08-01-2009, 11:02 AM
#1
LQ Newbie
Registered: Aug 2009
Posts: 5
Samba issue (SAMBA and OpenLDAP for PDC)
Dear All,
I have an issue after configuring Samba integrated with LDAP for a PDC.
I have a server with OpenLDAP and Samba installed on it.
Distro: CentOS 5.3 kernel: 2.6.18-128.2.1.el5
Samba
Code:
# rpm -qa | grep samba
samba-common-3.0.33-3.7.el5_3.1
samba_client-3.0.33-3.7.el5_3.1
samba_swat-3.0.33-3.7.el5_3.1
samba-3.0.33-3.7.el5_3.1
LDAP server
Code:
/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/lib/openldap
# modules available in openldap-servers-overlays RPM package:
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by dn="cn=sambaadmin,dc=domain,dc=com" write
by * auth
access to *
by dn="cn=sambaadmin,dc=domain,dc=com" write
by * read
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=domain,dc=com"
rootdn "cn=Manager,dc=domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}b7s999z2H5zR7baoshyaPtVlk6fF3coZ
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
# slaptest
config file testing succeeded
# service ldap start
Checking configuration files for sldapd: config file testing succeeded [OK]
Starting slapd [OK]
SAMBA
Code:
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[sysvol]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[Documents]"
Loaded services file OK.
WARNING: Your 'passdb backend' configuration includes multiple backends. This is deprecated since Samba 3.0.23. Please check WHATSNEW.txt or the section 'Passdb Changes' from the ChangeNotes as part of Samba HOWTO collection. Only the first backend (ldapsam:ldap://pdc-svr.domain.com/) is uesd. The rest is ignored.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
.....
.....
Why do I have this WARNING?
This is smb.conf and the smbd log
Code:
# # Primary Domain Controller smb.conf
# # Global parameters
[global]
unix charset = LOCALE
workgroup = DOMAIN.COM
netbios name = PDC-SVR
interfaces = eth0, lo
bind interfaces only = Yes
passdb backend = ldapsam:ldap://pdc-svr.domain.com/
enable privileges = Yes
username map = /etc/samba/smbusers
guest account = root
log level = 10
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
show add printer wizard = No
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%g' '%u'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%g' '%u'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon script = scripts\logon.bat
logon path = \\pdc-svr\profiles\%U
logon drive = X:
domain logons = Yes
preferred master = Yes
domain master = Yes
wins support = Yes
# performance optimization: all users are stored in ldap
ldapsam:trusted = yes
ldap suffix = dc=dmain,dc=com
ldap machine suffix = ou=Computers,ou=Users
ldap user suffix = ou=People,ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=domain,dc=com
idmap backend = ldap://pdc-svr.domain.com
idmap uid = 10000-20000
idmap gid = 10000-20000
# printer admin = root
printing = cups
#========================Share Definitions=========================
[homes]
comment = Home Directories
valid users = %S
browseable = yes
writable = yes
create mask = 0600
directory mask = 0700
[sysvol]
path = /data/samba/sysvol
read only = no
[netlogon]
comment = Network Logon Service
path = /data/samba/sysvol/greystonevn.com/scripts
writeable = yes
browseable = yes
read only = no
[profiles]
path = /data/samba/profiles
writeable = yes
browseable = no
read only = no
create mode = 0777
directory mode = 0777
[Documents]
comment = share to test samba
path = /data/documents
writeable = yes
browseable = yes
read only = no
valid users = "@Domain Users"
SMBD log
Code:
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/07/30 13:15:58, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/07/30 13:15:58, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2009/07/30 13:15:58, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2009/07/30 13:15:58, 5] lib/smbldap.c:smbldap_search_ext(1182)
smbldap_search_ext: base => [ou=Groups,dc=domain,dc=com], filter => [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544))], scope => [2]
[2009/07/30 13:15:58, 10] lib/smbldap.c:smbldap_search_ext(1246)
Failed search for base: ou=Groups,dc=domain,dc=com, error: 32 (No such object) ()
[2009/07/30 13:15:58, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/07/30 13:15:58, 10] passdb/lookup_sid.c:legacy_sid_to_gid(1287)
LEGACY: mapping failed for sid S-1-5-32-544
[2009/07/30 13:15:58, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/07/30 13:15:58, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/07/30 13:15:58, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/07/30 13:15:58, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2009/07/30 13:15:58, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2009/07/30 13:15:58, 5] lib/smbldap.c:smbldap_search_ext(1182)
smbldap_search_ext: base => [ou=Groups,dc=domain,dc=com], filter => [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))], scope => [2]
[2009/07/30 13:15:58, 10] lib/smbldap.c:smbldap_search_ext(1246)
Failed search for base: ou=Groups,dc=domain,dc=com, error: 32 (No such object) ()
[2009/07/30 13:15:58, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/07/30 13:15:58, 10] passdb/lookup_sid.c:legacy_sid_to_gid(1287)
LEGACY: mapping failed for sid S-1-5-32-545
[2009/07/30 13:15:58, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/07/30 13:15:58, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/07/30 13:15:58, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/07/30 13:15:58, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2009/07/30 13:15:58, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2009/07/30 13:15:58, 5] lib/smbldap.c:smbldap_search_ext(1182)
smbldap_search_ext: base => [ou=Groups,dc=domain,dc=com], filter => [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-22-1-0)(sambaSIDList=S-1-5-32-544)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-11)))], scope => [2]
[2009/07/30 13:15:58, 10] lib/smbldap.c:smbldap_search_ext(1246)
Failed search for base: ou=Groups,dc=domain,dc=com, error: 32 (No such object) ()
[2009/07/30 13:15:58, 10] auth/auth_util.c:add_aliases(708)
pdb_enum_alias_memberships failed: NT_STATUS_UNSUCCESSFUL
[2009/07/30 13:15:58, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/07/30 13:15:58, 10] lib/util_seaccess.c:se_access_check(233)
se_access_check: requested access 0x000f003f, for NT token with 3 entries and first sid S-1-1-0.
[2009/07/30 13:15:58, 3] lib/util_seaccess.c:se_access_check(250)
[2009/07/30 13:15:58, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-7
se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 20019, current desired = f003f
se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f003f, current desired = d0026
[2009/07/30 13:15:58, 5] lib/util_seaccess.c:se_access_check(314)
se_access_check: access (f003f) denied.
[2009/07/30 13:15:58, 10] registry/reg_db.c:regdb_close(308)
regdb_close: decrementing refcount (1)
[2009/07/30 13:15:58, 0] services/services_db.c:svcctl_init_keys(420)
svcctl_init_keys: key lookup failed! (WERR_ACCESS_DENIED)
[2009/07/30 13:15:58, 10] registry/reg_db.c:regdb_close(308)
regdb_close: decrementing refcount (0)
[2009/07/30 13:15:58, 10] printing/nt_printing.c:update_c_setprinter(720)
update_c_setprinter: c_setprinter = 0
[2009/07/30 13:15:58, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/07/30 13:15:58, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/07/30 13:15:58, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/07/30 13:15:58, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2009/07/30 13:15:58, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2009/07/30 13:15:58, 6] passdb/pdb_interface.c:pdb_getsampwsid(281)
pdb_getsampwsid: Building guest account
[2009/07/30 13:15:58, 10] passdb/pdb_get_set.c:pdb_set_username(581)
pdb_set_username: setting username root, was
[2009/07/30 13:15:58, 10] passdb/pdb_get_set.c:pdb_set_fullname(650)
pdb_set_full_name: setting full name root, was
[2009/07/30 13:15:58, 10] passdb/pdb_get_set.c:pdb_set_domain(604)
pdb_set_domain: setting domain domain.COM, was
[2009/07/30 13:15:58, 10] passdb/pdb_get_set.c:pdb_set_user_sid(510)
pdb_set_user_sid: setting user sid S-1-5-21-1738631279-3210576300-98868778-501
[2009/07/30 13:15:58, 10] passdb/pdb_compat.c:pdb_set_user_sid_from_rid(73)
pdb_set_user_sid_from_rid:
setting user sid S-1-5-21-1738631279-3210576300-98868778-501 from rid 501
[2009/07/30 13:15:58, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/07/30 13:15:58, 10] lib/util_pw.c:getpwnam_alloc(76)
Got root from pwnam_cache
[2009/07/30 13:15:58, 5] lib/smbldap.c:smbldap_search_ext(1182)
smbldap_search_ext: base => [dc=domain,dc=com], filter => [(&(objectClass=sambaSamAccount)(uid=root))], scope => [2]
[2009/07/30 13:15:58, 10] lib/smbldap.c:smbldap_search_ext(1246)
Failed search for base: dc=domain,dc=com, error: 32 (No such object) ()
[2009/07/30 13:15:58, 10] auth/auth_util.c:make_server_info_sam(639)
pdb_enum_group_memberships failed: NT_STATUS_UNSUCCESSFUL
[2009/07/30 13:15:58, 0] smbd/server.c:main(1059)
ERROR: failed to setup guest info.
Code:
# service smb start
Starting SMB services [OK]
Starting NMB services [OK]
Code:
# service smb status
smbd dead but pid file exits
nmbd (pid 3280 3278) is running...
After I start smb a couple of times, smb is dead.
I don't know what happened; it looks like my smb.conf is configured correctly.
I have already disabled iptables and SELinux.
Many thanks for any advice.
Regards
NYU
08-01-2009, 12:00 PM
#2
Member
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 661
Verify your settings with the following command
#testparm -v|grep passdb
The above command will show what is working for the passdb backend.
I think your smbd daemon is unable to contact the LDAP server. Is your system able to resolve pdc-svr.domain.com? I mean, first confirm that your system can resolve pdc-svr.domain.com. If yes, then use 'pdbedit' to ensure the LDAP backend is working properly.
What if you place the IP of pdc-svr.domain.com in 'passdb backend = ldapsam:ldap://pdc-svr.domain.com/'?
Thanks
Last edited by vishesh; 08-01-2009 at 12:13 PM.
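The smbd log above fails every LDAP search with error 32 (No such object), and the quoted smb.conf and slapd.conf can be cross-checked for that before touching the daemon. The following script is an added example, not code from either poster or from Samba: it parses short excerpts constructed from the two files in the thread and reports the search base mismatch, the use of the directory rootdn as Samba's bind DN, and the guest account mapped to root.

```python
import re

# Constructed excerpts modelled on the smb.conf and slapd.conf quoted above, not the full files.
SMB_CONF = """\
[global]
passdb backend = ldapsam:ldap://pdc-svr.domain.com/
guest account = root
ldap suffix = dc=dmain,dc=com
ldap admin dn = cn=Manager,dc=domain,dc=com
[homes]
valid users = %S
"""
SLAPD_CONF = """\
suffix "dc=domain,dc=com"
rootdn "cn=Manager,dc=domain,dc=com"
"""

def smb_global(text):
    """Return the [global] parameters of an smb.conf as a dict (keys lowercased)."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif "=" in line and section == "global" and not line.startswith(("#", ";")):
            key, _, val = line.partition("=")
            params[key.strip().lower()] = val.strip()
    return params

def slapd_directive(text, name):
    """Return the value of a slapd.conf directive (quotes stripped), or None."""
    m = re.search(rf'^\s*{name}\s+"?([^"\n]+?)"?\s*$', text, re.M | re.I)
    return m.group(1) if m else None

def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))  # lowercase, no spaces

def check(smb_text, slapd_text):
    """List findings that explain failed ldapsam lookups or weaken the PDC."""
    g, findings = smb_global(smb_text), []
    suffix, rootdn = (slapd_directive(slapd_text, n) for n in ("suffix", "rootdn"))
    if suffix and norm_dn(g.get("ldap suffix", "")) != norm_dn(suffix):
        findings.append(f"suffix mismatch: smb.conf {g.get('ldap suffix')!r} vs "
                        f"slapd {suffix!r}; every search below it fails with error 32")
    if rootdn and norm_dn(g.get("ldap admin dn", "")) == norm_dn(rootdn):
        findings.append("ldap admin dn is the slapd rootdn; bind with a least-privilege DN")
    if g.get("guest account", "").lower() == "root":
        findings.append("guest account = root: guest sessions would run as uid 0")
    return findings
```

Run it against the real files (`check(open('/etc/samba/smb.conf').read(), open('/etc/openldap/slapd.conf').read())`) and fix each finding before restarting smbd; a suffix that does match but still returns error 32 means the base entry was never created in the directory.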