Here is a description of what I am trying to do (with Samba 3.0.2a & openldap 2.1.27):

I have all my users populated into the LDAP with all the applicable attributes; users can map drives to a server using LDAP as the authentication backend without issue.

Where I am running into problems is bringing up a PDC using Samba w/LDAP.

* I added the appropriate machine accounts (using smbpasswd -a -m) and was able to join the domain.

* Any user in the pre-populated LDAP cannot log in; however, any user I add to the LDAP from the machine with Samba running on it CAN log in properly.

If I delete the original entry from the LDAP and add a new one via (smbpasswd -a), then the user can log in. This works, but is ultimately not scalable... I can then place the original LDAP entry back in place and they can log in... just as long as the password for the account is not changed.

I am sure there is something I am missing, but I cannot see it for the life of me. The odd thing is that in the log.smbd I get odd errors about reading a socket, but only for the users that have not been added by the local "smbpasswd" command. They are both in the same LDAP. Any help would be greatly appreciated.

Ted

Excerpt from log.smbd (non-functional user):
----------------------------------------------------------------------------------------
[2004/03/31 10:24:11, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
  process_request_pdu: failed to do schannel processing.
[2004/03/31 10:24:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: pubtest$
[2004/03/31 10:24:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: testuser
[2004/03/31 10:24:11, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [testuser] -> [testuser] -> [testuser] succeeded
[2004/03/31 10:24:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: testuser
[2004/03/31 10:24:24, 2] lib/smbldap.c:smbldap_search_domain_info(1331)
  Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TEST_DOM))]
[2004/03/31 10:24:24, 2] lib/smbldap.c:smbldap_open_connection(626)
  smbldap_open_connection: connection opened
[2004/03/31 10:24:24, 0] lib/util_sock.c:read_socket_data(342)
  read_socket_data: recv failure for 4. Error = Connection reset by peer
[2004/03/31 10:24:24, 2] smbd/server.c:exit_server(558)

Excerpt from log.smbd (functional user):
--------------------------------------------------------------------------------------
[2004/03/31 10:26:04, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
  process_request_pdu: failed to do schannel processing.
[2004/03/31 10:26:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: pubtest$
[2004/03/31 10:26:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: newuser
[2004/03/31 10:26:04, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [newuser] -> [newuser] -> [newuser] succeeded
[2004/03/31 10:26:05, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: newuser
[2004/03/31 10:26:05, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [newuser] -> [newuser] -> [newuser] succeeded
[2004/03/31 10:26:05, 1] smbd/service.c:make_connection_snum(705)
  pubtest (158.136.115.89) connect to service profiles initially as user newuser (uid=18000, gid=31) (pid 85352)
[2004/03/31 10:26:05, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
  Returning domain sid for domain TEST_DOM -> S-1-5-21-204843054-3526713080-3458795326
[2004/03/31 10:26:05, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: newuser
-------------------------------------------------------------------------------------------

Global section of smb.conf
-------------------------------------------------------------------------------------------
[global]
print command = lpr -r -P%p %s
printer name = lp
printcap name = /etc/printcap
guest account = nobody
dont descend = /dev,/proc
lock directory= /usr/local/server/samba/var/locks
load printers = yes
server string = EMERALD - Samba Server %v
socket options = TCP_NODELAY
os level = 65
max disk size = 2000
printer admin = @winprint
netbios name = EMERALD
workgroup = TEST_DOM
preferred master = yes
domain master = yes
local master = yes
max log size = 35000
wins support = yes
domain logons = yes
logon script = logon.bat
security = user
encrypt passwords = yes
debug level = 2
logon drive = m:
logon home = \\emerald\%u
logon path = \\emerald\profiles\%U
ldap admin dn = "cn=Manager,dc=plymouth,dc=edu"
passdb backend = ldapsam:ldap://localhost:389
ldap delete dn = no
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=plymouth,dc=edu
ldap filter = "(&(uid=%u)(objectclass=sambaSamAccount))"
idmap backend = ldap:ldap://localhost:389
idmap gid = 10000-15000
idmap uid = 16000-20000

-- 
| Ted Wisniewski                    E-Mail: ted@mail.plymouth.edu     |
| Manager, Systems Group            WEB: http://oz.plymouth.edu/~ted/ |
| Information Technology Services                                     |
| Plymouth State University         Phone: (603) 535-2661             |
| Plymouth NH, 03264                Fax: (603) 535-2263               |
On Wed, 2004-03-31 at 12:47, Ted Wisniewski wrote:
> Here is a description of what I am trying to do (with Samba 3.0.2a & openldap
> 2.1.27):
>
> I have all my users populated into the LDAP with all the applicable
> attributes; users can map drives to a server using LDAP as the
> authentication backend without issue.
>
> Where I am running into problems is bringing up a PDC using Samba w/LDAP.
>
> * I added the appropriate machine accounts (using smbpasswd -a -m) and was
> able to join the domain.
>
> * Any user in the pre-populated LDAP cannot log in; however, any user I add to
> the LDAP from the machine with Samba running on it CAN log in properly.
>
> If I delete the original entry from the LDAP and add a new one via (smbpasswd -a),
> then the user can log in. This works, but is ultimately not scalable... I
> can then place the original LDAP entry back in place and they can log in...
> just as long as the password for the account is not changed.
>
> -- SNIP --
>
> Global section of smb.conf
-----

It appears that the 'non-functional' user doesn't have the domain attribute
set (or at least set properly).

ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=non-functional)'

and then

ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=functional)'

and the functional users will have attributes such as sambaDomainName
properly set that the non-functional ones do not.

Craig
Thanks for the response, but the odd thing is that both had the same set of parameters in the LDAP. I took your advice and added some other parameters to the LDAP for a non-working entry... Same result.

Example LDIF (Working):

dn: uid=newuser, ou=People, dc=plymouth,dc=edu
sambaPwdLastSet: 1080739453
sambaAcctFlags: [U ]
displayName: New User
sambaPwdMustChange: 2147483647
objectClass: sambaSamAccount
objectClass: account
uid: newuser
sambaSID: S-1-5-21-204843054-3526713080-3458795326-37000
sambaPwdCanChange: 1080739453
sambaNTPassword: 5A6A0AFE9618570BF8B167BC1B9E4B1D
sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1063
sambaLMPassword: 54E8D1FD3821A0A8AAD3B435B51404EE

Example LDIF (NOT WORKING):

dn: uid=notworking, ou=People, dc=plymouth,dc=edu
sambaPwdLastSet: 1080739453
sambaAcctFlags: [U ]
displayName: Not Working
sambaPwdMustChange: 2147483647
objectClass: sambaSamAccount
objectClass: account
uid: notworking
sambaSID: S-1-5-21-204843054-3526713080-3458795326-3472
sambapwdCanChange: 1080739453
sambaNTPassword: 8F851644E0A37D3FB3476910A6A93303
sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1399
sambaLMPassword: F12E9CF522B3C3FBAAD3B435B51404EE

Any ideas? I can map to the home share without difficulty... It is only a problem when doing a domain logon. If I delete the LDAP entry and do the (smbpasswd -a) from the command line, the entries look identical. The only difference is one works and the other does not. Is there another place where info is recorded? In the LDAP? In a TDB file?

Ted

> On Wed, 2004-03-31 at 12:47, Ted Wisniewski wrote:
>> Here is a description of what I am trying to do (with Samba 3.0.2a & openldap
>> 2.1.27):
>>
>> I have all my users populated into the LDAP with all the applicable
>> attributes; users can map drives to a server using LDAP as the
>> authentication backend without issue.
>>
>> Where I am running into problems is bringing up a PDC using Samba w/LDAP.
>>
>> * I added the appropriate machine accounts (using smbpasswd -a -m) and was
>> able to join the domain.
>>
>> * Any user in the pre-populated LDAP cannot log in; however, any user I add to
>> the LDAP from the machine with Samba running on it CAN log in properly.
>>
>> If I delete the original entry from the LDAP and add a new one via (smbpasswd -a),
>> then the user can log in. This works, but is ultimately not scalable... I
>> can then place the original LDAP entry back in place and they can log in...
>> just as long as the password for the account is not changed.
>>
>> I am sure there is something I am missing, but I cannot see it for the life of
>> me. The odd thing is that in the log.smbd I get odd errors about reading
>> a socket, but only for the users that have not been added by the local
>> "smbpasswd" command. They are both in the same LDAP. Any help would be
>> greatly appreciated.
>>
>> Ted
>>
>> -- SNIP --
>>
>> Global section of smb.conf
> -----
>
> It appears that the 'non-functional' user doesn't have the domain attribute
> set (or at least set properly).
>
> ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=non-functional)'
>
> and then
>
> ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=functional)'
>
> and the functional users will have attributes such as sambaDomainName
> properly set that the non-functional ones do not.
>
> Craig

-- 
| Ted Wisniewski                    E-Mail: ted@mail.plymouth.edu     |
| Manager, Systems Group            WEB: http://oz.plymouth.edu/~ted/ |
| Information Technology Services                                     |
| Plymouth State University         Phone: (603) 535-2661             |
| Plymouth NH, 03264                Fax: (603) 535-2263               |
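One way to run the attribute-by-attribute comparison Craig suggests over the two LDIF entries Ted posted, as an added example that is not part of the thread. It assumes unfolded single-line LDIF (what ldapsearch prints for short values) and a required-attribute list derived from the working entry; the domain SID is the one _samr_lookup_domain returns in the log above, and the comparison folds attribute names to lower case because LDAP matches them case-insensitively (so sambapwdCanChange and sambaPwdCanChange are the same attribute).

```python
# Diff two sambaSamAccount entries attribute by attribute; attribute names are
# lower-cased since LDAP matches them case-insensitively.
from collections import defaultdict
# Domain SID as returned by _samr_lookup_domain in the thread's log.
DOMAIN_SID = "S-1-5-21-204843054-3526713080-3458795326"
# Attributes a domain logon needs (assumption, taken from the working entry).
REQUIRED = ("uid", "sambasid", "sambantpassword", "sambaprimarygroupsid")
# Constructed sample: the two entries posted in the thread, trimmed.
SAMPLE_LDIF = """\
dn: uid=newuser, ou=People, dc=plymouth,dc=edu
uid: newuser
sambaSID: S-1-5-21-204843054-3526713080-3458795326-37000
sambaPwdCanChange: 1080739453
sambaNTPassword: 5A6A0AFE9618570BF8B167BC1B9E4B1D
sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1063

dn: uid=notworking, ou=People, dc=plymouth,dc=edu
uid: notworking
sambaSID: S-1-5-21-204843054-3526713080-3458795326-3472
sambapwdCanChange: 1080739453
sambaNTPassword: 8F851644E0A37D3FB3476910A6A93303
sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1399
"""

def parse_ldif(text):
    """Return {dn: {lowercase attr: [values]}} for each entry in text.
    Assumes single-line values (no LDIF continuation lines)."""
    entries, cur = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if not attr:
            cur = None                      # blank line ends an entry
        elif attr == "dn":
            cur = entries.setdefault(value, defaultdict(list))
        elif cur is not None:
            cur[attr].append(value)
    return entries

def check_entry(entry):
    """Problems that would break a domain logon for one parsed entry."""
    problems = [f"missing {a}" for a in REQUIRED if a not in entry]
    for a in ("sambasid", "sambaprimarygroupsid"):
        for sid in entry.get(a, []):
            if not sid.startswith(DOMAIN_SID + "-"):
                problems.append(f"{a} {sid} is outside domain {DOMAIN_SID}")
    return problems

def diff_attrs(good, bad):  # attribute names present in only one entry
    return sorted(set(good) ^ set(bad))
```

For the two entries on this page both checks come back empty, which matches Ted's observation that the LDIF is identical and points the search away from the user entries themselves.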