[Samba] Problems ldap authentication for Samba 3.5.11-2-1

Rodrigo Costa rlvcosta at hotmail.com
Sat Apr 28 09:16:23 MDT 2012


Hi Christian,



The attributes I sent were just a glance of the user profile. The complete one can be seen below:



dn: uid=rlvcosta,ou=People,dc=flores,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
homeDirectory: /dev/null
loginShell: /bin/false
cn: rlvcosta
givenName: rlvcosta
sn: rlvcosta
uid: rlvcosta
uidNumber: 500
gidNumber: 9126
sambaSID: S-1-5-21-1299536883-3844537390-917088389-1001
displayName: rlvcosta
sambaNTPassword: 2D20D252A479F485CDF5E171D93985BF
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaAcctFlags: [U          ]
sambaPwdLastSet: 1335551014
userPassword:: ...



I believe it's completed. I will take a look at the howto to confirm it.



In any case I was confused about how the sambaSID suffix is included. By
the LDAP search with filters for a user with the correct sambaSID I was
expecting some sort of previous search from Samba to LDAP, for example
for SID. The suffix would come from somewhere else like passwd or
smbpasswd.



Or maybe the dynamics are different and I'm not sure if this information is included in Howto, since it is a design information.



Best Regards,



Rodrigo.

To: rlvcosta at hotmail.com
Subject: Re: [Samba] Problems ldap authentication for Samba 3.5.11-2-1
From: christian.rost at rocon-it.de
Date: Sat, 28 Apr 2012 09:21:15 +0200
CC: samba at lists.samba.org

Hi rlvcosta,



the official samba howto provides all the information you are looking for. IMHO the LDAP user profile is incomplete, because necessary attributes are missing. 



So check out the howto and search for LDAP and/ or go to the section concerning Domain Backup.



Cheers



Christian



Sent from my iPod



On 28.04.2012 at 04:53, rlvcosta wrote:



> Samba team,

> 

> I'm having some problems to have a client Windows XP, I believe all systems

> could have the same issue, using Ldap authentication with Samba.

> 

> This is a native OpenFiler configuration with a local LDAP server for Samba

> shares. The problem is that sharing is never authenticated, and my
> suspicion is about sambaSID.

> 

> Basically I create a test user called "rlvcosta". This user was created into

> LDAP as :

> 

> dn: uid=rlvcosta,ou=People,dc=flores,dc=com
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: sambaSamAccount
> homeDirectory: /dev/null
> loginShell: /bin/false
> cn: rlvcosta
> givenName: rlvcosta
> sn: rlvcosta
> uid: rlvcosta
> uidNumber: 500
> gidNumber: 9126
> sambaSID: S-1-5-21-1299536883-3844537390-917088389-1001

> 

> This appears to be ok. Although when I take a tcpdump trace I see:

> 

> Lightweight Directory Access Protocol
> LDAPMessage searchRequest(161) "dc=flores,dc=com" wholeSubtree
> messageID: 161
> protocolOp: searchRequest (3)
> searchRequest
> baseObject: dc=flores,dc=com
> scope: wholeSubtree (2)
> derefAliases: neverDerefAliases (0)
> sizeLimit: 0
> timeLimit: 15
> typesOnly: False
> Filter:
> (&(sambaSID=S-1-5-21-1299536883-3844537390-917088389-513)(objectclass=sambaSamAccount))
> filter: and (0)
> and:
> (&(sambaSID=S-1-5-21-1299536883-3844537390-917088389-513)(objectclass=sambaSamAccount))
> and: 2 items
> Filter:
> (sambaSID=S-1-5-21-1299536883-3844537390-917088389-513)
> and item: equalityMatch (3)
> equalityMatch
> attributeDesc: sambaSID
> assertionValue:
> S-1-5-21-1299536883-3844537390-917088389-513
> Filter: (objectclass=sambaSamAccount)
> and item: equalityMatch (3)
> equalityMatch
> attributeDesc: objectclass
> assertionValue: sambaSamAccount
> attributes: 38 items
> AttributeDescription: uid
> AttributeDescription: uidNumber
> AttributeDescription: gidNumber
> AttributeDescription: homeDirectory
> AttributeDescription: sambaPwdLastSet
> AttributeDescription: sambaPwdCanChange
> AttributeDescription: sambaPwdMustChange
> AttributeDescription: sambaLogonTime
> AttributeDescription: sambaLogoffTime
> AttributeDescription: sambaKickoffTime
> AttributeDescription: cn
> AttributeDescription: sn
> AttributeDescription: displayName
> AttributeDescription: sambaHomeDrive
> AttributeDescription: sambaHomePath
> AttributeDescription: sambaLogonScript
> AttributeDescription: sambaProfilePath
> AttributeDescription: description
> AttributeDescription: sambaUserWorkstations
> AttributeDescription: sambaSID
> AttributeDescription: sambaPrimaryGroupSID
> AttributeDescription: sambaLMPassword
> AttributeDescription: sambaNTPassword
> AttributeDescription: sambaDomainName
> AttributeDescription: objectClass
> AttributeDescription: sambaAcctFlags
> AttributeDescription: sambaMungedDial
> AttributeDescription: sambaBadPasswordCount
> AttributeDescription: sambaBadPasswordTime
> AttributeDescription: sambaPasswordHistory
> AttributeDescription: modifyTimestamp
> AttributeDescription: sambaLogonHours
> AttributeDescription: modifyTimestamp
> AttributeDescription: uidNumber
> AttributeDescription: gidNumber
> AttributeDescription: homeDirectory
> AttributeDescription: loginShell
> AttributeDescription: gecos

> 

> See that by the LDAP DB the rlvcosta sambaSID is supposed to be
> S-1-5-21-1299536883-3844537390-917088389-1001. But the search made from
> Samba uses the suffix 513 instead of 1001. Samba receives the
> request from the client appropriately but looks like it doesn't map the search to the
> LDAP server correctly.

> 

> I could not understand by the tcpdump trace the dynamic from Samba

> authentication with LDAP. The LDAP has the correct structure but the search

> from Samba doesn't create the correct sambaSID.

> 

> My understanding would be that Samba searches the sambaSID prefix, like below,
> and then suffixes it with the user. But I am not sure how it does it or if there is a bug
> in Samba.

> 

> dn: sambaDomainName=CACTO,dc=flores,dc=com
> sambaDomainName: CACTO
> sambaSID: S-1-5-21-1299536883-3844537390-917088389
> sambaAlgorithmicRidBase: 1000
> objectClass: sambaDomain

> 

> Do you have any comments? Is there any documentation about detailed ldap

> authentication used by Samba?

> 

> In the end I can only make shares available using Public guest access, not

> controlled access.

> 

> 

> 

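The capture above shows Samba asking the directory for an entry whose sambaSID ends in RID 513, which is the well-known Domain Users RID, while the only user entry carries RID 1001 and has no sambaPrimaryGroupSID even though that attribute is in the capture's request list. The following script is an added example written for this thread (it is not Samba code and does not reproduce Samba's passdb logic): it takes the two LDIF entries quoted in the posts as constructed sample data, evaluates the captured filter `(&(sambaSID=...-513)(objectclass=sambaSamAccount))` against them, splits each SID into its domain prefix and RID, and lists which of the attributes Samba requested are absent from the user entry. The `REQUESTED` subset of the capture's attribute list and the `WELL_KNOWN_RIDS` table are my own additions.

```python
"""Reconcile a captured Samba SID lookup against the LDAP entries it should hit.

Added example for the thread above; not Samba's own code. It parses LDIF,
splits SIDs into domain prefix + RID and evaluates the captured filter, so the
reader can see why the search in the tcpdump trace returns no entry.
"""
import re

# Well-known domain RIDs (stable across Samba/Windows domains).
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

# Subset of the 38 attributes Samba asked for in the captured searchRequest.
REQUESTED = ("sambaSID", "sambaPrimaryGroupSID", "sambaNTPassword",
             "sambaAcctFlags", "sambaPwdLastSet")

# Constructed sample: the user and domain entries quoted in the thread.
SAMPLE_LDIF = """\
dn: uid=rlvcosta,ou=People,dc=flores,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
homeDirectory: /dev/null
loginShell: /bin/false
cn: rlvcosta
uid: rlvcosta
uidNumber: 500
gidNumber: 9126
sambaSID: S-1-5-21-1299536883-3844537390-917088389-1001
sambaNTPassword: 2D20D252A479F485CDF5E171D93985BF
sambaAcctFlags: [U          ]
sambaPwdLastSet: 1335551014

dn: sambaDomainName=CACTO,dc=flores,dc=com
sambaDomainName: CACTO
sambaSID: S-1-5-21-1299536883-3844537390-917088389
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
"""


def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries, ' ' folds lines.

    Attribute names are lower-cased so lookups are case-insensitive, as in LDAP.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # folded continuation line
            else:
                lines.append(line)
        attrs = {}
        for line in lines:
            key, _, value = line.partition(":")
            if value.startswith(":"):          # 'attr:: <base64>' form
                value = value[1:]
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries.append(attrs)
    return entries


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain prefix, RID as int)."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def has_objectclass(entry, objectclass):
    return any(oc.lower() == objectclass.lower() for oc in entry.get("objectclass", []))


def matches(entry, sid, objectclass):
    """Evaluate the captured filter (&(sambaSID=sid)(objectclass=objectclass))."""
    return sid in entry.get("sambasid", []) and has_objectclass(entry, objectclass)


def diagnose(ldif_text, searched_sid):
    """Explain what the captured search would and would not find in the directory."""
    entries = parse_ldif(ldif_text)
    domain = next(e for e in entries if has_objectclass(e, "sambaDomain"))
    domain_sid = domain["sambasid"][0]
    prefix, rid = split_sid(searched_sid)
    report = {
        "searched_rid": rid,
        "rid_is_well_known": WELL_KNOWN_RIDS.get(rid),
        "prefix_matches_domain": prefix == domain_sid,
        "matching_user_entries": [e["dn"][0] for e in entries
                                  if matches(e, searched_sid, "sambaSamAccount")],
        "users": [],
    }
    for e in entries:
        if not has_objectclass(e, "sambaSamAccount"):
            continue
        uprefix, urid = split_sid(e["sambasid"][0])
        report["users"].append({
            "dn": e["dn"][0],
            "rid": urid,
            "in_domain": uprefix == domain_sid,
            "missing_requested": [a for a in REQUESTED if a.lower() not in e],
        })
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(diagnose(SAMPLE_LDIF,
                              "S-1-5-21-1299536883-3844537390-917088389-513"), indent=2))
```

Run against the posted entries, the report shows the searched prefix does match the domain's sambaSID, the RID is the well-known Domain Users RID, no sambaSamAccount entry carries it, and the user entry lacks sambaPrimaryGroupSID from the requested list. The same parser can be pointed at a real `ldapsearch -LLL` dump of the suffix to run the check against a live directory before concluding that Samba itself is at fault.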