[Samba] Re: PDC with LDAP backend login issue

Mon Jun 13 21:43:14 GMT 2005

For prosperity,

the problem was eDirectory. To get PAM/NSS 100% working you *HAVE* to
create a proxy user that has specific permissions as explained in the
article:

http://www.novell.com/coolsolutions/feature/1630.html   "Configure
Linux to Authenticate to eDirectory via LDAP"

After this getpwnam() works and I can logon to the domain using any
user I want. Still I don't understand why connecting to a share
doesn't seem to do the same as logging on to the domain (from a
authentication point of view).

The indication that led me to the solution was implementing LDAP
authentication for 'su'. After changing the pam.d/su file so su was
using my ldap server I noticed that, although I could do 'su testuser'
the prompt said 'this users has no name' or something alike. So,
somehow, the link between 'su' and the ldap server was incomplete. I
also found a couple of posts in other mailing lists about getpwnam()
problems in combination with eDirectory. This led me to to above
mentioned article.

Hope this helps someone in the future,
Dennis

On 6/9/05, dennis vijlbrief <dennis.vijlbrief at gmail.com> wrote:
> Hi all,
> 
> I'm very close to having a working setup after blundering through a
> couple of typing errors that cost me several days of my life, with the
> following config:
> Samba 3.0.14a as a PDC
> Suse 9.2 Professional
> LDAP (eDirectory 8.7.3) passwd backend
> Idealx scripts
> Windows XP SP1
> 
> I can connect to any of the samba shares just fine using any of the
> users I've created, from XP and from linux using SMBCLIENT. I can join
> workstations to the Domain and I can log on from a WindowsXP
> workstation, but only as root. This is the problem, or the symtom ;-)
> If I try logging on as a different user I get the same error message
> as when I use a non-existing user. I've tried users I've created
> manually, users created with smbldap-useradd and users created by
> smbldap-populate.
> 
> The only thing I did that was not described anywhere to get the idealx
> scripts working was exporting to an ldif file and adding the entry:
> "objectClass: Group" to all the groups the script wants to create. I
> had to do this otherwise smbldap-populate couldn't create groups like
> "Domain Admins" because of "OBJECT CLASS VIOLATION" errors.
> 
> Also I put users, workstations and groups in the same container now to
> minimize the risk of running into some issues I've been reading.
> 
> I don't see how it can be possible to have access to all shares but
> not be able to really logon. Unless it has something to do with the
> netlogon service or IPC$ ¡? But I can connect just fine to those
> shares to using a different user.
> 
> Below are extracts from a log I made using the loggin level: 0
> passdb:4 auth:4 tdb:4
> Hope anyone can shed some light on this.
> 
> Any help would be appreciated.
> 
> My log show this:
> 
> check_ntlm_password:  Checking password for unmapped user
> [NDSDOM]\[testuser3]@[SCLXPWD4104] with the new password interface
> [2005/06/06 05:36:24, 3] auth/auth.c:check_ntlm_password(222)
>  check_ntlm_password:  mapped user is: [NDSDOM]\[testuser3]@[SCLXPWD4104]
> [2005/06/06 05:36:24, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>  init_sam_from_ldap: Entry found for user: testuser3
> [2005/06/06 05:36:24, 4] auth/auth_sam.c:sam_account_ok(119)
>  sam_account_ok: Checking SMB password for user testuser3
> [2005/06/06 05:36:24, 1] auth/auth_util.c:make_server_info_sam(840)
>  User testuser3 in passdb, but getpwnam() fails!
> [2005/06/06 05:36:24, 0] auth/auth_sam.c:check_sam_security(324)
>  check_sam_security: make_server_info_sam() failed with
> 'NT_STATUS_NO_SUCH_USER'
> [2005/06/06 05:36:24, 3] auth/auth_winbind.c:check_winbind_security(80)
>  check_winbind_security: Not using winbind, requested domain [NDSDOM]
> was for this SAM.
> 
> 
> In case of the user root I don't see any reference to getpwnam():
> 
> [2005/06/06 05:36:09, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>  init_sam_from_ldap: Entry found for user: root
> [2005/06/06 05:36:11, 3] auth/auth.c:check_ntlm_password(219)
>  check_ntlm_password:  Checking password for unmapped user
> []\[]@[SCLXPWD4104] with the new password interface
> [2005/06/06 05:36:11, 3] auth/auth.c:check_ntlm_password(222)
>  check_ntlm_password:  mapped user is: [NDSDOM]\[]@[SCLXPWD4104]
> [2005/06/06 05:36:11, 3] auth/auth.c:check_ntlm_password(268)
>  check_ntlm_password: guest authentication for user [] succeeded
> 
> This is the log when I successfully map to a samba share from the XP
> machine (logged on locally):
> 
> [2005/06/06 06:20:16.569305, 3, pid=7535, effective(0, 0), real(0, 0)]
> auth/auth.c:check_ntlm_password(219)
>  check_ntlm_password:  Checking password for unmapped user
> [SCLLSTST]\[testuser]@[SCLXPWD4104] with the new password interfac
> e
> [2005/06/06 06:20:16.570605, 3, pid=7535, effective(0, 0), real(0, 0)]
> auth/auth.c:check_ntlm_password(222)
>  check_ntlm_password:  mapped user is: [NDSDOM]\[testuser]@[SCLXPWD4104]
> [2005/06/06 06:20:16.596668, 2, pid=7535, effective(0, 0), real(0, 0)]
> passdb/pdb_ldap.c:init_sam_from_ldap(499)
>  init_sam_from_ldap: Entry found for user: testuser
> [2005/06/06 06:20:16.603283, 4, pid=7535, effective(0, 0), real(0, 0)]
> libsmb/ntlm_check.c:ntlm_password_check(326)
>  ntlm_password_check: Checking NT MD4 password
> [2005/06/06 06:20:16.604362, 4, pid=7535, effective(0, 0), real(0, 0)]
> auth/auth_sam.c:sam_account_ok(119)
>  sam_account_ok: Checking SMB password for user testuser
> [2005/06/06 06:20:16.904762, 4, pid=7535, effective(0, 0), real(0, 0)]
> passdb/pdb_ldap.c:ldapsam_getgroup(2106)
>  ldapsam_getgroup: Did not find group
> [2005/06/06 06:20:16.908227, 3, pid=7535, effective(0, 0), real(0, 0)]
> auth/auth.c:check_ntlm_password(268)
>  check_ntlm_password: sam authentication for user [testuser] succeeded
> [2005/06/06 06:20:16.910629, 2, pid=7535, effective(0, 0), real(0, 0)]
> auth/auth.c:check_ntlm_password(305)
>  check_ntlm_password:  authentication for user [testuser] ->
> [testuser] -> [testuser] succeeded
>