[Samba] confusion and problem with Samba v3.3.8 as PDC with ldapsam backend

Dimitri Yioulos dyioulos at firstbhph.com
Tue Jan 18 14:54:46 MST 2011


On Tuesday 18 January 2011 4:08:36 pm Jon Detert wrote:
> On Tue, Jan 18, 2011 at 2:35 PM, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:
> > Nt- I don't use the "ldapsam:editposix"
> > option myself, if I understand it correctly
> > it means you don't have to precreate the
> > underlying unix accounts.
>
> That is my understanding as well.  I've never
> used it before, however.
>
> > However,  I believe you still need to do the
> > following
> >
> >    Create a samba Administrator account
> >    Create samba Domain Admins and Domain Users groups.
> >    Explicitly specify the uid or username for the "guest" user.
> >    Set ldap password for the idmap backend (net idmap secret thedomain  xxxx )
>
> the log messages tend to support this belief.
>
> > "smbpasswd -w" sets the ldap password samba
> > to access ldap for users and groups. But
> > idmap needs the ldap password set as well eg.
>
> I don't understand that.  There is no separate
> idmap process, afaik. Why can't the 'idmap'
> functionality get the same ldap credentials
> that smbd and winbindd evidently get from the
> smb.conf and the secrets.tdb files?
>
> >        net idmap secret MYDOMAIN  xxxx
> >    net idmap secret alloc  xxxx
>
> In any case, I tried the above, and got the
> same error for both command :
>
> "The only currently supported backend is LDAP"
>
> My smb.conf has a line expressly saying "idmap
> backend = ldap:ldap://localhost".   Does smbd
> have to be running before running the 'net
> idmap' commands?  If so, I'm screwed, cuz now
> that I fixed the 'out=IDmap' typo, smbd dies
> immediately after trying to start it.
>
> Ideas?
>
> Thanks,
>
> Jon
>
> > I don't know if when using the
> > "ldapsam:editposix" option you can use
> > smbpasswd to create the user accounts.  
> > Also, I used "net groupmap add...." to create
> > the mappings between the samba Domain Admins
> > group and the unix group by the same name.
> >
> >
> > If it were me,  I would also create local
> > unix groups for "Domain Admins" (e.g. with
> > gid 512), "Domain Users"  etc and then use
> > "net groupmap" to map the unix gids to the
> > Windows well known id's.
> >
> >
> > net groupmap add ntgroup="Domain Admins" unixgroup=512 rid=512 type=domain
> > net groupmap add ntgroup="Domain Users" unixgroup=513 rid=513 type=domain
> > net groupmap add ntgroup="Domain Guests" unixgroup=514 rid=514 type=domain
> > net groupmap add ntgroup="Domain Computers" unixgroup=515 rid=515 type=domain
> > net groupmap add ntgroup="Domain Controllers" unixgroup=516 rid=516 type=domain
> >
> >
> > I would create a unix "Administrator" user in
> > the "Domain Admins" group then use smbpasswd
> > to create the samba Administrator account.
> >
> > I use Apache Directory Studio for browsing
> > and editing ldap entries.    You may find
> > having a GUI ldap browser and editor really
> > useful.     You should be able to tell if
> > your LDAP groups have unix gids and samba
> > sids.
> >
> > This way you can get basic functionality
> > working, then you can start troubleshooting
> > winbind and idmap.
> >
> > On 01/18/2011 03:04 PM, Jon Detert wrote:
> >> Hello,
> >>
> >> I'm trying to use samba v3.3.8 on Centos 5.5
> >> to act as a PDC, using ldap as the backend
> >> for users, groups, and computers.  The ldap
> >> I'm using is Centos Directory Server v8.1.
> >>
> >> The setting is a new, never used before,
> >> installation of samba and ldap. There are no
> >> users other than what exists by default
> >> after a Centos install.  The smb.conf
> >> contains what is my best guess for the
> >> desired goal.
> >>
> >> The problem at the moment (besides having to
> >> guess at what to put in smb.conf - see
> >> below) is that smbd exits about 2 minutes
> >> after I start it. Here are what I think are
> >> the relevant bits from the log.smbd:
> >>
> >> [2011/01/18 13:40:42,  2] lib/smbldap_util.c:smbldap_search_domain_info(277)
> >>   smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CHI))]
> >> [2011/01/18 13:40:42,  2] lib/smbldap.c:smbldap_open_connection(856)
> >>   smbldap_open_connection: connection opened
> >> [2011/01/18 13:40:42,  3] lib/smbldap.c:smbldap_connect_system(1067)
> >>   ldap_connect_system: successful connection to the LDAP server
> >> [2011/01/18 13:40:42,  4] lib/smbldap.c:smbldap_open(1143)
> >>   The LDAP server is successfully connected
> >> [2011/01/18 13:41:12,  4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1519)
> >>   ldapsam_getsampwnam: Unable to locate user [root] count=0
> >> [2011/01/18 13:41:42,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
> >>   ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=0))
> >> [2011/01/18 13:42:12,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
> >>   ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544))
> >> [2011/01/18 13:42:27,  3] groupdb/mapping.c:pdb_create_builtin_alias(786)
> >>   pdb_create_builtin_alias: Could not get a gid out of winbind
> >> [2011/01/18 13:42:27,  2] auth/token_util.c:create_local_nt_token(450)
> >>   WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind allocate gids?
> >> [2011/01/18 13:42:57,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
> >>   ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
> >> [2011/01/18 13:43:12,  1] passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2871)
> >>   User account [nobody] not found!
> >> [2011/01/18 13:43:12,  0] smbd/server.c:main(1404)
> >>   ERROR: failed to setup guest info.
> >>
> >> winbind is running.  log.winbindd contains
> >> nothing useful to me. log.winbindd-idmap
> >> contains lines suggesting it can't bind to
> >> the ldap server:
> >>
> >> [2011/01/18 13:42:41,  2] lib/smbldap.c:smbldap_connect_system(1052)
> >>   failed to bind to server ldap://localhost with dn="uid=samba,ou=Special Users,dc=infinityhealthcare,dc=com" Error: Invalid credentials
> >>
> >> and
> >>
> >> [2011/01/18 13:42:49,  1] lib/smbldap.c:another_ldap_try(1231)
> >>   Connection to LDAP server failed for the 8 try!
> >>
> >> Why doesn't the smbd log say something
> >> equivalent?  In fact, it suggests the
> >> opposite, saying that "The LDAP server is
> >> successfully connected".
> >>
> >> I did set the samba admin dn's password with
> >> the command "smbpasswd -W" before starting
> >> either winbindd or smbd, and also verified
> >> that it is correct using the command
> >> "ldapsearch -x -h localhost -s sub -b
> >> ou=people,dc=infinityhealthcare,dc=com
> >> -D"uid=samba,ou=Special
> >> Users,dc=infinityhealthcare,dc=com" -W".
> >>
> >> Any ideas or suggestions?
> >>
> >> Thanks,
> >>
> >> Jon
> >>
> >>
> >>
> >>
> >>
> >> The rest of this email is my smb.conf:
> >> =============================
> >> [global]
> >>
> >>     workgroup = CHI
> >>     server string = Samba Server Version %v
> >>
> >>     netbios name = SAMBAPDC
> >>
> >>     log file = /var/log/samba/log.%m
> >>     log level = 4
> >>     max log size = 50
> >>
> >>     security = user
> >>     passdb backend = ldapsam:ldap://localhost
> >>
> >>     domain master = yes
> >>     preferred master = yes
> >>     domain logons = yes
> >>     logon drive = N:
> >>     logon path = \\%L\Profiles\%u
> >>
> >>     logon script = %u.bat
> >>
> >>     ldap admin dn = "uid=samba,ou=Special Users,dc=infinityhealthcare,dc=com"
> >>     ldap user suffix = ou=People
> >>     ldap group suffix = ou=Groups
> >>     ldap idmap suffix = out=IDmap
> >>     ldap machine suffix = ou=Computers
> >>     ldap suffix = dc=infinityhealthcare,dc=com
> >>     ldap delete dn = no
> >>     ldapsam:trusted = yes
> >>     ldapsam:editposix = yes
> >>     ldap ssl = off
> >>     idmap backend = ldap:ldap://localhost
> >>     idmap uid = 5000-50000
> >>     idmap gid = 5000-50000
> >>     winbind enum groups = yes
> >>     winbind nested groups = yes
> >>     template shell = /sbin/nologin
> >>     template homedir = /home/%D/%U
> >>     winbind use default domain = yes
> >>
> >>     wins support = yes
> >>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >>
> >> [homes]
> >>     comment = Home Directories
> >>     browseable = no
> >>     writable = yes
> >>
> >>
> >> [netlogon]
> >>     comment = Network Logon Service
> >>     path = /var/lib/samba/netlogon
> >>     guest ok = yes
> >>     writable = no
> >>     share modes = no
> >
> > --


I, too, ran into this very problem.   I have a 
terrible short-term memory (can't even remember 
what I was doing an hour ago :-) ), and never 
write anything down, of course, so I'm not 
exactly sure what I did to correct the problem.  
But, try this:

make sure perl-Net-LDAP is installed.

run "authconfig-tui".  On the first page, 
choose "Use LDAP" from the left pane, and "Use 
LDAP Authentication" in the right pane.  In the 
next page, add your LDAP server (e.g. 
ldap://myserver.mydomain.tld/), and your base DN.  
Click OK.

IIRC, ncpd and portmap were closed in the process 
(they pose problems in this scenario).  I'd 
restart Samba and LDAP.

HTH.

Dimitri
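As an added check for the smb.conf pitfalls in Jon's quoted post (example code written for this page, not a Samba tool): a small Python linter that parses the [global] section and flags the malformed "ldap idmap suffix" (the 'out=IDmap' typo), the LDAP idmap backend whose bind secret Gaiseric says must be stored with "net idmap secret", and the guest user that "ldapsam:trusted = yes" requires to exist in LDAP (the "User account [nobody] not found!" / "failed to setup guest info" chain). The sample config is a constructed excerpt of the one quoted above.

```python
import re

# Constructed excerpt of the smb.conf quoted in the thread (not the whole file).
SAMPLE_SMB_CONF = """
[global]
    workgroup = CHI
    passdb backend = ldapsam:ldap://localhost
    ldap admin dn = "uid=samba,ou=Special Users,dc=infinityhealthcare,dc=com"
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap idmap suffix = out=IDmap
    ldap machine suffix = ou=Computers
    ldap suffix = dc=infinityhealthcare,dc=com
    ldapsam:trusted = yes
    idmap backend = ldap:ldap://localhost
"""
SUFFIX_KEYS = ("ldap user suffix", "ldap group suffix",
               "ldap idmap suffix", "ldap machine suffix")
# An RDN chain such as ou=People or ou=a,dc=b; anything else (e.g. out=IDmap) is suspect.
RDN_RE = re.compile(r"^(?:ou|cn|o|dc)=[^,=]+(?:,(?:ou|cn|o|dc)=[^,=]+)*$", re.I)


def parse_global(text):
    """Return the [global] parameters as {normalised key: value} (quotes stripped)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip().strip('"')
    return params


def lint_global(params):
    """Return (parameter, problem) pairs for the pitfalls discussed in the thread."""
    findings = []
    for key in SUFFIX_KEYS:                      # catches the 'out=IDmap' typo
        value = params.get(key)
        if value is not None and not RDN_RE.match(value):
            findings.append((key, f"'{value}' is not an RDN (e.g. 'out=' for 'ou=')"))
    if params.get("idmap backend", "").startswith("ldap:"):
        findings.append(("idmap backend", "LDAP idmap uses its own stored bind secret; "
                         "confirm it was set with 'net idmap secret', not only 'smbpasswd -w'"))
    if params.get("ldapsam:trusted", "no").lower() == "yes" and "guest account" not in params:
        findings.append(("guest account", "unset, so the default 'nobody' must exist in LDAP; "
                         "otherwise smbd logs 'failed to setup guest info' and exits"))
    return findings
```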




