[Samba] Local account login failed when samba join to LDAP

Johnson Cheng Johnson.Cheng at QsanTechnology.com
Mon Mar 31 23:57:07 MDT 2014


Dear Steve,

I am not sure if I get your point.
Does "ldap can hold all the information in just one db" mean it doesn't work when I have two DBs, tdbsam and ldapsam?

When Samba 3 joins AD, it can work with both local accounts and AD accounts. Why can LDAP only support one DB?

Regards,
Johnson


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of steve
Sent: Monday, March 31, 2014 8:34 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Local account login failed when samba join to LDAP

On Mon, 2014-03-31 at 08:43 +0100, Rowland Penny wrote:
> On 31/03/14 06:18, Johnson Cheng wrote:
> > Dear Mario,
> >
> > Yes. If we can export local accounts to the ldap server, I think it should work when the backend is set to the ldap server (passdb backend = ldapsam:ldap://192.168.8.143).
> > How do I export local accounts to the ldap server? Just create the accounts on the ldap server manually?
> >
> >
> > Regards,
> > Johnson
> >
> > From: FC Mario Patty [mailto:fcmario76 at gmail.com]
> > Sent: Sunday, March 30, 2014 12:08 AM
> > To: Johnson Cheng
> > Cc: samba at lists.samba.org
> > Subject: Re: [Samba] Local account login failed when samba join to LDAP
> >
> > Johnson, my previous comment about pam, I think it has nothing to do with samba share, so you have to choose which backend you want to use. In this case, you should export your local account to ldap too. I don't know whether we can use tdbsam and ldap simultaneously.
> >
> > On Thu, Mar 27, 2014 at 9:32 AM, Johnson Cheng <Johnson.Cheng at qsantechnology.com> wrote:
> > Dear Mario,
> >
> > Whether I set "domain logons = yes" or not, the results are the same.
> > In addition, whether I use PAM ("obey pam restrictions = yes") or not, the results are the same.
> > I don't know where the problem is.
> >
> > Regards,
> > Johnson
> >
> > From: FC Mario Patty [mailto:fcmario76 at gmail.com]
> > Sent: Wednesday, March 26, 2014 11:44 PM
> > To: Johnson Cheng
> > Cc: samba at lists.samba.org
> > Subject: Re: [Samba] Local account login failed when samba join to LDAP
> >
> > Johnson,
> > Is this a samba pdc or file server? A file server doesn't need the "domain logons = yes" parameter. I'm going to check my configuration tomorrow, as I'm at home right now. I believe it has something to do with pam.
> >
> > # Switching passdb backend from ldap to tdbsam will surely bring back your local samba accounts - that's where your local accounts live; wbinfo will give you nothing unless you configured samba to be one and you got winbind running.
> >
> > On Fri, Mar 21, 2014 at 4:53 PM, Johnson Cheng <Johnson.Cheng at qsantechnology.com> wrote:
> > Dears,
> >
> > My samba version is 3.6.4.
> > I have a problem working with an OpenLDAP server. When samba joins the OpenLDAP server, my local account can NOT log in to samba anymore; only LDAP accounts can log in.
> > When my samba comes back to standalone, the local account is OK. Did I miss something?
> >
> > The following are my configuration files; I list the relevant part of them.
> >
> > smb.conf
> > server string = "Samba Server"
> > workgroup = WORKGROUP
> > security = user
> > obey pam restrictions = yes
> > passdb backend = ldapsam:ldap://192.168.8.143
> > ldap admin dn = cn=admin, dc=ff,dc=com
> > ldap suffix = dc=ff,dc=com
> > domain logons = yes
> > ldap ssl = off
> > ldap passwd sync = yes
> > ldap group suffix = ou=Groups
> > ldap user suffix = ou=Users
> > ldap machine suffix = ou=Machines
> > ldap delete dn = yes
> >
> > nslcd.conf
> > uid admin
> > gid Administrator_Group
> > uri ldap://192.168.8.143
> > base dc=ff,dc=com
> >
> > /etc/nsswitch.conf
> > passwd: files ldap
> > group:  files ldap
> > shadow: files ldap
> >
> > /etc/pam.d/samba
> > auth    sufficient      /usr/lib/security/pam_ldap.so
> > auth    sufficient      /usr/lib/security/pam_unix.so
> > account sufficient      /usr/lib/security/pam_ldap.so
> > account sufficient      /usr/lib/security/pam_unix.so
> > session sufficient      /usr/lib/security/pam_ldap.so
> > session sufficient      /usr/lib/security/pam_unix.so
> >
> > I can use an LDAP account to log in to samba via the command below,
> > smbclient -L 192.168.8.75 -U kevin2%123456123456
> >
> > But when I use a local account to log in to samba via smbclient, it reports "session setup failed: NT_STATUS_LOGON_FAILURE"
> > smbclient -L 192.168.8.75 -U qq%qq
> >
> > One interesting thing is that when I change "passdb backend = ldapsam:ldap://192.168.8.143" to "passdb backend = tdbsam", the local account can log in to samba but the LDAP account will fail to log in.
> > Below is the samba debug output,
> > [2014/03/21 17:44:25.780867,  5] lib/smbldap.c:1439(smbldap_search_ext)
> >    smbldap_search_ext: base => [dc=ff,dc=com], filter => [(&(uid=qq)(objectclass=sambaSamAccount))], scope => [2]
> > [2014/03/21 17:44:25.781685,  4] passdb/pdb_ldap.c:1581(ldapsam_getsampwnam)
> >    ldapsam_getsampwnam: Unable to locate user [qq] count=0
> > [2014/03/21 17:44:25.781846,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
> >    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2014/03/21 17:44:25.781931,  3] auth/check_samsec.c:399(check_sam_security)
> >    check_sam_security: Couldn't find user 'qq' in passdb.
> > [2014/03/21 17:44:25.782108,  5] auth/auth.c:271(check_ntlm_password)
> >    check_ntlm_password: sam authentication for user [qq] FAILED with error NT_STATUS_NO_SUCH_USER
> > [2014/03/21 17:44:25.782213, 10] auth/auth_winbind.c:50(check_winbind_security)
> >    Check auth for: [qq]
> > [2014/03/21 17:44:25.782293,  3] auth/auth_winbind.c:60(check_winbind_security)
> >    check_winbind_security: Not using winbind, requested domain [WORKGROUP] was for this SAM.
> > [2014/03/21 17:44:25.782372, 10] auth/auth.c:259(check_ntlm_password)
> >    check_ntlm_password: winbind had nothing to say
> > [2014/03/21 17:44:25.787728,  2] auth/auth.c:334(check_ntlm_password)
> >    check_ntlm_password:  Authentication for user [qq] -> [qq] FAILED with error NT_STATUS_NO_SUCH_USER
> > [2014/03/21 17:44:25.787936,  3] smbd/error.c:81(error_packet_set)
> >    error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> >
> >
> > Any suggestion will be appreciated.
> >
> > Regards,
> > Johnson
> >
> >
> >
> Hi, with samba3, users have to exist both in ldap and locally, same username & password. Your problem is that user 'qq' does not seem to be an ldap user so cannot auth against ldap.

Hi
Ooo, can we check that? With tdb you need both local and samba users but ldap can hold all the information in just one db.
Cheers
 

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
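As an added diagnostic, not code from the thread or from Samba, the script below reads the passdb backend out of smb.conf and pulls the failed SAM lookup out of the level 4/5 debug lines quoted above, which makes the cause of the NT_STATUS_LOGON_FAILURE for 'qq' explicit: the only configured backend is ldapsam, its search for a sambaSamAccount with uid=qq returns nothing, and a user that exists only in /etc/passwd or passdb.tdb is never consulted. The sample log and smb.conf fragment are constructed from the thread's own lines and assume log level 4 or higher.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread: read the passdb backend from
# smb.conf and pull failed SAM lookups out of a Samba 3 debug log
# (log level >= 4). With a single ldapsam backend, an account that exists
# only in /etc/passwd or passdb.tdb is never found, hence NO_SUCH_USER.

# Constructed sample log, shortened from the lines quoted in the thread.
SAMPLE_LOG='[2014/03/21 17:44:25.780867,  5] lib/smbldap.c:1439(smbldap_search_ext)
   smbldap_search_ext: base => [dc=ff,dc=com], filter => [(&(uid=qq)(objectclass=sambaSamAccount))], scope => [2]
[2014/03/21 17:44:25.781685,  4] passdb/pdb_ldap.c:1581(ldapsam_getsampwnam)
   ldapsam_getsampwnam: Unable to locate user [qq] count=0
[2014/03/21 17:44:25.782108,  5] auth/auth.c:271(check_ntlm_password)
   check_ntlm_password: sam authentication for user [qq] FAILED with error NT_STATUS_NO_SUCH_USER'

# Constructed smb.conf fragment with the backend line from the thread.
SAMPLE_SMBCONF='[global]
   workgroup = WORKGROUP
   passdb backend = ldapsam:ldap://192.168.8.143'

# Print the configured passdb backend name without its ':' argument.
passdb_backend() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*passdb backend[[:space:]]*=[[:space:]]*\([^:[:space:]]*\).*/\1/p'
}

# Print "user=<name> backend=ldapsam filter=<search filter>" for every
# account ldapsam could not find; the filter comes from the preceding
# smbldap_search_ext line, the miss from count=0 in ldapsam_getsampwnam.
missing_sam_accounts() {
  printf '%s\n' "$1" | awk '
    /smbldap_search_ext:.*filter => / {
      sub(/.*filter => \[/, ""); sub(/], scope.*/, ""); filter = $0
    }
    /ldapsam_getsampwnam: Unable to locate user/ {
      sub(/.*Unable to locate user \[/, ""); sub(/].*/, "")
      print "user=" $0 " backend=ldapsam filter=" filter
    }'
}

# Print "<user> <NT_STATUS>" for the SAM authentication verdict.
sam_auth_status() {
  printf '%s\n' "$1" |
    sed -n 's/.*sam authentication for user \[\([^]]*\)] FAILED with error \(NT_STATUS_[A-Z_]*\).*/\1 \2/p'
}

echo "passdb backend: $(passdb_backend "$SAMPLE_SMBCONF")"
missing_sam_accounts "$SAMPLE_LOG"
sam_auth_status "$SAMPLE_LOG"
```

Run it against a real smb.conf and a log captured with log level = 4 to see the same three facts for any account that gets NT_STATUS_LOGON_FAILURE.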

