Kristof Bruyninckx
2005-Sep-27 12:19 UTC
[Samba] Need help with IDMAP storage in LDAP using Winbind
Hello @ll,

First a small sketch of my working environment. There is one PDC, a W2000 server, which contains an Active Directory, so basically all the Windows users are maintained there. And the Linux/Unix accounts are stored on a NIS server.

My goal would be the following 2 things. Firstly, currently all the Linux/Unix servers are set up with individual winbind setups to make the Windows users known, which works nicely. But recently the IDs of all the users should be identical on all the servers. Therefore I'm trying to implement the "IDMAP Storage in LDAP using Winbind" chapter. And secondly, migrating all the NIS users also to the same LDAP but under a different OU.

This is my setup thus far:

/etc/samba/smb.conf:

I think the way I set up this configuration is so that winbind points to the PDC to collect all the Windows users' information, and uses the LDAP backend to store it. Please correct me if I'm wrong.

    # Global parameters
    [global]
    log level = 3
    workgroup = THALES-IS #Is the windows domain name
    realm = THALES-IS.BE #winbind needs this to point to the PDC
    server string = Samba Server
    security = ads
    password server = 192.168.1.99
    username map = /etc/opt/samba/smbusers
    log file = /var/log/samba/smbd.log
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    dns proxy = No
    ldap ssl = no
    ldap admin dn = cn=Manager,dc=thales,dc=be #Is the new domain I'm trying to setup "thales.be", just to avoid confusion with the existing thales-is.be
    ldap idmap suffix = ou=idmap
    ldap suffix = dc=thales,dc=be
    idmap backend = ldap:ldap://127.0.0.1
    encrypt passwords = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    winbind separator = /
    winbind cache time = 10
    winbind use default domain = yes

    [homes]
    comment = Home Directories
    path = %H
    read only = No
    browseable = No

/etc/krb5.conf:

As far as I can figure this is needed to do the Kerberos authentication; this is only pointing to the Windows domain, and not the new "thales.be". But I'm not sure this is significant since it is only needed by winbind to retrieve information from the PDC.

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    ticket_lifetime = 24000
    default_realm = THALES-IS.BE
    dns_lookup_realm = true
    dns_lookup_kdc = true

    [realms]
    THALES-IS.BE = {
      kdc = backup1.thales-is.be:88
      kdc = 192.168.1.99
      admin_server = backup1.thales-is.be:749
      kdc = 192.168.1.99
    }
    thales-is.be = {
      kdc = 192.168.1.99
    }

    [domain_realm]
    .thales-is.be = THALES-IS.BE
    thales-is.be = THALES-IS.BE

    [kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
    pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
    }

/etc/nsswitch.conf:

    passwd: files winbind ldap
    shadow: files winbind ldap
    group:  files winbind ldap
    hosts:  files dns

/etc/openldap/slapd.conf:

    #
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/nis.schema

    # Allow LDAPv2 client connections. This is NOT the default.
    allow bind_v2

    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral ldap://root.openldap.org

    pidfile /var/run/slapd.pid
    argsfile /var/run/slapd.args

    database ldbm
    ##############################################################################################
    suffix "dc=thales,dc=be"
    ###############################################################################################
    rootdn "cn=Manager,dc=thales,dc=be"
    ###############################################################################################
    rootpw secret
    ###############################################################################################
    directory /var/lib/ldap/thales.be
    ###############################################################################################
    # Indices to maintain for this database
    index objectClass eq,pres
    index ou,cn,mail,surname,givenname eq,pres,sub
    index uidNumber,gidNumber,loginShell eq,pres
    index uid,memberUid eq,pres,sub
    index nisMapName,nisMapEntry eq,pres,sub

/etc/ldap.conf (only changes shown, the rest is default):

    # Your LDAP server. Must be resolvable without using LDAP.
    # Multiple hosts may be specified, each separated by a
    # space. How long nss_ldap takes to failover depends on
    # whether your LDAP client library supports configurable
    # network or connect timeouts (see bind_timelimit).
    #host 127.0.0.1
    host 127.0.0.1

    # The distinguished name of the search base.
    base dc=thales,dc=be
    binddn cn=Manager,dc=thales,dc=be
    bindpw secret

    # Use the OpenLDAP password change
    # extended operation to update the password.
    pam_password md5

    # RFC2307bis naming contexts
    # Syntax:
    # nss_base_XXX base?scope?filter
    # where scope is {base,one,sub}
    # and filter is a filter to be &'d with the
    # default filter.
    # You can omit the suffix eg:
    # nss_base_passwd ou=People,
    # to append the default base DN but this
    # may incur a small performance impact.
    nss_base_passwd ou=People,dc=thales,dc=be?one
    nss_base_shadow ou=People,dc=thales,dc=be?one
    nss_base_group ou=Group,dc=thales,dc=be?one

    ssl no
    tls_cacertdir /etc/openldap/cacerts

My setup of the directory structure:

First I imported the following structure in the db, /etc/openldap/thales.be.ldif. This should set up the LDAP with the container for the Idmap information. The command used was

    ldapadd -x -D "dn:Manager,dc=thales,dc=be" -W -f /etc/openldap/thales-is.be

which worked without problem.

    dn: dc=thales,dc=be
    objectClass: dcObject
    objectClass: organization
    dc: thales
    o: LDAP server THALES SERVICES DIVISION
    description: Root LDAP for thales.be domain

    dn: cn=Manager,dc=thales,dc=be
    objectClass: organizationalRole
    cn: Manager
    description: Directory Manager

    dn: ou=Idmap,dc=thales,dc=be
    objectClass: organizationalUnit
    ou: idmap

And then I added the container for the NIS users.

    dn: ou=People, dc=thales,dc=be
    ou: People
    description: All Nis people
    objectClass: organizationalUnit

Now thus far I managed to import the NIS users, I can see their entries with ldapsearch, but no Winbind users. "ID <Windows.Account>" doesn't work, but as an interesting twist a Windows user can access their share, which is their Linux home directory, without any problem, even though ID doesn't know this user. wbinfo -u, wbinfo -g, wbinfo -t all work, but getent passwd doesn't show me the Windows users.

Now when restarting the winbind instances on this server I get the following output from the LDAP in my syslog:

    Sep 27 13:31:47 linux14 slapd: daemon: read activity on 8
    Sep 27 13:31:47 linux14 slapd: connection_get(8)
    Sep 27 13:31:47 linux14 slapd: ber_dump: buf=0x091132c8 ptr=0x091132c8 end=0x091132f1 len=41
    Sep 27 13:31:47 linux14 slapd: 0000: 02 01 01 60 24 02 01 03 04 1a 63 6e 3d 4d 61 6e ...`$.....cn=Man
    Sep 27 13:31:47 linux14 slapd: 0010: 61 67 65 72 2c 64 63 3d 74 68 61 6c 65 73 2c 64 ager,dc=thales,d
    Sep 27 13:31:47 linux14 slapd: 0020: 63 3d 62 65 80 03 70 c3 a0 c=be..p..
    Sep 27 13:31:47 linux14 slapd: daemon: select: listen=6 active_threads=0 tvp=NULL
    Sep 27 13:31:47 linux14 slapd: ber_dump: buf=0x091132c8 ptr=0x091132cb end=0x091132f1 len=38
    Sep 27 13:31:47 linux14 slapd: 0000: 60 24 02 01 03 04 1a 63 6e 3d 4d 61 6e 61 67 65 `$.....cn=Manage
    Sep 27 13:31:47 linux14 slapd: 0010: 72 2c 64 63 3d 74 68 61 6c 65 73 2c 64 63 3d 62 r,dc=thales,dc=b
    Sep 27 13:31:47 linux14 slapd: 0020: 65 80 03 70 c3 a0 e..p..
    Sep 27 13:31:47 linux14 slapd: ber_dump: buf=0x091132c8 ptr=0x091132ec end=0x091132f1 len=5
    Sep 27 13:31:47 linux14 slapd: 0000: 00 03 70 c3 a0 ..p..
    Sep 27 13:31:47 linux14 slapd: ==> ldbm_back_bind: dn: cn=Manager,dc=thales,dc=be
    Sep 27 13:31:47 linux14 slapd: => access_allowed: auth access to "cn=Manager,dc=thales,dc=be" "userPassword" requested
    Sep 27 13:31:47 linux14 slapd: => access_allowed: backend default auth access granted to "(anonymous)"
    Sep 27 13:31:47 linux14 slapd: send_ldap_result: err=49 matched="" text=""
    Sep 27 13:31:47 linux14 slapd: daemon: select: listen=7 active_threads=0 tvp=NULL
    Sep 27 13:31:47 linux14 slapd: daemon: activity on 1 descriptors
    Sep 27 13:31:47 linux14 slapd: daemon: activity on:
    Sep 27 13:31:47 linux14 slapd: 8r
    Sep 27 13:31:47 linux14 slapd: daemon: read activity on 8
    Sep 27 13:31:47 linux14 slapd: connection_get(8)
    Sep 27 13:31:47 linux14 slapd: ber_dump: buf=0x090d70b0 ptr=0x090d70b0 end=0x090d70b5 len=5
    Sep 27 13:31:47 linux14 slapd: 0000: 02 01 02 42 00 ...B.
    Sep 27 13:31:47 linux14 slapd: daemon: select: listen=6 active_threads=0 tvp=NULL
    Sep 27 13:31:47 linux14 slapd: daemon: removing 8
    Sep 27 13:31:47 linux14 slapd: daemon: select: listen=7 active_threads=0 tvp=NULL
    Sep 27 13:31:47 linux14 slapd: daemon: activity on 1 descriptors
    Sep 27 13:31:47 linux14 slapd: daemon: select: listen=6 active_threads=0 tvp=NULL
    Sep 27 13:31:47 linux14 slapd: daemon: select: listen=7 active_threads=0 tvp=NULL
    Sep 27 13:31:47 linux14 winbind: winbindd startup succeeded

This is a part of the output I get from slapcat:

    dn: dc=thales,dc=be
    objectClass: dcObject
    objectClass: organization
    dc: thales
    o: LDAP server THALES SERVICES DIVISION
    description: Root LDAP for thales.be domain
    structuralObjectClass: organization
    entryUUID: 1abc1726-bf99-1029-82c5-9e2135f77083
    creatorsName: cn=Manager,dc=thales,dc=be
    createTimestamp: 20050922094341Z
    entryCSN: 20050922094341Z#000001#00#000000
    modifiersName: cn=Manager,dc=thales,dc=be
    modifyTimestamp: 20050922094341Z

    dn: cn=Manager,dc=thales,dc=be
    objectClass: organizationalRole
    cn: Manager
    description: Directory Manager
    structuralObjectClass: organizationalRole
    entryUUID: 1ac4c56a-bf99-1029-82c6-9e2135f77083
    creatorsName: cn=Manager,dc=thales,dc=be
    createTimestamp: 20050922094342Z
    entryCSN: 20050922094342Z#000001#00#000000
    modifiersName: cn=Manager,dc=thales,dc=be
    modifyTimestamp: 20050922094342Z

    dn: ou=Idmap,dc=thales,dc=be
    objectClass: organizationalUnit
    ou: idmap
    structuralObjectClass: organizationalUnit
    entryUUID: 1ac5944a-bf99-1029-82c7-9e2135f77083
    creatorsName: cn=Manager,dc=thales,dc=be
    createTimestamp: 20050922094342Z
    entryCSN: 20050922094342Z#000002#00#000000
    modifiersName: cn=Manager,dc=thales,dc=be
    modifyTimestamp: 20050922094342Z

    dn: ou=People,dc=thales,dc=be
    ou: People
    description: All Nis people
    objectClass: organizationalUnit
    structuralObjectClass: organizationalUnit
    entryUUID: 15579caa-c053-1029-82d3-9e2135f77083
    creatorsName: cn=Manager,dc=thales,dc=be
    createTimestamp: 20050923075459Z
    entryCSN: 20050923075459Z#000001#00#000000
    modifiersName: cn=Manager,dc=thales,dc=be
    modifyTimestamp: 20050923075459Z

My apologies for the long mail, but I could really use some help. Even a confirmation that certain configuration parts are correct would already help me, since now I'm questioning everything.

Regards and eagerly awaiting a reply,
--
Kristof.Bruyninckx

We are Microsoft. What you are experiencing is not a problem; it is an undocumented feature.
paul kölle
2005-Sep-27 13:01 UTC
[Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Kristof Bruyninckx wrote:
> # Use the OpenLDAP password change
> # extended operation to update the password.
> pam_password md5

If you want it to do what the comment suggests this should read:

    pam_password exop

> dn: cn=Manager,dc=thales,dc=be
> objectClass: organizationalRole
> cn: Manager
> description: Directory Manager

I think that may be your problem. The DN is the same as your rootdn in slapd.conf but does not have a userPassword attribute. It might "shadow" your rootdn, making binds with that DN fail (see below). You don't have to add the "rootdn" from slapd.conf to your directory, but it is generally discouraged to use it in daily operations as ACLs do not apply to "rootdn".

> Sep 27 13:31:47 linux14 slapd: => access_allowed: auth access to
> "cn=Manager,dc=thales,dc=be" "userPassword" requested
> Sep 27 13:31:47 linux14 slapd: => access_allowed: backend default auth
> access granted to "(anonymous)"
> Sep 27 13:31:47 linux14 slapd: send_ldap_result: err=49 matched=""

err=49 means "invalid credentials", most likely due to the missing "userPassword" attribute of cn=manager,dc=thales,dc=be. Try removing cn=Manager,dc=thales,dc=be from your ldif and see if you can bind with rootdn and rootpw from your slapd.conf. If that works, create another entry in your DIT with a userPassword attribute, give it appropriate permissions in slapd.conf and use that for your "ldap admin dn" in smb.conf.

hth
Paul
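A small checker for the condition Paul describes, added here as an example (not code from either poster or from Samba/OpenLDAP): it reads the rootdn out of a slapd.conf fragment, flags any LDIF entry with the same DN that carries no userPassword, and pairs each ldbm_back_bind DN in the slapd debug log with the err= code of the following result. The sample inputs are trimmed copies of the post's own slapd.conf, LDIF and log lines; the LDIF reader is a minimal one (no base64 values, no line folding).

```python
import re

# Fragments taken from the post above, trimmed to what the check needs.
SLAPD_CONF = 'rootdn "cn=Manager,dc=thales,dc=be"\nrootpw secret\n'
LDIF = """dn: dc=thales,dc=be
objectClass: dcObject

dn: cn=Manager,dc=thales,dc=be
objectClass: organizationalRole
cn: Manager
"""
LOG = """Sep 27 13:31:47 linux14 slapd: ==> ldbm_back_bind: dn: cn=Manager,dc=thales,dc=be
Sep 27 13:31:47 linux14 slapd: send_ldap_result: err=49 matched="" text=""
"""

def norm_dn(dn):
    # Lowercase and drop spaces around RDN separators so DNs compare by value.
    return ",".join(p.strip() for p in dn.strip().lower().split(","))

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries + ([cur] if cur else [])

def shadowed_rootdn(slapd_conf, ldif):
    """DNs in the LDIF equal to slapd.conf's rootdn but lacking userPassword."""
    m = re.search(r'^\s*rootdn\s+"?([^"\n]+?)"?\s*$', slapd_conf, re.M)
    if not m:
        return []
    return [e["dn"][0] for e in parse_ldif(ldif)
            if norm_dn(e["dn"][0]) == norm_dn(m.group(1)) and "userpassword" not in e]

def failed_binds(log):
    """(dn, err) for each bind the log reports; err=49 is invalidCredentials."""
    out, pending = [], None
    for line in log.splitlines():
        if (m := re.search(r"ldbm_back_bind: dn: (.+)$", line)):
            pending = m.group(1).strip()
        elif (m := re.search(r"send_ldap_result: err=(\d+)", line)) and pending:
            out.append((pending, int(m.group(1))))
            pending = None
    return out
```

err=49 is also what a simple bind with the wrong password returns, and the ber_dump in the post shows the bind carrying a 3-byte credential (tag 80, length 03) rather than the 6-byte rootpw "secret", so the password Samba stores for the ldap admin dn (set with smbpasswd -w) is worth verifying alongside the DN collision.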