[Samba] user authentication issue

Itamar Gal itamarggal at gmail.com
Sat Apr 18 10:17:28 MDT 2015


Hey Rowland,

Thank you so much for your help and patience.

> OK, just a few questions based on what is in your smb.conf, which seems to
> show that it is running as an NT-4 style PDC.
>

That's consistent with my understanding.

> passdb backend = ldapsam:"ldap://hosturl"
> I take it that 'hosturl' is the fqdn of the machine that samba is running
> on.
>

Yeah, sorry. I anonymized some of the parameters in order to (hopefully)
comply with policy. I'll take this opportunity to apologize for all past
and future clumsiness.


> ldap suffix = o=org
> Is this correct ?? I would expect something like 'dc=example,dc=com'
>

Actually, yes. Moreover, there is no line of the form 'dc=example,dc=com'
anywhere in the file.


> unix password sync = no
> This means that there is no sync between samba and local unix users i.e.
> they can have different passwords!
>

Yeah, that directive is brutally intuitive; it's funny what total
intellectual disorientation causes me to view with suspicion. I was
thinking that it was possible that some other directive might have a side
effect that overrides the 'unix password sync' directive.


> logon home = \\%N\%U
> %N means 'replace this with the name of your NIS home directory server'
> Do you have a NIS home directory server ?
> If not (and samba has been compiled in the right way) this could also mean
> the NetBIOS name of the server, in which case it may be better to just set
> this to NetBIOS name.
>

I don't believe that there is a NIS home directory server running. I've
replaced "logon home = \\%N\%U" with "logon home = \\%L\%U"; thanks for the
pointer.


> map to guest = bad user
> There doesn't seem to be much point to this because all the shares have
> this: 'guest ok = no'
>

Got it.


> As is, your users need to exist, but if they don't, they get mapped to
> nobody and can see the shares, but because 'guest ok = no' is set on the
> shares, they cannot do anything.


Ah. Ok, I think I understand, sort of. However I'm still required to
authenticate using the user's Samba password (set via smbpasswd) in order
to view the shares. Is that consistent with the user being mapped to nobody?

I'm also still unclear on why Samba doesn't see the user; the user appears
in the list generated by 'pdbedit -L', for instance. What gives?

Thanks again for your help!

Cheers,
Itamar
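
Added example (not part of the original message and not Samba's own code): a small Python check that applies three of the observations from the quoted review above to an smb.conf text. The sample configuration, share names and paths are constructed; treating an unset 'guest ok' as 'no' and an unset 'map to guest' as 'never' follows Samba's documented defaults.

```python
import configparser

# Constructed sample modelled on the settings quoted in the thread; the
# share names and paths are invented for this example.
SAMPLE = r"""
[global]
passdb backend = ldapsam:"ldap://hosturl"
ldap suffix = o=org
unix password sync = no
logon home = \\%N\%U
map to guest = bad user

[homes]
guest ok = no

[projects]
path = /srv/projects
guest ok = no
"""

TRUE = {"yes", "true", "1"}

def review(text):
    """Return a list of (parameter, note) findings for an smb.conf string."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = []
    # %N expands to the NIS home directory server, which may not exist.
    if "%N" in g.get("logon home", ""):
        findings.append(("logon home", "%N needs a NIS home directory server; "
                         "otherwise name the server, as the thread does with %L"))
    # With sync off, the Samba and local unix passwords are independent.
    if g.get("unix password sync", "no").lower() not in TRUE:
        findings.append(("unix password sync", "Samba and unix passwords can differ"))
    # 'map to guest = bad user' has no effect if no share accepts guests.
    shares = [s for s in cp.sections() if s.lower() != "global"]
    guest_shares = [s for s in shares if cp[s].get("guest ok", "no").lower() in TRUE]
    if g.get("map to guest", "never").lower() == "bad user" and not guest_shares:
        findings.append(("map to guest", "unknown users map to guest, but no "
                         "share sets 'guest ok = yes'"))
    return findings

if __name__ == "__main__":
    for param, note in review(SAMPLE):
        print(f"{param}: {note}")
```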

