Alexander Harm || ApfelQ
2022-Sep-23 10:31 UTC
[Samba] Problems with Samba after upgrading to v4 and changing LDAP-backend from OpenLDAP to 389
I couldn?t help myself but dig some more. I compared the ldif as suggested and they are identical. From what I gather, the results that LDAP returns are fine but the process fails at a non-LDAP stage: The LDAP server is successfully connected pdb backend ldapsam:ldap://ldap1.example.com has a valid init smbldap_search_ext: base => [dc=example,dc=com], filter => [(&(uid=johndoe)(objectclass=sambaSamAccount))], scope => [2] init_sam_from_ldap: Entry found for user: johndoe pdb_set_username: setting username johndoe, was pdb_set_domain: setting domain EXAMPLE, was pdb_set_nt_username: setting nt username johndoe, was pdb_set_user_sid_from_string: setting user sid S-1-5-21-1926693724-44905045-1282156110-25724 pdb_set_user_sid: setting user sid S-1-5-21-1926693724-44905045-1282156110-25724 attribute sambaLogonTime does not exist attribute sambaLogoffTime does not exist attribute sambaPwdCanChange does not exist pdb_set_full_name: setting full name Doe, John, was pdb_set_dir_drive: setting dir drive E:, was NULL pdb_set_homedir: setting home dir \\univers\homes, was pdb_set_logon_script: setting logon script johndoe, was attribute sambaProfilePath does not exist pdb_set_profile_path: setting profile path , was attribute description does not exist attribute sambaUserWorkstations does not exist attribute sambaMungedDial does not exist attribute sambaLMPassword does not exist Opening cache file at /var/lib/samba/lock/gencache.tdb attribute sambaBadPasswordCount does not exist attribute sambaBadPasswordTime does not exist attribute sambaLogonHours does not exist Opening cache file at /var/lib/samba/login_cache.tdb Looking up login cache for user johndoe No cache entry found No cache entry, bad count = 0, bad time = 0 Finding user johndoe Trying _Get_Pwnam(), username as lowercase is johndoe Trying _Get_Pwnam(), username as uppercase is JOHNDOE Checking combinations of 0 uppercase letters in johndoe Get_Pwnam_internals didn't find user [johndoe]! Failed to find a Unix account for johndoe pdb_set_username: setting username johndoe, was pdb_set_domain: setting domain EXAMPLE, was pdb_set_nt_username: setting nt username johndoe, was pdb_set_full_name: setting full name Doe, John, was pdb_set_homedir: setting home dir \\univers\homes, was pdb_set_dir_drive: setting dir drive E:, was NULL pdb_set_logon_script: setting logon script johndoe, was pdb_set_profile_path: setting profile path , was pdb_set_workstations: setting workstations , was pdb_set_user_sid: setting user sid S-1-5-21-1926693724-44905045-1282156110-25724 pdb_set_user_sid_from_rid: setting user sid S-1-5-21-1926693724-44905045-1282156110-25724 from rid 25724 Unix username: johndoe NT username: johndoe Account Flags: [U ] User SID: S-1-5-21-1926693724-44905045-1282156110-25724 Finding user johndoe Trying _Get_Pwnam(), username as lowercase is johndoe Trying _Get_Pwnam(), username as uppercase is JOHNDOE Checking combinations of 0 uppercase letters in johndoe Get_Pwnam_internals didn't find user [johndoe]! Failed to find a Unix account for johndoe So where the two differ are here: Finding user johndoe Trying _Get_Pwnam(), username as lowercase is johndoe Trying _Get_Pwnam(), username as uppercase is JOHNDOE Checking combinations of 0 uppercase letters in johndoe Get_Pwnam_internals didn't find user [johndoe]! Failed to find a Unix account for johndoe and on the old server it just returns the user straight away. Is that a problem of PAM configuration? Regards, Alexander> On Wednesday, Sep 21, 2022 at 10:59 PM, Andrew Bartlett <abartlet at samba.org (mailto:abartlet at