Nie jesteś zalogowany.
Jeśli nie posiadasz konta, zarejestruj je już teraz! Pozwoli Ci ono w pełni korzystać z naszego serwisu. Spamerom dziękujemy!
Prosimy o pomoc dla małej Julki — przekaż 1% podatku na Fundacji Dzieciom zdazyć z Pomocą.
Więcej informacji na dug.net.pl/pomagamy/.
Strony: 1
Skonfigurowalem sambe+ldapa wg tego: [url]http://stary.dug.net.pl/faq/faq-3-246-Samba___LDAP___Debian.php[/url].
Wszystko dziala elegancko, tylko teraz chcialem jeszcze dorzucic SSL/TSL, do osiagniecia czego skorzystalem z tego poradnika: [url]http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html[/url].
Tego niestety juz nie potrafie ogarnac, a zrobilem tak:
/etc/default/slapd:
SLAPD_SERVICES="ldaps://127.0.0.1:636/
/etc/ldap/slapd.conf:
TLSCACertificateFile /etc/ldap/cacert.pem TLSCerificateFile /etc/ldap/servercrt.pem TLSCertificateKeyFile /etc/ldap/serverkey.pem #TLSCipherSuite HIGH:MEDIUM:-SSLv2 TLSVerifyClient demand
/etc/ldap/ldap.conf:
URI ldaps://127.0.0.1:636/ HOST localhost PORT 636 TLS_CACERT /etc/ldap/cacert.pem TLS_REQCERT demand
Co do powyzszego to do [i]TLSCipherSuite[/i] pochodza mi wartosci z:
root@debian:~# gnutls-cli -l Cipher suites: TLS_ANON_DH_ARCFOUR_MD5 0x00, 0x18 SSL3.0 TLS_ANON_DH_3DES_EDE_CBC_SHA1 0x00, 0x1b SSL3.0 TLS_ANON_DH_AES_128_CBC_SHA1 0x00, 0x34 SSL3.0 TLS_ANON_DH_AES_256_CBC_SHA1 0x00, 0x3a SSL3.0 TLS_ANON_DH_CAMELLIA_128_CBC_SHA1 0x00, 0x46 TLS1.0 TLS_ANON_DH_CAMELLIA_256_CBC_SHA1 0x00, 0x89 TLS1.0 TLS_PSK_SHA_ARCFOUR_SHA1 0x00, 0x8a TLS1.0 TLS_PSK_SHA_3DES_EDE_CBC_SHA1 0x00, 0x8b TLS1.0 TLS_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x8c TLS1.0 TLS_PSK_SHA_AES_256_CBC_SHA1 0x00, 0x8d TLS1.0 TLS_DHE_PSK_SHA_ARCFOUR_SHA1 0x00, 0x8e TLS1.0 TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1 0x00, 0x8f TLS1.0 TLS_DHE_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x90 TLS1.0 TLS_DHE_PSK_SHA_AES_256_CBC_SHA1 0x00, 0x91 TLS1.0 TLS_SRP_SHA_3DES_EDE_CBC_SHA1 0xc0, 0x1a TLS1.0 TLS_SRP_SHA_AES_128_CBC_SHA1 0xc0, 0x1d TLS1.0 TLS_SRP_SHA_AES_256_CBC_SHA1 0xc0, 0x20 TLS1.0 TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 0xc0, 0x1c TLS1.0 TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 0xc0, 0x1b TLS1.0 TLS_SRP_SHA_DSS_AES_128_CBC_SHA1 0xc0, 0x1f TLS1.0 TLS_SRP_SHA_RSA_AES_128_CBC_SHA1 0xc0, 0x1e TLS1.0 TLS_SRP_SHA_DSS_AES_256_CBC_SHA1 0xc0, 0x22 TLS1.0 TLS_SRP_SHA_RSA_AES_256_CBC_SHA1 0xc0, 0x21 TLS1.0 TLS_DHE_DSS_ARCFOUR_SHA1 0x00, 0x66 TLS1.0 TLS_DHE_DSS_3DES_EDE_CBC_SHA1 0x00, 0x13 SSL3.0 TLS_DHE_DSS_AES_128_CBC_SHA1 0x00, 0x32 SSL3.0 TLS_DHE_DSS_AES_256_CBC_SHA1 0x00, 0x38 SSL3.0 TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1 0x00, 0x44 TLS1.0 TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1 0x00, 0x87 TLS1.0 TLS_DHE_RSA_3DES_EDE_CBC_SHA1 0x00, 0x16 SSL3.0 TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33 SSL3.0 TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39 SSL3.0 TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 0x00, 0x45 TLS1.0 TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 