samba - May 2005 - Fwd: Follow Up - Problem with groups & joining domain.- LDAP

Follow up to original post.

If I created local groups and users in /etc/passwd &
/etc/groups I get farther along.

For instance, if I have a Samba PDC with LDAP basically like I listed
in my post.  If I browse from a w2k pro box to the samba server
without the workstation having joined the domain, I can authenticate
to the samba server with a user who is not in /etc/passwd but is in
LDAP.  So samba is able to do the lookup via ldap.

Now, if I create a posix group in ldap but not in /etc/group, I can
not use "net groupmap modify" to modify the ntgroup to unix group
mapping.  But if I create the group in /etc/groups then the group
mapping works.  This leads me to believe either that the
nsswitch/nss_ldap stuff in FreeBSD is either insufficient or not
configured.  Since their is so little to configure, I tend to lean
towards NSSwitch not being fully implemented.

Also If I try to join the domain with from a workstation that neither
has a /etc/passwd account or an ldap account then, joining the domain
fails, but smbldap-tools creates a workstation account in ldap with
posix only attributes and no samba attributes.

If I create the workstation account in /etc/passwd and then join the
domain, then I can sucessfully join the domain, and smbldap tools
creates an account in ldap, but this time with only samba attributes
and no posix attributes.

I have not tested any other group/user scenarios yet.
---------- Forwarded message ----------
From: Flatfender <flatfender@gmail.com>
Date: Apr 21, 2005 11:04 AM
Subject: Problem with groups & joining domain.- LDAP
To: samba@lists.samba.org


Software list:

FreeBSD 5.3
Samba 3.0.14a
nss_ldap-1.204_5
openldap-client-2.2.19
openldap-server-2.2.23
p5-perl-ldap-0.32.02
pam_ldap-1.7.6
smbldap-tools-0.8.8

samba was configured with the following options. LDAP, Cups, Winbind,
utmp, popt, acl, quotas, msdfs, syslog, without_ADS

I have also tried winbind_nss which I believe is a FreeBSD wrapper
around the linux implentation of winbindd, but it yielded the same
results.

1. ldapadd & ldapserach w/tls is working fine.
2. smbldap-tools work.  smbldap-populate,
smbldap-migrate-unix-accounts/groups work.  smbldap-useradd works.
3. smbpasswd -w has been set.

What fails is joining a machine to the domain.  I get the domain
password is incorrect, the workstation account is created, but with
posix attributes only, no samba attributes.

problems with groups
If I add a group to the local /etc/group file, which I don't think
should have to do, but maybe this is a FreeBSD nsswitch bug?  Can
anyone confirm this?

pw group add domadmins
smbldap-groupadd -a domadmins - adds to ldap fine.
net groupmap modify ntgroup="Domain Admins" unixgroup=domadmins . This
fails with this error message:   and I get the same error message if
the -a omitted from smbldap-groupadd

 passdb/pdb_ldap.c:ldapsam_update_group_mapping_entry(2665)
  ldapsam_update_group_mapping_entry: No group to modify!
Could not update group database

net groupmap list shows all groups that are in LDAP.

What I suspect is that group lookups are failing somehow, but I'm not
sure.   Also If I browse through network neighborhood to the samba PDC
server, I can authenticate with an ordinary user and get the users
home dir.  So Users seem to be working.

