Re: [Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Hi, On Thu, 2005-09-29 at 17:36 +0200, paul kölle wrote: Kristof Bruyninckx wrote: But still there are some new problems that popped up. wbinfo -u ,wbinfo -g and wbinfo -t still work. Also getent passwd works, and shows me all the windows accounts, but it is very slow, when starting this command the LDAP starts pumping a lot of messages into /var/log/message, this in it self is not a real problem since the debugging is turned to maximum. logging slows things down, additionally you might consider adding indexes for the relevant attributes to slapd.conf, shut down the ldap server run slapindex and start again. It was indeed the logging which was slowing me down so badly, turned of debugging and the system is very responsive now. But even do getent passwd is working, I cannot perform id Windows.Usename Hmm, I'd expect id should work for root as soon as getent works for root. Stop nscd if running. I'm sure you alread red this: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html nor login as that user. You have set up pam_winbind have you? ldapsearch -x -b 'dc=thales,dc=be' '(objectclass=*)' also doesn't show me any entry, and if I'm not mistaken it should display everything. No, this is an anonymous search and your ACLs do not grant anonymous read access. I don't know if that is a problem for nss_winbind though, try changing your last ACL to: Also is no longer giving me any problems, and displays all the users. access to * by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write by self write by users read by * read If that helps you will have to investigate which component uses anonymous binds and if that can be changed. cheers Paul But I have one more question, I configured a LDAP client, and on this machine I can see all the normal NIS users, but I don't see any windows users. This might sound stupid but this was what how I expected it to work. Sometimes it takes a while for the brain to catch a clue :). Now my question would be, how to setup the client, to use the mapping stored into the LDAP server. If this is possible, since at the moment I'm a bit confused. Do I have to perform this setup on every server to Unify SID to UID/GID mapping. Or how can I use the LDAP server I just setup for this purpose, sorry if this question is well documented somewhere, but I haven't found anything yet, maybe because I was asking the wrong questions. Cheers, -- Bruyninckx Kristof Thales Services Division GNULinux/Unix System Administrator / Test developer Tel: 02/674.76.49.19 [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Kristof Bruyninckx wrote: [snipp] But I have one more question, I configured a LDAP client, and on this machine I can see all the normal NIS users, but I don't see any windows users. This might sound stupid but this was what how I expected it to work. Sometimes it takes a while for the brain to catch a clue :). ;), if I recall your setup correctly you don't have the windows users in LDAP. They are comming from AD and nss_winbind makes them available for the OS. Idmap provides a means to share SID - UID mappings across multiple servers. Something like: Now my question would be, how to setup the client, to use the mapping stored into the LDAP server. This largely depends on the definition of use. If this is possible, since at the moment I'm a bit confused. Do I have to perform this setup on every server to Unify SID to UID/GID mapping. Or how can I use the LDAP server I just setup for this purpose, For your samba servers you just point every member server to your ou=Idmap, ... branch. You *can* add another LDAP server as slave to add redundancy but that's another story. grz Paul -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Need help with IDMAP storage in LDAP using Winbind
