samba - Nov 2004 - vampire fails because of Debian smbldap-tools problem

Hi people,
	As usual I've tried a number of different approaches to this problem
and can't figure it out.  I don't have enough knowledge.  Every time I
do
net rpc vampire I get this crap spewed at me:

Use of uninitialized value in substitution (s///) at
/usr/share/perl5/smbldap_tools.pm line 106, <CONFIGFILE> line 233.
Use of uninitialized value in substitution (s///) at
/usr/share/perl5/smbldap_tools.pm line 106, <CONFIGFILE> line 245.
Use of uninitialized value in string at /usr/share/perl5/smbldap_tools.pm
line 153.
Use of uninitialized value in string at /usr/share/perl5/smbldap_tools.pm
line 153.
erreur LDAP: Can't contact master ldap server (IO::Socket::INET: Bad
hostname ''
) at /usr/share/perl5/smbldap_tools.pm line 153.
Creating unix group: 'Hire Accounting'

I've got this in my smbldap.conf file:

# Master LDAP : needed for write operations
# Ex: $masterLDAP = "127.0.0.1";
$masterLDAP = "guests1.guestsfurniturehire.com.au";
$masterPort = "389";

And /usr/share/perl5/smbldap_tools.pm line 106, has this:

101 sub subst_configvar
102   {
103         my $value = shift;
104         my $vars = shift;
105
106         $value =~ s/\$\{([^}]+)\}/$vars->{$1} ? $vars->{$1} : $1/eg;
107         return $value;
108   }
109

/usr/share/perl5/smbldap_tools.pm line 153  Says this:

150 sub connect_ldap_master
151   {
152         # bind to a directory with dn and password
153         my $ldap_master = Net::LDAP->new(
154
154  "$config{masterLDAP}",

These are the files provided by Debian sarge with an apt-get install
smbldap-tools.
And libnet-ldap-perl has been installed.  I don't know what to do next.
I'm hoping that someone can please help me figure out what is missing.


Regards Geoff Scott

Le mar 23/11/2004 ? 05:35, Geoff Scott a ?crit :
> Hi people,
> 	As usual I've tried a number of different approaches to this problem
> and can't figure it out.  I don't have enough knowledge.  Every
time I do
> net rpc vampire I get this crap spewed at me:
> 
> Use of uninitialized value in substitution (s///) at
> /usr/share/perl5/smbldap_tools.pm line 106, <CONFIGFILE> line 233.
> Use of uninitialized value in substitution (s///) at
> /usr/share/perl5/smbldap_tools.pm line 106, <CONFIGFILE> line 245.
it looks like there is a problem in your config file (
smbldap-tools.conf ). you should double-check syntax and verify proper
location

don't know if it's relevant but according to my installation of
smbldap-tools from tgz, configuration files should be in
/etc/smbldap-tools and debian package don't create this directory.

you should check /usr/share/doc/smbldap-tools/README.Debian.gz for
proper install instruction

> erreur LDAP: Can't contact master ldap server (IO::Socket::INET: Bad
> hostname ''
apparently variable hostname is not initialized.

hope this help

BTW i use tgz version of smbldap-tools on debian, they are more
up-to-date, and aparently better packaged.


-- 
-- Thomas Constans --

http://www.opendoor.fr
thomas.constans@opendoor.fr
04 78 68 17 34

> 
> BTW i use tgz version of smbldap-tools on debian, they are more
> up-to-date, and aparently better packaged.
> 
OK so I gave up on the .DEB version and downloaded the .tgz version.  I put
the scripts in /usr/sbin/samba.  I copied the 2 .conf files into
/etc/smbldap-tools/ and just to be sure that I didn't get any typos I used
the configure.pl script that comes with the tgz file.  It seems to run fine
and produce 2 good .conf files.  It does output this part way through
though:

Use of uninitialized value in scalar chomp at /usr/sbin/samba/configure.pl
line138, <STDIN> line 17.
Use of uninitialized value in hash element at /usr/sbin/samba/configure.pl
line140, <STDIN> line 17.
Use of uninitialized value in concatenation (.) or string at
/usr/sbin/samba/configure.pl line 144, <STDIN> line 17.
Use of uninitialized value in string at /usr/sbin/samba/configure.pl line
145, <STDIN> line 17.

