[Samba] samba failed to authenticate to openLDAP
Steve Zeng
szeng at mainframe.ca
Tue Mar 8 01:51:15 GMT 2005
Nathan,
I made a lot progress with all your great help. I could authenticate the
same user account during UNIX login and Samba login. Great!!
There is one thing left. I could not join a windows machine to the
domain. It is said there is a Samba bug related to this. Is it fixed in
Samba 3.0.10 or not? Is there any walk-around solution?
Below is my samba log:
make_user_info_map: Mapping user [TESTDOMAIN]\[administrator] from
workstation [AJATAR]
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
is_trusted_domain: Checking for domain trust with [TESTDOMAIN]
secrets_fetch failed!
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
Cache entry with key = TDOM/TESTDOMAIN couldn't be found
no entry for trusted domain TESTDOMAIN found.
Steve Zeng
> Nathan,
>
> I could not use "smbldap-passwd" and any other "smbldap-xxxxx" commands.
> I got error like this:
>
> # smbldap-passwd administrator
> /usr/sbin/smbldap-passwd: user administrator doesn't exist
>
> The only way I can change passwd is to use smbpasswd.
>
> any idea why is that?
>
> Thanks.
>
> Steve
>
>> Smbldap-tools has a passwd script which will change/sync the password(s);
>> you can even configure samba to utilize this script when a client from a
>> windows machine tries to change their password, (see example below). I
>> might
>> also recommend you look into a decent web-based or graphical LDAP account
>> manager, (LAM comes to mind, not sure what platform you're working
>> from, but
>> on FreeBSD it's just a matter of installing it from the ports check the
>> website out - http://lam.sf.net/).
>>
>> We are using LDAP, in conjunction with nss_ldap & pam_ldap on the unix
>> side
>> plus samba 3.0.11 on the windows side; single sign on regardless of which
>> machine/platform any user is on. Roaving profiles on the windows network,
>> and even Sun stations can share the same pam database for
>> authentication and
>> nss information - all works very well, and has suited us perfectly. We
>> are
>> currently using either LAM, (Ldap Account Manager - http://lam.sf.net/
>> ), or
>> manual ldap insert/delete/modify commands to administer our users. LAM
>> takes
>> about ten minutes to setup and get going, and even less to figure out and
>> work with; gives the ability to control Unix, Posix, Samba, and other
>> attributes of any user, group, domain, or domain-machine (host) account.
>>
>> Anyhow, just my two cents - but you should take a look into something
>> like
>> LAM to save you time; (I know there are other utilities/user managers,
>> one
>> in particular we tried which runs from X-win... But we found the
>> simplicity
>> of LAM to be key).
>>
>> Here's an example of how to configure samba to use smbldap-tools'
>> password
>> script:
>>
>> ldap passwd sync = yes
>> passwd program = /server/bin/smbldap-tools/smbldap-passwd.pl -u %u
>> passwd chat = "Changing password for*\nNew Password*" %n\n "*Retype new
>> password*" %n\n
>>
>>
>> --
>> Nathan Vidican
>> nvidican at wmptl.com
>> Windsor Match Plate & Tool Ltd.
>> http://www.wmplt.com/
>>
>>
>> -----Original Message-----
>> From: samba-bounces+nvidican=wmptl.com at lists.samba.org
>> [mailto:samba-bounces+nvidican=wmptl.com at lists.samba.org] On Behalf Of
>> Steve
>> Zeng
>> Sent: Thursday, March 03, 2005 7:59 PM
>> To: craigwhite at azapple.com
>> Cc: samba at lists.samba.org
>> Subject: Re: [Samba] samba failed to authenticate to openLDAP
>>
>>
>> Paul and Craig,
>>
>> I finally got it working. The reason it failed before is the way I built
>> the LDAP DIT. I also found a problem in smbldap-populate script which I
>> will describe below.
>>
>> Here were what I did:
>>
>> 1) run configure.pl
>>
>> 2) edit smbldap-populate and change the following line:
>>
>> my ($organisation,$ext) = ($config{suffix} =~ m/dc=(.*),dc=(.*)$/);
>>
>> to:
>> my ($organisation,$ext) = ($config{suffix} =~ m/dc=(.*)$/);
>>
>> The reason is I only have a single name for my domain, i.e. "dc=mfelc".
>> but the perl script will suppose we have exactly two names, for example,
>> dc=idealx, dc=org. It also won't work if you have three names in your
>> domain. (dc=mydept, dc=mycompany, dc=com)
>>
>> 3) run smbldap-populate
>> it works perfectly to build the DIT
>>
>> 4) use smbldap-migrate-unix-accounts to migrate NIS accounts
>>
>> 5) use smbldap-migrate-unix-groups to migrate NIS group
>>
>> this time when I use smbclient with a NIS account, the log will show
>> wrong password. So I run smbpasswd to give this account a new samba
>> password and run smbclient again. it works.
>>
>> There are two problems here:
>>
>> 1) how to migrate NIS hosts into LDAP?
>>
>> 2) I checked the LDAP attributes and found three password fieds:
>>
>> SambaLMPassword
>> SambaNTPassword
>> userPassword
>>
>> How can I sync them so that I don't have to keep two or more password
>> for one user account?
