[Samba] Re: smbldap- only user root can login to windows.

paul kölle paul at subsignal.org
Sun Jun 19 12:29:37 GMT 2005


Ryan Braun wrote:
> Jun 17 15:51:49 ywgldap0 slapd[16885]: conn=102 op=0 BIND dn="" method=128
> Jun 17 15:51:49 ywgldap0 slapd[16885]: conn=102 op=0 RESULT tag=97 err=0 text=
> Jun 17 15:51:49 ywgldap0 slapd[16885]: conn=102 op=1 SRCH 
> base="ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 deref=0 
> filter="(&(objectClass=posixAccount)(uid=windowsguy))"
> Jun 17 15:51:49 ywgldap0 slapd[16885]: conn=102 op=1 SRCH attr=uid 
> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos 
> description objectClass
> Jun 17 15:51:49 ywgldap0 slapd[16885]: conn=102 op=1 SEARCH RESULT tag=101 
> err=0 nentries=0 text=
This is an anonymous bind from NSS, and it returns no entry for
uid=windowsguy. It seems anonymous binds have no read access to the
Users container; check your ACLs.


> SAMBA
> [2005/06/17 15:51:42, 0] lib/util_sock.c:write_socket_data(430)
>   write_socket_data: write failure. Error = Connection reset by peer
> [2005/06/17 15:51:42, 0] lib/util_sock.c:write_socket(455)
>   write_socket: Error writing 4 bytes to socket 5: ERRNO = Connection reset by 
> peer
> [2005/06/17 15:51:42, 0] lib/util_sock.c:send_smb(647)
>   Error writing 4 bytes to client. -1. (Connection reset by peer)
> [2005/06/17 15:51:42, 2] smbd/server.c:exit_server(609)
>   Closing connections
> [2005/06/17 15:51:49, 2] rpc_parse/parse_prs.c:netsec_decode(1594)
>   netsec_decode: FAILED: packet sequence number:
> [2005/06/17 15:51:49, 2] lib/util.c:dump_data(1995)
>   [000] 2F 5D 35 7D C5 F5 6E 88                           /]5}..n.
> [2005/06/17 15:51:49, 2] rpc_parse/parse_prs.c:netsec_decode(1596)
>   should be:
> [2005/06/17 15:51:49, 2] lib/util.c:dump_data(1995)
>   [000] 00 00 00 00 80 00 00 00                           ........
> [2005/06/17 15:51:49, 2] lib/smbldap.c:smbldap_open_connection(692)
>   smbldap_open_connection: connection opened
> [2005/06/17 15:51:49, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: win2k$
> [2005/06/17 15:51:49, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: windowsguy
> [2005/06/17 15:51:49, 1] auth/auth_util.c:make_server_info_sam(840)
>   User windowsguy in passdb, but getpwnam() fails!
That is what Samba makes from the empty search result for
(&(objectClass=posixAccount)(uid=windowsguy)).

> [2005/06/17 15:51:49, 0] auth/auth_sam.c:check_sam_security(324)
>   check_sam_security: make_server_info_sam() failed with 
> 'NT_STATUS_NO_SUCH_USER'
> [2005/06/17 15:51:49, 2] auth/auth.c:check_ntlm_password(312)
>   check_ntlm_password:  Authentication for user [windowsguy] -> [windowsguy] 
> FAILED with error NT_STATUS_NO_SUCH_USER
> [2005/06/17 15:54:26, 2] smbd/server.c:exit_server(609)
>   Closing connections
> 
> Now the working example for user root (snipped)
> Jun 17 17:15:13 ywgldap0 slapd[16885]: conn=163 fd=10 closed
> Jun 17 17:17:02 ywgldap0 slapd[16885]: conn=164 fd=10 ACCEPT from 
> IP=192.168.240.17:34126 (IP=0.0.0.0:389)
> Jun 17 17:17:02 ywgldap0 slapd[16885]: conn=164 op=0 BIND 
> dn="cn=nss,ou=Admins,dc=xxx,dc=xx,dc=xx,dc=xx" method=128
> Jun 17 17:17:02 ywgldap0 slapd[16885]: conn=164 op=0 BIND 
> dn="cn=nss,ou=Admins,dc=xxx,dc=xx,dc=xx,dc=xx" mech=SIMPLE ssf=0
> Jun 17 17:17:02 ywgldap0 slapd[16885]: conn=164 op=0 RESULT tag=97 err=0 text=
> Jun 17 17:17:02 ywgldap0 slapd[16885]: conn=164 op=1 SRCH 
> base="ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 deref=0 
> filter="(&(objectClass=posixAccount)(uid=root))"
> Jun 17 17:17:02 ywgldap0 slapd[16885]: conn=164 op=1 ENTRY 
> dn="uid=root,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx"
> Jun 17 17:17:02 ywgldap0 slapd[16885]: conn=164 op=1 SEARCH RESULT tag=101 
> err=0 nentries=1 text=
Here, NSS binds with a DN and password, and the search succeeds.

It seems Samba is performing the NSS call as the user trying to log on
to the domain; hence, if root logs in, NSS uses the DN from "rootbinddn",
and in all other cases the DN from "binddn", which is anonymous by
default. Check your settings for "binddn" and "rootbinddn" in ldap.conf
(the config for libnss_ldap.so; use strace and getent to find out where
the file is, most likely /etc/ldap.conf). If you don't want to allow
anonymous searches for your users, you can use a proxy DN for "binddn"
and put the cleartext password in /etc/ldap.secret (mode 600).

hth
 Paul
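The diagnosis Paul walks through above (an anonymous BIND on a connection followed by a SEARCH RESULT with nentries=0) can be checked mechanically over slapd log lines. The script below is an added example, not code from this thread or from Samba or OpenLDAP; the log lines it contains are constructed to mirror the quoted ones, with a made-up base DN.

```python
import re

# Constructed slapd log lines modelled on the ones quoted in the thread
# (not the original data; base DN is a placeholder).
SAMPLE_LOG = """\
Jun 17 15:51:49 ywgldap0 slapd[16885]: conn=102 op=0 BIND dn="" method=128
Jun 17 15:51:49 ywgldap0 slapd[16885]: conn=102 op=0 RESULT tag=97 err=0 text=
Jun 17 15:51:49 ywgldap0 slapd[16885]: conn=102 op=1 SRCH base="ou=Users,dc=example,dc=org" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=windowsguy))"
Jun 17 15:51:49 ywgldap0 slapd[16885]: conn=102 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 17 17:17:02 ywgldap0 slapd[16885]: conn=164 op=0 BIND dn="cn=nss,ou=Admins,dc=example,dc=org" method=128
Jun 17 17:17:02 ywgldap0 slapd[16885]: conn=164 op=0 BIND dn="cn=nss,ou=Admins,dc=example,dc=org" mech=SIMPLE ssf=0
Jun 17 17:17:02 ywgldap0 slapd[16885]: conn=164 op=1 SRCH base="ou=Users,dc=example,dc=org" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=root))"
Jun 17 17:17:02 ywgldap0 slapd[16885]: conn=164 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*nentries=(\d+)')


def find_anonymous_empty_searches(log_text):
    """Return (conn, filter) pairs where an anonymous bind (dn="") on a
    connection was followed by a search on that connection returning
    zero entries; this is the pattern that makes getpwnam() fail for
    the NSS lookup discussed in the thread."""
    bind_dn = {}   # conn -> DN the connection is bound as ("" = anonymous)
    filters = {}   # (conn, op) -> search filter seen for that operation
    hits = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            bind_dn[m.group(1)] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if m:
            filters[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and int(m.group(3)) == 0 and bind_dn.get(m.group(1)) == "":
            hits.append((m.group(1), filters.get((m.group(1), m.group(2)), "")))
    return hits


if __name__ == "__main__":
    for conn, flt in find_anonymous_empty_searches(SAMPLE_LOG):
        print(f"conn={conn}: anonymous bind, search {flt} returned no entries; "
              "likely an ACL denies anonymous read, check binddn in ldap.conf")
```

Run it against a real slapd log (loglevel 256 or higher) to see which connections hit the anonymous-bind case; a bound connection that still returns zero entries is a different problem, most likely the filter or the base DN.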