Webmaster / Andrei Iordache
2006-May-21 02:16 UTC
[Samba] ldapsam:trusted = yes : trouble getting it to work
I have been trying for a while now to set the parameter "ldapsam:trusted" to "yes" in smb.conf, but as soon as I enable it, users cannot access shares anymore. I am trying to enable this because the users are members of a lot of groups and I want to take the stress off the LDAP server. I have searched the lists for previous posts with the same problem and tried to figure out whether it has been answered already. It seems that people had similar problems, but even with that information I don't seem to get a hold of it.

The shares are set up as in this example:

[root@fc4 shares]# pwd
/home/samba/shares
[root@fc4 shares]# ls -la
...
drwxrwx--- 2 nobody consultanta 4096 May 20 04:55 consultanta
...

So a user has to be in the "consultanta" group to access the share. In smb.conf I have:

ldap admin dn = "cn=DomainAdmin,dc=kapitalgrup,dc=ro"
ldap ssl = off
passdb backend = ldapsam:ldap://127.0.0.1
ldap delete dn = no
ldap suffix = dc=kapitalgrup,dc=ro
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap passwd sync = Yes
ldapsam:trusted = yes
ldap ssl = No
...

[consultanta]
comment = Echipa de Consultanta
path = /home/samba/shares/consultanta
writeable = Yes
valid users = +consultanta
force user = nobody
force group = consultanta
create mask = 0771
directory mask = 0770
default case = lower
preserve case = No
short preserve case = No
map archive = Yes
map hidden = Yes
map system = Yes

In LDAP the entries are as in this example:

dn: uid=andrei.iordache,ou=people,dc=kapitalgrup,dc=ro
accountStatus: active
cn: Andrei Iordache
gidNumber: 100
givenName: Andrei
loginShell: /bin/bash
mail: andrei.iordache@dom1
mail: andrei.iordache@dom2
mail: andrei@dom1
mail: andrei@dom2
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: qmailUser
objectClass: sambaSamAccount
qmailGID: 100
qmailUID: 1005
sambaAcctFlags: [U ]
sambaLMPassword: AC3B233F668007D8AAD3B435B51404EE
sambaNTPassword: 64E9DFEC4AEB99D85474C4CC4D1BA326
sambaPasswordHistory: 000000000000000000000000000000000000000000000000000000
 0000000000
sambaPrimaryGroupSID: S-1-5-21-1777914830-570136335-1763571043-513
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-1777914830-570136335-1763571043-3010
shadowExpire: -1
shadowFlag: 0
shadowInactive: -1
shadowMax: 999999
shadowMin: -1
shadowWarning: 7
sn: Iordache
uidNumber: 1005
sambaPwdCanChange: 1147436629
sambaPwdLastSet: 1147436629
userPassword: {crypt}$1$E5cL0mtc$pCQcAFjCRamoomGB20C2R/
shadowLastChange: 13280
displayName: Andrei Iordache
homeDirectory: /home/andrei.iordache
mailMessageStore: /home/andrei.iordache/Maildir/
uid: andrei.iordache

dn: cn=users,ou=groups,dc=kapitalgrup,dc=ro
cn: users
description: Local Unix group
displayName: Domain Users
gidNumber: 100
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-1777914830-570136335-1763571043-513

dn: cn=consultanta,ou=groups,dc=kapitalgrup,dc=ro
objectClass: top
objectClass: posixGroup
cn: consultanta
gidNumber: 1007
memberUid: andrei.iordache
memberUid: other.members
...

I can list the shares on the server after I type in the correct user name and password, but I cannot access this one. I can access the home dir and the public shares.

I see this at some point in the smbd.log (log level = 10):

[2006/05/20 05:06:05, 5] smbd/service.c:make_connection(807)
  making a connection to 'normal' service consultanta
[2006/05/20 05:06:05, 3] lib/access.c:check_access(313)
  check_access: no hostnames in host allow/deny list.
[2006/05/20 05:06:05, 2] lib/access.c:check_access(324)
  Allowed connection from (192.168.1.33)
[2006/05/20 05:06:05, 10] lib/username.c:user_in_list(529)
  user_in_list: checking user andrei.iordache in list
[2006/05/20 05:06:05, 10] lib/username.c:user_in_list(533)
  user_in_list: checking user |andrei.iordache| against |+consultanta|
[2006/05/20 05:06:05, 2] smbd/service.c:make_connection_snum(321)
  user 'andrei.iordache' (from session setup) not permitted to access this share (consultanta)
[2006/05/20 05:06:05, 3] smbd/error.c:error_packet(129)
  error packet at smbd/reply.c(415) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

In the LDAP logs I see this when I try to access the share:

May 20 05:17:27 fc4 slapd[1524]: conn=90 op=8 SRCH base="dc=kapitalgrup,dc=ro" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=consultanta))"
May 20 05:17:27 fc4 slapd[1524]: conn=90 op=8 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
May 20 05:17:27 fc4 slapd[1524]: conn=90 op=8 ENTRY dn="cn=consultanta,ou=groups,dc=kapitalgrup,dc=ro"
May 20 05:17:27 fc4 slapd[1524]: conn=90 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text

If I run a manual search on the LDAP server with the same filter "(&(objectClass=posixGroup)(cn=consultanta))" and request the same attributes (cn userPassword memberUid uniqueMember gidNumber), I get:

[root@fc4 ~]# ldapsearch -LLL -x "(&(objectClass=posixGroup)(cn=consultanta))" cn userPassword memberUid uniqueMember gidNumber
dn: cn=consultanta,ou=groups,dc=kapitalgrup,dc=ro
cn: consultanta
gidNumber: 1007
memberUid: andrei.iordache
memberUid: other.members
...

I have the users "nobody" and "root" in the LDAP. They are duplicates of those in /etc/passwd.

ALL WORKS WELL WITH ldapsam:trusted = NO.

I have been using Samba for years now and I am pretty familiar with it. I never needed assistance before, but now I'm pretty stuck and I have been trying to fix this for a while. Does anybody see what I'm missing?

Thanks much in advance.
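The first thing a practitioner would check in a situation like this is whether the group Samba is asked to resolve is described completely in LDAP. With ldapsam:trusted = yes, smb.conf(5) has Samba read user and group data straight from the directory instead of going through NSS, and the group entries it works with carry the sambaGroupMapping objectClass and a sambaSID (in the entries quoted above, cn=users has both and cn=consultanta has neither). The script below is an added example, not Samba code and not from this thread: it parses LDIF (a constructed sample assembled from the entries quoted above), flags posixGroup entries under the group suffix that lack those attributes, and checks whether a uid satisfies a "valid users = +group" rule. The function names, and the approximation of Samba's group test as "memberUid or primary gidNumber", are this example's own assumptions.

```python
"""Hypothetical consistency audit for Samba groups under ldapsam:trusted = yes.
Not part of Samba. Flags posixGroup entries that lack sambaGroupMapping/sambaSID
and checks whether a user would satisfy a 'valid users = +group' rule.
"""
from collections import defaultdict

# Constructed sample: a cut-down copy of the entries quoted in the post above.
SAMPLE_LDIF = """\
dn: uid=andrei.iordache,ou=people,dc=kapitalgrup,dc=ro
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: andrei.iordache
gidNumber: 100
sambaSID: S-1-5-21-1777914830-570136335-1763571043-3010
sambaPrimaryGroupSID: S-1-5-21-1777914830-570136335-1763571043-513

dn: cn=users,ou=groups,dc=kapitalgrup,dc=ro
cn: users
gidNumber: 100
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-1777914830-570136335-1763571043-513

dn: cn=consultanta,ou=groups,dc=kapitalgrup,dc=ro
objectClass: top
objectClass: posixGroup
cn: consultanta
gidNumber: 1007
memberUid: andrei.iordache
memberUid: other.members
"""

# Attributes Samba reads directly from a group entry in trusted mode (per smb.conf(5)).
REQUIRED_GROUP_CLASSES = {"posixGroup", "sambaGroupMapping"}


def parse_ldif(text):
    """Parse LDIF text into {dn: {attribute: [values]}}, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folds long values onto ' '-prefixed lines
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries[current["dn"][0]] = current
            current = None
            continue
        attr, _, value = line.partition(":")
        if attr == "dn":
            current = defaultdict(list)
        if current is not None:
            current[attr].append(value.strip())
    return entries


def audit_groups(entries, group_suffix="ou=groups"):
    """Return {cn: [problems]} for every posixGroup under group_suffix; [] means OK."""
    report = {}
    for dn, attrs in entries.items():
        classes = set(attrs.get("objectClass", []))
        if "posixGroup" not in classes or group_suffix not in dn:
            continue
        problems = []
        missing = REQUIRED_GROUP_CLASSES - classes
        if missing:
            problems.append("missing objectClass " + ", ".join(sorted(missing)))
        if not attrs.get("sambaSID"):
            problems.append("no sambaSID, so the group cannot be mapped to a SID")
        if not attrs.get("gidNumber"):
            problems.append("no gidNumber")
        report[attrs["cn"][0]] = problems
    return report


def user_in_group(entries, uid, group_cn):
    """Approximation (assumption) of what '+group' in valid users needs: the uid is a
    memberUid of the group, or the group's gidNumber is the user's primary gid."""
    group = next((a for a in entries.values() if a.get("cn") == [group_cn]
                  and "posixGroup" in a.get("objectClass", [])), None)
    user = next((a for a in entries.values() if a.get("uid") == [uid]
                 and "posixAccount" in a.get("objectClass", [])), None)
    if group is None or user is None:
        return False
    if uid in group.get("memberUid", []):
        return True
    return user.get("gidNumber") == group.get("gidNumber")


if __name__ == "__main__":
    ldap = parse_ldif(SAMPLE_LDIF)
    for cn, problems in audit_groups(ldap).items():
        print(f"{cn}: {'OK' if not problems else '; '.join(problems)}")
    print("andrei.iordache in consultanta:",
          user_in_group(ldap, "andrei.iordache", "consultanta"))
```

Run against a real directory, the LDIF would come from the same ldapsearch shown above without the attribute list (so that objectClass and sambaSID are returned); the audit then separates "the user is not in the group" from "the group is not one Samba can map in trusted mode", which the smbd log line "not permitted to access this share" does not distinguish by itself.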
Newbie here... wanting to implement and test Samba (current version, 3.0.22) as a PDC on an LDAP backend. I'm looking for a good how-to. I've already looked at Ignacio Coupeau, CTI, University of Navarra and the IDEALX stuff and find them wanting. (Three passes attempting to make the IDEALX stuff work were a bust... but perhaps that just says more about my skills than IDEALX's how-to...) "The Official Samba-3" Howto book is even lighter. I'd prefer a pretty step-by-step how-to, that doesn't assume I know much at all. All are confusing to me. Perhaps I'm just too lazy, but I don't think that's all...

Is there a native English speaker who has done a recent and comprehensive how-to? Is there one somewhere on the Samba site I'm not aware of? If one doesn't exist, I'd be glad to assist in doing one. I'd like a tech guru to review it and make suggestions so I don't produce a piece of crap that's useless to anyone else. Again, I'd prefer a pretty step-by-step how-to, that doesn't assume I know much at all. That's also the target output I'll use to create my how-to, should it be a useful thing to others.

----

One further question. Is FC5 a decent platform to do this on, or is there something better, like say CentOS? The eventual target environment is mainly small business (<100 users) work-group servers.

TIA,
Greg