Web lists-archives.com

Re: [Samba] Fwd: Migrating server




Am Donnerstag, 1. März 2018, 16:05:36 CET schrieb Rob Thoman via samba:
> Yes please for the notes.
> 
> I re-ran the tests without the smbldap-tools. I installed phpldapadmin
> and am able to login to the apache page using the cn=admin,
> dn=mydomain and create entries. This kind of tells me that LDAP is
> working
> 
> Then I run the pdbedit -Lv and it lists all the users.
> 
> The following happens when I add the LDAP bits to smb.conf and restart
> samba.The issue seems to be with samba and ldap intergration. Just to
> re-iterate we have samba 3.6. The following errors keeps coming up.
> 
> pdbedit -Lv
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
> smbldap_open_connection: connection opened
> add_new_domain_info: failed to add domain dn=
> sambaDomainName=MYDOMAIN,dc=mydomain with: Invalid DN syntax
>         invalid DN
> smbldap_search_domain_info: Adding domain info for MYDOMAIN failed
> with NT_STATUS_UNSUCCESSFUL
> pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to
> the domain
> pdb_init_ldapsam: Continuing on regardless, will be unable to allocate
> new users/groups, and will risk BDCs having inconsistent SIDs
> 
> 
>          obey pam restrictions = no
>         dns forwarder = 8.8.8.8
> passdb backend = ldapsam:ldap://sam3dc.mydomain/
>     ldap admin dn = cn=admin,dc=mydomain
>   ldap group suffix = ou=Groups
>   ldap idmap suffix = ou=Users
>   ldap machine suffix = ou=Computers
>   ldap passwd sync = yes
>     ldap suffix = dc=mydomain
>   ldap user suffix = ou=Users
> ldap ssl = off
> ldap passwd sync = yes
> 
> /etc/ldap/ldap.conf
> BASE    dc=mydomain
> URI     ldap://sam3dc.mydomain ldap://sam3dc.mydomain:666
This line is wrong, I asume, but let us verify how your ldap server is started:

$ cat /proc/$(pidof slapd)/cmdline|xargs -0 ;echo
/usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d

I do not have a server on port 666 and you may also not.


If you have a listener on ldapi, show us the base:

$ ldapsearch -xLLL -s base -b dc=kronprinz,dc=xx +
dn: dc=kronprinz,dc=xx
structuralObjectClass: organization
entryUUID: 4f120bb2-1ec1-1033-881e-8177fc263f99
creatorsName: cn=admin,dc=kronprinz,dc=xx
createTimestamp: 20140131124529Z
entryCSN: 20140131124529.134733Z#000000#000#000000
modifiersName: cn=admin,dc=kronprinz,dc=xx
modifyTimestamp: 20140131124529Z
entryDN: dc=kronprinz,dc=xx
subschemaSubentry: cn=Subschema
hasSubordinates: TRUE

Your cmd should look like:
$ ldapsearch -xLLL -s base -b dc=mydomain +

as root user:

Let us check if you have loaded the samba schema:

# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'olcAttributeTypes=*' dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

On this machine samba schema is *not loaded* 


Here it is and some other usefull schemas:

# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'olcAttributeTypes=*' dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

dn: cn={4}corba,cn=schema,cn=config

dn: cn={6}samba,cn=schema,cn=config

dn: cn={7}dhcp,cn=schema,cn=config

dn: cn={8}quota,cn=schema,cn=config



check your secrets.tdb in /var/lib/samba
# tdbdump secrets.tdb |egrep 'SID|LDAP'
key(16) = "SECRETS/SID/ALIX"
key(18) = "SECRETS/SID/SCHULE"
key(45) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=afrika,dc=xx"

key16 is the hostname,
key18 is the netbios domain name, both in upper case
key45 is the admin DN of your ldap server and should contain the admin password, like:
data(8) = "secrets\00"

And check that this ldap server is authoritive for your samba domain:

# ldapsearch -xLLL -b dc=afrika,dc=xx -s sub -D cn=admin,dc=afrika,dc=xx -w 'sambadomainname=*'
dn: sambaDomainName=SCHULE,dc=afrika,dc=xx
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: SCHULE
sambaSID: S-1-5-21-1507708399-2130971284-2230424465
sambaAlgorithmicRidBase: 1000
sambaNextRid: 100000
sambaNextUserRid: 2000
sambaNextGroupRid: 100000
uidNumber: 10001
gidNumber: 2000
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0

Important is "objectClass, sambaDomainName and sambaSID"

