[Samba] Samba 3.0.22-11 as PDC with openLDAP 2.3.19 => Problem with Shares

Manuel Graumann mgraumann at gc-heat.de
Tue Oct 24 07:38:05 GMT 2006


Hi there!

To set up a samba PDC with openLDAP on my openSUSE 10.1 x86_64 I followed
this howto: http://en.opensuse.org/Howto_setup_SUSE_10.1_as_Samba_PDC

Every service seems to be running now but now I'm stuck. I was able to join
a clean Windows XP Pro test machine to my Domain and I'm able to log on as
normal LDAP user. The home-share is mounted and even a login script
(actually just the DOS command "PAUSE") works fine.

Now I try to create shares on the PDC but it doesn't seem to work to allow
LDAP groups access to shares.

[web]
comment = Intranet
path = /data/srv/www
create mask = 0600
directory mask = 0700
browseable = Yes
guest ok = No
force user = root
valid users = "Web Admins"
admin users = "Domain Admins"
read only = No

The user trying to access this share is a member of both groups "Web Admins"
and "Domain Admins". When accessing the share Windows keeps prompting for
account credentials in an infinite loop. The log (samba logs with level 256)
does not state anything.

Changing the share to:

[web]
comment = Intranet
path = /data/srv/www
create mask = 0600
directory mask = 0700
browseable = Yes
guest ok = No
force user = root
valid users = @"Web Admins"
admin users = @"Domain Admins"
read only = No

This makes Windows hang for quite a long time when trying to access the
share. Finally I get a dialog box indicating that I was denied access and
the share would no longer be available.

Log states:

Oct 24 09:24:12 infra slapd[3012]: conn=133 op=8 SRCH base="dc=MYDOM,dc=TLD"
scope=2 deref=0 filter="(&(objectClass=nisNetgroup)(cn=web admins))"
Oct 24 09:24:12 infra slapd[3012]: conn=133 op=8 SRCH attr=cn
nisNetgroupTriple memberNisNetgroup
Oct 24 09:24:12 infra slapd[3012]: conn=133 op=8 SEARCH RESULT tag=101 err=0
nentries=0 text=
Oct 24 09:24:12 infra slapd[3012]: conn=133 op=9 SRCH base="dc=MYDOM,dc=TLD"
scope=2 deref=0 filter="(&(objectClass=nisNetgroup)(cn=web admins))"
Oct 24 09:24:12 infra slapd[3012]: conn=133 op=9 SRCH attr=cn
nisNetgroupTriple memberNisNetgroup
Oct 24 09:24:12 infra slapd[3012]: conn=133 op=9 SEARCH RESULT tag=101 err=0
nentries=0 text=
Oct 24 09:25:20 infra slapd[3012]: conn=135 fd=93 ACCEPT from
IP=127.0.0.1:47205 (IP=0.0.0.0:389)
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=0 BIND
dn="cn=Manager,dc=MYDOM,dc=TLD" method=128
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=0 BIND
dn="cn=Manager,dc=MYDOM,dc=TLD" mech=SIMPLE ssf=0
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=0 RESULT tag=97 err=0 text=
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=1 SRCH base="" scope=0
deref=0 filter="(objectClass=*)"
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=1 SRCH attr=supportedControl
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=1 SEARCH RESULT tag=101 err=0
nentries=1 text=
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=2 SRCH base="dc=MYDOM,dc=TLD"
scope=2 deref=0 filter="(&(uid=MYUSER)(objectClass=sambaSamAccount))"
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=2 SRCH attr=uid uidNumber
gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange
sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName
sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description
sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword
sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory
modifyTimestamp sambaLogonHours modifyTimestamp
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=2 SEARCH RESULT tag=101 err=0
nentries=1 text=
Oct 24 09:25:20 infra slapd[3012]: conn=136 fd=94 ACCEPT from
IP=127.0.0.1:47206 (IP=0.0.0.0:389)
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=0 BIND dn="" method=128
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=0 RESULT tag=97 err=0 text=
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=1 SRCH
base="ou=Users,dc=MYDOM,dc=TLD" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=MYUSER))"
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=1 SEARCH RESULT tag=101 err=0
nentries=1 text=
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=2 SRCH
base="ou=Groups,dc=MYDOM,dc=TLD" scope=1 deref=0
filter="(&(objectClass=posixGroup)(|(memberUid=MYUSER)(uniqueMember=uid=MYUSER,ou=users,dc=MYDOM,dc=TLD)))"
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=2 SRCH attr=gidNumber
Oct 24 09:25:20 infra slapd[3012]: <= bdb_equality_candidates:
(uniqueMember) index_param failed (18)
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=2 SEARCH RESULT tag=101 err=0
nentries=3 text=
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=3 SRCH
base="ou=Groups,dc=MYDOM,dc=TLD" scope=1 deref=0
filter="(&(objectClass=posixGroup)(uniqueMember=cn=domain
admins,ou=groups,dc=MYDOM,dc=TLD))"
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=3 SRCH attr=gidNumber
Oct 24 09:25:20 infra slapd[3012]: <= bdb_equality_candidates:
(uniqueMember) index_param failed (18)
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=3 SEARCH RESULT tag=101 err=0
nentries=0 text=
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=4 SRCH
base="ou=Groups,dc=MYDOM,dc=TLD" scope=1 deref=0
filter="(&(objectClass=posixGroup)(uniqueMember=cn=domain
users,ou=groups,dc=MYDOM,dc=TLD))"
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=4 SRCH attr=gidNumber
Oct 24 09:25:20 infra slapd[3012]: <= bdb_equality_candidates:
(uniqueMember) index_param failed (18)
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=4 SEARCH RESULT tag=101 err=0
nentries=0 text=
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=5 SRCH
base="ou=Groups,dc=MYDOM,dc=TLD" scope=1 deref=0
filter="(&(objectClass=posixGroup)(uniqueMember=cn=web
admins,ou=groups,dc=MYDOM,dc=TLD))"
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=5 SRCH attr=gidNumber
Oct 24 09:25:20 infra slapd[3012]: <= bdb_equality_candidates:
(uniqueMember) index_param failed (18)
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=5 SEARCH RESULT tag=101 err=0
nentries=0 text=
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=6 SRCH
base="ou=Groups,dc=MYDOM,dc=TLD" scope=1 deref=0
filter="(&(objectClass=posixGroup)(gidNumber=512))"
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=6 SRCH attr=cn userPassword
memberUid uniqueMember gidNumber
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=6 SEARCH RESULT tag=101 err=0
nentries=1 text=
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=7 SRCH
base="ou=Groups,dc=MYDOM,dc=TLD" scope=1 deref=0
filter="(&(objectClass=posixGroup)(gidNumber=7134))"
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=7 SRCH attr=cn userPassword
memberUid uniqueMember gidNumber
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=7 SEARCH RESULT tag=101 err=0
nentries=1 text=
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=3 SRCH
base="ou=Groups,dc=MYDOM,dc=TLD" scope=2 deref=0
filter="(&(objectClass=sambaGroupMapping)(gidNumber=513))"
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=3 SRCH attr=gidNumber
sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=3 SEARCH RESULT tag=101 err=0
nentries=1 text=
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=4 SRCH
base="ou=Groups,dc=MYDOM,dc=TLD" scope=2 deref=0
filter="(&(objectClass=sambaGroupMapping)(gidNumber=512))"
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=4 SRCH attr=gidNumber
sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=4 SEARCH RESULT tag=101 err=0
nentries=1 text=
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=5 SRCH
base="ou=Groups,dc=MYDOM,dc=TLD" scope=2 deref=0
filter="(&(objectClass=sambaGroupMapping)(gidNumber=7134))"
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=5 SRCH attr=gidNumber
sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=5 SEARCH RESULT tag=101 err=0
nentries=1 text=
Oct 24 09:25:20 infra slapd[3012]: conn=137 fd=95 ACCEPT from
IP=127.0.0.1:47207 (IP=0.0.0.0:389)
Oct 24 09:25:20 infra slapd[3012]: conn=137 op=0 BIND dn="" method=128
Oct 24 09:25:20 infra slapd[3012]: conn=137 op=0 RESULT tag=97 err=0 text=
Oct 24 09:25:20 infra slapd[3012]: conn=137 op=1 SRCH
base="ou=Users,dc=MYDOM,dc=TLD" scope=2 deref=0 filter="(uid=MYUSER)"
Oct 24 09:25:20 infra slapd[3012]: conn=137 op=1 SEARCH RESULT tag=101 err=0
nentries=1 text=
Oct 24 09:25:20 infra slapd[3012]: conn=137 op=2 UNBIND
Oct 24 09:25:20 infra slapd[3012]: conn=137 fd=95 closed
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=8 SRCH base="dc=MYDOM,dc=TLD"
scope=2 deref=0 filter="(&(objectClass=nisNetgroup)(cn=web admins))"
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=8 SRCH attr=cn
nisNetgroupTriple memberNisNetgroup
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=8 SEARCH RESULT tag=101 err=0
nentries=0 text=
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=9 SRCH base="dc=MYDOM,dc=TLD"
scope=2 deref=0 filter="(&(objectClass=nisNetgroup)(cn=web admins))"
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=9 SRCH attr=cn
nisNetgroupTriple memberNisNetgroup
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=9 SEARCH RESULT tag=101 err=0
nentries=0 text=

(I changed the username and domain name entries in this log) 

Changing the share to:

[web]
comment = Intranet
path = /data/srv/www
create mask = 0600
directory mask = 0700
browseable = Yes
guest ok = No
force user = root
valid users = +"Web Admins"
admin users = +"Domain Admins"
read only = No

This is leading to the same behaviour in Windows.

I don't see the error. Any ideas?

I was looking for a kind of tutorial for using samba along with LDAP but
didn't find a thing covering the issues I'm looking for. I'm searching for
advice on managing accounts, groups, printers, rights, logon times and
allowed workstations, standard profiles, logon scripts, policies for Windows
workstations and so on. Would be great if anybody could help me with a link
here ;)

Thank you in advance for your kind help!

Regards

Manuel
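
Added example (not part of the original post): a small Python script that pairs each slapd SRCH line with its SEARCH RESULT by conn/op, lists the searches that returned no entries, and collects the attributes slapd reports as unindexed. The sample input is an excerpt of the log above with wrapped lines rejoined; the function names are chosen here for illustration.

```python
import re

# Excerpt of the slapd log quoted in the post, wrapped lines rejoined.
SAMPLE_LOG = """\
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=2 SRCH base="ou=Groups,dc=MYDOM,dc=TLD" scope=1 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=MYUSER)(uniqueMember=uid=MYUSER,ou=users,dc=MYDOM,dc=TLD)))"
Oct 24 09:25:20 infra slapd[3012]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=2 SEARCH RESULT tag=101 err=0 nentries=3 text=
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=5 SRCH base="ou=Groups,dc=MYDOM,dc=TLD" scope=1 deref=0 filter="(&(objectClass=posixGroup)(uniqueMember=cn=web admins,ou=groups,dc=MYDOM,dc=TLD))"
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=5 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=8 SRCH base="dc=MYDOM,dc=TLD" scope=2 deref=0 filter="(&(objectClass=nisNetgroup)(cn=web admins))"
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=8 SRCH attr=cn nisNetgroupTriple memberNisNetgroup
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=8 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

# "SRCH attr=..." lines carry no base= and are deliberately not matched here.
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ deref=\d+ filter="(.*)"')
RESULT = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')
UNINDEXED = re.compile(r'bdb_equality_candidates: \((\w+)\) index_param failed')

def summarize(log):
    """Return ({(conn, op): search info}, {attributes reported as unindexed})."""
    searches, unindexed = {}, set()
    for line in log.splitlines():
        if m := SRCH.search(line):
            searches[(int(m[1]), int(m[2]))] = {"base": m[3], "filter": m[4], "nentries": None}
        elif m := RESULT.search(line):
            key = (int(m[1]), int(m[2]))
            if key in searches:  # ignore results whose SRCH line is outside the excerpt
                searches[key]["nentries"] = int(m[4])
        elif m := UNINDEXED.search(line):
            unindexed.add(m[1])
    return searches, unindexed

def empty_searches(log):
    """List ((conn, op), filter) for every search that matched zero entries."""
    searches, _ = summarize(log)
    return [(k, s["filter"]) for k, s in sorted(searches.items()) if s["nentries"] == 0]

if __name__ == "__main__":
    for (conn, op), flt in empty_searches(SAMPLE_LOG):
        print(f"conn={conn} op={op} returned 0 entries: {flt}")
    print("unindexed attributes:", sorted(summarize(SAMPLE_LOG)[1]))
```

On the excerpt it reports the posixGroup uniqueMember lookup and the nisNetgroup lookup for "web admins" as returning no entries, and uniqueMember as lacking an equality index.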


