
Re: OpenLDAP / Samba integration



On Tuesday, 22 March 2011 16:42:11 fuzzy_4711 wrote:
> -------- Original - Text --------
> 
> > What are you having problems with?  Is this a new installation or an
> > existing system?
> 
> It is a new installation on openSUSE 11.4.
> I have both services running on the same box: ldap and samba
> 
> When I try to connect using an smb client,

Can you be more specific? Of course, testing with a client may be premature if 
you haven't tested with pdbedit or 'smbpasswd username' or similar.

> the debug log is stating "key expired". Before that I got an
> NT_USER_NOT_KNOW.

I don't believe that is actually a valid error, and with 'map to guest = Bad 
User' you shouldn't get anything similar, please provide *actual* error.

> But right now I remember that I added the Netbios-Statement in smb.conf
> and in
> that time the debug message changed from user not known to
> key expired. I do not want to use netbios if possible - it was just
> added as another try to get it running. Could it be that I have to
> 
> From my understanding one needs the samba3.schema because Windows
> stores passwords differently than unix does and there is no way to
> convert. Therefore you only need to set the two NT/LM password fields
> and the sambaSID - the passwords are taken from those
> NT/LM fields. Is that right?
> 
> The group matching will be done without any problems using the
> group value defined in posixAccount. Is that right or am I mistaken?
> So for example: If stefan has defined gidNumber 100, based on
> this information it will be possible to find out that in the config below
> stefan belongs to group users (based again on gidNumber and
> memberUid). Right or wrong?

Upstream Samba doesn't seem to support use of rfc2307bis groups with 
ldapsam:trusted = yes. But, let's not worry about groups yet, if you can't 
authenticate a user.

> Here are the essentials of my configuration details for both services.
> 
> I do have
> dn: ou=Group,dc=xxxxx,dc=de
> dn: ou=People,dc=xxxxx,dc=de
> 
> also I have:
> 
> dn: uid=stefan,ou=People,dc=xxxxx,dc=de
> uid: stefan
> cn: stefan
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> shadowLastChange: 13572
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 632
> gidNumber: 100
> homeDirectory: /home/users/stefan
> structuralObjectClass: account
> entryUUID: 57264e20-2261-102c-9ecf-9fa815f26773
> creatorsName: cn=Manager,dc=xxxxx,dc=de
> createTimestamp: 20071108161351Z
> sambaSID: S-1-5-21-38098927-3018186934-2063245418

This looks like a domain sid, not a user sid. Of course, pdbedit should tell 
you that ...

How did you create this user? Note that 'smbpasswd -a stefan' should have been 
able to do it, and would have done it correctly.

> sambaLMPassword: c02717a286a249086de605daecb45436
> sambaNTPassword: c02717a286a249086de605daecb45436
> userPassword:: 1111111111111111111111111=
>  =
> sambaPwdLastSet: 0
> sambaPwdMustChange: 0
> entryCSN: 20110321231822.373017Z#000000#000#000000
> modifiersName: cn=Manager,dc=xxxxx,dc=de
> modifyTimestamp: 20110321231822Z
> 
> 
> Note: the sambaLMPassword and the sambaNTPassword values are
> created via a php script which first builds the md4-sum of the base
> password and after that does another binary transformation. I read this
> should be the format samba is expecting the value. Is that right or did
> I do something wrong at this step?

Well, I would exclude software that you may not know works, e.g. use 
'smbpasswd username' to set the passwords ...

> ---------------------------------------------------------------------------
> I have this definition also
> dn: cn=users,ou=Group,dc=xxxxx,dc=de
> objectClass: posixGroup
> objectClass: namedObject
> objectClass: top
> cn: users
> userPassword:: 1111111111111111
> gidNumber: 100
> memberUid: sadmin
> memberUid: stefan
> structuralObjectClass: namedObject
> entryUUID: 106c209a-226b-102c-9f4d-9fa815f26773
> creatorsName: cn=Manager,dc=xxxxx,dc=de
> createTimestamp: 20071108172328Z
> entryCSN: 20110321210104.815232Z#000000#000#000000
> modifiersName: cn=Manager,dc=xxxxx,dc=de
> modifyTimestamp: 20110321210104Z
> 
> ---------------------------------------------------------------------
> 
> Also I do have that, which confuses me: Why does the
> root user only have the value sambaAcctFlags set?
> Where does this entry come from - I did not define
> it in my ldif import.
> 
> dn: uid=root,ou=People,dc=xxxxx,dc=de
> uid: root
> sambaSID: S-1-5-21-38098927-3018186934-2063245418-1000
> displayName: root
> sambaPwdCanChange: 1300747942
> sambaNTPassword: 111111111111111111
> sambaPwdLastSet: 1300747942
> sambaAcctFlags: [U          ]
> objectClass: sambaSamAccount
> objectClass: account
> structuralObjectClass: account
> entryUUID: a0626f44-e859-102f-8432-f5e997da80c3
> creatorsName: cn=Manager,dc=xxxxx,dc=de
> createTimestamp: 20110321225222Z

Maybe you can tell us what you did at this time ^^^ ?

