[Samba] Samba 3 PDC with ldapsam and login problem
Marian Steinbach
marian at kisd.de
Sun May 1 10:43:01 GMT 2005
Hi,
<foreword>
I am about to set up Samba 3.0.14a on Linux as PDC with LDAP backend for
our faculty. However, first tries have only partly been successful.
First I added samba LDAP-Schema attributes to existing accounts, created
their Samba passwords with smbpasswd and it worked so that normal users
could log in via the windows network neighborhood and use the shares.
But, I couldn't manage to join machines to the domain. So I backed off
and started from scratch.
</foreword>
The current LDAP directory only contains more or less what
"smbldap-populate" creates. I will paste the LDIF at the end of this mail.
When I try to log in via

    smbclient -L localhost -U root

I get the following message:

    Domain=[KISD] OS=[Unix] Server=[Samba 3.0.14a-Debian]
    tree connect failed: NT_STATUS_ACCESS_DENIED

The password should be correct. When I enter a wrong password, the
message is NT_STATUS_LOGON_FAILURE.
The LDAP log (also pasted below) shows that the search for a
sambaGroupMapping with gidNumber=0 fails.
'root', as created by smbldap-populate, has gidNumber=0 (which makes
sense to me). But there is no group having gidNumber=0 in my LDAP
directory. Is that the reason why Samba can't authorize root? (In an NIS
environment, only a group "root" should have the gidNumber=0)
The group "Domain Admins" as smbldap-populate creates it has
gidNumber=512. And that group has memberUid=root.
Can anybody tell me what I have to tweak in order to be able to proceed?
I appreciate any help!
Marian
==== testparm output ============================================
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[Profiles]"
Processing section "[netlogon]"
Processing section "[Gruppen]"
Processing section "[Transit]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
==== LDAP server log ============================================
May 1 12:01:50 hal slapd[6914]: conn=11 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
May 1 12:01:50 hal slapd[6914]: conn=11 op=1 SRCH attr=supportedControl
May 1 12:01:50 hal slapd[6914]: conn=11 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 1 12:01:50 hal slapd[6914]: conn=11 op=2 SRCH base="ou=DS,o=Fachhochschule Koeln,c=DE" scope=2 deref=0 filter="(&(uid=root)(objectClass=sambaSamAccount))"
May 1 12:01:50 hal slapd[6914]: conn=11 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
May 1 12:01:50 hal slapd[6914]: conn=11 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 1 12:01:50 hal slapd[6914]: conn=11 op=3 SRCH base="ou=Group,ou=DS,o=Fachhochschule Koeln,c=DE" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=0))"
May 1 12:01:50 hal slapd[6914]: conn=11 op=3 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
May 1 12:01:50 hal slapd[6914]: conn=11 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 1 12:01:50 hal slapd[6914]: conn=11 fd=24 closed
==== LDIF representation of our directory: =======================
dn: ou=DS,o=Fachhochschule Koeln,c=DE
ou: DS
objectClass: organizationalUnit

dn: ou=People, ou=DS,o=Fachhochschule Koeln,c=DE
ou: People
objectClass: organizationalUnit

dn: ou=Group, ou=DS,o=Fachhochschule Koeln,c=DE
ou: Group
objectClass: organizationalUnit

dn: ou=Computers, ou=DS,o=Fachhochschule Koeln,c=DE
ou: Computers
objectClass: organizationalUnit

dn: uid=root,ou=People, ou=DS,o=Fachhochschule Koeln,c=DE
sambaLMPassword: ***secret***
sambaPrimaryGroupSID: S-1-5-21-2224407680-2312910263-3502601358-512
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: ***secret***
sambaLogonTime: 0
sambaHomeDrive: Z:
uid: root
uidNumber: 0
cn: root
sambaLogoffTime: 2147483647
sambaPwdLastSet: 1114941311
loginShell: /bin/bash
sambaAcctFlags: [U ]
gidNumber: 0
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1
sambaNTPassword: ***secret***
gecos: Netbios Domain Administrator
sambaSID: S-1-5-21-2224407680-2312910263-3502601358-500
homeDirectory: /root
sambaKickoffTime: 2147483647
sn: root
sambaPasswordHistory:
 0000000000000000000000000000000000000000000000000000000
 000000000

dn: uid=nobody,ou=People, ou=DS,o=Fachhochschule Koeln,c=DE
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaPrimaryGroupSID: S-1-5-21-2224407680-2312910263-3502601358-514
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
sambaLogonTime: 0
sambaHomeDrive: Z:
uid: nobody
uidNumber: 999
cn: nobody
sambaLogoffTime: 2147483647
sambaPwdLastSet: 0
loginShell: /bin/false
sambaAcctFlags: [NUD ]
gidNumber: 514
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 0
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaSID: S-1-5-21-2224407680-2312910263-3502601358-2998
homeDirectory: /dev/null
sambaKickoffTime: 2147483647
sn: nobody

dn: cn=Domain Admins,ou=Group, ou=DS,o=Fachhochschule Koeln,c=DE
gidNumber: 512
sambaSID: S-1-5-21-2224407680-2312910263-3502601358-512
memberUid: root
sambaGroupType: 2
displayName: Domain Admins
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Administrators
cn: Domain Admins

dn: cn=Domain Users,ou=Group, ou=DS,o=Fachhochschule Koeln,c=DE
gidNumber: 513
sambaSID: S-1-5-21-2224407680-2312910263-3502601358-513
sambaGroupType: 2
displayName: Domain Users
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Users
cn: Domain Users

dn: cn=Domain Guests,ou=Group, ou=DS,o=Fachhochschule Koeln,c=DE
gidNumber: 514
sambaSID: S-1-5-21-2224407680-2312910263-3502601358-514
sambaGroupType: 2
displayName: Domain Guests
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Guests Users
cn: Domain Guests

dn: cn=Domain Computers,ou=Group, ou=DS,o=Fachhochschule Koeln,c=DE
gidNumber: 515
sambaSID: S-1-5-21-2224407680-2312910263-3502601358-515
sambaGroupType: 2
displayName: Domain Computers
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Computers accounts
cn: Domain Computers

dn: cn=Administrators,ou=Group, ou=DS,o=Fachhochschule Koeln,c=DE
gidNumber: 544
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Members can fully administer the computer/sambaDomainName
cn: Administrators

dn: cn=Account Operators,ou=Group, ou=DS,o=Fachhochschule Koeln,c=DE
gidNumber: 548
sambaSID: S-1-5-32-548
sambaGroupType: 5
displayName: Account Operators
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Users to manipulate users accounts
cn: Account Operators

dn: cn=Print Operators,ou=Group, ou=DS,o=Fachhochschule Koeln,c=DE
gidNumber: 550
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Print Operators
cn: Print Operators

dn: cn=Backup Operators,ou=Group, ou=DS,o=Fachhochschule Koeln,c=DE
gidNumber: 551
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Members can bypass file security to back up files
cn: Backup Operators

dn: cn=Replicators,ou=Group, ou=DS,o=Fachhochschule Koeln,c=DE
gidNumber: 552
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Supports file replication in a sambaDomainName
cn: Replicators

dn: sambaDomainName=KISD, ou=DS,o=Fachhochschule Koeln,c=DE
sambaSID: S-1-5-21-2224407680-2312910263-3502601358
gidNumber: 1000
uidNumber: 1000
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: KISD
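
The condition visible in the slapd log above (the `(&(objectClass=sambaGroupMapping)(gidNumber=0))` search returning `nentries=0`) can be checked offline against an LDIF export. The following is an added example, not part of the original post: the sample entries, DNs and SIDs are constructed, and `parse_ldif`, `of_class` and `unmapped_accounts` are hypothetical helper names.

```python
SAMPLE_LDIF = """\
dn: uid=root,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: root
gidNumber: 0
sambaPrimaryGroupSID: S-1-5-21-1-2-3-512

dn: uid=nobody,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: nobody
gidNumber: 514
sambaPrimaryGroupSID: S-1-5-21-1-2-3-514

dn: cn=Domain Admins,ou=Group,dc=example,dc=org
objectClass: sambaGroupMapping
gidNumber: 512
sambaSID: S-1-5-21-1-2-3-512

dn: cn=Domain Guests,ou=Group,dc=example,dc=org
objectClass: sambaGroupMapping
gidNumber: 514
sambaSID: S-1-5-21-1-2-3-514
"""  # constructed sample; DNs and SIDs are made up for this example

def parse_ldif(text):
    """Minimal LDIF reader (no base64 decoding): list of {attr: [values]}."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold wrapped lines
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.lower(), []).append(value.lstrip(": ").strip())
        if entry:
            entries.append(entry)
    return entries

def of_class(entries, name):
    return [e for e in entries if name.lower() in map(str.lower, e.get("objectclass", []))]

def unmapped_accounts(entries):
    """(uid, gidNumber, gidNumber the primary group SID maps to) per failed lookup."""
    groups = of_class(entries, "sambaGroupMapping")
    sid_to_gid = {g["sambasid"][0]: g["gidnumber"][0] for g in groups}
    return [(a["uid"][0], a["gidnumber"][0], sid_to_gid.get(a["sambaprimarygroupsid"][0]))
            for a in of_class(entries, "sambaSamAccount")
            if a["gidnumber"][0] not in sid_to_gid.values()]

if __name__ == "__main__":
    for uid, gid, sid_gid in unmapped_accounts(parse_ldif(SAMPLE_LDIF)):
        print(f"{uid}: no sambaGroupMapping for gidNumber={gid}; primary group SID maps to {sid_gid}")
```

For the constructed sample it reports `root`, whose `gidNumber` of 0 has no group mapping while its `sambaPrimaryGroupSID` belongs to the group with `gidNumber` 512.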