Sorry.. One more email.. I tried to create the IDMAP container on the LDAP with an example I found:

dn: ou=Idmap,dc=softeng,dc=com
objectClass: organizationalUnit
ou: idmap
structuralObjectClass: organizationalUnit

and it gives:

adding new entry "ou=Idmap,dc=softeng,dc=com"
ldap_add: Constraint violation
        additional info: structuralObjectClass: no user modification allowed
ldif_record() = 19

Just seems so complicated just to sync the UID and GID maps across unix systems. :(... Why can't I just use some NFS share and a database????

JMS
Hi Josh,

I have sympathy for your position, I have been through the same exercise myself. I used SunONE LDAP server so can't provide you a how-to from that.

First thing I would say is if you want to achieve a central idmap database then, as you know, the only currently supported way to do this is with LDAP. LDAP is not a trivial thing to deal with and if you go down this route you really need to accept it'll take time and effort to get something you understand properly (to provide a robust solution). I think the dev guys are looking at alternatives as many people have complained that being forced to use LDAP isn't ideal, but until then...

Most of your config looks fine from a Samba point of view, with regard to creating your OU (which of course must exist or nothing will work). But I can't say I've come across structuralObjectClass before. Have you tried adding an object without it, like:

dn: ou=Idmap,dc=softeng,dc=com
objectClass: organizationalUnit

??

cheers
Andy.

BBCi at http://www.bbc.co.uk/
> Sorry.. One more email.. I tried to create the IDMAP container on the LDAP with an example I found:
>
> dn: ou=Idmap,dc=softeng,dc=com
> objectClass: organizationalUnit
> ou: idmap
> structuralObjectClass: organizationalUnit

Try dropping the "structuralObjectClass" line, or either use objectclass OR structuralObjectClass. You haven't said what DSA or version of DSA you're using.
I did drop it and it added..

# extended LDIF
#
# LDAPv3
# base <dc=softeng,dc=com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# softeng.com
dn: dc=softeng,dc=com
objectClass: dcObject
objectClass: organization
o: Software Engineering
dc: softeng

# Manager, softeng.com
dn: cn=Manager,dc=softeng,dc=com
objectClass: organizationalRole
cn: Manager

# Idmap, softeng.com
dn: ou=Idmap,dc=softeng,dc=com
objectClass: organizationalUnit
ou: idmap

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

But now when I do a getent passwd, I get:

Jun 10 02:31:05 wwweng1 winbindd[4233]: ldap_allocate_id: single sambaUnixIdPool object not found
Jun 10 02:31:05 wwweng1 winbindd[4233]: [2004/06/10 02:31:05, 0] sam/idmap_ldap.c:ldap_allocate_id(413)
Jun 10 02:31:05 wwweng1 winbindd[4233]: [2004/06/10 02:31:05, 0] sam/idmap_ldap.c:ldap_get_id_from_sid(621)
Jun 10 02:31:05 wwweng1 winbindd[4233]: ldap_allocate_id: cannot acquire id lock!

and the getent returns nothing from winbind.

When I remove the "ldap" entries from smb.conf, the getent command works fine. (so winbind is working)

As for DSA, I am not sure what you mean. I am doing nothing fancy like SSL or the like.

Thanks,
JMS

P.S.

My slapd.conf:

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

#pidfile        //var/run/slapd.pid
#argsfile       //var/run/slapd.args

# Create a replication log in /var/lib/ldap for use by slurpd.
#replogfile     /var/lib/ldap/master-slapd.replog

# Load dynamic backend modules:
# modulepath    /usr/sbin/openldap
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

#
# The next two lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
#
# Sample Access Control
#       Allow read access of root DSE
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#
#access to dn="" by * read
#access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default is:
#       Allow read by all
#
# rootdn can always write!

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
suffix          "dc=softeng,dc=com"
rootdn          "cn=Manager,dc=softeng,dc=com"
rootpw          {SSHA}l3niIBoW8kJe1gEzqK5VW426vNh+PW69
directory       /var/lib/ldap

# Indices to maintain
index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname                       eq,subinitial

# Replicas to which we should propagate changes
#replica host=ldap-1.example.com:389 tls=yes
#       bindmethod=sasl saslmech=GSSAPI
#       authcId=host/ldap-master.example.com@EXAMPLE.COM
I hate to be a pain, but I am under the gun.. Could you show an example "ldif" on that? I am completely ldap dumb. I'd greatly appreciate it.

Thanks,
JMS

-----Original Message-----
From: Paul Gienger [mailto:pgienger@ae-solutions.com]
Sent: Thursday, June 10, 2004 11:03 AM
To: Josh Skains
Cc: adam@morrison-ind.com; samba@lists.samba.org
Subject: Re: [Samba] And the LDIF thing

> Jun 10 02:31:05 wwweng1 winbindd[4233]: ldap_allocate_id: single sambaUnixIdPool object not found
> Jun 10 02:31:05 wwweng1 winbindd[4233]: [2004/06/10 02:31:05, 0] sam/idmap_ldap.c:ldap_allocate_id(413)
> Jun 10 02:31:05 wwweng1 winbindd[4233]: [2004/06/10 02:31:05, 0] sam/idmap_ldap.c:ldap_get_id_from_sid(621)
> Jun 10 02:31:05 wwweng1 winbindd[4233]: ldap_allocate_id: cannot acquire id lock!
>
> and the getent returns nothing from winbind.

You need to add a sambaUnixIdPool object inside of your IdMap ou. This will give samba its starting UID number and some other things. Just make sure you have all of the required attributes filled out in that object and then samba (winbind) will start adding subobjects of it automatically when new users connect the first time.

> When I remove the "ldap" entries from smb.conf, the getent command works fine. (so winbind is working)
>
> As for DSA, I am not sure what you mean. I am doing nothing fancy like SSL or the like.
>
> Thanks,
> JMS
>
> P.S.
>
> My slapd.conf:
>
> [slapd.conf quoted in full; identical to the copy earlier in the thread, snipped]

-- 
Paul Gienger                    Office: 701-281-1884
Applied Engineering Inc.        Cell:   701-306-6254
Information Systems Consultant  Fax:    701-281-1322
URL: www.ae-solutions.com
mailto:pgienger@ae-solutions.com
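The thread ends without the example LDIF Josh asked for, and it touches two separate pitfalls: Adam's point that structuralObjectClass is a server-maintained attribute that ldapadd refuses to accept, and Paul's point that winbindd needs exactly one sambaUnixIdPool object, with all its required attributes, under the idmap OU before it can allocate IDs. The following is an added example written for this page (not code from the thread or from the Samba project) that builds the container LDIF with the pool attached and checks an LDIF for both pitfalls before it goes anywhere near ldapadd. It assumes the Samba 3 samba.schema definitions (sambaUnixIdPool requires uidNumber and gidNumber; sambaIdmapEntry requires sambaSID) and uses 10000-20000 as a stand-in for the smb.conf "idmap uid" / "idmap gid" ranges; the base DN dc=softeng,dc=com is the one from the thread, and the broken LDIF sample is the one Josh posted.

```python
"""Build and sanity-check the LDIF for a Samba 3 idmap container.

Added example, not code from the thread.  Assumptions: the samba.schema
object classes listed in SCHEMA below, and the 10000-20000 ranges that
stand in for 'idmap uid' / 'idmap gid' in smb.conf.
"""

# Attributes the directory server maintains itself.  Including one in an
# LDIF for ldapadd is what produces "Constraint violation ... no user
# modification allowed" (structuralObjectClass in the thread).
OPERATIONAL = {
    "structuralobjectclass", "entryuuid", "entrycsn", "createtimestamp",
    "modifytimestamp", "creatorsname", "modifiersname",
}

# Subset of samba.schema relevant to the idmap tree (assumed from the
# Samba 3 schema file; names are compared case-insensitively).
SCHEMA = {
    "sambaunixidpool": {"must": {"uidnumber", "gidnumber"}},
    "sambaidmapentry": {"must": {"sambasid"}},
}

# Constructed sample: the LDIF Josh posted, which the server rejected.
BROKEN_LDIF = """\
dn: ou=Idmap,dc=softeng,dc=com
objectClass: organizationalUnit
ou: idmap
structuralObjectClass: organizationalUnit
"""


def parse_ldif(text):
    """Parse LDIF into a list of {"dn": ..., "attrs": {name: [values]}}.

    Handles '#' comments, blank-line record separators and folded
    continuation lines (a leading space joins onto the previous line).
    Base64 values ('attr:: ...') are kept as the raw encoded string.
    """
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]          # unfold continuation line
        else:
            logical.append(line)

    records, current = [], None
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                records.append(current)
                current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.lstrip(":").strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is None:
            raise ValueError(f"attribute before any dn: line: {line!r}")
        else:
            current["attrs"].setdefault(name, []).append(value)
    if current is not None:
        records.append(current)
    return records


def check_idmap_ldif(text, idmap_suffix, uid_range, gid_range):
    """Return a list of problems; an empty list means the LDIF is ready.

    Checks: no operational attributes, MUST attributes present for the
    Samba classes, exactly one sambaUnixIdPool under idmap_suffix (the
    "single sambaUnixIdPool object not found" condition), and the pool's
    counters inside the configured ranges so allocation starts where
    smb.conf says it should.
    """
    problems, pools = [], []
    for rec in parse_ldif(text):
        dn, attrs = rec["dn"], rec["attrs"]
        present = set(attrs)
        for bad in sorted(OPERATIONAL & present):
            problems.append(f"{dn}: '{bad}' is server-maintained; drop it from the LDIF")
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        for cls in sorted(classes & set(SCHEMA)):
            for missing in sorted(SCHEMA[cls]["must"] - present):
                problems.append(f"{dn}: objectClass {cls} requires {missing}")
        if "sambaunixidpool" in classes and dn.lower().endswith(idmap_suffix.lower()):
            pools.append(dn)
            for attr, rng in (("uidnumber", uid_range), ("gidnumber", gid_range)):
                for raw in attrs.get(attr, []):
                    if not raw.isdigit() or not rng[0] <= int(raw) <= rng[1]:
                        problems.append(f"{dn}: {attr}={raw} is outside {rng[0]}-{rng[1]}")
    if len(pools) != 1:
        problems.append(f"expected exactly one sambaUnixIdPool under {idmap_suffix}, found {len(pools)}")
    return problems


def build_idmap_ldif(base_dn, ou="Idmap", uid_start=10000, gid_start=10000):
    """LDIF for the idmap container with the allocation pool attached.

    sambaUnixIdPool is an auxiliary class, so it rides on the
    organizationalUnit itself; winbindd then adds sambaIdmapEntry
    children below it as SIDs are mapped.
    """
    return (
        f"dn: ou={ou},{base_dn}\n"
        "objectClass: organizationalUnit\n"
        "objectClass: sambaUnixIdPool\n"
        f"ou: {ou}\n"
        f"uidNumber: {uid_start}\n"
        f"gidNumber: {gid_start}\n"
    )


if __name__ == "__main__":
    base = "dc=softeng,dc=com"                 # base DN from the thread
    suffix = f"ou=Idmap,{base}"
    ranges = ((10000, 20000), (10000, 20000))  # assumed idmap uid/gid ranges
    print("posted LDIF:", check_idmap_ldif(BROKEN_LDIF, suffix, *ranges))
    fixed = build_idmap_ldif(base)
    print(fixed)
    print("built LDIF:", check_idmap_ldif(fixed, suffix, *ranges))
```

Run it and the posted LDIF is flagged twice (operational attribute present, no pool found) while the built one passes; feed the built output to ldapadd with the rootdn credentials from slapd.conf. The range check matters because winbindd hands out the pool's current uidNumber/gidNumber as the next free ID, so a pool seeded outside the configured range silently collides with local accounts.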