samba服务器使用ldap管理用户的棘手的问题！！！！

fengmx

安装的包有：SuSE10.1，samba 3.0.22-11, openldap2-2.3.19-1,nss_ldap-246-14

  现在服务器可以正常使用，就是当我重启ldap时，总是出现以下错误：

Sep 12 15:49:05 file1 slapd[11094]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Sep 12 15:49:05 file1 slapd[11094]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Sep 12 15:49:05 file1 slapd[11094]: nss_ldap: could not search LDAP server - Server is unavailable
Sep 12 15:49:05 file1 slapd[11094]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Sep 12 15:49:05 file1 slapd[11094]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Sep 12 15:49:05 file1 slapd[11094]: nss_ldap: could not search LDAP server - Server is unavailable
   我已经郁闷了有半月之久，真的不知道怎么回事，前些日子有为老兄让我把samba中的passdb backend 改为：ldapsam:ldap://192.168.27.10（服务器的IP），可是还是一样的错误，我现在把 /etc/ldap.conf 和 /etc/nsswitch.conf 贴出来，请大家指点迷津, 在下万分感激！

/etc/ldap.conf
#
# This is the configuration file for the LDAP nameservice
# switch library, the LDAP PAM module and the shadow package.
#

# Your LDAP server. Must be resolvable without using LDAP.
host    127.0.0.1

# The distinguished name of the search base.
base    dc=hasux,dc=com

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version    3

# Don't try forever if the LDAP server is not reacheable
bind_policy     soft

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=Manager,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=Manager,dc=example,dc=com

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind timelimit
#bind_timelimit 30

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password   crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd        ou=People,dc=padl,dc=com?one
#nss_base_shadow        ou=People,dc=padl,dc=com?one
#nss_base_group         ou=Group,dc=padl,dc=com?one
#nss_base_hosts         ou=Hosts,dc=padl,dc=com?one
#nss_base_services      ou=Services,dc=padl,dc=com?one
#nss_base_networks      ou=Networks,dc=padl,dc=com?one
#nss_base_protocols     ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc           ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers        ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks      ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams    ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases       ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup      ou=Netgroup,dc=padl,dc=com?one
nss_base_passwd ou=Users,dc=hasux,dc=com?sub
nss_base_passwd ou=Computers,dc=hasux,dc=com?sub
nss_base_shadow ou=Users,dc=hasux,dc=com?sub
nss_base_group ou=Groups,dc=hasux,dc=com?one
debug 256
logdir /var/log/ldap
pam_password ssha

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute      rfc2307attribute        mapped_attribute
#nss_map_objectclass    rfc2307objectclass      mapped_objectclass

# configure --enable-nds is no longer supported.
# For NDS now do:
#nss_map_attribute uniqueMember member

# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#nss_map_objectclass posixAccount User
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword
#pam_password nds

# For IBM SecureWay support, do:
#nss_map_objectclass posixAccount aixAccount
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl     no
nss_map_attribute       uniqueMember member
pam_filter      objectclass=posixAccount
#nss_base_passwd        dc=hasux,dc=com
#nss_base_shadow        dc=hasux,dc=com
#nss_base_group dc=hasux,dc=com
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

/etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       compat                  Use compatibility setup
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       [NOTFOUND=return]       Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#

# passwd: files nis
# shadow: files nis
# group:  files nis

passwd:         files ldap
shadow:         files ldap
group:          files ldap

hosts:          files wins dns
networks:       files dns

services:       files ldap
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files ldap
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files ldap
#passwd_compat: ldap
#group_compat:  ldap



  等待你们的帮助！！！

coolend

这个问题偶以前也遇到过，但大多情况是没有开启 LDAP 服务或 LDAP 服务器地址指定不正确，即使这样，NSS_LDAP还是不会放弃连接的，它会暂时睡眠，并且过几秒钟再次检测，如果服务器又开启了，那么会重新连接成功的。

如果只是重启 LDAP服务，那么时间应该很短，应该不会出现这种情况。

确认下你的 OpenLDAP 运行时有没有监听 127.0.0.1，或是有没有指定特殊的参数(-h)之类的？

lsof -nPi|grep slapd
ps aux|grep slapd

如果你的 Samba 和 LDAP 是同一台机器，smb.conf 中 LDAP 配置可以直接用
passdb backend = ldapsam:ldap://127.0.0.1

BTW: 贴出配置文件时请事先将注释去掉，这样别人好看些

sed '/^#/d;/^$/d' /etc/ldap.conf

[ 本帖最后由 coolend 于 2006-9-12 16:56 编辑 ]

py

不太明白为什么这个报错：
Sep 12 15:49:05 file1 slapd[11094]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
和samba有什么关系？
把samba停掉，用一个别的使用LDAP的服务看看nss_ldap是不是还是报错？
最后可以尝试的办法就是把一切都停掉，手工编译nss_ldap和openldap
我从没遇到过这个问题。

fengmx

谢谢你们，听你们一说我立刻看了一下ldap的运行状态，发现这么一个问题，当ldap运行的时候，他的状态是：
# ps aux|grep slapd
ldap      3709  0.1  2.3  47380  3736 ?        Ssl  14:37   0:00 /usr/lib/openldap/slapd -h ldap:/// -u ldap -g ldap -o slp=on
samba-file:~ # lsof -nPi|grep slapd
slapd   3709   ldap    7u  IPv6  10312       TCP *:389 (LISTEN)
slapd   3709   ldap    8u  IPv4  10313       TCP *:389 (LISTEN)

看样子，ldap没有监听127.0.0.1,怎么会这样呢？为什么bind不上去呢？是哪里出了问题？请指教一下！！！！！

coolend

晕，刚刚看到你的/etc/ldap.conf

bind_policy     soft
### soft means: return immediately on server failure

注视掉这个试试？

fengmx

谢谢你！！还不行的，一样的错误。

ipigzhu

回复 1# fengmx


    今天我也遇到了和你一样的情况，几乎一模一样

   请问您，后来是怎么解决的？？？？？