notinh notien
2005-Sep-02 00:52 UTC
[Samba] Samba PDC + Openldap (no database connection established after reboot)
Hi, all. I really need your help in determining what I did wrong. I have been trying to set up a Samba PDC (not using TLS at this initial stage yet) by hand on SLES 9.1 and did not use YaST because somehow it just did not work. I followed all the steps from "The Linux Samba-OpenLDAP Howto (1.10)" from IDEALX.org and Chapter 5, "Making Happy Users", from the book, and a bunch of other papers, and finally I got something working. I was able to do:

getent passwd
getent group
getent hosts
getent shadow
ldapsearch -x -b "dc=sample,dc=com" "(ObjectClass=*)"
slapcat

I was able to add a user using:

smbldap-useradd -m -a testuser
smbldap-passwd testuser
id testuser
pdbedit -Lv testuser
pdbedit -L -v
net groupmap list
smbclient -L localhost -U%

Basically many steps recommended for testing, and all the outputs are correct according to the example outputs. I did turn on debugging values for all components and everything seems to work OK without any errors.

So I rebooted the server and then, after everything came up, I tried to do these tests again. Now slapcat and ldapsearch would show no output, and the log shows no error of any kind (from my interpretation). I set up everything again and backed up all the config files just in case. I rebooted the server and the same problem happened.

From a Linux box, I could ssh to the server and get this prompt for root:

Password:
LDAP Password:

Log for this:

Sep 1 17:13:43 Ns02 slapd[9137]: conn=218 op=0 RESULT tag=97 err=0 text=
Sep 1 17:13:43 Ns02 slapd[9137]: conn=218 op=1 SRCH base="dc=sample,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=root))"
Sep 1 17:13:43 Ns02 slapd[9137]: conn=218 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Sep 1 17:13:50 Ns02 slapd[9137]: conn=219 fd=12 ACCEPT from IP=127.0.0.1:1745 (IP=0.0.0.0:389)

However, if I tried to log in as the test user, then:

Password:
LDAP Password:
Password:
LDAP Password:
Password:
LDAP Password:

Log for this:

Sep 1 17:11:45 Ns02 slapd[9137]: conn=217 fd=11 ACCEPT from IP=127.0.0.1:1742 (IP=0.0.0.0:389)
Sep 1 17:11:45 Ns02 slapd[9137]: conn=217 op=0 BIND dn="cn=Admin,dc=sample,dc=com" method=128
Sep 1 17:11:45 Ns02 slapd[9137]: conn=217 op=0 BIND dn="cn=Admin,dc=sample,dc=com" mech=SIMPLE ssf=0
Sep 1 17:11:45 Ns02 slapd[9137]: conn=217 op=0 RESULT tag=97 err=0 text=
Sep 1 17:11:45 Ns02 slapd[9137]: conn=217 op=1 SRCH base="dc=sample,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Sep 1 17:11:45 Ns02 slapd[9137]: conn=217 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Sep 1 17:12:30 Ns02 slapd[9137]: conn=217 fd=11 closed

I checked /var/lib/ldap, where the database for OpenLDAP is, and the files are current and exist. I restarted samba + openldap + nmb and nothing changed. I checked and restarted my firewall (no errors regarding being unable to access port 139 or 445, or 389 for that matter).

At times the log file would indicate this message:

Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 fd=11 ACCEPT from IP=127.0.0.1:1774 (IP=0.0.0.0:389)
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=0 BIND dn="cn=Admin,dc=sample,dc=com" method=128
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=0 BIND dn="cn=Admin,dc=sample,dc=com" mech=SIMPLE ssf=0
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=0 RESULT tag=97 err=0 text=
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=1 SRCH attr=supportedControl
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=2 SRCH base="dc=sample,dc=com" scope=2 deref=0 filter="(&(uid=steven)(objectClass=sambaSamAccount))"
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
Sep 1 17:29:12 Ns02 slapd[9137]: conn=239 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
Sep 1 17:29:21 Ns02 slapd[9137]: conn=239 fd=11 closed

(STEVEN is the user name of an account on an XP box.)

######################################################################

I tried to google the problem, but nothing seemed to be anything similar to this problem. And here are my config files.

#/etc/smb/smb.conf
[global]
workgroup = SAMPLE
server string = Ns02
interfaces = lo, eth0
bind interfaces only = Yes
min password length = 7
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1/
enable privileges = Yes
username map = /etc/samba/smbusers
log level = 5
syslog = 3
log file = /var/log/samba/%m.log
max log size = 100000
time server = Yes
deadtime = 10
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap cache time = 750
printcap name = cups
add user script = /usr/local/sbin/smbldap-useradd -m %u
delete user script = /usr/local/sbin/smbldap-userdel %u
add group script = /usr/local/sbin/smbldap-groupadd -p %g
delete group script = /usr/local/sbin/smbldap-groupdel %g
add user to group script = /usr/local/sbin/smbldap-groupmod -m '%g' '%u'
delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%g' '%u'
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
logon script = logon.bat
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Admin,dc=sample,dc=com
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=sample,dc=com
ldap ssl = no
ldap user suffix = ou=Users
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
printer admin = @ntadmin, root, administrator
hosts allow = 192.168.0.0/24, 127.0.0.0/8
map acl inherit = Yes
cups options = raw
case sensitive = No
hide special files = Yes
hide unreadable = Yes
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

[homes]
comment = Home Directories %U, %u
valid users = %U
read only = No
inherit acls = Yes
browseable = No

[profiles]
comment = Network Profiles Service
path = /home/samba/profiles
valid users = %U, "@Domain Admins"
force user = %U
read only = No
create mask = 0600
directory mask = 0700
guest ok = Yes
profile acls = Yes
store dos attributes = Yes
csc policy = disable

[netlogon]
path = /home/samba/netlogon/
browseable = No

[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0600
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
valid users = @ntadmin, root, administrator
write list = @ntadmin, root, administrator
force group = ntadmin
create mask = 0664
directory mask = 0775

[canonir3]
comment = Black White Laser
path = /var/spool/samba
read only = No
create mask = 0600
printable = Yes
printer name = CanoniR3
share modes = No

##########################################################

#/etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/openldap/modules
access to dn.base=""
  by self write
  by * auth
access to attr=userPassword,SambaLMPassword,SambaNTPassword
  by self write
  by dn="cn=Admin,dc=sample,dc=com" write
  by * auth
access to attr=shadowLastChange
  by self write
  by * read
access to *
  by dn="cn=Admin,dc=sample,dc=com" write
  by users read
  by anonymous auth
  by * read
loglevel 256
schemacheck on
idletimeout 30
backend bdb
database bdb
checkpoint 1024 5
cachesize 10000
suffix "dc=sample,dc=com"
rootdn "cn=Admin,dc=sample,dc=com"
rootpw {SSHA}LkUefrF11RHeFKeOr/ajxf9tZU0l6d8G
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
directory /var/lib/ldap

####################################################

#/etc/ldap.conf
host 127.0.0.1
BASE dc=sample,dc=com
binddn cn=Admin,dc=sample,dc=com
bindpw secret
timelimit 50
bind_timelimit 50
bind_policy hard
idle_timelimit 3600
pam_password exop
ssl no
nss_base_passwd dc=sample,dc=com?one
nss_base_passwd ou=Users,dc=sample,dc=com?one
nss_base_shadow ou=Users,dc=sample,dc=com?one
nss_base_group ou=Groups,dc=sample,dc=com?one
debug 256
logdir /var/log/nssldaplogs
base dc=sample,dc=com   ///<------------------------------------------
nss_map_attribute uniqueMember member
ldap_version 3
pam_filter objectclass=posixAccount

################################################

#/etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns wins
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files

#######################################################

## /etc/pam.d/system-auth
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so

###################################################

#/etc/smbldap-tools/smbldap.conf
SID="S-1-5-21-4243189714-2027005459-491393344"
sambaDomain="SAMPLE"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"   ///<<<<<<<<<<<<<<<<<<<<<<<<<<<
verify="require"
cafile="/etc/smbldap-tools/ca.pem"
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
clientkey="/etc/smbldap-tools/smbldap-tools.key"
suffix="dc=sample,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\Ns02\home\%U"
userProfile="\\Ns02\profiles\%U"
userHomeDrive="H:"
userScript="logon.bat"
mailDomain="sample.com"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

################################################

#/etc/smbldap-tools/smbldap_bind.conf
slaveDN="cn=Admin,dc=sample,dc=com"
slavePw="secret"
masterDN="cn=Admin,dc=sample,dc=com"
masterPw="secret"

###############################################

### add.ldif (I used this one to make Samba allocate the next uid and gid)
dn: cn=NextFreeUnixId,dc=nanostellar,dc=com
objectClass: inetOrgPerson
objectClass: sambaUnixIdPool
uidNumber: 10000
gidNumber: 10000
cn: NextFreeUnixId
sn: NextFreeUnixId

Could you tell me what I missed? How could I keep the database, or the connection to the database, the same after each reboot? It would be crazy to set up everything again after each reboot when the server is in production. Thank you very much for reading and helping me out.

(getent passwd did not show the root, NetBIOS Administrator or testuser entries.)

Here is what I found when I tried to do pdbedit -L -v:

INFO: Current debug levels:
all: True/5
tdb: False/0
printdrivers: False/0
lanman: False/0
smb: False/0
rpc_parse: False/0
rpc_srv: False/0
rpc_cli: False/0
passdb: False/0
sam: False/0
auth: False/0
winbind: False/0
vfs: False/0
idmap: False/0
quota: False/0
acls: False/0
.....
......
Trying to load: ldapsam:ldap://127.0.0.1/
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend guest
Successfully added passdb backend 'guest'
Attempting to find an passdb backend to match ldapsam:ldap://127.0.0.1/ (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMPLE))]
smbldap_search: base => [dc=sample,dc=com], filter => [(&(objectClass=sambaDomain)(sambaDomainName=SAMPLE))], scope => [2]
The connection to the LDAP server was closed
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
ldap_connect_system: LDAP server does support paged results
The LDAP server is succesfully connected
smbldap_search_suffix: Problem during the LDAP search: (No such object)
Problem during LDAPsearch: No such object
Query was: dc=sample,dc=com, (&(objectClass=sambaDomain)(sambaDomainName=SAMPLE))
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
pdb backend ldapsam:ldap://127.0.0.1/ has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
Netbios name list:-
my_netbios_names[0]="NS02"
Trying to load: ldapsam:ldap://127.0.0.1/
Attempting to find an passdb backend to match ldapsam:ldap://127.0.0.1/ (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMPLE))]
smbldap_search: base => [dc=sample,dc=com], filter => [(&(objectClass=sambaDomain)(sambaDomainName=SAMPLE))], scope => [2]
The connection to the LDAP server was closed
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
ldap_connect_system: LDAP server does support paged results
The LDAP server is succesfully connected
smbldap_search_suffix: Problem during the LDAP search: (No such object)
Problem during LDAPsearch: No such object
Query was: dc=sample,dc=com, (&(objectClass=sambaDomain)(sambaDomainName=SAMPLE))
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
pdb backend ldapsam:ldap://127.0.0.1/ has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
smbldap_search: base => [dc=sample,dc=com], filter => [(&(uid=*)(objectclass=sambaSamAccount))], scope => [2]
ldapsam_setsampwent: LDAP search failed: No such object
ldapsam_setsampwent: Query was: dc=sample,dc=com, (&(uid=*)(objectclass=sambaSamAccount))

Error for net groupmap list:

net groupmap list
[2005/09/01 17:47:44, 0] lib/smbldap.c:smbldap_search_suffix(1176)
  smbldap_search_suffix: Problem during the LDAP search: (No such object)
[2005/09/01 17:47:44, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(2763)
  ldapsam_setsamgrent: LDAP search failed: No such object
[2005/09/01 17:47:44, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(2828)
  ldapsam_enum_group_mapping: Unable to open passdb

So Samba could not access the database. Then what should I do? Thanks.
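Reading the slapd log in the post above: what follows is an added example, not code from the original post nor from Samba or OpenLDAP. It parses slapd loglevel 256 ("stats") lines of the shape posted and separates "slapd is not answering" from "slapd answers, but the loaded database no longer contains dc=sample,dc=com", which is what err=32 (noSuchObject) on the suffix together with a successful rootDSE search (base="", the conn=239 op=1 lines) means. It also flags two things in the posted configuration a practitioner would want to notice: every nss_ldap and Samba lookup binds as the slapd rootdn (cn=Admin, whose password sits as bindpw secret in /etc/ldap.conf and in smbldap_bind.conf), and those binds are mech=SIMPLE ssf=0, i.e. the password crosses the socket in clear, which is only tolerable while slapd is reachable from 127.0.0.1 alone. The suffix, rootdn and the two 127.0.0.1 connections are taken from the post; the conn=240 connection from 192.168.0.55 is a constructed line added to show the remote-cleartext case. (One further thing visible in the posted files: the add.ldif DN ends in dc=nanostellar,dc=com while every other file uses dc=sample,dc=com.)

```python
"""Triage of slapd loglevel 256 ("stats") lines like the ones in the post.

Added example, not from the original post, Samba or OpenLDAP. Per connection it
reports: the rootDSE answering (slapd is up), err=32 on a search at or under the
suffix (the loaded database does not hold the suffix), and simple binds with
ssf=0 (cleartext) made as the rootdn or from a non-loopback peer.
"""
import re

SUFFIX = "dc=sample,dc=com"            # from the posted slapd.conf
ROOTDN = "cn=Admin,dc=sample,dc=com"   # from the posted slapd.conf

# Constructed sample modelled on the post: conn=217 and conn=239 are the posted
# connections (empty text= values restored); conn=240 from 192.168.0.55 is an
# assumption added to show a cleartext bind arriving from a LAN host.
SAMPLE_LOG = """\
Sep  1 17:11:45 Ns02 slapd[9137]: conn=217 fd=11 ACCEPT from IP=127.0.0.1:1742 (IP=0.0.0.0:389)
Sep  1 17:11:45 Ns02 slapd[9137]: conn=217 op=0 BIND dn="cn=Admin,dc=sample,dc=com" method=128
Sep  1 17:11:45 Ns02 slapd[9137]: conn=217 op=0 BIND dn="cn=Admin,dc=sample,dc=com" mech=SIMPLE ssf=0
Sep  1 17:11:45 Ns02 slapd[9137]: conn=217 op=0 RESULT tag=97 err=0 text=
Sep  1 17:11:45 Ns02 slapd[9137]: conn=217 op=1 SRCH base="dc=sample,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Sep  1 17:11:45 Ns02 slapd[9137]: conn=217 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Sep  1 17:12:30 Ns02 slapd[9137]: conn=217 fd=11 closed
Sep  1 17:29:12 Ns02 slapd[9137]: conn=239 fd=11 ACCEPT from IP=127.0.0.1:1774 (IP=0.0.0.0:389)
Sep  1 17:29:12 Ns02 slapd[9137]: conn=239 op=0 BIND dn="cn=Admin,dc=sample,dc=com" mech=SIMPLE ssf=0
Sep  1 17:29:12 Ns02 slapd[9137]: conn=239 op=0 RESULT tag=97 err=0 text=
Sep  1 17:29:12 Ns02 slapd[9137]: conn=239 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Sep  1 17:29:12 Ns02 slapd[9137]: conn=239 op=1 SRCH attr=supportedControl
Sep  1 17:29:12 Ns02 slapd[9137]: conn=239 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep  1 17:29:12 Ns02 slapd[9137]: conn=239 op=2 SRCH base="dc=sample,dc=com" scope=2 deref=0 filter="(&(uid=steven)(objectClass=sambaSamAccount))"
Sep  1 17:29:12 Ns02 slapd[9137]: conn=239 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
Sep  1 17:30:02 Ns02 slapd[9137]: conn=240 fd=12 ACCEPT from IP=192.168.0.55:2049 (IP=0.0.0.0:389)
Sep  1 17:30:02 Ns02 slapd[9137]: conn=240 op=0 BIND dn="uid=testuser,ou=Users,dc=sample,dc=com" mech=SIMPLE ssf=0
Sep  1 17:30:02 Ns02 slapd[9137]: conn=240 op=0 RESULT tag=49 err=49 text=
"""

ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" mech=(\S+) ssf=(\d+)')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')


def under_suffix(base, suffix):
    """True if base is the suffix itself or a DN below it (case-insensitive, spaces ignored)."""
    b = base.lower().replace(" ", "")
    s = suffix.lower().replace(" ", "")
    return b == s or b.endswith("," + s)


def triage(log_text, suffix=SUFFIX, rootdn=ROOTDN):
    """Return (finding, conn, detail) tuples for one slapd stats log."""
    peer = {}       # conn id -> client IP, from the ACCEPT line
    searches = {}   # (conn, op) -> search base, so a SEARCH RESULT can be attributed
    findings = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            peer[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            conn, _op, dn, mech, ssf = m.groups()
            if mech == "SIMPLE" and ssf == "0":          # password sent in clear
                ip = peer.get(conn, "?")
                if dn.lower() == rootdn.lower():
                    findings.append(("cleartext_rootdn_bind", conn, ip))
                if ip != "?" and not ip.startswith("127."):
                    findings.append(("cleartext_bind_remote", conn, ip))
            continue
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, _scope = m.groups()
            searches[(conn, op)] = base
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, _n = m.groups()
            base = searches.get((conn, op))
            if base is None:
                continue
            if base == "" and err == "0":                 # rootDSE answered: slapd is up
                findings.append(("rootdse_ok", conn, peer.get(conn, "?")))
            elif err == "32" and under_suffix(base, suffix):
                findings.append(("suffix_missing", conn, base))
    return findings


def verdict(findings):
    """One-line reading of the findings for the responder."""
    kinds = {f[0] for f in findings}
    if "suffix_missing" in kinds and "rootdse_ok" in kinds:
        return "database problem: slapd is up but the suffix is not in the loaded database"
    if "suffix_missing" in kinds:
        return "suffix not found; no rootDSE result seen, check whether slapd is up"
    if not kinds:
        return "no search results seen: slapd not reached or nothing logged"
    return "no suffix problem seen"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f)
    print(verdict(found))
```

On the posted log the verdict is the "database problem" case: the bind succeeds and the rootDSE answers, so slapd itself is running; it is the BDB database under /var/lib/ldap that no longer contains the suffix entry after the reboot, which is also why slapcat prints nothing. The check to make before re-importing anything is whether the files in that directory are the ones written before the reboot (the reply in this thread points at a SuSE kernel bug on ReiserFS). The two cleartext findings are independent of the outage: with bindpw secret in /etc/ldap.conf, any local user who can read that file holds the rootdn password, so a dedicated, ACL-restricted bind DN for nss_ldap and Samba, and TLS before slapd is reachable beyond loopback, are the follow-ups once the directory is back.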
Charles Marcus
2005-Sep-02 14:28 UTC
[Samba] Re: Samba PDC + Openldap (no database connection established after reboot)
Finally, one I can answer!

> Hi, all. I really need your help in determining what I did wrong. I have
> been trying to set up a Samba PDC (not using TLS at this initial stage yet) by
> hand on SLES 9.1 and did not use YaST because somehow it just did not work.
>
> I followed all the steps from "The Linux Samba-OpenLDAP Howto (1.10)"
> from IDEALX.org and Chapter 5, "Making Happy Users", from the book and a bunch
> of other papers, and finally I got something working. I was able to do:

<snip>

> Basically many steps recommended for testing, and all the outputs are correct
> according to the example outputs. I did turn on debugging values for all
> components and everything seems to work OK without any errors.
>
> So I rebooted the server and then after everything came up, I tried to do
> these tests again.
> Now slapcat and ldapsearch would show no output and the log shows no error of any
> kind (from my interpretation).
>
> I set up everything again and backed up all the config files just in case. I
> rebooted the server and the same problem happened.

Are you by any chance using ReiserFS? There is a bug in the SuSE kernel in SLES9 (there is no SLES 9.1, by the way, though SLES9 is up to SP2 now). SuSE just issued an update yesterday for this bug, so all you need to do is run YaST and update your kernel and you're good to go.

--
Charles