So basically the winbind has to be setup as usual, pointing to the PDC, but instead of storing it's SID/UID/GID locally, it will use the remote SID-UID/GID mappings stored in the LDAP correct? For example : On a system previously working just with winbind to resolve the SID to UID/GID locally, I should just change the following to make it use the remotely stored mappings : client system : [global] log level = 6 workgroup = THALES-IS realm = THALES-IS.BE server string = Samba Server security = ads password server = 192.168.1.99 username map = /etc/opt/samba/smbusers log file = /var/log/samba/smbd.log max log size = 5 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 #printcap name = /etc/printcap dns proxy = No ldap admin dn = uid=samba,ou=Idmap,dc=thales,dc=be ldap idmap suffix = ou= Idmap ldap suffix = dc=thales,dc=be idmap backend = ldap:ldap://192.168.1.143 #Our IDMAP LDAP we just setup. ldap ssl = no idmap uid = 1-2 idmap gid = 1-2 encrypt passwords = yes winbind enum users = yes winbind enum groups = yes template shell = /bin/bash winbind separator = / winbind cache time = 10 winbind use default domain = yes hosts allow = 192.168.1. I ran the smbpasswd -w MyverySecretPassword, but still when I start this I see in the smb log, [2005/09/30 16:04:12, 0] lib/smbldap.c:smbldap_connect_system(751) ldap_connect_system: Failed to retrieve password from secrets.tdb [2005/09/30 16:04:12, 1] lib/smbldap.c:another_ldap_try(951) Connection to LDAP server failed for the 3 try Are there anymore changes I need to do in the ldap.conf on client side? wbinfo -u , wbinfo -g work, and shows me the users, but when I try getent passwd, it just says in the logs cannot lookup domain user ... . But ok when it fails to authenticate this is supposed to be normal. Also when preforming ID on one of the NIS users, this works nicely. The link there to the LDAP is working. On Fri, 2005-09-30 at 14:31 +0200, paul kölle wrote: Kristof Bruyninckx wrote: [snipp] But I have one more question, I configured a LDAP client, and on this machine I can see all the normal NIS users, but I don't see any windows users. This might sound stupid but this was what how I expected it to work. Sometimes it takes a while for the brain to catch a clue :). ;), if I recall your setup correctly you don't have the windows users in LDAP. They are comming from AD and nss_winbind makes them available for the OS. Idmap provides a means to share SID - UID mappings across multiple servers. Something like: Now my question would be, how to setup the client, to use the mapping stored into the LDAP server. This largely depends on the definition of use. If this is possible, since at the moment I'm a bit confused. Do I have to perform this setup on every server to Unify SID to UID/GID mapping. Or how can I use the LDAP server I just setup for this purpose, For your samba servers you just point every member server to your ou=Idmap, ... branch. You *can* add another LDAP server as slave to add redundancy but that's another story. grz Paul -- Bruyninckx Kristof Thales Services Division GNULinux/Unix System Administrator / Test developer Tel: 02/674.76.49.19 [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Hello, Ok, so I fixed the ACL to your example #access to dn.base= by * read #access to dn.base=cn=subschema by * read access to attr=userPassword by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write by self write by anonymous auth by * none access to * by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write by self write by users read , but now the following occurs: When I launch the smb winbind instances : From the LDAP /var/log/messages, debug lvl 220: snip Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f6dc38 ptr=0x08f6dc38 end=0x08f6dc84 len=76 Sep 29 10:59:52 linux14 slapd: : 02 01 01 60 47 02 01 03 04 1a 63 6e 3d 4d 61 6e ...`G.cn=Man Sep 29 10:59:52 linux14 slapd: 0010: 61 67 65 72 2c 64 63 3d 74 68 61 6c 65 73 2c 64 ager,dc=thales,d Sep 29 10:59:52 linux14 slapd: 0020: 63 3d 62 65 80 26 7b 53 53 48 41 7d 37 41 52 32 c=be.{SSHA}7AR2 Sep 29 10:59:52 linux14 slapd: 0030: 53 6c 30 53 45 69 46 57 46 75 4a 52 78 38 62 56 Sl0SEiFWFuJRx8bV Sep 29 10:59:52 linux14 slapd: 0040: 78 41 63 68 55 35 4d 4e 73 6c 4d 76 xAchU5MNslMv Sep 29 10:59:52 linux14 slapd: daemon: select: listen=6 active_threads=0 tvp=NULL Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f6dc38 ptr=0x08f6dc3b end=0x08f6dc84 len=73 Sep 29 10:59:52 linux14 slapd: : 60 47 02 01 03 04 1a 63 6e 3d 4d 61 6e 61 67 65 `G.cn=Manage Sep 29 10:59:52 linux14 slapd: 0010: 72 2c 64 63 3d 74 68 61 6c 65 73 2c 64 63 3d 62 r,dc=thales,dc=b Sep 29 10:59:52 linux14 slapd: 0020: 65 80 26 7b 53 53 48 41 7d 37 41 52 32 53 6c 30 e.{SSHA}7AR2Sl0 Sep 29 10:59:52 linux14 slapd: 0030: 53 45 69 46 57 46 75 4a 52 78 38 62 56 78 41 63 SEiFWFuJRx8bVxAc Sep 29 10:59:52 linux14 slapd: 0040: 68 55 35 4d 4e 73 6c 4d 76 hU5MNslMv Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f6dc38 ptr=0x08f6dc5c end=0x08f6dc84 len=40 Sep 29 10:59:52 linux14 slapd: : 00 26 7b 53 53 48 41 7d 37 41 52 32 53 6c 30 53 .{SSHA}7AR2Sl0S Sep 29 10:59:52 linux14 slapd: 0010: 45 69 46 57 46 75 4a 52 78 38 62 56 78 41 63 68 EiFWFuJRx8bVxAch Sep 29 10:59:52 linux14 slapd: 0020: 55 35 4d 4e 73 6c 4d 76 U5MNslMv Sep 29 10:59:52 linux14 slapd: == ldbm_back_bind: dn: cn=Manager,dc=thales,dc=be Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=49 matched= text= Sep 29 10:59:52 linux14 slapd: daemon: select: listen=7 active_threads=0 tvp=NULL Sep 29 10:59:52 linux14 slapd: daemon: activity on 1 descriptors Sep 29 10:59:52 linux14 slapd: daemon: activity on: 8r Sep 29 10:59:52 linux14 slapd: daemon: read activity on 8 Sep 29 10:59:52 linux14 slapd: connection_get(8) snip which to my opinion is odd since it is no longer used in samba. And it fails to authenticate. I tried a reset off the password, and changed the entries in ldap.conf and slapd.conf. Once done, I tried to modify an existing entry with ldapmodify which was successfully. Is samba here still trying to access the LDAP with this account? snip Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f4ce60 ptr=0x08f4ce60 end=0x08f4ce97 len=55 Sep 29 10:59:52 linux14 slapd: : 02 01 01 60 32 02 01 03 04 22 75 69 64 3d 73 61 ...`2uid=sa Sep 29 10:59:52 linux14 slapd: 0010: 6d 62 61 2c 6f 75 3d 49 64 6d 61 70 2c 64 63 3d mba,ou=Idmap,dc= Sep 29 10:59:52 linux14 slapd: 0020: 74 68 61 6c 65 73 2c 64 63 3d 62 65 80 09 61 71 thales,dc=be..secret Sep 29 10:59:52 linux14 slapd: 0030: 77 31 32 33 7a 73 78 Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f4ce60 ptr=0x08f4ce63 end=0x08f4ce97 len=52 Sep 29 10:59:52 linux14 slapd: : 60 32 02 01 03 04 22 75 69 64 3d 73 61 6d 62 61 `2uid=samba Sep 29 10:59:52 linux14 slapd: 0010: 2c 6f 75 3d 49 64 6d 61 70 2c 64 63 3d 74 68 61 ,ou=Idmap,dc=tha Sep 29 10:59:52 linux14 slapd: 0020: 6c 65 73 2c 64 63 3d 62 65 80 09 61 71 77 31 32 les,dc=be..secret Sep 29 10:59:52 linux14 slapd: 0030: 33 7a 73 78 Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f4ce60 ptr=0x08f4ce8c end=0x08f4ce97 len=11 Sep 29 10:59:52 linux14 slapd: : 00 09 61 71 77 31 32 33 7a 73 78 ..secret Sep 29 10:59:52 linux14 slapd: == ldbm_back_bind: dn: uid=samba,ou=Idmap,dc=thales,dc=be Sep 29 10:59:52 linux14 slapd: daemon: select: listen=6 active_threads=0 tvp=NULL Sep 29 10:59:52 linux14 slapd: = access_allowed: auth access to uid=samba,ou=Idmap,dc=thales,dc=be userPassword requested Sep 29 10:59:52 linux14 slapd: = acl_get: [1] attr userPassword Sep 29 10:59:52 linux14 slapd: = acl_mask: access to entry uid=samba,ou=Idmap,dc=thales,dc=be, attr userPassword requested Sep 29 10:59:52 linux14 slapd: = acl_mask: to all values by , (=n) Sep 29 10:59:52 linux14 slapd: = check a_dn_pat: uid=samba,ou=idmap,dc=thales,dc=be Sep 29 10:59:52 linux14 slapd: = check a_dn_pat: self Sep 29 10:59:52 linux14 slapd: = check a_dn_pat: anonymous Sep 29
Re: [Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Kristof Bruyninckx wrote: snipp Sep 29 10:59:52 linux14 slapd: == ldbm_back_bind: dn: cn=Manager,dc=thales,dc=be Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=49 matched= text= Sep 29 10:59:52 linux14 slapd: daemon: select: listen=7 active_threads=0 tvp=NULL Sep 29 10:59:52 linux14 slapd: daemon: activity on 1 descriptors Sep 29 10:59:52 linux14 slapd: daemon: activity on: 8r Sep 29 10:59:52 linux14 slapd: daemon: read activity on 8 Sep 29 10:59:52 linux14 slapd: connection_get(8) snip which to my opinion is odd since it is no longer used in samba. And it fails to authenticate. I tried a reset off the password, and changed