Torben Thomsen
2004-Feb-15 01:15 UTC
[Samba] Problem validating with LDAP and Samba3.0.1debian
Hi, I'm running openldap and samba3.0.1 from my debian system, but I have used many many hours trying to get samba to validate users on the ldap... and am now turning to the last resort ...

This is my configuration

__________________________________________________
the important lines in smb.conf look like this...
--------------------------------------------------

[global]
    workgroup = SKOLE
    passdb backend = ldapsam:ldap://127.0.0.1/
    ldap suffix = dc=login
    ldap machine suffix = ou=machines
    ldap user suffix = ou=people
    ldap group suffix = ou=groups
    ldap admin dn = "cn=admin,dc=login"
    netbios name = thePri
    load printers = no
    security = user
    encrypt passwords = true
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = yes
    os level = 40
    domain master = yes
    preferred master = yes
    domain logons = yes
    wins support = yes
    dns proxy = no

___________________________
slapd.conf looks like this:
---------------------------

allow bind_v2
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd.args
loglevel 256
modulepath /usr/lib/ldap
moduleload back_ldbm
database ldbm
suffix "dc=login"
rootdn "cn=admin,dc=login"
rootpw <MyPaSsWoRd>
directory "/var/lib/ldap"
index objectClass,uid,uidNumber,gidNumber,memberUid eq
lastmod on

access to attribute=userPassword
    by dn="cn=admin,dc=login" write
    by anonymous auth
    by self write
    by * none

access to dn.base="" by * read

access to *
    by dn="cn=admin,dc=login" write
    by * read

_____________________________
/etc/ldap.conf
-----------------------------

HOST 127.0.0.1
BASE dc=login

_____________________________________________

The samba.schema is copied from the samba 3.0.1 source (/examples/LDAP/samba.schema) and the ldap is populated with the populate tool from smb-tools, and I can see the ldap tree is working with lam (lam.sf.net), and create new users from here... a pdbedit -L reveals the users as well.... The populate tool creates an Administrator, and when I do "smbpasswd Administrator" it looks like it succeeds, the values in sambaNTPassword change anyway...

THE PROBLEM:

I use two cases to show my problem, one case with the correct passwd, and one with a wrong passwd.

me@compaq:~$ smbclient -L localhost -U Administrator
Password: (CORRECT PASSWORD)
session setup failed: NT_STATUS_LOGON_FAILURE

________________________________
The log for the above looks like this
---------------------------------

Feb 14 21:04:54 compaq slapd[3739]: conn=8 op=2 SRCH base="dc=login" scope=2 filter="(&(uid=Administrator)(objectClass=sambaSamAccount))"
Feb 14 21:04:54 compaq slapd[3739]: conn=8 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
Feb 14 21:04:54 compaq slapd[3739]: conn=8 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text
Feb 14 21:04:54 compaq smbd[3754]: [2004/02/14 21:04:54, 0] auth/auth_sam.c:check_sam_security(221)
Feb 14 21:04:54 compaq smbd[3754]: check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
Feb 14 21:04:54 compaq slapd[3737]: conn=8 fd=9 closed

---------------------------------------------------------------------------------------------

me@compaq:~$ smbclient -L localhost -U Administrator
Password: (WRONG PASSWORD)
session setup failed: NT_STATUS_LOGON_FAILURE

_______________________________________
The log for the above looks like this
---------------------------------------

Feb 14 21:20:56 compaq slapd[3739]: conn=9 op=2 SRCH base="dc=login" scope=2 filter="(&(uid=Administrator)(objectClass=sambaSamAccount))"
Feb 14 21:20:56 compaq slapd[3739]: conn=9 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
Feb 14 21:20:56 compaq slapd[3739]: conn=9 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text
Feb 14 21:20:56 compaq slapd[3737]: conn=9 fd=9 closed

---------------------------------------------------------------------------------

So, it seems that the samba-backend recognizes the Administrator with the correct password, but still throws a NT_STATUS_NO_SUCH_USER.

I suspect it has something to do with the unix-user sync, but I have no idea at the moment how to deal with this problem!

In the future I would like to sync the samba-user with the unix-user, but there is still a LOONG way into the XP-pile before that problem has priority....

I sure could use some help!

Thanx
/torben

------------------------------------------
The following is just a snip from a ldap search
-------------------------------

cn: Administrator
sn: Administrator
objectclass: inetOrgPerson
gidnumber: 512
uid: Administrator
uidnumber: 998
homedirectory: HOMEPREFIX
sambalogontime: 0
sambalogofftime: 2147483647
sambakickofftime: 2147483647
sambahomepath: \\PDCNAME\homes
sambahomedrive: HOMEDRIVE
sambaprofilepath: \\PDCNAME\profiles\
sambaprimarygroupsid: S-1-5-21-53176251-1034743845-4114978061-512
sambaacctflags: [U ]
sambasid: S-1-5-21-53176251-1034743845-4114978061-2996
loginshell: /bin/false
gecos: Netbios Domain Administrator
sambapwdcanchange: 1076792501
sambapwdmustchange: 1078606901
sambalmpassword: 598DDCE2660D3193AAD3B435B51404EE
sambantpassword: 2D20D252A479F485CDF5E171D93985BF
sambapwdlastset: 1076792501

cn: nobody
sn: nobody
objectclass: inetOrgPerson
gidnumber: 514
uid: nobody
uidnumber: 999
homedirectory: /dev/null
sambapwdlastset: 0
sambalogontime: 0
sambalogofftime: 2147483647
sambakickofftime: 2147483647
sambapwdcanchange: 0
sambapwdmustchange: 2147483647
sambahomepath: \\PDCNAME\homes
sambahomedrive: HOMEDRIVE
sambaprofilepath: \\PDCNAME\profiles\
sambaprimarygroupsid: S-1-5-21-53176251-1034743845-4114978061-514
sambalmpassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambantpassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaacctflags: [NU ]
sambasid: S-1-5-21-53176251-1034743845-4114978061-2998
loginshell: /bin/false

objectclass: posixGroup
gidnumber: 512
cn: Domain Admins
memberuid: Administrator
description: Netbios Domain Administrators
sambasid: S-1-5-21-53176251-1034743845-4114978061-512
sambagrouptype: 2
displayname: Domain Admins
Torben Thomsen
2004-Feb-15 02:17 UTC
[Samba] Problem validating with LDAP and Samba3.0.1debian
boka wrote:
> Torben Thomsen wrote:
>
>> I'm running openldap and samba3.0.1 ...
>
>
> forget about 3.0.1 ! better use 3.0.0 or 3.0.2a

Oooops typo ... I meant using 3.0.2debian, and my problem is still real :)

cheers
/torben
Andrew Bartlett
2004-Feb-15 02:18 UTC
[Samba] Problem validating with LDAP and Samba3.0.1debian
On Sun, 2004-02-15 at 13:12, Torben Thomsen wrote:
> Hi,
>
> I'm running openldap and samba3.0.1 from my debian system, but I have
> used many many hours trying to get samba to validate users on the
> ldap... And is now turning to the last resort ...

> access to attribute=userPassword
>     by dn="cn=admin,dc=login" write
>     by anonymous auth
>     by self write
>     by * none
>
> access to dn.base="" by * read
>
> access to *
>     by dn="cn=admin,dc=login" write
>     by * read

You should also restrict access to sambaNTpassword and sambaLMpassword, but that's a matter for after this is working.

> Feb 14 21:04:54 compaq smbd[3754]: [2004/02/14 21:04:54, 0]
> auth/auth_sam.c:check_sam_security(221)
>
> Feb 14 21:04:54 compaq smbd[3754]: check_sam_security:
> make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

This means that the local unix user (the one with exactly the same name as the Samba user) does not exist.

> So, it seems that the samba-backend recognizes the Administrator, with
> the correct password, but still throws a NT_STATUS_NO_SUCH_USER
>
> I susepect it has something to do with the unix-user sync, but i have no
> idea, at the moment how to deal with this problem!

Populate LDAP with posixAccount attributes, and configure nss_ldap to talk to the same ldap server. This will allow 'getent passwd' to succeed (showing your samba users), and Samba will then work.

> In the future i would like to sync the samba-user with the unix-user,
> but there is still a LOONG way into the XP-pile before that problem has
> priority....

This is now your priority, as it is required to make it work :-)

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
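An added example of the fix Andrew describes (not code from the thread, from Samba or from smbldap-tools): a POSIX shell helper that builds the LDIF adding posixAccount to an existing Samba user, prints a slapd.conf ACL that hides the two Samba hash attributes from everyone but the admin DN, and checks a getent passwd line against the expected uid/gid. It assumes user entries sit at uid=<name>,ou=people,dc=login (Torben's ldap user suffix) and that /home/Administrator is the wanted home directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba/smbldap-tools.
# Covers Andrew Bartlett's two points: give Samba users a posixAccount so
# nss_ldap (and hence smbd) can resolve them, and stop anonymous reads of
# the Samba hash attributes. Assumes entries live at
# uid=<name>,ou=people,dc=login (Torben's "ldap user suffix").

# Emit an LDIF modify that adds posixAccount and its required attributes.
# Usage: posix_ldif <uid> <uidNumber> <gidNumber> <homeDirectory> [loginShell]
posix_ldif() {
    printf 'dn: uid=%s,ou=people,dc=login\n' "$1"
    printf 'changetype: modify\n'
    printf 'add: objectClass\nobjectClass: posixAccount\n-\n'
    printf 'replace: uidNumber\nuidNumber: %s\n-\n' "$2"
    printf 'replace: gidNumber\ngidNumber: %s\n-\n' "$3"
    printf 'replace: homeDirectory\nhomeDirectory: %s\n-\n' "$4"
    printf 'replace: loginShell\nloginShell: %s\n' "${5:-/bin/false}"
}

# slapd.conf ACL hiding sambaLMPassword/sambaNTPassword from everyone
# except the DN Samba binds with; it must precede the "access to *" rule.
hash_acl() {
    printf 'access to attrs=sambaLMPassword,sambaNTPassword\n'
    printf '    by dn="%s" write\n' "$1"
    printf '    by * none\n'
}

# Verify one 'getent passwd' line carries the expected name, uid and gid.
# Usage: check_getent "<passwd line>" <uid> <uidNumber> <gidNumber>
check_getent() {
    IFS=: read -r name pw uidn gidn rest <<EOF
$1
EOF
    [ "$name" = "$2" ] && [ "$uidn" = "$3" ] && [ "$gidn" = "$4" ]
}

# Apply the change and confirm NSS sees the user. Not run automatically.
# Needs nss_ldap pointed at the same server (Debian's libnss-ldap package
# reads /etc/libnss-ldap.conf) and "passwd: files ldap" plus
# "group: files ldap" in /etc/nsswitch.conf.
apply_and_check() {
    posix_ldif "$1" "$2" "$3" "$4" |
        ldapmodify -x -D 'cn=admin,dc=login' -W -H ldap://127.0.0.1/ &&
    check_getent "$(getent passwd "$1")" "$1" "$2" "$3"
}
# Example: apply_and_check Administrator 998 512 /home/Administrator
```

Once getent passwd resolves the user, the make_server_info_sam() NT_STATUS_NO_SUCH_USER failure in Torben's log should disappear; the ACL is the follow-up hardening Andrew mentions.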