I have an fc5 system running samba-3.0.22-1.fc5 and smbldap-tools-0.9.2-2.fc5. This server acts as my PDC (netbios name HOME) and a server for /home directories. I use ldapsam with openldap to store all account info. I noticed while troubleshooting something else that if I try to browse to the home directory of a system account, such as "ldap" at \\HOME\ldap -- I am presented with a username/password dialogue, even though the user "ldap" only exists in the system's /etc/passwd file and is not in my openldap directory.

It seems as though I should get a "not found" message rather than confirmation that this account exists on the system. Why is Samba also looking for users in the /etc/passwd file if I have specified that I want to use ldapsam? How do I stop this behavior?

Any help or direction would be appreciated. My smb.conf and smbusers file are below:

### /etc/samba/smb.conf ###
[global]
workgroup = example.com
netbios name = home
server string = Samba Domain Server
hosts allow = 127.0.0.1 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
hosts deny = 0.0.0.0/0
interfaces = lo eth0
bind interfaces only = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

printcap name = /etc/printcap
load printers = no
printing = cups
cups options = raw

guest account = nobody

log file = /var/log/samba/samba.log
max log size = 1024
log level = 1
security = user
lanman auth = no
client ntlmv2 auth = yes
enable privileges = yes

ldap passwd sync = no
ldap admin dn = "uid=sambaroot,ou=People,dc=example,dc=com"
passdb backend = ldapsam:ldap://127.0.0.1
ldap ssl = off
ldap delete dn = yes
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap,dc=example,dc=com
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

encrypt passwords = yes
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

username map = /etc/samba/smbusers

local master = yes
os level = 33
domain master = yes
preferred master = yes
domain logons = yes

logon script = %U.bat
logon drive = H:
logon home = \\%L\%U

name resolve order = wins lmhosts bcast
wins support = yes
wins proxy = no
dns proxy = no

preserve case = yes

nt acl support = yes

template shell = /bin/false
winbind use default domain = no

[homes]
comment = Home Directory for %U
csc policy = disable
browseable = no
writable = yes
valid users = %S
hide files = /Desktop.ini/desktop.ini/RECYCLER/Thumbs.db/

[netlogon]
comment = Network Logon Service
path = /etc/samba/netlogon
guest ok = yes
writable = no
browseable = no
share modes = no

### /etc/samba/smbusers ###
#(all users are commented out)
#root = administrator admin
#nobody = guest

--
Anthony
http://messinet.com
http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
Because Samba in your setup probably relies on NSS, which has files, ldap settings?!?!

You could try to use "ldapsam:trusted (G)" or invalid users = root, ldap, ...

greez

Anthony Messina wrote:
> I have an fc5 system running samba-3.0.22-1.fc5 and smbldap-tools-0.9.2-2.fc5.
> This server acts as my PDC (netbios name HOME) and a server for /home
> directories. I use ldapsam with openldap to store all account info. I noticed
> while troubleshooting something else that if I try to browse to the home
> directory of a system account, such as "ldap" at \\HOME\ldap -- I am presented
> with a username/password dialogue, even though the user "ldap" only exists in
> the system's /etc/passwd file and is not in my openldap directory.
>
> It seems as though I should get a "not found" message rather than confirmation
> that this account exists on the system. Why is Samba also looking for users in
> the /etc/passwd file if I have specified that I want to use ldapsam? How do I
> stop this behavior?
>
> Any help or direction would be appreciated. My smb.conf and smbusers file are
> below:
>
> [...]

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
       49 (0)341 - 3550 374
Fax:   49 (0)341 - 3550 399
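The suggestion above rests on the distinction between the two account sources: Samba resolves the [homes] share name through the C library's NSS passwd lookup (which, with "passwd: files ldap" in nsswitch.conf, consults /etc/passwd as well as the directory), while the passdb backend only decides which of those accounts can authenticate. The script below is an added example, not code from the thread or from the Samba project; it takes "getent passwd"-style and "pdbedit -L"-style text (constructed samples here), lists every NSS account that has no passdb entry, and emits the "invalid users" line that keeps those accounts out of [homes]. Note the caveat a practitioner should expect: "invalid users" is a share-level check applied when a client connects to the share, after the SMB session has already been authenticated, so it removes the share for those names without removing the credential prompt itself.

```shell
#!/bin/sh
# Added example: list accounts that NSS knows but the Samba passdb does not,
# and emit an "invalid users" line for the [homes] share.
# Both samples below are constructed for this example, not the poster's data.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
nobody:x:99:99:Nobody:/:/sbin/nologin
amessina:x:16777216:16777216:Anthony:/home/amessina:/bin/bash'

# pdbedit -L prints one "username:uid:full name" line per passdb account.
SAMPLE_PASSDB='amessina:16777216:Anthony'

# Print, one per line, every NSS account that has no passdb entry.
#   $1: passwd-format text (e.g. the output of `getent passwd`)
#   $2: `pdbedit -L` output
local_only_users() {
    pw_tmp=$(mktemp) || return 1
    pdb_tmp=$(mktemp) || { rm -f "$pw_tmp"; return 1; }
    printf '%s\n' "$1" > "$pw_tmp"
    printf '%s\n' "$2" > "$pdb_tmp"
    # First file fills in_pdb[]; second file prints names not seen there,
    # preserving /etc/passwd order.
    awk -F: 'NR == FNR { if ($1 != "") in_pdb[$1] = 1; next }
             $1 != "" && !($1 in in_pdb) { print $1 }' "$pdb_tmp" "$pw_tmp"
    rm -f "$pw_tmp" "$pdb_tmp"
}

# Build the smb.conf line that keeps those accounts out of [homes].
invalid_users_line() {
    names=$(local_only_users "$1" "$2" | paste -s -d ',' - | sed 's/,/, /g')
    printf 'invalid users = %s\n' "$names"
}

# Stand-alone run against the samples. On a live server replace them with:
#   invalid_users_line "$(getent passwd)" "$(pdbedit -L)"
invalid_users_line "$SAMPLE_PASSWD" "$SAMPLE_PASSDB"
```

Put the generated line inside the [homes] stanza rather than [global] so it only affects the home shares; re-run it whenever system accounts are added, since a new entry in /etc/passwd is otherwise exposed as a share name automatically.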
Michael Gasch wrote:
> Because Samba in your setup probably relies on NSS, which has files, ldap
> settings?!?!
>
> You could try to use "ldapsam:trusted (G)" or invalid users = root, ldap, ...
>
> greez
>
> Anthony Messina wrote:
>> I have an fc5 system running samba-3.0.22-1.fc5 and smbldap-tools-0.9.2-2.fc5.
>> This server acts as my PDC (netbios name HOME) and a server for /home
>> directories. I use ldapsam with openldap to store all account info. I noticed
>> while troubleshooting something else that if I try to browse to the home
>> directory of a system account, such as "ldap" at \\HOME\ldap -- I am
>> presented with a username/password dialogue, even though the user "ldap" only
>> exists in the system's /etc/passwd file and is not in my openldap directory.
>>
>> It seems as though I should get a "not found" message rather than
>> confirmation that this account exists on the system. Why is Samba also
>> looking for users in the /etc/passwd file if I have specified that I want to
>> use ldapsam? How do I stop this behavior?
>>
>> Any help or direction would be appreciated. My smb.conf and smbusers file are
>> below:
>>
>> [...]

OK, I have my PDC and BDC working with ldapsam:trusted = yes, and the same issue occurs. I then added invalid users = root, ldap, ... and it continues to occur. What am I missing? Samba wants to hand out home directories for any user in /etc/passwd even with invalid users and ldapsam:trusted set.

--
Anthony
http://messinet.com
http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E