Re: ApacheDS and Samba

2011-04-24 Thread Jeffrey Reynolds
This has taken a longer time to write than I wanted, but I had to let 
everyone know that so far, this seems to have corrected the issue.  I have 
downloaded the source, recreated the directory structure of the jdbmstore 
component, compiled it with Maven (mvn doesn't seem to be in the CentOS 
repos but it was easy enough to just download and configure), and recompiled 
that component after correcting the bug.  It wasn't 100% clear, but just 
changing one word from remove to add seems to have done the trick. 
After that, I shut down Apache DS, replaced the .jar file, restarted, and now 
newly added objectClasses can be referenced by ldapsearches.  One other 
point, I have a ton of users to sync NT passwords with userPasswords.  I 
used a combination of the Self Serve Password tool from the LDAP Toolbox, and a 
binary that creates the hashes for NT passwords.


You see, one issue I was having was that Samba wanted to use sambaNTPassword 
to authenticate users.  I didn't want to have people maintain two separate 
passwords, and SSP can be used to change both at the same time. 
Unfortunately, SSP uses an out-of-date method to generate the hash, so I had 
to integrate another program (mkntpwd) to generate the NT password from the 
user input and save it as the appropriate field.  Sorry I can't go into more 
detail, but after a bit of googling PHP I'm sure most people should be able 
to put together a working solution!


-Cheers

Jeff


- Original Message - 
From: Stefan Seelmann seelm...@apache.org

To: users@directory.apache.org
Sent: Sunday, April 17, 2011 6:02 PM
Subject: Re: ApacheDS and Samba


On Mon, Apr 18, 2011 at 12:36 AM, Jeffrey Reynolds
jeffrey.james.reyno...@gmail.com wrote:
Yep, it looks like this is a bug with 1.5.7, and the export import
maneuver would work, but it would also be a serious pain in the butt and
not something I want to try with a production system. My question is,
what is the easiest way to upgrade to the latest trunk with an active
system? Should I recompile the class that had issues, and slide it into
place on my installation? And if so what are the compilation options and
procedures that need to be followed? Or can I just do an svn update from
somewhere that will put me up to the latest code revision?


As you are using 1.5.7 you could
- checkout the jdbm-store project from the tag [1]
- fix the bug in
src/main/java/org/apache/directory/server/core/partition/impl/btree/jdbm/JdbmStore.java
- run a mvn clean package
- target/apacheds-jdbm-store-1.5.7.jar is the fixed Jar, copy it to
your installation directory

Kind Regards,
Stefan

[1] http://svn.apache.org/repos/asf/directory/apacheds/tags/1.5.7/jdbm-store



Re: ApacheDS and Samba

2011-04-17 Thread Emmanuel Lécharny

On 4/17/11 5:42 AM, Jeffrey Reynolds wrote:
Just a few things.  Wiki page?  Excellent idea.  If I ever get this 
working I'll try to throw it together over a weekend.  There are a few 
more issues, the samba schema is missing a few more attributes, and 
seems like it needs an overhaul anyway. 


Yeah, we don't maintain the samba schema. It keeps evolving over 
time. It would be good to update it with the latest version in the next 
ADS release.
I'm wondering if it's planned to be updated in version 2.0. 


We can do that, of course.
Anyway, those items seem inconsequential enough, they just limit a bit of 
functionality.  Anyway, the biggest problem is that this is what my 
issue appears to be.  Once an object is created with a given set of 
objectClasses, it can only be referenced by those object classes.  For 
example, I created an inetOrgPerson, which also includes the 
organizationalPerson, person, and top objectClasses.  If I run 
ldapsearch looking for any one of those objectClasses, I can find that 
entry.  Later I can add another objectClass to the entry, say 
posixAccount, but ldapsearch returns nothing for that entry when 
searching for the objectClass=posixAccount attribute.  However, if I 
create an object that has all five objectClasses, then searching for 
any of them will return a result.

I have seen your JIRA for this one, and replied to it.

Sounds like a bug in the way we update the index in 1.5.7. Can you try to 
extract all your objects, and reinject them ?


We are going to check this in trunk, as it has evolved a lot since 1.5.7...

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
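The symptom Jeff describes above (an objectClass added by a later modify is on the entry but invisible to an objectClass= search) and the one-word remove/add fix he reports in his 24 April message, as an added illustration. This is a toy in-memory partition written for this page, not ApacheDS's JdbmStore; the buggy branch only models the shape of the mistake, and the DN and attribute values are constructed.

```python
"""Toy model of an LDAP partition with an equality index, showing how an
index update that goes the wrong way hides an entry from filtered searches
while a full scan still finds it. Added illustration, not ApacheDS code."""
from collections import defaultdict


class ToyPartition:
    """Entries keyed by DN plus a per-attribute equality index mapping
    (attribute, normalised value) -> set of DNs, like a JDBM attribute index."""

    def __init__(self, indexed_attrs=("objectClass", "uid")):
        self.entries = {}                        # dn -> {attr: set(values)}
        self.indexed = {a.lower() for a in indexed_attrs}
        self.index = defaultdict(set)            # (attr, value) -> {dn}

    @staticmethod
    def _norm(value):
        return value.lower()                     # caseIgnoreMatch-style

    def add(self, dn, attrs):
        """LDAP add: store the entry and index every value of indexed attrs."""
        entry = {}
        for attr, values in attrs.items():
            attr = attr.lower()
            entry[attr] = set(values)
            if attr in self.indexed:
                for v in values:
                    self.index[(attr, self._norm(v))].add(dn)
        self.entries[dn] = entry

    def modify_add(self, dn, attr, values, buggy=False):
        """LDAP modify/add. buggy=True models the kind of slip the thread
        reports fixing by changing one word (remove -> add): the entry gets
        the value, but the index update goes the wrong way."""
        attr = attr.lower()
        self.entries[dn].setdefault(attr, set()).update(values)
        if attr in self.indexed:
            for v in values:
                key = (attr, self._norm(v))
                if buggy:
                    self.index[key].discard(dn)  # wrong direction
                else:
                    self.index[key].add(dn)

    def search_eq(self, attr, value):
        """(attr=value) answered from the index, as a server would."""
        return set(self.index.get((attr.lower(), self._norm(value)), ()))

    def scan_eq(self, attr, value):
        """Same filter by reading every entry: what the index should return."""
        attr, want = attr.lower(), self._norm(value)
        return {dn for dn, e in self.entries.items()
                if any(self._norm(v) == want for v in e.get(attr, ()))}

    def index_inconsistencies(self):
        """(attr, value, dn) triples where index and full scan disagree."""
        keys = set(self.index)
        for e in self.entries.values():
            for attr in self.indexed:
                keys.update((attr, self._norm(v)) for v in e.get(attr, ()))
        return sorted((attr, v, dn) for attr, v in keys
                      for dn in self.search_eq(attr, v) ^ self.scan_eq(attr, v))

    def rebuild_index(self):
        """What an export/re-import achieves: indexes rebuilt from the entries."""
        self.index.clear()
        for dn, e in self.entries.items():
            for attr in self.indexed:
                for v in e.get(attr, ()):
                    self.index[(attr, self._norm(v))].add(dn)


USER_DN = "uid=user,ou=People,dc=mydomain,dc=com"   # constructed, as in the thread


def reproduce(buggy):
    """Create an inetOrgPerson, then modify-add posixAccount and sambaSamAccount."""
    p = ToyPartition()
    p.add(USER_DN, {"uid": ["user"],
                    "objectClass": ["top", "person", "organizationalPerson",
                                    "inetOrgPerson"]})
    p.modify_add(USER_DN, "objectClass", ["posixAccount", "sambaSamAccount"],
                 buggy=buggy)
    return p


if __name__ == "__main__":
    bad = reproduce(buggy=True)
    print("found via index:", bad.search_eq("objectClass", "sambaSamAccount"))
    print("found via scan: ", bad.scan_eq("objectClass", "sambaSamAccount"))
    print("inconsistencies:", bad.index_inconsistencies())
    bad.rebuild_index()
    print("after rebuild:  ", bad.index_inconsistencies())
```

Against a real server the same consistency check is two searches per value: the filtered search (objectClass=X) versus a base-scope read of each entry's objectClass attribute, comparing the two DN sets. Samba's failed login in this thread is exactly the first case, since its lookup filter includes objectClass=sambaSamAccount and is answered from the index.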



Re: ApacheDS and Samba

2011-04-17 Thread Emmanuel Lécharny

On 4/17/11 5:52 AM, Jeffrey Reynolds wrote:
Oh, one other thing, I'm not sure if it's a performance issue since I 
am running Apache DS in a VM, but whenever I go to full debug mode for 
logging, the server crashes (i.e. Apache DS stops running), and it seems 
that anything less does not yield any relevant log info in 
apache-rolling.log


Strange... Another JIRA ?

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com



Re: ApacheDS and Samba

2011-04-17 Thread Jeffrey Reynolds
Yep, it looks like this is a bug with 1.5.7, and the export import maneuver 
would work, but it would also be a serious pain in the butt and not 
something I want to try with a production system.  My question is, what is 
the easiest way to upgrade to the latest trunk with an active system? 
Should I recompile the class that had issues, and slide it into place on my 
installation?  And if so what are the compilation options and procedures that 
need to be followed?  Or can I just do an svn update from somewhere that will 
put me up to the latest code revision?  This is probably a simple question, 
and I apologize for the constant pestering.  Both Emmanuel and Stefan have 
been awesome during this whole ordeal and my hat's off to you guys.


- Jeff



On 4/17/11 5:42 AM, Jeffrey Reynolds wrote:
Just a few things.  Wiki page?  Excellent idea.  If I ever get this 
working I'll try to throw it together over a weekend.  There are a few 
more issues, the samba schema is missing a few more attributes, and seems 
like it needs an overhaul anyway.


Yeah, we don't maintain the samba schema. It keeps evolving over time. 
It would be good to update it with the latest version in the next ADS 
release.

I'm wondering if it's planned to be updated in version 2.0.


We can do that, of course.
Anyway, those items seem inconsequential enough, they just limit a bit of 
functionality.  Anyway, the biggest problem is that this is what my issue 
appears to be.  Once an object is created with a given set of 
objectClasses, it can only be referenced by those object classes.  For 
example, I created an inetOrgPerson, which also includes the 
organizationalPerson, person, and top objectClasses.  If I run ldapsearch 
looking for any one of those objectClasses, I can find that entry.  Later 
I can add another objectClass to the entry, say posixAccount, but 
ldapsearch returns nothing for that entry when searching for the 
objectClass=posixAccount attribute.  However, if I create an object 
that has all five objectClasses, then searching for any of them will 
return a result.

I have seen your JIRA for this one, and replied to it.

Sounds like a bug in the way we update the index in 1.5.7. Can you try to 
extract all your objects, and reinject them ?


We are going to check this in trunk, as it has evolved a lot since 
1.5.7...


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com






Re: ApacheDS and Samba

2011-04-17 Thread Stefan Seelmann
On Mon, Apr 18, 2011 at 12:36 AM, Jeffrey Reynolds
jeffrey.james.reyno...@gmail.com wrote:
 Yep, it looks like this is a bug with 1.5.7, and the export import maneuver
 would work, but it would also be a serious pain in the butt and not
 something I want to try with a production system.  My question is, what is
 the easiest way to upgrade to the latest trunk with an active system?
 Should I recompile the class that had issues, and slide it into place on my
 installation?  And if so what are the compilation options and procedures that
 need to be followed?  Or can I just do an svn update from somewhere that will
 put me up to the latest code revision?

As you are using 1.5.7 you could
- checkout the jdbm-store project from the tag [1]
- fix the bug in
src/main/java/org/apache/directory/server/core/partition/impl/btree/jdbm/JdbmStore.java
- run a mvn clean package
- target/apacheds-jdbm-store-1.5.7.jar is the fixed Jar, copy it to
your installation directory

Kind Regards,
Stefan

[1] http://svn.apache.org/repos/asf/directory/apacheds/tags/1.5.7/jdbm-store


Re: ApacheDS and Samba

2011-04-16 Thread Jeffrey Reynolds
Oh, one other thing, I'm not sure if it's a performance issue since I am 
running Apache DS in a VM, but whenever I go to full debug mode for logging, 
the server crashes (i.e. Apache DS stops running), and it seems that anything 
less does not yield any relevant log info in apache-rolling.log


-Jeff 



Re: ApacheDS and Samba

2011-04-15 Thread Emmanuel Lecharny

On 4/15/11 1:49 AM, Jeffrey Reynolds wrote:

snip/


It wasn't until I fired up Wireshark that I saw my real problem.  By the way, 
Wireshark is one of the single best utilities for diagnosing network 
communication problems, my hat's off to those guys.

+1 !

  Anyway, I was watching the packet flow between Samba and LDAP, and after a bit of this activity, I saw that 
Samba was in fact asking for my uid from the LDAP server.  Samba uses two filters to ask for a user account, 
it filters users by uid=user and objectclass=sambaSamAccount.  Applying those two 
filters, it did not find uid=user.

(&(uid=xxx)(objectClass=sambaSamAccount)) ?


So I used ldapsearch to run my own search.  When I search for uid=user, it 
came back without issue,

Does the entry contain objectClass=sambaSamAccount ?


but adding the objectClass=sambaSamAccount filter it returned nothing.  I double checked directory studio, and sure enough, 
uid=user has the objectClass=sambaSamAccount attribute.  So I searched for any objects that had the 
objectClass=sambaSamAccount inside my user group.  I found that both uid=root and uid=nobody had this 
attribute and were returned by the search.  So I thought, what happens when I try to access Samba using the root account?  I opened up 
Explorer, used the root account and password I set up during smbldap-populate, and BLAM.  Access to the share.  I checked the Apache DS 
logs later and found references to another missing and ignored attribute, sambaMaxPwdAge, but now I believe that the missing 
attributes were simply just red herrings.

Just one important thing to understand :
- adding a new attribute to an objectclass will *not* modify the 
existing entries by adding some values into those entries. You have to 
update all of them accordingly to the modified schema. That means you 
have to do a LDAP modify which adds the newly added AT with a value to 
all the entries.


It's like if you have added a new column in an existing table in a data 
base, the existing rows will not magically set some value in this column.



So I'm left with two questions, why can't Apache DS add the new attribute but 
LAM can (both use the same admin dn)?

I think Stefan replied. Bug in Studio. Refresh the connection works.


And the big one, the $64,000 question, why does Apache DS return 2 uids when searching for 
objectClass=sambaSamAccount, but doesn't return my user accounts, when the 
objectClass=sambaSamAccount attribute is present in all of them?
One more question : did you restart the server after all those 
modifications ?


Also what would be cool is to activate the logs on the server and do a 
session where you try to log in with root and with your user. We can analyse the 
logs if you send them to us (botch the password before !). You can even 
send them to me if you don't want any confidential info to be shared on 
the web.


Be aware that logs can be *very* verbose (debug mode).

At the  end, when it'll work, I think we would have to create some wiki 
page explaining all this painful process...


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com



Re: ApacheDS and Samba

2011-04-14 Thread Jeffrey Reynolds
Ok,
 

Using Apache Directory Studio, it was very easy to create schema attributes. 
I created a sambaPwdHistoryLength attribute with a new OID (just added one to 
the last number of the other samba attributes), and then I opened the 
objectClasses container to add my new attribute to the sambaDomain object.  
After going through some Googling, I understand now that ApacheDS doesn't use 
actual schema files, but all schema information is held in metadata inside the 
partition directory (which for me is /var/lib/apacheds/default/partitions).  
However, even though I have added the attribute definition to the schema, and 
added the attribute as an m-may value under the sambaDomain object class, I 
still can't add a sambaPwdHistoryLength value under my sambaDomain object.  
I've tried deleting the object and remaking it and restarting the ApacheDS 
service.  Is there anywhere else that I have to specify this attribute, or any 
other configuration to undergo?

 

Thanks for any information, and thanks to Emmanuel for the quick response. -Jeff

Re: ApacheDS and Samba

2011-04-14 Thread Emmanuel Lecharny

On 4/14/11 10:38 PM, Jeffrey Reynolds wrote:

Ok,


Using Apache Directory Studio, it was very easy to create schema attributes. 
I created a sambaPwdHistoryLength attribute with a new OID (just added one to 
the last number of the other samba attributes), and then I opened the 
objectClasses container to add my new attribute to the sambaDomain object.  
After going through some Googling, I understand now that ApacheDS doesn't use 
actual schema files, but all schema information is held in metadata inside the 
partition directory (which for me is /var/lib/apacheds/default/partitions).  
However, even though I have added the attribute definition to the schema, and 
added the attribute as an m-may value under the sambaDomain object class, I 
still can't add a sambaPwdHistoryLength value under my sambaDomain object.  
I've tried deleting the object and remaking it and restarting the ApacheDS 
service.  Is there anywhere else that I have to specify this attribute, or any 
other configuration to undergo?

It's quite simple. Let me explain:

1) You first have to add your AT :
- go to ou=schema, (not cn, ou),
- go to cn=samba
- go to ou=attributes
- right click on the entry, select New -> New Entry -> Use existing 
entry as template

- browse to pick one entry as a template
- change the m-oid, then all the other attributes, to get the 
definition of the sambaPwdHistoryLength AT :


attributeTypes: ( 1.3.6.1.4.1.7165.2.1.59
 NAME 'sambaPwdHistoryLength'
 DESC 'Length of Password History Entries (default: 0 => off)'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )

- save it.

You'll see the AT in the list.
2) Modify the ObjectClass to add the newly added AT
3) once done, there is one extra necessary step : you have to enable the 
NIS schema

- select the cn=nis,ou=schema entry
- modify the DISABLE=TRUE attribute value to FALSE
4) Now, you can do the same thing for the Samba schema (i.e., modify the 
DISABLE=TRUE Attribute)
5) Just disconnect and reconnect (this is necessary in Studio to be able 
to see the modification in cn=schema)

6) Last, not least, stop and restart your server.


You are all set !



--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
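The six steps above done as LDIF instead of Studio clicks, plus the per-entry backfill Emmanuel points out in his 15 April reply (a new attribute in the schema never populates existing entries by itself), as an added example. This is not ApacheDS or Studio code. Assumptions to verify against your own server (for instance with ldapsearch -x -b ou=schema): the ApacheDS meta-schema names used here (ou=attributeTypes and ou=objectClasses under cn=samba,ou=schema, objectClass metaAttributeType, m-oid, m-name, m-description, m-equality, m-ordering, m-substr, m-syntax, m-singleValue, m-obsolete, m-may, m-disabled), the sambaDomain objectClass OID taken from samba.schema, and the constructed domain DN in the usage block.

```python
"""Turn an RFC 4512 attributeTypes definition (the form quoted above from
samba.schema) into ApacheDS 1.5.x schema-partition LDIF, then emit the
follow-up modifies: m-may on the objectClass, m-disabled on the schemas,
and a backfill modify for entries that already exist.
Added example, not ApacheDS or Studio code; meta-schema names are assumed."""
import re

SAMBA_PWD_HISTORY_LENGTH = """( 1.3.6.1.4.1.7165.2.1.59
 NAME 'sambaPwdHistoryLength'
 DESC 'Length of Password History Entries (default: 0 => off)'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )"""

SAMBA_DOMAIN_OC_OID = "1.3.6.1.4.1.7165.2.2.5"   # assumed from samba.schema; verify


def parse_attribute_type(definition: str) -> dict:
    """Minimal parser for the attributeTypes description syntax."""
    text = " ".join(definition.split())             # fold continuation lines
    m = re.match(r"\(\s*([\d.]+)\s+(.*)\)\s*$", text)
    if not m:
        raise ValueError("not an attributeTypes description")
    oid, body = m.groups()
    at = {"oid": oid, "names": [], "desc": None}
    name = re.search(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))", body)
    if name:
        at["names"] = ([name.group(1)] if name.group(1) is not None
                       else re.findall(r"'([^']*)'", name.group(2)))
    desc = re.search(r"\bDESC\s+'([^']*)'", body)
    if desc:
        at["desc"] = desc.group(1)
    for kw, field in (("EQUALITY", "equality"), ("ORDERING", "ordering"),
                      ("SUBSTR", "substr"), ("SUP", "sup")):
        found = re.search(rf"\b{kw}\s+([\w.-]+)", body)
        at[field] = found.group(1) if found else None
    syn = re.search(r"\bSYNTAX\s+([\d.]+)(?:\{(\d+)\})?", body)
    at["syntax"] = syn.group(1) if syn else None
    at["single_value"] = bool(re.search(r"\bSINGLE-VALUE\b", body))
    at["obsolete"] = bool(re.search(r"\bOBSOLETE\b", body))
    return at


def attribute_type_ldif(at: dict, schema: str) -> str:
    """Step 1: the schema-partition entry describing the attribute type."""
    dn = f"m-oid={at['oid']},ou=attributeTypes,cn={schema},ou=schema"
    lines = [f"dn: {dn}", "changetype: add", "objectClass: metaAttributeType",
             "objectClass: metaTop", "objectClass: top", f"m-oid: {at['oid']}"]
    lines += [f"m-name: {n}" for n in at["names"]]
    if at["desc"]:
        lines.append(f"m-description: {at['desc']}")
    for field, meta in (("equality", "m-equality"), ("ordering", "m-ordering"),
                        ("substr", "m-substr"), ("syntax", "m-syntax")):
        if at.get(field):
            lines.append(f"{meta}: {at[field]}")
    if at["single_value"]:
        lines.append("m-singleValue: TRUE")
    if at["obsolete"]:
        lines.append("m-obsolete: TRUE")
    return "\n".join(lines) + "\n"


def add_may_ldif(oc_oid: str, schema: str, attr_name: str) -> str:
    """Step 2: allow the attribute on the objectClass (m-may)."""
    return (f"dn: m-oid={oc_oid},ou=objectClasses,cn={schema},ou=schema\n"
            f"changetype: modify\nadd: m-may\nm-may: {attr_name}\n")


def enable_schema_ldif(schema: str) -> str:
    """Steps 3 and 4: clear the schema's disabled flag (nis, then samba)."""
    return (f"dn: cn={schema},ou=schema\nchangetype: modify\n"
            "replace: m-disabled\nm-disabled: FALSE\n")


def backfill_ldif(dns, attr_name: str, value) -> str:
    """One modify per existing entry: the schema change alone adds nothing
    to entries that were created before it."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\n"
                     f"add: {attr_name}\n{attr_name}: {value}\n" for dn in dns)


if __name__ == "__main__":
    at = parse_attribute_type(SAMBA_PWD_HISTORY_LENGTH)
    # feed each piece to ldapmodify (ApacheDS defaults assumed):
    #   ldapmodify -x -H ldap://localhost:10389 -D uid=admin,ou=system -W
    print(attribute_type_ldif(at, "samba"))
    print(add_may_ldif(SAMBA_DOMAIN_OC_OID, "samba", at["names"][0]))
    print(enable_schema_ldif("nis"), enable_schema_ldif("samba"), sep="\n")
    print(backfill_ldif(["sambaDomainName=MYDOMAIN,dc=mydomain,dc=com"],  # constructed
                        at["names"][0], 0))
```

Step 6 (restart the server) still applies after loading the LDIF, and Studio needs its schema cache reloaded as Stefan notes further down. Apply the pieces in the order printed: the attribute type must exist before the m-may modify references it, and the backfill only succeeds once the objectClass allows the attribute.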




Re: ApacheDS and Samba

2011-04-14 Thread Jeffrey Reynolds


Ok, I apologize in advance for the long winded story here, but this might get a 
little lengthy.

 

First of all, thanks again Emmanuel for your response.  Here is a bit more of 
what I've done and tried to do in depth.  Before posting I should have 
mentioned that the Samba and NIS schemas were enabled.  Prior posts to the 
mailing list helped me with that months ago (it's only been just now that I've 
had time to revisit this little science experiment).  Anyway, I initially added 
the AT to ou=attributes, but I had botched the OID and EQUALITY values.  They 
were just corrected, and thanks for posting the information for that.  
Afterwards, I added the AT to the sambaDomain object class, restarted Directory 
Studio, and I could not add a sambaPwdHistoryLength value to my domain object, 
in Directory Studio that is.

 

I opened up my other LDAP configuration manager, LDAP Account Manager (LAM), 
and I was able to add the sambaPwdHistoryLength attribute to my domain without 
any issue.  Now when I open Directory Studio back up, I can see the value there 
but it's in italics.  I cannot add a second value, or add the attribute to a 
newly created domain.  Again, though, LAM seems to do this without issue.  
However, I tried to connect to Samba via LDAP, and still no success.  And no, 
there was no error indicating missing and ignored attributes.

 

It wasn't until I fired up Wireshark that I saw my real problem.  By the way, 
Wireshark is one of the single best utilities for diagnosing network 
communication problems, my hat's off to those guys.  Anyway, I was watching the 
packet flow between Samba and LDAP, and after a bit of this activity, I saw 
that Samba was in fact asking for my uid from the LDAP server.  Samba uses two 
filters to ask for a user account, it filters users by uid=user and 
objectclass=sambaSamAccount.  Applying those two filters, it did not find 
uid=user.

 

So I used ldapsearch to run my own search.  When I search for uid=user, it 
came back without issue, but adding the objectClass=sambaSamAccount filter it 
returned nothing.  I double checked Directory Studio, and sure enough, uid=user 
has the objectClass=sambaSamAccount attribute.  So I searched for any objects 
that had the objectClass=sambaSamAccount inside my user group.  I found that 
both uid=root and uid=nobody had this attribute and were returned by the 
search.  So I thought, what happens when I try to access Samba using the root 
account?  I opened up Explorer, used the root account and password I set up 
during smbldap-populate, and BLAM.  Access to the share.  I checked the Apache 
DS logs later and found references to another missing and ignored attribute, 
sambaMaxPwdAge, but now I believe that the missing attributes were simply 
just red herrings.

 

So I'm left with two questions, why can't Apache DS add the new attribute but 
LAM can (both use the same admin dn)?  And the big one, the $64,000 question, 
why does Apache DS return 2 uids when searching for 
objectClass=sambaSamAccount, but doesn't return my user accounts, when the 
objectClass=sambaSamAccount attribute is present in all of them?

 

A little more information, the root and nobody accounts were created when the 
smbldap-populate command was run, and the user accounts were created with 
smbldap-useradd -a user.  Here is a printout of the information that 
ldapsearch returns for both accounts:

 

dn: uid=root,ou=People,dc=mydomain,dc=com
uid: root
sn: root
sambaNTPassword: 
sambaAcctFlags: [U]
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: top
loginshell: /bin/false
cn: root
uidnumber: 0
homedirectory: /home/root
sambalogofftime: 2147483647
userPassword:: 
sambaPwdMustChange: 1306701193
shadowLastChange: 15078
gidnumber: 0
sambakickofftime: 2147483647
sambaprimarygroupsid: S-1-5-21-3758697847-7384960784-35657434567-512
sambaPwdLastSet: 1302813193
sambasid: S-1-5-21-3758697847-7384960784-35657434567-500
sambaLMPassword: 
shadowMax: 45
sambalogontime: 0
gecos: Netbios Domain Administrator
sambapwdcanchange: 0

dn: uid=user,ou=People,dc=mydomain,dc=com
uid: user
sn: user
sambaNTPassword: XXX
sambaAcctFlags: [UX]
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: top
displayName: user
givenname: user
uidnumber: 3
loginshell: /bin/bash
cn: user
homedirectory: /home/user
sambaLogoffTime: 2147483647
userPassword:: XX
sambaPwdMustChange: 2147483647
shadowLastChange: 15078
gidnumber: 513
sambaKickoffTime: 2147483647
sambaPwdLastSet: 0
sambaPrimaryGroupSID: 

Re: ApacheDS and Samba

2011-04-14 Thread Stefan Seelmann
On Fri, Apr 15, 2011 at 1:49 AM, Jeffrey Reynolds
jeffrey.james.reyno...@gmail.com wrote:

 So I'm left with two questions, why can't Apache DS add the new attribute but 
 LAM can (both use the same admin dn)?

I'll just answer the one question: I'm afraid the problem is that Studio
caches the schema it retrieved from the server. In theory the
modifyTimestamp of the subschemaSubentry is used to decide if a reload is
required. But there are so many reports that it's clear that this
isn't working well. To fix that you can always reload the schema
manually, e.g. in the connection properties [1].

HTH,
Stefan


[1] 
http://directory.apache.org/studio/static/users_guide/ldap_browser/tools_connection_properties.html#tools_connection_properties_schema