HOWTO: Samba PDC with LDAP backend


Sylhouette
December 3rd, 2008, 11:40
Hello all.
I have put this Howto in an HTML on the web.

This makes it easier to edit it, and keep it up to date.

You can find it here:
http://www.xs4all.nl/~doub/samba-ldap/index.html

I updated it.
This howto uses FreeBSD 8.1 with the ports tree from 12-10-2010.


I put in the BIND and DHCP config also.

regards,
Johan

DutchDaemon
October 15th, 2010, 17:34
Since the first post was radically altered, the entire thread following it became 'orphaned', so we may as well start over again with the new information in the first post as a starting point.

fdge
October 21st, 2010, 21:52
I keep getting "segmentation fault" with slapd and I'm just lost now with what could be wrong.

Sylhouette
October 22nd, 2010, 11:56
What do you get when you do a pkg_info?

Also, have you tried pkg_delete openldap-server-<version>
and then a reinstall?
You can also try pkg_add -r openldap-server; this way you install a package.
If that one also crashes, something else is going on.

regards,
Syl

fdge
October 22nd, 2010, 14:34
Thank you.

For the record I was using:
pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/All/openldap-server-2.4.23.tbz

and trying pkg_add -r openldap-server led me to this and it worked.

pkg_add -r openldap24-server
(pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.1-release/Latest/openldap24-server.tbz)

alisel
October 27th, 2010, 15:01
Hi! I followed the HOWTO (thank you very much for your efforts!!) but I have a little issue. After applying changes to nsswitch.conf I get: nss_ldap could not search LDAP server. Slapd is up and running. Any ideas?

Sylhouette
November 2nd, 2010, 12:56
Did you fill the database?

Also make sure the ldap.conf file is correct!

Gr
Syl

TitanIT
November 4th, 2010, 05:38
Thank you for the good job on that howto.

I set up an 8.1 box based on this config using Nov 1st 2010 ports.

I think I ended up using a newer version of perl, but it all went fairly smoothly and it seems to work.

I joined an XP box to the domain, successfully logged in as root and decided to download Usermgr.exe as mentioned in the howto. I downloaded usermgr.exe from Microsoft. I can see the accounts, but once I try to do anything it says "A device attached to the system is not functioning". Nothing strange on the workstation/firewall or whatnot, and nothing odd in the logs that I can tell.

Anyone experience this that knows a quick fix?

Cheers

- Chris

Sylhouette
November 4th, 2010, 15:48
Did you do the last step?

net rpc join -S smb-server01 -Uroot


Also, you can try to use quotes around the %x settings in the smb.conf file like below, and reload/restart Samba.


# scripts invoked by samba
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%m"


regards,
Johan

fuzzy-hat
November 14th, 2010, 21:17
Tried following this a few times, always running into some sort of error.

Cleaned 8.1 FreeBSD install and I followed the guide until I get to the part about starting slapd and get the following error:

# /usr/local/etc/rc.d/slapd start
Starting slapd.
Unrecognized database type (bdb)
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd


I can't seem to figure out how to fix it. I watched it install BDB, so I'm not sure why it's complaining. I ended up using Samba 3.4.8 because apparently I can't figure out how to get the newest version to appear in /usr/ports/. Hopefully that won't matter...

TitanIT
November 15th, 2010, 17:56
fuzzy-hat -
Samba 3.5.6 was in ports 2 weeks back; now it has a bad plist.

I had the same issue make sure you have the following line in your slapd.conf:

moduleload back_bdb

Sylhouette -

I did the net join command the first time around. I haven't been able to test the quotes yet; I'll let you know if that fixes it.

Thanks,

- Chris

Sylhouette
November 15th, 2010, 20:07
About the moduleload back_bdb in the slapd.conf file: I had to remove it.
If I left it in there, it would not start and errored out with something like "module BDB already loaded" (from memory).


I will add it to the howto.

Gr
Syl

TitanIT
November 15th, 2010, 22:55
Syl, I think it's the way the newer version is built in ports.

I tried to use quotes around the %x settings in the smb.conf but unfortunately still getting the same error as posted earlier.
- Chris

Sylhouette
November 16th, 2010, 22:05
I know I had this error message once.
I do not remember what I did to resolve this.

Could it be that CUPS is not running?
If my memory serves me well, it had something to do with a service that is not running, but I could be wrong.

If I have some more time, I will look into this.

Gr
Syl

fuzzy-hat
November 25th, 2010, 22:35
Thanks for the suggestion.
I'm going to give it another go.

fuzzy-hat
November 29th, 2010, 21:56
I'd like to start by pointing out I'm an idiot. I've found some of my mistakes. So for anyone else reading this:


# /usr/local/etc/rc.d/slapd start
Starting slapd.
Unrecognized database type (bdb)
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd

I can't seem to figure out how to fix it. I watched it install BDB, so I'm not sure why it's complaining.
This is actually addressed in the HOW TO. It's possible it wasn't there until recently but more likely I skimmed over it because I've never had to change that value before. All I had to do was actually read the guide and uncomment
moduleload back_bdb
in the slapd.conf file to make it work.

I ended up using Samba 3.4.8 because apparently I can't figure out how to get the newest version to appear in /usr/ports/.
As for this, from what I understood from googling, the way to update your ports tree was to use csup or cvsup (I think I tried something else as well). It of course looked like it was updating to me, but nothing ever changed.

Today I finally found out that you run:
portsnap fetch
portsnap extract

to update your ports tree.

Next time I will try to read better. Sorry for wasting people's time.

tanked
December 22nd, 2010, 15:31
Hello, if I want to add a FreeBSD ZFS file server to a Windows 2003 AD domain, could anybody point out what modifications I need to make to this how-to (obviously I won't need LDAP, DHCP etc...)

Sylhouette
December 23rd, 2010, 20:52
Try following the directions I posted in the following thread:

http://forums.freebsd.org/showthread.php?t=20007

Gr
Syl

padrino
March 20th, 2011, 16:08
Hi

First of all, thank you for the HowTO!

I have some small problems with my config. I am trying to get my LDAP into a jail, so the network config of the host is: fxp0 192.168.1.66 with an alias for the jail on 192.168.100.1; the jail is called "ldap-jail".

The first problem I have is running slapd with
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://127.0.0.1/ ldap://192.168.100.1/"'

Without the parameter ldap://192.168.100.1 slapd starts without problems, but with the parameter I get:

Mar 18 21:28:39 LDAP slapd[25467]: @(#) $OpenLDAP: slapd 2.4.24 (Mar 18 2011 16:32:42) $ root@LDAP:/usr/ports/net/openldap24-server/work/openldap-2.4.24/servers/slapd
Mar 18 21:28:39 LDAP slapd[25467]: daemon: bind(8) failed errno=48 (Address already in use)
Mar 18 21:28:39 LDAP slapd[25467]: slapd stopped.
Mar 18 21:28:39 LDAP slapd[25467]: connections_destroy: nothing to destroy.


So I proceed without this parameter, but at the end of the samba section I have another problem when I try to populate the database:


smb-server01# smbldap-populate -u 10000 -g 10000 -r 10000
Populating LDAP directory for domain TESTDOMAIN (S-1-5-21-3989252577-37338151-2932095156)
(using builtin directory structure)

adding new entry: dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 7.
adding new entry: ou=People,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 12.
adding new entry: ou=Groups,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 17.
adding new entry: ou=Computers,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 22.
adding new entry: ou=Idmap,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 27.
adding new entry: uid=root,ou=People,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 58.
adding new entry: uid=nobody,ou=People,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 89.
adding new entry: cn=Domain Admins,ou=Groups,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 101.
adding new entry: cn=Domain Users,ou=Groups,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 112.
adding new entry: cn=Domain Guests,ou=Groups,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 123.
adding new entry: cn=Domain Computers,ou=Groups,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 134.
adding new entry: cn=Administrators,ou=Groups,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 179.
adding new entry: cn=Account Operators,ou=Groups,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 201.
adding new entry: cn=Print Operators,ou=Groups,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 212.
adding new entry: cn=Backup Operators,ou=Groups,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 223.
adding new entry: cn=Replicators,ou=Groups,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 234.
adding new entry: sambaDomainName=TESTDOMAIN,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 242.

Please provide a password for the domain root:
No such object at /usr/local/lib/perl5/site_perl/5.12.3/smbldap_tools.pm line 409.


Now I don't know how to resolve this issue and proceed... any ideas?

Thank you

P.S. At the end of smbldap.conf there is smbpasswd="/usr/local/bin/smbpasswd"; that should be smbpasswd="/usr/local/sbin/smbpasswd".

padrino
March 20th, 2011, 18:37
Sorry for the double-post.

The second issue I had is now solved; I forgot a "{" in my configuration file. Unfortunately I'm still not able to join my domain controller.


smb-server01# net rpc join -S smb-server01 -Uroot
Connection failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Enter root's password:
Could not connect to server smb-server01
Connection failed: NT_STATUS_INVALID_NETWORK_RESPONSE


It also fails when I'm trying to join from a Windows client; maybe the reason is the missing parameter 192.168.100.1 in /etc/rc.conf? :\

CKeoni86
April 21st, 2011, 23:39
Hello,

I'm running into the same error as padrino. I followed the tutorial for setting up a Samba PDC with LDAP backend from Sylhouette quite strictly.


Please provide a password for the domain root:
No such object at /usr/local/lib/perl5/site_perl/5.12.3/smbldap_tools.pm line 409.


Can anyone point me in the right direction to resolve this dilemma?

Thanks in advance.

toomanysecrets
May 9th, 2011, 12:49
Hi Padrino.

Sorry for the double-post.

The second issue I had is now solved, I forgot a "{" in my configuration file. Unfortunately I'm still not able to join my domaincontroller.



Please, could you tell me in which configuration file you forgot the "{"? I'm also following the same URL for FreeBSD+Samba+PDC and have the same issue as you.

Thank you!!
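
The "modifications require authentication" errors from smbldap-populate quoted above mean the tools bound to slapd without the manager credentials, so the directory refused the writes, and the "No such object" that follows is just the consequence (the root entry was never created). Below is an added example, not part of the howto or of smbldap-tools, of a pre-flight check that reads the two smbldap-tools files the howto uses (/usr/local/etc/smbldap-tools/smbldap.conf and smbldap_bind.conf), expands ${suffix} the way the tools do, and refuses to proceed if masterDN or masterPw look wrong. The sample file contents are constructed; the broken one shows the one plausible effect of a mistyped "${suffix}" reference, which is an assumption about what went wrong here, not something the thread confirms. That the tools expand ${suffix} inside smbldap_bind.conf as well as smbldap.conf is also assumed.

```shell
#!/bin/sh
# Added example, not from the howto: check the smbldap-tools manager bind
# settings before running smbldap-populate.
# Assumption: smbldap-tools expand ${suffix} in smbldap_bind.conf as they do
# in smbldap.conf. Sample contents below are constructed for the demo.

# conf_get FILE KEY: print the value of KEY="value" (quotes optional); last match wins.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# expand_suffix VALUE SUFFIX: replace every literal ${suffix} in VALUE with SUFFIX.
expand_suffix() {
    printf '%s\n' "$1" | awk -v s="$2" '{
        while ((i = index($0, "${suffix}")) > 0)
            $0 = substr($0, 1, i - 1) s substr($0, i + 9)
        print
    }'
}

# check_bind_config SMBLDAP_CONF BIND_CONF: returns 0 if the manager bind looks sane.
check_bind_config() {
    _suffix=$(conf_get "$1" suffix)
    _dn=$(expand_suffix "$(conf_get "$2" masterDN)" "$_suffix")
    _pw=$(conf_get "$2" masterPw)
    _rc=0
    [ -n "$_suffix" ] || { echo "suffix is not set in $1" >&2; _rc=1; }
    [ -n "$_dn" ]     || { echo "masterDN is not set in $2" >&2; _rc=1; }
    [ -n "$_pw" ]     || { echo "masterPw is empty in $2: populate would bind anonymously" >&2; _rc=1; }
    case "$_dn" in
        *'$'*) echo "masterDN still contains '\$' after expansion: $_dn" >&2; _rc=1 ;;
    esac
    case "$_dn" in
        *",$_suffix") ;;   # the manager DN must live under the configured suffix
        *) echo "masterDN '$_dn' does not end in suffix '$_suffix'" >&2; _rc=1 ;;
    esac
    return $_rc
}

# write_samples DIR: a constructed smbldap.conf plus a correct and a broken bind file.
write_samples() {
    cat > "$1/smbldap.conf" <<'EOF'
suffix="dc=testdomain,dc=com"
usersdn="ou=People,${suffix}"
computersdn="ou=Computers,${suffix}"
EOF
    cat > "$1/good_bind.conf" <<'EOF'
masterDN="cn=Manager,${suffix}"
masterPw="secret"
EOF
    # the "{" is missing, so ${suffix} is never expanded and the DN is nonsense
    cat > "$1/bad_bind.conf" <<'EOF'
masterDN="cn=Manager,$suffix}"
masterPw="secret"
EOF
}

d=$(mktemp -d) && write_samples "$d" || exit 1
check_bind_config "$d/smbldap.conf" "$d/good_bind.conf" && echo "good_bind.conf: OK"
check_bind_config "$d/smbldap.conf" "$d/bad_bind.conf"  || echo "bad_bind.conf: rejected"
rm -rf "$d"
```

On a real box, point check_bind_config at the two files under /usr/local/etc/smbldap-tools and only run smbldap-populate when it returns 0; the check is static, so a correct DN with a wrong password still needs an actual bind test (for example ldapwhoami with -D and -w) against the running slapd.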

bsus
July 9th, 2011, 13:20
Hi, I followed the howto until net getlocalsid, but here I am getting the following output:
net getlocalsid
[2011/01/15 14:18:01.950062, 0] lib/smbldap.c:1151(smbldap_connect_system)
failed to bind to server ldap://192.168.178.4/ with dn="cn=Manager,dc=fritz,dc=box" Error: Can't contact LDAP server
(unknown)
SID for domain SAMBA_SERVER is: S-1-5-21-995152089-1900560301-1122320211

Can I ignore this or is this more than just a warning?

Regards

Sylhouette
November 2nd, 2011, 18:20
Yes, you can. I did a little upgrade to the howto and used the smbldap config script.

It times out because the ldap server is not running.

regards
Johan

illex
November 5th, 2011, 14:20
Hi! When I used the testparm command, I received some warnings. Can somebody help me with that? And thanks for the HOWTO.


srv01# testparm /usr/local/etc/smb.conf
Load smb config files from /usr/local/etc/smb.conf
max_open_files: increasing sysctl_max (11095) to minimum Windows limit (16384)
rlimit_max: increasing rlimit_max (11095) to minimum Windows limit (16384)
WARNING: The "enable privileges" option is deprecated
WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Processing section "[netlogon]"
Processing section "[homes]"
Processing section "[Profiles]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[data]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

illex
November 5th, 2011, 14:41
Oh,
max_open_files: increasing sysctl_max (11095) to minimum Windows limit (16384)
rlimit_max: increasing rlimit_max (11095) to minimum Windows limit (16384)

It was fixed by editing /boot/loader.conf. But the WARNINGs continue.

Sylhouette
November 5th, 2011, 16:33
/boot/loader.conf values are only read at bootup.
So you need to reboot the machine.

regards
Johan

illex
November 5th, 2011, 17:20
Yeah, I fixed it. Now I have:


srv01# testparm /usr/local/etc/smb.conf
Load smb config files from /usr/local/etc/smb.conf
WARNING: The "enable privileges" option is deprecated
WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Processing section "[netlogon]"
Processing section "[homes]"
Processing section "[Profiles]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[data]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions


So how can I fix these WARNINGs? thx

Sylhouette
November 5th, 2011, 21:12
I think you use a newer version of Samba than 3.5.x.
Are you using Samba 3.6.1?

If so, comment them out by putting a # before the following lines.

enable privileges = yes
idmap backend = ldap:ldap://smb-server01.testdomain.com
idmap uid = 10000-20000
idmap gid = 10000-20000

That should get rid of the errors.

Gr
Johan
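
Commenting the four lines out silences testparm, but it also drops the LDAP idmap configuration; Samba 3.6 did not remove the feature, it moved these options to the "idmap config" form (one backend and one range for both uids and gids, with the backend-specific settings documented in idmap_ldap(8)). The script below is an added example, not from the howto, that rewrites the deprecated lines into that form on an embedded [global] section constructed from the values quoted in this thread. The mapping it applies (backend "ldap:URL" to "idmap config * : backend = ldap" plus "ldap_url = URL", the uid range to "idmap config * : range", and "enable privileges" dropped because 3.6 always enables privileges) is my reading of the 3.6 manual pages; run the result through testparm before reloading.

```shell
#!/bin/sh
# Added example, not from the howto: rewrite smb.conf idmap options that
# Samba 3.6's testparm reports as deprecated into the "idmap config" form.
# Assumed mapping (from smb.conf(5) and idmap_ldap(8) for 3.6):
#   idmap backend = ldap:ldap://host -> idmap config * : backend = ldap
#                                       idmap config * : ldap_url = ldap://host
#   idmap uid/gid = low-high         -> idmap config * : range = low-high
#   enable privileges = yes          -> dropped (privileges are always on)

# Filter: reads an smb.conf on stdin, writes the rewritten file on stdout.
idmap_convert() {
    awk '
    function flush() {
        if (emitted || (backend == "" && range == "")) return
        emitted = 1
        print "   # idmap settings rewritten to the Samba 3.6 syntax"
        if (backend != "") print "   idmap config * : backend = " backend
        if (range != "")   print "   idmap config * : range = " range
        if (url != "")     print "   idmap config * : ldap_url = " url
    }
    {
        # split on the first "=" only: values such as DNs contain "=" themselves
        key = ""; val = ""
        i = index($0, "=")
        if (i > 0) {
            key = tolower(substr($0, 1, i - 1)); gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            val = substr($0, i + 1);             gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        # a new section starts: emit the collected settings before leaving [global]
        if ($0 ~ /^[ \t]*\[/) { flush(); print; next }
        if (key == "enable privileges") { print "   # dropped: enable privileges is always on in Samba 3.6"; next }
        if (key == "idmap backend") {
            j = index(val, ":")
            if (j > 0) { backend = substr(val, 1, j - 1); url = substr(val, j + 1) } else backend = val
            next
        }
        if (key == "idmap uid") { range = val; next }
        if (key == "idmap gid") {
            if (range != "" && val != range)
                print "   # WARNING: idmap gid " val " differed from idmap uid " range "; 3.6 uses one range"
            if (range == "") range = val
            next
        }
        print
    }
    END { flush() }'
}

# Constructed sample carrying the deprecated lines quoted in the thread.
idmap_convert_sample() {
    idmap_convert <<'EOF'
[global]
   workgroup = TESTDOMAIN
   security = user
   enable privileges = yes
   passdb backend = ldapsam:ldap://smb-server01.testdomain.com
   ldap suffix = dc=testdomain,dc=com
   ldap idmap suffix = ou=Idmap
   idmap backend = ldap:ldap://smb-server01.testdomain.com
   idmap uid = 10000-20000
   idmap gid = 10000-20000

[netlogon]
   path = /usr/local/samba/netlogon
EOF
}

idmap_convert_sample
```

To convert a real file: idmap_convert < /usr/local/etc/smb.conf > smb.conf.new, then testparm smb.conf.new. The ldap_base_dn and ldap_user_dn settings of idmap_ldap are left to their defaults here, which fall back to the "ldap idmap suffix"/"ldap suffix" and "ldap admin dn" values the file already has; set them explicitly if testparm or winbindd complain.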

illex
November 6th, 2011, 00:50
Yes, I'm using samba 3.6.1.
I've commented those lines out and now it has no warnings, but is it OK without those lines? :)

Now I have some problem with connection to domain:

srv01# net rpc join -S srv01 -U root
Connection failed: NT_STATUS_INVALID_PARAMETER
Enter root's password:
Could not connect to server srv01
Connection failed: NT_STATUS_INVALID_PARAMETER

Do you know how to fix it?
thx

Sylhouette
November 6th, 2011, 09:05
No, I have not used Samba 3.6.1 before.
Maybe I have some time next week to try it, but I cannot promise I'll get to it.

Is everything running?
CUPS, Samba (smbd, nmbd and winbind), slapd and so on.
Also try -Uroot without a space; I do not know if it makes a difference.

If you find the solution yourself, please let me know, then i can edit the howto.

regards
Johan

illex
December 4th, 2011, 16:11
I guess the problem was because I tried to install Samba as PDC on a computer with 2 Ethernet cards and a PF firewall :)

Now it works!

I'm sorry for the newbie question, but how should I add users? I've downloaded "LDAP Admin", but I'm not sure that it's the right way. Maybe I should use some commands?

Sylhouette
December 4th, 2011, 20:42
Hello, there are several ways.

one is LDAP Admin like you installed.

There is also LDAP Account Manager, which is in the ports tree as well.

http://www.ldap-account-manager.org/


or you could use the command line.

http://clark-technet.com/linux-guides/adding-users-to-samba-ldap

The commands in your /usr/local/etc/smb.conf file can also be used from the command line.


add user script = /usr/local/sbin/smbldap-useradd -m %u
delete user script = /usr/local/sbin/smbldap-userdel %u
add group script = /usr/local/sbin/smbldap-groupadd -p %g
delete group script = /usr/local/sbin/smbldap-groupdel %g
add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u
add machine script = /usr/local/sbin/smbldap-useradd -w %m


So the following command will add the user illex to the system:

/usr/local/sbin/smbldap-useradd -m illex


The following command will add a new group named experts


/usr/local/sbin/smbldap-groupadd -p experts


The following command will add the user illex to the group experts

/usr/local/sbin/smbldap-groupmod -m illex experts


So there are many ways

regards
Johan
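
The smb.conf script lines above and the earlier reply about quoting the %u and %g substitutions share one property worth making explicit: Samba hands each of those lines to /bin/sh, so whatever it substitutes for %u, %g or %m ends up on a shell command line. Quoting keeps a name with a space together as one argument; it does not stop a name from being read as an option by smbldap-useradd, or keep shell metacharacters out of the command. The script below is an added example, not code from the howto or from smbldap-tools: a small wrapper that both smb.conf and an administrator at the command line can call, which accepts a name only if it matches a strict pattern before passing it on. The wrapper name smb-account, the SMBLDAP_DRY_RUN variable and the name patterns are choices made for this example; the /usr/local/sbin paths are the howto's. With SMBLDAP_DRY_RUN=1 it prints the command it would run instead of running it, which is how it runs here without an LDAP server.

```shell
#!/bin/sh
# smb-account: added example, not part of the howto. Wraps the smbldap-tools
# commands that smb.conf's "add user script" family and the command-line
# examples in the thread invoke. Samba runs those script lines via /bin/sh,
# so the name substituted for %u / %g / %m is validated here before it
# reaches smbldap-*. Paths follow the howto (/usr/local/sbin).
# SMBLDAP_DRY_RUN=1 prints the command instead of executing it.
export LC_ALL=C
SMBLDAP_BIN="${SMBLDAP_BIN:-/usr/local/sbin}"
: "${SMBLDAP_DRY_RUN:=0}"

# User or group name: lowercase letter or underscore first, then [a-z0-9_-],
# at most 32 characters. Refusing a leading '-' means the name can never be
# parsed as an option by the tool it is handed to.
smb_safe_name() {
    case "$1" in
        '' | *[!a-z0-9_-]* | [!a-z_]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Machine (NetBIOS) name: [A-Za-z0-9-], at most 15 characters, with the
# trailing '$' of a machine account allowed but not required.
smb_safe_machine() {
    case "$1" in *'$') _m=${1%?} ;; *) _m=$1 ;; esac
    case "$_m" in
        '' | *[!A-Za-z0-9-]* | -*) return 1 ;;
    esac
    [ "${#_m}" -le 15 ]
}

# Print or execute the final command, depending on SMBLDAP_DRY_RUN.
run_smbldap() {
    if [ "$SMBLDAP_DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

smb_add_user() {
    smb_safe_name "$1" || { echo "smb-account: refusing user name '$1'" >&2; return 2; }
    run_smbldap "$SMBLDAP_BIN/smbldap-useradd" -m "$1"
}

smb_add_group() {
    smb_safe_name "$1" || { echo "smb-account: refusing group name '$1'" >&2; return 2; }
    run_smbldap "$SMBLDAP_BIN/smbldap-groupadd" -p "$1"
}

smb_add_user_to_group() {
    smb_safe_name "$1" && smb_safe_name "$2" ||
        { echo "smb-account: refusing '$1' / '$2'" >&2; return 2; }
    run_smbldap "$SMBLDAP_BIN/smbldap-groupmod" -m "$1" "$2"
}

smb_add_machine() {
    smb_safe_machine "$1" || { echo "smb-account: refusing machine name '$1'" >&2; return 2; }
    run_smbldap "$SMBLDAP_BIN/smbldap-useradd" -w "$1"
}

# Dispatcher, so smb.conf can use e.g.
#   add user script = /usr/local/sbin/smb-account add-user "%u"
smb_account_main() {
    case "$1" in
        add-user)     smb_add_user "$2" ;;
        add-group)    smb_add_group "$2" ;;
        add-to-group) smb_add_user_to_group "$2" "$3" ;;
        add-machine)  smb_add_machine "$2" ;;
        *) echo "usage: smb-account add-user|add-group|add-machine NAME | add-to-group USER GROUP" >&2
           return 64 ;;
    esac
}

if [ "$#" -gt 0 ]; then
    smb_account_main "$@"
fi
```

Installed as /usr/local/sbin/smb-account, the smb.conf lines become "add user script = /usr/local/sbin/smb-account add-user "%u"", "add group script = /usr/local/sbin/smb-account add-group "%g"", "add user to group script = /usr/local/sbin/smb-account add-to-group "%u" "%g"" and "add machine script = /usr/local/sbin/smb-account add-machine "%m"", and the same commands work interactively: smb-account add-user illex, smb-account add-group experts, smb-account add-to-group illex experts. Tighten or loosen the patterns to match your naming policy; the point is that the policy is enforced in one place rather than relying on the quoting in each smb.conf line.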

Daren
January 4th, 2012, 13:32
Hi

I know it's been a while since this has been updated, but firstly: thanks!

I am having a small issue regarding certain aspects of the "net rpc" command though.

If I do:
# net rpc info -U root%password

I get output as expected (listing domain name, sid, number of users etc.), however the following happens if I try to list groups, for instance:

# net rpc group list -U root%password
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_INVALID_PARAMETER

I get something similar if I try the command relating to users, but with an additional error:
# net rpc user info darenr -U root%password
Connection to localhost failed (Error NT_STATUS_INVALID_PARAMETER)
Failed to get groups for 'darenr' with error: Failed to connect to IPC$ share on localhost.

I have tried a bit of googling, but nothing seems to come up (or I'm going blind ;))

I have been able to successfully join a workstation to the domain, and login as a user I added via LAM, as well as successfully adding files to the test share I have set up.

If you could give any pointers or hints as to what I may have missed, I'd much appreciate it.

Thanks
Daren

Daren
January 6th, 2012, 11:15
I found out my issue. Although I had looked at it so many times, I had missed a "0" on the end of the lo0 interface in smb.conf.

What an idiot I feel :r