Wireshark provided better detail of the captured traffic. The bind was OK with either cn=Directory Manager or cn=proxyagent,ou=mydomain.com, as long as it was not quoted.

The invalid DN responses were also generated if the ldap_base_dn values were quoted.

The following is wrong:

    ...
    idmap alloc config:ldap_base_dn = "ou=alloc,ou=idmap,o=ssci.com"
    ...
    idmap config ENGINEERING:ldap_base_dn = "ou=engineering,ou=idmap,o=ssci.com"


The following is OK (i.e. no bind errors):

    ...
    idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=ssci.com
    ...
    idmap config ENGINEERING:ldap_base_dn = ou=engineering,ou=idmap,o=ssci.com


So LDAP authentication seems OK, although log.winbind still shows lookup errors:

-------------------------------------------------------------------------------------------------------------------
[2011/03/21 16:51:22,  1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
  error getting user id for sid S-xxxxxxxxxxxxxx-1217
[2011/03/21 16:51:22,  1] winbindd/winbindd_user.c:856(winbindd_getpwent)
  could not lookup domain user rsmith

[2011/03/21 16:51:22,  1] winbindd/winbindd_user.c:856(winbindd_getpwent)
  could not lookup domain user jsmith

(In the example above there is an idmap entry in LDAP for jsmith but not rsmith.)

-------------------------------------------------------------------------------------------------------------------


The "wbinfo --allocate-uid" command does work:

            # wbinfo --allocate-uid
            New uid: 30778
            # wbinfo --allocate-uid
            New uid: 30779

The uidNumber parameter in ou=alloc is incremented; it now shows 30780.

But I cannot manually set a uid mapping:

            # wbinfo --set-uid-mapping 123,S-xxxxxxxxxxxxxx-1217
            Could not create or modify uid to sid mapping

            # wbinfo --set-uid-mapping 30779,S-xxxxxxxxxxxxxx-1217
            Could not create or modify uid to sid mapping




The wbinfo --set-uid-mapping command DOES work on the PDC. The member server just doesn't seem to read the information properly.
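The quoting behaviour worked out above (Samba hands the value of an idmap ldap option to the LDAP library verbatim, so surrounding double quotes become part of the DN and the server answers "Invalid DN syntax") is easy to check for mechanically before restarting winbind. The script below is an added example and not part of the thread or of Samba; the smb.conf fragment inside it is constructed from the values quoted in this thread, and the DN grammar it applies is a deliberately loose subset of RFC 4514.

```python
import re

# Constructed smb.conf fragment built from the values discussed in the thread;
# the quoted values are the ones that produced "Invalid DN syntax".
SAMPLE_SMB_CONF = """
[global]
   workgroup = MYDOMAIN
   idmap alloc config:ldap_base_dn = "ou=alloc,ou=idmap,o=ssci.com"
   idmap config ENGINEERING:ldap_base_dn = ou=engineering,ou=idmap,o=ssci.com
   idmap config MYDOMAIN:ldap_user_dn = "cn=Directory Manager"
   idmap config MYDOMAIN:ldap_base_dn = ou=mydomain,ou=idmap,o=mycompany.com
   idmap config MYDOMAIN:ldap_url = ldap://pdc.mycompany.com
"""

# idmap ldap options whose value must be an LDAP DN.
DN_OPTIONS = ("ldap_base_dn", "ldap_user_dn")

# Matches "idmap config DOMAIN:option = value" and "idmap alloc config:option = value".
_IDMAP_LINE = re.compile(
    r"^\s*idmap\s+(?:config\s+(?P<domain>[^:\s]+)|(?P<alloc>alloc\s+config))\s*:\s*"
    r"(?P<option>[A-Za-z_]+)\s*=\s*(?P<value>.*?)\s*$"
)

# One RDN: attribute type (name or OID), '=', non-empty value (RFC 4514 subset).
_RDN = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=.+$")


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    return re.split(r"(?<!\\),", dn)


def check_dn_value(value):
    """Return a list of problems with a DN-valued smb.conf option (empty if OK)."""
    problems = []
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        # Samba does not strip quotes from these values: they are sent to the
        # server as part of the DN (the thread's log shows
        # dn=""cn=Directory Manager"" followed by "Invalid DN syntax").
        problems.append("wrapped in double quotes; the quotes are sent as part of the DN")
        value = value[1:-1]
    if value != value.strip():
        problems.append("leading or trailing whitespace inside the value")
    for rdn in split_rdns(value):
        if not _RDN.match(rdn.strip()):
            problems.append("RDN %r is not of the form attr=value" % rdn)
    return problems


def check_smb_conf(text):
    """Return {(scope, option): [problems]} for every idmap DN option in text."""
    findings = {}
    for line in text.splitlines():
        m = _IDMAP_LINE.match(line)
        if not m or m.group("option") not in DN_OPTIONS:
            continue
        scope = m.group("domain") or "alloc"
        findings[(scope, m.group("option"))] = check_dn_value(m.group("value"))
    return findings


if __name__ == "__main__":
    for (scope, option), problems in sorted(check_smb_conf(SAMPLE_SMB_CONF).items()):
        print("%s:%s -> %s" % (scope, option, "; ".join(problems) or "ok"))
```

Run it against a real smb.conf by replacing SAMPLE_SMB_CONF with the file contents; anything reported as quoted is exactly the case that produced the bind and lookup failures above.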

On 03/21/2011 04:17 PM, Gaiseric Vandal wrote:
Linux "unix" authentication uses a proxyagent account. There is no particular reason that Samba should use this account.

However, to rule out the spaces and quotes being an issue, I updated the smb.conf on this machine (Fedora Core 11 linux member server) to use the cn=proxyagent,ou=mydomain.com account. The account has sufficient privs to read existing LDAP entries, even if it can't create new ones.

If I quote it, I get the following error:

get_credentials: Unable to fetch auth credentials for "cn=proxyagent,ou=profile,o=ssci.com"

If I don't quote it, I don't get credential error messages. So on FC11 Linux Member servers running Samba 3.4.7, the ldap user in smb.conf should be unquoted, not have spaces, and be in the same ldap suffix as everything else.

But I still get the following error

[2011/03/21 15:53:06, 3] winbindd/idmap_ldap.c:1248(idmap_ldap_sids_to_unixids)
          Failure looking up sids (Invalid DN syntax)

Since I have 3 LDAP servers (in replication) I just updated smb.conf to use one ldap server while having /etc/ldap.conf (and /etc/openldap/ldap.conf) use another one. That way when I watch ldap traffic between this machine and an LDAP server I can distinguish between traffic related to unix accounts and that related to samba idmap.


I don't see any relevant ldap server error or access logs. snoop (packet capture) does show

sambamember1 -> ldapserver1 LDAP C port=59073 Search Request neverDerefAliases
ldapserver1 -> sambamember1 LDAP R port=59073 Search ResDone Invalid DN Syntax
sambamember1 -> ldapserver1 LDAP C port=59073






On 03/21/2011 12:37 PM, Ayman Tahboub wrote:
hiya,

that sounds reasonable to me, perhaps due to the white space

it might be safer to quote the entry.

on the other side what are you seeing under the Access and Errors logs for DS?

are you seeing the actual bind coming in?

on the FC machine I presume you are running over proxyagent?

hope it helps

/ayman


-----Original Message-----
From: Gaiseric Vandal
Sent: Monday, March 21, 2011 16:21
To: Ayman Tahboub ; Samba
Subject: Re: [Samba] Samba 3.4.7 can't retrieve idmap infor from ldap

I tried with and without the double quotes.

the following commands do work in Linux (it will prompt me for the password):

    ldapsearch -D "cn=Directory Manager" -b "" objectclass=* -x -W
    ldapsearch -D "cn=admin,cn=Administrators,cn=config" -h spooky -b "" -x -W

Not sure in smb.conf whether I should ever quote the ldap_user_dn
parameter.  Maybe it should be quoted if it is an absolute vs relative
entry?






On 03/21/2011 11:34 AM, Ayman Tahboub wrote:
hiya Gaiseric,

one quick note on your binding DN: I think it's complaining about having double quotations ""CN=Directory Manager""

on the other side, have you verified binding via a normal LDAPSEARCH command,

as in ldapsearch -D "CN=directory manager" -b "" objectclass=* ?

hope it helps

/ayman


-----Original Message-----
From: Gaiseric Vandal
Sent: Thursday, March 17, 2011 20:12
To: Samba
Subject: [Samba] Samba 3.4.7 can't retrieve idmap infor from ldap

I am running Samba 3.4.7 on Fedora Core 11 Linux. This is a domain member.

My PDC is Samba 3.4.9 on Solaris 10. I have LDAP as a backend (Sun/Oracle Directory Server 6). I have an OU for user accounts, and an OU for idmap entries. The PDC has already populated some idmap entries.

An idmap entry looks like



dn: sambaSID=S-1-5-21-xxxxxxxxxxxxxxx-1121,ou=mydomain,ou=idmap,o=mycompany.com
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
uidNumber: 176
sambaSID: S-1-5-21-xxxxxxxxxxxxxxx-1121

The member servers can be read-only.


In the member server, smb.conf has the following entries

idmap config MYDOMAIN:backend = ldap
idmap config MYDOMAIN:ldap_url = ldap://pdc.mycompany.com
idmap config MYDOMAIN:readonly = yes
idmap config MYDOMAIN:default=no
idmap config MYDOMAIN:ldap_base_dn = "ou=mydomain,ou=idmap,o=mycompany.com"
#idmap config MYDOMAIN:ldap_user_dn = cn=Directory Manager
#idmap config MYDOMAIN:ldap_user_dn = cn=admin,cn=Administrators,cn=config
idmap config MYDOMAIN:ldap_user_dn = uid=jsmith,ou=people,o=mycompany.com
idmap config MYDOMAIN:range = 70000-79999
idmap config MYDOMAIN:uid = 100 -79999
idmap config MYDOMAIN:gid = 100 -79999





On this machine (FC11 member server), when I run the "getent passwd" command, log.winbind shows


failed to bind to server ldap://pdc.mycompany.com with dn=""cn=Directory Manager"" Error: Invalid DN syntax
      Invalid DN

On getent passwd, winbind.log shows

lib/smbldap.c:890(smbldap_open_connection)
  smbldap_open_connection: connection opened
lib/smbldap.c:1101(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
winbindd/idmap_ldap.c:1248(idmap_ldap_sids_to_unixids)
  Failure looking up sids (Invalid DN syntax)



If there is NOT an idmap entry already for the user, I get winbind.log entries like:

[2011/03/17 12:52:48, 1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
  error getting user id for sid S-1-5-21-xxxxxxxxxxxx-1083
[2011/03/17 12:52:48, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
  could not lookup domain user jkerry

[2011/03/17 12:52:48, 1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
  error getting user id for sid S-1-5-21-xxxxxxxxxxxx-1044
[2011/03/17 12:52:48, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
  could not lookup domain user jmcain

It looks like it tried to locate a record via user name or sid.

If there is an idmap entry already for the user, I only get:


[2011/03/17 12:52:48, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
  could not lookup domain user jsmith


So the samba member server is connecting to the LDAP server and retrieving some LDAP information. But it seems that the LDAP info is NOT formatted as expected (thus the Invalid DN Syntax errors.)

The PDC was initially Samba 3.0.x, and I am guessing that the LDAP IDMAP syntax changed between 3.0.x and 3.4.x.

I would appreciate advice on this.

Thanks
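Besides the DN syntax question, a practitioner looking at the entry and the smb.conf above would want to check that each existing idmap entry is actually usable by this member server: it has to sit under the configured ldap_base_dn, carry both sambaIdmapEntry and sambaSidEntry, have a sambaSID attribute that matches its RDN, and hold a uidNumber or gidNumber inside the domain's configured range, since the idmap_ldap backend filters out mappings whose ID falls outside that range. The script below is an added example, not part of the post or of Samba; the LDIF records in it are constructed in the shape shown in the post (placeholder SIDs, one entry deliberately out of range and one missing an objectClass), and the range comes from the posted smb.conf.

```python
import re

# Constructed LDIF records in the shape the post shows. The first mirrors the
# posted entry (uidNumber 176 with range 70000-79999); the SIDs are placeholders.
SAMPLE_LDIF = """\
dn: sambaSID=S-1-5-21-1111111111-2222222222-3333333333-1121,ou=mydomain,ou=idmap,o=mycompany.com
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
uidNumber: 176
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1121

dn: sambaSID=S-1-5-21-1111111111-2222222222-3333333333-1217,ou=mydomain,ou=idmap,o=mycompany.com
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
uidNumber: 70015
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1217

dn: sambaSID=S-1-5-21-1111111111-2222222222-3333333333-1044,ou=mydomain,ou=idmap,o=mycompany.com
objectClass: sambaSidEntry
gidNumber: 70100
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1044
"""

# Values taken from the smb.conf fragment in the post.
CONFIG = {
    "ldap_base_dn": "ou=mydomain,ou=idmap,o=mycompany.com",
    "range": (70000, 79999),
}

REQUIRED_CLASSES = ("sambaIdmapEntry", "sambaSidEntry")


def parse_ldif(text):
    """Parse simple LDIF (no continuation lines, no base64 values) into a list
    of {attribute: [values]} dicts with attribute names lower-cased."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Cheap DN normalization: lower-case and drop spaces around '=' and ','."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip()).lower()


def check_entry(entry, config):
    """Return a list of reasons this idmap entry would not work (empty if OK)."""
    problems = []
    dn = entry.get("dn", [""])[0]
    ndn = normalize_dn(dn)
    if not ndn.endswith("," + normalize_dn(config["ldap_base_dn"])):
        problems.append("dn is not under ldap_base_dn")
    classes = {c.lower() for c in entry.get("objectclass", [])}
    for cls in REQUIRED_CLASSES:
        if cls.lower() not in classes:
            problems.append("missing objectClass %s" % cls)
    sids = entry.get("sambasid", [])
    if len(sids) != 1 or ndn.split(",", 1)[0] != ("sambaSID=" + sids[0]).lower():
        problems.append("sambaSID attribute does not match the RDN")
    ids = [(a, v) for a in ("uidNumber", "gidNumber") for v in entry.get(a.lower(), [])]
    if len(ids) != 1:
        problems.append("expected exactly one uidNumber or gidNumber")
    else:
        attr, value = ids[0]
        lo, hi = config["range"]
        if not value.isdigit() or not lo <= int(value) <= hi:
            problems.append("%s %s is outside range %d-%d; winbind will ignore this mapping"
                            % (attr, value, lo, hi))
    return problems


def check_ldif(text, config):
    """Map each entry's dn to its list of problems."""
    return {e.get("dn", [""])[0]: check_entry(e, config) for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, problems in check_ldif(SAMPLE_LDIF, CONFIG).items():
        print("%s\n  %s" % (dn, "; ".join(problems) or "ok"))
```

Feed it the output of an ldapsearch against the idmap OU (with -LLL, so the records are plain LDIF) and the configured range from smb.conf; entries flagged as out of range explain a "could not lookup domain user" for a user who does have an entry.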






