[OpenIndiana-discuss] Could not setup LDAP for SAMBA

Jonathan Adams t12nslookup at gmail.com
Wed Mar 7 10:14:07 UTC 2012


Do you still have "ldap" in your /etc/nsswitch.conf on the passwd and
group lines? (Are you using nwam?)

Does ldapsearch work without a password now?

Do you get anything from:

ldapsearch -b ou=users,dc=domain,dc=com -D cn=admin,dc=domain,dc=com -w my-secret -s one uid=administration

Can you re-paste your updated ldap_client_file?

An example of what looking at my username gives:
t12nslookup at jadlaptop:~$ ldapsearch -s one -b ou=People,dc=domain,dc=com -D cn=Manager,dc=domain,dc=com -s one -w - uid=t12nslookup
Enter bind password:
version: 1
dn: uid=t12nslookup,ou=People,dc=domain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetLocalMailRecipient
cn: Jonathan Adams
uid: t12nslookup
uidNumber: 64007
gidNumber: 63020
userPassword: {crypt}NPNPNPNPNPNP
givenName: Jonathan
sn: Adams
homeDirectory: /home/t12nslookup
o: My Company Ltd
l: Manchester
mail: t12nslookup at domain.com
postalCode: M16 9FE
registeredAddress: My Company Address
shadowFlag: 0
shadowLastChange: 11835
sambaNTPassword: 34DFBB34763428723487F71CF1806DC7
sambaSID: S-1-5-21-2469953014-4172709918-2210631845-1814
sambaPrimaryGroupSID: S-1-5-21-2469953014-4172709918-2210631845-513
sambaHomePath: \\SERVER\t12nslookup
sambaHomeDrive: M:
sambaProfilePath: \\SERVER\profiles\t12nslookup
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 1088504232
sambaPwdMustChange: 2147483647
mobile: 07918740616
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaAcctFlags: [U          ]
loginShell: /bin/bash
sambaPwdLastSet: 1305107652
mailHost: SERVER
gecos: Jonathan Adams

On 6 March 2012 20:33, IVO GELOV (CRM) <ivo at crm.walltopia.com> wrote:
> Enabling debug for "name-service-cache" and then issuing "getent passwd
> administration" shows this:
>
> Tue Mar  6 22:30:05.6585--3--27998      lookup_int:
>                getpwnam [key=administration]: lookup start
> Tue Mar  6 22:30:05.6585--3--27998      lookup_cache:
>                getpwnam [key=administration]: cache miss
> Tue Mar  6 22:30:05.6586--3--27998      lookup_int:
>                getpwnam [key=administration]: name service lookup required
> Tue Mar  6 22:30:05.6593--3--27998      lookup_int:
>                getpwnam [key=administration]: name service lookup status = 2
> Tue Mar  6 22:30:05.6593--3--27998      lookup_int:
>                getpwnam [key=administration]: name service lookup failed
> Tue Mar  6 22:30:05.6594--3--27998      lookup_int:
>                getpwnam [key=administration]: name service lookup failed
> (status=2, errno=0)
>
> and this is not very helpful :(
>
> IVO GELOV
>
>
> On Tue, 06 Mar 2012 21:17:09 +0200, Jonathan Adams <t12nslookup at gmail.com>
> wrote:
>
>> My auth from my slapd.conf:
>>
>> access to dn.base="" by * read
>> #
>> access to attrs=userPassword,sambaLMPassword,sambaNTPassword
>>        by self         write
>>        by dn="cn=samba_admin,ou=People,dc=domain,dc=com"   read
>>        by anonymous    auth
>>        by *            none
>> #
>> access to *
>>        by *            read
>>
>> My /var/ldap/ldap_client_file:
>>
>> NS_LDAP_FILE_VERSION= 2.0
>> NS_LDAP_SERVERS= 127.0.0.1
>> NS_LDAP_SEARCH_BASEDN= dc=domain,dc=com
>> NS_LDAP_AUTH= simple
>> NS_LDAP_CACHETTL= 43200
>> NS_LDAP_PROFILE= default
>> NS_LDAP_CREDENTIAL_LEVEL= proxy
>> NS_LDAP_SERVICE_SEARCH_DESC=
>> auto_home:nisMapName=auto_home,dc=domain,dc=com
>> NS_LDAP_ATTRIBUTEMAP= automount:automountKey=cn
>> NS_LDAP_ATTRIBUTEMAP= automount:automountInformation=nisMapEntry
>> NS_LDAP_ATTRIBUTEMAP= automount:automountMapName=nisMapName
>> NS_LDAP_OBJECTCLASSMAP= automount:automount=nisObject
>> NS_LDAP_OBJECTCLASSMAP= automount:automountMap=nisMap
>>
>> I don't believe you will want any of the automount stuff; we use
>> profiles, and I've changed the LDAP_SERVERS list so that it doesn't
>> have all 30 machines in it (we also have syncrepl enabled with chains
>> to replicas) :)
>>
>> Not sure if the access stuff makes any difference.
>>
>> You might want to change your bind auth to simple ...
>>
>> You shouldn't need to put any users in your /etc/passwd.
>>
>> Jon
>>
>> _______________________________________________
>> OpenIndiana-discuss mailing list
>> OpenIndiana-discuss at openindiana.org
>> http://openindiana.org/mailman/listinfo/openindiana-discuss
>
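As an added example (not code from this thread or from OpenIndiana), the two checks asked for at the top of the reply, scripted so they run offline: does nsswitch.conf actually send passwd and group lookups to ldap, and does the LDAP entry carry everything nss_ldap needs to answer getpwnam. The sample nsswitch.conf lines and the sample LDIF entry are constructed here (the LDIF mirrors the attributes in the ldapsearch output above); the function names check_nsswitch and check_posix_entry are this example's own. Two practitioner notes: the "status = 2" in the nscd trace is NSS_UNAVAIL in Solaris's nss_common.h (the backend could not be used), not NSS_NOTFOUND (1, "no such user"), so the ldap_client_file and proxy-bind side is the place to look before the entry itself; and when running ldapsearch by hand, the "-w -" form used in the second command above is preferable to "-w my-secret", which leaves the proxy password visible in the process list.

```shell
#!/bin/sh
# Added example, not code from the OpenIndiana-discuss thread.
# Offline checks for the two questions at the top of the reply:
#   1. do passwd and group lookups in nsswitch.conf consult ldap?
#   2. does the user's LDAP entry carry what nss_ldap needs for getpwnam?
# Both functions take file content as a string so they run on the
# constructed samples below; in practice pass "$(cat /etc/nsswitch.conf)"
# or the output of ldapsearch.

# Constructed sample: a nsswitch.conf with ldap on both lines.
SAMPLE_NSSWITCH='# nsswitch.conf
passwd:     files ldap
group:      files ldap
hosts:      files dns'

# Constructed sample: an entry in the shape of the ldapsearch output above,
# including one folded continuation line (leading space) as LDIF emits them.
SAMPLE_LDIF='version: 1
dn: uid=t12nslookup,ou=People,dc=domain,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: t12nslookup
uidNumber: 64007
gidNumber: 63020
homeDirectory: /home/t12nslookup
loginShell: /bin/bash
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000
 000000000000
sambaSID: S-1-5-21-2469953014-4172709918-2210631845-1814'

# check_nsswitch CONTENT: succeed only if both the passwd and the group
# line list ldap as a source. Comments are stripped; fields are split on
# whitespace and on the colon after the database name.
check_nsswitch() {
    printf '%s\n' "$1" | awk '
        {
            line = $0
            sub(/#.*/, "", line)
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t:]+/)
            if (f[1] == "passwd" || f[1] == "group")
                for (i = 2; i <= n; i++)
                    if (f[i] == "ldap") seen[f[1]] = 1
        }
        END { exit !(("passwd" in seen) && ("group" in seen)) }'
}

# check_posix_entry LDIF: print the attributes (or the posixAccount object
# class) that getpwnam needs but the entry lacks; succeed when none are missing.
check_posix_entry() {
    printf '%s\n' "$1" | awk '
        /^ / { next }                          # folded continuation line
        /^objectClass: posixAccount$/ { posix = 1 }
        { split($0, kv, ": "); have[kv[1]] = 1 }
        END {
            n = split("uid uidNumber gidNumber homeDirectory loginShell", need, " ")
            missing = posix ? "" : "objectClass=posixAccount"
            for (i = 1; i <= n; i++)
                if (!(need[i] in have))
                    missing = missing (missing == "" ? "" : " ") need[i]
            if (missing != "") { print missing; exit 1 }
        }'
}

# Stand-alone run on the constructed samples.
check_nsswitch "$SAMPLE_NSSWITCH" && echo "nsswitch.conf: passwd and group use ldap" \
    || echo "nsswitch.conf: ldap missing from passwd or group"
missing=$(check_posix_entry "$SAMPLE_LDIF") && echo "entry: complete" \
    || echo "entry is missing: $missing"
```

If the entry check passes but getent still fails, the problem is on the bind path (NS_LDAP_CREDENTIAL_LEVEL, the proxy DN and password, and the slapd ACLs that DN is subject to) rather than in the entry.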


