Re: OpenLDAP / Samba integration
On Tuesday, 22 March 2011 16:42:11 fuzzy_4711 wrote:
> -------- Original - Text --------
>
> > What are you having problems with? Is this a new installation or an
> > existing system?
>
> It is a new installation on an opensuse 11.4.
> I have both services running on the same box: ldap and samba
>
> When I try to connect using a smb client,
Can you be more specific? Of course, testing with client may be premature if
you haven't tested with pdbedit or 'smbpasswd username' or similar.
> the debug log is stating "key expired". Before that I got an
> NT_USER_NOT_KNOW.
I don't believe that is actually a valid error, and with 'map to guest = Bad
User' you shouldn't get anything similar, please provide *actual* error.
> But right now I remember that I added the Netbios-Statement in smb.conf
> and in
> that time the debug message changed from user not known to
> key expired. I do not want to use netbios if possible - it was just
> added as another try to get it running. Could it be that I have to
>
> From my understanding one needs the samba3.schema because Windows
> stores passwords differently than unix does and there is no way to
> convert. Therefore you only need to set the 2 passwordNT/LM fields
> and the sambaSID - the passwords are taken from those
> NT/LM fields. Is that right?
>
> The group matching will be done without any problems using the
> group value defined in posixAccount. Is that right or am I mistaken?
> So for example: If stefan has defined gidNumber 100, based on
> this information it will be possible to find out that in the config below
> stefan belongs to group users (based again on gidNumber and
> memberUid). Right or wrong?
Upstream samba doesn't seem to support use of rfc2307bis groups with
ldapsam:trusted = yes. But, let's not worry about groups yet, if you can't
authenticate a user.
> Here are the essentials of my configuration details for both services.
>
> I do have
> dn: ou=Group,dc=xxxxx,dc=de
> dn: ou=People,dc=xxxxx,dc=de
>
> also I have:
>
> dn: uid=stefan,ou=People,dc=xxxxx,dc=de
> uid: stefan
> cn: stefan
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> shadowLastChange: 13572
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 632
> gidNumber: 100
> homeDirectory: /home/users/stefan
> structuralObjectClass: account
> entryUUID: 57264e20-2261-102c-9ecf-9fa815f26773
> creatorsName: cn=Manager,dc=xxxxx,dc=de
> createTimestamp: 20071108161351Z
> sambaSID: S-1-5-21-38098927-3018186934-2063245418
This looks like a domain sid, not a user sid. Of course, pdbedit should tell
you that ...
How did you create this user? Note that 'smbpasswd -a stefan' should have been
able to do it, and would have done it correctly.
> sambaLMPassword: c02717a286a249086de605daecb45436
> sambaNTPassword: c02717a286a249086de605daecb45436
> userPassword:: 1111111111111111111111111==
> sambaPwdLastSet: 0
> sambaPwdMustChange: 0
> entryCSN: 20110321231822.373017Z#000000#000#000000
> modifiersName: cn=Manager,dc=xxxxx,dc=de
> modifyTimestamp: 20110321231822Z
>
>
> Note: the sambaLMPassword and the sambaNTPassword values are
> created via a php script which first builds the md4-sum of the base
> password and after that does another binary transformation. I read this
> should be the format samba is expecting the value. Is that right or did
> I do something wrong at this step?
Well, I would exclude software that you may not know works, e.g. use
'smbpasswd username' to set the passwords ...
> ---------------------------------------------------------------------------
> I have this definition also
> dn: cn=users,ou=Group,dc=xxxxx,dc=de
> objectClass: posixGroup
> objectClass: namedObject
> objectClass: top
> cn: users
> userPassword:: 1111111111111111
> gidNumber: 100
> memberUid: sadmin
> memberUid: stefan
> structuralObjectClass: namedObject
> entryUUID: 106c209a-226b-102c-9f4d-9fa815f26773
> creatorsName: cn=Manager,dc=xxxxx,dc=de
> createTimestamp: 20071108172328Z
> entryCSN: 20110321210104.815232Z#000000#000#000000
> modifiersName: cn=Manager,dc=xxxxx,dc=de
> modifyTimestamp: 20110321210104Z
>
> ---------------------------------------------------------------------
>
> Also I do have that, which confuses me: Why does the
> root user only have the value sambaAcctFlags set?
