[Samba] Samba + ldap + cannot find domain
Harry Jede
walk2sun at arcor.de
Fri Feb 19 12:28:35 UTC 2016
Hi Rowland,
hi Dave
On 11:51:17 wrote Rowland penny:
> On 19/02/16 01:53, Dave Beach wrote:
> > So this got me thinking that maybe a chunk of my problem is with
> > LDAP itself on the server.
Yes, you are right. But it is really only a piece of the problem. You
are coming from the 3.5 version of samba. Early in 3.6 some things have
changed.
> > Executing "slapcat" shows me what I
> > believe to be the correct content, including what looks like
> > appropriate content underneath the following:
> >
> > dn: sambaDomainName=DRBHOME,dc=drbhome,dc=ca
> >
> > That seems to answer the question about whether the domain info is
> > actually there.
> >
> >>> Can you also post the log where it shows asking for the wrong
> >>> domain.
> >>
> >> Now looking for the correct domain, but still throwing an error
> >> (leaving off earlier log lines that don't seem to be relevant to
> >> the problem, and don't indicate any errors):
> >>
> >> [2016/02/18 20:12:07.200064, 2]
> >> ../source3/lib/interface.c:341(add_interface)
> >>
> >> added interface eth1 ip=192.168.2.1 bcast=192.168.2.255
> >> netmask=255.255.255.0
> >>
> >> [2016/02/18 20:12:07.209878, 3]
> >> ../source3/smbd/server.c:1248(main)
> >>
> >> loaded services
> >>
> >> [2016/02/18 20:12:07.211751, 3]
> >> ../source3/smbd/server.c:1280(main)
> >>
> >> Becoming a daemon.
> >>
> >> [2016/02/18 20:12:07.216706, 2]
> >> ../source3/passdb/pdb_ldap_util.c:280(smbldap_search_domain_info)
> >>
> >> smbldap_search_domain_info: Searching
> >> for:[(&(objectClass=sambaDomain)(sambaDomainName=DRBHOME))]
> >>
> >> [2016/02/18 20:12:07.222064, 2]
> >> ../source3/lib/smbldap.c:794(smbldap_open_connection)
> >>
> >> smbldap_open_connection: connection opened
> >>
> >> [2016/02/18 20:12:07.228496, 3]
> >> ../source3/lib/smbldap.c:1013(smbldap_connect_system)
> >>
> >> ldap_connect_system: successful connection to the LDAP server
> >>
> >> [2016/02/18 20:12:07.229369, 2]
> >> ../source3/passdb/pdb_ldap_util.c:287(smbldap_search_domain_info)
> >>
> >> smbldap_search_domain_info: Problem during LDAPsearch: No such
> >> object
> >>
> >> [2016/02/18 20:12:07.229595, 2]
> >> ../source3/passdb/pdb_ldap_util.c:288(smbldap_search_domain_info)
> >>
> >> smbldap_search_domain_info: Query was: dc=drbhome,dc=ca,
> >> (&(objectClass=sambaDomain)(sambaDomainName=DRBHOME))
> >>
> >> [2016/02/18 20:12:07.229709, 0]
> >> ../source3/passdb/pdb_ldap.c:6529(pdb_ldapsam_init_common)
> >>
> >> pdb_init_ldapsam: WARNING: Could not get domain info, nor add
> >> one to the domain. We cannot work reliably without it.
This is the important message from smbd.
1. domain info not found
2. unable to set domain info
3. without domain info this ldap server is not our auth source

Your second migration problem, which pops up here, is that the "smbldap
tools" could not handle "setting domain info" (which is a self join
command) and is required since the early samba 3.6 versions.
So, to make it fly:
Add these two statements

    ldapsam:trusted = yes
    ldapsam:editposix = yes

to your smb.conf and restart samba. smbldap tools are now disabled, even
if the "user/group add/del/modify" statements still are in smb.conf.

Verify that "domain info" is set. Compare the sid with the output from:

    net getdomainsid
    net getlocalsid

Some hints:
1. to debug the ldap queries set olcloglevel to 256 aka filter in slapd
2. After the join is successful disable ldapsam:editposix and restart
samba. This is a must have! smbd does not honor some settings
(ldap group suffix,
ldap idmap suffix,
ldap machine suffix,
ldap user suffix) in smb.conf. If you have set olcloglevel you can see
what happens with

    tail -f /var/log/syslog

3. if you wish to go with ldapsam:editposix (much faster than smbldap
tools) you need to move some objects in ldap

> >> [2016/02/18 20:12:07.229806, 0]
> >> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
> >>
> >> pdb backend ldapsam did not correctly init (error was
> >> NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
>
> OK, try running this on the Samba/ldap server:
>
> ldapsearch -h 127.0.0.1 -D cn=admin,dc=drbhome,dc=ca -w -b
> "dc=drbhome,dc=ca" -s sub
> "(&(objectClass=sambaDomain)(sambaDomainName=DRBHOME))"
> sambaDomainName
>
> Can you post the result.
>
> Rowland
--
Regards
Harry Jede
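
The verification step described in the message above (compare the SID in the LDAP domain info with the output of `net getdomainsid` and `net getlocalsid`) can be scripted. This is an added example, not part of the original message; the function names, the host name PDC1 and the sample SID are made up, and it assumes a PDC where all three SIDs are expected to be identical.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that the SID stored in
# the sambaDomain LDAP entry matches what "net getdomainsid" and
# "net getlocalsid" report. The sample data below is constructed.

# Print the distinct domain SIDs (S-1-5-21-x-y-z) found in the text given as $1.
sids_in() {
    printf '%s\n' "$1" | grep -Eo 'S-1-5-21(-[0-9]+){3}' | sort -u
}

# check_sids NET_GETDOMAINSID_OUTPUT NET_GETLOCALSID_OUTPUT LDIF_OF_SAMBADOMAIN
# Returns 0 if every SID matches sambaSID, 1 on mismatch, 2 if a SID is missing.
check_sids() {
    ldap_sid=$(printf '%s\n' "$3" | sed -n 's/^sambaSID: *//p' | head -n 1)
    if [ -z "$ldap_sid" ]; then
        echo "no sambaSID in LDAP entry: domain info is not set"
        return 2
    fi
    for out in "$1" "$2"; do
        found=$(sids_in "$out")
        if [ -z "$found" ]; then
            echo "net reported no SID"
            return 2
        fi
        for sid in $found; do
            if [ "$sid" != "$ldap_sid" ]; then
                echo "mismatch: net reports $sid, LDAP has $ldap_sid"
                return 1
            fi
        done
    done
    echo "ok: $ldap_sid"
}

# Constructed sample input (the SID and the host name PDC1 are made up).
SAMPLE_SID='S-1-5-21-1111111111-2222222222-3333333333'
SAMPLE_DOMAINSID="SID for local machine PDC1 is: $SAMPLE_SID
SID for domain DRBHOME is: $SAMPLE_SID"
SAMPLE_LOCALSID="SID for domain PDC1 is: $SAMPLE_SID"
SAMPLE_LDIF="dn: sambaDomainName=DRBHOME,dc=drbhome,dc=ca
objectClass: sambaDomain
sambaDomainName: DRBHOME
sambaSID: $SAMPLE_SID"

check_sids "$SAMPLE_DOMAINSID" "$SAMPLE_LOCALSID" "$SAMPLE_LDIF"

# On the server itself (as root), feed it the live output instead:
# check_sids "$(net getdomainsid)" "$(net getlocalsid)" \
#     "$(slapcat -a '(objectClass=sambaDomain)')"
```

A return code of 2 with "no sambaSID in LDAP entry" corresponds to the "Could not get domain info" state in the smbd log quoted above.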