Hi all,
I'm using Samba 3.2.7 with openldap 2.4.13 and have problems with
winbind.
If winbindd is started, he needs two minutes, until he is responding
to queries. That makes it hard to debug problems. May be winbindd
is waiting for WINS answers?
The problem,
the man page says this:
ldap group suffix (G)
This parameter specifies the suffix that is used for groups when these
are added to the LDAP directory. If this parameter is unset, the value
of ldap suffix will be used instead.
But this is not true, or I have a mistake in my configuration.
The LDAP-Search ist done with scope=2 (sub). 2 Posix Entries are found
and resolved to sambaSid correctly. Then the SIDs are searched and this
search use the base from "ldap user suffix".
The result is, that instead of finding 2 users in 2 different OUs,
only 1 user is found.
So, is this a bug?
Is the man page wrong?
The problem is shown here, in the slapd.log.
slapd[27069]: conn=484 op=68 SRCH base="dc=schule,dc=xx" scope=2
deref=3 filter="(&(uid=domain
administratoren)(objectClass=sambaSamAccount))"
slapd[27069]: conn=484 op=68 SRCH attr=uid uidNumber gidNumber homeDirectory
sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime
sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath
sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass
sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime
sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber
slapd[27069]: conn=484 op=68 SEARCH RESULT tag=101 err=0 nentries=0
textslapd[27069]: conn=484 op=69 SRCH base="o=SCHULE,dc=schule,dc=xx"
scope=2 deref=3
filter="(&(objectClass=sambaGroupMapping)(|(displayName=domain
administratoren)(cn=domain administratoren)))"
slapd[27069]: conn=484 op=69 SRCH attr=gidNumber sambaSID sambaGroupType
sambaSIDList description displayName cn objectClass
slapd[27069]: conn=484 op=69 SEARCH RESULT tag=101 err=0 nentries=1
textslapd[27069]: conn=484 op=70 SRCH
base="ou=SCHUELER,o=SCHULE,dc=schule,dc=xx" scope=2 deref=3
filter="(&(objectClass=sambaSamAccount)(|(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-512)))"
slapd[27069]: conn=484 op=70 SRCH attr=uid sambaSid
slapd[27069]: conn=484 op=70 SEARCH RESULT tag=101 err=0 nentries=0
textslapd[27069]: conn=484 op=71 SRCH base="o=SCHULE,dc=schule,dc=xx"
scope=2 deref=3
filter="(&(objectClass=sambaGroupMapping)(|(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-512)))"
slapd[27069]: conn=484 op=71 SRCH attr=cn displayName sambaSid sambaGroupType
slapd[27069]: conn=484 op=71 SEARCH RESULT tag=101 err=0 nentries=1 text
slapd[27069]: conn=486 op=13 SRCH base="o=SCHULE,dc=schule,dc=xx"
scope=2 deref=3
filter="(&(objectClass=posixGroup)(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-512))"
slapd[27069]: conn=486 op=13 SRCH attr=memberUid gidNumber
slapd[27069]: conn=486 op=13 SEARCH RESULT tag=101 err=0 nentries=1
textslapd[27069]: conn=486 op=14 SRCH base="dc=schule,dc=xx" scope=2
deref=3
filter="(&(objectClass=sambaSamAccount)(|(uid=atom)(uid=auge)))"
slapd[27069]: conn=486 op=14 SRCH attr=sambaSID
slapd[27069]: conn=486 op=14 SEARCH RESULT tag=101 err=0 nentries=2
textslapd[27069]: conn=486 op=15 SRCH base="dc=schule,dc=xx" scope=2
deref=3 filter="(&(objectClass=sambaSamAccount)(gidNumber=9009))"
slapd[27069]: conn=486 op=15 SRCH attr=sambaSID
slapd[27069]: conn=486 op=15 SEARCH RESULT tag=101 err=0 nentries=0
textslapd[27069]: conn=486 op=16 SRCH
base="ou=SCHUELER,o=SCHULE,dc=schule,dc=xx" scope=2 deref=3
filter="(&(objectClass=sambaSamAccount)(|(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-5000)(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-1004)))"
slapd[27069]: conn=486 op=16 SRCH attr=uid sambaSid
slapd[27069]: conn=486 op=16 SEARCH RESULT tag=101 err=0 nentries=1
textslapd[27069]: conn=486 op=17 SRCH base="o=SCHULE,dc=schule,dc=xx"
scope=2 deref=3
filter="(&(objectClass=sambaGroupMapping)(|(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-5000)(sambaSID=s-1-5-21-2462391502-1360153102-2655098952-1004)))"
slapd[27069]: conn=486 op=17 SRCH attr=cn displayName sambaSid sambaGroupType
slapd[27069]: conn=486 op=17 SEARCH RESULT tag=101 err=0 nentries=0 text
[global]
unix charset = LOCALE
workgroup = SCHULE
netbios name = SERVER-1
server string = %h server
interfaces = 192.168.231.48/24, 127.0.0.1/8
bind interfaces only = Yes
security = user
name resolve order = wins bcast host
passdb backend = ldapsam
ldapsam:trusted = yes
ldapsam:editposix = yes
lanman auth = Yes
syslog = 0
max log size = 1000
log level = 0
log file = /var/log/samba/log.%m
log file = /var/log/samba/log.%U
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p -a "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u"
"%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x
"%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g"
"%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
logon script = logon.bat
logon drive = L:
logon path = \\%L\Profiles\%U
logon home = \\%L\%U
domain logons = Yes
domain master = Yes
local master = yes
preferred master =yes
os level = 254
wins support = Yes
ldap admin dn = cn=admin,dc=schule,dc=xx
ldap delete dn = Yes
ldap machine suffix = ou=ARBEITSSTATIONEN,o=SCHULE
ldap passwd sync = Yes
ldap suffix = dc=schule,dc=xx
ldap user suffix = ou=SCHUELER,o=SCHULE
ldap group suffix = o=SCHULE
ldap machine suffix = ou=ARBEITSSTATIONEN,o=SCHULE
ldap debug level = 160
panic action = /usr/share/samba/panic-action %d
idmap domains = ALLE
idmap config ALLE:backend = ldap
idmap config ALLE:default = yes
idmap config ALLE:ldap_base_dn = ou=idmaps,o=SYSTEM,dc=schule,dc=xx
idmap config ALLE:ldap_url = ldap://localhost/
winbind nested groups = yes
winbind separator = /
template shell = /bin/bash
template homedir = /home/%g/%U
ea support = Yes
store dos attributes = Yes
--
Gruss
Harry Jede
