[Samba] Samba 4 ldb_wrap open of idmap.ldb

Michael Wood esiotrot at gmail.com
Sun Jan 15 08:17:31 MST 2012


Hi

On 15 January 2012 15:49, steve <steve at steve-ss.com> wrote:
> Hi everyone
> Version 4.0.0alpha18-GIT-bfc7481
>
> I'm using nslcd to map Samba 4 users to uid:gid and home directory. At
> startup I get this:
>
> ldb_wrap open of secrets.ldb
> WARNING: no socket to connect to
>
> and /var/log/messages shows:
>
> Jan 15 14:20:13 hh3 nslcd[2425]: [334873] failed to bind to LDAP server ldap://hh3.site/: Can't contact LDAP server: Transport endpoint is not connected
> Jan 15 14:20:13 hh3 nslcd[2425]: [334873] no available LDAP server found, sleeping 1 seconds
[...]

I don't know why the above happens, but...:

> cat /etc/nslcd.conf
[...]
> # The user and group nslcd should run as.
> #uid nslcd
> #gid nslcd
> uid nslcd-user
> gid nslcd-user

Just a guess, but this might cause a problem.  I believe you created a
Samba user called nslcd-user and it looks like this is what you're
trying to use here.  (Also, AD does not support using the same name
for a user and a group, I believe.)

So before nslcd starts fully it would need to look up those values,
but in order to do that it needs to talk to Samba.  It seems to me
that this might be problematic.  Maybe you should use a local Linux
user for running nslcd and just use the Samba nslcd-user account for
nslcd's authentication to Samba.

> # The distinguished name to bind to the server with.
> # Optional: default is to bind anonymously.
> binddn cn=Administrator,cn=Users,dc=hh3,dc=site

I think you want CN=nslcd-user,CN=Users,DC=hh3,DC=site here.

> # The credentials to bind with.
> # Optional: default is no credentials.
> # Note that if you set a bindpw you should check the permissions of this file.
> bindpw 1234 at Abc

I think if your Kerberos config is working correctly this should not
be necessary.

> #sasl_mech GSSAPI
> sasl_realm HH3.SITE
> #krb5_ccname /tmp/krb5cc_0

Try using /var/run/nslcd/nslcd.tkt after exporting the nslcd-user's
SPN to it and making sure nslcd can read it.

-- 
Michael Wood <esiotrot at gmail.com>
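A pre-flight check for the configuration points raised in this reply (run-as uid/gid that must resolve without LDAP, cleartext bindpw, binding as Administrator, GSSAPI without a credential cache), as an added example that is not part of the thread and not code from the Samba or nss-pam-ldapd projects. It assumes the "key value" nslcd.conf syntax quoted above; the NSLCD_PASSWD/NSLCD_GROUP variables are an assumed convenience so the check can be run against constructed files.

```shell
#!/bin/sh
# Pre-flight check for the nslcd.conf issues raised in this thread: the run-as
# uid/gid must resolve from local files (nslcd cannot ask LDAP for its own
# identity before it is running), a cleartext bindpw and a bind as Administrator
# are avoidable with a dedicated account plus GSSAPI, and GSSAPI needs a cache.
# Added example, not from the thread or the nss-pam-ldapd/Samba projects.
# NSLCD_PASSWD/NSLCD_GROUP are assumed knobs for running the check hermetically.
NSLCD_PASSWD=${NSLCD_PASSWD:-/etc/passwd}
NSLCD_GROUP=${NSLCD_GROUP:-/etc/group}
# First uncommented "key value" line wins; prints the value (empty if unset).
nslcd_conf_get() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# Local-files-only lookups: no NSS, so no accidental LDAP round trip.
local_user_exists()  { awk -F: -v n="$1" '$1 == n { f=1 } END { exit !f }' "$NSLCD_PASSWD"; }
local_group_exists() { awk -F: -v n="$1" '$1 == n { f=1 } END { exit !f }' "$NSLCD_GROUP"; }
# Prints one line per finding; returns 0 when the file is clean, 1 otherwise.
check_nslcd_conf() {
    f=$1 n=0
    u=$(nslcd_conf_get "$f" uid) g=$(nslcd_conf_get "$f" gid)
    [ -z "$u" ] || local_user_exists "$u" || { echo "uid '$u' not in $NSLCD_PASSWD: unresolvable before LDAP is up"; n=$((n+1)); }
    [ -z "$g" ] || local_group_exists "$g" || { echo "gid '$g' not in $NSLCD_GROUP: same start-up dependency on LDAP"; n=$((n+1)); }
    [ -z "$(nslcd_conf_get "$f" bindpw)" ] || { echo "bindpw set: cleartext password in $f; prefer GSSAPI with a keytab"; n=$((n+1)); }
    case $(nslcd_conf_get "$f" binddn) in
        *[Aa]dministrator*) echo "binddn is Administrator: bind as a dedicated low-privilege account"; n=$((n+1)) ;;
    esac
    if [ "$(nslcd_conf_get "$f" sasl_mech)" = GSSAPI ] && [ -z "$(nslcd_conf_get "$f" krb5_ccname)" ]; then
        echo "sasl_mech GSSAPI without krb5_ccname: point it at a cache nslcd can read"; n=$((n+1))
    fi
    [ "$n" -eq 0 ]
}
# Constructed sample mirroring the thread's file (placeholder password, not real).
write_thread_conf() { cat >"$1" <<'EOF'
uid nslcd-user
gid nslcd-user
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
bindpw PLACEHOLDER-not-a-real-password
#sasl_mech GSSAPI
EOF
}
# The same file with the reply's suggestions applied (nslcd is a local account).
write_fixed_conf() { cat >"$1" <<'EOF'
uid nslcd
gid nslcd
binddn CN=nslcd-user,CN=Users,DC=hh3,DC=site
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/nslcd.tkt
EOF
}
tmp=$(mktemp); write_thread_conf "$tmp"
check_nslcd_conf "$tmp" || echo "fix the findings above before starting nslcd"; rm -f "$tmp"
```

Run it against the real /etc/nslcd.conf with `check_nslcd_conf /etc/nslcd.conf` once the daemon's run-as account exists locally; it does not verify that the keytab behind krb5_ccname is readable, which still has to be checked by hand.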

