Re: Problem authenticating users from openldap + samba

Can you grep "1.3.6.1.4.1.7165.2.1.24" in both your existing schema file as
well as the standard samba schema LDIF file? Do you have an LDAP
Browser/Editor (e.g. Apache Directory Studio) that you can use to browse
LDAP? The existing entry may actually be correct. Could you make a copy
of samba.ldif, remove the "cn=samba,cn=schema,cn=config" and see if you can
import the rest?

Does "pdbedit" show your samba users?  If you type "pdbedit -Lv someuser"
does it show the correct associated unix ID?  Do your user accounts look
good in LDAP?

Can you manually add a samba user with smbpasswd?


A samba ldap + unix user should look like

dn: uid=someuser,ou=.....
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
objectClass: inetOrgPerson
cn: Some User
displayName: Some User
gecos: Some User
gidNumber: 123
givenName: Some
homeDirectory: /home/someuser
loginShell: /bin/tcsh
mber:  
uid: someuser
uidNumber: 123
userPassword: xxxxxxx
samaccountname: someuser
sambaAcctFlags: [UX         ]
sambaHomeDrive: X:
sambaHomePath: \\server\users\someuser
sambaKickoffTime: 
sambaLogoffTime: 
sambaLogonScript: logon.bat
sambaLogonTime: 
sambaNTPassword: xxxxxx
sambaPasswordHistory: 000000000000000000000000000000000000000000000000000000
 0000000000
sambaPrimaryGroupSID: S-1-5-21-xxxx-xxxxx-xxxxxx-xxx
sambaPwdCanChange: 
sambaPwdLastSet: 1317390043
sambaPwdMustChange: 0
sambaSID: S-1-5-21-xxxx-xxxxx-xxxxxx-xxx
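The duplicate-OID check suggested above, automated, as an added example (this is not code from the Samba project or from GOsa). It parses both the OpenLDAP `.schema` syntax (what GOsa ships as samba3.schema) and the `cn=config` LDIF syntax (what samba-doc ships as samba.ldif), unwraps LDIF continuation lines, and reports every OID the two define, flagging whether the two definitions agree. The two schema excerpts embedded below are constructed abbreviations with shortened DESC strings; the OIDs and NAMEs are the ones the Samba schema really assigns to those attributes. In practice you would read the two files from disk instead of the embedded strings.

```python
"""Find the OIDs two LDAP schema sources both define, to explain a
"Duplicate attributeType" error from ldapadd into cn=config.

Added example for this thread; not code from the Samba project or GOsa.
Both schema snippets are constructed abbreviations (DESC shortened) that use
the OIDs and NAMEs the Samba schema actually assigns."""
import re
from typing import Dict, Set, Tuple

# Constructed excerpt of a GOsa-style samba3.schema in OpenLDAP .schema syntax.
GOSA_SCHEMA = """\
attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
        DESC 'LanManager Password'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
        DESC 'MD4 hash of the unicode password'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
"""

# Constructed excerpt of the samba-doc cn=config LDIF. LDIF folds long values:
# a line starting with a single space continues the previous line.
SAMBA_LDIF = """\
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'L
 anManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1
 21.1.26{32} SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'M
 D4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4
 .1.1466.115.121.1.26{32} SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Ac
 count Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
 {16} SINGLE-VALUE )
"""

# Matches "attributetype ( OID NAME 'x'" as well as "olcAttributeTypes: {n}( OID NAME 'x'".
DEF_RE = re.compile(
    r"(?P<kind>attributetype|objectclass|olcAttributeTypes|olcObjectClasses)"
    r":?\s*(?:\{\d+\})?\s*\(\s*(?P<oid>\d+(?:\.\d+)+)\s+NAME\s+\(?\s*'(?P<name>[^']+)'",
    re.IGNORECASE,
)


def unwrap_ldif(text: str) -> str:
    """Join LDIF continuation lines. Harmless on .schema files, whose
    indentation is only cosmetic."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return "\n".join(out)


def parse_definitions(text: str) -> Dict[str, Tuple[str, str]]:
    """Map OID -> (kind, primary NAME) for every attributetype/objectclass
    definition, in either .schema or cn=config LDIF syntax."""
    defs: Dict[str, Tuple[str, str]] = {}
    for m in DEF_RE.finditer(unwrap_ldif(text)):
        kind = "attributeType" if "attr" in m["kind"].lower() else "objectClass"
        defs[m["oid"]] = (kind, m["name"])
    return defs


def compare_schemas(existing: str, candidate: str) -> Dict[str, dict]:
    """For every OID the candidate shares with the already-loaded schema,
    report both definitions. same=True means the candidate merely re-declares
    an identical OID/NAME (redundant import); False means a real conflict."""
    a, b = parse_definitions(existing), parse_definitions(candidate)
    return {
        oid: {"existing": a[oid], "candidate": b[oid], "same": a[oid] == b[oid]}
        for oid in sorted(set(a) & set(b))
    }


def only_in_candidate(existing: str, candidate: str) -> Set[str]:
    """OIDs the candidate would add that the loaded schema lacks."""
    return set(parse_definitions(candidate)) - set(parse_definitions(existing))


if __name__ == "__main__":
    for oid, info in compare_schemas(GOSA_SCHEMA, SAMBA_LDIF).items():
        state = "identical" if info["same"] else "CONFLICT"
        print(f"{oid}: {state}  existing={info['existing']} candidate={info['candidate']}")
    print("new in candidate:", sorted(only_in_candidate(GOSA_SCHEMA, SAMBA_LDIF)))
```

With the constructed inputs the report shows the OID from the error message already defined, identically, by the loaded schema, plus the attribute the LDIF would add. That distinction is what decides the next step: identical definitions mean the already-loaded schema is fine and only the missing definitions need importing; a real conflict (same OID, different NAME or kind) means one of the two schema files has to go before slapd can load the other.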





-----Original Message-----
From: samba-bounces@xxxxxxxxxxxxxxx [mailto:samba-bounces@xxxxxxxxxxxxxxx]
On Behalf Of Joel Rosental R.
Sent: Thursday, March 29, 2012 8:37 AM
To: samba@xxxxxxxxxxxxxxx
Subject:  Problem authenticating users from openldap + samba

Hello,

I have a Debian Squeeze server and want to configure Samba + OpenLDAP on it.
Following some documentation I've found on the Internet, I see that I must
include the "samba schema" in OpenLDAP but apart from this, I've installed
on the same server a software called "gosa" and it has a samba schema called
"samba3.schema" which I don't know if it's the same that is provided by the
samba-doc debian package or not, or whether this one could work.

When I tried to add the samba-doc schema to my LDAP this is what I got:

ldap:/etc/ldap/slapd.d/cn=config/cn=schema# ldapadd -x -H ldap://xxx.xxx.xxx.xxx -D "cn=config" -W -f /tmp/cn=samba.ldif
Enter LDAP Password:
adding new entry "cn=samba,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
     additional info: olcAttributeTypes: Duplicate attributeType: "1.3.6.1.4.1.7165.2.1.24"

So it seems there's a problem between the "official" samba.schema from
samba-doc package and the one from Gosa.

After configuring smb.conf and smbldap-tools, I'm still unable to
authenticate my users against LDAP using Samba. BTW, I guess PAM is well
configured since I can log in to the server via ssh with any user that is
in the LDAP, and when I do 'getent passwd' it shows me users from my LDAP
server as well.

This is my smb.conf so far:
# Global parameters
[global]
         workgroup = IMDEANETWORKS
         netbios name = PDC-SRV
         security = user
         enable privileges = yes
         #interfaces = 192.168.5.11
         #username map = /etc/samba/smbusers
         server string = Samba Server %v
         #security = ads
         encrypt passwords = Yes
#       min passwd length = 3
         #pam password change = no
         #obey pam restrictions = No

         # method 1:
         #unix password sync = no
         #ldap passwd sync = yes

         # method 2:
         unix password sync = yes
         ldap passwd sync = yes
         passwd program = /usr/sbin/smbldap-passwd -u "%u"
         passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n

         log level = 2
         syslog = 0
         log file = /var/log/samba/log.%U
         max log size = 100000
         time server = Yes
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         mangling method = hash2
         Dos charset = CP932
         Unix charset = UTF-8

         logon script = logon.bat
         logon drive = H:
         logon home =
         logon path =

         domain logons = Yes
         domain master = Yes
         os level = 65
         preferred master = Yes
         wins support = yes
         # passdb backend = ldapsam:"ldap://ldap1.company.com ldap://ldap2.company.com"
         passdb backend = ldapsam:ldap://xxx.xxx.xxx.xxx/
         ldap admin dn = cn=yyy,dc=xxx,dc=imdea,dc=org
         #ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
         ldap suffix = dc=xxx,dc=imdea,dc=org
         ldap group suffix = ou=Groups
         ldap user suffix = ou=People
         ldap machine suffix = ou=Computers
         #ldap idmap suffix = ou=Idmap
         add user script = /usr/sbin/smbldap-useradd -m "%u"
         #ldap delete dn = Yes
         delete user script = /usr/sbin/smbldap-userdel "%u"
         add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
         add group script = /usr/sbin/smbldap-groupadd -p "%g"
         delete group script = /usr/sbin/smbldap-groupdel "%g"
         add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
         delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
         set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
         admin users = Administrator
         ldap ssl = no
         # printers configuration
         #printer admin = @"Print Operators"
         load printers = Yes
         create mask = 0640
         directory mask = 0750
         #force create mode = 0640
         #force directory mode = 0750
         nt acl support = No
         printing = cups
         printcap name = cups
         deadtime = 10
         guest account = nobody
         map to guest = Bad User
         dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
         show add printer wizard = yes
         ; to maintain capital letters in shortcuts in any of the profile folders:
         preserve case = yes
         short preserve case = yes
         case sensitive = no

[netlogon]
         path = /home/netlogon/
         browseable = No
         read only = yes

[profiles]
         path = /home/profiles
         read only = no
         create mask = 0600
         directory mask = 0700
         browseable = No
         guest ok = Yes
         profile acls = yes
         csc policy = disable
         # next line is a great way to secure the profiles
         #force user = %U
         # next line allows administrator to access all profiles
         #valid users = %U "Domain Admins"
[printers]
         comment = Network Printers
         #printer admin = @"Print Operators"
         guest ok = yes
         printable = yes
         path = /home/spool/
         browseable = No
         read only  = Yes
         printable = Yes
         print command = /usr/bin/lpr -P%p -r %s
         lpq command = /usr/bin/lpq -P%p
         lprm command = /usr/bin/lprm -P%p %j
         # print command = /usr/bin/lpr -U%U@%M -P%p -r %s
         # lpq command = /usr/bin/lpq -U%U@%M -P%p
         # lprm command = /usr/bin/lprm -U%U@%M -P%p %j
         # lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
         # lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
         # queuepause command = /usr/sbin/lpc -U%U@%M stop %p
         # queueresume command = /usr/sbin/lpc -U%U@%M start %p

[print$]
         path = /home/printers
         guest ok = No
         browseable = Yes
         read only = Yes
         valid users = @"Print Operators"
         write list = @"Print Operators"
         create mask = 0664
         directory mask = 0775

[public]
         path = /tmp
         guest ok = yes
         browseable = Yes
         writable = yes

[prueba]
        browseable = yes
        comment = Prueba
        path = /tmp
        valid users = Administrator, joel
        writeable = yes
        guest ok = no
        printable = no

I was following this tutorial: 
http://www.server-world.info/en/note?os=Debian_6.0&p=samba&f=4

But once I finish with this, when I try to access
\\xxx.xxx.xxx.xxx\test from a Windows XP host, I get a prompt for login with
user and passwd, I put any user from the ldap and it doesn't accept my
credentials. This is what appears in the /var/log/samba/log.user file:

[2012/03/29 14:29:04.715182,  2] auth/auth.c:314(check_ntlm_password)
   check_ntlm_password:  Authentication for user [User] -> [User] FAILED with error NT_STATUS_NO_SUCH_USER
[2012/03/29 14:29:04.719187,  2] smbd/service.c:587(create_connection_server_info)
   guest user (from session setup) not permitted to access this share (prueba)
[2012/03/29 14:29:04.719294,  1] smbd/service.c:678(make_connection_snum)
   create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2012/03/29 14:29:04.831882,  2] smbd/service.c:587(create_connection_server_info)
   guest user (from session setup) not permitted to access this share (prueba)
[2012/03/29 14:29:04.831990,  1] smbd/service.c:678(make_connection_snum)
   create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2012/03/29 14:29:20.777189,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
   init_sam_from_ldap: Entry found for user: Administrator
[2012/03/29 14:29:20.778725,  2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
   init_group_from_ldap: Entry found for group: 1004


And from a Linux machine:

~$ smbclient -L 192.168.10.100 -U jrosental
Enter jrosental's password:
Domain=[IMDEANETWORKS] OS=[Unix] Server=[Samba 3.5.6]

     Sharename       Type      Comment
     ---------       ----      -------
     print$          Disk
     public          Disk
     prueba          Disk      Prueba
     IPC$            IPC       IPC Service (Samba Server 3.5.6)
Domain=[IMDEANETWORKS] OS=[Unix] Server=[Samba 3.5.6]

     Server               Comment
     ---------            -------
     PDC-SRV              Samba Server 3.5.6

     Workgroup            Master
     ---------            -------
     IMDEANETWORKS        PDC-SRV


~$ smbclient \\\\xxx.xxx.xxx.xxx\\prueba -U joel
Enter joell's password:
Domain=[IMDEANETWORKS] OS=[Unix] Server=[Samba 3.5.6]
tree connect failed: NT_STATUS_ACCESS_DENIED



Any ideas what could be happening?

Thanks in advance.

--
Joel Rosental R.
Systems Administrator.

GPG Fingerprint = 49AF BC22 A6D1 9833 A421  7330 A0FB E34E AFCB 4CCA

Tel: +34 91 481 6987
Fax: + 34 91 481 6987
Web: http://www.networks.imdea.org
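Two checks that follow from the log excerpt above and from the template entry in the reply, as an added example (not Samba's own code). `NT_STATUS_NO_SUCH_USER` at `check_ntlm_password` means the passdb backend, here `ldapsam`, found no account for that name, which is what happens when the LDAP entry is a plain `posixAccount` (visible to `getent` and ssh) without the `sambaSamAccount` objectClass and its attributes. With `map to guest = Bad User` smbd then treats the session as guest, and a share with `guest ok = no` rejects it, which is exactly the `guest user ... not permitted` / `NT_STATUS_ACCESS_DENIED` pair in the log. The first function validates an entry against what `ldapsam` needs; the second pulls authentication failures out of smbd log lines. The LDIF entries and the log excerpt embedded below are constructed to mirror the thread; the SIDs and the NT hash are placeholders.

```python
"""Validate a Samba+LDAP user entry against what the ldapsam backend needs,
and extract authentication failures from smbd log lines.

Added example for this thread; not Samba project code. The LDIF entries and
the log excerpt are constructed; SIDs and the NT hash are placeholders."""
import re
from typing import Dict, List, Tuple

# A user needs posixAccount for getent/ssh and sambaSamAccount for Samba.
REQUIRED_CLASSES = ["posixAccount", "sambaSamAccount"]
# sambaSamAccount attributes an NTLM logon cannot proceed without.
REQUIRED_ATTRS = ["sambaSID", "sambaNTPassword", "sambaAcctFlags"]

# Constructed: a Unix account that getent and ssh accept, but that has never
# been given Samba attributes (e.g. never touched by smbpasswd/smbldap-tools).
POSIX_ONLY_USER = """\
dn: uid=joel,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: joel
cn: Some User
sn: User
uidNumber: 1001
gidNumber: 513
homeDirectory: /home/joel
loginShell: /bin/bash
userPassword:{SSHA}placeholder
"""

# Constructed: the same account after the Samba attributes were populated.
SAMBA_USER = POSIX_ONLY_USER + """\
objectClass: sambaSamAccount
sambaSID: S-1-5-21-XXXX-YYYY-ZZZZ-3002
sambaPrimaryGroupSID: S-1-5-21-XXXX-YYYY-ZZZZ-513
sambaAcctFlags: [U          ]
sambaNTPassword: PLACEHOLDER_NT_HASH
sambaPwdLastSet: 1317390043
"""

# Constructed excerpt in the two-line format of /var/log/samba/log.%U.
SAMPLE_LOG = """\
[2012/03/29 14:29:04.715182,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [joel] -> [joel] FAILED with error NT_STATUS_NO_SUCH_USER
[2012/03/29 14:29:04.719187,  2] smbd/service.c:587(create_connection_server_info)
  guest user (from session setup) not permitted to access this share (prueba)
[2012/03/29 14:29:04.719294,  1] smbd/service.c:678(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
"""

HEADER_RE = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<where>\S+)\s*$")
FAIL_RE = re.compile(
    r"Authentication for user \[(?P<client>[^\]]*)\] -> \[(?P<mapped>[^\]]*)\] "
    r"FAILED with error (?P<status>NT_STATUS_\w+)"
)


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """One LDIF entry -> {attribute (lower-cased): [values]}. Continuation
    lines (leading space) are joined; 'attr:value' without a space is accepted."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def check_samba_user(entry: Dict[str, List[str]]) -> List[str]:
    """Return the reasons an ldapsam lookup or NTLM logon would fail, or []."""
    findings: List[str] = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    findings += [f"missing objectClass {oc}" for oc in REQUIRED_CLASSES if oc.lower() not in classes]
    findings += [f"missing attribute {a}" for a in REQUIRED_ATTRS if a.lower() not in entry]
    if "sambasid" in entry and "sambaprimarygroupsid" in entry:
        domain = lambda sid: sid.rsplit("-", 1)[0]  # drop the trailing RID
        if domain(entry["sambasid"][0]) != domain(entry["sambaprimarygroupsid"][0]):
            findings.append("sambaSID and sambaPrimaryGroupSID belong to different domains")
    flags = entry.get("sambaacctflags", [""])[0]
    if "D" in flags:
        findings.append("account disabled (D in sambaAcctFlags)")
    if "N" in flags:
        findings.append("no password required (N in sambaAcctFlags)")
    return findings


def parse_samba_log(text: str) -> List[dict]:
    """Pair each '[timestamp, level] file:line(func)' header with the indented
    message line(s) that follow it."""
    records: List[dict] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append({"ts": m["ts"], "level": int(m["level"]), "where": m["where"], "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records


def auth_failures(records: List[dict]) -> List[Tuple[str, str]]:
    """(mapped user, NT_STATUS code) for every failed check_ntlm_password."""
    return [(m["mapped"], m["status"]) for r in records for m in [FAIL_RE.search(r["msg"])] if m]


if __name__ == "__main__":
    for label, ldif in (("posix-only", POSIX_ONLY_USER), ("samba", SAMBA_USER)):
        print(label, "->", check_samba_user(parse_ldif_entry(ldif)) or "OK")
    print("auth failures:", auth_failures(parse_samba_log(SAMPLE_LOG)))
```

Running the validator over `pdbedit -Lv` output is not possible (it is not LDIF), but `ldapsearch -LLL` output for the user's DN is, so the check can be scripted for every user before the share is opened to clients. The two flag checks are there because `sambaAcctFlags` is the one attribute in the template that silently changes the security outcome: `D` makes every logon fail regardless of password, and `N` lets the account in without one.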

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
