[Samba] LDAP authentication problem

Erik Holst Trans eht at it-trans.dk
Mon Jun 7 00:51:34 GMT 2004


Hi Alexander,

First of all, you do not need to make any configuration in your
slapd.conf; that is only needed if you want to run an LDAP server on your
Samba host.

If you want to use a Novell LDAP server you need to extend its LDAP
schema first, to support the objectClasses and attributes that Samba
uses/needs. You probably have to find a version of the schema file that
is compatible with your LDAP server; Novell's LDAP server doesn't like
the syntax of the standard samba.schema file.

Afterwards you probably need an LDAP editor to access the server and add
the objectClasses and attributes to the user accounts you want to "Samba enable".
Netware Administrator and ConsoleOne don't support those (yet).

Best regards
Erik Holst Trans

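The two steps above (a schema the server accepts, then adding the auxiliary class and its attributes to each user entry) come down to one LDAP modify per user. The following is an added example, not code from the Samba project or from this thread: it builds that LDIF for one user and checks an entry against the sambaSamAccount class from the samba.schema quoted below (MUST uid and sambaSID; MAY sambaNTPassword, sambaAcctFlags, sambaPwdLastSet, sambaPrimaryGroupSID). The domain SID and the user DN are invented, and RID = uidNumber*2 + 1000 is Samba 3's default algorithmic mapping (1000 being the default sambaAlgorithmicRidBase), which is an assumption about how RIDs are allocated; a real domain uses the SID that `net getlocalsid` prints. The NT hash is MD4 over the UTF-16LE password, as the schema's sambaNTPassword description says, written out in pure Python because hashlib's md4 is frequently disabled.

```python
"""Added example: Samba-enable an existing LDAP user entry.

Assumptions (not from the thread): domain SID and DN are invented,
RID = uidNumber*2 + 1000 (Samba 3 default algorithmic mapping, base 1000).
"""
import struct
import time

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _md4_block(state, block):
    # One 64-byte MD4 compression (RFC 1320); pure Python because
    # hashlib.new("md4") fails where OpenSSL's legacy provider is off.
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for i in range(16):                                   # round 1
        a = _rotl((a + F(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                                   # round 2
        k = (i % 4) * 4 + i // 4
        a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for i in range(16):                                   # round 3
        a = _rotl((a + H(b, c, d) + X[order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(padded), 64):
        state = _md4_block(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: MD4 over the UTF-16LE password, 32 hex digits."""
    return md4(password.encode("utf-16-le")).hex().upper()


def samba_user_rid(uid_number: int, rid_base: int = 1000) -> int:
    """Assumed Samba 3 default uid -> user RID mapping (base = sambaAlgorithmicRidBase)."""
    return uid_number * 2 + rid_base


def samba_enable_ldif(dn, uid_number, domain_sid, password, pwd_last_set=None):
    """LDIF 'changetype: modify' adding the auxiliary class and its attributes.

    sambaLMPassword is deliberately left out: it is MAY in the schema and the
    LM hash is weak (case-folded, split into 7-byte DES halves).
    """
    if pwd_last_set is None:
        pwd_last_set = int(time.time())
    adds = [
        ("objectClass", "sambaSamAccount"),
        ("sambaSID", f"{domain_sid}-{samba_user_rid(uid_number)}"),
        ("sambaPrimaryGroupSID", f"{domain_sid}-513"),        # 513 = Domain Users
        ("sambaNTPassword", nt_hash(password)),
        ("sambaAcctFlags", "[U" + " " * 10 + "]"),            # normal user, 13-char field
        ("sambaPwdLastSet", str(pwd_last_set)),
    ]
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in adds:
        lines += [f"add: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


def apply_ldif_adds(entry: dict, ldif: str) -> dict:
    """Merge the added values of the LDIF above into an attribute dict (for checking)."""
    merged = {k: list(v) for k, v in entry.items()}
    for line in ldif.splitlines():
        if ":" in line and not line.startswith(("dn:", "changetype:", "add:")):
            attr, value = line.split(":", 1)
            merged.setdefault(attr, []).append(value.strip())
    return merged


def missing_samba_attrs(entry: dict, objectclass: str = "sambaSamAccount") -> list:
    """What a filter like (&(uid=X)(objectclass=...)) will not find on this entry:
    the Samba objectClass and the class's MUST attributes (uid, sambaSID)."""
    missing = []
    ocs = {v.lower() for v in entry.get("objectClass", [])}
    if objectclass.lower() not in ocs:
        missing.append(f"objectClass {objectclass}")
    for must in ("uid", "sambaSID"):
        if not entry.get(must):
            missing.append(must)
    return missing


if __name__ == "__main__":
    # Constructed sample: a plain directory user before Samba enabling.
    user = {"objectClass": ["inetOrgPerson"], "uid": ["AlexanderVarga"], "uidNumber": ["1001"]}
    print(missing_samba_attrs(user))   # ['objectClass sambaSamAccount', 'sambaSID']
    ldif = samba_enable_ldif("cn=AlexanderVarga,ou=Users,o=USS", 1001,
                             "S-1-5-21-1234567890-987654321-1122334455", "password", 1086569494)
    print(ldif)
    print(missing_samba_attrs(apply_ldif_adds(user, ldif)))  # []
```

The generated file is what an LDAP editor would apply by hand; with the OpenLDAP tools it is `ldapmodify -x -D "<ldap admin dn>" -W -f user.ldif` against the Novell server. Note the mismatch visible in the thread: the server log's filter asks for `objectclass=sambaAccount`, while the schema posted at the end of the thread defines `sambaSamAccount`; the `objectclass` parameter of `missing_samba_attrs` exists to test for either, and the class your Samba build actually searches for is the one the entry must carry, or the search will keep returning zero entries exactly as in the log.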

Alexander Varga wrote:
> Hi
> I have a little problem with my LDAP authorization of Samba against a Novell LDAP server. 
> This is the log output from the Novell LDAP server:
> ----------------------------------------------------------------------------------------------------
> New TCP connection 0xcb1e3980, monitor = 0x1bf, index = 2
> (0xcb1e3980:0x0001:0x60) DoBind on connection 0xcb1e3980
> (0xcb1e3980:0x0001:0x60) DoBind: name = 'cn=SAMBAuser,ou=SRV100,ou=Resources,o=USS', client version = 3, method = 0x80
> (0xcb1e3980:0x0001:0x60) Sending operation result 0:"":"" to connection 0xcb1e3980
> 
> ###############################
> ### The Samba user is the one who can browse the NDS to search for existing users. He logged in successfully (0:"":"")
> ##############################
> 
> (0xcb1e3980:0x0002:0x63) DoSearch on connection 0xcb1e3980
> (0xcb1e3980:0x0002:0x63) Search request:
>     base: "o=USS"
>     scope:2  derefence:0  sizelimit:0  timelimit:0  attrsonly:0
>     filter: "(&(uid=AlexanderVarga)(objectclass=sambaAccount))
> ################################
> ###### After that it searched the directory structure for user AlexanderVarga, but of type objectClass=sambaAccount.... 
> ################################
> (0xcb1e3980:0x0002:0x63)    attribute: "uid"
> (0xcb1e3980:0x0002:0x63)    attribute: "uidNumber"
> (0xcb1e3980:0x0002:0x63)    attribute: "gidNumber"
> (0xcb1e3980:0x0002:0x63)    attribute: "homeDirectory"
> (0xcb1e3980:0x0002:0x63)    attribute: "pwdLastSet"
> ...
> (0xcb1e3980:0x0002:0x63) Sending operation result 0:"":"" to connection 0xcb1e3980
> Monitor 0x1bf found connection 0xcb1e3980 socket closed, err = 57, 0 of 0 bytes read
> Monitor 0x1bf initiating close for connection 0xcb1e3980
> Server closing connection 0xcb1e3980, socket error = 57
> 
> #############################
> ### Of course it couldn't find it, because on the Novell server the defined objectClasses are user, group, ... so it cannot match, and it closes the connection
> ############################
> ----------------------------------------------------------------------------
> ----------------------------------------------------------------------------
> here is my slapd.conf ... starting slapd does not work, because it cannot load the ldbm database. I compiled everything, and I am not that familiar with this, but because I am just a client, maybe I don't need this:
> 
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/misc.schema
> include /usr/local/etc/openldap/schema/openldap.schema
> include /etc/ldap/samba.schema
> pidfile         /usr/local/var/slapd.pid
> argsfile        /usr/local/var/slapd.args
> database        lbdm
> suffix          "o=USS"
> rootdn          "cn=SAMBAuser,ou=SRV100,ou=Resources,o=USS"
> rootpw          secret
> directory       /usr/local/samba/var/openldap-data
> index   objectClass     eq
> -------------------------------------------------------------------
> ----------------------------------------------------------------------
> here is my ldap.conf... the ldap_cachemgr is working properly... I hope so :)
> 
> BASE    o=USS
> URI     ldap://nv6test.nw.usske.sk:389
> HOST    10.5.3.177
> PORT    389
> ------------------------------------------------------------------------
> -----------------------------------------------------------------------
> here is my smb.conf
> 
> [global]
> workgroup = Inf-ks
> netbios name = SUNV240
> passwd backend = ldapsam://10.5.3.177:389
> ldap admin dn="cn=SAMBAuser,ou=SRV100,ou=Resources,o=USS"
> ldap filter = (&(uid=%u) (o=USS))
> ldap suffix = "o=USS"
> ldap port = 389
> ldap server = 10.5.3.177
> [share1]
> path = /tmp
> ---------------------------------------------------------
> ---------------------------------------------------------
> 
> in between I ran this
> 
> ldapclient manual \
> -a profileName=profile-imb \
> -a domainName=o=USS \
> -a serviceSearchDescriptor=passwd:o=USS  \
> -a serviceSearchDescriptor=group:o=USS \
> -a authenticationMethod=simple -a defaultSearchBase=o=USS \
> -a searchTimeLimit=60 -a profileTTL=3600  \
> -a credentialLevel=proxy \
> -a proxyDN=cn=SAMBAuser,OU=SRV100,OU=Resources,O=USS \
> -a proxyPassword=mypassword \
> 10.5.3.177
> System successfully configured
> 
> smbpasswd -w mypassword
> Setting stored password for "cn=SAMBAuser,ou=SRV100,ou=Resources,o=USS" in secrets.tdb
> 
> the sambauser is in the tree OU=SRV100,OU=Resources,O=USS
> and the users have to be searched for in the whole of o=USS
> ... the problem this time is that it always wants to search for a user of objectClass sambaAccount, which doesn't exist in the LDAP server.
> 
> please help to solve this
> Alexander
> -----------------------------------
> at last here is the samba.schema:
> 
> attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
>        DESC 'LanManager Password'
>        EQUALITY caseIgnoreIA5Match
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
>        DESC 'MD4 hash of the unicode password'
>        EQUALITY caseIgnoreIA5Match
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags'
>        DESC 'Account Flags'
>        EQUALITY caseIgnoreIA5Match
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
>        DESC 'Timestamp of the last password update'
>        EQUALITY integerMatch
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange'
>        DESC 'Timestamp of when the user is allowed to update the password'
>        EQUALITY integerMatch
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange'
>        DESC 'Timestamp of when the password will expire'
>        EQUALITY integerMatch
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime'
>        DESC 'Timestamp of last logon'
>        EQUALITY integerMatch
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime'
>        DESC 'Timestamp of last logoff'
>        EQUALITY integerMatch
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'
>        DESC 'Timestamp of when the user will be logged off automatically'
>        EQUALITY integerMatch
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'
>        DESC 'Bad password attempt count'
>        EQUALITY integerMatch
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'
>        DESC 'Time of the last bad password attempt'
>        EQUALITY integerMatch
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive'
>        DESC 'Drive letter of home directory mapping'
>        EQUALITY caseIgnoreIA5Match
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript'
>        DESC 'Logon script path'
>        EQUALITY caseIgnoreMatch
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath'
>        DESC 'Roaming profile path'
>        EQUALITY caseIgnoreMatch
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
>        DESC 'List of user workstations the user is allowed to logon to'
>        EQUALITY caseIgnoreMatch
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath'
>        DESC 'Home directory UNC path'
>        EQUALITY caseIgnoreMatch
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
> attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName'
>        DESC 'Windows NT domain to which the user belongs'
>        EQUALITY caseIgnoreMatch
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
> attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
>        DESC ''
>        EQUALITY caseExactMatch
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
> attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
>        DESC 'Security ID'
>        EQUALITY caseIgnoreIA5Match
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'
>        DESC 'Primary Group Security ID'
>        EQUALITY caseIgnoreIA5Match
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList'
>        DESC 'Security ID List'
>        EQUALITY caseIgnoreIA5Match
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
> attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType'
>        DESC 'NT Group Type'
>        EQUALITY integerMatch
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'
>        DESC 'Next NT rid to give out for users'
>        EQUALITY integerMatch
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'
>        DESC 'Next NT rid to give out for groups'
>        EQUALITY integerMatch
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'
>        DESC 'Next NT rid to give out for anything'
>        EQUALITY integerMatch
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'
>        DESC 'Base at which the samba RID generation algorithm should operate'
>        EQUALITY integerMatch
>        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
>        DESC 'Samba 3.0 Auxiliary SAM Account'
>        MUST ( uid $ sambaSID )
>        MAY  ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
>               sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
>               sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
>               displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
>               sambaProfilePath $ description $ sambaUserWorkstations $
>               sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
>               sambaBadPasswordCount $ sambaBadPasswordTime))
> objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
>        DESC 'Samba Group Mapping'
>        MUST ( gidNumber $ sambaSID $ sambaGroupType )
>        MAY  ( displayName $ description $ sambaSIDList ))
> objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
>        DESC 'Samba Domain Information'
>        MUST ( sambaDomainName $
>               sambaSID )
>        MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
>              sambaAlgorithmicRidBase ) )
> objectclass ( 1.3.6.1.4.1.7165.1.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
>        DESC 'Pool for allocating UNIX uids/gids'
>        MUST ( uidNumber $ gidNumber ) )
> objectclass ( 1.3.6.1.4.1.7165.1.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
>        DESC 'Mapping from a SID to an ID'
>        MUST ( sambaSID )
>        MAY ( uidNumber $ gidNumber ) )
> objectclass ( 1.3.6.1.4.1.7165.1.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
>        DESC 'Structural Class for a SID'
>        MUST ( sambaSID ) )
