Re: [Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Hi, On Thu, 2005-09-29 at 17:36 +0200, paul kölle wrote: Kristof Bruyninckx wrote: But still there are some new problems that popped up. wbinfo -u ,wbinfo -g and wbinfo -t still work. Also getent passwd works, and shows me all the windows accounts, but it is very slow, when starting this command the LDAP starts pumping a lot of messages into /var/log/message, this in it self is not a real problem since the debugging is turned to maximum. logging slows things down, additionally you might consider adding indexes for the relevant attributes to slapd.conf, shut down the ldap server run slapindex and start again. It was indeed the logging which was slowing me down so badly, turned of debugging and the system is very responsive now. But even do getent passwd is working, I cannot perform id Windows.Usename Hmm, I'd expect id should work for root as soon as getent works for root. Stop nscd if running. I'm sure you alread red this: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html nor login as that user. You have set up pam_winbind have you? ldapsearch -x -b 'dc=thales,dc=be' '(objectclass=*)' also doesn't show me any entry, and if I'm not mistaken it should display everything. No, this is an anonymous search and your ACLs do not grant anonymous read access. I don't know if that is a problem for nss_winbind though, try changing your last ACL to: Also is no longer giving me any problems, and displays all the users. access to * by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write by self write by users read by * read If that helps you will have to investigate which component uses anonymous binds and if that can be changed. cheers Paul But I have one more question, I configured a LDAP client, and on this machine I can see all the normal NIS users, but I don't see any windows users. This might sound stupid but this was what how I expected it to work. Sometimes it takes a while for the brain to catch a clue :). Now my question would be, how to setup the client, to use the mapping stored into the LDAP server. If this is possible, since at the moment I'm a bit confused. Do I have to perform this setup on every server to Unify SID to UID/GID mapping. Or how can I use the LDAP server I just setup for this purpose, sorry if this question is well documented somewhere, but I haven't found anything yet, maybe because I was asking the wrong questions. Cheers, -- Bruyninckx Kristof Thales Services Division GNULinux/Unix System Administrator / Test developer Tel: 02/674.76.49.19 [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Kristof Bruyninckx wrote: [snipp] But I have one more question, I configured a LDAP client, and on this machine I can see all the normal NIS users, but I don't see any windows users. This might sound stupid but this was what how I expected it to work. Sometimes it takes a while for the brain to catch a clue :). ;), if I recall your setup correctly you don't have the windows users in LDAP. They are comming from AD and nss_winbind makes them available for the OS. Idmap provides a means to share SID - UID mappings across multiple servers. Something like: Now my question would be, how to setup the client, to use the mapping stored into the LDAP server. This largely depends on the definition of use. If this is possible, since at the moment I'm a bit confused. Do I have to perform this setup on every server to Unify SID to UID/GID mapping. Or how can I use the LDAP server I just setup for this purpose, For your samba servers you just point every member server to your ou=Idmap, ... branch. You *can* add another LDAP server as slave to add redundancy but that's another story. grz Paul -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Need help with IDMAP storage in LDAP using Winbind
So basically the winbind has to be setup as usual, pointing to the PDC, but instead of storing it's SID/UID/GID locally, it will use the remote SID-UID/GID mappings stored in the LDAP correct? For example : On a system previously working just with winbind to resolve the SID to UID/GID locally, I should just change the following to make it use the remotely stored mappings : client system : [global] log level = 6 workgroup = THALES-IS realm = THALES-IS.BE server string = Samba Server security = ads password server = 192.168.1.99 username map = /etc/opt/samba/smbusers log file = /var/log/samba/smbd.log max log size = 5 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 #printcap name = /etc/printcap dns proxy = No ldap admin dn = uid=samba,ou=Idmap,dc=thales,dc=be ldap idmap suffix = ou= Idmap ldap suffix = dc=thales,dc=be idmap backend = ldap:ldap://192.168.1.143 #Our IDMAP LDAP we just setup. ldap ssl = no idmap uid = 1-2 idmap gid = 1-2 encrypt passwords = yes winbind enum users = yes winbind enum groups = yes template shell = /bin/bash winbind separator = / winbind cache time = 10 winbind use default domain = yes hosts allow = 192.168.1. I ran the smbpasswd -w MyverySecretPassword, but still when I start this I see in the smb log, [2005/09/30 16:04:12, 0] lib/smbldap.c:smbldap_connect_system(751) ldap_connect_system: Failed to retrieve password from secrets.tdb [2005/09/30 16:04:12, 1] lib/smbldap.c:another_ldap_try(951) Connection to LDAP server failed for the 3 try Are there anymore changes I need to do in the ldap.conf on client side? wbinfo -u , wbinfo -g work, and shows me the users, but when I try getent passwd, it just says in the logs cannot lookup domain user ... . But ok when it fails to authenticate this is supposed to be normal. Also when preforming ID on one of the NIS users, this works nicely. The link there to the LDAP is working. On Fri, 2005-09-30 at 14:31 +0200, paul kölle wrote: Kristof Bruyninckx wrote: [snipp] But I have one more question, I configured a LDAP client, and on this machine I can see all the normal NIS users, but I don't see any windows users. This might sound stupid but this was what how I expected it to work. Sometimes it takes a while for the brain to catch a clue :). ;), if I recall your setup correctly you don't have the windows users in LDAP. They are comming from AD and nss_winbind makes them available for the OS. Idmap provides a means to share SID - UID mappings across multiple servers. Something like: Now my question would be, how to setup the client, to use the mapping stored into the LDAP server. This largely depends on the definition of use. If this is possible, since at the moment I'm a bit confused. Do I have to perform this setup on every server to Unify SID to UID/GID mapping. Or how can I use the LDAP server I just setup for this purpose, For your samba servers you just point every member server to your ou=Idmap, ... branch. You *can* add another LDAP server as slave to add redundancy but that's another story. grz Paul -- Bruyninckx Kristof Thales Services Division GNULinux/Unix System Administrator / Test developer Tel: 02/674.76.49.19 [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Hello,
Ok, so I fixed the ACL to your example
#access to dn.base= by * read
#access to dn.base=cn=subschema by * read
access to attr=userPassword
by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write
by self write
by anonymous auth
by * none
access to *
by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write
by self write
by users read
, but now the following occurs:
When I launch the smb winbind instances :
From the LDAP /var/log/messages, debug lvl 220:
snip
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f6dc38 ptr=0x08f6dc38
end=0x08f6dc84 len=76
Sep 29 10:59:52 linux14 slapd: : 02 01 01 60 47 02 01 03 04 1a
63 6e 3d 4d 61 6e ...`G.cn=Man
Sep 29 10:59:52 linux14 slapd: 0010: 61 67 65 72 2c 64 63 3d 74 68
61 6c 65 73 2c 64 ager,dc=thales,d
Sep 29 10:59:52 linux14 slapd: 0020: 63 3d 62 65 80 26 7b 53 53 48
41 7d 37 41 52 32 c=be.{SSHA}7AR2
Sep 29 10:59:52 linux14 slapd: 0030: 53 6c 30 53 45 69 46 57 46 75
4a 52 78 38 62 56 Sl0SEiFWFuJRx8bV
Sep 29 10:59:52 linux14 slapd: 0040: 78 41 63 68 55 35 4d 4e 73 6c
4d 76 xAchU5MNslMv
Sep 29 10:59:52 linux14 slapd: daemon: select: listen=6 active_threads=0
tvp=NULL
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f6dc38 ptr=0x08f6dc3b
end=0x08f6dc84 len=73
Sep 29 10:59:52 linux14 slapd: : 60 47 02 01 03 04 1a 63 6e 3d
4d 61 6e 61 67 65 `G.cn=Manage
Sep 29 10:59:52 linux14 slapd: 0010: 72 2c 64 63 3d 74 68 61 6c 65
73 2c 64 63 3d 62 r,dc=thales,dc=b
Sep 29 10:59:52 linux14 slapd: 0020: 65 80 26 7b 53 53 48 41 7d 37
41 52 32 53 6c 30 e.{SSHA}7AR2Sl0
Sep 29 10:59:52 linux14 slapd: 0030: 53 45 69 46 57 46 75 4a 52 78
38 62 56 78 41 63 SEiFWFuJRx8bVxAc
Sep 29 10:59:52 linux14 slapd: 0040: 68 55 35 4d 4e 73 6c 4d 76
hU5MNslMv
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f6dc38 ptr=0x08f6dc5c
end=0x08f6dc84 len=40
Sep 29 10:59:52 linux14 slapd: : 00 26 7b 53 53 48 41 7d 37 41
52 32 53 6c 30 53 .{SSHA}7AR2Sl0S
Sep 29 10:59:52 linux14 slapd: 0010: 45 69 46 57 46 75 4a 52 78 38
62 56 78 41 63 68 EiFWFuJRx8bVxAch
Sep 29 10:59:52 linux14 slapd: 0020: 55 35 4d 4e 73 6c 4d 76
U5MNslMv
Sep 29 10:59:52 linux14 slapd: == ldbm_back_bind: dn:
cn=Manager,dc=thales,dc=be
Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=49 matched=
text=
Sep 29 10:59:52 linux14 slapd: daemon: select: listen=7 active_threads=0
tvp=NULL
Sep 29 10:59:52 linux14 slapd: daemon: activity on 1 descriptors
Sep 29 10:59:52 linux14 slapd: daemon: activity on: 8r
Sep 29 10:59:52 linux14 slapd: daemon: read activity on 8
Sep 29 10:59:52 linux14 slapd: connection_get(8)
snip
which to my opinion is odd since it is no longer used in samba. And it
fails to authenticate. I tried a reset off the password, and changed the
entries in ldap.conf and slapd.conf. Once done, I tried to modify an
existing entry with ldapmodify which was successfully. Is samba here
still trying to access the LDAP with this account?