0x00, 0x88 TLS1.0 TLS_RSA_NULL_MD5 0x00, 0x01 SSL3.0 TLS_RSA_EXPORT_ARCFOUR_40_MD5 0x00, 0x03 SSL3.0 TLS_RSA_ARCFOUR_SHA1 0x00, 0x05 SSL3.0 TLS_RSA_ARCFOUR_MD5 0x00, 0x04 SSL3.0 TLS_RSA_3DES_EDE_CBC_SHA1 0x00, 0x0a SSL3.0 TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f SSL3.0 TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 SSL3.0 TLS_RSA_CAMELLIA_128_CBC_SHA1 0x00, 0x41 TLS1.0 TLS_RSA_CAMELLIA_256_CBC_SHA1 0x00, 0x84 TLS1.0 Certificate types: X.509, OPENPGP Protocols: SSL3.0, TLS1.0, TLS1.1, TLS1.2 Ciphers: AES-256-CBC, AES-128-CBC, 3DES-CBC, DES-CBC, ARCFOUR-128, ARCFOUR-40, RC2-40, CAMELLIA-256-CBC, CAMELLIA-128-CBC, NULL MACs: SHA1, MD5, SHA256, SHA384, SHA512, MD2, RIPEMD160, NULL Key exchange algorithms: ANON-DH, RSA, RSA-EXPORT, DHE-RSA, DHE-DSS, SRP-DSS, SRP-RSA, SRP, PSK, DHE-PSK Compression: DEFLATE, NULL
I co najgorsze musze podawac takimi dlugimi nazwami, da sie to podac jakos prosciej tak zeby wymusic tylko szyfrowania bazujace na SSL3?
Teraz problemu:
1. Jak ustawie [i]TLSVerifyCert[/i] i [i]TLS_REQCERT[/i] na demand to mam cos takiego:
root@debian:~# openssl s_client -connect localhost:636 -state -CAfile /etc/ldap/cacert.pem CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=1 /C=PL/ST=x/O=Kubkomowa/CN=kubkomowa.pl/emailAddress=x@y.com verify return:1 depth=0 /C=PL/ST=x/L=y/O=Kubkomowa/CN=test.kubkomowa.pl/emailAddress=x@y.com verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:failed in SSLv3 read finished A 3464:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
logi:
Jan 3 19:25:38 debian slapd[3460]: conn=1 fd=13 ACCEPT from IP=127.0.0.1:34183 (IP=127.0.0.1:636) Jan 3 19:25:38 debian slapd[3460]: conn=1 fd=13 closed (TLS negotiation failure)
Natomiast bez tego dziala bez problemu. Z tego co wygoglowalem to brakuje mi certyfikatu klienta ale nie mam pojecia jak mam go dodac/zrobic. :(
Nastepnym problemem jest:
root@debian:~# ldapsearch -x -b ="dc=test,dc=kubkomowa,dc=pl" ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
badz
root@debian:~# ldapsearch ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
Prosilbym o wskazowki, nie jestem w tym gdyz nie jestem w tym za bardzo obeznany.
Ostatnio edytowany przez kuebk (2011-01-04 14:13:03)
Offline
A wklej wynik polecenia:
openssl x509 -noout -in /etc/ldap/servercrt.pem -issuer -subject -dates
Offline
root@debian:~# openssl x509 -noout -in /etc/ldap/servercrt.pem -issuer -subject -dates issuer= /C=PL/ST=x/O=Kubkomowa/CN=kubkomowa.pl/emailAddress=x@y.com subject= /C=PL/ST=x/L=y/O=Kubkomowa/CN=test.kubkomowa.pl/emailAddress=x@y.com notBefore=Jan 3 15:34:55 2011 GMT notAfter=Jan 3 15:34:55 2012 GMT
Offline
A w sumie można to było wyczytać z pierwszego posta. Zdaje mi się, że powinieneś skonfigurować serwer tak by działał na takim samym adresie jak issuer name w certyfikacie czyli kubkomowa.pl zamiast 127.0.0.1. I łącz się na kubkomowa.pl, ta nazwa jest porównywana z tym co w certyfikacie przy SSL handshake. Jeśli się nie zgadza może powodować taki błąd jak opisałeś. Spróbuj.
