[Samba] ldapsam:trusted = yes : trouble getting it to work
Webmaster / Andrei Iordache
webmaster at sologics.ro
Sun May 21 01:48:28 GMT 2006
I have been trying for a while now to set the parameter ‘ldapsam:trusted’ to ‘yes’ in smb.conf, but as soon as I enable it, users cannot access shares anymore. I am trying to enable this because the users are members of a lot of groups and I want to take the stress off the ldap server. I have searched the lists for previous posts with the same problem and tried to figure out if it has been answered already. It seems that people had similar problems, but even with that information I don’t seem to get a hold of it.
The shares are set up as this example:
[root@fc4 shares]# pwd
/home/samba/shares
[root@fc4 shares]# ls -la
...
drwxrwx--- 2 nobody consultanta 4096 May 20 04:55 consultanta
...
So a user has to be in ‘consultanta’ group to access the share.
In smb.conf I have:
ldap admin dn = "cn=DomainAdmin,dc=kapitalgrup,dc=ro"
ldap ssl = off
passdb backend = ldapsam:ldap://127.0.0.1
ldap delete dn = no
ldap suffix = dc=kapitalgrup,dc=ro
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap passwd sync = Yes
ldapsam:trusted = yes
ldap ssl = No
...
[consultanta]
comment = Echipa de Consultanta
path = /home/samba/shares/consultanta
writeable = Yes
valid users = +consultanta
force user = nobody
force group = consultanta
create mask = 0771
directory mask = 0770
default case = lower
preserve case = No
short preserve case = No
map archive = Yes
map hidden = Yes
map system = Yes
In ldap the entries are as this example:
dn: uid=andrei.iordache,ou=people,dc=kapitalgrup,dc=ro
accountStatus: active
cn: Andrei Iordache
gidNumber: 100
givenName: Andrei
loginShell: /bin/bash
mail: andrei.iordache@dom1
mail: andrei.iordache@dom2
mail: andrei@dom1
mail: andrei@dom2
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: qmailUser
objectClass: sambaSamAccount
qmailGID: 100
qmailUID: 1005
sambaAcctFlags: [U ]
sambaLMPassword: AC3B233F668007D8AAD3B435B51404EE
sambaNTPassword: 64E9DFEC4AEB99D85474C4CC4D1BA326
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPrimaryGroupSID: S-1-5-21-1777914830-570136335-1763571043-513
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-1777914830-570136335-1763571043-3010
shadowExpire: -1
shadowFlag: 0
shadowInactive: -1
shadowMax: 999999
shadowMin: -1
shadowWarning: 7
sn: Iordache
uidNumber: 1005
sambaPwdCanChange: 1147436629
sambaPwdLastSet: 1147436629
userPassword: {crypt}$1$E5cL0mtc$pCQcAFjCRamoomGB20C2R/
shadowLastChange: 13280
displayName: Andrei Iordache
homeDirectory: /home/andrei.iordache
mailMessageStore: /home/andrei.iordache/Maildir/
uid: andrei.iordache

dn: cn=users,ou=groups,dc=kapitalgrup,dc=ro
cn: users
description: Local Unix group
displayName: Domain Users
gidNumber: 100
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-1777914830-570136335-1763571043-513

dn: cn=consultanta,ou=groups,dc=kapitalgrup,dc=ro
objectClass: top
objectClass: posixGroup
cn: consultanta
gidNumber: 1007
memberUid: andrei.iordache
memberUid: other.members
...
I can list the shares on the server after I type in the correct user name and password, but I cannot access this one. I can access the home dir and the public shares. I see this at some point in the smbd.log (log level = 10):
[2006/05/20 05:06:05, 5] smbd/service.c:make_connection(807)
making a connection to 'normal' service consultanta
[2006/05/20 05:06:05, 3] lib/access.c:check_access(313)
check_access: no hostnames in host allow/deny list.
[2006/05/20 05:06:05, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.1.33)
[2006/05/20 05:06:05, 10] lib/username.c:user_in_list(529)
user_in_list: checking user andrei.iordache in list
[2006/05/20 05:06:05, 10] lib/username.c:user_in_list(533)
user_in_list: checking user |andrei.iordache| against |+consultanta|
[2006/05/20 05:06:05, 2] smbd/service.c:make_connection_snum(321)
user 'andrei.iordache' (from session setup) not permitted to access this share (consultanta)
[2006/05/20 05:06:05, 3] smbd/error.c:error_packet(129)
error packet at smbd/reply.c(415) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
In the ldap logs I see this when I try to access the share:
May 20 05:17:27 fc4 slapd[1524]: conn=90 op=8 SRCH base="dc=kapitalgrup,dc=ro" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=consultanta))"
May 20 05:17:27 fc4 slapd[1524]: conn=90 op=8 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
May 20 05:17:27 fc4 slapd[1524]: conn=90 op=8 ENTRY dn="cn=consultanta,ou=groups,dc=kapitalgrup,dc=ro"
May 20 05:17:27 fc4 slapd[1524]: conn=90 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text=
If I run a manual search on the ldap server with the same filter "(&(objectClass=posixGroup)(cn=consultanta))" and request the same attributes (cn userPassword memberUid uniqueMember gidNumber), I get:
[root@fc4 ~]# ldapsearch -LLL -x "(&(objectClass=posixGroup)(cn=consultanta))" cn userPassword memberUid uniqueMember gidNumber
dn: cn=consultanta,ou=groups,dc=kapitalgrup,dc=ro
cn: consultanta
gidNumber: 1007
memberUid: andrei.iordache
memberUid: other.members
...
I have the users ‘nobody’ and ‘root’ in the ldap. They are duplicates of those in /etc/passwd. ALL WORKS WELL WITH ldapsam:trusted = NO. I have been using Samba for years now and I am pretty familiar with it. I never needed assistance before, but now I’m pretty stuck and I have been trying to fix this for a while. Does anybody see what I’m missing? Thanks much in advance.
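The smbd log above shows the decision point: user_in_list checks the session user against the `valid users` token `+consultanta` and denies the tconX. The following script is an added example, not code from the post or from Samba: it parses LDIF group entries (including folded continuation lines, which the post's sambaPasswordHistory value illustrates), evaluates a `valid users` string with the `+`/`@`/`&` prefixes from smb.conf(5), and also lists posixGroup entries that carry no sambaSID, which is the visible difference between the two group entries in the post. The sample LDIF, the domain `dc=example,dc=test`, the user `other.member` and the function names are all constructed for this example; the script surfaces the mismatch, it does not claim to be Samba's own lookup path.

```python
import base64

# Constructed LDIF fragment modelled on the two group entries in the post
# (domain renamed; values are illustrative, not from a real directory).
SAMPLE_LDIF = """\
dn: cn=users,ou=groups,dc=example,dc=test
cn: users
description: Local Unix group
gidNumber: 100
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-0-0-0-513

dn: cn=consultanta,ou=groups,dc=example,dc=test
objectClass: top
objectClass: posixGroup
cn: consultanta
gidNumber: 1007
memberUid: andrei.iordache
memberUid: other.member
description: a long value that the exporter folded onto
  a continuation line
"""


def parse_ldif(text):
    """Parse LDIF text into a list of entries (attribute -> list of values).

    Unfolds continuation lines (a leading space joins to the previous line),
    decodes '::' base64 values and lower-cases attribute names so lookups do
    not depend on how the exporter capitalised them.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def posix_groups(entries):
    """Return {cn: {"gid": int, "members": set, "has_sid": bool}} for posixGroup entries."""
    groups = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixgroup" not in classes:
            continue
        info = {
            "gid": int(e["gidnumber"][0]),
            "members": set(e.get("memberuid", [])),
            "has_sid": bool(e.get("sambasid")),
        }
        for cn in e.get("cn", []):
            groups[cn] = info
    return groups


def user_in_list(user, valid_users, groups, primary_gid=None):
    """Evaluate a 'valid users' string and return the first matching token, or None.

    '+name' is a UNIX group; '@name' tries a NIS netgroup first and then the
    UNIX group (only the UNIX part is modelled here); '&name' is netgroup only
    and is skipped.  Membership means memberUid or the user's primary gid.
    """
    for token in (t.strip() for t in valid_users.split(",")):
        if not token:
            continue
        if token[0] in "+@":
            g = groups.get(token[1:])
            if g and (user in g["members"] or g["gid"] == primary_gid):
                return token
        elif token[0] == "&":
            continue
        elif token.lower() == user.lower():
            return token
    return None


def audit_share(ldif_text, user, primary_gid, valid_users):
    """Report whether the user gets in, on which token, and which posixGroup
    entries lack a sambaSID (hypothetical check; confirm its relevance against smb.conf(5))."""
    groups = posix_groups(parse_ldif(ldif_text))
    matched = user_in_list(user, valid_users, groups, primary_gid)
    return {
        "allowed": matched is not None,
        "matched": matched,
        "groups_without_sid": sorted(cn for cn, g in groups.items() if not g["has_sid"]),
    }


if __name__ == "__main__":
    # andrei.iordache has gidNumber 100 in the post, i.e. primary group 'users'
    for share, valid in (("consultanta", "+consultanta"), ("staff", "+users")):
        print(share, audit_share(SAMPLE_LDIF, "andrei.iordache", 100, valid))
```

Run against a real `ldapsearch -LLL` dump of `ou=groups`, the script tells you whether the directory data alone would satisfy the `valid users` line; when it says allowed and smbd still denies, the problem lies in how smbd resolves the group (NSS versus the directory under ldapsam:trusted), not in the membership data.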