[Samba] samba idmap ldap backend

Sébastien Prud'homme sebastien.prudhomme at gmail.com
Tue Oct 21 16:11:20 GMT 2008


In nsswitch.conf, replace "ldap" with "winbind" on the passwd and group lines (`passwd: files winbind`, `group: files winbind`). With `idmap backend = ldap` the directory only stores the SID-to-uid/gid mappings under ou=Idmap; it holds no posixAccount or posixGroup entries, so nss_ldap can never resolve a domain user. Your slapd log shows exactly that: nss_ldap searches ou=People for uid=administrator and gets err=32 (noSuchObject — the base does not even exist). The winbind NSS module instead asks winbindd, which already works (wbinfo -u succeeds) and maps the SID through the idmap store. Keep "ldap" in the list only if you also put POSIX accounts in the directory.

2008/10/21 Johan Hendriks <Johan at double-l.nl>:
> Hello all
>
>
>
> First of all Sorry for the long e-mail
>
>
>
> I am trying to get samba working as a domain member and store the idmap in a ldap database.
>
>
>
> The join is successful and the usual commands work as they should (wbinfo -u, wbinfo -g, kinit, etc.)
>
> But the id administrator command gives me the following
>
>
>
> # id administrator
>
> id: administrator: no such user
>
>
>
> If I do not use the ldap backend it works well.
>
>
>
> This is on FreeBSD 7_RELEASE with samba 3.0.32 and openldap 2.3.43
>
> I did everything described in chapter 7 of the Samba-3 by Example document.
>
> I also ran `smbpasswd -w 12345` to store the LDAP admin DN password in secrets.tdb.
>
>
>
> I am working on this for over 3 days now but my ldap understanding is not that much I guess.
>
> What am I forgetting or doing wrong.
>
>
>
> Best regards,
>
> Johan Hendriks
>
>
>
>
>
> My slapd.conf file
>
>
>
> #
>
> # See slapd.conf(5) for details on configuration options.
>
> # This file should NOT be world readable.
>
> #
>
> include         /usr/local/etc/openldap/schema/core.schema
>
> include         /usr/local/etc/openldap/schema/cosine.schema
>
> include         /usr/local/etc/openldap/schema/inetorgperson.schema
>
> include         /usr/local/etc/openldap/schema/misc.schema
>
> include         /usr/local/etc/openldap/schema/nis.schema
>
> include         /usr/local/etc/openldap/schema/openldap.schema
>
> include         /usr/local/etc/openldap/schema/samba.schema
>
>
>
> loglevel 256
>
>
>
> pidfile         /var/run/openldap/slapd.pid
>
> argsfile        /var/run/openldap/slapd.args
>
>
>
> # Load dynamic backend modules:
>
> modulepath      /usr/local/libexec/openldap
>
> moduleload      back_bdb
>
>
>
> #######################################################################
>
> # BDB database definitions
>
> #######################################################################
>
>
>
> # NOTE(review): no "access to" directives appear anywhere in this file.
> # With no ACLs slapd uses its built-in default policy (slapd.access(5)),
> # which lets everyone, anonymous binds included, read every attribute of
> # every entry. The idmap data is not secret, but add ACLs (userPassword and
> # the samba*Password attributes readable only by self and the admin DN,
> # read for the rest) before any account data is stored in this directory.
> database        bdb
>
> suffix          "dc=double-l,dc=local"
>
> rootdn          "cn=Manager,dc=double-l,dc=local"
>
> # NOTE(review): slapd.conf(5) directives are whitespace-separated; the form
> # is "rootpw <secret>" with no "=". The cn=Manager binds in the log below
> # succeed, so either slapd tolerated this line or the running config
> # differs from what is shown -- check it. Store a hash generated with
> # slappasswd(8) ("rootpw {SSHA}...") rather than a clear-text value, and
> # rotate this password: it is also the bindpw in nss_ldap.conf and the
> # "smbpasswd -w" secret, and it has now been posted to a public list.
> rootpw = 12345
>
>
>
>
>
>
>
> directory       /usr/local/var/db/openldap-data
>
>
>
> # Indices to maintain
>
> index   objectClass     eq
>
> index   cn              pres,sub,eq
>
> index   sn              pres,sub,eq
>
> index   uid             pres,sub,eq
>
> index   displayName     pres,sub,eq
>
> index   uidNumber               eq
>
> index   gidNumber               eq
>
> index   memberUID               eq
>
> index   sambaSID                eq
>
> index   sambaPrimaryGroupSID    eq
>
> index   sambaDomainName         eq
>
> index   default                 sub
>
>
>
> my ldap.conf and nss_ldap.conf file:
>
>
>
>
>
> # NOTE(review): ldap.conf / nss_ldap.conf must be readable by every process
> # that resolves a name, so it is normally world-readable. Binding as the
> # directory rootdn (cn=Manager) with its clear-text password here therefore
> # hands the LDAP root credentials to every local user. Use an anonymous bind
> # or a dedicated read-only DN for NSS lookups, and keep any privileged
> # credential in "rootbinddn" + /etc/ldap.secret (mode 0600) instead.
