
Re: [Samba] Re: Need help with IDMAP storage in LDAP using Winbind

09-29-2005
Paul Kölle

Kristof Bruyninckx wrote:

snip
> Sep 29 10:59:52 linux14 slapd: ==> ldbm_back_bind: dn:
> cn=Manager,dc=thales,dc=be
> Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=49 matched="" text=""
> Sep 29 10:59:52 linux14 slapd: daemon: select: listen=7 active_threads=0
> tvp=NULL
> Sep 29 10:59:52 linux14 slapd: daemon: activity on 1 descriptors
> Sep 29 10:59:52 linux14 slapd: daemon: activity on: 8r
> Sep 29 10:59:52 linux14 slapd: daemon: read activity on 8
> Sep 29 10:59:52 linux14 slapd: connection_get(8)
> snip"
>
> which in my opinion is odd since it is no longer used in samba. And it
> fails to authenticate. I tried a reset of the password, and changed the
> entries in ldap.conf and slapd.conf. Once done, I tried to modify an
> existing entry with ldapmodify, which was successful. Is samba here
> still trying to access the LDAP with this account?

Probably not, but I'm pretty sure you have nss-ldap installed with a
configured /etc/ldap.conf or wherever this file is on your distro.


> Sep 29 10:59:52 linux14 slapd: <= check a_dn_pat: anonymous
> Sep 29 10:59:52 linux14 slapd: <= acl_mask: [3] applying auth(=x) (stop)
> Sep 29 10:59:52 linux14 slapd: <= acl_mask: [3] mask: auth(=x)
> Sep 29 10:59:52 linux14 slapd: => access_allowed: auth access granted by
> auth(=x)
> Sep 29 10:59:52 linux14 slapd: daemon: select: listen=7 active_threads=0
> tvp=NULL
> Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=0 matched="" text=""
> Sep 29 10:59:52 linux14 slapd: daemon: activity on 1 descriptors
> Sep 29 10:59:52 linux14 slapd: daemon: activity on:
> snip"
>
> Whatever is happening here, it seems that the samba user is not
> getting write permissions.

Before the password is checked the bind is "anonymous" and it requests
auth access to userPassword which is granted. That's how things are
supposed to work. err=0 above indicates no error.

> Sep 29 10:59:52 linux14 slapd: <= acl_mask: [1] applying write(=wrscx)
> (stop)
> Sep 29 10:59:52 linux14 slapd: <= acl_mask: [1] mask: write(=wrscx)
> Sep 29 10:59:52 linux14 slapd: => access_allowed: read access granted by
> write(=wrscx)
> Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=0 matched="" text=""
> snip"
>
> But here LDAP does grant the samba user the proper permissions.

Sure, the request was for "entry" and "objectClass" etc., so the
condition in the "access to attrs=userPassword" doesn't match here.

> Sep 29 10:59:52 linux14 slapd: modifications:
> Sep 29 10:59:52 linux14 slapd: add: objectClass
> Sep 29 10:59:52 linux14 slapd: one value, length 15
> Sep 29 10:59:53 linux14 slapd: add: uidNumber
> Sep 29 10:59:53 linux14 slapd: one value, length 5
> Sep 29 10:59:53 linux14 slapd: add: gidNumber
> Sep 29 10:59:53 linux14 slapd: one value, length 5
> *Sep 29 10:59:53 linux14 slapd: send_ldap_result: err=21 matched=""
> text="objectClass: value #0 invalid per syntax"*

Google would have told you this error stems from unrecognized
objectClass definitions. You are probably missing an "include" statement in
slapd.conf. You need at least core.schema, cosine.schema, nis.schema,
samba.schema (in that order).

cheers
Paul


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
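
Added example, not part of the original post or of Samba/OpenLDAP: a small triage script that pulls the non-zero `send_ldap_result` codes out of slapd debug output like the excerpts quoted above, rejoins the mail-wrapped lines, and ties each failed bind (err=49) to the DN that attempted it. The function names and the sample string are this example's own; the sample is assembled from the log lines in the thread, and the result-code names follow RFC 4511.

```python
import re

# LDAP result codes that appear in this thread, named per RFC 4511.
RESULT_NAMES = {0: "success", 21: "invalidAttributeSyntax", 49: "invalidCredentials"}

STAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\s")
BIND = re.compile(r"_back_bind: dn:\s*(.+)$")
RESULT = re.compile(r'send_ldap_result: err=(\d+) matched="[^"]*"\s+text="([^"]*)"')

def unwrap(text):
    """Strip mail quoting; a line without a syslog timestamp continues the previous record."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> *").rstrip("* ")
        if STAMP.match(line):
            records.append(line)
        elif records and line:
            records[-1] += " " + line
    return records

def failures(text):
    """Return (code, name, context) per non-zero result; context is the bind DN for err=49."""
    out, last_bind_dn = [], None
    for rec in unwrap(text):
        m = BIND.search(rec)
        if m:
            last_bind_dn = m.group(1)
            continue
        m = RESULT.search(rec)
        if not m or m.group(1) == "0":
            continue
        code = int(m.group(1))
        context = last_bind_dn if code == 49 else m.group(2)
        out.append((code, RESULT_NAMES.get(code, "other"), context))
    return out

# Sample input: log excerpts from the thread above, quoting and wrapping kept.
SAMPLE = """\
> Sep 29 10:59:52 linux14 slapd: ==> ldbm_back_bind: dn:
> cn=Manager,dc=thales,dc=be
> Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=49 matched="" text=""
> Sep 29 10:59:52 linux14 slapd: send_ldap_result: err=0 matched="" text=""
> *Sep 29 10:59:53 linux14 slapd: send_ldap_result: err=21 matched=""
> text="objectClass: value #0 invalid per syntax"*
"""

if __name__ == "__main__":
    for code, name, context in failures(SAMPLE):
        print(f"err={code} ({name}): {context}")
```

Seeing which DN is behind each err=49 makes it easier to spot a stale bind account configured outside Samba, such as the nss-ldap case suggested in the reply.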