 beasty slapd[60723]: conn=16 op=1 SRCH base="ou=People,dc=double-l,dc=local" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=administrator))"
Oct 21 16:47:50 beasty slapd[60723]: conn=16 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Oct 21 16:47:50 beasty slapd[60723]: conn=16 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Oct 21 16:47:50 beasty slapd[60723]: conn=16 fd=17 closed (connection lost)
