HOWTO: Samba PDC with LDAP backend - The FreeBSD Forums
  #1  
Old December 3rd, 2008, 11:40
Sylhouette Sylhouette is offline
Member
 
Join Date: Nov 2008
Posts: 174
Thanks: 5
Thanked 25 Times in 16 Posts
Default HOWTO: Samba PDC with LDAP backend

Hello all.
I have put this Howto in an HTML page on the web.

This makes it easier to edit it and keep it up to date.

You can find it here:
http://www.xs4all.nl/~doub/samba-ldap/index.html

I updated it.
This howto uses FreeBSD 8.1 with the ports tree from 12-10-2010.


I put in the BIND and DHCP config also.

regards,
Johan

Last edited by Sylhouette; October 18th, 2010 at 13:38.
Reply With Quote
The Following 9 Users Say Thank You to Sylhouette For This Useful Post:
Bink (January 5th, 2010), Daren (January 4th, 2012), nakal (December 24th, 2008), radhus (December 22nd, 2008), rocky (December 25th, 2008), roy2098 (February 23rd, 2009), royvandam (March 8th, 2011), Shane (January 21st, 2009), tanked (January 21st, 2009)
  #2  
Old October 15th, 2010, 16:34
DutchDaemon DutchDaemon is offline
Administrator
 
Join Date: Nov 2008
Location: Rotterdam, the Netherlands
Posts: 9,857
Thanks: 30
Thanked 1,892 Times in 1,335 Posts
Default

Since the first post was radically altered, the entire thread following it became 'orphaned', so we may as well start over again with the new information in the first post as a starting point.
Reply With Quote
  #3  
Old October 21st, 2010, 20:52
fdge fdge is offline
Junior Member
 
Join Date: Oct 2010
Posts: 3
Thanks: 1
Thanked 0 Times in 0 Posts
Default

I keep getting "segmentation fault" with slapd and I'm just lost now with what could be wrong.
Reply With Quote
  #4  
Old October 22nd, 2010, 10:56
Sylhouette Sylhouette is offline
Member
 
Join Date: Nov 2008
Posts: 174
Thanks: 5
Thanked 25 Times in 16 Posts
Default

What do you get when you do a pkg_info?

Also, have you tried pkg_delete openldap-server-<version>
and then a reinstall?
You can also try pkg_add -r openldap-server; this way you install a package.
If that one also crashes, something else is going on.

regards,
Syl
Reply With Quote
The Following User Says Thank You to Sylhouette For This Useful Post:
fdge (October 23rd, 2010)
  #5  
Old October 22nd, 2010, 13:34
fdge fdge is offline
Junior Member
 
Join Date: Oct 2010
Posts: 3
Thanks: 1
Thanked 0 Times in 0 Posts
Default

Thank you.

For the record I was using:
pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/po...ver-2.4.23.tbz

and trying pkg_add -r openldap-server led me to this and it worked.

pkg_add -r openldap24-server
( pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/po...p24-server.tbz)

Last edited by DutchDaemon; October 22nd, 2010 at 16:03. Reason: proper formatting: http://forums.freebsd.org/showthread.php?t=8816
Reply With Quote
  #6  
Old October 27th, 2010, 14:01
alisel alisel is offline
Junior Member
 
Join Date: Oct 2010
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Hi! I followed the HOWTO (thank you very much for your efforts!!) but I have a little issue. After applying changes to nsswitch.conf I get: nss_ldap could not search LDAP server. Slapd is up and running. Any ideas?
Reply With Quote
  #7  
Old November 2nd, 2010, 11:56
Sylhouette Sylhouette is offline
Member
 
Join Date: Nov 2008
Posts: 174
Thanks: 5
Thanked 25 Times in 16 Posts
Default

Did you fill the database?

Also make sure the ldap.conf file is correct!

Gr
Syl
Reply With Quote
  #8  
Old November 4th, 2010, 04:38
TitanIT TitanIT is offline
Junior Member
 
Join Date: Nov 2010
Posts: 4
Thanks: 0
Thanked 1 Time in 1 Post
Default

Thank you for the good job on that howto.

I set up an 8.1 box based on this config using Nov 1st 2010 ports...

I think I ended up using a newer version of perl, but it all went fairly smoothly and it seems to work.

I joined an XP box to the domain, successfully logged in as root and I decided to download Usermgr.exe as mentioned in the howto. I downloaded usermgr.exe from Microsoft... I can see the accounts, but once I try to do anything, it says
Code:
A device attached to the system is not functioning
Nothing strange on the workstation/firewall or whatnots.. and nothing odd in the logs, that I can tell.

Anyone experience this that knows a quick fix?

Cheers

- Chris

Last edited by DutchDaemon; November 4th, 2010 at 11:40.
Reply With Quote
  #9  
Old November 4th, 2010, 14:48
Sylhouette Sylhouette is offline
Member
 
Join Date: Nov 2008
Posts: 174
Thanks: 5
Thanked 25 Times in 16 Posts
Default

Did you do the last step?
Code:
net rpc join -S smb-server01 -Uroot
Also, you can try to use quotes around the %x settings in the smb.conf file like below, and reload/restart samba.

Code:
# scripts invoked by samba
      add user script               = /usr/local/sbin/smbldap-useradd -m "%u"
      delete user script            = /usr/local/sbin/smbldap-userdel "%u"
      add group script              = /usr/local/sbin/smbldap-groupadd -p "%g"
      delete group script           = /usr/local/sbin/smbldap-groupdel "%g"
      add user to group script      = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
      delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
      set primary group script      = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
      add machine script            = /usr/local/sbin/smbldap-useradd -w "%m"
regards,
Johan
Reply With Quote
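The quoting suggested in the post above can be checked mechanically. The following is an added example, not part of the original thread and not code from Samba or smbldap-tools: a shell function that lists the `script =` lines of an smb.conf in which a % macro sits outside double quotes, run against two constructed sample files. The function names and sample file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: lint the "... script = ..." lines of an smb.conf and report
# any %-macro (%u, %g, %m, ...) that is not inside double quotes.

# unquoted_macros FILE  (hypothetical helper name)
# Prints "LINENO: line" for each offending line; returns 1 if any was found.
unquoted_macros() {
    awk '
        /^[ \t]*[#;]/ { next }                  # skip smb.conf comment lines
        tolower($0) ~ /script[ \t]*=/ {
            cmd = $0
            sub(/^[^=]*=[ \t]*/, "", cmd)       # keep only the command part
            gsub(/"[^"]*"/, "", cmd)            # drop double-quoted spans
            if (cmd ~ /%[A-Za-z]/) {            # a macro is left: unquoted
                printf "%d: %s\n", NR, $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# write_samples DIR: create two constructed sample files (not from the thread)
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
[global]
# constructed sample: some macros are unquoted
      add user script          = /usr/local/sbin/smbldap-useradd -m %u
      add machine script       = /usr/local/sbin/smbldap-useradd -w "%m"
      add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" %g
EOF
    cat > "$1/fixed.conf" <<'EOF'
[global]
# constructed sample: every macro is quoted, as in the post above
      add user script          = /usr/local/sbin/smbldap-useradd -m "%u"
      add machine script       = /usr/local/sbin/smbldap-useradd -w "%m"
      add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
EOF
}

# Demo on the constructed samples
tmp=$(mktemp -d)
write_samples "$tmp"
unquoted_macros "$tmp/weak.conf" || echo "weak.conf: unquoted macros found"
unquoted_macros "$tmp/fixed.conf" && echo "fixed.conf: ok"
rm -rf "$tmp"
```

On a real system the function would be pointed at the smb.conf that testparm loads; it only inspects double quotes and does not evaluate what the helper scripts do with their arguments.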
  #10  
Old November 14th, 2010, 21:17
fuzzy-hat fuzzy-hat is offline
Junior Member
 
Join Date: Nov 2010
Posts: 3
Thanks: 2
Thanked 0 Times in 0 Posts
Default

Tried following this a few times, always running into some sort of error.

Cleaned 8.1 FreeBSD install and I followed the guide until I get to the part about starting slapd and get the following error:
Code:
# /usr/local/etc/rc.d/slapd start
Starting slapd.
Unrecognized database type (bdb)
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd
I can't seem to figure out how to fix it. I watched it install BDB, so I'm not sure why it's complaining. I ended up using Samba 3.4.8 because apparently I can't figure out how to get the newest version to appear in /usr/ports/. Hopefully that won't matter...
Reply With Quote
  #11  
Old November 15th, 2010, 17:56
TitanIT TitanIT is offline
Junior Member
 
Join Date: Nov 2010
Posts: 4
Thanks: 0
Thanked 1 Time in 1 Post
Default

fuzzy-hat -
Samba 3.5.6 was in ports 2 weeks back.. now it is a bad plist.

I had the same issue; make sure you have the following line in your slapd.conf:

Code:
moduleload back_bdb
Sylhouette -

I did the net join command first time around. I haven't been able to test the quotes yet; I'll let you know if that fixes it.

Thanks,

- Chris

Last edited by DutchDaemon; November 15th, 2010 at 18:10.
Reply With Quote
The Following User Says Thank You to TitanIT For This Useful Post:
fuzzy-hat (November 25th, 2010)
  #12  
Old November 15th, 2010, 20:07
Sylhouette Sylhouette is offline
Member
 
Join Date: Nov 2008
Posts: 174
Thanks: 5
Thanked 25 Times in 16 Posts
Default

About the moduleload back_bdb in the slapd.conf file, I had to remove it.
If I did leave it in there, it would not start, and errored out with something like module BDB already loaded (out of my head).


I will add it to the howto.

Gr
Syl
Reply With Quote
  #13  
Old November 15th, 2010, 22:55
TitanIT TitanIT is offline
Junior Member
 
Join Date: Nov 2010
Posts: 4
Thanks: 0
Thanked 1 Time in 1 Post
Default

Syl, I think it's the way the newer version is built in ports.

I tried to use quotes around the %x settings in the smb.conf but unfortunately still getting the same error as posted earlier.
- Chris
Reply With Quote
  #14  
Old November 16th, 2010, 22:05
Sylhouette Sylhouette is offline
Member
 
Join Date: Nov 2008
Posts: 174
Thanks: 5
Thanked 25 Times in 16 Posts
Default

I know I had this error message once.
I do not remember what I did to resolve this.

Could it be that cups is not running?
If my memory serves me well, it had something to do with a service that is not running, but I could be wrong.

If I have some more time, I will look into this.

Gr
Syl
Reply With Quote
  #15  
Old November 25th, 2010, 22:35
fuzzy-hat fuzzy-hat is offline
Junior Member
 
Join Date: Nov 2010
Posts: 3
Thanks: 2
Thanked 0 Times in 0 Posts
Default

Thanks for the suggestion.
I'm going to give it another go.
Reply With Quote
  #16  
Old November 29th, 2010, 21:56
fuzzy-hat fuzzy-hat is offline
Junior Member
 
Join Date: Nov 2010
Posts: 3
Thanks: 2
Thanked 0 Times in 0 Posts
Default

I'd like to start by pointing out I'm an idiot. I've found some of my mistakes. So for anyone else reading this

Quote:
Originally Posted by fuzzy-hat View Post
# /usr/local/etc/rc.d/slapd start
Starting slapd.
Unrecognized database type (bdb)
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd

I can't seem to figure out how to fix it. I watched it install BDB, so I'm not sure why it's complaining.
This is actually addressed in the HOW TO. It's possible it wasn't there until recently but more likely I skimmed over it because I've never had to change that value before. All I had to do was actually read the guide and uncomment
Code:
moduleload back_bdb
in the slapd.conf file to make it work.

Quote:
Originally Posted by fuzzy-hat View Post
I ended up using Samba 3.4.8 because apparently I can't figure out how to get the newest version to appear in /usr/ports/.
As for this, from what I understood from googling, the way to update your ports tree was to use csup or cvsup (I think I tried something else as well). It of course looked like it was updating to me, but nothing ever changed.

Today I finally found out that you run:
portsnap fetch
portsnap extract

to update your ports tree.

Next time I will try to read better. Sorry for wasting people's time.

Last edited by DutchDaemon; November 30th, 2010 at 01:17.
Reply With Quote
  #17  
Old December 22nd, 2010, 15:31
tanked tanked is offline
Junior Member
 
Join Date: Nov 2008
Location: United Kingdom
Posts: 91
Thanks: 17
Thanked 1 Time in 1 Post
Default

Hello, if I want to add a FreeBSD ZFS file server to a Windows 2003 AD domain, could anybody point out what modifications I need to make to this how-to (obviously I won't need LDAP, DHCP etc...)?
Reply With Quote
  #18  
Old December 23rd, 2010, 20:52
Sylhouette Sylhouette is offline
Member
 
Join Date: Nov 2008
Posts: 174
Thanks: 5
Thanked 25 Times in 16 Posts
Default

Try following the directions I posted in the following thread:

http://forums.freebsd.org/showthread.php?t=20007

Gr
Syl
Reply With Quote
The Following User Says Thank You to Sylhouette For This Useful Post:
tanked (December 24th, 2010)
  #19  
Old March 20th, 2011, 15:08
padrino padrino is offline
Junior Member
 
Join Date: Mar 2011
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Hi

First of all, thank you for the HowTO!

I have some little problems with my config. I try to get my ldap into a jail, so my network config of the host is:
Code:
fxp0 192.168.1.66
with an alias for the jail on 192.168.100.1; the jail is called "ldap-jail".

So the first problem I have, is running slapd with
Code:
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://127.0.0.1/ ldap://192.168.100.1/"'
Without the parameter ldap://192.168.100.1 slapd starts without problems, but with the parameter I get:
Code:
Mar 18 21:28:39 LDAP slapd[25467]: @(#) $OpenLDAP: slapd 2.4.24 (Mar 18 2011 16:32:42) $ root@LDAP:/usr/ports/net/openldap24-server/work/openldap-2.4.24/servers/slapd
Mar 18 21:28:39 LDAP slapd[25467]: daemon: bind(8) failed errno=48 (Address already in use)
Mar 18 21:28:39 LDAP slapd[25467]: slapd stopped.
Mar 18 21:28:39 LDAP slapd[25467]: connections_destroy: nothing to destroy.
So I proceed without this parameter, but at the end of the samba section I have another problem when I try to populate the database:

Code:
smb-server01# smbldap-populate -u 10000 -g 10000 -r 10000
Populating LDAP directory for domain TESTDOMAIN (S-1-5-21-3989252577-37338151-2932095156)
(using builtin directory structure)

adding new entry: dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 7.
adding new entry: ou=People,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 12.
adding new entry: ou=Groups,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 17.
adding new entry: ou=Computers,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 22.
adding new entry: ou=Idmap,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 27.
adding new entry: uid=root,ou=People,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 58.
adding new entry: uid=nobody,ou=People,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 89.
adding new entry: cn=Domain Admins,ou=Groups,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 101.
adding new entry: cn=Domain Users,ou=Groups,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 112.
adding new entry: cn=Domain Guests,ou=Groups,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 123.
adding new entry: cn=Domain Computers,ou=Groups,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 134.
adding new entry: cn=Administrators,ou=Groups,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 179.
adding new entry: cn=Account Operators,ou=Groups,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 201.
adding new entry: cn=Print Operators,ou=Groups,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 212.
adding new entry: cn=Backup Operators,ou=Groups,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 223.
adding new entry: cn=Replicators,ou=Groups,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 234.
adding new entry: sambaDomainName=TESTDOMAIN,dc=testdomain,dc=com
failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500, <GEN1> line 242.

Please provide a password for the domain root: 
No such object at /usr/local/lib/perl5/site_perl/5.12.3/smbldap_tools.pm line 409.
Now I don't know how to resolve this issue and proceed... any ideas?

Thank you

P.S. at the end of smbldap.conf there is
Code:
smbpasswd="/usr/local/bin/smbpasswd"
that should be
Code:
smbpasswd="/usr/local/sbin/smbpasswd"

Last edited by DutchDaemon; March 20th, 2011 at 21:57. Reason: Proper formatting: http://forums.freebsd.org/showthread.php?t=8816
Reply With Quote
  #20  
Old March 20th, 2011, 17:37
padrino padrino is offline
Junior Member
 
Join Date: Mar 2011
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Sorry for the double-post.

The second issue I had is now solved; I forgot a "{" in my configuration file. Unfortunately I'm still not able to join my domain controller.

Code:
smb-server01# net rpc join -S smb-server01 -Uroot
Connection failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Enter root's password:
Could not connect to server smb-server01
Connection failed: NT_STATUS_INVALID_NETWORK_RESPONSE
It also fails when I'm trying to join from a Windows client; maybe the reason is the missing parameter 192.168.100.1 in the /etc/rc.conf?

Last edited by DutchDaemon; March 20th, 2011 at 21:58. Reason: Formatting & Style: http://forums.freebsd.org/showthread.php?t=8816 / http://forums.freebsd.org/showthread.php?t=18043
Reply With Quote
  #21  
Old April 21st, 2011, 22:39
CKeoni86 CKeoni86 is offline
Junior Member
 
Join Date: Apr 2011
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Hello,

I'm running into the same error as padrino. I followed the tutorial for setting up a Samba PDC with LDAP backend from Sylhouette quite strictly.

Code:
Please provide a password for the domain root:
No such object at /usr/local/lib/perl5/site_perl/5.12.3/smbldap_tools.pm line 409.
Can anyone point me into the right direction to righting this dilemma?

Thanks in advance.

Last edited by DutchDaemon; April 22nd, 2011 at 01:06.
Reply With Quote
  #22  
Old May 9th, 2011, 11:49
toomanysecrets toomanysecrets is offline
Junior Member
 
Join Date: Nov 2008
Posts: 16
Thanks: 4
Thanked 1 Time in 1 Post
Default

Hi Padrino.

Quote:
Originally Posted by padrino View Post
Sorry for the double-post.

The second issue I had is now solved; I forgot a "{" in my configuration file. Unfortunately I'm still not able to join my domain controller.
Please, could you tell me in what configuration file you forgot the "{"? I'm also following the same URL for FreeBSD+Samba+PDC and have the same issue as you.

Thank you!!
__________________
Have a nice day ;-)
TooManySecrets

Last edited by DutchDaemon; May 9th, 2011 at 20:04.
Reply With Quote
  #23  
Old July 9th, 2011, 12:20
bsus bsus is offline
Member
 
Join Date: Feb 2011
Posts: 296
Thanks: 7
Thanked 0 Times in 0 Posts
Default

Hi, I followed the howto until net getlocalsid, but here I am getting the following output:
Code:
net getlocalsid
[2011/01/15 14:18:01.950062,  0] lib/smbldap.c:1151(smbldap_connect_system)
  failed to bind to server ldap://192.168.178.4/ with dn="cn=Manager,dc=fritz,dc=box" Error: Can't contact LDAP server
  	(unknown)
SID for domain SAMBA_SERVER is: S-1-5-21-995152089-1900560301-1122320211
Can I ignore this or is this more than just a warning?

Regards
Reply With Quote
  #24  
Old November 2nd, 2011, 17:20
Sylhouette Sylhouette is offline
Member
 
Join Date: Nov 2008
Posts: 174
Thanks: 5
Thanked 25 Times in 16 Posts
Default

Yes you can. I did a little upgrade to the howto and use the smbldap config script.

It times out because the ldap server is not running.

regards
Johan
Reply With Quote
  #25  
Old November 5th, 2011, 13:20
illex illex is offline
Junior Member
 
Join Date: Nov 2011
Posts: 5
Thanks: 0
Thanked 0 Times in 0 Posts
Default testparm warnings

Hi! When I used the testparm command, I received some warnings. Can somebody help me with that? And thanks for the HOWTO.


Code:
srv01# testparm /usr/local/etc/smb.conf
Load smb config files from /usr/local/etc/smb.conf
max_open_files: increasing sysctl_max (11095) to minimum Windows limit (16384)
rlimit_max: increasing rlimit_max (11095) to minimum Windows limit (16384)
WARNING: The "enable privileges" option is deprecated
WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Processing section "[netlogon]"
Processing section "[homes]"
Processing section "[Profiles]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[data]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

Last edited by DutchDaemon; November 5th, 2011 at 14:04. Reason: proper formatting: http://forums.freebsd.org/showthread.php?t=8816
Reply With Quote