Qing Chang
2012-Aug-20 15:13 UTC
[Samba] samba 3.0.14a works with ldapsam backend but not 3.5.10-125.el6
we are migrating our standalone Samba server (3.0.14a) on a Solaris 10 box to an RHEL 6.3 box.

Testing shows that on Solaris 3.0.14a works with both the OpenLDAP server we are currently using and the IPA2.2 server as LDAP backend. But 3.5.10-125.el6 on a RHEL 6.3 box does not work with either.

I can still map a share with 3.5 as owner of the shared directory, but secondary group ownership does not appear to resolve properly. Below is an excerpt of log.smbd, removed many noisy lines:

===== log.smbd for samba 3.5 ====
[2012/08/16 12:47:39.499996, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: qchang
[2012/08/16 12:47:39.528627, 3] passdb/pdb_ldap.c:5215(ldapsam_gid_to_sid)
  ERROR: Got 0 entries for gid 201, expected one
[2012/08/16 12:47:39.822830, 4] auth/auth_sam.c:180(sam_account_ok)
  sam_account_ok: Checking SMB password for user qchang
[2012/08/16 12:47:39.822931, 5] auth/auth_sam.c:162(logon_hours_ok)
  logon_hours_ok: user qchang allowed to logon at this time (Thu Aug 16 16:47:39 2012 )
[2012/08/16 12:47:39.839645, 3] passdb/pdb_ldap.c:3057(ldapsam_enum_group_memberships)
  primary group of [qchang] not found
[2012/08/16 12:47:39.840098, 5] auth/auth_util.c:649(make_server_info_sam)
  make_server_info_sam: made server info for user qchang -> qchang
[2012/08/16 12:47:39.840196, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/08/16 12:47:39.840284, 3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: sam authentication for user [QChang] succeeded
[2012/08/16 12:47:39.840916, 5] auth/auth.c:291(check_ntlm_password)
  check_ntlm_password: PAM Account for user [qchang] succeeded
[2012/08/16 12:47:39.840994, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [QChang] -> [QChang] -> [qchang] succeeded
[2012/08/16 12:47:39.841072, 5] auth/auth_util.c:2119(free_user_info)
  attempting to free (and zero) a user_info structure
[2012/08/16 12:47:39.841148, 10] auth/auth_util.c:2123(free_user_info)
  structure was created for QChang
[2012/08/16 12:47:39.846308, 4] passdb/pdb_ldap.c:2562(ldapsam_getgroup)
  ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544))
[2012/08/16 12:47:39.852131, 3] auth/token_util.c:467(create_local_nt_token)
  Failed to fetch domain sid for RESEARCH
[2012/08/16 12:47:39.875509, 10] auth/token_util.c:531(debug_nt_user_token)
  NT user token of user S-1-5-21-3516781642-1962875130-3438800523-41232 contains 5 SIDs
  SID[ 0]: S-1-5-21-3516781642-1962875130-3438800523-41232
  SID[ 1]: S-1-1-0
  SID[ 2]: S-1-5-2
  SID[ 3]: S-1-5-11
  SID[ 4]: S-1-22-1-20117
  SE_PRIV 0x0 0x0 0x0 0x0
[2012/08/16 12:47:39.876009, 10] auth/token_util.c:551(debug_unix_user_token)
  UNIX token of user 20117
  Primary group is 201 and contains 0 supplementary groups
[2012/08/16 12:47:39.876370, 3] smbd/password.c:282(register_existing_vuid)
  register_existing_vuid: User name: qchang Real name: Qing Chang
[2012/08/16 12:47:39.876457, 3] smbd/password.c:292(register_existing_vuid)
  register_existing_vuid: UNIX uid 20117 is UNIX user qchang, and will be vuid 100
[2012/08/16 12:47:39.877319, 3] smbd/password.c:223(register_homes_share)
  Adding homes service for user 'qchang' using home directory: '/home2/qchang'
[2012/08/16 12:47:40.614903, 3] smbd/service.c:1070(make_connection_snum)
  ws62203 connect to service IPC$ initially as user qchang (uid=20117, gid=201) (pid 6951)
====

pdbedit -L has different output:

===== 3.0.14a ====
Trying to load: ldapsam:ldap://ipa1.sri.utoronto.ca
Attempting to find an passdb backend to match ldapsam:ldap://ipa1.sri.utoronto.ca (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=OCTANE))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
ldap_connect_system: LDAP server does support paged results
pdb backend ldapsam:ldap://ipa1.sri.utoronto.ca has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
ldapsam_setsampwent: 1507 entries in the base dc=sri,dc=utoronto,dc=ca
init_sam_from_ldap: Entry found for user: qchang
====

===== 3.5.10-125.el6 ====
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
pdb backend ldapsam:ldap://ipa1.sri.utoronto.ca has a valid init
smbldap_search_paged: base => [dc=sri,dc=utoronto,dc=ca], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
smbldap_search_paged: search was successful
sid S-1-5-21-3516781642-1962875130-3438800523-41232 does not belong to our domain
Skipping entry uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
====

Here is the smb.conf related to LDAP for both 3.0.14a and 3.5.10-125.el6:

====
security = user
ldap admin dn = "cn=Directory Manager"
ldap ssl = off
passdb backend = ldapsam:ldap://ipa1.sri.utoronto.ca
ldap delete dn = no
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap suffix = dc=sri,dc=utoronto,dc=ca
ldap passwd sync = Yes
====

It appears to me that 3.5 tries to be a domain controller by default? Your advice is greatly appreciated.

Qing Chang
Qing Chang
2012-Aug-20 17:23 UTC
[Samba] samba 3.0.14a works with ldapsam backend but not 3.5.10-125.el6
On 20/08/2012 11:13 AM, Qing Chang wrote:
> [...]
I thought these may help clarify the situation a bit more:

===== pdbedit -L -v qchang output for samba 3.0.14 ====
init_sam_from_ldap: Entry found for user: qchang
Opening cache file at /usr/local/samba3014/var/locks/login_cache.tdb
Unix username:        qchang
NT username:          qchang
Account Flags:        [U ]
User SID:             S-1-5-21-3516781642-1962875130-3438800523-41232
Primary Group SID:    S-1-5-21-1197990898-71428884-4196996049-513
Full Name:            Qing Chang
Home Directory:       \\octane\qchang
HomeDir Drive:
Logon Script:
Profile Path:         \\octane\qchang\profile
Domain:               OCTANE
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Mon, 18 Jan 2038 22:14:07 EST
Kickoff time:         Mon, 18 Jan 2038 22:14:07 EST
Password last set:    Tue, 14 Aug 2012 11:10:08 EST
Password can change:  Thu, 03 Nov 2011 10:55:32 EST
Password must change: Mon, 18 Jan 2038 22:14:07 EST
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
====

===== pdb -L -v qchang output for samba 3.5 ====
init_sam_from_ldap: Entry found for user: qchang
ERROR: Got 0 entries for gid 201, expected one
ERROR: Got 0 entries for gid 201, expected one
ERROR: Got 0 entries for gid 201, expected one
Opening cache file at /var/lib/samba/login_cache.tdb
Unix username:        qchang
NT username:          qchang
Account Flags:        [U ]
User SID:             S-1-5-21-3516781642-1962875130-3438800523-41232
Primary Group SID:    S-1-5-21-2087785539-322754622-381919433-513
Full Name:            Qing Chang
Home Directory:       \\smb2\qchang
HomeDir Drive:
Logon Script:
Profile Path:         \\smb2\qchang\profile
Domain:               SMB2
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Tue, 14 Aug 2012 11:10:08 EDT
Password can change:  Tue, 14 Aug 2012 11:10:08 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
=====
Qing Chang
2012-Sep-10 14:38 UTC
[Samba] samba 3.0.14a works with ldapsam backend but not 3.5.10-125.el6
On 04/09/2012 4:03 PM, Volker Lendecke wrote:
> On Tue, Sep 04, 2012 at 03:59:25PM -0400, Qing Chang wrote:
>> If I understand right, as a STANDALONE server, Samba should only care about finding and
>> authenticating against a matching uid to Windows username on the samba server (which
>> uses LDAP), and then using the uid and gid(s) to provide shared resources, which is the
>> behavior observed with 3.0.14a, but not with 3.5.10-125.el6.
>>
>> In fact, SID never matters with 3.0.14a, I have populated all users with the same SIDs and
>> 3.0.14a has been serving shares for years.
> Well, Samba has moved on to put more emphasis on SIDs. If
> that does not match your requirements, you should better
> stick with 3.0.14a and find someone from
> http://samba.org/samba/support to maintain it for you.

so which is the highest version that does not require strict SID check?

Thanks,
Qing

> With best regards,
>
> Volker Lendecke
Volker Lendecke
2012-Sep-10 14:47 UTC
[Samba] samba 3.0.14a works with ldapsam backend but not 3.5.10-125.el6
On Mon, Sep 10, 2012 at 10:38:01AM -0400, Qing Chang wrote:
>
> On 04/09/2012 4:03 PM, Volker Lendecke wrote:
> >On Tue, Sep 04, 2012 at 03:59:25PM -0400, Qing Chang wrote:
> >>If I understand right, as a STANDALONE server, Samba should only care about finding and
> >>authenticating against a matching uid to Windows username on the samba server (which
> >>uses LDAP), and then using the uid and gid(s) to provide shared resources, which is the
> >>behavior observed with 3.0.14a, but not with 3.5.10-125.el6.
> >>
> >>In fact, SID never matters with 3.0.14a, I have populated all users with the same SIDs and
> >>3.0.14a has been serving shares for years.
> >Well, Samba has moved on to put more emphasis on SIDs. If
> >that does not match your requirements, you should better
> >stick with 3.0.14a and find someone from
> >http://samba.org/samba/support to maintain it for you.
> so which is the highest version that does not require strict SID check?

The main switch came with 3.0.25.

With best regards,

Volker Lendecke

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
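The strict SID check Volker describes can be replayed against a directory before migrating, so that entries Samba 3.5 would skip ("sid ... does not belong to our domain") or groups it cannot map ("Got 0 entries for gid N") show up ahead of time. The Python below is an added example, not Samba code or anything posted in this thread; the domain SID and the user and group entries are constructed, and the attribute names (sambaSID, sambaPrimaryGroupSID, gidNumber) are those of the sambaSamAccount and sambaGroupMapping entries the log excerpts refer to.

```python
import re

# Constructed sample data (not from the thread's directory). LOCAL_DOMAIN_SID
# stands in for the SID the server holds in its own sambaDomain entry.
LOCAL_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

USERS = [  # sambaSamAccount entries, reduced to the attributes that matter here
    {"uid": "alice", "gidNumber": 100,
     "sambaSID": LOCAL_DOMAIN_SID + "-41002",
     "sambaPrimaryGroupSID": LOCAL_DOMAIN_SID + "-513"},
    {"uid": "bob", "gidNumber": 201,          # gid 201 has no sambaGroupMapping
     "sambaSID": LOCAL_DOMAIN_SID + "-41004",
     "sambaPrimaryGroupSID": LOCAL_DOMAIN_SID + "-513"},
    {"uid": "carol", "gidNumber": 100,        # SID minted under another domain SID
     "sambaSID": "S-1-5-21-4444444444-5555555555-6666666666-41006",
     "sambaPrimaryGroupSID": LOCAL_DOMAIN_SID + "-513"},
]
GROUPS = [  # sambaGroupMapping entries
    {"cn": "users", "gidNumber": 100, "sambaSID": LOCAL_DOMAIN_SID + "-513"},
]

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID)."""
    if not _SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % (sid,))
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def audit(domain_sid, users, groups):
    """Report what a SID-strict Samba (3.0.25 and later, per the thread) would reject."""
    mapped_gids = {g["gidNumber"] for g in groups
                   if split_sid(g["sambaSID"])[0] == domain_sid}
    report = {"skipped_users": [], "foreign_primary_group": [], "unmapped_gids": []}
    for u in users:
        if split_sid(u["sambaSID"])[0] != domain_sid:
            report["skipped_users"].append(u["uid"])  # entry skipped at load time
            continue
        if split_sid(u["sambaPrimaryGroupSID"])[0] != domain_sid:
            report["foreign_primary_group"].append(u["uid"])  # primary group SID outside domain
        if u["gidNumber"] not in mapped_gids:
            report["unmapped_gids"].append(u["gidNumber"])  # no sambaGroupMapping for gid
    return report


if __name__ == "__main__":
    for key, value in sorted(audit(LOCAL_DOMAIN_SID, USERS, GROUPS).items()):
        print("%-22s %s" % (key, value))
```

In a real run the three lists would be filled from ldapsearch output under the ldap user suffix and ldap group suffix from smb.conf, and the domain SID from the sambaDomain entry or `net getlocalsid`.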