Доброго времени! Хочу попросить сообщество помочь разобраться в проблеме:
FreeBSD8.2
nss_ldap-1.265_7
openldap-client-2.4.33
openldap-server-2.4.33
samba36-3.6.7
smbldap-tools-0.9.9

Поднят PDC с базой пользователей в LDAP. Аутентификация через PAM (pam_ldap / nss_ldap).
Работало без осложнений, пока не ушёл в отпуск.
В общем, LDAP не пускает в систему.
Ищет несуществующую группу.
/usr/local/etc/nss_ldap.conf
=======================================================
# NSS/PAM client configuration for the LDAP-backed PDC (nss_ldap / pam_ldap).
# NOTE(review): there is no binddn/bindpw and no ssl/tls directive, so every
# lookup is an anonymous simple bind over plain TCP (the slapd log below shows
# BIND dn="" method=128) -- whatever nss_ldap can read, any host on the LAN can read.
base dc=smbdomain,dc=local
bind_policy soft
bind_timelimit 10
host 192.168.0.4
idle_timelimit 3600
ldap_version 3
# Group lookups: one-level search under ou=Groups.
nss_base_group ou=Groups,dc=smbdomain,dc=local?one
# Account lookups are tried in this order: People first, then Computers
# (the slapd log below shows exactly this sequence for uid=operator).
nss_base_passwd ou=People,dc=smbdomain,dc=local?one
nss_base_passwd ou=Computers,dc=smbdomain,dc=local?one
nss_base_shadow ou=People,dc=smbdomain,dc=local?one
nss_connect_policy persist
nss_paged_results yes
pagesize 1000
port 389
scope one
timelimit 30
# NOTE(review): 'clear' sends the new password to the server in cleartext;
# with no TLS (no ssl/tls line, port 389) it is readable by anyone on the path.
pam_password clear
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_template_login_attribute uid
# NOTE(review): pam_member_attribute is the attribute pam_ldap tests against the
# pam_groupdn entry to decide membership. The posixGroup entries in this
# directory carry memberUid/gidNumber (see the Domain Admins entry at the end of
# the thread), not 'gid', so a membership test on 'gid' can never succeed --
# plausibly the "looks for a non-existent group" denial. 'memberUid' is the
# usual value for posixGroup. TODO confirm against pam_ldap.conf(5) for this version.
pam_member_attribute gid
pam_min_uid 1000
pam_max_uid 65530
pam_lookup_policy no
pam_check_host_attr no
pam_check_service_attr no
pam_groupdn cn=Domain Users,ou=Groups,dc=smbdomain,dc=local
=================================================================
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/mail.schema
# 256 = "stats": every connection, bind, search and result is logged
# (this is what produces the slapd.log excerpts below).
loglevel 256
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
# security
# NOTE(review): every security directive in this section is commented out, so
# the server accepts anonymous simple binds in the clear (slapd log: BIND dn=""
# method=128) and enforces no minimum SSF.
#ssf=1
#update_ssf=112
#simple_bind=64
#allow bind_v2
#disallow bind_anon
#require authc
# ACLs commented out for the duration of debugging.
# NOTE(review): with no 'access' directive slapd falls back to its built-in
# default, 'access to * by * read': every attribute of every entry -- userPassword
# and, on sambaSamAccount entries (which smbldap-tools creates), sambaNTPassword /
# sambaLMPassword -- is readable by anyone who can reach port 389. The anonymous
# 'ldapsearch -x' later in the thread returning the full Domain Admins entry
# confirms this. An NT hash is directly usable for pass-the-hash against the
# domain, so restore the ACLs before this goes back into service.
# NOTE(review): when re-enabling, mind the evaluation order -- the first matching
# 'access to' clause wins, so an 'attrs=' clause placed after 'access to *' is
# never reached; put the password clause first. A simple bind also needs
# 'by anonymous auth' on userPassword, otherwise 'by * none' breaks login for
# everyone. sambaNTPassword and sambaLMPassword need the same protection.
# NOTE(review): the peername mask below looks truncated ("%5.255.255.248");
# a /29 would be written %255.255.255.248 -- check before re-enabling.
#access to *
# by peername.ip=192.168.0.0%5.255.255.248 read
# by self =xw
# by * none
#access to attrs=userPassword,gidNumber
# by self =xw
# by * none
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=smbdomain,dc=local"
rootdn "cn=Manager,dc=smbdomain,dc=local"
# rootpw hash redacted by the poster ("Хэш" = "hash").
rootpw {SSHA}Хэш
directory /var/db/openldap-data
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber pres,eq
index gidNumber pres,eq
# Equality indexes on memberUID / uniqueMember cover the group-membership
# filters seen in the slapd log.
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
#
index uniqueMember eq,pres
index ou,mail,givenname pres,sub,eq
============================================================================
[root@dn] ~# smbclient //dn/root -Uroot%passwd
session setup failed: NT_STATUS_LOGON_FAILURE

