[Samba] Samba 4 ldb_wrap open of idmap.ldb

steve steve at steve-ss.com
Sun Jan 15 06:49:28 MST 2012


Hi everyone
Version 4.0.0alpha18-GIT-bfc7481

I'm using nslcd to map Samba 4 users to uid:gid and home directory. At 
startup I get this:

ldb_wrap open of secrets.ldb
WARNING: no socket to connect to

and /var/log/messages shows:

Jan 15 14:20:13 hh3 nslcd[2425]: [334873] failed to bind to LDAP server ldap://hh3.site/: Can't contact LDAP server: Transport endpoint is not connected
Jan 15 14:20:13 hh3 nslcd[2425]: [334873] no available LDAP server found, sleeping 1 seconds

Samba loads and I can wbinfo -u but it takes around 2 minutes for getent 
passwd to kick in. Then finally I get this:

auth_check_password_send: Checking password for unmapped user 
[CACTUS]\[Administrator]@[(null)]
auth_check_password_send: mapped user is: [CACTUS]\[Administrator]@[(null)]

And Linux clients can finally logon.

Qn. Why does it take so long for the LDAP to become available? Is there 
something wrong with my nslcd config? Not a problem but the 2 minute 
wait is annoying/worrying.

cat /etc/nslcd.conf
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.
# The user and group nslcd should run as.
#uid nslcd
#gid nslcd
uid nslcd-user
gid nslcd-user
# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# NOTE(review): ldap:// combined with the simple bind configured below
# (binddn/bindpw) sends that password in cleartext on every (re)connect.
# Prefer ldaps://hh3.site/, or "ssl start_tls" with "tls_reqcert demand" and
# a tls_cacertfile, or a GSSAPI bind (see sasl_mech at the end of this file).
# NOTE(review): the failures in the log ("Transport endpoint is not
# connected", then "sleeping 1 seconds") look like nslcd coming up before
# Samba's LDAP listener is accepting connections; nslcd then backs off before
# retrying. Check service start ordering, and that hh3.site resolves without
# LDAP and without a DNS server that is itself provided by the not-yet-started
# Samba -- TODO confirm.
uri ldap://hh3.site/
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name of the search base.
base dc=hh3,dc=site
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# NOTE(review): binding NSS lookups as the domain Administrator means anyone
# who can read this file (or observe the ldap:// session) holds a domain-admin
# password. Use a dedicated, unprivileged read-only account for nslcd, or a
# GSSAPI bind with a keytab, and rotate this password now that it has been
# posted to a public list.
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this
# file: it must not be world-readable (distributions usually ship it as
# mode 0640, owned by root with the nslcd group).
# ("1234 at Abc" below is the list archive's obfuscation of the "@" in the
# value, not the literal text of the file.)
bindpw 1234 at Abc
# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com
# The default search scope.
#scope sub
#scope one
#scope base
# Customize certain database lookups.
#base   group  ou=Groups,dc=example,dc=com
#base   passwd ou=People,dc=example,dc=com
#base   shadow ou=People,dc=example,dc=com
#scope  group  onelevel
#scope  hosts  sub
# Bind/connect timelimit.
#bind_timelimit 30
# Search timelimit.
#timelimit 30
# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600
# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never
# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# NDS mappings
#map group uniqueMember member

# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map    passwd uid              msSFU30Name
#map    passwd userPassword     msSFU30Password
#map    passwd homeDirectory    msSFU30HomeDirectory
#map    passwd homeDirectory    msSFUHomeDirectory
#filter shadow (objectClass=User)
#map    shadow uid              msSFU30Name
#map    shadow userPassword     msSFU30Password
#filter group  (objectClass=Group)
#map    group  uniqueMember     msSFU30PosixMember

# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map    passwd uid              msSFUName
#map    passwd userPassword     msSFUPassword
#map    passwd homeDirectory    msSFUHomeDirectory
#map    passwd gecos            msSFUName
#filter shadow (objectClass=User)
#map    shadow uid              msSFUName
#map    shadow userPassword     msSFUPassword
#map    shadow shadowLastChange pwdLastSet
#filter group  (objectClass=Group)
#map    group  uniqueMember     posixMember

# Mappings for Active Directory
#pagesize 1000
#referrals off
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
#map    passwd gecos            displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
#map    shadow shadowLastChange pwdLastSet
#filter group  (objectClass=group)
#map    group  uniqueMember     member

# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map    passwd uid              userName
#map    passwd userPassword     passwordChar
#map    passwd uidNumber        uid
#map    passwd gidNumber        gid
#filter group  (objectClass=aixAccessGroup)
#map    group  cn               groupName
#map    group  uniqueMember     member
#map    group  gidNumber        gid

# NOTE(review): sasl_realm has no effect while sasl_mech is commented out --
# nslcd is doing a simple bind with the binddn/bindpw above. To bind with
# Kerberos instead: uncomment "sasl_mech GSSAPI", keep a ticket cache for the
# nslcd user refreshed from a keytab (k5start, or a periodic "kinit -k"),
# point krb5_ccname at that cache (a root-only cache under /tmp is not
# readable by nslcd-user), and remove binddn/bindpw.
#sasl_mech GSSAPI
sasl_realm HH3.SITE
#krb5_ccname /tmp/krb5cc_0

Thanks
Steve






