[Samba] SAMBA3 + LDAP = Round 5 :(((

Bruno Guerreiro bruno.guerreiro at ine.pt
Tue Mar 22 10:35:31 GMT 2005


Yes, that's normal.
And I see that you've edited your slapd.conf.
Does your setup work now?

Best regards,
Bruno Guerreiro

-----Original Message-----
From: benjamin.dupuis at armorarena-fr.com
[mailto:benjamin.dupuis at armorarena-fr.com]
Sent: Tuesday, 22 March 2005 10:31
To: benjamin.dupuis at armorarena-fr.com
Cc: Bruno Guerreiro; 'Poil'; samba at lists.samba.org
Subject: Re: [Samba] SAMBA3 + LDAP = Round 5 :(((


When checking my samba log I have :

[2005/03/22 11:25:39, 0] lib/util_sock.c:get_peer_addr(1136)
  getpeername failed. Error was Transport endpoint is not connected
[2005/03/22 11:25:39, 0] lib/util_sock.c:write_socket_data(430)
  write_socket_data: write failure. Error = Connection reset by peer
[2005/03/22 11:25:39, 0] lib/util_sock.c:write_socket(455)
  write_socket: Error writing 4 bytes to socket 5: ERRNO = Connection reset by peer
[2005/03/22 11:25:39, 0] lib/util_sock.c:send_smb(647)
  Error writing 4 bytes to client. -1. (Connection reset by peer)
[2005/03/22 11:25:39, 2] smbd/server.c:exit_server(575)


Is it normal? I think not ... :/

benjamin.dupuis at armorarena-fr.com wrote:

> I've got :
>
> # users can authenticate and change their password
> access to attrs=userPassword,sambaNTPassword,sambaLMPassword
>        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
>        by dn="cn=nssldap,ou=DSA,dc=arzur,dc=local" write
>        by self write
>        by anonymous auth
>
> # the objectClass needed for everyone
> access to attrs=objectClass,entry
>        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" read
>        by dn="cn=nssldap,ou=DSA,dc=arzur,dc=local" read
>        by dn="cn=postfix-auth,ou=DSA,dc=arzur,dc=local" read
>        by self read
>
> # some attributes need to be readable by everyone
> access to attrs=uidNumber,gidNumber
>        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
>        by dn="cn=nssldap,ou=DSA,dc=arzur,dc=local" read
>        by self read
>
> # some attributes can be writable by users themselves
> access to attrs=description,telephoneNumber
>        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
>        by self write
>        by users read
>
> # some attributes need to be readable so that 'id user' can answer correctly
> access to attrs=@posixAccount,@posixGroup,@inetOrgPerson
>        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
>        by dn="cn=nssldap,ou=DSA,dc=arzur,dc=local" read
>        by self read
>
> # some attributes need to be writable for samba
> access to attrs=@sambaSamAccount,@sambaGroupMapping,@sambaTrustPassword,@sambaDomain,@sambaShare,@sambaConfigOption,@sambaPrivilege
>        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
>        by self read
>
> # samba needs to be able to create the sambaDomain account and NextFreeUnixId
> access to dn="dc=arzur,dc=local" attrs=children
>        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
> access to dn="cn=NextFreeUnixId,dc=arzur,dc=local"
>        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
> access to dn.one="dc=arzur,dc=local" filter="(objectClass=sambaDomain)"
>        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
>
> # samba needs to be able to create new user accounts
> access to dn="ou=People,dc=arzur,dc=local"
>        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
>
> # samba needs to be able to create new group accounts
> access to dn="ou=Groups,dc=arzur,dc=local"
>        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
>
> # samba needs to be able to create new computer accounts
> access to dn="ou=Computers,dc=arzur,dc=local"
>        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
>
> # samba needs to be able to create new idmap entries
> access to dn="ou=Idmap,dc=arzur,dc=local"
>        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
>
> # Default access rights
> access to *
>       by self read
>
> Bruno Guerreiro wrote:
>
>> Hi, I think I've found your problem.
>> You've set rootbinddn    cn=nssldap,ou=DSA,dc=ARZUR,dc=LOCAL but you didn't
>> give that user Admin LDAP rights.
>> Have you done this?
>> http://samba.idealx.org/smbldap-howto.en.html#htoc116
>> And this? http://samba.idealx.org/smbldap-howto.en.html#htoc111
>> Note that since you're using a root bind different from Manager, you
>> must give it admin access. Something like
>> access to * by dn="cn=nssldap,ou=DSA,dc=ARZUR,dc=LOCAL" write
>>
>> This is a very WIDE configuration; you may restrict which objects your admin
>> user can access, in order for it to have write permissions only to samba
>> objects.
>> Something like
>> access to attrs=sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,
>>
>> Best Regards,
>> Bruno Guerreiro
>>
>> -----Original Message-----
>> From: Poil [mailto:poil at own-you.com]
>> Sent: Tuesday, 22 March 2005 8:55
>> To: samba at lists.samba.org
>> Subject: [Samba] SAMBA3 + LDAP = Round 5 :(((
>>
>>
>> Okay, if anyone can help me, I put all my config and log on 
>> http://www.arzurproduction.com/temp/
>>
>> I cannot join the domain on my Windows XP (Access Deny)
>>
>> So I try :
>> 1- An Administrator user created by smbldap-populate; I have root =
>> Administrator in my /etc/samba/smbusers
>> Error :
>> [2005/03/21 10:09:03, 2] auth/auth.c:check_ntlm_password(312)
>>  check_ntlm_password:  Authentication for user [administrator] -> 
>> [root] FAILED with error NT_STATUS_NO_SUCH_USER
>>
>>
>> 2- The same Administrator but I comment root = Administrator
>> Error :
>> [2005/03/22 09:47:04, 2] lib/smbldap.c:smbldap_open_connection(692)
>>  smbldap_open_connection: connection opened
>> [2005/03/22 09:47:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
>>  init_sam_from_ldap: Entry found for user: Administrator
>> [2005/03/22 09:47:04, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
>>  init_group_from_ldap: Entry found for group: 512
>> [2005/03/22 09:47:04, 2] auth/auth.c:check_ntlm_password(305)
>>  check_ntlm_password:  authentication for user [administrator] -> 
>> [administrator] -> [Administrator] succeeded
>> [2005/03/22 09:47:05, 2] 
>> rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
>>  Returning domain sid for domain ARZUR-NT -> 
>> S-1-5-21-1874299889-3982645529-2160850509
>> [2005/03/22 09:47:05, 2] 
>> rpc_server/srv_samr_nt.c:access_check_samr_object(93)
>>  _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
>> [2005/03/22 09:47:05, 2] 
>> rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
>>  Returning domain sid for domain ARZUR-NT -> 
>> S-1-5-21-1874299889-3982645529-2160850509
>> [2005/03/22 09:47:05, 2] 
>> rpc_server/srv_samr_nt.c:access_check_samr_function(115)
>>  _samr_create_user: ACCESS DENIED (granted: 0x00000201;  required: 
>> 0x00000010)
>> [2005/03/22 09:47:05, 2] smbd/server.c:exit_server(575)
>>  Closing connections
>>
>>
>> 3- The same Administrator; I created a root LDAP user (same as the old
>> smbldap-tools)
>> [2005/03/22 09:49:42, 2] lib/smbldap.c:smbldap_open_connection(692)
>>  smbldap_open_connection: connection opened
>> [2005/03/22 09:49:42, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
>>  init_sam_from_ldap: Entry found for user: root
>> [2005/03/22 09:49:42, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
>>  init_group_from_ldap: Entry found for group: 513
>> [2005/03/22 09:49:42, 2] auth/auth.c:check_ntlm_password(305)
>>  check_ntlm_password:  authentication for user [administrator] -> 
>> [root] -> [root] succeeded
>> [2005/03/22 09:49:43, 2] 
>> rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
>>  Returning domain sid for domain ARZUR-NT -> 
>> S-1-5-21-1874299889-3982645529-2160850509
>> [2005/03/22 09:49:43, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
>>  init_group_from_ldap: Entry found for group: 515
>> [2005/03/22 09:49:43, 2] passdb/pdb_ldap.c:init_ldap_from_sam(929)
>>  init_ldap_from_sam: Setting entry for user: poil-barebone$
>> [2005/03/22 09:49:43, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1552)
>>  ldapsam_modify_entry: Failed to modify user dn= 
>> uid=poil-barebone$,ou=Computers,dc=arzur,dc=local with: Insufficient 
>> access
>>
>> [2005/03/22 09:49:43, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1994)
>>  ldapsam_add_sam_account: failed to modify/add user with uid = 
>> poil-barebone$ (dn = uid=poil-barebone$,ou=Computers,dc=arzur,dc=local)
>> [2005/03/22 09:49:43, 0] 
>> rpc_server/srv_samr_nt.c:_samr_create_user(2272)
>>  could not add user/computer poil-barebone$ to passdb.  Check 
>> permissions?
>> [2005/03/22 09:49:43, 2] smbd/server.c:exit_server(575)
>>  Closing connections
>>
>>
>> 4- As root (LDAP root)
>> [2005/03/22 09:50:21, 2] lib/smbldap.c:smbldap_open_connection(692)
>>  smbldap_open_connection: connection opened
>> [2005/03/22 09:50:21, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
>>  init_sam_from_ldap: Entry found for user: root
>> [2005/03/22 09:50:21, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
>>  init_group_from_ldap: Entry found for group: 513
>> [2005/03/22 09:50:21, 2] auth/auth.c:check_ntlm_password(305)
>>  check_ntlm_password:  authentication for user [root] -> [root] -> 
>> [root] succeeded
>> [2005/03/22 09:50:22, 2] 
>> rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
>>  Returning domain sid for domain ARZUR-NT -> 
>> S-1-5-21-1874299889-3982645529-2160850509
>> [2005/03/22 09:50:22, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
>>  init_group_from_ldap: Entry found for group: 515
>> [2005/03/22 09:50:22, 2] passdb/pdb_ldap.c:init_ldap_from_sam(929)
>>  init_ldap_from_sam: Setting entry for user: poil-barebone$
>> [2005/03/22 09:50:22, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1552)
>>  ldapsam_modify_entry: Failed to modify user dn= 
>> uid=poil-barebone$,ou=Computers,dc=arzur,dc=local with: Insufficient 
>> access
>>
>> [2005/03/22 09:50:22, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1994)
>>  ldapsam_add_sam_account: failed to modify/add user with uid = 
>> poil-barebone$ (dn = uid=poil-barebone$,ou=Computers,dc=arzur,dc=local)
>> [2005/03/22 09:50:22, 0] 
>> rpc_server/srv_samr_nt.c:_samr_create_user(2272)
>>  could not add user/computer poil-barebone$ to passdb.  Check 
>> permissions?
>> [2005/03/22 09:50:22, 2] smbd/server.c:exit_server(575)
>>  Closing connections
>>
>>
>> Thanks all for helping me!
>>  
>>
>
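What the ACL quoted above grants each bind DN can be checked offline; the following is an added example, not code from the thread, Samba or OpenLDAP: a toy Python evaluator for a simplified subset of slapd.conf ACL semantics, run against a sample ACL constructed from the one posted. It assumes first-match semantics for both `access to` and `by` clauses, handles only the `*`, `dn=`, `dn.one=`, `attrs=` and `filter="(objectClass=X)"` selectors and the `*`, `users`, `anonymous`, `self` and `dn=` subjects, and does not expand `@objectClass` attribute sets, so it is a reading aid, not a substitute for slapd's own evaluation.

```python
import re
def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...]; '#' comments are dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("access to"):
            rules.append((line[9:].strip(), []))
        elif line.startswith("by ") and rules:
            rules[-1][1].append(tuple(line[3:].rsplit(None, 1)))
    return rules
def _what_matches(what, dn, attr, classes):
    """Selectors: *, dn=, dn.one=, attrs=, filter="(objectClass=X)"; dn is lowercase."""
    m = re.search(r'\bdn(?:\.(\w+))?="([^"]+)"', what)
    if m and (dn.partition(",")[2] if m.group(1) == "one" else dn) != m.group(2).lower():
        return False
    m = re.search(r'\bfilter="\(objectClass=([^)]+)\)"', what, re.I)
    if m and m.group(1).lower() not in {c.lower() for c in classes}:
        return False
    m = re.search(r"\battrs=(\S+)", what)
    return not m or attr.lower() in m.group(1).lower().split(",")
def _who_matches(who, bind_dn, target_dn):
    if who in ("*", "users", "anonymous"):  # '' as bind_dn means an anonymous bind
        return who == "*" or bool(bind_dn) == (who == "users")
    if who == "self":
        return bind_dn.lower() == target_dn.lower()
    m = re.match(r'dn="([^"]+)"', who)
    return bool(m) and m.group(1).lower() == bind_dn.lower()
def access_level(rules, bind_dn, target_dn, attr="entry", classes=()):
    """First matching `access to` wins, then its first matching `by`; else `none`.
    Adding uid=...$,ou=Computers needs `write` on `children` of ou=Computers."""
    for what, bys in rules:
        if _what_matches(what, target_dn.lower(), attr, classes):
            for who, level in bys:
                if _who_matches(who, bind_dn, target_dn):
                    return level
            return "none"  # object matched, but no `by` matched the subject
    return "none"

# Constructed sample in the shape of the slapd.conf ACL posted in the thread.
SAMPLE_ACL = """access to attrs=userPassword,sambaNTPassword,sambaLMPassword
       by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
       by dn="cn=nssldap,ou=DSA,dc=arzur,dc=local" write
       by anonymous auth
access to dn.one="dc=arzur,dc=local" filter="(objectClass=sambaDomain)"
       by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
access to dn="ou=Computers,dc=arzur,dc=local"
       by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
access to *
       by self read"""
```

Asked for `children` of ou=Computers it returns write for cn=samba and none for cn=nssldap, which is the distinction Bruno's diagnosis turns on.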