>>
>> Best Regards,
>>
>> Steve
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>> Paul,
>>>
>>> I downloaded smbldap-tools-0.8.7 and tried the following:
>>>
>>> 1) run configure.pl
>>>
>>> 2) initialize LDAP base and then start LDAP server
>>> dn: dc=mfelc
>>> dc: mfelc
>>> objectClass: top
>>> objectClass: domain
>>>
>>> 3) run smbldap-populate
>>>
>>> 4) run the following migration tool to import users from NIS:
>>> smbldap-migrate-unix-accounts -a -P /tmp/passwd.nis
>>>
>>> 5) run the following migration tool to import groups from NIS:
>>> smbldap-migrate-unix-groups -a -G /tmp/group.nis
>>>
>>> 6) smbldap-useradd -a -m testuser1
>>> smbldap-passwd testuser1
>>>
>>> 6) smbclient //enzo/testuser1 -U testuser1
>>>
>>>
>>> got the following errors:
>>> -------------------------------------
>>> User testuser1 in passdb, but getpwnam() fails!
>>> [2005/03/01 18:12:11, 5] auth/auth_util.c:free_server_info(1344)
>>> attempting to free (and zero) a server_info structure [2005/03/01
>>> 18:12:11, 0] auth/auth_sam.c:check_sam_security(306)
>>> check_sam_security: make_server_info_sam() failed with
>>> 'NT_STATUS_NO_SUCH_USER'
>>> [2005/03/01 18:12:11, 5] auth/auth.c:check_ntlm_password(271)
>>> check_ntlm_password: sam authentication for user [testuser1] FAILED
>>> with error NT_STATUS_NO_SUCH_USER
>>> [2005/03/01 18:12:11, 3] auth/auth_winbind.c:check_winbind_security(80)
>>> check_winbind_security: Not using winbind, requested domain [TESTDM]
>>> was for this SAM.
>>> [2005/03/01 18:12:11, 10] auth/auth.c:check_ntlm_password(259)
>>> check_ntlm_password: winbind had nothing to say
>>> [2005/03/01 18:12:11, 2] auth/auth.c:check_ntlm_password(312)
>>> check_ntlm_password: Authentication for user [testuser1] ->
>>> [testuser1] FAILED with error NT_STATUS_NO_SUCH_USER
>>> --------------------------------------------------
>>>
>>> No idea what is missing. Thanks a lot for any hints.
>>>
>>> Steve
>>>
>>>
>>>> Judicious snippage, post at the bottom.
>>>>
>>>>
>>>>> I tried to let Samba authenticate against LDAP but could not figure
>>>>> out how to build the LDAP tree for Samba.
>>>>>
>>>>> Fedora core 2
>>>>> Samba 3.0.10
>>>>> OpenLDAP 2.1.29
>>>>>
>>>>> dc=mydomain
>>>>> |
>>>>> `--- ou=People : to store user accounts for Unix and Windows
>>>>> |
>>>>> `--- ou=Hosts : to store computer accounts for UNIXX & Windows
>>>>> |
>>>>> `--- ou=Groups : to store system groups for Unix and Windows
>>>>>
>>>>>
>>>>> What I did were:
>>>>
>>>>
>>>>
>>>>
>>>>> [global]
>>>>> workgroup = TESTDM
>>>>> passdb backend = ldapsam:ldap://10.10.0.101/
>>>>> log level = 1 passdb:8 auth:8
>>>>> domain logons = Yes
>>>>> wins support = Yes
>>>>> ldap admin dn = cn=root,dc=mydomain
>>>>> ldap delete dn = Yes
>>>>> ldap group suffix = ou=Group
>>>>> ldap machine suffix = ou=Hosts
>>>>> ldap user suffix = ou=People
>>>>> ldap suffix = dc=mfelc
>>>>> ldap passwd sync = Yes
>>>>> ldap ssl = no
>>>>> 3) start Samba server
>>>>>
>>>>> 4) run smbclient //smbserver -U myid
>>>>> Password:
>>>>> session setup failed: NT_STATUS_LOGON_FAILURE
>>>>
>>>>
>>>>
>>>>
>>>>> Attached is the smbd.log, I deleted the normal log and keep failed
>>>>> messages as below:
>>>>> check_sam_security: Couldn't find user 'szeng' in passdb file.
>>>>> auth/auth.c:check_ntlm_password(271)
>>>>> check_ntlm_password: sam authentication for user [szeng] FAILED
>>>>> with error NT_STATUS_NO_SUCH_USER
>>>>
>>>>
>>>>
>>>>
>>>>> Is there anybody who might have some idea of what is wrong.
>>>>
>>>>
>>>>
>>>>
>>>> Yep. You did nothing to create the samba attributes that will have to
>>>> exist in each user account for the users to log in. I suggest you
>>>> read the documentation on setting up an LDAP/PDC system that is on
>>>> the
>>>> samba.org web site. You've missed quite a few steps here, so you may
>>>> want to read it through to get a complete idea. Your solution is
>>>> going to include the following:
>>>>
>>>> 1. Obtain and configure the smbldap-tools package.
>>>> 2. Run the smbldap-populate script
>>>> 3. Make sure you've got a sambaDomain (I think that's the object
>>>> type)
>>>> in the base of your DIT.
>>>> 4. Join the machine to the domain (since you appear to want a domain
>>>> setup)
>>>> 4. Add samba attributes to each user's account.
>>>>
>>>> Yes there are 2 #4 entries. Doesn't matter which one comes first. As
>>>> far as I can remember, those will be the critical steps to not miss.
>>>> If you've followed the documentation and not done those steps, you've
>>>> missed something.
>>>>
>>>>
>>>
>>
>> --
>> Regards,
>>
>> Steve Zeng
>> Systems Administrator
>> Mainframe Entertainment Inc
>> T: (604) 628-1000 ext 5293
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/listinfo/samba
>>
>>
>>
>>
>
--
Regards,
Steve Zeng
Systems Administrator
Mainframe Entertainment Inc
T: (604) 628-1000 ext 5293
More information about the samba
mailing list