[Samba] Cannot bind to AD using nslcd

Rob Mason rob.mason at acasta.co.uk
Wed Nov 19 11:19:58 MST 2014


Thanks - my nslcd appears to be _almost_ working!!  Debug shows:

nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=18724 uid=0 gid=0
nslcd: [8b4567] <passwd(all)> DEBUG:
myldap_search(base="DC=acasta,DC=intra",
filter="(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))")
nslcd: [8b4567] <passwd(all)> DEBUG:
ldap_initialize(ldap://kepler.acasta.intra/)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [8b4567] <passwd(all)> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd(all)> DEBUG:
ldap_simple_bind_s("CN=nslcd-connect,CN=Users,DC=acasta,DC=intra","***")
(uri="ldap://kepler.acasta.intra/")
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_result(): end of results (0 total)

When I use 'getent passwd', I do not see any domain accounts.  I
expected to see 'Administrator' and 'nslcd-connect' domain accounts
listed.  I only get Unix accounts.




On 19/11/2014 17:48, Min Wai Chan wrote:
> You should be using this.
>
> if you are using ldap and not Kerberos
>
> pagesize 1000
> referrals off
> idle_timelimit 800
> filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
> map    passwd uid              sAMAccountName
> map    passwd homeDirectory    unixHomeDirectory
> map    passwd gecos            displayName
> filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
> map    shadow uid              sAMAccountName
> map    shadow shadowLastChange pwdLastSet
> filter group  (objectClass=group)
>
>
> On Thu, Nov 20, 2014 at 1:45 AM, Rob Mason <rob.mason at acasta.co.uk> wrote:
>
>> A little further forward!  I've re-provisioned the domain and re-created
>> the new 'nslcd-connect' user just to be sure.
>>
>> 'binddn' is now working - but is complaining about 'uidNumber'. I think
>> this is now just a mapping issue.  Anyone??
>>
>> nslcd: [495cff] <passwd(all)> DEBUG:
>> myldap_search(base="CN=Users,DC=acasta,DC=intra",
>> filter="(objectClass=user)")
>> nslcd: [495cff] <passwd(all)> DEBUG: ldap_result():
>> CN=Administrator,CN=Users,DC=acasta,DC=intra
>> nslcd: [495cff] <passwd(all)>
>> CN=Administrator,CN=Users,DC=acasta,DC=intra: uidNumber: missing
>> nslcd: [495cff] <passwd(all)> DEBUG: ldap_result():
>> CN=nslcd-connect,CN=Users,DC=acasta,DC=intra
>> nslcd: [495cff] <passwd(all)>
>> CN=nslcd-connect,CN=Users,DC=acasta,DC=intra: uidNumber: missing
>> nslcd: [495cff] <passwd(all)> DEBUG: ldap_result():
>> CN=krbtgt,CN=Users,DC=acasta,DC=intra
>> nslcd: [495cff] <passwd(all)> CN=krbtgt,CN=Users,DC=acasta,DC=intra:
>> uidNumber: missing
>> nslcd: [495cff] <passwd(all)> DEBUG: ldap_result():
>> CN=Guest,CN=Users,DC=acasta,DC=intra
>> nslcd: [495cff] <passwd(all)> CN=Guest,CN=Users,DC=acasta,DC=intra:
>> uidNumber: missing
>> nslcd: [495cff] <passwd(all)> DEBUG: ldap_result(): end of results (4
>> total)
>>
>> The full nslcd.conf is here:
>>
>> uid nslcd
>> gid nslcd
>> uri ldap://kepler.acasta.intra/
>> base CN=Users,DC=acasta,DC=intra
>> binddn CN=nslcd-connect,CN=Users,DC=acasta,DC=intra
>> bindpw xxxxxxxx
>> pagesize 1000
>> referrals off
>> filter  passwd  (objectClass=user)
>> filter  group   (objectClass=group)
>> map     passwd  uid                sAMAccountName
>> map     passwd  homeDirectory      unixHomeDirectory
>> map     passwd  gecos              displayName
>> map     passwd  gidNumber          primaryGroupID
>> map     passwd  uidNumber          uidNumber
>> #map     group   uniqueMember       member
>>
>>
>>
>>
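
Added example, not part of the original thread and not nss-pam-ldapd code: a small Python parser for nslcd debug output of the shape quoted above. It rejoins mail-wrapped lines, then reports per request the search base and filter, the entry count, and which DNs were logged with a missing attribute. The domain `example.intra`, the sample log and the function names `unwrap`, `summarize` and `diagnose` are assumptions made for illustration.

```python
import re

# Constructed sample in the shape of the nslcd debug output quoted in this thread,
# including mail-client line wrapping. The domain and DNs are placeholders.
SAMPLE_LOG = """\
nslcd: [495cff] <passwd(all)> DEBUG:
myldap_search(base="CN=Users,DC=example,DC=intra",
filter="(objectClass=user)")
nslcd: [495cff] <passwd(all)> CN=Administrator,CN=Users,DC=example,DC=intra: uidNumber: missing
nslcd: [495cff] <passwd(all)> DEBUG: ldap_result(): end of results (1
total)
nslcd: [8b4567] <passwd(all)> DEBUG: myldap_search(base="DC=example,DC=intra", filter="(&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*))")
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_result(): end of results (0 total)
"""

LINE = re.compile(r"^nslcd: \[([0-9a-f]+)\] <[^>]+> (?:DEBUG: )?(.*)$")
SEARCH = re.compile(r'myldap_search\(base="([^"]*)",\s*filter="(.*)"\)$')
MISSING = re.compile(r"^(.+): ([A-Za-z][\w-]*): missing$")
END = re.compile(r"end of results \((\d+)\s+total\)")

def unwrap(text):
    """Rejoin wrapped lines: text not starting with 'nslcd:' continues the previous line."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("nslcd:") or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def summarize(text):
    """Per request id: search base and filter, entry count, (DN, attribute) pairs logged as missing."""
    reqs = {}
    for m in filter(None, map(LINE.match, unwrap(text))):
        r = reqs.setdefault(m[1], {"base": None, "filter": None, "total": None, "missing": []})
        if s := SEARCH.search(m[2]):
            r["base"], r["filter"] = s[1], s[2]
        elif e := END.search(m[2]):
            r["total"] = int(e[1])
        elif x := MISSING.match(m[2]):
            r["missing"].append((x[1], x[2]))
    return reqs

def diagnose(r):
    if r["total"] == 0:
        return "filter matched nothing under " + r["base"]
    if r["total"] is not None and len(r["missing"]) >= r["total"]:
        return "all entries lack " + ", ".join(sorted({a for _, a in r["missing"]}))
    return "ok"
```

Calling `diagnose()` on each value of `summarize(log_text)` separates the two situations seen in this thread: a search that returns entries which all lack `uidNumber`, and a stricter filter that returns no entries at all.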



