[Samba] idmap problem

Tamás Pisch pischta at gmail.com
Wed Jul 15 04:11:25 MDT 2009 

Hi,

I configured a SaMBa PDC and a BDC with a master and a slave OpenLDAP. I set
up TLS, because I wanted secure syncrepl. Slapd runs with -h ldap://
127.0.0.1/ ldaps.///.
I successfully joined an XP client to the servers' domain, I see shares (but
I havent logged in as a domain user, because I have to create a default
profile first).
My problem is in the log.winbindd-idmap log file:
[2009/07/15 09:24:23,  1] winbindd/idmap.c:idmap_init(385)
  Initializing idmap domains
[2009/07/15 09:24:23,  0] winbindd/idmap.c:idmap_init(396)
  idmap_init: Ignoring domain MYDOMAIN
[2009/07/15 09:24:23,  0] winbindd/idmap.c:idmap_init(549)
  ERROR: Could not get methods for backend ldapsam
[2009/07/15 09:24:23,  0] winbindd/idmap.c:idmap_init(801)
  Aborting IDMAP Initialization ...

smb.conf:
    netbios name = SRV3
    dos charset = CP852
    unix charset = UTF8
    workgroup = MYDOMAIN
    interfaces = 127.0.0.0/8, eth0
    bind interfaces only = Yes
    passdb backend = ldapsam:"ldap://127.0.0.1:389"
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    username map = /etc/samba/username.map
    unix password sync = Yes
    log level = 1 idmap:10
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    smb ports = 139
    name resolve order = wins host bcast
    time server = Yes
.
.
.
    domain logons = Yes
    preferred master = Yes
    wins support = Yes
    ldap admin dn = cn=adm,dc=mydomain,dc=site
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=People
    ldap passwd sync = Yes
    ldap suffix = dc=mydomain,dc=site
    ldap user suffix = ou=People
    eventlog list = Security, Application, Syslog
    usershare max shares = 0
    usershare path = /home/samba/usershares
    panic action = /usr/share/samba/panic-action %d
    idmap backend = ldapsam:ldap://127.0.0.1:389
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    map acl inherit = Yes
    veto oplock files = /*.pdf/*.pst/

/etc/ldap/ldap.conf:
host 127.0.0.1
base dc=mydomain,dc=site
logdir /var/lib/ldap/log
TLS_REQCERT  hard
TLS_CACERT /etc/ssl/certs/cacert.pem

slapd.conf:
#######################################################################
# Global Directives:
# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include        /etc/ldap/schema/samba3.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel    conns stats filter
idletimeout    30
modulepath    /usr/lib/ldap
moduleload    back_hdb
moduleload    syncprov
sizelimit unlimited
tool-threads 1
TLSCertificateFile /etc/ssl/certs/srv3cert.pem
TLSCertificateKeyFile /etc/ssl/private/srv3key.pem
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSVerifyClient never

#######################################################################
# Specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend        hdb
database        hdb
suffix        "dc=mydomain,dc=site"
rootdn          "cn=adm,dc=mydomain,dc=site"
rootpw          {SSHA}.......
directory       "/var/lib/ldap"
dbconfig set_cachesize 0 100000000 1
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 524288
dbconfig set_lg_dir             /var/lib/ldap/log
dbconfig set_flags               DB_LOG_AUTOREMOVE
index objectClass    eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub
index sambaSIDList          eq
index sambaGroupType        eq
index entryCSN,entryUUID eq
lastmod         on
checkpoint      512 30

access to *
    by dn.exact="cn=replicator,dc=mydomain,dc=site" tls_ssf=128 read
    by * break

access to
attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdCanChange
        by dn="cn=admin,dc=mydomain,dc=site" write
        by dn="cn=replicator,dc=mydomain,dc=site" read
        by anonymous auth
        by self write
        by * none

access to dn.base="" by * read

access to *
        by dn="cn=admin,dc=mydomain,dc=site" write
        by dn="cn=replicator,dc=mydomain,dc=site" read
        by self write
        by * read

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

libnss-ldap.conf:
host 127.0.0.1
base dc=mydomain,dc=site
timelimit 50
bind_timelimit 50
bind_policy hard
idle_timelimit 3600
nss_base_passwd ou=People,dc=mydomain,dc=site?one
nss_base_shadow ou=People,dc=mydomain,dc=site?one
nss_base_group  ou=Groups,dc=mydomain,dc=site?one
logdir /var/lib/ldap/log
ldap_version 3
rootbinddn cn=adm,dc=mydomain,dc=site
port 389
pam_password exop
ssl off

Thanks,

Tamas.

More information about the samba mailing list