the entries in ldap.conf and slapd.conf. Once done, I tried to modify an existing entry with ldapmodify which was successfully. Is samba here still trying to access the LDAP with this account? Probably not, but I'm pretty sure you have nss-ldap installed with a configured /etc/ldap.conf or wherever this file is on your distro. Sep 29 10:59:52 linux14 slapd: = check a_dn_pat: anonymous Sep 29 10:59:52 linux14 slapd: = acl_mask: [3] applying auth(=x) (stop) Sep 29 10:59:52 linux14 slapd: = acl_mask: [3] mask: auth(=x) Sep 29 10:59:52 linux14 slapd: = access_allowed: auth access granted by auth(=x) Sep 29 10:59:52 linux14 slapd: daemon: select: listen=7 active_threads=0 tvp=NULL Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=0 matched= text= Sep 29 10:59:52 linux14 slapd: daemon: activity on 1 descriptors Sep 29 10:59:52 linux14 slapd: daemon: activity on: snip What ever is happening here, it seems that the samba users is not getting write permissions. Before the password is checked the bind is anonymous and it requests auth access to userPassword which is granted. That's how things are supposed to work. err=0 above indicates no error. Sep 29 10:59:52 linux14 slapd: = acl_mask: [1] applying write(=wrscx) (stop) Sep 29 10:59:52 linux14 slapd: = acl_mask: [1] mask: write(=wrscx) Sep 29 10:59:52 linux14 slapd: = access_allowed: read access granted by write(=wrscx) Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=0 matched= text= snip But here LDAP does grant the samba user the proper permissions. Sure, the request was for entry and objectClass etc., so the condition in the access to attrs=userPassword doesn't match here. Sep 29 10:59:52 linux14 slapd: modifications: Sep 29 10:59:52 linux14 slapd: add: objectClass Sep 29 10:59:52 linux14 slapd: one value, length 15 Sep 29 10:59:53 linux14 slapd: add: uidNumber Sep 29 10:59:53 linux14 slapd: one value, length 5 Sep 29 10:59:53 linux14 slapd: add: gidNumber Sep 29 10:59:53 linux14 slapd: one value, length 5 *Sep 29 10:59:53 linux14 slapd: send_ldap_result: err=21 matched= text=objectClass: value #0 invalid per syntax* Google would have told you this error stems from unrecognized objectClass definitions. You probably miss an include statement in slapd.conf. You need at least core.schema, cosine.schema, nis.schema, samba.schema (in that order). cheers Paul -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Hello, These last changes did the trick, as far as I can tell all entries have been added to the LDAP, example entry from slapcat : dn: sambaSID=S-1-5-21-1960408961-1965331169-725345543-1884,ou=Idmap,dc=thales, dc=be objectClass: sambaIdmapEntry objectClass: sambaSidEntry uidNumber: 10370 sambaSID: S-1-5-21-1960408961-1965331169-725345543-1884 structuralObjectClass: sambaSidEntry entryUUID: e66d21ba-c53b-1029-89db-ab2ff339c432 creatorsName: uid=samba,ou=Idmap,dc=thales,dc=be createTimestamp: 20050929135137Z entryCSN: 20050929135137Z#02#00#00 modifiersName: uid=samba,ou=Idmap,dc=thales,dc=be modifyTimestamp: 20050929135137Z dn: sambaSID=S-1-5-21-1960408961-1965331169-725345543-1107,ou=Idmap,dc=thales, dc=be objectClass: sambaIdmapEntry objectClass: sambaSidEntry uidNumber: 10371 sambaSID: S-1-5-21-1960408961-1965331169-725345543-1107 structuralObjectClass: sambaSidEntry entryUUID: eeb32a86-c53b-1029-89dc-ab2ff339c432 creatorsName: uid=samba,ou=Idmap,dc=thales,dc=be createTimestamp: 20050929135151Z entryCSN: 20050929135151Z#02#00#00 modifiersName: uid=samba,ou=Idmap,dc=thales,dc=be modifyTimestamp: 20050929135151Z So the Idmap entries are finally getting into the LDAP. 3 Cheers!! Thx again, would still be stuck without your advice. But still there are some new problems that popped up. wbinfo -u ,wbinfo -g and wbinfo -t still work. Also getent passwd works, and shows me all the windows accounts, but it is very slow, when starting this command the LDAP starts pumping a lot of messages into /var/log/message, this in it self is not a real problem since the debugging is turned to maximum. snip Sep 29 16:39:23 linux14 slapd: = access_allowed: search access granted by write(=wrscx) Sep 29 16:39:23 linux14 slapd: = access_allowed: