Hi,

I've been debugging this for a day now and I am on the edge of my
understanding and could use some help.

I have a smbd 3.5.6 running as a PDC (smb.conf below) with an openldap
backend. If I run `getent passwd` I get all the users (local and
Domain) and computer accounts that I've imported into the ldap tree.
If I run `getent group`, I only see local groups:

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
....
powerdev:x:115:
ntpd:x:116:
winbindd_priv:x:117: (don't know where winbind comes from. It's not in
/etc/passwd)

I can see the imported groups in the ldap tree via phpLDAPadmin.


I have cranked up the logging in slapd.conf and watched as I did both queries:
>getent passwd
Jun 22 13:17:27 rigel slapd[26541]: conn=59 fd=14 ACCEPT from
IP=127.0.0.1:39071 (IP=0.0.0.0:389)
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=0 BIND
dn="cn=admin,dc=example,dc=co,dc=uk" method=128
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=0 BIND
dn="cn=admin,dc=example,dc=co,dc=uk" mech=SIMPLE ssf=0
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=0 RESULT tag=97 err=0 text=
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SRCH
base="dc=example,dc=co,dc=uk" scope=2 deref=0
filter="(objectClass=posixAccount)"
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SRCH attr=uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SEARCH RESULT tag=101
err=0 nentries=115 text=
Jun 22 13:17:27 rigel slapd[26541]: conn=59 fd=14 closed (connection lost)

nentries=115

>getent group
Jun 22 13:17:27 rigel slapd[26541]: conn=60 fd=14 ACCEPT from
IP=127.0.0.1:39072 (IP=0.0.0.0:389)
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=0 BIND
dn="cn=admin,dc=example,dc=co,dc=uk" method=128
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=0 BIND
dn="cn=admin,dc=example,dc=co,dc=uk" mech=SIMPLE ssf=0
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=0 RESULT tag=97 err=0 text=
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SRCH
base="ou=group,dc=example,dc=co,dc=uk" scope=1 deref=0
filter="(&(objectClass=posixGroup))"
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SRCH attr=cn
userPassword memberUid uniqueMember gidNumber
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SEARCH RESULT tag=101
err=32 nentries=0 text=
Jun 22 13:17:27 rigel slapd[26541]: conn=60 fd=14 closed (connection lost)

nentries=0 and err=32

I tried to replicate the query using ldapsearch. I am not very
familiar with ldapsearch. This was the best I could muster:
>ldapsearch -x -b 'dc=example,dc=co,dc=uk'  '(ObjectClass=posixGroup)'

This returned the groups from the ldap tree correctly:
...
...
# Backup Operators, Groups, example.co.uk
dn: cn=Backup Operators,ou=Groups,dc=example,dc=co,dc=uk
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators

# Replicators, Groups, example.co.uk
dn: cn=Replicators,ou=Groups,dc=example,dc=co,dc=uk
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9



The difference, as far as I can tell, is between the two searches:

SRCH base="ou=group,dc=example,dc=co,dc=uk" scope=1 deref=0
filter="(&(objectClass=posixGroup))"   # Failed lookup

and

SRCH base="dc=example,dc=co,dc=uk" scope=2 deref=0
filter="(objectClass=posixGroup)" # Working lookup


The first one confines itself to the base 'group' ou, whereas the
working search starts at the root and does not restrict itself. If
I do (notice ou=groups)
>ldapsearch -x -b 'ou=groups,dc=example,dc=co,dc=uk'  '(ObjectClass=posixGroup)'

I see this:
Jun 22 13:32:47 rigel slapd[26541]: conn=102 fd=14 ACCEPT from
IP=127.0.0.1:51550 (IP=0.0.0.0:389)
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=0 BIND dn="" method=128
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=0 RESULT tag=97 err=0 text=
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=1 SRCH
base="ou=groups,dc=example,dc=co,dc=uk" scope=2 deref=0
filter="(objectClass=posixGroup)"
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=1 SEARCH RESULT
tag=101 err=0 nentries=9 text=
Jun 22 13:32:47 rigel slapd[26541]: conn=102 op=2 UNBIND
Jun 22 13:32:47 rigel slapd[26541]: conn=102 fd=14 closed

and get this by way of response:
# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9 # CORRECT!

If I do the search as it looks like it's being sent to ldap, e.g.
ou=group NOT ou=groups
>ldapsearch -x -b 'ou=group,dc=example,dc=co,dc=uk'  '(ObjectClass=posixGroup)'

I see:
Jun 22 13:36:07 rigel slapd[26541]: conn=110 fd=22 ACCEPT from
IP=127.0.0.1:42136 (IP=0.0.0.0:389)
Jun 22 13:36:07 rigel slapd[26541]: conn=110 op=0 BIND dn="" method=128
Jun 22 13:36:07 rigel slapd[26541]: conn=110 op=0 RESULT tag=97 err=0 text=
Jun 22 13:36:07 rigel slapd[26541]: conn=110 op=1 SRCH
base="ou=group,dc=sciencephoto,dc=co,dc=uk" scope=2 deref=0
filter="(objectClass=posixGroup)"
Jun 22 13:36:07 rigel slapd[26541]: conn=110 op=1 SEARCH RESULT
tag=101 err=32 nentries=0 text=
Jun 22 13:36:07 rigel slapd[26541]: conn=110 op=2 UNBIND
Jun 22 13:36:07 rigel slapd[26541]: conn=110 fd=22 closed

and get this response:

# search result
search: 2
result: 32 No such object
matchedDN: dc=example,dc=co,dc=uk


I have grepped everywhere but I cannot see how to tweak the config so
that the search will be performed on ou=groups. I think I am very
close to working out what's wrong, but I could use some advice.

Thanks in advance,
Dermot.

================ ldap.conf =========
base dc=example,dc=co,dc=uk
host localhost rigel.example.co.uk
binddn cn=admin,dc=example,dc=co,dc=uk
bindpw mysecret

bind_policy soft
pam_password exop
timelimit 15

nss_base_passwd dc=example,dc=co,dc=uk?one
nss_base_shadow dc=example,dc=co,dc=uk?one
nss_base_passwd ou=Computers,dc=example,dc=co,dc=uk?one
nss_base_shadow ou=Computers,dc=example,dc=co,dc=uk?one
nss_base_group ou=Groups,dc=example,dc=co,dc=uk?one
ssl off
======================================


================= smb.conf =============
[global]
        dos charset = UTF-8
        display charset = UTF-8
        workgroup = LDN
        server string = %h server
        map to guest = Bad User
        passdb backend = ldapsam:ldap://127.0.0.1/
        pam password change = Yes
        passwd program = /usr/sbin/smbldap-passwd -u %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
        unix password sync = Yes
        log level = 1
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        smb ports = 139 445
        name resolve order = wins hosts bcast
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        add user script = /usr/sbin/smbldap-useradd -m %u
        delete user script = /usr/sbin/smbldap-userdel '%u'
        delete group script = /usr/sbin/smbldap-groupdel %g
        add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
        delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
        set primary group script = /usr/sbin/smbldap-usermod -g %g %u
        add machine script = /usr/sbin/smbldap-useradd -w %u
        logon script = logon.bat
        logon path =
        logon drive = U:
        logon home =
        domain logons = Yes
        os level = 65
        preferred master = Auto
        domain master = Yes
        dns proxy = No
        ldap admin dn = cn=admin,dc=example,dc=co,dc=uk
        ldap delete dn = Yes
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=idmap
        ldap machine suffix = ou=Computers, ou=Users
        ldap passwd sync = yes
        ldap suffix = dc=example,dc=co,dc=uk
        ldap ssl = no
        ldap timeout = 20
        ldap user suffix = ou=Users
        panic action = /usr/share/samba/panic-action %d
        idmap backend = ldap:"ldap://127.0.0.1/";
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        map acl inherit = Yes
        case sensitive = No
        hide unreadable = Yes

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

[netlogon]
        path = /var/lib/samba/netlogon
        browseable = No

[profiles]
        path = /var/lib/samba/profiles
        force user = %U
        read only = No
        create mask = 0600
        directory mask = 0700
        guest ok = Yes
        profile acls = Yes
        browseable = No
        csc policy = disable

[public]
        path = /tmp
        read only = No
        guest ok = Yes
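The comparison the post makes by hand (pairing each slapd SRCH line with its SEARCH RESULT and holding the base/scope actually sent against the nss_base_group directive) can be scripted. This is an added Python example, not code from the original post; the sample log lines are constructed from the ones quoted above with the wrapped lines rejoined, and the directive syntax assumed is nss_ldap's `base?scope?filter`.

```python
import re
# Constructed sample: the two lookups quoted in the post, wrapped lines rejoined.
SAMPLE_LOG = """\
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SRCH base="dc=example,dc=co,dc=uk" scope=2 deref=0 filter="(objectClass=posixAccount)"
Jun 22 13:17:27 rigel slapd[26541]: conn=59 op=1 SEARCH RESULT tag=101 err=0 nentries=115 text=
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SRCH base="ou=group,dc=example,dc=co,dc=uk" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
Jun 22 13:17:27 rigel slapd[26541]: conn=60 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
"""
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d).*filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*err=(\d+) nentries=(\d+)')
SCOPES = {"base": 0, "one": 1, "sub": 2}  # nss_ldap scope keywords -> slapd scope numbers

def norm_dn(dn):
    # ou= values compare case-insensitively and spaces after commas are insignificant
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_nss_base(directive):
    # nss_ldap syntax: nss_base_<map> base?scope?filter ; scope defaults to sub
    key, _, value = directive.strip().partition(" ")
    base, _, rest = value.partition("?")
    return key, base, SCOPES[rest.partition("?")[0] or "sub"]

def correlate(log_text):
    # join each SRCH with its SEARCH RESULT on the (conn, op) pair, in log order
    ops = {}
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, flt = m.groups()
            ops[(conn, op)] = {"base": base, "scope": int(scope), "filter": flt}
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in ops:
            ops[(m.group(1), m.group(2))].update(err=int(m.group(3)), nentries=int(m.group(4)))
    return list(ops.values())

def check_group_lookups(log_text, nss_base_group):
    # flag group searches whose base or scope differ from the directive, and err=32 results
    _, want_base, want_scope = parse_nss_base(nss_base_group)
    findings = []
    for s in correlate(log_text):
        if "posixgroup" not in s["filter"].lower():
            continue  # only group lookups are governed by nss_base_group
        if norm_dn(s["base"]) != norm_dn(want_base):
            findings.append("base mismatch: slapd saw %s, directive says %s" % (s["base"], want_base))
        if s["scope"] != want_scope:
            findings.append("scope mismatch: slapd saw %d, directive says %d" % (s["scope"], want_scope))
        if s.get("err") == 32:
            findings.append("err=32 No such object: base %s does not exist" % s["base"])
    return findings
```

Run against a real slapd log and the nss_base_group line from the ldap.conf the NSS module actually reads: a base mismatch that survives DN normalisation means the directive shown is not the one in effect.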