On Sun, 25 Mar 2018 08:01:57 +1300 Andrew Bartlett <abartlet at samba.org> wrote:

> On Sat, 2018-03-24 at 12:50 +0000, Praveen Ghimire via samba wrote:
> > Hi Rowland,
> >
> > I did that initially and that came with
> > Failed to connect to ldap URL 'ldap://lin-pdc.lin - LDAP client
> > internal error: NT_STATUS_BAD_NETWORK_NAME Hence I removed the
> > whole ldap:// bit
> >
> > After your email I tried again but using ldap://localhost and it
> > seems to have worked. Not sure what the issue is with the fqdn. I
> > could run ldap queries when using fqdn.
> >
>
> This patch should fix it.
>
> Praveen can you test it?
>
> Rowland, after Praveen has tested it, perhaps you would like to review
> it? We don't have the infrastructure for a test against the LDAP
> backend (a long-standing problem) so sadly there is no automatic
> test.
>
> Thanks,
>
> Andrew Bartlett
>

Hi Andrew, but what if the ldap server isn't on localhost?

Praveen's smb.conf had this:

idmap config *: ldap_url = ldap://lin-pdc.lin/

This is valid, so it looks like the 'idmap config' lines need to be
parsed as well. Check if 'ldapsam' contains the URL, if not parse the
'idmap config' lines for the URL and then, if still not found, fall
back to 'localhost'

Rowland

On Sat, 2018-03-24 at 20:00 +0000, Rowland Penny via samba wrote:

> On Sun, 25 Mar 2018 08:01:57 +1300
> Andrew Bartlett <abartlet at samba.org> wrote:
>
> > On Sat, 2018-03-24 at 12:50 +0000, Praveen Ghimire via samba wrote:
> > > Hi Rowland,
> > >
> > > I did that initially and that came with
> > > Failed to connect to ldap URL 'ldap://lin-pdc.lin - LDAP client
> > > internal error: NT_STATUS_BAD_NETWORK_NAME Hence I removed the
> > > whole ldap:// bit
> > >
> > > After your email I tried again but using ldap://localhost and it
> > > seems to have worked. Not sure what the issue is with the fqdn. I
> > > could run ldap queries when using fqdn.
> > >
> >
> > This patch should fix it.
> >
> > Praveen can you test it?
> >
> > Rowland, after Praveen has tested it, perhaps you would like to review
> > it? We don't have the infrastructure for a test against the LDAP
> > backend (a long-standing problem) so sadly there is no automatic
> > test.
> >
> > Thanks,
> >
> > Andrew Bartlett
> >
>
> Hi Andrew, but what if the ldap server isn't on localhost?

Then there would have needed to be a server specified in the passdb
backend option.

> Praveen's smb.conf had this:
>
> idmap config *: ldap_url = ldap://lin-pdc.lin/
>
> This is valid, so it looks like the 'idmap config' lines need to be
> parsed as well. Check if 'ldapsam' contains the URL, if not parse the
> 'idmap config' lines for the URL and then, if still not found, fall
> back to 'localhost'

It is unclear to me what exactly is going on in this
configuration (passdb and idmap should be pointing at the same server
in most configurations).

However it doesn't change what passdb is pointing at, and for the
moment I don't want to make it more complex, while respecting in
python the default from the C code.

As background: when I wrote the upgrade code I wasn't aware of the
localhost default, as I've always used ldapi:// on local connections.

I hope this clarifies things,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On Sun, 25 Mar 2018 17:53:31 +1300 Andrew Bartlett <abartlet at samba.org> wrote:

> On Sat, 2018-03-24 at 20:00 +0000, Rowland Penny via samba wrote:
> > On Sun, 25 Mar 2018 08:01:57 +1300
> > Andrew Bartlett <abartlet at samba.org> wrote:
> >
> > > On Sat, 2018-03-24 at 12:50 +0000, Praveen Ghimire via samba
> > > wrote:
> > > > Hi Rowland,
> > > >
> > > > I did that initially and that came with
> > > > Failed to connect to ldap URL 'ldap://lin-pdc.lin - LDAP client
> > > > internal error: NT_STATUS_BAD_NETWORK_NAME Hence I removed the
> > > > whole ldap:// bit
> > > >
> > > > After your email I tried again but using ldap://localhost and it
> > > > seems to have worked. Not sure what the issue is with the fqdn.
> > > > I could run ldap queries when using fqdn.
> > > >
> > >
> > > This patch should fix it.
> > >
> > > Praveen can you test it?
> > >
> > > Rowland, after Praveen has tested it, perhaps you would like to
> > > review it? We don't have the infrastructure for a test against
> > > the LDAP backend (a long-standing problem) so sadly there is no
> > > automatic test.
> > >
> > > Thanks,
> > >
> > > Andrew Bartlett
> > >
> >
> > Hi Andrew, but what if the ldap server isn't on localhost?
>
> Then there would have needed to be a server specified in the passdb
> backend option.
>
> > Praveen's smb.conf had this:
> >
> > idmap config *: ldap_url = ldap://lin-pdc.lin/
> >
> > This is valid, so it looks like the 'idmap config' lines need to be
> > parsed as well. Check if 'ldapsam' contains the URL, if not parse
> > the 'idmap config' lines for the URL and then, if still not found,
> > fall back to 'localhost'
>
> It is unclear to me what exactly is going on in this
> configuration (passdb and idmap should be pointing at the same server
> in most configurations).
>
> However it doesn't change what passdb is pointing at, and for the
> moment I don't want to make it more complex, while respecting in
> python the default from the C code.
>
> As background: when I wrote the upgrade code I wasn't aware of the
> localhost default, as I've always used ldapi:// on local connections.
>
> I hope this clarifies things,
>
> Andrew Bartlett

Yes, after reading man smb.conf, I find you are quite correct and I
think this probably explains why I couldn't get an NT4-style domain
Unix domain member to work. The 'passdb backend = ldapsam' line was
trying to connect to 'localhost' and the
'idmap config *: ldap_url ldap://PDC.FQDN/' line was trying to connect
to the PDC.

Rowland
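
A configuration check for the mismatch described in this thread, added here as an example (it is not Samba's code and not from any poster): it resolves the server that `passdb backend = ldapsam` points at, applying the `ldap://localhost` default when no URL is given, and reports `idmap config ... ldap_url` entries that name a different server. The function names and the sample smb.conf are constructed for illustration; include files and per-share sections are not handled.

```python
import re
from urllib.parse import urlsplit

DEFAULT_LDAPSAM_URL = "ldap://localhost"  # default the thread describes for a bare ldapsam
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
# Constructed sample modelled on the settings quoted in the thread.
SAMPLE = """
[global]
    passdb backend = ldapsam
    idmap config *: ldap_url = ldap://lin-pdc.lin/
"""

def parse_globals(text):
    """Collect [global] parameters, keys lower-cased with whitespace collapsed."""
    params, section = {}, "global"
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def passdb_ldap_urls(params):
    """URLs ldapsam will use; empty list if passdb backend is not ldapsam."""
    name, _, arg = params.get("passdb backend", "").partition(":")
    if name.strip().lower() != "ldapsam":
        return []
    return arg.strip().strip('"').split() or [DEFAULT_LDAPSAM_URL]

def endpoint(url):
    """Reduce a URL to (scheme, host, port) so trailing slashes do not matter."""
    p = urlsplit(url)
    return p.scheme.lower(), (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme.lower())

def idmap_mismatches(text):
    """Return (domain, idmap_url, passdb_urls) for idmap domains on another server."""
    params = parse_globals(text)
    passdb = passdb_ldap_urls(params)
    known = {endpoint(u) for u in passdb}
    found = []
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (.+?) ?: ?ldap_url", key)
        if m and passdb and endpoint(value) not in known:
            found.append((m.group(1), value, passdb))
    return found
```

Running `idmap_mismatches` over a real smb.conf before a `samba-tool domain classicupgrade` or when debugging an NT4-style member shows at a glance whether the two LDAP settings disagree.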