[Samba] openldap integration failed after power cut

Fergus Clarke fclarke at ixico.com
Mon Feb 20 05:13:00 MST 2012


Hi

Running ldapsearch -x on the primary LDAP server fails; it gives

[root@servername ~]# ldapsearch -x
ldap_bind: Can't contact LDAP server (-1)

And yet on that server the Zimbra instance appears to be fine.

Can you suggest any further diagnosis of the LDAP on that server, or action I might take?

Many Thanks

Fergus


----- Original Message -----
From: "Gaiseric Vandal" <gaiseric.vandal at gmail.com>
To: "Fergus Clarke" <fclarke at ixico.com>
Cc: samba at lists.samba.org
Sent: Monday, 13 February, 2012 6:32:41 PM
Subject: Re: [Samba] openldap integration failed after power cut

try ldapsearch with "-x" for simple (non sasl) authentication.

On 02/13/2012 01:29 PM, Fergus Clarke wrote:
> Hi
>
> Thanks for your reply, much appreciated.
>
> When I run ldapsearch on the Samba server it prompts me for a password and this fails when tried with the credentials for the ldap bind account specified in smb.conf, also with the root pw for either machine, as follows:
>
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>
> I have tried resetting the smbpasswd -w as you suggested and setting the bind account password to the same on the ldap server, but I still get this message.  This suggests you are right and it is a credentials issue, is there anything I need to do beyond
>
> smbpasswd -w <password>  on the samba machine
> and passwd <bind account>  on ldap server
> ?
>
> The LDAP does appear to be running on the primary LDAP server as I can look at it on the console of the (unused) instance of zimbra on there, it looks OK.  That said if I do an ldapsearch on that machine I get an error:
>
> [root@primaryldapserver cacerts]# ldapsearch
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>
> Regards
>
> Fergus
>
>
> ----- Original Message -----
> From: "Gaiseric Vandal"<gaiseric.vandal at gmail.com>
> To: samba at lists.samba.org
> Sent: Monday, 13 February, 2012 5:51:43 PM
> Subject: Re: [Samba] openldap integration failed after power cut
>
> Can you use "ldapsearch" or a GUI LDAP browser/editor (e.g. Apache
> Directory Studio) to make sure that your primary LDAP server really is
> working.  Verify that the credentials are good.
>
> You may need to re-enter the ldap pw in samba if your password store
> got corrupted
>
> # smbpasswd -w LDAPBINDPW
>
> On 02/13/2012 11:12 AM, Fergus Clarke wrote:
>> Hi
>>
>> We have a Samba server that authenticates with an openldap server.  Or it used to.
>> We had a power cut last week and after a bit of struggling everything came back, but not Samba.
>> Previously our smb.conf file included the line
>>
>> passdb backend = ldapsam:ldap://server.domain.net/
>>
>> With this line in place the connection to the LDAP server fails, and people's shares drop off every few minutes.  I changed this to point to our 2nd, backup ldap server and now shares and logon work again.  I need to get communication started again between our Samba and primary LDAP server.
>>
>> Symptoms include the following: (with the new config, ie pointing at the backup ldap server)
>>
>> On the samba server:
>>
>> servername:/etc/samba# smbclient '\\servername\data'
>> WARNING: The "printer admin" option is deprecated
>> Enter root's password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> but
>>
>> servername:/etc/samba# smbclient -L localhost -U%
>> WARNING: The "printer admin" option is deprecated
>> Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]
>>
>> 	Sharename       Type      Comment
>> 	---------       ----      -------
>> 	netlogon        Disk      Network Logon Service
>> 	print$          Disk      Printer Drivers
>>
>> etc
>>
>> also:
>>
>> servername:/etc/samba# pdbedit -u username -c "[X]"
>> doing parameter syslog = 1
>> doing parameter log file = /var/log/samba/log.%m
>> doing parameter max log size = 1000
>> doing parameter smb ports = 139
>> doing parameter name resolve order = wins bcast hosts
>> doing parameter printcap name = cups
>> doing parameter add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
>> doing parameter add machine script = /usr/sbin/smbldap-useradd -w %m
>> doing parameter logon script = logon.cmd
>> doing parameter logon path = \\server.domain.net\%U\profile
>> doing parameter logon home = \\server.domain.net\%U
>> doing parameter domain logons = Yes
>> doing parameter os level = 33
>> doing parameter preferred master = Yes
>> doing parameter domain master = Yes
>> doing parameter dns proxy = No
>> doing parameter wins support = Yes
>> doing parameter ldap admin dn = "uid=username,cn=admins,cn=thenameofthecn"
>> doing parameter ldap group suffix = ou=groups
>> doing parameter ldap machine suffix = ou=machines
>> doing parameter ldap passwd sync = Yes
>> doing parameter ldap suffix = dc=ixico,dc=com
>> doing parameter ldap user suffix = ou=people
>> doing parameter panic action = /usr/share/samba/panic-action %d
>> pm_process() returned Yes
>> smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
>> smbldap_open_connection: connection opened
>> ldap_connect_system: successful connection to the LDAP server
>> The LDAP server is successfully connected
>> smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
>> smbldap_open_connection: connection opened
>> ldap_connect_system: successful connection to the LDAP server
>> The LDAP server is successfully connected
>> init_sam_from_ldap: Entry found for user: username
>> ldapsam_update_sam_account: user username to be modified has dn: uid=username,ou=people,dc=domain,dc=com
>> init_ldap_from_sam: Setting entry for user: username
>> Unable to modify entry!
>>
>>
>> If I change the setting back to point at our original LDAP server I get the following errors, for example:
>>
>>
>> servername:/etc/samba# pdbedit -u username -c "[X]"
>> doing parameter syslog = 1
>> doing parameter log file = /var/log/samba/log.%m
>> doing parameter max log size = 1000
>> doing parameter smb ports = 139
>> doing parameter name resolve order = wins bcast hosts
>> doing parameter printcap name = cups
>> doing parameter add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
>> doing parameter add machine script = /usr/sbin/smbldap-useradd -w %m
>> doing parameter logon script = logon.cmd
>> doing parameter logon path = \\server.domain.net\%U\profile
>> doing parameter logon home = \\server.domain.net\%U
>> doing parameter domain logons = Yes
>> doing parameter os level = 33
>> doing parameter preferred master = Yes
>> doing parameter domain master = Yes
>> doing parameter dns proxy = No
>> doing parameter wins support = Yes
>> doing parameter ldap admin dn = "uid=user,cn=admins,cn=relevantcn"
>> doing parameter ldap group suffix = ou=groups
>> doing parameter ldap machine suffix = ou=machines
>> doing parameter ldap passwd sync = Yes
>> doing parameter ldap suffix = dc=domain,dc=com
>> doing parameter ldap user suffix = ou=people
>> doing parameter panic action = /usr/share/samba/panic-action %d
>> pm_process() returned Yes
>> smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
>> smbldap_open_connection: connection opened
>> failed to bind to server ldap://ldap2.domain.net/ with dn="uid=username,cn=admins,cn=thecn" Error: Can't contact LDAP server
>> 	(unknown)
>> Connection to LDAP server failed for the 1 try!
>> smbldap_open_connection: connection opened
>> failed to bind to server ldap://ldap2.domain.net/ with dn="uid=username,cn=admins,cn=thecn" Error: Can't contact LDAP server
>>
>> etc
>>
>> but I can ping the LDAP server with its hostname and the LDAP alias.
>>
>> I have upped the log level to 10 and grepped for relevant hostnames and things but I am somewhat at a loss as to what's gone wrong, any help you can offer would be very gratefully received.  I would also be very happy to post any logs etc to assist.
>>
>> Thanks
>>
>> Fergus
>>
>>
>>



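The two errors quoted in this thread are not the same kind of failure, even though both stop Samba's ldapsam backend from working: "Can't contact LDAP server (-1)" is a client-side code that the OpenLDAP tools print when no TCP session could be established or no usable reply arrived, so nothing was ever authenticated; "Invalid credentials (49)" is an LDAP resultCode sent back by a server that was reached and that rejected the bind DN or password. The Python below is an added example, not code from Samba, OpenLDAP or anyone in the thread: it hand-encodes an LDAPv3 simple BindRequest in BER, sends it over a plain socket, and classifies the reply along exactly that line. To run offline it uses a constructed in-process stand-in for slapd (`fake_slapd`); the function names, the example DN `uid=bind,dc=example,dc=com` and the loopback ports are assumptions for illustration.

```python
"""Minimal LDAPv3 simple-bind probe separating a transport failure (what ldapsearch
prints as "Can't contact LDAP server (-1)") from an authentication failure
(resultCode 49).  Added example on the standard library only; not Samba/OpenLDAP code."""
import socket
import threading

RESULT_NAMES = {0: "success", 13: "confidentialityRequired", 49: "invalidCredentials"}
LDAP_SERVER_DOWN = -1  # client-side code the OpenLDAP tools print when no session exists

def ber(tag, content):
    """One BER TLV; long-form length when content exceeds 127 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def ber_int(tag, value):
    """INTEGER/ENUMERATED as minimal two's-complement big-endian."""
    return ber(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def bind_request(msg_id, dn="", password=""):
    """LDAPMessage{msg_id, [APPLICATION 0] BindRequest{version 3, dn, simple [0] pw}}."""
    body = ber_int(0x02, 3) + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber_int(0x02, msg_id) + ber(0x60, body))

def bind_response(msg_id, result_code, diagnostic=""):
    """LDAPMessage{msg_id, [APPLICATION 1] BindResponse{resultCode, matchedDN, diag}}."""
    body = ber_int(0x0A, result_code) + ber(0x04, b"") + ber(0x04, diagnostic.encode())
    return ber(0x30, ber_int(0x02, msg_id) + ber(0x61, body))

def tlv(buf, pos=0):
    """Decode the TLV at pos -> (tag, content, end); IndexError if buf is truncated."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise IndexError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def recv_message(sock):
    # Accumulate bytes until one complete outer TLV (an LDAPMessage) is present, or EOF.
    buf = b""
    while True:
        try:
            tlv(buf)
            return buf
        except IndexError:
            chunk = sock.recv(4096)
            if not chunk:
                return buf
            buf += chunk

def parse_bind_response(buf):
    """Pull message ID, resultCode and diagnosticMessage out of a BindResponse."""
    tag, msg, _ = tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = tlv(msg)
    op_tag, op, _ = tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % op_tag)
    _, code, pos = tlv(op)
    _, _matched_dn, pos = tlv(op, pos)
    _, diag, _ = tlv(op, pos)
    rc = int.from_bytes(code, "big", signed=True)
    return {"message_id": int.from_bytes(msg_id, "big", signed=True), "result_code": rc,
            "result_name": RESULT_NAMES.get(rc, "other"), "diagnostic": diag.decode(errors="replace")}

def probe_bind(host, port=389, dn="", password="", timeout=5.0):
    """One cleartext simple bind; transport/framing errors come back as -1, like ldapsearch."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bind_request(1, dn, password))
            return parse_bind_response(recv_message(s))
    except (OSError, ValueError, IndexError) as exc:
        return {"result_code": LDAP_SERVER_DOWN, "result_name": "cantContactLDAPServer",
                "diagnostic": "%s: %s" % (type(exc).__name__, exc)}

def fake_slapd(result_code):
    """Constructed stand-in for slapd: serve one client with result_code; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            recv_message(conn)
            conn.sendall(bind_response(1, result_code, "constructed reply"))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():
    """A loopback port with no listener: bind an ephemeral port, note it, release it."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    print(probe_bind("127.0.0.1", fake_slapd(49), "uid=bind,dc=example,dc=com", "wrong"))
    print(probe_bind("127.0.0.1", closed_port(), timeout=2))
```

Pointed at the real hosts (`probe_bind("server.domain.net", dn=<the ldap admin dn from smb.conf>, password=...)`), a -1 means slapd is not listening on that address and port, a firewall is in the way, or the URI in ldap.conf or smb.conf is wrong, and no amount of `smbpasswd -w` will change it; a 49 means the server is up and only the password, either the one in Samba's secrets.tdb or the one on the directory server, is wrong. The probe does not do STARTTLS, so a server that refuses cleartext binds still answers with a resultCode (13, confidentialityRequired) rather than -1; like `ldapsearch -x`, it sends the password in the clear and belongs on a trusted network or a test account only.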