[Samba] Workstation joins domain but user cannot log in SMB-LDAP
Peter Van den Wildenbergh
peter at srecengineering.com
Tue Nov 4 21:44:40 GMT 2008
Hi List,
I've done a little bit of SaMBa in the past, but new to LDAP, so bear
with me please. (It is a lengthy post...)
I've (loosely) followed this guide here:
http://www.rrcomputerconsulting.com/view.php?article_id=3
My server is a Ubuntu 8.04 LTS (up-to-date) running :
OpenLDAP: slapd 2.4.9 (Aug 1 2008 01:08:50)
buildd at terranova:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
Samba Version 3.0.28a
Kernel : 2.6.24-21-server #1 SMP Wed Oct 22 00:18:13 UTC 2008 i686 GNU/Linux
I got to the point where things should fall together but they don't...
What is working:
On the server:
Anonymous checking what is available works:
smbclient -L localhost
Password: <EMPTY>
Anonymous login successful
Domain=[SRECENGINEERING] OS=[Unix] Server=[Samba 3.0.28a]
... <snip>
I was also able to successfully join a laptop to the domain.
The system even shows up in LDAP
ldapsearch -x -b dc=srecengineering,dc=int | grep lpt
# lpt-00005$, Computers, SRECENGINEERING.INT
dn: uid=lpt-00005$,ou=Computers,dc=SRECENGINEERING,dc=INT
cn: lpt-00005$
uid: lpt-00005$
Then trouble started,
I created a user using /usr/sbin/smbldap-useradd
A ldapsearch returns the user.
BUT I cannot log in using that user on a Win XP SP3.
"The system could not log you on..."
Googling things points to troubles between ldap / samba and groupmap
net groupmap list
Domain Admins (S-1-5-21-415917906-1882792140-1713642741-512) -> Domain Admins
Domain Users (S-1-5-21-415917906-1882792140-1713642741-513) -> Domain Users
Domain Guests (S-1-5-21-415917906-1882792140-1713642741-514) -> Domain Guests
Domain Computers (S-1-5-21-415917906-1882792140-1713642741-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
In /var/log/samba/log.LPT-00005 I see:
[2008/11/04 14:19:04, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
But it is NOT all bad, because using 'root' to log in on the WinXP laptop 'works'.
(There are still some error messages in the samba logs, but I see a Z: drive on the laptop pointing to the SaMBa server.)
What else?
I also see a lot of these:
Nov 4 11:53:13 SRV-00002 slapd[9261]: <= bdb_equality_candidates: (....) not indexed
(.... are different fields like gidNumber, sambaSID etc.)
My smb.conf
[global]
workgroup = SRECENGINEERING
server string = fileserver (%h)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
passdb backend = ldapsam:ldap://localhost/
obey pam restrictions = no
ldap admin dn = cn=admin,dc=srecengineering,dc=int
ldap suffix = dc=srecengineering, dc=int
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
ldap passwd sync = Yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
domain logons = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
logon path =
logon script = allusers.bat
socket options = TCP_NODELAY
[homes]
comment = Home directories
path = /data/home
browseable = yes
read only = no
create mask = 0700
directory mask = 0700
valid users = %S
hide dot files = yes
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = yes
read only = yes
share modes = no
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
I confirmed that the smbldap scripts are in /usr/sbin.
My slapd.conf in /etc/ldap/:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
logfile /var/log/slapd.log
loglevel 256
modulepath /usr/lib/ldap
moduleload back_bdb
sizelimit 500
tool-threads 1
backend bdb
database bdb
suffix "dc=srecengineering,dc=int"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
checkpoint 512 30
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
by dn="cn=admin,dc=srecengineering,dc=int" write
by anonymous auth
by self write
by * none
access to dn.base="" by * read
access to *
by dn="cn=admin,dc=srecengineering,dc=int" write
by * read
ldap.conf in /etc/ldap
host 127.0.0.1
base dc=srecengineering,dc=int
uri ldap://127.0.0.1/
ldap_version 3
rootbinddn cn=admin,dc=srecengineering,dc=int
bind_policy soft
pam_password md5
I can provide other information if needed.
Your feedback/hints and even solutions are very appreciated.
Regards
Peter
PS. SaMBa-team keep up the good work!
And say hi to Ms. N. Kroess if you see her!
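Two things in the post above are worth checking mechanically before digging into the groupmap problem: the posted [global] section sets "passwd program" and "passwd chat" twice (once for smbldap-passwd, once for /usr/bin/passwd), and Samba keeps the last value it reads, so the LDAP-aware one is silently overridden; and the slapd log is full of "bdb_equality_candidates: (...) not indexed" warnings while the posted slapd.conf only indexes objectClass. The script below is an added example written for this page, not code from the poster or from the Samba or OpenLDAP projects. It parses an smb.conf-style text and reports parameters set more than once per section (with the value Samba will actually use), then scans slapd log lines for unindexed attributes and prints the "index <attr> eq" directives that are still missing from a given slapd.conf. The smb.conf, slapd.conf and log samples are constructed here, modelled on the fragments quoted in the post.

```python
"""Lint helpers for a Samba ldapsam + OpenLDAP setup (added example).

1. smb.conf: find parameters defined more than once in the same section.
   Samba reads the file top to bottom and the LAST occurrence wins.
2. slapd log: collect attributes reported as 'not indexed' and emit the
   'index' directives not already present in slapd.conf.
All sample inputs below are constructed for this example.
"""
import re
from collections import OrderedDict

# Constructed smb.conf excerpt: note 'passwd program' and 'passwd chat' twice.
SMB_CONF_SAMPLE = r"""
[global]
   workgroup = SRECENGINEERING
   passdb backend = ldapsam:ldap://localhost/
   ldap passwd sync = Yes
   passwd program = /usr/sbin/smbldap-passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n
[homes]
   path = /data/home
   valid users = %S
"""

# Constructed slapd log lines (syslog format, loglevel 256 style messages).
SLAPD_LOG_SAMPLE = """\
Nov  4 11:53:13 SRV-00002 slapd[9261]: <= bdb_equality_candidates: (gidNumber) not indexed
Nov  4 11:53:13 SRV-00002 slapd[9261]: <= bdb_equality_candidates: (sambaSID) not indexed
Nov  4 11:53:14 SRV-00002 slapd[9261]: conn=12 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov  4 11:53:15 SRV-00002 slapd[9261]: <= bdb_equality_candidates: (uid) not indexed
Nov  4 11:53:15 SRV-00002 slapd[9261]: <= bdb_equality_candidates: (gidNumber) not indexed
"""

# Constructed slapd.conf excerpt: only some attributes already have an eq index.
SLAPD_CONF_SAMPLE = """\
index objectClass eq
index uid,uidNumber eq
"""


def _norm(key):
    """Samba matches parameter names case-insensitively and ignores whitespace."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section: [(normalised key, value), ...]} keeping every occurrence."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((_norm(key), value.strip()))
    return sections


def duplicate_parameters(sections):
    """Return {section: {key: [value, value, ...]}} for keys set more than once."""
    dups = {}
    for sec, items in sections.items():
        seen = OrderedDict()
        for key, value in items:
            seen.setdefault(key, []).append(value)
        multi = {k: v for k, v in seen.items() if len(v) > 1}
        if multi:
            dups[sec] = multi
    return dups


def effective_value(sections, section, key):
    """The value Samba ends up using: the last one in the section, or None."""
    values = [v for k, v in sections.get(section, []) if k == _norm(key)]
    return values[-1] if values else None


NOT_INDEXED = re.compile(r"bdb_equality_candidates: \((?P<attr>[A-Za-z0-9;.-]+)\) not indexed")


def unindexed_attributes(log_text):
    """Count 'not indexed' warnings per attribute, most frequent first."""
    counts = {}
    for line in log_text.splitlines():
        m = NOT_INDEXED.search(line)
        if m:
            counts[m.group("attr")] = counts.get(m.group("attr"), 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def existing_eq_indexes(slapd_conf):
    """Attributes (lower-cased) that already carry an 'eq' index directive."""
    indexed = set()
    for line in slapd_conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "index" and "eq" in parts[2].split(","):
            indexed.update(a.lower() for a in parts[1].split(","))
    return indexed


def index_directives(attrs, slapd_conf=""):
    """slapd.conf lines to add; run slapindex with slapd stopped afterwards."""
    have = existing_eq_indexes(slapd_conf)
    return ["index %s eq" % attr for attr, _ in attrs if attr.lower() not in have]


def main():
    sections = parse_smb_conf(SMB_CONF_SAMPLE)
    for sec, keys in duplicate_parameters(sections).items():
        for key, values in keys.items():
            print("[%s] '%s' set %d times; Samba will use: %s" % (sec, key, len(values), values[-1]))
    for line in index_directives(unindexed_attributes(SLAPD_LOG_SAMPLE), SLAPD_CONF_SAMPLE):
        print("missing in slapd.conf: " + line)


if __name__ == "__main__":
    main()
```

Run against the real files by replacing the three sample strings with the contents of /etc/samba/smb.conf, /etc/ldap/slapd.conf and the slapd log. Attribute names in the generated directives are taken verbatim from the log, and the comparison with existing index lines is case-insensitive because slapd treats attribute names that way.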