snip
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f4ce60 ptr=0x08f4ce60
end=0x08f4ce97 len=55
Sep 29 10:59:52 linux14 slapd: : 02 01 01 60 32 02 01 03 04 22
75 69 64 3d 73 61 ...`2uid=sa
Sep 29 10:59:52 linux14 slapd: 0010: 6d 62 61 2c 6f 75 3d 49 64 6d
61 70 2c 64 63 3d mba,ou=Idmap,dc=
Sep 29 10:59:52 linux14 slapd: 0020: 74 68 61 6c 65 73 2c 64 63 3d
62 65 80 09 61 71 thales,dc=be..secret
Sep 29 10:59:52 linux14 slapd: 0030: 77 31 32 33 7a 73
78
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f4ce60 ptr=0x08f4ce63
end=0x08f4ce97 len=52
Sep 29 10:59:52 linux14 slapd: : 60 32 02 01 03 04 22 75 69 64
3d 73 61 6d 62 61 `2uid=samba
Sep 29 10:59:52 linux14 slapd: 0010: 2c 6f 75 3d 49 64 6d 61 70 2c
64 63 3d 74 68 61 ,ou=Idmap,dc=tha
Sep 29 10:59:52 linux14 slapd: 0020: 6c 65 73 2c 64 63 3d 62 65 80
09 61 71 77 31 32 les,dc=be..secret
Sep 29 10:59:52 linux14 slapd: 0030: 33 7a 73
78
Sep 29 10:59:52 linux14 slapd: ber_dump: buf=0x08f4ce60 ptr=0x08f4ce8c
end=0x08f4ce97 len=11
Sep 29 10:59:52 linux14 slapd: : 00 09 61 71 77 31 32 33 7a 73
78 ..secret
Sep 29 10:59:52 linux14 slapd: == ldbm_back_bind: dn:
uid=samba,ou=Idmap,dc=thales,dc=be
Sep 29 10:59:52 linux14 slapd: daemon: select: listen=6 active_threads=0
tvp=NULL
Sep 29 10:59:52 linux14 slapd: = access_allowed: auth access to
uid=samba,ou=Idmap,dc=thales,dc=be userPassword requested
Sep 29 10:59:52 linux14 slapd: = acl_get: [1] attr userPassword
Sep 29 10:59:52 linux14 slapd: = acl_mask: access to entry
uid=samba,ou=Idmap,dc=thales,dc=be, attr userPassword requested
Sep 29 10:59:52 linux14 slapd: = acl_mask: to all values by , (=n)
Sep 29 10:59:52 linux14 slapd: = check a_dn_pat:
uid=samba,ou=idmap,dc=thales,dc=be
Sep 29 10:59:52 linux14 slapd: = check a_dn_pat: self
Sep 29 10:59:52 linux14 slapd: = check a_dn_pat: anonymous
Sep 29
Re: [Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Kristof Bruyninckx wrote: snipp Sep 29 10:59:52 linux14 slapd: == ldbm_back_bind: dn: cn=Manager,dc=thales,dc=be Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=49 matched= text= Sep 29 10:59:52 linux14 slapd: daemon: select: listen=7 active_threads=0 tvp=NULL Sep 29 10:59:52 linux14 slapd: daemon: activity on 1 descriptors Sep 29 10:59:52 linux14 slapd: daemon: activity on: 8r Sep 29 10:59:52 linux14 slapd: daemon: read activity on 8 Sep 29 10:59:52 linux14 slapd: connection_get(8) snip which to my opinion is odd since it is no longer used in samba. And it fails to authenticate. I tried a reset off the password, and changed the entries in ldap.conf and slapd.conf. Once done, I tried to modify an existing entry with ldapmodify which was successfully. Is samba here still trying to access the LDAP with this account? Probably not, but I'm pretty sure you have nss-ldap installed with a configured /etc/ldap.conf or wherever this file is on your distro. Sep 29 10:59:52 linux14 slapd: = check a_dn_pat: anonymous Sep 29 10:59:52 linux14 slapd: = acl_mask: [3] applying auth(=x) (stop) Sep 29 10:59:52 linux14 slapd: = acl_mask: [3] mask: auth(=x) Sep 29 10:59:52 linux14 slapd: = access_allowed: auth access granted by auth(=x) Sep 29 10:59:52 linux14 slapd: daemon: select: listen=7 active_threads=0 tvp=NULL Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=0 matched= text= Sep 29 10:59:52 linux14 slapd: daemon: activity on 1 descriptors Sep 29 10:59:52 linux14 slapd: daemon: activity on: snip What ever is happening here, it seems that the samba users is not getting write permissions. Before the password is checked the bind is anonymous and it requests auth access to userPassword which is granted. That's how things are supposed to work. err=0 above indicates no error. Sep 29 10:59:52 linux14 slapd: = acl_mask: [1] applying write(=wrscx) (stop) Sep 29 10:59:52 linux14 slapd: = acl_mask: [1] mask: write(=wrscx) Sep 