[Samba] confusion and problem with Samba v3.3.8 as PDC with ldapsam backend

Jon Detert jdetert at infinityhealthcare.com
Tue Jan 18 13:04:31 MST 2011


Hello,

I'm trying to use samba v3.3.8 on CentOS 5.5 to act as a PDC, using ldap as
the backend for users, groups, and computers.  The ldap I'm using is CentOS
Directory Server v8.1.

The setting is a new, never used before, installation of samba and ldap.
There are no users other than what exists by default after a CentOS
install.  The smb.conf contains what is my best guess for the desired goal.

The problem at the moment (besides having to guess at what to put in
smb.conf - see below) is that smbd exits about 2 minutes after I start it.
Here are what I think are the relevant bits from the log.smbd:

[2011/01/18 13:40:42,  2] lib/smbldap_util.c:smbldap_search_domain_info(277)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CHI))]
[2011/01/18 13:40:42,  2] lib/smbldap.c:smbldap_open_connection(856)
  smbldap_open_connection: connection opened
[2011/01/18 13:40:42,  3] lib/smbldap.c:smbldap_connect_system(1067)
  ldap_connect_system: successful connection to the LDAP server
[2011/01/18 13:40:42,  4] lib/smbldap.c:smbldap_open(1143)
  The LDAP server is successfully connected
[2011/01/18 13:41:12,  4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1519)
  ldapsam_getsampwnam: Unable to locate user [root] count=0
[2011/01/18 13:41:42,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=0))
[2011/01/18 13:42:12,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544))
[2011/01/18 13:42:27,  3] groupdb/mapping.c:pdb_create_builtin_alias(786)
  pdb_create_builtin_alias: Could not get a gid out of winbind
[2011/01/18 13:42:27,  2] auth/token_util.c:create_local_nt_token(450)
  WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind allocate gids?
[2011/01/18 13:42:57,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
[2011/01/18 13:43:12,  1] passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2871)
  User account [nobody] not found!
[2011/01/18 13:43:12,  0] smbd/server.c:main(1404)
  ERROR: failed to setup guest info.

winbind is running.  log.winbindd contains nothing useful to me.
log.winbindd-idmap contains lines suggesting it can't bind to the ldap
server:

[2011/01/18 13:42:41,  2] lib/smbldap.c:smbldap_connect_system(1052)
  failed to bind to server ldap://localhost with dn="uid=samba,ou=Special Users,dc=infinityhealthcare,dc=com" Error: Invalid credentials

and

[2011/01/18 13:42:49,  1] lib/smbldap.c:another_ldap_try(1231)
  Connection to LDAP server failed for the 8 try!

Why doesn't the smbd log say something equivalent?  In fact, it suggests the
opposite, saying that "The LDAP server is successfully connected".

I did set the samba admin dn's password with the command "smbpasswd -W"
before starting either winbindd or smbd, and also verified that it is
correct using the command "ldapsearch -x -h localhost -s sub -b
ou=people,dc=infinityhealthcare,dc=com -D"uid=samba,ou=Special
Users,dc=infinityhealthcare,dc=com" -W".

Any ideas or suggestions?

Thanks,

Jon





The rest of this email is my smb.conf:
=============================
[global]

    workgroup = CHI
    server string = Samba Server Version %v

    netbios name = SAMBAPDC

    log file = /var/log/samba/log.%m
    log level = 4
    max log size = 50

    security = user
    passdb backend = ldapsam:ldap://localhost

    domain master = yes
    preferred master = yes
    domain logons = yes
    logon drive = N:
    logon path = \\%L\Profiles\%u

    logon script = %u.bat

    ldap admin dn = "uid=samba,ou=Special Users,dc=infinityhealthcare,dc=com"
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap idmap suffix = out=IDmap
    ldap machine suffix = ou=Computers
    ldap suffix = dc=infinityhealthcare,dc=com
    ldap delete dn = no
    ldapsam:trusted = yes
    ldapsam:editposix = yes
    ldap ssl = off
    idmap backend = ldap:ldap://localhost
    idmap uid = 5000-50000
    idmap gid = 5000-50000
    winbind enum groups = yes
    winbind nested groups = yes
    template shell = /sbin/nologin
    template homedir = /home/%D/%U
    winbind use default domain = yes

    wins support = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[homes]
    comment = Home Directories
    browseable = no
    writable = yes


[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    guest ok = yes
    writable = no
    share modes = no
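
Added example, not part of the original message and not Samba's own code: a small Python parser for the log.smbd / log.winbindd-idmap record format quoted above, which rejoins records folded across lines and lists the failure messages at low debug levels so that several logs can be compared in one pass. The function names, the keyword list and the abridged sample lines are assumptions made for illustration.

```python
import re

# Samba 3.x header: "[date time,  LEVEL] source.c:function(line)"; "[" optional for damaged copies.
HEADER = re.compile(r"^\[?(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
ORIGIN = re.compile(r"^\S+\.c:(\w+)\(\d+\)$")

def parse_samba_log(text):
    """Return one dict per record, rejoining lines folded by a mail client."""
    records = []
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            records.append({"time": header.group(1), "level": int(header.group(2)),
                            "origin": header.group(3).strip(), "msg": ""})
        elif records and line.strip():
            rec = records[-1]
            if not rec["origin"]:            # header folded before file:function
                rec["origin"] = line.strip()
            else:                            # message body or its folded tail
                rec["msg"] = " ".join((rec["msg"] + " " + line).split())
    for rec in records:
        origin = ORIGIN.match(rec["origin"])
        rec["func"] = origin.group(1) if origin else None
    return records

KEYWORDS = ("failed", "error", "not found", "invalid credentials")  # assumed list
def triage(records, max_level=2):
    """Keep records at or below max_level whose message signals a failure."""
    return [r for r in records
            if r["level"] <= max_level and any(k in r["msg"].lower() for k in KEYWORDS)]

# Constructed sample: abridged records in the style quoted in the post, with folds.
SAMPLE = r"""[2011/01/18 13:40:42,  4] lib/smbldap.c:smbldap_open(1143)
  The LDAP server is successfully connected
[2011/01/18 13:42:27,  2] auth/token_util.c:create_local_nt_token(450)
  WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind
allocate gids?
2011/01/18 13:42:41,  2] lib/smbldap.c:smbldap_connect_system(1052)
  failed to bind to server ldap://localhost Error: Invalid credentials
[2011/01/18 13:43:12,  1]
passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2871)
  User account [nobody] not found!
[2011/01/18 13:43:12,  0] smbd/server.c:main(1404)
  ERROR: failed to setup guest info.
"""

if __name__ == "__main__":
    for r in triage(parse_samba_log(SAMPLE)):
        print(r["time"], r["level"], r["func"], "|", r["msg"])
```

Concatenating log.smbd and log.winbindd-idmap before parsing and sorting the result by the "time" field puts the bind failure and the smbd messages on one timeline.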

