[Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED

Craig White craigwhite at azapple.com
Sat Jul 17 12:50:55 GMT 2004


On Fri, 2004-07-16 at 22:53, Craig White wrote:
> On Fri, 2004-07-16 at 13:39, abebe lsslp wrote:
> > 
> > I couldn't find any hint that leads me to believe the
> > ldap doesn't work, but you might see something I
> > don't.  you will find the whole 'slapd.log' file here:
> > http://150.208.105.24/smbldap-pdc/. (there are also
> > log files for the xp machine. ('winxp.log.html' is log
> > level 10 and 'winxp_log.html' is log level 3). Log
> > level 10 doesn't really tell me anything log level 3
> > doesn't.    
> ----
> SIDs don't match...
> 
> dn: uid=Administrator,ou=Users,dc=wbcoll,dc=edu
> <snip>
> sambaPrimaryGroupSID: S-1-5-21-952094410-1508517273-1204454084-512
> sambaSID: S-1-5-21-952094410-1508517273-1204454084-2996
> 
> pdbedit -Lv testuser1
> <snip>
> User SID:             S-1-5-21-1414736517-1990894286-2385622597-3000
> Primary Group SID:    S-1-5-21-1414736517-1990894286-2385622597-513
> 
> Who knows which SID is in smbldap_conf and which SID is in dn=SambaDomainName,dc=wbcoll,dc=edu
> 
> This should be one of the first things you check.
> 
> Also - just for a point of reference (not that what I do is at all correct or even recommended by the many people that know way more than I do), I set the primary posix gid for all users to a posix labeled group and my /etc/samba/smbusers looks like this:
> # cat /etc/samba/smbusers
> # Unix_name = SMB_name1 SMB_name2 ...
> root = Administrator administrator admin
> nobody = guest pcguest smbguest
> 
> I hope this helps.
----
I went back and checked some more things - to further amplify what I see
happening is that your smbldap isn't working at all.

The sambaSamAccount objects weren't added at all to your testuser1.
Neither the objectclass nor any of the typical samba objects showed up
at the bottom of your slapcat listing for testuser1 - they did appear
for the other groups and users - which I presume were derived from your
efforts to rpc net vampire. Since they appear when you enter the pdbedit
-Lv testuser1, they are apparently getting supplied from somewhere or
something but not from the testuser1 object in LDAP where it certainly
needs to be. Clearly the SID in dn:
sambaDomainName=AGUILAS,dc=wbcoll,dc=edu doesn't match other SIDs (and
curiously doesn't match that supplied in pdbedit -Lv testuser1). And
then who knows what you're gonna get when you net getlocalsid?

Also - when you net rpc vampire, you get posix Groups such as 'Domain
Users' which don't work all that well for posix stuff because of the
case, spaces, etc. While these will work fine for samba, I would
strongly recommend that users be assigned to posix labeled groups such
as 'users' - typically gidnumber 100 on a Red Hat system or similar or
change the cn of those groups to be posix-like since the 'displayName'
'sambaGroupMapping' 'sambaSID' and 'sambaGroupType' objects are what
Windows sees.

Craig
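A small consistency check for the SID mismatch described in this thread, added here as an example (not code from the post or from Samba). It pulls the SID-bearing lines out of a slapcat listing and out of `pdbedit -Lv` output and flags every SID whose domain part differs from the local domain SID; LOCAL_SID is an assumption standing in for what `net getlocalsid` would report.

```python
import re

# A domain SID is S-1-5-21-<a>-<b>-<c>; an account or group SID appends a RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)(?:-(\d+))?$")
# "<label>: <SID>" as printed by slapcat (sambaSID: ...) and pdbedit -Lv (User SID: ...).
LINE_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s+(S-1-5-21-[\d-]+)\s*$")

def split_sid(sid):
    """Return (domain_part, rid); rid is None for a bare domain SID."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a domain-style SID: {sid!r}")
    return m.group(1), (int(m.group(2)) if m.group(2) else None)

def sids_from_text(text):
    """Map each SID-bearing label (sambaSID, User SID, ...) to its SID value."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def mismatches(local_sid, sids):
    """Sorted labels whose SID does not belong to local_sid's domain."""
    domain, _ = split_sid(local_sid)
    return sorted(label for label, sid in sids.items() if split_sid(sid)[0] != domain)

# Constructed sample input: the LDAP entry and pdbedit output quoted in the thread.
LDAP_ENTRY = """\
dn: uid=Administrator,ou=Users,dc=wbcoll,dc=edu
sambaPrimaryGroupSID: S-1-5-21-952094410-1508517273-1204454084-512
sambaSID: S-1-5-21-952094410-1508517273-1204454084-2996
"""
PDBEDIT_OUTPUT = """\
User SID:             S-1-5-21-1414736517-1990894286-2385622597-3000
Primary Group SID:    S-1-5-21-1414736517-1990894286-2385622597-513
"""
# Assumption: the local domain SID (net getlocalsid) equals the domain part of the LDAP SIDs.
LOCAL_SID = "S-1-5-21-952094410-1508517273-1204454084"

if __name__ == "__main__":
    for name, text in (("LDAP entry", LDAP_ENTRY), ("pdbedit -Lv", PDBEDIT_OUTPUT)):
        bad = mismatches(LOCAL_SID, sids_from_text(text))
        print(f"{name}: {'OK' if not bad else 'foreign domain SID in ' + ', '.join(bad)}")
```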