29 10:59:52 linux14 slapd: = access_allowed: read access granted by write(=wrscx) Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=0 matched= text= snip But here LDAP does grant the samba user the proper permissions. Sure, the request was for entry and objectClass etc., so the condition in the access to attrs=userPassword doesn't match here. Sep 29 10:59:52 linux14 slapd: modifications: Sep 29 10:59:52 linux14 slapd: add: objectClass Sep 29 10:59:52 linux14 slapd: one value, length 15 Sep 29 10:59:53 linux14 slapd: add: uidNumber Sep 29 10:59:53 linux14 slapd: one value, length 5 Sep 29 10:59:53 linux14 slapd: add: gidNumber Sep 29 10:59:53 linux14 slapd: one value, length 5 *Sep 29 10:59:53 linux14 slapd: send_ldap_result: err=21 matched= text=objectClass: value #0 invalid per syntax* Google would have told you this error stems from unrecognized objectClass definitions. You probably miss an include statement in slapd.conf. You need at least core.schema, cosine.schema, nis.schema, samba.schema (in that order). cheers Paul -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Hello, These last changes did the trick, as far as I can tell all entries have been added to the LDAP, example entry from slapcat : dn: sambaSID=S-1-5-21-1960408961-1965331169-725345543-1884,ou=Idmap,dc=thales, dc=be objectClass: sambaIdmapEntry objectClass: sambaSidEntry uidNumber: 10370 sambaSID: S-1-5-21-1960408961-1965331169-725345543-1884 structuralObjectClass: sambaSidEntry entryUUID: e66d21ba-c53b-1029-89db-ab2ff339c432 creatorsName: uid=samba,ou=Idmap,dc=thales,dc=be createTimestamp: 20050929135137Z entryCSN: 20050929135137Z#02#00#00 modifiersName: uid=samba,ou=Idmap,dc=thales,dc=be modifyTimestamp: 20050929135137Z dn: sambaSID=S-1-5-21-1960408961-1965331169-725345543-1107,ou=Idmap,dc=thales, dc=be objectClass: sambaIdmapEntry objectClass: sambaSidEntry uidNumber: 10371 sambaSID: S-1-5-21-1960408961-1965331169-725345543-1107 structuralObjectClass: sambaSidEntry entryUUID: eeb32a86-c53b-1029-89dc-ab2ff339c432 creatorsName: uid=samba,ou=Idmap,dc=thales,dc=be createTimestamp: 20050929135151Z entryCSN: 20050929135151Z#02#00#00 modifiersName: uid=samba,ou=Idmap,dc=thales,dc=be modifyTimestamp: 20050929135151Z So the Idmap entries are finally getting into the LDAP. 3 Cheers!! Thx again, would still be stuck without your advice. But still there are some new problems that popped up. wbinfo -u ,wbinfo -g and wbinfo -t still work. Also getent passwd works, and shows me all the windows accounts, but it is very slow, when starting this command the LDAP starts pumping a lot of messages into /var/log/message, this in it self is not a real problem since the debugging is turned to maximum. snip Sep 29 16:39:23 linux14 slapd: = access_allowed: search access granted by write(=wrscx) Sep 29 16:39:23 linux14 slapd: = access_allowed: search access to sambaSID=S-1-5-21-1960408961-1965331169-725345543-1746,ou=Idmap,dc=thales,dc=be sambaSID requested Sep 29 16:39:23 linux14 slapd: = acl_get: [2] attr sambaSID Sep 29 16:39:23 linux14 slapd: = acl_mask: access to entry sambaSID=S-1-5-21-1960408961-1965331169-725345543-1746,ou=Idmap,dc=thales,dc=be, attr sambaSID requested Sep 29 16:39:23 linux14 slapd: = acl_mask: to value by uid=samba,ou=idmap,dc=thales,dc=be, (=n) Sep 29 16:39:23 linux14 slapd: = check a_dn_pat: uid=samba,ou=idmap,dc=thales,dc=be Sep 29 16:39:23 linux14 slapd: = acl_mask: [1] applying write(=wrscx) (stop) Sep 29 16:39:23 linux14 slapd: = acl_mask: [1] mask: write(=wrscx) Sep 29 16:39:23 linux14 slapd: = access_allowed: search access granted by write(=wrscx) Sep 29 16:39:23 linux14 slapd: = access_allowed: search access to sambaSID=S-1-5-21-1960408961-1965331169-725345543-1841,ou=Idmap,dc=thales,dc=be objectClass requested Sep 29 16:39:23 linux14 slapd: = acl_get: [2] attr