Hi All,

I'm in the process of setting up samba with ldap and winbind and haven't been able to find an article anywhere on how to do this. I've managed to trawl together everything except the directory setup. I'm stuck on what I need to add into the directory (ldif files) to make it all go. I've included the steps I took, so hopefully it'll be easy to spot what needs doing. Here is where I'm up to so far, and below are the errors I'm getting.

1. System is Gentoo Linux with openldap 2.1.30, samba 3.0.5. Working to an AD system on a Windows 2003 server.

   [1a. Set up a working winbind system prior to adding LDAP to the mix, then deleted /etc/samba/secrets.tdb and /var/cache/samba/*.tdb and ran "net ads leave"]

2. /etc/slapd.conf. No openldap ACLs are defined as Winbind accesses the directory as root (I can tie it down later). Also, I haven't included the indexes for brevity.

   include /etc/openldap/schema/core.schema
   include /etc/openldap/schema/cosine.schema
   include /etc/openldap/schema/inetorgperson.schema
   include /etc/openldap/schema/nis.schema
   include /etc/openldap/schema/samba.schema

   database bdb
   suffix "dc=abc,dc=local"
   rootdn "cn=Manager,dc=abc,dc=local"
   rootpw <password>

3. smbpasswd -w <password>

4. Edited ldap.conf

   host 127.0.0.1
   base dc=abc,dc=local
   binddn cn=Manager,dc=abc,dc=local
   bindpw <password>
   pam_password exop
   ssl no

5. Edited smb.conf and added

   idmap backend = ldap:ldap://127.0.0.1
   ldap suffix = "dc=abc,dc=local"
   ldap idmap suffix = ou=idmap
   ldap admin dn = "cn=Manager,dc=abc,dc=local"

7. net ads join -U administrator ---> result was joined to the domain successfully

8. wbinfo -u and wbinfo -g work successfully

9. getent passwd and getent groups don't show domain accounts.

---------------------------------------------------------------------------

The winbind idmaps aren't being written to the directory

1. slapcat shows nothing at all

2. tail /var/log/syslog

   Oct 18 18:53:58 fluoron slapd[2030]: do_search: invalid dn(ou=idmap,"dc=abc,dc=local")
   Oct 18 18:53:58 fluoron slapd[2030]: conn=4 op=842 RESULT tag=101 err=34 text=invalid DN
   Oct 18 18:53:58 fluoron slapd[2030]: do_search: invalid dn (ou=idmap,"dc=abc,dc=local")
   Oct 18 18:53:58 fluoron slapd[2030]: conn=4 op=843 RESULT tag=101 err=34 text=invalid DN
   Oct 18 18:53:58 fluoron slapd[2030]: do_search: invalid dn (ou=idmap,"dc=abc,dc=local")

3. tail /var/log/samba/log/smbd

   [2004/10/18 18:53:58, 1] nsswitch/winbindd_user.c:winbindd_getpwent(571)
     could not lookup domain user jack
   [2004/10/18 18:53:58, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
     error getting user id for sid S-1-5-21-1949245599-2602856593-3224012141-4049
   [2004/10/18 18:53:58, 1] nsswitch/winbindd_user.c:winbindd_getpwent(571)
     could not lookup domain user jill
   [2004/10/18 18:53:58, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
     error getting user id for sid S-1-5-21-1949245599-2602856593-3224012141-4052

-----------------------------------------------------------------------------

I figured it needs some structure there and tried this...

$> cat idmap.ldif
dn: ou=Idmap,dc=abc,dc=local
objectClass: organizationalUnit
ou: idmap

$> ldapadd -x -D "cn=Manager,dc=abc,dc=local" -W < /etc/openldap/idmap.ldif
Enter LDAP Password:
adding new entry "ou=Idmap,dc=abc,dc=local"
ldapadd: update failed: ou=Idmap,dc=abc,dc=local
ldap_add: Constraint violation (19)
        additional info: structuralObjectClass: no user modification allowed
structuralObjectClass: organizationalUnit

-------------------------------------

Help would be really appreciated.

Thank you
Cheers
Stephen
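The slapd log above rejects the search base `ou=idmap,"dc=abc,dc=local"` with err=34 (invalid DN). As an added illustration, not part of the original post or of Samba's own code, the script below builds that base the way the posted smb.conf values combine (`ldap idmap suffix` + "," + `ldap suffix`, with smb.conf keeping surrounding quotes as part of the value) and checks the result against the RFC 4514 DN syntax; the sample config strings are constructed.

```python
"""Compose winbind's LDAP idmap search base from smb.conf values and
validate it as an RFC 4514 distinguished name (added example)."""
import re
from typing import Dict, List

# Attribute type: a descriptor (letters, digits, hyphen) or a dotted OID.
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")
# Characters that must be backslash-escaped inside a value (RFC 4514 2.4).
_UNESCAPED_SPECIAL = re.compile(r'(?<!\\)["+,;<>]')


def split_unescaped(s: str, sep: str) -> List[str]:
    """Split on sep while honouring backslash escapes (e.g. 'Smith\\, John')."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep escape pair intact
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def dn_is_valid(dn: str) -> bool:
    """True if every RDN is attr=value with a legal type and an escaped value."""
    if dn == "":
        return True                            # empty DN (root DSE) is legal
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):
            if "=" not in ava:
                return False
            attr, value = ava.split("=", 1)
            if not _ATTR_TYPE.match(attr.strip()):
                return False                   # e.g. '"dc' from a quoted suffix
            if value.startswith("#") or _UNESCAPED_SPECIAL.search(value):
                return False
    return True


def parse_smb_values(text: str) -> Dict[str, str]:
    """Read 'key = value' lines; smb.conf does not strip quotes from values."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith(("#", ";", "[")):
            key, val = line.split("=", 1)
            out[key.strip().lower()] = val.strip()
    return out


def idmap_base(smb_conf: str) -> str:
    """Search base used for idmap entries: '<ldap idmap suffix>,<ldap suffix>'."""
    vals = parse_smb_values(smb_conf)
    return f"{vals['ldap idmap suffix']},{vals['ldap suffix']}"


# Constructed samples: the quoted suffix from the post and an unquoted variant.
QUOTED_CONF = 'ldap suffix = "dc=abc,dc=local"\nldap idmap suffix = ou=idmap\n'
UNQUOTED_CONF = 'ldap suffix = dc=abc,dc=local\nldap idmap suffix = ou=idmap\n'
```

Running `dn_is_valid(idmap_base(QUOTED_CONF))` reproduces the rejected form seen in the log, while the unquoted variant yields a well-formed base.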