search access to sambaSID=S-1-5-21-1960408961-1965331169-725345543-1746,ou=Idmap,dc=thales,dc=be sambaSID requested Sep 29 16:39:23 linux14 slapd: = acl_get: [2] attr sambaSID Sep 29 16:39:23 linux14 slapd: = acl_mask: access to entry sambaSID=S-1-5-21-1960408961-1965331169-725345543-1746,ou=Idmap,dc=thales,dc=be, attr sambaSID requested Sep 29 16:39:23 linux14 slapd: = acl_mask: to value by uid=samba,ou=idmap,dc=thales,dc=be, (=n) Sep 29 16:39:23 linux14 slapd: = check a_dn_pat: uid=samba,ou=idmap,dc=thales,dc=be Sep 29 16:39:23 linux14 slapd: = acl_mask: [1] applying write(=wrscx) (stop) Sep 29 16:39:23 linux14 slapd: = acl_mask: [1] mask: write(=wrscx) Sep 29 16:39:23 linux14 slapd: = access_allowed: search access granted by write(=wrscx) Sep 29 16:39:23 linux14 slapd: = access_allowed: search access to sambaSID=S-1-5-21-1960408961-1965331169-725345543-1841,ou=Idmap,dc=thales,dc=be objectClass requested Sep 29 16:39:23 linux14 slapd: = acl_get: [2] attr objectClass Sep 29 16:39:23 linux14 slapd: = acl_mask: access to entry sambaSID=S-1-5-21-1960408961-1965331169-725345543-1841,ou=Idmap,dc=thales,dc=be, attr objectClass requested Sep 29 16:39:23 linux14 slapd: = acl_mask: to value by uid=samba,ou=idmap,dc=thales,dc=be, (=n) Sep 29 16:39:23 linux14 slapd: = check a_dn_pat: uid=samba,ou=idmap,dc=thales,dc=be Sep 29 16:39:23 linux14 slapd: = acl_mask: [1] applying write(=wrscx) (stop) Sep 29 16:39:23 linux14 slapd: = acl_mask: [1] mask: write(=wrscx) snip And everytime I rerun getent passwd command it seems to run trough it again. But even do getent passwd is working, I cannot perform id Windows.Usename, nor login as that user. ldapsearch -x -b 'dc=thales,dc=be' '(objectclass=*)' also doesn't show me any entry, and if I'm not mistaken it should display everything. ldapsearch output:# extended LDIF # # LDAPv3 # base dc=thales,dc=be with scope sub # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 0 Success # numResponses: 1 Now I'm still trying to find more information about what is going wrong, but if you have an idea, please give me a heads up. Cheers and regards, -- Bruyninckx Kristof Thales Services Division GNULinux/Unix System Administrator / Test developer Tel: 02/674.76.49.19 [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Kristof Bruyninckx wrote: But still there are some new problems that popped up. wbinfo -u ,wbinfo -g and wbinfo -t still work. Also getent passwd works, and shows me all the windows accounts, but it is very slow, when starting this command the LDAP starts pumping a lot of messages into /var/log/message, this in it self is not a real problem since the debugging is turned to maximum. logging slows things down, additionally you might consider adding indexes for the relevant attributes to slapd.conf, shut down the ldap server run slapindex and start again. But even do getent passwd is working, I cannot perform id Windows.Usename Hmm, I'd expect id should work for root as soon as getent works for root. Stop nscd if running. I'm sure you alread red this: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html nor login as that user. You have set up pam_winbind have you? ldapsearch -x -b 'dc=thales,dc=be' '(objectclass=*)' also doesn't show me any entry, and if I'm not mistaken it should display everything. No, this is an anonymous search and your ACLs do not grant anonymous read access. I don't know if that is a problem for nss_winbind though, try changing your last ACL to: access to * by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write by self write by users read by * read If that helps you will have to investigate which component uses anonymous binds and if that can be changed. cheers Paul -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Need help with IDMAP storage in LDAP using Winbind