objectClass Sep 29 16:39:23 linux14 slapd: = acl_mask: access to entry sambaSID=S-1-5-21-1960408961-1965331169-725345543-1841,ou=Idmap,dc=thales,dc=be, attr objectClass requested Sep 29 16:39:23 linux14 slapd: = acl_mask: to value by uid=samba,ou=idmap,dc=thales,dc=be, (=n) Sep 29 16:39:23 linux14 slapd: = check a_dn_pat: uid=samba,ou=idmap,dc=thales,dc=be Sep 29 16:39:23 linux14 slapd: = acl_mask: [1] applying write(=wrscx) (stop) Sep 29 16:39:23 linux14 slapd: = acl_mask: [1] mask: write(=wrscx) snip And everytime I rerun getent passwd command it seems to run trough it again. But even do getent passwd is working, I cannot perform id Windows.Usename, nor login as that user. ldapsearch -x -b 'dc=thales,dc=be' '(objectclass=*)' also doesn't show me any entry, and if I'm not mistaken it should display everything. ldapsearch output:# extended LDIF # # LDAPv3 # base dc=thales,dc=be with scope sub # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 0 Success # numResponses: 1 Now I'm still trying to find more information about what is going wrong, but if you have an idea, please give me a heads up. Cheers and regards, -- Bruyninckx Kristof Thales Services Division GNULinux/Unix System Administrator / Test developer Tel: 02/674.76.49.19 [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Kristof Bruyninckx wrote: But still there are some new problems that popped up. wbinfo -u ,wbinfo -g and wbinfo -t still work. Also getent passwd works, and shows me all the windows accounts, but it is very slow, when starting this command the LDAP starts pumping a lot of messages into /var/log/message, this in it self is not a real problem since the debugging is turned to maximum. logging slows things down, additionally you might consider adding indexes for the relevant attributes to slapd.conf, shut down the ldap server run slapindex and start again. But even do getent passwd is working, I cannot perform id Windows.Usename Hmm, I'd expect id should work for root as soon as getent works for root. Stop nscd if running. I'm sure you alread red this: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html nor login as that user. You have set up pam_winbind have you? ldapsearch -x -b 'dc=thales,dc=be' '(objectclass=*)' also doesn't show me any entry, and if I'm not mistaken it should display everything. No, this is an anonymous search and your ACLs do not grant anonymous read access. I don't know if that is a problem for nss_winbind though, try changing your last ACL to: access to * by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write by self write by users read by * read If that helps you will have to investigate which component uses anonymous binds and if that can be changed. cheers Paul -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Need help with IDMAP storage in LDAP using Winbind
On Tue, 2005-09-27 at 19:08 +0200, paul kölle wrote: Kristof Bruyninckx wrote: Hi, I removed the entry for cn=manager,dc=thales,dc=be and checked with ldapmodigy if I could change the existing NIS users, which seems to still work. Now I added a user called Admin , output from slapcat : no, you have not. You authenticate with a DN and a password so a user object in LDAP is identified with a DistinguishedName, not something with a cn=whatever attribute. Any ideas off what I'm doing wrong? Ok, I recreated the user, called samba. Trying to follow the example you show below. Output from slapcat : dn: uid=samba,ou=Idmap,dc=thales,dc=be uid: samba cn: Admin objectClass: account objectClass: simpleSecurityObject objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword:: secret description: DN for use in SAMBA shadowMax: 9 shadowWarning: 7 loginShell: /bin/false uidNumber: 0 gidNumber: 0 homeDirectory: / gecos: root structuralObjectClass: account entryUUID: 334e4406-c441-1029-8ef6-90f912772ff1 