I'm trying to use the LDAP backend for the idmap database but I just can't seem to get it to work. There really is rather pathetic documentation out there on how to implement this. I've basically got my LDAP server set up with an OU called smb and another OU under it called idmap. Here is my smb.conf file:

  [global]
    workgroup = HQ
    server string = Theo's Samba Server
    security = ADS
    encrypt passwords = yes
    load printers = no
    log file = /var/log/samba/%m.log
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = no
    domain master = no
    dns proxy = no
    wins server = 192.168.192.60 192.168.192.61
    log level = 1
    syslog = 0
    ldap ssl = no
    realm = HQ.NAVIS.NET
    password server = hqdc01.hq.navis.net
    winbind cache time = 10
    winbind use default domain = yes
    client use spnego = yes
    template primary group = "HQ+Domain Users"
    template shell = /bin/bash
    winbind separator = +
    winbind nested groups = yes
    #idmap options for mapping SID to Unix uid, gid
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    idmap backend = "ldap:ldap://localhost"
    ldap admin dn = "cn=Manager,dc=navis,dc=net"
    ldap idmap suffix = "ou=idmap,ou=smb,dc=navis,dc=net"
    ldap suffix = "ou=smb,dc=navis,dc=net"

  #============================ Share Definitions =============================
  # This one is useful for people to share files
  [test]
    comment = this is a test share
    path = /share/test
    read only = no
    public = yes
    writable = yes
    printable = no
    browseable = yes
    valid users = @"HQ+Domain Users"

All seems well with wbinfo, and things work fine when I'm not using the LDAP backend. Please, someone help; this is driving me nuts!

Thanks in advance,
Theo
Theodore Jencks wrote:
| ldap idmap suffix = "ou=idmap,ou=smb,dc=navis,dc=net"
| ldap suffix = "ou=smb,dc=navis,dc=net"

change this to

  ldap suffix = "ou=smb,dc=navis,dc=net"
  ldap idmap suffix = "ou=idmap"

cheers, jerry
Ok, I made the change, but now I get this in the winbind log at log level 4:

  idmap_init: failed to initialize remote backend!

What might this be related to? I looked a little further through the logs and it looks like it connects to the LDAP server just fine, but I don't know what is screwing up the initialization.

Regards,
Theo
Ok, I made the change, however the LDAP backend for idmap is still not working. I set winbind to debugging level 5 and get the following in the logs:

  [2005/03/21 09:45:05, 2] lib/interface.c:add_interface(81)
    added interface ip=192.168.192.112 bcast=192.168.195.255 nmask=255.255.252.0
  [2005/03/21 09:45:05, 5] lib/util.c:init_names(256)
    Netbios name list:-
    my_netbios_names[0]="THEO"
  [2005/03/21 09:45:05, 2] lib/interface.c:add_interface(81)
    added interface ip=192.168.192.112 bcast=192.168.195.255 nmask=255.255.252.0
  [2005/03/21 09:45:05, 5] lib/gencache.c:gencache_init(59)
    Opening cache file at /var/lock/samba/gencache.tdb
  [2005/03/21 09:45:05, 5] libsmb/namecache.c:namecache_enable(58)
    namecache_enable: enabling netbios namecache, timeout 660 seconds
  [2005/03/21 09:45:05, 5] sam/idmap.c:smb_register_idmap(91)
    smb_register_idmap: Successfully added idmap backend 'ldap'
  [2005/03/21 09:45:05, 5] sam/idmap.c:smb_register_idmap(91)
    smb_register_idmap: Successfully added idmap backend 'tdb'
  [2005/03/21 09:45:05, 3] sam/idmap.c:idmap_init(132)
    idmap_init: using 'ldap' as remote backend
  [2005/03/21 09:45:05, 5] lib/smbldap.c:smbldap_search(1038)
    smbldap_search: base => ["ou=idmap","ou=smb,dc=navis,dc=net"], filter => [(objectclass=sambaUnixIdPool)], scope => [2]
  [2005/03/21 09:45:05, 5] lib/smbldap.c:smbldap_close(949)
    The connection to the LDAP server was closed
  [2005/03/21 09:45:05, 2] lib/smbldap.c:smbldap_open_connection(692)
    smbldap_open_connection: connection opened
  [2005/03/21 09:45:05, 3] lib/smbldap.c:smbldap_connect_system(866)
    ldap_connect_system: succesful connection to the LDAP server
    ldap_connect_system: LDAP server does support paged results
  [2005/03/21 09:45:05, 4] lib/smbldap.c:smbldap_open(929)
    The LDAP server is succesfully connected
  [2005/03/21 09:45:05, 0] sam/idmap.c:idmap_init(138)
    idmap_init: failed to initialize remote backend!

Looks like it tries to get what are called paged results and then it fails to initialize remote backend. I'm not quite sure what is going on here, and any further guidance would be greatly appreciated.

Thanks in advance,
Theo
Figured this out a little further: I had the following in my smb.conf:

  idmap uid = 10000-20000
  idmap gid = 10000-20000
  idmap backend = ldap:ldap://localhost
  ldap admin dn = cn=manager,dc=navis,dc=net
  ldap suffix = "ou=smb,dc=navis,dc=net"
  ldap idmap suffix = "ou=idmap"

I took the quotes off and now winbind seems to connect to LDAP fine:

  ldap suffix = ou=smb,dc=navis,dc=net
  ldap idmap suffix = ou=idmap

I'm now getting this when I start winbind in the winbind log:

  [2005/03/21 11:16:25, 5] lib/gencache.c:gencache_init(59)
    Opening cache file at /var/lock/samba/gencache.tdb
  [2005/03/21 11:16:25, 5] libsmb/namecache.c:namecache_enable(58)
    namecache_enable: enabling netbios namecache, timeout 660 seconds
  [2005/03/21 11:16:25, 5] sam/idmap.c:smb_register_idmap(91)
    smb_register_idmap: Successfully added idmap backend 'ldap'
  [2005/03/21 11:16:25, 5] sam/idmap.c:smb_register_idmap(91)
    smb_register_idmap: Successfully added idmap backend 'tdb'
  [2005/03/21 11:16:25, 3] sam/idmap.c:idmap_init(132)
    idmap_init: using 'ldap' as remote backend
  [2005/03/21 11:16:25, 5] lib/smbldap.c:smbldap_search(1038)
    smbldap_search: base => [ou=idmap,ou=smb,dc=navis,dc=net], filter => [(objectclass=sambaUnixIdPool)], scope => [2]
  [2005/03/21 11:16:25, 5] lib/smbldap.c:smbldap_close(949)
    The connection to the LDAP server was closed
  [2005/03/21 11:16:25, 2] lib/smbldap.c:smbldap_open_connection(692)
    smbldap_open_connection: connection opened
  [2005/03/21 11:16:26, 3] lib/smbldap.c:smbldap_connect_system(866)
    ldap_connect_system: succesful connection to the LDAP server
    ldap_connect_system: LDAP server does support paged results
  [2005/03/21 11:16:26, 4] lib/smbldap.c:smbldap_open(929)
    The LDAP server is succesfully connected
  [2005/03/21 11:16:26, 2] lib/tallocmsg.c:register_msg_pool_usage(57)
    Registered MSG_REQ_POOL_USAGE
  [2005/03/21 11:16:26, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
    Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
  [2005/03/21 11:16:26, 2] nsswitch/winbindd_util.c:add_trusted_domain(175)
    Added domain HQ HQ.NAVIS.NET S-0-0
  [2005/03/21 11:16:26, 4] passdb/secrets.c:secrets_fetch_trust_account_password(290)
    Using cleartext machine password

However, I still think there is a problem, because getent passwd only returns local usernames. When I'm not using the ldap idmap backend, getent passwd runs as expected, giving both local and domain usernames.

Any help appreciated,
Theo

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
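Two things went wrong in this thread before winbind would talk to the idmap tree: the idmap suffix was given as an absolute DN even though Samba appends "ldap suffix" to it, and the quotes around the values were carried into the search base literally (the debug log shows base => ["ou=idmap","ou=smb,dc=navis,dc=net"]). The script below is an added example, not part of the thread and not Samba's own code: it lints an smb.conf fragment for both mistakes and scans winbindd log lines for the resulting symptoms. The smb.conf parser is a deliberately minimal stand-in for Samba's loadparm, the DN composition (idmap suffix + "," + ldap suffix) is modelled on what the log above shows for the working configuration, and the config fragments and log excerpt are constructed from the values posted in the thread.

```python
"""Lint idmap/LDAP settings in an smb.conf fragment and scan winbindd debug
output for the symptoms seen in this thread.  Added example; the parser and
the DN composition are assumptions modelled on the thread, not Samba code."""
import re

# Constructed smb.conf fragments: the original (absolute, quoted idmap suffix)
# and the later, working one (relative, unquoted).
CONF_ORIGINAL = """
[global]
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap backend = "ldap:ldap://localhost"
ldap admin dn = "cn=Manager,dc=navis,dc=net"
ldap idmap suffix = "ou=idmap,ou=smb,dc=navis,dc=net"
ldap suffix = "ou=smb,dc=navis,dc=net"
"""

CONF_FIXED = """
[global]
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap backend = ldap:ldap://localhost
ldap admin dn = cn=manager,dc=navis,dc=net
ldap suffix = ou=smb,dc=navis,dc=net
ldap idmap suffix = ou=idmap
"""

# Constructed winbindd log excerpt in the format quoted in the thread.
WINBIND_LOG = """\
[2005/03/21 09:45:05, 3] sam/idmap.c:idmap_init(132)
  idmap_init: using 'ldap' as remote backend
[2005/03/21 09:45:05, 5] lib/smbldap.c:smbldap_search(1038)
  smbldap_search: base => ["ou=idmap","ou=smb,dc=navis,dc=net"], filter => [(objectclass=sambaUnixIdPool)], scope => [2]
[2005/03/21 09:45:05, 0] sam/idmap.c:idmap_init(138)
  idmap_init: failed to initialize remote backend!
"""


def parse_global(text):
    """Return key/value pairs from the [global] section.  Values are kept
    verbatim, quotes included, which is exactly what produced the bad base."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params


def effective_idmap_base(params):
    """Assumed composition: 'ldap idmap suffix' is relative to 'ldap suffix'."""
    suffix = params.get("ldap suffix", "")
    idmap = params.get("ldap idmap suffix", "")
    if not idmap:
        return suffix
    return f"{idmap},{suffix}" if suffix else idmap


def lint_idmap_ldap(params):
    """Return a list of findings; an empty list means the fragment looks sane."""
    findings = []
    suffix = params.get("ldap suffix", "")
    idmap = params.get("ldap idmap suffix", "")
    for key in ("ldap suffix", "ldap idmap suffix", "idmap backend", "ldap admin dn"):
        if '"' in params.get(key, ""):
            findings.append(f"{key}: quotes are kept as literal characters")
    bare_idmap, bare_suffix = idmap.strip('"').lower(), suffix.strip('"').lower()
    if bare_idmap and bare_suffix and bare_idmap.endswith(bare_suffix):
        findings.append("ldap idmap suffix: already absolute, base DN would repeat ldap suffix")
    base = effective_idmap_base(params)
    if '"' in base:
        findings.append(f"effective search base contains quotes: {base}")
    for key in ("idmap uid", "idmap gid"):
        m = re.fullmatch(r"(\d+)-(\d+)", params.get(key, ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"{key}: expected a low-high range")
    return findings


def scan_winbind_log(text):
    """Pull every LDAP search base out of smbldap_search lines and note whether
    idmap_init reported failure, so a malformed DN is visible at a glance."""
    bases = re.findall(r"base => \[(.*?)\], filter", text)
    return {
        "bases": bases,
        "quoted_base": any('"' in b for b in bases),
        "init_failed": "failed to initialize remote backend" in text,
    }


if __name__ == "__main__":
    for name, conf in (("original", CONF_ORIGINAL), ("fixed", CONF_FIXED)):
        params = parse_global(conf)
        print(name, "->", effective_idmap_base(params), lint_idmap_ldap(params))
    print(scan_winbind_log(WINBIND_LOG))
```

Run it against a real smb.conf by reading the file into parse_global(); the lint only reads the configuration and log text, so it is safe to use on a production box while comparing against what testparm reports.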
Ok, so things seem to be working better now. The LDAP backend is populated with SID to Unix ID mappings; however, if I run "getent passwd" the local user list is returned, followed by a long pause, then nothing. I would like to correct this behavior because it means that something is screwed up someplace.

I have created a couple of file shares in my smb.conf as follows:

  [software]
    comment = Software for IT personnel
    path = /share/software
    read only = no
    public = no
    writable = yes
    printable = no
    browseable = yes
    valid users = @"HQ+Domain Admins"

  [backup]
    comment = Misc. data backups
    path = /share/backup
    read only = no
    public = no
    writable = yes
    printable = no
    browseable = yes
    valid users = HQ+tjencks

I can access both of these shares from my Windows domain account; however, other users that are in the Domain Admins group get prompted for a password when trying to access the "software" share. I can't figure out why my domain account is the only one that seems to work for this share. I've checked permissions on the /share/software directory and they were set as follows:

  chown "HQ+tjencks":"HQ+Domain Admins" software

then I did

  chmod 775 software

ls -l shows

  drwxrwxr-x  4 tjencks domain admins 96 Mar 21 07:10 software

I don't know what could be wrong. Thanks in advance for any and all help, tips or snippets of info.

Theo