[Samba] getent group fails
Dermot
paikkos at googlemail.com
Wed Jun 22 07:46:52 MDT 2011
Hi,
I've been debugging this for a day now and I am on the edge of my
understanding and could use some help.
I have a smbd 3.5.6 running as a PDC (smb.conf below) with an openldap
backend. If I run `getent passwd` I get all the users (local and
Domain) and computer accounts that I've imported into the ldap tree.
If I run `getent group`, I only see local groups:
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
....
powerdev:x:115:
ntpd:x:116:
winbindd_priv:x:117: (don't know where winbind comes from. It's not in
/etc/passwd)
I can see the imported groups in the ldap tree via phpLDAPadmin.
I have cranked up the logging in slapd.conf and watched as I did both queries:
>getent passwd
Jun 22 13:17:27 rigel slapd[26541]: conn=59 fd=14 ACCEPT from
IP=127.0.0.1:39071 (IP=0.0.0.0:389)
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=0 BIND
dn="cn=admin,dc=example,dc=co,dc=uk" method=128
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=0 BIND
dn="cn=admin,dc=example,dc=co,dc=uk" mech=SIMPLE ssf=0
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=0 RESULT tag=97 err=0 text=
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SRCH
base="dc=example,dc=co,dc=uk" scope=2 deref=0
filter="(objectClass=posixAccount)"
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SRCH attr=uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SEARCH RESULT tag=101
err=0 nentries=115 text=
Jun 22 13:17:27 rigel slapd[26541]: conn=59 fd=14 closed (connection lost)
nentries=115
>getent group
Jun 22 13:17:27 rigel slapd[26541]: conn=60 fd=14 ACCEPT from
IP=127.0.0.1:39072 (IP=0.0.0.0:389)
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=0 BIND
dn="cn=admin,dc=example,dc=co,dc=uk" method=128
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=0 BIND
dn="cn=admin,dc=example,dc=co,dc=uk" mech=SIMPLE ssf=0
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=0 RESULT tag=97 err=0 text=
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SRCH
base="ou=group,dc=example,dc=co,dc=uk" scope=1 deref=0
filter="(&(objectClass=posixGroup))"
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SRCH attr=cn
userPassword memberUid uniqueMember gidNumber
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SEARCH RESULT tag=101
err=32 nentries=0 text=
Jun 22 13:17:27 rigel slapd[26541]: conn=60 fd=14 closed (connection lost)
nentries=0 and err=32
I tried to replicate the query using ldapsearch. I am not very
familiar with ldapsearch. This was the best I could muster:
>ldapsearch -x -b 'dc=example,dc=co,dc=uk' '(ObjectClass=posixGroup)'
This returned the groups from the ldap tree correctly:
...
...
# Backup Operators, Groups, example.co.uk
dn: cn=Backup Operators,ou=Groups,dc=example,dc=co,dc=uk
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators
# Replicators, Groups, example.co.uk
dn: cn=Replicators,ou=Groups,dc=example,dc=co,dc=uk
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators
# search result
search: 2
result: 0 Success
# numResponses: 10
# numEntries: 9
The difference as far as I can tell is between the two searches
SRCH base="ou=group,dc=example,dc=co,dc=uk" scope=1 deref=0
filter="(&(objectClass=posixGroup)) # Failed lookup
and
SRCH base="dc=example,dc=co,dc=uk" scope=2 deref=0
filter="(objectClass=posixGroup)" # Working lookup
The first one confines itself to the base 'group' ou, where as the
working search starts at the root and does not restrict themselves. If
I do (notice ou=groups)
>ldapsearch -x -b 'ou=groups,dc=example,dc=co,dc=uk' '(ObjectClass=posixGroup)'
I see this:
Jun 22 13:32:47 rigel slapd[26541]: conn=102 fd=14 ACCEPT from
IP=127.0.0.1:51550 (IP=0.0.0.0:389)
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=0 BIND dn="" method=128
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=0 RESULT tag=97 err=0 text=
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=1 SRCH
base="ou=groups,dc=example,dc=co,dc=uk" scope=2 deref=0
filter="(objectClass=posixGroup)"
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=1 SEARCH RESULT
tag=101 err=0 nentries=9 text=
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=2 UNBIND
Jun 22 13:32:47 rigel slapd[26541]: conn=102 fd=14 closed
and get this by way of response:
# search result
search: 2
result: 0 Success
# numResponses: 10
# numEntries: 9 # CORRECT!
If I do the search as it looks like it's being sent to ldap, EG:
ou=group NOT ou=groups
>ldapsearch -x -b 'ou=group,dc=example,dc=co,dc=uk' '(ObjectClass=posixGroup)'
I see:
Jun 22 13:36:07 rigel slapd[26541]: conn=110 fd=22 ACCEPT from
IP=127.0.0.1:42136 (IP=0.0.0.0:389)
Jun 22 13:36:07 rigel slapd[26541]: conn=110 op=0 BIND dn="" method=128
Jun 22 13:36:07 rigel slapd[26541]: conn=110 op=0 RESULT tag=97 err=0 text=
Jun 22 13:36:07 rigel slapd[26541]: conn=110 op=1 SRCH
base="ou=group,dc=sciencephoto,dc=co,dc=uk" scope=2 deref=0
filter="(objectClass=posixGroup)"
Jun 22 13:36:07 rigel slapd[26541]: conn=110 op=1 SEARCH RESULT
tag=101 err=32 nentries=0 text=
Jun 22 13:36:07 rigel slapd[26541]: conn=110 op=2 UNBIND
Jun 22 13:36:07 rigel slapd[26541]: conn=110 fd=22 closed
and get this response:
# search result
search: 2
result: 32 No such object
matchedDN: dc=example,dc=co,dc=uk
I have grepped everywhere but I can not see how to tweak the config so
that the search will be performed on ou=groups. I think I am very
close to working out what's wrong but I could use some advice.
Thanks in advance,
Dermot.
================ ldap.conf =========
base dc=example,dc=co,dc=uk
host localhost rigel.example.co.uk
binddn cn=admin,dc=example,dc=co,dc=uk
bindpw mysecret
bind_policy soft
pam_password exop
timelimit 15
nss_base_passwd dc=example,dc=co,dc=uk?one
nss_base_shadow dc=example,dc=co,dc=uk?one
nss_base_passwd ou=Computers,dc=example,dc=co,dc=uk?one
nss_base_shadow ou=Computers,dc=example,dc=co,dc=uk?one
nss_base_group ou=Groups,dc=example,dc=co,dc=uk?one
ssl off
======================================
================= smb.conf =============
[global]
dos charset = UTF-8
display charset = UTF-8
workgroup = LDN
server string = %h server
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1/
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
*all*authentication*tokens*updated*
unix password sync = Yes
log level = 1
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
smb ports = 139 445
name resolve order = wins hosts bcast
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel '%u'
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
logon script = logon.bat
logon path =
logon drive = U:
logon home =
domain logons = Yes
os level = 65
preferred master = Auto
domain master = Yes
dns proxy = No
ldap admin dn = cn=admin,dc=example,dc=co,dc=uk
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=Computers, ou=Users
ldap passwd sync = yes
ldap suffix = dc=example,dc=co,dc=uk
ldap ssl = no
ldap timeout = 20
ldap user suffix = ou=Users
panic action = /usr/share/samba/panic-action %d
idmap backend = ldap:"ldap://127.0.0.1/"
idmap uid = 15000-20000
idmap gid = 15000-20000
map acl inherit = Yes
case sensitive = No
hide unreadable = Yes
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
[netlogon]
path = /var/lib/samba/netlogon
browseable = No
[profiles]
path = /var/lib/samba/profiles
force user = %U
read only = No
create mask = 0600
directory mask = 0700
guest ok = Yes
profile acls = Yes
browseable = No
csc policy = disable
[public]
path = /tmp
read only = No
guest ok = Yes
More information about the samba
mailing list