Offline
Ok, zrobilem tak jak mowiles:
/etc/default/slapd:
SLAPD_SERVICES="ldaps://test.kubkomowa.pl:636/
/etc/ldap/ldap.conf:
URI ldaps://test.kubkomowa.pl:636/ HOST test.kubkomowa.pl
Certyfikaty sobie jeszcze raz wygenerowalem tak zebym mial na [i]test.kubkomowa.pl[/i] i problem jest dalej taki sam:
root@debian:~/certs# openssl s_client -connect test.kubkomowa.pl:636 -state -CAfile /etc/ldap/cacert.pem CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=1 /C=PL/ST=Some-State/O=Kubkomowa/CN=test.kubkomowa.pl verify return:1 depth=0 /C=PL/ST=Some-State/O=Kubkomowa/CN=test.kubkomowa.pl verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:failed in SSLv3 read finished A 3785:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
root@debian:~/certs# openssl x509 -noout -in /etc/ldap/servercrt.pem -issuer -subject -dates issuer= /C=PL/ST=Some-State/O=Kubkomowa/CN=test.kubkomowa.pl subject= /C=PL/ST=Some-State/O=Kubkomowa/CN=test.kubkomowa.pl notBefore=Jan 3 19:46:11 2011 GMT notAfter=Jan 3 19:46:11 2012 GMT
Offline
O coś wyczytałem (polecam). Chcesz mieć połączenie do LDAP-a szyfrowane czy chcesz także mieć autoryzację certyfikatem? Twoja konfiguracja wymaga dostarczenia certyfikatu przez klienta, opcja "TLSVerifyClient demand" , więc łącząc się przy pomocy openssl powinieneś go podać po opcji -cert. Pytanie co jest twoim zamierzeniem czy chcesz mieć tylko szyfrowanego LDAP-a czy także autoryzacje certyfikatem.
Offline
Dzieki, cos sie ruszylo ale nie do konca, mianowicie
root@debian:~/certs# openssl s_client -connect test.kubkomowa.pl:636 -state -CAfile /etc/ldap/cacert.pem -key /etc/smbldap-tools/ldap.client.key.pem -cert /etc/smbldap-tools/ldap.client.pem CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=1 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl verify return:1 depth=0 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write certificate verify A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A --- Certificate chain 0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl --- Server certificate -----BEGIN CERTIFICATE----- blablabla -----END CERTIFICATE----- subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl --- Acceptable client certificate CA names /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.kubkomowa.pl --- SSL handshake has read 1132 bytes and written 1203 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 1024 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 58E018390F16B3451D97EF409CCF348CD037356A4A9335BE3ACA60FEB83A9B4F Session-ID-ctx: Master-Key: 0CDC4508CBBCAE9006C3C00D3946D2CCCDB6472A56EE531F4727E1EA3FBF473FE6CB5E68200900109E64C5B11BC7088A Key-Arg : None Start Time: 1294086367 Timeout : 300 (sec) Verify return code: 0 (ok) --- SSL3 alert read:warning:close notify closed SSL3 alert write:warning:close notify
ale w logach mam:
Jan 3 21:26:07 debian slapd[4127]: conn=4 fd=13 ACCEPT from IP=192.168.180.129:52865 (IP=192.168.180.129:636) Jan 3 21:26:07 debian slapd[4127]: conn=4 fd=13 closed (TLS negotiation failure)
Domyslam sie ze problem moze byc podany CommonName w certyfikatach dla klienta ale nie wiem co mam tam wpisac. :(
EDIT: Co do dalszej czesci wypowiedzi to zalezy mi zarowno na szyfrowaniu jak i autoryzowaniu poszczegolnych klientow.
Ostatnio edytowany przez kuebk (2011-01-03 21:32:57)
Offline
[quote=kuebk]EDIT: Co do dalszej czesci wypowiedzi to zalezy mi zarowno na szyfrowaniu jak i autoryzowaniu poszczegolnych klientow.[/quote]
Autoryzowanie jak najbardziej, pytanie czy na pewno chcesz to robić przy użyciu certyfikatów. Mógłbyś użyć innych mechanizmów np. najprostsze login/hasło. Trzeba odróżnić dwie rzeczy: szyfrowanie połączenia i autoryzację. Szyfrowanie połączenia wymaga posiadania certyfikatu na serwerze bo używasz SSL/TLS, ale raczej nie oznacza konieczności używania certyfikatu klienta do autoryzacji. Są inne sposoby najlepiej poczytać: http://www.openldap.org/doc/admin24/security.html , http://www.openldap.org/doc/admin24/tls.html . W sumie nie mam wielkiego doświadczenia z LDAP, ale pewnie kwestia jest taka sama jak w przypadku serwera WWW, SMTP itp. Gdzie możesz mieć szyfrowane połączenia SSL/TLS, a autoryzacja najczęściej odbywa się przy pomocy pary login/hasło. Rzadziej stosuje się autoryzację wymagając certyfikatu klienta. Lepiej poczytaj dokumentację w całości będziesz wiedział wszystko, ja trochę nie mam na to czasu ;]
Offline
Zrezygnowalem z autoryzacji klienta poprzez certyfikaty, wszystko juz prawie zrobilem tylko mam jeszcze kilka problemow, samba uparcie probuje robic StartTLS jak juz jest zrobione.
[2011/01/04 01:50:45.408459, 3] winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains) [ 3013]: list trusted domains [2011/01/04 01:50:45.415006, 0] lib/smbldap.c:731(smb_ldap_start_tls) Failed to issue the StartTLS instruction: Operations error [2011/01/04 01:50:45.415030, 1] lib/smbldap.c:1330(another_ldap_try) Connection to LDAP server failed for the 1 try! [2011/01/04 01:50:46.415748, 3] winbindd/winbindd_misc.c:166(winbindd_dual_list_trusted_domains) winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL [2011/01/04 01:50:46.415840, 1] winbindd/winbindd_util.c:289(trustdom_recv) Could not receive trustdoms [2011/01/04 01:55:45.408690, 3] winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains) [ 3013]: list trusted domains [2011/01/04 01:55:45.415181, 0] lib/smbldap.c:731(smb_ldap_start_tls) Failed to issue the StartTLS instruction: Operations error [2011/01/04 01:55:45.415196, 1] lib/smbldap.c:1330(another_ldap_try) Connection to LDAP server failed for the 1 try! [2011/01/04 01:55:46.415999, 3] winbindd/winbindd_misc.c:166(winbindd_dual_list_trusted_domains) winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL [2011/01/04 01:55:46.416086, 1] winbindd/winbindd_util.c:289(trustdom_recv) Could not receive trustdoms [2011/01/04 02:00:45.412059, 3] winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains) [ 3013]: list trusted domains [2011/01/04 02:00:45.418513, 0] lib/smbldap.c:731(smb_ldap_start_tls) Failed to issue the StartTLS instruction: Operations error [2011/01/04 02:00:45.418528, 1] lib/smbldap.c:1330(another_ldap_try) Connection to LDAP server failed for the 1 try! [2011/01/04 02:00:46.419439, 3] winbindd/winbindd_misc.c:166(winbindd_dual_list_trusted_domains) winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL [2011/01/04 02:00:46.419530, 1] winbindd/winbindd_util.c:289(trustdom_recv) Could not receive trustdoms [2011/01/04 02:05:45.412294, 3] winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains) [ 3013]: list trusted domains [2011/01/04 02:05:45.419047, 0] lib/smbldap.c:731(smb_ldap_start_tls) Failed to issue the StartTLS instruction: Operations error [2011/01/04 02:05:45.419091, 1] lib/smbldap.c:1330(another_ldap_try) Connection to LDAP server failed for the 1 try! [2011/01/04 02:05:46.419608, 3] winbindd/winbindd_misc.c:166(winbindd_dual_list_trusted_domains) winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL [2011/01/04 02:05:46.419693, 1] winbindd/winbindd_util.c:289(trustdom_recv) Could not receive trustdoms
W logach sladp wyglada to tak:
Jan 4 01:08:33 debian slapd[3539]: conn=9 fd=17 ACCEPT from IP=192.168.180.129:35624 (IP=192.168.180.129:636) Jan 4 01:08:33 debian slapd[3539]: conn=9 fd=17 TLS established tls_ssf=128 ssf=128 Jan 4 01:08:33 debian slapd[3539]: conn=9 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Jan 4 01:08:33 debian slapd[3539]: conn=9 op=0 STARTTLS Jan 4 01:08:33 debian slapd[3539]: conn=9 op=0 RESULT oid= err=1 text=TLS already started Jan 4 01:08:34 debian slapd[3539]: conn=9 op=1 SRCH base="dc=test,dc=kubkomowa,dc=pl" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=0))" Jan 4 01:08:34 debian slapd[3539]: conn=9 op=1 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass Jan 4 01:08:34 debian slapd[3539]: conn=9 op=1 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required
Wyglada na to ze samba probuje zainicjowac TLS mimo tego ze juz jest co skutkuje err=1 a potem err=53.
