[Samba] Re: Samba 3.0.0 - LDAP Authentication trouble
Bart Bekker
bartro at go.ro
Thu Nov 13 13:02:16 GMT 2003
Finally I was able to browse my [bart] home share from Windows. But
trying to change anything in the files resulted in an error, and in the
samba log appeared:
---
[2003/11/13 12:05:10, 5] rpc_parse/parse_prs.c:prs_uint32s(861)
0064 sub_auths : 00000015 03f528bd 261676f7
45c6efd9 00000201
[2003/11/13 12:05:10, 3] smbd/error.c:error_packet(113)
error packet at smbd/nttrans.c(1707) cmd=160 (SMBnttrans)
NT_STATUS_ACCESS_DENIED
[2003/11/13 12:05:10, 5] lib/util.c:show_msg(456)
---
Also other shares, both on an ACL-enabled and a non-ACL filesystem, give the
same error.
So I decided to try to change the ldap data concerning uid and gid for
user bart in ldap, since I figured that during my desperate
(and therefore not always by causal explanation) search for a solution I
messed something up there. I removed user bart from ldap, and added it
again with smbldap-useradd.pl -a bart.
In the ldap entries is now the following information:
uidnumber = 1007 (equal to unix uid),
SambaSID = domainSID + after the dash 3014,
gidnumber = 513 (equal to unix gid),
SambaPrimaryGroupSID = domainSID + after the dash 2027.
If I look from Windows now, the owner of a share (that is bart in unix)
is \\linux\sys (linux being the samba server hostname); it used to say
\\linux\bart when my sambaSID was the domain SID + 1007 after the dash,
and my home share with name bart disappeared, and the homes share
is not accessible.
From the samba log I caught this:
---
NT user token: (NULL)
[2003/11/13 13:57:28, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2003/11/13 13:57:28, 2] lib/smbldap.c:smbldap_search_suffix(1066)
smbldap_search_suffix: searching
for:[(&(sambaSID=S-1-5-21-66398397-639006455-1170665433-501)(objectclass=sambaSamAccount))]
[2003/11/13 13:57:28, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1099)
ldapsam_getsampwsid: Unable to locate SID
[S-1-5-21-66398397-639006455-1170665433-501] count=0
---
and
---
[2003/11/13 13:57:28, 5] auth/auth_util.c:debug_nt_user_token(491)
NT user token of user S-1-5-21-66398397-639006455-1170665433-501
contains 7 SIDs
SID[ 0]: S-1-5-21-66398397-639006455-1170665433-501
SID[ 1]: S-1-5-21-66398397-639006455-1170665433-514
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
SID[ 4]: S-1-5-32-546
SID[ 5]: S-1-5-21-66398397-639006455-1170665433-132067
SID[ 6]: S-1-5-21-66398397-639006455-1170665433-132069
[2003/11/13 13:57:28, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 65534
Primary group is 65533 and contains 3 supplementary groups
Group[ 0]: 65533
Group[ 1]: 65533
Group[ 2]: 65534
---
I have no uid 501 anywhere specified.
I have the feeling that I am lost somewhere between LDAP
authentication (this works, but not when I use SIDs as proposed by
Andrew Bartlett - see below and above) and unix authentication (even when
LDAP authenticates my user, I cannot change anything in the share, just
read access).
Where can I find information about how to populate the LDAP-directory?
Or an example of a working configuration?
Bart.
On Thu, 2003-11-13 at 01:16, Andrew Bartlett wrote:
> On Thu, 2003-11-13 at 03:11, Carl Weiss wrote:
> > Ok if all your users have the same SID xxx-3000 they are not incrementing
> > correctly in the add user script. I had this same problem when I wasn't
> > correctly authenticating to the LDAP server I was in fact using the
> > /etc/passwd file, and then using the same test user accounts that I had on
> > the box, i.e. cweiss in ldap and cweiss in /etc/passwd.
> >
> > To further test change all your SIDs manually with a graphical editor like
> > GQ. I'm guessing you don't have too many because it's a test install. Also
> > make sure to change the SIDs of any computers you added.
> >
> > When I initially found this problem I created a new function in the adduser
> > script to find the highest UID and increment by one. The user sid is
> > calculated by UID+RID*2
>
> UID*2 + 1000
>
> GID*2 + 1001
>
> is the traditional algorithm. Use it if possible.
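As an added example (not code from the post, from Samba or from smbldap-tools), the following Python applies the uid*2+1000 / gid*2+1001 mapping Andrew quotes above to Bart's entry (uid 1007 and gid 513 do give RIDs 3014 and 2027) and parses the NT user token from the second log excerpt to flag that the session was mapped to the well-known Guest RID 501 instead of to bart's own SID. DOMAIN_SID and the sample token lines are taken from the log in the post, the entry is constructed from Bart's stated values, and the SID names are Microsoft's standard well-known ones.

```python
import re

# Domain SID as it appears in the log excerpts of the post
DOMAIN_SID = "S-1-5-21-66398397-639006455-1170665433"
# Well-known SIDs/RIDs defined by Microsoft; they explain what the token in the log contains
WELL_KNOWN = {DOMAIN_SID + "-501": "Guest", DOMAIN_SID + "-514": "Domain Guests",
              "S-1-1-0": "Everyone", "S-1-5-2": "NETWORK", "S-1-5-32-546": "BUILTIN\\Guests"}

def rid_for_uid(uid: int) -> int:
    """Traditional Samba 3 mapping quoted in the thread: user RID = uid*2 + 1000."""
    return uid * 2 + 1000

def rid_for_gid(gid: int) -> int:
    """Traditional Samba 3 mapping quoted in the thread: group RID = gid*2 + 1001."""
    return gid * 2 + 1001

def check_entry(entry: dict) -> list:
    """Return the mismatches between the POSIX ids and the Samba SIDs of one LDAP entry."""
    problems = []
    want_user = f"{DOMAIN_SID}-{rid_for_uid(int(entry['uidNumber']))}"
    if entry["sambaSID"] != want_user:
        problems.append(f"sambaSID is {entry['sambaSID']}, expected {want_user}")
    want_group = f"{DOMAIN_SID}-{rid_for_gid(int(entry['gidNumber']))}"
    if entry["sambaPrimaryGroupSID"] != want_group:
        problems.append(f"sambaPrimaryGroupSID is {entry['sambaPrimaryGroupSID']}, expected {want_group}")
    return problems

SID_LINE = re.compile(r"SID\[\s*\d+\]:\s*(S-1-[\d-]+)")

def diagnose_token(log_text: str) -> dict:
    """Parse the 'NT user token' SID list from smbd log lines and flag a guest fallback."""
    sids = SID_LINE.findall(log_text)
    user_sid = sids[0] if sids else None  # SID[0] is the user's own SID
    return {"user_sid": user_sid,
            "guest_fallback": user_sid == DOMAIN_SID + "-501",  # RID 501 is the Guest account
            "labels": {s: WELL_KNOWN.get(s, "domain-specific") for s in sids}}

# Constructed from the values Bart gives for user bart (uid 1007, gid 513)
BART_ENTRY = {"uidNumber": "1007", "sambaSID": DOMAIN_SID + "-3014",
              "gidNumber": "513", "sambaPrimaryGroupSID": DOMAIN_SID + "-2027"}

# Constructed from the token lines in the second log excerpt of the post
TOKEN_LOG = """SID[ 0]: S-1-5-21-66398397-639006455-1170665433-501
SID[ 1]: S-1-5-21-66398397-639006455-1170665433-514
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
SID[ 4]: S-1-5-32-546
SID[ 5]: S-1-5-21-66398397-639006455-1170665433-132067
SID[ 6]: S-1-5-21-66398397-639006455-1170665433-132069"""
```

A token whose first SID is the domain's RID 501 alongside uid 65534 (nobody) means smbd could not match the authenticated account to a sambaSamAccount and fell through to guest, which is why the share is readable but not writable.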