Then when you Vampire accounts this happens:

Fetching DOMAIN database
SAM_DELTA_DOMAIN_INFO not handled
Creating unix group: 'Domain Admins'
Creating unix group: 'Domain Users'
Creating unix group: 'Domain Guests'
Creating unix group: 'Sofa Workshop'
Creating unix group: 'Family'
Creating unix group: 'Payroll'
Creating unix group: 'PA'
Creating unix group: 'Accounting'
Creating unix group: 'GHAccounts'
Creating unix group: 'Hire Accounting'
Creating unix group: 'Seagate Info'
Creating unix group: 'MTS Trusted Impersonators'
Creating unix group: 'TopTools'
Creating unix group: 'Melb Consultants'
Creating unix group: 'Melb Accounts'
Creating unix group: 'Manager Reporting'
Creating unix group: 'NSW Consultants'
Creating unix group: 'Actif'
Creating unix group: 'QLD Consultants'
Creating account: administrator
Can't call method "get_value" on an undefined value at
/usr/sbin/samba/smbldap-useradd line 168, <DATA> line 283.
Could not create posix account info for 'administrator'
Creating account: deloitte
Can't call method "get_value" on an undefined value at
/usr/sbin/samba/smbldap-useradd line 168, <DATA> line 283.
Could not create posix account info for 'deloitte'
Creating account: iusr_guests
Can't call method "get_value" on an undefined value at
/usr/sbin/samba/smbldap-useradd line 168, <DATA> line 283.
Could not create posix account info for 'iusr_guests'

So everything works fine till you get to creating proper users.  I've
checked and checked the smbldap.conf file for errors, which I can't see.
Can anyone see anything glaringly obvious that I have missed?  Oh, and the
reason that I am putting users etc into ou=Users,ou=OxObjects is that I am
trying to integrate Samba with Open Exchange.  Is there something hardcoded
into Samba that will stop me from doing this?

Regards Geoff

The smbldap.conf file that I am currently using is below:

# General Configuration

# Put your own SID
# to obtain this number do: net getlocalsid
SID="S-1-5-21-1766222747-101449826-1539857752"

# LDAP Configuration
slaveLDAP="127.0.0.1"
slavePort="389"

# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="127.0.0.1"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify=""

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile=""

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert=""

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey=""

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=foobar,dc=com,dc=au"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
usersdn="ou=Users,ou=OxObjects,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
computersdn="ou=Users,ou=OxObjects,${suffix}"

# Where are stored Groups
# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
groupsdn="ou=Groups,ou=OxObjects,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
hash_encrypt="MD5"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

############################################################################
##
#
# Unix Accounts Configuration
#
############################################################################
##

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Gecos
userGecos="User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="90"

############################################################################
##
#
# SAMBA Configuration
#
############################################################################
##

# The UNC path to home drives location (%U username substitution)
# Ex: \\My-PDC-netbios-name\homes\%U
# Just set it to a null string if you want to use the smb.conf 'logon
home'
# directive and/or disable roaming profiles
userSmbHome=""

# The UNC path to profiles locations (%U username substitution)
# Ex: \\My-PDC-netbios-name\profiles\%U
# Just set it to a null string if you want to use the smb.conf 'logon
path'
# directive and/or disable roaming profiles
userProfile=""

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: H: for H:
userHomeDrive="'Z:'"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: %U.cmd
# userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
mailDomain="foobar.com"

############################################################################
##
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
############################################################################
##

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm)
but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

