Hi

Running ldapsearch -x on the primary LDAP server fails, it gives

[root@servername ~]# ldapsearch -x
ldap_bind: Can't contact LDAP server (-1)

And yet on that server the Zimbra instance appears to be fine. Can you suggest any further diagnosis of the LDAP on that server, or action I might take?

Many Thanks

Fergus

----- Original Message -----
From: "Gaiseric Vandal" <[email protected]>
To: "Fergus Clarke" <[email protected]>
Cc: [email protected]
Sent: Monday, 13 February, 2012 6:32:41 PM
Subject: Re: [Samba] openldap integration failed after power cut

try ldapsearch with "-x" for simple (non sasl) authentication.

On 02/13/2012 01:29 PM, Fergus Clarke wrote:
> Hi
>
> Thanks for your reply, much appreciated.
>
> When I run ldapsearch on the Samba server it prompts me for a password and
> this fails when tried with the credentials for the ldap bind account
> specified in smb.conf, also with the root pw for either machine, as follows:
>
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>
> I have tried resetting the smbpasswd -w as you suggested and setting the bind
> account password to the same on the ldap server, but I still get this
> message. This suggests you are right and it is a credentials issue, is there
> anything I need to do beyond
>
> smbpasswd -w <password> on the samba machine
> and passwd <bind account> on ldap server
> ?
>
> The LDAP does appear to be running on the primary LDAP server as I can look
> at it on the console of the (unused) instance of zimbra on there, it looks
> OK. That said, if I do a ldapsearch on that machine I get an error:
>
> [root@primaryldapserver cacerts]# ldapsearch
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>
> Regards
>
> Fergus
>
>
> ----- Original Message -----
> From: "Gaiseric Vandal" <[email protected]>
> To: [email protected]
> Sent: Monday, 13 February, 2012 5:51:43 PM
> Subject: Re: [Samba] openldap integration failed after power cut
>
> Can you use "ldapsearch" or a GUI Ldap browser/editor (e.g. Apache
> Directory Studio) to make sure that your primary LDAP server really is
> working. Verify that the credentials are good.
>
> You may need to re-enter the ldap pw in samba if your password store
> got corrupted
>
> # smbpasswd -w LDAPBINDPW
>
>
> On 02/13/2012 11:12 AM, Fergus Clarke wrote:
>> Hi
>>
>> We have a Samba server that authenticates with an openldap server. Or it
>> used to.
>> We had a power cut last week and after a bit of struggling everything came
>> back, but not Samba.
>> Previously our smb.conf file included the line
>>
>> passdb backend = ldapsam:ldap://server.domain.net/
>>
>> With this line in place the connection to the LDAP server fails, and people's
>> shares drop off every few minutes. I changed this to point to our 2nd,
>> backup ldap server and now shares and logon work again. I need to get
>> communication started again between our Samba and primary LDAP server.
>>
>> Symptoms include the following: (with the new config, ie pointing at the
>> backup ldap server)
>>
>> On the samba server:
>>
>> servername:/etc/samba# smbclient '\\servername\data'
>> WARNING: The "printer admin" option is deprecated
>> Enter root's password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> but
>>
>> servername:/etc/samba# smbclient -L localhost -U%
>> WARNING: The "printer admin" option is deprecated
>> Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]
>>
>> Sharename       Type      Comment
>> ---------       ----      -------
>> netlogon        Disk      Network Logon Service
>> print$          Disk      Printer Drivers
>>
>> etc
>>
>> also:
>>
>> servername:/etc/samba# pdbedit -u username -c "[X]"
>> doing parameter syslog = 1
>> doing parameter log file = /var/log/samba/log.%m
>> doing parameter max log size = 1000
>> doing parameter smb ports = 139
>> doing parameter name resolve order = wins bcast hosts
>> doing parameter printcap name = cups
>> doing parameter add user script = /usr/sbin/adduser --quiet
>> --disabled-password --gecos "" %u
>> doing parameter add machine script = /usr/sbin/smbldap-useradd -w %m
>> doing parameter logon script = logon.cmd
>> doing parameter logon path = \\server.domain.net\%U\profile
>> doing parameter logon home = \\server.domain.net\%U
>> doing parameter domain logons = Yes
>> doing parameter os level = 33
>> doing parameter preferred master = Yes
>> doing parameter domain master = Yes
>> doing parameter dns proxy = No
>> doing parameter wins support = Yes
>> doing parameter ldap admin dn = "uid=username,cn=admins,cn=thenameofthecn"
>> doing parameter ldap group suffix = ou=groups
>> doing parameter ldap machine suffix = ou=machines
>> doing parameter ldap passwd sync = Yes
>> doing parameter ldap suffix = dc=ixico,dc=com
>> doing parameter ldap user suffix = ou=people
>> doing parameter panic action = /usr/share/samba/panic-action %d
>> pm_process() returned Yes
>> smbldap_search_domain_info: Searching
>> for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
>> smbldap_open_connection: connection opened
>> ldap_connect_system: successful connection to the LDAP server
>> The LDAP server is successfully connected
>> smbldap_search_domain_info: Searching
>> for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
>> smbldap_open_connection: connection opened
>> ldap_connect_system: successful connection to the LDAP server
>> The LDAP server is successfully connected
>> init_sam_from_ldap: Entry found for user: username
>> ldapsam_update_sam_account: user username to be modified has dn:
>> uid=username,ou=people,dc=domain,dc=com
>> init_ldap_from_sam: Setting entry for user: username
>> Unable to modify entry!
>>
>>
>> If I change the setting back to point at our original LDAP server I get the
>> following errors, for example:
>>
>>
>> servername:/etc/samba# pdbedit -u username -c "[X]"
>> doing parameter syslog = 1
>> doing parameter log file = /var/log/samba/log.%m
>> doing parameter max log size = 1000
>> doing parameter smb ports = 139
>> doing parameter name resolve order = wins bcast hosts
>> doing parameter printcap name = cups
>> doing parameter add user script = /usr/sbin/adduser --quiet
>> --disabled-password --gecos "" %u
>> doing parameter add machine script = /usr/sbin/smbldap-useradd -w %m
>> doing parameter logon script = logon.cmd
>> doing parameter logon path = \\server.domain.net\%U\profile
>> doing parameter logon home = \\server.domain.net\%U
>> doing parameter domain logons = Yes
>> doing parameter os level = 33
>> doing parameter preferred master = Yes
>> doing parameter domain master = Yes
>> doing parameter dns proxy = No
>> doing parameter wins support = Yes
>> doing parameter ldap admin dn = "uid=user,cn=admins,cn=relevantcn"
>> doing parameter ldap group suffix = ou=groups
>> doing parameter ldap machine suffix = ou=machines
>> doing parameter ldap passwd sync = Yes
>> doing parameter ldap suffix = dc=domain,dc=com
>> doing parameter ldap user suffix = ou=people
>> doing parameter panic action = /usr/share/samba/panic-action %d
>> pm_process() returned Yes
>> smbldap_search_domain_info: Searching
>> for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
>> smbldap_open_connection: connection opened
>> failed to bind to server ldap://ldap2.domain.net/ with
>> dn="uid=username,cn=admins,cn=thecn" Error: Can't contact LDAP server
>> (unknown)
>> Connection to LDAP server failed for the 1 try!
>> smbldap_open_connection: connection opened
>> failed to bind to server ldap://ldap2.domain.net/ with
>> dn="uid=username,cn=admins,cn=thecn" Error: Can't contact LDAP server
>>
>> etc
>>
>> but I can ping the LDAP server with its hostname and the LDAP alias.
>>
>> I have upped the log level to 10 and grepped for relevant hostnames and
>> things but I am somewhat at a loss as to what's gone wrong, any help you can
>> offer would be very gratefully received. I would also be v happy to post
>> any logs etc to assist.
>>
>> Thanks
>>
>> Fergus
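The thread turns on two different errors: "Can't contact LDAP server (-1)" is a transport failure (nothing answered on the port), while "Invalid credentials (49)" is a real answer from a running slapd. The probe below, an added example that is not part of the thread and not Samba or OpenLDAP code, sends a plain LDAPv3 simple bind (an empty DN and password is the anonymous bind that `ldapsearch -x` makes by default) and separates the two cases; host names and ports are whatever you pass in, and it assumes the plaintext port rather than ldaps.

```python
import socket

RESULT_NAMES = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
                49: "invalidCredentials", 50: "insufficientAccessRights", 53: "unwillingToPerform"}  # RFC 4511

def _ber_len(n):
    """BER length field: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content

def _read_tlv(buf, pos):
    """Decode one BER TLV at pos; returns (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_simple_bind(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = _tlv(0x02, bytes([3])) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))  # assumes msg_id < 128

def decode_bind_response(data):
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    _, msg, _ = _read_tlv(data, 0)
    _, _msg_id, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = _read_tlv(op, 0)           # ENUMERATED resultCode
    _, _matched_dn, pos = _read_tlv(op, pos)  # LDAPDN matchedDN
    _, diag, _ = _read_tlv(op, pos)           # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def probe_bind(host, port=389, dn="", password="", timeout=5.0):
    """-1 means transport failure (what ldap_bind prints as 'Can't contact LDAP server');
    anything else is the server's own verdict. Plaintext 389 only; one recv() fits a BindResponse."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(encode_simple_bind(1, dn, password))
            code, diag = decode_bind_response(s.recv(4096))
            return code, RESULT_NAMES.get(code, "code %d" % code) + (": " + diag if diag else "")
    except (OSError, ValueError, IndexError) as e:
        return -1, "Can't contact LDAP server (%s)" % e
```

Run `probe_bind("primaryldapserver")` from the Samba host and from the LDAP host itself: a -1 from both points at slapd not listening (or a firewall), whereas a 49 with the bind DN from smb.conf confirms the server is up and the stored password is what is wrong.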
