Jon Detert
2011-Jan-18 20:04 UTC
[Samba] confusion and problem with Samba v3.3.8 as PDC with ldapsam backend
Hello,

I'm trying to use samba v3.3.8 on Centos 5.5 to act as a PDC, using ldap as the backend for users, groups, and computers. The ldap I'm using is Centos Directory Server v8.1.

The setting is a new, never used before, installation of samba and ldap. There are no users other than what exists by default after a Centos install. The smb.conf contains what is my best guess for the desired goal.

The problem at the moment (besides having to guess at what to put in smb.conf - see below) is that smbd exits about 2 minutes after I start it. Here are what I think are the relevant bits from the log.smbd:

[2011/01/18 13:40:42, 2] lib/smbldap_util.c:smbldap_search_domain_info(277)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CHI))]
[2011/01/18 13:40:42, 2] lib/smbldap.c:smbldap_open_connection(856)
  smbldap_open_connection: connection opened
[2011/01/18 13:40:42, 3] lib/smbldap.c:smbldap_connect_system(1067)
  ldap_connect_system: successful connection to the LDAP server
[2011/01/18 13:40:42, 4] lib/smbldap.c:smbldap_open(1143)
  The LDAP server is successfully connected
[2011/01/18 13:41:12, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1519)
  ldapsam_getsampwnam: Unable to locate user [root] count=0
[2011/01/18 13:41:42, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=0))
[2011/01/18 13:42:12, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544))
[2011/01/18 13:42:27, 3] groupdb/mapping.c:pdb_create_builtin_alias(786)
  pdb_create_builtin_alias: Could not get a gid out of winbind
[2011/01/18 13:42:27, 2] auth/token_util.c:create_local_nt_token(450)
  WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?
[2011/01/18 13:42:57, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
[2011/01/18 13:43:12, 1] passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2871)
  User account [nobody] not found!
[2011/01/18 13:43:12, 0] smbd/server.c:main(1404)
  ERROR: failed to setup guest info.

winbind is running. log.winbindd contains nothing useful to me. log.winbindd-idmap contains lines suggesting it can't bind to the ldap server:

[2011/01/18 13:42:41, 2] lib/smbldap.c:smbldap_connect_system(1052)
  failed to bind to server ldap://localhost with dn="uid=samba,ou=Special Users, dc=infinityhealthcare,dc=com" Error: Invalid credentials

and

[2011/01/18 13:42:49, 1] lib/smbldap.c:another_ldap_try(1231)
  Connection to LDAP server failed for the 8 try!

Why doesn't the smbd log say something equivalent? In fact, it suggests the opposite, saying that "The LDAP server is successfully connected".

I did set the samba admin dn's password with the command "smbpasswd -W" before starting either winbindd or smbd, and also verified that it is correct using the command "ldapsearch -x -h localhost -s sub -b ou=people,dc=infinityhealthcare,dc=com -D"uid=samba,ou=Special Users,dc=infinityhealthcare,dc=com" -W".

Any ideas or suggestions?

Thanks,

Jon

The rest of this email is my smb.conf:
============================
[global]

workgroup = CHI
server string = Samba Server Version %v

netbios name = SAMBAPDC

log file = /var/log/samba/log.%m
log level = 4
max log size = 50

security = user
passdb backend = ldapsam:ldap://localhost

domain master = yes
preferred master = yes
domain logons = yes
logon drive = N:
logon path = \\%L\Profiles\%u

logon script = %u.bat

ldap admin dn = "uid=samba,ou=Special Users,dc=infinityhealthcare,dc=com"
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = out=IDmap
ldap machine suffix = ou=Computers
ldap suffix = dc=infinityhealthcare,dc=com
ldap delete dn = no
ldapsam:trusted = yes
ldapsam:editposix = yes
ldap ssl = off
idmap backend = ldap:ldap://localhost
idmap uid = 5000-50000
idmap gid = 5000-50000
winbind enum groups = yes
winbind nested groups = yes
template shell = /sbin/nologin
template homedir = /home/%D/%U
winbind use default domain = yes

wins support = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[homes]
comment = Home Directories
browseable = no
writable = yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no
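The posted smb.conf is the kind of file where a one-character slip (an "out=" where "ou=" was meant) silently breaks a whole subsystem, and Samba itself does not validate these values. The following is an added example, not code from the thread or from the Samba project: a small checker that parses the [global] section of an smb.conf and reports suffixes whose attribute type is not a container RDN, an "ldap suffix" that is not a DN, and an "ldap admin dn" bind that would cross the wire in cleartext to a non-local server. The smb.conf excerpt embedded below is a constructed copy of the LDAP-relevant lines from the post; the Samba default for "ldap ssl" ("start tls") is assumed.

```python
"""Sanity-check the LDAP-related settings in a Samba 3 smb.conf.

Added example, not from the thread. It parses the [global] section of an
smb.conf and flags the kinds of mistake visible in the posted config: a
suffix whose attribute type is not a container RDN (the 'out=IDmap' typo),
an 'ldap suffix' that is not a DN, and an 'ldap admin dn' bind that would
travel in cleartext to a non-local LDAP server.
"""
import configparser
import re
from urllib.parse import urlparse

# Constructed excerpt: the LDAP-relevant lines of the smb.conf posted in the thread.
SMB_CONF = """\
[global]
workgroup = CHI
passdb backend = ldapsam:ldap://localhost
ldap admin dn = "uid=samba,ou=Special Users,dc=infinityhealthcare,dc=com"
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = out=IDmap
ldap machine suffix = ou=Computers
ldap suffix = dc=infinityhealthcare,dc=com
ldap ssl = off
idmap backend = ldap:ldap://localhost
"""

# One or more attr=value components separated by commas, e.g. ou=IDmap or dc=a,dc=b.
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$")
SUFFIX_KEYS = ("ldap user suffix", "ldap group suffix",
               "ldap idmap suffix", "ldap machine suffix")
CONTAINER_TYPES = {"ou", "cn"}           # what a sub-suffix is expected to start with
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
LDAP_SSL_DEFAULT = "start tls"           # Samba 3 default for 'ldap ssl' (assumed)


def parse_smb_conf(text):
    """Return the [global] options as a dict; keys lower-cased, values unquoted."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    return {k: v.strip().strip('"') for k, v in cp["global"].items()}


def backend_url(value):
    """'ldapsam:ldap://host' -> 'ldap://host'; '' when the backend has no URL."""
    _, _, url = value.partition(":")
    return url if url.startswith(("ldap://", "ldaps://", "ldapi://")) else ""


def check_ldap_settings(conf):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    base = conf.get("ldap suffix", "")
    if not DN_RE.match(base):
        findings.append(("error", f"ldap suffix is not a DN: {base!r}"))
    for key in SUFFIX_KEYS:
        val = conf.get(key)
        if val is None:
            continue
        attr = val.split("=", 1)[0].lower() if "=" in val else ""
        if not DN_RE.match(val):
            findings.append(("error", f"{key} is not a valid RDN: {val!r}"))
        elif attr not in CONTAINER_TYPES:
            findings.append(("error",
                             f"{key} starts with attribute type {attr!r}, expected one of "
                             f"{sorted(CONTAINER_TYPES)} (typo?): {val!r}"))
    # Both backends bind as 'ldap admin dn' with the password from secrets.tdb;
    # plain ldap:// with 'ldap ssl = off' to a remote host sends it in the clear.
    ssl = conf.get("ldap ssl", LDAP_SSL_DEFAULT).lower()
    for key in ("passdb backend", "idmap backend"):
        url = backend_url(conf.get(key, ""))
        if not url:
            continue
        host = urlparse(url).hostname or ""
        if url.startswith("ldap://") and ssl == "off" and host not in LOCAL_HOSTS:
            findings.append(("warn",
                             f"{key} sends the ldap admin dn password in cleartext to {host}"))
    return findings


if __name__ == "__main__":
    for severity, msg in check_ldap_settings(parse_smb_conf(SMB_CONF)):
        print(f"{severity}: {msg}")
```

Run against the posted excerpt it reports exactly one finding, the "out=IDmap" suffix; with that corrected and the backends still pointing at localhost it is clean, and it starts warning as soon as "passdb backend" or "idmap backend" is pointed at a remote host with "ldap ssl = off".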
Alex Crow
2011-Jan-18 20:25 UTC
[Samba] confusion and problem with Samba v3.3.8 as PDC with ldapsam backend
On 18/01/11 20:04, Jon Detert wrote:
> ldap idmap suffix = out=IDmap

Could the "out" instead of "ou" be your issue?

Cheers

Alex

--
This message is intended only for the addressee and may contain confidential information. Unless you are that person, you may not disclose its contents or use it in any way and are requested to delete the message along with any attachments and notify us immediately.

"Transact" is operated by Integrated Financial Arrangements plc
Domain House, 5-7 Singer Street, London EC2A 4BQ
Tel: (020) 7608 4900 Fax: (020) 7608 5300
(Registered office: as above; Registered in England and Wales under number: 3727592)
Authorised and regulated by the Financial Services Authority (entered on the FSA Register; number: 190856)
Gaiseric Vandal
2011-Jan-18 20:35 UTC
[Samba] confusion and problem with Samba v3.3.8 as PDC with ldapsam backend
Nt- I don't use the "ldapsam:editposix" option myself; if I understand it correctly it means you don't have to precreate the underlying unix accounts. However, I believe you still need to do the following:

  Create a samba Administrator account
  Create samba Domain Admins and Domain Users groups.
  Explicitly specify the uid or username for the "guest" user.
  Set ldap password for the idmap backend (net idmap secret thedomain xxxx)

"smbpasswd -w" sets the ldap password samba uses to access ldap for users and groups. But idmap needs the ldap password set as well, e.g.

  net idmap secret MYDOMAIN xxxx
  net idmap secret alloc xxxx

I don't know if when using the "ldapsam:editposix" option you can use smbpasswd to create the user accounts.

Also, I used "net groupmap add ...." to create the mappings between the samba Domain Admins group and the unix group by the same name.

If it were me, I would also create local unix groups for "Domain Admins" (e.g. with gid 512), "Domain Users" etc. and then use "net groupmap" to map the unix gids to the Windows well-known IDs.

  net groupmap add ntgroup="Domain Admins" unixgroup=512 rid=512 type=domain
  net groupmap add ntgroup="Domain Users" unixgroup=513 rid=513 type=domain
  net groupmap add ntgroup="Domain Guests" unixgroup=514 rid=514 type=domain
  net groupmap add ntgroup="Domain Computers" unixgroup=515 rid=515 type=domain
  net groupmap add ntgroup="Domain Controllers" unixgroup=516 rid=516 type=domain

I would create a unix "Administrator" user in the "Domain Admins" group, then use smbpasswd to create the samba Administrator account.

I use Apache Directory Studio for browsing and editing ldap entries. You may find having a GUI ldap browser and editor really useful. You should be able to tell if your LDAP groups have unix gids and samba sids.

This way you can get basic functionality working, then you can start troubleshooting winbind and idmap.
On 01/18/2011 03:04 PM, Jon Detert wrote:
> [...]
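The advice above comes down to one requirement: every group Samba needs must exist in LDAP with both a POSIX gidNumber and a sambaSID, because with ldapsam the lookups are LDAP searches of the form (&(objectClass=sambaGroupMapping)(sambaSID=...)) and (&(objectClass=sambaGroupMapping)(gidNumber=...)), which is what the "Did not find group" lines in the original log are reporting. The following is an added example, not code from the thread or from Samba: it builds the well-known domain groups (RIDs 512-516, gid equal to RID as suggested above) as LDIF under the "ou=Groups" suffix from the posted smb.conf, and replays the same lookups against them in memory so the failing cases from the log (gid 0, S-1-5-32-544) can be seen to miss. The domain SID is a made-up placeholder; on a real PDC it comes from "net getlocalsid".

```python
"""Build the group entries Samba's ldapsam backend expects to find.

Added example, not from the thread. Samba resolves groups with LDAP filters
of the form (&(objectClass=sambaGroupMapping)(sambaSID=...)) and
(&(objectClass=sambaGroupMapping)(gidNumber=...)), the filters seen in the
posted log, so a group must carry both a POSIX gidNumber and a sambaSID.
This module emits the well-known domain groups (RIDs 512-516) as LDIF and
replays Samba's lookups against them. The domain SID is a placeholder; the
real value comes from 'net getlocalsid'.
"""

DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"   # placeholder (constructed)
BASE_DN = "dc=infinityhealthcare,dc=com"                  # 'ldap suffix' in the posted smb.conf
GROUP_SUFFIX = "ou=Groups"                                # 'ldap group suffix' in the posted smb.conf

SID_NAME_DOM_GRP = 2    # sambaGroupType value for a domain group

# (RID, group name); the RID doubles as the gid, as suggested in the reply above.
WELL_KNOWN_GROUPS = [
    (512, "Domain Admins"),
    (513, "Domain Users"),
    (514, "Domain Guests"),
    (515, "Domain Computers"),
    (516, "Domain Controllers"),
]


def group_sid(domain_sid, rid):
    """A domain group's SID is the domain SID with the RID appended."""
    return f"{domain_sid}-{rid}"


def group_entry(name, gid, rid, domain_sid=DOMAIN_SID, base_dn=BASE_DN):
    """Attributes of one posixGroup + sambaGroupMapping entry."""
    return {
        "dn": f"cn={name},{GROUP_SUFFIX},{base_dn}",
        "objectClass": ["top", "posixGroup", "sambaGroupMapping"],
        "cn": name,
        "gidNumber": str(gid),
        "sambaSID": group_sid(domain_sid, rid),
        "sambaGroupType": str(SID_NAME_DOM_GRP),
        "displayName": name,
    }


def build_well_known(domain_sid=DOMAIN_SID, base_dn=BASE_DN):
    """Entries for the five well-known domain groups, gid == RID."""
    return [group_entry(name, rid, rid, domain_sid, base_dn)
            for rid, name in WELL_KNOWN_GROUPS]


def to_ldif(entry):
    """Serialise an entry dict as one LDIF record (multi-valued attrs repeated)."""
    lines = [f"dn: {entry['dn']}"]
    for attr, value in entry.items():
        if attr == "dn":
            continue
        for v in (value if isinstance(value, list) else [value]):
            lines.append(f"{attr}: {v}")
    return "\n".join(lines) + "\n"


def samba_lookup_filter(sid=None, gid=None):
    """The search filter ldapsam_getgroup uses, by SID or by gid."""
    if (sid is None) == (gid is None):
        raise ValueError("give exactly one of sid or gid")
    key = f"(sambaSID={sid})" if sid is not None else f"(gidNumber={gid})"
    return f"(&(objectClass=sambaGroupMapping){key})"


def find_group(entries, sid=None, gid=None):
    """Evaluate that filter in memory: the matching entry, or None if absent."""
    for e in entries:
        if "sambaGroupMapping" not in e["objectClass"]:
            continue
        if sid is not None and e["sambaSID"] == sid:
            return e
        if gid is not None and e["gidNumber"] == str(gid):
            return e
    return None


if __name__ == "__main__":
    entries = build_well_known()
    print("\n".join(to_ldif(e) for e in entries))
    # The lookups from the posted log: gid 0 and the BUILTIN SID are not in this
    # set, so they miss exactly as smbd reported ("Did not find group").
    for sid, gid in (("S-1-5-32-544", None), (None, 0), (group_sid(DOMAIN_SID, 512), None)):
        hit = find_group(entries, sid=sid, gid=gid)
        print(samba_lookup_filter(sid=sid, gid=gid), "->", hit["cn"] if hit else "not found")
```

The LDIF can be loaded with ldapadd (or compared against what "net groupmap add" wrote, using the same filters); the in-memory lookups show why the posted log still misses on gid 0 and on the BUILTIN SIDs even once these five groups exist: those are separate mappings, and the BUILTIN ones are what smbd was asking winbind to allocate gids for.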
Jon Detert
2011-Jan-18 20:38 UTC
[Samba] confusion and problem with Samba v3.3.8 as PDC with ldapsam backend
On Tue, Jan 18, 2011 at 2:25 PM, Alex Crow <acrow at integrafin.co.uk> wrote:
> On 18/01/11 20:04, Jon Detert wrote:
>> ldap idmap suffix = out=IDmap
>
> Could the "out" instead of "ou" be your issue?

wow, thanks. However, sadly, sloppiness is not my only issue. I fixed that typo, restarted winbindd and smbd, but smbd still dies with the same messages.

Am I missing a step I was supposed to do which would have created some default, expected, groups and users to exist?

- Jon

> Cheers
>
> Alex