[Samba] Help with Samba (net vampire) not pulling passwords into openLDAP backend - fails pam_ldap authentication - pam_unix used instead ?
Franciszek Michal Misa
fmisa at sympatico.ca
Sat Jan 8 04:01:07 GMT 2005
Hi All,
Hope someone here can help me ?
*See end for background and system information...
I'm looking for advice or links to clear documentation on the use and
configuration of "net vampire" and its ability to download PDC accounts
with passwords intact.
I have successfully used "net vampire" to synchronize my Samba BDC --
with my company's PDC. I've switched my linux box authentication --
using "authconfig" -- to authenticate against LDAP.
Seems to be working for all but accounts "net vampired" over.....
My original users (root - stored in /etc/passwd) as well as newly
created users (created with smbldap-useradd - stored in LDAP) -- can log
into my system fine -- OK.
My problem.... all the newly created users (from PDC using net vampire)
can be switched to as root using:
su - newDomainAccountUser
BUT -- These users cannot log into the system console themselves....
All the /home/userX directories have been created -- and LDAP is
populated with everything it seems but the correct password -- I think ?
-----------------------------------------
tail -f /var/log/messages reveals:
>>Jan 7 17:05:04 host06 su(pam_unix)[26618]: check pass; user unknown
>>Jan 7 17:05:04 host06 su(pam_unix)[26618]: authentication failure; logname=fXXXX uid=500 euid=0 tty= ruser=fXXXX rhost=
>>Jan 7 17:05:04 host06 su[26618]: pam_ldap: error trying to bind as user "uid=product,ou=Users,dc=XXXXX,dc=ca" (Invalid credentials)
NOTE: XXXX replaced sensitive information...
-----------------------------------------
An ldap client I'm using reveals {CRYPT} X -- in place of the NT
password hashes....
I'm unclear why -- "net vampire" -- did not pull down the user passwords
correctly. I've searched the internet/forums etc. -- and cannot find any
solution that helps or clearly explains what's going on; though many
people seem to be having similar issues with "net vampire"
I've tried the following:
- different pam_ldap versions (156 & 176)
- tweaking /etc/ldap.conf settings including pam_password key
- tweaking various pam.d config files
- confirm my local SID matches the PDC/remote SID
Questions:
===========
I'm unclear about the following -- and see many conflicting suggestions
on the internet:
*) Should /etc/samba/smb.conf => encrypt passwords =yes
*) My BDC /etc/samba/smb.conf is setup with:
security = user
password level = 8
username level = 8
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
obey pam restrictions = no
ldap passwd sync = yes
domain master = no
preferred master = no
domain logons = yes
name resolve order = wins lmhosts bcast
wins server = X.X.X.X (our company WINS server...)
dns proxy = no
passdb backend = ldapsam:ldap://127.0.0.1/
...
... And all remaining LDAP settings/scripts/admin/suffix etc.
...
Dos charset = 850
Unix charset = ISO8859-1
*) Should /etc/ldap.conf => pam_password md5 or crypt
*) Should my /etc/openldap/slapd.conf rootpw ==> be encrypted ? For now
I'm using plain text with /etc/ldap.conf: bindpw & rootbinddn used in
combination with plain text /etc/ldap.secret
*) Beside removing my host from the PDC's list of detected BDC prior to:
net rpc join -S MY_PDC -UAdministrator%myAdminPassWd
I'm not doing anything on the remote PDC machine ?
Is there any remote configuration I need to perform for "trust" ?
Note: My BDC -- has the same SID and Workgroup name as my PDC and
I'm able to "join" the domain OK... no errors.
*) I'm using IDEALX scripts -- why doesn't Samba provide similar
utilities ? Are there better 3rd party scripts out there ?
**) What might I be missing ? What must I do to get "net vampire" to
pull and store the PDC/SAM passwords OK ?
*) Should I be using SambaTNG instead ?
*) Could I use "net rpc samdump" instead -- and manual scripts to
convert to LDIF ?
Background:
============
All I want to do is reproduce MSWinNT&2000-PDC/SAM user/computer/group
information in LDAP so I can authenticate web applications and other
applications without having to manually maintain all this user
information by hand. Later I may also want to synch. with
account/address information in LotusNotes and ADP....
I don't care to have my host as a full-time BDC -- I don't need my host to
replace the PDC -- I don't need the host to authenticate Windows users
on the WinDOMAIN; A cron job to synch with the PDC each night -- and then
shutdown would be OK.
SYSTEM INFORMATION:
=====================
uname -a
>>Linux host06 2.4.21-20.ELsmp #1 SMP
>>Wed Aug 18 20:46:40 EDT 2004 i686 i686 i386 GNU/Linux
cat /etc/redhat-release
>>Red Hat Enterprise Linux ES release 3 (Taroon Update 3)
rpm -qa | grep -i '???'
>>samba-3.0.6-2.3E
>>nss_ldap-207-11
>>openldap-2.0.27-17
>>pam-0.75-58
>>Note: I've tried pam_ldap v156 & v176 -- no difference
SambaPDC/LDAP Scripts
>> I'm using IDEALX scripts and tried several documents/guides
>> most follow the following link closely:
https://mams.melcoe.mq.edu.au/zope/mams/kb/all/samba-ldap/view
Samba Schema
>> I had to download the samba.schema from the Samba groups CVS
>> server Note: My samba.schema was from source base for:
>> Samba v3.1.0
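An added audit script (not from the original post) that assumes an LDIF dump of the ldapsam tree (e.g. from slapcat) and uses constructed sample entries: it lists the sambaSamAccount entries whose userPassword is absent or still the {crypt}x placeholder, which is exactly the state that makes pam_ldap's simple bind fail with "Invalid credentials" even though an NT hash was imported.

```python
import base64
import re
# Constructed sample LDIF (not real data), shaped like a slapcat dump after "net vampire" into ldapsam.
SAMPLE_LDIF = """\
dn: uid=product,ou=Users,dc=example,dc=ca
objectClass: sambaSamAccount
uid: product
userPassword: {crypt}x
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=alice,ou=Users,dc=example,dc=ca
objectClass: sambaSamAccount
uid: alice
userPassword:: e1NTSEF9YWJjZGVm
sambaNTPassword: FEDCBA9876543210FEDCBA9876543210

dn: uid=bob,ou=Users,dc=example,dc=ca
objectClass: sambaSamAccount
uid: bob
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
"""
# Placeholder forms ({crypt}x, {CRYPT}*, {crypt}!) that no simple bind can ever satisfy.
PLACEHOLDER_RE = re.compile(r"^\{crypt\}\s*[x*!]+$", re.IGNORECASE)

def parse_ldif(text):
    """LDIF -> list of {attr: [values]}; unfolds ' ' continuations, decodes '::' base64."""
    entries = []
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: base64" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr, []).append(value.strip())
        entries.append(entry)
    return entries

def has_unix_password(entry):
    """False when userPassword is absent or only a {crypt}x-style placeholder."""
    values = entry.get("userPassword", [])
    return bool(values) and not all(PLACEHOLDER_RE.match(v) for v in values)

def accounts_without_unix_password(text):
    """uids of Samba accounts whose pam_ldap bind must fail: NT hash present, no usable userPassword."""
    return sorted(e["uid"][0] for e in parse_ldif(text)
                  if "sambaSamAccount" in e.get("objectClass", [])
                  and not has_unix_password(e))
```

Accounts reported here can be reached with "su -" by root (which never binds) but cannot authenticate themselves until a Unix password is set for them.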