AIX 5.2 OpenLDAP 2.2.15 Samba 3.0.7 (no winbindd)
I've got a stupid problem with referrals that I can't seem to ferret
out.
Each Samba DC has a localhost-based LDAP replica for scalability (my
idea anyway). So the only way they will talk to the Master is if there is
need for an update. Ok.
If I make the updatedn the same as the rootdn of the replica, it updates
the local database; *NOT* what I want obviously, but at least I know Samba
is talking to *something* and being successful with say a workstation
join.
If I make the updatedn the known DN that slurpd will use (NOT the rootdn
of the replica) Samba doesn't seem to follow the referral. I've verified
the referral is offered using a simple ldapmodify command. Samba just
doesn't seem to be *seeing* the referral?
Log level 10 snippet:
[2004/09/22 08:55:39, 4]
passdb/pdb_ldap.c:ldapsam_update_sam_account(1595)
ldapsam_update_sam_account: user CRK7$ to be modified has dn:
uid=CRK7$,ou=People,dc=hvcc,dc=edu
[2004/09/22 08:55:39, 2] passdb/pdb_ldap.c:init_ldap_from_sam(864)
init_ldap_from_sam: Setting entry for user: CRK7$
[2004/09/22 08:55:39, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
smbldap_get_single_attribute: [sambaLMPassword] = [<does not exist>]
[2004/09/22 08:55:39, 5] lib/smbldap.c:smbldap_modify(1009)
smbldap_modify: dn => [uid=CRK7$,ou=People,dc=hvcc,dc=edu]
[2004/09/22 08:55:39, 5] lib/smbldap.c:rebindproc_connect_with_state(698)
rebindproc_connect_with_state: Rebinding as "cn=root,dc=hvcc,dc=edu"
[2004/09/22 08:55:39, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1422)
ldapsam_modify_entry: Failed to modify user
dnuid=CRK7$,ou=People,dc=hvcc,dc=edu with: No such attribute
modify/delete: sambaPwdCanChange: no such attribute
[2004/09/22 08:55:39, 0]
passdb/pdb_ldap.c:ldapsam_update_sam_account(1622)
ldapsam_update_sam_account: failed to modify user with uid = CRK7$,
error: modify/delete: sambaPwdCanChange: no such attribute (Success)
[2004/09/22 08:55:39, 5] rpc_parse/parse_prs.c:prs_debug(82)
000000 samr_io_r_set_userinfo
[2004/09/22 08:55:39, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
0000 status: NT_STATUS_ACCESS_DENIED
I'm not sure why the "no such attribute" is occurring. It's
there;
ldapsearch snippet:
dn: uid=CRK7$,ou=People,dc=hvcc,dc=edu
objectClass: posixAccount
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
uid: CRK7$
cn: CRK7$
sn: CRK7$
sambaSID: S-1-5-21-1908802895-3536710745-1580887524-41700
sambaPrimaryGroupSID: S-1-5-21-1908802895-3536710745-1580887524-515
sambaAcctFlags: [W ]
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1095858128
sambaNTPassword: C7389145F8AF64E09B75D48214E02B6B
sambaPwdLastSet: 1095858128
Maybe it's a mistake in processing the referral?
I'm going through the source, but haven't found anything yet.
snippet from smb.conf:
ldap passwd sync = yes
passdb backend = ldapsam:"ldap://localhost"
ldap suffix = dc=hvcc,dc=edu
ldap machine suffix = ou=People,dc=hvcc,dc=edu
ldap user suffix = ou=People,dc=hvcc,dc=edu
ldap group suffix = ou=Groups,dc=hvcc,dc=edu
ldap idmap suffix = ou=Idmap,dc=hvcc,dc=edu
ldap admin dn = cn=root,dc=hvcc,dc=edu
idmap backend = ldap:ldap://localhost
Can anyone shed some light here? I'd *really* like to use this "every DC
is also an LDAP replica" approach...
On a separate note, I've noticed that Samba doesn't seem to be using
alternate suffix values to override "ldap suffix" when knowledge of
machine, user, group or idmap may be known as indicated in
smb.conf(5)...I'm sure I'm missing something...
Regards,
Bill
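Added example, not part of Bill's post: a small parser for the Samba debug log format shown above (a `[timestamp, level] file:function(line)` header, sometimes wrapped onto a second line, followed by continuation lines). It reports whether the LDAP rebind callback fired after `smbldap_modify`, which is the sign that libldap chased a referral to another server, and which attribute the modify/delete failed on. The sample log is copied from the post; the function names are Samba's own.

```python
"""Group Samba log-level-10 output into records and diagnose a failed LDAP modify."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Header: "[YYYY/MM/DD HH:MM:SS, level]" optionally followed by "file:function(line)"
HEADER = re.compile(r"^\[([\d/]+ [\d:]+), (\d+)\](?: (\S+))?$")
LOCATION = re.compile(r"^(\S+):(\w+)\((\d+)\)$")

# Sample input copied from the post above (log level 10 snippet).
SAMBA_LOG = """\
[2004/09/22 08:55:39, 5] lib/smbldap.c:smbldap_modify(1009)
smbldap_modify: dn => [uid=CRK7$,ou=People,dc=hvcc,dc=edu]
[2004/09/22 08:55:39, 5] lib/smbldap.c:rebindproc_connect_with_state(698)
rebindproc_connect_with_state: Rebinding as "cn=root,dc=hvcc,dc=edu"
[2004/09/22 08:55:39, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1422)
ldapsam_modify_entry: Failed to modify user
dnuid=CRK7$,ou=People,dc=hvcc,dc=edu with: No such attribute
modify/delete: sambaPwdCanChange: no such attribute
[2004/09/22 08:55:39, 0]
passdb/pdb_ldap.c:ldapsam_update_sam_account(1622)
ldapsam_update_sam_account: failed to modify user with uid = CRK7$,
error: modify/delete: sambaPwdCanChange: no such attribute (Success)
"""

@dataclass
class Record:
    timestamp: str
    level: int
    function: str
    body: list[str] = field(default_factory=list)

def parse_log(text: str) -> list[Record]:
    """One Record per header; the file:function(line) part may sit on the next line."""
    records: list[Record] = []
    need_location = False
    for line in text.splitlines():
        if m := HEADER.match(line):
            ts, lvl, loc = m.groups()
            records.append(Record(ts, int(lvl), LOCATION.match(loc).group(2) if loc else ""))
            need_location = loc is None
        elif records and need_location and (m := LOCATION.match(line)):
            records[-1].function = m.group(2)
            need_location = False
        elif records:
            records[-1].body.append(line.strip())
    return records

def diagnose_modify(records: list[Record]):
    """Return (referral_chased, failing_attribute), or None if no modify was logged.
    The rebind callback firing after smbldap_modify means libldap followed a referral."""
    funcs = [r.function for r in records]
    if "smbldap_modify" not in funcs:
        return None
    after = records[funcs.index("smbldap_modify"):]
    chased = any(r.function == "rebindproc_connect_with_state" for r in after)
    hits = (re.search(r"modify/delete: (\w+): no such attribute", " ".join(r.body)) for r in after)
    attr = next((m.group(1) for m in hits if m), None)
    return chased, attr
```

Run against the post's log it reports that the referral was chased (the rebind as the admin DN) and that the delete half of the modify failed on sambaPwdCanChange, so the entry the master holds is the one to compare against the replica's ldapsearch output.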