Patrick Rynhart
2009-Oct-11 09:43 UTC
[Samba] idmap LDAP branch never populates with Samba 3.4.1 - how do I debug ?
I've followed the instructions at http://wiki.samba.org/index.php/Ldapsam_Editposix which concerns how to set up idmap correctly with Samba > 3.0.25. I have a trusted domain which has been successfully established. However, no SID entries populate beneath ou=idmap and any logon to the trusted domain will result in:

netr_LogonSamLogon: user SANDBOX\Administrator has user sid S-1-5-21-9468687\15-1626585415-795749315-500 but group sid S-1-5-21-3349915894-2557539911-1720661062-513. The conflicting domain portions are not supported for NETLOGON calls

since the idmap caching isn't working at present, and the group SID falls back to the built-in domain.

I have a suspicion that the idmap_ldap plugin/module isn't being loaded (no probing appears to occur for the 'ldap' module and log.winbind-idmap is missing) but the module does exist on my system:

# file /usr/lib/samba/idmap/ldap.so
/usr/lib/samba/idmap/ldap.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), not stripped

My configure script was initially simple but I've now tried to build with all the bells and whistles:

./configure --cache-file=./config.cache --with-fhs --enable-shared --enable-static --disable-pie --prefix=/usr --sysconfdir=/etc --libdir=/usr/lib/samba --with-privatedir=/etc/samba --with-piddir=/var/run/samba --localstatedir=/var --with-rootsbindir=/sbin --with-pammodulesdir=/lib/security --with-pam --with-syslog --with-utmp --with-readline --with-pam_smbpass --with-libsmbclient --with-winbind --with-shared-modules=idmap_ldap,idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_tdb2 --with-automount --with-ldap --with-ads --with-dnsupdate --without-libtdb --without-libnetapi --with-modulesdir=/usr/lib/samba --datarootdir=/usr/share --datadir=/usr/share/samba --with-swatdir=/usr/share/samba/swat --with-lockdir=/var/run/samba --with-statedir=/var/lib/samba --with-cachedir=/var/cache/samba --with-ctdb --with-cifsmount --with-cifsupcall --with-acl-support --with-quotas --build i486-linux-gnu

The global portion of the smb.conf file is:

workgroup = SEAT
server string = %h server (Samba %v)
wins support = no
wins server = 192.168.93.1
name resolve order = wins host bcast lmhosts
syslog = 0
log level = 100 tdb:100 idmap:100
log file = /var/log/samba/%m.log
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
passdb backend = ldapsam:ldap://127.0.0.1
# ldapsam Editposix
ldapsam:trusted=yes
ldapsam:editposix=yes
ldap ssl = no
ldap admin dn = cn=admin,dc=seat,dc=massey,dc=ac,dc=nz
ldap delete dn = yes
ldap group suffix = ou=groups
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap suffix = dc=seat,dc=massey,dc=ac,dc=nz
preload modules = /usr/lib/samba/idmap/ldap.so
winbind enum users = yes
winbind enum groups = yes
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=idmap,dc=seat,dc=massey,dc=ac,dc=nz
idmap alloc config:ldap_user_dn = cn=admin,dc=seat,dc=massey,dc=ac,dc=nz
idmap alloc config:ldap_url = ldap://localhost
idmap alloc config:range = 50000-500000
idmap config BUILTIN:backend = ldap
idmap config BUILTIN:readonly = no
idmap config BUILTIN:default = yes
idmap config BUILTIN:ldap_base_dn = ou=idmap,dc=seat,dc=massey,dc=ac,dc=nz
idmap config BUILTIN:ldap_user_dn = cn=admin,dc=seat,dc=massey,dc=ac,dc=nz
idmap config BUILTIN:ldap_url = ldap://localhost
idmap config BUILTIN:range = 50000-500000
idmap config SANDBOX:backend = ldap
idmap config SANDBOX:range = 50000-59999
idmap config SANDBOX:ldap_url = ldap://127.0.0.1/
idmap config SANDBOX:ldap_base_dn = ou=idmap,dc=seat,dc=massey,dc=ac,dc=nz
idmap config SANDBOX:ldap_user_dn = cn=admin,dc=seat,dc=massey,dc=ac,dc=nz
idmap config SANDBOX:ldap_alloc_url = ldap://127.0.0.1/
idmap config SANDBOX:ldap_alloc_base_dn ou=idmap,dc=seat,dc=massey,dc=ac,dc=nz
smb ports = 139
domain master = yes
domain logons = yes
deadtime = 60

Any help would be appreciated.
Miguel Medalha
2009-Oct-11 18:43 UTC
[Samba] idmap LDAP branch never populates with Samba 3.4.1 - how do I debug ?
> I've followed the instructions at
>
> http://wiki.samba.org/index.php/Ldapsam_Editposix
>

What version of Samba are you using? The wiki page you quote is now in need of urgent update. Quoting from the Samba 3.3.0 release notes:

Winbind idmap backend changes
=============================

The idmap configuration has changed with version 3.3 to something that allows a smoother upgrade path from pre-3.0.25 configurations that use "idmap backend". The reason for this change is that to many, also to Samba developers, the 3.0.25 style configuration with "idmap config" turned out to be very complex.

Version 3.3 no longer deprecates the "idmap backend" parameter, instead with "idmap backend" the default idmap backend is specified. Accordingly, the "idmap config : default = yes" setting is no longer being looked at.

The alloc backend defaults to the default backend, which should be able to allocate IDs. In the default distribution the tdb and ldap backends can allocate, the ad and rid backends can not. The idmap alloc range is now being set with the "old" parameters "idmap uid" and "idmap gid".

The "idmap domains" parameter has been removed.

Release note here: http://www.samba.org/samba/history/samba-3.3.0.html
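The reply above boils down to four statements from the 3.3.0 release notes, and the question shows a [global] section that violates several of them. The following script, an added example for this thread and not code from either poster or from the Samba project, parses an smb.conf [global] section and reports the pre-3.3 idmap settings those four statements make obsolete, plus one syntax check (a per-domain "idmap config DOMAIN:option" name must not contain whitespace after the colon, which catches the line in the question that lacks its "="). The sample configuration is constructed from the question, trimmed to the idmap lines, with one "idmap domains" line added to exercise that rule. Parameter-name normalisation (case and whitespace ignored) mirrors how Samba compares parameter names; the suggested replacement lines cover only the three parameters the release notes name ("idmap backend", "idmap uid", "idmap gid") and say nothing about how the default backend's LDAP connection settings should be written, which the notes do not cover either.

```python
"""Lint an smb.conf [global] section for Samba 3.0.25-style idmap settings
that the 3.3.0 release notes declare obsolete. Added example for this thread;
the rule set is the editor's reading of the quoted release notes."""
import re

# Constructed sample: the idmap-related lines from the question, trimmed,
# plus one "idmap domains" line added to exercise the "removed" rule.
SAMPLE_SMB_CONF = """
[global]
    workgroup = SEAT
    security = user
    passdb backend = ldapsam:ldap://127.0.0.1
    ldapsam:trusted = yes
    ldapsam:editposix = yes
    idmap domains = SANDBOX
    idmap alloc backend = ldap
    idmap alloc config:ldap_base_dn = ou=idmap,dc=seat,dc=massey,dc=ac,dc=nz
    idmap alloc config:range = 50000-500000
    idmap config BUILTIN:backend = ldap
    idmap config BUILTIN:default = yes
    idmap config BUILTIN:range = 50000-500000
    idmap config SANDBOX:backend = ldap
    idmap config SANDBOX:range = 50000-59999
    idmap config SANDBOX:ldap_alloc_base_dn ou=idmap,dc=seat,dc=massey,dc=ac,dc=nz
"""

# A per-domain option name: "idmap config <DOMAIN>:<option>", no whitespace
# inside the option part.
IDMAP_CONFIG_RE = re.compile(r"^idmap\s+config\s+([^:\s]+)\s*:\s*(\S+)$", re.IGNORECASE)


def normalise(name):
    """Samba compares parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_global(text):
    """Return (params, malformed): normalised name -> value for [global],
    and (lineno, line) pairs Samba could not interpret as intended."""
    params, malformed, section = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
            continue
        if section != "global":
            continue
        name, sep, value = line.partition("=")
        name = name.strip()
        if not sep:
            malformed.append((lineno, line))
            continue
        # "idmap config X:opt ou=..." splits at the "=" inside the value and
        # leaves whitespace in the option name: flag it instead of storing it.
        if name.lower().startswith("idmap config") and not IDMAP_CONFIG_RE.match(name):
            malformed.append((lineno, line))
            continue
        params[normalise(name)] = value.strip()
    return params, malformed


def lint_idmap(params, malformed):
    """Return (code, message) findings based on the 3.3.0 release notes."""
    findings = [("malformed", f"line {n}: cannot parse '{l}'") for n, l in malformed]
    if "idmapdomains" in params:
        findings.append(("removed", "'idmap domains' was removed in 3.3"))
    for key, value in params.items():
        m = re.match(r"^idmapconfig([^:]+):default$", key)
        if m and value.lower() in ("yes", "true", "1"):
            backend = params.get(f"idmapconfig{m.group(1)}:backend", "<backend>")
            findings.append(("ignored", f"'idmap config {m.group(1)}:default = yes' is no "
                                        f"longer looked at; set 'idmap backend = {backend}'"))
    if "idmapallocconfig:range" in params:
        findings.append(("moved", "the alloc range is now set with 'idmap uid' and "
                                  "'idmap gid', not 'idmap alloc config:range'"))
    if "idmapbackend" not in params:
        findings.append(("missing", "'idmap backend' not set: in 3.3 it names the default "
                                    "backend, and the alloc backend defaults to it"))
    for p in ("idmapuid", "idmapgid"):
        if p not in params:
            findings.append(("missing", f"'{p[:5]} {p[5:]}' not set: no alloc range"))
    return findings


def suggest_33_lines(params):
    """Derive the 3.3-style lines the release notes call for from the old ones."""
    lines = []
    backend = params.get("idmapallocbackend")
    if backend and "idmapbackend" not in params:
        lines.append(f"idmap backend = {backend}")
    rng = params.get("idmapallocconfig:range")
    if rng:
        lines.extend(f"idmap {p} = {rng}" for p in ("uid", "gid") if f"idmap{p}" not in params)
    return lines


if __name__ == "__main__":
    prm, bad = parse_global(SAMPLE_SMB_CONF)
    for code, msg in lint_idmap(prm, bad):
        print(f"[{code}] {msg}")
    print("\nsuggested 3.3-style lines:\n  " + "\n  ".join(suggest_33_lines(prm)))
```

Run against a real file with `parse_global(open("/etc/samba/smb.conf").read())`; the "malformed" finding is the one to look at first, because Samba will silently treat such a line as an unknown parameter rather than as the per-domain setting the author intended.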