[Samba] Authentication confusion - may be LDAP related
rtibbetts at lanl.gov
Tue Sep 27 16:44:51 GMT 2005
I think I may have a clue about what's going wrong in my little
environment here, but I could really use a more experienced eye on it.
I've been having some strange authentication problems on a new
install. With some digging, I may have a "clue" about what's going wrong.
Some background: I'm only looking to use samba to share Unix
directories to the Windows community. I'm not looking to build a full
up login server. This is usually a VERY basic, and simple thing to
to. You simply have to be sure that the windows users also have a
matching account on the *nix side (doesn't need to be an smbpasswd
account, just a very generic *nix account). I've done this several
times, so when it blew up on me this time, it has caused me some
sleepless nights trying to figure out.
In the last install I did ( at another company ), I did a very simple
install, and it worked for what it was needed to do (simply provide
the windows users with access to Unix directories, via shares). I
didn't need a login controller, and I don't now.
In that case, there was an LDAP server that validated Unix logins,
but I pretty much just ignored it, and all was well. The *nix OS
handled the authentication just fine (a very basic setup. For this
kind of setup, the user only has to exist. The OS could check that
So, I was trying to do the same here. When nothing would work right
without making samba specific users (via smbpasswd), I started
digging into the LDAP server. This environment is tortured. Here's
what I found.
On the Windows ADS, user IDs are pure numeric.
So, for example, my Windows login is: 123456
Unix doesn't like that.So the unix logins are: u123456
Handling the translation for samba is just a usermap entry u123456 = 123456
Should be simple enough. But I'm getting No Such User errors. So I
dug into the LDAP server.
The user identification is strange. the dn: here looks like:
with u123456 being my *nix login.
To me, this looks very wrong (not to mention that there's no dc=).
My last LDAP server it looked like:
with "tibbetts" being my login.
If I'm seeing this right, shouldn't the login be the "uid" not
"username"? Is that what Samba is looking for?
With the login being set to username, and uid being (what should be)
the uidNumber, I believe that it's confusing Samba, and that's why
I'm getting the user not found errors.
Is a way to work around this? Or am I just SOL?
Or am I all wet, and looking in the wrong place?
I'd really appreciate a fresh set of eyes on this.
Thanks in advance for any advice on this one!!!
More information about the samba