
[Samba] Problem: LDAP as idmap backend


Chris Osicki

Aug 13, 2009, 6:00:16 PM
Hi

I've just upgraded Samba on Solaris 10 from the bundled version (3.0.33)
to 3.4.0, and winbind doesn't want to cooperate with LDAP as idmap backend
anymore.

The smb.conf I use is:

[global]
workgroup = CORPROOT
netbios name = usonfs
security = domain
log level = 10
preferred master = no
bind interfaces only = yes
interfaces = usonfs

password server = sg000057.corproot.net sg1006z.corproot.net
winbind uid = 20000-21000
winbind gid = 20000-21000
winbind enum users = no
winbind enum groups = no

# Using ldap server as winbindd backend
idmap backend = ldap:ldap://usoldap01.swissptt.ch ldap:ldap://usoldap02.swissptt.ch
ldap admin dn = uid=idmapadm,ou=idmap,dc=swissptt,dc=ch
ldap idmap suffix = ou=idmap
ldap suffix = dc=swissptt,dc=ch

I compiled Samba myself: configure; make; make install.

It must be something obvious I'm overlooking; I hope somebody could
point it out.

Running winbindd as:

/usr/local/samba/sbin/winbindd -d 3 -i -n

I see those messages:

[ 8286]: sid to uid S-1-5-21-796845957-1547161642-839522115-187984
idmap_init: using 'ldap' as remote backend
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 1 try!
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 3 try!
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 5 try!
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 7 try!


Thanks for your time.

Regards,
Chris
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

David Markey

Aug 13, 2009, 6:50:11 PM

ldap ssl = off

Chris Osicki

Aug 14, 2009, 4:50:08 AM

That helped, many thanks David.

However, winbind behaves strangely.

I ask it to print the SID-UID mapping for a SID I know is in LDAP:

wbinfo --sid-to-uid S-1-5-21-796845957-1547161642-839522115-187984

It fails and winbindd says:

ldap_connect_system: successful connection to the LDAP server
ldap_set_mapping_internals: Failed to add S-1-5-21-796845957-1547161642-839522115-187984 to 20011 mapping [uidNumber]
ldap_set_mapping_internals: Error was: (NULL) (Already exists)
Could not store the new mapping: NT_STATUS_UNSUCCESSFUL

In the LDAP server logs I see a successful search and then an attempt to ADD (?!) a mapping
for the given SID with the next free UID from the defined UID range:

conn=564 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.238.186.50 to 10.238.186.52
conn=564 op=0 msgId=1 - BIND dn="uid=idmapadm,ou=idmap,dc=swissptt,dc=ch" method=128 version=3
conn=564 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=idmapadm,ou=idmap,dc=swissptt,dc=ch"
conn=564 op=1 msgId=2 - SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl"
conn=564 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
conn=564 op=2 msgId=3 - SRCH base="ou=idmap,dc=swissptt,dc=ch" scope=2 filter="(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-21-796845957-1547161642-839522115-187984))" attrs="sambaSID uidNumber gidNumber objectClass"
conn=564 op=2 msgId=3 - RESULT err=0 tag=101 nentries=1 etime=0
conn=564 op=3 msgId=4 - ADD dn="sambaSID=S-1-5-21-796845957-1547161642-839522115-187984,ou=idmap,dc=swissptt,dc=ch"
conn=564 op=3 msgId=4 - RESULT err=68 tag=105 nentries=0 etime=0 csn=4a851d61000100020000
conn=564 op=4 msgId=5 - UNBIND
conn=564 op=4 msgId=-1 - closing - U1
conn=564 op=-1 msgId=-1 - closed.

My LDAP was pre-fed with all known SID-UID mappings; the dynamic allocation is there
for "just in case".

Is it a bug or a feature? Or again a config parameter I missed?

Thanks for your time.

Regards,
Chris
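
As an added example (not part of the thread), a small Python check that reads the directory-server access-log format quoted above and flags ADD operations for a sambaSID that the same connection had already found by search, which is exactly the sequence Chris reports. The sample log is constructed from the lines he posted; the line layout the regexes assume is my reading of that format.

```python
import re

# Constructed sample, modelled on the access-log lines quoted in the thread.
SAMPLE_LOG = """\
conn=564 op=0 msgId=1 - BIND dn="uid=idmapadm,ou=idmap,dc=swissptt,dc=ch" method=128 version=3
conn=564 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=idmapadm,ou=idmap,dc=swissptt,dc=ch"
conn=564 op=2 msgId=3 - SRCH base="ou=idmap,dc=swissptt,dc=ch" scope=2 filter="(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-21-796845957-1547161642-839522115-187984))" attrs="sambaSID uidNumber gidNumber objectClass"
conn=564 op=2 msgId=3 - RESULT err=0 tag=101 nentries=1 etime=0
conn=564 op=3 msgId=4 - ADD dn="sambaSID=S-1-5-21-796845957-1547161642-839522115-187984,ou=idmap,dc=swissptt,dc=ch"
conn=564 op=3 msgId=4 - RESULT err=68 tag=105 nentries=0 etime=0 csn=4a851d61000100020000
conn=564 op=4 msgId=5 - UNBIND
"""

# Assumed layout: "conn=N op=N msgId=N - <request or RESULT ...>"
LINE_RE = re.compile(r'^conn=(\d+) op=(-?\d+) msgId=-?\d+ - (.*)$')
SID_RE = re.compile(r'sambaSID=(S-1-5-[\d-]+)')
ENTRY_ALREADY_EXISTS = 68  # LDAP resultCode entryAlreadyExists

def parse_ops(text):
    """Map (conn, op) -> {'kind', 'sid', 'nentries', 'err', 'bind_dn'}, pairing each request with its RESULT."""
    ops, bind_dn = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = int(m[1]), int(m[2]), m[3]
        rec = ops.setdefault((conn, op), {'kind': None, 'sid': None, 'nentries': 0, 'err': None, 'bind_dn': None})
        if rest.startswith('RESULT'):
            rec['err'] = int(re.search(r'err=(\d+)', rest)[1])
            rec['nentries'] = int(re.search(r'nentries=(\d+)', rest)[1])
        else:
            rec['kind'] = rest.split(' ', 1)[0]
            sid = SID_RE.search(rest)
            rec['sid'] = sid[1] if sid else None
            if rec['kind'] == 'BIND':
                bind_dn[conn] = re.search(r'dn="([^"]*)"', rest)[1]
            rec['bind_dn'] = bind_dn.get(conn)  # identity the connection is operating under
    return ops

def redundant_allocations(text):
    """ADDs of a sambaSID entry that an earlier SRCH on the same connection already returned.

    Each hit is (bind_dn, sid, err); err 68 means the directory refused the duplicate."""
    ops = parse_ops(text)
    hits = []
    for (conn, op), rec in sorted(ops.items()):
        if rec['kind'] != 'ADD' or not rec['sid']:
            continue
        seen = any(o['kind'] == 'SRCH' and o['sid'] == rec['sid'] and o['nentries'] > 0
                   for (c, p), o in ops.items() if c == conn and p < op)
        if seen:
            hits.append((rec['bind_dn'], rec['sid'], rec['err']))
    return hits
```

Run against a real access log, a non-empty result means winbind is trying to allocate a mapping the directory already holds, which is the behaviour to investigate before handing the idmap bind DN write access to a wider subtree.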

charles weber

Aug 14, 2009, 8:30:11 AM
A big change in LDAP usage, documented only in the man pages.
For 3.3.7 I had to change from this

idmap backend = ldap:ldap://niairpfiler1.grc.nia.nih.gov ldap:ldap://niairpfiler2.grc.nia.nih.gov

to this

ldap ssl = no
idmap backend = ldap:ldap://ldapserv1
idmap alloc backend = ldap
idmap alloc config : ldap_user_dn = cn=Manager,dc=X,dc=X
idmap alloc config : ldap_base_dn = ou=People,dc=X,dc=X
idmap alloc config : ldap_url = ldap://ldapserv2

You have to set your alloc password separately with the net idmap command.


In my case CentOS 5.3 openldap does not do multimaster, ldapserv1 is
master and ldapserv2 is slave.
I ended up rolling back to 3.0.3 for other issues.

Regardless of quoting etc., 3.3.7 did not support multiple LDAP servers
listed on the idmap backend line.