On Tue, 2005-09-27 at 19:08 +0200, paul kölle wrote: Kristof Bruyninckx wrote: Hi, I removed the entry for cn=manager,dc=thales,dc=be and checked with ldapmodigy if I could change the existing NIS users, which seems to still work. Now I added a user called Admin , output from slapcat : no, you have not. You authenticate with a DN and a password so a user object in LDAP is identified with a DistinguishedName, not something with a cn=whatever attribute. Any ideas off what I'm doing wrong? Ok, I recreated the user, called samba. Trying to follow the example you show below. Output from slapcat : dn: uid=samba,ou=Idmap,dc=thales,dc=be uid: samba cn: Admin objectClass: account objectClass: simpleSecurityObject objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword:: secret description: DN for use in SAMBA shadowMax: 9 shadowWarning: 7 loginShell: /bin/false uidNumber: 0 gidNumber: 0 homeDirectory: / gecos: root structuralObjectClass: account entryUUID: 334e4406-c441-1029-8ef6-90f912772ff1 creatorsName: cn=Manager,dc=thales,dc=be createTimestamp: 20050928075703Z entryCSN: 20050928075703Z#01#00#00 modifiersName: cn=Manager,dc=thales,dc=be modifyTimestamp: 20050928075703Z I think this is what it was supposed to look like... Entry in the /etc/samba/smb.conf snip ldap ssl = no ldap admin dn = uid=samba,ou=Idmap,dc=thales,dc=be ldap idmap suffix = ou=idmap ldap suffix = dc=thales,dc=be idmap backend = ldap:ldap://127.0.0.1 snip Also fixed the ACL (I think...) : Changed the ACL part in the /etc/openldap/slapd.conf to the following access to attr=userPassword by self write by anonymous auth by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write by * none access to * by self write by users read by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write Explanation, just to check if my reasoning was correct : 1.ACL1 : access to attr=userPassword means this policy applies to the attribute userPassword. 2.ACL1: by self write grants only the owner of the entry write permissions of the entry. 3.ACL1: anonymous auth grants anonymous user access only for authentication purposes. 4.ACL1 : by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write. Breaking it all down. dn. base = Only the entry addressed by pattern. So this comes down to the fact that the samba user has write access to all the userPassword entries. Or I'm I completely missing the point ? 5: ACL1: by * none This means that any non-owner cannot write to userPassword. 1.ACL2: access to * This applies to all attributes exept userpassword, because it was previously defined to have it's own rules. 2.ACL2: by self write grants the owner off the entry write permissions to the attibutes covered by this directive. 3.ACL2: by users read grants any authenticated user read permission to all the attributes covered by this policy. 4.ACL2: by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write grants the samba user write rights to all the attributes. Now when I restart the winbind instances the following is showing : /var/log/messages : Sep 28 16:21:22 linux14 slapd: supportedControl Sep 28 16:21:22 linux14 slapd: Sep 28 16:21:22 linux14 slapd: = access_allowed: search access to objectClass requested Sep 28 16:21:22 linux14 slapd: = acl_get: [2] attr objectClass Sep 28 16:21:22 linux14 slapd: = acl_mask: access to entry , attr objectClass requested Sep 28 16:21:22 linux14 slapd: = acl_mask: to all values by uid=samba,ou=idmap,dc=thales,dc=be, (=n) Sep 28 16:21:22 linux14 slapd: = check a_dn_pat: self Sep 28 16:21:22 linux14 slapd: = check a_dn_pat: users Sep 28 16:21:22 linux14 slapd: = acl_mask: [2] applying read(=rscx) (stop) Sep 28 16:21:22 linux14 slapd: = acl_mask: [2] mask: read(=rscx) Sep 28 16:21:22 linux14 slapd: = access_allowed: search access granted by read(=rscx) Sep 28 16:21:22 linux14 slapd: = access_allowed: read access to entry requested Sep 28 16:21:22 linux14 slapd: = acl_get: [2] attr entry Sep 28 16:21:22 linux14 slapd: = acl_mask: access to entry , attr entry requested Sep 28 16:21:22 linux14 slapd: = acl_mask: to all values by uid=samba,ou=idmap,dc=thales,dc=be, (=n) Sep 28 16:21:22 linux14 slapd: = check a_dn_pat: self Sep 28 16:21:22 linux14 slapd: = check a_dn_pat: users Sep 28 16:21:22 linux14 slapd: = acl_mask: [2] applying read(=rscx) (stop) Sep 28 16:21:22 linux14 slapd: = acl_mask: [2] mask: read(=rscx) Sep 28 16:21:22 linux14 slapd: = access_allowed: read access granted by read(=rscx) Sep 28 16:21:22 linux14 slapd: = access_allowed: read access to supportedControl requested Sep 28 16:21:22 linux14 slapd: = acl_get: [2] attr supportedControl Sep 28 16:21:22 linux14 slapd: access_allowed: no res from state (supportedControl) Sep 28 16:21:22 linux14 slapd: = acl_mask: access to entry , attr supportedControl requested Sep 28 16:21:22 linux14 slapd: = acl_mask:
