Problem number one: ------------------- I'm running a few-hours-old CVS version of Samba 3.0 with LDAP as the authentication backend, and I'm having some problems trying to set up the LDAP accounts using "smbpasswd". I build the structure of the LDAP database by importing a couple of LDIF's, and then I import the following user account to create an administrative account within samba: dn: uid=smbadmin,ou=users,o=caedm,dc=gilliam objectClass: person objectClass: sambaAccount objectClass: posixAccount cn: smbadmin sn: smbadmin uid: smbadmin rid: 500 #ntSid: 500 primaryGroupId: 512 uidNumber: 0 gidNumber: 0 homeDirectory: /dev/null loginShell: /bin/false description: SMB Administrative Account gecos: SMB Administrative Account pwdLastSet: 0 logonTime: 0 logoffTime: 0 kickoffTime: 0 pwdCanChange: 0 pwdMustChange: 0 smbHome: \\%N\ homeDrive: K: profilePath: \\%N\profile acctFlags: [UX ] If I do "finger smbadmin" then his proper information comes up, I can set his system password with "passwd," and 'login' authenticates him (though I don't get very far with home=/dev/null and shell=/bin/false) so I know that my LDAP and NSS are working properly. However, when I run "smbpasswd -D 4 smbadmin" then I get the following error: [...smbpasswd negotiates LDAP connection...] Entry found for user: smbadmin no rid or ntSid attribute found for this user smbadmin ldapsam_getsampwnam: init_sam_from_ldap failed for user 'smbadmin'! Failed to find entry for user smbadmin. Failed to modify password entry for user smbadmin With a more verbose error dump, I can confirm that it is finding the smbadmin user's data, but that it isn't finding the attribute ntSid, and thus is aborting. However, the problem is that according to the samba LDAP schema, ntSid is a valid attribute only for objectClass sambaGroupMapping. It isn't a valid attribute for objectClass sambaAccount, so OpenLDAP won't let me create a sambaAccount object with an ntSid attribute. If I add ntSid to the objectClass sambaAccount in the samba.schema, restart OpenLDAP, uncomment the ntSid line in the LDIF example I gave above, then I can use smbpasswd to give smbadmin a password. Evidently from the smbpasswd debugging output, smbpasswd should check for the existence of the rid attribute, and continue if either ntSid or rid are found. But it doesn't check for rid, only ntSid, and aborts. So I guess either the samba.schema or the code for smbpasswd has to be changed. I'm not really sure which. Problem number two: ------------------- Running "smbpasswd -a soren" returns: NO user RID specified on account soren, cannot add! ldap_add_sam_account: init_ldap_from_sam failed! Failed to add entry for user soren. Failed to modify password entry for user soren Perhaps it's an "undocumented feature" or just something I missed, but I don't see a way to specify a RID when creating a new account. -- Soren Harward soren@byu.edu
Problem number one: ------------------- I'm running a few-hours-old CVS version of Samba 3.0 with LDAP as the authentication backend, and I'm having some problems trying to set up the LDAP accounts using "smbpasswd". I build the structure of the LDAP database by importing a couple of LDIF's, and then I import the following user account to create an administrative account within samba: dn: uid=smbadmin,ou=users,o=caedm,dc=gilliam objectClass: person objectClass: sambaAccount objectClass: posixAccount cn: smbadmin sn: smbadmin uid: smbadmin rid: 500 #ntSid: 500 primaryGroupId: 512 uidNumber: 0 gidNumber: 0 homeDirectory: /dev/null loginShell: /bin/false description: SMB Administrative Account gecos: SMB Administrative Account pwdLastSet: 0 logonTime: 0 logoffTime: 0 kickoffTime: 0 pwdCanChange: 0 pwdMustChange: 0 smbHome: \\%N\ homeDrive: K: profilePath: \\%N\profile acctFlags: [UX ] If I do "finger smbadmin" then his proper information comes up, I can set his system password with "passwd," and 'login' authenticates him (though I don't get very far with home=/dev/null and shell=/bin/false) so I know that my LDAP and NSS are working properly. However, when I run "smbpasswd -D 4 smbadmin" then I get the following error: [...smbpasswd negotiates LDAP connection...] Entry found for user: smbadmin no rid or ntSid attribute found for this user smbadmin ldapsam_getsampwnam: init_sam_from_ldap failed for user 'smbadmin'! Failed to find entry for user smbadmin. Failed to modify password entry for user smbadmin With a more verbose error dump, I can confirm that it is finding the smbadmin user's data, but that it isn't finding the attribute ntSid, and thus is aborting. However, the problem is that according to the samba LDAP schema, ntSid is a valid attribute only for objectClass sambaGroupMapping. It isn't a valid attribute for objectClass sambaAccount, so OpenLDAP won't let me create a sambaAccount object with an ntSid attribute. If I add ntSid to the objectClass sambaAccount in the samba.schema, restart OpenLDAP, uncomment the ntSid line in the LDIF example I gave above, then I can use smbpasswd to give smbadmin a password. Evidently from the smbpasswd debugging output, smbpasswd should check for the existence of the rid attribute, and continue if either ntSid or rid are found. But it doesn't check for rid, only ntSid, and aborts. So I guess either the samba.schema or the code for smbpasswd has to be changed. I'm not really sure which. Problem number two: ------------------- Running "smbpasswd -a soren" returns: NO user RID specified on account soren, cannot add! ldap_add_sam_account: init_ldap_from_sam failed! Failed to add entry for user soren. Failed to modify password entry for user soren Perhaps it's an "undocumented feature" or just something I missed, but I don't see a way to specify a RID when creating a new account. -- Soren Harward soren@byu.edu
Gerald (Jerry) Carter
2003-May-23 11:31 UTC
[Samba] smbpasswd and RID/SID problems with LDAP
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 12 May 2003, Soren Harward wrote:> Problem number one: > ------------------- > > I'm running a few-hours-old CVS version of Samba 3.0 with LDAP as the > authentication backend, and I'm having some problems trying to set up > the LDAP accounts using "smbpasswd". I build the structure of the > LDAP database by importing a couple of LDIF's, and then I import the > following user account to create an administrative account within samba: > > dn: uid=smbadmin,ou=users,o=caedm,dc=gilliam > objectClass: person > objectClass: sambaAccountYou do know the schema has been changed right ? Either use 'passdb backend = ldapsam_compat:ldap://localhost/ guest' with the old schema, or use 'passdb backend = ldapsam:ldap://localhost/ guest' with the new sambaSamAccount schema. cheers, jerry ---------------------------------------------------------------------- Hewlett-Packard ------------------------- http://www.hp.com SAMBA Team ---------------------- http://www.samba.org GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc "You can never go home again, Oatman, but I guess you can shop there." --John Cusack - "Grosse Point Blank" (1997) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: For info see http://quantumlab.net/pine_privacy_guard/ iD8DBQE+zgacIR7qMdg1EfYRAgXPAKCXOfqUS5HSIWTmbuA3oP/MfUVUyQCfZsp0 xfjrNQYFzRpDGwn68iG4jE4=LZIN -----END PGP SIGNATURE-----