thr3ads.net - samba - [Samba] Samba 3 PDC with ldapsam and login problem [May 2005]

If this information is useful, please help other people find it:
Share via:

Marian Steinbach

2005-May-01 10:43 UTC

[Samba] Samba 3 PDC with ldapsam and login problem

Hi,

<foreword>
I am about to set up Samba 3.0.14a on Linux as PDC wit LDAP backend for 
our faculty. However, first tries have only partly been successful. 
First I added samba LDAP-Schema attributes to existing account, created 
their Samba passwords with smbpasswd and it worked so that normal users 
could log in via the windows network neighborhood and use the shares. 
But, I couldn't manage to join machines to the domain. So I backed off 
and started from scratch.
</foreword>

The current LDAP directory only contains more or less what 
"smbldap-populate" creates. I will paste the LDIF at the end of this
mail.

When I try to log in via

   smbclient -L localhost -U root

I get the following message:
Domain=[KISD] OS=[Unix] Server=[Samba 3.0.14a-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED

The password should be correct. When I enter a wrong password, the 
message is NT_STATUS_LOGON_FAILURE.

The LDAP log (also pasted below) shows that the search for a 
sambaGroupMapping with gidNumber=0 fails.

'root', as created by smbldap-populate, has gidNumber=0 (which makes 
sense to me). But there is no group having gidNumber=0 in my LDAP 
directory. Is that the reason why Samba can't authorize root? (In an NIS 
environment, only a group "root" should have the gidNumber=0)

The group "Domain Admins" as smbldap-populate creates it has 
gidNumber=512. And that group has meberUid=root.

Can anybody tell me what I have to teak in order to be able to proceed? 
I appreciate any help!

Marian


==== testparm output ===========================================
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[Profiles]"
Processing section "[netlogon]"
Processing section "[Gruppen]"
Processing section "[Transit]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC


==== LDAP server log ===========================================
May  1 12:01:50 hal slapd[6914]: conn=11 op=1 SRCH base="" scope=0 
deref=0 filter="(objectClass=*)"
May  1 12:01:50 hal slapd[6914]: conn=11 op=1 SRCH attr=supportedControl
May  1 12:01:50 hal slapd[6914]: conn=11 op=1 SEARCH RESULT tag=101 
err=0 nentries=1 textMay  1 12:01:50 hal slapd[6914]: conn=11 op=2 SRCH 
base="ou=DS,o=Fachhochschule Koeln,c=DE" scope=2 deref=0 
filter="(&(uid=root)(objectClass=sambaSamAccount))"
May  1 12:01:50 hal slapd[6914]: conn=11 op=2 SRCH attr=uid uidNumber 
gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange 
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn 
displayName sambaHomeDrive sambaHomePath sambaLogonScript 
sambaProfilePath description sambaUserWorkstations sambaSID 
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName 
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount 
sambaBadPasswordTime sambaPasswordHistory modifyTimestamp 
sambaLogonHours modifyTimestamp
May  1 12:01:50 hal slapd[6914]: conn=11 op=2 SEARCH RESULT tag=101 
err=0 nentries=1 textMay  1 12:01:50 hal slapd[6914]: conn=11 op=3 SRCH 
base="ou=Group,ou=DS,o=Fachhochschule Koeln,c=DE" scope=2 deref=0 
filter="(&(objectClass=sambaGroupMapping)(gidNumber=0))"
May  1 12:01:50 hal slapd[6914]: conn=11 op=3 SRCH attr=gidNumber 
sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
May  1 12:01:50 hal slapd[6914]: conn=11 op=3 SEARCH RESULT tag=101 
err=0 nentries=0 textMay  1 12:01:50 hal slapd[6914]: conn=11 fd=24 closed





