Re: Does samba 3.0.14Aa on OS 5.0.6 work with ldapsam backend on another LDAP server?
- From: scoace <mike@xxxxxx>
- Date: Fri, 02 Nov 2007 07:02:14 -0700
On Oct 31, 10:24 pm, Bob Troester <r...@xxxxxxxxxxxxxxx> wrote:
I have been using samba 3.0.14Aa on SCO Open Server 5.0.6.a with
gwxlibs 2.1.0Ba successfully for several months as a Backup Domain
Controller using a smbpasswd text file back end. Before that I had
used 3.0.9 on SCO 5.0.6 for quite some time after suffering problems I
detailed in this list back in 2005 in http://groups.google.com/group/comp.unix.sco.misc/browse_thread/threa...
I wanted to use passdb=ldapsam so it could share passwords with my
PDC, a RedHat4 box running samba 3.0.10 and OpenLDAP 2.2.13. I
realized that the SCO samba didn't have winbindd support, no PAM, no
name service switch, and no LDAP server (although there were the
client programs like ldapadd and some LDAP libraries as part of
gwxlibs, and ldapsmb (the Suse utility) as part of samba), so LDAP
didn't look possible - but then I got a bright idea: Just point samba
to the RedHat box! So I tried changing the passdb to 'ldapsam:ldap://
<ldap server domain name>/' - and it worked! I was able to access a
share on the SCO server without any smbpasswd on that server!
Well, it did work for exactly 15 minutes, then smbd stopped running. I
could restart smbd and it would work fine for another 15 minutes, then
stop running again. I started seeing smbd daemons left in a CLOSED
state but I couldn't see any messages in the logs that showed a
problem. (For what it's worth, I also tried using the ldapsmb utility
on the SCO box, and that produced a log that showed it successfully
bound with the external LDAP server.) Finally I gave up and went back
to using smbpasswd on my SCO server. Trying ldapsam again later, I
thought samba survived somewhat more than 15 minutes, but again smbd
finally stopped running.
So that's where I am. Does anyone understand what samba is doing every
15 minutes that would result in smbd crashing? I know that samba has
an option deadtime = 15 that kills inactive processes every 15
minutes. Also there is the election process in about that time-frame
but I don't really know what to look for.
It's a shame, because I'm so close to having it working. I need the
SCO server because it's the only platform I have to run old
WordPerfect 7 for Unix and I need WP7 for some old reports that I
can't currently replace.
Do I really need a full LDAP/pam/nss setup (+Kerberos and SASL?) to
make samba work this way? There was a version of LDAP "3.3" as part
of the old Skunkware 2000, but I didn't even try to use that due to
potential conflicts with the current gwxlibs.
I'm including below my smb.conf for possible clues.
Thanks in advance. I really do appreciate all the SCO experts on this
list. Hope there's one who's an expert on _this_ problem!
Bob Troester
Systems Developer
VT Agency of Agriculture, Food & Markets
-------------------------------------------------------------------------------------------------------------
# Samba config file created using SWAT
# from 159.105.50.3 (159.105.50.3)
# Date: 2007/10/31 22:01:27
# Global parameters
[global]
dos charset = CP850
unix charset = UTF-8
display charset = LOCALE
workgroup = VTAGR
netbios name = VTAGR02
netbios aliases =
netbios scope =
server string = VT Agr Samba Server (%m) %v
interfaces =
bind interfaces only = No
security = USER
auth methods =
encrypt passwords = Yes
update encrypted = No
client schannel = Auto
server schannel = Auto
allow trusted domains = Yes
hosts equiv =
min password length = 5
map to guest = Bad User
null passwords = No
obey pam restrictions = No
password server = *
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba
passdb backend = smbpasswd
algorithmic rid base = 1000
root directory =
guest account = smbprint
enable privileges = No
pam password change = No
passwd program = /bin/passwd %u
passwd chat = *Enter*choice* \n *New*password* %n\n *enter*password* %n\n \n .
passwd chat debug = No
passwd chat timeout = 2
check password script =
username map = /etc/samba/smbusers
password level = 8
username level = 0
unix password sync = Yes
restrict anonymous = 0
lanman auth = Yes
ntlm auth = Yes
client NTLMv2 auth = No
client lanman auth = Yes
client plaintext auth = Yes
preload modules =
use kerberos keytab = No
log level = 1
syslog = 1
syslog only = No
log file = /var/log/samba/logs/log.%m
max log size = 5000
debug timestamp = Yes
debug hires timestamp = No
debug pid = No
debug uid = No
smb ports = 445 139
large readwrite = Yes
max protocol = NT1
min protocol = CORE
read bmpx = No
read raw = Yes
write raw = Yes
disable netbios = No
acl compatibility =
defer sharing violations = Yes
nt pipe support = Yes
nt status support = Yes
announce version = 4.9
announce as = NT
max mux = 50
max xmit = 16644
name resolve order = lmhosts wins host bcast
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
time server = No
unix extensions = Yes
use spnego = Yes
client signing = auto
server signing = No
client use spnego = Yes
change notify timeout = 60
deadtime = 15
getwd cache = Yes
keepalive = 300
kernel change notify = Yes
lpq cache time = 30
max smbd processes = 0
paranoid server security = Yes
max disk size = 0
max open files = 10000
socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=8192 SO_RCVBUF=8192
use mmap = Yes
hostname lookups = No
name cache timeout = 660
load printers = Yes
printcap cache time = 0
printcap name = lpstat
cups server =
disable spoolss = No
enumports command =
addprinter command =
deleteprinter command =
show add printer wizard = Yes
os2 driver map =
mangling method = hash2
mangle prefix = 1
stat cache = Yes
machine password timeout = 604800
add user script =
delete user script =
add group script =
delete group script =
add user to group script =
delete user from group script =
set primary group script =
add machine script =
shutdown script =
abort shutdown script =
logon script = startup.bat
logon path = \\%N\%U\profile
logon drive =
logon home = \\%N\%U\profile
domain logons = Yes
os level = 33
lm announce = Auto
lm interval = 60
preferred master = No
local master = Yes
domain master = No
browse list = Yes
enhanced browsing = Yes
dns proxy = Yes
wins proxy = No
wins server =
wins support = Yes
wins hook =
wins partners =
kernel oplocks = No
lock spin count = 3
lock spin time = 10
oplock break wait time = 0
ldap admin dn = cn=Manager,dc=agr,dc=state,dc=vt,dc=us
ldap delete dn = No
ldap filter = (uid=%u)
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap replication sleep = 1000
ldap suffix = dc=agr,dc=state,dc=vt,dc=us
ldap ssl = no
ldap timeout = 15
ldap user suffix = ou=People
add share command =
change share command =
delete share command =
config file =
preload =
lock directory = /var/lib/samba
pid directory = /var/run/samba
utmp directory =
wtmp directory =
utmp = No
default service =
message command = /bin/mailx -s'Message from %f on %m' root<%s; rm %s
dfree command =
get quota command =
set quota command =
remote announce = nnn.nnn.nnn.127/ADMIN
remote browse sync =
socket address = 0.0.0.0
homedir map =
afs username map =
afs token lifetime = 604800
log nt token command =
time offset = 0
NIS homedir = No
panic action =
host msdfs = No
enable rid algorithm = Yes
idmap backend =
idmap uid =
idmap gid =
template primary group = nogroup
template homedir = /usr/%D/%U
template shell = /bin/false
winbind separator = \
winbind cache time = 300
winbind enable local accounts = No
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = No
comment =
path =
username =
invalid users =
valid users =
admin users = VTAGR\@domadm
read list =
write list =
printer admin = VTAGR\@domadm
force user =
force group =
read only = Yes
create mask = 0775
force create mode = 00
security mask = 0777
force security mode = 00
directory mask = 0775
force directory mode = 00
directory security mask = 0777
force directory security mode = 00
force unknown acl user = No
inherit permissions = No
inherit acls = No
guest only = No
guest ok = No
only user = No
hosts allow = nnn.nnn.nnn.0/255.255.255.128
hosts deny =
allocation roundup size = 1048576
ea support = No
nt acl support = Yes
profile acls = No
map acl inherit = No
afs share = No
block size = 1024
max connections = 0
min print space = 0
strict allocate = No
strict sync = No
sync always = No
use sendfile = No
write cache size = 0
max reported print jobs = 0
max print jobs = 1000
printable = No
printing = sysv
cups options =
print command = lp -c -d%p %s; rm %s
lpq command = lpstat -o%p
lprm command = cancel %p-%j
lppause command = lp -i %p-%j -H hold
lpresume command = lp -i %p-%j -H resume
queuepause command = disable %p
queueresume command = enable %p
printer name =
use client driver = No
default devmode = No
force printername = No
default case = lower
case sensitive = Auto
preserve case = Yes
short preserve case = Yes
mangling char = ~
hide dot files = Yes
hide special files = No
hide unreadable = No
hide unwriteable files = No
delete veto files = No
veto files =
hide files =
veto oplock files =
map system = No
map hidden = No
map archive = No
mangled names = Yes
mangled map =
store dos attributes = No
browseable = Yes
blocking locks = Yes
csc policy = manual
fake oplocks = No
locking = Yes
oplocks = No
level2 oplocks = No
oplock contention limit = 2
posix locking = Yes
strict locking = Yes
share modes = Yes
copy =
include =
preexec =
preexec close = No
postexec =
root preexec =
root preexec close = No
root postexec =
available = Yes
volume =
fstype = NTFS
set directory = No
wide links = No
follow symlinks = Yes
dont descend =
magic script =
magic output =
delete readonly = Yes
dos filemode = No
dos filetimes = Yes
dos filetime resolution = No
fake directory create times = No
vfs objects =
msdfs root = No
msdfs proxy =
-----shares edited------
[homes]
comment = Home Directories
valid users = %S
read only = No
inherit acls = Yes
hosts allow = nnn.nnn.nnn.0/255.255.255.128
browseable = No
[Profiles]
comment = Network Profiles Service
path = %H
read only = No
create mask = 0600
directory mask = 0700
store dos attributes = Yes
browseable = No
[public]
comment = Temporary storage for all users
path = /usr2/u/public
read only = No
inherit acls = Yes
hosts allow = nnn.nnn.nnn.0/255.255.255.128
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
inherit acls = Yes
hosts allow = nnn.nnn.nnn.0/255.255.255.128
browseable = No
share modes = No
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0600
min print space = 5000
printable = Yes
use client driver = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin, root
force group = ntadmin
create mask = 0664
hosts allow = nnn.nnn.nnn.0/255.255.255.128
[L1]
comment = LaserJet 4350dtn - 1st floor main room
path = /usr/spool/samba
read only = No
create mask = 0600
guest ok = Yes
min print space = 5000
printable = Yes
printer name = L1
Hi Bob,
I have not run the 3.0.14 version with an LDAP backend, so no idea
what would be going wrong. The first recommendation would be to update
Samba to a later version, 3.0.20 is available from SCO on the 5.0.7
Supplement CD 5. You will find some release notes that detail the
prerequisites.
http://www.sco.com/support/update/download/release.php?rid=187
A matter of semantics only, SCO Samba does have winbind support but
without a Name Service Switch library the OS can make no use of it.
Given the Samba requirement that all Samba accounts must map back to a
UNIX ID it means that you will be mapping or creating all the users on
SCO.
You may also wish to spend some time checking your smb.conf line by
line and remove inappropriate declarations. Although Samba should
overrule or ignore conflicting lines and disregard the ones that do
not apply it may not be perfect and could cause strange results.
Some examples:
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba
passdb backend = smbpasswd
So you are not connecting to LDAP?
password server = *
Hopefully ignored with "security = user"
obey pam restrictions = No
There is no PAM support on OSR5, and the "encrypt passwords = yes"
should overrule this.
client schannel = Auto
server schannel = Auto
Are you joining a domain and want winbind to use a secure channel?
wins server =
wins support = Yes
Why do you want OSR5 to be WINS server? Is there another WINS server
on the network?
comment = LaserJet 4350dtn - 1st floor main room
path = /usr/spool/samba
read only = No
create mask = 0600
guest ok = Yes
min print space = 5000
printable = Yes
printer name = L1
"read only = No" is ignored when "printable = Yes"
oplocks = No
level2 oplocks = No
oplock contention limit = 2
posix locking = Yes
strict locking = Yes
Does your application require this? "oplock contention limit = 2"
will be ignored if oplocks are turned off. With many applications the
above settings will slow Samba and the client to a crawl and increase
network load with no benefit.
available = Yes
In the [Global] section? "available = no" in a share section will
turn off that service, no idea what it does in the global area.
Mike
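Mike's advice to go through smb.conf line by line can be mechanised. The script below is an added example written for this page, not code from the thread or from the Samba project: it parses an smb.conf, then flags the contradictions he points out (LDAP parameters beside a smbpasswd backend, `read only = No` on a printable share, an `oplock contention limit` with oplocks off, `available` in [global]) plus two authentication settings from the posted configuration worth a second look (`lanman auth`, `client plaintext auth`) and the `ldap ssl = no` case that matters once the backend really is switched to `ldapsam:ldap://`. The sample configuration inside it is constructed and mirrors only a few of Bob's settings; the SHARE_ONLY set is an assumption made for the example.

```python
"""Minimal smb.conf consistency linter (added example, not from the thread)."""
import re

# Constructed sample: a cut-down smb.conf mirroring the settings Mike queried.
SAMPLE_SMB_CONF = """\
# constructed sample, not the poster's full configuration
[global]
    security = USER
    passdb backend = smbpasswd
    ldap admin dn = cn=Manager,dc=example,dc=test
    ldap suffix = dc=example,dc=test
    ldap ssl = no
    lanman auth = Yes
    client plaintext auth = Yes
    wins support = Yes
    wins server =
    oplocks = No
    oplock contention limit = 2
    available = Yes

[L1]
    path = /usr/spool/samba
    read only = No
    printable = Yes
    oplocks = No
    oplock contention limit = 2
"""

# Share-level parameters that are easy to misread in [global]. 'available' is
# the one Mike queried; the rest of the set is an assumption for this example.
SHARE_ONLY = {"available", "printable", "printer name", "path", "valid users"}


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}.

    Samba matches parameter names case-insensitively and ignores internal
    whitespace, so keys are lower-cased and whitespace-collapsed.  A trailing
    backslash continues a value onto the next line.
    """
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#;":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def lint(sections):
    """Return (section, message) findings for contradictory or unused settings."""
    findings = []
    g = sections.get("global", {})
    backend = g.get("passdb backend", "smbpasswd").lower()
    if not backend.startswith("ldapsam") and any(k.startswith("ldap ") for k in g):
        findings.append(("global", f"ldap parameters present but passdb backend is "
                                   f"'{backend}'; Samba is not using LDAP for accounts"))
    if backend.startswith("ldapsam:ldap://") and g.get("ldap ssl", "").lower() in ("no", "off"):
        findings.append(("global", "ldapsam over ldap:// with 'ldap ssl = no': the admin "
                                   "bind and password hashes cross the network unencrypted"))
    if is_yes(g.get("lanman auth", "no")):
        findings.append(("global", "'lanman auth = yes' accepts weak LM-hash authentication"))
    if is_yes(g.get("client plaintext auth", "no")):
        findings.append(("global", "'client plaintext auth = yes' allows cleartext passwords "
                                   "on outgoing client connections"))
    if is_yes(g.get("wins support", "no")) and g.get("wins server", ""):
        findings.append(("global", "'wins support = yes' and 'wins server' should not both be set"))
    for key in sorted(SHARE_ONLY & set(g)):
        findings.append(("global", f"'{key}' is a share-level parameter; check what it does in [global]"))
    for name, params in sections.items():
        # Effective value: the section's own setting, else the [global] default.
        def get(k, d):
            return params.get(k, g.get(k, d))
        if is_yes(get("printable", "no")) and not is_yes(get("read only", "yes")):
            findings.append((name, "'read only = no' is ignored when 'printable = yes'"))
        if not is_yes(get("oplocks", "yes")) and "oplock contention limit" in params:
            findings.append((name, "'oplock contention limit' is ignored because oplocks are off"))
    return findings


def lint_text(text):
    return lint(parse_smb_conf(text))


if __name__ == "__main__":
    for section, message in lint_text(SAMPLE_SMB_CONF):
        print(f"[{section}] {message}")
```

Run it directly to see the findings for the constructed sample, or call `lint_text()` on the contents of a real smb.conf. The checks are deliberately narrow: each one corresponds to a point raised in the thread or to a setting visible in the posted configuration, and the parser only normalises what Samba itself normalises (key case and whitespace, backslash continuation).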