samba.org)> wrote: > Great, sounds like you are taking things carefully. Also note that > Symas provides OpenLDAP packages: > > https://repo.symas.com/soldap/ > > https://www.symas.com/symas-download-software > > Andrew Bartlett > > On Wed, 2022-09-21 at 22:49 +0200, Alexander Harm || ApfelQ via samba > wrote: > > Thanks again and don?t worry. We did not blindly upgrade, we are > > testing this in a clone of our production environment. So rolling > > back etc. is not an issue right now. I will go through your > > suggestions. Thank you all for your input. > > > > > On Wednesday, Sep 21, 2022 at 9:52 PM, Andrew Bartlett < > > > abartlet at samba.org > > > (mailto: > > > abartlet at samba.org > > > )> wrote: > > > > > > On Wed, 2022-09-21 at 11:57 +0200, Alexander Harm || ApfelQ via > > > samba > > > wrote: > > > > Hi, > > > > > > > > I was wondering if anyone ran into the same issue and maybe has a > > > > solution for me. In short: > > > > > > > > - we were running SLES 11 with Samba 3.6.3 as NT4 PDC and > > > > OpenLDAP > > > > backend: working fine > > > > - we upgraded to SLES 15 with Samba 4.13.13 as NT4 PDC and old > > > > OpenLDAP backend: working fine > > > > - now we migrated from OpenLDAP to 389 and things start to break > > > > > > > > LDAP seems to work in principle "pdbedit -L? is successful. > > > > However, > > > > running ?pdbedit -Lv username? returns an error: ?Failed to find > > > > a > > > > Unix account for username? and ?Primary Group SID: (NULL SID)?. > > > > > > > > So I guess the idmap is messed up? > > > > > > Looping back to the start, I think you a suggested elsewhere in the > > > thread need to work on this one step at a time. > > > > > > I agree that getting OpenLDAP back, if a reverse migration is > > > possible, > > > at least in a lab, might be a good idea, and confirm that the issue > > > really is with OpenLDAP and not something else. > > > > > > 'Clearly' something is different about the 389 LDAP server vs > > > OpenLDAP. > > > > > > Do they both accept the same (non)authentication? > > > > > > You should be able to debug this with either a network capture, or > > > LDAP > > > comparison tools. (I don't know if Samba's samba-tool ldapcmp can > > > do a > > > good enough job, but try it using the --simple-bind-dn mode). > > > > > > Try dumping a sorted LDIF of each directory, and compare with diff > > > even. > > > > > > Try turning up the log level and see what errors you see compared > > > with > > > your old OpenLDAP. > > > > > > Then finally, think about a migration to Samba AD, and how to have > > > your > > > other applications work with AD or synchronise with it. This is a > > > much > > > longer term project. > > > > > > > Actually I?m not sure how the idmap is stored in LDAP since both > > > > idmap-OUs look the same to me (empty) on the old OpenLDAP and new > > > > 389. > > > > > > > > Any hints/advice? > > > > > > Try not to change too much at once, particularly around idmap. > > > > > > Andrew Bartlett > > > > > > -- > > > Andrew Bartlett (he/him) > > > https://samba.org/~abartlet/ > > > > > > Samba Team Member (since 2001) > > > https://samba.org > > > > > > Samba Team Lead, Catalyst IT > > > https://catalyst.net.nz/services/samba > > > > > > > > > Samba Development and Support, Catalyst IT - Expert Open Source > > > Solutions > > > > -- > Andrew Bartlett (he/him) https://samba.org/~abartlet/ > Samba Team Member (since 2001) https://samba.org > Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba > > Samba Development and Support, Catalyst IT - Expert Open Source > Solutions >
Rowland Penny
2022-Sep-23 10:39 UTC
[Samba] Problems with Samba after upgrading to v4 and changing LDAP-backend from OpenLDAP to 389
