[Samba] SAMBA PDC with LDAP backend syncing unix/samba accounts ...

Edmundo Valle Neto edmundo.vn at gmail.com
Tue May 20 03:04:30 GMT 2008


yogi wrote:
> Hi all ,
>          I'm running Debian Etch . I just finished
> configuring SAMBA
> as PDC to authenticate against LDAP server which works.
> The system in question uses default debian etch packages.
> As my Linux/unix accounts can authenticate against it, the
> LDAP works.
>     I used the default shipped smbldap-populate script to
> setup SAMBA.
>   

Good, this is the reason it is there :)
You will only not want to use it if you have a reason, like it messing with
your already populated base.

>        Everything seems to work as Anonymous User or as
> user root.
>
> shark:/etc/samba# smbclient -L shark -N
> Anonymous login successful
> Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]
>
>         Share name       Type      Comment
>         ---------       ----      -------
>         netlogon        Disk      Network Logon Service
>         knoppix         Disk
>         IPC$            IPC       IPC Service (Samba Server
> 3.0.24)
> Anonymous login successful
> Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]
>
>         Server               Comment
>         ---------            -------
>         SHARK                Samba Server 3.0.24
>
>
>       Now when I try and login as a normal user, which I have
> enabled
> with "smbldap-usermod -a  yogesh"
>
> smbldap-usershow yogesh
>
> dn: uid=yogesh,ou=People,dc=biomax,dc=de
> uid: yogesh
> cn: yogesh
> objectClass:
> account,posixAccount,top,shadowAccount,sambaSamAccount
> userPassword: {MD5}.SOMELONGHASH ....
> shadowLastChange: 12900
> shadowMax: 10000
> loginShell: /bin/bash
> uidNumber: 668
> gidNumber: 100
> homeDirectory: /sk-home/yogesh
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> displayName: System User
> sambaSID: S-1-5-21-4033729970-1053622217-143831336-9886
> sambaAcctFlags: [UX ]
>
> -----
>
> Now when I try and connect I get the following failure .
> shark:/etc/samba# smbclient -L shark -U yogesh
> session setup failed: NT_STATUS_LOGON_FAILURE
>   

For me smbldap-usermod -a doesn't ask for a password, so your error appears
to be the right behavior of the server when you try to access the samba
server with an account that has a posix password but doesn't have a samba
password.
If your posix password is hashed and it didn't ask for the password, it
cannot guess it and fill in the NT and LM samba hashes.

If you don't know, your account needs to end up with three hashes for the
same password :)

> After digging through the logs I figured that if I enter the
> password using
> "smbldap-passwd", it works.
>   

Ok, now you have defined your samba password, and it will be synced with
the posix one, and everyone will be happy.

> Now my Stupid questions ?
> I already have unix users working off LDAP. How can I
> automate the addition of the remaining accounts to SAMBA?
>   

Well, as already said, your script cannot guess the content of a hash to
create another that samba needs (this is the purpose of hashes).
Normally people add the samba part (with smbldap-usermod), change the
password to something else (with smbldap-passwd), mark the account to
only allow the login if the password is changed (with smbldap-usermod -B
1), then inform the user of the new password and ask him to put his
password back when he tries to login and automatically receives a window
asking for that.

It will be a process very much like adding a new user.

> Also, whenever a unix user changes the passwd, the samba password is
> not updated?
>   

Well, this is a little more complicated. It depends on how and where they
are trying to do that, but normally posix tools don't know of the
existence of samba hashes. Anyway, it's possible to do that too, but you
will need to be a little more specific. Are they trying to do that using
their own workstations that have Linux, or by accessing the server
shell?

> Any pointers will be of great help.
>
> Thanks in advance
> yogesh

It appears that there's nothing wrong with your config; you just didn't
understand what you need to do.


Regards.

Edmundo Valle Neto
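The procedure the reply describes for the remaining accounts (add the samba part with smbldap-usermod -a, set a fresh password with smbldap-passwd, then force a change at next logon with -B 1) as a POSIX shell script. This is an added example, not part of the thread or of smbldap-tools; it assumes smbldap-tools and ldapsearch are configured on the PDC, that it runs as root, that ldapsearch can read the People subtree anonymously, and that BASE_DN is a placeholder you replace.

```shell
#!/bin/sh
# Added example (not from the thread or from smbldap-tools): enable Samba on
# LDAP accounts that so far carry only the posix part, following the reply:
# smbldap-usermod -a, a fresh password via smbldap-passwd, then -B 1.
# Assumes smbldap-tools and ldapsearch are configured on the PDC and that the
# script runs as root. BASE_DN is a placeholder; replace it with your own.
BASE_DN="${BASE_DN:-dc=example,dc=com}"   # placeholder base DN
DRY_RUN="${DRY_RUN:-0}"                   # 1 = print the commands, do not run them

# Print the uid of every entry that is a posixAccount but not a
# sambaSamAccount. Reads "ldapsearch -LLL" style LDIF on stdin so the
# selection can be checked offline.
posix_only_uids() {
    awk '
        function flush() {
            if (uid != "" && posix && !samba) print uid
            uid = ""; posix = 0; samba = 0
        }
        /^dn: /                          { flush(); next }
        /^uid: /                         { uid = $2 }
        /^objectClass: posixAccount$/    { posix = 1 }
        /^objectClass: sambaSamAccount$/ { samba = 1 }
        END                              { flush() }
    '
}

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# The existing {MD5} posix hash cannot be turned into NT/LM hashes, so a new
# password has to be set; smbldap-passwd prompts for it. -B 1 marks the
# account so the user must change the password at next logon.
enable_samba_for() {
    uid="$1"
    run smbldap-usermod -a "$uid"
    run smbldap-passwd "$uid"
    run smbldap-usermod -B 1 "$uid"
}

main() {
    users=$(ldapsearch -x -LLL -b "ou=People,$BASE_DN" \
        '(&(objectClass=posixAccount)(!(objectClass=sambaSamAccount)))' \
        uid objectClass | posix_only_uids)
    for u in $users; do enable_samba_for "$u"; done
}
# Only act when invoked with --run; otherwise just define the helpers.
case "${1:-}" in --run) main ;; esac
```

With DRY_RUN=1 it only prints the three commands it would run for each account, which is a good way to review the list of users to notify before touching the directory.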



