[Samba] Problem w/ Samba 3 & LDAP

Ted Wisniewski ted at ness.plymouth.edu
Thu Apr 1 14:19:58 GMT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for the response, but the odd thing is that both had the same set of 
parameters in the LDAP.  I took your advice and added some other parameters 
to the LDAP for a non working entry...   Same result.

Example LDIF (Working):

dn: uid=newuser, ou=People, dc=plymouth,dc=edu
sambaPwdLastSet: 1080739453
sambaAcctFlags: [U          ]
displayName: New User
sambaPwdMustChange: 2147483647
objectClass: sambaSamAccount
objectClass: account
uid: newuser
sambaSID: S-1-5-21-204843054-3526713080-3458795326-37000
sambaPwdCanChange: 1080739453
sambaNTPassword: 5A6A0AFE9618570BF8B167BC1B9E4B1D
sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1063
sambaLMPassword: 54E8D1FD3821A0A8AAD3B435B51404EE

Example LDIF (NOT WORKING)
dn: uid=notworking, ou=People, dc=plymouth,dc=edu
sambaPwdLastSet: 1080739453
sambaAcctFlags: [U          ]
displayName: Not Working
sambaPwdMustChange: 2147483647
objectClass: sambaSamAccount
objectClass: account
uid: notworking
sambaSID: S-1-5-21-204843054-3526713080-3458795326-3472
sambapwdCanChange: 1080739453
sambaNTPassword: 8F851644E0A37D3FB3476910A6A93303
sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1399
sambaLMPassword: F12E9CF522B3C3FBAAD3B435B51404EE



Any ideas?  I can map to the home share without difficulty...   It is only a 
problem when doing a domain logon.   If I delete the LDAP entry and do the 
(smbpasswd -a) from the command line, the entries look identical.  The only 
difference is one works and the other does not.   Is there another place 
where info is recorded?  In the LDAP?  in a TDB file?

Ted

>On Wed, 2004-03-31 at 12:47, Ted Wisniewski wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> Here is a description of what I am trying to do (with Samba 3.0.2a & 
openldap 
>> 2.1.27):
>> 
>> I have all my users populated into the LDAP with all the applicable 
>> attributes;  Users can map drives to a server using LDAP as the 
>> authentication backend without issue.
>> 
>> Where I am running into problems is bringing up a PDC using Samba w/LDAP.   
>> 
>> * I added the appropriate machine accounts (using smbpasswd -a -m) and was 
>> able to join the domain.  
>> 
>> * Any user in the pre-populated LDAP cannot log in, however, any user I add 
to 
>> the LDAP from the machine with Samba running on it CAN log in properly.
>> 
>> If I delete the original entry from the LDAP, add a new on via (smbpasswd 
- -a), 
>> then the user can log in.   This works, but is ultimately not scalable...   
I 
>> can then place the original LDAP entry back in place and they can log in...  
>> Just as long as the password for the account is not changed.
>> 
>> I am sure there is something I am missing, but I cannot see it for the life 
of 
>> me.    The odd thing is, that in the log.smbd, I get odd errors about 
reading 
> a socket, but only for the users that have not been added by the local 
> "smbpasswd" command.  They are both in the same LDAP. Any help would be 
> greatly appreciated.
> 
> Ted
> 
- -- SNIP --

> Global section of smb.conf
- -----
it appears that the 'non-functional' user doesn't have the domain
attribute set (or at least set properly).

ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=non-functional)'

and then

ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=functional)'

and the functional users will have attributes such as sambaDomainName
properly set that the non-functional's do not.

Craig


- -- 
| Ted Wisniewski                    E-Mail: ted at mail.plymouth.edu        |
| Manager, Systems Group            WEB:    http://oz.plymouth.edu/~ted/ |
| Information Technology Services					 |
| Plymouth State University         Phone:  (603) 535-2661               |
| Plymouth NH, 03264                Fax:    (603) 535-2263               |
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQFAbCUOLoXjVqfQ0u4RAlMJAKDtX1d/e6APTME3VC7uGEUDm4+z3wCgjQyL
XVfh2hqDuua+mD54Ai46LE8=
=GIld
-----END PGP SIGNATURE-----



More information about the samba mailing list