[Samba] Re: Getting Winbind IDMAP into LDAP?

2005-08-16 Thread Gibbs, Simon
Hi Gints,

Changing nsswitch.conf from:

passwd: files ldap
group:  files ldap
to
passwd: files winbind
group:  files winbind

did the trick. Running getent passwd/group began populating LDAP and I can
search all the records using ldapsearch and slapcat.

Would this be an error in the documentation as (unless I was reading the
wrong section) it uses the ldap entries in its example?

My one concern is that when winbind is stopped and restarted the
winbindd_idmap.tdb and winbindd_cache.tdb files are recreated and entries
are added. Would this be expected?

I guess I can test this today when I begin configuring a second node.

Thanks for your help.

Simon


 From: gints neimanis [EMAIL PROTECTED]
 Date: Tue, 16 Aug 2005 11:57:48 +0300
 To: Gibbs, Simon [EMAIL PROTECTED], samba@lists.samba.org
 Subject: Re: Getting Winbind IDMAP into LDAP?
 
 Hi,
 
 to use ldap as winbind idmap backend, you don't need the NSS_LDAP at all.
 All queries and updates to ldap are performed by winbind itself.
 
 Your smb.conf looks fine.
 You may check 2 things:
 * Have you stored the LDAP Manager password to the LDAP database with the
 command smbpasswd -w 'verysecretldapmanager password' ?
 * and look if you have added winbind to /etc/nsswitch.conf (and then the
 command getent passwd should show all domain users with ids from ldap)?
 like:
 ===
 ...
 passwd: files winbind
 group:  files winbind
 ...
 ===
 
 Next - you may increase the loglevel (loglevel 256) for the LDAP server and
 look in the ldap messages for what is wrong with the connection.
 
 Gints
 
 Gibbs, Simon wrote:
 Hi,
 
 I've been trying to populate an LDAP directory with IDMAP information from
 Winbind using NSS_LDAP without much success over the last week.
 Can anybody tell me if I've done anything obviously wrong?
 
 I've followed the example shown in the Samba "By Example" doc and am at the
 stage where the LDAP directory has been created and configured, NSS_LDAP
 config is amended, smb.conf contains entries to use LDAP as a backend and I
 have deleted /var/cache/samba/winbindd_cache.tdb and winbindd_idmap.tdb. Now
 wbinfo -u and wbinfo -g show users and groups on the domain but getent
 passwd/groups only displays local users. The winbindd_cache.tdb and
 winbindd_idmap.tdb files have been recreated but only winbindd_cache.tdb
 holds any information. When I attempt to access a Samba share I'm prompted
 to enter a username and password.
 
 As I understand it once the wbinfo commands have been run this process
 should automatically populate the Idmap ou with the ID mappings - is this
 correct? If so there must be something wrong with my config.
 
 Here's the current config and relevant info - sorry it's a bit long:
 
 /etc/samba/smb.conf
 
 [global]
 workgroup = UKCORPLAN
 netbios name = UKFS01
 server string = UKFS01 Samba Server
 winbind separator = /
 ldap ssl = no
 idmap uid = 1-1000
 idmap gid = 1-1000
 ldap admin dn = cn=Manager,dc=uk,dc=corplan,dc=net
 ldap idmap suffix = ou=Idmap
 ldap suffix = dc=uk,dc=corplan,dc=net
 idmap backend = ldap:ldap://10.10.4.111/
 winbind enum users = yes
 winbind enum groups = yes
 template homedir = /mnt/emcpowerb/user/%D/%U
 template shell = /bin/bash
 password server = ukdc01.uk.corplan.net
 security = ADS
 #encrypt passwords = yes
 realm = uk.corplan.net
 browseable = yes
 username map = /etc/samba/smbusers
 log level = 10 ads:10 auth:10 sam:10 rpc:10 idmap:10
 syslog = 0
 log file = /var/log/samba/%m
 max log size = 50
 # Share Definitions
 ==
 [homes]
 comment = Home Directories
 browseable = no
 writable = yes
 
 [public]
 comment = Public Stuff
 path = /home/samba
 public = yes
 read only = no
 
 [test]
 comment = test share
 path = /mnt/emcpowera/shared/test
 public = yes
 browseable = yes
 writeable = yes
 
 /etc/nsswitch.conf
 
 passwd: files ldap
 shadow: files ldap
 group:  files ldap
 
 #hosts: db files nisplus nis dns
 hosts:  files dns
 
 /etc/openldap/slapd.conf
 
 #
 # See slapd.conf(5) for details on configuration options.
 # This file should NOT be world readable.
 #
 ## schema files (core.schema is required by default)
 include /etc/openldap/schema/core.schema
 
 ## needed for sambaSamAccount
 include /etc/openldap/schema/cosine.schema
 include /etc/openldap/schema/inetorgperson.schema
 include /etc/openldap/schema/nis.schema
 include /etc/openldap/schema/samba.schema
 
 # Allow LDAPv2 client connections.  This is NOT the default.
 allow bind_v2
 
 # Do not enable referrals until AFTER you have a working directory
 # service AND an understanding of referrals.
 #referral   ldap://root.openldap.org
 
 pidfile /var/run/slapd.pid
 argsfile /var/run/slapd.args
 
 # Load dynamic backend modules:
 # modulepath /usr/sbin/openldap
 # moduleload back_bdb.la
 # moduleload back_ldap.la
 # moduleload back_ldbm.la
 # moduleload back_passwd.la
 # moduleload   

[Samba] Re: Getting Winbind IDMAP into LDAP?

2005-08-16 Thread gints neimanis

Hi,

to use ldap as winbind idmap backend, you don't need the NSS_LDAP at all.
All queries and updates to ldap are performed by winbind itself.

Your smb.conf looks fine.
You may check 2 things:
* Have you stored the LDAP Manager password to the LDAP database with the
command smbpasswd -w 'verysecretldapmanager password' ?
* and look if you have added winbind to /etc/nsswitch.conf (and then the
command getent passwd should show all domain users with ids from ldap)?

like:
===
...
passwd: files winbind
group:  files winbind
...
===

Next - you may increase the loglevel (loglevel 256) for the LDAP server and
look in the ldap messages for what is wrong with the connection.


Gints

Gibbs, Simon wrote:

Hi,

I've been trying to populate an LDAP directory with IDMAP information from
Winbind using NSS_LDAP without much success over the last week.
Can anybody tell me if I've done anything obviously wrong?

I've followed the example shown in the Samba "By Example" doc and am at the
stage where the LDAP directory has been created and configured, NSS_LDAP
config is amended, smb.conf contains entries to use LDAP as a backend and I
have deleted /var/cache/samba/winbindd_cache.tdb and winbindd_idmap.tdb. Now
wbinfo -u and wbinfo -g show users and groups on the domain but getent
passwd/groups only displays local users. The winbindd_cache.tdb and
winbindd_idmap.tdb files have been recreated but only winbindd_cache.tdb
holds any information. When I attempt to access a Samba share I'm prompted
to enter a username and password.

As I understand it once the wbinfo commands have been run this process
should automatically populate the Idmap ou with the ID mappings - is this
correct? If so there must be something wrong with my config.

Here's the current config and relevant info - sorry it's a bit long:

/etc/samba/smb.conf

[global]
workgroup = UKCORPLAN
netbios name = UKFS01
server string = UKFS01 Samba Server
winbind separator = /
ldap ssl = no
idmap uid = 1-1000
idmap gid = 1-1000
ldap admin dn = cn=Manager,dc=uk,dc=corplan,dc=net
ldap idmap suffix = ou=Idmap
ldap suffix = dc=uk,dc=corplan,dc=net
idmap backend = ldap:ldap://10.10.4.111/
winbind enum users = yes
winbind enum groups = yes
template homedir = /mnt/emcpowerb/user/%D/%U
template shell = /bin/bash
password server = ukdc01.uk.corplan.net
security = ADS
#encrypt passwords = yes
realm = uk.corplan.net
browseable = yes
username map = /etc/samba/smbusers
log level = 10 ads:10 auth:10 sam:10 rpc:10 idmap:10
syslog = 0
log file = /var/log/samba/%m
max log size = 50
# Share Definitions
==
[homes]
comment = Home Directories
browseable = no
writable = yes

[public]
comment = Public Stuff
path = /home/samba
public = yes
read only = no

[test]
comment = test share
path = /mnt/emcpowera/shared/test
public = yes
browseable = yes
writeable = yes

/etc/nsswitch.conf

passwd: files ldap
shadow: files ldap
group:  files ldap

#hosts: db files nisplus nis dns
hosts:  files dns

/etc/openldap/slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
## schema files (core.schema is required by default)
include /etc/openldap/schema/core.schema

## needed for sambaSamAccount
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#   Allow self write access
#   Allow authenticated users read access
#   Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base= by * read
# access to dn.base=cn=Subschema by * read
#access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., access to * by * read)
#
# rootdn can always read and write EVERYTHING!

###
# ldbm and/or bdb database definitions
###

database bdb
suffix   dc=uk,dc=corplan,dc=net
rootdn 

[Samba] Re: Getting Winbind IDMAP into LDAP?

2005-08-16 Thread gints neimanis

Hi Simon,

I think it is not an error in the documentation (I don't know which 
chapter we are talking about :)).


If you use winbind authentication (+ idmap/ldap) only, you don't need 
the NSS_LDAP.
But if you build a domain, where all user data is stored in LDAP, then 
you may authenticate users (from *nix) directly to the LDAP database - and 
then you should use the NSS_LDAP (and Windows clients use 
(Samba) domain authentication). And the Samba guides mostly explain 
how to build the full Samba domain with an LDAP backend.


About winbind*tdb. I have such files too and I think it is expected (it 
speeds up resolving the ids). My setup with W2K as domain controller 
and SAMBA servers with winbind+idmap_ldap has worked fine for ~2 years without 
any trouble for 900 users (Thanks to the Samba team!).


Gints



Gibbs, Simon wrote:

Hi Gints,

Changing nsswitch.conf from:

passwd: files ldap
group:  files ldap
to
passwd: files winbind
group:  files winbind

did the trick. Running getent passwd/group began populating LDAP and I can
search all the records using ldapsearch and slapcat.

Would this be an error in the documentation as (unless I was reading the
wrong section) it uses the ldap entries in its example?

My one concern is that when winbind is stopped and restarted the
winbindd_idmap.tdb and winbindd_cache.tdb files are recreated and entries
are added. Would this be expected?

I guess I can test this today when I begin configuring a second node.

Thanks for your help.

Simon

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Re: Getting Winbind IDMAP into LDAP?

2005-08-16 Thread John H Terpstra
On Tuesday 16 August 2005 03:35, Gibbs, Simon wrote:
 Hi Gints,

 Changing nsswitch.conf from:

 passwd: files ldap
 group:  files ldap
 to
 passwd: files winbind
 group:  files winbind

 did the trick. Running getent passwd/group began populating LDAP and I can
 search all the records using ldapsearch and slapcat.

Correct - the use of LDAP to store the IDMAP data requires winbind support 
through NSS.


 Would this be an error in the documentation as (unless I was reading the
 wrong section) it uses the ldap entries in its example?

The documentation may not be clear enough. Please help me to fix this.

What section (section number - not page number) and in which book?

Have you used the on-line version? Or do you have a printed copy?

Cheers,
John T.
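John's reply above (IDMAP storage in LDAP still needs winbind reachable through NSS) and Gints's checklist earlier in the thread reduce to a few conditions on two files. The script below is an added example, not code from the thread or from the Samba project: it parses the text of /etc/nsswitch.conf and the [global] section of smb.conf and reports which conditions fail. The embedded sample contents are constructed from the values Simon posted; the two extra caveats it reports (an idmap range starting inside the ids local system accounts use, and `ldap ssl = no` with a plain ldap:// URL, which sends the `ldap admin dn` simple bind unencrypted) are the editor's, not points the thread makes, and the check applies to any range rather than only the thread's 1-1000.

```python
"""Check the nsswitch.conf / smb.conf conditions for winbind idmap in LDAP.

Added example; not code from the thread or the Samba project. The sample
file contents below are constructed from the values posted in the thread.
"""

# Constructed sample: the nsswitch.conf Simon posted first ("files ldap").
NSSWITCH_BEFORE = """\
passwd: files ldap
shadow: files ldap
group:  files ldap
hosts:  files dns
"""

# Constructed sample: the entries that worked for him ("files winbind").
NSSWITCH_AFTER = """\
passwd: files winbind
shadow: files
group:  files winbind
hosts:  files dns
"""

# Constructed sample: the idmap-related [global] lines from the thread's smb.conf.
SMB_GLOBAL = """\
[global]
   workgroup = UKCORPLAN
   ldap ssl = no
   idmap uid = 1-1000
   idmap gid = 1-1000
   ldap admin dn = cn=Manager,dc=uk,dc=corplan,dc=net
   ldap idmap suffix = ou=Idmap
   ldap suffix = dc=uk,dc=corplan,dc=net
   idmap backend = ldap:ldap://10.10.4.111/
   security = ADS
"""


def parse_nsswitch(text):
    """Map each NSS database name to its ordered list of sources."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = sources.split()
    return dbs


def parse_smb_global(text):
    """Return the [global] parameters as a dict with normalised, lower-case keys."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def idmap_base_dn(smb):
    """DN under which winbind creates its sambaIdmapEntry objects."""
    return f"{smb['ldap idmap suffix']},{smb['ldap suffix']}"


def check_idmap_setup(nsswitch_text, smb_global_text, system_id_max=999):
    """Return a list of findings; an empty list means every check passed."""
    nss = parse_nsswitch(nsswitch_text)
    smb = parse_smb_global(smb_global_text)
    findings = []

    # Without winbind as an NSS source, getent never asks winbindd, so no
    # SID-to-id mapping is ever allocated and the idmap ou stays empty.
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            findings.append(f"nsswitch.conf: '{db}' does not list winbind")

    backend = smb.get("idmap backend", "")
    if not backend.startswith("ldap:"):
        findings.append(f"smb.conf: idmap backend is {backend!r}, not an ldap: URL")

    for key in ("idmap uid", "idmap gid"):
        if key not in smb:
            findings.append(f"smb.conf: {key} is not set")
            continue
        low = int(smb[key].split("-")[0])
        # Editor's caveat: ids below the distribution's system-account ceiling
        # (commonly 1000) belong to local system users/groups; a range that
        # starts there lets a domain SID be allocated one of those ids.
        if low <= system_id_max:
            findings.append(f"smb.conf: {key} = {smb[key]} overlaps local system ids")

    # Editor's caveat: with an ldap:// URL and 'ldap ssl = no', the simple bind
    # as 'ldap admin dn' (password stored via smbpasswd -w) is sent unencrypted.
    if smb.get("ldap ssl", "").lower() == "no" and not backend.startswith("ldap:ldaps://"):
        findings.append("smb.conf: ldap ssl = no; the ldap admin dn bind travels in cleartext")

    return findings


if __name__ == "__main__":
    for label, nss in (("before", NSSWITCH_BEFORE), ("after", NSSWITCH_AFTER)):
        print(f"--- {label} (idmap DN {idmap_base_dn(parse_smb_global(SMB_GLOBAL))}) ---")
        for finding in check_idmap_setup(nss, SMB_GLOBAL) or ["all checks passed"]:
            print(finding)
```

Run against the "before" sample it reports the missing winbind entries for passwd and group; against the "after" sample only the two editor's caveats remain, which is exactly the state Simon describes as working.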


Re: [Samba] Re: Getting Winbind IDMAP into LDAP?

2005-08-16 Thread John H Terpstra
On Tuesday 16 August 2005 04:27, gints neimanis wrote:
 Hi Simon,

 I think it is not an error in the documentation (I don't know which
 chapter we are talking about :)).

I have reviewed the documentation on IDMAP in LDAP and it looks to me like 
something got deleted from the documentation sources somewhere in the editing 
cycle. That is why I would like to know precisely what version and section of 
the documentation has been referred to. I will fix any weaknesses, or lack of 
clarity, that can be uncovered.


 If you use winbind authentication (+ idmap/ldap) only, you don't need
 the NSS_LDAP.

Correct.

 But if you build a domain, where all user data is stored in LDAP, then
 you may authenticate users (from *nix) directly to the LDAP database - and
 then you should use the NSS_LDAP (and Windows clients use
 (Samba) domain authentication). And the Samba guides mostly explain
 how to build the full Samba domain with an LDAP backend.

Correct.

Cheers,
John T.


Re: [Samba] Re: Getting Winbind IDMAP into LDAP?

2005-08-16 Thread Gibbs, Simon
Hi John,

I was using the online By-Example documentation at:
http://us3.samba.org/samba/docs/man/Samba-Guide/unixclients.html#id2579097
Starting at the sub-heading "IDMAP Storage in LDAP using Winbind".

The example that appears to be incorrect is related to /etc/nsswitch.conf:
...
passwd: files ldap
shadow: files ldap
group:  files ldap
...
hosts:  files wins
...

The correct entries (working for me now) are:

...
passwd: files winbind
shadow: files
group: files winbind
...
hosts: files dns (we don't use wins)

From a personal point of view it would have been useful to have an
additional entry in this section explaining how the idmap ou is
populated, but I guess you can figure it out in the end.

Hope this helps,

Simon




 From: John H Terpstra [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date: Tue, 16 Aug 2005 08:46:45 -0600
 To: samba@lists.samba.org
 Cc: gints neimanis [EMAIL PROTECTED], Gibbs, Simon [EMAIL PROTECTED]
 Subject: Re: [Samba] Re: Getting Winbind IDMAP into LDAP?
 
 On Tuesday 16 August 2005 04:27, gints neimanis wrote:
 Hi Simon,
 
 I think it is not an error in the documentation (I don't know which
 chapter we are talking about :)).
 
 I have reviewed the documentation on IDMAP in LDAP and it looks to me like
 something got deleted from the documentation sources somewhere in the editing
 cycle. That is why I would like to know precisely what version and section of
 the documentation has been referred to. I will fix any weaknesses, or lack of
 clarity, that can be uncovered.
 
 
 If you use winbind authentication (+ idmap/ldap) only, you don't need
 the NSS_LDAP.
 
 Correct.
 
 But if you build a domain, where all user data is stored in LDAP, then
 you may authenticate users (from *nix) directly to the LDAP database - and
 then you should use the NSS_LDAP (and Windows clients use
 (Samba) domain authentication). And the Samba guides mostly explain
 how to build the full Samba domain with an LDAP backend.
 
 Correct.
 
 Cheers,
 John T.






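Simon confirms the idmap ou is populated by inspecting it with ldapsearch and slapcat. The script below is an added example, not code from the thread or from the Samba project: it reads an LDIF dump of the kind slapcat produces and audits every sambaIdmapEntry against the configured idmap range, against the other entries (two SIDs holding the same id) and against the local passwd and group files, the last of which matters with a range like the thread's 1-1000 that starts inside the ids local system accounts use. The LDIF records, the domain SID S-1-5-21-111-222-333 and the local account lines are constructed samples; the checks work for any range, not only the thread's.

```python
"""Audit the sambaIdmapEntry records winbind wrote to the idmap ou.

Added example; not code from the thread or the Samba project. The LDIF,
domain SID and local account lines are constructed samples.
"""
import base64

# Constructed sample in the shape 'slapcat' emits for the ou=Idmap subtree.
SAMPLE_LDIF = """\
dn: sambaSID=S-1-5-21-111-222-333-1105,ou=Idmap,dc=uk,dc=corplan,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-111-222-333-1105
uidNumber: 2

dn: sambaSID=S-1-5-21-111-222-333-1106,ou=Idmap,dc=uk,dc=corplan,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-111-222-333-1106
uidNumber: 3

dn: sambaSID=S-1-5-21-111-222-333-513,ou=Idmap,dc=uk,dc=corplan,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-111-222-333-513
gidNumber: 2

dn: sambaSID=S-1-5-21-111-222-333-1107,ou=Idmap,dc=uk,dc=corplan,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-111-222-333-1107
uidNumber: 3

dn: sambaSID=S-1-5-21-111-222-333-1108,ou=Idmap,dc=uk,dc=corplan,dc=net
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-111-222-333-1108
uidNumber: 5000
"""

# Constructed samples of the local files (only the first three fields matter).
LOCAL_PASSWD = "root:x:0:0:root:/root:/bin/bash\nbin:x:1:1::/bin:/sbin/nologin\ndaemon:x:2:2::/sbin:/sbin/nologin\n"
LOCAL_GROUP = "root:x:0:\nbin:x:1:\ndaemon:x:2:\n"


def parse_ldif(text):
    """Return one {attribute: [values]} dict per blank-line separated record."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded + [""]:                   # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                  # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.strip(), []).append(value.strip())
    return records


def parse_local_ids(text):
    """Map numeric ids from passwd/group-style lines to their account names."""
    return {int(f[2]): f[0] for f in (line.split(":") for line in text.splitlines())
            if len(f) >= 3 and f[2].isdigit()}


def audit_idmap(ldif_text, uid_range, gid_range, local_passwd="", local_group=""):
    """Findings for every sambaIdmapEntry that is out of range, reuses an id
    another SID already holds, or lands on an id a local account owns."""
    ranges = {"uidNumber": uid_range, "gidNumber": gid_range}
    local = {"uidNumber": parse_local_ids(local_passwd), "gidNumber": parse_local_ids(local_group)}
    seen = {"uidNumber": {}, "gidNumber": {}}
    findings = []
    for rec in parse_ldif(ldif_text):
        if "sambaIdmapEntry" not in rec.get("objectClass", []):
            continue
        sid = rec["sambaSID"][0]
        for attr, (low, high) in ranges.items():
            if attr not in rec:
                continue
            num = int(rec[attr][0])
            if not low <= num <= high:
                findings.append(f"{sid}: {attr} {num} outside idmap range {low}-{high}")
            if num in seen[attr]:
                findings.append(f"{sid}: {attr} {num} already mapped to {seen[attr][num]}")
            seen[attr][num] = sid
            if num in local[attr]:
                findings.append(f"{sid}: {attr} {num} collides with local account '{local[attr][num]}'")
    return findings


if __name__ == "__main__":
    for finding in audit_idmap(SAMPLE_LDIF, (1, 1000), (1, 1000), LOCAL_PASSWD, LOCAL_GROUP):
        print(finding)
```

On a real host the LDIF would come from `slapcat` or an `ldapsearch -LLL` under the idmap DN and the local files from /etc/passwd and /etc/group; a collision finding means a domain SID has been given the same numeric id as a local system account, so file ownership on the server no longer distinguishes the two.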


Re: [Samba] Re: Getting Winbind IDMAP into LDAP?

2005-08-16 Thread John H Terpstra
On Tuesday 16 August 2005 09:01, Gibbs, Simon wrote:
 Hi John,

 I was using the online By-Example documentation at:
 http://us3.samba.org/samba/docs/man/Samba-Guide/unixclients.html#id2579097
 Starting at the sub-heading "IDMAP Storage in LDAP using Winbind".

Thanks. I'll revise this chapter as soon as I can get to this.


 The example that appears to be incorrect is related to /etc/nsswitch.conf:
 ...
 passwd: files ldap
 shadow: files ldap
 group:  files ldap
 ...
 hosts:  files wins
 ...

 The correct entries (working for me now) are:

 ...
 passwd: files winbind
 shadow: files
 group: files winbind
 ...
 hosts: files dns (we don't use wins)

 From a personal point of view it would have been useful to have an
 additional entry in this section explaining how the idmap ou is
 populated, but I guess you can figure it out in the end.

Noted. Thanks for the feedback.

- John T.