[Samba] Problem w/ Samba 3 & LDAP

Craig White craigwhite at azapple.com
Thu Apr 1 23:02:59 GMT 2004


On Thu, 2004-04-01 at 07:30, Ted Wisniewski wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Sorry,
> I found a clue. In these below, I made the SID the same and it worked. In
> my case, I will have multiple domains all pulling from the same LDAP. How
> can I make this work without having to have the SIDs for each domain be the
> same? (Which I am pretty sure would be a bad idea, right?)
> 
> Ted
> 
> 
> On Thursday 01 April 2004 09:19 am, Ted Wisniewski wrote:
> > Thanks for the response, but the odd thing is that both had the same set of
> > parameters in the LDAP.  I took your advice and added some other parameters
> > to the LDAP for a non working entry...   Same result.
> >
> > Example LDIF (Working):
> >
> > dn: uid=newuser, ou=People, dc=plymouth,dc=edu
> > sambaPwdLastSet: 1080739453
> > sambaAcctFlags: [U          ]
> > displayName: New User
> > sambaPwdMustChange: 2147483647
> > objectClass: sambaSamAccount
> > objectClass: account
> > uid: newuser
> > sambaSID: S-1-5-21-204843054-3526713080-3458795326-37000
> > sambaPwdCanChange: 1080739453
> > sambaNTPassword: 5A6A0AFE9618570BF8B167BC1B9E4B1D
> > sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1063
> > sambaLMPassword: 54E8D1FD3821A0A8AAD3B435B51404EE
> >
> > Example LDIF (NOT WORKING):
> > dn: uid=notworking, ou=People, dc=plymouth,dc=edu
> > sambaPwdLastSet: 1080739453
> > sambaAcctFlags: [U          ]
> > displayName: Not Working
> > sambaPwdMustChange: 2147483647
> > objectClass: sambaSamAccount
> > objectClass: account
> > uid: notworking
> > sambaSID: S-1-5-21-204843054-3526713080-3458795326-3472
> > sambapwdCanChange: 1080739453
> > sambaNTPassword: 8F851644E0A37D3FB3476910A6A93303
> > sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1399
> > sambaLMPassword: F12E9CF522B3C3FBAAD3B435B51404EE
> >
> >
> >
> > Any ideas?  I can map to the home share without difficulty...   It is only
> > a problem when doing a domain logon.   If I delete the LDAP entry and do
> > the (smbpasswd -a) from the command line, the entries look identical.  The
> > only difference is one works and the other does not.   Is there another
> > place where info is recorded?  In the LDAP?  in a TDB file?
----
It appeared that you edited the info to the point of making it difficult
to trust what is actually being reported from the ldapsearch command.

It seems as though your smbuser in one case matches up to a unix user,
and in the other case (where it doesn't work) it doesn't match up. But if
it works when you delete and then create the samba user, then both parts
are certainly done.

I have both posix and sambaSamAccount objectclass for all my users... a
typical user looks like:

# testuser, People, Domain US
dn: uid=testuser, ou=People,o=Domain,c=US
sambaPwdCanChange: 1075657455
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1075657455
shadowLastChange: 12449
sambaProfilePath: \\linserv1\profiles\testuser
sambaLogonScript: users-pr.bat
cn: testuser
uidNumber: 1054
sambaAcctFlags: [U          ]
gecos: testuser
mail: testuser at domain.com
sambaLMPassword: **removed**
uid: testuser
sambaHomePath: \\linserv2\homes\testuser
homeDirectory: /home/users/testuser
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgperson
objectClass: sambaSamAccount
sambaDomainName: DOMAIN
gidNumber: 1000
sambaSID: S-1-5-21-1292501092-333717336-619646970-3108
sambaNTPassword:  **removed**
sn: User
givenName: Test
loginShell: /bin/sh
userPassword::  **removed**
sambaPrimaryGroupSID: S-1-5-21-1292501092-333717336-619646970-513

NOTE:
sambaPrimaryGroupSID: ends in -513 ("Domain Users")
posix attributes not necessary with samba:
loginShell, givenName, sn, cn, gecos, homeDirectory, and objectclasses
posixAccount-inetOrgPerson-shadowAccount

LDAP for samba should have 1 and only 1 domain (windows variety) and 1
SID (obtainable with net getlocalSID command).

Craig
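The point of Craig's reply is that every sambaSID and sambaPrimaryGroupSID in the directory must carry the one domain SID the server reports via `net getlocalsid`. The script below, an added example that is not part of the thread or of Samba itself, parses simple LDIF text and reports entries whose SIDs belong to a different domain prefix. DOMAIN_SID is taken from Ted's working entry; the second sample entry is constructed with a deliberately foreign prefix.

```python
import re

# Domain SID as it appears in the working entry above (the part before the RID).
DOMAIN_SID = "S-1-5-21-204843054-3526713080-3458795326"

# Constructed sample: first entry is consistent, second has a foreign sambaSID.
SAMPLE_LDIF = """\
dn: uid=newuser, ou=People, dc=example,dc=org
uid: newuser
objectClass: sambaSamAccount
sambaSID: S-1-5-21-204843054-3526713080-3458795326-37000
sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-513

dn: uid=notworking, ou=People, dc=example,dc=org
uid: notworking
objectClass: sambaSamAccount
sambaSID: S-1-5-21-999999999-111111111-222222222-3472
sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1399
"""

# Domain-style SID: fixed S-1-5-21 prefix, three sub-authorities, then the RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def parse_ldif(text):
    """Split blank-line-separated LDIF into dicts of lower-cased attr -> [values].
    Handles the plain 'attr: value' form only (no continuation or base64 lines)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def check_sids(entries, domain_sid):
    """Return {uid: [problem strings]} for SIDs that are malformed or that
    belong to a domain prefix other than domain_sid."""
    problems = {}
    for entry in entries:
        uid = entry.get("uid", ["<no uid>"])[0]
        for attr in ("sambasid", "sambaprimarygroupsid"):
            for sid in entry.get(attr, []):
                match = SID_RE.match(sid)
                if match is None or match.group(1) != domain_sid:
                    msg = f"{attr} not in domain {domain_sid}: {sid}"
                    problems.setdefault(uid, []).append(msg)
    return problems
```

Run `check_sids(parse_ldif(open("users.ldif").read()), DOMAIN_SID)` against an `ldapsearch -LLL` dump, with DOMAIN_SID replaced by the value from `net getlocalsid`, to list the accounts that will fail domain logon for this reason.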
