Hello,
Since I have trouble with ipasam I am now trying to get ldapsam working.
I have an IPA user for the bind in smb.conf.
The problem is that smb and winbind won't start because it wants to create
the domain info. This user has no privilege for that. My question is:
what privilege does such a user need in IPA?
Or, is it perhaps possible to run ipa-adtrust-install --add-sids on this Samba
server (which is not an IPA master)?
Part of my smb.conf:
###################################################
# Global parameters
[global]
create krb5 conf = No
dedicated keytab file = /etc/samba/samba.keytab
disable spoolss = Yes
domain logons = Yes
domain master = Yes
kerberos method = dedicated keytab
ldap debug level = 99
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
ldap ssl = no
ldap suffix = dc=example,dc=com
ldap user suffix = cn=users,cn=accounts
ldap admin dn = uid=samba_admin,cn=users,cn=accounts,dc=example,dc=com
#log level = 99
log level = 1
log file = /var/log/samba/log.%m
max log size = 100000
# passdb backend = ipasam:ldaps://rotte.example.com
passdb backend = ldapsam:ldap://rotte.example.com
realm = EXAMPLE.COM
registry shares = Yes
security = USER
workgroup = EXAMPLE
rpc_daemon:lsasd = fork
rpc_daemon:epmd = fork
rpc_server:tcpip = yes
rpc_server:netlogon = external
rpc_server:samr = external
rpc_server:lsasd = external
rpc_server:lsass = external
rpc_server:lsarpc = external
#rpc_server:epmapper = external
ldapsam:trusted = yes
idmap config * : backend = tdb
###################################################
The error I'm getting is:
###################################################
[2022/10/17 10:28:05.097093, 0]
../../source3/passdb/pdb_ldap_util.c:313(smbldap_search_domain_info)
smbldap_search_domain_info: Adding domain info for EXAMPLE failed with
NT_STATUS_UNSUCCESSFUL
[2022/10/17 10:28:05.097202, 0]
../../source3/passdb/pdb_ldap.c:6754(pdb_ldapsam_init_common)
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We
cannot work reliably without it.
[2022/10/17 10:28:05.097307, 0]
../../source3/passdb/pdb_interface.c:181(make_pdb_method_name)
pdb backend ldapsam:ldap://rotte.example.com did not correctly init (error was
NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2022/10/17 10:28:05.097524, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Failed to initialize passdb backend! Check the
'passdb backend' variable in your smb.conf file., error code 22
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/openldap/ldap.conf
ldap_init: using /etc/openldap/ldap.conf
ldap_url_parse_ext(ldaps://rotte.example.com)
ldap_init: HOME env is NULL
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
[2022/10/17 10:41:56.487397, 0] ../../source3/winbindd/winbindd.c:1723(main)
winbindd version 4.16.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2022
[2022/10/17 10:41:56.487826, 1]
../../lib/param/loadparm.c:1766(lpcfg_do_global_parameter)
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2022/10/17 10:41:56.509672, 1]
../../source3/passdb/pdb_ldap_util.c:235(add_new_domain_info)
add_new_domain_info: failed to add domain dn= sambaDomainName=EXAMPLE,dc=example,dc=com
with: Insufficient access
Insufficient 'add' privilege to add the entry
'sambaDomainName=EXAMPLE,dc=example,dc=com'.
[2022/10/17 10:41:56.509704, 0]
../../source3/passdb/pdb_ldap_util.c:313(smbldap_search_domain_info)
smbldap_search_domain_info: Adding domain info for EXAMPLE failed with
NT_STATUS_UNSUCCESSFUL
[2022/10/17 10:41:56.509731, 0]
../../source3/passdb/pdb_ldap.c:6754(pdb_ldapsam_init_common)
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We
cannot work reliably without it.
[2022/10/17 10:41:56.509748, 0]
../../source3/passdb/pdb_interface.c:181(make_pdb_method_name)
pdb backend ldapsam:ldap://rotte.example.com did not correctly init (error was
NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2022/10/17 10:41:56.509791, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Failed to initialize passdb backend! Check the
'passdb backend' variable in your smb.conf file., error code 22
###################################################
--
Kees