thr3ads.net - samba - [Samba] Samba 3.4.7 can't retrieve idmap infor from ldap [Mar 2011]

If this information is useful, please help other people find it:
Share via:

Gaiseric Vandal

2011-Mar-17 20:12 UTC

[Samba] Samba 3.4.7 can't retrieve idmap infor from ldap

I am running Samba 3.4.7on Fedora Core 11 Linux.  This is a domain member.

My PDC is Samba 3.4.9 on Solaris 10.  I have LDAP as a backend 
(Sun/Oracle Directory Server 6.)    I have an OU for user accounts, and 
an OU for idmap entries.  The PDC has already populated some idmap entries.

An idmap entry looks like



dn: sambaSID=S-1-5-21-xxxxxxxxxxxxxxx-1121,ou=mydomain,ou 
=idmap,o=mycomany.com
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
uidNumber: 176
sambaSID: S-1-5-21-xxxxxxxxxxxxxxx-1121

The member servers can be read only


In the member server, smb.conf has the following entries

idmap config MYDOMAIN:backend = ldap
idmap config MYDOMAIN:ldap_url = ldap://pdc.mycompany.com
idmap config MYDOMAIN:readonly = yes
idmap config MYDOMAIN:default=no
idmap config MYDOMAIN:ldap_base_dn =
"ou=mydomain,ou=idmap,o=mycompany.com"
#idmap config MYDOMAIN:ldap_user_dn = cn=Directory Manager
#idmap config MYDOMAIN:ldap_user_dn = cn=admin,cn=Administrators,cn=config
idmap config MYDOMAIN:ldap_user_dn = uid=jsmith,ou=people,o=mycompany.com
idmap config MYDOMAIN:range = 70000-79999
idmap config MYDOMAIN:uid = 100 -79999
idmap config MYDOMAIN:gid = 100 -79999





On this machine (FC11 member server), when I run "getent passwd" 
command, log.winbind shows


   failed to bind to server ldap://pdc.mycompany.com with 
dn=""cn=Directory Manager"" Error: Invalid DN syntax
       Invalid DN

On gentent passwd, winbind.log shows

  lib/smbldap.c:890(smbldap_open_connection)
   smbldap_open_connection: connection opened
lib/smbldap.c:1101(smbldap_connect_system)
   ldap_connect_system: successful connection to the LDAP server
winbindd/idmap_ldap.c:1248(idmap_ldap_sids_to_unixids)
   Failure looking up sids (Invalid DN syntax)



If there is NOT an idmap entry already for the user, I get winbind.log 
entries like:

[2011/03/17 12:52:48,  1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
   error getting user id for sid S-1-5-21-xxxxxxxxxxxx-1083
[2011/03/17 12:52:48,  1] winbindd/winbindd_user.c:856(winbindd_getpwent)
   could not lookup domain user jkerry

[2011/03/17 12:52:48,  1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
   error getting user id for sid S-1-5-21-xxxxxxxxxxxx-1044
[2011/03/17 12:52:48,  1] winbindd/winbindd_user.c:856(winbindd_getpwent)
   could not lookup domain user jmcain

It looks like it tried to locate a record via user name or sid.

If there is an idmap entry already for the use I only


[2011/03/17 12:52:48,  1] winbindd/winbindd_user.c:856(winbindd_getpwent)
   could not lookup domain user jsmith


So the samba member server is connecting to the LDAP server and 
retrieving some LDAP information.  But it seems that the LDAP info is 
NOT formatted as expected (thus the Invalid DN Syntax errors.)

The PDC was initially Samba 3.0.x, and I am guessing that the LDAP IDMAP 
syntax changed between 3.0.x and 3.4.x,

I would appreciate advice on this.

Thanks

Gaiseric Vandal

2011-Mar-21 16:21 UTC

head link

[Samba] Samba 3.4.7 can't retrieve idmap infor from ldap

I tried with and without the double quotes.

the following commands do work in linux  (it will prompt me for the pw.)

     ldapserach -D "cn=Directory Manager" -b ""
objectclass=*  -x -W
     ldapsearch -D "cn=admin,cn=Administrators,cn=config" -h spooky -b
""  -x -W

Not sure in smb.conf whether I should ever quote the ldap_user_dn 
parameter.  Maybe it should be quoted if it is an absolute vs relative 
entry?