> Where does this entry come from - I did not define
> it in my ldif import.
>
> dn: uid=root,ou=People,dc=xxxxx,dc=de
> uid: root
> sambaSID: S-1-5-21-38098927-3018186934-2063245418-1000
> displayName: root
> sambaPwdCanChange: 1300747942
> sambaNTPassword: 111111111111111111
> sambaPwdLastSet: 1300747942
> sambaAcctFlags: [U ]
> objectClass: sambaSamAccount
> objectClass: account
> structuralObjectClass: account
> entryUUID: a0626f44-e859-102f-8432-f5e997da80c3
> creatorsName: cn=Manager,dc=xxxxx,dc=de
> createTimestamp: 20110321225222Z
Maybe you can tell us what you did at this time ^^^ ?
> entryCSN: 20110321225222.093965Z#000000#000#000000
> modifiersName: cn=Manager,dc=xxxxx,dc=de
> modifyTimestamp: 20110321225222Z
>
>
>
> This is my slapd.conf:
>
> ldapnix:~ # cat /etc/openldap/slapd.conf | grep -vi "^#"
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/rfc2307bis.schema
> include /etc/openldap/schema/yast.schema
> include /etc/openldap/schema/samba3.schema
>
> pidfile /var/run/slapd/slapd.pid
> argsfile /var/run/slapd/slapd.args
> access to dn.base=""
> by * read
> access to attrs=userPassword,userPKCS12
> by self write
> by * auth
> access to attrs=shadowLastChange
> by self write
> by * read
> access to *
> by * read
> database bdb
> monitoring on
> suffix "dc=xxxxx,dc=de"
> checkpoint 1024 5
> cachesize 10000
> rootdn "cn=Manager,dc=xxxxx,dc=de"
> rootpw secret
> directory /var/lib/ldap
> index objectClass eq
>
You will at minimum need more indexes ...
> -------------------------------------------------------------------------
> This is my smb.conf:
>
>
> [global]
> unix charset = UTF-8
> workgroup = PRIVAT
> interfaces = 192.168.1.46
> update encrypted = Yes
> map to guest = Bad User
> root directory = /
> #username map = /etc/samba/smbusers
> # Logging - 5000 KB, Samba keeps one .old file
> log level = 3
> max log size = 5000
> printcap name = cups
> logon path = \\%L\profiles\.msprofile
> logon drive = P:
> logon home = \\%L\%U\.9xprofile
> domain master = No
> ldap ssl = Off
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> printer admin = @ntadmin, root, administrator
> ldap admin dn = cn=Manager,dc=xxxxx,dc=de
> passdb backend = ldapsam:ldap://ldap.privat.xxxxx.de/
> ldapsam:trusted = yes
> ldapsam:editposix = yes
> ldap debug level = 1
> ldap user suffix = ou=People
> #ldap group suffix = ou=Groups
> ldap group suffix = ou=Group
> ldap machine suffix = ou=Computers
> ldap suffix = dc=xxxxx,dc=de
> wins support = No
> add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$
> domain logons = No
> ldap idmap suffix = ou=Idmap
> ldap passwd sync = No
> netbios name = LDAPNIX
> security = user
> wins server =
>
> I do have a share definition like that:
>
> [users]
> comment = All users
> path = /home/users
> valid users = @users, @susers, root
> read only = No
> inherit permissions = Yes
>
> I added the password for the "cn=Manager,dc=xxxxx,dc=de" using
> smbpasswd -w secret
What does 'pdbedit -L' say?
If it doesn't list any users, maybe run 'pdbedit -d10 -L', or
'pdbedit -d10 -L stefan'. If you can't see a problem here, the LDAP server's
logs (at, or including level 256 or 'stats') would be useful.
> I get this output also:
> ldapnix:~ # net getlocalsid
> SID der Domäne LDAPNIX ist: S-1-5-21-38098927-3018186934-2063245418
>
>
> I really like to understand. If you guide me what to do
> and it would make sense I would also set it up from scratch to
> understand what is going on. But I do not want to use libs or "special"
> scripts
You could of course use standard utilities (such as smbpasswd, pdbedit etc.)
instead of your own scripts, which may get things wrong ...
> which will hide the process without the chance to understand.
>
> Thanks for your help.
Notice how almost none of my questions have *anything* to do with OpenLDAP
yet?
Regards,
Buchan