Ostatnio edytowany przez kuebk (2011-01-04 02:07:54)
Offline
A ustawiłeś autoryzację połączenia samby z LDAP?
Offline
Wydaje mi sie ze wszystko jest ustawione poprawnie, tymbardziej ze to tylko winbind cos grymasi.
[global] workgroup = ELOSZKA netbios name = CZUPAKABRA server string = Samba PDC socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_SNDBUF=8192 SO_RCVBUF=8192 os level = 65 preferred master = yes local master = yes domain master = yes domain logons = yes security = user guest ok = no encrypt passwords = yes null passwords = no hosts allow = 127.0.0.1 192.168.1.0/24 192.168.180.0/24 wins support = yes name resolve order = wins lmhosts host bcast dns proxy = no log file = /var/log/smb/log.%m log level = 3 syslog = 0 max log size = 1024 ;hide unreadable = yes ;hide dot files = yes passdb backend = ldapsam:ldaps://test.kubkomowa.pl:636 ldap suffix = dc=test,dc=kubkomowa,dc=pl ldap machine suffix = ou=Computers ldap user suffix = ou=Users ldap group suffix = ou=Groups ldap idmap suffix = ou=Idmap ldap admin dn = cn=admin,dc=test,dc=kubkomowa,dc=pl enable privileges = yes logon home = \\%L\%U logon path = \\%L\profiles logon drive = Z: logon script = logon.cmd time server = yes ldap ssl = no ldap passwd sync = yes ldap delete dn = yes passwd program = /usr/sbin/smbldap-passwd %u passwd chat = *New*password* %nn *Retype*new*password* %nn *all*authentication*tokens*updated* add user script = /usr/sbin/smbldap-useradd -m "%u" delete user script = /usr/sbin/smbldap-userdel "%u" add machine script = /usr/sbin/smbldap-useradd -w "%u" add group script = /usr/sbin/smbldap-groupadd -p "%g" delete group script = /usr/sbin/smbldap-groupdel "%g" add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g" set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u" unix charset = ISO8859-2 dos charset = CP852 idmap backend = ldap:"ldaps://test.kubkomowa.pl:636" idmap alloc backend = ldap:"ldaps://test.kubkomowa.pl:636" idmap uid = 10000 - 20000 idmap gid = 10000 - 20000
Chociaz jak teraz robie tak:
debian:~# wbinfo -i test8 test8:*:3009:512:test8:/home/ELOSZKA/test8:/bin/false
To po logach wyglada na to ze problem przez noc przestal wystepowac
[2011/01/04 10:47:39.020394, 3] winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains) [ 3015]: list trusted domains [2011/01/04 10:47:39.177549, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version) [ 3673]: request interface version [2011/01/04 10:47:39.177616, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir) [ 3673]: request location of privileged pipe [2011/01/04 10:47:39.177699, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send) getpwnam test8 [2011/01/04 10:47:39.178596, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: test8 [2011/01/04 10:47:39.180168, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: test8
