[Samba] Configuration of idmap_ldap "No backend defined"

Christian Rost christian.rost at rocon-it.de
Sat Apr 14 14:05:09 MDT 2012


Hi,

Your security concerns are welcome. Well, I didn't use LDAP-based idmap yet, but "multiple entries returned" could be a result of your duplicate settings for "idmap config" - one with the asterisk and the second with MYDOMAIN. Please read the docs to determine which of the entries is necessary.

Cheers,

Christian



Jon Theil Nielsen <jontheil at gmail.com> wrote:

>Hi and thanks,
>
>The base dn is not as shown. Might be some kind of paranoia...
>I changed the smb.conf as suggested. Did not change any other file. Now my
>log shows:
>
>[2012/04/14 20:29:36.891125,  2] lib/smbldap.c:1018(smbldap_open_connection)
>  smbldap_open_connection: connection opened
>[2012/04/14 20:29:36.901600,  0] winbindd/idmap_ldap.c:192(verify_idpool)
>  Multiple entries returned from (objectclass=sambaUnixIdPool) (base == dc=example,dc=com)
>[2012/04/14 20:29:36.901919,  1] winbindd/idmap_ldap.c:516(idmap_ldap_db_init)
>  idmap_ldap_db_init: failed to verify ID pool (NT_STATUS_UNSUCCESSFUL)
>[2012/04/14 20:29:36.903646,  5] winbindd/idmap_ldap.c:421(idmap_ldap_close_destructor)
>  The connection to the LDAP server was closed
>[2012/04/14 20:29:36.904039,  1] winbindd/idmap.c:249(idmap_init_domain)
>  idmap initialization returned NT_STATUS_UNSUCCESSFUL
>
>Regards,
>Jon
>
>On 14 April 2012 20:14, Christian Rost <christian.rost at rocon-it.de> wrote:
>
>> Hi,
>>
>> Please check your ldap configuration in your smb.conf file. At first
>> verify that your base-dn is really "dc=example,dc=com". Then remove
>> "cn=Manager" from each option that contains "base_dn".
>>
>> As usual, make sure that your LDAP server is set up correctly and that
>> everything works fine. Then you can connect samba to your LDAP.
>>
>> Cheers,
>>
>> Christian
>>
>> Jon Theil Nielsen <jontheil at gmail.com> wrote:
>>
>> >Hi list,
>> >
>> >I can't make idmap talk to my LDAP server. And I haven't found an
>> >updated howto.
>> >
>> >Some entries from log.windbindd-imap:
>> >[2012/04/13 20:05:40.500475,  5] winbindd/idmap.c:153(smb_register_idmap)
>> >  Successfully added idmap backend 'ldap'
>> >[2012/04/13 20:05:40.501112,  5] winbindd/idmap.c:153(smb_register_idmap)
>> >  Successfully added idmap backend 'tdb'
>> >[2012/04/13 20:05:40.501318,  5] winbindd/idmap.c:153(smb_register_idmap)
>> >  Successfully added idmap backend 'passdb'
>> >[2012/04/13 20:05:40.501516,  5] winbindd/idmap.c:153(smb_register_idmap)
>> >  Successfully added idmap backend 'nss'
>> >[2012/04/13 20:05:40.540035,  2] lib/smbldap.c:1018(smbldap_open_connection)
>> >  smbldap_open_connection: connection opened
>> >[2012/04/13 20:05:40.550305,  2] passdb/pdb_ldap.c:2427(init_group_from_ldap)
>> >  init_group_from_ldap: Entry found for group: 515
>> >[2012/04/13 20:05:40.592075,  1] winbindd/idmap.c:288(idmap_init_named_domain)
>> >  no backend defined for idmap config MYDOMAIN
>> >[2012/04/13 20:06:23.606655,  2] passdb/pdb_ldap.c:2427(init_group_from_ldap)
>> >  init_group_from_ldap: Entry found for group: 548
>> >[2012/04/13 20:06:23.629123,  2] passdb/pdb_ldap.c:2427(init_group_from_ldap)
>> >  init_group_from_ldap: Entry found for group: 1006
>> >[2012/04/13 20:06:23.632141,  1] winbindd/idmap.c:288(idmap_init_named_domain)
>> >  no backend defined for idmap config MYDOMAIN
>> >[2012/04/13 20:06:23.637118,  2] passdb/pdb_ldap.c:2427(init_group_from_ldap)
>> >  init_group_from_ldap: Entry found for group: 1005
>> >[2012/04/13 20:06:23.640003,  1] winbindd/idmap.c:288(idmap_init_named_domain)
>> >  no backend defined for idmap config MYDOMAIN
>> >[2012/04/13 20:06:23.653837,  1] winbindd/idmap.c:288(idmap_init_named_domain)
>> >  no backend defined for idmap config MYDOMAIN
>> >[2012/04/13 20:06:33.287504,  1] winbindd/idmap.c:288(idmap_init_named_domain)
>> >  no backend defined for idmap config MYDOMAIN
>> >[2012/04/13 20:06:33.287723,  1] winbindd/idmap.c:288(idmap_init_named_domain)
>> >  no backend defined for idmap config BUILTIN
>> >[2012/04/13 20:06:38.048645,  1] winbindd/idmap.c:288(idmap_init_named_domain)
>> >  no backend defined for idmap config MYDOMAIN
>> >
>> >Part of my smb.conf:
>> >[global]
>> >    ldap admin dn = cn=Manager,dc=example,dc=com
>> >    ldap delete dn = Yes
>> >    ldap group suffix = ou=Groups
>> >    ldap idmap suffix = ou=Idmap
>> >    ldap machine suffix = ou=Computers
>> >    ldap passwd sync = yes
>> >    ldap suffix = dc=example,dc=com
>> >    ldap user suffix = ou=People
>> >    ldap debug level = 1
>> >    idmap config *:backend = ldap
>> >    idmap config *:readonly = no
>> >    idmap config *:range = 1000-1999999
>> >    idmap config *:ldap_url=ldap://localhost
>> >    idmap config *:ldap_base_dn = cn=Manager,dc=example,dc=com
>> >    idmap config MYDOMAIN:backend = ldap
>> >    idmap config MYDOMAIN:readonly = no
>> >    idmap config MYDOMAIN:range = 1000-1999999
>> >    idmap config MYDOMAIN:ldap_url=ldap://localhost
>> >    idmap config MYDOMAIN:ldap_base_dn = cn=Manager,dc=example,dc=com
>> >    idmap config MYDOMAIN:ldap_user_dn = cn=admin,ou=Idmap,dc=example,dc=com
>> >
>> >I'm running samba 3.6.3 on FreeBSD 9.0-RELEASE and my LDAP server seems
>> >to work otherwise. At least, I can do user authentication this way.
>> >
>> >Of course, I can provide much more information from the logs and the
>> >configuration files. I just don't know where to start. And any help
>> >would be much appreciated.
>> >
>> >Best regards,
>> >Jon Theil Nielsen
>>
>> --
>> Dipl.-Ing. Christian Rost
>> roCon - Informationstechnologie
>> Ulmenstraße 45
>> 44534 Lünen
>>
>>
>> Fon: +49 2306 910 658
>> Fax:  +48 2306 910 664
>> URL: www.rocon-it.de
>>

-- 
Dipl.-Ing. Christian Rost
roCon - Informationstechnologie
Ulmenstraße 45
44534 Lünen


Fon: +49 2306 910 658
Fax:  +48 2306 910 664
URL: www.rocon-it.de
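
The two configuration points raised in this thread (an `ldap_base_dn` that repeats the `ldap admin dn`, and `*` and `MYDOMAIN` sections carrying the same settings) can be checked mechanically. The following is an added example, not part of the original mails or of Samba; `parse_smb_conf` and `lint_idmap` are hypothetical helper names, the sample is constructed from the posted fragment, and an identical or overlapping `range` is used here as the sign of duplicated sections.

```python
import re
from collections import defaultdict

# Constructed sample: the [global] fragment posted in the thread, line wraps undone.
SAMPLE = """\
[global]
    ldap admin dn = cn=Manager,dc=example,dc=com
    ldap suffix = dc=example,dc=com
    idmap config *:backend = ldap
    idmap config *:range = 1000-1999999
    idmap config *:ldap_base_dn = cn=Manager,dc=example,dc=com
    idmap config MYDOMAIN:backend = ldap
    idmap config MYDOMAIN:range = 1000-1999999
    idmap config MYDOMAIN:ldap_base_dn = cn=Manager,dc=example,dc=com
"""

IDMAP_KEY = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(\S+)$", re.I)

def parse_smb_conf(text):
    """Split 'key = value' lines into plain options and per-domain idmap options."""
    plain, idmap = {}, defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = IDMAP_KEY.match(key)
        if m:
            idmap[m.group(1)][m.group(2).lower()] = value
        else:
            plain[key.lower()] = value
    return plain, idmap

def lint_idmap(text):
    """Return findings for the two issues discussed in the thread."""
    plain, idmap = parse_smb_conf(text)
    admin_dn = plain.get("ldap admin dn", "").lower()
    findings, seen = [], {}
    for dom, opts in idmap.items():
        base = opts.get("ldap_base_dn", "").lower()
        if base and base == admin_dn:
            findings.append(f"{dom}: ldap_base_dn equals 'ldap admin dn'")
        if "range" in opts:
            lo, hi = (int(n) for n in opts["range"].split("-"))
            for other, (olo, ohi) in seen.items():
                if lo <= ohi and olo <= hi:
                    findings.append(f"{dom}: range overlaps '{other}'")
            seen[dom] = (lo, hi)
    return findings

if __name__ == "__main__":
    print("\n".join(lint_idmap(SAMPLE)))
```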

