I figured out a workaround. I used ldbedit on
/var/lib/samba/private/sam.ldb and manually added the attribute "uidNumber:
1000".
I will map it explicitly in nslcd.conf, unlike the example on
the wiki.
Is there any command in the Samba suite to modify this attribute
automatically, without having to edit the LDAP database directly?
On 10/05/2014 10:27 AM, John Lewis wrote:
> I can't get my domain users presented to my local machine with getent
> passwd and the wiki
>
https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
> doesn't give me any steps to troubleshoot this issue. My best guess is that
> I configured the user account incorrectly or I configured nslcd
> incorrectly. I can't see exactly what the problem is.
>
> I get these messages from nslcd when I started it in debug mode and ran
> getent passwd.
>
> nslcd: [7b23c6] DEBUG: connection from pid=19355 uid=500 gid=0
> nslcd: [7b23c6] <passwd(all)> DEBUG:
> myldap_search(base="dc=CORP,dc=oflameo,dc=com",
filter="(objectClass=user)")
> nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_result():
> CN=DRAKEBURNER,OU=Domain Controllers,DC=corp,DC=oflameo,DC=com
> nslcd: [7b23c6] <passwd(all)> CN=DRAKEBURNER,OU=Domain
> Controllers,DC=corp,DC=oflameo,DC=com: uidNumber: missing
> nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_result():
> CN=Administrator,CN=Users,DC=corp,DC=oflameo,DC=com
> nslcd: [7b23c6] <passwd(all)>
> CN=Administrator,CN=Users,DC=corp,DC=oflameo,DC=com: uidNumber: missing
> nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_result():
> CN=ldap-connect,CN=Users,DC=corp,DC=oflameo,DC=com
> nslcd: [7b23c6] <passwd(all)>
> CN=ldap-connect,CN=Users,DC=corp,DC=oflameo,DC=com: uidNumber: missing
> nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_result():
> CN=krbtgt,CN=Users,DC=corp,DC=oflameo,DC=com
> nslcd: [7b23c6] <passwd(all)>
> CN=krbtgt,CN=Users,DC=corp,DC=oflameo,DC=com: uidNumber: missing
> nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_result():
> CN=Guest,CN=Users,DC=corp,DC=oflameo,DC=com
> nslcd: [7b23c6] <passwd(all)>
> CN=Guest,CN=Users,DC=corp,DC=oflameo,DC=com: uidNumber: missing
> nslcd: [7b23c6] <passwd(all)> DEBUG: ldap_result(): end of results (5
total)
>
> This is the ldif of the user account I created.
>
> dictator at drakeburner:~/samba/ldap$ cat ldap-connect.ldif
> # extended LDIF
> #
> # LDAPv3
> # base <cn=ldap-connect,cn=Users,dc=corp,dc=oflameo,dc=com> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # ldap-connect, Users, corp.oflameo.com
> dn: CN=ldap-connect,CN=Users,DC=corp,DC=oflameo,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: ldap-connect
> instanceType: 4
> whenCreated: 20141001025044.0Z
> uSNCreated: 3769
> name: ldap-connect
> objectGUID:: h5Ml10kKGk+tnk+yUkmSbA==
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAJqYPFioPpCmZ5TwaTwQAAA==
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: ldap-connect
> sAMAccountType: 805306368
> objectCategory:
> CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=oflameo,DC=com
> userAccountControl: 512
> pwdLastSet: 130566324840000000
> homeDirectory:: IA==
> whenChanged: 20141005131318.0Z
> uSNChanged: 3777
> distinguishedName: CN=ldap-connect,CN=Users,DC=corp,DC=oflameo,DC=com
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> Here is my nslcd.conf
>
> dictator at drakeburner:~/samba/ldap$ cat /etc/nslcd.conf
> # /etc/nslcd.conf
> # nslcd configuration file. See nslcd.conf(5)
> # for details.
>
> # The user and group nslcd should run as.
> uid nslcd
> gid nslcd
>
> # The location at which the LDAP server(s) should be reachable.
> uri ldap://127.0.0.1:389
>
> # The search base that will be used for all queries.
> base dc=CORP,dc=oflameo,dc=com
>
> # Some settings for AD
> pagesize 1000
> referrals off
>
> # Filters (only required if your accounts don't have
> # objectClass=posixAccount and your groups don't have
> # objectClass=posixGroup. These objectClasses won't be added
> # by ADUC, so they won't be there automatically!)
> filter passwd (objectClass=user)
> filter group (objectClass=group)
>
> # Attribute mappings (depending on your nslcd version, some might not be
> # necessary or can cause errors and can/must be removed)
> map passwd uid sAMAccountName
> map passwd homeDirectory unixHomeDirectory
> map passwd gecos displayName
> map passwd gidNumber primaryGroupID
> map group member member
>
> # Kerberos
> #sasl_mech GSSAPI
> #sasl_realm CORP.OFLAMEO.COM
> #krb5_ccname /tmp/nslcd.tkt
>
> # The LDAP protocol version to use.
> #ldap_version 3
>
> # LDAP bind (account in AD that nslcd uses to bind to the directory)
> binddn cn=ldap-connect,cn=Users,dc=corp,dc=oflameo,dc=com
> bindpw icanread33#
>
> # The DN used for password modifications by root.
> #rootpwmoddn cn=admin,dc=example,dc=com
>
> # SSL options
> #ssl off
> #tls_reqcert never
>
> # The search scope.
> #scope sub
>