Can't start CIFS after enabling LDAP

Status
Not open for further replies.

zstar69

Dabbler
Joined
Aug 20, 2014
Messages
15
Anytime I configure LDAP, CIFS fails to start with this message:

Code:
 winbindd[7157]:   STATUS=daemon 'winbindd' finished starting up and ready to serve connectionsadd_new_domain_info: failed to add domain dn= sambaDomainName=NAS-1,ou=company,c=ca with: Object class violation
Aug 20 15:21:56 NAS-1 winbindd[7157]:      Entry sambaDomainName=NAS-1,ou=company,c=ca violates the Directory Server schema configuration because it does not include a structural objectclass.  All entries must contain a structural objectclass
Aug 20 15:21:56 NAS-1 winbindd[7157]: [2014/08/20 15:21:56.804892,  0] ../source3/passdb/pdb_ldap_util.c:313(smbldap_search_domain_info)
Aug 20 15:21:56 NAS-1 winbindd[7157]:   smbldap_search_domain_info: Adding domain info for NAS-1 failed with NT_STATUS_UNSUCCESSFUL
Aug 20 15:21:56 NAS-1 winbindd[7157]: [2014/08/20 15:21:56.805278,  0] ../source3/passdb/pdb_ldap.c:6529(pdb_ldapsam_init_common)
Aug 20 15:21:56 NAS-1 winbindd[7157]:   pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
Aug 20 15:21:56 NAS-1 winbindd[7157]: [2014/08/20 15:21:56.805637,  0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
Aug 20 15:21:56 NAS-1 winbindd[7157]:   pdb backend ldapsam:ldap://1.2.3.4:1389 did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
Aug 20 15:21:56 NAS-1 winbindd[7157]: [2014/08/20 15:21:56.806026,  0] ../source3/lib/util.c:785(smb_panic_s3)
Aug 20 15:21:56 NAS-1 winbindd[7157]:   PANIC (pid 7157): pdb_get_methods: failed to get pdb methods for backend ldapsam:ldap://1.2.3.4:1389
Aug 20 15:12:56 NAS-1 winbindd[4182]:   BACKTRACE: 20 stack frames:
Aug 20 15:12:56 NAS-1 winbindd[4182]:    #0 0x80555f292 <smb_panic_s3+108> at /usr/local/lib/libsmbconf.so.0
Aug 20 15:12:56 NAS-1 winbindd[4182]:    #1 0x800b5af9a <smb_panic+40> at /usr/local/lib/libsamba-util.so.0
Aug 20 15:12:56 NAS-1 winbindd[4182]:    #2 0x8028242e3 <make_pdb_method_name+1320> at /usr/local/lib/libpdb.so.0
Aug 20 15:12:56 NAS-1 winbindd[4182]:    #3 0x802826826 <pdb_capabilities+13> at /usr/local/lib/libpdb.so.0
Aug 20 15:12:56 NAS-1 winbindd[4182]:    #4 0x4b24ab <_lsa_EnumTrustedDomainsEx+22> at /usr/local/sbin/winbindd
Aug 20 15:12:56 NAS-1 winbindd[4182]:    #5 0x4bcbd7 <_lsa_LSARADTREPORTSECURITYEVENT+37285> at /usr/local/sbin/winbindd
Aug 20 15:12:56 NAS-1 winbindd[4182]:    #6 0x4809ce <make_internal_rpc_pipe_p+1436> at /usr/local/sbin/winbindd
Aug 20 15:12:56 NAS-1 winbindd[4182]:    #7 0x480c59 <make_internal_rpc_pipe_p+2087> at /usr/local/sbin/winbindd
Aug 20 15:12:56 NAS-1 winbindd[4182]:    #8 0x8025f488c <dcerpc_binding_handle_raw_call_send+195> at /usr/local/lib/libdcerpc-binding.so.0
Aug 20 15:12:56 NAS-1 winbindd[4182]:    #9 0x8025f51a4 <dcerpc_binding_handle_call_send+953> at /usr/local/lib/libdcerpc-binding.so.0
Aug 20 15:12:56 NAS-1 winbindd[4182]:    #10 0x8025f55b1 <dcerpc_binding_handle_call+153> at /usr/local/lib/libdcerpc-binding.so.0
Aug 20 15:12:56 NAS-1 winbindd[4182]:    #11 0x8020bff3e <dcerpc_lsa_EnumTrustedDomainsEx_r+63> at /usr/local/lib/samba/libdcerpc-samba.so
Aug 20 15:12:56 NAS-1 winbindd[4182]:    #12 0x8020c036b <dcerpc_lsa_EnumTrustedDomainsEx+119> at /usr/local/lib/samba/libdcerpc-samba.so
Aug 20 15:12:56 NAS-1 winbindd[4182]:    #13 0x455c0f <rpc_trusted_domains+139> at /usr/local/sbin/winbindd
Aug 20 15:12:56 NAS-1 winbindd[4182]:    #14 0x45c6c2 <open_internal_samr_conn+2385> at /usr/local/sbin/winbindd
Aug 20 15:12:56 NAS-1 winbindd[4182]:    #15 0x4397ba <wcache_lookup_groupmem+3280> at /usr/local/sbin/winbindd
Aug 20 15:12:56 NAS-1 winbindd[4182]:    #16 0x447b00 <winbindd_dual_list_trusted_domains+158> at /usr/local/sbin/winbindd
Aug 20 15:12:56 NAS-1 winbindd[4182]:    #17 0x45f0d4 <wb_domain_request_recv+374> at /usr/local/sbin/winbindd
Aug 20 15:12:56 NAS-1 winbindd[4182]:    #18 0x461ba2 <wb_child_domain+287> at /usr/local/sbin/winbindd
Aug 20 15:12:56 NAS-1 winbindd[4182]:    #19 0x80742a7d3 <tevent_req_print+3587> at /usr/local/lib/libtevent.so.0
Aug 20 15:12:56 NAS-1 winbindd[4182]: [2014/08/20 15:12:56.022480,  0] ../source3/lib/util.c:797(smb_panic_s3)
Aug 20 15:12:56 NAS-1 winbindd[4182]:   smb_panic(): calling panic action [/usr/local/libexec/samba/samba-backtrace]
Aug 20 15:12:56 NAS-1 LDAP: /usr/local/bin/python /usr/local/www/freenasUI/middleware/notifier.py stop cifs
Aug 20 15:12:56 NAS-1 winbindd[4182]: [2014/08/20 15:12:56.582576,  0] ../source3/lib/util.c:805(smb_panic_s3)
Aug 20 15:12:56 NAS-1 winbindd[4182]:   smb_panic(): action returned status 0
Aug 20 15:12:56 NAS-1 winbindd[4182]: [2014/08/20 15:12:56.583169,  0] ../source3/lib/dumpcore.c:317(dump_core)
Aug 20 15:12:56 NAS-1 winbindd[4182]:   dumping core in /mnt/TimeMachine/.system/cores
Aug 20 15:12:56 NAS-1 winbindd[4182]:
Aug 20 15:12:56 NAS-1 winbindd[4180]:   STATUS=daemon 'winbindd' finished starting up and ready to serve connectionsCould not receive trustdoms
Aug 20 15:12:56 NAS-1 kernel: pid 4182 (winbindd), uid 0: exited on signal 6 (core dumped)
Aug 20 15:12:56 NAS-1 notifier: Stopping winbindd.
Aug 20 15:12:56 NAS-1 winbindd[4180]: [2014/08/20 15:12:56.838565,  0] ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
Aug 20 15:12:56 NAS-1 winbindd[4180]:   Got sig[15] terminate (is_parent=1)
Aug 20 15:12:56 NAS-1 notifier: Waiting for PIDS: 4180.
Aug 20 15:12:56 NAS-1 notifier: smbd not running? (check /var/run/samba/smbd.pid).
Aug 20 15:12:56 NAS-1 notifier: Stopping nmbd.
Aug 20 15:12:56 NAS-1 nmbd[4172]:   STATUS=daemon 'nmbd' finished starting up and ready to serve connectionsGot SIGTERM: going down...
Aug 20 15:12:56 NAS-1 notifier: Waiting for PIDS: 4172.


I have looked all over the world for the answer to this and I cannot find it. Do I need to have Samba Schemas in my LDAP? Is there no possible way to have LDAP auth for the GUI/SSH etc. but have Samba/CIFS use local accounts? Thank you for any input, I am going mad..
 

dlavigne

Guest
Do I need to have Samba Schemas in my LDAP? Is there no possible way to have LDAP auth for the GUI/SSH etc. but have Samba/CIFS use local accounts? Thank you for any input, I am going mad..

For CIFS, you do need this:

NOTE: LDAP will not work with CIFS shares until the LDAP directory has been configured for and populated with Samba attributes. The most popular script for performing this task is smbldap-tools and instructions for using it can be found at The Linux Samba-OpenLDAP Howto.

Do you get an error with LDAP when you start SSH? e.g. does LDAP work over SSH for you?
 

zstar69

Yes, LDAP works over SSH, getent works. I wish we had the option of using local accounts with Samba. We will only be using it for a guest share (no Samba authentication). But the LDAP auth comes in for SSH, NFS, and Time Machine.
 

zstar69

I checked out your link. We really do not want to do that to enable a guest Samba share. This sucks. I guess we will just... disable LDAP...
 

zstar69

I really don't think it's necessary to have these SMBLDAP tools set up. I think this is a bug..

I have decided to forget about the CIFS share. So I disabled the CIFS service and want to re-enable LDAP. I will use it for Time Machine, SSH and NFS.

I turn off CIFS and when I start Directory Services, CIFS goes back on and Directory Services stays turned off. Why is Directory Services forcing CIFS to start? Can this automatic CIFS service start be stopped somehow? Basically I am unable to use LDAP at all because of this..
 

zstar69

This is 9.2.1.6 and also 9.2.1.7

I edited my post, I was wrong.

I am close, I want to be clear before I post the solution.
 

dlavigne

Yes, please post your solution when you find it. I'm not sure what is needed for that fine-grained a configuration.
 

zstar69

Hi, sorry.

So the problem _was_ in fact the Samba schema. But I couldn't believe it at first. Then I was convinced it was LDAPS.

When I imported the schemas, I restarted the Directory Service and all worked. Then I removed the schemas from the LDAP, expecting things to break again. They did not. That threw me right off.

It turns out that once the schemas are installed and the LDAP makes 1 successful connection, it registers and imports itself into the LDAP. Then you can remove the schemas and it will still work because the entries are still there. (removing the schema does not remove the entry the NAS made in the LDAP)

I verified this by removing the schemas, restarting the Directory Service successfully. Then changing the hostname and domain of the NAS and restarting the Directory Service again and having it fail with the 20 Stack Trace error.

The LDAP entry "sambaDomainName=NAS-1,ou=company,c=ca" was still in my LDAP. But when the hostname changed to OMGNAS-2, it couldn't import it and gave the error:

Code:
Entry sambaDomainName=OMGNAS-2,ou=company,c=ca violates the Directory Server schema configuration because it does not include a structural objectclass.  All entries must contain a structural objectclass


So yes, the Samba schemas needed to be installed in the LDAP.

To be honest, I don't think the NAS should be designed this way. QNAP allows you to set up LDAP, and asks you to use Samba with local/LDAP users. In my case I would simply select local users for Samba and all was good to use Time Machine/SSH with LDAP. But because FreeNAS forces CIFS/Samba to use the same "global auth", you absolutely need to install these Samba schemas into your LDAP or you simply cannot get LDAP to work. Maybe I found a bug? I don't know. But until those schemas were in, I could not use LDAP at all. Let alone Samba.

Bottom line: You need Samba Schemas in your LDAP.

Also, it would be nice to be able to not worry about hostnames with LDAPS. Like a checkbox or something.

Thanks for any help, hope this helps someone else.
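
An added example, not part of the original posts: a small log triage script that groups winbindd syslog lines by PID and reports when the ldapsam passdb backend failed because the directory rejected the `sambaDomainName` entry, as described above. The function name `diagnose` and the wording of the cause strings are assumptions made for this example; the sample lines are copied from the log posted in this thread.

```python
import re
from collections import defaultdict

# Lines copied from the winbindd log posted in this thread (a selection).
SAMPLE_LOG = """\
 winbindd[7157]:   STATUS=daemon 'winbindd' finished starting up and ready to serve connectionsadd_new_domain_info: failed to add domain dn= sambaDomainName=NAS-1,ou=company,c=ca with: Object class violation
Aug 20 15:21:56 NAS-1 winbindd[7157]:      Entry sambaDomainName=NAS-1,ou=company,c=ca violates the Directory Server schema configuration because it does not include a structural objectclass.  All entries must contain a structural objectclass
Aug 20 15:21:56 NAS-1 winbindd[7157]:   pdb backend ldapsam:ldap://1.2.3.4:1389 did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
Aug 20 15:21:56 NAS-1 winbindd[7157]:   PANIC (pid 7157): pdb_get_methods: failed to get pdb methods for backend ldapsam:ldap://1.2.3.4:1389
Aug 20 15:12:56 NAS-1 nmbd[4172]:   STATUS=daemon 'nmbd' finished starting up and ready to serve connectionsGot SIGTERM: going down...
"""

# "daemon[pid]: message", with or without the syslog timestamp in front.
LINE = re.compile(r"(\w+)\[(\d+)\]:\s*(.*)")
REJECTED = re.compile(r"Entry (sambaDomainName=\S+) violates the Directory Server schema")
BACKEND = re.compile(r"pdb backend (ldapsam:\S+) did not correctly init \(error was (NT_STATUS_\w+)\)")
PANIC = re.compile(r"PANIC \(pid \d+\)")


def diagnose(log_text):
    """Group lines by daemon PID and report passdb LDAP start-up failures."""
    by_pid = defaultdict(lambda: {"rejected_dn": None, "backend": None,
                                  "status": None, "panicked": False})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, pid, msg = m.group(1), int(m.group(2)), m.group(3)
        rec = by_pid[(daemon, pid)]
        if (r := REJECTED.search(msg)):
            rec["rejected_dn"] = r.group(1)
        if (b := BACKEND.search(msg)):
            rec["backend"], rec["status"] = b.groups()
        if PANIC.search(msg):
            rec["panicked"] = True
    findings = []
    for (daemon, pid), rec in sorted(by_pid.items()):
        if not (rec["rejected_dn"] or rec["backend"]):
            continue  # this process logged nothing passdb-related
        if rec["rejected_dn"]:
            cause = "directory rejected the sambaDomainName entry: Samba schema not loaded"
        else:
            cause = "ldapsam backend failed; no schema violation logged"
        findings.append({"daemon": daemon, "pid": pid, "cause": cause, **rec})
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```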
 

dlavigne

Thanks for the update.

I'm not sure what the technical ramifications are for not requiring the Samba schema. However, you could create a feature request for this at bugs.freenas.org so it could be researched. If you create a feature request, explain why it would be useful and that QNAP uses it, then post the issue number here.
 