Samba + OpenLDAP + TLS

Issues related to configuring your network
MD11
Posts: 14
Joined: 2009/07/06 13:41:34
Location: Duesseldorf, Germany

Samba + OpenLDAP + TLS

Post by MD11 » 2009/07/21 10:41:05

Hi Folks,
I have a little problem. I've configured a CentOS 5.3 server with OpenLDAP and Samba. I have lam / webmin and swat running just to check if everything is OK. But there lies my problem. I can't get Samba and OpenLDAP to work with each other using TLS.
I have created a self-signed certificate and the connection through openssl s_client -connect localhost:636 works just fine. But when I want to connect to the server on port 389, which is needed by Samba as far as I know, I just receive an SSL handshake failure: s23_lib.c:188

Can anyone help me out or give me a hint to solve this problem? If there is any need for a config file or anything else, just say so and I will post my config files and anything needed to help me out ;)

regards

yyagol
Posts: 1015
Joined: 2006/06/10 18:27:44
Location: 32 4′N 34 47′E

Re: Samba + OpenLDAP + TLS

Post by yyagol » 2009/07/23 05:26:37

Have you tried connecting using

[code]uri ldaps://xxx.xxx.xxx.xxx/[/code]

MD11
Posts: 14
Joined: 2009/07/06 13:41:34
Location: Duesseldorf, Germany

Re: Samba + OpenLDAP + TLS

Post by MD11 » 2009/07/23 08:16:23

ldaps://localhost:636 works without any problems. But is Samba able to connect to this port?
When I configure Samba to use ldapsam:"ldaps://localhost:636", then smb won't even start due to a bad configuration. I thought that when I switch to the standard LDAP port 389 it would work.

I can connect through localhost as well as through the IP address.

regards

yyagol
Posts: 1015
Joined: 2006/06/10 18:27:44
Location: 32 4′N 34 47′E

Re: Samba + OpenLDAP + TLS

Post by yyagol » 2009/07/23 15:57:13

This manual may help

http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/#htoc35

MD11
Posts: 14
Joined: 2009/07/06 13:41:34
Location: Duesseldorf, Germany

Re: Samba + OpenLDAP + TLS

Post by MD11 » 2009/07/24 06:39:39

Thx, I'll have a look and see what I can use to get this thing done ;)

regards

MD11
Posts: 14
Joined: 2009/07/06 13:41:34
Location: Duesseldorf, Germany

Re: Samba + OpenLDAP + TLS

Post by MD11 » 2009/07/24 10:41:13

OK, it really doesn't want to work anyway. But I know where the problem lies. When I configure Samba to use 'ldapsam' then Samba won't start up because there is a problem. When I configure Samba to use smbsam then Samba starts up without any problems and I can manage the Samba accounts as well as the LDAP accounts, but separately, and that is not the point in setting up a Samba + LDAP PDC.

So the problem lies in the connection between Samba and LDAP, but don't ask me where :D ... here I would need some help to figure out how to solve the problem. If someone wants the log file or something else, just ask:

[code][2009/07/24 10:42:18, 0] smbd/server.c:main(944)
smbd version 3.0.33-3.7.el5_3.1 started.
Copyright Andrew Tridgell and the Samba Team 1992-2008
[2009/07/24 10:42:19, 0] lib/smbldap.c:smb_ldap_start_tls(610)
Failed to issue the StartTLS instruction: Connect error[/code]

[code][2009/07/24 12:35:19, 6] param/loadparm.c:lp_file_list_changed(3097)
lp_file_list_changed()
file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Fri Jul 24 12:35:00 2009

[2009/07/24 12:35:19, 2] lib/interface.c:add_interface(81)
added interface ip=192.168.111.1 bcast=192.168.111.255 nmask=255.255.255.0
[2009/07/24 12:35:19, 2] lib/interface.c:add_interface(81)
added interface ip=192.168.111.254 bcast=192.168.111.255 nmask=255.255.255.0
[2009/07/24 12:35:19, 5] lib/util.c:init_names(309)
Netbios name list:-
my_netbios_names[0]="TC-NARUTO"
[2009/07/24 12:35:19, 3] smbd/server.c:main(982)
loaded services
[2009/07/24 12:35:19, 3] smbd/server.c:main(997)
Becoming a daemon.
[2009/07/24 12:35:19, 2] lib/tallocmsg.c:register_msg_pool_usage(105)
Registered MSG_REQ_POOL_USAGE
[2009/07/24 12:35:19, 2] lib/dmallocmsg.c:register_dmalloc_msgs(75)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2009/07/24 12:35:19, 5] passdb/pdb_interface.c:smb_register_passdb(68)
Attempting to register passdb backend ldapsam
[2009/07/24 12:35:19, 5] passdb/pdb_interface.c:smb_register_passdb(81)
Successfully added passdb backend 'ldapsam'
[2009/07/24 12:35:19, 5] passdb/pdb_interface.c:smb_register_passdb(68)
Attempting to register passdb backend ldapsam_compat
[2009/07/24 12:35:19, 5] passdb/pdb_interface.c:smb_register_passdb(81)
Successfully added passdb backend 'ldapsam_compat'
[2009/07/24 12:35:19, 5] passdb/pdb_interface.c:smb_register_passdb(68)
Attempting to register passdb backend NDS_ldapsam
[2009/07/24 12:35:19, 5] passdb/pdb_interface.c:smb_register_passdb(81)
Successfully added passdb backend 'NDS_ldapsam'
[2009/07/24 12:35:19, 5] passdb/pdb_interface.c:smb_register_passdb(68)
Attempting to register passdb backend NDS_ldapsam_compat
[2009/07/24 12:35:19, 5] passdb/pdb_interface.c:smb_register_passdb(81)
Successfully added passdb backend 'NDS_ldapsam_compat'
[2009/07/24 12:35:19, 5] passdb/pdb_interface.c:smb_register_passdb(68)
Attempting to register passdb backend smbpasswd
[2009/07/24 12:35:19, 5] passdb/pdb_interface.c:smb_register_passdb(81)
Successfully added passdb backend 'smbpasswd'
[2009/07/24 12:35:19, 5] passdb/pdb_interface.c:smb_register_passdb(68)
Attempting to register passdb backend tdbsam
[2009/07/24 12:35:19, 5] passdb/pdb_interface.c:smb_register_passdb(81)
Successfully added passdb backend 'tdbsam'
[2009/07/24 12:35:19, 5] passdb/pdb_interface.c:make_pdb_method_name(121)
Attempting to find an passdb backend to match ldapsam:ldap://127.0.0.1:389 (ldapsam)
[2009/07/24 12:35:19, 5] passdb/pdb_interface.c:make_pdb_method_name(142)
Found pdb backend ldapsam
[2009/07/24 12:35:19, 2] lib/smbldap_util.c:smbldap_search_domain_info(256)
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TC-NARUTO))]
[2009/07/24 12:35:19, 5] lib/smbldap.c:smbldap_search_ext(1182)
smbldap_search_ext: base => [dc=timocom,dc=com], filter => [(&(objectClass=sambaDomain)(sambaDomainName=TC-NARUTO))], scope => [2]
[2009/07/24 12:35:19, 5] lib/smbldap.c:smbldap_close(1085)
The connection to the LDAP server was closed
[2009/07/24 12:35:19, 2] lib/smbldap.c:smbldap_open_connection(786)
smbldap_open_connection: connection opened
[2009/07/24 12:35:19, 3] lib/smbldap.c:smbldap_connect_system(997)
ldap_connect_system: successful connection to the LDAP server
[2009/07/24 12:35:19, 4] lib/smbldap.c:smbldap_open(1065)
The LDAP server is successfully connected
[2009/07/24 12:35:19, 2] lib/smbldap_util.c:smbldap_search_domain_info(263)
smbldap_search_domain_info: Problem during LDAPsearch: No such object
[2009/07/24 12:35:19, 2] lib/smbldap_util.c:smbldap_search_domain_info(264)
smbldap_search_domain_info: Query was: dc=timocom,dc=com, (&(objectClass=sambaDomain)(sambaDomainName=TC-NARUTO))
[2009/07/24 12:35:19, 2] passdb/pdb_ldap.c:pdb_init_ldapsam(5667)
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
[2009/07/24 12:35:19, 5] passdb/pdb_interface.c:make_pdb_method_name(153)
pdb backend ldapsam:ldap://127.0.0.1:389 has a valid init
[2009/07/24 12:35:19, 5] lib/gencache.c:gencache_init(61)
Opening cache file at /var/cache/samba/gencache.tdb
[2009/07/24 12:35:19, 5] libsmb/namecache.c:namecache_enable(58)
namecache_enable: enabling netbios namecache, timeout 660 seconds
[2009/07/24 12:35:19, 6] registry/reg_db.c:init_registry_data(118)
init_registry_data: Adding [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers]
[2009/07/24 12:35:19, 6] registry/reg_db.c:init_registry_data(118)
init_registry_data: Adding [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports]
[2009/07/24 12:35:19, 6] registry/reg_db.c:init_registry_data(118)
init_registry_data: Adding [HKLM\SYSTEM\CurrentControlSet\Control\Print]
[2009/07/24 12:35:19, 6] registry/reg_db.c:init_registry_data(118)
init_registry_data: Adding [HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares]
[2009/07/24 12:35:19, 6] registry/reg_db.c:init_registry_data(118)
init_registry_data: Adding [HKLM\SYSTEM\CurrentControlSet\Services\Eventlog]
[2009/07/24 12:35:19, 6] registry/reg_db.c:init_registry_data(118)
init_registry_data: Adding [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib]
[2009/07/24 12:35:19, 6] registry/reg_db.c:init_registry_data(118)
init_registry_data: Adding [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009]
[2009/07/24 12:35:19, 6] registry/reg_db.c:init_registry_data(118)
init_registry_data: Adding [HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors]
[2009/07/24 12:35:19, 6] registry/reg_db.c:init_registry_data(118)
init_registry_data: Adding [HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions]
[2009/07/24 12:35:19, 6] registry/reg_db.c:init_registry_data(118)
init_registry_data: Adding [HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration]
[2009/07/24 12:35:19, 6] registry/reg_db.c:init_registry_data(118)
init_registry_data: Adding [HKLM\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters]
[2009/07/24 12:35:19, 6] registry/reg_db.c:init_registry_data(118)
init_registry_data: Adding [HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
[2009/07/24 12:35:19, 6] registry/reg_db.c:init_registry_data(118)
init_registry_data: Adding [HKU]
[2009/07/24 12:35:19, 6] registry/reg_db.c:init_registry_data(118)
init_registry_data: Adding [HKCR]
[2009/07/24 12:35:19, 6] registry/reg_db.c:init_registry_data(118)
init_registry_data: Adding [HKPD]
[2009/07/24 12:35:19, 6] registry/reg_db.c:init_registry_data(118)
init_registry_data: Adding [HKPT]
[2009/07/24 12:35:19, 2] lib/interface.c:add_interface(81)
added interface ip=192.168.111.1 bcast=192.168.111.255 nmask=255.255.255.0
[2009/07/24 12:35:19, 2] lib/interface.c:add_interface(81)
added interface ip=192.168.111.254 bcast=192.168.111.255 nmask=255.255.255.0
[2009/07/24 12:35:19, 5] lib/util.c:init_names(309)
Netbios name list:-
my_netbios_names[0]="TC-NARUTO"
[2009/07/24 12:35:19, 2] lib/interface.c:add_interface(81)
added interface ip=192.168.111.1 bcast=192.168.111.255 nmask=255.255.255.0
[2009/07/24 12:35:19, 2] lib/interface.c:add_interface(81)
added interface ip=192.168.111.254 bcast=192.168.111.255 nmask=255.255.255.0
[2009/07/24 12:35:19, 5] lib/gencache.c:gencache_init(61)
Opening cache file at /var/cache/samba/gencache.tdb
[2009/07/24 12:35:19, 5] libsmb/namecache.c:namecache_enable(58)
namecache_enable: enabling netbios namecache, timeout 660 seconds
[2009/07/24 12:35:19, 4] lib/time.c:TimeInit(1262)
TimeInit: Serverzone is -7200
[2009/07/24 12:35:19, 2] lib/tallocmsg.c:register_msg_pool_usage(105)
Registered MSG_REQ_POOL_USAGE
[2009/07/24 12:35:19, 2] lib/dmallocmsg.c:register_dmalloc_msgs(75)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2009/07/24 12:35:19, 0] nsswitch/winbindd_cache.c:initialize_winbindd_cache(2229)
initialize_winbindd_cache: clearing cache and re-creating with version number 1
[2009/07/24 12:35:19, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
Added domain TC-NARUTO S-1-5-21-3827853897-493734299-1158459374
[2009/07/24 12:35:19, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
Added domain BUILTIN S-1-5-32
[2009/07/24 12:35:19, 5] nsswitch/winbindd_util.c:init_child_recv(420)
Received child initialization response for domain TC-NARUTO
[2009/07/24 12:35:19, 6] nsswitch/winbindd.c:new_connection(640)
accepted socket 19
[2009/07/24 12:35:19, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491)
[ 3981]: request interface version
[2009/07/24 12:35:19, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
[ 3981]: request location of privileged pipe
[2009/07/24 12:35:19, 6] nsswitch/winbindd.c:new_connection(640)
accepted socket 20
[2009/07/24 12:35:19, 3] nsswitch/winbindd_sid.c:winbindd_uid_to_sid(447)
[ 3981]: uid to sid 0
[2009/07/24 12:35:19, 5] nsswitch/winbindd_async.c:winbindd_uid2sid_recv(1485)
uid2sid returned an error
[2009/07/24 12:35:19, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
[ 3981]: ping
[2009/07/24 12:35:19, 5] passdb/lookup_sid.c:uid_to_sid(1343)
uid_to_sid: winbind failed to find a sid for uid 0
[2009/07/24 12:35:19, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(477)
[ 3981]: gid to sid 0
[2009/07/24 12:35:19, 3] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(308)
[ 3981]: sid to gid S-1-5-32-544
[2009/07/24 12:35:19, 7] nsswitch/winbindd_async.c:winbindd_sid2gid_async(545)
winbindd_sid2gid_async: Resolving S-1-5-32-544 to a gid
[2009/07/24 12:35:19, 5] nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527)
sid2gid returned an error
[2009/07/24 12:35:19, 5] nsswitch/winbindd_sid.c:sid2gid_recv(254)
Could not convert sid S-1-5-32-544
[2009/07/24 12:35:19, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
[ 3981]: ping
[2009/07/24 12:35:19, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
[ 3981]: ping
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/07/24 12:35:19, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/07/24 12:35:19, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2009/07/24 12:35:19, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2009/07/24 12:35:19, 3] groupdb/mapping.c:pdb_create_builtin_alias(723)
pdb_create_builtin_alias: Could not get a gid out of winbind
[2009/07/24 12:35:19, 0] auth/auth_util.c:create_builtin_administrators(844)
create_builtin_administrators: Failed to create Administrators
[2009/07/24 12:35:19, 2] auth/auth_util.c:create_local_nt_token(966)
create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/07/24 12:35:19, 3] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(308)
[ 3981]: sid to gid S-1-5-32-545
[2009/07/24 12:35:19, 7] nsswitch/winbindd_async.c:winbindd_sid2gid_async(545)
winbindd_sid2gid_async: Resolving S-1-5-32-545 to a gid
[2009/07/24 12:35:19, 5] nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527)
sid2gid returned an error
[2009/07/24 12:35:19, 5] nsswitch/winbindd_sid.c:sid2gid_recv(254)
Could not convert sid S-1-5-32-545
[2009/07/24 12:35:19, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
[ 3981]: ping
[2009/07/24 12:35:19, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
[ 3981]: ping
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/07/24 12:35:19, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/07/24 12:35:19, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2009/07/24 12:35:19, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2009/07/24 12:35:19, 3] groupdb/mapping.c:pdb_create_builtin_alias(723)
pdb_create_builtin_alias: Could not get a gid out of winbind
[2009/07/24 12:35:19, 0] auth/auth_util.c:create_builtin_users(810)
create_builtin_users: Failed to create Users
[2009/07/24 12:35:19, 2] auth/auth_util.c:create_local_nt_token(993)
create_local_nt_token: Failed to create BUILTIN\Users group!
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/07/24 12:35:19, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/07/24 12:35:19, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2009/07/24 12:35:19, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2009/07/24 12:35:19, 5] lib/smbldap.c:smbldap_search_ext(1182)
smbldap_search_ext: base => [ou=Groups,dc=timocom,dc=com], filter => [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-0-0)(sambaSIDList=S-1-5-32-544)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-11)))], scope => [2]
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/07/24 12:35:19, 7] registry/reg_frontend.c:regkey_open_internal(359)
regkey_open_internal: name = [HKLM\SYSTEM\CurrentControlSet\Services]
[2009/07/24 12:35:19, 5] registry/reg_frontend.c:registry_access_check(59)
registry_access_check: using root's token
[2009/07/24 12:35:19, 3] nsswitch/winbindd_sid.c:winbindd_uid_to_sid(447)
[ 3981]: uid to sid 0
[2009/07/24 12:35:19, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(477)
[ 3981]: gid to sid 0
[2009/07/24 12:35:19, 3] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(308)
[ 3981]: sid to gid S-1-5-32-544
[2009/07/24 12:35:19, 7] nsswitch/winbindd_async.c:winbindd_sid2gid_async(545)
winbindd_sid2gid_async: Resolving S-1-5-32-544 to a gid
[2009/07/24 12:35:19, 5] nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527)
sid2gid returned an error
[2009/07/24 12:35:19, 5] nsswitch/winbindd_sid.c:sid2gid_recv(254)
Could not convert sid S-1-5-32-544
[2009/07/24 12:35:19, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
[ 3981]: ping
[2009/07/24 12:35:19, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
[ 3981]: ping
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/07/24 12:35:19, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/07/24 12:35:19, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2009/07/24 12:35:19, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2009/07/24 12:35:19, 3] groupdb/mapping.c:pdb_create_builtin_alias(723)
pdb_create_builtin_alias: Could not get a gid out of winbind
[2009/07/24 12:35:19, 0] auth/auth_util.c:create_builtin_administrators(844)
create_builtin_administrators: Failed to create Administrators
[2009/07/24 12:35:19, 2] auth/auth_util.c:create_local_nt_token(966)
create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/07/24 12:35:19, 3] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(308)
[ 3981]: sid to gid S-1-5-32-545
[2009/07/24 12:35:19, 7] nsswitch/winbindd_async.c:winbindd_sid2gid_async(545)
winbindd_sid2gid_async: Resolving S-1-5-32-545 to a gid
[2009/07/24 12:35:19, 5] nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527)
sid2gid returned an error
[2009/07/24 12:35:19, 5] nsswitch/winbindd_sid.c:sid2gid_recv(254)
Could not convert sid S-1-5-32-545
[2009/07/24 12:35:19, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
[ 3981]: ping
[2009/07/24 12:35:19, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
[ 3981]: ping
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/07/24 12:35:19, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/07/24 12:35:19, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2009/07/24 12:35:19, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2009/07/24 12:35:19, 3] groupdb/mapping.c:pdb_create_builtin_alias(723)
pdb_create_builtin_alias: Could not get a gid out of winbind
[2009/07/24 12:35:19, 0] auth/auth_util.c:create_builtin_users(810)
create_builtin_users: Failed to create Users
[2009/07/24 12:35:19, 2] auth/auth_util.c:create_local_nt_token(993)
create_local_nt_token: Failed to create BUILTIN\Users group!
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/07/24 12:35:19, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/07/24 12:35:19, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2009/07/24 12:35:19, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2009/07/24 12:35:19, 5] lib/smbldap.c:smbldap_search_ext(1182)
smbldap_search_ext: base => [ou=Groups,dc=timocom,dc=com], filter => [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-22-1-0)(sambaSIDList=S-1-5-32-544)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-11)))], scope => [2]
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/07/24 12:35:19, 3] lib/util_seaccess.c:se_access_check(250)
[2009/07/24 12:35:19, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-7
[2009/07/24 12:35:19, 5] lib/util_seaccess.c:se_access_check(314)
se_access_check: access (f003f) denied.
[2009/07/24 12:35:19, 0] services/services_db.c:svcctl_init_keys(420)
svcctl_init_keys: key lookup failed! (WERR_ACCESS_DENIED)
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/07/24 12:35:19, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/07/24 12:35:19, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2009/07/24 12:35:19, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2009/07/24 12:35:19, 6] passdb/pdb_interface.c:pdb_getsampwsid(281)
pdb_getsampwsid: Building guest account
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/07/24 12:35:19, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(477)
[ 3981]: gid to sid 99
[2009/07/24 12:35:19, 5] auth/auth_util.c:make_server_info_sam(675)
make_server_info_sam: made server info for user nobody -> nobody
[2009/07/24 12:35:19, 3] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(308)
[ 3981]: sid to gid S-1-5-32-544
[2009/07/24 12:35:19, 7] nsswitch/winbindd_async.c:winbindd_sid2gid_async(545)
winbindd_sid2gid_async: Resolving S-1-5-32-544 to a gid
[2009/07/24 12:35:19, 5] nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527)
sid2gid returned an error
[2009/07/24 12:35:19, 5] nsswitch/winbindd_sid.c:sid2gid_recv(254)
Could not convert sid S-1-5-32-544
[2009/07/24 12:35:19, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
[ 3981]: ping
[2009/07/24 12:35:19, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
[ 3981]: ping
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/07/24 12:35:19, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/07/24 12:35:19, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2009/07/24 12:35:19, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2009/07/24 12:35:19, 3] groupdb/mapping.c:pdb_create_builtin_alias(723)
pdb_create_builtin_alias: Could not get a gid out of winbind
[2009/07/24 12:35:19, 0] auth/auth_util.c:create_builtin_administrators(844)
create_builtin_administrators: Failed to create Administrators
[2009/07/24 12:35:19, 2] auth/auth_util.c:create_local_nt_token(966)
create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/07/24 12:35:19, 3] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(308)
[ 3981]: sid to gid S-1-5-32-545
[2009/07/24 12:35:19, 7] nsswitch/winbindd_async.c:winbindd_sid2gid_async(545)
winbindd_sid2gid_async: Resolving S-1-5-32-545 to a gid
[2009/07/24 12:35:19, 5] nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527)
sid2gid returned an error
[2009/07/24 12:35:19, 5] nsswitch/winbindd_sid.c:sid2gid_recv(254)
Could not convert sid S-1-5-32-545
[2009/07/24 12:35:19, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
[ 3981]: ping
[2009/07/24 12:35:19, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
[ 3981]: ping
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/07/24 12:35:19, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/07/24 12:35:19, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2009/07/24 12:35:19, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2009/07/24 12:35:19, 3] groupdb/mapping.c:pdb_create_builtin_alias(723)
pdb_create_builtin_alias: Could not get a gid out of winbind
[2009/07/24 12:35:19, 0] auth/auth_util.c:create_builtin_users(810)
create_builtin_users: Failed to create Users
[2009/07/24 12:35:19, 2] auth/auth_util.c:create_local_nt_token(993)
create_local_nt_token: Failed to create BUILTIN\Users group!
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/07/24 12:35:19, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/07/24 12:35:19, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2009/07/24 12:35:19, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2009/07/24 12:35:19, 5] lib/smbldap.c:smbldap_search_ext(1182)
smbldap_search_ext: base => [ou=Groups,dc=timocom,dc=com], filter => [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-5-21-3827853897-493734299-1158459374-501)(sambaSIDList=S-1-22-2-99)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-32-546)))], scope => [2]
[2009/07/24 12:35:19, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/07/24 12:35:19, 0] smbd/server.c:main(1059)
ERROR: failed to setup guest info.
[2009/07/24 12:35:22, 6] nsswitch/winbindd.c:new_connection(640)
accepted socket 19
[2009/07/24 12:35:22, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491)
[ 3974]: request interface version
[2009/07/24 12:35:22, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
[ 3974]: request location of privileged pipe
[2009/07/24 12:35:22, 6] nsswitch/winbindd.c:new_connection(640)
accepted socket 20
[2009/07/24 12:35:22, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
[ 3974]: ping
[2009/07/24 12:35:22, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
[ 3974]: ping
[/code]

regards
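As an added example (not code from this thread or from Samba), a small Python triage script for Samba 3 debug logs in the format posted above: it groups each `[timestamp, level] file:func(line)` header with its message lines, keeps only the level-0 and level-2 records, collapses repeats, and maps the messages this thread shows to the editor's reading of their cause. The sample lines are copied from the log above; the KNOWN_CAUSES hints are assumptions, not Samba documentation.

```python
import re
from collections import Counter

# Samba 3.x debug-log header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)".
# The message follows on one or more lines until the next header; a line such as
# "[ 3981]: ping" is message text, not a header, because it has no timestamp.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<src>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)$"
)

# Message fragments seen in this thread, each paired with the editor's reading of
# what it means. These hints are an assumption added here, not Samba documentation.
KNOWN_CAUSES = [
    ("Failed to issue the StartTLS instruction",
     "smbd's StartTLS on the ldap:// URI failed: slapd must offer StartTLS on the "
     "plain port and its CA certificate must be trusted on the Samba host"),
    ("Problem during LDAPsearch: No such object",
     "the sambaDomainName entry Samba searched for does not exist under the suffix"),
    ("Could not get a gid out of winbind",
     "BUILTIN SIDs (S-1-5-32-544/545) have no group mapping, so local NT tokens "
     "cannot be built"),
    ("WERR_ACCESS_DENIED",
     "the registry access check ran with a token holding only S-1-1-0/S-1-5-2/"
     "S-1-5-7, another symptom of the token-building failures"),
    ("failed to setup guest info",
     "the guest account's token could not be created; a consequence of the "
     "mapping failures above"),
]

def parse_samba_log(text):
    """Split a Samba debug log into records: ts, level, src, func, msg."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            if current is not None:
                records.append(current)
            current = {"ts": m["ts"], "level": int(m["level"]), "src": m["src"],
                       "func": m["func"], "msg": []}
        elif current is not None and line:
            current["msg"].append(line)
    if current is not None:
        records.append(current)
    for r in records:
        r["msg"] = " ".join(r["msg"])
    return records

def triage(text, max_level=2):
    """Return (errors, hints). errors: records at or below max_level, first
    occurrence only, each with a 'count' of repeats; hints: distinct known-cause
    explanations matched by any record, in log order."""
    seen, errors, hints = Counter(), [], []
    for r in parse_samba_log(text):
        for needle, hint in KNOWN_CAUSES:
            if needle in r["msg"] and hint not in hints:
                hints.append(hint)
        if r["level"] > max_level or not r["msg"]:
            continue
        key = (r["level"], r["func"], r["msg"])
        seen[key] += 1
        if seen[key] == 1:
            errors.append(r)
    for r in errors:
        r["count"] = seen[(r["level"], r["func"], r["msg"])]
    return errors, hints

# Sample input, constructed from lines copied out of the log posted in this thread.
SAMPLE_LOG = """\
[2009/07/24 10:42:19, 0] lib/smbldap.c:smb_ldap_start_tls(610)
Failed to issue the StartTLS instruction: Connect error
[2009/07/24 12:35:19, 2] lib/smbldap_util.c:smbldap_search_domain_info(263)
smbldap_search_domain_info: Problem during LDAPsearch: No such object
[2009/07/24 12:35:19, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
[ 3981]: ping
[2009/07/24 12:35:19, 3] groupdb/mapping.c:pdb_create_builtin_alias(723)
pdb_create_builtin_alias: Could not get a gid out of winbind
[2009/07/24 12:35:19, 0] auth/auth_util.c:create_builtin_administrators(844)
create_builtin_administrators: Failed to create Administrators
[2009/07/24 12:35:19, 0] auth/auth_util.c:create_builtin_administrators(844)
create_builtin_administrators: Failed to create Administrators
[2009/07/24 12:35:19, 3] lib/util_seaccess.c:se_access_check(250)
[2009/07/24 12:35:19, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-1-0
se_access_check: also S-1-5-2
[2009/07/24 12:35:19, 0] services/services_db.c:svcctl_init_keys(420)
svcctl_init_keys: key lookup failed! (WERR_ACCESS_DENIED)
[2009/07/24 12:35:19, 0] smbd/server.c:main(1059)
ERROR: failed to setup guest info.
"""

if __name__ == "__main__":
    errs, hints = triage(SAMPLE_LOG)
    for r in errs:
        print(f"[{r['level']}] {r['func']}: {r['msg']} (x{r['count']})")
    for h in hints:
        print("hint:", h)
```

Run it over the full log posted above (`triage(open("log.smbd").read())`) to get the same five distinct error records instead of reading all 400 lines; raise `max_level` to 3 to also surface the repeated winbind mapping failures.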

yyagol
Posts: 1015
Joined: 2006/06/10 18:27:44
Location: 32 4′N 34 47′E

Re: Samba + OpenLDAP + TLS

Post by yyagol » 2009/07/25 06:21:46

[quote][2009/07/24 12:35:19, 5] lib/util_seaccess.c:se_access_check(314) se_access_check: access (f003f) denied.
[2009/07/24 12:35:19, 0] services/services_db.c:svcctl_init_keys(420) svcctl_init_keys: key lookup failed! (WERR_ACCESS_DENIED)[/quote]
Please post your smbldap.conf, and if you are using SELinux you need to change the context of the files
so that Samba can get access under the /etc/smbldap-tools directory.

MD11
Posts: 14
Joined: 2009/07/06 13:41:34
Location: Duesseldorf, Germany

Re: Samba + OpenLDAP + TLS

Post by MD11 » 2009/07/27 05:28:07

Well, I have to admit that as far as I know my SELinux should be disabled.

And here is the smbldap.conf
[code]# $Source: $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

# Purpose :
# . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-3827853897-493734299-1158459374"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="TIMOCOM-DE"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="tc-naruto"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="tc-naruto"

# Master LDAP port
# If not defined, parameter is set to "389"
#masterPort="389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "0"
ldapTLS="1"

# Use SSL for LDAP
# If set to 1, this option will use SSL for connection
# (standard port for ldaps is 636)
# If not defined, parameter is set to "0"
ldapSSL="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/openldap/cacerts/cacert.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/openldap/slapd.pem"

# private key belonging to the client certificate used to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/openldap/slapd.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=timocom,dc=com"

# Where Users are stored
# Ex: usersdn="ou=Users,dc=timocom,dc=com"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"

# Where Computers are stored
# Ex: computersdn="ou=Computers,dc=timocom,dc=com"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"

# Where Groups are stored
# Ex: groupsdn="ou=Groups,dc=timocom,dc=com"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where Idmap entries are stored (used if samba is a domain member server)
# Ex: idmapdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validity time (in days). Comment out the next line if
# you don't want passwords to expire after defaultMaxPasswordAge days (be
# careful with the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="35"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\%L\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\%L\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if the home directory exists)
# Ex: userHomeDrive="H:"
userHomeDrive="Z:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
#userScript="logon.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="timocom.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Set with_smbpasswd to 0 to use the Crypt::SmbHash library instead of the
# smbpasswd binary (if with_smbpasswd == 0 in smbldap_conf.pm)
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Set with_slappasswd to 0 to use the Crypt:: libraries instead of the
# slappasswd binary (if with_slappasswd == 0 in smbldap_conf.pm)
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
no_banner="1"

[/code]

Hope you can help me with that ;)

regards

MD11
Posts: 14
Joined: 2009/07/06 13:41:34
Location: Duesseldorf, Germany

Re: Samba + OpenLDAP + TLS

Post by MD11 » 2009/07/27 10:02:41

Well.....
Before I can solve the connection problem with Samba and SELinux I will have to solve my SSL connection problem first.
I followed the How-To posted above and when I'm trying to populate with the smbldap tools I get an error.
[code]Could not start_tls: SSL connect attempt failed with unknown errorerror: 14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify faild
at /usr/sbin//smbldap_tools.pm line 341[/code]

After a few config changes I get now this error message:

[code]Could not start_tls: Operation error at /usr/sbin//smbldap_tools.pm line 341[/code]

I think I should solve this first.

When I test my LDAP TLS connection with

[code]openssl s_client -connect localhost:636[/code]

I get to see my server certificate just like it should be, but when I try the same connection on port 389 I get this message

[code]CONNECTED(00000003)
4164:error:140790E5:SSL routines:SSL23_WRITE:ssk handshake failure:s23_lib.c:188:[/code]

Is it possible to make Samba connect on port 636, where the TLS / SSL connection is working?

*lol* When I set smbldap.conf to use port 636 I get the following error message.

[code]Could not start_tls: Unexpected EOF at /usr/sbin//smbldap_tools.pm line 341[/code]

Hope there is someone out there who is able to help me with the provided information.

regards
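
The three error texts in the post above come from different stages of one exchange. As an added example that is not part of this post, of smbldap-tools or of Net::LDAP, this Python module encodes the LDAPv3 StartTLS extended operation that a client sends on port 389 in plaintext before any TLS handshake, and reads the server's reply; the replies it is fed are constructed, not captured from a live slapd.

```python
# Added example for this thread (not smbldap-tools, Net::LDAP or Samba code): the LDAPv3
# StartTLS extended operation (RFC 4511 section 4.14) as BER, i.e. the plaintext exchange
# a client on port 389 completes before any TLS handshake. Replies are constructed samples.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def _tlv(tag, body):
    """BER tag-length-value; bodies shorter than 65536 bytes."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

def _read_tlv(buf, pos):
    """Parse one BER TLV at pos: (tag, body, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long form: low 7 bits count length octets
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def starttls_request(message_id=1):
    """LDAPMessage{ messageID, ExtendedRequest [APPLICATION 23]{ requestName [0] } }.
    A bare `openssl s_client` on 389 never sends this; slapd gets a TLS ClientHello where it
    expects an LDAPMessage, rejects it and closes (the s23 handshake failure seen above)."""
    assert 0 < message_id < 0x80
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))    # 0x77 = APPLICATION 23, constructed
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + ext)

def starttls_response(result_code, diagnostic=b"", message_id=1):
    """Server reply: ExtendedResponse [APPLICATION 24] = LDAPResult + responseName [10]."""
    result = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diagnostic)
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x78, result + _tlv(0x8A, STARTTLS_OID)))

def classify_reply(raw):
    """Map what the client read back (possibly nothing) to the outcome it reports."""
    if not raw:   # peer closed the socket: an ldaps listener (636) that expects a ClientHello
        return "eof"  # does this on a plaintext request, hence "Unexpected EOF" on port 636
    tag, msg, _ = _read_tlv(raw, 0)
    if tag != 0x30:
        return "not-ldap"
    _, _, pos = _read_tlv(msg, 0)                  # messageID
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        return "not-an-extended-response"
    _, code, pos = _read_tlv(body, 0)              # resultCode ENUMERATED
    _, _, pos = _read_tlv(body, pos)               # matchedDN
    _, diag, _ = _read_tlv(body, pos)              # diagnosticMessage
    rc = int.from_bytes(code, "big")
    if rc == 0:   # only now does the TLS handshake start; "certificate verify failed" is raised
        return "ok-start-handshake"   # there when cafile lacks the issuer of slapd's certificate
    return "refused:%d:%s" % (rc, diag.decode())   # e.g. 1 = operationsError, before any TLS
```

Current OpenSSL (1.1.1 and later) can run this negotiation itself with `openssl s_client -starttls ldap -connect tc-naruto:389`; the 0.9.8 release shipped with CentOS 5 could not, so a bare `s_client` against 389 always ends in a handshake failure there.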

MD11
Posts: 14
Joined: 2009/07/06 13:41:34
Location: Duesseldorf, Germany

Re: Samba + OpenLDAP + TLS

Post by MD11 » 2009/07/30 07:27:28

Seems like no one is willing to help me?!

OK, new try. I have set up the server from the beginning. I followed the How-To from http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/#htoc35.
The connection between Samba and LDAP is established, but the Samba log gives me some problems.

[code][2009/07/30 09:07:16, 0] lib/smbldap_util.c:smbldap_search_domain_info(304)
smbldap_search_domain_info: Got too many (2) domain info entries for domain TIMOCOM-DE
[2009/07/30 09:07:16, 2] passdb/pdb_ldap.c:pdb_init_ldapsam(5667)
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs[/code]

It seems there are two domains listed in the database, but when I use a frontend like Webmin or LAM I get to see only one instance. How can I solve this problem?

And the problem with the TLS connection still exists. I have used several How-Tos to create several certificates, but every time the same problem. When LDAP and Samba are configured to
use TLS the connection fails due to a failure in Samba. Samba seems to be having a problem with self-signed certificates because it fails to open the SSL connection!?

regards
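
The log line in the post above means Samba's search under the suffix (`scope="sub"` in the configuration posted earlier) matched two sambaDomain entries for TIMOCOM-DE and did not choose between them. As an added example that is not part of this post, of Samba or of smbldap-tools, this Python script finds such duplicates in an LDIF dump of the directory (for instance the output of `slapcat` on the server); the LDIF it parses here is constructed.

```python
# Added example for this thread (not Samba or smbldap-tools code): locate the duplicate
# sambaDomain entries behind "Got too many (2) domain info entries" in an LDIF dump. Samba
# searches the whole suffix for (&(objectClass=sambaDomain)(sambaDomainName=X)). Constructed LDIF.
import base64

SAMPLE_LDIF = """\
dn: sambaDomainName=TIMOCOM-DE,dc=timocom,dc=com
objectClass: sambaDomain
sambaDomainName: TIMOCOM-DE
sambaSID: S-1-5-21-3827853897-493734299-1158459374

dn: sambaDomainName=TIMOCOM-DE,ou=Domains,dc=timocom,dc=com
objectClass: sambaDomain
sambaDomainName: timocom-de
sambaSID: S-1-5-21-3827853897-493734299-1158459374
"""

def parse_ldif(text):
    """Minimal LDIF content reader (folded lines, '::' base64 values, '#' comments)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, attrs = [], {}
    for line in lines + [""]:                       # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if attrs:
                entries.append(attrs)
            attrs = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                   # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def find_duplicate_domains(entries):
    """{sambaDomainName: [dn, ...]} for names carried by more than one sambaDomain entry.
    Names are compared case-insensitively, like the caseIgnoreMatch rule of the Samba schema."""
    seen = {}
    for e in entries:
        if "sambadomain" not in (v.lower() for v in e.get("objectclass", [])):
            continue
        for name in e.get("sambadomainname", []):
            seen.setdefault(name.upper(), []).append(e["dn"][0])
    return {k: v for k, v in seen.items() if len(v) > 1}
```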