Here is my smb.conf, my smblap.conf and my ldap.conf

serf# testparm -s
Load smb config files from /usr/local/etc/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[Profiles]"
Processing section "[printers]"
Loaded services file OK.
# Global parameters
[global]
        dos charset = 850
        unix charset = ISO8859-1
        workgroup = IMSDOM
        server string = Samba Server [%v]
        map to guest = Bad User
        passdb backend = ldapsam:ldap://serf.ims-tpa.com
        username map = /usr/local/etc/smbusers
        log level = 5
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 50
        time server = Yes
        deadtime = 10
        printcap name = /etc/printcap
        add user script = /usr/local/sbin/smbldap-useradd -m "%u"
        add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/local/sbin/smbldap-groupmod -m
"%u" "%g"
        delete user from group script /usr/local/sbin/smbldap-groupmod -x
"%u" "%g"
        set primary group script = /usr/local/sbin/smbldap-usermod -g
"%g" "%u"
        add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
        logon path         logon drive = T:
        logon home = \\%L\home\%u
        domain logons = Yes
        os level = 33
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        ldap admin dn = cn=Manager,dc=ims-tpa,dc=com
        ldap delete dn = Yes
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Users
        ldap passwd sync = Yes
        ldap suffix = dc=ims-tpa,dc=com
        ldap ssl = start tls
        ldap user suffix = ou=Users
        idmap backend = ldap:ldap://serf.ims-tpa.com
        idmap uid = 1000-20000
        idmap gid = 1000-20000
        winbind separator = ^
        printer admin = "@Print Operators"
        create mask = 0640
        directory mask = 0750
        hosts allow = 192.168.0., 127.
        nt acl support = No
        case sensitive = No
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /usr/local/samba/netlogon
        guest ok = Yes
        share modes = No

[Profiles]
        path = /usr/local/samba/profiles
        read only = No
        guest ok = Yes
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

serf# less /usr/local/etc/smbldap-tools/smbldap.conf

# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.17 2005/01/29 15:00:54 jtournier Exp $

# General Configuration

SID="S-1-5-21-1642798596-2503770835-627191294"
##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Ex: slaveLDAP=127.0.0.1
# slaveLDAP="127.0.0.1"
# slavePort="389"

# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
# masterLDAP="127.0.0.1"
masterLDAP="serf.ims-tpa.com"
masterPort="389"

ldapTLS="1"

verify="require"

cafile="/usr/local/certs/cacert.pem"

clientcert=""
clientkey=""

# LDAP Suffix
suffix="dc=ims-tpa,dc=com"

usersdn="ou=Users,${suffix}"

computersdn="ou=Users,${suffix}"

groupsdn="ou=Groups,${suffix}"

idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="sambaDomainName=IMSDOM,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

userLoginShell="/bin/csh"

userHome="/home/%U"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

defaultMaxPasswordAge="99"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

userSmbHome=""

userHomeDrive="T:"

userScript=""

# mailDomain="ims-tpa.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="1"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

(END)

serf# less /etc/ldap.conf

# @(#)$Id: ldap.conf,v 1.34 2004/09/16 23:32:02 lukeh Exp $

host serf.ims-tpa.com

# The distinguished name of the search base.
base dc=ims-tpa,dc=com

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
# uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

loglevel 256
logfile /var/log/ldap.log

# The LDAP version to use (defaults to 3
# if supported by client library)
# ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com

# The credentials to bind with.
# Optional: default is no credential.
# bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
# rootbinddn cn=Manager,dc=ims-tpa,dc=com

# The port.
# Optional: default is 389.
port 389

# The search scope.
scope sub
#scope one
#scope base

# Search timelimit
# timelimit 30

# Bind/connect timelimit
# bind_timelimit 30

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
# bind_policy hard

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
# idle_timelimit 3600

# Filter to AND with uid=%s
# pam_filter objectclass=account

# The user ID attribute (defaults to uid)
# pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
# pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
# pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# If you are using XAD, you can set pam_password
# to racf, ad, or exop. Make sure that you have
# SSL enabled.

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change
your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
# nss_base_passwd       ou=People,dc=ims-tpa,dc=com?one
# nss_base_shadow       ou=People,dc=ims-tpa,dc=com?one
# nss_base_group        ou=Group,dc=ims-tpa,dc=com?one
#nss_base_hosts         ou=Hosts,dc=padl,dc=com?one
#nss_base_services      ou=Services,dc=padl,dc=com?one
#nss_base_networks      ou=Networks,dc=padl,dc=com?one
#nss_base_protocols     ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc           ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers        ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks      ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams    ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases       ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup      ou=Netgroup,dc=padl,dc=com?one

nss_base_passwd ou=Users,dc=ims-tpa,dc=com?sub
nss_base_passwd dc=ims-tpa,dc=com?sub
# nss_base_shadow       dc=ims-tpa,dc=com?sub
nss_base_group  ou=Groups,dc=ims-tpa,dc=com?sub

