[Samba] Fwd: Migrating server
Harry Jede
walk2sun at arcor.de
Thu Mar 1 15:20:09 UTC 2018
On Thursday, 1 March 2018, 16:05:36 CET, Rob Thoman via samba wrote:
> Yes please for the notes.
>
> I re-ran the tests without the smbldap-tools. I installed phpldapadmin
> and am able to login to the apache page using the cn=admin,
> dn=mydomain and create entries. This kind of tells me that LDAP is
> working
>
> Then I run the pdbedit -Lv and it lists all the users.
>
> The following happens when I add the LDAP bits to smb.conf and restart
> samba. The issue seems to be with samba and ldap integration. Just to
> re-iterate, we have samba 3.6. The following errors keep coming up.
>
> pdbedit -Lv
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
> smbldap_open_connection: connection opened
> add_new_domain_info: failed to add domain dn=
> sambaDomainName=MYDOMAIN,dc=mydomain with: Invalid DN syntax
> invalid DN
> smbldap_search_domain_info: Adding domain info for MYDOMAIN failed
> with NT_STATUS_UNSUCCESSFUL
> pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to
> the domain
> pdb_init_ldapsam: Continuing on regardless, will be unable to allocate
> new users/groups, and will risk BDCs having inconsistent SIDs
>
>
> obey pam restrictions = no
> dns forwarder = 8.8.8.8
> passdb backend = ldapsam:ldap://sam3dc.mydomain/
> ldap admin dn = cn=admin,dc=mydomain
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap passwd sync = yes
> ldap suffix = dc=mydomain
> ldap user suffix = ou=Users
> ldap ssl = off
> ldap passwd sync = yes
>
> /etc/ldap/ldap.conf
> BASE dc=mydomain
> URI ldap://sam3dc.mydomain ldap://sam3dc.mydomain:666
This line is wrong, I assume, but let us verify how your ldap server is started:
$ cat /proc/$(pidof slapd)/cmdline|xargs -0 ;echo
/usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
I do not have a server on port 666 and you may not either.
If you have a listener on ldapi, show us the base:
$ ldapsearch -xLLL -s base -b dc=kronprinz,dc=xx +
dn: dc=kronprinz,dc=xx
structuralObjectClass: organization
entryUUID: 4f120bb2-1ec1-1033-881e-8177fc263f99
creatorsName: cn=admin,dc=kronprinz,dc=xx
createTimestamp: 20140131124529Z
entryCSN: 20140131124529.134733Z#000000#000#000000
modifiersName: cn=admin,dc=kronprinz,dc=xx
modifyTimestamp: 20140131124529Z
entryDN: dc=kronprinz,dc=xx
subschemaSubentry: cn=Subschema
hasSubordinates: TRUE
Your cmd should look like:
$ ldapsearch -xLLL -s base -b dc=mydomain +
As root user, let us check if you have loaded the samba schema:
# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'olcAttributeTypes=*' dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
On this machine the samba schema is *not loaded*.
Here it is, along with some other useful schemas:
# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'olcAttributeTypes=*' dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: cn={4}corba,cn=schema,cn=config
dn: cn={6}samba,cn=schema,cn=config
dn: cn={7}dhcp,cn=schema,cn=config
dn: cn={8}quota,cn=schema,cn=config
check your secrets.tdb in /var/lib/samba
# tdbdump secrets.tdb |egrep 'SID|LDAP'
key(16) = "SECRETS/SID/ALIX"
key(18) = "SECRETS/SID/SCHULE"
key(45) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=afrika,dc=xx"
key(16) is the hostname,
key(18) is the netbios domain name, both in upper case,
key(45) is the admin DN of your ldap server and should contain the admin password, like:
data(8) = "secrets\00"
And check that this ldap server is authoritative for your samba domain (-W prompts for the bind password):
# ldapsearch -xLLL -b dc=afrika,dc=xx -s sub -D cn=admin,dc=afrika,dc=xx -W 'sambadomainname=*'
dn: sambaDomainName=SCHULE,dc=afrika,dc=xx
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: SCHULE
sambaSID: S-1-5-21-1507708399-2130971284-2230424465
sambaAlgorithmicRidBase: 1000
sambaNextRid: 100000
sambaNextUserRid: 2000
sambaNextGroupRid: 100000
uidNumber: 10001
gidNumber: 2000
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
The important attributes are objectClass, sambaDomainName and sambaSID.
And please, show us the important sections of your smb.conf. Perhaps in a private mail:
# cat /etc/samba/smb.conf| egrep -v '^[[:space:]]*#|^;|^$'
[global]
server string = Schulserver %h
workgroup = SCHULE
netbios name = alix
interfaces = lo 10.100.0.1/255.255.0.0
bind interfaces only = Yes
hosts allow = 127. 10.100.
unix extensions = yes
time server = yes
case sensitive = no
preserve case = yes
short preserve case = yes
logon script = logon.bat %u %U %a %g %G %m
logon path = \\%L\profile\%G\%U\%a
logon drive = L:
logon home = \\%L\profile\%G\%U\%a
domain logons = yes
domain master = yes
local master = yes
os level = 99
preferred master = yes
passdb backend = ldapsam
ldap passwd sync = yes
pam password change = yes
security = user
ldap suffix = dc=afrika,dc=xx
ldap admin dn = cn=admin,dc=afrika,dc=xx
ldap group suffix = ou=groups
ldap user suffix = ou=people,ou=accounts
ldap machine suffix = ou=machines,ou=accounts
passwd program = /usr/sbin/smbldap-passwd %u
add machine script = /usr/local/sbin/delixs-smb-useradd "%u"
ldap delete dn = yes
ldap ssl = no
ldap passwd sync = yes
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully*
encrypt passwords = true
dns proxy = no
wins support = yes
admin users = adm, root, Administrator
enable privileges = yes
guest account = nobody
mangled names = no
log level = 1
veto files = /*.eml/*.nws/riched20.dll/autorun.inf/
[netlogon]
comment = Anmeldeverzeichnis
browsable = yes
path = /etc/samba/scripts
public = yes
write list = adm, root
guest ok = yes
locking = no
root preexec = /etc/samba/exec/prelogon %u %U %a %g %G %m
[homes]
comment = Stammverzeichnis
browseable = no
read only = no
inherit permissions = yes
create mask = 0755
map hidden = yes
map system = yes
hide dot files = yes
wide links = no
This is *not* the best smb.conf you should have but it is a working one with smbldap tools.
Today samba is much faster with these settings and w/o smbldap:
ldapsam:trusted = yes
ldapsam:editposix = yes
> On Thu, Mar 1, 2018 at 10:51 AM, Rob Thoman <emailthomasrob at gmail.com>
> wrote:
> > Yes please
> >
> > On Wed, Feb 28, 2018 at 9:34 PM, Rowland Penny via samba <
> >
> > samba at lists.samba.org> wrote:
> >> On Wed, 28 Feb 2018 20:41:43 +1000
> >>
> >> Rob Thoman via samba <samba at lists.samba.org> wrote:
> >> > root at sam3dc # smbldap-populate
> >> > Use of qw(...) as parentheses is deprecated at /usr/share/perl5/
> >> > smbldap_tools.pm line 1423, <DATA> line 522.
> >> > Unable to open /etc/smbldap-tools/smbldap.conf for reading !
> >> > Compilation failed in require at /usr/sbin/smbldap-populate line
> >> > 30.
> >> > BEGIN failed--compilation aborted at /usr/sbin/smbldap-populate
> >> > line
> >> > 30.
> >>
> >> The problem is that smbldap-tools appears to be a dead project,
> >> last
> >> time I looked, it had disappeared from the internet.
> >> That's the bad news, the good news is, you do not need it ;-)
> >>
> >> You have (in your smb.conf):
> >>
> >> ldapsam:trusted = yes
> >> ldapsam:editposix = yes
> >>
> >> With these lines, Samba itself can admin ldap, I can provide you
> >> with
> >> some notes I made last year when testing this very subject,
> >> interested ?
> >>
> >> > The file in question doesn't even exist. Any ideas?
> >> >
> >> > Also, in one of the samba list articles, I read that we'll need
> >> > to run pdbedit -i tdbsam -e ldapsam to import the info from tdb
> >> > to ldap. When do we do this one?
> >>
> >> Presumably, once you get your PDC up and running, the how is a
> >> question I cannot answer ;-)
> >>
> >> Rowland
> >>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
--
Regards
Harry Jede
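The checks walked through above (DN syntax of the ldap suffix and admin dn, the sambaDomainName entry DN that add_new_domain_info tries to add, the SID and LDAP_BIND_PW keys in secrets.tdb) can also be run offline against the config and the tdbdump output. The following is an added example written for this thread; it is not Samba's code and not code from any poster. It parses an smb.conf [global] section and `tdbdump secrets.tdb` output and reports inconsistencies; it does not contact the LDAP server. The sample smb.conf and tdbdump lines are constructed, modelled on the fragments quoted in the thread.

```python
"""Offline consistency checks for a Samba 3 ldapsam setup (example code,
not Samba's own): well-formed DNs, admin DN under the ldap suffix, a
parseable sambaDomainName entry DN, and the expected secrets.tdb keys."""
import re
from urllib.parse import urlsplit

# Constructed sample input, modelled on the smb.conf fragment and the
# tdbdump output quoted in the thread; not real output from any server.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = MYDOMAIN
   netbios name = sam3dc
   passdb backend = ldapsam:ldap://sam3dc.mydomain/
   ldap admin dn = cn=admin,dc=mydomain
   ldap suffix = dc=mydomain
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap passwd sync = yes
   ldap ssl = off
   ldap passwd sync = yes
"""
SAMPLE_TDBDUMP = """\
key(18) = "SECRETS/SID/SAM3DC"
key(20) = "SECRETS/SID/MYDOMAIN"
key(41) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=mydomain"
data(8) = "secrets\\00"
"""
_RDN = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)=(.+)$')
_TDB_KEY = re.compile(r'^key\(\d+\) = "(.*)"$')


def parse_smb_conf(text):
    """Return {section: {key: [value, ...]}}; keys are lower-cased and every
    occurrence of a repeated key is kept so duplicates can be reported."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif '=' in line and section is not None:
            key, value = line.split('=', 1)
            conf[section].setdefault(' '.join(key.split()).lower(), []).append(value.strip())
    return conf


def parse_dn(dn):
    """Split an RFC 4514 string DN into [(attr, value), ...] (lower-cased for
    comparison), honouring backslash escapes; raises ValueError on an empty or
    malformed RDN. Single-valued RDNs only, which is all ldapsam uses."""
    rdns, buf, i = [], '', 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):   # keep escaped char with its escape
            buf, i = buf + dn[i:i + 2], i + 2
            continue
        if dn[i] == ',':
            rdns.append(buf)
            buf = ''
        else:
            buf += dn[i]
        i += 1
    rdns.append(buf)
    parsed = []
    for rdn in rdns:
        m = _RDN.match(rdn.strip())
        if not m:
            raise ValueError(f'invalid DN syntax: {dn!r} (bad RDN {rdn!r})')
        parsed.append((m.group(1).lower(), m.group(2).lower()))
    return parsed


def _last(conf, key):
    """Last value of a [global] key (Samba keeps the last one), or None."""
    return conf.get('global', {}).get(key, [None])[-1]


def check_ldapsam(conf):
    """Findings for the ldapsam settings in [global]; empty list = consistent."""
    g = conf.get('global', {})
    findings = [f"duplicate key '{k}' ({len(v)} occurrences)" for k, v in g.items() if len(v) > 1]
    suffix = _last(conf, 'ldap suffix')
    if suffix is None:
        return findings + ['ldap suffix is not set']
    try:
        suffix_rdns = parse_dn(suffix)
    except ValueError as err:
        return findings + [str(err)]
    admin = _last(conf, 'ldap admin dn')
    if admin is None:
        findings.append('ldap admin dn is not set')
    else:
        try:
            if parse_dn(admin)[-len(suffix_rdns):] != suffix_rdns:
                findings.append(f'ldap admin dn {admin!r} is not under ldap suffix {suffix!r}')
        except ValueError as err:
            findings.append(str(err))
    # Relative suffixes, plus the entry DN Samba builds for the domain
    # (sambaDomainName=<WORKGROUP>,<ldap suffix>, as in the quoted log).
    workgroup = _last(conf, 'workgroup') or 'UNKNOWN'
    candidates = [_last(conf, k) for k in ('ldap user suffix', 'ldap group suffix',
                                           'ldap machine suffix', 'ldap idmap suffix')]
    candidates.append(f'sambaDomainName={workgroup.upper()},{suffix}')
    for dn in filter(None, candidates):
        try:
            parse_dn(dn)
        except ValueError as err:
            findings.append(str(err))
    backend = _last(conf, 'passdb backend') or ''
    if backend.startswith('ldapsam:') and urlsplit(backend[8:]).scheme not in ('ldap', 'ldaps', 'ldapi'):
        findings.append(f'unsupported ldapsam URL in passdb backend: {backend!r}')
    return findings


def check_secrets(tdbdump_text, conf):
    """Check tdbdump output for the host SID, domain SID and LDAP bind
    password keys that a working ldapsam PDC has in secrets.tdb."""
    keys = {m.group(1) for m in map(_TDB_KEY.match, map(str.strip, tdbdump_text.splitlines())) if m}
    wanted = {
        'host SID': f"SECRETS/SID/{(_last(conf, 'netbios name') or '').upper()}",
        'domain SID': f"SECRETS/SID/{(_last(conf, 'workgroup') or '').upper()}",
        'LDAP bind password': f"SECRETS/LDAP_BIND_PW/{_last(conf, 'ldap admin dn')}",
    }
    return [f'{name} missing: no key {key!r}' for name, key in wanted.items() if key not in keys]


if __name__ == '__main__':
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for finding in check_ldapsam(conf) + check_secrets(SAMPLE_TDBDUMP, conf):
        print('FINDING:', finding)
```

On the constructed sample the only finding is the duplicated `ldap passwd sync` key; a config whose admin dn sits outside the ldap suffix, or a secrets.tdb without the SID or LDAP_BIND_PW keys, produces one finding per problem. To run it on a real host, feed it the contents of smb.conf and the output of `tdbdump secrets.tdb` instead of the samples; the script never reads or prints the bind password itself, only whether the key exists.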