On 23/09/2022 11:31, Alexander Harm || ApfelQ via samba wrote:> I couldn?t help myself but dig some more. I compared the ldif as suggested and they are identical. From what I gather, the results that LDAP returns are fine but the process fails at a non-LDAP stage: > > The LDAP server is successfully connected > pdb backend ldapsam:ldap://ldap1.example.com has a valid init > smbldap_search_ext: base => [dc=example,dc=com], filter => [(&(uid=johndoe)(objectclass=sambaSamAccount))], scope => [2] > init_sam_from_ldap: Entry found for user: johndoe > pdb_set_username: setting username johndoe, was > pdb_set_domain: setting domain EXAMPLE, was > pdb_set_nt_username: setting nt username johndoe, was > pdb_set_user_sid_from_string: setting user sid S-1-5-21-1926693724-44905045-1282156110-25724 > pdb_set_user_sid: setting user sid S-1-5-21-1926693724-44905045-1282156110-25724 > attribute sambaLogonTime does not exist > attribute sambaLogoffTime does not exist > attribute sambaPwdCanChange does not exist > pdb_set_full_name: setting full name Doe, John, was > pdb_set_dir_drive: setting dir drive E:, was NULL > pdb_set_homedir: setting home dir \\univers\homes, was > pdb_set_logon_script: setting logon script johndoe, was > attribute sambaProfilePath does not exist > pdb_set_profile_path: setting profile path , was > attribute description does not exist > attribute sambaUserWorkstations does not exist > attribute sambaMungedDial does not exist > attribute sambaLMPassword does not exist > Opening cache file at /var/lib/samba/lock/gencache.tdb > attribute sambaBadPasswordCount does not exist > attribute sambaBadPasswordTime does not exist > attribute sambaLogonHours does not exist > Opening cache file at /var/lib/samba/login_cache.tdb > Looking up login cache for user johndoe > No cache entry found > No cache entry, bad count = 0, bad time = 0 > Finding user johndoe > Trying _Get_Pwnam(), username as lowercase is johndoe > Trying _Get_Pwnam(), username as uppercase is JOHNDOE > Checking combinations of 0 uppercase letters in johndoe > Get_Pwnam_internals didn't find user [johndoe]! > Failed to find a Unix account for johndoe > pdb_set_username: setting username johndoe, was > pdb_set_domain: setting domain EXAMPLE, was > pdb_set_nt_username: setting nt username johndoe, was > pdb_set_full_name: setting full name Doe, John, was > pdb_set_homedir: setting home dir \\univers\homes, was > pdb_set_dir_drive: setting dir drive E:, was NULL > pdb_set_logon_script: setting logon script johndoe, was > pdb_set_profile_path: setting profile path , was > pdb_set_workstations: setting workstations , was > pdb_set_user_sid: setting user sid S-1-5-21-1926693724-44905045-1282156110-25724 > pdb_set_user_sid_from_rid: > setting user sid S-1-5-21-1926693724-44905045-1282156110-25724 from rid 25724 > Unix username: johndoe > NT username: johndoe > Account Flags: [U ] > User SID: S-1-5-21-1926693724-44905045-1282156110-25724 > Finding user johndoe > Trying _Get_Pwnam(), username as lowercase is johndoe > Trying _Get_Pwnam(), username as uppercase is JOHNDOE > Checking combinations of 0 uppercase letters in johndoe > Get_Pwnam_internals didn't find user [johndoe]! > Failed to find a Unix account for johndoe > > So where the two differ are here: > > Finding user johndoe > Trying _Get_Pwnam(), username as lowercase is johndoe > Trying _Get_Pwnam(), username as uppercase is JOHNDOE > Checking combinations of 0 uppercase letters in johndoe > Get_Pwnam_internals didn't find user [johndoe]! > Failed to find a Unix account for johndoe > > and on the old server it just returns the user straight away. Is that a problem of PAM configuration?I take it that you are running winbind, but what is in /etc/nsswitch.conf ? Rowland