> > BTW i use tgz version of smbldap-tools on debian, they are more
> > up-to-date, and aparently better packaged.
> >
> 
> OK so I gave up on the .DEB version and downloaded the .tgz version.  I
> put
> the scripts in /usr/sbin/samba.  I copied the 2 .conf files into
> /etc/smbldap-tools/ and just to be sure that I didn't get any typos I
used
> the configure.pl script that comes with the tgz file.  It seems to run
> fine
> and produce 2 good .conf files.  It does output this part way through
> though:
> 
> Use of uninitialized value in scalar chomp at /usr/sbin/samba/configure.pl
> line138, <STDIN> line 17.
> Use of uninitialized value in hash element at /usr/sbin/samba/configure.pl
> line140, <STDIN> line 17.
> Use of uninitialized value in concatenation (.) or string at
> /usr/sbin/samba/configure.pl line 144, <STDIN> line 17.
> Use of uninitialized value in string at /usr/sbin/samba/configure.pl line
> 145, <STDIN> line 17.
> 
> Then when you Vampire accounts this happens:
> 
> Fetching DOMAIN database
> SAM_DELTA_DOMAIN_INFO not handled
> Creating unix group: 'Domain Admins'
> Creating unix group: 'Domain Users'
> Creating unix group: 'Domain Guests'
<snip>
> Creating unix group: 'QLD Consultants'
> Creating account: administrator
> Can't call method "get_value" on an undefined value at
> /usr/sbin/samba/smbldap-useradd line 168, <DATA> line 283.
> Could not create posix account info for 'administrator'
> Creating account: deloitte
> Can't call method "get_value" on an undefined value at
I thought that I would give it another go.  This time just adding a user
with smbldap-useradd only. The error that I got back was that the group gid
513 didn't exist.  I did a slapcat and looked for the domain users and the
gid was like 10001 or something   the reason for this was that I had
followed chapter 8 of JHT's example book and it doesn't explicitly state
in
that chapter where you follow on from chapter 6.  If you use the smbldap
tools they set the domain users gid to 513 and the default group of your
users to the domain users.  So if you follow chapter 8 don't just use the
preload.ldif and then follow that up with a vampire off the NT server, you
probably want to use smbldap-populate after you join the domain and before
you vampire accounts, as it will create the Domain Users group with gid 513,
the same as is the default for the smbldap scripts.

I hope this helps other people. 

Regards Geoff

Sorry, Geoff, I thought I'd reply to the list as this seems an important 
issue...

On Nov 24, Geoff Scott wrote:
>> There is a note in the book (and online) that says that you have to
create
>> all these yourself in the case that you are using ldap.  Nowhere does
it
>> make mention of that in the example scripts.  This is how I missed it
>> first time around.
> Does it say it in the TOSHARG book?  I looked again and I can't find
any
> reference to it in the samba by example book online.
Ok, I lied.  I had seen it somewhere...
it is in the Samba-HOWTO-Collection/groupmapping.html#id2537327 paragraph 
(the note...)

The other really useful thing I found while looking for the above 
reference is in the Samba-Guide/happy.html#id2536161 where in the note it 
says that having separate containers for users and computers does not yet 
work, yet examples appear to use this (hence I got the crazy idea it 
should just work and it didn't).

This brings me to my last point about the LDAP issue that seemed to bring 
this thread up:
Why is samba using NSS when it has all the necessary information to do the 
proper LDAP search itself?  This does not appear to make sense.

tom.

> The issue of this thread was authenticating machine accounts if I remember
> correctly...
> 
No I was just having a hard time getting the smbldap tools to work properly.
It all came down to me not knowing at what point you switch from chapter 6
of the example book to chapter 8 to vampire accounts of the NT server.  Of
course if you vampire accounts straight after you use the preload.ldif then
you end up with different GID's than what the smbldap tools expect in their
defaults. therefore the vampire fails as the expected GID for the group is
different to what vampire sets up as it creates the groups from the NT
server. 
 It would be nice if John could add to chapter 8 something like: Build the
Base server the same as in Chapter 6 including step ? "using the
smbldap-populate script" then continue with vampiring the accounts.

Regards Geoff