[Samba] Problem w/ Samba 3 & LDAP

Ted Wisniewski ted at ness.plymouth.edu
Thu Apr 1 14:30:55 GMT 2004


Sorry,
I found a clue.  In these below, I made the SID the same and it worked.  In
my case, I will have multiple domains all pulling from the same LDAP.  How
can I make this work without having to have the SIDs for each domain be the
same?  (Which I am pretty sure would be a bad idea, right?)

Ted


On Thursday 01 April 2004 09:19 am, Ted Wisniewski wrote:
> Thanks for the response, but the odd thing is that both had the same set of
> parameters in the LDAP.  I took your advice and added some other parameters
> to the LDAP for a non working entry...   Same result.
>
> Example LDIF (Working):
>
> dn: uid=newuser, ou=People, dc=plymouth,dc=edu
> sambaPwdLastSet: 1080739453
> sambaAcctFlags: [U          ]
> displayName: New User
> sambaPwdMustChange: 2147483647
> objectClass: sambaSamAccount
> objectClass: account
> uid: newuser
> sambaSID: S-1-5-21-204843054-3526713080-3458795326-37000
> sambaPwdCanChange: 1080739453
> sambaNTPassword: 5A6A0AFE9618570BF8B167BC1B9E4B1D
> sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1063
> sambaLMPassword: 54E8D1FD3821A0A8AAD3B435B51404EE
>
> Example LDIF (NOT WORKING)
> dn: uid=notworking, ou=People, dc=plymouth,dc=edu
> sambaPwdLastSet: 1080739453
> sambaAcctFlags: [U          ]
> displayName: Not Working
> sambaPwdMustChange: 2147483647
> objectClass: sambaSamAccount
> objectClass: account
> uid: notworking
> sambaSID: S-1-5-21-204843054-3526713080-3458795326-3472
> sambapwdCanChange: 1080739453
> sambaNTPassword: 8F851644E0A37D3FB3476910A6A93303
> sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1399
> sambaLMPassword: F12E9CF522B3C3FBAAD3B435B51404EE
>
>
>
> Any ideas?  I can map to the home share without difficulty...   It is only
> a problem when doing a domain logon.   If I delete the LDAP entry and do
> the (smbpasswd -a) from the command line, the entries look identical.  The
> only difference is one works and the other does not.   Is there another
> place where info is recorded?  In the LDAP?  in a TDB file?
>
> Ted
>
> >On Wed, 2004-03-31 at 12:47, Ted Wisniewski wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Here is a description of what I am trying to do (with Samba 3.0.2a &
> >> openldap 2.1.27):
> >>
> >> I have all my users populated into the LDAP with all the applicable
> >> attributes;  Users can map drives to a server using LDAP as the
> >> authentication backend without issue.
> >>
> >> Where I am running into problems is bringing up a PDC using Samba
> >> w/LDAP.
> >>
> >> * I added the appropriate machine accounts (using smbpasswd -a -m) and
> >> was able to join the domain.
> >>
> >> * Any user in the pre-populated LDAP cannot log in, however, any user I
> >> add to the LDAP from the machine with Samba running on it CAN log in
> >> properly.
> >>
> >> If I delete the original entry from the LDAP, add a new one via
> >> (smbpasswd -a), then the user can log in.   This works, but is
> >> ultimately not scalable... I can then place the original LDAP entry
> >> back in place and they can log in... Just as long as the password for
> >> the account is not changed.
> >>
> >> I am sure there is something I am missing, but I cannot see it for the
> >> life of me.    The odd thing is, that in the log.smbd, I get odd errors
> >> about reading a socket, but only for the users that have not been added
> >> by the local "smbpasswd" command.  They are both in the same LDAP. Any
> >> help would be greatly appreciated.
> >>
> >> Ted
>
> -- SNIP --
>
> > Global section of smb.conf
>
> -----
> it appears that the 'non-functional' user doesn't have the domain
> attribute set (or at least set properly).
>
> ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=non-functional)'
>
> and then
>
> ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=functional)'
>
> and the functional users will have attributes such as sambaDomainName
> properly set that the non-functional's do not.
>
> Craig

-- 
| Ted Wisniewski                    E-Mail: ted at mail.plymouth.edu        |
| Manager, Systems Group            WEB:    http://oz.plymouth.edu/~ted/ |
| Information Technology Services                                           |
| Plymouth State University         Phone:  (603) 535-2661               |
| Plymouth NH, 03264                Fax:    (603) 535-2263               |
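
Added example (not part of the original message and not Samba code): a check over exported LDIF for the condition reported at the top of this message, that logons worked once the accounts carried the same SID. It assumes the expected domain SID is known (for example from `net getlocalsid` on the PDC) and that the export is plain LDIF; the `imported` entry and its SID prefix are constructed.

```python
import re

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")  # domain SID, then RID

def parse_ldif(text):
    """Parse simple LDIF into [{attr_lowercase: [values]}]; base64 values are not decoded."""
    entries, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():                 # blank line ends an entry
            entries.append(cur)
            cur, last = {}, None
        elif line.startswith(" ") and last:  # folded continuation line
            cur[last][-1] += line[1:]
        elif not line.startswith("#"):       # skip comments
            attr, _, value = line.partition(":")
            last = attr.strip().lower()      # attribute names are case-insensitive
            cur.setdefault(last, []).append(value.strip())
    return [e for e in entries + [cur] if e]

def sid_problems(entry, domain_sid):
    """Return reasons why this account's SIDs do not sit under domain_sid."""
    problems = []
    for attr, required in (("sambasid", True), ("sambaprimarygroupsid", False)):
        value = (entry.get(attr) or [""])[0]
        m = SID_RE.match(value)
        if m is None and required:
            problems.append(f"{attr}: missing or not a domain SID ({value!r})")
        elif m is not None and m.group(1) != domain_sid:
            problems.append(f"{attr}: RID {m.group(2)} is under {m.group(1)}")
    return problems

def audit(ldif_text, domain_sid):
    """Map uid -> problems for every entry that has at least one."""
    report = {e.get("uid", ["?"])[0]: sid_problems(e, domain_sid) for e in parse_ldif(ldif_text)}
    return {uid: p for uid, p in report.items() if p}

# Constructed sample: 'newuser' uses the SIDs quoted in the thread, 'imported' is made up.
DOMAIN_SID = "S-1-5-21-204843054-3526713080-3458795326"
SAMPLE = """\
dn: uid=newuser, ou=People, dc=plymouth,dc=edu
uid: newuser
sambaSID: S-1-5-21-204843054-3526713080-3458795326-37000
sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1063

dn: uid=imported, ou=People, dc=plymouth,dc=edu
uid: imported
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3472
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-1399
"""
```

Calling `audit(SAMPLE, DOMAIN_SID)` reports only the `imported` entry, once for each SID attribute that falls under a different domain SID.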