Re: [Samba] openldap integration failed after power cut

2012-02-20 Thread Fergus Clarke
Hi

Running ldapsearch -x on the primary LDAP server fails; it gives

[root@servername ~]# ldapsearch -x
ldap_bind: Can't contact LDAP server (-1)

And yet on that server the Zimbra instance appears to be fine.

Can you suggest any further diagnosis of the LDAP on that server, or action I 
might take?

Many Thanks

Fergus


- Original Message -
From: Gaiseric Vandal gaiseric.van...@gmail.com
To: Fergus Clarke fcla...@ixico.com
Cc: samba@lists.samba.org
Sent: Monday, 13 February, 2012 6:32:41 PM
Subject: Re: [Samba] openldap integration failed after power cut

try ldapsearch with -x for simple (non sasl) authentication.

On 02/13/2012 01:29 PM, Fergus Clarke wrote:
 Hi

 Thanks for your reply, much appreciated.

 When I run ldapsearch on the Samba server it prompts me for a password and 
 this fails when tried with the credentials for the ldap bind account 
 specified in smb.conf, also with the root pw for either machine, as follows:

 ldap_sasl_interactive_bind_s: Invalid credentials (49)

 I have tried resetting the smbpasswd -w as you suggested and setting the bind 
 account password to the same on the ldap server, but I still get this 
 message.  This suggests you are right and it is a credentials issue, is there 
 anything I need to do beyond

 smbpasswd -w password on the samba machine
 and passwd bind account on ldap server
 ?

 The LDAP does appear to be running on the primary LDAP server as I can look 
 at it on the console of the (unused) instance of zimbra on there, it looks 
 OK.  That said if I do a ldapsearch on that machine I get an error:

 [root@primaryldapserver cacerts]# ldapsearch
 ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

 Regards

 Fergus


 - Original Message -
 From: Gaiseric Vandal gaiseric.van...@gmail.com
 To: samba@lists.samba.org
 Sent: Monday, 13 February, 2012 5:51:43 PM
 Subject: Re: [Samba] openldap integration failed after power cut

 Can you use ldapsearch or a GUI Ldap browser/editor (e.g. Apache
 Directory Studio) to make sure that your primary LDAP server really is
 working.  Verify that the credentials are good.

 You may need to re-enter the ldap pw in samba if your password store
 got corrupted

 # smbpasswd -w LDAPBINDPW






 On 02/13/2012 11:12 AM, Fergus Clarke wrote:
 Hi

 We have a Samba server that authenticates with an openldap server.  Or it 
 used to.
 We had a power cut last week and after a bit of struggling everything came 
 back, but not Samba.
 Previously our smb.conf file included the line

 passdb backend = ldapsam:ldap://server.domain.net/

 With this line in place the connection to the LDAP server fails, and people's 
 shares drop off every few minutes.  I changed this to point to our 2nd, 
 backup ldap server and now shares and logon work again.  I need to get 
 communication started again between our Samba and primary LDAP server.

 Symptoms include the following: (with the new config, ie pointing at the 
 backup ldap server)

 On the samba server:

 servername:/etc/samba# smbclient '\\servername\data'
 WARNING: The printer admin option is deprecated
 Enter root's password:
 session setup failed: NT_STATUS_LOGON_FAILURE

 but

 servername:/etc/samba# smbclient -L localhost -U%
 WARNING: The printer admin option is deprecated
 Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]

  Sharename       Type      Comment
  ---------       ----      -------
  netlogon        Disk      Network Logon Service
  print$          Disk      Printer Drivers

 etc

 also:

 servername:/etc/samba# pdbedit -u username -c [X]
 doing parameter syslog = 1
 doing parameter log file = /var/log/samba/log.%m
 doing parameter max log size = 1000
 doing parameter smb ports = 139
 doing parameter name resolve order = wins bcast hosts
 doing parameter printcap name = cups
 doing parameter add user script = /usr/sbin/adduser --quiet 
 --disabled-password --gecos  %u
 doing parameter add machine script = /usr/sbin/smbldap-useradd -w %m
 doing parameter logon script = logon.cmd
 doing parameter logon path = \\server.domain.net\%U\profile
 doing parameter logon home = \\server.domain.net\%U
 doing parameter domain logons = Yes
 doing parameter os level = 33
 doing parameter preferred master = Yes
 doing parameter domain master = Yes
 doing parameter dns proxy = No
 doing parameter wins support = Yes
 doing parameter ldap admin dn = uid=username,cn=admins,cn=thenameofthecn
 doing parameter ldap group suffix = ou=groups
 doing parameter ldap machine suffix = ou=machines
 doing parameter ldap passwd sync = Yes
 doing parameter ldap suffix = dc=ixico,dc=com
 doing parameter ldap user suffix = ou=people
 doing parameter panic action = /usr/share/samba/panic-action %d
 pm_process() returned Yes
 smbldap_search_domain_info: Searching 
 for:[((objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
 smbldap_open_connection: connection opened
 ldap_connect_system: successful connection to the LDAP server
 The LDAP server is successfully

Re: [Samba] openldap integration failed after power cut

2012-02-20 Thread Adam Tauno Williams
On Mon, 2012-02-20 at 12:13 +, Fergus Clarke wrote:
 running ldapsearch -x on the primary LDAP server fails, it gives
 [root@servername ~]# ldapsearch -x
 ldap_bind: Can't contact LDAP server (-1)
 And yet on that server the Zimbra instance appears to be fine.
 Can you suggest any further diagnosis of the LDAP on that server, or action I 
 might take?

Yes, research the problem.

On the DSA [LDAP server] is the slapd server listening on the expected
port?

netstat --listen --tcp --program

Given the contents of /etc/openldap/ldap.conf [or wherever your client
LDAP config is] - does the hostname specified there resolve?  Is the
port specified the same as the one the server is listening on?  Can you telnet
hostname port-number from the client and get a connection?

All this is just standard debugging steps.


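The checks listed in the reply above (what the client's ldap.conf points at, whether the name resolves, whether the port answers, and which address slapd is bound to), as an added example that is not part of the thread. The hostnames, addresses and netstat lines are constructed, and `--numeric` is added to the netstat call so ports print as numbers.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. All sample data is constructed.

# Print "scheme host port" for each server named in an ldap.conf-style file
# ($1, or stdin). Handles URI and the older HOST name[:port]; ldapi:// is skipped.
ldap_endpoints() {
    awk '
    function emit(scheme, hp,    host, port) {
        host = hp; port = (scheme == "ldaps") ? 636 : 389
        if (hp ~ /:[0-9]+$/) { port = hp; sub(/.*:/, "", port); sub(/:[0-9]+$/, "", host) }
        if (host == "") host = "localhost"
        print scheme, host, port; found = 1
    }
    /^[ \t]*#/ || NF < 2 { next }
    { key = toupper($1) }
    key == "URI" {
        for (i = 2; i <= NF; i++) {
            scheme = tolower($i); sub(/:\/\/.*/, "", scheme)
            if (scheme == "ldapi") { found = 1; continue }
            hp = $i; sub(/^[A-Za-z]+:\/\//, "", hp); sub(/\/.*/, "", hp)
            emit(scheme, hp)
        }
    }
    key == "HOST" { for (i = 2; i <= NF; i++) emit("ldap", $i) }
    # Nothing configured: libldap falls back to ldap://localhost:389.
    END { if (!found) print "ldap", "localhost", 389 }
    ' "${1:--}"
}

# Read `netstat --listen --tcp --numeric --program` output on stdin and print
# "local-address pid/program" for every socket listening on port $1.
listeners_on_port() {
    awk -v port="$1" '$1 ~ /^tcp/ && $6 == "LISTEN" {
        p = $4; sub(/.*:/, "", p); if (p == port) print $4, $7 }'
}

# Resolve, then dial, one endpoint: prints no-resolve, closed (refused or no answer in 3 s) or open.
probe() {
    getent ahosts "$1" >/dev/null || { echo no-resolve; return 0; }
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null \
        && echo open || echo closed
}

sample_ldap_conf() { cat <<'EOF'
# constructed client config
BASE dc=example,dc=com
URI  ldap://ldap1.example.net ldaps://ldap2.example.net:1636/
EOF
}
sample_netstat() { cat <<'EOF'
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 192.0.2.10:389   0.0.0.0:*        LISTEN  2143/slapd
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  901/sshd
EOF
}

if [ -n "${1:-}" ]; then   # argument given: probe what that ldap.conf points at
    ldap_endpoints "$1" | while read -r scheme host port; do
        echo "$scheme://$host:$port $(probe "$host" "$port")"
    done
else                       # no argument: constructed data only, no network
    sample_ldap_conf | ldap_endpoints
    sample_netstat | listeners_on_port 389
fi
```

In the constructed netstat sample slapd is bound to 192.0.2.10 only, so a client whose configuration resolves to 127.0.0.1 would see "Can't contact LDAP server (-1)" even though the daemon is running.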

Re: [Samba] openldap integration failed after power cut

2012-02-13 Thread Gaiseric Vandal
Can you use ldapsearch or a GUI Ldap browser/editor (e.g. Apache 
Directory Studio) to make sure that your primary LDAP server really is 
working.  Verify that the credentials are good.


You may need to re-enter the ldap pw in samba if your password store 
got corrupted


# smbpasswd -w LDAPBINDPW






On 02/13/2012 11:12 AM, Fergus Clarke wrote:

Hi

We have a Samba server that authenticates with an openldap server.  Or it used 
to.
We had a power cut last week and after a bit of struggling everything came 
back, but not Samba.
Previously our smb.conf file included the line

passdb backend = ldapsam:ldap://server.domain.net/

With this line in place the connection to the LDAP server fails, and people's 
shares drop off every few minutes.  I changed this to point to our 2nd, backup 
ldap server and now shares and logon work again.  I need to get communication 
started again between our Samba and primary LDAP server.

Symptoms include the following: (with the new config, ie pointing at the backup 
ldap server)

On the samba server:

servername:/etc/samba# smbclient '\\servername\data'
WARNING: The printer admin option is deprecated
Enter root's password:
session setup failed: NT_STATUS_LOGON_FAILURE

but

servername:/etc/samba# smbclient -L localhost -U%
WARNING: The printer admin option is deprecated
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]

Sharename       Type      Comment
---------       ----      -------
netlogon        Disk      Network Logon Service
print$          Disk      Printer Drivers

etc

also:

servername:/etc/samba# pdbedit -u username -c [X]
doing parameter syslog = 1
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter smb ports = 139
doing parameter name resolve order = wins bcast hosts
doing parameter printcap name = cups
doing parameter add user script = /usr/sbin/adduser --quiet --disabled-password --gecos 
 %u
doing parameter add machine script = /usr/sbin/smbldap-useradd -w %m
doing parameter logon script = logon.cmd
doing parameter logon path = \\server.domain.net\%U\profile
doing parameter logon home = \\server.domain.net\%U
doing parameter domain logons = Yes
doing parameter os level = 33
doing parameter preferred master = Yes
doing parameter domain master = Yes
doing parameter dns proxy = No
doing parameter wins support = Yes
doing parameter ldap admin dn = uid=username,cn=admins,cn=thenameofthecn
doing parameter ldap group suffix = ou=groups
doing parameter ldap machine suffix = ou=machines
doing parameter ldap passwd sync = Yes
doing parameter ldap suffix = dc=ixico,dc=com
doing parameter ldap user suffix = ou=people
doing parameter panic action = /usr/share/samba/panic-action %d
pm_process() returned Yes
smbldap_search_domain_info: Searching 
for:[((objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
smbldap_search_domain_info: Searching 
for:[((objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
init_sam_from_ldap: Entry found for user: username
ldapsam_update_sam_account: user username to be modified has dn: 
uid=username,ou=people,dc=domain,dc=com
init_ldap_from_sam: Setting entry for user: username
Unable to modify entry!


If I change the setting back to point at our original LDAP server I get the 
following errors, for example:


servername:/etc/samba# pdbedit -u username -c [X]
doing parameter syslog = 1
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter smb ports = 139
doing parameter name resolve order = wins bcast hosts
doing parameter printcap name = cups
doing parameter add user script = /usr/sbin/adduser --quiet --disabled-password --gecos 
 %u
doing parameter add machine script = /usr/sbin/smbldap-useradd -w %m
doing parameter logon script = logon.cmd
doing parameter logon path = \\server.domain.net\%U\profile
doing parameter logon home = \\server.domain.net\%U
doing parameter domain logons = Yes
doing parameter os level = 33
doing parameter preferred master = Yes
doing parameter domain master = Yes
doing parameter dns proxy = No
doing parameter wins support = Yes
doing parameter ldap admin dn = uid=user,cn=admins,cn=relevantcn
doing parameter ldap group suffix = ou=groups
doing parameter ldap machine suffix = ou=machines
doing parameter ldap passwd sync = Yes
doing parameter ldap suffix = dc=domain,dc=com
doing parameter ldap user suffix = ou=people
doing parameter panic action = /usr/share/samba/panic-action %d
pm_process() returned Yes
smbldap_search_domain_info: Searching 
for:[((objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
smbldap_open_connection: connection opened
failed to bind to server ldap://ldap2.domain.net/ with 

Re: [Samba] openldap integration failed after power cut

2012-02-13 Thread Fergus Clarke
Hi

Thanks for your reply, much appreciated.

When I run ldapsearch on the Samba server it prompts me for a password and this 
fails when tried with the credentials for the ldap bind account specified in 
smb.conf, also with the root pw for either machine, as follows:

ldap_sasl_interactive_bind_s: Invalid credentials (49)

I have tried resetting the smbpasswd -w as you suggested and setting the bind 
account password to the same on the ldap server, but I still get this message.  
This suggests you are right and it is a credentials issue, is there anything I 
need to do beyond

smbpasswd -w password on the samba machine
and passwd bind account on ldap server
?

The LDAP does appear to be running on the primary LDAP server as I can look at 
it on the console of the (unused) instance of zimbra on there, it looks OK.  
That said if I do a ldapsearch on that machine I get an error:

[root@primaryldapserver cacerts]# ldapsearch
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Regards

Fergus


- Original Message -
From: Gaiseric Vandal gaiseric.van...@gmail.com
To: samba@lists.samba.org
Sent: Monday, 13 February, 2012 5:51:43 PM
Subject: Re: [Samba] openldap integration failed after power cut

Can you use ldapsearch or a GUI Ldap browser/editor (e.g. Apache 
Directory Studio) to make sure that your primary LDAP server really is 
working.  Verify that the credentials are good.

You may need to re-enter the ldap pw in samba if your password store 
got corrupted

# smbpasswd -w LDAPBINDPW






On 02/13/2012 11:12 AM, Fergus Clarke wrote:
 Hi

 We have a Samba server that authenticates with an openldap server.  Or it 
 used to.
 We had a power cut last week and after a bit of struggling everything came 
 back, but not Samba.
 Previously our smb.conf file included the line

 passdb backend = ldapsam:ldap://server.domain.net/

 With this line in place the connection to the LDAP server fails, and people's 
 shares drop off every few minutes.  I changed this to point to our 2nd, 
 backup ldap server and now shares and logon work again.  I need to get 
 communication started again between our Samba and primary LDAP server.

 Symptoms include the following: (with the new config, ie pointing at the 
 backup ldap server)

 On the samba server:

 servername:/etc/samba# smbclient '\\servername\data'
 WARNING: The printer admin option is deprecated
 Enter root's password:
 session setup failed: NT_STATUS_LOGON_FAILURE

 but

 servername:/etc/samba# smbclient -L localhost -U%
 WARNING: The printer admin option is deprecated
 Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]

   Sharename       Type      Comment
   ---------       ----      -------
   netlogon        Disk      Network Logon Service
   print$          Disk      Printer Drivers

 etc

 also:

 servername:/etc/samba# pdbedit -u username -c [X]
 doing parameter syslog = 1
 doing parameter log file = /var/log/samba/log.%m
 doing parameter max log size = 1000
 doing parameter smb ports = 139
 doing parameter name resolve order = wins bcast hosts
 doing parameter printcap name = cups
 doing parameter add user script = /usr/sbin/adduser --quiet 
 --disabled-password --gecos  %u
 doing parameter add machine script = /usr/sbin/smbldap-useradd -w %m
 doing parameter logon script = logon.cmd
 doing parameter logon path = \\server.domain.net\%U\profile
 doing parameter logon home = \\server.domain.net\%U
 doing parameter domain logons = Yes
 doing parameter os level = 33
 doing parameter preferred master = Yes
 doing parameter domain master = Yes
 doing parameter dns proxy = No
 doing parameter wins support = Yes
 doing parameter ldap admin dn = uid=username,cn=admins,cn=thenameofthecn
 doing parameter ldap group suffix = ou=groups
 doing parameter ldap machine suffix = ou=machines
 doing parameter ldap passwd sync = Yes
 doing parameter ldap suffix = dc=ixico,dc=com
 doing parameter ldap user suffix = ou=people
 doing parameter panic action = /usr/share/samba/panic-action %d
 pm_process() returned Yes
 smbldap_search_domain_info: Searching 
 for:[((objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
 smbldap_open_connection: connection opened
 ldap_connect_system: successful connection to the LDAP server
 The LDAP server is successfully connected
 smbldap_search_domain_info: Searching 
 for:[((objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
 smbldap_open_connection: connection opened
 ldap_connect_system: successful connection to the LDAP server
 The LDAP server is successfully connected
 init_sam_from_ldap: Entry found for user: username
 ldapsam_update_sam_account: user username to be modified has dn: 
 uid=username,ou=people,dc=domain,dc=com
 init_ldap_from_sam: Setting entry for user: username
 Unable to modify entry!


 If I change the setting back to point at our original LDAP server I get the 
 following errors, for example:


 servername:/etc/samba# pdbedit -u username -c [X]
 doing parameter syslog = 1
 doing parameter

Re: [Samba] openldap integration failed after power cut

2012-02-13 Thread Gaiseric Vandal

try ldapsearch with -x for simple (non sasl) authentication.

On 02/13/2012 01:29 PM, Fergus Clarke wrote:

Hi

Thanks for your reply, much appreciated.

When I run ldapsearch on the Samba server it prompts me for a password and this 
fails when tried with the credentials for the ldap bind account specified in 
smb.conf, also with the root pw for either machine, as follows:

ldap_sasl_interactive_bind_s: Invalid credentials (49)

I have tried resetting the smbpasswd -w as you suggested and setting the bind 
account password to the same on the ldap server, but I still get this message.  
This suggests you are right and it is a credentials issue, is there anything I 
need to do beyond

smbpasswd -w password on the samba machine
and passwd bind account on ldap server
?

The LDAP does appear to be running on the primary LDAP server as I can look at 
it on the console of the (unused) instance of zimbra on there, it looks OK.  
That said if I do a ldapsearch on that machine I get an error:

[root@primaryldapserver cacerts]# ldapsearch
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Regards

Fergus


- Original Message -
From: Gaiseric Vandal gaiseric.van...@gmail.com
To: samba@lists.samba.org
Sent: Monday, 13 February, 2012 5:51:43 PM
Subject: Re: [Samba] openldap integration failed after power cut

Can you use ldapsearch or a GUI Ldap browser/editor (e.g. Apache
Directory Studio) to make sure that your primary LDAP server really is
working.  Verify that the credentials are good.

You may need to re-enter the ldap pw in samba if your password store
got corrupted

# smbpasswd -w LDAPBINDPW






On 02/13/2012 11:12 AM, Fergus Clarke wrote:

Hi

We have a Samba server that authenticates with an openldap server.  Or it used 
to.
We had a power cut last week and after a bit of struggling everything came 
back, but not Samba.
Previously our smb.conf file included the line

passdb backend = ldapsam:ldap://server.domain.net/

With this line in place the connection to the LDAP server fails, and people's 
shares drop off every few minutes.  I changed this to point to our 2nd, backup 
ldap server and now shares and logon work again.  I need to get communication 
started again between our Samba and primary LDAP server.

Symptoms include the following: (with the new config, ie pointing at the backup 
ldap server)

On the samba server:

servername:/etc/samba# smbclient '\\servername\data'
WARNING: The printer admin option is deprecated
Enter root's password:
session setup failed: NT_STATUS_LOGON_FAILURE

but

servername:/etc/samba# smbclient -L localhost -U%
WARNING: The printer admin option is deprecated
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]

Sharename       Type      Comment
---------       ----      -------
netlogon        Disk      Network Logon Service
print$          Disk      Printer Drivers

etc

also:

servername:/etc/samba# pdbedit -u username -c [X]
doing parameter syslog = 1
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter smb ports = 139
doing parameter name resolve order = wins bcast hosts
doing parameter printcap name = cups
doing parameter add user script = /usr/sbin/adduser --quiet --disabled-password --gecos 
 %u
doing parameter add machine script = /usr/sbin/smbldap-useradd -w %m
doing parameter logon script = logon.cmd
doing parameter logon path = \\server.domain.net\%U\profile
doing parameter logon home = \\server.domain.net\%U
doing parameter domain logons = Yes
doing parameter os level = 33
doing parameter preferred master = Yes
doing parameter domain master = Yes
doing parameter dns proxy = No
doing parameter wins support = Yes
doing parameter ldap admin dn = uid=username,cn=admins,cn=thenameofthecn
doing parameter ldap group suffix = ou=groups
doing parameter ldap machine suffix = ou=machines
doing parameter ldap passwd sync = Yes
doing parameter ldap suffix = dc=ixico,dc=com
doing parameter ldap user suffix = ou=people
doing parameter panic action = /usr/share/samba/panic-action %d
pm_process() returned Yes
smbldap_search_domain_info: Searching 
for:[((objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
smbldap_search_domain_info: Searching 
for:[((objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
init_sam_from_ldap: Entry found for user: username
ldapsam_update_sam_account: user username to be modified has dn: 
uid=username,ou=people,dc=domain,dc=com
init_ldap_from_sam: Setting entry for user: username
Unable to modify entry!


If I change the setting back to point at our original LDAP server I get the 
following errors, for example:


servername:/etc/samba# pdbedit -u username -c [X]
doing