creatorsName: cn=Manager,dc=thales,dc=be createTimestamp: 20050928075703Z entryCSN: 20050928075703Z#01#00#00 modifiersName: cn=Manager,dc=thales,dc=be modifyTimestamp: 20050928075703Z I think this is what it was supposed to look like... Entry in the /etc/samba/smb.conf snip ldap ssl = no ldap admin dn = uid=samba,ou=Idmap,dc=thales,dc=be ldap idmap suffix = ou=idmap ldap suffix = dc=thales,dc=be idmap backend = ldap:ldap://127.0.0.1 snip Also fixed the ACL (I think...) : Changed the ACL part in the /etc/openldap/slapd.conf to the following access to attr=userPassword by self write by anonymous auth by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write by * none access to * by self write by users read by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write Explanation, just to check if my reasoning was correct : 1.ACL1 : access to attr=userPassword means this policy applies to the attribute userPassword. 2.ACL1: by self write grants only the owner of the entry write permissions of the entry. 3.ACL1: anonymous auth grants anonymous user access only for authentication purposes. 4.ACL1 : by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write. Breaking it all down. dn. base = Only the entry addressed by pattern. So this comes down to the fact that the samba user has write access to all the userPassword entries. Or I'm I completely missing the point ? 5: ACL1: by * none This means that any non-owner cannot write to userPassword. 1.ACL2: access to * This applies to all attributes exept userpassword, because it was previously defined to have it's own rules. 2.ACL2: by self write grants the owner off the entry write permissions to the attibutes covered by this directive. 3.ACL2: by users read grants any authenticated user read permission to all the attributes covered by this policy. 4.ACL2: by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write grants the samba user write rights to all the attributes. Now when I restart the winbind instances the following is showing : /var/log/messages : Sep 28 16:21:22 linux14 slapd: supportedControl Sep 28 16:21:22 linux14 slapd: Sep 28 16:21:22 linux14 slapd: = access_allowed: search access to objectClass requested Sep 28 16:21:22 linux14 slapd: = acl_get: [2] attr objectClass Sep 28 16:21:22 linux14 slapd: = acl_mask: access to entry , attr objectClass requested Sep 28 16:21:22 linux14 slapd: = acl_mask: to all values by uid=samba,ou=idmap,dc=thales,dc=be, (=n) Sep 28 16:21:22 linux14 slapd: = check a_dn_pat: self Sep 28 16:21:22 linux14 slapd: = check a_dn_pat: users Sep 28 16:21:22 linux14 slapd: = acl_mask: [2] applying read(=rscx) (stop) Sep 28 16:21:22 linux14 slapd: = acl_mask: [2] mask: read(=rscx) Sep 28 16:21:22 linux14 slapd: = access_allowed: search access granted by read(=rscx) Sep 28 16:21:22 linux14 slapd: = access_allowed: read access to entry requested Sep 28 16:21:22 linux14 slapd: = acl_get: [2] attr entry Sep 28 16:21:22 linux14 slapd: = acl_mask: access to entry , attr entry requested Sep 28 16:21:22 linux14 slapd: = acl_mask: to all values by uid=samba,ou=idmap,dc=thales,dc=be, (=n) Sep 28 16:21:22 linux14 slapd: = check a_dn_pat: self Sep 28 16:21:22 linux14 slapd: = check a_dn_pat: users Sep 28 16:21:22 linux14 slapd: = acl_mask: [2] applying read(=rscx) (stop) Sep 28 16:21:22 linux14 slapd: = acl_mask: [2] mask: read(=rscx) Sep 28 16:21:22 linux14 slapd: = access_allowed: read access granted by read(=rscx) Sep 28 16:21:22 linux14 slapd: = access_allowed: read access to supportedControl requested Sep 28 16:21:22 linux14 slapd: = acl_get: [2] attr supportedControl Sep 28 16:21:22 linux14 slapd: access_allowed: no res from state (supportedControl) Sep 28 16:21:22 linux14 slapd: = acl_mask: access to entry , attr supportedControl requested Sep 28 16:21:22 linux14 slapd: = acl_mask:
Re: [Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Kristof Bruyninckx wrote: Entry in the /etc/samba/smb.conf snip ldap ssl = no ldap admin dn = uid=samba,ou=Idmap,dc=thales,dc=be ldap idmap suffix = ou=idmap ldap suffix = dc=thales,dc=be idmap backend = ldap:ldap://127.0.0.1 snip Also fixed the ACL (I think...) : Changed the ACL part in the /etc/openldap/slapd.conf to the following access to attr=userPassword by self write by anonymous auth by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write by * none access to * by self write by users read by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write ACLs are evaluated in order, the first match wins (see man slapd.access). here is an (simple) example: # give everyone read access to the RootDSE and subschema access to dn.base= by * read access to dn.base=cn=subschema by * read #protect passwords access to attrs=userPassword by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write by self write by anonymous auth by * none # very permissive but this is no problem as long as there are # not other sensible entries in the directory like user objects. access to * by dn.base=uid=samba,ou=Idmap,dc=thales,dc=be write by self write by users read by * none hth Paul -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Kristof Bruyninckx wrote: # Use the OpenLDAP password change # extended operation to update the password. pam_password md5 If you want it to do what the comment suggest this should read: pam_password exop dn: cn=Manager,dc=thales,dc=be objectClass: organizationalRole cn: Manager description: Directory Manager I think that may be your problem. The DN is the same as your rootdn in slapd.conf but does not have a userPassword attribute. It might shadow your rootdn making binds with that DN fail (see below). You don't have to add the rootdn from slapd.conf to your directory but it is generally discouraged to use it in daily operations as ACLs do not apply to rootdn. Sep 27 13:31:47 linux14 slapd: = access_allowed: auth access to cn=Manager,dc=thales,dc=be userPassword requested Sep 27 13:31:47 linux14 slapd: = access_allowed: backend default auth access granted to (anonymous) Sep 27 13:31:47 linux14 slapd: send_ldap_result: err=49 matched= err=49 means invalid credentials most likely due to the missing userPassword attribute of cn=manager,dc=thales,dc=be. Try removing cn=Manager,dc=thales,dc=be from your ldif and see if you can bind with rootdn and rootpw from your slapd.conf. If that works create another entry in your DIT with a userPassword attribute, give it appropriate permissions in slapd.conf and use that for your ldap admin dn in smb.conf hth Paul -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Hi, I removed the entry for cn=manager,dc=thales,dc=be and checked
with ldapmodigy if I could change the existing NIS users, which seems to
still work.
Now I added a user called Admin , output from slapcat :
dn: ou=People,dc=thales,dc=be
ou: People
description: All Nis people
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 15579caa-c053-1029-82d3-9e2135f77083
creatorsName: cn=Manager,dc=thales,dc=be
createTimestamp: 20050923075459Z
entryCSN: 20050923075459Z#01#00#00
modifiersName: cn=Manager,dc=thales,dc=be
modifyTimestamp: 20050923075459Z
dn: uid=root,ou=Idmap,dc=thales,dc=be
structuralObjectClass: account
entryUUID: 1d5990e8-c053-1029-82d4-9e2135f77083
creatorsName: cn=Manager,dc=thales,dc=be
createTimestamp: 20050923075512Z
uid: root
cn: Admin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: secret
shadowLastChange: 13041
shadowMax: 9
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root
entryCSN: 20050927142003Z#01#00#00
modifiersName: cn=Manager,dc=thales,dc=be
modifyTimestamp: 20050927142003Z
And then added the access permissions inside slapd.conf.
