[Samba] Problem validating with LDAP and Samba3.0.1debian
Torben Thomsen
torben at itcampus.dk
Sun Feb 15 02:12:46 GMT 2004
Hi,
I'm running OpenLDAP and Samba 3.0.1 on my Debian system, but I have
spent many, many hours trying to get Samba to validate users against
LDAP... and am now turning to the last resort...
This is my configuration
__________________________________________________
The important lines in smb.conf look like this...
--------------------------------------------------
[global]
workgroup = SKOLE
passdb backend = ldapsam:ldap://127.0.0.1/
ldap suffix = dc=login
ldap machine suffix = ou=machines
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap admin dn = "cn=admin,dc=login"
netbios name = thePri
load printers = no
security = user
encrypt passwords = true
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = yes
os level = 40
domain master = yes
preferred master = yes
domain logons = yes
wins support = yes
dns proxy = no
___________________________
slapd.conf looks like this:
---------------------------
allow bind_v2
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd.args
loglevel 256
modulepath /usr/lib/ldap
moduleload back_ldbm
database ldbm
suffix "dc=login"
rootdn "cn=admin,dc=login"
rootpw <MyPaSsWoRd>
directory "/var/lib/ldap"
index objectClass,uid,uidNumber,gidNumber,memberUid eq
lastmod on
access to attribute=userPassword
by dn="cn=admin,dc=login" write
by anonymous auth
by self write
by * none
access to dn.base="" by * read
access to *
by dn="cn=admin,dc=login" write
by * read
_____________________________
/etc/ldap.conf
-----------------------------
HOST 127.0.0.1
BASE dc=login
_____________________________________________
The samba.schema is copied from the Samba 3.0.1 source
(/examples/LDAP/samba.schema) and the LDAP is populated with the
populate tool from smb-tools. I can see the LDAP tree is working
with LAM (lam.sf.net) and can create new users from there... A pdbedit -L
reveals the users as well....
The populate tool creates an Administrator, and when I do "smbpasswd
Administrator" it looks like it succeeds; the values in sambaNTPassword
change, anyway...
THE PROBLEM:
I use two cases to show my problem: one with the correct password and
one with a wrong password.
me at compaq:~$ smbclient -L localhost -U Administrator
Password: (CORRECT PASSWORD)
session setup failed: NT_STATUS_LOGON_FAILURE
________________________________
The log for the above looks like this
---------------------------------
Feb 14 21:04:54 compaq slapd[3739]: conn=8 op=2 SRCH base="dc=login"
scope=2 filter="(&(uid=Administrator)(objectClass=sambaSamAccount))"
Feb 14 21:04:54 compaq slapd[3739]: conn=8 op=2 SRCH attr=uid uidNumber
gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial
Feb 14 21:04:54 compaq slapd[3739]: conn=8 op=2 SEARCH RESULT tag=101
err=0 nentries=1 text=
Feb 14 21:04:54 compaq smbd[3754]: [2004/02/14 21:04:54, 0]
auth/auth_sam.c:check_sam_security(221)
Feb 14 21:04:54 compaq smbd[3754]: check_sam_security:
make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
Feb 14 21:04:54 compaq slapd[3737]: conn=8 fd=9 closed
---------------------------------------------------------------------------------------------
me at compaq:~$ smbclient -L localhost -U Administrator
Password: (WRONG PASSWORD)
session setup failed: NT_STATUS_LOGON_FAILURE
_______________________________________
The log for the above looks like this
---------------------------------------
Feb 14 21:20:56 compaq slapd[3739]: conn=9 op=2 SRCH base="dc=login"
scope=2 filter="(&(uid=Administrator)(objectClass=sambaSamAccount))"
Feb 14 21:20:56 compaq slapd[3739]: conn=9 op=2 SRCH attr=uid uidNumber
gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial
Feb 14 21:20:56 compaq slapd[3739]: conn=9 op=2 SEARCH RESULT tag=101
err=0 nentries=1 text=
Feb 14 21:20:56 compaq slapd[3737]: conn=9 fd=9 closed
---------------------------------------------------------------------------------
So it seems that the Samba backend recognizes the Administrator with
the correct password, but still throws an NT_STATUS_NO_SUCH_USER.
I suspect it has something to do with the Unix-user sync, but I have no
idea at the moment how to deal with this problem!
In the future I would like to sync the Samba users with the Unix users,
but there is still a LOONG way into the XP pile before that problem has
priority....
I sure could use some help!
Thanx
/torben
------------------------------------------
The following is just a snip from an LDAP search
-------------------------------
cn: Administrator
sn: Administrator
objectclass: inetOrgPerson
gidnumber: 512
uid: Administrator
uidnumber: 998
homedirectory: HOMEPREFIX
sambalogontime: 0
sambalogofftime: 2147483647
sambakickofftime: 2147483647
sambahomepath: \\PDCNAME\homes
sambahomedrive: HOMEDRIVE
sambaprofilepath: \\PDCNAME\profiles\
sambaprimarygroupsid: S-1-5-21-53176251-1034743845-4114978061-512
sambaacctflags: [U ]
sambasid: S-1-5-21-53176251-1034743845-4114978061-2996
loginshell: /bin/false
gecos: Netbios Domain Administrator
sambapwdcanchange: 1076792501
sambapwdmustchange: 1078606901
sambalmpassword: 598DDCE2660D3193AAD3B435B51404EE
sambantpassword: 2D20D252A479F485CDF5E171D93985BF
sambapwdlastset: 1076792501
cn: nobody
sn: nobody
objectclass: inetOrgPerson
gidnumber: 514
uid: nobody
uidnumber: 999
homedirectory: /dev/null
sambapwdlastset: 0
sambalogontime: 0
sambalogofftime: 2147483647
sambakickofftime: 2147483647
sambapwdcanchange: 0
sambapwdmustchange: 2147483647
sambahomepath: \\PDCNAME\homes
sambahomedrive: HOMEDRIVE
sambaprofilepath: \\PDCNAME\profiles\
sambaprimarygroupsid: S-1-5-21-53176251-1034743845-4114978061-514
sambalmpassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambantpassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaacctflags: [NU ]
sambasid: S-1-5-21-53176251-1034743845-4114978061-2998
loginshell: /bin/false
objectclass: posixGroup
gidnumber: 512
cn: Domain Admins
memberuid: Administrator
description: Netbios Domain Administrators
sambasid: S-1-5-21-53176251-1034743845-4114978061-512
sambagrouptype: 2
displayname: Domain Admins
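Added example (mine, not from the post or from the Samba project). In Samba 3.0 make_server_info_sam() returns NT_STATUS_NO_SUCH_USER when getpwnam() cannot resolve the Samba account as a Unix user, so an ldapsam entry must also be a posixAccount that NSS (nss_ldap) can see, or the user must exist in /etc/passwd. This script checks a dump like the one above for that, and for populate-template placeholders (HOMEPREFIX, HOMEDRIVE, PDCNAME) left unsubstituted; the LDIF it parses is constructed after the post's entries, and the attribute set it requires is my assumption.

```python
# Constructed LDIF excerpt modelled on the entries in the post (not the poster's actual dump).
SAMPLE_LDIF = r"""cn: Administrator
objectclass: inetOrgPerson
uid: Administrator
uidnumber: 998
gidnumber: 512
homedirectory: HOMEPREFIX
sambahomepath: \\PDCNAME\homes
loginshell: /bin/false
sambasid: S-1-5-21-53176251-1034743845-4114978061-2996

cn: Domain Admins
objectclass: posixGroup
sambasid: S-1-5-21-53176251-1034743845-4114978061-512
"""
# Template tokens that the populate tool should have substituted before writing entries.
PLACEHOLDERS = ("HOMEPREFIX", "HOMEDRIVE", "PDCNAME")
# Attributes getpwnam() needs from a posixAccount entry via nss_ldap (my assumption).
POSIX_REQUIRED = ("uidnumber", "gidnumber", "homedirectory", "loginshell")


def parse_ldif(text):
    # Minimal parser for "attr: value" dumps with a blank line between entries;
    # attribute names are lower-cased (as in the post). No continuation or base64 lines.
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def check_samba_users(entries):
    # Returns {uid: [findings]} for each entry that looks like a Samba user (uid + sambaSID).
    report = {}
    for e in entries:
        if "uid" not in e or "sambasid" not in e:
            continue  # groups, machine accounts without uid, etc.
        findings = []
        if not any(c.lower() == "posixaccount" for c in e.get("objectclass", [])):
            findings.append("no posixAccount objectClass: nss_ldap cannot resolve this user")
        findings += [f"missing {a}" for a in POSIX_REQUIRED if a not in e]
        findings += [f"{a} still holds template placeholder {v!r}"
                     for a, vals in e.items() for v in vals if any(p in v for p in PLACEHOLDERS)]
        report[e["uid"][0]] = findings
    return report
```

On the Samba host itself, `getent passwd Administrator` is the direct test of whether NSS resolves the account.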