Mark Cooke
2016-Feb-04 12:29 UTC
[Samba] What is the equivalent of net idmap secret in samba 4.2 ?
Hi all,

Isn't it always the way that you find what you need after posting a question:

    net idmap set secret '*' password

Cheers,
Mark

From: Mark Cooke
Sent: 04 February 2016 11:43
To: 'samba at lists.samba.org'
Subject: What is the equivalent of net idmap secret in samba 4.2 ?

Hi Everyone,

The documented command in net(8) for setting the LDAP password appears to have gone away in the refactoring between samba 4.1 and 4.2:

    # net idmap secret * password
    Invalid command: net idmap secret

Does someone have a pointer to a method to set the ldap auth credentials with samba 4.2?

Setup:

Domain member server 1 – originally set up using SL7.0, samba 4.1, hosting the ldap server, winbind, bound to AD, net idmap secret * worked fine:

    # yum install samba-winbind samba-winbind-clients pam_krb5
    # authconfig --enablekrb5 --krbkdc=dc.domain --krb5adminserver=dc.domain \
        --krb5realm=REALM --enablewinbind --enablewinbindauth --smbsecurity=ads \
        --smbrealm=REALM --smbservers=dc.domain --smbworkgroup=WORKGROUP \
        --winbindtemplatehomedir=/path/%U --winbindtemplateshell=/bin/bash \
        --enablewinbindusedefaultdomain --update
    # net ads join -U account

Updated the winbind related settings in /etc/samba/smb.conf for ldap backend (see below), and set the idmap LDAP password using: net idmap secret '*' password.

The same process fails on the new server, which is a fully patched Scientific Linux 7.1. Comparing samba package versions shows that SL7.0 shipped with samba 4.1 and SL7.1 is currently using samba 4.2.

I then went back to the existing domain member server, and as it is fully patched and running samba 4.2, 'net idmap' is failing in the same way as the new server.

I have also tried using 'smbpassword -W' but that says ldap admin dn isn't defined.

As I haven't been able to set the credentials, my log.winbindd-idmap is showing:

    [2016/02/04 10:13:06.731517,  0] ../source3/winbindd/idmap_ldap.c:95(get_credentials)
      get_credentials: Unable to fetch auth credentials for cn=Manager,ou=idmap in *

smb.conf:

    [global]
        workgroup = WORKGROUP
        password server = dc.domain
        realm = REALM
        security = ads
        idmap config * : range = 16777216-33554431
        template homedir = /path/%U
        template shell = /bin/bash
        kerberos method = secrets only
        winbind use default domain = true
        winbind offline logon = false
        idmap config * : backend = ldap
        idmap config * : ldap_url = ldaps://ldap-server/
        idmap config * : ldap_base_dn = ou=idmap
        idmap config * : ldap_user_dn = cn=Manager,ou=idmap
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = yes
        winbind offline logon = yes
        winbind cache time = 600
        winbind expand groups = 5
        server string = Samba Server Version %v
        max protocol = SMB2
        passdb backend = tdbsam
        load printers = yes
        cups options = raw

    # rpm -qa | grep samba | sort
    samba-4.2.3-11.el7_2.x86_64
    samba-client-4.2.3-11.el7_2.x86_64
    samba-client-libs-4.2.3-11.el7_2.x86_64
    samba-common-4.2.3-11.el7_2.noarch
    samba-common-libs-4.2.3-11.el7_2.x86_64
    samba-common-tools-4.2.3-11.el7_2.x86_64
    samba-libs-4.2.3-11.el7_2.x86_64
    samba-test-4.2.3-11.el7_2.x86_64
    samba-test-libs-4.2.3-11.el7_2.x86_64
    samba-winbind-4.2.3-11.el7_2.x86_64
    samba-winbind-clients-4.2.3-11.el7_2.x86_64
    samba-winbind-modules-4.2.3-11.el7_2.x86_64

I could go back and install SL7.0, do the samba setup, set the credentials and then update, but that would still leave me with an issue if I needed to change the LDAP password at a future point.

Thanks for any help!

Mark

--
The contents of this email may be privileged and are confidential. It may not be disclosed by, or used, or copied in any way by anyone other than the addressee. If received in error, please notify the sender then delete it from your system. Should you communicate with the sender by email, you consent to The University of Birmingham monitoring and reading any such correspondence.
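
Added example (not part of the original message, and not Samba project code): a small shell helper that reads an smb.conf and lists every idmap domain configured with the ldap backend together with its ldap_user_dn, i.e. the domain/DN pairs that need a stored secret via "net idmap set secret" on samba 4.2. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Print "<domain><TAB><ldap_user_dn>" for each idmap domain whose backend is
# ldap. Reads the file given as $1, or stdin when no file is given.
idmap_ldap_domains() {
    awk '
        # Match "idmap config <domain> : <option> = <value>"
        /^[ \t]*idmap config[ \t]+/ {
            line = $0
            sub(/^[ \t]*idmap config[ \t]+/, "", line)
            colon = index(line, ":")      # first colon ends the domain name
            if (colon == 0) next
            dom  = substr(line, 1, colon - 1)
            rest = substr(line, colon + 1)
            eq = index(rest, "=")
            if (eq == 0) next
            opt = substr(rest, 1, eq - 1)
            val = substr(rest, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", dom)
            gsub(/^[ \t]+|[ \t]+$/, "", opt)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (opt == "backend")      backend[dom] = val
            if (opt == "ldap_user_dn") dn[dom] = val
        }
        END {
            # "-" marks an ldap domain with no ldap_user_dn configured
            for (d in backend)
                if (backend[d] == "ldap")
                    printf "%s\t%s\n", d, (d in dn ? dn[d] : "-")
        }
    ' "${1:--}" | LC_ALL=C sort
}

# Constructed sample smb.conf fragment (EXAMPLE and LAB are made-up domains).
sample_conf() {
    cat <<'EOF'
[global]
    idmap config * : backend = ldap
    idmap config * : ldap_url = ldaps://ldap-server/
    idmap config * : ldap_user_dn = cn=Manager,ou=idmap
    idmap config * : range = 16777216-33554431
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 100000-199999
    idmap config LAB : backend = ldap
EOF
}

sample_conf | idmap_ldap_domains
```

On a real member server, run it as: idmap_ldap_domains /etc/samba/smb.conf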