# LDAP gidNumber: impossible to log into the system



## oleg_skat (Nov 19, 2012)

Hi all! I want to ask for help with my problem. I've got some trouble with LDAP: it doesn't allow users to log into the system. Everything worked well before, but now this happens.

```
FreeBSD8.2
nss_ldap-1.265_7 
openldap-client-2.4.33 
openldap-server-2.4.33 
samba36-3.6.7       
smbldap-tools-0.9.9
```

There is a PDC with PAM authentication. LDAP doesn't find what is necessary and we can't use our system.

The parameters:

/usr/local/etc/nss_ldap.conf

```
base dc=smbdomain,dc=local

bind_policy soft
bind_timelimit 10
host 192.168.0.4
idle_timelimit 3600
ldap_version 3

nss_base_group  ou=Groups,dc=smbdomain,dc=local?one
nss_base_passwd ou=People,dc=smbdomain,dc=local?one
nss_base_passwd ou=Computers,dc=smbdomain,dc=local?one
nss_base_shadow ou=People,dc=smbdomain,dc=local?one

nss_connect_policy persist
nss_paged_results yes

pagesize 1000
port 389
scope one
timelimit 30

pam_password clear
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_template_login_attribute uid
pam_member_attribute gid
pam_min_uid 1000
pam_max_uid 65530
pam_lookup_policy no
pam_check_host_attr no
pam_check_service_attr no
pam_groupdn cn=Domain Users,ou=Groups,dc=smbdomain,dc=local
```


```
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/openldap.schema
include         /usr/local/etc/openldap/schema/samba.schema
include         /usr/local/etc/openldap/schema/mail.schema

loglevel 256

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
moduleload      back_bdb

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=smbdomain,dc=local"
rootdn          "cn=Manager,dc=smbdomain,dc=local"
rootpw          {SSHA}/......................./

directory       /var/db/openldap-data

# Indices to maintain
index   objectClass     eq
index   cn              pres,sub,eq
index   sn              pres,sub,eq
index   uid             pres,sub,eq
index   displayName     pres,sub,eq
index   uidNumber       pres,eq
index   gidNumber       pres,eq
index   memberUID               eq
index   sambaSID                eq
index   sambaPrimaryGroupSID    eq
index   sambaDomainName         eq
index   default                 sub
#
index   uniqueMember             eq,pres
index ou,mail,givenname    pres,sub,eq
```

`# smbclient //dn/root -Uroot%passwd`

```
session setup failed: NT_STATUS_LOGON_FAILURE
```


```
less /var/log/slapd.log
Nov 19 11:15:00 dn slapd[3924]: conn=1011 fd=10 ACCEPT from IP=192.168.0.4:43875 (IP=192.168.0.4:389)
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=0 BIND dn="" method=128
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=0 RESULT tag=97 err=0 text=
Nov 19 11:15:00 dn slapd[3924]: connection_input: conn=1011 deferring operation: binding
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=1 SRCH base="ou=People,dc=smbdomain,dc=local" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=root))"
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=2 SRCH base="ou=Groups,dc=smbdomain,dc=local" scope=1 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=root)(uniqueMember=uid=root,ou=people,dc=smbdomain,dc=local)))"
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=2 SRCH attr=gidNumber
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=3 SRCH base="ou=Groups,dc=smbdomain,dc=local" scope=1 deref=0 filter="(&(objectClass=posixGroup)(uniqueMember=cn=domain admins,ou=groups,dc=smbdomain,dc=local))"
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=3 SRCH attr=gidNumber
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 19 11:15:00 dn slapd[3924]: conn=1011 fd=10 closed (connection lost)
```
And for `uniqueMember=cn=domain admins`:

`# ldapsearch -xLLL 'cn=domain admins'`

```
dn: cn=Domain Admins,ou=Groups,dc=smbdomain,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-2492099779-3981522855-2891784192-512
sambaGroupType: 2
displayName: Domain Admins
```
What's wrong?

```
#net getlocalsid ns
failed to bind to server ldap://ns.smbdomain.local/ with dn="cn=Manager,dc=smbdomain,dc=local" Error: Can't contact LDAP server
        (unknown)
Can't fetch domain SID for name: ns

less /var/log/slapd.log
Nov 19 12:11:00 dn slapd[3924]: conn=1029 fd=10 ACCEPT from IP=192.168.0.4:22346 (IP=192.168.0.4:389)
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=0 BIND dn="" method=128
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=0 RESULT tag=97 err=0 text=
Nov 19 12:11:00 dn slapd[3924]: connection_input: conn=1029 deferring operation: binding
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=1 SRCH base="ou=People,dc=smbdomain,dc=local" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=operator))"
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=2 SRCH base="ou=Computers,dc=smbdomain,dc=local" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=operator))"
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=3 SRCH base="ou=Groups,dc=smbdomain,dc=local" scope=1 deref=0 filter="(&(objectClass=posixGroup)(memberUid=operator))"
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=3 SRCH attr=gidNumber
Nov 19 12:11:00 dn slapd[3924]: conn=1029 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 19 12:11:00 dn slapd[3924]: conn=1029 fd=10 closed (connection lost)
```
`SRCH attr=gidNumber` is the reason, but what must I do?

```
# slapcat | grep gidNumber
gidNumber: 0
gidNumber: 512
gidNumber: 513
gidNumber: 515
gidNumber: 544
gidNumber: 548
gidNumber: 550
gidNumber: 551
gidNumber: 552
gidNumber: 515
```


----------



## mamalos (Nov 20, 2012)

If your config was working before, try to remember what was the last thing you changed. The configuration you're asking about is faaaaaar from trivial and the information you've given is not the one that matters the most. We have no clue about your samba config or your ldap acls, which do play a major role on that. Try to reproduce the query your nss client is sending (I assume it's anonymous simple bind cause I don't see any binddn directive anywhere. The queries can be inferred from the filter fields you've posted) and watch the results. The queries should be sent by the client that fails to respond, not the server! Lastly, by running slapcat you are giving us no info, since no acls are applied to your query.

And to be frank, even if you post all your configs, without some decent explanation as to what is working and what is not, I am afraid that it will be difficult to give you a proper answer. Usually if a config is working and then stops, something totally unrelated to configuration has happened that messed things up. Try to remember about port updates that may have taken place before the incident, network rearrangements, etc.
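To do what mamalos suggests (work out which queries the nss client sends, under which bind identity, and replay them from the failing client with ldapsearch), here is an added Python helper that is not part of this thread. The log sample is constructed from the slapd loglevel 256 lines quoted above, and the default host is the one from nss_ldap.conf.

```python
import re

# Constructed sample: slapd loglevel 256 lines as quoted in the thread (one anonymous connection).
SAMPLE_LOG = """\
Nov 19 11:15:00 dn slapd[3924]: conn=1011 fd=10 ACCEPT from IP=192.168.0.4:43875 (IP=192.168.0.4:389)
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=0 BIND dn="" method=128
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=0 RESULT tag=97 err=0 text=
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=1 SRCH base="ou=People,dc=smbdomain,dc=local" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=root))"
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=3 SRCH base="ou=Groups,dc=smbdomain,dc=local" scope=1 deref=0 filter="(&(objectClass=posixGroup)(uniqueMember=cn=domain admins,ou=groups,dc=smbdomain,dc=local))"
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=3 SRCH attr=gidNumber
Nov 19 11:15:00 dn slapd[3924]: conn=1011 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

RE_BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RE_SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d filter="([^"]*)"')
RE_ATTR = re.compile(r'conn=(\d+) op=(\d+) SRCH attr=(\S+)')
RE_RES = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')
SCOPES = {"0": "base", "1": "one", "2": "sub"}  # slapd logs the numeric scope


def parse_searches(log):
    """Return one dict per completed search: bind identity, base, scope, filter, attrs, outcome."""
    bind_dn = {}   # conn -> DN of the last BIND on that connection ("" means anonymous)
    searches = {}  # (conn, op) -> details, in log order
    for line in log.splitlines():
        if m := RE_BIND.search(line):
            bind_dn[m[1]] = m[3]
        elif m := RE_SRCH.search(line):
            searches[(m[1], m[2])] = {"binddn": bind_dn.get(m[1], ""), "base": m[3],
                                      "scope": SCOPES[m[4]], "filter": m[5], "attrs": []}
        elif m := RE_ATTR.search(line):
            searches[(m[1], m[2])]["attrs"].append(m[3])
        elif m := RE_RES.search(line):
            searches[(m[1], m[2])].update(err=int(m[3]), nentries=int(m[4]))
    return [s for s in searches.values() if "nentries" in s]


def ldapsearch_command(s, host="192.168.0.4"):
    """Rebuild the logged query as an ldapsearch(1) call to replay it from the client (same bind)."""
    auth = "-x" if s["binddn"] == "" else '-x -D "%s" -W' % s["binddn"]
    parts = ["ldapsearch", "-H", "ldap://" + host, auth, "-b", '"%s"' % s["base"],
             "-s", s["scope"], "'%s'" % s["filter"]] + s["attrs"]
    return " ".join(parts)


def empty_results(searches):
    """Searches that succeeded (err=0) yet matched nothing: ACL-hidden attributes look exactly like this."""
    return [s for s in searches if s["err"] == 0 and s["nentries"] == 0]


if __name__ == "__main__":
    for s in empty_results(parse_searches(SAMPLE_LOG)):
        print("anonymous" if s["binddn"] == "" else s["binddn"], "->", ldapsearch_command(s))
```

Replaying the printed command from the client and comparing its output with slapcat (which bypasses ACLs) shows whether the entry or the gidNumber attribute is being hidden from that bind identity.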


----------



## oleg_skat (Dec 10, 2012)

mamalos,
I am glad to receive the answer. But the time for a decision had expired, and I was compelled to use the reserve system; the system where the problem was has been restored from a backup copy. But your information is valuable and I think it will be able to help me in my job.


----------

