[Samba] Samba 3.4.7 can't retrieve idmap infor from ldap
Gaiseric Vandal
gaiseric.vandal at gmail.com
Mon Mar 21 10:21:37 MDT 2011
I tried with and without the double quotes.
The following commands do work in Linux (it will prompt me for the pw.)
ldapsearch -D "cn=Directory Manager" -b "" objectclass=* -x -W
ldapsearch -D "cn=admin,cn=Administrators,cn=config" -h spooky -b "" -x -W
Not sure in smb.conf whether I should ever quote the ldap_user_dn
parameter. Maybe it should be quoted if it is an absolute vs relative
entry?
On 03/21/2011 11:34 AM, Ayman Tahboub wrote:
> hiya Gaiseric,
>
> one quick note against your binding DN, I think you
> it's complaining about having double quotations ""CN=Directory Manager""
>
> on the other side, you verified binding via normal LDAPSEARCH command,
>
> as in ldapsearch -D"CN=directory manager" -b "" objectclass=* ?
>
> hope it helps
>
> /ayman
>
>
> -----Original Message-----
> From: Gaiseric Vandal
> Sent: Thursday, March 17, 2011 20:12
> To: Samba
> Subject: [Samba] Samba 3.4.7 can't retrieve idmap infor from ldap
>
> I am running Samba 3.4.7 on Fedora Core 11 Linux. This is a domain
> member.
>
> My PDC is Samba 3.4.9 on Solaris 10. I have LDAP as a backend
> (Sun/Oracle Directory Server 6.) I have an OU for user accounts,
> and an OU for idmap entries. The PDC has already populated some idmap
> entries.
>
> An idmap entry looks like
>
>
>
> dn: sambaSID=S-1-5-21-xxxxxxxxxxxxxxx-1121,ou=mydomain,ou=idmap,o=mycomany.com
> objectClass: sambaIdmapEntry
> objectClass: sambaSidEntry
> uidNumber: 176
> sambaSID: S-1-5-21-xxxxxxxxxxxxxxx-1121
>
> The member servers can be read only
>
>
> In the member server, smb.conf has the following entries
>
> idmap config MYDOMAIN:backend = ldap
> idmap config MYDOMAIN:ldap_url = ldap://pdc.mycompany.com
> idmap config MYDOMAIN:readonly = yes
> idmap config MYDOMAIN:default=no
> idmap config MYDOMAIN:ldap_base_dn = "ou=mydomain,ou=idmap,o=mycompany.com"
> #idmap config MYDOMAIN:ldap_user_dn = cn=Directory Manager
> #idmap config MYDOMAIN:ldap_user_dn = cn=admin,cn=Administrators,cn=config
> idmap config MYDOMAIN:ldap_user_dn = uid=jsmith,ou=people,o=mycompany.com
> idmap config MYDOMAIN:range = 70000-79999
> idmap config MYDOMAIN:uid = 100 -79999
> idmap config MYDOMAIN:gid = 100 -79999
>
>
>
>
>
> On this machine (FC11 member server), when I run "getent passwd"
> command, log.winbind shows
>
>
> failed to bind to server ldap://pdc.mycompany.com with
> dn=""cn=Directory Manager"" Error: Invalid DN syntax
> Invalid DN
>
> On getent passwd, winbind.log shows
>
> lib/smbldap.c:890(smbldap_open_connection)
> smbldap_open_connection: connection opened
> lib/smbldap.c:1101(smbldap_connect_system)
> ldap_connect_system: successful connection to the LDAP server
> winbindd/idmap_ldap.c:1248(idmap_ldap_sids_to_unixids)
> Failure looking up sids (Invalid DN syntax)
>
>
>
> If there is NOT an idmap entry already for the user, I get winbind.log
> entries like:
>
> [2011/03/17 12:52:48, 1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
> error getting user id for sid S-1-5-21-xxxxxxxxxxxx-1083
> [2011/03/17 12:52:48, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
> could not lookup domain user jkerry
>
> [2011/03/17 12:52:48, 1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
> error getting user id for sid S-1-5-21-xxxxxxxxxxxx-1044
> [2011/03/17 12:52:48, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
> could not lookup domain user jmcain
>
> It looks like it tried to locate a record via user name or sid.
>
> If there is an idmap entry already for the user I only get
>
>
> [2011/03/17 12:52:48, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
> could not lookup domain user jsmith
>
>
> So the samba member server is connecting to the LDAP server and
> retrieving some LDAP information. But it seems that the LDAP info is
> NOT formatted as expected (thus the Invalid DN Syntax errors.)
>
> The PDC was initially Samba 3.0.x, and I am guessing that the LDAP
> IDMAP syntax changed between 3.0.x and 3.4.x.
>
> I would appreciate advice on this.
>
> Thanks
>
>
>
>
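
An added example, not part of the original messages and not Samba code: a small Python check for the quoting question raised in this thread. It scans smb.conf text for "idmap config DOMAIN:ldap_user_dn" and "ldap_base_dn" values that are wrapped in double quotes (the log above shows the bind DN reaching the server as ""cn=Directory Manager""), are empty, or do not look like a DN. The function names, the simplified DN pattern and the sample text are assumptions made for this example.

```python
import re

# Matches "idmap config DOMAIN:option = value" on one logical line.
OPTION = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\S+)\s*=\s*(.*)$", re.I)
# Simplified RDN check (attr=value); an assumption, not a full RFC 4514 parser.
RDN = re.compile(r'^\s*[A-Za-z][A-Za-z0-9-]*\s*=\s*[^=,"]+$')
DN_OPTIONS = {"ldap_user_dn", "ldap_base_dn"}


def join_continuations(text):
    """Yield (first_line_no, logical_line); smb.conf continues a line ending in a backslash."""
    buf, start = "", None
    for no, line in enumerate(text.splitlines(), 1):
        start = start or no
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1]
            continue
        yield start, buf + line
        buf, start = "", None


def lint_idmap_dns(text):
    """Return [(line_no, domain, option, problem)] for DN-valued idmap options."""
    findings = []
    for no, line in join_continuations(text):
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out settings are not active
        m = OPTION.match(line)
        if not m or m.group(2).lower() not in DN_OPTIONS:
            continue
        domain, option, value = m.group(1), m.group(2), m.group(3).strip()
        if not value:
            findings.append((no, domain, option, "empty value (wrapped line without a trailing backslash?)"))
        elif value[0] == '"' or value[-1] == '"':
            findings.append((no, domain, option, "value is wrapped in double quotes"))
        elif not all(RDN.match(rdn) for rdn in re.split(r"(?<!\\),", value)):
            findings.append((no, domain, option, "value does not look like a DN"))
    return findings


# Constructed sample, modelled on the kind of settings discussed in this thread.
SAMPLE = '''\
idmap config MYDOMAIN:backend = ldap
idmap config MYDOMAIN:ldap_base_dn =
"ou=mydomain,ou=idmap,o=mycompany.com"
#idmap config MYDOMAIN:ldap_user_dn = "cn=Directory Manager"
idmap config MYDOMAIN:ldap_user_dn = "cn=Directory Manager"
idmap config OTHER:ldap_user_dn = uid=jsmith,ou=people,o=mycompany.com
'''
```

Calling lint_idmap_dns(SAMPLE) reports line 2 (empty value) and line 5 (quoted value); the commented-out line and the unquoted DN pass.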