[Samba] Samba 3.2 Ldap problem - Samba


  1. [Samba] Samba 3.2 Ldap problem

    Hi,
    I've been running a samba 3.0.22-13.30 server in standalone mode (security=user) for quite a while. It's authenticated against an openLdap and works great, say Server A.

    A few days ago I've installed OpenSuSE 11 Beta 2 in another server, it came with samba 3.2.0-18, so as I'm very lazy I copied the smb.conf file from the working server to the new one with little modifications like the netbios name and which shares it serves, say Server B. I'm connecting to the same Ldap server.

    The problem is that I can't reach any share, from the Server B logs...

    [2008/07/01 04:54:01, 1] passdb/pdb_ldap.c:init_sam_from_ldap(567)
    init_sam_from_ldap: No uid attribute found for this user!
    [2008/07/01 04:54:01, 1] passdb/pdb_ldap.c:ldapsam_getsampwnam(1531)
    ldapsam_getsampwnam: init_sam_from_ldap failed for user 'xxxxx'!

    I've been "googling" for the last 8 hours and I can't fix the problem; with a more verbose debug level I can see that the LDAP connection works fine. I've also checked the LDAP logs and everything is fine.

    Maybe it's a problem with idmap-ing.

    Here is my smb.conf file from the Server B, I've placed comments on lines which differ from the Server A and commented out lines I believe are not relevant to Server B.

    -----------------------------------------------------------------
    [global]

    passdb expand explicit = no
    utmp = Yes
    workgroup = CPD
    netbios name = OPEN # I've changed the
    server string = File Server
    passdb backend = ldapsam:ldap://ldapon.my.company
    time server = Yes
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    username map = /etc/samba/smbusers
    map to guest = Bad User
    wins support = no # it's 'Yes' in the old server
    local master = no # it's 'Yes' in the old server
    domain master = no # it's 'Yes' in the old server
    domain logons = no # it's 'Yes' in the old server
    security = user
    preferred master = no
    os level = 64
    encrypt passwords = yes
    # logon script = test.bat
    # logon path = \\%L\profiles\%U
    # logon home = \\%L\%U
    # logon drive = z:
    # add user script = ldapsmb -a -u "%u"
    # delete user script = ldapsmb -d -u "%u"
    # add machine script = ldapsmb -a -s -wks "%u" -v --logfile /var/log/samba/ldapsmb.log
    # add group script = ldapsmb -a -g "%g"
    # delete group script = ldapsmb -d -g "%g"
    # add user to group script = ldapsmb -j -u "%u" -g "%g"
    # delete user from group script = ldapsmb -j -u "%u" -g "%g"
    # set primary group script = ldapsmb -m -u "%u" -gid "%g"
    ldap admin dn = cn=Manager,dc=my,dc=company
    ldap suffix = dc=my,dc=company
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap user suffix = ou=People
    ldap passwd sync = Yes
    log file = /var/log/samba/%m.log
    log level = 1
    load printers = no


    [www2]
    comment = webpages
    path = /path/to/webpages
    public = no
    writeable = yes
    browseable = yes
    valid users = +groupA +groupB
    force user = www2
    create mask = 0775
    dont descend = /bin,/boot,/dev,/etc,/lib,.....

    -----------------------------------------------------------------


    Please, any ideas?

    Best regards,
    --
    Ing. Ernesto Silva.
    Coordinador de Desarrollo Web y Sistemas Abiertos
    Centro de Procesamiento de Datos
    Universidad ORT Uruguay.
    E-mail: silva@ort.edu.uy
    Tel: (+5982) 903-1995, (+5982) 902-9687 ext. 102
    Fax: (+5982) 900-2952
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] Samba 3.2 Ldap problem


    > [2008/07/01 04:54:01, 1] passdb/pdb_ldap.c:init_sam_from_ldap(567)
    > init_sam_from_ldap: No uid attribute found for this user!
    > [2008/07/01 04:54:01, 1] passdb/pdb_ldap.c:ldapsam_getsampwnam(1531)
    > ldapsam_getsampwnam: init_sam_from_ldap failed for user 'xxxxx'!
    >


    Have you looked in the LDAP log to see what attribute it's actually
    looking for? I haven't used 3.2 yet but I guess it's possible that
    something has changed with that.


    > [global]
    >
    > os level = 64


    I don't think you need or want this since you are not a WINS server...


    > ldap admin dn = cn=Manager,dc=my,dc=company
    > ldap suffix = dc=my,dc=company
    > ldap machine suffix = ou=Computers
    > ldap group suffix = ou=Groups
    > ldap idmap suffix = ou=Idmap
    > ldap user suffix = ou=People
    > ldap passwd sync = Yes



    Have you run smbpasswd -w to write the LDAP admin password into secrets.tdb?

    >
    >
    > [www2]
    > valid users = +groupA +groupB
    > force user = www2


    Only last night I was dealing with a terrible problem with 3.0.28a with
    these two parameters. Try commenting these out and see if you can get to
    your share. Try naming individual users instead of groups. Also,
    apparently the required syntax for expanding groups has changed and I
    think it should be +DOMAIN\groupA and the like. Though I'm not sure that
    the '+' syntax is still favored either. You'll need to look in the docs
    for your version to verify this. Comment them out for testing anyway.

    Also I was made aware last night that it is better to set the sticky bit
    on the directory than to use 'force user' or 'force group' (thanks JHT).
    It will solve the 'create mask' too, I think.


    > create mask = 0775



  3. Re: [Samba] Samba 3.2 Ldap problem

    Have you installed the libnss-ldap module on Server B? It's required if you
    have your users in an LDAP-database.

    What do you see if you type the command on Server B:

    id

    For example, I have a user in my LDAP database, named "kissg_02a". In my
    case, I see the following:

    root@lemontree# id kissg_02a
    uid=10003(kissg_02a) gid=513(Domain Users) groups=513(Domain Users)

    Try to set "loglevel 256" in your slapd.conf and look for entries in your
    syslog file which have an "err" value other than zero. If you don't have
    any, it means that communication with the LDAP server works as expected, but
    Samba cannot access the uid attribute. It can also be that the samba.schema
    file changed since Samba version 3.0, and the new version stores UIDs in a
    different attribute or in a different place in the LDAP directory structure.
    Check if there is a new version available for Samba 3.2.

    Best regards
    Gergely Kiss

    2008/7/2 Ernesto Silva :


  4. Re: [Samba] Samba 3.2 Ldap problem

    I think that you overlooked the SID

    In standalone mode you're not worrying about a domain - the data in LDAP is
    for your old server.

    The new samba installation has a new SID and it's doing its search in LDAP
    for that, finding no users.

    I've only used samba and ldap in a domain so don't know much about your
    options in standalone mode.



    2008/7/2 Ernesto Silva :


  5. Re: [Samba] Samba 3.2 Ldap problem

    The LDAP log says nothing, every operation is fine, BUT the Samba log says that it can't find the 'uid' attribute for the user. As I understand it, Samba first tries to map the user with idmap (which I don't understand at all), then it makes the bind against the LDAP and last but not least enters the share-specific permissions phase.

    From the Samba logging system I extracted these first lines with the "error":


    [2008/07/01 23:24:50, 4] smbd/map_username.c:map_username(145)
    Scanning username map /etc/samba/smbusers
    [2008/07/01 23:24:50, 5] auth/auth_util.c:make_user_info_map(178)
    make_user_info_map: Mapping user [WORKGROUP]\[silva] from workstation [ERNIE]
    [2008/07/01 23:24:50, 5] auth/auth_util.c:make_user_info(92)
    attempting to make a user_info for silva (silva)
    [2008/07/01 23:24:50, 5] auth/auth_util.c:make_user_info(102)
    making strings for silva's user_info struct
    [2008/07/01 23:24:50, 5] auth/auth_util.c:make_user_info(134)
    making blobs for silva's user_info struct
    [2008/07/01 23:24:50, 3] auth/auth.c:check_ntlm_password(220)
    check_ntlm_password: Checking password for unmapped user [WORKGROUP]\[silva]@[ERNIE] with the new password interface
    [2008/07/01 23:24:50, 3] auth/auth.c:check_ntlm_password(223)
    check_ntlm_password: mapped user is: [OPEN]\[silva]@[ERNIE]
    [2008/07/01 23:24:50, 5] lib/util.c:dump_data(2226)
    [000] 82 EB 85 FE 24 80 63 76 ....$.cv
    [2008/07/01 23:24:50, 3] smbd/sec_ctx.c:push_sec_ctx(224)
    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
    [2008/07/01 23:24:50, 3] smbd/uid.c:push_conn_ctx(357)
    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
    [2008/07/01 23:24:50, 3] smbd/sec_ctx.c:set_sec_ctx(324)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2008/07/01 23:24:50, 5] auth/token_util.c:debug_nt_user_token(464)
    NT user token: (NULL)
    [2008/07/01 23:24:50, 5] auth/token_util.c:debug_unix_user_token(490)
    UNIX token of user 0
    Primary group is 0 and contains 0 supplementary groups
    [2008/07/01 23:24:50, 5] lib/smbldap.c:smbldap_search_ext(1183)
    smbldap_search_ext: base => [dc=ort,dc=edu,dc=uy], filter => [(&(uid=silva)(objectclass=sambaSamAccount))], scope => [2]
    [2008/07/01 23:24:50, 5] lib/smbldap.c:smbldap_close(1086)
    The connection to the LDAP server was closed
    [2008/07/01 23:24:50, 2] lib/smbldap.c:smbldap_open_connection(772)
    smbldap_open_connection: connection opened
    [2008/07/01 23:24:50, 3] lib/smbldap.c:smbldap_connect_system(983)
    ldap_connect_system: successful connection to the LDAP server
    [2008/07/01 23:24:50, 4] lib/smbldap.c:smbldap_open(1066)
    The LDAP server is successfully connected
    [2008/07/01 23:24:50, 1] passdb/pdb_ldap.c:init_sam_from_ldap(567)
    init_sam_from_ldap: No uid attribute found for this user!
    [2008/07/01 23:24:50, 1] passdb/pdb_ldap.c:ldapsam_getsampwnam(1531)
    ldapsam_getsampwnam: init_sam_from_ldap failed for user 'silva'!
    [2008/07/01 23:24:50, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2008/07/01 23:24:50, 3] auth/auth_sam.c:check_sam_security(281)
    check_sam_security: Couldn't find user 'silva' in passdb.
    [2008/07/01 23:24:50, 5] auth/auth.c:check_ntlm_password(272)
    check_ntlm_password: sam authentication for user [silva] FAILED with error NT_STATUS_NO_SUCH_USER
    [2008/07/01 23:24:50, 2] auth/auth.c:check_ntlm_password(318)
    check_ntlm_password: Authentication for user [silva] -> [silva] FAILED with error NT_STATUS_NO_SUCH_USER


    This is the openLdap log from the transaction:

    conn=129952 fd=153 ACCEPT from IP=172.30.150.100:14793 (IP=0.0.0.0:389)
    conn=129952 op=0 BIND dn="cn=Manager,dc=my,dc=company" method=128
    conn=129952 op=0 BIND dn="cn=Manager,dc=my,dc=company" mech=SIMPLE ssf=0
    conn=129952 op=0 RESULT tag=97 err=0 text=
    conn=129952 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
    conn=129952 op=1 SRCH attr=supportedControl
    conn=129952 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    conn=129952 op=2 SRCH base="dc=my,dc=company" scope=2 deref=0 filter="(&(uid=silva)(objectClass=sambaSamAccount))"
    slapd[2498]: conn=129952 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber
    conn=129952 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
    conn=129952 op=3 SRCH base="ou=Groups,dc=my,dc=company" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=65533))"
    conn=129952 op=3 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
    conn=129952 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
    conn=129952 op=4 SRCH base="sambaDomainName=OPEN,dc=my,dc=company" scope=0 deref=0 filter="(objectClass=*)"
    conn=129952 op=4 SRCH attr=sambaPwdHistoryLength
    conn=129952 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
    conn=129952 fd=153 closed (connection lost)



    I've changed the share configuration to the following but still....


    [www2]
    comment = webpages
    path = /path/to/webpages
    public = no
    writeable = yes
    browseable = yes
    valid users = silva
    dont descend = /proc,/dev,/etc,/bin,/usr...






    Best regards,


    misty@borkholder.com wrote:
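kissg suggested scanning the slapd "loglevel 256" output for non-zero err values, and the log posted above has err=0 everywhere but one search with nentries=0. Added example (not Samba or OpenLDAP code) that pairs each conn/op request with its RESULT line so such cases stand out, and checks that the user lookup actually asked for the attribute Samba later reports missing; SAMPLE_LOG is copied from the thread with the long op=2 attribute list abbreviated.

```python
"""Pair each slapd 'loglevel 256' request with its RESULT line.

Added example for this thread, not Samba or OpenLDAP code.  Correlates the
conn/op pairs of a slapd stats log so LDAP errors, empty searches and missing
result lines are listed, and verifies that the sambaSamAccount lookup
requested the attribute Samba complains about ('uid').  SAMPLE_LOG is copied
from the thread (the op=2 attribute list is abbreviated).
"""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
conn=129952 fd=153 ACCEPT from IP=172.30.150.100:14793 (IP=0.0.0.0:389)
conn=129952 op=0 BIND dn="cn=Manager,dc=my,dc=company" method=128
conn=129952 op=0 BIND dn="cn=Manager,dc=my,dc=company" mech=SIMPLE ssf=0
conn=129952 op=0 RESULT tag=97 err=0 text=
conn=129952 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=129952 op=1 SRCH attr=supportedControl
conn=129952 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=129952 op=2 SRCH base="dc=my,dc=company" scope=2 deref=0 filter="(&(uid=silva)(objectClass=sambaSamAccount))"
slapd[2498]: conn=129952 op=2 SRCH attr=uid uidNumber gidNumber sambaSID sambaPrimaryGroupSID objectClass
conn=129952 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=129952 op=3 SRCH base="ou=Groups,dc=my,dc=company" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=65533))"
conn=129952 op=3 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
conn=129952 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=129952 op=4 SRCH base="sambaDomainName=OPEN,dc=my,dc=company" scope=0 deref=0 filter="(objectClass=*)"
conn=129952 op=4 SRCH attr=sambaPwdHistoryLength
conn=129952 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=129952 fd=153 closed (connection lost)
"""

# Optional syslog prefix ("slapd[2498]: "), then the conn/op pair and the rest.
OP_RE = re.compile(r"^(?:\S+:\s+)?conn=(\d+) op=(\d+) (.*)$")
SRCH_RE = re.compile(r'^SRCH base="([^"]*)" scope=(\d) deref=\d filter="(.*)"$')
ATTR_RE = re.compile(r"^SRCH attr=(.*)$")
BIND_RE = re.compile(r'^BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"^(?:SEARCH )?RESULT tag=\d+ err=(\d+)(?: nentries=(\d+))?")


def parse_stats_log(text):
    """Return {(conn, op): info} in log order; info holds kind, base, filter, attrs, err, nentries."""
    ops = OrderedDict()
    for line in text.splitlines():
        m = OP_RE.match(line.strip())
        if not m:
            continue  # ACCEPT / closed lines carry no op number
        key = (int(m.group(1)), int(m.group(2)))
        op = ops.setdefault(key, {"kind": None, "attrs": [], "err": None, "nentries": None})
        rest = m.group(3)
        s = SRCH_RE.match(rest)
        if s:
            op.update(kind="SRCH", base=s.group(1), scope=int(s.group(2)), filter=s.group(3))
            continue
        a = ATTR_RE.match(rest)
        if a:
            op["attrs"] = a.group(1).split()
            continue
        b = BIND_RE.match(rest)
        if b:
            op.update(kind="BIND", dn=b.group(1))
            continue
        r = RESULT_RE.match(rest)
        if r:
            op["err"] = int(r.group(1))
            op["nentries"] = int(r.group(2)) if r.group(2) is not None else None
    return ops


def find_problems(ops, user_attr="uid"):
    """List operations worth a second look: LDAP errors, results never logged,
    searches that matched nothing, and a user lookup that did not request user_attr."""
    problems = []
    for (conn, num), op in ops.items():
        tag = f"conn={conn} op={num}"
        what = op.get("filter") or op.get("dn") or "?"
        if op["err"] is None:
            problems.append(f"{tag}: no RESULT line logged for {what}")
        elif op["err"] != 0:
            problems.append(f"{tag}: err={op['err']} for {what}")
        if op["kind"] == "SRCH":
            if op["nentries"] == 0:
                problems.append(f"{tag}: no entries for {what} under {op['base'] or '<root>'}")
            if f"({user_attr}=" in what and user_attr not in op["attrs"]:
                problems.append(f"{tag}: user lookup did not request attribute {user_attr}")
    return problems


if __name__ == "__main__":
    for p in find_problems(parse_stats_log(SAMPLE_LOG)):
        print(p)
```

On the posted log the only finding is op=3, the sambaGroupMapping lookup for gidNumber=65533 that returned no entries; the uid attribute itself was requested and the user search matched one entry.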

  6. Re: [Samba] Samba 3.2 Ldap problem

    On Tue, Jul 1, 2008 at 8:16 PM, Ernesto Silva wrote:
    >
    > A few days ago I've installed OpenSuSE 11 Beta 2 in another server, it came
    > with samba 3.2.0-18, so as I'm very lazy I copied the smb.conf file from the
    > working server to the new one with little modifications like the netbios
    > name and which shares it serves, say Server B. I'm connecting to the same
    > Ldap server.


    Did you copy over the secrets.tdb as well? If not, you are going to
    have to use "net setlocalsid" to set the machine SID to match the old
    one, and "smbpasswd -w" to set the LDAP access password. Samba tracks
    users by SID now (which I don't like, personally, but it's something
    that the Samba Team apparently had to do if they wanted to
    interoperate with later versions of Microsoft's networking stack) so
    your users will have SIDs that were created by the old system.

    You also will want to put a "sub" index on the sambaSID attribute in
    OpenLDAP's slapd.conf file if you haven't already done so. Later
    versions of samba need it... you get a nice efficiency boost. Um, and
    watch your search limits in OpenLDAP also - the "machine suffix" and
    "user suffix" parameters in smb.conf are not applied as filters in the
    searches that samba makes in LDAP, so search returns might be bigger
    than you anticipate, and I'm not sure that samba can properly handle
    an RFC-compliant paged LDAP search result like OpenLDAP might return.

    I prefer using net setlocalsid and smbpasswd rather than just copying
    over an old secrets.tdb - but use tdbdump on the old one to see if
    there is anything else in there (like domain trust passwords) before
    you decide.

    --Charlie
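Kevin and Charlie both point at the SID: a fresh standalone install gets its own local SID while the sambaSID values in LDAP were issued by Server A. Added example (not Samba code) that compares the domain part of each user's SID attributes with the SID `net getlocalsid` reports and infers the old issuing SID from the directory; the getlocalsid output and the LDAP entries are constructed for illustration.

```python
"""Check whether ldapsam user SIDs were issued under the local machine SID.

Added example for this thread, not Samba code.  Splits NT SIDs into domain
prefix and RID, parses `net getlocalsid` output, flags sambaSID and
sambaPrimaryGroupSID values that belong to a different SID, and reports the
SID most entries were issued under (the value to hand to `net setlocalsid`).
LOCAL_SID_OUTPUT and LDAP_USERS are constructed sample data.
"""
import re
from collections import Counter

# An NT domain SID is S-1-5-21-<a>-<b>-<c>; a user/group SID appends one RID.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)(?:-(\d+))?$")

# Constructed: what `net getlocalsid` prints on Server B (the new install).
LOCAL_SID_OUTPUT = "SID for domain OPEN is: S-1-5-21-1111111111-2222222222-3333333333\n"

# Constructed sambaSamAccount entries in the shape an LDAP search returns them.
LDAP_USERS = [
    {"uid": "silva", "uidNumber": 1001,
     "sambaSID": "S-1-5-21-4444444444-5555555555-6666666666-3002",
     "sambaPrimaryGroupSID": "S-1-5-21-4444444444-5555555555-6666666666-513"},
    {"uid": "www2", "uidNumber": 1002,
     "sambaSID": "S-1-5-21-4444444444-5555555555-6666666666-3004"},
    {"uid": "localtest", "uidNumber": 1003,
     "sambaSID": "S-1-5-21-1111111111-2222222222-3333333333-3006"},
]


def split_sid(sid):
    """Return (domain_sid, rid); rid is None for a bare domain SID."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an S-1-5-21 domain SID: {sid!r}")
    return m.group(1), (int(m.group(2)) if m.group(2) is not None else None)


def parse_getlocalsid(output):
    """Extract (domain name, SID) from `net getlocalsid` output."""
    m = re.search(r"SID for domain (\S+) is: (S-[\d-]+)", output)
    if not m:
        raise ValueError("no SID found in net getlocalsid output")
    return m.group(1), m.group(2)


def find_foreign_sids(local_sid, entries):
    """Return [(uid, attribute, sid)] for SID attributes not issued under local_sid."""
    local_prefix, _ = split_sid(local_sid)
    foreign = []
    for entry in entries:
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            if attr in entry:
                prefix, _ = split_sid(entry[attr])
                if prefix != local_prefix:
                    foreign.append((entry["uid"], attr, entry[attr]))
    return foreign


def infer_issuing_sid(entries):
    """Most common domain prefix among sambaSID values: the SID the old server used."""
    prefixes = Counter(split_sid(e["sambaSID"])[0] for e in entries if "sambaSID" in e)
    return prefixes.most_common(1)[0][0]


if __name__ == "__main__":
    name, local_sid = parse_getlocalsid(LOCAL_SID_OUTPUT)
    print(f"local SID of {name}: {local_sid}")
    for uid, attr, sid in find_foreign_sids(local_sid, LDAP_USERS):
        print(f"{uid}: {attr}={sid} was issued under another SID")
    # Remediation named in the thread: net setlocalsid <old SID>, then smbpasswd -w.
    print("old issuing SID:", infer_issuing_sid(LDAP_USERS))
```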

  7. Re: [Samba] Samba 3.2 Ldap problem

    Kissg,
    the LDAP connection works fine; I've posted some LDAP log lines and there is no problem there. I still believe the problem is in the idmap phase.

    thanks, regards,


    kissg wrote:

  8. Re: [Samba] Samba 3.2 Ldap problem

    Kevin, unix users work fine, I can log in to the server with my username and password with both stored in the directory, the only "problem" here is that I don't have a home directory, so the Linux server warns me and assumes '/'.

    Regards,
    --
    Ing. Ernesto Silva.
    Coordinador de Desarrollo Web y Sistemas Abiertos
    Centro de Procesamiento de Datos
    Universidad ORT Uruguay.
    E-mail: silva@ort.edu.uy
    Tel: (+5982) 903-1995, (+5982) 902-9687 ext. 102
    Fax: (+5982) 900-2952


    Kevin Bedford wrote:

    > Is the new server set up to resolve Unix uid's and gid's from your LDAP
    > server? Just a thought.
    >
    > Cheers
    >
    >



  9. Re: [Samba] Samba 3.2 Ldap problem

    Ok, that's a possibility, I know very little about the protocol internals. On the contrary, I used to have an old samba server (apart from server A) authenticating against the Ldap simultaneously with Server A.

    That old server is what I'm really trying to duplicate with a new installation on new hardware.

    Thanks, regards,
    --
    Ing. Ernesto Silva.
    Coordinador de Desarrollo Web y Sistemas Abiertos
    Centro de Procesamiento de Datos
    Universidad ORT Uruguay.
    E-mail: silva@ort.edu.uy
    Tel: (+5982) 903-1995, (+5982) 902-9687 ext. 102
    Fax: (+5982) 900-2952


    Quinn Fissler wrote:
    > I think that you overlooked the SID
    >
    > In standalone mode you're not worrying about a domain - the data in LDAP
    > is for your old server.
    >
    > The new samba installation has a new SID and it's doing its search in
    > LDAP for that, finding no users.
    >
    > I've only used samba and ldap in a domain so don't know much about your
    > options in standalone mode.
    >
    >
    >



  10. Re: [Samba] Samba 3.2 Ldap problem

    Misty, sorry I forgot to mention that the secrets.tdb file is correctly set with 'smbpasswd -w myldapmanagerpassword'

    regards,
    --
    Ing. Ernesto Silva.
    Coordinador de Desarrollo Web y Sistemas Abiertos
    Centro de Procesamiento de Datos
    Universidad ORT Uruguay.
    E-mail: silva@ort.edu.uy
    Tel: (+5982) 903-1995, (+5982) 902-9687 ext. 102
    Fax: (+5982) 900-2952


    misty@borkholder.com wrote:
    >> [2008/07/01 04:54:01, 1] passdb/pdb_ldap.c:init_sam_from_ldap(567)
    >> init_sam_from_ldap: No uid attribute found for this user!
    >> [2008/07/01 04:54:01, 1] passdb/pdb_ldap.c:ldapsam_getsampwnam(1531)
    >> ldapsam_getsampwnam: init_sam_from_ldap failed for user 'xxxxx'!
    >>

    >
    > Have you looked in the LDAP log to see what attribute it's actually
    > looking for? I haven't used 3.2 yet but I guess it's possible that
    > something has changed with that.
    >
    >
    >> [global]
    >>
    >> os level = 64

    >
    > I don't think you need or want this since you are not a WINS server...
    >
    >
    >> ldap admin dn = cn=Manager,dc=my,dc=company
    >> ldap suffix = dc=my,dc=company
    >> ldap machine suffix = ou=Computers
    >> ldap group suffix = ou=Groups
    >> ldap idmap suffix = ou=Idmap
    >> ldap user suffix = ou=People
    >> ldap passwd sync = Yes

    >
    >
    > Have you run smbpasswd -w to write the LDAP admin password into secrets.tdb?
    >
    >>
    >> [www2]
    >> valid users = +groupA +groupB
    >> force user = www2

    >
    > Only last night I was dealing with a terrible problem with 3.0.28a with
    > these two parameters. Try commenting these out and see if you can get to
    > your share. Try naming individual users instead of groups. Also,
    > apparently the required syntax for expanding groups has changed and I
    > think it should be +DOMAIN\groupA and the like. Though I'm not sure that
    > the '+' syntax is still favored either. You'll need to look in the docs
    > for your version to verify this. Comment them out for testing anyway.
    >
    > Also I was made aware last night that it is better to set the sticky bit
    > on the directory than to use 'force user' or 'force group' (thanks JHT).
    > It will solve the 'create mask' too, I think.
    >
    >
    >> create mask = 0775

    >



  11. Re: [Samba] Samba 3.2 Ldap problem

    Charlie,

    I didn't copy the secrets.tdb, I've used smbpasswd -w. In my Ldap I have an object named "sambaDomainName=OPEN,dc=my,dc=company" which I didn't create, it's automagically created by samba. That object has its own SID; I've even deleted the secrets.tdb file and the ldap OPEN object, and they are recreated with "smbpasswd -w xxxxx", so I assume everything is automagically right.

    In addition I've tried the index on sambaSID attribute, I already have an "eq" index on it, and I can't create a "sub" index, I think this is because of the attribute definition.

    I've updated to samba-3.2.0-21 but I'm still stuck.

    I'm worried about your comment on users located by SID, as all my users already have a SID assigned. Is that SID server-dependent? I must assume it isn't, it's only user-dependent, isn't it?

    Regards,
    --
    Ing. Ernesto Silva.
    Coordinador de Desarrollo Web y Sistemas Abiertos
    Centro de Procesamiento de Datos
    Universidad ORT Uruguay.
    E-mail: silva@ort.edu.uy
    Tel: (+5982) 903-1995, (+5982) 902-9687 ext. 102
    Fax: (+5982) 900-2952


    Charlie wrote:
    > On Tue, Jul 1, 2008 at 8:16 PM, Ernesto Silva wrote:
    >> A few days ago I've installed OpenSuSE 11 Beta 2 in another server, it came
    >> with samba 3.2.0-18, so as I'm very lazy I copied the smb.conf file from the
    >> working server to the new one with little modifications like the netbios
    >> name and which shares it serves, say Server B. I'm connecting to the same
    >> Ldap server.

    >
    > Did you copy over the secrets.tdb as well? If not, you are going to
    > have to use "net setlocalsid" to set the machine SID to match the old
    > one, and "smbpasswd -w" to set the LDAP access password. Samba tracks
    > users by SID now (which I don't like, personally, but it's something
    > that the Samba Team apparently had to do if they wanted to
    > interoperate with later versions of Microsoft's networking stack) so
    > your users will have SIDs that were created by the old system.
    >
    > You also will want to put a "sub" index on the sambaSID attribute in
    > OpenLDAP's slapd.conf file if you haven't already done so. Later
    > versions of samba need it... you get a nice efficiency boost. Um, and
    > watch your search limits in OpenLDAP also -the "machine suffix" and
    > "user suffix" parameters in smb.conf are not applied as filters in the
    > searches that samba makes in LDAP, so search returns might be bigger
    > than you anticipate, and I'm not sure that samba can properly handle
    > an RFC-compliant paged LDAP search result like OpenLDAP might return.
    >
    > I prefer using net setlocalsid and smbpasswd rather than just copying
    > over an old secrets.tdb - but use tdbdump on the old one to see if
    > there is anything else in there (like domain trust passwords) before
    > you decide.
    >
    > --Charlie
    >


  12. Re: [Samba] Samba 3.2 Ldap problem

    On 7/3/08, Ernesto Silva wrote:
    > I didn't copy the secrets.tdb, I've used smbpasswd -w. In my Ldap I have
    > an object named "sambaDomainName=OPEN,dc=my,dc=company" which I didn't
    > create, it's automagically created by samba. That object has its own SID,
    > I've even deleted the secrets.tdb file and the ldap OPEN object, they are
    > recreated with "smbpasswd -w xxxxx", so I assume everything is automagically
    > right.


    That's very good, that means your LDAP and samba are communicating correctly.

    If you want the new server to be a Primary Domain Controller or a
    Backup Domain Controller you need to have the server's sambaSID
    attribute match the domain SID. I believe you also need to set up
    all the netlogon stuff in order to be a PDC or BDC.

    If you aren't going to be a PDC or BDC you need to use "net rpc join"
    to join the local domain. (You can use the "net rpc testjoin" command
    to see if it's already joined.)

    > In addition I've tried the index on sambaSID attribute, I already have an
    > "eq" index on it, and I can't create a "sub" index, I think this is because
    > of the attribute definition.


    That's bad. You need to check to make sure your LDAP has the samba
    schema that matches your version of samba, and not an old schema. As
    I understand it, samba will be much less efficient without that
    subinitial index. I personally have sambaSID indexed as "eq, pres,
    sub" in my /etc/openldap/slapd.conf and it works fine.

    When I added the "sub" index, I used slapcat to dump the entire
    database to LDIF format, then moved the old database files in
    /var/lib/ldap into a backup directory to get them out of the way, then
    I used slapadd to rebuild the database with the new index. There are
    other ways to create a new index (I think there's a slapindex
    program?) but I have never learned any of them, I just dump the
    database to LDIF and rebuild, it's reasonably quick and it defragments
    the database at the same time.

    > I've updated to samba-3.2.0-21 but I'm still stuck.


    I haven't used 3.2 yet, so you should take my advice with a grain of
    salt. But you should always do that anyway since I don't write
    code for the Samba Team...

    > I'm worried about your comment on users located by sid as all my users
    > already has a sid assigned, is that sid server-dependant? I must assume it
    > isn't, it's only user-dependant, isn't it?


    SID stands for either System Identifier or Security Identifier (and
    sometimes Security Context) depending on which documents you read.
    The last part of a user or group SID is the RID. RID always stands
    for Relative Identifier.

    SIDs are assigned by domain. If you want a user who has a SID from
    domain A to be able to log in to domain B, you have to set up a domain
    trust relationship between the two domains, which is annoyingly
    complicated. If your new server is joined to the old domain, you
    should have no problems.

    Take a look in LDAP at one of your users, and see what that
    individual's sambaSID is. It should look something like
    "S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-yyyyyy" except the x and y
    will be numbers. Everything in that string except the last -yyyyy
    part is the domain SID, and the -yyyyyy part is the user's RID...
    together they make up the user's SID.

    SIDs are *almost* unique - user and group SIDs must always be unique,
    but the SID of a server that is a PDC or a BDC is identical to the
    domain SID of the domain being served. Unfortunately, there is
    nothing that enforces this uniqueness except human intervention, so it
    is easy to break things when connecting two or more previously
    unconnected networks.

    If the above sounds stupid, self-limiting and unnecessarily complex,
    that's probably because it is. It's not the Samba Team's fault,
    though - they inherited this madness from Microsoft.

    --Charlie
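The SID check Charlie describes in his last two replies (users are tracked by SID, and a user SID is the domain SID plus a RID), written out as an added example that is not part of the thread. It parses a constructed LDIF dump (what an ldapsearch of the sambaDomainName entry and ou=People would return, reduced to dn, uid and sambaSID; the values are made up) and reports which users carry a SID relative to the OPEN domain SID and which come from a foreign domain or have no sambaSID at all.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, not real directory data: the sambaDomainName=OPEN entry
# from the thread plus a few user entries, trimmed to the attributes that matter.
SAMPLE_LDIF = """\
dn: sambaDomainName=OPEN,dc=my,dc=company
sambaDomainName: OPEN
sambaSID: S-1-5-21-111111111-222222222-333333333

dn: uid=alice,ou=People,dc=my,dc=company
uid: alice
sambaSID: S-1-5-21-111111111-222222222-333333333-1000

dn: uid=bob,ou=People,dc=my,dc=company
uid: bob
sambaSID: S-1-5-21-999999999-888888888-777777777-1002

dn: uid=nosid,ou=People,dc=my,dc=company
uid: nosid
"""

# S-1-<authority>-<subauthority>[-<subauthority>...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader: entries are separated by a blank line and each
    line is 'attr: value'. Single-valued attributes only, which is enough here."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current[attr] = value
    if current:
        entries.append(current)
    return entries


def split_sid(sid: str) -> Tuple[str, int]:
    """Split a user/group SID 'S-1-5-21-a-b-c-rid' into (domain SID, RID):
    everything before the last '-' is the domain SID, the last component the RID."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def check_users(ldif_text: str, domain_name: str) -> Dict[str, str]:
    """Return {uid: verdict}. 'ok' means the user's SID is relative to the SID
    stored on sambaDomainName=<domain_name>; anything else explains why a
    SID-based lookup for that user would not match this domain."""
    entries = parse_ldif(ldif_text)
    domain_sids = [e["sambaSID"] for e in entries
                   if e.get("sambaDomainName") == domain_name and "sambaSID" in e]
    if not domain_sids:
        raise LookupError(f"no sambaDomainName={domain_name} entry with a sambaSID")
    domain_sid = domain_sids[0]
    verdicts = {}
    for e in entries:
        if "uid" not in e:
            continue  # the domain entry and anything else that is not a user
        if "sambaSID" not in e:
            verdicts[e["uid"]] = "missing sambaSID"
            continue
        user_domain, _rid = split_sid(e["sambaSID"])
        verdicts[e["uid"]] = "ok" if user_domain == domain_sid else f"foreign domain {user_domain}"
    return verdicts
```

On a real server the domain SID to compare against is also what `net getlocalsid` prints from secrets.tdb; if it differs from the sambaSID on the sambaDomainName entry, the two are out of step in the way Charlie's "net setlocalsid" advice addresses.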
