I was wondering if anyone could help me with this one. I am having trouble getting LDAP and samba working properly on my Debian Woody box. I am using OpenLDAP 2.0.27-3 and the unstable packaged Samba version 2.999+3.0 and am using the samba.schema for my LDAP database.

Whenever I try to join the network using either W2K or smbclient the LDAP debug log shows that the following filter is being used:
....
Jan 24 12:32:01 boo slapd[14586]: filter: (&(objectClass=posixAccount)(uid=ELUCIDATION\5CROOT))
....

So the problem is that the domain name is being prefixed to the userid but my LDAP database only wants a userid. I thought the "ldap filter" parm in smb.conf might allow me to change this, but it doesn't seem to do anything. Does anyone have any suggestions??

Thanks in advance.

John
jpeak@yahoo.com

On Fri, 2003-01-24 at 13:15, Samba Newsgroups wrote:
> I was wondering if anyone could help me with this one. I am having trouble
> getting LDAP and samba working properly on my Debian Woody box. I am using
> OpenLDAP 2.0.27-3 and the unstable packaged Samba version 2.999+3.0 and am
> using the samba.schema for my LDAP database.
>
> Whenever I try to join the network using either W2K or smbclient the LDAP
> debug log shows that the following filter is being used:
> ....
> Jan 24 12:32:01 boo slapd[14586]: filter:
> (&(objectClass=posixAccount)(uid=ELUCIDATION\5CROOT))

you'd better show your smb.conf...

brad
--
Bradley W. Langhorst <brad@langhorst.com>

I am sure there are some extraneous parameters in it from all the things
I've tried, but here it is....
# Samba config file created using SWAT
# from 192.168.1.8 (192.168.1.8)
# Date: 2003/01/20 21:34:50
# Global parameters
[global]
realm = ELUCIDATION
workgroup = ELUCIDATION
netbios name = Boo
server string = %h server (Samba %v)
security = USER
obey pam restrictions = Yes
guest account = guest
passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
unix password sync = Yes
encrypt passwords = Yes
log level = 5
log file = /var/log/samba/%m.log
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain logons = No
logon script = startup.bat
os level = 80
preferred master = Yes
domain master = Yes
local master = Yes
dns proxy = No
wins support = Yes
ldap suffix = dc=ELUCIDATION
ldap machine suffix = dc=ELUCIDATION
ldap user suffix = dc=ELUCIDATION
ldap admin dn = cn=Manager,dc=ELUCIDATION
ldap ssl = Yes
ldap filter = "(&(uid=%u)(objectclass=ixAccount))"
printing = lprng
add user script = /usr/local/sbin/smbldap-useradd.pl -w %u
panic action = /usr/share/samba/panic-action %d
invalid users = root
hosts allow = 192.168.1.0/255.255.255.0
logon drive = H:
logon home = \\boo\%u
domain admin group = " @"Domain Admins" "
[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0664
directory mask = 0775
browseable = No
[netlogon]
comment = Network Logon Service
path = /opt/samba/netlogon
guest ok = Yes
[doc]
path=/usr/share/doc
public=yes
writable=no
read only=no
create mask = 0750
guest ok = Yes
[profiles]
path = /opt/samba/profiles
read only = Yes
create mask = 0644
directory mask = 0775
guest ok = Yes
browseable = No
[printers]
comment = All Printers
path = /tmp
create mask = 0700
printable = Yes
browseable = No
[tmp]
comment = Temporary file space
path = /tmp
read only = No
guest ok = Yes
~-~-~-~-~-~-~-~-~-~-~-~-~-~
John Peak
Revenue Cycle Solutions
McKesson Corp.
john.peak@mckesson.com
404.338.2701
-----Original Message-----
From: Bradley W. Langhorst [mailto:brad@langhorst.com]
Sent: Friday, January 24, 2003 4:16 PM
To: Peak, John
Cc: samba@lists.samba.org
Subject: Re: [Samba] LDAP Filter Problem
On Fri, 2003-01-24 at 13:15, Samba Newsgroups wrote:
> I was wondering if anyone could help me with this one. I am having trouble
> getting LDAP and samba working properly on my Debian Woody box. I am using
> OpenLDAP 2.0.27-3 and the unstable packaged Samba version 2.999+3.0 and am
> using the samba.schema for my LDAP database.
>
> Whenever I try to join the network using either W2K or smbclient the LDAP
> debug log shows that the following filter is being used:
> ....
> Jan 24 12:32:01 boo slapd[14586]: filter:
> (&(objectClass=posixAccount)(uid=ELUCIDATION\5CROOT))
you'd better show your smb.conf...
brad
--
Bradley W. Langhorst <brad@langhorst.com>
Brad,

Thanks for the suggestions. I got rid of the realm and changed back the LDAP filter to what you suggested to no avail.

I assume that Samba is directly responsible for sending the LDAP search query to slapd. Is this correct? With the slapd debugging turned on I see that LDAP gets the same query twice to retrieve an account when I try to connect as a Samba client (see details below). Is the filter defined in smb.conf the same filter that is supposed to be used in this query because if so it doesn't seem to work. Also, is it correct for Samba to prefix the domain name to the userid before querying the LDAP database? If I query my LDAP database using this filter it obviously returns nothing, but if I remove the "ELUCIDATION\" domain prefix it does return the user record.

It's frustrating because I feel like I know what the problem is, but don't know how to fix it. Any other ideas would be greatly appreciated!

John

Samba Client Connection
==================
smbclient -d 4 -L boo -U root%password -W ELUCIDATION

debug.log:
=======
Jan 27 07:37:14 boo slapd[8038]: connection_get(25)
Jan 27 07:39:40 boo slapd[8038]: connection_get(25)
Jan 27 07:39:40 boo slapd[14586]: send_ldap_result: 0::
Jan 27 07:39:40 boo slapd[8038]: connection_get(25)
Jan 27 07:39:40 boo slapd[14719]: SRCH "ou=Users,dc=ELUCIDATION" 1 0
Jan 27 07:39:40 boo slapd[14719]: 1 0 0
Jan 27 07:39:40 boo slapd[14719]: filter: (&(objectClass=posixAccount)(uid=elucidation\5Croot))
Jan 27 07:39:40 boo slapd[14719]: attrs:
Jan 27 07:39:40 boo slapd[14719]: uid
Jan 27 07:39:40 boo slapd[14719]: userPassword
Jan 27 07:39:40 boo slapd[14719]: uidNumber
Jan 27 07:39:40 boo slapd[14719]: gidNumber
Jan 27 07:39:40 boo slapd[14719]: cn
Jan 27 07:39:40 boo slapd[14719]: homeDirectory
Jan 27 07:39:40 boo slapd[14719]: loginShell
Jan 27 07:39:40 boo slapd[14719]: gecos
Jan 27 07:39:40 boo slapd[14719]: description
Jan 27 07:39:40 boo slapd[14719]: objectClass
Jan 27 07:39:40 boo slapd[14719]:
Jan 27 07:39:40 boo slapd[8038]: connection_get(25)
Jan 27 07:39:40 boo slapd[9285]: SRCH "ou=Users,dc=ELUCIDATION" 1 0
Jan 27 07:39:40 boo slapd[9285]: 1 0 0
Jan 27 07:39:40 boo slapd[9285]: filter: (&(objectClass=posixAccount)(uid=ELUCIDATION\5CROOT))
Jan 27 07:39:40 boo slapd[9285]: attrs:
Jan 27 07:39:40 boo slapd[9285]: uid
Jan 27 07:39:40 boo slapd[9285]: userPassword
Jan 27 07:39:40 boo slapd[9285]: uidNumber
Jan 27 07:39:40 boo slapd[9285]: gidNumber
Jan 27 07:39:40 boo slapd[9285]: cn
Jan 27 07:39:40 boo slapd[9285]: homeDirectory
Jan 27 07:39:40 boo slapd[9285]: loginShell
Jan 27 07:39:40 boo slapd[9285]: gecos
Jan 27 07:39:40 boo slapd[9285]: description
Jan 27 07:39:40 boo slapd[9285]: objectClass
Jan 27 07:39:40 boo slapd[9285]:
Jan 27 07:39:41 boo slapd[8038]: connection_get(25)

~-~-~-~-~-~-~-~-~-~-~-~-~-~
John Peak
Revenue Cycle Solutions
McKesson Corp.
john.peak@mckesson.com
404.338.2701

-----Original Message-----
From: Bradley W. Langhorst [mailto:brad@langhorst.com]
Sent: Friday, January 24, 2003 4:52 PM
To: Peak, John
Cc: samba@lists.samba.org
Subject: RE: [Samba] LDAP Filter Problem

On Fri, 2003-01-24 at 16:32, Peak, John wrote:
> I am sure there are some extraneous parameters in it from all the
> things I've tried, but here it is.......
> # Global parameters
> [global]
> realm = ELUCIDATION

what's this doing here?

> ldap filter = "(&(uid=%u)(objectclass=ixAccount))"

i think this should be
ldap filter = (&(uid=%u)(objectclass=sambaAccount))
unless you've done something unusual

brad
--
Bradley W. Langhorst <brad@langhorst.com>
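
Added example, not part of the thread and not Samba or OpenLDAP code: the `\5C` in the logged filters is the hex escape for a backslash in an LDAP filter value (RFC 4515), so slapd is being asked for the literal uid `ELUCIDATION\ROOT`. The sketch below reads slapd filter lines in the format quoted above, decodes the uid value, and reports any domain prefix along with the bare-uid filter the directory would match. The function names and the last sample line are constructed for illustration.

```python
import re

# Constructed sample input: slapd debug lines in the format quoted in the thread.
SAMPLE_LOG = r"""Jan 27 07:39:40 boo slapd[14719]: SRCH "ou=Users,dc=ELUCIDATION" 1 0
Jan 27 07:39:40 boo slapd[14719]: filter: (&(objectClass=posixAccount)(uid=elucidation\5Croot))
Jan 27 07:39:40 boo slapd[9285]: filter: (&(objectClass=posixAccount)(uid=ELUCIDATION\5CROOT))
Jan 27 07:39:41 boo slapd[9285]: filter: (&(objectClass=posixAccount)(uid=jdoe))
"""

FILTER_LINE = re.compile(r"slapd\[(\d+)\]: filter: (.+)$")
UID_ASSERTION = re.compile(r"\(uid=((?:[^()\\]|\\[0-9A-Fa-f]{2})*)\)")
HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")


def unescape_value(value):
    """Decode RFC 4515 \\XX escapes (single-byte values only; \\5C is a backslash)."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def escape_value(value):
    """Escape the characters RFC 4515 reserves in an assertion value."""
    return "".join(f"\\{ord(c):02X}" if c in "\\*()\0" else c for c in value)


def audit_uid_filters(log_text):
    """Return one record per logged filter that carries a uid assertion."""
    records = []
    for line in log_text.splitlines():
        m = FILTER_LINE.search(line)
        if not m:
            continue
        uid = UID_ASSERTION.search(m.group(2))
        if not uid:
            continue
        raw = unescape_value(uid.group(1))
        domain, sep, user = raw.rpartition("\\")
        records.append({
            "pid": int(m.group(1)),
            "uid_value": raw,
            "domain": domain if sep else None,
            "user": user,
            # Filter a directory keyed on the plain uid would match.
            "bare_filter": f"(&(objectClass=posixAccount)(uid={escape_value(user)}))",
        })
    return records


if __name__ == "__main__":
    for rec in audit_uid_filters(SAMPLE_LOG):
        print(rec)
```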