====  LDIF representation of our directory: ======================

dn: ou=DS,o=Fachhochschule Koeln,c=DE
ou: DS
objectClass: organizationalUnit

dn: ou=People, ou=DS,o=Fachhochschule Koeln,c=DE
ou: People
objectClass: organizationalUnit

dn: ou=Group, ou=DS,o=Fachhochschule Koeln,c=DE
ou: Group
objectClass: organizationalUnit

dn: ou=Computers, ou=DS,o=Fachhochschule Koeln,c=DE
ou: Computers
objectClass: organizationalUnit

dn: uid=root,ou=People, ou=DS,o=Fachhochschule Koeln,c=DE
sambaLMPassword: ***secret***
sambaPrimaryGroupSID: S-1-5-21-2224407680-2312910263-3502601358-512
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: ***secret***
sambaLogonTime: 0
sambaHomeDrive: Z:
uid: root
uidNumber: 0
cn: root
sambaLogoffTime: 2147483647
sambaPwdLastSet: 1114941311
loginShell: /bin/bash
sambaAcctFlags: [U          ]
gidNumber: 0
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1
sambaNTPassword: ***secret***
gecos: Netbios Domain Administrator
sambaSID: S-1-5-21-2224407680-2312910263-3502601358-500
homeDirectory: /root
sambaKickoffTime: 2147483647
sn: root
sambaPasswordHistory: 
0000000000000000000000000000000000000000000000000000000
  000000000

dn: uid=nobody,ou=People, ou=DS,o=Fachhochschule Koeln,c=DE
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaPrimaryGroupSID: S-1-5-21-2224407680-2312910263-3502601358-514
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
sambaLogonTime: 0
sambaHomeDrive: Z:
uid: nobody
uidNumber: 999
cn: nobody
sambaLogoffTime: 2147483647
sambaPwdLastSet: 0
loginShell: /bin/false
sambaAcctFlags: [NUD        ]
gidNumber: 514
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 0
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaSID: S-1-5-21-2224407680-2312910263-3502601358-2998
homeDirectory: /dev/null
sambaKickoffTime: 2147483647
sn: nobody

dn: cn=Domain Admins,ou=Group, ou=DS,o=Fachhochschule Koeln,c=DE
gidNumber: 512
sambaSID: S-1-5-21-2224407680-2312910263-3502601358-512
memberUid: root
sambaGroupType: 2
displayName: Domain Admins
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Administrators
cn: Domain Admins

dn: cn=Domain Users,ou=Group, ou=DS,o=Fachhochschule Koeln,c=DE
gidNumber: 513
sambaSID: S-1-5-21-2224407680-2312910263-3502601358-513
sambaGroupType: 2
displayName: Domain Users
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Users
cn: Domain Users

dn: cn=Domain Guests,ou=Group, ou=DS,o=Fachhochschule Koeln,c=DE
gidNumber: 514
sambaSID: S-1-5-21-2224407680-2312910263-3502601358-514
sambaGroupType: 2
displayName: Domain Guests
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Guests Users
cn: Domain Guests

dn: cn=Domain Computers,ou=Group, ou=DS,o=Fachhochschule Koeln,c=DE
gidNumber: 515
sambaSID: S-1-5-21-2224407680-2312910263-3502601358-515
sambaGroupType: 2
displayName: Domain Computers
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Computers accounts
cn: Domain Computers

dn: cn=Administrators,ou=Group, ou=DS,o=Fachhochschule Koeln,c=DE
gidNumber: 544
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Members can fully administer the 
computer/sambaDo
  mainName
cn: Administrators

dn: cn=Account Operators,ou=Group, ou=DS,o=Fachhochschule Koeln,c=DE
gidNumber: 548
sambaSID: S-1-5-32-548
sambaGroupType: 5
displayName: Account Operators
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Users to manipulate users accounts
cn: Account Operators

dn: cn=Print Operators,ou=Group, ou=DS,o=Fachhochschule Koeln,c=DE
gidNumber: 550
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Print Operators
cn: Print Operators

