[Samba] What is the equivalent of net idmap secret in samba 4.2 ?
M.P.COOKE at bham.ac.uk
Thu Feb 4 12:29:36 UTC 2016
Isn’t it always the way that you find what you need after posting a question:
net idmap set secret '*' password
From: Mark Cooke
Sent: 04 February 2016 11:43
To: 'samba at lists.samba.org'
Subject: What is the equivalent of net idmap secret in samba 4.2 ?
The documented command in net(8) for setting the LDAP password appears to have gone away in the refactoring between samba 4.1 and 4.2:
# net idmap secret * password
Invalid command: net idmap secret
Does someone have a pointer to a method to set the ldap auth credentials with samba 4.2?
Domain member server 1 – originally set up using SL7.0, samba 4.1, hosting the ldap server, winbind, bound to AD, net idmap secret * worked fine:
# yum install samba-winbind samba-winbind-clients pam_krb5
# authconfig --enablekrb5 --krbkdc=dc.domain --krb5adminserver=dc.domain --krb5realm=REALM --enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=REALM --smbservers=dc.domain --smbworkgroup=WORKGROUP --winbindtemplatehomedir=/path/%U --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --update
# net ads join -U account
Updated the winbind related settings in /etc/samba/smb.conf for ldap backend (see below), and set the idmap LDAP password using: net idmap secret '*' password.
The same process fails on the new server, which is a fully patched Scientific Linux 7.1. Comparing samba package versions shows that SL7.0 shipped with samba 4.1 and SL7.1 is currently using samba 4.2.
I then went back to the existing domain member server, and as it is fully patched and running samba 4.2, ‘net idmap’ is failing in the same way as the new server.
I have also tried using ‘smbpassword -W’ but that says ldap admin dn isn’t defined.
As I haven’t been able to set the credentials, my log.winbindd-idmap is showing:
[2016/02/04 10:13:06.731517, 0] ../source3/winbindd/idmap_ldap.c:95(get_credentials)
get_credentials: Unable to fetch auth credentials for cn=Manager,ou=idmap in *
workgroup = WORKGROUP
password server = dc.domain
realm = REALM
security = ads
idmap config * : range = 16777216-33554431
template homedir = /path/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = false
idmap config * : backend = ldap
idmap config * : ldap_url = ldaps://ldap-server/
idmap config * : ldap_base_dn = ou=idmap
idmap config * : ldap_user_dn = cn=Manager,ou=idmap
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind offline logon = yes
winbind cache time = 600
winbind expand groups = 5
server string = Samba Server Version %v
max protocol = SMB2
passdb backend = tdbsam
load printers = yes
cups options = raw
# rpm -qa | grep samba | sort
I could go back and install SL7.0, do the samba setup, set the credentials and then update, but that would still leave me with an issue if I needed to change the LDAP password at a future point.
Thanks for any help!
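Added example, not part of the original post: a Python triage helper that reads the `idmap config` lines from smb.conf, matches them against the `get_credentials` failure in log.winbindd-idmap, and lists the `net idmap set secret` command needed for each domain still lacking a stored bind password. The function names are hypothetical, the sample input is constructed from the lines quoted in the post, and `<password>` is a placeholder.

```python
import re

# Constructed sample input: smb.conf lines and the log entry quoted in the post.
SMB_CONF = """\
[global]
idmap config * : backend = ldap
idmap config * : ldap_url = ldaps://ldap-server/
idmap config * : ldap_base_dn = ou=idmap
idmap config * : ldap_user_dn = cn=Manager,ou=idmap
"""
WINBIND_LOG = """\
[2016/02/04 10:13:06.731517, 0] ../source3/winbindd/idmap_ldap.c:95(get_credentials)
get_credentials: Unable to fetch auth credentials for cn=Manager,ou=idmap in *
"""

IDMAP_OPT = re.compile(r"^idmapconfig(.+):(\w+)$", re.IGNORECASE)
CRED_FAIL = re.compile(r"get_credentials: Unable to fetch auth credentials for (.+) in (\S+)\s*$")


def ldap_bind_dns(conf_text):
    """Return {idmap domain: bind DN} for each 'idmap config' domain on the ldap backend."""
    domains = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        name, value = line.split("=", 1)  # only the first '=' separates name from value
        # smb.conf(5): parameter names ignore case and whitespace.
        match = IDMAP_OPT.match("".join(name.split()))
        if match:
            domains.setdefault(match.group(1).upper(), {})[match.group(2).lower()] = value.strip()
    return {d: o["ldap_user_dn"] for d, o in domains.items()
            if o.get("backend", "").lower() == "ldap" and "ldap_user_dn" in o}


def missing_secrets(conf_text, log_text):
    """Return sorted (domain, DN) pairs that are configured and logged as lacking a stored secret."""
    wanted = ldap_bind_dns(conf_text)
    failed = {(m.group(2).upper(), m.group(1)) for m in map(CRED_FAIL.search, log_text.splitlines()) if m}
    return sorted((d, dn) for d, dn in failed if wanted.get(d) == dn)


def fix_commands(conf_text, log_text):
    """Build the 'net idmap set secret' command from the post for each pair found."""
    return [f"net idmap set secret '{d}' <password>" for d, _ in missing_secrets(conf_text, log_text)]


if __name__ == "__main__":
    print("\n".join(fix_commands(SMB_CONF, WINBIND_LOG)))
```
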