Re: [Samba] ldap idmap backend
It's a known bug https://bugzilla.samba.org/show_bug.cgi?id= fixed in 3.5.8

Thanks to Christian PERRIER who pointed it out in his announcement.

--
Vladimir Vassiliev

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] ldap idmap backend
Hi all,

I use Samba 3.5.6 in ads mode (Windows 2008R2) with ldap idmap backend. Servers run Centos 4 and 5. I can't cope with next issue for long time. On all servers in domain winbind constantly tries to create mapping for SID-513 and fails because of already existing entry. It just wastes gid range. Note that SID is not SID of main domain but another which name equal to hostname. For example on host FMS in domain CORP I have:

    wbinfo --all-domains
    BUILTIN
    FMS
    CORP

    wbinfo -D FMS
    Name : FMS
    Alt_Name :
    SID : S-1-5-21-3830529182-610880034-2098875520
    Active Directory : No
    Native: No
    Primary : No

Here is log:

    [2011/03/17 15:37:28.387459, 0] winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
      ldap_set_mapping_internals: Failed to add S-1-5-21-3830529182-610880034-2098875520-513 to 20067 mapping [gidNumber]
    [2011/03/17 15:37:28.387538, 0] winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
      ldap_set_mapping_internals: Error was: (Already exists)

Can someone experienced in Samba comment how to deal with this issue?

Thanks.

--
Vladimir Vassiliev
Re: [Samba] ldap idmap backend
On Thursday, March 17, 2011, Vladimir Vassiliev wrote:
> Hi all,
>
> I use Samba 3.5.6 in ads mode (Windows 2008R2) with ldap idmap backend. Servers run Centos 4 and 5. I can't cope with next issue for long time. On all servers in domain winbind constantly tries to create mapping for SID-513 and fails because of already existing entry. It just wastes gid range.

I had that problem. In my case, doing an ldapsearch -x sambaSID=SID-513 found two idmap entries (in different ou). After I deleted one of them with ldapdelete, it stopped having that error and stopped trying to create new entries.
Re: [Samba] ldap idmap backend
On Thu, Mar 17, 2011 at 04:02:29PM +0300, Vladimir Vassiliev wrote:
> Hi all,
>
> I use Samba 3.5.6 in ads mode (Windows 2008R2) with ldap idmap backend. Servers run Centos 4 and 5. I can't cope with next issue for long time. On all servers in domain winbind constantly tries to create mapping for SID-513 and fails because of already existing entry. It just wastes gid range.

DOMAIN-SID-513 is the Domain Users group.

> Note that SID is not SID of main domain but another which name equal to hostname. For example on host FMS in domain CORP I have:
>
>     wbinfo --all-domains
>     BUILTIN
>     FMS
>     CORP

Why have you created a local computer domain, out of interest? Windows does this, but you don't have to do it with samba. This has been the cause of your problem; winbind is trying to map both CORP-SID-513 and FMS-SID-513 to the same local group.

--
Bruce

Bitterly it mathinketh me, that I spent mine wholle lyf in the lists against the ignorant. -- Roger Bacon, Doctor Mirabilis
Re: [Samba] ldap idmap backend
17.03.2011 16:30, Bruce Richardson wrote:
> DOMAIN-SID-513 is the Domain Users group.
>
>> Note that SID is not SID of main domain but another which name equal to hostname. For example on host FMS in domain CORP I have:
>>
>>     wbinfo --all-domains
>>     BUILTIN
>>     FMS
>>     CORP
>
> Why have you created a local computer domain, out of interest?

I didn't do it, Samba did. Really I dunno how to add extra domain to Samba. How can I delete this domain?

> Windows does this, but you don't have to do it with samba. This has been the cause of your problem; winbind is trying to map both CORP-SID-513 and FMS-SID-513 to the same local group.

CORP-SID-513 already has its own mapping with gid=10001 but Samba tries to use values 20043 and higher for new mappings.

--
Vladimir Vassiliev
Re: [Samba] ldap idmap backend
17.03.2011 16:27, Frank Mori Hess wrote:
> On Thursday, March 17, 2011, Vladimir Vassiliev wrote:
>> Hi all,
>>
>> I use Samba 3.5.6 in ads mode (Windows 2008R2) with ldap idmap backend. Servers run Centos 4 and 5. I can't cope with next issue for long time. On all servers in domain winbind constantly tries to create mapping for SID-513 and fails because of already existing entry. It just wastes gid range.
>
> I had that problem. In my case, doing an ldapsearch -x sambaSID=SID-513 found two idmap entries (in different ou). After I deleted one of them with ldapdelete, it stopped having that error and stopped trying to create new entries.

Were these mappings identical or not?

--
Vladimir Vassiliev
Re: [Samba] ldap idmap backend
On Thu, Mar 17, 2011 at 05:06:03PM +0300, Vladimir Vassiliev wrote:
>> Why have you created a local computer domain, out of interest?
>
> I didn't do it, Samba did. Really I dunno how to add extra domain to Samba. How can I delete this domain?

Something did it. Was this machine a domain controller before it was joined to the CORP domain? Can you show us the idmap-related section of your samba config?

--
Bruce

Explode!: thousands of lemmings can't be wrong.
Re: [Samba] ldap idmap backend
17.03.2011 17:12, Bruce Richardson wrote:
> On Thu, Mar 17, 2011 at 05:06:03PM +0300, Vladimir Vassiliev wrote:
>>> Why have you created a local computer domain, out of interest?
>>
>> I didn't do it, Samba did. Really I dunno how to add extra domain to Samba. How can I delete this domain?
>
> Something did it. Was this machine a domain controller before it was joined to the CORP domain? Can you show us the idmap-related section of your samba config?

This happens with every host I join to domain, i.e. every host tries to create its own SID-HOST-513.

Whole smb.conf of newly installed host

    [global]
    workgroup = CORP
    security = ADS
    realm = CORP.EDU.YAR.RU
    encrypt passwords = yes
    load printers = no
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    idmap uid = 1000-3
    idmap gid = 1000-3
    idmap backend = ldap
    winbind offline logon = yes
    idmap backend = ldap:ldaps://ldap host/
    ldap admin dn = cn=admin,dc=corp,dc=edu,dc=yar,dc=ru
    ldap suffix = dc=corp,dc=edu,dc=yar,dc=ru
    ldap idmap suffix = ou=idmap
    ldap ssl = off

--
Vladimir Vassiliev
Re: [Samba] ldap idmap backend
On Thursday, March 17, 2011, Vladimir Vassiliev wrote:
> 17.03.2011 16:27, Frank Mori Hess wrote:
>> I had that problem. In my case, doing an ldapsearch -x sambaSID=SID-513 found two idmap entries (in different ou). After I deleted one of them with ldapdelete, it stopped having that error and stopped trying to create new entries.
>
> Were these mappings identical or not?

No, one was in dc=blah,... and the other was in ou=Idmap,dc=blah, Also, they mapped to different gid numbers. They just had the same sambaSID. I think the second one got allocated accidentally when I was playing around with ldap suffixes in smb.conf. They corresponded to domain group MYHOSTNAME\None.
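The duplicate-entry check Frank describes, as an added example that is not part of the original thread: a Python script that reads an LDIF export of the directory and reports every sambaSID held by more than one entry, marking the ones that map to different uid/gid numbers. The SIDs, DNs and numbers in the sample are constructed; the export is assumed to come from something like an ldapsearch for (sambaSID=*) over the whole suffix.

```python
"""Find sambaSID values held by more than one idmap entry in an LDIF export."""
import base64
from collections import defaultdict

# Constructed sample: the same SID mapped once directly under the suffix and
# once under ou=Idmap, with different gid numbers (the situation in the thread).
SAMPLE_LDIF = """\
dn: sambaSID=S-1-5-21-111-222-333-513,dc=example,dc=org
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-111-222-333-513
gidNumber: 10001

dn: sambaSID=S-1-5-21-111-222-333-513,ou=Idmap,dc=example,dc=org
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-111-222-333-513
gidNumber: 20043

dn: sambaSID=S-1-5-21-111-222-333-1105,ou=Idmap,dc=example,dc=org
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-111-222-333-1105
uidNumber: 10002
"""


def parse_ldif(text):
    """Yield one dict per LDIF record: lower-cased attribute -> list of values."""
    lines = []
    for raw in text.splitlines():
        # RFC 2849 folding: a line starting with one space continues the previous one.
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    record = defaultdict(list)
    for line in lines + [""]:            # trailing "" flushes the last record
        if not line.strip():
            if record:
                yield dict(record)
                record = defaultdict(list)
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):         # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        record[attr.lower()].append(value)


def find_duplicate_sids(text):
    """Return {sid: [(dn, id_attribute, id_number), ...]} for SIDs with more than one entry."""
    by_sid = defaultdict(list)
    for rec in parse_ldif(text):
        dn = rec.get("dn", ["?"])[0]
        ids = [(attr, int(num))
               for attr in ("uidnumber", "gidnumber")
               for num in rec.get(attr, [])] or [(None, None)]
        for sid in rec.get("sambasid", []):
            for attr, num in ids:
                by_sid[sid.upper()].append((dn, attr, num))
    return {sid: rows for sid, rows in by_sid.items() if len(rows) > 1}


def report(text):
    """Return report lines; CONFLICT means the duplicates map to different ids."""
    out = []
    for sid, rows in sorted(find_duplicate_sids(text).items()):
        distinct = {(attr, num) for _, attr, num in rows}
        out.append(("CONFLICT: " if len(distinct) > 1 else "redundant: ") + sid)
        out.extend(f"    {dn} -> {attr}={num}" for dn, attr, num in rows)
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LDIF)))
```

Searching from the top of the suffix rather than from the idmap suffix matters here, because the stray entry in the thread sat outside ou=Idmap.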
Re: [Samba] Re: Samba / LDAP / Idmap
>> Should I be running winbindd in this situation?
>
> Not really, winbind is used for things like a samba server authenticating against a Windows server and NTLM authentication. You can just make the second box look at the ldap server on the first, or if you like, run an ldap slave on the second machine for redundancy and have samba look at that.

I have found that winbind is needed also in a samba domain if you want the windows properties tab to show the user names for acls other than the default. Without winbind sids will be shown for all extended acls in the properties tab.

John
Fwd: [Samba] Re: Samba / LDAP / Idmap
> Perhaps, though, I am asking the wrong question. Here is what I have (on one Linux server):
>
> - OpenLDAP
> - Samba 3.0, user data stored in LDAP
> - local Unix users / groups resolved via LDAP
>
> I have added another Linux machine and local Unix users / groups are resolved via LDAP. I now want to have Samba on this additional machine also reference the existing directory information.
>
> Should I be running winbindd in this situation?

If you are not using windows machines with samba you do not need winbind or idmap.

John

--
John M. Drescher
[Samba] Samba / LDAP / Idmap
Hi,

This is probably documented somewhere very obvious but I do not seem to be able to find it.

Many years ago I configured my Samba server with an LDAP backend. I also put in the parameter 'ldap idmap suffix = ou=Idmap' in my smb.conf file too as per:

http://au1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#id2571568

Amazingly enough I now have to add two more member servers, checking via GQ I see that the ou=Idmap tree is actually empty.

Should it be? If not, how can I -- is there a way, even -- have it populated with the existing Idmaps?

My users are able to login to their machines perfectly fine (everything is run via LDAP).

Thanks,
Anand
Re: [Samba] Samba / LDAP / Idmap
On Sun, Apr 13, 2008 at 10:23 PM, Anand Kumria [EMAIL PROTECTED] wrote:
> Hi,
>
> This is probably documented somewhere very obvious but I do not seem to be able to find it.
>
> Many years ago I configured my Samba server with an LDAP backend. I also put in the parameter 'ldap idmap suffix = ou=Idmap' in my smb.conf file too as per:
>
> http://au1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#id2571568
>
> Amazingly enough I now have to add two more member servers, checking via GQ I see that the ou=Idmap tree is actually empty.
>
> Should it be? If not, how can I -- is there a way, even -- have it populated with the existing Idmaps?
>
> My users are able to login to their machines perfectly fine (everything is run via LDAP).

For a samba 3.0.28a member server using domain security and ldap and winbind enabled I had the same problem a few weeks ago and it ended up preventing my acls from working correctly. Basically after adding acls in windows xp they would be removed after applying. There would be an error in the samba logs. Something like could not allocate a UID or GID. I checked my ldap and the idmap tree was completely empty. So I decided to see if I could tell the format of what belongs in there and if I entered it would that fix the problem. I googled for a while and found a red hat doc that showed a slapcat with idmap entries. I then added the entry for a test user via slapadd and then I added the user to an acl in windows and clicked accept and it took. So I looked deeper into the error and I found the two wbinfo allocate calls fail:

    # wbinfo --allocate-uid
    Could not allocate a uid
    # wbinfo --allocate-gid
    Could not allocate a gid

but most other wbinfo stuff works ( -u -g -t ...)

So at this point I set my winbind to use tdbsam and then I restarted samba and sure enough the properties tab of XP worked as expected. At that point I found a tool that would dump what was in a .tdb file and I wrote a shell script to populate the ldap with that.

I am sorry I am not more specific but I am not at work and I did this stuff over a month ago. Anyways after populating the idmap tree from the .tdb file (in /var/cache/samba/) my acls work in XP for all users and groups that are in the tree. I switched back to using ldap to store winbind data because this is by no means the only samba server on our network.

John
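The tdb-to-LDAP migration John describes, as an added example (this is not his script): a Python script that turns a tdbdump listing of winbindd_idmap.tdb into LDIF entries for the idmap tree, optionally dropping ids outside the configured idmap range. The dump layout, the "UID n" / "GID n" record format keyed by SID, the sambaIdmapEntry and sambaSidEntry object classes, the idmap DN and all sample values are assumptions to check against your own dump and schema.

```python
"""Turn a tdbdump listing of winbindd_idmap.tdb into LDIF for the idmap tree."""
import re

# Constructed sample in the layout tdbdump is assumed to print: one
# {key, data} block per record, non-printable bytes shown as \XX hex escapes.
SAMPLE_DUMP = r"""{
key(8) = "USER HWM"
data(4) = "\13'\00\00"
}
{
key(25) = "S-1-5-21-111-222-333-513\00"
data(10) = "GID 10001\00"
}
{
key(10) = "GID 10001\00"
data(25) = "S-1-5-21-111-222-333-513\00"
}
{
key(26) = "S-1-5-21-111-222-333-1105\00"
data(10) = "UID 10002\00"
}
"""

RECORD = re.compile(r'key\(\d+\) = "(.*)"\ndata\(\d+\) = "(.*)"')


def unescape(value):
    r"""Undo the \XX hex escapes and drop the trailing NUL terminator."""
    decoded = re.sub(r"\\([0-9A-Fa-f]{2})",
                     lambda m: chr(int(m.group(1), 16)), value)
    return decoded.rstrip("\x00")


def idmap_records(dump, id_range=None):
    """Return sorted [(sid, attribute, number)] taken from the SID-keyed records.

    Reverse records (keyed by "UID n"/"GID n") and the high-water marks are
    skipped. id_range=(low, high) keeps only ids inside the idmap range.
    """
    out = []
    for key, data in RECORD.findall(dump):
        sid, mapping = unescape(key), unescape(data)
        match = re.fullmatch(r"(UID|GID) (\d+)", mapping)
        if not (sid.startswith("S-1-") and match):
            continue
        number = int(match.group(2))
        if id_range and not id_range[0] <= number <= id_range[1]:
            continue
        attr = "uidNumber" if match.group(1) == "UID" else "gidNumber"
        out.append((sid, attr, number))
    return sorted(out)


def to_ldif(records, idmap_dn):
    """Render records as LDIF entries under idmap_dn (a hypothetical DN here)."""
    entries = []
    for sid, attr, number in records:
        entries.append("\n".join([
            f"dn: sambaSID={sid},{idmap_dn}",
            "objectClass: sambaIdmapEntry",
            "objectClass: sambaSidEntry",
            f"sambaSID: {sid}",
            f"{attr}: {number}",
        ]))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    print(to_ldif(idmap_records(SAMPLE_DUMP), "ou=Idmap,dc=example,dc=org"))
```

Review the generated LDIF before loading it, since an id that is already assigned to a different SID in the directory produces exactly the conflicting mappings discussed elsewhere on this page.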
Re: [Samba] Samba / LDAP / Idmap
idmap will only be populated if you are using winbind.

Anand Kumria wrote:
> Hi,
>
> This is probably documented somewhere very obvious but I do not seem to be able to find it.
>
> Many years ago I configured my Samba server with an LDAP backend. I also put in the parameter 'ldap idmap suffix = ou=Idmap' in my smb.conf file too as per:
>
> http://au1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#id2571568
>
> Amazingly enough I now have to add two more member servers, checking via GQ I see that the ou=Idmap tree is actually empty.
>
> Should it be? If not, how can I -- is there a way, even -- have it populated with the existing Idmaps?
>
> My users are able to login to their machines perfectly fine (everything is run via LDAP).
>
> Thanks,
> Anand
Re: [Samba] Samba / LDAP / Idmap
On Mon, Apr 14, 2008 at 9:32 AM, Adam Williams [EMAIL PROTECTED] wrote:
> idmap will only be populated if you are using winbind.

In my case I was using winbind and it was not populated because winbind could not allocate a uid or gid. Any ideas how to debug that?

John
Re: [Samba] Samba / LDAP / Idmap
John Drescher wrote:
> In my case I was using winbind and it was not populated because winbind could not allocate a uid or gid. Any ideas how to debug that?
>
> John

Can't help you there, sorry. I'm not using winbind, I never could get it to work anyway, and I don't really need it for what I do at the moment.

    [EMAIL PROTECTED] log]# wbinfo -g
    Error looking up domain groups
    [EMAIL PROTECTED] log]# wbinfo -u
    Error looking up domain users
[Samba] Re: Samba / LDAP / Idmap
Hi Adam,

On Mon, 14 Apr 2008 08:32:31 -0500, Adam Williams wrote:
> idmap will only be populated if you are using winbind.

Ah, that is definitely not clear from what I read. The configuration example and text http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#idmapbackendexample seem to indicate that I can just use the idmap parameters and it will be populated.

Perhaps, though, I am asking the wrong question. Here is what I have (on one Linux server):

- OpenLDAP
- Samba 3.0, user data stored in LDAP
- local Unix users / groups resolved via LDAP

I have added another Linux machine and local Unix users / groups are resolved via LDAP. I now want to have Samba on this additional machine also reference the existing directory information.

Should I be running winbindd in this situation?

Thanks,
Anand
Re: [Samba] Re: Samba / LDAP / Idmap
Anand Kumria wrote:
> Hi Adam,
>
> On Mon, 14 Apr 2008 08:32:31 -0500, Adam Williams wrote:
>
> snip
>
> Here is what I have (on one Linux server):
>
> - OpenLDAP
> - Samba 3.0, user data stored in LDAP
> - local Unix users / groups resolved via LDAP
>
> I have added another Linux machine and local Unix users / groups are resolved via LDAP. I now want to have Samba on this additional machine also reference the existing directory information.
>
> Should I be running winbindd in this situation?

Not really, winbind is used for things like a samba server authenticating against a Windows server and NTLM authentication. You can just make the second box look at the ldap server on the first, or if you like, run an ldap slave on the second machine for redundancy and have samba look at that.

> Thanks,
> Anand

*Michael Heydon - IT Administrator*
[EMAIL PROTECTED]
[Samba] ldap idmap backend doesn't work
Hi,

I've got a problem with the ldap idmap backend capability. I've integrated a fedora Core3 with samba 3.0.10 box in an Active Directory 2003 domain. WinBind works correctly with the tdb backend but have some troubles with ldap functionality. I've modified my smb.conf file for use my OpenLDAP server to stock the maps.

smb.conf:

    idmap backend = ldap:ldap://fedogat.vdp.mdp
    ldap idmap suffix = ou=idmap,dc=vdp,dc=mdp
    ldap admin dn = cn=manager,dc=vdp,dc=mdp

In a same time, I've created the admin dn password with:

    smbpasswd -w secret

I've configured my OpenLDAP server:

1 - Configure the slapd.conf file (include samba.schema; dc=vdp,dc=mdp; rootpw)
2 - Create the manager object and the idmap organizational unit

The OpenLDAP server is launched with the following command:

    slapd -f /etc/openldap/slapd.conf -u ldap

The /var/lib/ldap dir is owned by the ldap local user. But, when I start the winbindd daemon with the next command:

    winbindd -F -S -d 10

I can see that the connection to the ldap server is successful but after, I've got the "idmap_init: failed to initialize remote backend!" error message. Perhaps, I forgot a stage in my configuration process. If someone can help me or redirect me towards a good tutorial to implement the ldap idmap backend.

Regards
FW: [Samba] LDAP Idmap
In addition to the instructions below, you must have compiled the NSS_LDAP from www.padl.com on your SAMBA PDC. I have written a how-to with instructions to compile NSS_LDAP and an example smb.conf attached to this email. I got the detailed directions from the SAMBA 3 by example at http://us1.samba.org/samba/docs/man/Samba-Guide/

Good luck,
Pat

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Manfred Odenstein
Sent: Monday, August 09, 2004 2:59 AM
To: [EMAIL PROTECTED]
Subject: Re: [Samba] LDAP Idmap

Hi,

at least you have to specify:

    idmap backend = ldap:ldap://host
    idmap uid = 1-2
    idmap gid = 1-2
    ldap idmap suffix = suffix
    ldap admin dn = admindn
    ldap suffix = suffix

you don't have to change the nsswitch if winbind is already in there

regards
odi

On Friday, 6 August 2004 13:51, Shannon Johnson wrote:

Thanks for the quick response... but I've already been there. As I said, I'm NOT looking for an LDAP PDC... I'm ONLY looking for LDAP idmap. There is no documentation on idealx.org for an LDAP idmap that does NOT include the PDC... nor is there much documentation anywhere else about it.

Shannon Johnson
Network Support Specialist / Systems Administrator
Dept. of Mechanical and Nuclear Engineering
224 Reber Building
University Park, PA 16802
Phone: (814) 865-8267

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, August 06, 2004 3:59 AM
To: Shannon Johnson; [EMAIL PROTECTED]
Subject: Re: [Samba] LDAP Idmap

Shannon Johnson [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
05.08.2004 22:59
To: [EMAIL PROTECTED]
cc:
Subject: [Samba] LDAP Idmap

Hi shannon,

a good start you'll find at www.idealx.org. There is a very good docu on how to setup samba3-LDAP. If you then run into problems, ask the list.

Chris

I'm having quite a bit of trouble getting an LDAP directory set up for the idmap backend for winbind. I've been working on it for quite a while, and haven't found any very helpful websites or anything.
I've found quite a bit on how to set up a PDC using LDAP, which would be nice, but I already have the PDC... I just need LDAP to host UID's and GID's. The things I'd like to know are: 1. What should the rootdn, suffix, and indexes be in the slapd.conf? I think that the rootdn needs to match what I put in the smb.conf for the ldap admin dn, and I'm fairly sure the suffix needs to match the ldap suffix from the smb.conf... I don't have any idea about the indexes. 2. What needs to be in the ldif file to create the directory properly? I've tried several that I've found online, both from the Samba 3 By Example book, and lots of forum / mailing list posts. I'm not sure if what I've tried has been correct, but it hasn't worked yet, and this is one part I'm not sure about. 3. I think that once I get the first 2 things worked out, I just set about 6 things in my smb.conf (ldap suffix, ldap admin dn, idmap backend (which should point to ldap:ldap://127.0.0.1, if the server is running on the same machine, right?), ldap idmap suffix, idmap uid, and idmap gid), enter my password from the smbpasswd -w command, and once I restart winbind, it should automatically start filling up the directory, right? 4. Once I get the server going and filled up with UID's and GID's, for the clients, am I correct in saying that I alter the smb.conf to include the ldap suffix, ldap admin dn, idmap backend, ldap idmap suffix, idmap uid, and idmap gid, then again enter my password via smbpasswd -w, change /etc/nsswitch.conf to be passwd files ldap instead of passwd files winbind, and it should work? This isn't documented very well anywhere, so I'd appreciate any hints or suggestions anybody might have... 
Shannon
Re: [Samba] LDAP Idmap
Hi,

at least you have to specify:

    idmap backend = ldap:ldap://host
    idmap uid = 1-2
    idmap gid = 1-2
    ldap idmap suffix = suffix
    ldap admin dn = admindn
    ldap suffix = suffix

you don't have to change the nsswitch if winbind is already in there

regards
odi

On Friday, 6 August 2004 13:51, Shannon Johnson wrote:

Thanks for the quick response... but I've already been there. As I said, I'm NOT looking for an LDAP PDC... I'm ONLY looking for LDAP idmap. There is no documentation on idealx.org for an LDAP idmap that does NOT include the PDC... nor is there much documentation anywhere else about it.

Shannon Johnson
Network Support Specialist / Systems Administrator
Dept. of Mechanical and Nuclear Engineering
224 Reber Building
University Park, PA 16802
Phone: (814) 865-8267

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, August 06, 2004 3:59 AM
To: Shannon Johnson; [EMAIL PROTECTED]
Subject: Re: [Samba] LDAP Idmap

Shannon Johnson [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
05.08.2004 22:59
To: [EMAIL PROTECTED]
cc:
Subject: [Samba] LDAP Idmap

Hi shannon,

a good start you'll find at www.idealx.org. There is a very good docu on how to setup samba3-LDAP. If you then run into problems, ask the list.

Chris

I'm having quite a bit of trouble getting an LDAP directory set up for the idmap backend for winbind. I've been working on it for quite a while, and haven't found any very helpful websites or anything. I've found quite a bit on how to set up a PDC using LDAP, which would be nice, but I already have the PDC... I just need LDAP to host UID's and GID's. The things I'd like to know are: 1. What should the rootdn, suffix, and indexes be in the slapd.conf? I think that the rootdn needs to match what I put in the smb.conf for the ldap admin dn, and I'm fairly sure the suffix needs to match the ldap suffix from the smb.conf... I don't have any idea about the indexes. 2. What needs to be in the ldif file to create the directory properly?
I've tried several that I've found online, both from the Samba 3 By Example book, and lots of forum / mailing list posts. I'm not sure if what I've tried has been correct, but it hasn't worked yet, and this is one part I'm not sure about. 3. I think that once I get the first 2 things worked out, I just set about 6 things in my smb.conf (ldap suffix, ldap admin dn, idmap backend (which should point to ldap:ldap://127.0.0.1, if the server is running on the same machine, right?), ldap idmap suffix, idmap uid, and idmap gid), enter my password from the smbpasswd -w command, and once I restart winbind, it should automatically start filling up the directory, right? 4. Once I get the server going and filled up with UID's and GID's, for the clients, am I correct in saying that I alter the smb.conf to include the ldap suffix, ldap admin dn, idmap backend, ldap idmap suffix, idmap uid, and idmap gid, then again enter my password via smbpasswd -w, change /etc/nsswitch.conf to be passwd files ldap instead of passwd files winbind, and it should work? This isn't documented very well anywhere, so I'd appreciate any hints or suggestions anybody might have...

Shannon
Re: [Samba] LDAP Idmap
Shannon Johnson [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
05.08.2004 22:59
To: [EMAIL PROTECTED]
cc:
Subject: [Samba] LDAP Idmap

Hi shannon,

a good start you'll find at www.idealx.org. There is a very good docu on how to setup samba3-LDAP. If you then run into problems, ask the list.

Chris

I'm having quite a bit of trouble getting an LDAP directory set up for the idmap backend for winbind. I've been working on it for quite a while, and haven't found any very helpful websites or anything. I've found quite a bit on how to set up a PDC using LDAP, which would be nice, but I already have the PDC... I just need LDAP to host UID's and GID's. The things I'd like to know are: 1. What should the rootdn, suffix, and indexes be in the slapd.conf? I think that the rootdn needs to match what I put in the smb.conf for the ldap admin dn, and I'm fairly sure the suffix needs to match the ldap suffix from the smb.conf... I don't have any idea about the indexes. 2. What needs to be in the ldif file to create the directory properly? I've tried several that I've found online, both from the Samba 3 By Example book, and lots of forum / mailing list posts. I'm not sure if what I've tried has been correct, but it hasn't worked yet, and this is one part I'm not sure about. 3. I think that once I get the first 2 things worked out, I just set about 6 things in my smb.conf (ldap suffix, ldap admin dn, idmap backend (which should point to ldap:ldap://127.0.0.1, if the server is running on the same machine, right?), ldap idmap suffix, idmap uid, and idmap gid), enter my password from the smbpasswd -w command, and once I restart winbind, it should automatically start filling up the directory, right? 4.
Once I get the server going and filled up with UID's and GID's, for the clients, am I correct in saying that I alter the smb.conf to include the ldap suffix, ldap admin dn, idmap backend, ldap idmap suffix, idmap uid, and idmap gid, then again enter my password via smbpasswd -w, change /etc/nsswitch.conf to be passwd files ldap instead of passwd files winbind, and it should work? This isn't documented very well anywhere, so I'd appreciate any hints or suggestions anybody might have...

Shannon
RE: [Samba] LDAP Idmap
Thanks for the quick response... but I've already been there. As I said, I'm NOT looking for an LDAP PDC... I'm ONLY looking for LDAP idmap. There is no documentation on idealx.org for an LDAP idmap that does NOT include the PDC... nor is there much documentation anywhere else about it.

Shannon Johnson
Network Support Specialist / Systems Administrator
Dept. of Mechanical and Nuclear Engineering
224 Reber Building
University Park, PA 16802
Phone: (814) 865-8267

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, August 06, 2004 3:59 AM
To: Shannon Johnson; [EMAIL PROTECTED]
Subject: Re: [Samba] LDAP Idmap

Shannon Johnson [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
05.08.2004 22:59
To: [EMAIL PROTECTED]
cc:
Subject: [Samba] LDAP Idmap

Hi shannon,

a good start you'll find at www.idealx.org. There is a very good docu on how to setup samba3-LDAP. If you then run into problems, ask the list.

Chris

I'm having quite a bit of trouble getting an LDAP directory set up for the idmap backend for winbind. I've been working on it for quite a while, and haven't found any very helpful websites or anything. I've found quite a bit on how to set up a PDC using LDAP, which would be nice, but I already have the PDC... I just need LDAP to host UID's and GID's. The things I'd like to know are: 1. What should the rootdn, suffix, and indexes be in the slapd.conf? I think that the rootdn needs to match what I put in the smb.conf for the ldap admin dn, and I'm fairly sure the suffix needs to match the ldap suffix from the smb.conf... I don't have any idea about the indexes. 2. What needs to be in the ldif file to create the directory properly? I've tried several that I've found online, both from the Samba 3 By Example book, and lots of forum / mailing list posts. I'm not sure if what I've tried has been correct, but it hasn't worked yet, and this is one part I'm not sure about. 3.
I think that once I get the first 2 things worked out, I just set about 6 things in my smb.conf (ldap suffix, ldap admin dn, idmap backend (which should point to ldap:ldap://127.0.0.1, if the server is running on the same machine, right?), ldap idmap suffix, idmap uid, and idmap gid), enter my password from the smbpasswd -w command, and once I restart winbind, it should automatically start filling up the directory, right? 4. Once I get the server going and filled up with UID's and GID's, for the clients, am I correct in saying that I alter the smb.conf to include the ldap suffix, ldap admin dn, idmap backend, ldap idmap suffix, idmap uid, and idmap gid, then again enter my password via smbpasswd -w, change /etc/nsswitch.conf to be passwd files ldap instead of passwd files winbind, and it should work? This isn't documented very well anywhere, so I'd appreciate any hints or suggestions anybody might have...

Shannon
[Samba] LDAP Idmap
I'm having quite a bit of trouble getting an LDAP directory set up for the idmap backend for winbind. I've been working on it for quite a while, and haven't found any very helpful websites or anything. I've found quite a bit on how to set up a PDC using LDAP, which would be nice, but I already have the PDC... I just need LDAP to host UID's and GID's. The things I'd like to know are:

1. What should the rootdn, suffix, and indexes be in the slapd.conf? I think that the rootdn needs to match what I put in the smb.conf for the ldap admin dn, and I'm fairly sure the suffix needs to match the ldap suffix from the smb.conf... I don't have any idea about the indexes.

2. What needs to be in the ldif file to create the directory properly? I've tried several that I've found online, both from the Samba 3 By Example book, and lots of forum / mailing list posts. I'm not sure if what I've tried has been correct, but it hasn't worked yet, and this is one part I'm not sure about.

3. I think that once I get the first 2 things worked out, I just set about 6 things in my smb.conf (ldap suffix, ldap admin dn, idmap backend (which should point to ldap:ldap://127.0.0.1, if the server is running on the same machine, right?), ldap idmap suffix, idmap uid, and idmap gid), enter my password from the smbpasswd -w command, and once I restart winbind, it should automatically start filling up the directory, right?

4. Once I get the server going and filled up with UID's and GID's, for the clients, am I correct in saying that I alter the smb.conf to include the ldap suffix, ldap admin dn, idmap backend, ldap idmap suffix, idmap uid, and idmap gid, then again enter my password via smbpasswd -w, change /etc/nsswitch.conf to be passwd files ldap instead of passwd files winbind, and it should work?

This isn't documented very well anywhere, so I'd appreciate any hints or suggestions anybody might have...

Shannon
[Samba] LDAP/IDMAP/3.0.4
I've written a program according to what I learned from all the docs and John T.'s assessment of what I intended to do from an email about a month back. I've got everything in LDAP, *no* winbind is in use, and my ldap values from [global] are:

    passdb backend = ldapsam:ldap://ldap.hvcc.edu;
    ldap suffix = dc=hvcc,dc=edu
    ldap machine suffix = ou=People
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=root,dc=hvcc,dc=edu
    idmap backend = ldap:ldap://ldap.hvcc.edu

But I'm stuck on joining the PC to the domain. I'm getting No mapping between account names and security IDs was done. But from the logs, I can't seem to glean *which* mapping it's referring to. I'm still looking and I'm sure it's something dreadfully ignorant on my part. It is authing the root user properly because if I give the wrong root password, it tells me so and the log reflects this as well.

I have an idmap entry for every user for every one of the seven domains we have and I calculated all the rid values using the legacy algorithmic method and populated the LDAP DIT with it all. Every sambaSamAccount is also a posix and shadow account. It loads perfectly, AIX is (surprisingly :-P ) happy and Samba seems truly happy up until this point.

I'll keep digging, but if the experts have seen this and can suggest a quick fix, I'd appreciate it. All hits I've found so far are relative to 2.2. The only strange error I just found (while composing this email) is:

    [2004/07/30 15:51:07, 3] smbd/connection.c:yield_connection(76)
      yield_connection: tdb_delete for name failed with error Record does not exist.

Thank you!

Bill
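The "legacy algorithmic method" mentioned in the message above, shown as an added example (this is not the poster's program and not code from the thread): it computes RIDs as Samba's algorithmic mapping does and emits one sambaIdmapEntry per id, refusing to produce two entries for the same SID. The domain SID, the ids and the idmap base DN are constructed sample values, and the default `algorithmic rid base` of 1000 is assumed.

```python
RID_MULTIPLIER = 2        # the algorithmic mapping doubles the Unix id
USER_RID_TYPE = 0         # low bit clear: user RID
GROUP_RID_TYPE = 1        # low bit set: group RID
DEFAULT_RID_BASE = 1000   # default of smb.conf "algorithmic rid base"

# Constructed sample values (assumptions, not taken from the thread).
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_IDMAP_BASE = "ou=Idmap,dc=example,dc=com"


def algorithmic_rid(unix_id, is_group, rid_base=DEFAULT_RID_BASE):
    """RID for a uid or gid under the algorithmic mapping."""
    if unix_id < 0:
        raise ValueError("Unix ids are non-negative")
    rid_type = GROUP_RID_TYPE if is_group else USER_RID_TYPE
    rid = (unix_id * RID_MULTIPLIER + rid_base) | rid_type
    if rid > 0xFFFFFFFF:
        raise ValueError(f"RID for id {unix_id} does not fit in 32 bits")
    return rid


def idmap_entry(domain_sid, unix_id, is_group, idmap_base,
                rid_base=DEFAULT_RID_BASE):
    """Return (sid, ldif_text) for one sambaIdmapEntry."""
    sid = f"{domain_sid}-{algorithmic_rid(unix_id, is_group, rid_base)}"
    attr = "gidNumber" if is_group else "uidNumber"
    ldif = "\n".join([
        f"dn: sambaSID={sid},{idmap_base}",
        "objectClass: sambaIdmapEntry",
        "objectClass: sambaSidEntry",
        f"sambaSID: {sid}",
        f"{attr}: {unix_id}",
    ])
    return sid, ldif


def build_ldif(domain_sid, uids, gids, idmap_base, rid_base=DEFAULT_RID_BASE):
    """LDIF for all ids; raises if two ids would share one SID."""
    seen, records = {}, []
    for is_group, ids in ((False, uids), (True, gids)):
        kind = "gid" if is_group else "uid"
        for unix_id in ids:
            sid, ldif = idmap_entry(domain_sid, unix_id, is_group,
                                    idmap_base, rid_base)
            if sid in seen:
                raise ValueError(f"{sid} maps both {seen[sid]} and {kind} {unix_id}")
            seen[sid] = f"{kind} {unix_id}"
            records.append(ldif)
    return "\n\n".join(records) + "\n"
```

With an odd rid base the user and group RIDs for the same numeric id coincide, which `build_ldif` reports instead of writing a second entry for an existing sambaSID.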
[Samba] LDAP idmap backend
I've been trying to get an idmap backend working in an ldap database (I know, not really a database). I think I got most of it worked out, but I'm having a problem getting samba to bind to the ldap server.

My smb.conf says (just the important stuff, with my domain taken out because I'm paranoid):

    idmap backend = ldap:ldap://ldapserver.subdomain.domain.com:389
    ldap suffix = dc=mnelabs,dc=mne,dc=psu,dc=edu
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=Manager,dc=subdomain,dc=domain,dc=com

My slapd.conf says:

    suffix dc=subdomain,dc=domain,dc=com
    rootdn cn=Manager,dc=subdomain,dc=domain,dc=com
    rootpw long-encrypted-password starting with {SSHA}

I ran slappasswd and entered my password, and it gave me the rootpw. I ran smbpasswd -w and used the same password as the slappasswd, and it said it set the stored password in secrets.tdb.

Now, when I restart winbind, the log says:

    [2004/06/16 10:51:52, 0] lib/smbldap.c:smbldap_connect_system(798)
      failed to bind to server with dn= cn=Manager,dc=subdomain,dc=domain,dc=com Error: Invalid credentials

I'm not sure what the problem is, or how to fix it... I'm brand new to ldap, but have been working with Samba for a while.

Shannon

Shannon Johnson
Network Support Specialist / Systems Administrator
Dept. of Mechanical and Nuclear Engineering
224 Reber Building
University Park, PA 16802
Phone: (814) 865-8267
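An offline cross-check of the smb.conf and slapd.conf values that the two messages above ask about, as an added example (not code from the thread). Both config texts are constructed samples, and the check assumes `ldap idmap suffix` is given relative to `ldap suffix` and that DNs contain no escaped commas.

```python
import re

# Constructed sample configs (not the poster's files).
SMB_CONF = """\
[global]
   idmap backend = ldap:ldap://ldap.example.com:389
   ldap suffix = dc=lab,dc=example,dc=org
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=Manager, dc=example, dc=com
"""
SLAPD_CONF = """\
suffix  "dc=example,dc=com"
rootdn  "cn=Manager,dc=example,dc=com"
rootpw  {SSHA}constructed-placeholder
"""


def norm_dn(dn):
    """Lower-case a DN and drop spaces around ',' and '=' for comparison."""
    rdns = (re.sub(r"\s*=\s*", "=", r.strip().lower()) for r in dn.split(","))
    return ",".join(r for r in rdns if r)


def parse_smb_conf(text):
    """Map parameter -> value; lines starting with '#', ';' or '[' are skipped."""
    params = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#;[" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def parse_slapd_conf(text):
    """Map the suffix and rootdn directives to their unquoted values."""
    found = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in ("suffix", "rootdn"):
            found[parts[0].lower()] = parts[1].strip().strip('"')
    return found


def check(smb_text, slapd_text):
    """Return a list of mismatches between the two files."""
    smb, slapd = parse_smb_conf(smb_text), parse_slapd_conf(slapd_text)
    suffix = norm_dn(slapd.get("suffix", ""))
    idmap_base = norm_dn(smb.get("ldap idmap suffix", "") + ","
                         + smb.get("ldap suffix", ""))
    findings = []
    if not suffix or not ("," + idmap_base).endswith("," + suffix):
        findings.append(f"idmap base '{idmap_base}' is not under slapd suffix '{suffix}'")
    if norm_dn(smb.get("ldap admin dn", "")) != norm_dn(slapd.get("rootdn", "")):
        findings.append("ldap admin dn is not the rootdn, so rootpw is not its password")
    return findings
```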
RE: [Samba] LDAP IDMAP not working
    ;   wins support = yes

    # WINS Server - Tells the NMBD components of Samba to be a WINS Client
    # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
        wins server = 192.168.1.1

    # WINS Proxy - Tells Samba to answer name resolution queries on
    # behalf of a non WINS capable client, for this to work there must be
    # at least one WINS Server on the network. The default is NO.
    ;   wins proxy = yes

    # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
    # via DNS nslookups. The default is NO.
        dns proxy = no

        ldap admin dn = uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
        ldap ssl = off
    ;   ldap suffix = dc=testlan,dc=bbc,dc=co,dc=uk
        winbind separator = +
        winbind cache time = 10
        template shell = /bin/sh
    ;   template homedir = /home/%D/%U
        idmap backend = ldap:ldap://bbcwwp-sun24.testlan.bbc.co.uk:389
        ldap idmap suffix = ou=idmap,dc=testlan,dc=bbc,dc=co,dc=uk
        ldap group suffix = ou=idmap,dc=testlan,dc=bbc,dc=co,dc=uk
        ldap user suffix = ou=idmap,dc=testlan,dc=bbc,dc=co,dc=uk
        ldap machine suffix = ou=idmap,dc=testlan,dc=bbc,dc=co,dc=uk
        idmap uid = 1-2
        idmap gid = 1-2
        winbind enum users = yes
        winbind enum groups = yes

-Original Message-
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
Sent: 10 November 2003 21:35
To: ww m-pubsyssamba
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] LDAP IDMAP not working

On Tue, 2003-11-11 at 00:08, ww m-pubsyssamba wrote:
> Hi all, anyone able to point out why I'm not able to get samba 3.0.0 to update my LDAP server with any idmap data?
>
> I'm using SunOne DS 5.2 LDAP server and the following entries in my smb.conf file,
>
>     ldap admin dn = uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
>     ldap ssl = off
> ;   ldap suffix = dc=testlan,dc=bbc,dc=co,dc=uk ** have tried with this attribute on and off **
>     winbind separator = +
>     winbind cache time = 10
>     template shell = /bin/sh
> ;   template homedir = /home/%D/%U
>     idmap backend = ldap:ldap://bbcwwp-sun24.testlan.bbc.co.uk:389
>     ldap idmap suffix = ou=idmap,dc=testlan,dc=bbc,dc=co,dc=uk
>     ldap group suffix = ou=idmap,dc=testlan,dc=bbc,dc=co,dc=uk
>     ldap user suffix = ou=idmap,dc=testlan,dc=bbc,dc=co,dc=uk
>     ldap machine suffix = ou=idmap,dc=testlan,dc=bbc,dc=co,dc=uk
>     idmap uid = 1-2
>     idmap gid = 1-2
>     winbind enum users = yes
>     winbind enum groups = yes
>
> I've successfully updated the schema with the samba bits and have tested the admin account specified in the smb.conf using ldapsearch. I've created both a root and admin account using smbpasswd with the correct password for the admin account (I wasn't clear which account should be used from the samba documentation).
>
> But my idmap OU is empty, and to be honest I can't even see any attempts to access the LDAP server from its access logs (excepting when testing using ldapsearch).
>
> Any help would be appreciated,

Is that the whole smb.conf?

When Samba is a DC, or a standalone server, it doesn't use IDMAP for local accounts. (Something that changed over the course of the idmap design and implementation)

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Re: [Samba] LDAP IDMAP not working
On Tue, 2003-11-11 at 00:08, ww m-pubsyssamba wrote:
> Hi all, anyone able to point out why I'm not able to get samba 3.0.0 to update my LDAP server with any idmap data?
>
> I'm using SunOne DS 5.2 LDAP server and the following entries in my smb.conf file,
>
>     ldap admin dn = uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
>     ldap ssl = off
> ;   ldap suffix = dc=testlan,dc=bbc,dc=co,dc=uk ** have tried with this attribute on and off **
>     winbind separator = +
>     winbind cache time = 10
>     template shell = /bin/sh
> ;   template homedir = /home/%D/%U
>     idmap backend = ldap:ldap://bbcwwp-sun24.testlan.bbc.co.uk:389
>     ldap idmap suffix = ou=idmap,dc=testlan,dc=bbc,dc=co,dc=uk
>     ldap group suffix = ou=idmap,dc=testlan,dc=bbc,dc=co,dc=uk
>     ldap user suffix = ou=idmap,dc=testlan,dc=bbc,dc=co,dc=uk
>     ldap machine suffix = ou=idmap,dc=testlan,dc=bbc,dc=co,dc=uk
>     idmap uid = 1-2
>     idmap gid = 1-2
>     winbind enum users = yes
>     winbind enum groups = yes
>
> I've successfully updated the schema with the samba bits and have tested the admin account specified in the smb.conf using ldapsearch. I've created both a root and admin account using smbpasswd with the correct password for the admin account (I wasn't clear which account should be used from the samba documentation).
>
> But my idmap OU is empty, and to be honest I can't even see any attempts to access the LDAP server from its access logs (excepting when testing using ldapsearch).
>
> Any help would be appreciated,

Is that the whole smb.conf?

When Samba is a DC, or a standalone server, it doesn't use IDMAP for local accounts. (Something that changed over the course of the idmap design and implementation)

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net