[Samba] ldap guest account mapping looks broken
Eric A. Hall
ehall at ehsco.com
Thu Sep 1 18:44:23 GMT 2005
Judging from these lines in the log.smbd file:
| [2005/09/01 01:00:02, 4] lib/smbldap.c:smbldap_open(869)
| The LDAP server is succesfully connected
| [2005/09/01 01:00:02, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1335)
| ldapsam_getsampwnam: Unable to locate user [] count=0
and the detailed output from ldap log file:
| Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH
| base="dc=labs,dc=ntrg,dc=com" scope=2 deref=0
| filter="(&(?=undefined)(objectClass=sambaSamAccount))"
it would indeed appear that the "(?=undefined)" LDAP search filter is
being generated by pdb_ldap.c but a grep through that file doesn't return
any obvious hits.
Anybody got any suggestions here?
On 9/1/2005 1:18 AM, Eric A. Hall wrote:
> I'm running the samba-3.0.20-0.1 SUSE RPM. I was using the
> version that came with 9.3 but upgraded to see if this specific
> problem would go away.
>
> Guest access does not appear to be working correctly, and it looks
> like the problem is due to guest not getting mapped into the LDAP
> query correctly.
>
> Specifically, I can log in with a local account, join a workstation to
> the domain, browse shares, and everything else that requires
> authentication, but cannot log in to the domain nor browse the domain
> in explorer or anything else that requires guest access.
>
> Looking at the smbd log with loglevel 4 shows:
>
> [2005/09/01 01:00:02, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
> Got user=[] domain=[] workstation=[RHINO-VM-PC-1] len1=1 len2=0
> [2005/09/01 01:00:02, 3] smbd/sec_ctx.c:push_sec_ctx(256)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2005/09/01 01:00:02, 3] smbd/uid.c:push_conn_ctx(388)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2005/09/01 01:00:02, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2005/09/01 01:00:02, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/09/01 01:00:02, 3] auth/auth.c:check_ntlm_password(219)
> check_ntlm_password: Checking password for unmapped user
> []\[]@[RHINO-VM-PC-1] with the new password interface
> [2005/09/01 01:00:02, 3] auth/auth.c:check_ntlm_password(222)
> check_ntlm_password: mapped user is: [LABS]\[]@[RHINO-VM-PC-1]
> [2005/09/01 01:00:02, 3] smbd/sec_ctx.c:push_sec_ctx(256)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2005/09/01 01:00:02, 3] smbd/uid.c:push_conn_ctx(388)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2005/09/01 01:00:02, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2005/09/01 01:00:02, 2] lib/smbldap.c:smbldap_open_connection(630)
> smbldap_open_connection: connection opened
> [2005/09/01 01:00:02, 3] lib/smbldap.c:smbldap_connect_system(805)
> ldap_connect_system: succesful connection to the LDAP server
> [2005/09/01 01:00:02, 4] lib/smbldap.c:smbldap_open(869)
> The LDAP server is succesfully connected
> [2005/09/01 01:00:02, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1335)
> ldapsam_getsampwnam: Unable to locate user [] count=0
> [2005/09/01 01:00:02, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/09/01 01:00:02, 3] auth/auth_sam.c:check_sam_security(260)
> check_sam_security: Couldn't find user '' in passdb.
> [2005/09/01 01:00:02, 2] auth/auth.c:check_ntlm_password(317)
> check_ntlm_password: Authentication for user [] -> [] FAILED with
> error NT_STATUS_NO_SUCH_USER
>
> Looking in the slapd log with loglevel 256 shows:
>
> Sep 1 01:00:02 rhino slapd[8360]: conn=123 fd=28 ACCEPT from
> IP=207.65.71.3:55418 (IP=0.0.0.0:389)
> Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=0 BIND
> dn="***hidden***" method=128
> Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=0 BIND
> dn="uid=root,ou=Users,dc=labs,dc=ntrg,dc=com" mech=SIMPLE ssf=0
> Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=0 RESULT tag=97 err=0
> text=
> Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=1 SRCH base="" scope=0
> deref=0 filter="(objectClass=*)"
> Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=1 SRCH
> attr=supportedControl
> Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=1 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH
> base="dc=labs,dc=ntrg,dc=com" scope=2 deref=0
> filter="(&(?=undefined)(objectClass=sambaSamAccount))"
> Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH attr=uid
> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
> displayName sambaHomeDrive sambaHomePath sambaLogonScript
> sambaProfilePath description sambaUserWorkstations sambaSID
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
> objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
> sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
> sambaLogonHours modifyTimestamp
> Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=2 SEARCH RESULT tag=101
> err=0 nentries=0 text=
> Sep 1 01:00:13 rhino slapd[8360]: conn=123 fd=28 closed
>
> It looks like "filter="(&(?=undefined)(objectClass=sambaSamAccount))""
> produces zero responses (as would be expected), which is resulting in
> the "Unable to locate user [] count=0" SMB error.
>
> smb.conf has "guest account = guest"
>
> The output for "pdbedit --user=guest --verbose" is:
>
> Unix username: guest
> NT username: guest
> Account Flags: [U ]
> User SID: S-1-5-21-284210356-3264030311-3336521042-501
> Primary Group SID: S-1-5-21-284210356-3264030311-3336521042-514
> Full Name: Unknown or guest user
> Home Directory: \\rhino\guest\.9xprofile
> HomeDir Drive: P:
> Logon Script: logon.cmd
> Profile Path: \\rhino\profiles\.msprofile
> Domain: LABS
> Account desc: Unknown or guest user
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: Mon, 18 Jan 2038 22:14:07 GMT
> Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT
> Password last set: Wed, 31 Aug 2005 22:44:22 GMT
> Password can change: Wed, 31 Aug 2005 22:44:22 GMT
> Password must change: Mon, 18 Jan 2038 22:14:07 GMT
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
> The guest account is defined, is valid, and has a password.
>
> I'm pretty sure the whole problem here is with the malformed LDAP
> lookup but I could be wrong.
>
> Anybody got any ideas or suggestions here?
>
> Thanks
>
>
>
--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
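
Added example (not part of the original post, and not Samba or OpenLDAP code): a small Python script that pairs each slapd SRCH record whose logged filter contains "(?=undefined)" with its SEARCH RESULT line, so the empty searches described above can be picked out of a larger log. The sample lines are constructed from the excerpts in the post with wrapped lines re-joined; the function name is hypothetical.

```python
import re

# slapd "stats" (loglevel 256) records, one per line. These sample lines are
# constructed from the excerpts in the post, with wrapped lines re-joined.
SAMPLE_SLAPD_LOG = """\
Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH base="dc=labs,dc=ntrg,dc=com" scope=2 deref=0 filter="(&(?=undefined)(objectClass=sambaSamAccount))"
Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH attr=uid uidNumber gidNumber
Sep 1 01:00:02 rhino slapd[8360]: conn=123 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
""".splitlines()

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" .*filter="(.*)"\s*$')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*\berr=(\d+) nentries=(\d+)')
UNDEFINED = "(?=undefined)"  # literal text slapd logged for the unusable filter term


def find_undefined_filter_searches(lines):
    """Return searches whose logged filter contains (?=undefined), with results."""
    pending = {}    # (conn, op) -> record still waiting for its SEARCH RESULT
    findings = []
    for line in lines:
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, flt = m.groups()
            if UNDEFINED in flt:
                pending[(conn, op)] = {
                    "conn": int(conn), "op": int(op), "base": base,
                    "filter": flt, "err": None, "nentries": None,
                }
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            rec = pending.pop((m.group(1), m.group(2)))
            rec["err"], rec["nentries"] = int(m.group(3)), int(m.group(4))
            findings.append(rec)
    findings.extend(pending.values())   # searches with no result line seen
    return findings


if __name__ == "__main__":
    for f in find_undefined_filter_searches(SAMPLE_SLAPD_LOG):
        print(f"conn={f['conn']} op={f['op']} base={f['base']!r} "
              f"nentries={f['nentries']} filter={f['filter']}")
```

The conn and op numbers it reports can then be matched by timestamp against the "Got user=[]" and "Unable to locate user []" lines in log.smbd.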