[Samba] getent group fails

Dermot paikkos at googlemail.com
Wed Jun 22 07:46:52 MDT 2011 

Hi,

I've been debugging this for a day now and I am on the edge of my
understanding and could use some help.

I have a smbd 3.5.6 running as a PDC (smb.conf below) with an openldap
backend. If I run `getent passwd` I get all the users (local and
Domain) and computer accounts that I've imported into the ldap tree.
If I run `getent group`, I only see local groups:

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
....
powerdev:x:115:
ntpd:x:116:
winbindd_priv:x:117: (don't know where winbind comes from. It's not in
/etc/passwd)

I can see the imported groups in the ldap tree via phpLDAPadmin.


I have cranked up the logging in slapd.conf and watched as I did both queries:
>getent passwd
Jun 22 13:17:27 rigel slapd[26541]: conn=59 fd=14 ACCEPT from
IP=127.0.0.1:39071 (IP=0.0.0.0:389)
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=0 BIND
dn="cn=admin,dc=example,dc=co,dc=uk" method=128
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=0 BIND
dn="cn=admin,dc=example,dc=co,dc=uk" mech=SIMPLE ssf=0
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=0 RESULT tag=97 err=0 text=
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SRCH
base="dc=example,dc=co,dc=uk" scope=2 deref=0
filter="(objectClass=posixAccount)"
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SRCH attr=uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SEARCH RESULT tag=101
err=0 nentries=115 text=
Jun 22 13:17:27 rigel slapd[26541]: conn=59 fd=14 closed (connection lost)

nentries=115

>getent group
Jun 22 13:17:27 rigel slapd[26541]: conn=60 fd=14 ACCEPT from
IP=127.0.0.1:39072 (IP=0.0.0.0:389)
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=0 BIND
dn="cn=admin,dc=example,dc=co,dc=uk" method=128
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=0 BIND
dn="cn=admin,dc=example,dc=co,dc=uk" mech=SIMPLE ssf=0
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=0 RESULT tag=97 err=0 text=
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SRCH
base="ou=group,dc=example,dc=co,dc=uk" scope=1 deref=0
filter="(&(objectClass=posixGroup))"
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SRCH attr=cn
userPassword memberUid uniqueMember gidNumber
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SEARCH RESULT tag=101
err=32 nentries=0 text=
Jun 22 13:17:27 rigel slapd[26541]: conn=60 fd=14 closed (connection lost)

nentries=0 and err=32

I tried to replicate the query using ldapsearch. I am not very
familiar with ldapsearch. This was the best I could muster:
>ldapsearch -x -b 'dc=example,dc=co,dc=uk'  '(ObjectClass=posixGroup)'

This returned the groups from the ldap tree correctly:
...
...
# Backup Operators, Groups, example.co.uk
dn: cn=Backup Operators,ou=Groups,dc=example,dc=co,dc=uk
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators

# Replicators, Groups, example.co.uk
dn: cn=Replicators,ou=Groups,dc=example,dc=co,dc=uk
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9



The difference as far as I can tell is between the two searches

SRCH base="ou=group,dc=example,dc=co,dc=uk" scope=1 deref=0
filter="(&(objectClass=posixGroup))   # Failed lookup

and

SRCH base="dc=example,dc=co,dc=uk" scope=2 deref=0
filter="(objectClass=posixGroup)" # Working lookup


The first one confines itself to the base 'group' ou, where as the
working search starts at the root and does not restrict themselves. If
I do (notice ou=groups)
>ldapsearch -x -b 'ou=groups,dc=example,dc=co,dc=uk'  '(ObjectClass=posixGroup)'

I see this:
Jun 22 13:32:47 rigel slapd[26541]: conn=102 fd=14 ACCEPT from
IP=127.0.0.1:51550 (IP=0.0.0.0:389)
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=0 BIND dn="" method=128
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=0 RESULT tag=97 err=0 text=
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=1 SRCH
base="ou=groups,dc=example,dc=co,dc=uk" scope=2 deref=0
filter="(objectClass=posixGroup)"
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=1 SEARCH RESULT
tag=101 err=0 nentries=9 text=
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=2 UNBIND
Jun 22 13:32:47 rigel slapd[26541]: conn=102 fd=14 closed

and get this by way of response:
# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9 # CORRECT!

