[Samba] sambaUserWorkstations (with LDAP) not working with Groups of Computers ?

Frédéric Nass Frederic.nass at univ-metz.fr
Mon Nov 12 10:51:54 GMT 2007


Same problem with latest samba 3.0.26a stable. So I opened a bug report 
here :

https://bugzilla.samba.org/show_bug.cgi?id=5076

We're stuck on the following statement: only the CFLAGS=-DNO_LDAP_SECURITY 
build option can avoid this error. No more info on the security issues 
this particular option might introduce.

F. NASS.


Frédéric Nass wrote:
>
> Hi,
>
> I found more infos here :
> http://www.mail-archive.com/samba@lists.samba.org/msg33190.html
>
> This functionality seems to have been implemented in the samba source 
> code (3.0.24 - auth_sam.c) :
> http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_3_0_24/source/auth/auth_sam.c?rev=22815&view=markup 
>
>
>     if (*workstation_list) {
>         BOOL invalid_ws = True;
>         fstring tok;
>         const char *s = workstation_list;
>
>         const char *machine_name = talloc_asprintf(mem_ctx, "%s$",
>                                                    user_info->wksta_name);
>         if (machine_name == NULL)
>             return NT_STATUS_NO_MEMORY;
>
>         while (next_token(&s, tok, ",", sizeof(tok))) {
>             DEBUG(10,("sam_account_ok: checking for workstation match %s and %s\n",
>                       tok, user_info->wksta_name));
>             if(strequal(tok, user_info->wksta_name)) {
>                 invalid_ws = False;
>                 break;
>             }
> here ///===>  if (tok[0] == '+') {
>                 DEBUG(10,("sam_account_ok: checking for workstation %s in group: %s\n",
>                           machine_name, tok + 1));
>                 if (user_in_group(machine_name, tok + 1)) {
>                     invalid_ws = False;
>                     break;
>                 }
>             }
>         }
>
>         if (invalid_ws)
>             return NT_STATUS_INVALID_WORKSTATION;
>     }
>
>
> So I used samba debug level 10 in smb.conf:
>
> This is the exact part of the samba workstation log file when auth 
> fails on PC2 (it should work, as PC2 is also part of the "salle1" 
> workstation group):
>
>  smbldap_search_ext: base => [ou=Groups,dc=test,dc=org], filter => 
> [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-5-21-747375223-3054175255-2287932516-3010)(sambaSIDList=S-1-5-21-747375223-3054175255-2287932516-515)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-11)(sambaSIDList=S-1-5-21-747375223-3054175255-2287932516-9001)(sambaSIDList=S-1-22-2-515)(sambaSIDList=S-1-22-2-4000)))], 
> scope => [2]
> [2007/11/08 15:07:18, 0] lib/smbldap.c:smbldap_open(1009)
>  smbldap_open: cannot access LDAP when not root..
> [2007/11/08 15:07:18, 10] auth/auth_util.c:add_aliases(653)
>  pdb_enum_alias_memberships failed: NT_STATUS_UNSUCCESSFUL
> [2007/11/08 15:07:18, 10] auth/auth_util.c:user_in_group_sid(1277)
>  could not create token for PC2$
> [2007/11/08 15:07:18, 5] auth/auth.c:check_ntlm_password(273)
>  check_ntlm_password: sam authentication for user [toto] FAILED with 
> error NT_STATUS_INVALID_WORKSTATION
> [2007/11/08 15:07:18, 3] auth/auth_winbind.c:check_winbind_security(80)
>  check_winbind_security: Not using winbind, requested domain [TEST] 
> was for this SAM.
> [2007/11/08 15:07:18, 10] auth/auth.c:check_ntlm_password(261)
>  check_ntlm_password: winbind had nothing to say
> [2007/11/08 15:07:18, 2] auth/auth.c:check_ntlm_password(319)
>  check_ntlm_password:  Authentication for user [toto] -> [toto] FAILED 
> with error NT_STATUS_INVALID_WORKSTATION
> [2007/11/08 15:07:18, 5] auth/auth_util.c:free_user_info(1867)
>  attempting to free (and zero) a user_info structure
> [2007/11/08 15:07:18, 10] auth/auth_util.c:free_user_info(1871)
>  structure was created for toto
> [2007/11/08 15:07:18, 5] 
> rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(934)
>  _net_sam_logon: check_password returned status 
> NT_STATUS_INVALID_WORKSTATION
>
> This is the slapd log from the syslog file at the same time:
>
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=21 SRCH 
> base="dc=test,dc=org" scope=2 deref=0 
> filter="(&(uid=salle1)(objectClass=sambaSamAccount))"
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=21 SRCH attr=uid 
> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange 
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn 
> sn displayName sambaHomeDrive sambaHomePath sambaLogonScript 
> sambaProfilePath description sambaUserWorkstations sambaSID 
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName 
> objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount 
> sambaBadPasswordTime sambaPasswordHistory modifyTimestamp 
> sambaLogonHours modifyTimestamp uidNumber
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=21 SEARCH RESULT tag=101 
> err=0 nentries=0 text=
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=22 SRCH 
> base="ou=Groups,dc=test,dc=org" scope=2 deref=0 
> filter="(&(objectClass=sambaGroupMapping)(|(displayName=salle1)(cn=salle1)))" 
>
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=22 SRCH attr=gidNumber 
> sambaSID sambaGroupType sambaSIDList description displayName cn 
> objectClass
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=22 SEARCH RESULT tag=101 
> err=0 nentries=1 text=
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=23 SRCH 
> base="dc=test,dc=org" scope=2 deref=0 
> filter="(&(uid=pc2$)(objectClass=sambaSamAccount))"
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=23 SRCH attr=uid 
> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange 
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn 
> sn displayName sambaHomeDrive sambaHomePath sambaLogonScript 
> sambaProfilePath description sambaUserWorkstations sambaSID 
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName 
> objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount 
> sambaBadPasswordTime sambaPasswordHistory modifyTimestamp 
> sambaLogonHours modifyTimestamp uidNumber
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=23 SEARCH RESULT tag=101 
> err=0 nentries=1 text=
> Nov  8 15:07:18 debian slapd[3074]: conn=3 op=3 SRCH 
> base="dc=test,dc=org" scope=2 deref=0 
> filter="(&(objectClass=posixAccount)(uid=pc2$))"
> Nov  8 15:07:18 debian slapd[3074]: conn=3 op=3 SRCH attr=uid 
> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos 
> description objectClass
> Nov  8 15:07:18 debian slapd[3074]: conn=3 op=3 SEARCH RESULT tag=101 
> err=0 nentries=1 text=
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=24 SRCH 
> base="ou=Groups,dc=test,dc=org" scope=2 deref=0 
> filter="(&(objectClass=sambaGroupMapping)(gidNumber=515))"
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=24 SRCH attr=gidNumber 
> sambaSID sambaGroupType sambaSIDList description displayName cn 
> objectClass
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=24 SEARCH RESULT tag=101 
> err=0 nentries=1 text=
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=25 SRCH 
> base="dc=test,dc=org" scope=2 deref=0 
> filter="(&(sambaSID=s-1-5-21-747375223-3054175255-2287932516-515)(objectClass=sambaSamAccount))" 
>
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=25 SRCH attr=uid 
> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange 
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn 
> sn displayName sambaHomeDrive sambaHomePath sambaLogonScript 
> sambaProfilePath description sambaUserWorkstations sambaSID 
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName 
> objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount 
> sambaBadPasswordTime sambaPasswordHistory modifyTimestamp 
> sambaLogonHours modifyTimestamp uidNumber
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=25 SEARCH RESULT tag=101 
> err=0 nentries=0 text=
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=26 SRCH 
> base="ou=Groups,dc=test,dc=org" scope=2 deref=0 
> filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-747375223-3054175255-2287932516-515))" 
>
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=26 SRCH attr=gidNumber 
> sambaSID sambaGroupType sambaSIDList description displayName cn 
> objectClass
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=26 SEARCH RESULT tag=101 
> err=0 nentries=1 text=
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=27 SRCH 
> base="dc=test,dc=org" scope=2 deref=0 
> filter="(&(sambaSID=s-1-5-21-747375223-3054175255-2287932516-515)(objectClass=sambaSamAccount))" 
>
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=27 SRCH attr=uid 
> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange 
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn 
> sn displayName sambaHomeDrive sambaHomePath sambaLogonScript 
> sambaProfilePath description sambaUserWorkstations sambaSID 
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName 
> objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount 
> sambaBadPasswordTime sambaPasswordHistory modifyTimestamp 
> sambaLogonHours modifyTimestamp uidNumber
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=27 SEARCH RESULT tag=101 
> err=0 nentries=0 text=
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=28 SRCH 
> base="ou=Groups,dc=test,dc=org" scope=2 deref=0 
> filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-747375223-3054175255-2287932516-515))" 
>
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=28 SRCH attr=gidNumber 
> sambaSID sambaGroupType sambaSIDList description displayName cn 
> objectClass
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=28 SEARCH RESULT tag=101 
> err=0 nentries=1 text=
> Nov  8 15:07:18 debian slapd[3074]: conn=3 op=4 SRCH 
> base="dc=test,dc=org" scope=2 deref=0 
> filter="(&(objectClass=posixAccount)(uid=pc2$))"
> Nov  8 15:07:18 debian slapd[3074]: conn=3 op=4 SEARCH RESULT tag=101 
> err=0 nentries=1 text=
> Nov  8 15:07:18 debian slapd[3074]: conn=3 op=5 SRCH 
> base="dc=test,dc=org" scope=2 deref=0 
> filter="(&(objectClass=posixGroup)(|(memberUid=pc2$)(uniqueMember=uid=pc2$,ou=computers,dc=test,dc=org)))" 
>
> Nov  8 15:07:18 debian slapd[3074]: conn=3 op=5 SRCH attr=gidNumber
> Nov  8 15:07:18 debian slapd[3074]: conn=3 op=5 SEARCH RESULT tag=101 
> err=0 nentries=1 text=
> Nov  8 15:07:18 debian slapd[3074]: conn=3 op=6 SRCH 
> base="dc=test,dc=org" scope=2 deref=0 
> filter="(&(objectClass=posixGroup)(uniqueMember=cn=salle1,ou=groups,dc=test,dc=org))" 
>
> Nov  8 15:07:18 debian slapd[3074]: conn=3 op=6 SRCH attr=gidNumber
> Nov  8 15:07:18 debian slapd[3074]: conn=3 op=6 SEARCH RESULT tag=101 
> err=0 nentries=0 text=
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=29 SRCH 
> base="ou=Groups,dc=test,dc=org" scope=2 deref=0 
> filter="(&(objectClass=sambaGroupMapping)(gidNumber=4000))"
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=29 SRCH attr=gidNumber 
> sambaSID sambaGroupType sambaSIDList description displayName cn 
> objectClass
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=29 SEARCH RESULT tag=101 
> err=0 nentries=1 text=
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=30 SRCH 
> base="ou=Groups,dc=test,dc=org" scope=2 deref=0 
> filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-32-545))"
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=30 SRCH attr=gidNumber 
> sambaSID sambaGroupType sambaSIDList description displayName cn 
> objectClass
> Nov  8 15:07:18 debian slapd[3074]: conn=2 op=30 SEARCH RESULT tag=101 
> err=0 nentries=0 text=
> Nov  8 15:07:23 debian exiting on signal 15
>
> I just can't seem to spot the error. Log files can be downloaded from 
> here: http://www.fichiers.univ-metz.fr/depot/nass/syslog-et-sambalog.tgz
>
> Thanks for any help,
>
> F. NASS.
>
> PS : Config files can be found here : 
> http://lists.samba.org/archive/samba/2007-November/136188.html
>
>
> Frédéric Nass wrote:
>>
>> Hi,
>>
>> I'm trying to use the sambaUserWorkstations option to allow users to 
>> log on to certain computers only. This option looks great... In fact it 
>> now looks a lot better than the 'ldap filter' one that was deprecated 
>> with samba 3.0.20...
>>
>> The fact is, while the sambaUserWorkstations option works well with 
>> machine names, it doesn't seem to work when specifying groups of 
>> machines. I'm using LDAP as a backend + samba 3.0.24 (debian 4).
>>
>> For example, I configured the "sambaUserWorkstations" attribute of my 
>> user "test" with the following value: "sambaUserWorkstations: 
>> PC1,+salle1"
>>
>> This should work for PC1 and PC2 (as the 'salle1' machine group has PC1$ 
>> and PC2$ as members) but not for PC3, right? But the user is actually 
>> only allowed to log in on PC1, and bounced on PC2. This seemed to be 
>> working easily with files as the samba backend.
>>
>> Is this the right syntax for computer groups with LDAP? I tried 
>> using a "@" instead of a "+" but it didn't help.
>>
>> I use the LATEST Debian 4 (samba 3.0.24), fully UP-TO-DATE.
>>
>> Please find all debug and configuration infos here : 
>> http://www.fichiers.univ-metz.fr/depot/nass/sambaUserWorkstations-Groups-Problem.tar.gz 
>>
>>
>> Thank you for any help you might provide us,
>>
>> Frédéric Nass
>> IUT de Metz - Université de Metz.
>> FRANCE
>> nass_chez_univ-metz_point_fr
>>
>> Tél : +33387547736
>>
>>
>
>
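The workstation check quoted from auth_sam.c above, and the log it produced, modelled in Python as an added example that is not part of this thread or of Samba. It assumes a stand-in for user_in_group() that can report a failed lookup separately from a non-member answer, which is exactly what the "cannot access LDAP when not root" / "could not create token for PC2$" lines hide behind NT_STATUS_INVALID_WORKSTATION; the constructed membership data and sample log lines are modelled on the values in this thread.

```python
# Added example, not Samba code: models the quoted sambaUserWorkstations check and triages this thread's log.
import re

def workstation_allowed(workstation_list, wksta_name, in_group):
    """in_group(machine, group) stands in for user_in_group(): True/False, or None if the lookup failed."""
    if not workstation_list:
        return True, "no workstation restriction"
    machine_name = wksta_name + "$"           # machine account, as in auth_sam.c
    lookup_failed = False
    for tok in (t.strip() for t in workstation_list.split(",") if t.strip()):
        if tok.lower() == wksta_name.lower():  # strequal() is case-insensitive
            return True, "exact match on " + tok
        if tok.startswith("+"):                # '+group' = group of machines
            result = in_group(machine_name, tok[1:])
            if result:
                return True, machine_name + " is a member of " + tok[1:]
            lookup_failed = lookup_failed or result is None
    # Samba returns the same status either way; the reason string tells them apart.
    return False, ("NT_STATUS_INVALID_WORKSTATION (group lookup failed)"
                   if lookup_failed else "NT_STATUS_INVALID_WORKSTATION")

def make_lookup(members, ldap_reachable):
    """Constructed directory; ldap_reachable=False mimics 'cannot access LDAP'."""
    def in_group(machine, group):
        if not ldap_reachable:
            return None                       # token creation fails, as in the log
        return machine.upper() in {m.upper() for m in members.get(group, ())}
    return in_group

LDAP_FAILURE = re.compile(r"cannot access LDAP when not root")
DENIAL = re.compile(r"for user \[([^\]]+)\] FAILED with error NT_STATUS_INVALID_WORKSTATION")

def triage_log(lines):
    """For each INVALID_WORKSTATION denial return (user, ldap_failure_seen_before)."""
    findings, ldap_failure_seen = [], False
    for line in lines:
        ldap_failure_seen = ldap_failure_seen or bool(LDAP_FAILURE.search(line))
        m = DENIAL.search(line)
        if m:
            findings.append((m.group(1), ldap_failure_seen))
            ldap_failure_seen = False
    return findings

# Constructed sample, modelled on the samba debug lines quoted in this thread.
SAMPLE_LOG = [
    "  smbldap_open: cannot access LDAP when not root..",
    "  could not create token for PC2$",
    "  check_ntlm_password: sam authentication for user [toto] FAILED with error "
    "NT_STATUS_INVALID_WORKSTATION",
]
```

With a reachable directory PC2 is accepted through "+salle1"; with the lookup failing, PC1 still passes on the exact-name match while PC2 is refused, which is the behaviour reported in this thread.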


