[Samba] samba failed to authenticate to openLDAP

Nathan Vidican nvidican at wmptl.com
Fri Mar 4 14:46:21 GMT 2005


Smbldap-tools has a passwd script which will change/sync the password(s);
you can even configure samba to utilize this script when a client from a
windows machine tries to change their password, (see example below). I might
also recommend you look into a decent web-based or graphical LDAP account
manager, (LAM comes to mind, not sure what platform you're working from, but
on FreeBSD it's just a matter of installing it from the ports check the
website out - http://lam.sf.net/).

We are using LDAP, in conjunction with nss_ldap & pam_ldap on the unix side
plus samba 3.0.11 on the windows side; single sign on regardless of which
machine/platform any user is on. Roaving profiles on the windows network,
and even Sun stations can share the same pam database for authentication and
nss information - all works very well, and has suited us perfectly. We are
currently using either LAM, (Ldap Account Manager - http://lam.sf.net/ ), or
manual ldap insert/delete/modify commands to administer our users. LAM takes
about ten minutes to setup and get going, and even less to figure out and
work with; gives the ability to control Unix, Posix, Samba, and other
attributes of any user, group, domain, or domain-machine (host) account.

Anyhow, just my two cents - but you should take a look into something like
LAM to save you time; (I know there are other utilities/user managers, one
in particular we tried which runs from X-win... But we found the simplicity
of LAM to be key).

Here's an example of how to configure samba to use smbldap-tools' password
script:

ldap passwd sync = yes
passwd program = /server/bin/smbldap-tools/smbldap-passwd.pl -u %u
passwd chat = "Changing password for*\nNew Password*" %n\n "*Retype new
password*" %n\n


--
Nathan Vidican
nvidican at wmptl.com
Windsor Match Plate & Tool Ltd.
http://www.wmplt.com/


-----Original Message-----
From: samba-bounces+nvidican=wmptl.com at lists.samba.org
[mailto:samba-bounces+nvidican=wmptl.com at lists.samba.org] On Behalf Of Steve
Zeng
Sent: Thursday, March 03, 2005 7:59 PM
To: craigwhite at azapple.com
Cc: samba at lists.samba.org
Subject: Re: [Samba] samba failed to authenticate to openLDAP


Paul and Craig,

I finally got it working. The reason it failed before is the way I built
the LDAP DIT. I also found a problem in smbldap-populate script which I
will describe below.

Here were what I did:

1) run configure.pl

2) edit smbldap-populate and change the following line:

my ($organisation,$ext) = ($config{suffix} =~ m/dc=(.*),dc=(.*)$/);

to:
my ($organisation,$ext) = ($config{suffix} =~ m/dc=(.*)$/);

The reason is I only have a single name for my domain, i.e. "dc=mfelc".
but the perl script will suppose we have exactly two names, for example,
dc=idealx, dc=org. It also won't work if you have three names in your
domain. (dc=mydept, dc=mycompany, dc=com)

3) run smbldap-populate
    it works perfectly to build the DIT

4) use smbldap-migrate-unix-accounts to migrate NIS accounts

5) use smbldap-migrate-unix-groups to migrate NIS group

this time when I use smbclient with a NIS account, the log will show
wrong password. So I run smbpasswd to give this account a new samba
password and run smbclient again. it works.

There are two problems here:

1) how to migrate NIS hosts into LDAP?

2) I checked the LDAP attributes and found three password fieds:

SambaLMPassword
SambaNTPassword
userPassword

How can I sync them so that I don't have to keep two or more password
for one user account?