If I do the search as it looks like it's being sent to ldap, EG:
ou=group NOT ou=groups
>ldapsearch -x -b 'ou=group,dc=example,dc=co,dc=uk'  '(ObjectClass=posixGroup)'

I see:
Jun 22 13:36:07 rigel slapd[26541]: conn=110 fd=22 ACCEPT from
IP=127.0.0.1:42136 (IP=0.0.0.0:389)
Jun 22 13:36:07 rigel slapd[26541]: conn=110 op=0 BIND dn="" method=128
Jun 22 13:36:07 rigel slapd[26541]: conn=110 op=0 RESULT tag=97 err=0 text=
Jun 22 13:36:07 rigel slapd[26541]: conn=110 op=1 SRCH
base="ou=group,dc=sciencephoto,dc=co,dc=uk" scope=2 deref=0
filter="(objectClass=posixGroup)"
Jun 22 13:36:07 rigel slapd[26541]: conn=110 op=1 SEARCH RESULT
tag=101 err=32 nentries=0 text=
Jun 22 13:36:07 rigel slapd[26541]: conn=110 op=2 UNBIND
Jun 22 13:36:07 rigel slapd[26541]: conn=110 fd=22 closed

and get this response:

# search result
search: 2
result: 32 No such object
matchedDN: dc=example,dc=co,dc=uk


I have grepped everywhere but I can not see how to tweak the config so
that the search will be performed on ou=groups. I think I am very
close to working out what's wrong but I could use some advice.

Thanks in advance,
Dermot.

================ ldap.conf =========
base dc=example,dc=co,dc=uk
host localhost rigel.example.co.uk
binddn cn=admin,dc=example,dc=co,dc=uk
bindpw mysecret

bind_policy soft
pam_password exop
timelimit 15

nss_base_passwd dc=example,dc=co,dc=uk?one
nss_base_shadow dc=example,dc=co,dc=uk?one
nss_base_passwd ou=Computers,dc=example,dc=co,dc=uk?one
nss_base_shadow ou=Computers,dc=example,dc=co,dc=uk?one
nss_base_group ou=Groups,dc=example,dc=co,dc=uk?one
ssl off
======================================


================= smb.conf =============
[global]
	dos charset = UTF-8
	display charset = UTF-8
	workgroup = LDN
	server string = %h server
	map to guest = Bad User
	passdb backend = ldapsam:ldap://127.0.0.1/
	pam password change = Yes
	passwd program = /usr/sbin/smbldap-passwd -u %u
	passwd chat = *New*password* %n\n *Retype*new*password* %n\n
*all*authentication*tokens*updated*
	unix password sync = Yes
	log level = 1
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	smb ports = 139 445
	name resolve order = wins hosts bcast
	time server = Yes
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	load printers = No
	add user script = /usr/sbin/smbldap-useradd -m %u
	delete user script = /usr/sbin/smbldap-userdel '%u'
	delete group script = /usr/sbin/smbldap-groupdel %g
	add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
	delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
	set primary group script = /usr/sbin/smbldap-usermod -g %g %u
	add machine script = /usr/sbin/smbldap-useradd -w %u
	logon script = logon.bat
	logon path =
	logon drive = U:
	logon home =
	domain logons = Yes
	os level = 65
	preferred master = Auto
	domain master = Yes
	dns proxy = No
	ldap admin dn = cn=admin,dc=example,dc=co,dc=uk
	ldap delete dn = Yes
	ldap group suffix = ou=Groups
	ldap idmap suffix = ou=idmap
	ldap machine suffix = ou=Computers, ou=Users
	ldap passwd sync = yes
	ldap suffix = dc=example,dc=co,dc=uk
	ldap ssl = no
	ldap timeout = 20
	ldap user suffix = ou=Users
	panic action = /usr/share/samba/panic-action %d
	idmap backend = ldap:"ldap://127.0.0.1/"
	idmap uid = 15000-20000
	idmap gid = 15000-20000
	map acl inherit = Yes
	case sensitive = No
	hide unreadable = Yes

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers

[netlogon]
	path = /var/lib/samba/netlogon
	browseable = No

[profiles]
	path = /var/lib/samba/profiles
	force user = %U
	read only = No
	create mask = 0600
	directory mask = 0700
	guest ok = Yes
	profile acls = Yes
	browseable = No
	csc policy = disable

[public]
	path = /tmp
	read only = No
	guest ok = Yes

More information about the samba mailing list