[SOLVED] CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind


Postby browley » 2012/03/21 15:26:43

Hi All. I am having a heck of a time getting OpenLDAP and Samba to play nice on a CentOS box so I can eventually Vampire our AD server and promote the CentOS box as PDC. I know all the risks + politics involved, but I'm willing to make the jump. I've got an initial small OpenLDAP instance set up. Let's assume my domain is called "bob.local".

/etc/openldap/slapd.conf
Code:
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

access to attrs=userPassword
                        by self write
                        by anonymous auth
                        by dn.base="cn=root,dc=bob,dc=local" write
                        by * none

access to attrs=shadowLastChange
                        by self write
                        by anonymous auth
                        by dn.base="cn=root,dc=bob,dc=local" write
                        by * none

access to *
                        by self write
                        by dn.base="cn=root,dc=bob,dc=local" write
                        by users read

database bdb
suffix "dc=bob,dc=local"
rootdn "cn=root,dc=bob,dc=local"
rootpw {SSHA}<edited via paranoia>
password-hash {SSHA}

directory       /var/lib/ldap

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub


smb.conf
Code:
# Global parameters
[global]
   workgroup = BOB
   netbios name = dc1

   deadtime = 10

   log level = 10
   log file = /var/log/samba/log.%m
   max log size = 5000
   debug pid = yes
   debug uid = yes
   syslog = 0
   utmp = yes

   security = user
   domain logons = yes
   domain master = no
   os level = 64
   logon path =
   logon home =
   logon drive =
   logon script =

   passdb backend = ldapsam:ldap://localhost
   ldap ssl = off
   ldap admin dn = cn=root,dc=bob,dc=local
   ldap delete dn = no

   ## Sync UNIX password with Samba password
   ## Method 1:
   ldap password sync = yes
   ## Method 2:
   ;ldap password sync = no
   ;unix password sync = yes
   ;passwd program = /usr/sbin/smbldap-passwd -u '%u'
   ;passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"

   obey pam restrictions = no
   ldap suffix = dc=bob,dc=local
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   
   idmap backend = ldapsam:ldap://localhost
   idmap uid = 15000-20000
   idmap gid = 15000-20000   

   add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
   rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
   delete user script = /usr/sbin/smbldap-userdel '%u'
   set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
   add group script = /usr/sbin/smbldap-groupadd -p '%g'
   delete group script = /usr/sbin/smbldap-groupdel '%g'
   add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
   delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
   add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1

   enable privileges = yes
   username map = /etc/samba/smbusers
   nt acl support = yes

<cut for sanity>


/etc/smbldap-tools/smbldap.conf
Code:
SID="S-1-5-21-599962346-blah"
sambaDomain="bob.local"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"

ldapTLS="0"
ldapSSL="0"
verify="none"
suffix="dc=bob,dc=local"

usersdn="ou=People,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Group,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"

userSmbHome="\\DC1.BOB.LOCAL\%U"
userHomeDrive="H:"
userScript="logon.bat"
mailDomain="bob.local"

with_smbpasswd="0"
smbpasswd="/usr/sbin/smbpasswd"

with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"


/etc/smbldap-tools/smbldap_bind.conf
Code:
slaveDN="cn=root,dc=bob,dc=local"
slavePw="<LDAP root password here in plaintext>"
masterDN="cn=root,dc=bob,dc=local"
masterPw="<LDAP root password here in plaintext>"


/etc/nsswitch.conf
Code:
passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus

sudoers: files ldap


I ran authconfig-tui and set to use MD5, Shadow, LDAP. Should I also set it to use SMB auth? For the next set, I unchecked TLS and set server to ldap://127.0.0.1.

My problem comes with running certain commands. For example, when I run
Code:
$ sudo net groupmap list
[2012/03/21 10:32:48.661571,  0, pid=4690, effective(0, 0), real(0, 0)] lib/smbldap.c:1151(smbldap_connect_system)
failed to bind to server ldap://localhost with dn="cn=root,dc=bob,dc=local" Error: Invalid credentials

$ sudo net getlocalsid
[2012/03/21 10:45:24.324350,  0, pid=4775, effective(0, 0), real(0, 0)] lib/smbldap.c:1151(smbldap_connect_system)
failed to bind to server ldap://localhost with dn="cn=root,dc=bob,dc=local" Error: Invalid credentials


Oddly, I can log in to my phpLDAPadmin using the full root user, cn=root,dc=bob,dc=local, with the master LDAP password, the same one that's in the smbldap_bind.conf file. Somewhere along the line, samba is misconfigured to bind to ldap, I'm just not sure how/where. I'm not sure what I have configured incorrectly or if I have too much/too little in my confs. To be honest, I've been through so many how-to's and configs that it's all starting to blur together. My only other thought is that maybe I should bind with another user? Please let me know if you need any more info and THANKS in advance for any help/hints you can give me.
browley
 
Posts: 5
Joined: 2012/03/20 17:20:41

Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind

Postby gulikoza » 2012/03/22 04:54:36

Samba LDAP password is set with smbpasswd -w, not read from smbldap_bind.conf. And sadly, I don't think you can vampire AD, I think it works only with NT4 domains but I might be wrong (never tried it myself)
gulikoza
 
Posts: 97
Joined: 2007/05/06 20:15:23

Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind

Postby browley » 2012/03/22 13:31:08

Thanks for the reply. I had set it but I tried it again anyway:

Code:
$ sudo smbpasswd -w <passwd here>
Setting stored password for "cn=root,dc=bob,dc=local" in secrets.tdb

$ sudo net getlocalsid
[2012/03/22 09:24:02.008821,  0, pid=9544, effective(0, 0), real(0, 0)] lib/smbldap.c:1151(smbldap_connect_system)
  failed to bind to server ldap://localhost with dn="cn=root,dc=bob,dc=local" Error: Invalid credentials


Any other ideas?
browley
 
Posts: 5
Joined: 2012/03/20 17:20:41

Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind

Postby gulikoza » 2012/03/23 10:38:55

Hmm, not really. This should work.
Perhaps try checking slapd log for any additional information?
gulikoza
 
Posts: 97
Joined: 2007/05/06 20:15:23

Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind

Postby browley » 2012/03/27 13:40:22

OK, some more info, because I'm still stumped. So I deleted the OpenLDAP db (removed everything in /var/lib/ldap) and started anew. Got the instance up and running and figured out how to revert the log. Right now I only have the root user:
Code:
$ /usr/sbin/slapcat
dn: dc=bob,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: bob
dc: bob
structuralObjectClass: organization
entryUUID: b4589b6c-0bd1-1031-8df1-25b31779b23b
creatorsName: cn=root,dc=bob,dc=local
createTimestamp: 20120326205503Z
entryCSN: 20120326205503Z#000000#00#000000
modifiersName: cn=root,dc=bob,dc=local
modifyTimestamp: 20120326205503Z

dn: cn=root,dc=bob,dc=local
objectClass: organizationalRole
cn: root
structuralObjectClass: organizationalRole
entryUUID: b4766692-0bd1-1031-8df2-25b31779b23b
creatorsName: cn=root,dc=bob,dc=local
createTimestamp: 20120326205503Z
entryCSN: 20120326205503Z#000001#00#000000
modifiersName: cn=root,dc=bob,dc=local


Here's a search on localhost:
Code:
ldapsearch -x -s base -b "" -h 127.0.0.1 -D cn=root,dc=bob,dc=local -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success


Re-ran smbpasswd, then tried to get the SID, and I no longer get the failed-to-bind error, so I feel like I'm getting very close. I ran the net command in debug mode:
Code:
$ net getlocalsid -d 10
[2012/03/27 09:16:40,  5] lib/debug.c:405(debug_dump_status)
  INFO: Current debug levels:
    all: True/10
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
    dmapi: False/0
    registry: False/0
[2012/03/27 09:16:40,  3] param/loadparm.c:9180(lp_load_ex)
  lp_load_ex: refreshing parameters
[2012/03/27 09:16:40,  3] param/loadparm.c:4948(init_globals)
  Initialising global parameters
[2012/03/27 09:16:40,  2] param/loadparm.c:4807(max_open_files)
  rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
[2012/03/27 09:16:40.228633,  3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2012/03/27 09:16:40.228688,  3] param/loadparm.c:7864(do_section)
  Processing section "[global]"
  doing parameter workgroup = bob
  doing parameter netbios name = dc1
[2012/03/27 09:16:40.228756,  4] param/loadparm.c:7226(handle_netbios_name)
  handle_netbios_name: set global_myname to: DC1
  doing parameter interfaces = eth0
  doing parameter bind interfaces only = No
  doing parameter passdb backend = ldapsam:ldap://localhost
  doing parameter client NTLMv2 auth = Yes
  doing parameter client lanman auth = No
  doing parameter client plaintext auth = No
  doing parameter log level = 2
  doing parameter syslog = 1
  doing parameter log file = /var/log/samba/%m
  doing parameter max log size = 0
  doing parameter smb ports = 139 445
  doing parameter name resolve order = wins
  doing parameter time server = Yes
  doing parameter server signing = auto
  doing parameter add user script = /usr/sbin/smbldap-useradd -m '%u'
  doing parameter add group script = /usr/sbin/smbldap-groupadd '%g'
  doing parameter add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
  doing parameter set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
  doing parameter add machine script = /usr/sbin/smbldap-useradd -w '%u'
  doing parameter logon path =
  doing parameter logon home =
  doing parameter domain logons = Yes
  doing parameter os level = 34
  doing parameter preferred master = Yes
  doing parameter domain master = Yes
  doing parameter wins support = Yes
  doing parameter ldap admin dn = "cn=root,dc=bob,dc=local"
  doing parameter ldap user suffix = ou=People
  doing parameter ldap group suffix = ou=Group
  doing parameter ldap idmap suffix = ou=Idmap
  doing parameter ldap machine suffix = ou=Hosts
  doing parameter ldap passwd sync = Yes
  doing parameter ldap suffix = dc=bob,dc=local
  doing parameter ldap ssl = no
  doing parameter ldap timeout = 100
  doing parameter idmap backend = ldap:ldap://localhost
  doing parameter idmap uid = 15000-20000
  doing parameter idmap gid = 15000-20000
  doing parameter winbind nested groups = Yes
  doing parameter nt acl support = yes
  doing parameter ea support = Yes
  doing parameter inherit acls = Yes
  doing parameter nt acl support = Yes
  doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
[2012/03/27 09:16:40.230149,  4] param/loadparm.c:9215(lp_load_ex)
  pm_process() returned Yes
[2012/03/27 09:16:40.230192,  7] param/loadparm.c:9421(lp_servicenumber)
  lp_servicenumber: couldn't find homes
[2012/03/27 09:16:40.230230, 10] param/loadparm.c:8425(set_server_role)
  set_server_role: role = ROLE_DOMAIN_PDC
[2012/03/27 09:16:40.230268,  5] lib/iconv.c:104(smb_register_charset)
  Attempting to register new charset UCS-2LE
[2012/03/27 09:16:40.230299,  5] lib/iconv.c:112(smb_register_charset)
  Registered charset UCS-2LE
[2012/03/27 09:16:40.230326,  5] lib/iconv.c:104(smb_register_charset)
  Attempting to register new charset UTF-16LE
[2012/03/27 09:16:40.230357,  5] lib/iconv.c:112(smb_register_charset)
  Registered charset UTF-16LE
[2012/03/27 09:16:40.230383,  5] lib/iconv.c:104(smb_register_charset)
  Attempting to register new charset UCS-2BE
[2012/03/27 09:16:40.230409,  5] lib/iconv.c:112(smb_register_charset)
  Registered charset UCS-2BE
[2012/03/27 09:16:40.230435,  5] lib/iconv.c:104(smb_register_charset)
  Attempting to register new charset UTF-16BE
[2012/03/27 09:16:40.230465,  5] lib/iconv.c:112(smb_register_charset)
  Registered charset UTF-16BE
[2012/03/27 09:16:40.230489,  5] lib/iconv.c:104(smb_register_charset)
  Attempting to register new charset UTF8
[2012/03/27 09:16:40.230516,  5] lib/iconv.c:112(smb_register_charset)
  Registered charset UTF8
[2012/03/27 09:16:40.230540,  5] lib/iconv.c:104(smb_register_charset)
  Attempting to register new charset UTF-8
[2012/03/27 09:16:40.230564,  5] lib/iconv.c:112(smb_register_charset)
  Registered charset UTF-8
[2012/03/27 09:16:40.230591,  5] lib/iconv.c:104(smb_register_charset)
  Attempting to register new charset ASCII
[2012/03/27 09:16:40.230621,  5] lib/iconv.c:112(smb_register_charset)
  Registered charset ASCII
[2012/03/27 09:16:40.230647,  5] lib/iconv.c:104(smb_register_charset)
  Attempting to register new charset 646
[2012/03/27 09:16:40.230675,  5] lib/iconv.c:112(smb_register_charset)
  Registered charset 646
[2012/03/27 09:16:40.230701,  5] lib/iconv.c:104(smb_register_charset)
  Attempting to register new charset ISO-8859-1
[2012/03/27 09:16:40.230725,  5] lib/iconv.c:112(smb_register_charset)
  Registered charset ISO-8859-1
[2012/03/27 09:16:40.230754,  5] lib/iconv.c:104(smb_register_charset)
  Attempting to register new charset UCS2-HEX
[2012/03/27 09:16:40.230781,  5] lib/iconv.c:112(smb_register_charset)
  Registered charset UCS2-HEX
[2012/03/27 09:16:40.230841,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231165,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231245,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231293,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231339,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231387,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231429,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231487,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231537,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231581,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231659,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231772,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231844,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.231936,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.232045,  5] lib/util.c:276(init_names)
  Netbios name list:-
  my_netbios_names[0]="DC1"
[2012/03/27 09:16:40.232236,  2] lib/interface.c:340(add_interface)
  added interface eth0 ip=fe80::6631:50ff:fed3:f1f5%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
[2012/03/27 09:16:40.232370,  2] lib/interface.c:340(add_interface)
  added interface eth0 ip=192.168.101.17 bcast=192.168.101.255 netmask=255.255.255.0
[2012/03/27 09:16:40.232443,  5] passdb/pdb_interface.c:63(smb_register_passdb)
  Attempting to register passdb backend ldapsam
[2012/03/27 09:16:40.232487,  5] passdb/pdb_interface.c:76(smb_register_passdb)
  Successfully added passdb backend 'ldapsam'
[2012/03/27 09:16:40.232515,  5] passdb/pdb_interface.c:63(smb_register_passdb)
  Attempting to register passdb backend ldapsam_compat
[2012/03/27 09:16:40.232544,  5] passdb/pdb_interface.c:76(smb_register_passdb)
  Successfully added passdb backend 'ldapsam_compat'
[2012/03/27 09:16:40.232573,  5] passdb/pdb_interface.c:63(smb_register_passdb)
  Attempting to register passdb backend NDS_ldapsam
[2012/03/27 09:16:40.232601,  5] passdb/pdb_interface.c:76(smb_register_passdb)
  Successfully added passdb backend 'NDS_ldapsam'
[2012/03/27 09:16:40.232628,  5] passdb/pdb_interface.c:63(smb_register_passdb)
  Attempting to register passdb backend NDS_ldapsam_compat
[2012/03/27 09:16:40.232654,  5] passdb/pdb_interface.c:76(smb_register_passdb)
  Successfully added passdb backend 'NDS_ldapsam_compat'
[2012/03/27 09:16:40.232690,  5] passdb/pdb_interface.c:63(smb_register_passdb)
  Attempting to register passdb backend smbpasswd
[2012/03/27 09:16:40.232720,  5] passdb/pdb_interface.c:76(smb_register_passdb)
  Successfully added passdb backend 'smbpasswd'
[2012/03/27 09:16:40.232748,  5] passdb/pdb_interface.c:63(smb_register_passdb)
  Attempting to register passdb backend tdbsam
[2012/03/27 09:16:40.232774,  5] passdb/pdb_interface.c:76(smb_register_passdb)
  Successfully added passdb backend 'tdbsam'
[2012/03/27 09:16:40.232802,  5] passdb/pdb_interface.c:63(smb_register_passdb)
  Attempting to register passdb backend wbc_sam
[2012/03/27 09:16:40.232833,  5] passdb/pdb_interface.c:76(smb_register_passdb)
  Successfully added passdb backend 'wbc_sam'
[2012/03/27 09:16:40.232861,  5] passdb/pdb_interface.c:133(make_pdb_method_name)
  Attempting to find a passdb backend to match ldapsam:ldap://localhost (ldapsam)
[2012/03/27 09:16:40.232893,  5] passdb/pdb_interface.c:154(make_pdb_method_name)
  Found pdb backend ldapsam
[2012/03/27 09:16:40.232955,  2] lib/smbldap_util.c:277(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=BOB))]
[2012/03/27 09:16:40.233013,  5] lib/smbldap.c:1360(smbldap_search_ext)
  smbldap_search_ext: base => [dc=bob,dc=local], filter => [(&(objectClass=sambaDomain)(sambaDomainName=BOB))], scope => [2]
[2012/03/27 09:16:40.233076,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233132,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233181,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233230,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233275,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233316,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233358,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233402,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233446,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233488,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233537,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233590,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233637,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233685,  5] lib/charcnv.c:98(charset_name)
  Substituting charset 'UTF-8' for LOCALE
[2012/03/27 09:16:40.233758,  5] lib/smbldap.c:1262(smbldap_close)
  The connection to the LDAP server was closed
[2012/03/27 09:16:40.233790, 10] lib/smbldap.c:751(smb_ldap_setup_conn)
  smb_ldap_setup_connection: ldap://localhost
[2012/03/27 09:16:40.234270,  2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2012/03/27 09:16:40.234472, 10] lib/smbldap.c:1120(smbldap_connect_system)
  ldap_connect_system: Binding to ldap server ldap://localhost as "cn=root,dc=bob,dc=local"
[2012/03/27 09:16:40.235501,  3] lib/smbldap.c:1862(smbldap_check_root_dse)
  smbldap_check_root_dse: Expected one rootDSE, got 0
[2012/03/27 09:16:40.235545,  3] lib/smbldap.c:1166(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
  ldap_connect_system: LDAP server does not support paged results
[2012/03/27 09:16:40.235584,  4] lib/smbldap.c:1242(smbldap_open)
  The LDAP server is successfully connected
[2012/03/27 09:16:40.236150,  5] passdb/pdb_interface.c:165(make_pdb_method_name)
  pdb backend ldapsam:ldap://localhost has a valid init
[2012/03/27 09:16:40.236253,  0] utils/net.c:264(net_getlocalsid)
  Can't fetch domain SID for name: DC1
[2012/03/27 09:16:40.271436,  2] utils/net.c:916(main)
  return code = 1
[2012/03/27 09:16:40.271512,  5] lib/gencache.c:65(gencache_init)
  Opening cache file at /var/lib/samba/gencache.tdb
[2012/03/27 09:16:40.271655,  5] lib/gencache.c:108(gencache_init)
  Opening cache file at /var/lib/samba/gencache_notrans.tdb


When I tail the logs, here's what happens when I run the net getlocalsid command. While it no longer gives me the same message, this time it just says cannot fetch SID. Here is the output from the log:
Code:
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 fd=17 ACCEPT from IP=127.0.0.1:55999 (IP=0.0.0.0:389)
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=0 BIND dn="cn=root,dc=bob,dc=local" method=128
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=0 BIND dn="cn=root,dc=bob,dc=local" mech=SIMPLE ssf=0
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=0 RESULT tag=97 err=0 text=
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=1 SRCH attr=supportedControl
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=2 SRCH base="dc=bob,dc=local" scope=2 deref=0 filter="(&(objectClass=sambaDomain)(sambaDomainName=bob))"
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=2 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
Mar 27 09:34:21 dc1 slapd[15629]: <= bdb_equality_candidates: (sambaDomainName) not indexed
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 27 09:34:21 dc1 slapd[15629]: conn=51387 fd=17 closed (connection lost)


Based on this, does anyone else have any more ideas? Thanks again.
browley
 
Posts: 5
Joined: 2012/03/20 17:20:41

Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind

Postby gulikoza » 2012/03/28 17:32:29

Well if you cleared the LDAP db there's obviously no SID inside. You need to re-run smbldap-populate.
gulikoza
 
Posts: 97
Joined: 2007/05/06 20:15:23

Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind

Postby browley » 2012/04/02 21:04:03

From what I've read, the SID is generated via Samba and has to be put in smbldap.conf before running smbldap-populate. From many of the guides I was following, they actually wanted to generate the SID before running smbldap-populate. Either way, I ran the command and here's what I got:

Code:
$ sudo smbldap-populate
Unable to determine domain SID: please edit your smbldap.conf, or start your samba server for a few minutes to allow for SID generation to proceed
Compilation failed in require at /usr/sbin/smbldap-populate line 33.
BEGIN failed--compilation aborted at /usr/sbin/smbldap-populate line 33.


So, in frustration, I decided to start over with the samba portion. I stopped samba and deleted my secrets.tdb and regenerated it:
Code:
$ sudo /etc/init.d/smb stop
$ sudo rm -rf /var/lib/samba/private/secrets.tdb
$ sudo /usr/bin/smbpasswd -W


I also re-set root's pw to match my cn=root,dc=bob,dc=local password. Then, I completely re-configured my smb.conf from the Samba admin guide. I then re-ran authconfig-tui to make sure it was correct. I also was reading about configure.pl from smbldap-tools guide above and realized I had never run it so I did that:
Code:
$ sudo cp /usr/share/doc/smbldap-tools-0.9.6/configure.pl /etc/smbldap-tools
$ sudo chmod +x /etc/smbldap-tools
$ sudo /etc/smbldap-tools/configure.pl


Initially, it had a problem on one of the lines running pidof so I added /sbin to root's $PATH. Then I gave "net getlocalsid" a shot and it freakin' worked! I almost fell out of my chair. I added the SID to /etc/smbldap-tools/slapd.conf and then ran /usr/sbin/smbldap-populate without a problem. At that point I started samba without an issue. I still do not know what fixed the problem and am in a bit of shock. However, I am not out of the woods just yet:

Code:
$ sudo net groupmap list
[2012/04/02 16:46:53.128000,  0] passdb/pdb_ldap.c:3448(ldapsam_setsamgrent)
  ldapsam_setsamgrent: LDAP search failed: No such object
[2012/04/02 16:46:53.128134,  0] passdb/pdb_ldap.c:3523(ldapsam_enum_group_mapping)
  ldapsam_enum_group_mapping: Unable to open passdb


From the googles, it looks like this is either an auth problem or the user object is not the right type. I'm a bit overwhelmed with Samba/LDAP today but will take another look tomorrow. If anyone else has any ideas please let me know.
browley
 
Posts: 5
Joined: 2012/03/20 17:20:41

[SOLVED] Re: CentOS 5.8 - Migrating to OpenLDAP + Samba, samba fails to bind

Postby browley » 2012/04/03 19:34:22

Success! During my re-vamp of /etc/samba/smb.conf, I had blanked the ldap suffix. I had read some random forum post that suggested doing this may help generate the SID. Again, no idea if this was why the SID generated, but I left the ldap suffix blank. However, when I was trying to view the groupmap, I was getting "ldapsam_enum_group_mapping: Unable to open passdb" because samba had no way of knowing the correct LDAP root (durrrrrr). So I went back and edited my /etc/samba/smb.conf and set the suffix from "ldap suffix = " to "ldap suffix = dc=bob,dc=local". Restarted samba and can now see groups. Anyhow, there are still a few more things I need to nitpick through but my main issue is solved. I hope some of this info helps someone who also finds themselves bashing their head against a wall.
browley
 
Posts: 5
Joined: 2012/03/20 17:20:41
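As an added example (not from this thread or from the smbldap-tools project), here is a small Python cross-check of the three config files that have to agree on a Samba ldapsam PDC. It flags the blank "ldap suffix" that caused the "Unable to open passdb" error in the post above, an "ldap admin dn" that is not slapd's rootdn (the DN whose password "smbpasswd -w" stores in secrets.tdb), and the OU mismatch visible between the first post's smb.conf (ou=Users, ou=Groups) and smbldap.conf (ou=People, ou=Group). The config snippets, file contents and function names are constructed for the example.

```python
"""Cross-check smb.conf, smbldap.conf and slapd.conf on a Samba ldapsam PDC.
Flags a blank `ldap suffix`, an `ldap admin dn` that is not slapd's rootdn, and
OU names that differ between Samba and smbldap-tools. Samples are constructed."""
import re

SMB_CONF = """\
[global]
   passdb backend = ldapsam:ldap://localhost
   ldap admin dn = cn=root,dc=bob,dc=local
   ldap suffix = dc=bob,dc=local
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
"""

SMBLDAP_CONF = """\
suffix="dc=bob,dc=local"
usersdn="ou=People,${suffix}"
groupsdn="ou=Group,${suffix}"
"""

SLAPD_CONF = """\
suffix "dc=bob,dc=local"
rootdn "cn=root,dc=bob,dc=local"
"""

def parse_smb_conf(text):
    """Return the [global] parameters of an smb.conf as {key: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # smb.conf comment lines
            continue
        if line.startswith("["):                  # section header
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split()).lower()] = value.strip()
    return params

def parse_smbldap_conf(text):
    """Return KEY="value" pairs of smbldap.conf, expanding ${name} references."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            value = value.strip().strip('"')
            params[key.strip()] = re.sub(r"\$\{(\w+)\}",
                                         lambda m: params.get(m.group(1), ""), value)
    return params

def parse_slapd_conf(text):
    """Return the suffix and rootdn directives of a slapd.conf."""
    params = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and parts[0] in ("suffix", "rootdn"):
            params[parts[0]] = parts[1].strip('"')
    return params

def norm_dn(dn):
    """Case- and whitespace-insensitive DN form for comparisons."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def check(smb, tools, slapd):
    """Return findings, each prefixed with the smb.conf parameter at fault."""
    findings = []
    suffix = smb.get("ldap suffix", "")
    if not suffix:
        findings.append("ldap suffix: blank, so every ldapsam search below it fails "
                        "with 'No such object' (the thread's groupmap error)")
    elif norm_dn(suffix) != norm_dn(slapd["suffix"]):
        findings.append("ldap suffix: %s is not slapd's suffix %s" % (suffix, slapd["suffix"]))
    if norm_dn(smb.get("ldap admin dn", "")) != norm_dn(slapd["rootdn"]):
        findings.append("ldap admin dn: not slapd's rootdn; only valid if that DN exists with "
                        "write access, and 'smbpasswd -w' stored the password for it")
    # Samba and smbldap-tools must agree on where users, groups and machines live
    pairs = (("ldap user suffix", "usersdn"), ("ldap group suffix", "groupsdn"),
             ("ldap machine suffix", "computersdn"), ("ldap idmap suffix", "idmapdn"))
    for smb_key, tool_key in pairs:
        if suffix and smb_key in smb and tool_key in tools:
            samba_dn = norm_dn(smb[smb_key] + "," + suffix)
            if samba_dn != norm_dn(tools[tool_key]):
                findings.append("%s: Samba uses %s but smbldap-tools has %s=%s"
                                % (smb_key, samba_dn, tool_key, tools[tool_key]))
    return findings
```

Run check() on the real files with open(path).read() in place of the constructed strings; it reads nothing from a live directory, so it is safe to run before restarting smb.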

[SOLVED] CentOS 5.8 - Migrating to OpenLDAP + Samba, samba f

Postby pschaff » 2012/04/03 20:03:51

Thanks for reporting back. Marking this thread [SOLVED] for posterity.
pschaff
Retired Moderator
 
Posts: 18277
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