(Замечание: пароль, переданный как -Uroot%passwd, виден другим пользователям системы через ps; безопаснее вводить его по запросу smbclient.)

less /var/log/slapd.log
Nov 19 11:15:00 dn slapd[3924]: conn=1011 fd=10 ACCEPT from IP=192.168.0.4:43875 (IP=192.168.0.4:389)
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=0 BIND dn="" method=128
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=0 RESULT tag=97 err=0 text=
Nov 19 11:15:00 dn slapd[3924]: connection_input: conn=1011 deferring operation: binding
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=1 SRCH base="ou=People,dc=smbdomain,dc=local" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=root))"
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=2 SRCH base="ou=Groups,dc=smbdomain,dc=local" scope=1 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=root)(uniqueMember=uid=root,ou=people,dc=smbdomain,dc=local)))"
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=2 SRCH attr=gidNumber
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=3 SRCH base="ou=Groups,dc=smbdomain,dc=local" scope=1 deref=0 filter="(&(objectClass=posixGroup)(uniqueMember=cn=domain admins,ou=groups,dc=smbdomain,dc=local))"
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=3 SRCH attr=gidNumber
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 19 11:15:00 dn slapd[3924]: conn=1011 fd=10 closed (connection lost)

uniqueMember=cn=domain admins — но: (Запрос op=3 с фильтром uniqueMember=cn=domain admins,… — судя по всему, проход nss_ldap по вложенным группам после того, как op=2 нашёл Domain Admins; nentries=0 здесь означает лишь, что Domain Admins не входит ни в какую другую группу, и ошибкой не является.)
# slapcat | grep 'cn=domain admins'
#
#net getlocalsid ns
failed to bind to server ldap://ns.smbdomain.local/ with dn="cn=Manager,dc=smbdomain,dc=local" Error: Can't contact LDAP server
(unknown)
Can't fetch domain SID for name: ns

less /var/log/slapd.log
Nov 19 12:11:00 dn slapd[3924]: conn=1029 fd=10 ACCEPT from IP=192.168.0.4:22346 (IP=192.168.0.4:389)
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=0 BIND dn="" method=128
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=0 RESULT tag=97 err=0 text=
Nov 19 12:11:00 dn slapd[3924]: connection_input: conn=1029 deferring operation: binding
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=1 SRCH base="ou=People,dc=smbdomain,dc=local" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=operator))"
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=2 SRCH base="ou=Computers,dc=smbdomain,dc=local" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=operator))"
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=3 SRCH base="ou=Groups,dc=smbdomain,dc=local" scope=1 deref=0 filter="(&(objectClass=posixGroup)(memberUid=operator))"
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=3 SRCH attr=gidNumber
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 19 12:11:00 dn slapd[3924]: conn=1029 fd=10 closed (connection lost)

SRCH attr=gidNumber — ясно, что проблема в этом. Но что предпринять?

Примечание: поиски с nentries=0 для uid=operator — это nss_ldap пытается найти в LDAP, по всей видимости, локальную системную учётную запись operator; в каталоге её нет, и NSS штатно переходит к /etc/passwd и /etc/group, так что это не ошибка. Ошибка выше — «Can't contact LDAP server» — это LDAP_SERVER_DOWN из libldap: Samba вообще не установила соединение с ldap://ns.smbdomain.local/ (в логе slapd нет ни одного BIND с dn="cn=Manager,…"). Сначала стоит проверить, что имя ns резолвится в 192.168.0.4 (slapd слушает именно там) и что ссылка на сервер в smb.conf (passdb backend / ldap admin dn) верна.
# slapcat | grep gidNumber
gidNumber: 0
gidNumber: 512
gidNumber: 513
gidNumber: 515
gidNumber: 544
gidNumber: 548
gidNumber: 550
gidNumber: 551
gidNumber: 552
gidNumber: 515
..............
# slapcat | grep 'cn=domain admins'
#

Виноват, запись присутствует. (Пустой вывод grep объясняется регистром: slapcat выводит «cn=Domain Admins», а grep чувствителен к регистру, поэтому `grep 'cn=domain admins'` ничего не находит — нужен `grep -i`; ldapsearch ниже запись находит, потому что сравнение cn в LDAP регистронезависимо.) Тем более не понятно, в чём дело.
~# ldapsearch -xLLL 'cn=domain admins'
dn: cn=Domain Admins,ou=Groups,dc=smbdomain,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-2492099779-3981522855-2891784192-512
sambaGroupType: 2
displayName: Domain Admins