On 03/21/2011 11:34 AM, Ayman Tahboub wrote:> hiya Gaiseric,
>
> one quick note against your binding DN, I think you
> its complaining about having double quotations ""CN=Directory
Manager""
>
> one the other side, you verified binding via normal LDAPSEARCH command ,
>
> as in ldapserach -D"CN=directory manager" -b ""
objectclass=* ?
>
> hope it helps
>
> /ayman
>
>
> -----Original Message----- From: Gaiseric Vandal Sent: Thursday, March 
> 17, 2011 20:12 To: Samba Subject: [Samba] Samba 3.4.7 can't retrieve 
> idmap infor from ldap
> I am running Samba 3.4.7on Fedora Core 11 Linux.  This is a domain 
> member.
>
> My PDC is Samba 3.4.9 on Solaris 10.  I have LDAP as a backend 
> (Sun/Oracle Directory Server 6.)    I have an OU for user accounts, 
> and an OU for idmap entries.  The PDC has already populated some idmap 
> entries.
>
> An idmap entry looks like
>
>
>
> dn: sambaSID=S-1-5-21-xxxxxxxxxxxxxxx-1121,ou=mydomain,ou 
> =idmap,o=mycomany.com
> objectClass: sambaIdmapEntry
> objectClass: sambaSidEntry
> uidNumber: 176
> sambaSID: S-1-5-21-xxxxxxxxxxxxxxx-1121
>
> The member servers can be read only
>
>
> In the member server, smb.conf has the following entries
>
> idmap config MYDOMAIN:backend = ldap
> idmap config MYDOMAIN:ldap_url = ldap://pdc.mycompany.com
> idmap config MYDOMAIN:readonly = yes
> idmap config MYDOMAIN:default=no
> idmap config MYDOMAIN:ldap_base_dn = 
> "ou=mydomain,ou=idmap,o=mycompany.com"
> #idmap config MYDOMAIN:ldap_user_dn = cn=Directory Manager
> #idmap config MYDOMAIN:ldap_user_dn = 
> cn=admin,cn=Administrators,cn=config
> idmap config MYDOMAIN:ldap_user_dn = uid=jsmith,ou=people,o=mycompany.com
> idmap config MYDOMAIN:range = 70000-79999
> idmap config MYDOMAIN:uid = 100 -79999
> idmap config MYDOMAIN:gid = 100 -79999
>
>
>
>
>
> On this machine (FC11 member server), when I run "getent passwd" 
> command, log.winbind shows
>
>
>   failed to bind to server ldap://pdc.mycompany.com with 
> dn=""cn=Directory Manager"" Error: Invalid DN syntax
>       Invalid DN
>
> On gentent passwd, winbind.log shows
>
>  lib/smbldap.c:890(smbldap_open_connection)
>   smbldap_open_connection: connection opened
> lib/smbldap.c:1101(smbldap_connect_system)
>   ldap_connect_system: successful connection to the LDAP server
> winbindd/idmap_ldap.c:1248(idmap_ldap_sids_to_unixids)
>   Failure looking up sids (Invalid DN syntax)
>
>
>
> If there is NOT an idmap entry already for the user, I get winbind.log 
> entries like:
>
> [2011/03/17 12:52:48,  1] 
> winbindd/winbindd_user.c:97(winbindd_fill_pwent)
>   error getting user id for sid S-1-5-21-xxxxxxxxxxxx-1083
> [2011/03/17 12:52:48,  1] winbindd/winbindd_user.c:856(winbindd_getpwent)
>   could not lookup domain user jkerry
>
> [2011/03/17 12:52:48,  1] 
> winbindd/winbindd_user.c:97(winbindd_fill_pwent)
>   error getting user id for sid S-1-5-21-xxxxxxxxxxxx-1044
> [2011/03/17 12:52:48,  1] winbindd/winbindd_user.c:856(winbindd_getpwent)
>   could not lookup domain user jmcain
>
> It looks like it tried to locate a record via user name or sid.
>
> If there is an idmap entry already for the use I only
>
>
> [2011/03/17 12:52:48,  1] winbindd/winbindd_user.c:856(winbindd_getpwent)
>   could not lookup domain user jsmith
>
>
> So the samba member server is connecting to the LDAP server and 
> retrieving some LDAP information.  But it seems that the LDAP info is 
> NOT formatted as expected (thus the Invalid DN Syntax errors.)
>
> The PDC was initially Samba 3.0.x, and I am guessing that the LDAP 
> IDMAP syntax changed between 3.0.x and 3.4.x,
>
> I would appreciate advice on this.
>
> Thanks
>
>
>
>

Reasonably Related Threads

Search for more possibly parallel threads

samba - Mar 2011 - Samba 3.4.7 can't retrieve idmap infor from ldap

[Samba] Samba 3.4.7 can't retrieve idmap infor from ldap

[Samba] Samba 3.4.7 can't retrieve idmap infor from ldap

Reasonably Related Threads