> entryCSN: 20110321225222.093965Z#000000#000#000000
> modifiersName: cn=Manager,dc=xxxxx,dc=de
> modifyTimestamp: 20110321225222Z
> 
> 
> 
> This is my slapd.conf:
> 
> ldapnix:~ # cat /etc/openldap/slapd.conf | grep -vi "^#"
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/rfc2307bis.schema
> include         /etc/openldap/schema/yast.schema
> include         /etc/openldap/schema/samba3.schema
> 
> pidfile         /var/run/slapd/slapd.pid
> argsfile        /var/run/slapd/slapd.args
> access to dn.base=""
>         by * read
> access to attrs=userPassword,userPKCS12
>         by self write
>         by * auth
> access to attrs=shadowLastChange
>         by self write
>         by * read
> access to *
>         by * read
> database        bdb
> monitoring      on
> suffix          "dc=xxxxx,dc=de"
> checkpoint      1024    5
> cachesize       10000
> rootdn          "cn=Manager,dc=xxxxx,dc=de"
> rootpw          secret
> directory       /var/lib/ldap
> index   objectClass     eq
>

You will at minimum need more indexes ...
 
> -------------------------------------------------------------------------
> This is my smb.conf:
> 
> 
> [global]
>         unix charset = UTF-8
>         workgroup = PRIVAT
>         interfaces = 192.168.1.46
>         update encrypted = Yes
>         map to guest = Bad User
>         root directory = /
> #username map = /etc/samba/smbusers
>                # Logging - 5000 KB, Samba keeps one .old file
>         log level = 3
>         max log size = 5000
>           printcap name = cups
>         logon path = \\%L\profiles\.msprofile
>         logon drive = P:
>         logon home = \\%L\%U\.9xprofile
>         domain master = No
>         ldap ssl = Off
>         idmap uid = 10000-20000
>         idmap gid = 10000-20000
>         printer admin = @ntadmin, root, administrator
>         ldap admin dn = cn=Manager,dc=xxxxx,dc=de
>         passdb backend = ldapsam:ldap://ldap.privat.xxxxx.de/
>         ldapsam:trusted = yes
>         ldapsam:editposix = yes
>         ldap debug level = 1
>         ldap user suffix = ou=People
> #ldap group suffix = ou=Groups
>         ldap group suffix = ou=Group
>         ldap machine suffix = ou=Computers
>         ldap suffix = dc=xxxxx,dc=de
>         wins support = No
>         add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$
>         domain logons = No
>         ldap idmap suffix = ou=Idmap
>         ldap passwd sync = No
>         netbios name = LDAPNIX
>         security = user
>         wins server =
> 
> I do have a share definition like that:
> 
> [users]
>         comment = All users
>         path = /home/users
>         valid users = @users, @susers, root
>         read only = No
>         inherit permissions = Yes
> 
> I added the password for the "cn=Manager,dc=xxxxx,dc=de" using
> smbpasswd -w secret


What does 'pdbedit -L' say?

If it doesn't list any users, maybe run 'pdbedit -d10 -L', or 'pdbedit -d10 -L 
stefan'. If you can't see a problem here, the LDAP server's logs (at, or 
including level 256 or 'stats') would be useful.

> I get this output also:
> ldapnix:~ # net getlocalsid
> SID for domain LDAPNIX is: S-1-5-21-38098927-3018186934-2063245418
> 
> 
> I really would like to understand. If you guide me on what to do
> and it would make sense I would also set it up from scratch to
> understand what is going on. But I do not want to use libs or "special"
> scripts

You could of course use standard utilities (such as smbpasswd, pdbedit etc.) 
instead of your own scripts, which may get things wrong ...

> which will hide the process without the chance to understand.
> 
> Thanks for your help.

Notice how almost none of my questions have *anything* to do with OpenLDAP 
yet?

Regards,
Buchan