Jan 4 10:47:39 debian slapd[2706]: conn=4 op=24 SRCH base="sambaDomainName=ELOSZKA,dc=test,dc=kubkomowa,dc=pl" scope=2 deref=0 filter="(objectClass=sambaTrustedDomainPassword)" Jan 4 10:47:39 debian slapd[2706]: conn=4 op=24 SRCH attr=sambaDomainName sambaSID Jan 4 10:47:39 debian slapd[2706]: conn=4 op=24 SEARCH RESULT tag=101 err=0 nentries=0 text= Jan 4 10:47:39 debian slapd[2706]: conn=4 op=25 SRCH base="dc=test,dc=kubkomowa,dc=pl" scope=2 deref=0 filter="(&(uid=test8)(objectClass=sambaSamAccount))" Jan 4 10:47:39 debian slapd[2706]: conn=4 op=25 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos Jan 4 10:47:39 debian slapd[2706]: <= bdb_equality_candidates: (uid) not indexed Jan 4 10:47:39 debian slapd[2706]: conn=4 op=25 SEARCH RESULT tag=101 err=0 nentries=1 text= Jan 4 10:47:39 debian slapd[2706]: conn=4 op=26 SRCH base="sambaDomainName=ELOSZKA,dc=test,dc=kubkomowa,dc=pl" scope=0 deref=0 filter="(objectClass=sambaDomain)" Jan 4 10:47:39 debian slapd[2706]: conn=4 op=26 SRCH attr=sambaPwdHistoryLength Jan 4 10:47:39 debian slapd[2706]: conn=4 op=26 SEARCH RESULT tag=101 err=0 nentries=1 text= Jan 4 10:47:39 debian slapd[2706]: conn=4 op=27 SRCH base="sambaDomainName=ELOSZKA,dc=test,dc=kubkomowa,dc=pl" scope=0 deref=0 filter="(objectClass=sambaDomain)" Jan 4 10:47:39 debian slapd[2706]: conn=4 op=27 SRCH attr=sambaMaxPwdAge Jan 4 10:47:39 debian slapd[2706]: conn=4 op=27 SEARCH RESULT tag=101 err=0 nentries=1 text= Jan 4 10:47:39 debian slapd[2706]: conn=4 op=28 SRCH base="dc=test,dc=kubkomowa,dc=pl" scope=2 deref=0 filter="(&(sambaSID=s-1-5-21-2559545835-4069677334-2214471925-7018)(objectClass=sambaSamAccount))" Jan 4 10:47:39 debian slapd[2706]: conn=4 op=28 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos Jan 4 10:47:39 debian slapd[2706]: <= bdb_equality_candidates: (sambaSID) not indexed Jan 4 10:47:39 debian slapd[2706]: conn=4 op=28 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aczkolwiek nie wiem czy w taki sposob jestem w stanie powtorzyc blad z poprzedniego posta.
Ostatnio edytowany przez kuebk (2011-01-04 10:50:16)
Offline
Czyli wszystko już gra? Jeśli tak do następnego problemu ;]
Offline
No wyglada na to ze tak, tyle ze do nie wiem czemu ostatni problem wystepowal i czemu sam sie naprawil.
Mam wrazenie ze restart maszyny czasami daje wiecej niz restart samby.
Bardzo dziekuje za pomoc. :)
Do pelni szczescia dorobilem jeszcze jedna zmiane w smb.conf,
bylo:
idmap backend = ldap:"ldaps://test.kubkomowa.pl:636" idmap alloc backend = ldap:"ldaps://test.kubkomowa.pl:636" idmap uid = 10000 - 20000 idmap gid = 10000 - 20000
jest:
idmap config ELOSZKA: default = yes idmap config ELOSZKA: readonly = no idmap config ELOSZKA: backend = ldap idmap config ELOSZKA: ldap_url = ldaps://test.kubkomowa.pl idmap config ELOSZKA: ldap_base_dn = ou=Idmap,dc=test,dc=kubkomowa,dc=pl idmap config ELOSZKA: ldap_user_dn = cn=admin,dc=test,dc=kubkomowa,dc=pl idmap config ELOSZKA: range = 10000 - 20000 idmap alloc backend = ldap idmap alloc config: ldap_url = ldaps://test.kubkomowa.pl idmap alloc config: ldap_base_dn = ou=Idmap,dc=test,dc=kubkomowa,dc=pl idmap alloc config: ldap_user_dn = cn=admin,dc=test,dc=kubkomowa,dc=pl
Na poprzedniej wersji konfiguracji dla idmap nie wiem czemu najpierw chcial mi sie laczyc z backendem w postaci passdb a nie ldap.