> base dc=double-l,dc=local
>
> binddn cn=Manager,dc=double-l,dc=local
>
> bindpw 12345
>
>
>
>
>
> pam_password exop
>
>
>
> bind_policy soft
>
> bind_timelimit 10
>
>
>
> # NOTE(review): simple bind with no TLS (the slapd log shows ssf=0). That is
> # tolerable only because slapd is on loopback; if the directory ever moves to
> # another host add "ssl start_tls" and a "tls_cacertfile".
> host 127.0.0.1
>
> idle_timelimit 3600
>
> ldap_version 3
>
>
>
> # NOTE(review): neither ou=Groups nor ou=People exists in this directory --
> # the slapd log below answers searches under both with err=32 (noSuchObject).
> # With "idmap backend = ldap" the directory only holds SID<->uid/gid
> # mappings under ou=Idmap (sambaIdmapEntry), not posixAccount/posixGroup
> # entries, so nss_ldap can never resolve a domain user; winbind is the NSS
> # source for those (see nsswitch.conf).
> nss_base_group  ou=Groups,dc=double-l,dc=local?one
>
> nss_base_passwd ou=People,dc=double-l,dc=local?one
>
> nss_base_shadow ou=People,dc=double-l,dc=local?one
>
>
>
> nss_connect_policy persist
>
> nss_paged_results yes
>
>
>
> pagesize 1000
>
> port 389
>
> timelimit 30
>
>
>
> my /etc/nsswitch.conf:
>
> # NOTE(review): "ldap" makes nss_ldap look for posixGroup entries under
> # ou=Groups, which does not exist (slapd log: err=32). Domain groups come
> # from winbindd, which maps SIDs through the ou=Idmap store, so this line
> # should read "group: files winbind" (add "ldap" back only if POSIX groups
> # are also kept in the directory).
> group: files ldap
>
> group_compat: nis
>
> hosts: files dns
>
> networks: files
>
> # NOTE(review): same problem -- "id administrator" fails because nss_ldap
> # searches ou=People for uid=administrator and gets err=32. Use
> # "passwd: files winbind"; winbindd is already running (wbinfo -u works).
> passwd: files ldap
>
> passwd_compat: nis
>
> shells: files
>
> services: compat
>
> services_compat: nis
>
> protocols: files
>
> rpc: files
>
>
>
> my idmap.ldiff file
>
>
>
> # NOTE(review): these entries are the Samba-3 by Example sample verbatim and
> # use dc=snowshow,dc=com, but the database suffix in slapd.conf is
> # dc=double-l,dc=local; slapd will not accept entries outside its suffix.
> # The base entry, cn=Manager and ou=Idmap have to be created under
> # dc=double-l,dc=local. The slapd log does find ou=Idmap,dc=double-l,dc=local
> # with a sambaUnixIdPool entry, so presumably a corrected copy was actually
> # loaded -- keep this file in sync with what is in the directory.
> dn: dc=snowshow,dc=com
> objectClass: dcObject
> objectClass: organization
> dc: snowshow
> o: The Greatest Snow Show in Singapore.
> description: Posix and Samba LDAP Identity Database
>
> dn: cn=Manager,dc=snowshow,dc=com
> objectClass: organizationalRole
> cn: Manager
> description: Directory Manager
>
> dn: ou=Idmap,dc=snowshow,dc=com
> objectClass: organizationalUnit
> ou: idmap
>
>
>
>
>
> and finally my smb.conf file
>
>
>
> [global]
>
> workgroup = DOUBLE-L
>
> netbios name = BEASTY
>
> realm = DOUBLE-L.LOCAL
>
> server string = Samba Server
>
> security = ADS
>
> # NOTE(review): debug level 10 on ads/auth/sam/rpc is very verbose and can
> # record authentication material in the Samba logs; drop back to
> # "log level = 1" once this is solved and keep the log directory
> # unreadable to ordinary users meanwhile.
> log level = 1 ads:10 auth:10 sam:10 rpc:10
>
> # NOTE(review): this is the directory rootdn. winbindd only needs to read
> # and write under ou=Idmap, so a dedicated DN whose write access is limited
> # to that subtree would be least privilege. The DN case also differs from
> # slapd.conf (dc=DOUBLE-L vs dc=double-l); dc is case-insensitive and the
> # slapd log shows the bind DN being normalised, so it works, but keeping
> # the two identical avoids confusion.
> ldap admin dn = cn=Manager,dc=DOUBLE-L,dc=LOCAL
>
> ldap idmap suffix = ou=Idmap
>
> ldap suffix = dc=DOUBLE-L,dc=LOCAL
>
> # NOTE(review): plain ldap:// to loopback, so the admin password only
> # crosses the local host; use ldaps:// or "ldap ssl = start tls" if this
> # ever points at a remote directory.
