[Samba] Users can't login on Samba+Ldap

dogbert dogbert at infinito.it
Mon May 11 21:10:40 GMT 2009


Dale,

I followed the guide from the Ubuntu website, adding some other details because it 
seems that the info there isn't complete:
https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html

at this point:
https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html#openldap-auth-config
I used the command "dpkg-reconfigure ldap-auth-config" that creates an ldap.conf 
file with the parameters I entered. I think that this script also took every 
entry found in the /etc/passwd file and added it to the nss_initgroups_ignoreusers 
directive.

Anyway I will check the guides you gave me.
Thanks

Dale Schroeder wrote:
> Riccardo,
> 
> I use Debian, so setup should be similar to Ubuntu.  Do you have 
> libnss-ldap and libpam-ldap installed?  They were necessary for 
> Samba/ldap to work.
> Have you modified nsswitch.conf and pam.d to use ldap?  Note: Although 
> others have mentioned the possibility, I did not have to modify 
> ldap.conf at all for this to work.
> Here are two different approaches to making this work.  They might 
> possibly fill in some of the blanks.
> https://help.ubuntu.com/community/OpenLDAP-SambaPDC-OrgInfo-Posix
> http://wiki.makethemove.net/index.php?title=LDAP-Samba
> 
> Dale
> 
> 
> dogbert wrote:
>> I've found somewhere (I'm looking again for the document) that from a 
>> certain version it no longer needs the file 
>> libnss_ldap.conf/secret because it's all configured from 
>> ldap.conf/secret (and I don't have libnss_ldap files).
>>
>> Anyway I checked with the getent command and I obtain only entries 
>> from the /etc/passwd and group files.
>>
>> I'd like to store all the Windows user and workstation information on 
>> LDAP, limiting only the administrative user to passwd.
>>
>> François Legal wrote:
>>> To be honest, I don't know very well all the ldap client configuration
>>> stuff. Anyway, nss is not (AFAIK) configured in /etc/ldap.conf.
>>>
>>> You should have libnss_ldap.conf/secret files containing the ldap
>>> configuration (bind DN/pwd, suffix for users, suffix for groups...) so that
>>> NSS can successfully look up the directory when it has to find user/group
>>> information.
>>>
>>> You can see if it is configured properly by doing getent group and
>>> getent passwd.
>>> These commands shall display all the groups and users found on the
>>> system.
>>> That is each user and group present in /etc/passwd /etc/group plus each
>>> user contained in maybe ou=Users,dc=yourcompany,dc=com and
>>> ou=Groups,dc=yourcompany,dc=com and (that one is important too)
>>> ou=Machines,dc=yourcompany,dc=com from your directory.
>>>
>>> Note that if you plan to only use ldap to store user information, you
>>> should no longer have real users/groups in /etc/passwd and /etc/group.
>>>
>>> François
>>>
>>> On Mon, 11 May 2009 16:51:47 +0200, dogbert at infinito.it wrote:
>>>> I'm checking /etc/ldap.conf and it seems that at the end of this
>>>> file a line was added with the following directive:
>>>> nss_initgroups_ignoreusers
>>>>
>>>> that included more or less every single entry contained in my 
>>>> /etc/passwd
>>>> file at the time of the ldap configuration.
>>>>
>>>> Is that normal behaviour?
>>>>
>>>> Thanks,
>>>> Riccardo
>>>>
>>>>> Did you properly configure nssldap?
>>>>>
>>>>> On Mon, 11 May 2009 14:25:05 +0200, dogbert at infinito.it wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I've migrated from an old samba installation (Samba as PDC) that
>>>>>> used the TDB backend for passwords.
>>>>>>
>>>>>> I've set up a box with ubuntu and samba 3 + ldap and I imported the
>>>>>> old users.
>>>>>> Old users work fine.
>>>>>>
>>>>>> I have problems with new users and machines.
>>>>>>
>>>>>> Old users work but they don't show up with the smbldap-usershow command
>>>>>> and I have problems changing their passwords. If I check the ldap db I
>>>>>> can find them (with both ldapsearch and slapcat).
>>>>>>
>>>>>> New users created with smbldap-useradd can be seen with the
>>>>>> smbldap-usershow command but can't log on to a workstation.
>>>>>>
>>>>>> If I join a workstation (directly from the workstation) it is added to
>>>>>> the ldap db but it doesn't see the domain until I manually add an entry
>>>>>> for it in /etc/passwd.
>>>>>>
>>>>>> Checking the user entries for two users I can find the following
>>>>>> differences.
>>>>>> BERENICE is a user imported from the old system and is working
>>>>>> fine:
>>>>>> dn: uid=berenice,ou=Users,dc=DOMAIN,dc=IT
>>>>>> uid: berenice
>>>>>> sambaSID: S-1-5-21-1234567890-123456789-123456789-2018
>>>>>> sambaPrimaryGroupSID: S-1-5-21-1234567890-123456789-123456789-513
>>>>>> displayName: berenice
>>>>>> sambaLogonTime: 0
>>>>>> sambaLogoffTime: 4294967295
>>>>>> sambaKickoffTime: 4294967295
>>>>>> sambaPwdCanChange: 1161193814
>>>>>> sambaPwdMustChange: 4294967295
>>>>>> sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>>>> sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>>>> sambaPasswordHistory:
>>>>>>  0000000000000000000000000000000000000000000000000000000000000000
>>>>>> sambaPwdLastSet: 1161193814
>>>>>> sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>>>>> sambaAcctFlags: [U          ]
>>>>>> sambaBadPasswordCount: 0
>>>>>> sambaBadPasswordTime: 0
>>>>>> objectClass: sambaSamAccount
>>>>>> objectClass: account
>>>>>> structuralObjectClass: account
>>>>>> entryUUID: af11fe14-8e7a-102d-9b4e-27169ab1b87f
>>>>>> creatorsName: cn=admin,dc=DOMAIN,dc=IT
>>>>>> createTimestamp: 20090214003220Z
>>>>>> entryCSN: 20090214003220.132569Z#000000#000#000000
>>>>>> modifiersName: cn=admin,dc=DOMAIN,dc=IT
>>>>>> modifyTimestamp: 20090214003220Z
>>>>>>
>>>>>> ADAM is a freshly created user and can't log on to a workstation:
>>>>>> dn: uid=adam,ou=Users,dc=DOMAIN,dc=IT
>>>>>> objectClass: top
>>>>>> objectClass: person
>>>>>> objectClass: organizationalPerson
>>>>>> objectClass: inetOrgPerson
>>>>>> objectClass: posixAccount
>>>>>> objectClass: shadowAccount
>>>>>> objectClass: sambaSamAccount
>>>>>> cn: adam
>>>>>> sn: adam
>>>>>> givenName: adam
>>>>>> uid: adam
>>>>>> uidNumber: 1004
>>>>>> gidNumber: 513
>>>>>> homeDirectory: /home/adam
>>>>>> loginShell: /bin/bash
>>>>>> gecos: System User
>>>>>> structuralObjectClass: inetOrgPerson
>>>>>> entryUUID: f9326600-8e7a-102d-9bb5-27169ab1b87f
>>>>>> creatorsName: cn=admin,dc=DOMAIN,dc=IT
>>>>>> createTimestamp: 20090214003424Z
>>>>>> sambaLogonTime: 0
>>>>>> sambaLogoffTime: 2147483647
>>>>>> sambaKickoffTime: 2147483647
>>>>>> sambaPwdCanChange: 0
>>>>>> displayName: adam
>>>>>> sambaSID: S-1-5-21-1234567890-123456789-123456789-3008
>>>>>> sambaPrimaryGroupSID: S-1-5-21-1234567890-123456789-123456789-513
>>>>>> sambaLogonScript: logon.bat
>>>>>> sambaProfilePath: serverprofilesadam
>>>>>> sambaHomePath: serveradam
>>>>>> sambaHomeDrive: C:
>>>>>> sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>>>> sambaAcctFlags: [U]
>>>>>> sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>>>> sambaPwdLastSet: 1234571674
>>>>>> sambaPwdMustChange: 1238459674
>>>>>> userPassword:: e1NTSEF9SStEUWVhay9tV2ROTGtOZy9QSlRqTDIrdmM1d1V6ZE4=
>>>>>> shadowLastChange: 14289
>>>>>> shadowMax: 45
>>>>>> entryCSN: 20090214003434.475223Z#000000#000#000000
>>>>>> modifiersName: cn=admin,dc=DOMAIN,dc=IT
>>>>>> modifyTimestamp: 20090214003434Z
>>>>>>
>>>>>>
>>>>>> Any help would be appreciated.
>>>>>> Thanks,
>>>>>> Riccardo
>>>
>>
> 
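The thread above turns on one observation: getent only shows accounts that NSS can resolve through posixAccount (uid, uidNumber, gidNumber, homeDirectory), while Samba only needs sambaSamAccount (uid, sambaSID). The imported BERENICE entry carries sambaSamAccount and account but no posixAccount, which is exactly the shape that getent passwd will never return. The script below is an added example, not code from the thread or from the Samba or smbldap-tools projects: it parses LDIF (folded lines, '::' base64 values, comments) and reports, per entry, which of the two schemas is incomplete. The REQUIRED_ATTRS table is this example's own assumption about the attributes each objectClass must carry; the SAMPLE_LDIF is constructed from the two posted entries with hashes masked, site paths dropped, and a made-up base64 description attribute added to exercise the '::' path.

```python
"""Audit LDIF account entries for the attributes NSS and Samba each need."""
import base64

# Assumption of this example: the attributes an account entry must carry
# for NSS (posixAccount) and for Samba (sambaSamAccount) to be usable.
REQUIRED_ATTRS = {
    "posixAccount": ("uid", "uidNumber", "gidNumber", "homeDirectory"),
    "sambaSamAccount": ("uid", "sambaSID"),
}

# Constructed sample adapted from the two entries posted in the thread.
SAMPLE_LDIF = """\
# constructed sample; hashes masked, site-specific paths removed
dn: uid=berenice,ou=Users,dc=DOMAIN,dc=IT
uid: berenice
sambaSID: S-1-5-21-1234567890-123456789-123456789-2018
sambaPrimaryGroupSID: S-1-5-21-1234567890-123456789-123456789-513
sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaPasswordHistory:
 0000000000000000000000000000000000000000000000000000000000000000
sambaAcctFlags: [U          ]
objectClass: sambaSamAccount
objectClass: account

dn: uid=adam,ou=Users,dc=DOMAIN,dc=IT
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: adam
cn: adam
uidNumber: 1004
gidNumber: 513
homeDirectory: /home/adam
loginShell: /bin/bash
sambaSID: S-1-5-21-1234567890-123456789-123456789-3008
sambaAcctFlags: [U]
sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
description:: Q29uc3RydWN0ZWQgc2FtcGxl
"""


def parse_ldif(text):
    """Parse LDIF text into a list of entries (dict attr -> list of values).

    Handles folded continuation lines (leading space), '::' base64 values,
    '#' comment lines and blank-line entry separators.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # continuation of the previous line
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue  # not an attribute line
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.strip(), []).append(value)
    return entries


def check_account(entry):
    """Return a list of problems for one entry; an empty list means it looks fine."""
    problems = []
    classes = set(entry.get("objectClass", []))
    for oc, attrs in REQUIRED_ATTRS.items():
        if oc in classes:
            for attr in attrs:
                if attr not in entry:
                    problems.append(f"{oc} present but {attr} missing")
    # A Samba-only entry is invisible to NSS, so getent passwd will not list it.
    if "sambaSamAccount" in classes and "posixAccount" not in classes:
        problems.append("no posixAccount: NSS/getent cannot resolve this account")
    # Samba marks a disabled account with the D flag in sambaAcctFlags.
    flags = entry.get("sambaAcctFlags", [""])[0]
    if "D" in flags:
        problems.append("sambaAcctFlags has D: account is disabled")
    return problems


def audit(ldif_text):
    """Map each entry's dn to its list of problems."""
    return {e["dn"][0]: check_account(e) for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF).items():
        print(dn, "->", problems or "ok")
```

Run it against real data with the output of slapcat or ldapsearch -LLL (read with sys.stdin.read() in place of SAMPLE_LDIF) and every entry flagged "no posixAccount" is one that Samba can authenticate but that getent, PAM and the workstation join will never see; the fix is adding posixAccount and its attributes rather than padding /etc/passwd.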


