[Samba] Problem: LDAP as idmap backend

Chris Osicki osk at admin.swisscom-mobile.ch
Fri Aug 14 02:47:08 MDT 2009


That helped, many thanks, David.

However, winbind behaves strangely.

I ask it to print the SID-UID mapping for a SID I know is in LDAP:

wbinfo --sid-to-uid S-1-5-21-796845957-1547161642-839522115-187984

It fails and winbindd says:

ldap_connect_system: successful connection to the LDAP server
ldap_set_mapping_internals: Failed to add S-1-5-21-796845957-1547161642-839522115-187984 to 20011 mapping [uidNumber]
ldap_set_mapping_internals: Error was: (NULL) (Already exists)
Could not store the new mapping: NT_STATUS_UNSUCCESSFUL

In the LDAP server logs I see a successful search and then an attempt to ADD (?!) a mapping
for the given SID with the next free UID from the defined UID range:

conn=564 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.238.186.50 to 10.238.186.52
conn=564 op=0 msgId=1 - BIND dn="uid=idmapadm,ou=idmap,dc=swissptt,dc=ch" method=128 version=3
conn=564 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=idmapadm,ou=idmap,dc=swissptt,dc=ch"
conn=564 op=1 msgId=2 - SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl"
conn=564 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
conn=564 op=2 msgId=3 - SRCH base="ou=idmap,dc=swissptt,dc=ch" scope=2 filter="(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-21-796845957-1547161642-839522115-187984))" attrs="sambaSID uidNumber gidNumber objectClass"
conn=564 op=2 msgId=3 - RESULT err=0 tag=101 nentries=1 etime=0
conn=564 op=3 msgId=4 - ADD dn="sambaSID=S-1-5-21-796845957-1547161642-839522115-187984,ou=idmap,dc=swissptt,dc=ch"
conn=564 op=3 msgId=4 - RESULT err=68 tag=105 nentries=0 etime=0 csn=4a851d61000100020000
conn=564 op=4 msgId=5 - UNBIND
conn=564 op=4 msgId=-1 - closing - U1
conn=564 op=-1 msgId=-1 - closed.

My LDAP was pre-fed with all known SID-UID mappings; the dynamic allocation is there
"just in case".

Is it a bug or a feature? Or again a config parameter I missed?

Thanks for your time.

Regards,
Chris

On Thu, 13 Aug 2009 23:45:16 +0100
David Markey <dmarkey at dodds.dmarkey.com> wrote:

> 
> ldap ssl = off 
> 
> 
> On Thu, 13 Aug 2009 23:26:37 +0200, Chris Osicki
> <osk at admin.swisscom-mobile.ch> wrote:
> > Hi
> > 
> > I've just upgraded Samba on Solaris 10 from the bundled version (3.0.33)
> > to 3.4.0 and winbind doesn't want to cooperate with LDAP as idmap backend
> > anymore.
> > 
> > The smb.conf I use is:
> > 
> > [global]
> >     workgroup = CORPROOT
> >     netbios name = usonfs
> >     security = domain
> >     log level = 10
> >     preferred master = no
> >     bind interfaces only = yes
> >     interfaces = usonfs
> > 
> >     password server = sg000057.corproot.net sg1006z.corproot.net
> >     winbind uid = 20000-21000
> >     winbind gid = 20000-21000
> >     winbind enum users = no
> >     winbind enum groups = no
> > 
> >     # Using ldap server as winbindd backend
> >     idmap backend = ldap:ldap://usoldap01.swissptt.ch
> >     ldap:ldap://usoldap02.swissptt.ch
> >     ldap admin dn = uid=idmapadm,ou=idmap,dc=swissptt,dc=ch
> >     ldap idmap suffix = ou=idmap
> >     ldap suffix = dc=swissptt,dc=ch
> > 
> > I compiled Samba myself: configure; make; make install.
> > 
> > It must be something obvious I'm overlooking I hope somebody could
> > point it out.
> > 
> > Running winbindd as:
> > 
> > /usr/local/samba/sbin/winbindd -d 3 -i -n
> > 
> > I see those messages:
> > 
> > [ 8286]: sid to uid S-1-5-21-796845957-1547161642-839522115-187984
> > idmap_init: using 'ldap' as remote backend
> > Failed to issue the StartTLS instruction: Connect error
> > Connection to LDAP server failed for the 1 try!
> > Failed to issue the StartTLS instruction: Connect error
> > Connection to LDAP server failed for the 3 try!
> > Failed to issue the StartTLS instruction: Connect error
> > Connection to LDAP server failed for the 5 try!
> > Failed to issue the StartTLS instruction: Connect error
> > Connection to LDAP server failed for the 7 try!
> > 
> > 
> > Thanks for your time.
> > 
> > Regards,
> > Chris
> 
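The access-log excerpt above shows the failure pattern Chris describes: a SRCH for the sambaSID returns nentries=1, and the very next operation on the same connection is an ADD of that SID's DN, which the server rejects with err=68 (LDAP entryAlreadyExists). As an added example that is not part of the original thread or of Samba, the following script parses access-log lines in that conn=/op= format, pairs each request with its RESULT, and reports every ADD that failed with err=68 for a SID the same connection had already found. The conn=564 lines are copied from the post; the conn=565 lines (with a hypothetical RID 999999) are constructed here to show a normal allocation that must not be flagged.

```python
#!/usr/bin/env python3
"""Flag winbind idmap ADDs that the directory rejected because the
sambaIdmapEntry for that SID already existed (err=68), when the same
connection had just searched for the SID and found it."""
import re
from collections import defaultdict

LDAP_ENTRY_ALREADY_EXISTS = 68  # RFC 4511 result code entryAlreadyExists

# Constructed sample: conn=564 is copied from the post; conn=565 is invented
# (hypothetical RID 999999) and shows a normal allocation that is not flagged.
SAMPLE_LOG = """\
conn=564 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.238.186.50 to 10.238.186.52
conn=564 op=0 msgId=1 - BIND dn="uid=idmapadm,ou=idmap,dc=swissptt,dc=ch" method=128 version=3
conn=564 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=idmapadm,ou=idmap,dc=swissptt,dc=ch"
conn=564 op=1 msgId=2 - SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl"
conn=564 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
conn=564 op=2 msgId=3 - SRCH base="ou=idmap,dc=swissptt,dc=ch" scope=2 filter="(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-21-796845957-1547161642-839522115-187984))" attrs="sambaSID uidNumber gidNumber objectClass"
conn=564 op=2 msgId=3 - RESULT err=0 tag=101 nentries=1 etime=0
conn=564 op=3 msgId=4 - ADD dn="sambaSID=S-1-5-21-796845957-1547161642-839522115-187984,ou=idmap,dc=swissptt,dc=ch"
conn=564 op=3 msgId=4 - RESULT err=68 tag=105 nentries=0 etime=0 csn=4a851d61000100020000
conn=564 op=4 msgId=5 - UNBIND
conn=564 op=4 msgId=-1 - closing - U1
conn=564 op=-1 msgId=-1 - closed.
conn=565 op=0 msgId=1 - BIND dn="uid=idmapadm,ou=idmap,dc=swissptt,dc=ch" method=128 version=3
conn=565 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=idmapadm,ou=idmap,dc=swissptt,dc=ch"
conn=565 op=1 msgId=2 - SRCH base="ou=idmap,dc=swissptt,dc=ch" scope=2 filter="(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-21-796845957-1547161642-839522115-999999))" attrs="sambaSID uidNumber gidNumber objectClass"
conn=565 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
conn=565 op=2 msgId=3 - ADD dn="sambaSID=S-1-5-21-796845957-1547161642-839522115-999999,ou=idmap,dc=swissptt,dc=ch"
conn=565 op=2 msgId=3 - RESULT err=0 tag=105 nentries=0 etime=0
"""

LINE_RE = re.compile(r"^conn=(?P<conn>\d+) op=(?P<op>-?\d+) msgId=(?P<msg>-?\d+) - (?P<rest>.*)$")
SID_RE = re.compile(r"sambaSID=(S-1-\d+(?:-\d+)+)")   # SID inside a filter or a DN
ERR_RE = re.compile(r"\berr=(\d+)")
NENTRIES_RE = re.compile(r"\bnentries=(\d+)")


def parse_operations(lines):
    """Pair each request line with its RESULT line, keyed by (conn, op).

    Returns dicts {conn, op, request, err, nentries} in first-seen order.
    Lines not in the conn=/op= format are ignored; an op's first non-RESULT
    line is taken as its request (BIND, SRCH, ADD, UNBIND, ...).
    """
    ops, order = {}, []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key = (int(m["conn"]), int(m["op"]))
        rest = m["rest"]
        if key not in ops:
            ops[key] = {"conn": key[0], "op": key[1], "request": None, "err": None, "nentries": None}
            order.append(key)
        entry = ops[key]
        if rest.startswith("RESULT"):
            err, nent = ERR_RE.search(rest), NENTRIES_RE.search(rest)
            entry["err"] = int(err.group(1)) if err else None
            entry["nentries"] = int(nent.group(1)) if nent else None
        elif entry["request"] is None:
            entry["request"] = rest
    return [ops[k] for k in order]


def find_duplicate_mapping_attempts(lines):
    """One finding per ADD of a sambaSID DN that failed with err=68 after a
    SRCH on the same connection had already found that SID."""
    search_hits = defaultdict(dict)   # conn -> {sid: nentries of the last SRCH}
    findings = []
    for op in parse_operations(lines):
        req = op["request"] or ""
        sid_match = SID_RE.search(req)
        if not sid_match:
            continue
        sid = sid_match.group(1)
        if req.startswith("SRCH") and op["nentries"] is not None:
            search_hits[op["conn"]][sid] = op["nentries"]
        elif req.startswith("ADD") and op["err"] == LDAP_ENTRY_ALREADY_EXISTS:
            hits = search_hits[op["conn"]].get(sid, 0)
            if hits >= 1:
                findings.append({"conn": op["conn"], "sid": sid,
                                 "search_hits": hits, "add_err": op["err"]})
    return findings


if __name__ == "__main__":
    for f in find_duplicate_mapping_attempts(SAMPLE_LOG.splitlines()):
        print(f"conn={f['conn']}: {f['sid']} already present ({f['search_hits']} hit) "
              f"but an ADD for it was attempted; server answered err={f['add_err']}")
```

Run it against a real access log with `find_duplicate_mapping_attempts(open(path).readlines())`; a finding means the client found the existing sambaIdmapEntry and still tried to allocate a new one, which is exactly the symptom to take to the winbindd debug log rather than an LDAP permissions problem (the BIND and the SRCH both succeeded).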
