[Samba] samba failed to authenticate to openLDAP

Steve Zeng szeng at mainframe.ca
Fri Mar 4 19:20:14 GMT 2005


Nathan,

I could not use "smbldap-passwd" or any other "smbldap-xxxxx" commands.
I got an error like this:

# smbldap-passwd administrator
/usr/sbin/smbldap-passwd: user administrator doesn't exist

The only way I can change passwd is to use smbpasswd.

Any idea why that is?

Thanks.

Steve

> Smbldap-tools has a passwd script which will change/sync the password(s);
> you can even configure samba to utilize this script when a client from a
> windows machine tries to change their password, (see example below). I might
> also recommend you look into a decent web-based or graphical LDAP account
> manager, (LAM comes to mind, not sure what platform you're working from, but
> on FreeBSD it's just a matter of installing it from the ports; check the
> website out - http://lam.sf.net/).
> 
> We are using LDAP, in conjunction with nss_ldap & pam_ldap on the unix side
> plus samba 3.0.11 on the windows side; single sign on regardless of which
> machine/platform any user is on. Roaming profiles on the windows network,
> and even Sun stations can share the same pam database for authentication and
> nss information - all works very well, and has suited us perfectly. We are
> currently using either LAM, (Ldap Account Manager - http://lam.sf.net/ ), or
> manual ldap insert/delete/modify commands to administer our users. LAM takes
> about ten minutes to setup and get going, and even less to figure out and
> work with; gives the ability to control Unix, Posix, Samba, and other
> attributes of any user, group, domain, or domain-machine (host) account.
> 
> Anyhow, just my two cents - but you should take a look into something like
> LAM to save you time; (I know there are other utilities/user managers, one
> in particular we tried which runs from X-win... But we found the simplicity
> of LAM to be key).
> 
> Here's an example of how to configure samba to use smbldap-tools' password
> script:
> 
> ldap passwd sync = yes
> passwd program = /server/bin/smbldap-tools/smbldap-passwd.pl -u %u
> passwd chat = "Changing password for*\nNew Password*" %n\n "*Retype new password*" %n\n
> 
> 
> --
> Nathan Vidican
> nvidican at wmptl.com
> Windsor Match Plate & Tool Ltd.
> http://www.wmplt.com/
> 
> 
> -----Original Message-----
> From: samba-bounces+nvidican=wmptl.com at lists.samba.org
> [mailto:samba-bounces+nvidican=wmptl.com at lists.samba.org] On Behalf Of Steve
> Zeng
> Sent: Thursday, March 03, 2005 7:59 PM
> To: craigwhite at azapple.com
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] samba failed to authenticate to openLDAP
> 
> 
> Paul and Craig,
> 
> I finally got it working. The reason it failed before is the way I built
> the LDAP DIT. I also found a problem in smbldap-populate script which I
> will describe below.
> 
> Here is what I did:
> 
> 1) run configure.pl
> 
> 2) edit smbldap-populate and change the following line:
> 
> my ($organisation,$ext) = ($config{suffix} =~ m/dc=(.*),dc=(.*)$/);
> 
> to:
> my ($organisation,$ext) = ($config{suffix} =~ m/dc=(.*)$/);
> 
> The reason is that I only have a single name for my domain, i.e. "dc=mfelc",
> but the perl script supposes we have exactly two names, for example
> dc=idealx, dc=org. It also won't work if you have three names in your
> domain (dc=mydept, dc=mycompany, dc=com).
> 
> 3) run smbldap-populate
>     it works perfectly to build the DIT
> 
> 4) use smbldap-migrate-unix-accounts to migrate NIS accounts
> 
> 5) use smbldap-migrate-unix-groups to migrate NIS group
> 
> This time, when I used smbclient with a NIS account, the log showed a
> wrong password. So I ran smbpasswd to give this account a new samba
> password and ran smbclient again; it works.
> 
> There are two problems here:
> 
> 1) how to migrate NIS hosts into LDAP?
> 
> 2) I checked the LDAP attributes and found three password fields:
> 
> SambaLMPassword
> SambaNTPassword
> userPassword
> 
> How can I sync them so that I don't have to keep two or more passwords
> for one user account?
> 
> Best Regards,
> 
> Steve
> 
>>Paul,
>>
>>I downloaded smbldap-tools-0.8.7 and tried the following:
>>
>>1) run configure.pl
>>
>>2) initialize LDAP base and then start LDAP server
>>dn: dc=mfelc
>>dc: mfelc
>>objectClass: top
>>objectClass: domain
>>
>>3) run smbldap-populate
>>
>>4) run the following migration tool to import users from NIS:
>>smbldap-migrate-unix-accounts -a -P /tmp/passwd.nis
>>
>>5) run the following migration tool to import groups from NIS:
>>smbldap-migrate-unix-groups -a -G /tmp/group.nis
>>
>>6) smbldap-useradd -a -m testuser1
>>   smbldap-passwd testuser1
>>
>>7) smbclient //enzo/testuser1 -U testuser1
>>
>>
>>got the following errors:
>>-------------------------------------
>>  User testuser1 in passdb, but getpwnam() fails!
>>[2005/03/01 18:12:11, 5] auth/auth_util.c:free_server_info(1344)
>>  attempting to free (and zero) a server_info structure
>>[2005/03/01 18:12:11, 0] auth/auth_sam.c:check_sam_security(306)
>>  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
>>[2005/03/01 18:12:11, 5] auth/auth.c:check_ntlm_password(271)
>>  check_ntlm_password: sam authentication for user [testuser1] FAILED with error NT_STATUS_NO_SUCH_USER
>>[2005/03/01 18:12:11, 3] auth/auth_winbind.c:check_winbind_security(80)
>>  check_winbind_security: Not using winbind, requested domain [TESTDM] was for this SAM.
>>[2005/03/01 18:12:11, 10] auth/auth.c:check_ntlm_password(259)
>>  check_ntlm_password: winbind had nothing to say
>>[2005/03/01 18:12:11, 2] auth/auth.c:check_ntlm_password(312)
>>  check_ntlm_password:  Authentication for user [testuser1] -> [testuser1] FAILED with error NT_STATUS_NO_SUCH_USER
>>--------------------------------------------------
>>
>>No idea what is missing. Thanks a lot for any hints.
>>
>>Steve
>>
>>
>>>Judicious snippage, post at the bottom.
>>>
>>>>I tried to let Samba authenticate against LDAP but could not figure
>>>>out how to build the LDAP tree for Samba.
>>>>
>>>>Fedora core 2
>>>>Samba 3.0.10
>>>>OpenLDAP 2.1.29
>>>>
>>>>dc=mydomain
>>>> |
>>>> `--- ou=People    : to store user accounts for Unix and Windows
>>>> |
>>>> `--- ou=Hosts     : to store computer accounts for UNIX & Windows
>>>> |
>>>> `--- ou=Groups    : to store system groups for Unix and Windows
>>>>
>>>>
>>>>What I did were:
>>>
>>>>   [global]
>>>>        workgroup = TESTDM
>>>>        passdb backend = ldapsam:ldap://10.10.0.101/
>>>>        log level = 1 passdb:8 auth:8
>>>>        domain logons = Yes
>>>>        wins support = Yes
>>>>        ldap admin dn = cn=root,dc=mydomain
>>>>        ldap delete dn = Yes
>>>>        ldap group suffix = ou=Group
>>>>        ldap machine suffix = ou=Hosts
>>>>        ldap user suffix = ou=People
>>>>        ldap suffix = dc=mfelc
>>>>        ldap passwd sync = Yes
>>>>        ldap ssl = no
>>>>3) start Samba server
>>>>
>>>>4) run smbclient //smbserver -U myid
>>>>   Password:
>>>>   session setup failed: NT_STATUS_LOGON_FAILURE
>>>
>>>>Attached is the smbd.log, I deleted the normal log and keep failed
>>>>messages as below:
>>>>  check_sam_security: Couldn't find user 'szeng' in passdb file.
>>>>auth/auth.c:check_ntlm_password(271)
>>>>  check_ntlm_password: sam authentication for user [szeng] FAILED
>>>>with error NT_STATUS_NO_SUCH_USER
>>>
>>>>Is there anybody who might have some idea of what is wrong.
>>>
>>>Yep.  You did nothing to create the samba attributes that will have to
>>>exist in each user account for the users to log in.   I suggest you
>>>read the documentation on setting up an LDAP/PDC system that is on the
>>>samba.org web site.  You've missed quite a few steps here, so you may
>>>want to read it through to get a complete idea.  Your solution is
>>>going to include the following:
>>>
>>>1. Obtain and configure the smbldap-tools package.
>>>2. Run the smbldap-populate script
>>>3. Make sure you've got a sambaDomain (I think that's the object type)
>>>in the base of your DIT.
>>>4. Join the machine to the domain (since you appear to want a domain
>>>setup)
>>>4. Add samba attributes to each user's account.
>>>
>>>Yes there are 2 #4 entries.  Doesn't matter which one comes first.  As
>>>far as I can remember, those will be the critical steps to not miss.
>>>If you've followed the documentation and not done those steps, you've
>>>missed something.
>>
> 
> --
> Regards,
> 
> Steve Zeng
> Systems Administrator
> Mainframe Entertainment Inc
> T: (604) 628-1000 ext 5293

-- 
Regards,

Steve Zeng
Systems Administrator
Mainframe Entertainment Inc
T: (604) 628-1000 ext 5293
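As an added example, not code from this thread or from smbldap-tools: the quoted Perl regex `m/dc=(.*),dc=(.*)$/` re-expressed for Python's `re` module, showing why a one-component suffix such as `dc=mfelc` fails to match and why a three-component suffix is split in the wrong place, beside a small parser that handles any number of `dc=` components. The function names are my own.

```python
import re

# The pattern quoted from smbldap-populate (Perl: m/dc=(.*),dc=(.*)$/),
# written for Python's re module so its behaviour can be reproduced.
ORIGINAL_PATTERN = re.compile(r"dc=(.*),dc=(.*)$")


def split_with_original_regex(suffix):
    """Mimic the script's assignment of ($organisation, $ext).

    Returns (organisation, ext), or (None, None) when the match fails,
    which is what a single-component suffix produces."""
    m = ORIGINAL_PATTERN.search(suffix)
    if not m:
        return (None, None)
    return m.group(1), m.group(2)


def dc_components(suffix):
    """Parse an LDAP suffix into its ordered dc= values, for 1..n components.

    Whitespace around each RDN is tolerated; an RDN that is not dc= raises
    ValueError so a mis-typed suffix is rejected before the DIT is populated."""
    parts = []
    for rdn in suffix.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, sep, value = rdn.partition("=")
        if sep != "=" or attr.strip().lower() != "dc" or not value.strip():
            raise ValueError("not a dc= RDN: %r" % rdn)
        parts.append(value.strip())
    if not parts:
        raise ValueError("empty suffix")
    return parts


def organisation_and_ext(suffix):
    """Return (organisation, ext) as the script expects, for any component count.

    The first dc value is the organisation; the remaining ones, joined with
    dots, form the extension (empty for a single-component suffix)."""
    parts = dc_components(suffix)
    return parts[0], ".".join(parts[1:])
```

The greedy first group in the original pattern is why `dc=mydept,dc=mycompany,dc=com` yields an organisation of `mydept,dc=mycompany`, not `mydept`.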