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute      rfc2307attribute        mapped_attribute
#nss_map_objectclass    rfc2307objectclass      mapped_objectclass

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
# ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
tls_checkpeer no
TLS_REQCERT allow

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
# tls_cacertfile /etc/ssl/ca.cert
# tls_cacertdir /etc/ssl/certs
# tls_cacertdir /usr/local/certs/demoCA

# tls_cacertfile /usr/local/certs/servercert.pem
# tls_cacertfile /usr/local/certs/cacert.pem
tls_cacert /usr/local/certs/cacert.pem

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
tls_ciphers HIGH:MEDIUM:SSLv2

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
(END)

tor, 05.05.2005 kl. 21.34 skrev Flatfender:
> If I created local groups and users in /etc/passwd &
> /etc/groups I get farther along.
> 
> For instance, if I have a Samba PDC with LDAP basically like I listed
> in my post.  If I browse from a w2k pro box to the samba server
> without the workstation having joined the domain, I can authenticate
> to the samba server with a user who is not in /etc/passwd but is in
> LDAP.  So samba is able to do the lookup via ldap.
> 
> Now, if I create a posix group in ldap but not in /etc/group, I can
> not use "net groupmap modify" to modify the ntgroup to unix group
> mapping.  But if I create the group in /etc/groups then the group
> mapping works.  This leads me to believe either that the
> nsswitch/nss_ldap stuff in FreeBSD is either insufficient or not
> configured.  Since their is so little to configure, I tend to lean
> towards NSSwitch not being fully implemented.
FWIW (and it's probably not going to help you) I read your post and
tried 'net groupmap modify' on my RHAS3/OpenLDAP 2.2.24 test rig. All my
Samba 3.0.14a stuff is in LDAP.

'net groupmap modify ntgroup="Domain Admins" unixgroup=katter'
(i.e.
"cats", it was domadm) and it *added* a new NT groupmapping, for
Domain
Admins beside the old groupmapping and changed the "katter" group RID
from 3009 to 512 as well as changing displayName from "Domain Katter"
to
"Domain Admins". Then I wanted to change it back again from the
command
line, but no no. It couldn't find "Domain Admins" in the database,
it
said. Thank God I use GQ to manage LDAP, so I could see what was going
on. Changing the RID and displayName in GQ got it back to the original
state.
> Also If I try to join the domain with from a workstation that neither
> has a /etc/passwd account or an ldap account then, joining the domain
> fails, but smbldap-tools creates a workstation account in ldap with
> posix only attributes and no samba attributes.
> 
> If I create the workstation account in /etc/passwd and then join the
> domain, then I can sucessfully join the domain, and smbldap tools
> creates an account in ldap, but this time with only samba attributes
> and no posix attributes.
I don't use those scripts. I use LDAP for far too many other things
besides Samba and my DIT is completely different from what Idealx would
like for me. If you use the Idealx adduser script to make a posixAccount
entry, try smbpasswd or pdbedit after that to make the sambaSamAccount
modifications. The only trouble is, that you can't make LDAP records on
the fly, that way.

Actually, the Samba tools are brilliant and *they* can cope with my
non-Idealx DIT more than well enough. I use smbpasswd on my rigs, called
out of shell scripts, for adding users and machines.

What you describe /would/ point to the nss libraries on your FreeBSD
rig. Maybe others with the same OS could comment, and someone like
Padl's Luke Howard on the Padl nssldap@padl.com mailing list would
surely know, since it's mainly he who writes the nss_ldap software.
> I have not tested any other group/user scenarios yet.
Well I have. I have Samba 3.0.11 with LDAP (RHAS3 again) on a
zero-maintenance production rig running at a reasonably large high
school site in Amsterdam. It's taken over from an NT4 PDC that
continually clapped out.

