[OpenIndiana-discuss] (SOLVED) Could not setup LDAP for SAMBA

IVO GELOV (CRM) ivo at crm.walltopia.com
Wed Mar 7 12:24:40 UTC 2012


Jon, I want to say "THANK YOU" for your patience with me. Last night I was googling for
anything about my problem and I found this blog
http://jakub.wartak.pl/blog/?p=57

After issuing the proposed command (twice), I have now finally got my problem solved.
The command proposed on the blog was (filled in with my values):

ldapclient manual -v \
  -a credentialLevel=proxy \
  -a authenticationMethod=simple \
  -a proxyDN=cn=admin,dc=domain,dc=com \
  -a proxyPassword=my-secret \
  -a defaultServerList=127.0.0.1:389 \
  -a defaultSearchBase=dc=domain,dc=com \
  -a domainName=sf.extrapack.com \
  -a followReferrals=false \
  -a attributeMap=group:userpassword=userPassword \
  -a attributeMap=group:memberuid=memberUid \
  -a attributeMap=group:gidnumber=gidNumber \
  -a attributeMap=passwd:gecos=cn \
  -a attributeMap=passwd:gidnumber=gidNumber \
  -a attributeMap=passwd:uidnumber=uidNumber \
  -a attributeMap=passwd:homedirectory=homeDirectory \
  -a attributeMap=passwd:loginshell=loginShell \
  -a attributeMap=shadow:shadowflag=shadowFlag \
  -a attributeMap=shadow:userpassword=userPassword \
  -a objectClassMap=group:posixGroup=posixGroup \
  -a objectClassMap=passwd:posixAccount=posixAccount \
  -a objectClassMap=shadow:shadowAccount=shadowAccount \
  -a serviceSearchDescriptor=passwd:ou=users,dc=domain,dc=com?sub \
  -a serviceSearchDescriptor=group:ou=groups,dc=domain,dc=com?sub

After the 1st run, it shows this:

Handling manual option
Proxy DN: cn=admin,dc=domain,dc=com
Proxy password: {NS1}89eb3b864345f0
Credential level: 1
Authentication method: 1
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
stop: sleep 100000 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 100000 microseconds
stop: system/name-service-cache:default... success
Stopping autofs
stop: sleep 100000 microseconds
stop: system/filesystem/autofs:default... success
ldap not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=-1
file_backup: No /etc/defaultdomain file.
file_backup: nis domain is " "
file_backup: stat(/var/yp/binding/ )=-1
file_backup: No /var/yp/binding/  directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname sf.extrapack.com... success
start: sleep 100000 microseconds
start: network/ldap/client:default... success
start: sleep 100000 microseconds
start: system/filesystem/autofs:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
start: sleep 100000 microseconds
start: network/smtp:sendmail... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
System successfully configured

After the 2nd run it shows this:

Handling manual option
Proxy DN: cn=admin,dc=domain,dc=com
Proxy password: {NS1}89eb3b864345f0
Credential level: 1
Authentication method: 1
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
stop: sleep 100000 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 100000 microseconds
stop: system/name-service-cache:default... success
Stopping autofs
stop: sleep 100000 microseconds
stop: system/filesystem/autofs:default... success
Stopping ldap
stop: sleep 100000 microseconds
stop: network/ldap/client:default... success
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: nis domain is "sf.extrapack.com"
file_backup: stat(/var/yp/binding/sf.extrapack.com)=-1
file_backup: No /var/yp/binding/sf.extrapack.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname sf.extrapack.com... success
start: sleep 100000 microseconds
start: network/ldap/client:default... success
start: sleep 100000 microseconds
start: system/filesystem/autofs:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
start: sleep 100000 microseconds
start: network/smtp:sendmail... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
System successfully configured

The obvious difference is

ldap not running
vs
Stopping ldap
stop: sleep 100000 microseconds
stop: network/ldap/client:default... success

which pointed me to edit the NWAM Automatic profile.
There are also differences in /var/ldap/ldap_client_cred and ldap_client_file.
Before:

#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_BINDDN= cn=admin,dc=domain,dc=com
NS_LDAP_BINDPASSWD= my-secret

#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 127.0.0.1
NS_LDAP_SEARCH_BASEDN= dc=domain,dc=com
NS_LDAP_CACHETTL= 0
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=users,dc=domain,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=domain,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=users,dc=domain,dc=com?sub

After:

#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_BINDDN= cn=admin,dc=domain,dc=com
NS_LDAP_BINDPASSWD= {NS1}89eb3b864345f0

#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 127.0.0.1:389
NS_LDAP_SEARCH_BASEDN= dc=domain,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=users,dc=domain,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=groups,dc=domain,dc=com?sub
NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
NS_LDAP_ATTRIBUTEMAP= shadow:shadowflag=shadowFlag
NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=homeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn
NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= group:memberuid=memberUid
NS_LDAP_ATTRIBUTEMAP= group:userpassword=userPassword
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=shadowAccount
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=posixAccount
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=posixGroup

===============================================================================
Finally I have a working

root at arhiv:/var/samba/log# getent passwd administration
administration:x:104:101:administration:/tmp:

The rest is just tweaking some values in LDAP to make SAMBA happy :)

Problem is solved!


On Wed, 07 Mar 2012 12:14:07 +0200, Jonathan Adams <t12nslookup at gmail.com> wrote:

> you still have "ldap" in your /etc/nsswitch.conf on the passwd and
> group lines? (are you using nwam?)
>
> does ldapsearch work without a password now?
>
> do you get anything from:
>
> ldapsearch -b ou=users,dc=domain,dc=com -D cn=admin,dc=domain,dc=com
> -w my-secret -s one uid=administration
>
> can you re-paste in your updated ldap_client_file
>
> an example of what looking at my username gives:
> t12nslookup at jadlaptop:~$ ldapsearch -s one -b
> ou=People,dc=domain,dc=com -D cn=Manager,dc=domain,dc=com -s one -w -
> uid=t12nslookup
> Enter bind password:
> version: 1
> dn: uid=t12nslookup,ou=People,dc=domain,dc=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: sambaSamAccount
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetLocalMailRecipient
> cn: Jonathan Adams
> uid: t12nslookup
> uidNumber: 64007
> gidNumber: 63020
> userPassword: {crypt}NPNPNPNPNPNP
> givenName: Jonathan
> sn: Adams
> homeDirectory: /home/t12nslookup
> o: My Company Ltd
> l: Manchester
> mail: t12nslookup at domain.com
> postalCode: M16 9FE
> registeredAddress: My Company Address
> shadowFlag: 0
> shadowLastChange: 11835
> sambaNTPassword: 34DFBB34763428723487F71CF1806DC7
> sambaSID: S-1-5-21-2469953014-4172709918-2210631845-1814
> sambaPrimaryGroupSID: S-1-5-21-2469953014-4172709918-2210631845-513
> sambaHomePath: \\SERVER\t12nslookup
> sambaHomeDrive: M:
> sambaProfilePath: \\SERVER\profiles\t12nslookup
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 1088504232
> sambaPwdMustChange: 2147483647
> mobile: 07918740616
> sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
>  00000000
> sambaAcctFlags: [U          ]
> loginShell: /bin/bash
> sambaPwdLastSet: 1305107652
> mailHost: SERVER
> gecos: Jonathan Adams
>



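The thread above turns on what ldapclient(1M) wrote into /var/ldap/ldap_client_cred and ldap_client_file, and the "Before" cred file shows the proxy password in clear text. The following is an added example, not code from the post or from OpenIndiana: it parses the "KEY= value" format of those two files (keys such as NS_LDAP_ATTRIBUTEMAP repeat) and flags the settings a defender would check, using constructed samples modelled on the "Before" files quoted above; the function names are my own.

```python
# Constructed samples modelled on the "Before" ldap_client_cred / ldap_client_file in the post.
SAMPLE_CRED_BEFORE = """#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_BINDDN= cn=admin,dc=domain,dc=com
NS_LDAP_BINDPASSWD= my-secret
"""

SAMPLE_CLIENT_BEFORE = """NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 127.0.0.1
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=users,dc=domain,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=domain,dc=com?sub
"""


def parse_ldapclient(text):
    """Parse 'KEY= value' lines into {key: [values]}.
    Keys like NS_LDAP_ATTRIBUTEMAP legitimately repeat, so every value is kept in order."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")   # split on the FIRST '=' only; DNs contain '='
        if sep:
            cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg


def audit(cred, client):
    """Return findings a defender would want before trusting this LDAP client config."""
    findings = []
    pw = cred.get("NS_LDAP_BINDPASSWD", [""])[0]
    # ldapclient normally stores the proxy password as {NS1}...; that is a reversible
    # encoding rather than keyed encryption, so strict file permissions still matter.
    if pw and not pw.startswith("{NS1}"):
        findings.append("proxy password stored in clear text")
    local = ("127.0.0.1", "localhost", "::1")
    if "simple" in client.get("NS_LDAP_AUTH", []):
        for srv in client.get("NS_LDAP_SERVERS", []):
            host = srv.split(":")[0] if srv.count(":") == 1 else srv   # strip ':389'
            if host not in local:
                findings.append(f"simple bind to remote server {srv} sends the proxy password in clear")
    if client.get("NS_LDAP_SEARCH_REF", ["FALSE"])[0].upper() != "FALSE":
        findings.append("referral following enabled")
    return findings
```

Run it against the real files as root on the client to see whether the cred file still carries a clear-text password after a first, partial ldapclient run, as it did in this thread.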