Mark De Lange
2005-Aug-29 17:16 UTC
[Samba] Trying to get idmap backend using ADS working...
Hi folks,

I have been trying to use the ADS as the IDMAP backend but without success. I have followed the examples in the HOWTO and Samba-3 by Example. While both of these docs describe using LDAP as the repository, I have not been able to make the info work for ADS. I do not want to use LDAP nor ADS to authenticate Linux users, just for the UID/GID resolution. There will be multiple Samba servers accessing the same ADS and being used by the same set of Windows users.

Some background:
- using RHEL AS4 for AMD Opteron (64-bit)
- Samba version 3.0.10 (labeled as 3.0.10-1.4E by RedHat)
- For various reasons, using an OpenLDAP server is not possible.

If I disable the idmap backend options, I can successfully authenticate Windows users and they can access the Samba shares. However, obviously at this point the UID/GID allocation comes from the local winbind range.

When I enable the idmap backend, and then attempt to use getent passwd mdelange, I get the following winbind log trace snippet:

wcache_save_name_to_sid: MDELANGE -> <long valid SID>
refresh_sequence_number: LAB01 time ok
refresh_sequence_number: LAB01 seq number is now 4970735
sid_to_name: [Cached] - doing backend query for info for domain LAB01
ads: query_user
Current tickets expire at 1125371334, time is now 1125335307
Search for (objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\E7\0D\E9\57\EF\1F\9A\24\D2\5D\58\73\C0\04\00\00) gave 1 replies
ads query_user gave mdelange
refresh_sequence_number: LAB01 time ok
refresh_sequence_number: LAB01 seq number is now 4970735
wcache_save_user: <long valid SID> (acct_name mdelange)
idmap_sid_to_uid: sid = [<long valid SID>]
error getting user id for sid <long valid SID>

I imported the following LDIF file into ADS using the LDIFDE utility. This is probably where the problem lies:

dn: ou=Idmap, DC=lab01,DC=local
objectClass: top
objectClass: organizationalUnit
ou: Idmap

Any help or pointers would be greatly appreciated.

Thanks in advance,
Mark

smb.conf contents
--------------------------
[global]
  workgroup = LAB01
  realm = LAB01.LOCAL
  preferred master = no
  server string = Samba Server
  security = ADS
  log level = 10
  log file = /var/log/samba/%m.log
  load printers = no
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  template shell = /bin/false
  dns proxy = no
  cups options = raw
  idmap uid = 60000000-70000000
  idmap gid = 60000000-70000000
  printcap name = /etc/printcap
  max log size = 50
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes
  winbind cache time = 5
  add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M%u
  # ldap admin dn = cn=Administrator,dc=lab01,dc=local
  ldap idmap suffix = ou=Idmap
  ldap suffix = dc=lab01,dc=local
  idmap backend = ldap:ldap://l01ad1.lab01.local

[homes]
  comment = Home Directories
  browseable = yes
  writeable = yes
  valid users = %S

[LAB01]
  writeable = yes
  path = /home/LAB01

krb5.conf contents
---------------------------
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = LAB01.LOCAL
  default_keytab_name = /var/kerberos/krb5kdc/krb5.keytab
  binddn = cn=Administrator,cn=Users,lab01.local
  bindpw = rabbit

[realms]
  LAB01.LOCAL = {
    kdc = l01ad1.lab01.local:88
    admin_server = l01ad1.lab01.local:749
    default_domain = LAB01.LOCAL
  }

[domain_realms]
  .kerberos.server = LAB01.LOCAL

[domain_realm]
  .LAB01.LOCAL = LAB01.LOCAL
  LAB01.LOCAL = LAB01.LOCAL

[kdc]
  profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

nsswitch.conf
---------------------
passwd: files winbind ldap
shadow: files winbind ldap
group: files winbind ldap
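To make a trace like the one above easier to correlate, here is an added Python example (not part of the original post and not Samba code) that decodes the escaped objectSid value from the winbind "Search for (objectSid=...)" line into the S-1-5-... form that idmap logs elsewhere, splits off the RID, and rebuilds the same filter from a string SID so an entry in the idmap OU can be looked up by hand; the only input it assumes is the filter value copied from the trace.

```python
import re
import struct

# Escaped objectSid value, copied from the "Search for (objectSid=...)" line
# of the winbind trace in the post (constructed test input for this script).
SAMPLE_FILTER_VALUE = (
    r"\01\05\00\00\00\00\00\05\15\00\00\00\E7\0D\E9\57"
    r"\EF\1F\9A\24\D2\5D\58\73\C0\04\00\00"
)

def unescape_ldap_filter(value: str) -> bytes:
    """Turn the \\XX hex escaping used in LDAP filters back into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\([0-9A-Fa-f]{2})", value))

def escape_ldap_filter(raw: bytes) -> str:
    """Escape raw bytes the way winbind does when it searches on objectSid."""
    return "".join("\\%02X" % b for b in raw)

def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary SID: revision byte, sub-authority count byte, 48-bit
    big-endian identifier authority, then 32-bit little-endian sub-authorities."""
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("not a well-formed revision-1 SID: %r" % raw)
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)

def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string, for building your own objectSid filter."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("malformed SID %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def split_rid(sid: str) -> tuple:
    """Split a user/group SID into (domain SID, RID)."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)

def objectsid_filter(sid: str) -> str:
    """The (objectSid=...) filter winbind would send for a string SID."""
    return "(objectSid=%s)" % escape_ldap_filter(sid_string_to_bytes(sid))

if __name__ == "__main__":
    sid = sid_bytes_to_string(unescape_ldap_filter(SAMPLE_FILTER_VALUE))
    print(sid, split_rid(sid))
    print(objectsid_filter(sid))
```

The decoded domain SID and RID are what an idmap entry for this user would have to carry as its sambaSID, so comparing them against what is actually stored under ou=Idmap is a quick way to see whether the lookup can succeed at all.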