
Re: [Samba] Samba NT4 to AD- LDAP




On Sun, 25 Mar 2018 17:53:31 +1300
Andrew Bartlett <abartlet@xxxxxxxxx> wrote:

> On Sat, 2018-03-24 at 20:00 +0000, Rowland Penny via samba wrote:
> > On Sun, 25 Mar 2018 08:01:57 +1300
> > Andrew Bartlett <abartlet@xxxxxxxxx> wrote:
> > 
> > > On Sat, 2018-03-24 at 12:50 +0000, Praveen Ghimire via samba
> > > wrote:
> > > > Hi Rowland,
> > > > 
> > > > I did that initially and that came with 
> > > > Failed to connect to ldap URL 'ldap://lin-pdc.lin - LDAP client
> > > > internal error: NT_STATUS_BAD_NETWORK_NAME Hence I removed the
> > > > whole ldap:// bit
> > > > 
> > > > After your email I tried again but using ldap://localhost and it
> > > > seems to have worked. Not sure what the issue is with the fqdn.
> > > > I could run ldap queries when using fqdn.
> > > > 
> > > 
> > > This patch should fix it.
> > > 
> > > Praveen can you test it?  
> > > 
> > > Rowland, after Praveen has tested it, perhaps you would like to
> > > review it?  We don't have the infrastructure for a test against
> > > the LDAP backend (a long-standing problem) so sadly there is no
> > > automatic test. 
> > > 
> > > Thanks,
> > > 
> > > Andrew Bartlett
> > > 
> > 
> > Hi Andrew, but what if the ldap server isn't on localhost ?
> 
> Then there would have needed to be a server specified in the passdb
> backend option. 
> 
> > Praveen's smb.conf had this:
> > 
> > idmap config *: ldap_url = ldap://lin-pdc.lin/
> > 
> > This is valid, so it looks like the 'idmap config' lines need to be
> > parsed as well. Check if 'ldapsam' contains the URL, if not parse
> > the 'idmap config' lines for the URL and then, if still not found,
> > fall back to 'localhost'
> 
> It is unclear to me exactly what is going on in this
> configuration (passdb and idmap should be pointing at the same server
> in most configurations).  
> 
> However it doesn't change what passdb is pointing at, and for the
> moment I don't want to make it more complex, while respecting in
> python the default from the C code.  
> 
> As background: when I wrote the upgrade code I wasn't aware of the
> localhost default, as I've always used ldapi:// on local connections.
> 
> I hope this clarifies things,
> 
> Andrew Bartlett

Yes, after reading man smb.conf, I find you are quite correct and I
think this probably explains why I couldn't get an NT4-style domain Unix
domain member to work. The 'passdb backend = ldapsam' line was trying to
connect to 'localhost' and the 'idmap config *: ldap_url =
ldap://PDC.FQDN/' line was trying to connect to the PDC.

Rowland
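The mismatch the thread ends on (a bare 'passdb backend = ldapsam' silently connecting to ldap://localhost while 'idmap config *: ldap_url' points at the PDC) is easy to miss by eye. Below is an added example, not code from Samba or from anyone in this thread, that parses an smb.conf and reports where the two settings actually connect, applying the documented ldapsam default of ldap://localhost when no URL is given. The two configurations and the host name lin-pdc.lin are constructed for the example, modelled on the one discussed above; the function names are my own.

```python
"""Report where 'passdb backend = ldapsam' and 'idmap config <domain> : ldap_url'
really connect in an smb.conf, so that a passdb/idmap split like the one in the
thread above shows up before the domain member (or classicupgrade) fails.
Added example, not Samba's own code."""
import configparser
from typing import Dict, List, Optional

# man smb.conf: ldapsam "Takes an LDAP URL as an optional argument
# (defaults to ldap://localhost)".
LDAPSAM_DEFAULT_URL = "ldap://localhost"

# Constructed sample (hypothetical host lin-pdc.lin), shaped like the config
# discussed in the thread: passdb has no URL, idmap points at the PDC.
MISMATCHED_SMB_CONF = """\
[global]
    workgroup = LIN
    security = user
    passdb backend = ldapsam
    idmap config * : backend = ldap
    idmap config * : range = 10000-99999
    idmap config *: ldap_url = ldap://lin-pdc.lin/
"""

# Same config with the server named explicitly on the passdb line, so both
# settings point at the same LDAP server.
CONSISTENT_SMB_CONF = """\
[global]
    workgroup = LIN
    security = user
    passdb backend = ldapsam:ldap://lin-pdc.lin/
    idmap config * : backend = ldap
    idmap config * : range = 10000-99999
    idmap config *: ldap_url = ldap://lin-pdc.lin/
"""


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is ini-like; only '=' separates keys from values here, because
    idmap keys themselves contain ':' ('idmap config * : ldap_url')."""
    cp = configparser.ConfigParser(
        delimiters=("=",),
        comment_prefixes=("#", ";"),
        interpolation=None,
        strict=False,  # real files sometimes repeat a key; take the last one
    )
    cp.read_string(text)
    return cp


def passdb_ldap_url(cp: configparser.ConfigParser) -> Optional[str]:
    """URL ldapsam will connect to, or None if passdb backend is not ldapsam."""
    value = cp.get("global", "passdb backend", fallback="").strip()
    if not value.startswith("ldapsam"):
        return None
    _, _, url = value.partition(":")  # 'ldapsam' or 'ldapsam:<url>'
    url = url.strip().strip('"')       # URLs may be double-quoted
    return url or LDAPSAM_DEFAULT_URL


def idmap_ldap_urls(cp: configparser.ConfigParser) -> Dict[str, str]:
    """Map each idmap domain ('*', 'SAMDOM', ...) to its ldap_url."""
    urls: Dict[str, str] = {}
    for key, value in cp.items("global"):
        if key.startswith("idmap config") and key.endswith("ldap_url"):
            # key is 'idmap config <domain> : ldap_url' (configparser lower-cases it)
            domain = key[len("idmap config"):].rsplit(":", 1)[0].strip()
            urls[domain] = value.strip().strip('"')
    return urls


def check_ldap_targets(text: str) -> List[str]:
    """One message per idmap domain whose ldap_url differs from the passdb target."""
    cp = parse_smb_conf(text)
    passdb = passdb_ldap_url(cp)
    if passdb is None:
        return []  # tdbsam or similar; nothing to compare
    problems = []
    for domain, url in idmap_ldap_urls(cp).items():
        if url.rstrip("/") != passdb.rstrip("/"):
            problems.append(
                f"passdb backend connects to {passdb} but idmap config {domain} uses {url}"
            )
    return problems


if __name__ == "__main__":
    for name, conf in (("mismatched", MISMATCHED_SMB_CONF), ("consistent", CONSISTENT_SMB_CONF)):
        print(name, check_ldap_targets(conf) or "ok")
```

Run it against a real /etc/samba/smb.conf by passing the file contents to check_ldap_targets(); an empty list means passdb and idmap agree on the server. The comparison is textual (trailing slash ignored), so ldap://localhost and ldapi:// or an ldaps:// form of the same host are deliberately reported as different targets.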
 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba