[Samba] Problems ldap authentication for Samba 3.5.11-2-1
rlvcosta
rlvcosta at hotmail.com
Fri Apr 27 20:53:19 MDT 2012
Samba team,
I'm having some problems getting a Windows XP client (I believe all systems
could have the same issue) to use LDAP authentication with Samba.
This is a native OpenFiler configuration with a local LDAP server for Samba
shares. The problem is that the share is never authenticated, and my
suspicion is about sambaSID.
Basically I created a test user called "rlvcosta". This user was created in
LDAP as:
dn: uid=rlvcosta,ou=People,dc=flores,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
homeDirectory: /dev/null
loginShell: /bin/false
cn: rlvcosta
givenName: rlvcosta
sn: rlvcosta
uid: rlvcosta
uidNumber: 500
gidNumber: 9126
sambaSID: S-1-5-21-1299536883-3844537390-917088389-1001
This appears to be ok. Although when I take a tcpdump trace I see:
Lightweight Directory Access Protocol
LDAPMessage searchRequest(161) "dc=flores,dc=com" wholeSubtree
messageID: 161
protocolOp: searchRequest (3)
searchRequest
baseObject: dc=flores,dc=com
scope: wholeSubtree (2)
derefAliases: neverDerefAliases (0)
sizeLimit: 0
timeLimit: 15
typesOnly: False
Filter:
(&(sambaSID=S-1-5-21-1299536883-3844537390-917088389-513)(objectclass=sambaSamAccount))
filter: and (0)
and:
(&(sambaSID=S-1-5-21-1299536883-3844537390-917088389-513)(objectclass=sambaSamAccount))
and: 2 items
Filter:
(sambaSID=S-1-5-21-1299536883-3844537390-917088389-513)
and item: equalityMatch (3)
equalityMatch
attributeDesc: sambaSID
assertionValue:
S-1-5-21-1299536883-3844537390-917088389-513
Filter: (objectclass=sambaSamAccount)
and item: equalityMatch (3)
equalityMatch
attributeDesc: objectclass
assertionValue: sambaSamAccount
attributes: 38 items
AttributeDescription: uid
AttributeDescription: uidNumber
AttributeDescription: gidNumber
AttributeDescription: homeDirectory
AttributeDescription: sambaPwdLastSet
AttributeDescription: sambaPwdCanChange
AttributeDescription: sambaPwdMustChange
AttributeDescription: sambaLogonTime
AttributeDescription: sambaLogoffTime
AttributeDescription: sambaKickoffTime
AttributeDescription: cn
AttributeDescription: sn
AttributeDescription: displayName
AttributeDescription: sambaHomeDrive
AttributeDescription: sambaHomePath
AttributeDescription: sambaLogonScript
AttributeDescription: sambaProfilePath
AttributeDescription: description
AttributeDescription: sambaUserWorkstations
AttributeDescription: sambaSID
AttributeDescription: sambaPrimaryGroupSID
AttributeDescription: sambaLMPassword
AttributeDescription: sambaNTPassword
AttributeDescription: sambaDomainName
AttributeDescription: objectClass
AttributeDescription: sambaAcctFlags
AttributeDescription: sambaMungedDial
AttributeDescription: sambaBadPasswordCount
AttributeDescription: sambaBadPasswordTime
AttributeDescription: sambaPasswordHistory
AttributeDescription: modifyTimestamp
AttributeDescription: sambaLogonHours
AttributeDescription: modifyTimestamp
AttributeDescription: uidNumber
AttributeDescription: gidNumber
AttributeDescription: homeDirectory
AttributeDescription: loginShell
AttributeDescription: gecos
Note that in the LDAP DB the rlvcosta sambaSID is supposed to be
S-1-5-21-1299536883-3844537390-917088389-1001. But the search made by
Samba uses the suffix 513 instead of 1001. Samba receives the request from
the client correctly, but it looks like it doesn't map the search correctly
to the LDAP server.
I could not understand from the tcpdump trace the dynamics of Samba
authentication with LDAP. The LDAP has the correct structure but the search
from Samba doesn't create the correct sambaSID.
My understanding would be that Samba searches for the sambaSID prefix, like
below, and then suffixes it with the user. But I'm not sure how it does it or
if there is a bug in Samba.
dn: sambaDomainName=CACTO,dc=flores,dc=com
sambaDomainName: CACTO
sambaSID: S-1-5-21-1299536883-3844537390-917088389
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
Do you have any comments? Is there any documentation about the detailed LDAP
authentication used by Samba?
In the end I can only make shares available using public guest access, not
controlled access.
--
View this message in context: http://samba.2283325.n4.nabble.com/Problems-ldap-authentication-for-Samba-3-5-11-2-1-tp4594155p4594155.html
Sent from the Samba - General mailing list archive at Nabble.com.
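The SIDs in the post can be checked mechanically. The following script is an added example, not code from the original post or from the Samba project. It parses the two LDIF entries quoted above, splits each SID into the domain prefix and the relative ID (RID), and applies Samba 3's algorithmic fallback mapping, documented under `algorithmic rid base` in smb.conf(5): user RID = 2 * uid + base, group RID = 2 * gid + base + 1. It also names the well-known Windows RIDs, of which 513 is "Domain Users". The names `parse_ldif`, `describe_sid`, `check_account` and `analyse`, the sample LDIF strings (copied from the post) and the trace SID constant are this example's own; the example also assumes, for its primary-group note, that an ldapsam account with no `sambaPrimaryGroupSID` attribute is treated by Samba 3 as a member of Domain Users (RID 513).

```python
"""Decode sambaSID values from an ldapsam LDIF dump and a packet trace.

Added example (not from the post or from Samba): shows how a domain SID and a
RID compose, which RIDs Samba 3's algorithmic fallback would derive for the
posted uid/gid, and what the RID 513 seen in the trace means.
"""

# Well-known domain-relative RIDs fixed by Windows and used unchanged by Samba.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}

# Sample input: the two entries quoted in the post (constructed test data).
USER_LDIF = """\
dn: uid=rlvcosta,ou=People,dc=flores,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: rlvcosta
uidNumber: 500
gidNumber: 9126
sambaSID: S-1-5-21-1299536883-3844537390-917088389-1001
"""

DOMAIN_LDIF = """\
dn: sambaDomainName=CACTO,dc=flores,dc=com
sambaDomainName: CACTO
sambaSID: S-1-5-21-1299536883-3844537390-917088389
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
"""

DOMAIN_SID = "S-1-5-21-1299536883-3844537390-917088389"
# The SID Samba searched for in the posted tcpdump trace.
TRACE_SID = DOMAIN_SID + "-513"


def parse_ldif(text):
    """Parse a minimal LDIF entry into {attribute: [values]}.

    Only the plain 'attr: value' form is handled (no base64 '::', no line
    folding), which is all the posted dump uses.
    """
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID)."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def algorithmic_user_rid(uid, base=1000):
    """Samba 3 fallback mapping: user RID = 2 * uid + algorithmic rid base."""
    return 2 * uid + base


def algorithmic_group_rid(gid, base=1000):
    """Samba 3 fallback mapping: group RID = 2 * gid + algorithmic rid base + 1."""
    return 2 * gid + base + 1


def describe_sid(sid, domain_sid):
    """Explain a SID from a trace relative to this domain's sambaSID."""
    prefix, rid = split_sid(sid)
    if prefix != domain_sid:
        return "foreign SID (prefix %s is not this domain)" % prefix
    if rid in WELL_KNOWN_RIDS:
        return "well-known RID %d = %s" % (rid, WELL_KNOWN_RIDS[rid])
    return "domain-local RID %d" % rid


def check_account(entry, domain):
    """Return observations about a sambaSamAccount entry against its domain."""
    domain_sid = domain["sambaSID"][0]
    base = int(domain.get("sambaAlgorithmicRidBase", ["1000"])[0])
    uid = int(entry["uidNumber"][0])
    gid = int(entry["gidNumber"][0])
    prefix, rid = split_sid(entry["sambaSID"][0])
    notes = []
    if prefix != domain_sid:
        notes.append("sambaSID prefix %s does not match domain %s" % (prefix, domain_sid))
    expected = algorithmic_user_rid(uid, base)
    if rid != expected:
        notes.append("RID %d is explicit, not algorithmic (uid %d would map to "
                     "RID %d with base %d)" % (rid, uid, expected, base))
    if "sambaPrimaryGroupSID" not in entry:
        # Assumption of this example: Samba 3 treats such an account as a
        # member of Domain Users, which is the RID 513 seen in the trace.
        notes.append("no sambaPrimaryGroupSID; assumed primary group %s-513 "
                     "(Domain Users)" % domain_sid)
    notes.append("gidNumber %d would map algorithmically to %s-%d"
                 % (gid, domain_sid, algorithmic_group_rid(gid, base)))
    return notes


def analyse():
    """Run the checks over the posted entries and return the observations."""
    return check_account(parse_ldif(USER_LDIF), parse_ldif(DOMAIN_LDIF))


if __name__ == "__main__":
    print("trace SID:", describe_sid(TRACE_SID, DOMAIN_SID))
    for note in analyse():
        print("-", note)
```

Run it and the trace SID resolves to the well-known Domain Users RID rather than to the user's own RID 1001, so the search in the capture is a lookup of the account's primary group, not a mis-built user SID. The account note also shows that RID 1001 is an explicitly assigned value (the algorithmic mapping would give 2000 for uid 500), which ldapsam accepts because it resolves uid to SID by searching the directory rather than by arithmetic.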