I use idmap backend to support domain trusts. I have a OU in ldap for unix uid (or gid) to samba sid mappings for each trusted domain. I also have an ou for "alloc" which is where the next available uid and gid params are supported. Each of these required LDAP account and password being specifically set. I don't know if this applies to idmap used for in your case. I think the idmap stuff is handled by winbind not smbd, but not sure.

Try temporarily disabling all the winbind/idmap stuff and see if you can get it started.





On 01/18/2011 04:08 PM, Jon Detert wrote:
On Tue, Jan 18, 2011 at 2:35 PM, Gaiseric Vandal
<[email protected]>  wrote:
Note - I don't use the "ldapsam:editposix" option myself; if I understand it 
correctly it means you don't have to precreate the underlying unix accounts.

That is my understanding as well.  I've never used it before, however.


However,  I believe you still need to do the following

    Create a samba Administrator account
    Create samba Domain Admins and Domain Users groups.
    Explicitly specify the uid or username for the "guest" user.
   Set ldap password for the idmap backend (net idmap secret thedomain  xxxx )

the log messages tend to support this belief.


"smbpasswd -w" sets the ldap password samba uses to access ldap for users and groups.
But idmap needs the ldap password set as well, e.g.

I don't understand that.  There is no separate idmap process, afaik.
Why can't the 'idmap' functionality get the same ldap credentials that
smbd and winbindd evidently get from the smb.conf and the secrets.tdb
files?


    net idmap secret MYDOMAIN  xxxx
    net idmap secret alloc  xxxx

In any case, I tried the above, and got the same error for both commands:

"The only currently supported backend is LDAP"

My smb.conf has a line expressly saying "idmap backend =
ldap:ldap://localhost".   Does smbd have to be running before running
the 'net idmap' commands?  If so, I'm screwed, cuz now that I fixed
the 'out=IDmap' typo, smbd dies immediately after trying to start it.

Ideas?

Thanks,

Jon

I don't know if when using the "ldapsam:editposix" option you can use smbpasswd to create 
the user accounts.   Also, I used "net groupmap add...." to create the mappings between 
the samba Domain Admins group and the unix group by the same name.


If it were me,  I would also create local unix groups for "Domain Admins" (e.g. with gid 512), 
"Domain Users"  etc and then use "net groupmap" to map the unix gids to the Windows well 
known id's.


net groupmap add ntgroup="Domain Admins" unixgroup=512 rid=512 type=domain
net groupmap add ntgroup="Domain Users" unixgroup=513 rid=513 type=domain
net groupmap add ntgroup="Domain Guests" unixgroup=514  rid=514 type=domain
net groupmap add ntgroup="Domain Computers" unixgroup=515   rid=515 type=domain
net groupmap add ntgroup="Domain Controllers" unixgroup=516   rid=516 type=domain


I would create a unix "Administrator" user in the "Domain Admins" group then 
use smbpasswd to create the samba Administrator account.

I use Apache Directory Studio for browsing and editing ldap entries.    You may 
find having a GUI ldap browser and editor really useful.     You should be able 
to tell if your LDAP groups have unix gids and samba sids.

This way you can get basic functionality working, then you can start 
troubleshooting winbind and idmap.




On 01/18/2011 03:04 PM, Jon Detert wrote:
Hello,

I'm trying to use samba v3.3.8 on Centos 5.5 to act as a PDC, using ldap as
the backend for users, groups, and computers.  The ldap I'm using is Centos
Directory Server v8.1.

The setting is a new, never used before, installation of samba and ldap.
There are no users other than what exists by default after a Centos
install.  The smb.conf contains what is my best guess for the desired goal.

The problem at the moment (besides having to guess at what to put in
smb.conf - see below) is that smbd exits about 2 minutes after I start it.
Here are what I think are the relevant bits from the log.smbd:

[2011/01/18 13:40:42,  2] lib/smbldap_util.c:smbldap_search_domain_info(277)
   smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=CHI))]
[2011/01/18 13:40:42,  2] lib/smbldap.c:smbldap_open_connection(856)
   smbldap_open_connection: connection opened
[2011/01/18 13:40:42,  3] lib/smbldap.c:smbldap_connect_system(1067)
   ldap_connect_system: successful connection to the LDAP server
[2011/01/18 13:40:42,  4] lib/smbldap.c:smbldap_open(1143)
   The LDAP server is successfully connected
[2011/01/18 13:41:12,  4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1519)
   ldapsam_getsampwnam: Unable to locate user [root] count=0
[2011/01/18 13:41:42,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
   ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(gidNumber=0))
[2011/01/18 13:42:12,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
   ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544))
[2011/01/18 13:42:27,  3] groupdb/mapping.c:pdb_create_builtin_alias(786)
   pdb_create_builtin_alias: Could not get a gid out of winbind
[2011/01/18 13:42:27,  2] auth/token_util.c:create_local_nt_token(450)
   WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind
allocate gids?
[2011/01/18 13:42:57,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
   ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
[2011/01/18 13:43:12,  1]
passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2871)
   User account [nobody] not found!
[2011/01/18 13:43:12,  0] smbd/server.c:main(1404)
   ERROR: failed to setup guest info.

winbind is running.  log.winbindd contains nothing useful to me.
log.winbindd-idmap contains lines suggesting it can't bind to the ldap
server:

[2011/01/18 13:42:41,  2] lib/smbldap.c:smbldap_connect_system(1052)
   failed to bind to server ldap://localhost with dn="uid=samba,ou=Special Users,dc=infinityhealthcare,dc=com" Error: Invalid credentials

and

[2011/01/18 13:42:49,  1] lib/smbldap.c:another_ldap_try(1231)
   Connection to LDAP server failed for the 8 try!

Why doesn't the smbd log say something equivalent?  In fact, it suggests the
opposite, saying that "The LDAP server is successfully connected".

I did set the samba admin dn's password with the command "smbpasswd -W"
before starting either winbindd or smbd, and also verified that it is
correct using the command:

ldapsearch -x -h localhost -s sub -b ou=people,dc=infinityhealthcare,dc=com -D "uid=samba,ou=Special Users,dc=infinityhealthcare,dc=com" -W

Any ideas or suggestions?

Thanks,

Jon





The rest of this email is my smb.conf:
=============================
[global]

     workgroup = CHI
     server string = Samba Server Version %v

     netbios name = SAMBAPDC

     log file = /var/log/samba/log.%m
     log level = 4
     max log size = 50

     security = user
     passdb backend = ldapsam:ldap://localhost

     domain master = yes
     preferred master = yes
     domain logons = yes
     logon drive = N:
     logon path = \\%L\Profiles\%u

     logon script = %u.bat

     ldap admin dn = "uid=samba,ou=Special Users,dc=infinityhealthcare,dc=com"
     ldap user suffix = ou=People
     ldap group suffix = ou=Groups
     ldap idmap suffix = out=IDmap
     ldap machine suffix = ou=Computers
     ldap suffix = dc=infinityhealthcare,dc=com
     ldap delete dn = no
     ldapsam:trusted = yes
     ldapsam:editposix = yes
     ldap ssl = off
     idmap backend = ldap:ldap://localhost
     idmap uid = 5000-50000
     idmap gid = 5000-50000
     winbind enum groups = yes
     winbind nested groups = yes
     template shell = /sbin/nologin
     template homedir = /home/%D/%U
     winbind use default domain = yes

     wins support = yes
     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[homes]
     comment = Home Directories
     browseable = no
     writable = yes


[netlogon]
     comment = Network Logon Service
     path = /var/lib/samba/netlogon
     guest ok = yes
     writable = no
     share modes = no

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
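The thread turns on a one-character typo in smb.conf ("ldap idmap suffix = out=IDmap") that made smbd die after winbindd could not find the idmap container, plus an "ldap ssl = off" setting that is only defensible because the directory is on localhost. The following checker is an added example written for this page; it is not code from the thread participants or from the Samba project. It parses only the [global] section, flags any "ldap ... suffix" or "ldap admin dn" value whose RDN attribute type is not one you would expect in a directory DN, and warns when cleartext LDAP is combined with a non-local server. The embedded smb.conf is a constructed, trimmed copy of the one posted in the thread; the set of accepted attribute types is an assumption you should extend to match your own directory layout.

```python
"""Sanity-check the LDAP settings in a Samba 3 smb.conf [global] section.

Added example for this page, not Samba project code. Catches the kind of
typo seen in the thread (out=IDmap instead of ou=IDmap) before smbd does.
"""
import re

# Attribute types you expect in suffix/admin-dn RDNs (assumption; extend as needed).
KNOWN_RDN_ATTRS = {"ou", "dc", "cn", "o", "uid", "c", "l", "st"}

LDAP_SUFFIX_KEYS = (
    "ldap suffix", "ldap user suffix", "ldap group suffix",
    "ldap idmap suffix", "ldap machine suffix",
)

RDN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*$")

# Constructed sample: a trimmed copy of the smb.conf posted in the thread,
# including its "out=IDmap" typo.
SAMPLE_SMB_CONF = """
[global]
     workgroup = CHI
     security = user
     passdb backend = ldapsam:ldap://localhost
     ldap admin dn = "uid=samba,ou=Special Users,dc=infinityhealthcare,dc=com"
     ldap user suffix = ou=People
     ldap group suffix = ou=Groups
     ldap idmap suffix = out=IDmap
     ldap machine suffix = ou=Computers
     ldap suffix = dc=infinityhealthcare,dc=com
     ldap ssl = off
     idmap backend = ldap:ldap://localhost
[homes]
     comment = Home Directories
"""


def parse_global(text):
    """Return [global] parameters as a dict. Keys are lower-cased with
    whitespace collapsed (Samba itself is even more lenient and ignores all
    whitespace in parameter names); backslash continuation lines are joined."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        pending = ""
        if line.endswith("\\"):          # continuation line
            pending = line[:-1]
            continue
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", stripped)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in stripped:
            continue
        key, _, value = stripped.partition("=")
        params[" ".join(key.lower().split())] = value.strip().strip('"')
    return params


def check_dn(value):
    """Return a list of problems with a DN/suffix string (empty if it looks ok)."""
    problems = []
    for rdn in value.split(","):
        m = RDN_RE.match(rdn)
        if not m:
            problems.append(f"malformed RDN {rdn!r}")
            continue
        attr = m.group(1).lower()
        if attr not in KNOWN_RDN_ATTRS:
            problems.append(f"unknown attribute type {attr!r} in RDN {rdn.strip()!r}")
    return problems


def check_ldap_config(text):
    """Return (errors, warnings) for the LDAP-related [global] settings."""
    errors, warnings = [], []
    g = parse_global(text)
    for key in LDAP_SUFFIX_KEYS + ("ldap admin dn",):
        for p in check_dn(g.get(key, "")) if key in g else []:
            errors.append(f"{key}: {p}")
    # Cleartext LDAP is only defensible when the directory is local: otherwise
    # the ldap admin dn password (set with smbpasswd -w) crosses the wire in clear.
    url = g.get("passdb backend", "")
    local = "localhost" in url or "127.0.0.1" in url
    if g.get("ldap ssl", "").lower() == "off" and not local:
        warnings.append("ldap ssl = off with a remote LDAP server: bind password sent in clear")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_ldap_config(SAMPLE_SMB_CONF)
    for e in errs:
        print("ERROR:", e)
    for w in warns:
        print("WARNING:", w)
```

Run it against your own smb.conf by swapping in the file contents; the sample above reports exactly one error, on the "ldap idmap suffix" line, and no warning because the server is localhost. Once the typo is fixed, the same script can be pointed at a copy with the remote LDAP URL to see the cleartext warning fire. The check is static only; it does not replace verifying the bind itself with ldapsearch as the original poster did.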
