Gaiseric Vandal
2011-Mar-17 20:12 UTC
[Samba] Samba 3.4.7 can't retrieve idmap infor from ldap
I am running Samba 3.4.7 on Fedora Core 11 Linux. This is a domain member.

My PDC is Samba 3.4.9 on Solaris 10. I have LDAP as a backend (Sun/Oracle Directory Server 6). I have an OU for user accounts, and an OU for idmap entries. The PDC has already populated some idmap entries.

An idmap entry looks like

    dn: sambaSID=S-1-5-21-xxxxxxxxxxxxxxx-1121,ou=mydomain,ou=idmap,o=mycomany.com
    objectClass: sambaIdmapEntry
    objectClass: sambaSidEntry
    uidNumber: 176
    sambaSID: S-1-5-21-xxxxxxxxxxxxxxx-1121

The member servers can be read only.

In the member server, smb.conf has the following entries

    idmap config MYDOMAIN:backend = ldap
    idmap config MYDOMAIN:ldap_url = ldap://pdc.mycompany.com
    idmap config MYDOMAIN:readonly = yes
    idmap config MYDOMAIN:default=no
    idmap config MYDOMAIN:ldap_base_dn = "ou=mydomain,ou=idmap,o=mycompany.com"
    #idmap config MYDOMAIN:ldap_user_dn = cn=Directory Manager
    #idmap config MYDOMAIN:ldap_user_dn = cn=admin,cn=Administrators,cn=config
    idmap config MYDOMAIN:ldap_user_dn = uid=jsmith,ou=people,o=mycompany.com
    idmap config MYDOMAIN:range = 70000-79999
    idmap config MYDOMAIN:uid = 100 -79999
    idmap config MYDOMAIN:gid = 100 -79999

On this machine (FC11 member server), when I run the "getent passwd" command, log.winbind shows

    failed to bind to server ldap://pdc.mycompany.com with dn=""cn=Directory Manager"" Error: Invalid DN syntax
    Invalid DN

On getent passwd, winbind.log shows

    lib/smbldap.c:890(smbldap_open_connection)
      smbldap_open_connection: connection opened
    lib/smbldap.c:1101(smbldap_connect_system)
      ldap_connect_system: successful connection to the LDAP server
    winbindd/idmap_ldap.c:1248(idmap_ldap_sids_to_unixids)
      Failure looking up sids (Invalid DN syntax)

If there is NOT an idmap entry already for the user, I get winbind.log entries like:

    [2011/03/17 12:52:48, 1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
      error getting user id for sid S-1-5-21-xxxxxxxxxxxx-1083
    [2011/03/17 12:52:48, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
      could not lookup domain user jkerry
    [2011/03/17 12:52:48, 1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
      error getting user id for sid S-1-5-21-xxxxxxxxxxxx-1044
    [2011/03/17 12:52:48, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
      could not lookup domain user jmcain

It looks like it tried to locate a record via user name or SID.

If there is an idmap entry already for the user, I only get

    [2011/03/17 12:52:48, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
      could not lookup domain user jsmith

So the Samba member server is connecting to the LDAP server and retrieving some LDAP information. But it seems that the LDAP info is NOT formatted as expected (thus the Invalid DN Syntax errors).

The PDC was initially Samba 3.0.x, and I am guessing that the LDAP IDMAP syntax changed between 3.0.x and 3.4.x.

I would appreciate advice on this.

Thanks
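A quick way to see what the member server will actually hand to the LDAP bind and search is to read the parametric idmap options back out of smb.conf and check them as DNs before touching winbind. The script below is an added example (my code, not part of this thread and not Samba's own); it parses "idmap config DOM:option = value" lines, checks that ldap_user_dn and ldap_base_dn have RFC 4514 type=value shape, flags values wrapped in literal quote characters, and warns when a read-only member binds as a directory-wide administrator. The smb.conf fragment embedded in it is constructed from the post (placeholder domain and DNs), and the reading of the log line dn=""cn=Directory Manager"" as the quote characters having reached the bind DN verbatim is an inference, not a documented Samba guarantee.

```python
"""Sanity-check the idmap LDAP settings in an smb.conf fragment.

Added example, not from the thread or from Samba. Parses the parametric
'idmap config DOM:option = value' lines, validates the bind/base DN shape
(RFC 4514), flags quote-wrapped values and over-privileged bind accounts.
"""
import re

# Constructed smb.conf fragment modelled on the post (placeholder domain/DNs).
SAMPLE_SMB_CONF = """
[global]
   workgroup = MYDOMAIN
   security = domain
   idmap config MYDOMAIN:backend = ldap
   idmap config MYDOMAIN:ldap_url = ldap://pdc.mycompany.com
   idmap config MYDOMAIN:readonly = yes
   idmap config MYDOMAIN:default=no
   idmap config MYDOMAIN:ldap_base_dn = "ou=mydomain,ou=idmap,o=mycompany.com"
   #idmap config MYDOMAIN:ldap_user_dn = uid=jsmith,ou=people,o=mycompany.com
   idmap config MYDOMAIN:ldap_user_dn = "cn=Directory Manager"
   idmap config MYDOMAIN:range = 70000-79999
"""

PARAM_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\S+?)\s*=\s*(.*?)\s*$", re.I)
# RFC 4514 attribute type: descriptor (alpha, then alnum/hyphen) or numeric OID.
ATTR_TYPE_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")
# Directory-wide superuser DNs (Sun DSEE / OpenLDAP defaults); illustrative list.
ADMIN_DN_HINTS = ("cn=directory manager", "cn=manager,", "cn=admin,")


def parse_idmap_config(text):
    """Return {DOMAIN: {option: raw_value}} for every active (uncommented)
    idmap config line. Values keep their quotes: exactly what Samba reads."""
    cfg = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = PARAM_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def check_dn(raw):
    """Return a list of problems with a configured DN; empty means it parses.
    A surrounding pair of quotes is reported because the post's log line
    dn=""cn=Directory Manager"" suggests (assumption) they are sent verbatim."""
    problems = []
    val = raw.strip()
    if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
        problems.append("wrapped in %s quotes; they would be sent as part of the DN" % val[0])
        val = val[1:-1].strip()
    if not val:
        problems.append("empty DN")
        return problems
    for rdn in split_rdns(val):
        for ava in re.split(r"(?<!\\)\+", rdn):  # multi-valued RDNs use '+'
            if "=" not in ava:
                problems.append("RDN %r is not type=value" % ava)
                continue
            typ, value = ava.split("=", 1)
            if not ATTR_TYPE_RE.match(typ.strip()):
                problems.append("bad attribute type in RDN %r" % ava)
            if not value.strip():
                problems.append("empty value in RDN %r" % ava)
    return problems


def audit(cfg):
    """Cross-check each LDAP-backed domain; returns {DOMAIN: [finding, ...]}."""
    findings = {}
    for dom, opts in cfg.items():
        if opts.get("backend", "").lower() != "ldap":
            continue
        out = []
        readonly = opts.get("readonly", "no").lower() in ("yes", "true", "1")
        for key in ("ldap_user_dn", "ldap_base_dn"):
            if key not in opts:
                out.append("%s not set" % key)
                continue
            out.extend("%s: %s" % (key, p) for p in check_dn(opts[key]))
        bare = opts.get("ldap_user_dn", "").strip().strip("\"'").lower()
        if any(h in bare for h in ADMIN_DN_HINTS):
            out.append("ldap_user_dn is a directory superuser account"
                       + ("; readonly = yes needs only read access to the idmap subtree" if readonly else ""))
        findings[dom] = out
    return findings


if __name__ == "__main__":
    for dom, probs in audit(parse_idmap_config(SAMPLE_SMB_CONF)).items():
        print(dom)
        for p in probs:
            print("  -", p)
```

Against the embedded fragment the audit reports the quoted ldap_user_dn, the quoted ldap_base_dn (which would explain a search failing with the same "Invalid DN syntax" even after the bind succeeds), and the superuser bind. On a read-only member the least-privilege shape is a dedicated reader account whose ACI grants only read on the idmap subtree, with its password stored in secrets.tdb via `net idmap secret` rather than Directory Manager's credentials sitting on every file server.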
Gaiseric Vandal
2011-Mar-21 16:21 UTC
[Samba] Samba 3.4.7 can't retrieve idmap infor from ldap
I tried with and without the double quotes. The following commands do work in Linux (it will prompt me for the pw.)

    ldapsearch -D "cn=Directory Manager" -b "" objectclass=* -x -W
    ldapsearch -D "cn=admin,cn=Administrators,cn=config" -h spooky -b "" -x -W

Not sure in smb.conf whether I should ever quote the ldap_user_dn parameter. Maybe it should be quoted if it is an absolute vs relative entry?

On 03/21/2011 11:34 AM, Ayman Tahboub wrote:
> hiya Gaiseric,
>
> one quick note against your binding DN, I think
> it's complaining about having double quotations ""CN=Directory Manager""
>
> on the other side, have you verified binding via a normal LDAPSEARCH command,
> as in ldapsearch -D"CN=directory manager" -b "" objectclass=* ?
>
> hope it helps
>
> /ayman
>
>
> -----Original Message-----
> From: Gaiseric Vandal
> Sent: Thursday, March 17, 2011 20:12
> To: Samba
> Subject: [Samba] Samba 3.4.7 can't retrieve idmap infor from ldap