[Samba] samba with customized ldap backend

Arun Gupta arung at cdac.in
Mon Nov 7 13:00:51 UTC 2016


Sir,

As you said, Samba normally sets uid=Username and not the uidNumber.
Here, due to some requirement, we have configured ldap with dn uid="user's emp
id", and it is working very well with all the services like nagios
anonymous authentication, ssh, smtp, imap authentication, rdesktop, meaning
all the possible services, but I am very badly stuck with samba
authentication.

For example, I have created the ldif below with uid='user's empid':

dn: uid=102220,ou=People,dc=pn,ou=User,dc=cdac,dc=in
empID: 102220
username: micki
cn: Demo Account
centre: PN
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
oldempid: 2220
mail: micki at cdac.in
givenName: Demo Accoung
shadowLastChange: 15587
loginShell: /bin/bash
uidNumber: 5345
gidNumber: 5345
homeDirectory: /mbox1.1/micki
userPassword:: {SSHA256}v7vlA8YYjJ27IbPQQa8eaChdHFcpu6EGYWxZH1O7w13ZocmtLTb9nw==
sambaPwdLastSet: 1473165911
sambaLMPassword: 7e58f6a33f8b3ef68ef354180a3a1da7
sambaSID: S-1-5-21-4079184197-2446238136-3299756537-1008
sambaAcctFlags: [UX         ]
sambaNTPassword: 0242A7FEC5CD294F916925766089E573
uid: 102220
description: Unix

## pdbedit -L -v -u 102220
-----------------------------
Unix username:        102220
NT username:          102220
Account Flags:        [UX         ]
User SID:             S-1-5-21-4079184197-2446238136-3299756537-1008
Finding user 102220
Trying _Get_Pwnam(), username as lowercase is 102220
Checking combinations of 0 uppercase letters in 102220
Get_Pwnam_internals didn't find user [102220]!
Primary Group SID:    (NULL SID)
Full Name:            Demo Account
Home Directory:       \\report\102220
HomeDir Drive:
Logon Script:
Profile Path:         \\report\102220\profile
Domain:               REPORT
Account desc:         Unix
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Tue, 06 Sep 2016 18:15:11 IST
Password can change:  Tue, 06 Sep 2016 18:15:11 IST
Password must change: Tue, 19 Jan 2038 08:44:07 IST
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
----------------------

Here the Unix username found is 102220, and I am able to authenticate by uid
(102220) instead of username (micki). If we can customize the search pattern
somewhere in samba, I am sure my goal will be complete; for that, kindly give
me some suggestions.

Regards
Arun

On Wed, 12 Oct 2016, L.P.H. van Belle wrote:

> Your error.
>
>>>             dn: uid=102220,ou=User,dc=example,dc=com
>>>             uid: 102220
>>>             username: test1
>
> Samba normally sets uid=Username and not the uidNumber.
> First find why you have uid=Number and not uid=Username.
>
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Arun Gupta via
>> samba
>> Sent: Wednesday 12 October 2016 11:56
>> To: mathias dufresne
>> CC: samba
>> Subject: Re: [Samba] samba with customized ldap backend
>>
>>
>> Sir,
>>
>>
>>   No AD, that's some NT4 domain.
>> Yes, it has no AD
>>
>> - No Winbind because Winbind is using sAMAccountName as user login and
>> not UID.
>> --> Not configured
>>
>>> - Issue happens on Linux or UNIX clients.
>> On both client
>>
>>
>> I am using sssd and pam_ldap for user retrieval and modified
>> pam_login_attribute (pam_ldap.conf file) to username instead of uid (the
>> default value), so I am very well able to authenticate with many services
>> like ssh, smtp auth etc., but in the samba case it is trying to contact
>> uid='numeric value' instead of username=test1.
>>
>> I think somewhere in configuration, we may define username attribute
>> instead of uid which is samba configured.
>>
>> Regards,
>> Arun
>>
>>
>>
>>
>> On Wed, 12 Oct 2016, mathias dufresne wrote:
>>
>>> I have to assume much, I'll try. So...
>>> - No AD, that's some NT4 domain.
>>> - No Winbind because Winbind is using sAMAccountName as user login and not UID.
>>> - Issue happens on Linux or UNIX clients.
>>>
>>>
>>> The question is what tool (SSSD, pam_ldap / nss_ldap, nslcd...) are you
>>> using to retrieve information from LDAP to forge users on system side.
>>>
>>> Once you get an answer to this previous question check how to configure
>>> that tool to tell it that uid is uid and login. Most of them can do that.
>>>
>>> 2016-10-12 7:30 GMT+02:00 Arun Gupta via samba <samba at lists.samba.org>:
>>>       Sir,
>>>
>>>       Please help me out
>>>
>>>       Regards,
>>>       Arun
>>>
>>>       On Tue, 4 Oct 2016, Arun Gupta wrote:
>>>
>>>             Dear All,
>>>
>>>             I have configured ldap with uid='some numeric' instead of uid=username
>>>
>>>             like that;
>>>
>>>             dn: uid=102220,ou=User,dc=example,dc=com
>>>             uid: 102220
>>>             username: test1
>>>             cn: Test Account
>>>             objectClass: inetOrgPerson
>>>             objectClass: posixAccount
>>>             objectClass: top
>>>             objectClass: shadowAccount
>>>             objectClass: sambaSamAccount
>>>             mail: test1 at cdac.in
>>>             shadowLastChange: 15587
>>>             loginShell: /bin/bash
>>>             uidNumber: 5345
>>>             gidNumber: 5345
>>>             homeDirectory: /home/test1
>>>             userPassword: {SSHA256}v7vlA8YYjJ27IbPQQa8eaChdHFcnw==
>>>             sambaPwdLastSet: 1473165911
>>>             sambaLMPassword: 7e58f6a33f8b3ef68ef354180a3a1da7
>>>             sambaSID: S-1-5-21-4079184197-2446238136-3299756537-1008
>>>             sambaAcctFlags: [UX         ]
>>>             sambaNTPassword: 0242A7FEC5CD294F916925766089E573
>>>
>>>
>>>             When I configured samba with the ldap backend, samba was not
>>>             able to get user information (because samba always searches attribute
>>>             uid=numeric), but when I replace it with uid=username (uid=test1
>>>             instead of uid=102220) it works and authenticates successfully.
>>>
>>>             As I have 3000+ users in ldap and it is not possible to
>>>             change all user settings, I request you to kindly give me some clue to
>>>             find the solution; I will be highly obliged for the same.
>>>
>>>
>>>
>>>
>>
>> --
>>
>> Thanks & Regards,
>>
>> Arun Kumar Gupta
>> Mail Administrator
>> HPC Infrastructure and Ecosystem Group
>> Centre for Development of Advanced Computing
>> Savitribai Phule Pune University Campus
>> PUNE-Maharastra
>> Phone :	+91-20-25704347
>> WEB   : http://www.cdac.in/
>>
>
>
>
>

-- 

Thanks & Regards,

Arun Kumar Gupta
Mail Administrator
HPC Infrastructure and Ecosystem Group
Centre for Development of Advanced Computing
Savitribai Phule Pune University Campus
PUNE-Maharastra
Phone :	+91-20-25704347
WEB   : http://www.cdac.in/

-------------------------------------------------------------------------------------------------------------------------------
[ C-DAC is on Social-Media too. Kindly follow us at:
Facebook: https://www.facebook.com/CDACINDIA & Twitter: @cdacindia ]

This e-mail is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. If you are not the
intended recipient, please contact the sender by reply e-mail and destroy
all copies and the original message. Any unauthorized review, use,
disclosure, dissemination, forwarding, printing or copying of this email
is strictly prohibited and appropriate legal action will be taken.
-------------------------------------------------------------------------------------------------------------------------------
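
The pdbedit output in the message above shows Samba taking the `uid` value (102220) as the Unix username and `Get_Pwnam` failing to find it, while the other services log in with `username`. The following is an added example, not part of the original post and not Samba code: it inventories such entries in an LDIF export. The function names, the `login_attr` default and the sample LDIF (modelled on the posted entry, hashes omitted, second entry invented) are assumptions.

```python
# Added example: list sambaSamAccount entries whose `uid` is not the
# attribute value that NSS/PAM uses as the login name.

# Constructed sample LDIF; the second entry and the description are invented.
SAMPLE_LDIF = """\
dn: uid=102220,ou=People,dc=pn,ou=User,dc=cdac,dc=in
objectClass: posixAccount
objectClass: sambaSamAccount
uid: 102220
username: micki
description: a folded
  value

dn: uid=alice,ou=People,dc=pn,ou=User,dc=cdac,dc=in
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
username: alice
"""

def parse_ldif(text):
    """Return entries as dicts of lowercase attribute -> list of values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]   # continuation line: drop one space
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:       # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            # "attr:: b64" values are kept as-is (not decoded) in this sketch
            current.setdefault(attr.strip().lower(), []).append(value.lstrip(": ").strip())
    return entries

def samba_name_mismatches(entries, login_attr="username"):
    """Return (dn, uid, login) for Samba accounts where uid != login name."""
    out = []
    for e in entries:
        if "sambasamaccount" not in {c.lower() for c in e.get("objectclass", [])}:
            continue
        logins = e.get(login_attr.lower(), [])
        known = {name.lower() for name in logins}
        for uid in e.get("uid", []):
            if uid.lower() not in known:
                out.append((e.get("dn", ["?"])[0], uid, logins[0] if logins else None))
    return out
```

Each tuple returned is an account that pdbedit would report under its `uid` value rather than under the login name the other services accept.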



