[Samba] Domain authentication problem with LDAP

Craig White craigwhite at azapple.com
Mon Mar 20 19:43:13 GMT 2006


On Mon, 2006-03-20 at 14:36 -0500, Daniel Tousignant wrote:
> Craig White <craigwhite at azapple.com> wrote:
> >On Mon, 2006-03-20 at 12:55 -0500, Daniel Tousignant wrote:
> >> Craig White <craigwhite at azapple.com> wrote:
> >> >On Fri, 2006-03-17 at 16:14 -0500, Daniel Tousignant wrote:
> >> >> Craig White <craigwhite at azapple.com> wrote:
> >> >> >On Fri, 2006-03-17 at 15:08 -0500, Daniel Tousignant wrote:
> >> >> >> The objectclass sambaSAMAccount and subsequent fields have been
> >> >> >> created. We are using the standard perl script tools that are
> >> >> >> installed with the mandriva 2006 distro (samba 3.0.13 and
> >> >> >> openldap 2.3.6). What I really do not understand is that if I put
> >> >> >> a user in the standard ldap group "Domain Admins" (gid=512), the
> >> >> >> user is able to logon to the domain, but not when it is in the
> >> >> >> "Domain Users" group (gid=513). What is the big difference for
> >> >> >> Samba between the two? Can it be an ACL problem?
> >> >> >----
> >> >> >not very likely to be an ACL problem.
> >> >> >
> >> >> >net groupmap list|grep Domain
> >> >> 
> >> >> Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) -> Domain Users
> >> >> Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) -> Domain Guests
> >> >> Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) -> Domain Admins
> >> >> Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) -> Domain Machines
> >> >> >
> >> >> >
> >> >> >net getlocalsid
> >> >> 
> >> >> [2006/03/17 16:09:20, 0] utils/net.c:net_getlocalsid(494)
> >> >>   Can't fetch domain SID for name: HIPPOLYTE
> >> >----
> >> >this is a MAJOR problem...it should look like
> >> >
> >> >dn: sambaDomainName=EXAMPLE,dc=example,dc=net
> >> >sambaAlgorithmicRidBase: 1000
> >> >structuralObjectClass: sambaDomain
> >> >objectClass: sambaDomain
> >> >objectClass: sambaUnixIdPool
> >> >sambaSID: S-1-5-21-89274850-471284788-6498272
> >> >sambaDomainName: EXAMPLE
> >> >gidNumber: 1021
> >> >uidNumber: 1095
> >> >
> >> >and should have been created either by hand or by the idealx 'populate'
> >> >script if you followed someone's directions somewhere.
> >> >
> >> >Craig
> >> 
> >> Here is what I have now :
> >> 
> >> [root at hippolyte openldap]# net groupmap list | grep Domain
> >> Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) -> Domain Users
> >> Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) -> Domain Guests
> >> Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) -> Domain Admins
> >> Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) -> Domain Machines
> >> [root at hippolyte openldap]# net getlocalsid
> >> SID for domain HIPPOLYTE is: S-1-5-21-3194588850-3670737847-3710085093
> >> 
> >> ... but I still cannot join an XP workstation to the domain, and a
> >> domain user on Windows 98 cannot logon to the domain, although a
> >> domain admin can. By the way, HIPPOLYTE is the name of the server;
> >> the domain name is INTAIR. Why is the command "net getlocalsid"
> >> returning "SID for domain HIPPOLYTE"?
> >----
> >can you edit it with some type of GUI editor like phpldapadmin or gq?
> 
> yes, we use gq
> >
> >
> >can you fetch it with ldapsearch, modify it with ldapmodify?
> 
> well, I guess not, because this is what I get when I try to execute
> the command:
> 
> [root at hippolyte openldap]# ldapsearch -LLL "(dc=intair)"
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
>         additional info: SASL(-13): user not found: no secret in database
> >
> >
> >can you delete it and then fix it by running smbldap-populate again?
> >(assuming that you have smbldap-tools configuration file fixed)
> 
> The server is a slave ldap server, so we use slapcat on the master, then
> slapadd on the slave to populate it.
----
you do recognize that this is really a one time proposition and from
that point forward, slurpd replicates changes on the master to the
slave, right?

Therefore, the changes must be made to the master and replicated to the
slave. You should probably verify...

- the objectclass sambaDomain on the master
- the objectclass sambaDomain on the slave
that they are correct and the same, and then finally,
- that replication is working properly from master to slave
----
> 
> ... do you have an idea why a member of the group "Domain Admins" is able
> to access the shares, but not a member of the "Domain Users" group? What
> is the difference for samba between the two?
----
I wouldn't know that but perhaps it's in the permissions of the share or
in the general section itself.

Craig
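As an added example (not from the thread, and not Samba's or the smbldap-tools' own code): a POSIX shell check that takes the kind of output quoted above and verifies that the sambaDomain entry on the LDAP master, the copy on the slave, `net getlocalsid` and every `net groupmap list` mapping agree on one domain SID, which is the master/slave comparison Craig asks for. The LDIF entries are constructed for the example (domain INTAIR, base `dc=intair` and the admin DN are assumptions), the `net` and `ldapsearch` commands appear only in comments, and the stale-slave entry is fabricated to show what replication drift looks like to the check.

```shell
#!/bin/sh
# Added example, not part of the thread: cross-check the Samba domain SID
# between `net getlocalsid`, `net groupmap list` and the sambaDomain entry
# on the LDAP master and slave. The inputs below are constructed from the
# output quoted in the thread so the script runs offline; on a real server
# they would come from commands such as:
#   net getlocalsid INTAIR        # with no argument it reports the local server name
#   net groupmap list
#   ldapsearch -x -LLL -H ldap://<master-or-slave> -D "<admin DN>" -W \
#       -b "dc=intair" "(objectClass=sambaDomain)" sambaDomainName sambaSID
# (-x forces a simple bind; without it ldapsearch attempts a SASL bind,
#  which is what produced the "no secret in database" error in the thread.)

GETLOCALSID_OUT='SID for domain HIPPOLYTE is: S-1-5-21-3194588850-3670737847-3710085093'

GROUPMAP_OUT='Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) -> Domain Users
Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) -> Domain Guests
Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) -> Domain Admins
Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) -> Domain Machines'

# Constructed sambaDomain entries (assumed DN layout). The slave copy
# deliberately carries a different SID, the kind of drift a failed slurpd
# replication or a stale slapadd would leave behind.
MASTER_LDIF='dn: sambaDomainName=INTAIR,dc=intair
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: INTAIR
sambaSID: S-1-5-21-3194588850-3670737847-3710085093
sambaAlgorithmicRidBase: 1000'

STALE_SLAVE_LDIF='dn: sambaDomainName=INTAIR,dc=intair
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: INTAIR
sambaSID: S-1-5-21-11111111-22222222-33333333
sambaAlgorithmicRidBase: 1000'

# "SID for domain X is: S-..."  ->  "S-..."
sid_from_getlocalsid() {
    printf '%s\n' "$1" | sed -n 's/^SID for domain .* is: *\(S-[0-9-]*\).*/\1/p'
}

# First sambaSID attribute in an LDIF dump  ->  "S-..."
sid_from_ldif() {
    printf '%s\n' "$1" | sed -n 's/^sambaSID: *\(S-[0-9-]*\).*/\1/p' | head -n 1
}

# Number of group mappings whose SID is not "<domain SID>-<RID>".
# Lines without a "(S-...)" field (wrapped continuation lines) are ignored.
groupmap_mismatches() {
    printf '%s\n' "$2" | sed -n 's/^[^(]*(\(S-[0-9-]*\)).*/\1/p' |
        awk -v d="$1-" 'index($0, d) != 1 { n++ } END { print n + 0 }'
}

# Exit 0 when master, slave, net getlocalsid and every group mapping agree
# on one domain SID; otherwise report each disagreement and exit 1.
check_domain_sid() {
    master=$(sid_from_ldif "$1")
    slave=$(sid_from_ldif "$2")
    local_sid=$(sid_from_getlocalsid "$3")
    bad=$(groupmap_mismatches "$master" "$4")
    status=0
    [ -n "$master" ] || { echo "master has no sambaDomain entry with a sambaSID"; status=1; }
    [ "$master" = "$slave" ] || { echo "slave SID '$slave' != master SID '$master'"; status=1; }
    [ "$master" = "$local_sid" ] || { echo "net getlocalsid SID '$local_sid' != LDAP SID '$master'"; status=1; }
    [ "$bad" -eq 0 ] || { echo "$bad group mapping(s) not under domain SID $master"; status=1; }
    return $status
}

# Stand-alone run: a consistent master/slave pair, then the stale-slave case.
check_domain_sid "$MASTER_LDIF" "$MASTER_LDIF" "$GETLOCALSID_OUT" "$GROUPMAP_OUT" && echo "consistent"
check_domain_sid "$MASTER_LDIF" "$STALE_SLAVE_LDIF" "$GETLOCALSID_OUT" "$GROUPMAP_OUT" || echo "drift detected"
```

Each check is a separate function so the pieces can be pointed at live output one at a time: feed `sid_from_ldif` the ldapsearch result from the master and from the slave, and `groupmap_mismatches` the real `net groupmap list`. A non-zero mismatch count means the group mappings were built against a different domain SID than the one LDAP now holds, which is exactly the situation the thread's `net getlocalsid` failure and later repair could have produced.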
