[Samba] Two Locations, One Domain - LDAP Auth Failure

Andy samba at andrewsmith.plus.com
Tue Sep 20 12:49:11 GMT 2005


Hi Dirk, thanks for your reply!

I definitely want to go down the BDC route so that I always log on to the nearest server. The link between the two isn't really an issue - both have a DSL connection to the internet.

I started by modifying my smb.conf files so that each server is a local master for its subnet, but only the uni box is domain master. After fiddling with the 'remote announce' and 'remote browse sync' I can now view both servers from a workstation at home (*not* joined to the domain yet). So far so good!

Ok, so LDAP it is... I've followed the tutorial at http://www.idealx.org/prj/samba/smbldap-howto.en.html up to the end of section 5.1, and although I can successfully create and remove accounts, and log on to said accounts over SSH, I cannot connect to the samba server at uni using the credentials of a user in LDAP. The only problem I ran into with that tutorial was the following error when starting slapd after making the changes in section 5.1:

Checking configuration files for slapd:  /etc/openldap/slapd.conf: line 93: unknown attr "sambaPrivilegeList" in to clause

So I simply removed 'sambaPrivilegeList' from slapd.conf. I don't know if this is causing samba's authentication to fail... any ideas why slapd moaned about this and how to fix it?

Anyway, Uni server is ALPHA, the PDC for domain OMEGA. Home server is GAMMA, home workstation is DELTA. User 'andy' can log in to ALPHA over SSH, but not samba. Increasing the log level to 3 and looking at the access log for DELTA on ALPHA when DELTA tries to connect as user 'andy' to view shares:

[2005/09/20 12:44:41, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/09/20 12:44:41, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/09/20 12:44:41, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/09/20 12:44:41, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/09/20 12:44:41, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user [DELTA]\[andy]@[DELTA] with the new password interface
[2005/09/20 12:44:41, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [OMEGA]\[andy]@[DELTA]
[2005/09/20 12:44:41, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/09/20 12:44:41, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/09/20 12:44:41, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/09/20 12:44:41, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/09/20 12:44:41, 3] lib/smbldap.c:smbldap_connect_system(866)
  ldap_connect_system: succesful connection to the LDAP server
  ldap_connect_system: LDAP server does not support paged results
[2005/09/20 12:44:41, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/09/20 12:44:41, 3] auth/auth_sam.c:check_sam_security(257)
  check_sam_security: Couldn't find user 'andy' in passdb.
[2005/09/20 12:44:41, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [OMEGA] was for this SAM.
[2005/09/20 12:44:41, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [andy] -> [andy] FAILED with error NT_STATUS_NO_SUCH_USER
[2005/09/20 12:44:41, 3] smbd/process.c:timeout_processing(1334)
  timeout_processing: End of file from client (client has disconnected).
[2005/09/20 12:44:41, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/09/20 12:44:41, 2] smbd/server.c:exit_server(609)
  Closing connections
[2005/09/20 12:44:41, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to 
[2005/09/20 12:44:41, 3] smbd/server.c:exit_server(652)
  Server exit (normal exit)

It looks like the line "ldap_connect_system: LDAP server does not support paged results" indicates the problem here, however I have no idea what it means or how to fix it. (Running OpenLDAP 2.2.23-5)

Any suggestions as to what's wrong?

Thanks again,

Andy


--- On Tue Sep 20 10:53 , <Dirk.Laurenz at fujitsu-siemens.com> sent: ---

>Hello Andy,
>
>You should set up a samba domain w/ a PDC and BDC or a dial up line and a local wins server at home (but using a bdc is better).
>Moreover you should use an ldap backend. This should be your setup:
>
>
>		[HOME]  	---DIAL UP LINE--->	[UNI]
>
>		[SERVER 1]					[SERVER 2]
>		  -OpenLDAP / Slave			  -OpenLDAP / Master
>		  -Samba / BDC  				  -Samba / PDC
>
>I recommend having a flat rate between UNI and HOME
>
>Kind regards,
>
>
>
>Dirk Laurenz
>Systems Engineer	
>
>Fujitsu Siemens Computers
>S CE DE SE PS N/O
>Sales Central Europe Deutschland 
>Professional Service Nord / Ost
>
>Hildesheimer Strasse 25
>30880 Laatzen
>Germany
>
>Telephone:	+49 (511) 84 89 - 18 08
>Telefax:	+49 (511) 84 89 - 25 18 08
>Mobile:	+49 (170) 22 10 781
>Email:	dirk.laurenz at fujitsu-siemens.com
>Internet:	http://www.fujitsu-siemens.com
>            http://www.fujitsu-siemens.de/services/index.html
>*******************************************************************************************************************
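The level-3 smbd excerpt in Andy's message is long, and the lines that actually decide the outcome are easy to miss among the sec_ctx push/pop noise. The following Python script is an added example (not part of the original post, and not Samba's own code) that parses smbd's two-line entry format (a bracketed `[date, level] file:function(line)` header followed by indented message lines), splits the stream into one chunk per `check_ntlm_password` attempt, and reduces each attempt to a single record: requested and mapped domain, user, client, whether the passdb lookup found the account, and the final NT_STATUS code. It also counts failures per (user, client, status), which is the view you want when reviewing a PDC log for repeated NT_STATUS_NO_SUCH_USER or NT_STATUS_WRONG_PASSWORD from one host. The regular expressions and the `SAMPLE_LOG` string are built from the message formats visible in the post; the sample is a trimmed copy of that log, not a new capture. Note that the "LDAP server does not support paged results" line is logged at level 3 as information about the server's supported controls; the record below shows that the attempt failed because the passdb lookup for 'andy' came back empty.

```python
"""Summarise smbd authentication attempts from a level-3 log.

Added example for the thread above; not code from the original post or from
Samba.  It parses the smbd log format shown in the post and collapses each
check_ntlm_password sequence into one record so that failures can be
reviewed or counted without reading every sec_ctx line.
"""
import re
from collections import Counter

# Header line of an smbd log entry: [YYYY/MM/DD HH:MM:SS, level] file:function(line)
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
# "Checking password for unmapped user [DOMAIN]\[user]@[CLIENT] ..."
UNMAPPED_RE = re.compile(r"unmapped user \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
# "mapped user is: [DOMAIN]\[user]@[CLIENT]"
MAPPED_RE = re.compile(r"mapped user is: \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
# "check_sam_security: Couldn't find user 'x' in passdb."
PASSDB_MISS_RE = re.compile(r"Couldn't find user '([^']*)' in passdb")
# "Authentication for user [x] -> [y] FAILED with error NT_STATUS_..."
RESULT_RE = re.compile(r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] FAILED with error (\S+)")

# Constructed sample: a trimmed copy of the log excerpt in the post above.
SAMPLE_LOG = """\
[2005/09/20 12:44:41, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user [DELTA]\\[andy]@[DELTA] with the new password interface
[2005/09/20 12:44:41, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [OMEGA]\\[andy]@[DELTA]
[2005/09/20 12:44:41, 3] lib/smbldap.c:smbldap_connect_system(866)
  ldap_connect_system: succesful connection to the LDAP server
  ldap_connect_system: LDAP server does not support paged results
[2005/09/20 12:44:41, 3] auth/auth_sam.c:check_sam_security(257)
  check_sam_security: Couldn't find user 'andy' in passdb.
[2005/09/20 12:44:41, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [OMEGA] was for this SAM.
[2005/09/20 12:44:41, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [andy] -> [andy] FAILED with error NT_STATUS_NO_SUCH_USER
"""


def parse_smbd_log(text):
    """Turn raw smbd log text into a list of entries.

    Each entry is a dict with the timestamp, level (int), source location and
    the message lines (joined with newlines) that followed the header.
    """
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            entries.append({"time": m.group(1), "level": int(m.group(2)),
                            "location": m.group(3), "message": ""})
        elif entries and raw.startswith("  "):
            # Indented continuation line belongs to the most recent header.
            entries[-1]["message"] += raw.strip() + "\n"
    return entries


def split_auth_sequences(entries):
    """Group entries into one chunk per authentication attempt; a new chunk
    starts at every 'Checking password for unmapped user' line."""
    chunks = []
    for e in entries:
        if "Checking password for unmapped user" in e["message"]:
            chunks.append([])
        if chunks:
            chunks[-1].append(e)
    return chunks


def summarize_auth(entries):
    """Collapse the entries of one attempt into a single record."""
    rec = {"time": None, "client": None, "requested_domain": None, "user": None,
           "mapped_domain": None, "passdb_lookup": None, "status": None, "nt_status": None}
    for e in entries:
        msg = e["message"]
        if (m := UNMAPPED_RE.search(msg)):
            rec["time"] = e["time"]
            rec["requested_domain"], rec["user"], rec["client"] = m.groups()
        if (m := MAPPED_RE.search(msg)):
            rec["mapped_domain"] = m.group(1)
        if PASSDB_MISS_RE.search(msg):
            # With an LDAP passdb backend this means no entry matched Samba's
            # account filter, even if the same uid works for SSH/PAM logins.
            rec["passdb_lookup"] = "missing"
        if (m := RESULT_RE.search(msg)):
            rec["status"], rec["nt_status"] = "FAILED", m.group(3)
    if rec["status"] is None and rec["user"] is not None:
        rec["status"] = "no result logged"  # attempt cut short or still in progress
    return rec


def summarize_log(text):
    """Parse a whole log and return one record per authentication attempt."""
    return [summarize_auth(chunk) for chunk in split_auth_sequences(parse_smbd_log(text))]


def failure_counts(records):
    """Count failed attempts by (user, client, NT_STATUS) for quick review."""
    return Counter((r["user"], r["client"], r["nt_status"])
                   for r in records if r["status"] == "FAILED")


if __name__ == "__main__":
    records = summarize_log(SAMPLE_LOG)
    for r in records:
        print(r)
    print(failure_counts(records))
```

Run against a real `log.<client>` file by reading it into a string and passing it to `summarize_log`; each record's `passdb_lookup` and `nt_status` fields tell you at a glance whether the account was never found or whether the password check itself failed.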