Ostatnio edytowany przez kuebk (2011-01-04 18:32:15)
Offline
Dalej mam jakas dupe z tym winbindem,
logi:
==> log.winbindd-idmap <== [2011/01/07 01:34:22.803153, 0] winbindd/idmap.c:201(smb_register_idmap_alloc) idmap_alloc module tdb already registered! [2011/01/07 01:34:22.803181, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module passdb already registered! [2011/01/07 01:34:22.803197, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module nss already registered! [2011/01/07 01:34:22.803213, 3] winbindd/idmap.c:359(idmap_init_default_domain) idmap_init: using 'tdb' as remote backend [2011/01/07 01:34:22.803230, 3] winbindd/idmap_tdb.c:618(idmap_tdb_db_init) Warning: 'idmap uid' not set! [2011/01/07 01:34:22.803245, 3] winbindd/idmap_tdb.c:632(idmap_tdb_db_init) Warning: 'idmap gid' not set! [2011/01/07 01:34:22.803260, 1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges) idmap uid missing [2011/01/07 01:34:22.803304, 0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db) Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete configuration [2011/01/07 01:34:22.803326, 1] winbindd/idmap.c:321(idmap_init_domain) idmap initialization returned NT_STATUS_UNSUCCESSFUL [2011/01/07 01:34:22.804319, 0] winbindd/idmap.c:201(smb_register_idmap_alloc) idmap_alloc module tdb already registered! [2011/01/07 01:34:22.804340, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module passdb already registered! [2011/01/07 01:34:22.804356, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module nss already registered! [2011/01/07 01:34:22.804372, 3] winbindd/idmap.c:359(idmap_init_default_domain) idmap_init: using 'tdb' as remote backend [2011/01/07 01:34:22.804387, 3] winbindd/idmap_tdb.c:618(idmap_tdb_db_init) Warning: 'idmap uid' not set! [2011/01/07 01:34:22.804402, 3] winbindd/idmap_tdb.c:632(idmap_tdb_db_init) Warning: 'idmap gid' not set! [2011/01/07 01:34:22.804417, 1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges) idmap uid missing [2011/01/07 01:34:22.804451, 0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db) Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete configuration [2011/01/07 01:34:22.804472, 1] winbindd/idmap.c:321(idmap_init_domain) idmap initialization returned NT_STATUS_UNSUCCESSFUL [2011/01/07 01:34:22.804489, 3] winbindd/idmap.c:670(idmap_new_mapping) no default domain, no place to write [2011/01/07 01:34:22.805627, 0] winbindd/idmap.c:201(smb_register_idmap_alloc) idmap_alloc module tdb already registered! [2011/01/07 01:34:22.805648, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module passdb already registered! [2011/01/07 01:34:22.805664, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module nss already registered! [2011/01/07 01:34:22.805681, 1] winbindd/idmap_ldap.c:268(idmap_ldap_alloc_init) idmap uid or idmap gid missing [2011/01/07 01:34:22.805697, 0] winbindd/idmap.c:589(idmap_alloc_init) ERROR: Initialization failed for alloc backend, deferred! [2011/01/07 01:34:22.808602, 0] winbindd/idmap.c:201(smb_register_idmap_alloc) idmap_alloc module tdb already registered! [2011/01/07 01:34:22.808624, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module passdb already registered! [2011/01/07 01:34:22.808639, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module nss already registered! [2011/01/07 01:34:22.808655, 3] winbindd/idmap.c:359(idmap_init_default_domain) idmap_init: using 'tdb' as remote backend [2011/01/07 01:34:22.808671, 3] winbindd/idmap_tdb.c:618(idmap_tdb_db_init) Warning: 'idmap uid' not set! [2011/01/07 01:34:22.808685, 3] winbindd/idmap_tdb.c:632(idmap_tdb_db_init) Warning: 'idmap gid' not set! [2011/01/07 01:34:22.808699, 1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges) idmap uid missing [2011/01/07 01:34:22.808735, 0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db) Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete configuration [2011/01/07 01:34:22.808757, 1] winbindd/idmap.c:321(idmap_init_domain) idmap initialization returned NT_STATUS_UNSUCCESSFUL [2011/01/07 01:34:22.809980, 0] winbindd/idmap.c:201(smb_register_idmap_alloc) idmap_alloc module tdb already registered! [2011/01/07 01:34:22.809998, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module passdb already registered! [2011/01/07 01:34:22.810015, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module