Best Regards,

Steve









> Paul,
>
> I downloaded smbldap-tools-0.8.7 and tried the following:
>
> 1) run configure.pl
>
> 2) initialize LDAP base and then start LDAP server
> dn: dc=mfelc
> dc: mfelc
> objectClass: top
> objectClass: domain
>
> 3) run smbldap-populate
>
> 4) run the following migration tool to import users from NIS:
> smbldap-migrate-unix-accounts -a -P /tmp/passwd.nis
>
> 5) run the following migration tool to import groups from NIS:
> smbldap-migrate-unix-groups -a -G /tmp/group.nis
>
> 6) smbldap-useradd -a -m testuser1
>    smbldap-passwd testuser1
>
> 6) smbclient //enzo/testuser1 -U testuser1
>
>
> got the following errors:
> -------------------------------------
>   User testuser1 in passdb, but getpwnam() fails!
> [2005/03/01 18:12:11, 5] auth/auth_util.c:free_server_info(1344)
>   attempting to free (and zero) a server_info structure [2005/03/01
> 18:12:11, 0] auth/auth_sam.c:check_sam_security(306)
>   check_sam_security: make_server_info_sam() failed with
> 'NT_STATUS_NO_SUCH_USER'
> [2005/03/01 18:12:11, 5] auth/auth.c:check_ntlm_password(271)
>   check_ntlm_password: sam authentication for user [testuser1] FAILED
> with error NT_STATUS_NO_SUCH_USER
> [2005/03/01 18:12:11, 3] auth/auth_winbind.c:check_winbind_security(80)
>   check_winbind_security: Not using winbind, requested domain [TESTDM]
> was for this SAM.
> [2005/03/01 18:12:11, 10] auth/auth.c:check_ntlm_password(259)
>   check_ntlm_password: winbind had nothing to say
> [2005/03/01 18:12:11, 2] auth/auth.c:check_ntlm_password(312)
>   check_ntlm_password:  Authentication for user [testuser1] ->
> [testuser1] FAILED with error NT_STATUS_NO_SUCH_USER
> --------------------------------------------------
>
> No idea what is missing. Thanks a lot for any hints.
>
> Steve
>
>> Judicious snippage, post at the bottom.
>>
>>> I tried to let Samba authenticate against LDAP but could not figure
>>> out how to build the LDAP tree for Samba.
>>>
>>> Fedora core 2
>>> Samba 3.0.10
>>> OpenLDAP 2.1.29
>>>
>>> dc=mydomain
>>>  |
>>>  `--- ou=People    : to store user accounts for Unix and Windows
>>>  |
>>>  `--- ou=Hosts     : to store computer accounts for UNIXX & Windows
>>>  |
>>>  `--- ou=Groups    : to store system groups for Unix and Windows
>>>
>>>
>>> What I did were:
>>
>>
>>
>>>    [global]
>>>         workgroup = TESTDM
>>>         passdb backend = ldapsam:ldap://10.10.0.101/
>>>         log level = 1 passdb:8 auth:8
>>>         domain logons = Yes
>>>         wins support = Yes
>>>         ldap admin dn = cn=root,dc=mydomain
>>>         ldap delete dn = Yes
>>>         ldap group suffix = ou=Group
>>>         ldap machine suffix = ou=Hosts
>>>         ldap user suffix = ou=People
>>>         ldap suffix = dc=mfelc
>>>         ldap passwd sync = Yes
>>>         ldap ssl = no
>>> 3) start Samba server
>>>
>>> 4) run smbclient //smbserver -U myid
>>>    Password:
>>>    session setup failed: NT_STATUS_LOGON_FAILURE
>>
>>
>>
>>> Attached is the smbd.log, I deleted the normal log and keep failed
>>> messages as below:
>>>   check_sam_security: Couldn't find user 'szeng' in passdb file.
>>> auth/auth.c:check_ntlm_password(271)
>>>   check_ntlm_password: sam authentication for user [szeng] FAILED
>>> with error NT_STATUS_NO_SUCH_USER
>>
>>
>>
>>> Is there anybody who might have some idea of what is wrong.
>>
>>
>>
>> Yep.  You did nothing to create the samba attributes that will have to
>> exist in each user account for the users to log in.   I suggest you
>> read the documentation on setting up an LDAP/PDC system that is on
>> the
>> samba.org web site.  You've missed quite a few steps here, so you may
>> want to read it through to get a complete idea.  Your solution is
>> going to include the following:
>>
>> 1. Obtain and configure the smbldap-tools package.
>> 2. Run the smbldap-populate script
>> 3. Make sure you've got a sambaDomain (I think that's the object
>> type)
>> in the base of your DIT.
>> 4. Join the machine to the domain (since you appear to want a domain
>> setup)
>> 4. Add samba attributes to each user's account.
>>
>> Yes there are 2 #4 entries.  Doesn't matter which one comes first.  As
>> far as I can remember, those will be the critical steps to not miss.
>> If you've followed the documentation and not done those steps, you've
>> missed something.
>>
>>
>

--
Regards,

Steve Zeng
Systems Administrator
Mainframe Entertainment Inc
T: (604) 628-1000 ext 5293
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba




More information about the samba mailing list