URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi

Исходное сообщение
"LDAP и gidNumber. Не пускает в систему"

Отправлено oleg_skat , 19-Ноя-12 12:09 
Доброго времени!

Хочу попросить сообщество помочь разобраться в проблеме:
FreeBSD8.2
nss_ldap-1.265_7
openldap-client-2.4.33
openldap-server-2.4.33
samba36-3.6.7      
smbldap-tools-0.9.9

Поднят PDC с базой пользователей в LDAP. Аутентификация PAM.
Работало без осложнений, пока не ушёл в отпуск.
В общем, LDAP не пускает в систему.
Ищет несуществующую группу.


/usr/local/etc/nss_ldap.conf
=======================================================
base dc=smbdomain,dc=local
bind_policy soft
bind_timelimit 10
host 192.168.0.4
idle_timelimit 3600
ldap_version 3
nss_base_group  ou=Groups,dc=smbdomain,dc=local?one
nss_base_passwd ou=People,dc=smbdomain,dc=local?one
nss_base_passwd ou=Computers,dc=smbdomain,dc=local?one
nss_base_shadow ou=People,dc=smbdomain,dc=local?one
nss_connect_policy persist
nss_paged_results yes
pagesize 1000
port 389
scope one
timelimit 30
pam_password clear
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_template_login_attribute uid
pam_member_attribute gid
pam_min_uid 1000
pam_max_uid 65530
pam_lookup_policy no
pam_check_host_attr no
pam_check_service_attr no
pam_groupdn cn=Domain Users,ou=Groups,dc=smbdomain,dc=local

=================================================================
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/openldap.schema
include         /usr/local/etc/openldap/schema/samba.schema
include         /usr/local/etc/openldap/schema/mail.schema
loglevel 256
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
moduleload      back_bdb
# security
#ssf=1
#update_ssf=112
#simple_bind=64
#allow bind_v2
#disallow bind_anon
#require authc
#ACL на время отладки закомментировано (без директив access у slapd действует политика по умолчанию — чтение всего для всех, в том числе userPassword, при анонимном bind)
#access to *
#      by  peername.ip=192.168.0.0%5.255.255.248 read
#      by self =xw
#      by * none

#access to attrs=userPassword,gidNumber
#                by self =xw
#                by * none
#######################################################################
# BDB database definitions
#######################################################################
database        bdb
suffix          "dc=smbdomain,dc=local"
rootdn          "cn=Manager,dc=smbdomain,dc=local"
rootpw          {SSHA}Хэш
directory       /var/db/openldap-data
# Indices to maintain
index   objectClass     eq
index   cn              pres,sub,eq
index   sn              pres,sub,eq
index   uid             pres,sub,eq
index   displayName     pres,sub,eq
index   uidNumber       pres,eq
index   gidNumber       pres,eq
index   memberUID               eq
index   sambaSID                eq
index   sambaPrimaryGroupSID    eq
index   sambaDomainName         eq
index   default                 sub
#
index   uniqueMember             eq,pres
index ou,mail,givenname    pres,sub,eq
============================================================================
[root@dn] ~# smbclient //dn/root -Uroot%passwd
session setup failed: NT_STATUS_LOGON_FAILURE

less /var/log/slapd.log
Nov 19 11:15:00 dn slapd[3924]: conn=1011 fd=10 ACCEPT from IP=192.168.0.4:43875 (IP=192.168.0.4:389)
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=0 BIND dn="" method=128
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=0 RESULT tag=97 err=0 text=
Nov 19 11:15:00 dn slapd[3924]: connection_input: conn=1011 deferring operation: binding
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=1 SRCH base="ou=People,dc=smbdomain,dc=local" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=root))"
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=2 SRCH base="ou=Groups,dc=smbdomain,dc=local" scope=1 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=root)(uniqueMember=uid=root,ou=people,dc=smbdomain,dc=local)))"
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=2 SRCH attr=gidNumber
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=3 SRCH base="ou=Groups,dc=smbdomain,dc=local" scope=1 deref=0 filter="(&(objectClass=posixGroup)(uniqueMember=cn=domain admins,ou=groups,dc=smbdomain,dc=local))"
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=3 SRCH attr=gidNumber
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 19 11:15:00 dn slapd[3924]: conn=1011 fd=10 closed (connection lost)

uniqueMember=cn=domain admins — но:

# slapcat | grep 'cn=domain admins'
#
#net getlocalsid ns
failed to bind to server ldap://ns.smbdomain.local/ with dn="cn=Manager,dc=smbdomain,dc=local" Error: Can't contact LDAP server
        (unknown)
Can't fetch domain SID for name: ns

less /var/log/slapd.log
Nov 19 12:11:00 dn slapd[3924]: conn=1029 fd=10 ACCEPT from IP=192.168.0.4:22346 (IP=192.168.0.4:389)
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=0 BIND dn="" method=128
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=0 RESULT tag=97 err=0 text=
Nov 19 12:11:00 dn slapd[3924]: connection_input: conn=1029 deferring operation: binding
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=1 SRCH base="ou=People,dc=smbdomain,dc=local" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=operator))"
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=2 SRCH base="ou=Computers,dc=smbdomain,dc=local" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=operator))"
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=3 SRCH base="ou=Groups,dc=smbdomain,dc=local" scope=1 deref=0 filter="(&(objectClass=posixGroup)(memberUid=operator))"
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=3 SRCH attr=gidNumber
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 19 12:11:00 dn slapd[3924]: conn=1029 fd=10 closed (connection lost)

SRCH attr=gidNumber — ясно, что проблема в этом. Но что предпринять?

# slapcat | grep gidNumber
gidNumber: 0
gidNumber: 512
gidNumber: 513
gidNumber: 515
gidNumber: 544
gidNumber: 548
gidNumber: 550
gidNumber: 551
gidNumber: 552
gidNumber: 515
..............


"LDAP и gidNumber. Не пускает в систему"
Отправлено oleg_skat , 19-Ноя-12 14:03 
# slapcat | grep 'cn=domain admins'
#

Виноват, запись присутствует. Тем более непонятно, в чём дело.

~# ldapsearch -xLLL 'cn=domain admins'
dn: cn=Domain Admins,ou=Groups,dc=smbdomain,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-2492099779-3981522855-2891784192-512
sambaGroupType: 2
displayName: Domain Admins