[Samba] user authentication issue
rowlandpenny at googlemail.com
Sat Apr 18 11:00:28 MDT 2015
On 18/04/15 17:17, Itamar Gal wrote:
> Hey Rowland,
> Thank you so much for your help and patience.
> OK, just a few questions based on what is in your smb.conf, which
> seems to show that it is running as an NT-4 style PDC.
> That's consistent with my understanding.
> passdb backend = ldapsam:"ldap://hosturl"
> I take it that 'hosturl' is the fqdn of the machine that samba is
> running on.
> Yeah, sorry. I anonymized some of the parameters in order to
> (hopefully) comply with policy. I'll take this opportunity to
> apologize for all past and future clumsiness.
No, it is not a problem, I was just checking that ldap was running on
the same machine as samba, so there is no apology needed.
> ldap suffix = o=org
> Is this correct ?? I would expect something like 'dc=example,dc=com'
> Actually, yes. Moreover, there is no line of the form
> 'dc=example,dc=com' anywhere in the file.
> unix password sync = no
> This means that there is no sync between samba and local unix
> users i.e. they can have different passwords!
> Yeah, that directive is brutally intuitive; it's funny what total
> intellectual disorientation causes me to view with suspicion. I was
> thinking that it was possible that some other directive might have a
> side effect that overrides the 'unix password sync' directive.
Got to be honest here, I have never seen an ldap with a root of 'o=org',
but if that is what is in ldap, you will just have to work with it.
> logon home = \\%N\%U
> %N means 'replace this with the name of your NIS home directory
> Do you have a NIS home directory server ?
> If not (and samba as been compiled in the right way) this could
> also mean the NetBIOS name of the server, in which case it may be
> better to just set this to NetBIOS name.
> I don't believe that there is a NIS home directory server running.
> I've replaced "logon home = \\%N\%U" with "logon home = \\%L\%U";
> thanks for the pointer.
> map to guest = bad user
> There doesn't seem to be much point to this because all the shares
> have this: 'guest ok = no'
> Got it.
> As is, your users need to exist, but if they don't, they get
> mapped to nobody and can see the shares, but because 'guest ok =
> no' is set on the shares, they cannot do anything.
> Ah. Ok, I think I understand, sort of. However I'm still required to
> authenticate using the user's Samba password (set via smbpasswd) in
> order to view the shares. Is that consistent with the user being
> mapped to nobody?
No, change the line 'unix password sync = no' to 'unix password sync =
yes', restart samba, then as root run 'smbpasswd -a <username>' this
should set the users password for the samba and local unix user, this
user should then be able to connect to the shares.
> I'm also still unclear on why Samba doesn't see the user; the user
> appears in the list generated by 'pdbedit -L', for instance. What gives?
> Thanks again for your help!
More information about the samba