[Samba] Samba 3.2 Ldap problem

Ernesto Silva silva at ort.edu.uy
Wed Jul 2 18:36:41 GMT 2008


The LDAP log says nothing, every operation is fine, BUT the Samba log says that it can't find the 'uid' attribute for the user. As I understand it, Samba first tries to map the user with idmap (which I don't understand at all), then it makes the bind against the LDAP and last but not least enters the share-specific permissions phase.

From the Samba logging system I extracted these first lines with the "error":

[2008/07/01 23:24:50,  4] smbd/map_username.c:map_username(145)
  Scanning username map /etc/samba/smbusers
[2008/07/01 23:24:50,  5] auth/auth_util.c:make_user_info_map(178)
  make_user_info_map: Mapping user [WORKGROUP]\[silva] from workstation [ERNIE]
[2008/07/01 23:24:50,  5] auth/auth_util.c:make_user_info(92)
  attempting to make a user_info for silva (silva)
[2008/07/01 23:24:50,  5] auth/auth_util.c:make_user_info(102)
  making strings for silva's user_info struct
[2008/07/01 23:24:50,  5] auth/auth_util.c:make_user_info(134)
  making blobs for silva's user_info struct
[2008/07/01 23:24:50,  3] auth/auth.c:check_ntlm_password(220)
  check_ntlm_password:  Checking password for unmapped user [WORKGROUP]\[silva]@[ERNIE] with the new password interface
[2008/07/01 23:24:50,  3] auth/auth.c:check_ntlm_password(223)
  check_ntlm_password:  mapped user is: [OPEN]\[silva]@[ERNIE]
[2008/07/01 23:24:50,  5] lib/util.c:dump_data(2226)
  [000] 82 EB 85 FE 24 80 63 76                           ....$.cv
[2008/07/01 23:24:50,  3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/07/01 23:24:50,  3] smbd/uid.c:push_conn_ctx(357)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/07/01 23:24:50,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/07/01 23:24:50,  5] auth/token_util.c:debug_nt_user_token(464)
  NT user token: (NULL)
[2008/07/01 23:24:50,  5] auth/token_util.c:debug_unix_user_token(490)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2008/07/01 23:24:50,  5] lib/smbldap.c:smbldap_search_ext(1183)
  smbldap_search_ext: base => [dc=ort,dc=edu,dc=uy], filter => [(&(uid=silva)(objectclass=sambaSamAccount))], scope => [2]
[2008/07/01 23:24:50,  5] lib/smbldap.c:smbldap_close(1086)
  The connection to the LDAP server was closed
[2008/07/01 23:24:50,  2] lib/smbldap.c:smbldap_open_connection(772)
  smbldap_open_connection: connection opened
[2008/07/01 23:24:50,  3] lib/smbldap.c:smbldap_connect_system(983)
  ldap_connect_system: successful connection to the LDAP server
[2008/07/01 23:24:50,  4] lib/smbldap.c:smbldap_open(1066)
  The LDAP server is successfully connected
[2008/07/01 23:24:50,  1] passdb/pdb_ldap.c:init_sam_from_ldap(567)
  init_sam_from_ldap: No uid attribute found for this user!
[2008/07/01 23:24:50,  1] passdb/pdb_ldap.c:ldapsam_getsampwnam(1531)
  ldapsam_getsampwnam: init_sam_from_ldap failed for user 'silva'!
[2008/07/01 23:24:50,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/07/01 23:24:50,  3] auth/auth_sam.c:check_sam_security(281)
  check_sam_security: Couldn't find user 'silva' in passdb.
[2008/07/01 23:24:50,  5] auth/auth.c:check_ntlm_password(272)
  check_ntlm_password: sam authentication for user [silva] FAILED with error NT_STATUS_NO_SUCH_USER
[2008/07/01 23:24:50,  2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password:  Authentication for user [silva] -> [silva] FAILED with error NT_STATUS_NO_SUCH_USER


This is the openLdap log from the transaction:

conn=129952 fd=153 ACCEPT from IP=172.30.150.100:14793 (IP=0.0.0.0:389)
conn=129952 op=0 BIND dn="cn=Manager,dc=my,dc=company" method=128
conn=129952 op=0 BIND dn="cn=Manager,dc=my,dc=company" mech=SIMPLE ssf=0
conn=129952 op=0 RESULT tag=97 err=0 text=
conn=129952 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=129952 op=1 SRCH attr=supportedControl
conn=129952 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=129952 op=2 SRCH base="dc=my,dc=company" scope=2 deref=0 filter="(&(uid=silva)(objectClass=sambaSamAccount))"
slapd[2498]: conn=129952 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber
conn=129952 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=129952 op=3 SRCH base="ou=Groups,dc=my,dc=company" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=65533))"
conn=129952 op=3 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
conn=129952 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=129952 op=4 SRCH base="sambaDomainName=OPEN,dc=my,dc=company" scope=0 deref=0 filter="(objectClass=*)"
conn=129952 op=4 SRCH attr=sambaPwdHistoryLength
conn=129952 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=129952 fd=153 closed (connection lost)



I've changed the share configuration to the following but still....


[www2]
    comment = webpages
    path = /path/to/webpages
    public = no
    writeable = yes
    browseable = yes
    valid users = silva
    dont descend = /proc,/dev,/etc,/bin,/usr...






Best regards,
-- 
Ing. Ernesto Silva.
Coordinador de Desarrollo Web y Sistemas Abiertos
Centro de Procesamiento de Datos
Universidad ORT Uruguay.
E-mail: silva at ort.edu.uy
Tel: (+5982) 903-1995, (+5982) 902-9687  ext. 102 
Fax: (+5982) 900-2952


misty at borkholder.com wrote:
>> 	[2008/07/01 04:54:01,  1] passdb/pdb_ldap.c:init_sam_from_ldap(567)
>> 	  init_sam_from_ldap: No uid attribute found for this user!
>> 	[2008/07/01 04:54:01,  1] passdb/pdb_ldap.c:ldapsam_getsampwnam(1531)
>> 	  ldapsam_getsampwnam: init_sam_from_ldap failed for user 'xxxxx'!
>>
> 
> Have you looked in the LDAP log to see what attribute it's actually
> looking for?  I haven't used 3.2 yet but I guess it's possible that
> something has changed with that.
> 
> 
>> [global]
>>
>>     os level = 64
> 
> I don't think you need or want this since you are not a WINS server...
> 
> 
>>     ldap admin dn   = cn=Manager,dc=my,dc=company
>>     ldap suffix     = dc=my,dc=company
>>     ldap machine suffix     = ou=Computers
>>     ldap group suffix   = ou=Groups
>>     ldap idmap suffix   = ou=Idmap
>>     ldap user suffix    = ou=People
>>     ldap passwd sync    = Yes
> 
> 
> Have you run smbpasswd -w to write the LDAP admin password into secrets.tdb?
> 
>>
>> [www2]
>>     valid users = +groupA +groupB
>>     force user = www2
> 
> Only last night I was dealing with a terrible problem with 3.0.28a with
> these two parameters.  Try commenting these out and see if you can get to
> your share.  Try naming individual users instead of groups.  Also,
> apparently the required syntax for expanding groups has changed and I
> think it should be +DOMAIN\groupA and the like.  Though I'm not sure that
> the '+' syntax is still favored either.  You'll need to look in the docs
> for your version to verify this.  Comment them out for testing anyway.
> 
> Also I was made aware last night that it is better to set the sticky bit
> on the directory than to use 'force user' or 'force group' (thanks JHT). 
> It will solve the 'create mask' too, I think.
> 
> 
>>     create mask = 0775
> 
>> Best regards,
>> --
>> Ing. Ernesto Silva.
>> Coordinador de Desarrollo Web y Sistemas Abiertos
>> Centro de Procesamiento de Datos
>> Universidad ORT Uruguay.
>> E-mail: silva at ort.edu.uy
>> Tel: (+5982) 903-1995, (+5982) 902-9687  ext. 102
>> Fax: (+5982) 900-2952

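Added example, not part of the original thread: a small reader for the slapd access log that answers the question raised in the quoted reply, i.e. which attributes Samba asked for in its sambaSamAccount lookup and how many entries came back. The sample lines are shortened from the log quoted in the message above; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: shortened from the slapd log quoted in the message above.
SAMPLE_LOG = """\
conn=129952 op=0 BIND dn="cn=Manager,dc=my,dc=company" method=128
conn=129952 op=2 SRCH base="dc=my,dc=company" scope=2 deref=0 filter="(&(uid=silva)(objectClass=sambaSamAccount))"
slapd[2498]: conn=129952 op=2 SRCH attr=uid uidNumber gidNumber sambaSID sambaNTPassword objectClass
conn=129952 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=129952 op=3 SRCH base="ou=Groups,dc=my,dc=company" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=65533))"
conn=129952 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

LINE = re.compile(r"conn=(\d+) op=(\d+) (BIND|SRCH|SEARCH RESULT|RESULT) (.*)")

def _field(pattern, text):
    return re.search(pattern, text).group(1)

def parse_slapd(text):
    """Group stats-level slapd lines into one record per (conn, op) search."""
    ops, bind_dn = defaultdict(dict), {}
    for line in text.splitlines():
        m = LINE.search(line)  # search(), so a "slapd[pid]: " prefix is tolerated
        if not m:
            continue
        conn, op, kind, rest = int(m[1]), int(m[2]), m[3], m[4]
        rec = ops[(conn, op)]
        if kind == "BIND":
            bind_dn[conn] = _field(r'dn="([^"]*)"', rest)
        elif kind == "SRCH" and rest.startswith("attr="):
            rec["attrs"] = rest[len("attr="):].split()
        elif kind == "SRCH":
            rec.update(base=_field(r'base="([^"]*)"', rest),
                       filter=_field(r'filter="([^"]*)"', rest), bind_dn=bind_dn.get(conn))
        elif kind == "SEARCH RESULT":
            rec.update(err=int(_field(r"err=(\d+)", rest)),
                       nentries=int(_field(r"nentries=(\d+)", rest)))
    return {k: v for k, v in ops.items() if "filter" in v}  # keep searches only

def account_lookups(ops, user):
    """Lookups of the user's sambaSamAccount entry, with what was asked and found."""
    want = f"(uid={user})".lower()
    return [{"conn": c, "op": o, "bind_dn": r["bind_dn"], "base": r["base"],
             "asked_for_uid": "uid" in r.get("attrs", []), "nentries": r.get("nentries")}
            for (c, o), r in sorted(ops.items())
            if want in r["filter"].lower() and "objectclass=sambasamaccount" in r["filter"].lower()]

if __name__ == "__main__":
    for hit in account_lookups(parse_slapd(SAMPLE_LOG), "silva"):
        print(hit)
```

The stats-level log records what was requested and how many entries matched, not which attributes each returned entry actually contained.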
