Hi,

I've been trying to populate an LDAP directory with IDMAP information from Winbind using NSS_LDAP without much success over the last week. Can anybody tell me if I've done anything obviously wrong?

I've followed the example shown in the Samba "By Example" doc and am at the stage where the LDAP directory has been created and configured, NSS_LDAP config is amended, smb.conf contains entries to use LDAP as a backend and I have deleted /var/cache/samba/winbindd_cache.tdb and winbindd_idmap.tdb. Now wbinfo -u and wbinfo -g show users and groups on the domain but getent passwd/groups only displays local users. The winbindd_cache.tdb and winbindd_idmap.tdb files have been recreated but only winbindd_cache.tdb holds any information. When I attempt to access a Samba share I'm prompted to enter a username and password.

As I understand it once the wbinfo commands have been run this process should automatically populate the Idmap ou with the ID mappings - is this correct? If so there must be something wrong with my config.

Here's the current config and relevant info - sorry it's a bit long:

/etc/samba/smb.conf

[global]
workgroup = UKCORPLAN
netbios name = UKFS01
server string = UKFS01 Samba Server
winbind separator = /
ldap ssl = no
idmap uid = 10000-10000000
idmap gid = 10000-10000000
ldap admin dn = cn=Manager,dc=uk,dc=corplan,dc=net
ldap idmap suffix = ou=Idmap
ldap suffix = dc=uk,dc=corplan,dc=net
idmap backend = ldap:ldap://10.10.4.111/
winbind enum users = yes
winbind enum groups = yes
template homedir = /mnt/emcpowerb/user/%D/%U
template shell = /bin/bash
password server = ukdc01.uk.corplan.net
security = ADS
#encrypt passwords = yes
realm = uk.corplan.net
browseable = yes
username map = /etc/samba/smbusers
log level = 10 ads:10 auth:10 sam:10 rpc:10 idmap:10
syslog = 0
log file = /var/log/samba/%m
max log size = 50

#============================ Share Definitions =============================
[homes]
comment = Home Directories
browseable = no
writable = yes

[public]
comment = Public Stuff
path = /home/samba
public = yes
read only = no

[test]
comment = test share
path = /mnt/emcpowera/shared/test
public = yes
browseable = yes
writeable = yes

/etc/nsswitch.conf

passwd: files ldap
shadow: files ldap
group: files ldap

#hosts: db files nisplus nis dns
hosts: files dns

/etc/openldap/slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
## schema files (core.schema is required by default)
include /etc/openldap/schema/core.schema

## needed for sambaSamAccount
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
#access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=uk,dc=corplan,dc=net"
rootdn "cn=Manager,dc=uk,dc=corplan,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap/samba

# Indices to maintain for this database
# Required by OpenLDAP
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Indices required for Samba
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

/etc/openldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
HOST 10.10.4.111
BASE dc=uk,dc=corplan,dc=net
#TLS_CACERTDIR /etc/openldap/cacerts

/etc/ldap.conf - nss_ldap config - only shows changes, the rest is as default

# @(#)$Id: ldap.conf,v 1.34 2004/09/16 23:32:02 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host 10.10.4.111

# The distinguished name of the search base.
base dc=uk,dc=corplan,dc=net

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
uri ldap://10.10.4.111/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=Manager,dc=uk,dc=corplan,dc=net

# The credentials to bind with.
# Optional: default is no credential.
bindpw secret

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password exop

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,dc=uk,dc=corplan,dc=net?one
nss_base_shadow ou=People,dc=uk,dc=corplan,dc=net?one
nss_base_group ou=Groups,dc=uk,dc=corplan,dc=net?one
#nss_base_hosts ou=Hosts,dc=example,dc=com?one
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=example,dc=com?one

[root@UKFS01 etc]# slapcat | grep -i IDMAP
o: Samba Idmap Directory
dn: ou=Idmap,dc=uk,dc=corplan,dc=net
ou: idmap

I've googled about a bit and haven't been able to find too much except this thread:
http://www.mail-archive.com/samba@lists.samba.org/msg30905.html

But I've checked most of the info and it looks OK in comparison to my setup.

Any help with this is much appreciated...

Thanks,

Simon

********************************************************************************
The information contained in this email message may be confidential. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorised and prohibited. Although this message and any attachments are believed to be free of viruses, no responsibility is accepted by T&F Informa for any loss or damage arising in any way from receipt or use thereof. Messages to and from the company are monitored for operational reasons and in accordance with lawful business practices. If you have received this message in error, please notify us by return and delete the message and any attachments. Further enquiries/returns can be sent to postmaster@tfinforma.com
Hi,

The uidNumber and gidNumber are already in LDAP - they're shown using ldapsearch but not slapcat. I think they automatically get added by samba.

Thanks,
Simon

> From: Sam <get-a-no-spam-fix123@hotmail.com>
> Newsgroups: linux.samba
> Date: Tue, 16 Aug 2005 11:16:10 +1000
> To: "Gibbs, Simon" <Simon.Gibbs@informa.com>
> Subject: Re: [Samba] Getting Winbind IDMAP into LDAP?
>
> <snip>
> idmap uid = 10000-10000000
> idmap gid = 10000-10000000
> <snip>
>> [root@UKFS01 etc]# slapcat | grep -i IDMAP
>> o: Samba Idmap Directory
>> dn: ou=Idmap,dc=uk,dc=corplan,dc=net
>> ou: idmap
>>
>> I've googled about a bit and haven't been able to find too much except this
>
> in ur LDIF used to populate LDAP add
>
> gidNumber: 10000
> uidNumber: 10000
>
> this provides initial seed for IDMAP. That's how it worked for me. YMMV.
> Look for LDAP debug logs for more clues about its failure wrt LDAP
> connection.
>
> regards
>
> Shirish
> getafix*no*spam*123@hot*no*spam*mail.com
Hi Gints,

Changing nsswitch.conf from:

passwd: files ldap
group: files ldap

to

passwd: files winbind
group: files winbind

did the trick. Running getent passwd/group began populating LDAP and I can search all the records using ldapsearch and slapcat.

Would this be an error in the documentation as (unless I was reading the wrong section) it uses the ldap entries in its example?

My one concern is that when winbind is stopped and restarted the winbindd_idmap.tdb and winbindd_cache.tdb files are recreated and entries are added. Would this be expected? I guess I can test this today when I begin configuring a second node.....

Thanks for your help.

Simon

> From: gints neimanis <gints@venta.lv>
> Date: Tue, 16 Aug 2005 11:57:48 +0300
> To: "Gibbs, Simon" <Simon.Gibbs@informa.com>, <samba@lists.samba.org>
> Subject: Re: Getting Winbind IDMAP into LDAP?
>
> Hi,
>
> to use ldap as winbind idmap backend, you don't need the NSS_LDAP at all.
> All queries and updates to ldap are performed by winbind itself.
>
> Your smb.conf looks fine.
> You may check 2 things:
> * Have you stored the LDAP Manager password to LDAP database with
> command "smbpasswd -w 'verysecretldapmanager password'" ?
> * and look if you have added winbind to /etc/nsswitch.conf (and then
> command "getent passwd" should show all domain users with id from ldap)?
> like:
> ==> ...
> passwd: files winbind
> group: files winbind
> ...
> ==>
> Next - you may increase the loglevel (loglevel 256) for LDAP server and
> look in ldap messages what is wrong in connection.
>
> Gints
>
> Gibbs, Simon wrote:
>> <snip>
Hi,

to use ldap as winbind idmap backend, you don't need the NSS_LDAP at all. All queries and updates to ldap are performed by winbind itself.

Your smb.conf looks fine. You may check 2 things:
* Have you stored the LDAP Manager password to LDAP database with command "smbpasswd -w 'verysecretldapmanager password'" ?
* and look if you have added winbind to /etc/nsswitch.conf (and then command "getent passwd" should show all domain users with id from ldap)? like:
==> ...
passwd: files winbind
group: files winbind
...
==>
Next - you may increase the loglevel (loglevel 256) for LDAP server and look in ldap messages what is wrong in connection.

Gints

Gibbs, Simon wrote:
> <snip>
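The three things this thread turns on are checkable from files alone: whether passwd and group in nsswitch.conf consult winbind (Gints's check), whether the Idmap OU carries the uidNumber/gidNumber seed Shirish mentions, and whether the mappings winbind writes fall inside the idmap uid/gid ranges from Simon's smb.conf. The script below is an added example, not code from the thread or from Samba; it runs read-only over constructed copies of those inputs, so it never needs the ldap admin dn credential that smbpasswd -w stores. The objectClass names sambaUnixIdPool and sambaIdmapEntry are assumed from samba.schema (the page only shows the ou=Idmap entry), and the SIDs and id numbers are made up. It goes one step beyond the thread by also flagging a mapping that lands on a UID already defined in /etc/passwd: since "files" precedes winbind in nsswitch.conf, such a domain account would resolve to the local user, which is the kind of overlap worth catching before a second node is joined to the same directory.

```python
import re

# Constructed inputs modelled on the files posted in the thread.
NSSWITCH_BEFORE = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\nhosts: files dns\n"
NSSWITCH_AFTER = "passwd: files winbind\nshadow: files ldap\ngroup: files winbind\nhosts: files dns\n"
SMB_CONF = "[global]\nidmap uid = 10000-10000000\nidmap gid = 10000-10000000\nidmap backend = ldap:ldap://10.10.4.111/\n"
# Constructed slapcat-style LDIF for the Idmap OU. The objectClass names sambaUnixIdPool
# (next free ids) and sambaIdmapEntry (one SID -> id mapping) are assumed from samba.schema.
IDMAP_LDIF = """dn: ou=Idmap,dc=uk,dc=corplan,dc=net
objectClass: organizationalUnit
objectClass: sambaUnixIdPool
ou: idmap
uidNumber: 10002
gidNumber: 10001

dn: sambaSID=S-1-5-21-1111-2222-3333-1105,ou=Idmap,dc=uk,dc=corplan,dc=net
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-1111-2222-3333-1105
uidNumber: 10000

dn: sambaSID=S-1-5-21-1111-2222-3333-1106,ou=Idmap,dc=uk,dc=corplan,dc=net
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-1111-2222-3333-1106
uidNumber: 500

dn: sambaSID=S-1-5-21-1111-2222-3333-513,ou=Idmap,dc=uk,dc=corplan,dc=net
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-1111-2222-3333-513
gidNumber: 10000
"""
LOCAL_PASSWD = "root:x:0:0:root:/root:/bin/bash\nsimon:x:500:500::/home/simon:/bin/bash\n"

def nsswitch_sources(text):
    """Map each nsswitch.conf database to its list of sources (comments stripped)."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            db, srcs = line.split(":", 1)
            sources[db.strip()] = srcs.split()
    return sources

def winbind_enabled(text):
    """The check Gints asks for: passwd and group both consult winbind."""
    s = nsswitch_sources(text)
    return all("winbind" in s.get(db, []) for db in ("passwd", "group"))

def idmap_ranges(text):
    """'idmap uid' / 'idmap gid' lines of smb.conf -> {'uid': (lo, hi), 'gid': (lo, hi)}."""
    pat = re.compile(r"^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)", re.M)
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in pat.finditer(text)}

def parse_ldif(text):
    """Minimal LDIF reader (no base64, no line folding): one {attr: [values]} per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            entry.setdefault(attr.strip(), []).append(val.strip())
        entries.append(entry)
    return entries

def local_uids(passwd_text):
    """UIDs from /etc/passwd-style text; 'files' wins over winbind in nsswitch.conf."""
    return {int(l.split(":")[2]) for l in passwd_text.splitlines() if l.count(":") >= 6}

def in_range(n, lo_hi):
    return lo_hi[0] <= n <= lo_hi[1]

def pool_seeded(ldif_text, smb_conf):
    """The seed Shirish describes: sambaUnixIdPool holds uidNumber/gidNumber inside the ranges."""
    ranges = idmap_ranges(smb_conf)
    for e in parse_ldif(ldif_text):
        if "sambaUnixIdPool" in e.get("objectClass", []):
            try:
                return (in_range(int(e["uidNumber"][0]), ranges["uid"])
                        and in_range(int(e["gidNumber"][0]), ranges["gid"]))
            except (KeyError, ValueError):
                return False
    return False

def audit_idmap(ldif_text, smb_conf, passwd_text):
    """(sid, problem) for every mapping outside its range or colliding with a local UID."""
    ranges, local, problems = idmap_ranges(smb_conf), local_uids(passwd_text), []
    for e in parse_ldif(ldif_text):
        if "sambaIdmapEntry" not in e.get("objectClass", []):
            continue
        sid = e["sambaSID"][0]
        for attr, kind in (("uidNumber", "uid"), ("gidNumber", "gid")):
            for n in map(int, e.get(attr, [])):
                if not in_range(n, ranges[kind]):
                    problems.append((sid, f"{attr} {n} outside idmap {kind} range {ranges[kind]}"))
                if kind == "uid" and n in local:
                    problems.append((sid, f"uidNumber {n} collides with a local account"))
    return problems

if __name__ == "__main__":
    print(winbind_enabled(NSSWITCH_AFTER), pool_seeded(IDMAP_LDIF, SMB_CONF))
    print(*audit_idmap(IDMAP_LDIF, SMB_CONF, LOCAL_PASSWD), sep="\n")
```

On a real host the three inputs would be /etc/nsswitch.conf, smb.conf and the LDIF that slapcat prints for the idmap suffix; the parser deliberately handles only the plain attribute lines those entries use, so base64-encoded or folded values would need a fuller LDIF reader. With the constructed data the pool is seeded and nsswitch is fixed, and the one bad mapping (uidNumber 500, below the range and equal to the local "simon" account) is reported twice, once per rule.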