On Tuesday 18 January 2011 4:08:36 pm Jon Detert wrote:
> On Tue, Jan 18, 2011 at 2:35 PM, Gaiseric Vandal <[email protected]> wrote:
> > Nt- I don't use the "ldapsam:editposix" option myself, if I understand it correctly it means you don't have to precreate the underlying unix accounts.
>
> That is my understanding as well. I've never used it before, however.
>
> > However, I believe you still need to do the following
> >
> > Create a samba Administrator account
> > Create samba Domain Admins and Domain Users groups.
> > Explicitly specify the uid or username for the "guest" user.
> > Set ldap password for the idmap backend (net idmap secret thedomain xxxx )
>
> the log messages tend to support this belief.
>
> > "smbpasswd -w" sets the ldap password samba to access ldap for users and groups. But idmap needs the ldap password set as well eg.
>
> I don't understand that. There is no separate idmap process, afaik. Why can't the 'idmap' functionality get the same ldap credentials that smbd and winbindd evidently get from the smb.conf and the secrets.tdb files?
>
> > net idmap secret MYDOMAIN xxxx
> > net idmap secret alloc xxxx
>
> In any case, I tried the above, and got the same error for both commands:
>
> "The only currently supported backend is LDAP"
>
> My smb.conf has a line expressly saying "idmap backend = ldap:ldap://localhost". Does smbd have to be running before running the 'net idmap' commands? If so, I'm screwed, cuz now that I fixed the 'out=IDmap' typo, smbd dies immediately after trying to start it.
>
> Ideas?
>
> Thanks,
>
> Jon
>
> > I don't know if when using the "ldapsam:editposix" option you can use smbpasswd to create the user accounts.
> > Also, I used "net groupmap add...." to create the mappings between the samba Domain Admins group and the unix group by the same name.
> >
> > If it were me, I would also create local unix groups for "Domain Admins" (e.g. with gid 512), "Domain Users" etc and then use "net groupmap" to map the unix gids to the Windows well known id's.
> >
> > net groupmap add ntgroup="Domain Admins" unixgroup=512 rid=512 type=domain
> > net groupmap add ntgroup="Domain Users" unixgroup=513 rid=513 type=domain
> > net groupmap add ntgroup="Domain Guests" unixgroup=514 rid=514 type=domain
> > net groupmap add ntgroup="Domain Computers" unixgroup=515 rid=515 type=domain
> > net groupmap add ntgroup="Domain Controllers" unixgroup=516 rid=516 type=domain
> >
> > I would create a unix "Administrator" user in the "Domain Admins" group then use smbpasswd to create the samba Administrator account.
> >
> > I use Apache Directory Studio for browsing and editing ldap entries. You may find having a GUI ldap browser and editor really useful. You should be able to tell if your LDAP groups have unix gids and samba sids.
> >
> > This way you can get basic functionality working, then you can start troubleshooting windbind and idmap.
> >
> > On 01/18/2011 03:04 PM, Jon Detert wrote:
> > > Hello,
> > >
> > > I'm trying to use samba v3.3.8 on Centos 5.5 to act as a PDC, using ldap as the backend for users, groups, and computers. The ldap I'm using is Centos Directory Server v8.1.
> > >
> > > The setting is a new, never used before, installation of samba and ldap. There are no users other than what exists by default after a Centos install. The smb.conf contains what is my best guess for the desired goal.
> > >
> > > The problem at the moment (besides having to guess at what to put in smb.conf - see below) is that smbd exits about 2 minutes after I start it. Here are what I think are the relevant bits from the log.smbd:
> > >
> > > [2011/01/18 13:40:42, 2] lib/smbldap_util.c:smbldap_search_domain_info(277)
> > >   smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CHI))]
> > > [2011/01/18 13:40:42, 2] lib/smbldap.c:smbldap_open_connection(856)
> > >   smbldap_open_connection: connection opened
> > > [2011/01/18 13:40:42, 3] lib/smbldap.c:smbldap_connect_system(1067)
> > >   ldap_connect_system: successful connection to the LDAP server
> > > [2011/01/18 13:40:42, 4] lib/smbldap.c:smbldap_open(1143)
> > >   The LDAP server is successfully connected
> > > [2011/01/18 13:41:12, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1519)
> > >   ldapsam_getsampwnam: Unable to locate user [root] count=0
> > > [2011/01/18 13:41:42, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
> > >   ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=0))
> > > [2011/01/18 13:42:12, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
> > >   ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544))
> > > [2011/01/18 13:42:27, 3] groupdb/mapping.c:pdb_create_builtin_alias(786)
> > >   pdb_create_builtin_alias: Could not get a gid out of winbind
> > > [2011/01/18 13:42:27, 2] auth/token_util.c:create_local_nt_token(450)
> > >   WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?
> > > [2011/01/18 13:42:57, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
> > >   ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
> > > [2011/01/18 13:43:12, 1] passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2871)
> > >   User account [nobody] not found!
> > > [2011/01/18 13:43:12, 0] smbd/server.c:main(1404)
> > >   ERROR: failed to setup guest info.
> > >
> > > winbind is running. log.winbindd contains nothing useful to me. log.winbindd-idmap contains lines suggesting it can't bind to the ldap server:
> > >
> > > [2011/01/18 13:42:41, 2] lib/smbldap.c:smbldap_connect_system(1052)
> > >   failed to bind to server ldap://localhost with dn="uid=samba,ou=Special Users,dc=infinityhealthcare,dc=com" Error: Invalid credentials
> > >
> > > and
> > >
> > > [2011/01/18 13:42:49, 1] lib/smbldap.c:another_ldap_try(1231)
> > >   Connection to LDAP server failed for the 8 try!
> > >
> > > Why doesn't the smbd log say something equivalent? In fact, it suggests the opposite, saying that "The LDAP server is successfully connected".
> > >
> > > I did set the samba admin dn's password with the command "smbpasswd -W" before starting either winbindd or smbd, and also verified that it is correct using the command "ldapsearch -x -h localhost -s sub -b ou=people,dc=infinityhealthcare,dc=com -D "uid=samba,ou=Special Users,dc=infinityhealthcare,dc=com" -W".
> > >
> > > Any ideas or suggestions?
> > >
> > > Thanks,
> > >
> > > Jon
> > >
> > > The rest of this email is my smb.conf:
> > > =============================
> > > [global]
> > >
> > >     workgroup = CHI
> > >     server string = Samba Server Version %v
> > >
> > >     netbios name = SAMBAPDC
> > >
> > >     log file = /var/log/samba/log.%m
> > >     log level = 4
> > >     max log size = 50
> > >
> > >     security = user
> > >     passdb backend = ldapsam:ldap://localhost
> > >
> > >     domain master = yes
> > >     preferred master = yes
> > >     domain logons = yes
> > >     logon drive = N:
> > >     logon path = \\%L\Profiles\%u
> > >
> > >     logon script = %u.bat
> > >
> > >     ldap admin dn = "uid=samba,ou=Special Users,dc=infinityhealthcare,dc=com"
> > >     ldap user suffix = ou=People
> > >     ldap group suffix = ou=Groups
> > >     ldap idmap suffix = out=IDmap
> > >     ldap machine suffix = ou=Computers
> > >     ldap suffix = dc=infinityhealthcare,dc=com
> > >     ldap delete dn = no
> > >     ldapsam:trusted = yes
> > >     ldapsam:editposix = yes
> > >     ldap ssl = off
> > >     idmap backend = ldap:ldap://localhost
> > >     idmap uid = 5000-50000
> > >     idmap gid = 5000-50000
> > >     winbind enum groups = yes
> > >     winbind nested groups = yes
> > >     template shell = /sbin/nologin
> > >     template homedir = /home/%D/%U
> > >     winbind use default domain = yes
> > >
> > >     wins support = yes
> > >     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > >
> > > [homes]
> > >     comment = Home Directories
> > >     browseable = no
> > >     writable = yes
> > >
> > > [netlogon]
> > >     comment = Network Logon Service
> > >     path = /var/lib/samba/netlogon
> > >     guest ok = yes
> > >     writable = no
> > >     share modes = no
> >
> > --
I, too, ran into this very problem. I have a terrible short-term memory (can't even remember what I was doing an hour ago :-) ), and never write anything down, of course, so I'm not exactly sure what I did to correct the problem. But, try this:

Make sure perl-Net-LDAP is installed. Run "authconfig-tui". On the first page, choose "Use LDAP" from the left pane, and "Use LDAP Authentication" in the right pane. In the next page, add your LDAP server (e.g. ldap://myserver.mydomain.tld/), and your base DN. Click OK. IIRC, ncpd and portmap were closed in the process (they pose problems in this scenario). I'd restart Samba and LDAP.

HTH.

Dimitri
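Added example, not from anyone in this thread: a small Python triage that reads Samba 3 log entries like the log.smbd and log.winbindd-idmap lines Jon posted and turns the "not found" / "failed to bind" messages into a checklist of what the PDC expects in LDAP (users, sambaGroupMapping entries for the well-known SIDs, a working admin dn bind). It assumes the Samba 3 layout of a header line followed by an indented message; the sample log is constructed from the quoted lines with a placeholder base DN.

```python
import re

# Constructed sample: log.smbd / log.winbindd-idmap lines quoted above, re-wrapped as
# Samba 3 writes them (header line, then indented message); the base DN is a placeholder.
SAMPLE_LOG = """\
[2011/01/18 13:41:12, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1519)
  ldapsam_getsampwnam: Unable to locate user [root] count=0
[2011/01/18 13:42:12, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was
  (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544))
[2011/01/18 13:42:41, 2] lib/smbldap.c:smbldap_connect_system(1052)
  failed to bind to server ldap://localhost with dn="uid=samba,ou=Special Users,dc=example,dc=com" Error: Invalid credentials
[2011/01/18 13:43:12, 1] passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2871)
  User account [nobody] not found!
[2011/01/18 13:43:12, 0] smbd/server.c:main(1404)
  ERROR: failed to setup guest info.
"""
HEADER = re.compile(r"^\[([^,\]]+), (\d+)\] (\S+)$")

def parse_records(text):
    """Split a Samba 3 log into (timestamp, level, location, message) tuples, joining continuation lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m.group(1), int(m.group(2)), m.group(3), []])
        elif records:
            records[-1][3].append(line.strip())
    return [(ts, lvl, loc, " ".join(msg)) for ts, lvl, loc, msg in records]

# (pattern, finding category, detail template filled from the regex groups)
CHECKS = [
    (re.compile(r"Unable to locate user \[(\w+)\]"), "missing user", "{0}"),
    (re.compile(r"User account \[(\w+)\] not found"), "missing user", "{0}"),
    (re.compile(r"Did not find group, filter was .*\((sambaSID|gidNumber)=([^)]+)\)"),
     "missing group mapping", "{0}={1}"),
    (re.compile(r'failed to bind to server (\S+) with dn="([^"]+)" Error: (.+)'),
     "ldap bind failure", "{1} -> {0}: {2}"),
    (re.compile(r"failed to setup guest info"), "fatal", "guest account unresolvable, smbd exits"),
]

def triage(text):
    """Return de-duplicated (category, detail) findings in log order."""
    findings = []
    for _ts, _lvl, _loc, msg in parse_records(text):
        for pattern, category, template in CHECKS:
            m = pattern.search(msg)
            if m and (category, template.format(*m.groups())) not in findings:
                findings.append((category, template.format(*m.groups())))
    return findings
```

Run `triage(open("/var/log/samba/log.smbd").read())` against a real log; each "missing group mapping" line names the sambaSID or gidNumber that a `net groupmap add` (or an LDAP entry with the right gidNumber) would have to supply, and a "ldap bind failure" line means the idmap side has no usable password regardless of what smbd reports.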
