Hey Samba list,

First a brief comment regarding my background and situation. This is my first time posting to this list. I've been asked to resolve a Samba authentication issue, but I have next to no experience using Samba. Unfortunately no one else here knows how to use it either; we're operating with an inherited environment from a sysadmin who left minimal documentation, and we have limited human resources in the context of IT.

Now on to my problem! A user is unable to access a Samba share. My company has a web interface for adding new users, but apparently it's not doing the trick this time for some reason. That's all of the information I've been given, along with the user's UID. Preferring to work at the command line, I've tried the following (from the host running the Samba server):

1. First I checked that the user has an entry in our LDAP server:

ldapsearch -h sambahost -x -LLL uid=userid

This returns an entry of the following form:

dn: uid=userid,ou=people,o=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid:: c2tkNjg0IA==
uidNumber: 1076
homeDirectory:: L2hvbWUvc2tkNjg0IA==
loginShell: /bin/bash
gidNumber: 1076
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-3439207220-2335887646-243107566-3152
sambaPrimaryGroupSID: S-1-5-21-3439207220-2335887646-243107566-3153
sn: Lastname
cn: Firstname Lastname
displayName: Firstname Lastname
givenName: Firstname
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000 00000000
sambaAcctFlags: [UX ]
sambaPwdLastSet: 1429299642

2. Next, I tried using pdbedit to search for the user:

sudo pdbedit -L | grep userid

This yielded the following output:

init_sam_from_ldap: Entry found for user: userid
userid :4294967295:Firstname Lastname

I also tried pdbclient with verbose output enabled:

sudo pdbedit -L -v | grep userid

This resulted in the following output:

init_sam_from_ldap: Entry found for user: userid
Failed to find a Unix account for userid init_sam_from_ldap: Entry found for user: otheruserid
Unix username: userid
NT username: userid
Home Directory: \\files\userid
Profile Path: \\files\userid \profile

3. I reset the user's password:

echo -e "password\npassword\n" | passwordsudo smbpasswd -s

Then I tried to connect to the Samba server as the user:

smbclient //fileserver/domain -U userid

Unfortunately I was unable to authenticate; I get the following error message:

Domain=[domain] OS=[Unix] Server=[Samba 3.6.3]
tree connect failed: NT_STATUS_ACCESS_DENIED

4. I checked to see if there was in fact a Unix account for the user, and there wasn't, so I added one, and set the UNIX password to match the password set with smbpasswd. Then I tried again to connect to the Samba server, but was still unable to connect.

Can anyone shed any light on this? Help!

Thanks in advance for your time and consideration.

Cheers,
Itamar

On 15:14:40 wrote Itamar Gal:
> Hey Samba list,
>
> First a brief comment regarding my background and situation. This is
> my first time posting to this list. I've been asked to resolve a
> Samba authentication issue, but I have next to no experience using
> Samba. Unfortunately no one else here knows how to use it either;
> we're operating with an inherited environment from a sysadmin who
> left minimal documentation, and we have limited human resources in
> the context of IT.
>
> Now on to my problem! A user is unable to access a Samba share. My
> company has a web interface for adding new users, but apparently
> it's not doing the trick this time for some reason. That's all of
> the information I've been given, along with the user's UID.
> Preferring to work at the command line, I've tried the following
> (from the host running the Samba server):
>
> 1. First I checked that the user has an entry in our LDAP server:
>
> ldapsearch -h sambahost -x -LLL uid=userid
>
> This returns an entry of the following form:
>
> dn: uid=userid,ou=people,o=org
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: sambaSamAccount
> uid:: c2tkNjg0IA==
> uidNumber: 1076
> homeDirectory:: L2hvbWUvc2tkNjg0IA==
> loginShell: /bin/bash
> gidNumber: 1076
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> sambaSID: S-1-5-21-3439207220-2335887646-243107566-3152
> sambaPrimaryGroupSID: S-1-5-21-3439207220-2335887646-243107566-3153
> sn: Lastname
> cn: Firstname Lastname
> displayName: Firstname Lastname
> givenName: Firstname
> sambaPasswordHistory:
> 00000000000000000000000000000000000000000000000000000000
> 00000000
> sambaAcctFlags: [UX ]
> sambaPwdLastSet: 1429299642
>
> 2. Next, I tried using pdbedit to search for the user:
>
> sudo pdbedit -L | grep userid
>
> This yielded the following output:
>
> init_sam_from_ldap: Entry found for user: userid
> userid :4294967295:Firstname Lastname
>
> I also tried pdbclient with verbose output enabled:
>
> sudo pdbedit -L -v | grep userid
>
> This resulted in the following output:
>
> init_sam_from_ldap: Entry found for user: userid
> Failed to find a Unix account for userid init_sam_from_ldap: Entry
> found for user: otheruserid
> Unix username: userid
> NT username: userid
> Home Directory: \\files\userid
> Profile Path: \\files\userid \profile
>
> 3. I reset the user's password:
>
> echo -e "password\npassword\n" | passwordsudo smbpasswd -s
>
> Then I tried to connect to the Samba server as the user:
>
> smbclient //fileserver/domain -U userid
>
> Unfortunately I was unable to authenticate; I get the following error
> message:
>
> Domain=[domain] OS=[Unix] Server=[Samba 3.6.3]
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> 4. I checked to see if there was in fact a Unix account for the user,
> and there wasn't, so I added one, and set the UNIX password to match
> the password set with smbpasswd. Then I tried again to connect to
> the Samba server, but was still unable to connect.
>
> Can anyone shed any light on this? Help!

No problem

1. DO NOT CREATE USERS WITH A TRAILING SPACE !!!
2. Use the same name in DN and UID !!!

dn: uid=userid,ou=people,o=org
uid:: c2tkNjg0IA==

uid here is base64 encoded, because of the trailing space.

# echo -n c2tkNjg0IA== |base64 -d
"skd684 "

The dn is built with "uid=userid", but
"uid=skd684 "

> Thanks in advance for your time and consideration.
>
> Cheers,
> Itamar

--
Regards
Harry Jede
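
Added example (not part of the original thread, and not Samba or OpenLDAP code): a Python check for the two problems pointed out in the reply above, run over an LDIF entry as printed by ldapsearch -LLL. The sample entry is constructed from the values quoted in the thread; the names parse_entry and audit_entry are hypothetical, and the first RDN is assumed to contain no escaped commas.

```python
import base64

# Constructed sample built from the values quoted in the thread: the DN says
# "userid" while the base64 uid decodes to "skd684 " (note the trailing space).
SAMPLE_LDIF = """\
dn: uid=userid,ou=people,o=org
uid:: c2tkNjg0IA==
uidNumber: 1076
homeDirectory:: L2hvbWUvc2tkNjg0IA==
sn: Lastname
"""

def parse_entry(ldif):
    """Parse one LDIF entry into (attribute, value, was_base64) tuples."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = []
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            attrs.append((name, value, True))
        else:
            attrs.append((name, rest.lstrip(" "), False))
    return attrs

def audit_entry(ldif, naming_attr="uid"):
    """Return findings: padded values, and a DN that disagrees with the uid."""
    attrs = parse_entry(ldif)
    findings = []
    for name, value, _ in attrs:
        if value != value.strip():
            findings.append(f"{name}: value {value!r} has leading/trailing whitespace")
    dn = next((v for n, v, _ in attrs if n == "dn"), "")
    # Assumption: the first RDN contains no escaped commas.
    rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
    if rdn_attr.lower() == naming_attr:
        for name, value, _ in attrs:
            if name.lower() == naming_attr and value != rdn_value:
                findings.append(f"dn uses {rdn_value!r} but {name} is {value!r}")
    return findings

if __name__ == "__main__":
    for finding in audit_entry(SAMPLE_LDIF):
        print(finding)
```

Running the same check in the provisioning path, before an entry is written to the directory, catches padded account names before they reach Samba.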

Hey Harry,

Thank you for your input! Ultimately I resolved the issue (following Rowland's advice) by manually removing the user from our LDAP server and then rerunning the user creation script (which, if I understand it correctly, queries an external LDAP server and then synchronizes it with our LDAP and Samba databases).

However I was still confused as to why some attributes of this specific user were encoded whereas the corresponding attributes for other users were not. Thank you for clearing that up for me!

Cheers,
Itamar

On Mon, Apr 20, 2015 at 8:23 AM, Harry Jede <walk2sun at arcor.de> wrote:
> No problem
>
> 1. DO NOT CREATE USERS WITH A TRAILING SPACE !!!
> 2. Use the same name in DN and UID !!!
>
> dn: uid=userid,ou=people,o=org
> uid:: c2tkNjg0IA==
>
> uid here is base64 encoded, because of the trailing space.
>
> # echo -n c2tkNjg0IA== |base64 -d
> "skd684 "
>
> The dn is built with "uid=userid", but
> "uid=skd684 "
>
> --
> Regards
> Harry Jede