Webmaster / Andrei Iordache
2006-May-21 02:16 UTC
[Samba] ldapsam:trusted = yes : trouble getting it to work
I have been trying for a while now to set the parameter "ldapsam:trusted"
to "yes" in smb.conf but as soon as I enable it, users cannot access shares
anymore. I am trying to enable this because the users are members of a lot of
groups and I want to take the stress off the ldap server. I have searched the
lists for previous posts with the same problem and I tried to figure out if it
has been answered already. It seems that people had similar problems but even
with that information I don't seem to get a hold of it.
The shares are set up as this example:
[root@fc4 shares]# pwd
/home/samba/shares
[root@fc4 shares]# ls -la
...
drwxrwx--- 2 nobody consultanta 4096 May 20 04:55 consultanta
...
So a user has to be in the "consultanta" group to access the share.
In smb.conf I have:
ldap admin dn = "cn=DomainAdmin,dc=kapitalgrup,dc=ro"
ldap ssl = off
passdb backend = ldapsam:ldap://127.0.0.1
ldap delete dn = no
ldap suffix = dc=kapitalgrup,dc=ro
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap passwd sync = Yes
ldapsam:trusted = yes
ldap ssl = No
...
[consultanta]
comment = Echipa de Consultanta
path = /home/samba/shares/consultanta
writeable = Yes
valid users = +consultanta
force user = nobody
force group = consultanta
create mask = 0771
directory mask = 0770
default case = lower
preserve case = No
short preserve case = No
map archive = Yes
map hidden = Yes
map system = Yes
In ldap the entries are as this example:
dn: uid=andrei.iordache,ou=people,dc=kapitalgrup,dc=ro
accountStatus: active
cn: Andrei Iordache
gidNumber: 100
givenName: Andrei
loginShell: /bin/bash
mail: andrei.iordache@dom1
mail: andrei.iordache@dom2
mail: andrei@dom1
mail: andrei@dom2
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: qmailUser
objectClass: sambaSamAccount
qmailGID: 100
qmailUID: 1005
sambaAcctFlags: [U ]
sambaLMPassword: AC3B233F668007D8AAD3B435B51404EE
sambaNTPassword: 64E9DFEC4AEB99D85474C4CC4D1BA326
sambaPasswordHistory: 000000000000000000000000000000000000000000000000000000
0000000000
sambaPrimaryGroupSID: S-1-5-21-1777914830-570136335-1763571043-513
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-1777914830-570136335-1763571043-3010
shadowExpire: -1
shadowFlag: 0
shadowInactive: -1
shadowMax: 999999
shadowMin: -1
shadowWarning: 7
sn: Iordache
uidNumber: 1005
sambaPwdCanChange: 1147436629
sambaPwdLastSet: 1147436629
userPassword: {crypt}$1$E5cL0mtc$pCQcAFjCRamoomGB20C2R/
shadowLastChange: 13280
displayName: Andrei Iordache
homeDirectory: /home/andrei.iordache
mailMessageStore: /home/andrei.iordache/Maildir/
uid: andrei.iordache
dn: cn=users,ou=groups,dc=kapitalgrup,dc=ro
cn: users
description: Local Unix group
displayName: Domain Users
gidNumber: 100
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-1777914830-570136335-1763571043-513
dn: cn=consultanta,ou=groups,dc=kapitalgrup,dc=ro
objectClass: top
objectClass: posixGroup
cn: consultanta
gidNumber: 1007
memberUid: andrei.iordache
memberUid: other.members
...
I can list the shares on the server after I type in the correct user name and
password. But I cannot access this one. I can access the home dir and the public
shares. I see this at some point in the smbd.log (log level = 10)
[2006/05/20 05:06:05, 5] smbd/service.c:make_connection(807)
making a connection to 'normal' service consultanta
[2006/05/20 05:06:05, 3] lib/access.c:check_access(313)
check_access: no hostnames in host allow/deny list.
[2006/05/20 05:06:05, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.1.33)
[2006/05/20 05:06:05, 10] lib/username.c:user_in_list(529)
user_in_list: checking user andrei.iordache in list
[2006/05/20 05:06:05, 10] lib/username.c:user_in_list(533)
user_in_list: checking user |andrei.iordache| against |+consultanta|
[2006/05/20 05:06:05, 2] smbd/service.c:make_connection_snum(321)
user 'andrei.iordache' (from session setup) not permitted to access
this share (consultanta)
[2006/05/20 05:06:05, 3] smbd/error.c:error_packet(129)
error packet at smbd/reply.c(415) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
In the ldap logs I see this when I try to access the share:
May 20 05:17:27 fc4 slapd[1524]: conn=90 op=8 SRCH
base="dc=kapitalgrup,dc=ro" scope=2 deref=0
filter="(&(objectClass=posixGroup)(cn=consultanta))"
May 20 05:17:27 fc4 slapd[1524]: conn=90 op=8 SRCH attr=cn userPassword
memberUid uniqueMember gidNumber
May 20 05:17:27 fc4 slapd[1524]: conn=90 op=8 ENTRY
dn="cn=consultanta,ou=groups,dc=kapitalgrup,dc=ro"
May 20 05:17:27 fc4 slapd[1524]: conn=90 op=8 SEARCH RESULT tag=101 err=0
nentries=1 text
If I run a manual search on the ldap server with the same filter
"(&(objectClass=posixGroup)(cn=consultanta))" and request the
same attributes: cn userPassword memberUid uniqueMember gidNumber, I get:
[root@fc4 ~]# ldapsearch -LLL -x
"(&(objectClass=posixGroup)(cn=consultanta))" cn userPassword
memberUid uniqueMember gidNumber
dn: cn=consultanta,ou=groups,dc=kapitalgrup,dc=ro
cn: consultanta
gidNumber: 1007
memberUid: andrei.iordache
memberUid: other.members
...
I have the users "nobody" and "root" in the ldap. They are duplicates of those
in /etc/passwd. ALL WORKS WELL WITH ldapsam:trusted = NO. I have been using
Samba for years now and I am pretty familiar with it. I never needed assistance
before but now I'm pretty stuck and I have been trying to fix this for a while.
Does anybody see what I'm missing? Thanks much in advance.
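With ldapsam:trusted = yes, Samba resolves users and groups from the LDAP directory itself instead of going through NSS, so what the LDAP entries contain matters more than what getent shows. The script below is an added example (not from the post above, and not Samba's own code): it parses LDIF in the shape of the entries quoted above, emulates the "valid users = +group" membership test (memberUid or the user's primary gidNumber), and reports which posixGroup entries lack the sambaGroupMapping objectClass and a sambaSID. The LDIF is constructed for the example, and the assumption that Samba's own LDAP group lookup relies on such a mapping is the reason the unmapped-group report is included; it is a diagnostic to run before the real directory, not a statement about what the poster's server does.

```python
"""Offline checker for Samba-style group membership in LDIF data (added example)."""
from collections import defaultdict

# Constructed LDIF modelled on the entries quoted in the post; not a real export.
# The sambaPasswordHistory value spans an LDIF continuation line (leading space).
SAMPLE_LDIF = """\
dn: uid=andrei.iordache,ou=people,dc=example,dc=test
objectClass: posixAccount
objectClass: sambaSamAccount
uid: andrei.iordache
uidNumber: 1005
gidNumber: 100
sambaSID: S-1-5-21-0-0-0-3010
sambaPasswordHistory: 00000000000000000000000000000000
 0000000000

dn: cn=users,ou=groups,dc=example,dc=test
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: users
gidNumber: 100
sambaSID: S-1-5-21-0-0-0-513
sambaGroupType: 2

dn: cn=consultanta,ou=groups,dc=example,dc=test
objectClass: posixGroup
cn: consultanta
gidNumber: 1007
memberUid: andrei.iordache
memberUid: other.member
"""


def parse_ldif(text):
    """Return a list of entries, each a dict mapping attribute -> list of values.

    Handles multi-valued attributes and continuation lines (a line beginning
    with one space extends the previous value). Base64 ('::') values are not
    decoded; they are kept as the raw text after the colon.
    """
    entries, current, last_attr = [], None, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += line[1:]      # continuation of previous value
            continue
        if not line.strip():                        # blank line ends an entry
            if current:
                entries.append(dict(current))
            current, last_attr = None, None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        current[attr].append(value.strip())
        last_attr = attr
    if current:
        entries.append(dict(current))
    return entries


def find_group(entries, name):
    """Return the posixGroup entry whose cn is `name`, or None."""
    for e in entries:
        if "posixGroup" in e.get("objectClass", []) and name in e.get("cn", []):
            return e
    return None


def user_in_group(entries, username, groupname):
    """Emulate 'valid users = +groupname': the uid is listed in memberUid,
    or the group's gidNumber equals the user's primary gidNumber."""
    group = find_group(entries, groupname)
    if group is None:
        return False
    if username in group.get("memberUid", []):
        return True
    for e in entries:
        if username in e.get("uid", []) and e.get("gidNumber") == group.get("gidNumber"):
            return True
    return False


def group_is_samba_mapped(entries, groupname):
    """True if the group carries objectClass sambaGroupMapping and a sambaSID."""
    group = find_group(entries, groupname)
    if group is None:
        return False
    return "sambaGroupMapping" in group.get("objectClass", []) and bool(group.get("sambaSID"))


def unmapped_groups(entries):
    """Names of posixGroup entries that have no Samba group mapping."""
    return sorted(
        e["cn"][0] for e in entries
        if "posixGroup" in e.get("objectClass", [])
        and not group_is_samba_mapped(entries, e["cn"][0])
    )


if __name__ == "__main__":
    data = parse_ldif(SAMPLE_LDIF)
    for grp in ("users", "consultanta"):
        print(f"{grp}: member={user_in_group(data, 'andrei.iordache', grp)} "
              f"mapped={group_is_samba_mapped(data, grp)}")
    print("groups without sambaGroupMapping:", unmapped_groups(data))
```

Run it against an `ldapsearch -LLL -x` dump of ou=groups and ou=people instead of the constructed sample to see, for each share's "valid users = +group", whether the user is a member by memberUid or primary gid and whether that group is mapped at all.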
Newbie here...wanting to implement and test Samba (current version, 3.0.22) as a PDC on LDAP backend. I'm looking for a good how to. I've already looked at Ignacio Coupeau, CTI, University of Navarra and the IDEALX stuff and find them wanting. (Three passes attempting to make the IDEALX stuff work were a bust...but perhaps that just says more about my skills than IDEALX's how to...) "The Official Samba-3" Howto book is even lighter. I'd prefer a pretty step-by-step how-to, that doesn't assume I know much at all. All are confusing to me. Perhaps I'm just too lazy, but I don't think that's all... Is there a native english speaker who has done a recent and comprehensive how to? Is there one somewhere on the Samba site I'm not aware of? If one doesn't exist, I'd be glad to assist in doing one. I'd like a tech guru to review it and make suggestions so I don't produce a piece of crap that's useless to anyone else. Again, I'd prefer a pretty step-by-step how-to, that doesn't assume I know much at all. That's also the target output I'll use to create my how-to, should it be a useful thing to others. ---- One further question. Is FC5 a decent platform to do this on, or is there something better, like say CentOS? The eventual target environment is mainly small business (<100 users) work-group servers. TIA, Greg