On Thursday 31 March 2005 04:40, Meli Marco wrote:
> Hi,
> I am running samba-3.0.13-1 on RH9
> (openldap-2.0.27-8,krb5-1.2.7-10,nss_ldap-202-5) and configured as shown
> below; my intention is only to make IDMAP storage in LDAP using winbind.
> I've looked at the SAMBA3 by example book and the related official guide on
> the site.
> First I tried to run samba and winbind retrieving users and groups from
> ADS and storing them in winbindd_idmap.tdb and winbindd_cache.tdb files and
> it seems to work fine.
> Afterwards I introduced the LDAP backend and related configuration as shown
> below, but I received the errors at the bottom of the message.
> Why doesn't it work? I found only examples that show domains with only one
> prefix; could my ldap configuration be wrong?
> Thanks.
> Marco.
>
> /etc/samba/smb.conf
> netbios name = XXXX03
> os level = 16
> wins server = XXX.XXX.XXX.XXX
> socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
> unix charset = LOCALE
> workgroup = WORKGROUP
> realm = PREFIX1.PREFIX2.COM
> security = ADS
> password server = kdc01.sinter.gkn.com
> encrypt passwords = yes
> winbind use default domain = Yes
> winbind separator = /
> winbind enum users = Yes
> winbind enum groups = Yes
> ldap ssl = No
> ldap admin dn = cn=Manager,dc=prefix1,dc=prefix2,dc=com
> ldap idmap suffix = ou=Idmap
> ldap suffix = dc=prefix1,dc=prefix2,dc=com
> idmap backend = ldap:ldap://localhost
> idmap uid = 10000-40000
> idmap gid = 10000-40000
> hide unreadable = Yes
> template homedir = /data/user/%U
> template shell = /bin/false
> use sendfile = Yes
>
> /etc/nsswitch.conf
> passwd: compat ldap
> shadow: compat ldap
> group: compat ldap
> hosts: files dns wins
>
> /etc/ldap.conf
> host 127.0.0.1
> base dc=prefix1,dc=prefix2,dc=com
> binddn cn=Manager,dc=prefix1,dc=prefix2,dc=com
> bindpw secret
> pam_password exop
> nss_base_passwd ou=People,dc=prefix1,dc=prefix2,dc=com?one
> nss_base_shadow ou=People,dc=prefix1,dc=prefix2,dc=com?one
> nss_base_group ou=Group,dc=prefix1,dc=prefix2,dc=com?one
> ssl no
>
> /etc/openldap/idmap.ldif
> dn: dc=prefix1,dc=prefix2,dc=com
> objectClass: dcObject
> objectClass: organization
> dc: prefix1.prefix2
> o: xxx
> description: xxx
>
> dn: cn=Manager,dc=prefix1,dc=prefix2,dc=com
> objectClass: organizationalRole
> cn: Manager
> description: Directory Manager
>
> dn: ou=Idmap,dc=prefix1,dc=prefix2,dc=com
> objectClass: organizationalUnit
> ou: idmap
>
> /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = PREFIX1.PREFIX2.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> [realms]
> PREFIX1.PREFIX2.COM = {
> kdc = KDC01.PREFIX1.PREFIX2.COM
> }
>
> [domain_realm]
> .prefix1.prefix2.com = PREFIX1.PREFIX2.COM
> prefix1.prefix2.com = PREFIX1.PREFIX2.COM
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
>
> /var/spool/samba/log.winbindd
> [2005/03/30 17:53:26, 0] sam/idmap.c:idmap_init(138)
> idmap_init: failed to initialize remote backend!
> [2005/03/30 17:53:26, 1] nsswitch/winbindd.c:main(897)
> Could not init idmap -- netlogon proxy only
> [2005/03/30 17:54:34, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
> error getting user id for sid
> S-1-5-21-597916725-1483147915-620655208-19426
> [2005/03/30 17:54:34, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
> error getting user id for sid
> S-1-5-21-597916725-1483147915-620655208-19426

Did you store the LDAP server access password 'secret' into the Samba
secrets.tdb file?

    smbpasswd -w secret

- John T.
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
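
The check asked about in the reply can be scripted. This is an added example, not part of the thread and not Samba code: it reads `idmap backend` and `ldap admin dn` from smb.conf and looks for the matching bind-password key in `tdbdump` output. The function names, the `SECRETS/LDAP_BIND_PW/<dn>` key layout and the sample dump record are assumptions or constructed input.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight check: if smb.conf selects an
# LDAP idmap backend, is the bind password for "ldap admin dn" in secrets.tdb?

# Print a parameter's value. Samba ignores case and spaces in parameter names.
smbconf_get() {  # $1 = smb.conf path, $2 = parameter name
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ || !index($0, "=") { next }
        norm(substr($0, 1, index($0, "=") - 1)) == norm(want) {
            val = substr($0, index($0, "=") + 1)   # DN values contain "="
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        }
        END { print val }' "$1"
}

# stdin: output of `tdbdump <secrets.tdb>`. Returns 0 = password stored,
# 1 = missing, 2 = idmap backend is not LDAP (nothing to check).
# Assumption: Samba 3 stores it under the key SECRETS/LDAP_BIND_PW/<admin dn>.
check_idmap_ldap_secret() {  # $1 = smb.conf path
    case "$(smbconf_get "$1" "idmap backend")" in
        ldap:*) ;;
        *) cat >/dev/null; return 2 ;;
    esac
    dn=$(smbconf_get "$1" "ldap admin dn")
    [ -n "$dn" ] || { cat >/dev/null; return 1; }
    # Match key lines only, quietly: the data lines hold the cleartext password.
    grep -qF "= \"SECRETS/LDAP_BIND_PW/${dn}\""
}

# Constructed sample input: the relevant smb.conf lines from the post, and a
# made-up tdbdump record as it would look after `smbpasswd -w`.
demo_conf() {
    printf '%s\n' 'security = ADS' \
        'ldap admin dn = cn=Manager,dc=prefix1,dc=prefix2,dc=com' \
        'idmap backend = ldap:ldap://localhost'
}
demo_dump() {
    printf '%s\n' '{' \
        'key(60) = "SECRETS/LDAP_BIND_PW/cn=Manager,dc=prefix1,dc=prefix2,dc=com"' \
        'data(7) = "secret\00"' '}'
}

conf=$(mktemp) && demo_conf >"$conf"
: | check_idmap_ldap_secret "$conf" || echo "bind password missing (run smbpasswd -w)"
demo_dump | check_idmap_ldap_secret "$conf" && echo "bind password stored"
rm -f "$conf"
```

On a live system, pipe `tdbdump` of the secrets.tdb file (readable by root only; its location depends on the build) into `check_idmap_ldap_secret /etc/samba/smb.conf`.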