--Tonni

-- 
Nothing sucksseeds like a pigeon without a beak ...

mail: tonye@billy.demon.nl
http://www.billy.demon.nl
 
They'll love us, won't they? They feed us, don't they? ...

Just a note for the archives.

My Freebsd nsswitch problems were being caused by a mis-configured
nss_ldap.conf file.  Everything indeed seems to be working properly
now in Freebsd.

On 5/5/05, Flatfender <flatfender@gmail.com>
wrote:
> Follow up to original post.
> 
> If I created local groups and users in /etc/passwd &
> /etc/groups I get farther along.
> 
> For instance, if I have a Samba PDC with LDAP basically like I listed
> in my post.  If I browse from a w2k pro box to the samba server
> without the workstation having joined the domain, I can authenticate
> to the samba server with a user who is not in /etc/passwd but is in
> LDAP.  So samba is able to do the lookup via ldap.
> 
> Now, if I create a posix group in ldap but not in /etc/group, I can
> not use "net groupmap modify" to modify the ntgroup to unix group
> mapping.  But if I create the group in /etc/groups then the group
> mapping works.  This leads me to believe either that the
> nsswitch/nss_ldap stuff in FreeBSD is either insufficient or not
> configured.  Since their is so little to configure, I tend to lean
> towards NSSwitch not being fully implemented.
> 
> Also If I try to join the domain with from a workstation that neither
> has a /etc/passwd account or an ldap account then, joining the domain
> fails, but smbldap-tools creates a workstation account in ldap with
> posix only attributes and no samba attributes.
> 
> If I create the workstation account in /etc/passwd and then join the
> domain, then I can sucessfully join the domain, and smbldap tools
> creates an account in ldap, but this time with only samba attributes
> and no posix attributes.
> 
> I have not tested any other group/user scenarios yet.
> ---------- Forwarded message ----------
> From: Flatfender <flatfender@gmail.com>
> Date: Apr 21, 2005 11:04 AM
> Subject: Problem with groups & joining domain.- LDAP
> To: samba@lists.samba.org
> 
> 
> Software list:
> 
> FreeBSD 5.3
> Samba 3.0.14a
> nss_ldap-1.204_5
> openldap-client-2.2.19
> openldap-server-2.2.23
> p5-perl-ldap-0.32.02
> pam_ldap-1.7.6
> smbldap-tools-0.8.8
> 
> samba was configured with the following options. LDAP, Cups, Winbind,
> utmp, popt, acl, quotas, msdfs, syslog, without_ADS
> 
> I have also tried winbind_nss which I believe is a FreeBSD wrapper
> around the linux implentation of winbindd, but it yielded the same
> results.
> 
> 1. ldapadd & ldapserach w/tls is working fine.
> 2. smbldap-tools work.  smbldap-populate,
> smbldap-migrate-unix-accounts/groups work.  smbldap-useradd works.
> 3. smbpasswd -w has been set.
> 
> What fails is joining a machine to the domain.  I get the domain
> password is incorrect, the workstation account is created, but with
> posix attributes only, no samba attributes.
> 
> problems with groups
> If I add a group to the local /etc/group file, which I don't think
> should have to do, but maybe this is a FreeBSD nsswitch bug?  Can
> anyone confirm this?
> 
> pw group add domadmins
> smbldap-groupadd -a domadmins - adds to ldap fine.
> net groupmap modify ntgroup="Domain Admins" unixgroup=domadmins .
This
> fails with this error message:   and I get the same error message if
> the -a omitted from smbldap-groupadd
> 
>  passdb/pdb_ldap.c:ldapsam_update_group_mapping_entry(2665)
>   ldapsam_update_group_mapping_entry: No group to modify!
> Could not update group database
> 
> net groupmap list shows all groups that are in LDAP.
> 
> What I suspect is that group lookups are failing somehow, but I'm not
> sure.   Also If I browse through network neighborhood to the samba PDC
> server, I can authenticate with an ordinary user and get the users
> home dir.  So Users seem to be working.
snipped.