dn: cn=Backup Operators,ou=Group, ou=DS,o=Fachhochschule Koeln,c=DE
gidNumber: 551
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Members can bypass file security to back up 
files
cn: Backup Operators

dn: cn=Replicators,ou=Group, ou=DS,o=Fachhochschule Koeln,c=DE
gidNumber: 552
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators
objectClass: posixGroup
objectClass: sambaGroupMapping
description: Netbios Domain Supports file replication in a sambaDomainName
cn: Replicators

dn: sambaDomainName=KISD, ou=DS,o=Fachhochschule Koeln,c=DE
sambaSID: S-1-5-21-2224407680-2312910263-3502601358
gidNumber: 1000
uidNumber: 1000
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: KISD

Marian Steinbach

2005-May-01 17:08 UTC

head link

[Samba] Samba 3 PDC with ldapsam and login problem

Meanwhile I tried the same as described in my original post, but with 
higher log level.

The only negative message (I don't really know what to look for) is this 
one: "user 'root' (from session setup) not permitted to access this
share (IPC$)".

I also added a group "root" which represents the posixGroup with 
gidNumber=0 and root as a member. This doesn't help, obviously.

Still glad for any help,

Marian


[2005/05/01 19:01:12, 3] smbd/password.c:register_vuid(222)
   User name: root       Real name: root
[2005/05/01 19:01:12, 3] smbd/password.c:register_vuid(241)
   UNIX uid 0 is UNIX user root, and will be vuid 100
[2005/05/01 19:01:12, 3] smbd/password.c:register_vuid(270)
   Adding homes service for user 'root' using home directory:
'/root'
[2005/05/01 19:01:12, 3] param/loadparm.c:lp_add_home(2368)
   adding home's share [root] for user 'root' at '/root'
[2005/05/01 19:01:12, 3] smbd/process.c:process_smb(1091)
   Transaction 3 of length 88
[2005/05/01 19:01:12, 5] lib/util.c:show_msg(464)
[2005/05/01 19:01:12, 5] lib/util.c:show_msg(474)
   size=84
   smb_com=0x75
   smb_rcls=0
   smb_reh=0
   smb_err=0
   smb_flg=8
   smb_flg2=51201
   smb_tid=0
   smb_pid=7988
   smb_uid=100
   smb_mid=4
   smt_wct=4
   smb_vwv[ 0]=  255 (0xFF)
   smb_vwv[ 1]=    0 (0x0)
   smb_vwv[ 2]=    0 (0x0)
   smb_vwv[ 3]=    1 (0x1)
   smb_bcc=41
[2005/05/01 19:01:12, 3] smbd/process.c:switch_message(886)
   switch message SMBtconX (pid 7989) conn 0x0
[2005/05/01 19:01:12, 3] smbd/sec_ctx.c:set_sec_ctx(288)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/05/01 19:01:12, 5] auth/auth_util.c:debug_nt_user_token(485)
   NT user token: (NULL)
[2005/05/01 19:01:12, 5] auth/auth_util.c:debug_unix_user_token(506)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2005/05/01 19:01:12, 5] smbd/uid.c:change_to_root_user(296)
   change_to_root_user: now uid=(0,0) gid=(0,0)
[2005/05/01 19:01:12, 4] smbd/reply.c:reply_tcon_and_X(407)
   Client requested device type [?????] for share [IPC$]
[2005/05/01 19:01:12, 5] smbd/service.c:make_connection(807)
   making a connection to 'normal' service ipc$
[2005/05/01 19:01:12, 2] smbd/service.c:make_connection_snum(321)
   user 'root' (from session setup) not permitted to access this share 
(IPC$)

Possibly Parallel Threads

Search for more maybe matching threads

samba - May 2005 - Samba 3 PDC with ldapsam and login problem

[Samba] Samba 3 PDC with ldapsam and login problem

[Samba] Samba 3 PDC with ldapsam and login problem

Possibly Parallel Threads