[Samba] sambaUserWorkstations (with LDAP) not working with Groups of Computers?
Frédéric Nass
Frederic.nass at univ-metz.fr
Mon Nov 12 10:51:54 GMT 2007
Same problem with the latest samba 3.0.26a stable. So I opened a bug report
here:
https://bugzilla.samba.org/show_bug.cgi?id=5076
We're stuck on the following statement: Only the CFLAGS=-DNO_LDAP_SECURITY
build option can avoid this error. No more info on the security issues
this particular option might introduce.
F. NASS.
Frédéric Nass wrote:
>
> Hi,
>
> I found more info here:
> http://www.mail-archive.com/samba@lists.samba.org/msg33190.html
>
> This functionality seems to have been implemented in the samba source
> code (3.0.24 - auth_sam.c) :
> http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_3_0_24/source/auth/auth_sam.c?rev=22815&view=markup
>
>
> if (*workstation_list) {
>     BOOL invalid_ws = True;
>     fstring tok;
>     const char *s = workstation_list;
>
>     const char *machine_name = talloc_asprintf(mem_ctx, "%s$",
>                                                user_info->wksta_name);
>     if (machine_name == NULL)
>         return NT_STATUS_NO_MEMORY;
>
>     while (next_token(&s, tok, ",", sizeof(tok))) {
>         DEBUG(10,("sam_account_ok: checking for workstation match %s and %s\n",
>                   tok, user_info->wksta_name));
>         if (strequal(tok, user_info->wksta_name)) {
>             invalid_ws = False;
>             break;
>         }
>         /* here ///===> */
>         if (tok[0] == '+') {
>             DEBUG(10,("sam_account_ok: checking for workstation %s in group: %s\n",
>                       machine_name, tok + 1));
>             if (user_in_group(machine_name, tok + 1)) {
>                 invalid_ws = False;
>                 break;
>             }
>         }
>     }
>
>     if (invalid_ws) return NT_STATUS_INVALID_WORKSTATION;
> }
>
>
> So I used samba debug level 10 in smb.conf :
>
> This is the exact part of the samba workstation log file when auth
> fails on PC2: (It should work, as PC2 is also part of the "salle1"
> workstation group)
>
> smbldap_search_ext: base => [ou=Groups,dc=test,dc=org], filter =>
> [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-5-21-747375223-3054175255-2287932516-3010)(sambaSIDList=S-1-5-21-747375223-3054175255-2287932516-515)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-11)(sambaSIDList=S-1-5-21-747375223-3054175255-2287932516-9001)(sambaSIDList=S-1-22-2-515)(sambaSIDList=S-1-22-2-4000)))],
> scope => [2]
> [2007/11/08 15:07:18, 0] lib/smbldap.c:smbldap_open(1009)
> smbldap_open: cannot access LDAP when not root..
> [2007/11/08 15:07:18, 10] auth/auth_util.c:add_aliases(653)
> pdb_enum_alias_memberships failed: NT_STATUS_UNSUCCESSFUL
> [2007/11/08 15:07:18, 10] auth/auth_util.c:user_in_group_sid(1277)
> could not create token for PC2$
> [2007/11/08 15:07:18, 5] auth/auth.c:check_ntlm_password(273)
> check_ntlm_password: sam authentication for user [toto] FAILED with
> error NT_STATUS_INVALID_WORKSTATION
> [2007/11/08 15:07:18, 3] auth/auth_winbind.c:check_winbind_security(80)
> check_winbind_security: Not using winbind, requested domain [TEST]
> was for this SAM.
> [2007/11/08 15:07:18, 10] auth/auth.c:check_ntlm_password(261)
> check_ntlm_password: winbind had nothing to say
> [2007/11/08 15:07:18, 2] auth/auth.c:check_ntlm_password(319)
> check_ntlm_password: Authentication for user [toto] -> [toto] FAILED
> with error NT_STATUS_INVALID_WORKSTATION
> [2007/11/08 15:07:18, 5] auth/auth_util.c:free_user_info(1867)
> attempting to free (and zero) a user_info structure
> [2007/11/08 15:07:18, 10] auth/auth_util.c:free_user_info(1871)
> structure was created for toto
> [2007/11/08 15:07:18, 5]
> rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(934)
> _net_sam_logon: check_password returned status
> NT_STATUS_INVALID_WORKSTATION
>
> This is the same time slapd log in syslog file :
>
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=21 SRCH
> base="dc=test,dc=org" scope=2 deref=0
> filter="(&(uid=salle1)(objectClass=sambaSamAccount))"
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=21 SRCH attr=uid
> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
> sn displayName sambaHomeDrive sambaHomePath sambaLogonScript
> sambaProfilePath description sambaUserWorkstations sambaSID
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
> objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
> sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
> sambaLogonHours modifyTimestamp uidNumber
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=21 SEARCH RESULT tag=101
> err=0 nentries=0 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=22 SRCH
> base="ou=Groups,dc=test,dc=org" scope=2 deref=0
> filter="(&(objectClass=sambaGroupMapping)(|(displayName=salle1)(cn=salle1)))"
>
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=22 SRCH attr=gidNumber
> sambaSID sambaGroupType sambaSIDList description displayName cn
> objectClass
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=22 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=23 SRCH
> base="dc=test,dc=org" scope=2 deref=0
> filter="(&(uid=pc2$)(objectClass=sambaSamAccount))"
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=23 SRCH attr=uid
> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
> sn displayName sambaHomeDrive sambaHomePath sambaLogonScript
> sambaProfilePath description sambaUserWorkstations sambaSID
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
> objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
> sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
> sambaLogonHours modifyTimestamp uidNumber
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=23 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=3 SRCH
> base="dc=test,dc=org" scope=2 deref=0
> filter="(&(objectClass=posixAccount)(uid=pc2$))"
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=3 SRCH attr=uid
> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
> description objectClass
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=3 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=24 SRCH
> base="ou=Groups,dc=test,dc=org" scope=2 deref=0
> filter="(&(objectClass=sambaGroupMapping)(gidNumber=515))"
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=24 SRCH attr=gidNumber
> sambaSID sambaGroupType sambaSIDList description displayName cn
> objectClass
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=24 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=25 SRCH
> base="dc=test,dc=org" scope=2 deref=0
> filter="(&(sambaSID=s-1-5-21-747375223-3054175255-2287932516-515)(objectClass=sambaSamAccount))"
>
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=25 SRCH attr=uid
> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
> sn displayName sambaHomeDrive sambaHomePath sambaLogonScript
> sambaProfilePath description sambaUserWorkstations sambaSID
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
> objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
> sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
> sambaLogonHours modifyTimestamp uidNumber
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=25 SEARCH RESULT tag=101
> err=0 nentries=0 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=26 SRCH
> base="ou=Groups,dc=test,dc=org" scope=2 deref=0
> filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-747375223-3054175255-2287932516-515))"
>
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=26 SRCH attr=gidNumber
> sambaSID sambaGroupType sambaSIDList description displayName cn
> objectClass
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=26 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=27 SRCH
> base="dc=test,dc=org" scope=2 deref=0
> filter="(&(sambaSID=s-1-5-21-747375223-3054175255-2287932516-515)(objectClass=sambaSamAccount))"
>
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=27 SRCH attr=uid
> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
> sn displayName sambaHomeDrive sambaHomePath sambaLogonScript
> sambaProfilePath description sambaUserWorkstations sambaSID
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
> objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
> sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
> sambaLogonHours modifyTimestamp uidNumber
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=27 SEARCH RESULT tag=101
> err=0 nentries=0 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=28 SRCH
> base="ou=Groups,dc=test,dc=org" scope=2 deref=0
> filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-747375223-3054175255-2287932516-515))"
>
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=28 SRCH attr=gidNumber
> sambaSID sambaGroupType sambaSIDList description displayName cn
> objectClass
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=28 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=4 SRCH
> base="dc=test,dc=org" scope=2 deref=0
> filter="(&(objectClass=posixAccount)(uid=pc2$))"
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=4 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=5 SRCH
> base="dc=test,dc=org" scope=2 deref=0
> filter="(&(objectClass=posixGroup)(|(memberUid=pc2$)(uniqueMember=uid=pc2$,ou=computers,dc=test,dc=org)))"
>
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=5 SRCH attr=gidNumber
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=5 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=6 SRCH
> base="dc=test,dc=org" scope=2 deref=0
> filter="(&(objectClass=posixGroup)(uniqueMember=cn=salle1,ou=groups,dc=test,dc=org))"
>
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=6 SRCH attr=gidNumber
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=6 SEARCH RESULT tag=101
> err=0 nentries=0 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=29 SRCH
> base="ou=Groups,dc=test,dc=org" scope=2 deref=0
> filter="(&(objectClass=sambaGroupMapping)(gidNumber=4000))"
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=29 SRCH attr=gidNumber
> sambaSID sambaGroupType sambaSIDList description displayName cn
> objectClass
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=29 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=30 SRCH
> base="ou=Groups,dc=test,dc=org" scope=2 deref=0
> filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-32-545))"
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=30 SRCH attr=gidNumber
> sambaSID sambaGroupType sambaSIDList description displayName cn
> objectClass
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=30 SEARCH RESULT tag=101
> err=0 nentries=0 text=
> Nov 8 15:07:23 debian exiting on signal 15
>
> I just can't spot the error. Log files can be downloaded from
> here: http://www.fichiers.univ-metz.fr/depot/nass/syslog-et-sambalog.tgz
>
> Thanks for any help,
>
> F. NASS.
>
> PS : Config files can be found here :
> http://lists.samba.org/archive/samba/2007-November/136188.html
>
>
> Frédéric Nass wrote:
>>
>> Hi,
>>
>> I'm trying to use the sambaUserWorkstations option to allow users to
>> log on to certain computers only. This option looks great... In fact it
>> looks a lot better now than the 'ldap filter' one that was deprecated
>> with samba 3.0.20...
>>
>> The fact is, if the sambaUserWorkstations option works well with
>> machine names, it doesn't seem to work when specifying groups of
>> machines. I'm using LDAP as a backend + samba 3.0.24 (debian 4).
>>
>> For example, I configured the "sambaUserWorkstations" attribute of my
>> user "test" with the following arguments: "sambaUserWorkstations:
>> PC1,+salle1"
>>
>> This should work for PC1 and PC2 (as the 'salle1' machine group has PC1$ and
>> PC2$ as members) but not for PC3, right? But the user is actually
>> only allowed to log in on PC1, and bounced on PC2. This seemed to be
>> working easily with files as the samba backend.
>>
>> Is this the right syntax for computer groups with ldap ? I tried
>> using a "@" instead of a "+" but it didn't help ?
>>
>> I use the LATEST Debian 4 (samba 3.0.24), UP-TO-DATE.
>>
>> Please find all debug and configuration infos here :
>> http://www.fichiers.univ-metz.fr/depot/nass/sambaUserWorkstations-Groups-Problem.tar.gz
>>
>>
>> Thank you for any help you might provide us,
>>
>> Frédéric Nass
>> IUT de Metz - Université de Metz.
>> FRANCE
>> nass_chez_univ-metz_point_fr
>>
>> Tel: +33387547736
>>
>>
>
>
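Added example (editor's code, not Samba's and not from the poster): a stand-alone model of the sambaUserWorkstations check quoted above. It reproduces the token loop from auth_sam.c: split the attribute on ',', accept a token that equals the workstation name (case-insensitively, as Samba's strequal() compares), and for a "+group" token ask a group-membership callback whether "<WKSTA>$" is a member. The directory contents (group "salle1" with PC1$ and PC2$), the callback names and the list value "PC1,+salle1" are constructed from the post. The second callback models what the quoted smbd log shows: smbldap_open() refused to open LDAP when not running as root, pdb_enum_alias_memberships failed, no token could be built for PC2$, so user_in_group() returned false before any membership was consulted and the logon ended in NT_STATUS_INVALID_WORKSTATION. The model keeps that fail-closed behaviour: a lookup error never grants access, but it also does not stop a later plain machine name in the list from matching.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp: Samba's strequal() is case-insensitive too */

/* Result of asking the directory whether an account is in a group.
 * LOOKUP_ERROR stands in for the "cannot access LDAP when not root" /
 * "could not create token for PC2$" path in the quoted log. */
typedef enum { NOT_MEMBER = 0, MEMBER = 1, LOOKUP_ERROR = -1 } lookup_result;

typedef lookup_result (*group_lookup_fn)(const char *account, const char *group);

/* Constructed directory for the example (hypothetical, mirrors the post):
 * machine group "salle1" has the machine accounts PC1$ and PC2$. */
static lookup_result directory_lookup(const char *account, const char *group)
{
    static const char *const salle1[] = { "PC1$", "PC2$" };
    size_t i;

    if (strcasecmp(group, "salle1") != 0)
        return NOT_MEMBER;                 /* unknown group: nobody matches */
    for (i = 0; i < sizeof salle1 / sizeof salle1[0]; i++)
        if (strcasecmp(salle1[i], account) == 0)
            return MEMBER;
    return NOT_MEMBER;
}

/* Models the failing deployment: every group query fails before it
 * reaches the directory, whatever the real membership is. */
static lookup_result broken_lookup(const char *account, const char *group)
{
    (void)account;
    (void)group;
    return LOOKUP_ERROR;
}

/* Returns true if wksta_name may be used for the logon. An empty list
 * means "no restriction", as in Samba. A "+group" token matches when
 * "<wksta_name>$" is a member; a lookup error counts as "not a member",
 * so the loop keeps going (a later plain name can still match) and the
 * overall result stays fail-closed. */
bool workstation_allowed(const char *workstation_list, const char *wksta_name,
                         group_lookup_fn lookup)
{
    char machine_name[64];
    const char *s;

    if (workstation_list == NULL || *workstation_list == '\0')
        return true;

    snprintf(machine_name, sizeof machine_name, "%s$", wksta_name);

    for (s = workstation_list; *s != '\0'; ) {
        char tok[64];
        const char *t;
        const char *end = strchr(s, ',');
        size_t len = end ? (size_t)(end - s) : strlen(s);

        if (len >= sizeof tok)
            len = sizeof tok - 1;          /* truncate an oversized token */
        memcpy(tok, s, len);
        tok[len] = '\0';
        s = end ? end + 1 : s + strlen(s);

        /* tolerate "PC1, +salle1" */
        for (t = tok; *t == ' ' || *t == '\t'; t++)
            ;
        if (*t == '\0')
            continue;

        if (strcasecmp(t, wksta_name) == 0)
            return true;                   /* explicit machine name */

        if (t[0] == '+' && lookup(machine_name, t + 1) == MEMBER)
            return true;                   /* member of the machine group */
    }
    return false;                          /* -> NT_STATUS_INVALID_WORKSTATION */
}

int main(void)
{
    const char *list = "PC1,+salle1";      /* the attribute value from the post */
    printf("PC1, LDAP reachable: %s\n",
           workstation_allowed(list, "PC1", directory_lookup) ? "allowed" : "denied");
    printf("PC2, LDAP reachable: %s\n",
           workstation_allowed(list, "PC2", directory_lookup) ? "allowed" : "denied");
    printf("PC3, LDAP reachable: %s\n",
           workstation_allowed(list, "PC3", directory_lookup) ? "allowed" : "denied");
    printf("PC2, group lookup failing: %s\n",
           workstation_allowed(list, "PC2", broken_lookup) ? "allowed" : "denied");
    return 0;
}
```

The last line of the program's output is the situation in the thread: the list is right and PC2$ really is in salle1, but because the group lookup itself fails the "+salle1" branch can never match, and only the explicit "PC1" entry still works. When debugging this, the thing to confirm first is therefore not the group membership but whether the smbd process handling the logon is able to open the LDAP backend at that point.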