Hi Gints,

Changing nsswitch.conf from:

passwd: files ldap
group: files ldap

to

passwd: files winbind
group: files winbind

did the trick. Running getent passwd/group began populating LDAP and I can search all the records using ldapsearch and slapcat.

Would this be an error in the documentation as (unless I was reading the wrong section) it uses the ldap entries in its example?

My one concern is that when winbind is stopped and restarted the winbindd_idmap.tdb and winbindd_cache.tdb files are recreated and entries are added. Would this be expected? I guess I can test this today when I begin configuring a second node.....

Thanks for your help.

Simon

> From: gints neimanis <[EMAIL PROTECTED]>
> Date: Tue, 16 Aug 2005 11:57:48 +0300
> To: "Gibbs, Simon" <[EMAIL PROTECTED]>, <[email protected]>
> Subject: Re: Getting Winbind IDMAP into LDAP?
>
> Hi,
>
> to use ldap as winbind idmap backend, you don't need the NSS_LDAP at all.
> All queries and updates to ldap are performed by winbind itself.
>
> Your smb.conf looks fine.
> You may check 2 things:
> * Have you stored the LDAP Manager password to LDAP database with
> command "smbpasswd -w 'verysecretldapmanager password'" ?
> * and look if you have added winbind to /etc/nsswitch.conf (and then
> command "getent passwd" should show all domain users with id from ldap)?
> like:
> ===
> ...
> passwd: files winbind
> group: files winbind
> ...
> ===
>
> Next - you may increase the loglevel (loglevel 256) for LDAP server and
> look in ldap messages what is wrong in connection.
>
> Gints
>
> Gibbs, Simon wrote:
>> Hi,
>>
>> I've been trying to populate an LDAP directory with IDMAP information from
>> Winbind using NSS_LDAP without much success over the last week.
>> Can anybody tell me if I've done anything obviously wrong?
>>
>> I've followed the example shown in the Samba "By Example" doc and am at the
>> stage where the LDAP directory has been created and configured, NSS_LDAP
>> config is amended, smb.conf contains entries to use LDAP as a backend and I
>> have deleted /var/cache/samba/winbindd_cache.tdb and winbindd_idmap.tdb. Now
>> wbinfo -u and wbinfo -g show users and groups on the domain but getent
>> passwd/groups only displays local users. The winbindd_cache.tdb and
>> winbindd_idmap.tdb files have been recreated but only winbindd_cache.tdb
>> holds any information. When I attempt to access a Samba share I'm prompted
>> to enter a username and password.
>>
>> As I understand it once the wbinfo commands have been run this process
>> should automatically populate the Idmap ou with the ID mappings - is this
>> correct? If so there must be something wrong with my config.
>>
>> Here's the current config and relevant info - sorry it's a bit long:
>>
>> /etc/samba/smb.conf
>>
>> [global]
>> workgroup = UKCORPLAN
>> netbios name = UKFS01
>> server string = UKFS01 Samba Server
>> winbind separator = /
>> ldap ssl = no
>> idmap uid = 10000-10000000
>> idmap gid = 10000-10000000
>> ldap admin dn = cn=Manager,dc=uk,dc=corplan,dc=net
>> ldap idmap suffix = ou=Idmap
>> ldap suffix = dc=uk,dc=corplan,dc=net
>> idmap backend = ldap:ldap://10.10.4.111/
>> winbind enum users = yes
>> winbind enum groups = yes
>> template homedir = /mnt/emcpowerb/user/%D/%U
>> template shell = /bin/bash
>> password server = ukdc01.uk.corplan.net
>> security = ADS
>> #encrypt passwords = yes
>> realm = uk.corplan.net
>> browseable = yes
>> username map = /etc/samba/smbusers
>> log level = 10 ads:10 auth:10 sam:10 rpc:10 idmap:10
>> syslog = 0
>> log file = /var/log/samba/%m
>> max log size = 50
>> #============================ Share Definitions ==============================
>> [homes]
>> comment = Home Directories
>> browseable = no
>> writable = yes
>>
>> [public]
>> comment = Public Stuff
>> path = /home/samba
>> public = yes
>> read only = no
>>
>> [test]
>> comment = test share
>> path = /mnt/emcpowera/shared/test
>> public = yes
>> browseable = yes
>> writeable = yes
>>
>> /etc/nsswitch.conf
>>
>> passwd: files ldap
>> shadow: files ldap
>> group: files ldap
>>
>> #hosts: db files nisplus nis dns
>> hosts: files dns
>>
>> /etc/openldap/slapd.conf
>>
>> #
>> # See slapd.conf(5) for details on configuration options.
>> # This file should NOT be world readable.
>> #
>> ## schema files (core.schema is required by default)
>> include /etc/openldap/schema/core.schema
>>
>> ## needed for sambaSamAccount
>> include /etc/openldap/schema/cosine.schema
>> include /etc/openldap/schema/inetorgperson.schema
>> include /etc/openldap/schema/nis.schema
>> include /etc/openldap/schema/samba.schema
>>
>> # Allow LDAPv2 client connections. This is NOT the default.
>> allow bind_v2
>>
>> # Do not enable referrals until AFTER you have a working directory
>> # service AND an understanding of referrals.
>> #referral ldap://root.openldap.org
>>
>> pidfile /var/run/slapd.pid
>> argsfile /var/run/slapd.args
>>
>> # Load dynamic backend modules:
>> # modulepath /usr/sbin/openldap
>> # moduleload back_bdb.la
>> # moduleload back_ldap.la
>> # moduleload back_ldbm.la
>> # moduleload back_passwd.la
>> # moduleload back_shell.la
>>
>> # Sample access control policy:
>> # Root DSE: allow anyone to read it
>> # Subschema (sub)entry DSE: allow anyone to read it
>> # Other DSEs:
>> # Allow self write access
>> # Allow authenticated users read access
>> # Allow anonymous users to authenticate
>> # Directives needed to implement policy:
>> # access to dn.base="" by * read
>> # access to dn.base="cn=Subschema" by * read
>> #access to *
>> # by self write
>> # by users read
>> # by anonymous auth
>> #
>> # if no access controls are present, the default policy
>> # allows anyone and everyone to read anything but restricts
>> # updates to rootdn. (e.g., "access to * by * read")
>> #
>> # rootdn can always read and write EVERYTHING!
>>
>> #######################################################################
>> # ldbm and/or bdb database definitions
>> #######################################################################
>>
>> database bdb
>> suffix "dc=uk,dc=corplan,dc=net"
>> rootdn "cn=Manager,dc=uk,dc=corplan,dc=net"
>> # Cleartext passwords, especially for the rootdn, should
>> # be avoided. See slappasswd(8) and slapd.conf(5) for details.
>> # Use of strong authentication encouraged.
>> rootpw secret
>>
>> # The database directory MUST exist prior to running slapd AND
>> # should only be accessible by the slapd and slap tools.
>> # Mode 700 recommended.
>> directory /var/lib/ldap/samba
>>
>> # Indices to maintain for this database
>> # Required by OpenLDAP
>> index objectClass eq,pres
>> index ou,cn,mail,surname,givenname eq,pres,sub
>> index uidNumber,gidNumber,loginShell eq,pres
>> index uid,memberUid eq,pres,sub
>> index nisMapName,nisMapEntry eq,pres,sub
>>
>> # Indices required for Samba
>> index sambaSID eq
>> index sambaPrimaryGroupSID eq
>> index sambaDomainName eq
>> index default sub
>>
>> /etc/openldap/ldap.conf
>>
>> #
>> # LDAP Defaults
>> #
>>
>> # See ldap.conf(5) for details
>> # This file should be world readable but not world writable.
>>
>> #BASE dc=example, dc=com
>> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
>>
>> #SIZELIMIT 12
>> #TIMELIMIT 15
>> #DEREF never
>> HOST 10.10.4.111
>> BASE dc=uk,dc=corplan,dc=net
>> #TLS_CACERTDIR /etc/openldap/cacerts
>>
>> /etc/ldap.conf - nss_ldap config - only shows changes, the rest is as default
>>
>> # @(#)$Id: ldap.conf,v 1.34 2004/09/16 23:32:02 lukeh Exp $
>> #
>> # This is the configuration file for the LDAP nameservice
>> # switch library and the LDAP PAM module.
>> #
>> # PADL Software
>> # http://www.padl.com
>> #
>>
>> # Your LDAP server. Must be resolvable without using LDAP.
>> # Multiple hosts may be specified, each separated by a
>> # space. How long nss_ldap takes to failover depends on
>> # whether your LDAP client library supports configurable
>> # network or connect timeouts (see bind_timelimit).
>> host 10.10.4.111
>>
>> # The distinguished name of the search base.
>> base dc=uk,dc=corplan,dc=net
>>
>> # Another way to specify your LDAP server is to provide an
>> # uri with the server name. This allows to use
>> # Unix Domain Sockets to connect to a local LDAP Server.
>> uri ldap://10.10.4.111/
>> #uri ldaps://127.0.0.1/
>> #uri ldapi://%2fvar%2frun%2fldapi_sock/
>> # Note: %2f encodes the '/' used as directory separator
>>
>> # The LDAP version to use (defaults to 3
>> # if supported by client library)
>> #ldap_version 3
>>
>> # The distinguished name to bind to the server with.
>> # Optional: default is to bind anonymously.
>> binddn cn=Manager,dc=uk,dc=corplan,dc=net
>>
>> # The credentials to bind with.
>> # Optional: default is no credential.
>> bindpw secret
>>
>> # Do not hash the password at all; presume
>> # the directory server will do it, if
>> # necessary. This is the default.
>> pam_password exop
>>
>> # RFC2307bis naming contexts
>> # Syntax:
>> # nss_base_XXX base?scope?filter
>> # where scope is {base,one,sub}
>> # and filter is a filter to be &'d with the
>> # default filter.
>> # You can omit the suffix eg:
>> # nss_base_passwd ou=People,
>> # to append the default base DN but this
>> # may incur a small performance impact.
>> nss_base_passwd ou=People,dc=uk,dc=corplan,dc=net?one
>> nss_base_shadow ou=People,dc=uk,dc=corplan,dc=net?one
>> nss_base_group ou=Groups,dc=uk,dc=corplan,dc=net?one
>> #nss_base_hosts ou=Hosts,dc=example,dc=com?one
>> #nss_base_services ou=Services,dc=example,dc=com?one
>> #nss_base_networks ou=Networks,dc=example,dc=com?one
>> #nss_base_protocols ou=Protocols,dc=example,dc=com?one
>> #nss_base_rpc ou=Rpc,dc=example,dc=com?one
>> #nss_base_ethers ou=Ethers,dc=example,dc=com?one
>> #nss_base_netmasks ou=Networks,dc=example,dc=com?ne
>> #nss_base_bootparams ou=Ethers,dc=example,dc=com?one
>> #nss_base_aliases ou=Aliases,dc=example,dc=com?one
>> #nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
>>
>> [EMAIL PROTECTED] etc]# slapcat | grep -i IDMAP
>> o: Samba Idmap Directory
>> dn: ou=Idmap,dc=uk,dc=corplan,dc=net
>> ou: idmap
>>
>> I've googled about a bit and haven't been able to find too much except this
>> thread:
>> http://www.mail-archive.com/[email protected]/msg30905.html
>>
>> But I've checked most of the info and it looks OK in comparison to my
>> setup.
>>
>> Any help with this is much appreciated...
>>
>> Thanks,
>>
>> Simon
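Two things in this thread are worth checking mechanically on a host: whether passwd and group in nsswitch.conf route through winbind (the change that made getent start returning domain users), and whether the rootpw in slapd.conf is the cleartext value that file's own comment warns against. The script below is an added example, not code from the thread, from Samba or from OpenLDAP; the file contents it checks are constructed inline from the configs quoted above, and the {SSHA} value is a placeholder rather than a real hash.

```shell
#!/bin/sh
# Added example (not from the thread, Samba or OpenLDAP): config checks for
# the two points this thread turns on. Sample file contents are constructed
# inline so the script runs offline; on a real host pass the functions
# "$(cat /etc/nsswitch.conf)" or "$(cat /etc/openldap/slapd.conf)" instead.

# Constructed sample: nsswitch.conf as in the original post (ldap, no winbind)
NSS_BEFORE='passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
hosts: files dns'

# Constructed sample: nsswitch.conf after the change that fixed it
NSS_AFTER='passwd: files winbind
shadow: files
group: files winbind
hosts: files dns'

# Constructed sample: slapd.conf fragment with the cleartext rootpw from the post
SLAPD_CLEAR='database bdb
suffix "dc=uk,dc=corplan,dc=net"
rootdn "cn=Manager,dc=uk,dc=corplan,dc=net"
rootpw secret'

# Constructed sample: same fragment with a slappasswd(8)-style hashed value
# (the {SSHA} string is a placeholder, not a real hash); the commented-out
# cleartext line must be ignored by the check
SLAPD_HASHED='database bdb
rootdn "cn=Manager,dc=uk,dc=corplan,dc=net"
#rootpw secret
rootpw {SSHA}PLACEHOLDERHASHVALUE'

# nss_has_service DB SERVICE CONTENT
# Exit 0 if the nsswitch database DB (passwd, group, ...) lists SERVICE.
# Comment lines are skipped; the first field of a data line is "passwd:" etc.
nss_has_service() {
  printf '%s\n' "$3" | awk -v db="$1" -v svc="$2" '
    /^[[:space:]]*#/ { next }
    $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == svc) found = 1 }
    END { exit found ? 0 : 1 }'
}

# check_winbind_nss CONTENT
# Reports each of passwd/group that does not route through winbind.
# Exit 0 only when both do, which is the state in which getent started
# returning domain users in the thread.
check_winbind_nss() {
  rc=0
  for db in passwd group; do
    if ! nss_has_service "$db" winbind "$1"; then
      echo "nsswitch.conf: '$db' does not list winbind"
      rc=1
    fi
  done
  return $rc
}

# slapd_rootpw_hashed CONTENT
# Exit 0 if every uncommented rootpw directive carries a hashed value (one
# starting with a {SCHEME} tag as produced by slappasswd), 1 if any is
# stored in cleartext.
slapd_rootpw_hashed() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ { next }
    $1 == "rootpw" { if (substr($2, 1, 1) != "{") clear = 1 }
    END { exit clear ? 1 : 0 }'
}

# Stand-alone run: report on the constructed samples
if check_winbind_nss "$NSS_BEFORE"; then echo "before: ok"; else echo "before: winbind missing"; fi
if check_winbind_nss "$NSS_AFTER"; then echo "after: ok"; fi
if slapd_rootpw_hashed "$SLAPD_CLEAR"; then :; else echo "slapd.conf: rootpw is cleartext"; fi
if slapd_rootpw_hashed "$SLAPD_HASHED"; then echo "slapd.conf (hashed): ok"; fi
```

The nsswitch check only looks at passwd and group because those are the two databases winbind serves; the rootpw check deliberately ignores commented-out lines so that a leftover "#rootpw secret" does not mask a correctly hashed directive.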
