[Samba] LDAP authentication problem

Alexander Varga alexandervarga at usske.sk
Sun Jun 6 12:52:44 GMT 2004


Hi
I have a little problem with my LDAP authorization of Samba against a Novell LDAP server.
This is the log output from the Novell LDAP server:
----------------------------------------------------------------------------------------------------
New TCP connection 0xcb1e3980, monitor = 0x1bf, index = 2
(0xcb1e3980:0x0001:0x60) DoBind on connection 0xcb1e3980
(0xcb1e3980:0x0001:0x60) DoBind: name = 'cn=SAMBAuser,ou=SRV100,ou=Resources,o=USS', client version = 3, method = 0x80
(0xcb1e3980:0x0001:0x60) Sending operation result 0:"":"" to connection 0xcb1e3980

###############################
### The Samba user is the one who can browse the NDS to search for existing users... he logged in successfully (0:"":"")
##############################

(0xcb1e3980:0x0002:0x63) DoSearch on connection 0xcb1e3980
(0xcb1e3980:0x0002:0x63) Search request:
    base: "o=USS"
    scope:2  derefence:0  sizelimit:0  timelimit:0  attrsonly:0
    filter: "(&(uid=AlexanderVarga)(objectclass=sambaAccount))
################################
###### After that he searched the directory structure for user AlexanderVarga, but of type objectClass=sambaAccount....
################################
(0xcb1e3980:0x0002:0x63)    attribute: "uid"
(0xcb1e3980:0x0002:0x63)    attribute: "uidNumber"
(0xcb1e3980:0x0002:0x63)    attribute: "gidNumber"
(0xcb1e3980:0x0002:0x63)    attribute: "homeDirectory"
(0xcb1e3980:0x0002:0x63)    attribute: "pwdLastSet"
...
(0xcb1e3980:0x0002:0x63) Sending operation result 0:"":"" to connection 0xcb1e3980
Monitor 0x1bf found connection 0xcb1e3980 socket closed, err = 57, 0 of 0 bytes read
Monitor 0x1bf initiating close for connection 0xcb1e3980
Server closing connection 0xcb1e3980, socket error = 57

#############################
### Of course he couldn't find it, because on the Novell server they have defined the object classes user, group, ... so it cannot match and it closes the connection
############################
----------------------------------------------------------------------------
----------------------------------------------------------------------------
Here is my slapd.conf... it does not work to start slapd, because it cannot load the ldbm database. I compiled everything and I am not familiar with this, but because I am just a client, maybe I don't need this:

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /etc/ldap/samba.schema
pidfile         /usr/local/var/slapd.pid
argsfile        /usr/local/var/slapd.args
database        lbdm
suffix          "o=USS"
rootdn          "cn=SAMBAuser,ou=SRV100,ou=Resources,o=USS"
rootpw          secret
directory       /usr/local/samba/var/openldap-data
index   objectClass     eq
-------------------------------------------------------------------
----------------------------------------------------------------------
Here is my ldap.conf... the ldap_cachemgr is working properly... I hope so :)

BASE    o=USS
URI     ldap://nv6test.nw.usske.sk:389
HOST    10.5.3.177
PORT    389
------------------------------------------------------------------------
-----------------------------------------------------------------------
Here is my smb.conf

[global]
workgroup = Inf-ks
netbios name = SUNV240
passwd backend = ldapsam://10.5.3.177:389
ldap admin dn="cn=SAMBAuser,ou=SRV100,ou=Resources,o=USS"
ldap filter = (&(uid=%u) (o=USS))
ldap suffix = "o=USS"
ldap port = 389
ldap server = 10.5.3.177
[share1]
path = /tmp
---------------------------------------------------------
---------------------------------------------------------

In between I ran this

ldapclient manual \
-a profileName=profile-imb \
-a domainName=o=USS \
-a serviceSearchDescriptor=passwd:o=USS  \
-a serviceSearchDescriptor=group:o=USS \
-a authenticationMethod=simple -a defaultSearchBase=o=USS \
-a searchTimeLimit=60 -a profileTTL=3600  \
-a credentialLevel=proxy \
-a proxyDN=cn=SAMBAuser,OU=SRV100,OU=Resources,O=USS \
-a proxyPassword=mypassword \
10.5.3.177
System successfully configured

smbpasswd -w mypassword
Setting stored password for "cn=SAMBAuser,ou=SRV100,ou=Resources,o=USS" in secrets.tdb

The Samba user is in the tree OU=SRV100,OU=Resources,O=USS
and the users have to be searched in the whole o=USS
... the problem this time is that it always wants to search for a user of objectclass sambaAccount, which doesn't exist in the LDAP server.

Please help me to solve this
Alexander
-----------------------------------
At last, here is the samba.schema:

attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
       DESC 'LanManager Password'
       EQUALITY caseIgnoreIA5Match
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
       DESC 'MD4 hash of the unicode password'
       EQUALITY caseIgnoreIA5Match
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags'
       DESC 'Account Flags'
       EQUALITY caseIgnoreIA5Match
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
       DESC 'Timestamp of the last password update'
       EQUALITY integerMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange'
       DESC 'Timestamp of when the user is allowed to update the password'
       EQUALITY integerMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange'
       DESC 'Timestamp of when the password will expire'
       EQUALITY integerMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime'
       DESC 'Timestamp of last logon'
       EQUALITY integerMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime'
       DESC 'Timestamp of last logoff'
       EQUALITY integerMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'
       DESC 'Timestamp of when the user will be logged off automatically'
       EQUALITY integerMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'
       DESC 'Bad password attempt count'
       EQUALITY integerMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'
       DESC 'Time of the last bad password attempt'
       EQUALITY integerMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive'
       DESC 'Driver letter of home directory mapping'
       EQUALITY caseIgnoreIA5Match
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript'
       DESC 'Logon script path'
       EQUALITY caseIgnoreMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath'
       DESC 'Roaming profile path'
       EQUALITY caseIgnoreMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
       DESC 'List of user workstations the user is allowed to logon to'
       EQUALITY caseIgnoreMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath'
       DESC 'Home directory UNC path'
       EQUALITY caseIgnoreMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName'
       DESC 'Windows NT domain to which the user belongs'
       EQUALITY caseIgnoreMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
       DESC ''
       EQUALITY caseExactMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
       DESC 'Security ID'
       EQUALITY caseIgnoreIA5Match
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'
       DESC 'Primary Group Security ID'
       EQUALITY caseIgnoreIA5Match
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList'
       DESC 'Security ID List'
       EQUALITY caseIgnoreIA5Match
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType'
       DESC 'NT Group Type'
       EQUALITY integerMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'
       DESC 'Next NT rid to give our for users'
       EQUALITY integerMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'
       DESC 'Next NT rid to give out for groups'
       EQUALITY integerMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'
       DESC 'Next NT rid to give out for anything'
       EQUALITY integerMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'
       DESC 'Base at which the samba RID generation algorithm should operate'
       EQUALITY integerMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
       DESC 'Samba 3.0 Auxilary SAM Account'
       MUST ( uid $ sambaSID )
       MAY  ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
              sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
              sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
              displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
              sambaProfilePath $ description $ sambaUserWorkstations $
              sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
              sambaBadPasswordCount $ sambaBadPasswordTime))
objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
       DESC 'Samba Group Mapping'
       MUST ( gidNumber $ sambaSID $ sambaGroupType )
       MAY  ( displayName $ description $ sambaSIDList ))
objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
       DESC 'Samba Domain Information'
       MUST ( sambaDomainName $
              sambaSID )
       MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
             sambaAlgorithmicRidBase ) )
objectclass ( 1.3.6.1.4.1.7165.1.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
       DESC 'Pool for allocating UNIX uids/gids'
       MUST ( uidNumber $ gidNumber ) )
objectclass ( 1.3.6.1.4.1.7165.1.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
       DESC 'Mapping from a SID to an ID'
       MUST ( sambaSID )
       MAY ( uidNumber $ gidNumber ) )
objectclass ( 1.3.6.1.4.1.7165.1.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
       DESC 'Structural Class for a SID'
       MUST ( sambaSID ) )
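As an added diagnostic (not part of the original post or of Samba itself), the following Python compares the object class that the logged search filter asks for with the object classes the posted samba.schema actually defines; the schema excerpt and filter string embedded below are constructed from the post.

```python
import re

# Constructed excerpt of the posted samba.schema: only object classes are needed here.
SCHEMA_EXCERPT = """\
objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
       DESC 'Samba 3.0 Auxilary SAM Account'
       MUST ( uid $ sambaSID )
       MAY  ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet ))
objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
       DESC 'Samba Group Mapping'
       MUST ( gidNumber $ sambaSID $ sambaGroupType )
       MAY  ( displayName $ description $ sambaSIDList ))
"""

# The search filter as the Novell server logged it in the post.
LOG_FILTER = "(&(uid=AlexanderVarga)(objectclass=sambaAccount))"


def parse_objectclasses(schema_text):
    """Map each objectclass NAME to its MUST and MAY attribute lists."""
    blocks, current = [], []
    for line in schema_text.splitlines():
        # A definition starts at column 0; indented lines continue the previous one.
        if line[:1] not in (" ", "\t") and current:
            blocks.append(" ".join(current))
            current = []
        current.append(line.strip())
    if current:
        blocks.append(" ".join(current))
    classes = {}
    for block in blocks:
        if not block.lower().startswith("objectclass"):
            continue
        name = re.search(r"NAME\s+'([^']+)'", block).group(1)
        lists = {}
        for keyword in ("MUST", "MAY"):
            m = re.search(keyword + r"\s*\(([^)]*)\)", block)
            lists[keyword.lower()] = [a.strip() for a in m.group(1).split("$")] if m else []
        classes[name] = lists
    return classes


def undefined_classes(ldap_filter, schema_text):
    """Object classes named in the filter that the schema does not define (names are case-insensitive)."""
    known = {n.lower() for n in parse_objectclasses(schema_text)}
    wanted = re.findall(r"\(objectclass=([^)]+)\)", ldap_filter, re.IGNORECASE)
    return [c for c in wanted if c.lower() not in known]
```

Running `undefined_classes(LOG_FILTER, SCHEMA_EXCERPT)` reports `sambaAccount` as undefined, while `parse_objectclasses` shows that the class the schema does define, `sambaSamAccount`, requires `uid` and `sambaSID` on each user entry.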