nss already registered! [2011/01/07 01:34:22.810033, 1] winbindd/idmap_ldap.c:268(idmap_ldap_alloc_init) idmap uid or idmap gid missing [2011/01/07 01:34:22.810048, 0] winbindd/idmap.c:589(idmap_alloc_init) ERROR: Initialization failed for alloc backend, deferred! [2011/01/07 01:34:22.811787, 0] winbindd/idmap.c:201(smb_register_idmap_alloc) idmap_alloc module tdb already registered! [2011/01/07 01:34:22.811813, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module passdb already registered! [2011/01/07 01:34:22.811830, 0] winbindd/idmap.c:149(smb_register_idmap) Idmap module nss already registered! [2011/01/07 01:34:22.811845, 3] winbindd/idmap.c:359(idmap_init_default_domain) idmap_init: using 'tdb' as remote backend [2011/01/07 01:34:22.811862, 3] winbindd/idmap_tdb.c:618(idmap_tdb_db_init) Warning: 'idmap uid' not set! [2011/01/07 01:34:22.811880, 3] winbindd/idmap_tdb.c:632(idmap_tdb_db_init) Warning: 'idmap gid' not set! [2011/01/07 01:34:22.811895, 1] winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges) idmap uid missing [2011/01/07 01:34:22.811931, 0] winbindd/idmap_tdb.c:287(idmap_tdb_open_db) Upgrade of IDMAP_VERSION from -1 to 2 is not possible with incomplete configuration [2011/01/07 01:34:22.811953, 1] winbindd/idmap.c:321(idmap_init_domain) idmap initialization returned NT_STATUS_UNSUCCESSFUL [2011/01/07 01:34:22.811970, 3] winbindd/idmap.c:670(idmap_new_mapping) no default domain, no place to write
smb.conf:
idmap uid = 10000 - 20000 idmap gid = 10000 - 20000 idmap config ELOSZKA: default = yes idmap config ELOSZKA: readonly = no idmap config ELOSZKA: backend = ldap idmap config ELOSZKA: ldap_url = ldaps://ldap.test.kubkomowa.pl idmap config ELOSZKA: ldap_base_dn = ou=Idmap,dc=ldap,dc=test,dc=kubkomowa,dc=pl idmap config ELOSZKA: ldap_user_dn = cn=admin,dc=ldap,dc=test,dc=kubkomowa,dc=pl idmap config ELOSZKA: range = 10000 - 20000 idmap alloc backend = ldap idmap alloc config: ldap_url = ldaps://ldap.test.kubkomowa.pl idmap alloc config: ldap_base_dn = ou=Idmap,dc=ldap,dc=test,dc=kubkomowa,dc=pl idmap alloc config: ldap_user_dn = cn=admin,dc=ldap,dc=test,dc=kubkomowa,dc=pl idmap alloc config: range = 10000 - 20000
Nie rozumiem czemu sie rzuca o parametry idmap uid, idmap gid skoro sa ustawione.
Offline
Strony: 1
Time (s) | Query |
---|---|
0.00011 | SET CHARSET latin2 |
0.00005 | SET NAMES latin2 |
0.00133 | SELECT u.*, g.*, o.logged FROM punbb_users AS u INNER JOIN punbb_groups AS g ON u.group_id=g.g_id LEFT JOIN punbb_online AS o ON o.ident='18.116.90.57' WHERE u.id=1 |
0.00082 | UPDATE punbb_online SET logged=1732301914 WHERE ident='18.116.90.57' |
0.00053 | SELECT * FROM punbb_online WHERE logged<1732301614 |
0.00068 | DELETE FROM punbb_online WHERE ident='18.116.49.243' |
0.00063 | DELETE FROM punbb_online WHERE ident='18.116.81.255' |
0.00084 | DELETE FROM punbb_online WHERE ident='18.117.94.77' |
0.00077 | DELETE FROM punbb_online WHERE ident='18.118.144.98' |
0.00097 | DELETE FROM punbb_online WHERE ident='18.222.56.251' |
0.00071 | DELETE FROM punbb_online WHERE ident='3.133.108.47' |
0.00068 | SELECT topic_id FROM punbb_posts WHERE id=161863 |
0.00005 | SELECT id FROM punbb_posts WHERE topic_id=18029 ORDER BY posted |
0.00066 | SELECT t.subject, t.closed, t.num_replies, t.sticky, f.id AS forum_id, f.forum_name, f.moderators, fp.post_replies, 0 FROM punbb_topics AS t INNER JOIN punbb_forums AS f ON f.id=t.forum_id LEFT JOIN punbb_forum_perms AS fp ON (fp.forum_id=f.id AND fp.group_id=3) WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND t.id=18029 AND t.moved_to IS NULL |
0.00005 | SELECT search_for, replace_with FROM punbb_censoring |
0.00178 | SELECT u.email, u.title, u.url, u.location, u.use_avatar, u.signature, u.email_setting, u.num_posts, u.registered, u.admin_note, p.id, p.poster AS username, p.poster_id, p.poster_ip, p.poster_email, p.message, p.hide_smilies, p.posted, p.edited, p.edited_by, g.g_id, g.g_user_title, o.user_id AS is_online FROM punbb_posts AS p INNER JOIN punbb_users AS u ON u.id=p.poster_id INNER JOIN punbb_groups AS g ON g.g_id=u.group_id LEFT JOIN punbb_online AS o ON (o.user_id=u.id AND o.user_id!=1 AND o.idle=0) WHERE p.topic_id=18029 ORDER BY p.id LIMIT 0,25 |
0.00077 | UPDATE punbb_topics SET num_views=num_views+1 WHERE id=18029 |
Total query time: 0.01143 s |