G'day!
I can't get LDAP to work on my filer at all! I know other people have it working so I must be doing something wrong. Can someone sanity check my config?
Here's the setup:
FAS3140 running 7.3.1.1
OpenLDAP 2.3.43
Samba 3.0.33
QTree with Unix style permissions.
Samba NT4 domain with LDAP backend.
Linux hosts authenticate to LDAP directly.
Windows hosts authenticate to LDAP via Samba domain controller.
Windows usernames are the same as Linux usernames.
What works:
Linux LDAP authentication.
Windows LDAP/Domain authentication.
Filer can join Windows domain (Option 1 or 2 in 'cifs setup' command authentication question.)
NFS mounts from Linux. (Correct Unix permissions.)
CIFS mounts if 'wafl.default_unix_user' is set to 'pcuser'. (Auth via domain seems to work but all CIFS users are mapped to this user.)
What doesn't work:
getXXbyYY getpwbyname_r username (Returns 'Could not get passwd entry for name = username')
wcc -u username (returns 'no passwd entry for username')
wcc -s username (returns Domain user information but has 'UNIX uid = 65534')
Setting 'wafl.default_unix_user' to null results in 'Permission denied' message during CIFS mount.
Output during a CIFS mount attempt when 'cifs.trace_login' is ON:
With wafl.default_unix_user=pcuser:
Thu Sep 3 11:30:14 BST [AWFiler002: auth.trace.authenticateUser.loginTraceIP:info]: AUTH: Login attempt by user smcewan of domain CGI2 from client machine 172.17.52.123 (OAK).
Thu Sep 3 11:30:14 BST [AWFiler002: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- attempting authentication with domain controller \\AW-LDAP.
Thu Sep 3 11:30:14 BST [AWFiler002: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: User from 172.17.52.123 authenticated by DC.
Thu Sep 3 11:30:14 BST [AWFiler002: auth.trace.mapNTToUnix:info]: AUTH: Mapping Windows user smcewan to Unix user smcewan.
Thu Sep 3 11:30:14 BST [AWFiler002: auth.trace.mapNTToUnix:info]: AUTH: Mapping Windows user smcewan to Unix user pcuser.
Thu Sep 3 11:30:14 BST [AWFiler002: auth.trace.authenticateUser.loginAccepted:info]: AUTH: Login by smcewan from 172.17.52.123 accepted.
(Mount succeeds but all access is mapped to the 'pcuser' Unix user.)
With wafl.default_unix_user="":
Thu Sep 3 10:59:27 BST [AWFiler002: auth.trace.authenticateUser.loginTraceIP:info]: AUTH: Login attempt by user smcewan of domain CGI2 from client machine 172.17.52.123 (OAK).
Thu Sep 3 10:59:27 BST [AWFiler002: auth.dc.trace.DCConnection.statusMsg:info]: AUTH: TraceDC- attempting authentication with domain controller \\AW-LDAP.
Thu Sep 3 10:59:28 BST [AWFiler002: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: User from 172.17.52.123 authenticated by DC.
Thu Sep 3 10:59:28 BST [AWFiler002: auth.trace.mapNTToUnix:info]: AUTH: Mapping Windows user smcewan to Unix user smcewan.
Thu Sep 3 10:59:28 BST [AWFiler002: auth.mapNTToUnix.failed:error]: AUTH: Error mapping NT user smcewan to Unix user: 0xc0000001 (Unix user name not valid). Login is rejected.
(Mount fails with 'Permission denied'.)
Leaving the Domain and choosing option 4 (passwd, NIS or LDAP auth) during 'cifs setup' results in an 'Input/Output' error on the CIFS client and NO authentication trace messages from the filer. I don't really care if the filer is part of the Domain or not (we're 95% Linux) as long as I can get Windows clients to read and write files with the correct Unix ownership.
From the above, and the fact that I'm not seeing any connections from the filer to the LDAP server, I've come to the conclusion that the filer isn't talking to the LDAP server at all.
My 'options ldap' output:
ldap.ADdomain
ldap.base dc=mydomain,dc=com
ldap.base.group ou=Groups,dc=mydomain,dc=com
ldap.base.netgroup
ldap.base.passwd ou=Users,dc=mydomain,dc=com
ldap.enable on
ldap.minimum_bind_level anonymous
ldap.name
ldap.nssmap.attribute.gecos gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory homeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid uid
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.userPassword userPassword
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount posixAccount
ldap.nssmap.objectClass.posixGroup posixGroup
ldap.passwd ******
ldap.port 389
ldap.servers ldap.mydomain.com
ldap.servers.preferred ldap.mydomain.com
ldap.ssl.enable off
ldap.timeout 20
ldap.usermap.attribute.unixaccount unixaccount
ldap.usermap.attribute.windowsaccount windowsaccount
ldap.usermap.base
ldap.usermap.enable off
My /etc/nsswitch.conf file:
hosts: files nis dns
passwd: ldap files nis
netgroup: ldap files nis
group: ldap files nis
shadow: files nis
/etc/usermap.cfg is empty.
I'm at a loss. Can anyone offer some advice?
Thanks!
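The two trace excerpts above show the failure mode that matters here: with wafl.default_unix_user set, every Windows login that cannot be resolved through LDAP is silently collapsed onto one Unix identity, so per-user ownership on the qtree is lost. The following is an added example (not from the original post, not a NetApp tool) that parses auth trace lines of the format quoted above and flags each accepted login as 'ok' or 'fallback', and each rejected mapping as 'rejected'; the sample lines are constructed from the post's own messages and the function and pattern names are my own.

```python
import re

# Constructed sample: three trace messages of the kinds quoted in the post,
# an accepted login that fell back to pcuser and a rejected one.
SAMPLE_TRACE = """\
Thu Sep 3 11:30:14 BST [AWFiler002: auth.trace.mapNTToUnix:info]: AUTH: Mapping Windows user smcewan to Unix user smcewan.
Thu Sep 3 11:30:14 BST [AWFiler002: auth.trace.mapNTToUnix:info]: AUTH: Mapping Windows user smcewan to Unix user pcuser.
Thu Sep 3 11:30:14 BST [AWFiler002: auth.trace.authenticateUser.loginAccepted:info]: AUTH: Login by smcewan from 172.17.52.123 accepted.
Thu Sep 3 10:59:28 BST [AWFiler002: auth.trace.mapNTToUnix:info]: AUTH: Mapping Windows user smcewan to Unix user smcewan.
Thu Sep 3 10:59:28 BST [AWFiler002: auth.mapNTToUnix.failed:error]: AUTH: Error mapping NT user smcewan to Unix user: 0xc0000001 (Unix user name not valid). Login is rejected.
"""

# Patterns derived from the message text shown in the trace excerpts.
MAP_RE = re.compile(r"auth\.trace\.mapNTToUnix:info\]: AUTH: Mapping Windows user (\S+) to Unix user (\S+)\.")
FAIL_RE = re.compile(r"auth\.mapNTToUnix\.failed:error\]: AUTH: Error mapping NT user (\S+) to Unix user")
ACCEPT_RE = re.compile(r"loginAccepted:info\]: AUTH: Login by (\S+) from \S+ accepted\.")


def analyse_trace(text, default_unix_user="pcuser"):
    """Return a list of (windows_user, verdict, unix_user) in log order.

    verdict is 'ok' when the login was accepted with a real per-user mapping,
    'fallback' when the final mapping before acceptance was the configured
    default Unix user, and 'rejected' when the filer logged a mapping failure.
    """
    last_map = {}   # windows user -> most recent Unix user the filer mapped it to
    events = []
    for line in text.splitlines():
        m = MAP_RE.search(line)
        if m:
            last_map[m.group(1)] = m.group(2)
            continue
        m = FAIL_RE.search(line)
        if m:
            events.append((m.group(1), "rejected", None))
            continue
        m = ACCEPT_RE.search(line)
        if m:
            win = m.group(1)
            unix = last_map.get(win)
            verdict = "fallback" if unix == default_unix_user else "ok"
            events.append((win, verdict, unix))
    return events


if __name__ == "__main__":
    for win, verdict, unix in analyse_trace(SAMPLE_TRACE):
        print(f"{win}: {verdict} (unix user: {unix})")
```

Run it against `cifs.trace_login` output pulled from the filer's messages log; a steady stream of 'fallback' verdicts means LDAP lookups are not resolving and accountability on the share has collapsed onto the default user.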