And please, show us the imortant sections of your smb.conf. Perhaps in a private mail:

# cat /etc/samba/smb.conf| egrep -v '^[[:space:]]*#|^;|^$'
[global]
        server string        = Schulserver %h
        workgroup = SCHULE
        netbios name         = alix
        interfaces           = lo  10.100.0.1/255.255.0.0
        bind interfaces only = Yes
        hosts allow          = 127. 10.100.
        unix extensions      = yes
        time server          = yes
        case sensitive       = no
        preserve case        = yes
        short preserve case  = yes
        logon script         = logon.bat %u %U %a %g %G %m
        logon path           = \\%L\profile\%G\%U\%a
        logon drive          = L:
        logon home           = \\%L\profile\%G\%U\%a
        domain logons        = yes
        domain master        = yes
        local master         = yes
        os level             = 99
        preferred master     = yes
        passdb backend       = ldapsam
        ldap passwd sync     = yes
        pam password change  = yes
        security             = user
        ldap suffix          = dc=afrika,dc=xx
        ldap admin dn        = cn=admin,dc=afrika,dc=xx
        ldap group suffix    = ou=groups
        ldap user suffix     = ou=people,ou=accounts
        ldap machine suffix  = ou=machines,ou=accounts
        passwd program       = /usr/sbin/smbldap-passwd %u
        add machine script   = /usr/local/sbin/delixs-smb-useradd "%u"
        ldap delete dn       = yes
        ldap ssl             = no 
        ldap passwd sync     = yes
        passwd chat          = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully*
        encrypt passwords = true
        dns proxy            = no
        wins support         = yes
        admin users          = adm, root, Administrator
        enable privileges    = yes 
        guest account        = nobody
        mangled names        = no
        log level            = 1
        veto files           = /*.eml/*.nws/riched20.dll/autorun.inf/
[netlogon]
        comment              = Anmeldeverzeichnis
        browsable            = yes
        path                 = /etc/samba/scripts
        public               = yes
        write list           = adm, root
        guest ok             = yes
        locking              = no
        root preexec         = /etc/samba/exec/prelogon %u %U %a %g %G %m
[homes]
        comment              = Stammverzeichnis
        browseable           = no
        read only            = no
        inherit permissions  = yes
        create mask          = 0755
        map hidden           = yes
        map system           = yes
        hide dot files       = yes
        wide links           = no

This is *not* the best smb.conf you should have but it is a working one with smbldap tools.

Today samba is much faster with these settings and w/o smbldap:
ldapsam:trusted = yes
ldapsam:editposix = yes

> On Thu, Mar 1, 2018 at 10:51 AM, Rob Thoman <emailthomasrob@xxxxxxxxx>
> wrote:
> > Yes please
> > 
> > On Wed, Feb 28, 2018 at 9:34 PM, Rowland Penny via samba <
> > 
> > samba@xxxxxxxxxxxxxxx> wrote:
> >> On Wed, 28 Feb 2018 20:41:43 +1000
> >> 
> >> Rob Thoman via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >> > root@sam3dc # smbldap-populate
> >> > Use of qw(...) as parentheses is deprecated at /usr/share/perl5/
> >> > smbldap_tools.pm line 1423, <DATA> line 522.
> >> > Unable to open /etc/smbldap-tools/smbldap.conf for reading !
> >> > Compilation failed in require at /usr/sbin/smbldap-populate line
> >> > 30.
> >> > BEGIN failed--compilation aborted at /usr/sbin/smbldap-populate
> >> > line
> >> > 30.
> >> 
> >> The problem is that smbldap-tools appears to be a dead project,
> >> last
> >> time I looked, it had disappeared from the internet.
> >> That's the bad news, the good news is, you do not need it ;-)
> >> 
> >> You have (in your smb.conf):
> >> 
> >> ldapsam:trusted = yes
> >> ldapsam:editposix = yes
> >> 
> >> With these lines, Samba itself can admin ldap, I can provide you
> >> with
> >> some notes I made last year when testing this very subject,
> >> interested ?>> 
> >> > The file in question doesn't even exist. Any ideas?
> >> > 
> >> > Also, in one of the samba list articles, I read that we'll need
> >> > to run pdbedit -i tdbsam -e ldapsam to import the info from tdb
> >> > to ldap. When do we do this one?
> >> 
> >> Presumably, once you get your PDC up and running, the how is a
> >> question I cannot answer ;-)
> >> 
> >> Rowland
> >> 
> >> 
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba


-- 

Gruss
	Harry Jede
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba