Hi Dirk, thanks for your reply!

I definitely want to go down the BDC route so that I always log on to the nearest server. The link between the two isn't really an issue - both have a DSL connection to the internet.

I started by modifying my smb.conf files so that each server is a local master for their subnet, but only the uni box is domain master. After fiddling with the 'remote announce' and 'remote browse sync' I can now view both servers from a workstation at home (*not* joined to the domain yet). So far so good!

Ok, so LDAP it is... I've followed the tutorial at http://www.idealx.org/prj/samba/smbldap-howto.en.html up to the end of section 5.1, and although I can successfully create and remove accounts, and log on to said accounts over SSH, I cannot connect to the samba server at uni using the credentials of a user in LDAP. The only problem I ran into with that tutorial was the following error when starting slapd after making the changes in section 5.1:

Checking configuration files for slapd:
/etc/openldap/slapd.conf: line 93: unknown attr "sambaPrivilegeList" in to clause

So I simply removed 'sambaPrivilegeList' from slapd.conf. I don't know if this is causing samba's authentication to fail... any ideas why slapd moaned about this and how to fix it?

Anyway, Uni server is ALPHA, the PDC for domain OMEGA. Home server is GAMMA, home workstation is DELTA. User 'andy' can log in to ALPHA over SSH, but not samba.
Increasing the log level to 3 and looking at the access log for DELTA on ALPHA when DELTA tries to connect as user 'andy' to view shares:

[2005/09/20 12:44:41, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/09/20 12:44:41, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/09/20 12:44:41, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/09/20 12:44:41, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/09/20 12:44:41, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [DELTA]\[andy]@[DELTA] with the new password interface
[2005/09/20 12:44:41, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [OMEGA]\[andy]@[DELTA]
[2005/09/20 12:44:41, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/09/20 12:44:41, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/09/20 12:44:41, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/09/20 12:44:41, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/09/20 12:44:41, 3] lib/smbldap.c:smbldap_connect_system(866)
  ldap_connect_system: succesful connection to the LDAP server
  ldap_connect_system: LDAP server does not support paged results
[2005/09/20 12:44:41, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/09/20 12:44:41, 3] auth/auth_sam.c:check_sam_security(257)
  check_sam_security: Couldn't find user 'andy' in passdb.
[2005/09/20 12:44:41, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [OMEGA] was for this SAM.
[2005/09/20 12:44:41, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [andy] -> [andy] FAILED with error NT_STATUS_NO_SUCH_USER
[2005/09/20 12:44:41, 3] smbd/process.c:timeout_processing(1334)
  timeout_processing: End of file from client (client has disconnected).
[2005/09/20 12:44:41, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/09/20 12:44:41, 2] smbd/server.c:exit_server(609)
  Closing connections
[2005/09/20 12:44:41, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2005/09/20 12:44:41, 3] smbd/server.c:exit_server(652)
  Server exit (normal exit)

It looks like the line "ldap_connect_system: LDAP server does not support paged results" indicates the problem here, however I have no idea what it means or how to fix it. (Running OpenLDAP 2.2.23-5)

Any suggestions as to what's wrong?

Thanks again,

Andy

--- On Tue Sep 20 10:53 , <Dirk.Laurenz@fujitsu-siemens.com> sent: ---

> Hello Andy,
>
> you should set up a samba domain w/ a PDC and BDC or a dial up line and a local wins server at home (but using a bdc is better).
> moreover you should use an ldap backend. this should be your setup:
>
>     [HOME] ---DIAL UP LINE---> [UNI]
>
>     [SERVER 1]             [SERVER 2]
>     -OpenLDAP / Slave      -OpenLDAP / Master
>     -Samba / BDC           -Samba / PDC
>
> I recommend to have a flat rate between UNI and HOME
>
> Kind regards,
>
> Dirk Laurenz
> Systems Engineer
>
> Fujitsu Siemens Computers
> S CE DE SE PS N/O
> Sales Central Europe Deutschland
> Professional Service Nord / Ost
>
> Hildesheimer Strasse 25
> 30880 Laatzen
> Germany
>
> Telephone: +49 (511) 84 89 - 18 08
> Telefax: +49 (511) 84 89 - 25 18 08
> Mobile: +49 (170) 22 10 781
> Email: dirk.laurenz@fujitsu-siemens.com
> Internet: http://www.fujitsu-siemens.com
> http://www.fujitsu-siemens.de/services/index.html
Dirk.Laurenz@fujitsu-siemens.com
2005-Sep-20 12:55 UTC
[Samba] Two Locations, One Domain - LDAP Auth Failure
Hi,

here's the problem:

> check_ntlm_password: Authentication for user [andy] -> [andy] FAILED with error NT_STATUS_NO_SUCH_USER
> [2005/09/20 12:44:41, 3] smbd/process.c:timeout_processing(1334)

Has the user the sambaSID attribute? Is it filled? Did you use smbldap-tools?

Kind regards,

Dirk Laurenz
Systems Engineer
Fujitsu Siemens Computers
> here's the problem:
> check_ntlm_password: Authentication for user [andy] -> [andy] FAILED with error NT_STATUS_NO_SUCH_USER
> [2005/09/20 12:44:41, 3] smbd/process.c:timeout_processing(1334)

Are you sure? That comes after the line:

[2005/09/20 12:44:41, 3] auth/auth_sam.c:check_sam_security(257)
  check_sam_security: Couldn't find user 'andy' in passdb.

...which seems to imply that because the LDAP auth failed, samba attempted to use old-style passwd-based auth instead - which will fail because 'andy' only exists in the LDAP directory, not passwd/smbpasswd.

> has the user the sambasid attribute? Is it filled? did you use smbldap-tools?

No idea... I'm an LDAP n00b! How would I find this out? But yes, to add the user I used "smbldap-useradd" and "smbldap-passwd".

Any thoughts?

Thanks,

Andy
> does wbinfo -u show up the user?

No, it doesn't:

[root@alpha ~]# wbinfo -u
Error looking up domain users

And if I try to look at what groups exist:

[root@alpha ~]# wbinfo -g
BUILTIN\administrators
BUILTIN\account operators
BUILTIN\print operators
BUILTIN\backup operators
BUILTIN\replicators

Which is odd, because surely "domain users" (or "authenticated users") should be there too? (I assume it's one of those groups which 'wbinfo -u' is trying to list?) But "Domain Users" must exist somewhere as 'andy' is part of that group:

[root@alpha ~]# cd /home
[root@alpha home]# ls -ltr
drwx------  3 andy Domain Users 4096 Sep 19 13:57 andy
[root@alpha home]# su andy
[andy@alpha home]$ id
uid=1002(andy) gid=513(Domain Users) groups=513(Domain Users) context=user_u:system_r:unconfined_t

Any ideas?

Thanks again,

Andy
> has the user the sambasid attribute? Is it filled? did you use smbldap-tools?

Ah ha, just found myself a nice GUI LDAP browser... user 'andy' has no samba-related properties. The 'root' user *does* have samba properties and I found I could access ALPHA using these credentials. So my problem is the correct creation of user accounts.

I've just gone back and re-read the document - turns out I was using:

smbldap-useradd -m username

to add users, but this only adds POSIX accounts, not samba accounts. The correct command is:

smbldap-useradd -a -m -c "User Name" username

Now on to set up a slave LDAP directory and BDC... no doubt I'll be posting to this list again a little later ;-)

Thanks for your guidance!

Regards,

Andy
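The distinction Andy reaches above (a POSIX-only entry created with `smbldap-useradd -m` versus one that also carries the Samba attributes), and Dirk's earlier question about whether sambaSID is present and filled, can be checked directly against an LDIF dump of the directory rather than by clicking through a GUI browser. The script below is an added example for this thread, not code from the list or from the smbldap-tools project. It parses LDIF in the shape `ldapsearch -x -LLL "(uid=*)"` prints and reports, per uid, what Samba's ldapsam backend would find missing: ldapsam locates a user with the filter `(&(uid=<name>)(objectClass=sambaSamAccount))`, so an entry without that objectClass is exactly the "Couldn't find user in passdb" / NT_STATUS_NO_SUCH_USER case from the log even though SSH (which only needs posixAccount via NSS/PAM) works. The sample LDIF is constructed to mirror the two entries in the thread; the `dc=example,dc=com` suffix, the SIDs and the hash value are made up.

```python
"""Audit LDAP entries for the attributes Samba's ldapsam backend requires.

Added example (not from the mailing-list thread). ldapsam looks a user up
with (&(uid=<name>)(objectClass=sambaSamAccount)); a POSIX-only entry is
therefore invisible to Samba even though NSS/PAM (and so SSH) accept it.
"""
import re
from collections import defaultdict

# Constructed LDIF in the shape of `ldapsearch -x -LLL "(uid=*)"`.
# The suffix, SIDs and hash are made-up sample values (assumptions).
SAMPLE_LDIF = """\
dn: uid=andy,ou=Users,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uid: andy
uidNumber: 1002
gidNumber: 513
homeDirectory: /home/andy

dn: uid=root,ou=Users,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: root
uidNumber: 0
gidNumber: 512
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-500
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-512
sambaNTPassword: 00000000000000000000000000000000
sambaAcctFlags: [U          ]
"""

# Standard samba.schema names, lower-cased because LDAP attribute and
# objectClass names are matched case-insensitively.
REQUIRED_CLASS = "sambasamaccount"
REQUIRED_ATTRS = ("sambasid", "sambantpassword", "sambaacctflags")


def parse_ldif(text):
    """Parse LDIF into a list of {attr_lower: [values]} dicts, one per entry.

    Handles the folding rule (a leading space continues the previous line)
    and '#' comments; base64 values ('::') are kept as their raw text.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold a continuation line
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current:
                entries.append(current)
            current = None
            continue
        m = re.match(r"^([A-Za-z][\w;-]*)::?\s*(.*)$", line)
        if not m:
            continue  # skip malformed lines rather than abort the audit
        attr, value = m.group(1).lower(), m.group(2)
        if current is None:
            current = defaultdict(list)
        current[attr].append(value)
    return entries


def check_samba_account(entry):
    """Return the problems that would make ldapsam reject this entry ([] = OK)."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if REQUIRED_CLASS not in classes:
        problems.append("missing objectClass sambaSamAccount")
    for attr in REQUIRED_ATTRS:
        if not [v for v in entry.get(attr, []) if v.strip()]:
            problems.append(f"missing or empty {attr}")
    sid = (entry.get("sambasid") or [""])[0]
    # A domain account SID is S-1-5-21-<3 domain sub-authorities>-<RID>.
    if sid and not re.fullmatch(r"S-1-5-21(-\d+){4}", sid):
        problems.append(f"sambaSID {sid!r} is not a domain account SID")
    return problems


def audit(ldif_text):
    """Map uid -> list of problems; an empty list means Samba can find the user."""
    report = {}
    for entry in parse_ldif(ldif_text):
        uid = (entry.get("uid") or ["<no uid>"])[0]
        report[uid] = check_samba_account(entry)
    return report


if __name__ == "__main__":
    for uid, problems in audit(SAMPLE_LDIF).items():
        print(f"{uid}: {'OK' if not problems else '; '.join(problems)}")
```

Run against a real dump (`ldapsearch -x -LLL -b "ou=Users,dc=example,dc=com" "(uid=*)" > users.ldif`, suffix assumed) the report separates entries that need `smbldap-useradd -a` from those already usable for SMB logon, and the SID check catches the other common creation failure, an entry with a sambaSID that does not belong to the domain's SID.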