[Samba] Domain authentication problem with LDAP

Daniel Tousignant daniel_tousignant at travelcom.com
Mon Mar 20 19:36:19 GMT 2006


Craig White <craigwhite at azapple.com> wrote:
>On Mon, 2006-03-20 at 12:55 -0500, Daniel Tousignant wrote:
>> Craig White <craigwhite at azapple.com> wrote:
>> >On Fri, 2006-03-17 at 16:14 -0500, Daniel Tousignant wrote:
>> >> Craig White <craigwhite at azapple.com> wrote:
>> >> >On Fri, 2006-03-17 at 15:08 -0500, Daniel Tousignant wrote:
>> >> >> The objectclass sambaSAMAccount and subsequent fields have been
>> >> >> created. We are using the standard perl script tools that are installed
>> >> >> with the mandriva 2006 distro (samba 3.0.13 and openldap 2.3.6).
>> >> >> What I really do not understand is that if I put a user in the standard
>> >> >> ldap group "Domain Admins" (gid=512), the user is able to logon to the
>> >> >> domain, but not when it is in the "Domain Users" group (gid=513). What
>> >> >> is the big difference for Samba between the two? Can it be an ACL
>> >> >> problem?
>> >> >----
>> >> >not very likely to be an ACL problem.
>> >> >
>> >> >net groupmap list|grep Domain
>> >> 
>> >> Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) -> Domain Users
>> >> Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) -> Domain Guests
>> >> Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) -> Domain Admins
>> >> Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) -> Domain Machines
>> >> >
>> >> >
>> >> >net getlocalsid
>> >> 
>> >> [2006/03/17 16:09:20, 0] utils/net.c:net_getlocalsid(494)
>> >>   Can't fetch domain SID for name: HIPPOLYTE
>> >----
>> >this is a MAJOR problem...it should look like
>> >
>> >dn: sambaDomainName=EXAMPLE,dc=example,dc=net
>> >sambaAlgorithmicRidBase: 1000
>> >structuralObjectClass: sambaDomain
>> >objectClass: sambaDomain
>> >objectClass: sambaUnixIdPool
>> >sambaSID: S-1-5-21-89274850-471284788-6498272
>> >sambaDomainName: EXAMPLE
>> >gidNumber: 1021
>> >uidNumber: 1095
>> >
>> >and should have been created either by hand or by the idealx 'populate'
>> >script if you followed someone's directions somewhere.
>> >
>> >Craig
>> 
>> Here is what I have now :
>> 
>> [root at hippolyte openldap]# net groupmap list | grep Domain
>> Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) -> Domain Users
>> Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) -> Domain Guests
>> Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) -> Domain Admins
>> Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) -> Domain Machines
>> [root at hippolyte openldap]# net getlocalsid
>> SID for domain HIPPOLYTE is: S-1-5-21-3194588850-3670737847-3710085093
>> 
>>  ... but I still cannot join an xp workstation to the domain, and a domain
>> user on windows 98 cannot logon to the domain, although a domain admin can.
>> By the way, HIPPOLYTE is the name of the server; the domain name is INTAIR.
>> Why is the command "net getlocalsid" returning "SID for domain HIPPOLYTE"
>----
>can you edit it with some type of GUI editor like phpLDAPadmin or gq?

yes, we use gq
>
>
>can you fetch it with ldapsearch, modify it with ldapmodify?

well, I guess not, because this is what I get when I try to execute
the command:

[root at hippolyte openldap]# ldapsearch -LLL "(dc=intair)"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
        additional info: SASL(-13): user not found: no secret in database
>
>
>can you delete it and then fix it by running smbldap-populate again?
>(assuming that you have smbldap-tools configuration file fixed)

The server is a slave ldap server, so we use slapcat on the master, then
slapadd on the slave to populate it.

 ... do you have an idea why a member of the group "Domain Admins" is able
to access the shares, but not a member of the "Domain Users" group? What
is the difference for samba between the two?

Daniel Tousignant
IT Support
Intair Transit
E-mail: daniel_tousignant at travelcom.com
Telephone: (514) 286-8515 ext. 3326
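The thread compares the output of `net groupmap list` with `net getlocalsid` by eye. The following is an added example, not code from the thread or from Samba: it parses both outputs (the sample strings are constructed from the lines quoted above) and reports the inconsistencies a defender would check first, a missing domain SID, group mappings whose SID prefix does not match the domain SID, and missing well-known RIDs 512/513.

```python
import re

# Constructed sample output, copied from the `net` commands shown in the thread.
GROUPMAP_OUTPUT = """\
Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) -> Domain Users
Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) -> Domain Guests
Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) -> Domain Admins
Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) -> Domain Machines
"""
LOCALSID_OK = "SID for domain HIPPOLYTE is: S-1-5-21-3194588850-3670737847-3710085093\n"
LOCALSID_BROKEN = ("[2006/03/17 16:09:20, 0] utils/net.c:net_getlocalsid(494)\n"
                   "  Can't fetch domain SID for name: HIPPOLYTE\n")

SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+")
GROUPMAP_RE = re.compile(r"^(.*?) \((S-1-5-21-\d+-\d+-\d+)-(\d+)\) -> (.*)$")


def parse_groupmap(text):
    """Return {windows group name: (domain SID prefix, RID, unix group)}."""
    groups = {}
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line.strip())
        if m:
            name, prefix, rid, unix_group = m.groups()
            groups[name] = (prefix, int(rid), unix_group)
    return groups


def parse_localsid(text):
    """Return the domain SID printed by `net getlocalsid`, or None on failure."""
    m = SID_RE.search(text)
    return m.group(0) if "is:" in text and m else None


def check_domain(groupmap_text, localsid_text):
    """Return a list of problems found when cross-checking the two outputs."""
    problems = []
    domain_sid = parse_localsid(localsid_text)
    groups = parse_groupmap(groupmap_text)
    if domain_sid is None:
        problems.append("net getlocalsid returned no SID: the sambaDomain entry is missing or unreadable")
    rids = {}
    for name, (prefix, rid, _unix) in groups.items():
        if domain_sid and prefix != domain_sid:
            problems.append(f"{name}: SID prefix {prefix} differs from domain SID {domain_sid}")
        rids[rid] = name
    for rid, wanted in ((512, "Domain Admins"), (513, "Domain Users")):
        if rid not in rids:
            problems.append(f"no group mapping for RID {rid} ({wanted})")
    return problems
```

With the failing `net getlocalsid` output from the thread, the check reports the missing domain SID; with the later working output it reports nothing, since every mapping shares the domain's SID prefix.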
