[Samba] Samba 3.4.7 can't retrieve idmap info from ldap

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Mar 17 14:12:58 MDT 2011


I am running Samba 3.4.7 on Fedora Core 11 Linux.  This is a domain member.

My PDC is Samba 3.4.9 on Solaris 10.  I have LDAP as a backend 
(Sun/Oracle Directory Server 6.)  I have an OU for user accounts, and 
an OU for idmap entries.  The PDC has already populated some idmap entries.

An idmap entry looks like

dn: sambaSID=S-1-5-21-xxxxxxxxxxxxxxx-1121,ou=mydomain,ou=idmap,o=mycompany.com
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
uidNumber: 176
sambaSID: S-1-5-21-xxxxxxxxxxxxxxx-1121

The member servers can be read only


In the member server, smb.conf has the following entries

idmap config MYDOMAIN:backend = ldap
idmap config MYDOMAIN:ldap_url = ldap://pdc.mycompany.com
idmap config MYDOMAIN:readonly = yes
idmap config MYDOMAIN:default=no
idmap config MYDOMAIN:ldap_base_dn = "ou=mydomain,ou=idmap,o=mycompany.com"
#idmap config MYDOMAIN:ldap_user_dn = cn=Directory Manager
#idmap config MYDOMAIN:ldap_user_dn = cn=admin,cn=Administrators,cn=config
idmap config MYDOMAIN:ldap_user_dn = uid=jsmith,ou=people,o=mycompany.com
idmap config MYDOMAIN:range = 70000-79999
idmap config MYDOMAIN:uid = 100-79999
idmap config MYDOMAIN:gid = 100-79999





On this machine (FC11 member server), when I run the "getent passwd" 
command, log.winbind shows


   failed to bind to server ldap://pdc.mycompany.com with 
dn=""cn=Directory Manager"" Error: Invalid DN syntax
       Invalid DN

On getent passwd, winbind.log shows

  lib/smbldap.c:890(smbldap_open_connection)
   smbldap_open_connection: connection opened
lib/smbldap.c:1101(smbldap_connect_system)
   ldap_connect_system: successful connection to the LDAP server
winbindd/idmap_ldap.c:1248(idmap_ldap_sids_to_unixids)
   Failure looking up sids (Invalid DN syntax)



If there is NOT an idmap entry already for the user, I get winbind.log 
entries like:

[2011/03/17 12:52:48,  1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
   error getting user id for sid S-1-5-21-xxxxxxxxxxxx-1083
[2011/03/17 12:52:48,  1] winbindd/winbindd_user.c:856(winbindd_getpwent)
   could not lookup domain user jkerry

[2011/03/17 12:52:48,  1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
   error getting user id for sid S-1-5-21-xxxxxxxxxxxx-1044
[2011/03/17 12:52:48,  1] winbindd/winbindd_user.c:856(winbindd_getpwent)
   could not lookup domain user jmcain

It looks like it tried to locate a record via user name or sid.

If there is an idmap entry already for the user, I only get:


[2011/03/17 12:52:48,  1] winbindd/winbindd_user.c:856(winbindd_getpwent)
   could not lookup domain user jsmith


So the samba member server is connecting to the LDAP server and 
retrieving some LDAP information.  But it seems that the LDAP info is 
NOT formatted as expected (thus the Invalid DN Syntax errors.)

The PDC was initially Samba 3.0.x, and I am guessing that the LDAP IDMAP 
syntax changed between 3.0.x and 3.4.x.

I would appreciate advice on this.

Thanks
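Added example, not part of the post above and not Samba code: a small static check for the idmap/LDAP settings of an smb.conf that flags the two things a practitioner would want to rule out before restarting winbindd on the member server. It assumes (a) that Samba hands parametric "idmap config" values and the global "ldap admin dn" to the LDAP code verbatim, so a DN written with surrounding quotes reaches the server with the quote characters included, which is how the log line dn=""cn=Directory Manager"" above is read here; (b) that the options idmap_ldap(8) documents for 3.x are backend, ldap_url, ldap_base_dn, ldap_user_dn, range, readonly and default, and other keys are ignored; and (c) that the bind password for ldap_user_dn is stored in secrets.tdb with `net idmap secret DOMAIN password`. The sample smb.conf is constructed from the block in the post plus a quoted "ldap admin dn" line as a hypothesis for where the quoted bind DN in the log came from.

```python
"""Static check for the idmap/LDAP settings in an smb.conf (Samba 3.x).

Added example, not from the mailing-list post or from Samba.  Assumptions:
  * parametric 'idmap config' values and 'ldap admin dn' are passed to the
    LDAP code verbatim, quotes included;
  * idmap_ldap(8) knows backend, ldap_url, ldap_base_dn, ldap_user_dn,
    range, readonly and default; other keys are ignored;
  * the ldap_user_dn password is stored with 'net idmap secret DOMAIN pw'.
"""
import re

KNOWN_KEYS = {"backend", "ldap_url", "ldap_base_dn", "ldap_user_dn",
              "range", "readonly", "default"}
DN_KEYS = {"ldap_base_dn", "ldap_user_dn"}
GLOBAL_DN_KEYS = ("ldap admin dn", "ldap suffix", "ldap idmap suffix")

_PARAM = re.compile(r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$", re.I)
_GLOBAL = re.compile(r"^\s*(%s)\s*=\s*(.*?)\s*$" % "|".join(GLOBAL_DN_KEYS), re.I)
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*=[^,=]+$")   # attr=value, loose RFC 4514
_RANGE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")


def parse_smb_conf(text):
    """Return ({domain: {key: value}}, {global_dn_param: value}); comment lines skipped."""
    domains, globals_ = {}, {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = _PARAM.match(line)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
            continue
        m = _GLOBAL.match(line)
        if m:
            globals_[m.group(1).lower()] = m.group(2)
    return domains, globals_


def dn_problem(value):
    """Why `value` would be rejected as a DN, or None if it looks acceptable."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return "wrapped in quotes; the quote characters are sent to the LDAP server"
    bad = [p for p in (s.strip() for s in value.split(",")) if not _RDN.match(p)]
    if bad:
        return "not attr=value RDNs: " + ", ".join(repr(p) for p in bad)
    return None


def lint(text):
    """Return a list of (section, key, message) findings for the smb.conf text."""
    findings = []
    domains, globals_ = parse_smb_conf(text)
    for key, value in globals_.items():
        why = dn_problem(value)
        if why:
            findings.append(("[global]", key, why))
    for domain, opts in domains.items():
        for key, value in opts.items():
            if key not in KNOWN_KEYS:
                findings.append((domain, key, "not an idmap_ldap option; ignored by the backend"))
            elif key in DN_KEYS:
                why = dn_problem(value)
                if why:
                    findings.append((domain, key, why))
            elif key == "range":
                m = _RANGE.match(value)
                if not m or int(m.group(1)) >= int(m.group(2)):
                    findings.append((domain, key, "range must be LOW-HIGH with LOW < HIGH"))
        if "ldap_user_dn" in opts:
            findings.append((domain, "ldap_user_dn",
                             "bind DN set: its password must be stored with "
                             "'net idmap secret %s <password>'" % domain))
    return findings


# Constructed sample: the member server's block from the post, plus a quoted
# 'ldap admin dn' (hypothesis for where the quoted bind DN in the log came from).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = MYDOMAIN
   security = domain
   ldap admin dn = "cn=Directory Manager"
   idmap config MYDOMAIN:backend = ldap
   idmap config MYDOMAIN:ldap_url = ldap://pdc.mycompany.com
   idmap config MYDOMAIN:readonly = yes
   idmap config MYDOMAIN:default=no
   idmap config MYDOMAIN:ldap_base_dn = "ou=mydomain,ou=idmap,o=mycompany.com"
   #idmap config MYDOMAIN:ldap_user_dn = cn=Directory Manager
   idmap config MYDOMAIN:ldap_user_dn = uid=jsmith,ou=people,o=mycompany.com
   idmap config MYDOMAIN:range = 70000-79999
   idmap config MYDOMAIN:uid = 100 -79999
   idmap config MYDOMAIN:gid = 100 -79999
"""

if __name__ == "__main__":
    for section, key, message in lint(SAMPLE_SMB_CONF):
        print("%-9s %-13s %s" % (section, key, message))
```

Run against the sample it reports the two quoted DNs, the uid/gid keys that idmap_ldap does not read, and a reminder that the jsmith bind DN needs a stored secret; stripping the quotes from the two DN lines makes the DN findings disappear.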
