[Samba] (no subject)

jmpatagonia jmpatagonia at gmail.com
Thu Jul 2 17:27:01 UTC 2020 

1) Does 'getent passwd policia\gafranchello' produce output when run on a
Unix client ?
If try to logon on unis console

--> auth.log
Jul  2 14:13:59 samba-cliente sshd[11654]: Invalid user
POLICIA+gafranchello from 172.33.10.1
Jul  2 14:13:59 samba-cliente sshd[11654]: input_userauth_request: invalid
user POLICIA+gafranchello [preauth]
Jul  2 14:14:04 samba-cliente sshd[11654]: pam_winbind(sshd:auth): getting
password (0x00000000)
Jul  2 14:14:04 samba-cliente sshd[11654]: pam_winbind(sshd:auth): request
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10),
NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Jul  2 14:14:04 samba-cliente sshd[11654]: pam_unix(sshd:auth): check pass;
user unknown
Jul  2 14:14:04 samba-cliente sshd[11654]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=172.33.10.1
Jul  2 14:14:05 samba-cliente sshd[11654]: Failed password for invalid user
POLICIA+gafranchello from 172.33.10.1 port 54715 ssh2
----
Jul  2 14:22:07 samba-cliente sshd[11699]: Invalid user
policia\\gafranchello from 172.33.10.1
Jul  2 14:22:07 samba-cliente sshd[11699]: input_userauth_request: invalid
user policia\\\\gafranchello [preauth]
Jul  2 14:22:09 samba-cliente sshd[11699]: pam_winbind(sshd:auth): getting
password (0x00000000)
Jul  2 14:22:09 samba-cliente sshd[11699]: pam_winbind(sshd:auth): request
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7),
NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Jul  2 14:22:09 samba-cliente sshd[11699]: pam_winbind(sshd:auth): user
'policia\gafranchello' denied access (incorrect password or invalid
membership)
Jul  2 14:22:09 samba-cliente sshd[11699]: pam_unix(sshd:auth): check pass;
user unknown
Jul  2 14:22:09 samba-cliente sshd[11699]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=172.33.10.1
Jul  2 14:22:11 samba-cliente sshd[11699]: Failed password for invalid user
policia\\gafranchello from 172.33.10.1 port 54725 ssh2
---

This is other user that is created on the machine and can logon on desktop
client whith domain credential, but can't logon on unis/console client

Jul  2 14:23:15 samba-cliente sshd[11703]: Invalid user policia\\jmperrote
from 172.33.10.1
Jul  2 14:23:15 samba-cliente sshd[11703]: input_userauth_request: invalid
user policia\\\\jmperrote [preauth]
Jul  2 14:23:19 samba-cliente sshd[11703]: pam_winbind(sshd:auth): getting
password (0x00000000)
Jul  2 14:23:19 samba-cliente sshd[11703]: pam_winbind(sshd:auth): request
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7),
NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Jul  2 14:23:19 samba-cliente sshd[11703]: pam_winbind(sshd:auth): user
'policia\jmperrote' denied access (incorrect password or invalid membership)
Jul  2 14:23:19 samba-cliente sshd[11703]: pam_unix(sshd:auth): check pass;
user unknown
Jul  2 14:23:19 samba-cliente sshd[11703]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=172.33.10.1
Jul  2 14:23:22 samba-cliente sshd[11703]: Failed password for invalid user
policia\\jmperrote from 172.33.10.1 port 54726 ssh2
Jul  2 14:23:40 samba-cliente sshd[11703]: Connection closed by 172.33.10.1
port 54726 [preauth]


2) What are the 'other purposes' you are using LDAP for ? Most, if not all,
can be added to Samba AD.

The think is very complex because we have various products authenticating
whith ldap squid/git/syspass/moodle/openfire/zentyal/etc  and we are
modified and adapted the ldap schema with some ldap entries for this
products, the samba schema in the same schema (we have only one lsap
schema), and we interactive with this via a ad hoc developed interface.
Change or update samba to samba 4 AD implies that we have change the unis
schema, receding the interface, proves, etc it is to much time.

We try once to implemente samba 4 AD and notice that the ldap schema are
very different that we have, so many changes, that implies to many
development on the interface.

Know I thinking that is posible to make another ldap schema just for samba
4 AD and continue using the other for rest of products, but this implies to
redising the interface to update users, groups on both schemas.

Another question: Thinking on samba 4 AD, when a user logon on desktop
client, it can map o access direct to resources shared on samba server or
need to authenticate almost at once ? Because actually on windows clients
this is not needed, when a user logon on domain can map or access shared
folders whitout authentication again.

Regards.





El jue., 2 jul. 2020 a las 9:52, Rowland penny via samba (<
samba at lists.samba.org>) escribió:

> On 02/07/2020 13:03, jmpatagonia via samba wrote:
> > Hello we use a samba with a old ldap (zentyal-ebox), for now it is
> > impossible to update to new samba version because we use the ldap schema
> > repository for others purposes, son we can move to another version that
> > support samba 4 AD, for the moment we just keep this version.
> > It is possible to join and validate user with linux desktop, we actually
> > use a lot of clients with windows xp/7 and work perfectly.
> >
> This gets worse, XP and Windows 7 are both EOL, but you have what you
> have :-(
>
> Does 'getent passwd policia\gafranchello' produce output when run on a
> Unix client ?
>
> What are the 'other purposes' you are using LDAP for ? Most, if not all,
> can be added to Samba AD.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list