Re: [Samba] ldap idmap backend
It's a known bug https://bugzilla.samba.org/show_bug.cgi?id= fixed in 3.5.8.
Thanks to Christian PERRIER who pointed it out in his announcement.

--
Vladimir Vassiliev

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] ldap idmap backend
Hi all,

I use Samba 3.5.6 in ads mode (Windows 2008R2) with ldap idmap backend. Servers run CentOS 4 and 5.

I can't cope with the following issue for a long time. On all servers in the domain winbind constantly tries to create a mapping for SID-513 and fails because of an already existing entry. It just wastes the gid range.

Note that the SID is not the SID of the main domain but of another one whose name is equal to the hostname. For example on host FMS in domain CORP I have:

    wbinfo --all-domains
    BUILTIN
    FMS
    CORP

    wbinfo -D FMS
    Name : FMS
    Alt_Name :
    SID : S-1-5-21-3830529182-610880034-2098875520
    Active Directory : No
    Native: No
    Primary : No

Here is the log:

    [2011/03/17 15:37:28.387459, 0] winbindd/idmap_ldap.c:1471(idmap_ldap_set_mapping)
      ldap_set_mapping_internals: Failed to add S-1-5-21-3830529182-610880034-2098875520-513 to 20067 mapping [gidNumber]
    [2011/03/17 15:37:28.387538, 0] winbindd/idmap_ldap.c:1473(idmap_ldap_set_mapping)
      ldap_set_mapping_internals: Error was: (Already exists)

Can someone experienced in Samba comment on how to deal with this issue?

Thanks.

--
Vladimir Vassiliev
Re: [Samba] ldap idmap backend
On Thursday, March 17, 2011, Vladimir Vassiliev wrote:
> Hi all,
> I use Samba 3.5.6 in ads mode (Windows 2008R2) with ldap idmap backend. Servers run CentOS 4 and 5.
> I can't cope with the following issue for a long time. On all servers in the domain winbind constantly tries to create a mapping for SID-513 and fails because of an already existing entry. It just wastes the gid range.

I had that problem. In my case, doing an

    ldapsearch -x sambaSID=SID-513

found two idmap entries (in different ou). After I deleted one of them with ldapdelete, it stopped having that error and stopped trying to create new entries.
Re: [Samba] ldap idmap backend
On Thu, Mar 17, 2011 at 04:02:29PM +0300, Vladimir Vassiliev wrote:
> Hi all,
> I use Samba 3.5.6 in ads mode (Windows 2008R2) with ldap idmap backend. Servers run CentOS 4 and 5.
> I can't cope with the following issue for a long time. On all servers in the domain winbind constantly tries to create a mapping for SID-513 and fails because of an already existing entry. It just wastes the gid range.

DOMAIN-SID-513 is the Domain Users group.

> Note that the SID is not the SID of the main domain but of another one whose name is equal to the hostname. For example on host FMS in domain CORP I have:
>
>     wbinfo --all-domains
>     BUILTIN
>     FMS
>     CORP

Why have you created a local computer domain, out of interest? Windows does this, but you don't have to do it with samba. This has been the cause of your problem; winbind is trying to map both CORP-SID-513 and FMS-SID-513 to the same local group.

--
Bruce

Bitterly it mathinketh me, that I spent mine wholle lyf in the lists against the ignorant. -- Roger Bacon, Doctor Mirabilis
Re: [Samba] ldap idmap backend
17.03.2011 16:30, Bruce Richardson wrote:
> DOMAIN-SID-513 is the Domain Users group.
>
>> Note that the SID is not the SID of the main domain but of another one whose name is equal to the hostname. For example on host FMS in domain CORP I have:
>>
>>     wbinfo --all-domains
>>     BUILTIN
>>     FMS
>>     CORP
>
> Why have you created a local computer domain, out of interest?

I didn't do it, Samba did. Really, I dunno how to add an extra domain to Samba. How can I delete this domain?

> Windows does this, but you don't have to do it with samba. This has been the cause of your problem; winbind is trying to map both CORP-SID-513 and FMS-SID-513 to the same local group.

CORP-SID-513 already has its own mapping with gid=10001 but Samba tries to use values 20043 and higher for new mappings.

--
Vladimir Vassiliev
Re: [Samba] ldap idmap backend
17.03.2011 16:27, Frank Mori Hess wrote:
> On Thursday, March 17, 2011, Vladimir Vassiliev wrote:
>> Hi all,
>> I use Samba 3.5.6 in ads mode (Windows 2008R2) with ldap idmap backend. Servers run CentOS 4 and 5.
>> I can't cope with the following issue for a long time. On all servers in the domain winbind constantly tries to create a mapping for SID-513 and fails because of an already existing entry. It just wastes the gid range.
>
> I had that problem. In my case, doing an ldapsearch -x sambaSID=SID-513 found two idmap entries (in different ou). After I deleted one of them with ldapdelete, it stopped having that error and stopped trying to create new entries.

Were these mappings identical or not?

--
Vladimir Vassiliev
Re: [Samba] ldap idmap backend
On Thu, Mar 17, 2011 at 05:06:03PM +0300, Vladimir Vassiliev wrote:
>> Why have you created a local computer domain, out of interest?
>
> I didn't do it, Samba did. Really, I dunno how to add an extra domain to Samba. How can I delete this domain?

Something did it. Was this machine a domain controller before it was joined to the CORP domain? Can you show us the idmap-related section of your samba config?

--
Bruce

Explode!: thousands of lemmings can't be wrong.
Re: [Samba] ldap idmap backend
17.03.2011 17:12, Bruce Richardson wrote:
> On Thu, Mar 17, 2011 at 05:06:03PM +0300, Vladimir Vassiliev wrote:
>>> Why have you created a local computer domain, out of interest?
>>
>> I didn't do it, Samba did. Really, I dunno how to add an extra domain to Samba. How can I delete this domain?
>
> Something did it. Was this machine a domain controller before it was joined to the CORP domain? Can you show us the idmap-related section of your samba config?

This happens with every host I join to the domain, i.e. every host tries to create its own SID-HOST-513.

Whole smb.conf of a newly installed host:

    [global]
    workgroup = CORP
    security = ADS
    realm = CORP.EDU.YAR.RU
    encrypt passwords = yes
    load printers = no
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    idmap uid = 1000-3
    idmap gid = 1000-3
    idmap backend = ldap
    winbind offline logon = yes
    idmap backend = ldap:ldaps://ldap host/
    ldap admin dn = cn=admin,dc=corp,dc=edu,dc=yar,dc=ru
    ldap suffix = dc=corp,dc=edu,dc=yar,dc=ru
    ldap idmap suffix = ou=idmap
    ldap ssl = off

--
Vladimir Vassiliev
Re: [Samba] ldap idmap backend
On Thursday, March 17, 2011, Vladimir Vassiliev wrote:
> 17.03.2011 16:27, Frank Mori Hess wrote:
>> I had that problem. In my case, doing an ldapsearch -x sambaSID=SID-513 found two idmap entries (in different ou). After I deleted one of them with ldapdelete, it stopped having that error and stopped trying to create new entries.
>
> Were these mappings identical or not?

No, one was in dc=blah,... and the other was in ou=Idmap,dc=blah, Also, they mapped to different gid numbers. They just had the same sambaSID. I think the second one got allocated accidentally when I was playing around with ldap suffixes in smb.conf. They corresponded to domain group MYHOSTNAME\None.
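Added example, not part of the original thread: the duplicate check described in the message above (one sambaSID held by two idmap entries that assign different gid numbers), run over LDIF text as `ldapsearch -x -LLL` prints it. The sample entries, DNs, id numbers and function names are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample shaped like `ldapsearch -x -LLL` output; all values invented.
SAMPLE_LDIF = """\
dn: sambaSID=S-1-5-21-1111111111-2222222222-3333333333-513,ou=Idmap,dc=exa
 mple,dc=org
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 20043

dn: sambaSID=S-1-5-21-1111111111-2222222222-3333333333-513,dc=example,dc=org
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 10001

dn: sambaSID=S-1-5-21-1111111111-2222222222-3333333333-1104,ou=Idmap,dc=example,dc=org
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1104
uidNumber: 10050
"""

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry; handles folded lines and base64."""
    # A folded LDIF line continues on the next line after a single leading space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                if value.startswith(":"):  # "attr:: <base64 value>"
                    value = base64.b64decode(value[1:]).decode("utf-8", "replace")
                entry[attr.lower()].append(value.strip())
        if "dn" in entry:
            yield entry

def duplicate_sid_mappings(text):
    """Return {sid: [(dn, uid, gid), ...]} for SIDs held by more than one entry."""
    by_sid = defaultdict(list)
    for entry in parse_ldif(text):
        uid, gid = (int(entry[k][0]) if k in entry else None
                    for k in ("uidnumber", "gidnumber"))
        for sid in entry.get("sambasid", []):
            by_sid[sid].append((entry["dn"][0], uid, gid))
    return {sid: maps for sid, maps in by_sid.items() if len(maps) > 1}

def has_conflict(maps):  # True when the duplicates assign different Unix ids
    return len({m[1:] for m in maps}) > 1

if __name__ == "__main__":
    for sid, maps in duplicate_sid_mappings(SAMPLE_LDIF).items():
        print(sid, "CONFLICT" if has_conflict(maps) else "duplicate", maps)
```

Searching from the top-level suffix rather than from the idmap OU is what lets the check see entries that ended up in different subtrees.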
[Samba] ldap idmap backend doesn't work
Hi,

I've got a problem with the ldap idmap backend capability. I've integrated a Fedora Core 3 box with samba 3.0.10 in an Active Directory 2003 domain. WinBind works correctly with the tdb backend but I have some troubles with the ldap functionality.

I've modified my smb.conf file to use my OpenLDAP server to stock the maps.

smb.conf:

    idmap backend = ldap:ldap://fedogat.vdp.mdp
    ldap idmap suffix = ou=idmap,dc=vdp,dc=mdp
    ldap admin dn = cn=manager,dc=vdp,dc=mdp

At the same time, I've created the admin dn password with:

    smbpasswd -w secret

I've configured my OpenLDAP server:

1. Configure the slapd.conf file (include samba.schema; dc=vdp,dc=mdp; rootpw)
2. Create the manager object and the idmap organizational unit

The OpenLDAP server is launched with the following command:

    slapd -f /etc/openldap/slapd.conf -u ldap

The /var/lib/ldap dir is owned by the ldap local user.

But when I start the winbindd daemon with the next command:

    winbindd -F -S -d 10

I can see that the connection to the ldap server is successful, but afterwards I get the "idmap_init: failed to initialize remote backend!" error message.

Perhaps I forgot a stage in my configuration process. If someone can help me or redirect me towards a good tutorial to implement the ldap idmap backend.

Regards
[Samba] LDAP idmap backend
I've been trying to get an idmap backend working in an ldap database (I know, not really a database). I think I got most of it worked out, but I'm having a problem getting samba to bind to the ldap server.

My smb.conf says (just the important stuff, with my domain taken out because I'm paranoid):

    idmap backend = ldap:ldap://ldapserver.subdomain.domain.com:389
    ldap suffix = dc=mnelabs,dc=mne,dc=psu,dc=edu
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=Manager,dc=subdomain,dc=domain,dc=com

My slapd.conf says:

    suffix dc=subdomain,dc=domain,dc=com
    rootdn cn=Manager,dc=subdomain,dc=domain,dc=com
    rootpw long-encrypted-password starting with {SSHA}

I ran slappasswd and entered my password, and it gave me the rootpw. I ran smbpasswd -w and used the same password as the slappasswd, and it said it set the stored password in secrets.tdb.

Now, when I restart winbind, the log says:

    [2004/06/16 10:51:52, 0] lib/smbldap.c:smbldap_connect_system(798)
      failed to bind to server with dn= cn=Manager,dc=subdomain,dc=domain,dc=com Error: Invalid credentials

I'm not sure what the problem is, or how to fix it... I'm brand new to ldap, but have been working with Samba for a while.

Shannon

Shannon Johnson
Network Support Specialist / Systems Administrator
Dept. of Mechanical and Nuclear Engineering
224 Reber Building
University Park, PA 16802
Phone: (814) 865-8267