[Samba] ldap guest account mapping looks broken

Eric A. Hall ehall at ehsco.com
Thu Sep 1 18:44:23 GMT 2005


Judging from these lines in the log.smbd file:

| [2005/09/01 01:00:02, 4] lib/smbldap.c:smbldap_open(869)
|   The LDAP server is succesfully connected
| [2005/09/01 01:00:02, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1335)
|   ldapsam_getsampwnam: Unable to locate user [] count=0

and the detailed output from ldap log file:

| Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH
| base="dc=labs,dc=ntrg,dc=com" scope=2 deref=0
| filter="(&(?=undefined)(objectClass=sambaSamAccount))"

it would indeed appear that the "(?=undefined)" LDAP search filter is
being generated by pdb_ldap.c, but a grep through that file doesn't return
any obvious hits.

Anybody got any suggestions here?


On 9/1/2005 1:18 AM, Eric A. Hall wrote:
> I'm running the samba-3.0.20-0.1 SUSE RPM. I was using the
> version that came with 9.3 but upgraded to see if this specific
> problem would go away.
> 
> Guest access does not appear to be working correctly, and it looks
> like the problem is due to guest not getting mapped into the LDAP
> query correctly.
> 
> Specifically, I can log in with a local account, join a workstation to
> the domain, browse shares, and everything else that requires
> authentication, but cannot log in to the domain nor browse the domain in
> Explorer or anything else that requires guest access.
> 
> Looking at the smbd log with loglevel 4 shows:
> 
> [2005/09/01 01:00:02, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
>   Got user=[] domain=[] workstation=[RHINO-VM-PC-1] len1=1 len2=0
> [2005/09/01 01:00:02, 3] smbd/sec_ctx.c:push_sec_ctx(256)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2005/09/01 01:00:02, 3] smbd/uid.c:push_conn_ctx(388)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2005/09/01 01:00:02, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2005/09/01 01:00:02, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/09/01 01:00:02, 3] auth/auth.c:check_ntlm_password(219)
>   check_ntlm_password:  Checking password for unmapped user
> []\[]@[RHINO-VM-PC-1] with the new password interface
> [2005/09/01 01:00:02, 3] auth/auth.c:check_ntlm_password(222)
>   check_ntlm_password:  mapped user is: [LABS]\[]@[RHINO-VM-PC-1]
> [2005/09/01 01:00:02, 3] smbd/sec_ctx.c:push_sec_ctx(256)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2005/09/01 01:00:02, 3] smbd/uid.c:push_conn_ctx(388)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2005/09/01 01:00:02, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2005/09/01 01:00:02, 2] lib/smbldap.c:smbldap_open_connection(630)
>   smbldap_open_connection: connection opened
> [2005/09/01 01:00:02, 3] lib/smbldap.c:smbldap_connect_system(805)
>   ldap_connect_system: succesful connection to the LDAP server
> [2005/09/01 01:00:02, 4] lib/smbldap.c:smbldap_open(869)
>   The LDAP server is succesfully connected
> [2005/09/01 01:00:02, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1335)
>   ldapsam_getsampwnam: Unable to locate user [] count=0
> [2005/09/01 01:00:02, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/09/01 01:00:02, 3] auth/auth_sam.c:check_sam_security(260)
>   check_sam_security: Couldn't find user '' in passdb.
> [2005/09/01 01:00:02, 2] auth/auth.c:check_ntlm_password(317)
>   check_ntlm_password:  Authentication for user [] -> [] FAILED with
> error NT_STATUS_NO_SUCH_USER
> 
> Looking in the slapd log with loglevel 256 shows:
> 
> Sep  1 01:00:02 rhino slapd[8360]: conn=123 fd=28 ACCEPT from
> IP=207.65.71.3:55418 (IP=0.0.0.0:389)
> Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=0 BIND
> dn="***hidden***" method=128
> Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=0 BIND
> dn="uid=root,ou=Users,dc=labs,dc=ntrg,dc=com" mech=SIMPLE ssf=0
> Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=0 RESULT tag=97 err=0
> text=
> Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=1 SRCH base="" scope=0
> deref=0 filter="(objectClass=*)"
> Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=1 SRCH
> attr=supportedControl
> Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=1 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH
> base="dc=labs,dc=ntrg,dc=com" scope=2 deref=0
> filter="(&(?=undefined)(objectClass=sambaSamAccount))"
> Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH attr=uid
> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
> displayName sambaHomeDrive sambaHomePath sambaLogonScript
> sambaProfilePath description sambaUserWorkstations sambaSID
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
> objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
> sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
> sambaLogonHours modifyTimestamp
> Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=2 SEARCH RESULT tag=101
> err=0 nentries=0 text=
> Sep  1 01:00:13 rhino slapd[8360]: conn=123 fd=28 closed
> 
> It looks like "filter="(&(?=undefined)(objectClass=sambaSamAccount))""
> produces zero responses (as would be expected), which is resulting in
> the "Unable to locate user [] count=0" SMB error.
> 
> smb.conf has "guest account = guest"
> 
> The output for "pdbedit --user=guest --verbose" is:
> 
> Unix username:        guest
> NT username:          guest
> Account Flags:        [U          ]
> User SID:             S-1-5-21-284210356-3264030311-3336521042-501
> Primary Group SID:    S-1-5-21-284210356-3264030311-3336521042-514
> Full Name:            Unknown or guest user
> Home Directory:       \\rhino\guest\.9xprofile
> HomeDir Drive:        P:
> Logon Script:         logon.cmd
> Profile Path:         \\rhino\profiles\.msprofile
> Domain:               LABS
> Account desc:         Unknown or guest user
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          Mon, 18 Jan 2038 22:14:07 GMT
> Kickoff time:         Mon, 18 Jan 2038 22:14:07 GMT
> Password last set:    Wed, 31 Aug 2005 22:44:22 GMT
> Password can change:  Wed, 31 Aug 2005 22:44:22 GMT
> Password must change: Mon, 18 Jan 2038 22:14:07 GMT
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> 
> The guest account is defined, is valid, and has a password.
> 
> I'm pretty sure the whole problem here is with the malformed LDAP
> lookup but I could be wrong.
> 
> Anybody got any ideas or suggestions here?
> 
> Thanks
> 
> 
> 

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
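
Added example (not part of the original post): a Python script that pairs each slapd SRCH record with its SEARCH RESULT by conn/op and reports searches whose logged filter contains "(?=undefined)" and returned no entries, the pattern shown in the slapd log above. The sample lines are constructed from the post's log with the mail wrapping removed, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: slapd loglevel-256 lines modelled on the ones in the post,
# with each mail-wrapped record rejoined onto one line.
SAMPLE_LOG = """\
Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH base="dc=labs,dc=ntrg,dc=com" scope=2 deref=0 filter="(&(?=undefined)(objectClass=sambaSamAccount))"
Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH attr=uid uidNumber gidNumber
Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep  1 01:00:13 rhino slapd[8360]: conn=123 fd=28 closed
"""

OP_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) op=(\d+) (.*)$")
FILTER_RE = re.compile(r'^SRCH base="([^"]*)".* filter="(.*)"$')
RESULT_RE = re.compile(r"^SEARCH RESULT .*\berr=(\d+) nentries=(\d+)")


def parse_searches(log_text):
    """Group SRCH and SEARCH RESULT records by (conn, op)."""
    ops = defaultdict(dict)
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue  # ACCEPT/closed lines carry no op= field
        key, rest = (int(m.group(1)), int(m.group(2))), m.group(3)
        if (f := FILTER_RE.match(rest)):
            ops[key].update(base=f.group(1), filter=f.group(2))
        elif (r := RESULT_RE.match(rest)):
            ops[key].update(err=int(r.group(1)), nentries=int(r.group(2)))
    return dict(ops)


def undefined_filter_searches(ops):
    """Return (conn, op) keys whose filter has an undefined term and matched nothing."""
    return sorted(
        key for key, rec in ops.items()
        if "(?=undefined)" in rec.get("filter", "") and rec.get("nentries") == 0
    )


if __name__ == "__main__":
    searches = parse_searches(SAMPLE_LOG)
    for conn, op in undefined_filter_searches(searches):
        rec = searches[(conn, op)]
        print(f"conn={conn} op={op} base={rec['base']!r} filter={rec['filter']!r}")
```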

