hiya,
that sounds reasonable to me; perhaps due to the white space it might be safer to quote the entry.
on the other side, what are you seeing under the Access and Errors logs for DS?
are you seeing the actual bind coming in?
on the FC machine I presume you are running over proxyagent?
hope it helps
/ayman
-----Original Message-----
From: Gaiseric Vandal
Sent: Monday, March 21, 2011 16:21
To: Ayman Tahboub ; Samba
Subject: Re: [Samba] Samba 3.4.7 can't retrieve idmap info from ldap
I tried with and without the double quotes.
The following commands do work in Linux (it will prompt me for the pw):
ldapsearch -D "cn=Directory Manager" -b "" objectclass=* -x -W
ldapsearch -D "cn=admin,cn=Administrators,cn=config" -h spooky -b "" -x -W
Not sure in smb.conf whether I should ever quote the ldap_user_dn parameter. Maybe it should be quoted if it is an absolute vs relative entry?
On 03/21/2011 11:34 AM, Ayman Tahboub wrote:
hiya Gaiseric,
one quick note against your binding DN: I think it's complaining about having double quotations ""CN=Directory Manager""
on the other side, have you verified binding via a normal LDAPSEARCH command,
as in ldapsearch -D"CN=directory manager" -b "" objectclass=* ?
hope it helps
/ayman
-----Original Message-----
From: Gaiseric Vandal
Sent: Thursday, March 17, 2011 20:12
To: Samba
Subject: [Samba] Samba 3.4.7 can't retrieve idmap info from ldap
I am running Samba 3.4.7 on Fedora Core 11 Linux. This is a domain member.
My PDC is Samba 3.4.9 on Solaris 10. I have LDAP as a backend (Sun/Oracle
Directory Server 6.) I have an OU for user accounts, and an OU for
idmap entries. The PDC has already populated some idmap entries.
An idmap entry looks like:
dn: sambaSID=S-1-5-21-xxxxxxxxxxxxxxx-1121,ou=mydomain,ou=idmap,o=mycompany.com
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
uidNumber: 176
sambaSID: S-1-5-21-xxxxxxxxxxxxxxx-1121
The member servers can be read-only.
In the member server, smb.conf has the following entries:
idmap config MYDOMAIN:backend = ldap
idmap config MYDOMAIN:ldap_url = ldap://pdc.mycompany.com
idmap config MYDOMAIN:readonly = yes
idmap config MYDOMAIN:default=no
idmap config MYDOMAIN:ldap_base_dn = "ou=mydomain,ou=idmap,o=mycompany.com"
#idmap config MYDOMAIN:ldap_user_dn = cn=Directory Manager
#idmap config MYDOMAIN:ldap_user_dn = cn=admin,cn=Administrators,cn=config
idmap config MYDOMAIN:ldap_user_dn = uid=jsmith,ou=people,o=mycompany.com
idmap config MYDOMAIN:range = 70000-79999
idmap config MYDOMAIN:uid = 100 -79999
idmap config MYDOMAIN:gid = 100 -79999
On this machine (FC11 member server), when I run the "getent passwd" command,
log.winbind shows:
failed to bind to server ldap://pdc.mycompany.com with dn=""cn=Directory Manager"" Error: Invalid DN syntax
Invalid DN
On getent passwd, winbind.log shows:
lib/smbldap.c:890(smbldap_open_connection)
smbldap_open_connection: connection opened
lib/smbldap.c:1101(smbldap_connect_system)
ldap_connect_system: successful connection to the LDAP server
winbindd/idmap_ldap.c:1248(idmap_ldap_sids_to_unixids)
Failure looking up sids (Invalid DN syntax)
If there is NOT an idmap entry already for the user, I get winbind.log entries like:
[2011/03/17 12:52:48, 1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
error getting user id for sid S-1-5-21-xxxxxxxxxxxx-1083
[2011/03/17 12:52:48, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
could not lookup domain user jkerry
[2011/03/17 12:52:48, 1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
error getting user id for sid S-1-5-21-xxxxxxxxxxxx-1044
[2011/03/17 12:52:48, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
could not lookup domain user jmcain
It looks like it tried to locate a record via user name or sid.
If there is an idmap entry already for the user, I only get:
[2011/03/17 12:52:48, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
could not lookup domain user jsmith
So the samba member server is connecting to the LDAP server and retrieving
some LDAP information. But it seems that the LDAP info is NOT formatted
as expected (thus the Invalid DN Syntax errors.)
The PDC was initially Samba 3.0.x, and I am guessing that the LDAP IDMAP syntax changed between 3.0.x and 3.4.x.
I would appreciate advice on this.
Thanks
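A small check a defender can run over smb.conf before restarting winbind, added here as an example that is not from the thread or from Samba itself: it pulls the DN-valued `idmap config` settings out of a constructed smb.conf fragment and flags values a directory server would reject. It assumes, as the `dn=""cn=Directory Manager""` log line above suggests, that quote characters in the value are passed verbatim into the bind DN; the RDN pattern is a simplified RFC 4514 approximation, not a full DN parser.

```python
import re

# Constructed smb.conf fragment reproducing the quoting from the thread (not a real config).
SAMPLE_SMB_CONF = """
[global]
   idmap config MYDOMAIN:backend = ldap
   idmap config MYDOMAIN:ldap_url = ldap://pdc.mycompany.com
   idmap config MYDOMAIN:ldap_base_dn = "ou=mydomain,ou=idmap,o=mycompany.com"
   #idmap config MYDOMAIN:ldap_user_dn = uid=jsmith,ou=people,o=mycompany.com
   idmap config MYDOMAIN:ldap_user_dn = "cn=Directory Manager"
   idmap config MYDOMAIN:range = 70000-79999
"""

# 'idmap config DOMAIN:key = value' as written in smb.conf; the value keeps any quotes.
IDMAP_RE = re.compile(r"^idmap config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.*?)\s*$")
# One RDN, roughly per RFC 4514: attribute type '=' value, backslash escapes allowed.
RDN_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*\s*=\s*(?:\\.|[^,+=\\"<>;])*$')
DN_KEYS = ("ldap_base_dn", "ldap_user_dn")

def parse_idmap_config(text):
    """Return {(domain, key): raw value} for every active 'idmap config' line."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # skip blanks and commented-out lines
            continue
        m = IDMAP_RE.match(line)
        if m:
            cfg[(m["dom"], m["key"])] = m["val"]
    return cfg

def dn_problems(value):
    """List why an LDAP server would answer 'Invalid DN syntax' for this value."""
    problems = []
    if '"' in value:
        # Assumption: quotes are not smb.conf syntax here; they travel into the DN itself.
        problems.append("contains literal double quotes")
    stripped = value.strip('"')
    if stripped:                              # the empty DN (root DSE) is legal
        for rdn in re.split(r"(?<!\\),", stripped):   # split on unescaped commas only
            if not RDN_RE.match(rdn.strip()):
                problems.append("malformed RDN: %r" % rdn.strip())
    return problems

def check_idmap_dns(text):
    """Map (domain, key) -> problem list for every DN-valued idmap setting."""
    return {k: dn_problems(v) for k, v in parse_idmap_config(text).items() if k[1] in DN_KEYS}

if __name__ == "__main__":                    # runs on the constructed fragment above
    print(check_idmap_dns(SAMPLE_SMB_CONF))
```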
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba