[Samba] Problem w/ Samba 3 & LDAP
Craig White
craigwhite at azapple.com
Wed Mar 31 21:10:36 GMT 2004
On Wed, 2004-03-31 at 12:47, Ted Wisniewski wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Here is a description of what I am trying to do (with Samba 3.0.2a & openldap
> 2.1.27):
>
> I have all my users populated into the LDAP with all the applicable
> attributes; Users can map drives to a server using LDAP as the
> authentication backend without issue.
>
> Where I am running into problems is bringing up a PDC using Samba w/LDAP.
>
> * I added the appropriate machine accounts (using smbpasswd -a -m) and was
> able to join the domain.
>
> * Any user in the pre-populated LDAP cannot log in, however, any user I add to
> the LDAP from the machine with Samba running on it CAN log in properly.
>
> If I delete the original entry from the LDAP, add a new one via (smbpasswd -a),
> then the user can log in. This works, but is ultimately not scalable... I
> can then place the original LDAP entry back in place and they can log in...
> Just as long as the password for the account is not changed.
>
> I am sure there is something I am missing, but I cannot see it for the life of
> me. The odd thing is, that in the log.smbd, I get odd errors about reading
> a socket, but only for the users that have not been added by the local
> "smbpasswd" command. They are both in the same LDAP. Any help would be
> greatly appreciated.
>
> Ted
>
>
> Excerpt from log.smb (non-functional user):
> - ----------------------------------------------------------------------------------------
> [2004/03/31 10:24:11, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
> process_request_pdu: failed to do schannel processing.
> [2004/03/31 10:24:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
> init_sam_from_ldap: Entry found for user: pubtest$
> [2004/03/31 10:24:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
> init_sam_from_ldap: Entry found for user: testuser
> [2004/03/31 10:24:11, 2] auth/auth.c:check_ntlm_password(305)
> check_ntlm_password: authentication for user [testuser] -> [testuser] ->
> [testuser] succeeded
> [2004/03/31 10:24:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
> init_sam_from_ldap: Entry found for user: testuser
> [2004/03/31 10:24:24, 2] lib/smbldap.c:smbldap_search_domain_info(1331)
> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TEST_DOM))]
> [2004/03/31 10:24:24, 2] lib/smbldap.c:smbldap_open_connection(626)
> smbldap_open_connection: connection opened
> [2004/03/31 10:24:24, 0] lib/util_sock.c:read_socket_data(342)
> read_socket_data: recv failure for 4. Error = Connection reset by peer
> [2004/03/31 10:24:24, 2] smbd/server.c:exit_server(558)
>
> Excerpt from log.smbd (functional user):
> - --------------------------------------------------------------------------------------
> [2004/03/31 10:26:04, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
> process_request_pdu: failed to do schannel processing.
> [2004/03/31 10:26:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
> init_sam_from_ldap: Entry found for user: pubtest$
> [2004/03/31 10:26:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
> init_sam_from_ldap: Entry found for user: newuser
> [2004/03/31 10:26:04, 2] auth/auth.c:check_ntlm_password(305)
> check_ntlm_password: authentication for user [newuser] -> [newuser] ->
> [newuser] succeeded
> [2004/03/31 10:26:05, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
> init_sam_from_ldap: Entry found for user: newuser
> [2004/03/31 10:26:05, 2] auth/auth.c:check_ntlm_password(305)
> check_ntlm_password: authentication for user [newuser] -> [newuser] ->
> [newuser] succeeded
> [2004/03/31 10:26:05, 1] smbd/service.c:make_connection_snum(705)
> pubtest (158.136.115.89) connect to service profiles initially as user
> newuser (uid=18000, gid=31) (pid 85352)
> [2004/03/31 10:26:05, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
> Returning domain sid for domain TEST_DOM ->
> S-1-5-21-204843054-3526713080-3458795326
> [2004/03/31 10:26:05, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
> init_sam_from_ldap: Entry found for user: newuser
> - -------------------------------------------------------------------------------------------
>
>
> Global section of smb.conf
-----
It appears that the 'non-functional' user doesn't have the domain
attribute set (or at least not set properly).
ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=non-functional)'
and then
ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=functional)'
and the functional users will have attributes such as sambaDomainName
properly set that the non-functional ones do not.
Craig
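The comparison Craig describes (run ldapsearch for a working and a non-working user, then eyeball the attribute lists) can be automated. The script below is an added example, not code from the thread or from the Samba project: it reads the LDIF that ldapsearch prints on stdin and reports which Samba attributes an entry lacks. The attribute list it checks (objectClass sambaSamAccount, sambaSID, sambaDomainName, sambaAcctFlags, sambaNTPassword) is my choice of what smbd needs for a domain logon; sambaSID is mandatory in the Samba 3 schema, the others are checked because they are set by smbpasswd -a. It also checks that the user's sambaSID sits under the domain SID, taken here from the quoted log (S-1-5-21-204843054-3526713080-3458795326). The two LDIF entries are constructed; the bind DN, host and password hashes are placeholders. Because sambaNTPassword is only returned to a privileged bind, run ldapsearch with the admin DN (-D rootbinddn -W) as in Craig's commands.

```shell
#!/bin/sh
# Added example (not from the thread): check one LDAP entry for the Samba
# attributes a domain logon needs. Real usage, with placeholder host/DN:
#   ldapsearch -x -LLL -h ldaphost -D 'cn=Manager,dc=example,dc=com' -W \
#       '(uid=testuser)' | check_samba_entry S-1-5-21-204843054-3526713080-3458795326

# Domain SID copied from the quoted log.smbd excerpt.
DOMSID=S-1-5-21-204843054-3526713080-3458795326

# Attributes to look for. "key=value" checks for that exact value,
# a bare key checks only that the attribute is present. Assumption: this is
# the set smbd reads at logon; sambaSID is the schema-mandatory one.
WANTED="objectClass=sambaSamAccount sambaSID sambaDomainName sambaAcctFlags sambaNTPassword"

# check_samba_entry DOMAIN_SID < ldif
# Prints one line per problem found. Returns 0 when every wanted attribute
# is present and the entry's sambaSID is under DOMAIN_SID, 1 otherwise.
check_samba_entry() {
    domsid=$1
    ldif=$(cat)
    rc=0
    for want in $WANTED; do
        case $want in
            *=*) key=${want%%=*}; val=${want#*=} ;;
            *)   key=$want; val= ;;
        esac
        if [ -n "$val" ]; then
            printf '%s\n' "$ldif" | grep -qi "^$key: $val\$" \
                || { echo "missing $key: $val"; rc=1; }
        else
            printf '%s\n' "$ldif" | grep -qi "^$key:" \
                || { echo "missing $key"; rc=1; }
        fi
    done
    # A user SID must be the domain SID plus one more RID component.
    sid=$(printf '%s\n' "$ldif" | sed -n 's/^sambaSID: //p' | head -n 1)
    if [ -n "$sid" ]; then
        case $sid in
            "$domsid"-*) ;;
            *) echo "sambaSID $sid is not under domain SID $domsid"; rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed LDIF, shaped like ldapsearch -LLL output. The password hash is
# a dummy value, not a real credential.
GOOD_LDIF='dn: uid=newuser,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: newuser
sambaSID: S-1-5-21-204843054-3526713080-3458795326-37000
sambaDomainName: TEST_DOM
sambaAcctFlags: [U          ]
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF'

# Constructed entry resembling a pre-populated user: no sambaDomainName or
# sambaAcctFlags, and a SID from some other domain.
BAD_LDIF='dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: testuser
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-35000
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF'

# Stand-alone demo over the two constructed entries.
echo "== newuser (added with smbpasswd -a)"
printf '%s\n' "$GOOD_LDIF" | check_samba_entry "$DOMSID" && echo "ok"
echo "== testuser (pre-populated)"
printf '%s\n' "$BAD_LDIF" | check_samba_entry "$DOMSID" || echo "entry needs fixing"
```

On the constructed input the second entry is flagged for the missing sambaDomainName and sambaAcctFlags and for a sambaSID outside the domain; on a real server, feed it the ldapsearch output for each user instead of the embedded strings.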