[SOLVED] CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind

browley
Posts: 5
Joined: 2012/03/20 17:20:41

[SOLVED] CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind

Post by browley » 2012/03/21 15:26:43

Hi All. I am having a heck of a time getting OpenLDAP and Samba to play nice on a CentOS box so I can eventually Vampire our AD server and promote the CentOS box as PDC. I know all the risks + politics involved, but I'm willing to make the jump. I've got an initial small OpenLDAP instance set up. Let's assume my domain is called "bob.local".

/etc/openldap/slapd.conf
[code]
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

access to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=root,dc=bob,dc=local" write
by * none

access to attrs=shadowLastChange
by self write
by anonymous auth
by dn.base="cn=root,dc=bob,dc=local" write
by * none

access to *
by self write
by dn.base="cn=root,dc=bob,dc=local" write
by users read

database bdb
suffix "dc=bob,dc=local"
rootdn "cn=root,dc=bob,dc=local"
rootpw {SSHA}<edited via paranoia>
password-hash {SSHA}

directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
[/code]

smb.conf
[code]
# Global parameters
[global]
workgroup = BOB
netbios name = dc1

deadtime = 10

log level = 10
log file = /var/log/samba/log.%m
max log size = 5000
debug pid = yes
debug uid = yes
syslog = 0
utmp = yes

security = user
domain logons = yes
domain master = no
os level = 64
logon path =
logon home =
logon drive =
logon script =

passdb backend = ldapsam:ldap://localhost
ldap ssl = off
ldap admin dn = cn=root,dc=bob,dc=local
ldap delete dn = no

## Sync UNIX password with Samba password
## Method 1:
ldap password sync = yes
## Method 2:
;ldap password sync = no
;unix password sync = yes
;passwd program = /usr/sbin/smbldap-passwd -u '%u'
;passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n

obey pam restrictions = no
ldap suffix = dc=bob,dc=local
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap

idmap backend = ldapsam:ldap://localhost
idmap uid = 15000-20000
idmap gid = 15000-20000

add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
delete user script = /usr/sbin/smbldap-userdel '%u'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1

enable privileges = yes
username map = /etc/samba/smbusers
nt acl support = yes

<cut for sanity>
[/code]

/etc/smbldap-tools/smbldap.conf
[code]
SID="S-1-5-21-599962346-blah"
sambaDomain="bob.local"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"

ldapTLS="0"
ldapSSL="0"
verify="none"
suffix="dc=bob,dc=local"

usersdn="ou=People,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Group,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"

userSmbHome="\\DC1.BOB.LOCAL\%U"
userHomeDrive="H:"
userScript="logon.bat"
mailDomain="bob.local"

with_smbpasswd="0"
smbpasswd="/usr/sbin/smbpasswd"

with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
[/code]

/etc/smbldap-tools/smbldap_bind.conf
[code]
slaveDN="cn=root,dc=bob,dc=local"
slavePw="<LDAP root password here in plaintext>"
masterDN="cn=root,dc=bob,dc=local"
masterPw="<LDAP root password here in plaintext>"
[/code]

/etc/nsswitch.conf
[code]
passwd: files ldap
shadow: files ldap
group: files ldap

#hosts: db files nisplus nis dns
hosts: files dns

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: files ldap

publickey: nisplus

automount: files ldap
aliases: files nisplus

sudoers: files ldap
[/code]

I ran authconfig-tui and set to use MD5, Shadow, LDAP. Should I also set it to use SMB auth? For the next set, I unchecked TLS and set server to ldap://127.0.0.1.

My problem comes with running certain commands. For example, when I run
[code]
$ sudo net groupmap list
[2012/03/21 10:32:48.661571, 0, pid=4690, effective(0, 0), real(0, 0)] lib/smbldap.c:1151(smbldap_connect_system)
failed to bind to server ldap://localhost with dn="cn=root,dc=bob,dc=local" Error: Invalid credentials

$ sudo net getlocalsid
[2012/03/21 10:45:24.324350, 0, pid=4775, effective(0, 0), real(0, 0)] lib/smbldap.c:1151(smbldap_connect_system)
failed to bind to server ldap://localhost with dn="cn=root,dc=bob,dc=local" Error: Invalid credentials
[/code]

Oddly, I can login to my phpLDAPadmin using the full root user, cn=root,dc=bob,dc=local, with the master LDAP password, the same one that's in the smbldap_bind.conf file. Somewhere along the line, samba is misconfigured to bind to ldap, I'm just not sure how/where. I'm not sure what I have configured incorrectly or if I have too much/too little in my confs. To be honest, I've been through so many how-to's and configs that it's all starting to blur together. My only other thought is that maybe I should bind with another user? Please let me know if you need any more info and THANKS in advance for any help/hints you can give me.

gulikoza
Posts: 188
Joined: 2007/05/06 20:15:23

Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind

Post by gulikoza » 2012/03/22 04:54:36

Samba LDAP password is set with smbpasswd -w, not read from smbldap_bind.conf. And sadly, I don't think you can vampire AD, I think it works only with NT4 domains but I might be wrong (never tried it myself)

browley
Posts: 5
Joined: 2012/03/20 17:20:41

Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind

Post by browley » 2012/03/22 13:31:08

Thanks for the reply. I had set it but I tried it again anyway:

[code]
$ sudo smbpasswd -w <passwd here>
Setting stored password for "cn=root,dc=bob,dc=local" in secrets.tdb

$ sudo net getlocalsid
[2012/03/22 09:24:02.008821, 0, pid=9544, effective(0, 0), real(0, 0)] lib/smbldap.c:1151(smbldap_connect_system)
failed to bind to server ldap://localhost with dn="cn=root,dc=bob,dc=local" Error: Invalid credentials
[/code]

Any other ideas?

gulikoza
Posts: 188
Joined: 2007/05/06 20:15:23

Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind

Post by gulikoza » 2012/03/23 10:38:55

Hmm, not really. This should work.
Perhaps try checking slapd log for any additional information?

browley
Posts: 5
Joined: 2012/03/20 17:20:41

Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind

Post by browley » 2012/03/27 13:40:22

OK, some more info, because I'm still stumped. So I deleted the OpenLDAP db (removed everything in /var/lib/ldap) and started anew. Got the instance up and running and figured out how to revert the log. Right now I only have the root user:
[code]
$ /usr/sbin/slapcat
dn: dc=bob,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: bob
dc: bob
structuralObjectClass: organization
entryUUID: b4589b6c-0bd1-1031-8df1-25b31779b23b
creatorsName: cn=root,dc=bob,dc=local
createTimestamp: 20120326205503Z
entryCSN: 20120326205503Z#000000#00#000000
modifiersName: cn=root,dc=bob,dc=local
modifyTimestamp: 20120326205503Z

dn: cn=root,dc=bob,dc=local
objectClass: organizationalRole
cn: root
structuralObjectClass: organizationalRole
entryUUID: b4766692-0bd1-1031-8df2-25b31779b23b
creatorsName: cn=root,dc=bob,dc=local
createTimestamp: 20120326205503Z
entryCSN: 20120326205503Z#000001#00#000000
modifiersName: cn=root,dc=bob,dc=local
[/code]

Here's a search on localhost:
[code]
ldapsearch -x -s base -b "" -h 127.0.0.1 -D cn=root,dc=bob,dc=local -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success
[/code]

Re-ran smbpasswd, then tried to get the SID. I no longer get the failed-to-bind error, so I feel like I'm getting very close. I ran the net command in debug mode:
[code]
$net getlocalsid -d 10
[2012/03/27 09:16:40, 5] lib/debug.c:405(debug_dump_status)
INFO: Current debug levels:
all: True/10
tdb: False/0
printdrivers: False/0
lanman: False/0
smb: False/0
rpc_parse: False/0
rpc_srv: False/0
rpc_cli: False/0
passdb: False/0
sam: False/0
auth: False/0
winbind: False/0
vfs: False/0
idmap: False/0
quota: False/0
acls: False/0
locking: False/0
msdfs: False/0
dmapi: False/0
registry: False/0
[2012/03/27 09:16:40, 3] param/loadparm.c:9180(lp_load_ex)
lp_load_ex: refreshing parameters
[2012/03/27 09:16:40, 3] param/loadparm.c:4948(init_globals)
Initialising global parameters
[2012/03/27 09:16:40, 2] param/loadparm.c:4807(max_open_files)
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
[2012/03/27 09:16:40.228633, 3] ../lib/util/params.c:550(pm_process)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2012/03/27 09:16:40.228688, 3] param/loadparm.c:7864(do_section)
Processing section "[global]"
doing parameter workgroup = bob
doing parameter netbios name = dc1
[2012/03/27 09:16:40.228756, 4] param/loadparm.c:7226(handle_netbios_name)
handle_netbios_name: set global_myname to: DC1
doing parameter interfaces = eth0
doing parameter bind interfaces only = No
doing parameter passdb backend = ldapsam:ldap://localhost
doing parameter client NTLMv2 auth = Yes
doing parameter client lanman auth = No
doing parameter client plaintext auth = No
doing parameter log level = 2
doing parameter syslog = 1
doing parameter log file = /var/log/samba/%m
doing parameter max log size = 0
doing parameter smb ports = 139 445
doing parameter name resolve order = wins
doing parameter time server = Yes
doing parameter server signing = auto
doing parameter add user script = /usr/sbin/smbldap-useradd -m '%u'
doing parameter add group script = /usr/sbin/smbldap-groupadd '%g'
doing parameter add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
doing parameter set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
doing parameter add machine script = /usr/sbin/smbldap-useradd -w '%u'
doing parameter logon path =
doing parameter logon home =
doing parameter domain logons = Yes
doing parameter os level = 34
doing parameter preferred master = Yes
doing parameter domain master = Yes
doing parameter wins support = Yes
doing parameter ldap admin dn = "cn=root,dc=bob,dc=local"
doing parameter ldap user suffix = ou=People
doing parameter ldap group suffix = ou=Group
doing parameter ldap idmap suffix = ou=Idmap
doing parameter ldap machine suffix = ou=Hosts
doing parameter ldap passwd sync = Yes
doing parameter ldap suffix = dc=bob,dc=local
doing parameter ldap ssl = no
doing parameter ldap timeout = 100
doing parameter idmap backend = ldap:ldap://localhost
doing parameter idmap uid = 15000-20000
doing parameter idmap gid = 15000-20000
doing parameter winbind nested groups = Yes
doing parameter nt acl support = yes
doing parameter ea support = Yes
doing parameter inherit acls = Yes
doing parameter nt acl support = Yes
doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
[2012/03/27 09:16:40.230149, 4] param/loadparm.c:9215(lp_load_ex)
pm_process() returned Yes
[2012/03/27 09:16:40.230192, 7] param/loadparm.c:9421(lp_servicenumber)
lp_servicenumber: couldn't find homes
[2012/03/27 09:16:40.230230, 10] param/loadparm.c:8425(set_server_role)
set_server_role: role = ROLE_DOMAIN_PDC
[2012/03/27 09:16:40.230268, 5] lib/iconv.c:104(smb_register_charset)
Attempting to register new charset UCS-2LE
[2012/03/27 09:16:40.230299, 5] lib/iconv.c:112(smb_register_charset)
Registered charset UCS-2LE
[2012/03/27 09:16:40.230326, 5] lib/iconv.c:104(smb_register_charset)
Attempting to register new charset UTF-16LE
[2012/03/27 09:16:40.230357, 5] lib/iconv.c:112(smb_register_charset)
Registered charset UTF-16LE
[2012/03/27 09:16:40.230383, 5] lib/iconv.c:104(smb_register_charset)
Attempting to register new charset UCS-2BE
[2012/03/27 09:16:40.230409, 5] lib/iconv.c:112(smb_register_charset)
Registered charset UCS-2BE
[2012/03/27 09:16:40.230435, 5] lib/iconv.c:104(smb_register_charset)
Attempting to register new charset UTF-16BE
[2012/03/27 09:16:40.230465, 5] lib/iconv.c:112(smb_register_charset)
Registered charset UTF-16BE
[2012/03/27 09:16:40.230489, 5] lib/iconv.c:104(smb_register_charset)
Attempting to register new charset UTF8
[2012/03/27 09:16:40.230516, 5] lib/iconv.c:112(smb_register_charset)
Registered charset UTF8
[2012/03/27 09:16:40.230540, 5] lib/iconv.c:104(smb_register_charset)
Attempting to register new charset UTF-8
[2012/03/27 09:16:40.230564, 5] lib/iconv.c:112(smb_register_charset)
Registered charset UTF-8
[2012/03/27 09:16:40.230591, 5] lib/iconv.c:104(smb_register_charset)
Attempting to register new charset ASCII
[2012/03/27 09:16:40.230621, 5] lib/iconv.c:112(smb_register_charset)
Registered charset ASCII
[2012/03/27 09:16:40.230647, 5] lib/iconv.c:104(smb_register_charset)
Attempting to register new charset 646
[2012/03/27 09:16:40.230675, 5] lib/iconv.c:112(smb_register_charset)
Registered charset 646
[2012/03/27 09:16:40.230701, 5] lib/iconv.c:104(smb_register_charset)
Attempting to register new charset ISO-8859-1
[2012/03/27 09:16:40.230725, 5] lib/iconv.c:112(smb_register_charset)
Registered charset ISO-8859-1
[2012/03/27 09:16:40.230754, 5] lib/iconv.c:104(smb_register_charset)
Attempting to register new charset UCS2-HEX
[2012/03/27 09:16:40.230781, 5] lib/iconv.c:112(smb_register_charset)
Registered charset UCS2-HEX
[2012/03/27 09:16:40.230841, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231165, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231245, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231293, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231339, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231387, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231429, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231487, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231537, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231581, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231659, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231772, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231844, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231936, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.232045, 5] lib/util.c:276(init_names)
Netbios name list:-
my_netbios_names[0]="DC1"
[2012/03/27 09:16:40.232236, 2] lib/interface.c:340(add_interface)
added interface eth0 ip=fe80::6631:50ff:fed3:f1f5%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
[2012/03/27 09:16:40.232370, 2] lib/interface.c:340(add_interface)
added interface eth0 ip=192.168.101.17 bcast=192.168.101.255 netmask=255.255.255.0
[2012/03/27 09:16:40.232443, 5] passdb/pdb_interface.c:63(smb_register_passdb)
Attempting to register passdb backend ldapsam
[2012/03/27 09:16:40.232487, 5] passdb/pdb_interface.c:76(smb_register_passdb)
Successfully added passdb backend 'ldapsam'
[2012/03/27 09:16:40.232515, 5] passdb/pdb_interface.c:63(smb_register_passdb)
Attempting to register passdb backend ldapsam_compat
[2012/03/27 09:16:40.232544, 5] passdb/pdb_interface.c:76(smb_register_passdb)
Successfully added passdb backend 'ldapsam_compat'
[2012/03/27 09:16:40.232573, 5] passdb/pdb_interface.c:63(smb_register_passdb)
Attempting to register passdb backend NDS_ldapsam
[2012/03/27 09:16:40.232601, 5] passdb/pdb_interface.c:76(smb_register_passdb)
Successfully added passdb backend 'NDS_ldapsam'
[2012/03/27 09:16:40.232628, 5] passdb/pdb_interface.c:63(smb_register_passdb)
Attempting to register passdb backend NDS_ldapsam_compat
[2012/03/27 09:16:40.232654, 5] passdb/pdb_interface.c:76(smb_register_passdb)
Successfully added passdb backend 'NDS_ldapsam_compat'
[2012/03/27 09:16:40.232690, 5] passdb/pdb_interface.c:63(smb_register_passdb)
Attempting to register passdb backend smbpasswd
[2012/03/27 09:16:40.232720, 5] passdb/pdb_interface.c:76(smb_register_passdb)
Successfully added passdb backend 'smbpasswd'
[2012/03/27 09:16:40.232748, 5] passdb/pdb_interface.c:63(smb_register_passdb)
Attempting to register passdb backend tdbsam
[2012/03/27 09:16:40.232774, 5] passdb/pdb_interface.c:76(smb_register_passdb)
Successfully added passdb backend 'tdbsam'
[2012/03/27 09:16:40.232802, 5] passdb/pdb_interface.c:63(smb_register_passdb)
Attempting to register passdb backend wbc_sam
[2012/03/27 09:16:40.232833, 5] passdb/pdb_interface.c:76(smb_register_passdb)
Successfully added passdb backend 'wbc_sam'
[2012/03/27 09:16:40.232861, 5] passdb/pdb_interface.c:133(make_pdb_method_name)
Attempting to find a passdb backend to match ldapsam:ldap://localhost (ldapsam)
[2012/03/27 09:16:40.232893, 5] passdb/pdb_interface.c:154(make_pdb_method_name)
Found pdb backend ldapsam
[2012/03/27 09:16:40.232955, 2] lib/smbldap_util.c:277(smbldap_search_domain_info)
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=BOB))]
[2012/03/27 09:16:40.233013, 5] lib/smbldap.c:1360(smbldap_search_ext)
smbldap_search_ext: base => [dc=bob,dc=local], filter => [(&(objectClass=sambaDomain)(sambaDomainName=BOB))], scope => [2]
[2012/03/27 09:16:40.233076, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233132, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233181, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233230, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233275, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233316, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233358, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233402, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233446, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233488, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233537, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233590, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233637, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233685, 5] lib/charcnv.c:98(charset_name)
Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233758, 5] lib/smbldap.c:1262(smbldap_close)
The connection to the LDAP server was closed
[2012/03/27 09:16:40.233790, 10] lib/smbldap.c:751(smb_ldap_setup_conn)
smb_ldap_setup_connection: ldap://localhost
[2012/03/27 09:16:40.234270, 2] lib/smbldap.c:950(smbldap_open_connection)
smbldap_open_connection: connection opened
[2012/03/27 09:16:40.234472, 10] lib/smbldap.c:1120(smbldap_connect_system)
ldap_connect_system: Binding to ldap server ldap://localhost as "cn=root,dc=bob,dc=local"
[2012/03/27 09:16:40.235501, 3] lib/smbldap.c:1862(smbldap_check_root_dse)
smbldap_check_root_dse: Expected one rootDSE, got 0
[2012/03/27 09:16:40.235545, 3] lib/smbldap.c:1166(smbldap_connect_system)
ldap_connect_system: successful connection to the LDAP server
ldap_connect_system: LDAP server does not support paged results
[2012/03/27 09:16:40.235584, 4] lib/smbldap.c:1242(smbldap_open)
The LDAP server is successfully connected
[2012/03/27 09:16:40.236150, 5] passdb/pdb_interface.c:165(make_pdb_method_name)
pdb backend ldapsam:ldap://localhost has a valid init
[2012/03/27 09:16:40.236253, 0] utils/net.c:264(net_getlocalsid)
Can't fetch domain SID for name: DC1
[2012/03/27 09:16:40.271436, 2] utils/net.c:916(main)
return code = 1
[2012/03/27 09:16:40.271512, 5] lib/gencache.c:65(gencache_init)
Opening cache file at /var/lib/samba/gencache.tdb
[2012/03/27 09:16:40.271655, 5] lib/gencache.c:108(gencache_init)
Opening cache file at /var/lib/samba/gencache_notrans.tdb
[/code]

When I tail the logs, here's what happens when I run the net getlocalsid command. While it no longer gives me the same message, this time it just says it cannot fetch the SID. Here is the output from the log:
[code]
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 fd=17 ACCEPT from IP=127.0.0.1:55999 (IP=0.0.0.0:389)
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=0 BIND dn="cn=root,dc=bob,dc=local" method=128
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=0 BIND dn="cn=root,dc=bob,dc=local" mech=SIMPLE ssf=0
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=0 RESULT tag=97 err=0 text=
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=1 SRCH attr=supportedControl
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=2 SRCH base="dc=bob,dc=local" scope=2 deref=0 filter="(&(objectClass=sambaDomain)(sambaDomainName=bob))"
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=2 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
Mar 27 09:34:21 dc1 slapd[15629]: <= bdb_equality_candidates: (sambaDomainName) not indexed
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 fd=17 closed (connection lost)
[/code]

Based on this, does anyone else have any more ideas? Thanks again.

gulikoza
Posts: 188
Joined: 2007/05/06 20:15:23

Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind

Post by gulikoza » 2012/03/28 17:32:29

Well if you cleared the LDAP db there's obviously no SID inside. You need to re-run smbldap-populate.

browley
Posts: 5
Joined: 2012/03/20 17:20:41

Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind

Post by browley » 2012/04/02 21:04:03

From what I've read, the SID is generated via Samba and has to be put in smbldap.conf before running smbldap-populate. From many of the guides I was following, they actually wanted to generate the SID before running smbldap-populate. Either way, I ran the command and here's what I got:

[code]
$ sudo smbldap-populate
Unable to determine domain SID: please edit your smbldap.conf, or start your samba server for a few minutes to allow for SID generation to proceed
Compilation failed in require at /usr/sbin/smbldap-populate line 33.
BEGIN failed--compilation aborted at /usr/sbin/smbldap-populate line 33.
[/code]

So, in frustration, I decided to start over with the samba portion. I stopped samba and deleted my secrets.tdb and regenerated it:
[code]
sudo /etc/init.d/smb stop
$sudo rm -rf /var/lib/samba/private/secrets.tdb
$sudo /usr/bin/smbpasswd -W
[/code]

I also re-set root's pw to match my cn=root,dc=bob,dc=local password. Then, I completely re-configured my smb.conf from the Samba admin [url=http://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html#id2602152]guide[/url]. I then re-ran authconfig-tui to make sure it was correct. I also was reading about configure.pl from smbldap-tools guide above and realized I had never run it so I did that:
[code]
$sudo cp /usr/share/doc/smbldap-tools-0.9.6/configure.pl /etc/smbldap-tools
$sudo chmod +x /etc/smbldap-tools
$sudo /etc/smbldap-tools/configure.pl
[/code]

Initially, it had a problem on one of the lines running pidof so I added /sbin to root's $PATH. Then I gave "net getlocalsid" a shot and it freakin' worked! I almost fell out of my chair. I added the SID to /etc/smbldap-tools/slapd.conf and then ran /usr/sbin/smbldap-populate without a problem. At that point I started samba without an issue. I still do not know what fixed the problem and am in a bit of shock. However, I am not out of the woods just yet:

[code]
$sudo net groupmap list
[2012/04/02 16:46:53.128000, 0] passdb/pdb_ldap.c:3448(ldapsam_setsamgrent)
ldapsam_setsamgrent: LDAP search failed: No such object
[2012/04/02 16:46:53.128134, 0] passdb/pdb_ldap.c:3523(ldapsam_enum_group_mapping)
ldapsam_enum_group_mapping: Unable to open passdb
[/code]

From the googles, it looks like this is either an auth problem or the user object is not the right type. I'm a bit overwhelmed with Samba/LDAP today but will take another look tomorrow. If anyone else has any ideas please let me know.

browley
Posts: 5
Joined: 2012/03/20 17:20:41

[SOLVED] Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind

Post by browley » 2012/04/03 19:34:22

Success! During my re-vamp of /etc/samba/smb.conf, I had blanked the ldap suffix. I had read some random forum post that suggested doing this may help generate the SID. Again, no idea if this was why the SID generated, but I left the ldap suffix blank. However, when I was trying to view the groupmap, I was getting "ldapsam_enum_group_mapping: Unable to open passdb" because samba had no way of knowing correct LDAP root (durrrrrr). So I went back and edited my /etc/samba/smb.conf and set the suffix from "ldap suffix = " to "ldap suffix = dc=bob,dc=local". Restarted samba and can now see groups. Anyhow, there are still a few more things I need to nitpick through but my main issue is solved. I hope some of this info helps someone who also finds themselves bashing their head against a wall.
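
A consistency check for the two files that caused the trouble in this thread, added here as an example (it is not from the thread, nor from the Samba or smbldap-tools projects): it parses smb.conf and smbldap.conf text and flags a blank `ldap suffix`, an `idmap backend` that names `ldapsam:`, an `ldap admin dn` that differs from smbldap's `masterDN`, and container OUs that disagree between the two files (the original post had `ou=Users`/`ou=Groups` in smb.conf against `ou=People`/`ou=Group` in smbldap.conf). The sample configs are constructed to mirror the thread's settings.

```python
import re

# Constructed samples modelled on this thread's configs (not the poster's real files).
SMB_CONF_BROKEN = """\
[global]
   passdb backend = ldapsam:ldap://localhost
   ldap admin dn = cn=root,dc=bob,dc=local
   ldap suffix =
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   idmap backend = ldapsam:ldap://localhost
"""
SMB_CONF_FIXED = """\
[global]
   passdb backend = ldapsam:ldap://localhost
   ldap admin dn = "cn=root,dc=bob,dc=local"
   ldap suffix = dc=bob,dc=local
   ldap user suffix = ou=People
   ldap group suffix = ou=Group
   idmap backend = ldap:ldap://localhost
"""
# smbldap.conf and smbldap_bind.conf share the KEY="value" format, so they can be merged.
SMBLDAP_CONF = """\
suffix="dc=bob,dc=local"
usersdn="ou=People,${suffix}"
groupsdn="ou=Group,${suffix}"
masterDN="cn=root,dc=bob,dc=local"
"""

def parse_smb_conf(text):
    """[global] parameters of smb.conf as {key: value}; names ignore case and spacing."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comments start with '#' or ';'
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split()).lower()] = value.strip().strip('"')
    return params

def parse_smbldap_conf(text):
    """KEY="value" lines as {key: value}, expanding ${name} against keys seen earlier."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            value = value.strip().strip('"')
            params[key.strip()] = re.sub(r"\$\{(\w+)\}", lambda m: params.get(m.group(1), ""), value)
    return params

# Samba container parameter (relative to 'ldap suffix') -> smbldap.conf DN it must equal
OU_PAIRS = (("ldap user suffix", "usersdn"), ("ldap group suffix", "groupsdn"),
            ("ldap machine suffix", "computersdn"), ("ldap idmap suffix", "idmapdn"))

def check_consistency(smb, smbldap):
    """Return findings as strings; an empty list means the two files agree."""
    findings = []
    if smb.get("idmap backend", "").startswith("ldapsam:"):
        findings.append("smb.conf: idmap backend must use 'ldap:'; 'ldapsam:' is only a passdb backend")
    suffix = smb.get("ldap suffix", "")
    if not suffix:
        findings.append("smb.conf: 'ldap suffix' is blank, so Samba has no base DN for its passdb")
    elif suffix.lower() != smbldap.get("suffix", "").lower():
        findings.append("ldap suffix %r differs from smbldap.conf suffix %r" % (suffix, smbldap.get("suffix")))
    admin = smb.get("ldap admin dn", "")
    if "masterDN" in smbldap and admin.lower() != smbldap["masterDN"].lower():
        findings.append("ldap admin dn %r and masterDN %r bind as different identities" % (admin, smbldap["masterDN"]))
    for smb_key, ldap_key in OU_PAIRS:
        rel, actual = smb.get(smb_key, ""), smbldap.get(ldap_key, "")
        expected = "%s,%s" % (rel, suffix)
        if rel and suffix and actual and expected.lower() != actual.lower():
            findings.append("%s resolves to %r but smbldap.conf %s is %r" % (smb_key, expected, ldap_key, actual))
    return findings

if __name__ == "__main__":
    for finding in check_consistency(parse_smb_conf(SMB_CONF_BROKEN), parse_smbldap_conf(SMBLDAP_CONF)):
        print("-", finding)
```

To run it against a live box, read /etc/samba/smb.conf and the concatenation of /etc/smbldap-tools/smbldap.conf and smbldap_bind.conf into the two parsers; it only compares the files and does not touch secrets.tdb, so a bind that still fails after it reports nothing points at the stored password (smbpasswd -w) or slapd itself.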

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
Contact:

[SOLVED] CentOS 5.8 - Migrating to OpenLDAP + Samba, samba f

Post by pschaff » 2012/04/03 20:03:51

Thanks for reporting back. Marking this thread [SOLVED] for posterity.
