Hi,
I tried to let Samba authenticate against LDAP but could not figure out
how to build the LDAP tree for Samba.
Fedora core 2
Samba 3.0.10
OpenLDAP 2.1.29
I used the migration tool bundled with OpenLDAP and successfully
imported passwd, group and hosts from NIS into LDAP. I can authenticate
from any Linux client against the LDAP server. My LDAP DIT is as follows:
dc=mydomain
|
`--- ou=People : to store user accounts for Unix and Windows
|
`--- ou=Hosts : to store computer accounts for UNIX & Windows
|
`--- ou=Groups : to store system groups for Unix and Windows
What I did was:
In the OpenLDAP server:
1) install OpenLDAP-2.1.29 RPM
2) configure /etc/openldap/slapd.conf
3) configure /etc/openldap/ldap.conf
4) run migrate_all_nis_offline.sh bundled with OpenLDAP
5) start OpenLDAP
In the Samba Server:
1) Install Samba-3.0.10 RPM
2) Configure smb.conf with SWAT
[global]
workgroup = TESTDM
passdb backend = ldapsam:ldap://10.10.0.101/
log level = 1 passdb:8 auth:8
domain logons = Yes
wins support = Yes
ldap admin dn = cn=root,dc=mydomain
ldap delete dn = Yes
ldap group suffix = ou=Group
ldap machine suffix = ou=Hosts
ldap user suffix = ou=People
ldap suffix = dc=mfelc
ldap passwd sync = Yes
ldap ssl = no
[homes]
valid users = %S
read only = No
browseable = No
3) start Samba server
4) run smbclient //smbserver -U myid
Password:
session setup failed: NT_STATUS_LOGON_FAILURE
Attached is the smbd.log; I deleted the normal log and kept the failed
messages as below:
passdb/secrets.c:secrets_fetch_trusted_domain_password(334)
secrets_fetch failed!
auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user
[TESTDM]\[szeng]@[ENZO] with the new password interface
auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [TESTDM]\[szeng]@[ENZO]
passdb/pdb_ldap.c:ldapsam_getsampwnam(1300)
ldapsam_getsampwnam: Unable to locate user [szeng] count=0
auth/auth_sam.c:check_sam_security(244)
check_sam_security: Couldn't find user 'szeng' in passdb file.
auth/auth.c:check_ntlm_password(271)
check_ntlm_password: sam authentication for user [szeng] FAILED with
error NT_STATUS_NO_SUCH_USER
auth/auth_winbind.c:check_winbind_security(80)
check_winbind_security: Not using winbind, requested domain [TESTDM]
was for this SAM.
auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [szeng] -> [szeng]
FAILED with error NT_STATUS_NO_SUCH_USER
auth/auth_util.c:free_user_info(1318)
attempting to free (and zero) a user_info structure
Is there anybody who might have some idea of what is wrong?
Thanks a lot.
--
Regards,
Steve Zeng
Systems Administrator
Mainframe Entertainment Inc
T: (604) 628-1000 ext 5293
Steve Zeng:
> I tried to let Samba authenticate against LDAP but could not figure out
> how to build the LDAP tree for Samba.
>
> Fedora core 2
> Samba 3.0.10
> OpenLDAP 2.1.29
>
> I used the migration tool bundled with OpenLDAP and successfully
> imported passwd, group and hosts from NIS into LDAP. I can authenticate
> from any Linux client against the LDAP server. My LDAP DIT is as follows:
>
> dc=mydomain
> |
> `--- ou=People : to store user accounts for Unix and Windows
> |
> `--- ou=Hosts : to store computer accounts for UNIX & Windows
> |
> `--- ou=Groups : to store system groups for Unix and Windows

O.k. But you could find at a later stage (on, for example, a large installation) that you could do better to separate Samba specific stuff into a subtree, f.ex. under an ou smb. You can still have Samba users in your People container.

[...]

No comment on the specific OpenLDAP stuff, it looks o.k. and you made it work :)

> 2) Configure smb.conf with SWAT

You might find out later that a CLI editor is a better choice; it gives you the chance of commenting and trying different settings out temporarily.

[...]

> ldap suffix = dc=mfelc

This is your immediate problem. Where on earth did you get this from? Your ldap suffix should normally be that of the suffix used in your slapd.conf DSE (could possibly be a subtree): in this case dc=mydomain.

--Tonni

--
mail: tonye@billy.demon.nl
http://www.billy.demon.nl
Judicious snippage, post at the bottom.

> I tried to let Samba authenticate against LDAP but could not figure
> out how to build the LDAP tree for Samba.
>
> Fedora core 2
> Samba 3.0.10
> OpenLDAP 2.1.29
>
> dc=mydomain
> |
> `--- ou=People : to store user accounts for Unix and Windows
> |
> `--- ou=Hosts : to store computer accounts for UNIX & Windows
> |
> `--- ou=Groups : to store system groups for Unix and Windows
>
> What I did was:

> [global]
> workgroup = TESTDM
> passdb backend = ldapsam:ldap://10.10.0.101/
> log level = 1 passdb:8 auth:8
> domain logons = Yes
> wins support = Yes
> ldap admin dn = cn=root,dc=mydomain
> ldap delete dn = Yes
> ldap group suffix = ou=Group
> ldap machine suffix = ou=Hosts
> ldap user suffix = ou=People
> ldap suffix = dc=mfelc
> ldap passwd sync = Yes
> ldap ssl = no
> 3) start Samba server
>
> 4) run smbclient //smbserver -U myid
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE

> Attached is the smbd.log; I deleted the normal log and kept the failed
> messages as below:
> check_sam_security: Couldn't find user 'szeng' in passdb file.
> auth/auth.c:check_ntlm_password(271)
> check_ntlm_password: sam authentication for user [szeng] FAILED with
> error NT_STATUS_NO_SUCH_USER

> Is there anybody who might have some idea of what is wrong?

Yep. You did nothing to create the samba attributes that will have to exist in each user account for the users to log in. I suggest you read the documentation on setting up an LDAP/PDC system that is on the samba.org web site. You've missed quite a few steps here, so you may want to read it through to get a complete idea. Your solution is going to include the following:

1. Obtain and configure the smbldap-tools package.
2. Run the smbldap-populate script
3. Make sure you've got a sambaDomain (I think that's the object type) in the base of your DIT.
4. Join the machine to the domain (since you appear to want a domain setup)
4. Add samba attributes to each user's account.

Yes there are 2 #4 entries. Doesn't matter which one comes first. As far as I can remember, those will be the critical steps to not miss. If you've followed the documentation and not done those steps, you've missed something.

--
Paul Gienger                 Office: 701-281-1884
Applied Engineering Inc.     Fax: 701-281-1322
Systems Architect            URL: www.ae-solutions.com
mailto: pgienger@ae-solutions.com
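The two diagnoses in this thread (Tonni's: the `ldap suffix` in smb.conf does not match the suffix slapd actually serves; Paul's: the NIS-migrated user entries carry no Samba attributes, so ldapsam's lookup, which filters on `objectClass=sambaSamAccount`, returns `count=0`) can both be caught before the first failed logon with an offline consistency check. The script below is an added example, not code from the thread or from the Samba or smbldap-tools projects. It parses the posted `[global]` section and a constructed slapd.conf fragment (the thread never shows that file, so the fragment is hypothetical), resolves the user/group/machine search bases the way Samba 3 does (a relative suffix such as `ou=People` gets `ldap suffix` appended), and compares them with a constructed list of the containers sketched in the original post. It then reads a constructed LDIF with one POSIX-only account and one hypothetical account that also has the `sambaSamAccount` class and the attributes ldapsam needs (`sambaSID`, `sambaNTPassword`, `sambaAcctFlags` are real Samba 3 schema names; the hash value is a placeholder).

```python
import re

# Constructed sample: the [global] settings as posted in the thread.
SMB_CONF = """
[global]
workgroup = TESTDM
passdb backend = ldapsam:ldap://10.10.0.101/
ldap admin dn = cn=root,dc=mydomain
ldap group suffix = ou=Group
ldap machine suffix = ou=Hosts
ldap user suffix = ou=People
ldap suffix = dc=mfelc
"""

# Constructed slapd.conf fragment (hypothetical; the thread does not show it).
SLAPD_CONF = """
database bdb
suffix "dc=mydomain"
"""

# Constructed: the containers that exist in the DIT sketched in the original post.
DIT_CONTAINERS = ["ou=People,dc=mydomain", "ou=Hosts,dc=mydomain", "ou=Groups,dc=mydomain"]

# Constructed LDIF: a POSIX-only account as the NIS migration scripts create it,
# beside a hypothetical account that also carries the Samba attributes.
LDIF = """
dn: uid=szeng,ou=People,dc=mydomain
objectClass: posixAccount
uid: szeng

dn: uid=alice,ou=People,dc=mydomain
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1-2-3-3004
sambaNTPassword: PLACEHOLDER_NT_HASH
sambaAcctFlags: [U          ]
"""

def parse_smb_conf(text):
    """Return {section: {key: value}} with keys lower-cased, as testparm shows them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def parse_slapd_suffix(text):
    """Return the first 'suffix' directive of slapd.conf, quotes removed."""
    for line in text.splitlines():
        m = re.match(r'\s*suffix\s+"?([^"\s]+)"?\s*$', line)
        if m:
            return m.group(1)
    return None

def check_suffixes(smb_global, slapd_suffix, containers):
    """Report an ldap suffix that differs from slapd's, and search bases that
    resolve to containers the DIT does not have (Samba 3 appends 'ldap suffix'
    to a relative user/group/machine suffix, so the bases are built the same way)."""
    findings = []
    suffix = smb_global.get("ldap suffix", "")
    if suffix.lower() != (slapd_suffix or "").lower():
        findings.append(f"ldap suffix '{suffix}' differs from slapd suffix '{slapd_suffix}'")
    known = {c.lower() for c in containers}
    for key in ("ldap user suffix", "ldap group suffix", "ldap machine suffix"):
        rdn = smb_global.get(key)
        if rdn and f"{rdn},{suffix}".lower() not in known:
            findings.append(f"{key}: search base '{rdn},{suffix}' does not exist in the DIT")
    return findings

def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' lines."""
    entries, entry = [], {}
    for line in text.splitlines():
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        attr, value = line.split(":", 1)
        entry.setdefault(attr.strip(), []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries

# Attributes ldapsam needs on a user entry besides the sambaSamAccount class.
REQUIRED_SAMBA_ATTRS = ("sambaSID", "sambaNTPassword", "sambaAcctFlags")

def check_samba_accounts(entries):
    """List accounts ldapsam cannot log in: its lookup filters on
    objectClass=sambaSamAccount, so a POSIX-only entry yields count=0."""
    findings = []
    for e in entries:
        uid = e.get("uid", ["?"])[0]
        if "sambaSamAccount" not in e.get("objectClass", []):
            findings.append(f"{uid}: no sambaSamAccount objectClass (NT_STATUS_NO_SUCH_USER)")
            continue
        missing = [a for a in REQUIRED_SAMBA_ATTRS if a not in e]
        if missing:
            findings.append(f"{uid}: missing {', '.join(missing)}")
    return findings

def run_checks():
    """Run both checks over the constructed samples and return every finding."""
    smb = parse_smb_conf(SMB_CONF)["global"]
    suffix = parse_slapd_suffix(SLAPD_CONF)
    return check_suffixes(smb, suffix, DIT_CONTAINERS) + check_samba_accounts(parse_ldif(LDIF))

if __name__ == "__main__":
    for finding in run_checks():
        print(finding)
```

Run against the posted configuration it reports the `dc=mfelc` mismatch first, then the three search bases that cannot exist under that suffix, and finally the `szeng` entry with no `sambaSamAccount` class. Correcting only the suffix still leaves one finding, because the posted `ldap group suffix = ou=Group` does not match the `ou=Groups` container in the DIT sketch; that discrepancy is visible in the original post even though neither reply mentions it. In a real deployment the same two checks would be fed by `testparm -s` output and an `ldapsearch -LLL` dump rather than the embedded samples.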