Re: [Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Kristof Bruyninckx wrote: Entry in the /etc/samba/smb.conf snip ldap ssl = no ldap admin dn = uid=samba,ou=Idmap,dc=thales,dc=be ldap idmap suffix = ou=idmap ldap suffix = dc=thales,dc=be idmap backend = ldap:ldap://127.0.0.1 snip Also fixed the ACL (I think...) : Changed the ACL part in the /etc/openldap/slapd.conf to the following access to attr=userPassword by self write by anonymous auth by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write by * none access to * by self write by users read by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write ACLs are evaluated in order, the first match wins (see man slapd.access). here is an (simple) example: # give everyone read access to the RootDSE and subschema access to dn.base= by * read access to dn.base=cn=subschema by * read #protect passwords access to attrs=userPassword by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write by self write by anonymous auth by * none # very permissive but this is no problem as long as there are # not other sensible entries in the directory like user objects. access to * by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write by self write by users read by * none hth Paul -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Kristof Bruyninckx wrote: # Use the OpenLDAP password change # extended operation to update the password. pam_password md5 If you want it to do what the comment suggest this should read: pam_password exop dn: cn=Manager,dc=thales,dc=be objectClass: organizationalRole cn: Manager description: Directory Manager I think that may be your problem. The DN is the same as your rootdn in slapd.conf but does not have a userPassword attribute. It might shadow your rootdn making binds with that DN fail (see below). You don't have to add the rootdn from slapd.conf to your directory but it is generally discouraged to use it in daily operations as ACLs do not apply to rootdn. Sep 27 13:31:47 linux14 slapd: = access_allowed: auth access to cn=Manager,dc=thales,dc=be userPassword requested Sep 27 13:31:47 linux14 slapd: = access_allowed: backend default auth access granted to (anonymous) Sep 27 13:31:47 linux14 slapd: send_ldap_result: err=49 matched= err=49 means invalid credentials most likely due to the missing userPassword attribute of cn=manager,dc=thales,dc=be. Try removing cn=Manager,dc=thales,dc=be from your ldif and see if you can bind with rootdn and rootpw from your slapd.conf. If that works create another entry in your DIT with a userPassword attribute, give it appropriate permissions in slapd.conf and use that for your ldap admin dn in smb.conf hth Paul -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Hi, I removed the entry for cn=manager,dc=thales,dc=be and checked with ldapmodigy if I could change the existing NIS users, which seems to still work. Now I added a user called Admin , output from slapcat : dn: ou=People,dc=thales,dc=be ou: People description: All Nis people objectClass: organizationalUnit structuralObjectClass: organizationalUnit entryUUID: 15579caa-c053-1029-82d3-9e2135f77083 creatorsName: cn=Manager,dc=thales,dc=be createTimestamp: 20050923075459Z entryCSN: 20050923075459Z#01#00#00 modifiersName: cn=Manager,dc=thales,dc=be modifyTimestamp: 20050923075459Z dn: uid=root,ou=Idmap,dc=thales,dc=be structuralObjectClass: account entryUUID: 1d5990e8-c053-1029-82d4-9e2135f77083 creatorsName: cn=Manager,dc=thales,dc=be createTimestamp: 20050923075512Z uid: root cn: Admin objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword:: secret shadowLastChange: 13041 shadowMax: 9 shadowWarning: 7 loginShell: /bin/bash uidNumber: 0 gidNumber: 0 homeDirectory: /root gecos: root entryCSN: 20050927142003Z#01#00#00 modifiersName: