[Samba] Cannot bind to AD using nslcd
Rob Mason
rob.mason at acasta.co.uk
Wed Nov 19 11:19:58 MST 2014
Thanks - my nslcd appears to be _almost_ working!! Debug shows:
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=18724 uid=0 gid=0
nslcd: [8b4567] <passwd(all)> DEBUG: myldap_search(base="DC=acasta,DC=intra", filter="(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))")
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_initialize(ldap://kepler.acasta.intra/)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_simple_bind_s("CN=nslcd-connect,CN=Users,DC=acasta,DC=intra","***") (uri="ldap://kepler.acasta.intra/")
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_result(): end of results (0 total)
When I use 'getent passwd', I do not see any domain accounts. I
expected to see 'Administrator' and 'nslcd-connect' domain accounts
listed. I only get Unix accounts.
On 19/11/2014 17:48, Min Wai Chan wrote:
> You should be using this.
>
> If you are using LDAP and not Kerberos
>
> pagesize 1000
> referrals off
> idle_timelimit 800
> filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
> map passwd uid sAMAccountName
> map passwd homeDirectory unixHomeDirectory
> map passwd gecos displayName
> filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
> map shadow uid sAMAccountName
> map shadow shadowLastChange pwdLastSet
> filter group (objectClass=group)
>
>
> On Thu, Nov 20, 2014 at 1:45 AM, Rob Mason <rob.mason at acasta.co.uk> wrote:
>
>> A little further forward! I've re-provisioned the domain and re-created
>> the new 'nslcd-connect' user just to be sure.
>>
>> 'binddn' is now working - but is complaining about 'uidNumber'. I think
>> this is now just a mapping issue. Anyone??
>>
>> nslcd: [495cff] <passwd(all)> DEBUG: myldap_search(base="CN=Users,DC=acasta,DC=intra", filter="(objectClass=user)")
>> nslcd: [495cff] <passwd(all)> DEBUG: ldap_result(): CN=Administrator,CN=Users,DC=acasta,DC=intra
>> nslcd: [495cff] <passwd(all)> CN=Administrator,CN=Users,DC=acasta,DC=intra: uidNumber: missing
>> nslcd: [495cff] <passwd(all)> DEBUG: ldap_result(): CN=nslcd-connect,CN=Users,DC=acasta,DC=intra
>> nslcd: [495cff] <passwd(all)> CN=nslcd-connect,CN=Users,DC=acasta,DC=intra: uidNumber: missing
>> nslcd: [495cff] <passwd(all)> DEBUG: ldap_result(): CN=krbtgt,CN=Users,DC=acasta,DC=intra
>> nslcd: [495cff] <passwd(all)> CN=krbtgt,CN=Users,DC=acasta,DC=intra: uidNumber: missing
>> nslcd: [495cff] <passwd(all)> DEBUG: ldap_result(): CN=Guest,CN=Users,DC=acasta,DC=intra
>> nslcd: [495cff] <passwd(all)> CN=Guest,CN=Users,DC=acasta,DC=intra: uidNumber: missing
>> nslcd: [495cff] <passwd(all)> DEBUG: ldap_result(): end of results (4 total)
>>
>> The full nslcd.conf is here:
>>
>> uid nslcd
>> gid nslcd
>> uri ldap://kepler.acasta.intra/
>> base CN=Users,DC=acasta,DC=intra
>> binddn CN=nslcd-connect,CN=Users,DC=acasta,DC=intra
>> bindpw xxxxxxxx
>> pagesize 1000
>> referrals off
>> filter passwd (objectClass=user)
>> filter group (objectClass=group)
>> map passwd uid sAMAccountName
>> map passwd homeDirectory unixHomeDirectory
>> map passwd gecos displayName
>> map passwd gidNumber primaryGroupID
>> map passwd uidNumber uidNumber
>> #map group uniqueMember member
>>
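
Correlating the two debug runs in this thread, as an added example that is not part of the original messages: the script parses nslcd debug output and, for every search that returned 0 entries, lists which attributes the filter requires to be present and which of those nslcd reported as missing on entries it did see. The log lines are a constructed sample abridged from the output quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample, abridged from the two nslcd debug runs in the thread.
SAMPLE_LOG = '''\
nslcd: [495cff] <passwd(all)> DEBUG: myldap_search(base="CN=Users,DC=acasta,DC=intra", filter="(objectClass=user)")
nslcd: [495cff] <passwd(all)> DEBUG: ldap_result(): CN=Administrator,CN=Users,DC=acasta,DC=intra
nslcd: [495cff] <passwd(all)> CN=Administrator,CN=Users,DC=acasta,DC=intra: uidNumber: missing
nslcd: [495cff] <passwd(all)> DEBUG: ldap_result(): CN=nslcd-connect,CN=Users,DC=acasta,DC=intra
nslcd: [495cff] <passwd(all)> CN=nslcd-connect,CN=Users,DC=acasta,DC=intra: uidNumber: missing
nslcd: [495cff] <passwd(all)> DEBUG: ldap_result(): end of results (2 total)
nslcd: [8b4567] <passwd(all)> DEBUG: myldap_search(base="DC=acasta,DC=intra", filter="(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))")
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_result(): end of results (0 total)
'''

LINE = re.compile(r'^nslcd: \[(\w+)\] <[^>]+> (?:DEBUG: )?(.*)$')
SEARCH = re.compile(r'myldap_search\(base="([^"]*)", filter="(.*)"\)$')
TOTAL = re.compile(r'ldap_result\(\): end of results \((\d+) total\)$')
MISSING = re.compile(r'^(.+): (\w+): missing$')
PRESENCE = re.compile(r'\((\w+)=\*\)')  # (attr=*) presence test

# Returns (searches, missing): one dict per search; attr -> set of DNs lacking it.
def parse(log):
    searches, missing, open_search = [], {}, {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid, msg = m.groups()
        if s := SEARCH.search(msg):
            open_search[sid] = {"base": s[1], "filter": s[2], "total": None}
            searches.append(open_search[sid])
        elif (t := TOTAL.search(msg)) and sid in open_search:
            open_search[sid]["total"] = int(t[1])
        elif x := MISSING.match(msg):
            missing.setdefault(x[2], set()).add(x[1])
    return searches, missing

def diagnose(log):
    searches, missing = parse(log)
    findings = []
    for s in searches:
        if s["total"] != 0:
            continue
        # Every (attr=*) is treated as mandatory: true for pure AND filters
        # like the one in this thread, not for filters using | or !.
        required = PRESENCE.findall(s["filter"])
        hits = {a: sorted(missing[a]) for a in required if a in missing}
        findings.append({"filter": s["filter"], "required": required, "missing": hits})
    return findings
```

Calling `diagnose()` on a saved debug capture returns one finding per empty search; an attribute listed under `required` but not under `missing` was simply never reported by nslcd in that capture.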