[Samba] Authentication confusion - may be LDAP related

Ric Tibbetts rtibbetts at lanl.gov
Tue Sep 27 16:44:51 GMT 2005


I think I may have a clue about what's going wrong in my little 
environment here, but I could really use a more experienced eye on it.
I've been having some strange authentication problems on a new 
install. With some digging, I may have a "clue" about what's going wrong.

Some background: I'm only looking to use samba to share Unix 
directories to the Windows community. I'm not looking to build a full 
up login server. This is usually a VERY basic, and simple thing to 
to. You simply have to be sure that the windows users also have a 
matching account on the *nix side (doesn't need to be an smbpasswd 
account, just a very generic *nix account). I've done this several 
times, so when it blew up on me this time, it has caused me some 
sleepless nights trying to figure out.

Here goes:

In the last install I did ( at another company ), I did a very simple 
install, and it worked for what it was needed to do (simply provide 
the windows users with access to Unix directories, via shares). I 
didn't need a login controller, and I don't now.

In that case, there was an LDAP server that validated Unix logins, 
but I pretty much just ignored it, and all was well. The *nix OS 
handled the authentication just fine (a very basic setup. For this 
kind of setup, the user only has to exist. The OS could check that 
very easily).

So, I was trying to do the same here. When nothing would work right 
without making samba specific users (via smbpasswd), I started 
digging into the LDAP server. This environment is tortured. Here's 
what I found.

On the Windows ADS, user IDs are pure numeric.
So, for example, my Windows login is:  123456

Unix doesn't like that.So the unix logins are:  u123456

Handling the translation for samba is just a usermap entry   u123456 = 123456

Should be simple enough. But I'm getting No Such User errors. So I 
dug into the LDAP server.
The user identification is strange. the dn: here looks like:

dn: username=u123456,ou=aixuser,cn=aixsecdb,cn=aixdata
uid: 1040
username: u123456

with u123456 being my *nix login.

To me, this looks very wrong (not to mention that there's no dc=).
My last LDAP server it looked like:

dn: uid=tibbetts,ou=People,dc=ldap-test,dc=com
uidNumber: 123456
uid: tibbetts

with "tibbetts" being my login.

If I'm seeing this right, shouldn't the login be the "uid" not 
"username"? Is that what Samba is looking for?
With the login being set to username, and uid being (what should be) 
the uidNumber, I believe that it's confusing Samba, and that's why 
I'm getting the user not found errors.
Is a way to work around this? Or am I just SOL?

Or am I all wet, and looking in the wrong place?
I'd really appreciate a fresh set of eyes on this.

Thanks in advance for any advice on this one!!!


More information about the samba mailing list