Post #9 by pschaff (Moderator, joined 2006/12/13, from Tidewater, Virginia, North America, 18773 posts)
Re: [SOLVED] CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind
Thanks for reporting back. Marking this thread [SOLVED] for posterity.

Post #8 by browley (Newbie, joined 2012/3/20, 5 posts)
[SOLVED] Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind
Success! During my re-vamp of /etc/samba/smb.conf, I had blanked the ldap suffix. I had read some random forum post that suggested doing this may help generate the SID. Again, no idea if this was why the SID generated, but I left the ldap suffix blank. However, when I was trying to view the groupmap, I was getting "ldapsam_enum_group_mapping: Unable to open passdb" because samba had no way of knowing correct LDAP root (durrrrrr). So I went back and edited my /etc/samba/smb.conf and set the suffix from "ldap suffix = " to "ldap suffix = dc=bob,dc=local". Restarted samba and can now see groups. Anyhow, there are still a few more things I need to nitpick through but my main issue is solved. I hope some of this info helps someone who also finds themselves bashing their head against a wall.

Post #7 by browley (Newbie, joined 2012/3/20, 5 posts)
Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind
From what I've read, the SID is generated via Samba and has to be put in smbldap.conf before running smbldap-populate. From many of the guides I was following, they actually wanted to generate the SID before running smbldap-populate. Either way, I ran the command and here's what I got:
$ sudo smbldap-populate
Unable to determine domain SID: please edit your smbldap.conf, or start your samba server for a few minutes to allow for SID generation to proceed
Compilation failed in require at /usr/sbin/smbldap-populate line 33.
BEGIN failed--compilation aborted at /usr/sbin/smbldap-populate line 33.
So, in frustration, I decided to start over with the samba portion. I stopped samba and deleted my secrets.tdb and regenerated it:
$ sudo /etc/init.d/smb stop
$ sudo rm -rf /var/lib/samba/private/secrets.tdb
$ sudo /usr/bin/smbpasswd -W
I also re-set root's pw to match my cn=root,dc=bob,dc=local password. Then, I completely re-configured my smb.conf from the Samba admin guide. I then re-ran authconfig-tui to make sure it was correct. I also was reading about configure.pl from smbldap-tools guide above and realized I had never run it so I did that:
$ sudo cp /usr/share/doc/smbldap-tools-0.9.6/configure.pl /etc/smbldap-tools
$ sudo chmod +x /etc/smbldap-tools
$ sudo /etc/smbldap-tools/configure.pl
Initially, it had a problem on one of the lines running pidof so I added /sbin to root's $PATH. Then I gave "net getlocalsid" a shot and it freakin' worked! I almost fell out of my chair. I added the SID to /etc/smbldap-tools/slapd.conf and then ran /usr/sbin/smbldap-populate without a problem. At that point I started samba without an issue. I still do not know what fixed the problem and am in a bit of shock. However, I am not out of the woods just yet:
$ sudo net groupmap list
[2012/04/02 16:46:53.128000, 0] passdb/pdb_ldap.c:3448(ldapsam_setsamgrent)
ldapsam_setsamgrent: LDAP search failed: No such object
[2012/04/02 16:46:53.128134, 0] passdb/pdb_ldap.c:3523(ldapsam_enum_group_mapping)
ldapsam_enum_group_mapping: Unable to open passdb
From the googles, it looks like this is either an auth problem or the user object is not the right type. I'm a bit overwhelmed with Samba/LDAP today but will take another look tomorrow. If anyone else has any ideas please let me know.

Post #6 by gulikoza (Regular Board Member, joined 2007/5/6, 87 posts)
Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind
Well if you cleared the LDAP db there's obviously no SID inside. You need to re-run smbldap-populate.

Post #5 by browley (Newbie, joined 2012/3/20, 5 posts)
Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind
OK, some more info, because I'm still stumped. So I deleted the OpenLDAP db (removed everything in /var/lib/ldap) and started anew. Got the instance up and running and figured out how to revert the log. Right now I only have the root user:
$ /usr/sbin/slapcat
dn: dc=bob,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: bob
dc: bob
structuralObjectClass: organization
entryUUID: b4589b6c-0bd1-1031-8df1-25b31779b23b
creatorsName: cn=root,dc=bob,dc=local
createTimestamp: 20120326205503Z
entryCSN: 20120326205503Z#000000#00#000000
modifiersName: cn=root,dc=bob,dc=local
modifyTimestamp: 20120326205503Z
dn: cn=root,dc=bob,dc=local
objectClass: organizationalRole
cn: root
structuralObjectClass: organizationalRole
entryUUID: b4766692-0bd1-1031-8df2-25b31779b23b
creatorsName: cn=root,dc=bob,dc=local
createTimestamp: 20120326205503Z
entryCSN: 20120326205503Z#000001#00#000000
modifiersName: cn=root,dc=bob,dc=local
Here's a search on localhost:
ldapsearch -x -s base -b "" -h 127.0.0.1 -D cn=root,dc=bob,dc=local -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
Re-ran smbpasswd, then I tried to get the SID, and I no longer get the failed-to-bind error, so I feel like I'm getting very close. I ran the net command in debug mode:
$ net getlocalsid -d 10
[2012/03/27 09:16:40, 5] lib/debug.c:405(debug_dump_status)
INFO: Current debug levels:
all: True/10
tdb: False/0
printdrivers: False/0
lanman: False/0
smb: False/0
rpc_parse: False/0
rpc_srv: False/0
rpc_cli: False/0
passdb: False/0
sam: False/0
auth: False/0
winbind: False/0
vfs: False/0
idmap: False/0
quota: False/0
acls: False/0
locking: False/0
msdfs: False/0
dmapi: False/0
registry: False/0
[2012/03/27 09:16:40, 3] param/loadparm.c:9180(lp_load_ex)
lp_load_ex: refreshing parameters
[2012/03/27 09:16:40, 3] param/loadparm.c:4948(init_globals)
Initialising global parameters
[2012/03/27 09:16:40, 2] param/loadparm.c:4807(max_open_files)
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
[2012/03/27 09:16:40.228633, 3] ../lib/util/params.c:550(pm_process)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2012/03/27 09:16:40.228688, 3] param/loadparm.c:7864(do_section)
Processing section "[global]"
doing parameter workgroup = bob
doing parameter netbios name = dc1
[2012/03/27 09:16:40.228756, 4] param/loadparm.c:7226(handle_netbios_name)
handle_netbios_name: set global_myname to: DC1
doing parameter interfaces = eth0
doing parameter bind interfaces only = No
doing parameter passdb backend = ldapsam:ldap://localhost
doing parameter client NTLMv2 auth = Yes
doing parameter client lanman auth = No
doing parameter client plaintext auth = No
doing parameter log level = 2
doing parameter syslog = 1
doing parameter log file = /var/log/samba/%m
doing parameter max log size = 0
doing parameter smb ports = 139 445
doing parameter name resolve order = wins
doing parameter time server = Yes
doing parameter server signing = auto
doing parameter add user script = /usr/sbin/smbldap-useradd -m '%u'
doing parameter add group script = /usr/sbin/smbldap-groupadd '%g'
doing parameter add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
doing parameter set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
doing parameter add machine script = /usr/sbin/smbldap-useradd -w '%u'
doing parameter logon path =
doing parameter logon home =
doing parameter domain logons = Yes
doing parameter os level = 34
doing parameter preferred master = Yes
doing parameter domain master = Yes
doing parameter wins support = Yes
doing parameter ldap admin dn = "cn=root,dc=bob,dc=local"
doing parameter ldap user suffix = ou=People
doing parameter ldap group suffix = ou=Group
doing parameter ldap idmap suffix = ou=Idmap
doing parameter ldap machine suffix = ou=Hosts
doing parameter ldap passwd sync = Yes
doing parameter ldap suffix = dc=bob,dc=local
doing parameter ldap ssl = no
doing parameter ldap timeout = 100
doing parameter idmap backend = ldap:ldap://localhost
doing parameter idmap uid = 15000-20000
doing parameter idmap gid = 15000-20000
doing parameter winbind nested groups = Yes
doing parameter nt acl support = yes
doing parameter ea support = Yes
doing parameter inherit acls = Yes
doing parameter nt acl support = Yes
doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
[2012/03/27 09:16:40.230149, 4] param/loadparm.c:9215(lp_load_ex)
pm_process() returned Yes
[2012/03/27 09:16:40.230192, 7] param/loadparm.c:9421(lp_servicenumber)
lp_servicenumber: couldn't find homes
[2012/03/27 09:16:40.230230, 10] param/loadparm.c:8425(set_server_role)
set_server_role: role = ROLE_DOMAIN_PDC
[2012/03/27 09:16:40.230268, 5] lib/iconv.c:104(smb_register_charset)
Attempting to register new charset UCS-2LE
[2012/03/27 09:16:40.230299, 5] lib/iconv.c:112(smb_register_charset)
Registered charset UCS-2LE
[2012/03/27 09:16:40.230326, 5] lib/iconv.c:104(smb_register_charset)
Attempting to register new charset UTF-16LE
[2012/03/27 09:16:40.230357, 5] lib/iconv.c:112(smb_register_charset)
Registered charset UTF-16LE
[2012/03/27 09:16:40.230383, 5] lib/iconv.c:104(smb_register_charset)
Attempting to register new charset UCS-2BE
[2012/03/27 09:16:40.230409, 5] lib/iconv.c:112(smb_register_charset)
Registered charset UCS-2BE
[2012/03/27 09:16:40.230435, 5] lib/iconv.c:104(smb_register_charset)
Attempting to register new charset UTF-16BE
[2012/03/27 09:16:40.230465, 5] lib/iconv.c:112(smb_register_charset)
Registered charset UTF-16BE
[2012/03/27 09:16:40.230489, 5] lib/iconv.c:104(smb_register_charset)
Attempting to register new charset UTF8
[2012/03/27 09:16:40.230516, 5] lib/iconv.c:112(smb_register_charset)
Registered charset UTF8
[2012/03/27 09:16:40.230540, 5] lib/iconv.c:104(smb_register_charset)
Attempting to register new charset UTF-8
[2012/03/27 09:16:40.230564, 5] lib/iconv.c:112(smb_register_charset)
Registered charset UTF-8
[2012/03/27 09:16:40.230591, 5] lib/iconv.c:104(smb_register_charset)
Attempting to register new charset ASCII
[2012/03/27 09:16:40.230621, 5] lib/iconv.c:112(smb_register_charset)
Registered charset ASCII
[2012/03/27 09:16:40.230647, 5] lib/iconv.c:104(smb_register_charset)
Attempting to register new charset 646
[2012/03/27 09:16:40.230675, 5] lib/iconv.c:112(smb_register_charset)
Registered charset 646
[2012/03/27 09:16:40.230701, 5] lib/iconv.c:104(smb_register_charset)
Attempting to register new charset ISO-8859-1
[2012/03/27 09:16:40.230725, 5] lib/iconv.c:112(smb_register_charset)
Registered charset ISO-8859-1
[2012/03/27 09:16:40.230754, 5] lib/iconv.c:104(smb_register_charset)
Attempting to register new charset UCS2-HEX
[2012/03/27 09:16:40.230781, 5] lib/iconv.c:112(smb_register_charset)
Registered charset UCS2-HEX
[2012/03/27 09:16:40.230841, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231165, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231245, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231293, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231339, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231387, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231429, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231487, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231537, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231581, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231659, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231772, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231844, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231936, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.232045, 5] lib/util.c:276(init_names)
Netbios name list:-
my_netbios_names[0]="DC1"
[2012/03/27 09:16:40.232236, 2] lib/interface.c:340(add_interface)
added interface eth0 ip=fe80::6631:50ff:fed3:f1f5%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
[2012/03/27 09:16:40.232370, 2] lib/interface.c:340(add_interface)
added interface eth0 ip=192.168.101.17 bcast=192.168.101.255 netmask=255.255.255.0
[2012/03/27 09:16:40.232443, 5] passdb/pdb_interface.c:63(smb_register_passdb)
Attempting to register passdb backend ldapsam
[2012/03/27 09:16:40.232487, 5] passdb/pdb_interface.c:76(smb_register_passdb)
Successfully added passdb backend 'ldapsam'
[2012/03/27 09:16:40.232515, 5] passdb/pdb_interface.c:63(smb_register_passdb)
Attempting to register passdb backend ldapsam_compat
[2012/03/27 09:16:40.232544, 5] passdb/pdb_interface.c:76(smb_register_passdb)
Successfully added passdb backend 'ldapsam_compat'
[2012/03/27 09:16:40.232573, 5] passdb/pdb_interface.c:63(smb_register_passdb)
Attempting to register passdb backend NDS_ldapsam
[2012/03/27 09:16:40.232601, 5] passdb/pdb_interface.c:76(smb_register_passdb)
Successfully added passdb backend 'NDS_ldapsam'
[2012/03/27 09:16:40.232628, 5] passdb/pdb_interface.c:63(smb_register_passdb)
Attempting to register passdb backend NDS_ldapsam_compat
[2012/03/27 09:16:40.232654, 5] passdb/pdb_interface.c:76(smb_register_passdb)
Successfully added passdb backend 'NDS_ldapsam_compat'
[2012/03/27 09:16:40.232690, 5] passdb/pdb_interface.c:63(smb_register_passdb)
Attempting to register passdb backend smbpasswd
[2012/03/27 09:16:40.232720, 5] passdb/pdb_interface.c:76(smb_register_passdb)
Successfully added passdb backend 'smbpasswd'
[2012/03/27 09:16:40.232748, 5] passdb/pdb_interface.c:63(smb_register_passdb)
Attempting to register passdb backend tdbsam
[2012/03/27 09:16:40.232774, 5] passdb/pdb_interface.c:76(smb_register_passdb)
Successfully added passdb backend 'tdbsam'
[2012/03/27 09:16:40.232802, 5] passdb/pdb_interface.c:63(smb_register_passdb)
Attempting to register passdb backend wbc_sam
[2012/03/27 09:16:40.232833, 5] passdb/pdb_interface.c:76(smb_register_passdb)
Successfully added passdb backend 'wbc_sam'
[2012/03/27 09:16:40.232861, 5] passdb/pdb_interface.c:133(make_pdb_method_name)
Attempting to find a passdb backend to match ldapsam:ldap://localhost (ldapsam)
[2012/03/27 09:16:40.232893, 5] passdb/pdb_interface.c:154(make_pdb_method_name)
Found pdb backend ldapsam
[2012/03/27 09:16:40.232955, 2] lib/smbldap_util.c:277(smbldap_search_domain_info)
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=BOB))]
[2012/03/27 09:16:40.233013, 5] lib/smbldap.c:1360(smbldap_search_ext)
smbldap_search_ext: base => [dc=bob,dc=local], filter => [(&(objectClass=sambaDomain)(sambaDomainName=BOB))], scope => [2]
[2012/03/27 09:16:40.233076, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233132, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233181, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233230, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233275, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233316, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233358, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233402, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233446, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233488, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233537, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233590, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233637, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233685, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233758, 5] lib/smbldap.c:1262(smbldap_close)
The connection to the LDAP server was closed
[2012/03/27 09:16:40.233790, 10] lib/smbldap.c:751(smb_ldap_setup_conn)
smb_ldap_setup_connection: ldap://localhost
[2012/03/27 09:16:40.234270, 2] lib/smbldap.c:950(smbldap_open_connection)
smbldap_open_connection: connection opened
[2012/03/27 09:16:40.234472, 10] lib/smbldap.c:1120(smbldap_connect_system)
ldap_connect_system: Binding to ldap server ldap://localhost as "cn=root,dc=bob,dc=local"
[2012/03/27 09:16:40.235501, 3] lib/smbldap.c:1862(smbldap_check_root_dse)
smbldap_check_root_dse: Expected one rootDSE, got 0
[2012/03/27 09:16:40.235545, 3] lib/smbldap.c:1166(smbldap_connect_system)
ldap_connect_system: successful connection to the LDAP server
ldap_connect_system: LDAP server does not support paged results
[2012/03/27 09:16:40.235584, 4] lib/smbldap.c:1242(smbldap_open)
The LDAP server is successfully connected
[2012/03/27 09:16:40.236150, 5] passdb/pdb_interface.c:165(make_pdb_method_name)
pdb backend ldapsam:ldap://localhost has a valid init
[2012/03/27 09:16:40.236253, 0] utils/net.c:264(net_getlocalsid)
Can't fetch domain SID for name: DC1
[2012/03/27 09:16:40.271436, 2] utils/net.c:916(main)
return code = 1
[2012/03/27 09:16:40.271512, 5] lib/gencache.c:65(gencache_init)
Opening cache file at /var/lib/samba/gencache.tdb
[2012/03/27 09:16:40.271655, 5] lib/gencache.c:108(gencache_init)
Opening cache file at /var/lib/samba/gencache_notrans.tdb
When I tail the logs, here's what happens when I run the net getlocalsid command. While it no longer gives me the same message, this time it just says cannot fetch SID. Here is the output from the log:
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 fd=17 ACCEPT from IP=127.0.0.1:55999 (IP=0.0.0.0:389)
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=0 BIND dn="cn=root,dc=bob,dc=local" method=128
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=0 BIND dn="cn=root,dc=bob,dc=local" mech=SIMPLE ssf=0
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=0 RESULT tag=97 err=0 text=
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=1 SRCH attr=supportedControl
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=2 SRCH base="dc=bob,dc=local" scope=2 deref=0 filter="(&(objectClass=sambaDomain)(sambaDomainName=bob))"
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=2 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
Mar 27 09:34:21 dc1 slapd[15629]: <= bdb_equality_candidates: (sambaDomainName) not indexed
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 fd=17 closed (connection lost)
Based on this, does anyone else have any more ideas? Thanks again.
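The slapd stats log quoted in this post is the most direct place to see whether Samba's bind succeeded and what its sambaDomain lookup returned. The following Python script is an added example written for this thread, not code from the poster or from Samba or OpenLDAP. It parses constructed log lines modelled on the conn=51387 lines above, plus a constructed second connection (conn=51388) with a failed bind for contrast, and summarises per connection: the bind DN and its result code (49 is LDAP invalidCredentials), whether the root DSE search (base "" scope 0) returned an entry, and whether the sambaDomain search under the suffix found anything.

```python
import re
from collections import defaultdict

# Constructed sample: conn=51387 follows the lines quoted in the thread,
# conn=51388 is an invented connection whose simple bind is rejected.
SAMPLE_LOG = """\
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 fd=17 ACCEPT from IP=127.0.0.1:55999 (IP=0.0.0.0:389)
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=0 BIND dn="cn=root,dc=bob,dc=local" method=128
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=0 BIND dn="cn=root,dc=bob,dc=local" mech=SIMPLE ssf=0
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=0 RESULT tag=97 err=0 text=
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=1 SRCH attr=supportedControl
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=2 SRCH base="dc=bob,dc=local" scope=2 deref=0 filter="(&(objectClass=sambaDomain)(sambaDomainName=bob))"
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 fd=17 closed (connection lost)
Mar 27 09:40:02 dc1 slapd[15629]: conn=51388 fd=18 ACCEPT from IP=127.0.0.1:56010 (IP=0.0.0.0:389)
Mar 27 09:40:02 dc1 slapd[15629]: conn=51388 op=0 BIND dn="cn=root,dc=bob,dc=local" method=128
Mar 27 09:40:02 dc1 slapd[15629]: conn=51388 op=0 RESULT tag=97 err=49 text=
Mar 27 09:40:02 dc1 slapd[15629]: conn=51388 fd=18 closed (connection lost)
"""

LINE_RE = re.compile(r'conn=(?P<conn>\d+) (?P<rest>.*)$')
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<body>.*)$')
# key=value pairs; quoted values may contain spaces, '=' and parentheses
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def _kv(body):
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


def parse_slapd_log(text):
    """Return {conn_id: {'bind_dn', 'bind_err', 'searches': [...]}} from stats-log lines."""
    conns = defaultdict(lambda: {'bind_dn': None, 'bind_err': None,
                                 'searches': [], 'pending': {}})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn = conns[m.group('conn')]
        om = OP_RE.match(m.group('rest'))
        if not om:
            continue  # ACCEPT / closed lines carry no op number
        op, body = om.group('op'), om.group('body')
        if body.startswith('BIND '):
            kv = _kv(body[5:])
            if 'dn' in kv:
                conn['bind_dn'] = kv['dn']
                conn['pending'][op] = 'bind'
        elif body.startswith('SRCH '):
            kv = _kv(body[5:])
            if 'base' in kv:  # the "SRCH attr=" continuation line has no base
                conn['pending'][op] = {'base': kv['base'], 'scope': int(kv['scope']),
                                       'filter': kv.get('filter', '')}
        elif body.startswith('SEARCH RESULT '):
            kv = _kv(body)
            srch = conn['pending'].pop(op, None)
            if isinstance(srch, dict):
                srch.update(err=int(kv['err']), nentries=int(kv['nentries']))
                conn['searches'].append(srch)
        elif body.startswith('RESULT '):
            kv = _kv(body)
            if conn['pending'].pop(op, None) == 'bind':
                conn['bind_err'] = int(kv['err'])
    return {c: {k: v for k, v in d.items() if k != 'pending'} for c, d in conns.items()}


def diagnose(text):
    """Per-connection findings a Samba/LDAP admin would look for first."""
    findings = {}
    for conn, info in parse_slapd_log(text).items():
        notes = []
        if info['bind_err'] is None:
            notes.append('no bind result seen')
        elif info['bind_err'] != 0:
            notes.append(f"bind as {info['bind_dn']} failed, err={info['bind_err']}"
                         + (' (invalidCredentials)' if info['bind_err'] == 49 else ''))
        else:
            notes.append(f"bind as {info['bind_dn']} succeeded")
        for s in info['searches']:
            if s['base'] == '' and s['scope'] == 0 and s['nentries'] == 0:
                notes.append('root DSE search returned no entry')
            if 'objectClass=sambaDomain' in s['filter']:
                if s['nentries'] == 0:
                    notes.append(f"no sambaDomain entry under {s['base']}")
                else:
                    notes.append(f"sambaDomain entry found under {s['base']}")
        findings[conn] = notes
    return findings


if __name__ == '__main__':
    for conn, notes in diagnose(SAMPLE_LOG).items():
        print(f'conn={conn}:')
        for n in notes:
            print('  ' + n)
```

Run against a real log with `diagnose(open('/var/log/slapd.log').read())`; a bind with err=49 is the "Invalid credentials" case from earlier in the thread, while err=0 followed by a sambaDomain search with nentries=0 points at the directory contents rather than the bind.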

Post #4 by gulikoza (Regular Board Member, joined 2007/5/6, 87 posts)
Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind
Hmm, not really. This should work. Perhaps try checking slapd log for any additional information?

Post #3 by browley (Newbie, joined 2012/3/20, 5 posts)
Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind
Thanks for the reply. I had set it but I tried it again anyway:
$ sudo smbpasswd -w <passwd here>
Setting stored password for "cn=root,dc=bob,dc=local" in secrets.tdb
$ sudo net getlocalsid
[2012/03/22 09:24:02.008821, 0, pid=9544, effective(0, 0), real(0, 0)] lib/smbldap.c:1151(smbldap_connect_system)
failed to bind to server ldap://localhost with dn="cn=root,dc=bob,dc=local" Error: Invalid credentials
Any other ideas?

Post #2 by gulikoza (Regular Board Member, joined 2007/5/6, 87 posts)
Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind
Samba LDAP password is set with smbpasswd -w, not read from smbldap_bind.conf. And sadly, I don't think you can vampire AD, I think it works only with NT4 domains but I might be wrong (never tried it myself).

Post #1 by browley (Newbie, joined 2012/3/20, 5 posts)
[SOLVED] CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind
Hi All. I am having a heck of a time getting OpenLDAP and Samba to play nice on a CentOS box so I can eventually Vampire our AD server and promote the CentOS box as PDC. I know all the risks + politics involved, but I'm willing to make the jump. I've got an initial small OpenLDAP instance set up. Let's assume my domain is called "bob.local".
/etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=root,dc=bob,dc=local" write
    by * none
access to attrs=shadowLastChange
    by self write
    by anonymous auth
    by dn.base="cn=root,dc=bob,dc=local" write
    by * none
access to *
    by self write
    by dn.base="cn=root,dc=bob,dc=local" write
    by users read
database bdb
suffix "dc=bob,dc=local"
rootdn "cn=root,dc=bob,dc=local"
rootpw {SSHA}<edited via paranoia>
password-hash {SSHA}
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
smb.conf
# Global parameters
[global]
workgroup = BOB
netbios name = dc1
deadtime = 10
log level = 10
log file = /var/log/samba/log.%m
max log size = 5000
debug pid = yes
debug uid = yes
syslog = 0
utmp = yes
security = user
domain logons = yes
domain master = no
os level = 64
logon path =
logon home =
logon drive =
logon script =
passdb backend = ldapsam:ldap://localhost
ldap ssl = off
ldap admin dn = cn=root,dc=bob,dc=local
ldap delete dn = no
## Sync UNIX password with Samba password
## Method 1:
ldap password sync = yes
## Method 2:
;ldap password sync = no
;unix password sync = yes
;passwd program = /usr/sbin/smbldap-passwd -u '%u'
;passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
obey pam restrictions = no
ldap suffix = dc=bob,dc=local
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
idmap backend = ldapsam:ldap://localhost
idmap uid = 15000-20000
idmap gid = 15000-20000
add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
delete user script = /usr/sbin/smbldap-userdel '%u'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1
enable privileges = yes
username map = /etc/samba/smbusers
nt acl support = yes
<cut for sanity>
/etc/smbldap-tools/smbldap.conf
SID="S-1-5-21-599962346-blah"
sambaDomain="bob.local"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
ldapSSL="0"
verify="none"
suffix="dc=bob,dc=local"
usersdn="ou=People,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Group,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\DC1.BOB.LOCAL\%U"
userHomeDrive="H:"
userScript="logon.bat"
mailDomain="bob.local"
with_smbpasswd="0"
smbpasswd="/usr/sbin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
/etc/smbldap-tools/smbldap_bind.conf
slaveDN="cn=root,dc=bob,dc=local"
slavePw="<LDAP root password here in plaintext>"
masterDN="cn=root,dc=bob,dc=local"
masterPw="<LDAP root password here in plaintext>"
/etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
sudoers: files ldap
I ran authconfig-tui and set to use MD5, Shadow, LDAP. Should I also set it to use SMB auth? For the next set, I unchecked TLS and set server to ldap://127.0.0.1. My problem comes with running certain commands. For example, when I run
$ sudo net groupmap list
[2012/03/21 10:32:48.661571, 0, pid=4690, effective(0, 0), real(0, 0)] lib/smbldap.c:1151(smbldap_connect_system)
failed to bind to server ldap://localhost with dn="cn=root,dc=bob,dc=local" Error: Invalid credentials
$ sudo net getlocalsid
[2012/03/21 10:45:24.324350, 0, pid=4775, effective(0, 0), real(0, 0)] lib/smbldap.c:1151(smbldap_connect_system)
failed to bind to server ldap://localhost with dn="cn=root,dc=bob,dc=local" Error: Invalid credentials
Oddly, I can log in to my phpLDAPadmin using the full root user, cn=root,dc=bob,dc=local, with the master LDAP password, the same one that's in the smbldap_bind.conf file. Somewhere along the line, samba is misconfigured to bind to ldap, I'm just not sure how/where. I'm not sure what I have configured incorrectly or if I have too much/too little in my confs. To be honest, I've been through so many how-to's and configs that it's all starting to blur together. My only other thought is that maybe I should bind with another user? Please let me know if you need any more info and THANKS in advance for any help/hints you can give me.
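Two details in this thread are the kind of mismatch that is easy to check mechanically: the smb.conf above uses ou=Users and ou=Groups while the smbldap.conf above uses ou=People and ou=Group, and post #8 found that a blank `ldap suffix` left Samba unable to open the passdb. The following Python script is an added example, not code from the poster, from Samba or from smbldap-tools. It assumes Samba forms its user/group/machine/idmap containers by appending `ldap suffix` to each relative suffix, and compares those DNs with smbldap-tools' usersdn/groupsdn/computersdn/idmapdn and the `ldap admin dn` with the masterDN in smbldap_bind.conf, using constructed excerpts copied from the configs quoted in this post.

```python
import re

# Constructed excerpts copied from the configuration files quoted in the thread.
SMB_CONF = """\
[global]
   workgroup = BOB
   passdb backend = ldapsam:ldap://localhost
   ldap admin dn = cn=root,dc=bob,dc=local
   ldap suffix = dc=bob,dc=local
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
"""
SMBLDAP_CONF = """\
suffix="dc=bob,dc=local"
usersdn="ou=People,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Group,${suffix}"
idmapdn="ou=Idmap,${suffix}"
"""
SMBLDAP_BIND_CONF = """\
masterDN="cn=root,dc=bob,dc=local"
masterPw="<LDAP root password here in plaintext>"
"""


def parse_smb_conf(text):
    """[global] parameters as a dict: keys lowercased, surrounding quotes stripped."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('['):
            section = line.strip('[]').lower()
            continue
        if section == 'global' and '=' in line:
            k, v = line.split('=', 1)
            params[k.strip().lower()] = v.strip().strip('"')
    return params


def parse_smbldap_conf(text):
    """key="value" lines; ${var} references are expanded from keys seen earlier."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        k, v = line.split('=', 1)
        v = v.strip().strip('"')
        v = re.sub(r'\$\{(\w+)\}', lambda m: values.get(m.group(1), ''), v)
        values[k.strip()] = v
    return values


def _norm(dn):
    """Case-insensitive, whitespace-insensitive DN comparison form."""
    return ','.join(p.strip().lower() for p in dn.split(',') if p.strip())


def check_consistency(smb_conf, smbldap_conf, bind_conf):
    """Return a list of human-readable mismatches between the three files."""
    smb = parse_smb_conf(smb_conf)
    tools = parse_smbldap_conf(smbldap_conf)
    bind = parse_smbldap_conf(bind_conf)
    problems = []
    suffix = smb.get('ldap suffix', '')
    if not suffix:
        problems.append("smb.conf: 'ldap suffix' is empty; Samba cannot locate the sambaDomain entry")
    elif _norm(suffix) != _norm(tools.get('suffix', '')):
        problems.append(f"ldap suffix {suffix} differs from smbldap.conf suffix {tools.get('suffix')}")
    # Samba appends 'ldap suffix' to each relative container suffix (assumption stated in lead-in)
    pairs = [('ldap user suffix', 'usersdn'), ('ldap group suffix', 'groupsdn'),
             ('ldap machine suffix', 'computersdn'), ('ldap idmap suffix', 'idmapdn')]
    for smb_key, tools_key in pairs:
        samba_dn = _norm(f"{smb.get(smb_key, '')},{suffix}")
        tools_dn = _norm(tools.get(tools_key, ''))
        if samba_dn != tools_dn:
            problems.append(f"{smb_key} -> {samba_dn} but {tools_key} -> {tools_dn}")
    if _norm(smb.get('ldap admin dn', '')) != _norm(bind.get('masterDN', '')):
        problems.append("ldap admin dn differs from masterDN in smbldap_bind.conf")
    return problems


if __name__ == '__main__':
    for p in check_consistency(SMB_CONF, SMBLDAP_CONF, SMBLDAP_BIND_CONF):
        print('MISMATCH:', p)
```

On the excerpts above the script reports the user and group containers only; a blank `ldap suffix` is reported first, since every other container check depends on it. To use it on a live box, read the three files from /etc/samba/smb.conf and /etc/smbldap-tools/ and pass their contents in place of the constructed strings.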