Tomasz Chmielewski
2004-Oct-22 07:26 UTC
[Samba] Samba + LDAP as a PDC - unable to log in (but able to join a domain)
Hello,

I'm trying to get Samba to work as a PDC for a group of Windows clients.

I followed two tutorials from IBM developerWorks: 1) using Samba as a PDC (which is missing domain controller = yes), 2) Using an LDAP Directory for Samba authentication.

So I was able to run Samba 3 as a PDC (without LDAP) - I could join a domain, add a user, machines were added automatically, roaming profiles worked etc.

Then I decided to add LDAP support to Samba.

In this case, I am able to join a domain, but unable to log in as a user.

Interestingly, Samba logs tell that authentication for a "machine" and "user" (which are in LDAP) was successful, but Windows tells me that the username or password were wrong. If I give a wrong password, Samba says so in the logs.

Anyone had a similar case?

I use OpenLDAP 2.2.6, Samba 3.0.4 on SuSE 9.1, clients are Win2k with SP4.

If needed, I could paste my config files, too.

Tomek
Martynas
2004-Oct-22 08:10 UTC
[Samba] Samba + LDAP as a PDC - unable to log in (but able to join a domain)
I have the same problem with samba 3.0.7+ldap as PDC on fedora 2.

regards,
Martynas

> Hello,
>
> I'm trying to get Samba to work as a PDC for a group of Windows clients.
>
> I followed two tutorials from IBM developerWorks: 1) using Samba as a PDC (which is missing domain controller = yes), 2) Using an LDAP Directory for Samba authentication.
>
> So I was able to run Samba 3 as a PDC (without LDAP) - I could join a domain, add a user, machines were added automatically, roaming profiles worked etc.
>
> Then I decided to add LDAP support to Samba.
>
> In this case, I am able to join a domain, but unable to log in as a user.
>
> Interestingly, Samba logs tell that authentication for a "machine" and "user" (which are in LDAP) was successful, but Windows tells me that the username or password were wrong.
> If I give a wrong password, Samba says so in the logs.
>
> Anyone had a similar case?
>
> I use OpenLDAP 2.2.6, Samba 3.0.4 on SuSE 9.1, clients are Win2k with SP4.
>
> If needed, I could paste my config files, too.
>
> Tomek
Tomasz Chmielewski
2004-Oct-22 18:53 UTC
[Samba] Samba + LDAP as a PDC - unable to log in (but able to join a domain)
John H Terpstra wrote:
> a) Your configuration information. From this someone may be able to
> see things that are not as they need to be. That may help you to find a
> solution.
In case anyone wondered, here's my smb.conf and slapd.conf.
As I said, without LDAP, I can join a domain, log in as a user, roaming
profiles work etc.
With OpenLDAP added, I can join the domain, but then I'm unable to log
in as a user from the Windows workstation (w2k SP4).
Samba logs say that user authentication was successful, but Windows says
that user/password were wrong.
smb.conf:
[global]
;basic server settings
workgroup = MAGISTA
netbios name = Server
server string = Samba PDC running %v
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
;PDC and master browser settings
os level = 65
preferred master = yes
local master = yes
domain master = yes
domain logons = yes
wins support = yes
remote announce = 192.168.0.255/MAGISTA
;security and logging settings
security = user
encrypt passwords = yes
log file = /var/log/samba/log.%m
log level = 2
max log size = 50
hosts allow = 127.0.0.1 192.168.0.0/255.255.255.0
;password sync
passwd program = /usr/local/sbin/smbldap-passwd -o %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*
unix password sync = Yes
;LDAP-specific settings
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=magista,dc=de
ldap ssl = no
ldap suffix = dc=magista,dc=de
ldap group suffix = ou=Users
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
add user script = /usr/local/sbin/smbldap-useradd -d /dev/null -s /bin/false -g machine %u
;user profiles and home directory
logon home = \\%L\%U\
logon drive = H:
logon path = \\%L\profiles\%U
logon script = netlogon.bat
# ==== shares ===
[homes]
comment = Home Directories
browseable = no
writeable = yes
[profiles]
path = /home/samba/profiles
writeable = yes
browseable = no
create mask = 0600
directory mask = 0700
[netlogon]
comment = Network Logon Service
path = /home/netlogon
read only = yes
browseable = no
write list = tom
[unattended]
comment = Installation Sources
path = /home/unattended
read only = yes
browseable = no
valid users = unattended
### EOF smb.conf
slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/samba3.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/openldap/modules
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attr=userPassword,userPKCS12
by self write
by * auth
access to attr=shadowLastChange
by self write
by * read
access to *
by self write
by users read
by anonymous auth
database ldbm
cachesize 10000
suffix "dc=magista,dc=de"
rootdn "cn=Manager,dc=magista,dc=de"
rootpw xxxxxx
directory /var/lib/ldap
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index member eq
index default sub
# Logging
loglevel 256
### EOF slapd.conf
Tomek
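A quick way to sanity-check the directory side of a setup like the one posted, added here as an example and not part of the thread or of Samba itself: the script below parses an LDIF export of the tree (what ldapsearch -x -LLL -D cn=Manager,dc=magista,dc=de -W -b dc=magista,dc=de prints for the configuration above) and reports every sambaSamAccount that cannot complete a domain logon because its sambaSID is not under the sambaDomain entry's SID, it has no well-formed sambaNTPassword, its sambaAcctFlags mark it disabled, or its sambaPrimaryGroupSID belongs to another domain. The domain name MAGISTA and the suffix dc=magista,dc=de are taken from the posted smb.conf; the sample LDIF, its SIDs and its hash values are constructed. Note that with the slapd.conf as posted, sambaLMPassword and sambaNTPassword are not listed in the userPassword rule and so fall under the catch-all rule with by users read, which lets any bound user read every account's NT hash; treat such a dump as you would a password file.

```python
"""Check a Samba 3 ldapsam LDIF dump for domain-logon prerequisites.
Added example, not code from the thread; SAMPLE_LDIF below is constructed."""
import base64
import re
from typing import Dict, List

Entry = Dict[str, List[str]]
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(-\d+){3}$")  # shape of a domain SID
NT_HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")       # 16-byte NT hash, hex


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfold ' '-continued lines, decode 'attr::' base64
    values, split entries on blank lines; every attribute maps to a list."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # attr:: <base64>
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(attr, []).append(value.strip())
    return entries


def _first(entry: Entry, attr: str, default: str = "") -> str:
    return entry.get(attr, [default])[0]


def check_logon_prereqs(entries: List[Entry], domain: str) -> List[str]:
    """One message per failed precondition; an empty list means every
    sambaSamAccount looks usable for a domain logon."""
    domains = [e for e in entries if "sambaDomain" in e.get("objectClass", [])
               and _first(e, "sambaDomainName").upper() == domain.upper()]
    if len(domains) != 1:
        return [f"expected exactly one sambaDomain entry for {domain}, found {len(domains)}"]
    dom_sid = _first(domains[0], "sambaSID")
    if not DOMAIN_SID_RE.match(dom_sid):
        return [f"sambaDomain {domain} has malformed sambaSID {dom_sid!r}"]
    problems: List[str] = []
    for e in entries:
        if "sambaSamAccount" not in e.get("objectClass", []):
            continue
        uid = _first(e, "uid", _first(e, "dn", "?"))
        flags = _first(e, "sambaAcctFlags", "[ ]")
        sid = _first(e, "sambaSID")
        if not sid.startswith(dom_sid + "-"):
            problems.append(f"{uid}: sambaSID {sid!r} is not under domain SID {dom_sid}")
        if "D" in flags:                        # D flag = account disabled
            problems.append(f"{uid}: account is disabled ({flags})")
        if not NT_HASH_RE.match(_first(e, "sambaNTPassword")):
            problems.append(f"{uid}: sambaNTPassword missing or malformed, no usable NT hash")
        pg_sid = _first(e, "sambaPrimaryGroupSID")
        if not pg_sid.startswith(dom_sid + "-"):
            problems.append(f"{uid}: sambaPrimaryGroupSID {pg_sid!r} missing or from another domain")
    return problems


# Constructed sample dump (domain name and suffix from the posted smb.conf,
# SIDs and hashes made up): a good user, a user with no password set, and a
# disabled account whose SIDs belong to a foreign domain.
SAMPLE_LDIF = """\
dn: sambaDomainName=MAGISTA,dc=magista,dc=de
objectClass: sambaDomain
sambaDomainName: MAGISTA
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: uid=tom,ou=Users,dc=magista,dc=de
objectClass: sambaSamAccount
uid: tom
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3000
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513
sambaAcctFlags: [U          ]
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=anna,ou=Users,dc=magista,dc=de
objectClass: sambaSamAccount
uid: anna
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513
sambaAcctFlags: [U          ]

dn: uid=old,ou=Users,dc=magista,dc=de
objectClass: sambaSamAccount
uid: old
sambaSID: S-1-5-21-9999999999-8888888888-7777777777-3006
sambaPrimaryGroupSID: S-1-5-21-9999999999-8888888888-7777777777-513
sambaAcctFlags: [UD         ]
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
"""

if __name__ == "__main__":
    for problem in check_logon_prereqs(parse_ldif(SAMPLE_LDIF), "MAGISTA"):
        print(problem)
```

To run it against a live tree, feed the output of the ldapsearch command above in place of SAMPLE_LDIF. The domain SID the script validates should be the same one net getlocalsid prints on the PDC; user and machine SIDs that sit under a different SID do not belong to the domain Samba is serving, which is exactly the kind of inconsistency an "authentication succeeded in the log, rejected by Windows" symptom calls for ruling out first.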