[Samba] Help with Samba (net vampire) not pulling passwords into openLDAP backend - fails pam_ldap authentication - pam_unix used instead ?

Craig White craigwhite at azapple.com
Sat Jan 8 05:29:02 GMT 2005


On Fri, 2005-01-07 at 23:01 -0500, Franciszek Michal Misa wrote:
> Hi All,
> 
> Hope someone here can help me ?
---
you REALLY need to read through the documentation on samba site.

<http://us1.samba.org/samba/docs/man/Samba-Guide/>
<http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/>

John Terpstra has done a phenomenal job documenting just about all you
need to know.
----
> I'm looking for advice or links to clear documentation on the use and
> configuration of "net vampire" and it's ability to download PDC accounts
> with passwords intact.
> 
> I have successfully used "net vampire" to synchronize my Samba BDC --
> with my companies PDC.  I've switched my linux box authentication --
> using "authconfig" -- to authenticate against LDAP.
> 
> Seems to be working for all but accounts "net vampired" over.....
> 
> My original users (root - stored in /etc/passwd) as well as newly
> created users (created with smbldap-useradd - stored in LDAP) -- can log
> into my system fine -- OK.
> 
> My problem....  all the newly created users (from PDC using net vampire)
> can be switched to as root using: 
>     su - newDomainAccountUser
> BUT -- These users cannot log into the system console themselves....
> All the /home/userX directories have been created -- and LDAP is
> populated with everything it seems but the correct password -- I think ?
> 
> -----------------------------------------
> tail -f /var/log/message reveals:
> >>Jan  7 17:05:04 host06 su(pam_unix)[26618]: check pass; user unknown
> >>Jan  7 17:05:04 host06 su(pam_unix)[26618]: authentication failure;  
>        logname=fXXXX uid=500 euid=0 tty= ruser=fXXXX rhost=
> >>Jan  7 17:05:04 host06 su[26618]: pam_ldap: error trying to bind as
>        user "uid=product,ou=Users,dc=XXXXX,dc=ca" (Invalid credentials)
> NOTE:  XXXX replaced sensitive information...
----
invalid credentials is significant.

ldap admin in samba must have write privileges to LDAP
smbpasswd -w secret #encrypts password for use with ldap admin 
                    #access to ldap
----
> 
> An ldap client I'm using reveals {CRYPT} X  -- in place of the NT
> password hashes....
----
passwords didn't migrate - PDC didn't trust your samba machine enough to
transmit sam info
----
>   Questions:
> ===========
> I'm unclear about the following -- and see many conflicting suggestions
> on the internet:
> *) Should /etc/samba/smb.conf => encrypt passwords =yes
----
that's the default of samba 3.x - doesn't hurt though
----
> *) My BDC /etc/samba/smb.conf is setup with:
>    domain master = no 
----
I think you will need domain master = yes in order to get passwords to
vampire over - depends upon whether PDC trusts your computer enough. At
the moment you execute the rpc net vampire command, your computer is
supposed to be recognized by PDC as a BDC
----
>    preferred master = no
>    domain logons = yes
>    name resolve order = wins lmhosts bcast
>    wins server = X.X.X.X  (our company WINS server...)
>    dns proxy = no
>    passdb backend = ldapsam:ldap://127.0.0.1/
>    ...
>    ... And all remaining LDAP settings/scripts/admin/suffix etc.
----
these might be significant
----
>    ...
>    Dos charset =850                                             
>    Unix charset = ISO8859-1 
>    
> *) Should /etc/ldap.conf    => pam_password md5    or    crypt
----
mine is set to 
pam_password md5
----
> *) Should my /etc/openldap/slapd.conf   rootpw ==> be encrypted ?  for now
> I'm using plain text with /etc/ldap.conf: bindpw & rootbinddn used in
> combination with  plain text /etc/ldap.secret
----
should be easy enough...
slappasswd -c crypt -s secret or omit the -c crypt and you'll probably
get an SSHA passwd
----
> *) Beside removing my host from the PDC's list of detected BDC prior to:
>        net rpc join -S MY_PDC -UAdministrator%myAdminPassWd
> I'm not doing anything on the remote PDC machine ?
----
not that I can see
----
> Is there any remote configuration I need to perform for "trust" ?
----
I think that you're supposed to join the domain first
----
>    Note:  My BDC -- has the same SID and Workgroup name as my PDC and
>    I'm able to "join" the domain OK... no errors.
> *) I'm using IDEALX scripts -- why doesn't Samba provide similar
> utilities ?  Are there better 3rd party scripts out there ?
----
none that I know of
----
> **) What might I be missing ?  What must I do to get "net vampire" to
> pull and store the PDC/SAM passwords OK ?
----
you're close
----
> *) Should I be using SambaTNG instead ?
----
I wouldn't
----
> *) Could I use "net rpc samdump" instead -- and manual scripts to
> convert to LDIF ?
----
never done that
----
> 
> 
>   Background:
> ============
> All I want to do is reproduce MSWinNT&2000-PDC/SAM user/computer/group
> information in LDAP so I can authenticate web applications and other
> applications without having to manually maintain all this user
> information by hand.  Later I may also want to synch. with
> account/address information in LotusNotes and ADP....
> I don't care to have my host as fulltime BDC -- I don't need my host to
> replace the PDC -- I don't need the host to authenticate Windows users
> on the WinDOMAIN;  A cron job to synch with PDC each night -- and then
> shutdown would be OK.
----
evidently, you haven't read the documentation on samba web site enough.
From what you are describing, you should bother with LDAP or BDC.
winbind is all you need. vampire is a one time process. A samba based
BDC cannot co-exist with Windows PDC - read the documentation.

net rpc vampire command is difficult to get working with LDAP. You have
to set up base LDAP and slapcat it to an ldif. Try to vampire the PDC
and see what doesn't work right, dump the db, slapadd it, slapindex it,
fix what was wrong with setup and vampire again. It's Groundhog
Day...you have to keep doing it until you get it right. You are however,
in my opinion from your 'background' going about it the wrong way. Let
Windows handle the authentication elements and access it via winbind.

Craig
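The thread turns on one diagnostic: after a vampire run, slapcat the directory and see which accounts came across with a `{CRYPT}x` placeholder and no NT hash instead of real credentials. The script below is an added example, not code from this thread or from the Samba project. It assumes the Samba 3 ldapsam attribute names (`sambaSamAccount`, `sambaNTPassword`, `userPassword`) and works on a constructed slapcat-style LDIF with a placeholder suffix (`dc=example,dc=ca`); point it at a real dump to get the same report.

```python
"""Audit a slapcat LDIF dump for Samba accounts whose passwords did not migrate.

Added example (not from the mailing-list thread). Assumes the Samba 3 ldapsam
schema attribute names; SAMPLE_LDIF is constructed data.
"""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample: alice migrated fully, product got only the lock
# placeholder, bob has an NT hash but still a placeholder Unix password.
SAMPLE_LDIF = """\
version: 1

dn: uid=alice,ou=Users,dc=example,dc=ca
objectClass: sambaSamAccount
objectClass: posixAccount
uid: alice
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaLMPassword: FEDCBA9876543210FEDCBA9876543210

dn: uid=product,ou=Users,dc=example,dc=ca
objectClass: sambaSamAccount
objectClass: posixAccount
uid: product
userPassword: {CRYPT}x

dn: uid=bob,ou=Users,dc=example,dc=ca
objectClass: sambaSamAccount
objectClass: posixAccount
uid: bob
userPassword: {CRYPT}x
sambaNTPassword: 00112233445566778899AABBCCDDEEFF

dn: cn=staff,ou=Groups,dc=example,dc=ca
objectClass: posixGroup
cn: staff
"""


def parse_ldif(text: str) -> List[Entry]:
    """Parse slapcat-style LDIF into a list of {attribute: [values]} dicts.

    Handles folded lines (a leading space continues the previous line),
    base64 values ("attr:: ..."), comments and the version line. Attribute
    names are lower-cased because LDAP attribute names are case-insensitive.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def is_placeholder_password(value: str) -> bool:
    """True for lock-style values such as {CRYPT}x or {CRYPT}!.

    A genuine crypt(3) hash is at least 13 characters after the scheme tag;
    anything shorter is a placeholder that can never satisfy a pam_ldap bind.
    """
    lowered = value.lower()
    if not lowered.startswith("{crypt}"):
        return False
    return len(value[len("{crypt}"):]) < 13


def audit_samba_accounts(entries: List[Entry]) -> Dict[str, List[str]]:
    """Return {uid: [problems]} for sambaSamAccount entries with bad credentials."""
    findings: Dict[str, List[str]] = {}
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "sambasamaccount" not in classes:
            continue
        uid = entry.get("uid", entry.get("dn", ["?"]))[0]
        problems: List[str] = []
        if "sambantpassword" not in entry:
            problems.append("no sambaNTPassword: NT hash was not pulled from the PDC")
        passwords = entry.get("userpassword", [])
        if not passwords:
            problems.append("no userPassword: pam_ldap bind cannot succeed")
        elif any(is_placeholder_password(p) for p in passwords):
            problems.append("userPassword is a {CRYPT} placeholder: pam_ldap bind fails with Invalid credentials")
        if problems:
            findings[uid] = problems
    return findings


if __name__ == "__main__":
    for uid, problems in audit_samba_accounts(parse_ldif(SAMPLE_LDIF)).items():
        print(uid)
        for problem in problems:
            print("  -", problem)
```

Run it against `slapcat -l dump.ldif` output after each vampire attempt; an empty report means every Samba account carries both an NT hash and a real Unix password, which is the state the original poster was trying to reach.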


