All; I think I may have a clue about what's going wrong in my little environment here, but I could really use a more experienced eye on it. I've been having some strange authentication problems on a new install. With some digging, I may have a "clue" about what's going wrong.

Some background: I'm only looking to use samba to share Unix directories to the Windows community. I'm not looking to build a full up login server. This is usually a VERY basic, and simple thing to do. You simply have to be sure that the windows users also have a matching account on the *nix side (doesn't need to be an smbpasswd account, just a very generic *nix account). I've done this several times, so when it blew up on me this time, it has caused me some sleepless nights trying to figure out.

Here goes: In the last install I did (at another company), I did a very simple install, and it worked for what it was needed to do (simply provide the windows users with access to Unix directories, via shares). I didn't need a login controller, and I don't now. In that case, there was an LDAP server that validated Unix logins, but I pretty much just ignored it, and all was well. The *nix OS handled the authentication just fine (a very basic setup. For this kind of setup, the user only has to exist. The OS could check that very easily).

So, I was trying to do the same here. When nothing would work right without making samba specific users (via smbpasswd), I started digging into the LDAP server. This environment is tortured. Here's what I found.

On the Windows ADS, user IDs are pure numeric. So, for example, my Windows login is: 123456

Unix doesn't like that. So the unix logins are: u123456

Handling the translation for samba is just a usermap entry:

u123456 = 123456

Should be simple enough. But I'm getting No Such User errors. So I dug into the LDAP server. The user identification is strange. The dn: here looks like:

dn: username=u123456,ou=aixuser,cn=aixsecdb,cn=aixdata
uid: 1040
username: u123456
<snip>

with u123456 being my *nix login.

To me, this looks very wrong (not to mention that there's no dc=). My last LDAP server it looked like:

dn: uid=tibbetts,ou=People,dc=ldap-test,dc=com
uidNumber: 123456
uid: tibbetts
<snip>

with "tibbetts" being my login.

If I'm seeing this right, shouldn't the login be the "uid" not "username"? Is that what Samba is looking for? With the login being set to username, and uid being (what should be) the uidNumber, I believe that it's confusing Samba, and that's why I'm getting the user not found errors.

Is there a way to work around this? Or am I just SOL? Or am I all wet, and looking in the wrong place? I'd really appreciate a fresh set of eyes on this.

Thanks in advance for any advice on this one!!!

-Ric
paul kölle
2005-Sep-27 20:20 UTC
[Samba] Re: Authentication confusion - may be LDAP related
Ric Tibbetts wrote:
> dn: username=u123456,ou=aixuser,cn=aixsecdb,cn=aixdata
> uid: 1040
> username: u123456
> <snip>
>
> with u123456 being my *nix login.
>
> To me, this looks very wrong (not to mention that there's no dc=).

It looks wrong and the author surely has had no clue what cn means etc. Nevertheless, it should work.

> If I'm seeing this right, shouldn't the login be the "uid" not
> "username"? Is that what Samba is looking for?

You can set "ldap filter = (username=%u)" in smb.conf along with a suitable value for "ldap suffix". Check the users with "getent passwd" to test if they are visible to the system.
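As an added example (not part of either message in this thread), the script below walks the two steps that a share-only Samba setup like Ric's depends on: translating the numeric Windows login through a Samba "username map" file (syntax: unix name on the left, one or more Windows names on the right), and then confirming that the resulting Unix account is visible to the OS through NSS, which is the "getent passwd" check paul recommends. The map file contents are constructed for this example; the function names are my own, and the map parser deliberately handles only plain "unix = win ..." lines, not Samba's "!" or "@group" forms.

```shell
#!/bin/sh
# Added diagnostic example, not code from the thread or from Samba itself.
# Step 1: map the Windows login to a Unix login via a "username map" file.
# Step 2: check that the Unix login resolves through NSS (getent passwd),
#         which is the same lookup Samba relies on for a share-only setup.

MAPFILE="${MAPFILE:-$(mktemp)}"
trap 'rm -f "$MAPFILE"' EXIT

# Constructed sample map in Samba "username map" syntax:
#   <unix name> = <windows name> [<windows name> ...]
cat > "$MAPFILE" <<'EOF'
# numeric AD logins -> prefixed AIX/Unix logins (constructed sample data)
u123456 = 123456
u654321 = 654321 legacyname
EOF

# map_windows_user WINDOWS_NAME MAPFILE
# Prints the Unix login mapped to WINDOWS_NAME; prints nothing and
# returns 1 if no map line lists that Windows name.
map_windows_user() {
    win="$1"; map="$2"
    unix_name=$(awk -v win="$win" '
        /^[ \t]*(#|;|$)/    { next }   # skip comments and blank lines
        index($0, "=") == 0 { next }   # skip malformed lines
        {
            split($0, parts, "=")
            uname = parts[1]
            gsub(/^[ \t]+|[ \t]+$/, "", uname)
            n = split(parts[2], wins, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (wins[i] == win) { print uname; exit }
        }' "$map")
    [ -n "$unix_name" ] && printf '%s\n' "$unix_name"
}

# unix_user_exists NAME
# Succeeds only if NSS (local files, LDAP, whatever nsswitch.conf lists)
# can resolve NAME; this is exactly what "getent passwd NAME" reports.
unix_user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# check_login WINDOWS_NAME MAPFILE
# Prints one diagnostic line. Returns 0 when the mapped account resolves,
# 1 when it is mapped but invisible to the OS, 2 when it is not mapped.
check_login() {
    win="$1"; map="$2"
    unix_name=$(map_windows_user "$win" "$map") || {
        echo "$win: no username map entry"
        return 2
    }
    if unix_user_exists "$unix_name"; then
        echo "$win -> $unix_name: visible via getent passwd"
    else
        echo "$win -> $unix_name: NOT visible via getent passwd" \
             "(Samba would report no such user)"
        return 1
    fi
}

# Demonstration; "|| :" keeps a failed check from aborting the script.
check_login 123456 "$MAPFILE" || :
check_login 999999 "$MAPFILE" || :
```

If the mapped name is not visible here, the problem lies in NSS (for the LDAP case, the attribute that nsswitch/LDAP client maps to the login name), not in Samba's map file, and no smbpasswd workaround will change that; only once "getent passwd u123456" succeeds is it worth looking at the "ldap filter" and "ldap suffix" settings paul mentions.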