Hello,

Since I have trouble with ipasam, I am now trying to get ldapsam working.

I have an IPA user for the bind in smb.conf. The problem is that smb and winbind won't start because it wants to create the domain info. This user has no privilege for that.

My question is: what privilege does such a user need in IPA? Or is it perhaps possible to run ipa-adtrust-install --add-sids on this Samba server (which is not an IPA master)?

Part of my smb.conf:

###################################################
# Global parameters
[global]
    create krb5 conf = No
    dedicated keytab file = /etc/samba/samba.keytab
    disable spoolss = Yes
    domain logons = Yes
    domain master = Yes
    kerberos method = dedicated keytab
    ldap debug level = 99
    ldap group suffix = cn=groups,cn=accounts
    ldap machine suffix = cn=computers,cn=accounts
    ldap ssl = no
    ldap suffix = dc=example,dc=com
    ldap user suffix = cn=users,cn=accounts
    ldap admin dn = uid=samba_admin,cn=users,cn=accounts,dc=example,dc=com
    #log level = 99
    log level = 1
    log file = /var/log/samba/log.%m
    max log size = 100000
    # passdb backend = ipasam:ldaps://rotte.example.com
    passdb backend = ldapsam:ldap://rotte.example.com
    realm = EXAMPLE.COM
    registry shares = Yes
    security = USER
    workgroup = EXAMPLE
    rpc_daemon:lsasd = fork
    rpc_daemon:epmd = fork
    rpc_server:tcpip = yes
    rpc_server:netlogon = external
    rpc_server:samr = external
    rpc_server:lsasd = external
    rpc_server:lsass = external
    rpc_server:lsarpc = external
    #rpc_server:epmapper = external
    ldapsam:trusted = yes
    idmap config * : backend = tdb
###################################################

The error I'm getting is:

###################################################
[2022/10/17 10:28:05.097093, 0] ../../source3/passdb/pdb_ldap_util.c:313(smbldap_search_domain_info)
  smbldap_search_domain_info: Adding domain info for EXAMPLE failed with NT_STATUS_UNSUCCESSFUL
[2022/10/17 10:28:05.097202, 0] ../../source3/passdb/pdb_ldap.c:6754(pdb_ldapsam_init_common)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2022/10/17 10:28:05.097307, 0] ../../source3/passdb/pdb_interface.c:181(make_pdb_method_name)
  pdb backend ldapsam:ldap://rotte.example.com did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2022/10/17 10:28:05.097524, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
  exit_daemon: daemon failed to start: Failed to initialize passdb backend! Check the 'passdb backend' variable in your smb.conf file., error code 22
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/openldap/ldap.conf
ldap_init: using /etc/openldap/ldap.conf
ldap_url_parse_ext(ldaps://rotte.example.com)
ldap_init: HOME env is NULL
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
[2022/10/17 10:41:56.487397, 0] ../../source3/winbindd/winbindd.c:1723(main)
  winbindd version 4.16.4 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2022/10/17 10:41:56.487826, 1] ../../lib/param/loadparm.c:1766(lpcfg_do_global_parameter)
  lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2022/10/17 10:41:56.509672, 1] ../../source3/passdb/pdb_ldap_util.c:235(add_new_domain_info)
  add_new_domain_info: failed to add domain dn= sambaDomainName=EXAMPLE,dc=example,dc=com with: Insufficient access
  Insufficient 'add' privilege to add the entry 'sambaDomainName=EXAMPLE,dc=example,dc=com'.
[2022/10/17 10:41:56.509704, 0] ../../source3/passdb/pdb_ldap_util.c:313(smbldap_search_domain_info)
  smbldap_search_domain_info: Adding domain info for EXAMPLE failed with NT_STATUS_UNSUCCESSFUL
[2022/10/17 10:41:56.509731, 0] ../../source3/passdb/pdb_ldap.c:6754(pdb_ldapsam_init_common)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2022/10/17 10:41:56.509748, 0] ../../source3/passdb/pdb_interface.c:181(make_pdb_method_name)
  pdb backend ldapsam:ldap://rotte.example.com did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2022/10/17 10:41:56.509791, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
  exit_daemon: daemon failed to start: Failed to initialize passdb backend! Check the 'passdb backend' variable in your smb.conf file., error code 22
###################################################

--
Kees
_______________________________________________
FreeIPA-users mailing list -- [email protected]