cn=Manager,dc=thales,dc=be modifyTimestamp: 20050927142003Z And then added the access permissions inside slapd.conf. access to attr=userPassword by self write by anonymous auth by dn.base=cn=Admin,dc=thales,dc=be write by * none access to * by self write by dn.base=cn=Admin,dc=thales,dc=be write by * read and also changed the ldap admin in samba to : ldap admin dn = cn=Admin,dc=thales,dc=be Now when I restart the winbind daemons he is still complaining about the dn entry: [2005/09/27 17:05:43, 1] lib/smbldap.c:another_ldap_try(951) Connection to LDAP server failed for the 15 try! [2005/09/27 17:05:44, 2] lib/smbldap.c:smbldap_open_connection(630) smbldap_open_connection: connection opened [2005/09/27 17:05:44, 2] lib/smbldap.c:smbldap_connect_system(790) failed to bind to server ldap://127.0.0.1 with dn=cn=Admin,dc=thales,dc=be Error: Invalid credentials The ldif I used to add the Admin acount is identical ass that of the Manager : root.ldif dn: uid=root,ou=Idmap,dc=thales,dc=be uid: root cn: Admin objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword: {crypt}$1$lB0twC9d$i542IIFLEH11VLUzdEUr91 shadowLastChange: 13041 shadowMax: 9 shadowWarning: 7 loginShell: /bin/bash uidNumber: 0 gidNumber: 0 homeDirectory: /root gecos: root Any ideas off what I'm doing wrong? Thanks, On Tue, 2005-09-27 at 15:02 +0200, paul kölle wrote: Kristof Bruyninckx wrote: # Use the OpenLDAP password change # extended operation to update the password. pam_password md5 If you want it to do what the comment suggest this should read: pam_password exop dn: cn=Manager,dc=thales,dc=be objectClass: organizationalRole cn: Manager description: Directory Manager I think that may be your problem. The DN is the same as your rootdn in slapd.conf but does not have a userPassword attribute. It might shadow your rootdn making binds with that DN fail (see below). You don't have to add the rootdn from slapd.conf to your directory but it is generally discouraged to use it in daily operations as ACLs do not apply to rootdn. Sep 27 13:31:47 linux14 slapd: = access_allowed: auth access to cn=Manager,dc=thales,dc=be userPassword requested Sep 27 13:31:47 linux14 slapd: = access_allowed: backend default auth access granted to (anonymous) Sep 27 13:31:47 linux14 slapd: send_ldap_result: err=49 matched= err=49 means invalid credentials most likely due to the missing userPassword attribute of cn=manager,dc=thales,dc=be. Try removing cn=Manager,dc=thales,dc=be from your ldif and see if you can bind with rootdn and rootpw from your slapd.conf. If that works create another entry in your DIT with a userPassword attribute, give it appropriate permissions in slapd.conf and use that for your ldap admin dn in smb.conf hth Paul -- Kristof.Bruyninckx We are Microsoft. What you are experiencing is not a problem; it is an undocumented feature. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Kristof Bruyninckx wrote: Hi, I removed the entry for cn=manager,dc=thales,dc=be and checked with ldapmodigy if I could change the existing NIS users, which seems to still work. Now I added a user called Admin , output from slapcat : no, you have not. You authenticate with a DN and a password so a user object in LDAP is identified with a DistinguishedName, not something with a cn=whatever attribute. Any ideas off what I'm doing wrong? Your accounts are still messed up. You create an entry with DN uid=root,ou=Idmap,dc=thales,dc=be but your admin dn is cn=Admin,dc=thales,dc=be how is that supposed to work? given the admin should not be used for other stuff (think of least privileges model;) it could look like: dn: uid=samba,ou=services,dc=thales,dc=be objectClass: top objectClass: simpleSecurityObject objectClass: account uid: samba userPassword: {CLEARTEXT}whatever description: DN for samba then you would do: 1. change the ou to your needs 2. change the password 3. fix your ACLs 3. put exactly that DN in your smb.conf 4. run: smbpasswd -w DN as in ldap admin dn - type in password from step 2. Of course you can use whatever DN you like, it needs just a userPassword attribute. hth Paul -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba