[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP / Samba integration




-------- Original - Text --------
> What are you having problems with?  Is this a new installation or an
> existing system? 
It is an new installation on an opensuse 11.4.
I have both services running on the same box: ldap and samba

When I try to connect using a smb client,
the debug log ist stating  "key expired". Before that I got an
NT_USER_NOT_KNOW.
But right now I remember that I added the Netbios-Statement in smb.conf
and in
that time the debug message changed from user not known to
key expired. I do not want to use netbios if possible - it was just
added as another try to get it running. Could it be that I have to

>From my understanding one needs the samba3.schema because Windows
stores passwords different than unix does and there is no way to
convert. Therefore you only need to set the 2 passwordNT/LM fields
and the sambaSID - the passwords are taken from those
NT/LM fields. Is that right?

The group matching will be done without any problems using the
group value defined in posixAccount. Is that right or am I mistaken?
So for example: If stefan has defined gidNumber 100, based on
this information it will be possible to find out that in the config below
stefan belongs to group users (based again on gidNumber and
memberUiD). Right or wrong?


Here are the essentials of my configuration details for both services.

I do have
dn: ou=Group,dc=xxxxx,dc=de
dn: ou=People,dc=xxxxx,dc=de

also I have:

dn: uid=stefan,ou=People,dc=xxxxx,dc=de
uid: stefan
cn: stefan
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
shadowLastChange: 13572
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 632
gidNumber: 100
homeDirectory: /home/users/stefan
structuralObjectClass: account
entryUUID: 57264e20-2261-102c-9ecf-9fa815f26773
creatorsName: cn=Manager,dc=xxxxx,dc=de
createTimestamp: 20071108161351Z
sambaSID: S-1-5-21-38098927-3018186934-2063245418
sambaLMPassword: c02717a286a249086de605daecb45436
sambaNTPassword: c02717a286a249086de605daecb45436
userPassword:: 1111111111111111111111111=
 =
sambaPwdLastSet: 0
sambaPwdMustChange: 0
entryCSN: 20110321231822.373017Z#000000#000#000000
modifiersName: cn=Manager,dc=xxxxx,dc=de
modifyTimestamp: 20110321231822Z


Note: the sambaLMPassword and the sambaNTPassword values are
created via a php script which first builds the md4-sum of the base password
and after that does another binary transformation. I read this
should be the format samba is expecting the value. Is that right or did
I something wrong at this step?


--------------------------------------------------------------------------------
I have this definition also
dn: cn=users,ou=Group,dc=xxxxx,dc=de
objectClass: posixGroup
objectClass: namedObject
objectClass: top
cn: users
userPassword:: 1111111111111111
gidNumber: 100
memberUid: sadmin
memberUid: stefan
structuralObjectClass: namedObject
entryUUID: 106c209a-226b-102c-9f4d-9fa815f26773
creatorsName: cn=Manager,dc=xxxxx,dc=de
createTimestamp: 20071108172328Z
entryCSN: 20110321210104.815232Z#000000#000#000000
modifiersName: cn=Manager,dc=xxxxx,dc=de
modifyTimestamp: 20110321210104Z

---------------------------------------------------------------------

Also I do have that, which confuses me: Why does the
root user only have the value sambaAcctFlags set?
Where does this entry come from - I did not define
it in my ldif import.

dn: uid=root,ou=People,dc=xxxxx,dc=de
uid: root
sambaSID: S-1-5-21-38098927-3018186934-2063245418-1000
displayName: root
sambaPwdCanChange: 1300747942
sambaNTPassword: 111111111111111111
sambaPwdLastSet: 1300747942
sambaAcctFlags: [U          ]
objectClass: sambaSamAccount
objectClass: account
structuralObjectClass: account
entryUUID: a0626f44-e859-102f-8432-f5e997da80c3
creatorsName: cn=Manager,dc=xxxxx,dc=de
createTimestamp: 20110321225222Z
entryCSN: 20110321225222.093965Z#000000#000#000000
modifiersName: cn=Manager,dc=xxxxx,dc=de
modifyTimestamp: 20110321225222Z



This is my slapd.conf:

ldapnix:~ # cat /etc/openldap/slapd.conf | grep -vi "^#"
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/rfc2307bis.schema
include         /etc/openldap/schema/yast.schema
include         /etc/openldap/schema/samba3.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
access to dn.base=""
        by * read
access to attrs=userPassword,userPKCS12
        by self write
        by * auth
access to attrs=shadowLastChange
        by self write
        by * read
access to *
        by * read
database        bdb
monitoring      on
suffix          "dc=xxxxx,dc=de"
checkpoint      1024    5
cachesize       10000
rootdn          "cn=Manager,dc=xxxxx,dc=de"
rootpw          secret
directory       /var/lib/ldap
index   objectClass     eq


-------------------------------------------------------------------------
This is my smb.conf:


[global]
        unix charset = UTF-8
        workgroup = PRIVAT
        interfaces = 192.168.1.46
        update encrypted = Yes
        map to guest = Bad User
        root directory = /
#username map = /etc/samba/smbusers
       
        # Logging - 5000 KB, Samba behält eine .old-Datei
        log level = 3
        max log size = 5000
  
        printcap name = cups
        logon path = \\%L\profiles\.msprofile
        logon drive = P:
        logon home = \\%L\%U\.9xprofile
        domain master = No
        ldap ssl = Off
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        printer admin = @ntadmin, root, administrator
        ldap admin dn = cn=Manager,dc=xxxxx,dc=de
        passdb backend = ldapsam:ldap://ldap.privat.xxxxx.de/
        ldapsam:trusted = yes
        ldapsam:editposix = yes
        ldap debug level = 1
        ldap user suffix = ou=People
#ldap group suffix = ou=Groups
        ldap group suffix = ou=Group
        ldap machine suffix = ou=Computers
        ldap suffix = dc=xxxxx,dc=de
        wins support = No
        add machine script = /sbin/yast
/usr/share/YaST2/data/add_machine.ycp %m$
        domain logons = No
        ldap idmap suffix = ou=Idmap
        ldap passwd sync = No
        netbios name = LDAPNIX
        security = user
        wins server =

I do have a share definition like that:

[users]
        comment = All users
        path = /home/users
        valid users = @users, @susers, root
        read only = No
        inherit permissions = Yes

I added the password for the "cn=Manager,dc=xxxxx,dc=de" using
smbpasswd -w secret
The tdbdump /etc/samba/secrets.tdb command shows thoses entries:
key(53) = "SECRETS/LDAP_BIND_PW/cn=Manager,dc=xxxxx,dc=de"
data(7) = "secret\00"
}
{
key(21) = "SECRETS/SID/PRIVAT"
data(68) =
"\01\04\00\00\00\00\00\05\15\00\00\00\EFWE\02\B6\E0\E5\B3j\A0\FAz\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
}
{
key(19) = "SECRETS/SID/LDAPNIX"
data(68) =
"\01\04\00\00\00\00\00\05\15\00\00\00\EFWE\02\B6\E0\E5\B3j\A0\FAz\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
}

I get this output also:
ldapnix:~ # net getlocalsid
SID der Domäne LDAPNIX ist: S-1-5-21-38098927-3018186934-2063245418


I really like to understand. If you guide me what to do
and it would make sense I would also set it up from scratch to
understand what is going on. But I do not want to use libs or "special"
scripts
which will hide the process without the chance to understand.

Thanks for your help.

-fuz