Hi,

I'm trying to make a "pure ldap" setup, where users, groups, id mappings and everything that is supported with LDAP are in the LDAP tree and managed directly by samba.

That is, I'm using:

ldapsam:trusted = yes
ldapsam:editposix = yes

And NOT using smbldap-*.

My smb.conf is here: http://wiki.clueless.com.ar/SambaLdap/smb.conf-PDC

I created the LDAP tree root (o=midominio) and all its branches (ou=people; ou=groups; ou=hosts and ou=idmap).

I ran "net sam provision" to fill in the basic values.

I stored the secrets in secrets.tdb:
# smbpasswd -w ldap_admin_password
# net idmap secret midominio ldap_admin_password
# net idmap secret alloc ldap_admin_password

I was able to join a samba server to the domain (net rpc join -S miserver -UAdministrator).

However, when I try to join an XP host to the domain, I get an error (IIRC it's "An attached device is not functioning") in the workstation and the samba logs show the following:

[2009/10/15 11:17:47, 0] passdb/pdb_ldap.c:ldapsam_create_user(5119)
  ldapsam_create_user: Unable to allocate a new user id: bailing out!

The user I'm using to bind to the LDAP server is the LDAP administrator and it does have permissions on all the tree (in particular, within "ou=idmap,o=midominio")...

I manually added an entry for the workstation's account posix data, then issued "smbpasswd -a workstation$".

THEN I could join the domain...

Clearly, I have something misconfigured regarding ldap/idmap/alloc, but I can't find enough information to do it right.

Any help REALLY appreciated...

-- 
Mariano Absatz - "El Baby"
el.baby at gmail.com
www.clueless.com.ar
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
To define recursion, we must first define recursion.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
* TagZilla 0.066 * http://tagzilla.mozdev.org
Sorry... I forgot a bit of info.

winbindd is running.

I'm using the Ubuntu 9.04 samba packages, which are at version 3.3.2-1ubuntu3.2 (I think it is 3.3.2 plus all the security patches).

I re-built the packages in order to include the /usr/lib/samba/idmap/ldap.so module because somehow this didn't make it into the official package (this was done following the steps in http://wiki.clueless.com.ar/SambaLdap/RecompilarSamba).

HTH (helping me)... that is, hope that helps helping me :-P

-- 
Mariano Absatz - El Baby
www.clueless.com.ar
Can anyone help me on this? I'm really stuck...

On Thu, Oct 15, 2009 at 16:58, Mariano Absatz <el.baby at gmail.com> wrote:
> Hi,
>
> I'm trying to make a "pure ldap" setup, where users, groups, id mappings
> and everything that is supported with LDAP are in the LDAP tree and managed
> directly by samba.
>
> That is, I'm using:
>
> ldapsam:trusted = yes
> ldapsam:editposix = yes
>
> And NOT using smbldap-*.
>
> My smb.conf is here: http://wiki.clueless.com.ar/SambaLdap/smb.conf-PDC
>
> I created the LDAP tree root (o=midominio) and all its branches (ou=people;
> ou=groups; ou=hosts and ou=idmap).
>
> I ran "net sam provision" to fill in the basic values.
>
> I stored the secrets in secrets.tdb:
> # smbpasswd -w ldap_admin_password
> # net idmap secret midominio ldap_admin_password
> # net idmap secret alloc ldap_admin_password
>
> I was able to join a samba server to the domain (net rpc join -S miserver
> -UAdministrator).
>
> However, when I try to join an XP host to the domain, I get an error (IIRC
> it's "An attached device is not functioning") in the workstation and the
> samba logs show the following:
>
> [2009/10/15 11:17:47, 0] passdb/pdb_ldap.c:ldapsam_create_user(5119)
>   ldapsam_create_user: Unable to allocate a new user id: bailing out!
>
> The user I'm using to bind to the LDAP server is the LDAP administrator and
> it does have permissions on all the tree (in particular, within
> "ou=idmap,o=midominio")...
>
> I manually added an entry for the workstation's account posix data, then
> issued "smbpasswd -a workstation$".
>
> THEN I could join the domain...
>
> Clearly, I have something misconfigured regarding ldap/idmap/alloc, but I
> can't find enough information to do it right.
>
> Any help REALLY appreciated...

-- 
Mariano Absatz - El Baby
www.clueless.com.ar
Quoting from the Samba 3.3.0 release notes:

Winbind idmap backend changes
============================

The idmap configuration has changed with version 3.3 to something that allows a smoother upgrade path from pre-3.0.25 configurations that use "idmap backend". The reason for this change is that to many, also to Samba developers, the 3.0.25 style configuration with "idmap config" turned out to be very complex.

Version 3.3 no longer deprecates the "idmap backend" parameter, instead with "idmap backend" the default idmap backend is specified. Accordingly, the "idmap config : default = yes" setting is no longer being looked at.

The alloc backend defaults to the default backend, which should be able to allocate IDs. In the default distribution the tdb and ldap backends can allocate, the ad and rid backends can not. The idmap alloc range is now being set with the "old" parameters "idmap uid" and "idmap gid".

The "idmap domains" parameter has been removed.

Release note here: http://www.samba.org/samba/history/samba-3.3.0.html
On Sun, Oct 18, 2009 at 13:47, Miguel Medalha <miguelmedalha at sapo.pt> wrote:
>
>> Yes... I read this... and deleted the "idmap config MIDOMINIO:default
>> = yes" setting... but it still doesn't work :-(
>>
>
> I suppose you will also have to remove those "idmap alloc backend" and
> "idmap alloc config" entries.
>

Oh... I see... I didn't try that... thanx a lot for your help... I'll try and come back.

-- 
Mariano Absatz - El Baby
www.clueless.com.ar
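Pulling the thread's advice together into one Samba 3.3 style [global] fragment, as an added example that is not the original poster's smb.conf (the LDAP URL, admin DN and uid/gid ranges are assumed values; the ldapsam and suffix settings mirror the tree described in the first message):

```ini
[global]
   workgroup = MIDOMINIO
   domain logons = yes
   domain master = yes

   # Accounts live in LDAP and Samba itself creates the posix entries,
   # so no smbldap-tools are needed.
   passdb backend = ldapsam:ldap://localhost
   ldap suffix = o=midominio
   ; assumed bind DN; its password is stored with "smbpasswd -w"
   ldap admin dn = cn=admin,o=midominio
   ldap user suffix = ou=people
   ldap group suffix = ou=groups
   ldap machine suffix = ou=hosts
   ldap idmap suffix = ou=idmap
   ldapsam:trusted = yes
   ldapsam:editposix = yes

   # Samba 3.3: one default backend, which also does the allocation.
   # The ldap backend can allocate; the range comes from idmap uid/gid.
   idmap backend = ldap:ldap://localhost
   idmap uid = 10000-20000
   idmap gid = 10000-20000

   # Pre-3.3 lines the thread says to drop: the "default = yes" flag is
   # no longer read, and the separate alloc settings are replaced by
   # the default backend above. Shown commented out for comparison.
   ;idmap config MIDOMINIO:default = yes
   ;idmap alloc backend = ldap
   ;idmap alloc config : ldap_url = ldap://localhost
```

The bind password for the idmap backend is the one stored with "net idmap secret", as in the first message; with this layout the "Unable to allocate a new user id" log line is the symptom to watch for after restarting smbd and winbindd.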