> idmap backend = ldap:ldap://127.0.0.1
>
> idmap uid = 150000-550000
>
> idmap gid = 150000-550000
>
> template shell = /usr/local/bin/bash
>
> winbind use default domain = Yes
>
>
>
> [share1]
>
>        comment = Data Directory
>
>        path = /mnt
>
>        #write list = @mr70
>
>        read only = no
>
>        # NOTE(review): 0777 masks allow every file and directory created
>        # through this share to end up world-writable on the filesystem, and
>        # with "read only = no" and no "valid users"/"write list" (the only
>        # one is commented out) any authenticated domain user can write here.
>        # Unless that is intended, use something like "create mask = 0664" /
>        # "directory mask = 0775" with a "force group", and restrict writers
>        # with "write list".
>        create mask = 0777
>
>        directory mask = 0777
>
>
>
> and my /etc/krb5.conf file
>
>
>
> [libdefaults]
>
>        # NOTE(review): Kerberos realm names are case-sensitive. "DOUBLE-l.LOCAL"
>        # (lower-case l) does not match "realm = DOUBLE-L.LOCAL" in smb.conf.
>        # kinit is reported to work, but write the realm as DOUBLE-L.LOCAL in
>        # all three places below so that nothing depends on which file a
>        # given tool happens to read.
>        default_realm = DOUBLE-l.LOCAL
>
>        clockskew = 300
>
>
>
> [realms]
>
>        DOUBLE-l.LOCAL = {
>
>                kdc = w2003s01.double-l.local
>
>        }
>
>
>
> [domain_realm]
>
>        .double-l.local = DOUBLE-l.LOCAL
>
>
>
>
>
> This is part of my slapd log after restarting samba and running `id administrator`:
>
>
>
> Oct 21 16:47:34 beasty slapd[60723]: conn=7 fd=13 closed (connection lost)
>
> Oct 21 16:47:34 beasty slapd[60723]: conn=8 fd=15 closed (connection lost)
>
> Oct 21 16:47:34 beasty slapd[60723]: conn=6 fd=12 closed (connection lost)
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=13 fd=12 ACCEPT from IP=127.0.0.1:58176 (IP=127.0.0.1:389)
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=13 op=0 BIND dn="cn=Manager,dc=double-l,dc=local" method=128
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=13 op=0 BIND dn="cn=Manager,dc=double-l,dc=local" mech=SIMPLE ssf=0
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=13 op=0 RESULT tag=97 err=0 text=
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=13 op=1 SRCH base="ou=Groups,dc=double-l,dc=local" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=13 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=13 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=14 fd=13 ACCEPT from IP=127.0.0.1:60398 (IP=127.0.0.1:389)
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=14 op=0 BIND dn="cn=Manager,dc=DOUBLE-L,dc=LOCAL" method=128
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=14 op=0 BIND dn="cn=Manager,dc=double-l,dc=local" mech=SIMPLE ssf=0
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=14 op=0 RESULT tag=97 err=0 text=
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=14 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=14 op=1 SRCH attr=supportedControl
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=14 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=14 op=2 SRCH base="ou=Idmap,dc=DOUBLE-L,dc=LOCAL" scope=2 deref=0 filter="(objectClass=sambaUnixIdPool)"
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=14 op=2 SRCH attr=uidNumber gidNumber objectClass
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=14 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=15 fd=15 ACCEPT from IP=127.0.0.1:60156 (IP=127.0.0.1:389)
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=15 op=0 BIND dn="cn=Manager,dc=DOUBLE-L,dc=LOCAL" method=128
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=15 op=0 BIND dn="cn=Manager,dc=double-l,dc=local" mech=SIMPLE ssf=0
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=15 op=0 RESULT tag=97 err=0 text=
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=15 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=15 op=1 SRCH attr=supportedControl
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=15 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=15 op=2 SRCH base="ou=Idmap,dc=DOUBLE-L,dc=LOCAL" scope=2 deref=0 filter="(&(objectClass=sambaIdmapEntry)(gidNumber=65534))"
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=15 op=2 SRCH attr=sambaSID uidNumber gidNumber objectClass
>
> Oct 21 16:47:35 beasty slapd[60723]: conn=15 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
>
> Oct 21 16:47:50 beasty slapd[60723]: conn=16 fd=17 ACCEPT from IP=127.0.0.1:50821 (IP=127.0.0.1:389)
>
> Oct 21 16:47:50 beasty slapd[60723]: conn=16 op=0 BIND dn="cn=Manager,dc=double-l,dc=local" method=128
>
> Oct 21 16:47:50 beasty slapd[60723]: conn=16 op=0 BIND dn="cn=Manager,dc=double-l,dc=local" mech=SIMPLE ssf=0
>
> Oct 21 16:47:50 beasty slapd[60723]: conn=16 op=0 RESULT tag=97 err=0 text=
>
> Oct 21 16:47:50 beasty slapd[60723]: conn=16 op=1 SRCH base="ou=People,dc=double-l,dc=local" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=administrator))"
>
> Oct 21 16:47:50 beasty slapd[60723]: conn=16 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
>
> Oct 21 16:47:50 beasty slapd[60723]: conn=16 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
>
> Oct 21 16:47:50 beasty slapd[60723]: conn=16 fd=17 closed (connection lost)
>
>
>
>
>
>
>
>
>
>
>
>