access to attr=userPassword
by self write
by anonymous auth
by dn.base=cn=Admin,dc=thales,dc=be write
by * none
access to *
by self write
by dn.base=cn=Admin,dc=thales,dc=be write
by * read
and also changed the ldap admin in samba to :
ldap admin dn = cn=Admin,dc=thales,dc=be
Now when I restart the winbind daemons he is still complaining about the
dn entry:
[2005/09/27 17:05:43, 1] lib/smbldap.c:another_ldap_try(951)
Connection to LDAP server failed for the 15 try!
[2005/09/27 17:05:44, 2] lib/smbldap.c:smbldap_open_connection(630)
smbldap_open_connection: connection opened
[2005/09/27 17:05:44, 2] lib/smbldap.c:smbldap_connect_system(790)
failed to bind to server ldap://127.0.0.1 with
dn=cn=Admin,dc=thales,dc=be Error: Invalid credentials
The ldif I used to add the Admin acount is identical ass that of the
Manager :
root.ldif
dn: uid=root,ou=Idmap,dc=thales,dc=be
uid: root
cn: Admin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$lB0twC9d$i542IIFLEH11VLUzdEUr91
shadowLastChange: 13041
shadowMax: 9
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root
Any ideas off what I'm doing wrong?
Thanks,
On Tue, 2005-09-27 at 15:02 +0200, paul kölle wrote:
Kristof Bruyninckx wrote:
# Use the OpenLDAP password change
# extended operation to update the password.
pam_password md5
If you want it to do what the comment suggest this should read:
pam_password exop
dn: cn=Manager,dc=thales,dc=be
objectClass: organizationalRole
cn: Manager
description: Directory Manager
I think that may be your problem. The DN is the same as your rootdn in
slapd.conf but does not have a userPassword attribute. It might shadow
your rootdn making binds with that DN fail (see below). You don't have
to add the rootdn from slapd.conf to your directory but it is
generally discouraged to use it in daily operations as ACLs do not apply
to rootdn.
Sep 27 13:31:47 linux14 slapd: = access_allowed: auth access to
cn=Manager,dc=thales,dc=be userPassword requested
Sep 27 13:31:47 linux14 slapd: = access_allowed: backend default auth
access granted to (anonymous)
Sep 27 13:31:47 linux14 slapd: send_ldap_result: err=49 matched=
err=49 means invalid credentials most likely due to the missing
userPassword attribute of cn=manager,dc=thales,dc=be.
Try removing cn=Manager,dc=thales,dc=be from your ldif and see if you
can bind with rootdn and rootpw from your slapd.conf. If that works
create another entry in your DIT with a userPassword attribute, give it
appropriate permissions in slapd.conf and use that for your ldap admin
dn in smb.conf
hth
Paul
--
Kristof.Bruyninckx
We are Microsoft. What you are experiencing is not a problem; it is an
undocumented feature.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Need help with IDMAP storage in LDAP using Winbind
Kristof Bruyninckx wrote:
Hi, I removed the entry for cn=manager,dc=thales,dc=be and checked
with ldapmodigy if I could change the existing NIS users, which seems to
still work.
Now I added a user called Admin , output from slapcat :
no, you have not. You authenticate with a DN and a password so a user
object in LDAP is identified with a DistinguishedName, not something
with a cn=whatever attribute.
Any ideas off what I'm doing wrong?
Your accounts are still messed up. You create an entry with DN
uid=root,ou=Idmap,dc=thales,dc=be but your admin dn is
cn=Admin,dc=thales,dc=be how is that supposed to work?
given the admin should not be used for other stuff (think of least
privileges model;) it could look like:
dn: uid=samba,ou=services,dc=thales,dc=be
objectClass: top
objectClass: simpleSecurityObject
objectClass: account
uid: samba
userPassword: {CLEARTEXT}whatever
description: DN for samba
then you would do:
1. change the ou to your needs
2. change the password
3. fix your ACLs
3. put exactly that DN in your smb.conf
4. run: smbpasswd -w DN as in ldap admin dn - type in password from
step 2.
Of course you can use whatever DN you like, it needs just a userPassword
attribute.
hth
Paul
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
