Manuel Graumann
2006-Oct-24 07:39 UTC
[Samba] Samba 3.0.22-11 as PDC with openLDAP 2.3.19 => Problem with Shares
Hi there!

To set up a Samba PDC with openLDAP on my openSUSE 10.1 x86_64 I followed this howto:
http://en.opensuse.org/Howto_setup_SUSE_10.1_as_Samba_PDC

Every service seems to be running now, but now I'm stuck. I was able to join a clean Windows XP Pro test machine to my domain and I'm able to log on as a normal LDAP user. The home share is mounted and even a login script (actually just the DOS command "PAUSE") works fine.

Now I try to create shares on the PDC, but it doesn't seem to work to allow LDAP groups access to shares.

[web]
    comment = Intranet
    path = /data/srv/www
    create mask = 0600
    directory mask = 0700
    browseable = Yes
    guest ok = No
    force user = root
    valid users = "Web Admins"
    admin users = "Domain Admins"
    read only = No

The user trying to access this share is a member of both groups, "Web Admins" and "Domain Admins". When accessing the share, Windows keeps prompting for account credentials in an infinite loop. The log (Samba logs with level 256) does not state anything.

Changing the share to:

[web]
    comment = Intranet
    path = /data/srv/www
    create mask = 0600
    directory mask = 0700
    browseable = Yes
    guest ok = No
    force user = root
    valid users = @"Web Admins"
    admin users = @"Domain Admins"
    read only = No

This makes Windows hang for quite a long time when trying to access the share. Finally I get a dialog box indicating that I was denied access and the share would no longer be available.

Log states:

Oct 24 09:24:12 infra slapd[3012]: conn=133 op=8 SRCH base="dc=MYDOM,dc=TLD" scope=2 deref=0 filter="(&(objectClass=nisNetgroup)(cn=web admins))"
Oct 24 09:24:12 infra slapd[3012]: conn=133 op=8 SRCH attr=cn nisNetgroupTriple memberNisNetgroup
Oct 24 09:24:12 infra slapd[3012]: conn=133 op=8 SEARCH RESULT tag=101 err=0 nentries=0 text
Oct 24 09:24:12 infra slapd[3012]: conn=133 op=9 SRCH base="dc=MYDOM,dc=TLD" scope=2 deref=0 filter="(&(objectClass=nisNetgroup)(cn=web admins))"
Oct 24 09:24:12 infra slapd[3012]: conn=133 op=9 SRCH attr=cn nisNetgroupTriple memberNisNetgroup
Oct 24 09:24:12 infra slapd[3012]: conn=133 op=9 SEARCH RESULT tag=101 err=0 nentries=0 text
Oct 24 09:25:20 infra slapd[3012]: conn=135 fd=93 ACCEPT from IP=127.0.0.1:47205 (IP=0.0.0.0:389)
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=0 BIND dn="cn=Manager,dc=MYDOM,dc=TLD" method=128
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=0 BIND dn="cn=Manager,dc=MYDOM,dc=TLD" mech=SIMPLE ssf=0
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=0 RESULT tag=97 err=0 text
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=1 SRCH attr=supportedControl
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=2 SRCH base="dc=MYDOM,dc=TLD" scope=2 deref=0 filter="(&(uid=MYUSER)(objectClass=sambaSamAccount))"
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text
Oct 24 09:25:20 infra slapd[3012]: conn=136 fd=94 ACCEPT from IP=127.0.0.1:47206 (IP=0.0.0.0:389)
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=0 BIND dn="" method=128
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=0 RESULT tag=97 err=0 text
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=1 SRCH base="ou=Users,dc=MYDOM,dc=TLD" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=MYUSER))"
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=2 SRCH base="ou=Groups,dc=MYDOM,dc=TLD" scope=1 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=MYUSER)(uniqueMember=uid=MYUSER,ou=users,dc=MYDOM,dc=TLD)))"
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=2 SRCH attr=gidNumber
Oct 24 09:25:20 infra slapd[3012]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=2 SEARCH RESULT tag=101 err=0 nentries=3 text
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=3 SRCH base="ou=Groups,dc=MYDOM,dc=TLD" scope=1 deref=0 filter="(&(objectClass=posixGroup)(uniqueMember=cn=domain admins,ou=groups,dc=MYDOM,dc=TLD))"
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=3 SRCH attr=gidNumber
Oct 24 09:25:20 infra slapd[3012]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=4 SRCH base="ou=Groups,dc=MYDOM,dc=TLD" scope=1 deref=0 filter="(&(objectClass=posixGroup)(uniqueMember=cn=domain users,ou=groups,dc=MYDOM,dc=TLD))"
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=4 SRCH attr=gidNumber
Oct 24 09:25:20 infra slapd[3012]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=5 SRCH base="ou=Groups,dc=MYDOM,dc=TLD" scope=1 deref=0 filter="(&(objectClass=posixGroup)(uniqueMember=cn=web admins,ou=groups,dc=MYDOM,dc=TLD))"
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=5 SRCH attr=gidNumber
Oct 24 09:25:20 infra slapd[3012]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=5 SEARCH RESULT tag=101 err=0 nentries=0 text
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=6 SRCH base="ou=Groups,dc=MYDOM,dc=TLD" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=512))"
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=6 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=7 SRCH base="ou=Groups,dc=MYDOM,dc=TLD" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=7134))"
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=7 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=3 SRCH base="ou=Groups,dc=MYDOM,dc=TLD" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=513))"
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=3 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=4 SRCH base="ou=Groups,dc=MYDOM,dc=TLD" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=512))"
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=4 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=5 SRCH base="ou=Groups,dc=MYDOM,dc=TLD" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=7134))"
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=5 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Oct 24 09:25:20 infra slapd[3012]: conn=135 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text
Oct 24 09:25:20 infra slapd[3012]: conn=137 fd=95 ACCEPT from IP=127.0.0.1:47207 (IP=0.0.0.0:389)
Oct 24 09:25:20 infra slapd[3012]: conn=137 op=0 BIND dn="" method=128
Oct 24 09:25:20 infra slapd[3012]: conn=137 op=0 RESULT tag=97 err=0 text
Oct 24 09:25:20 infra slapd[3012]: conn=137 op=1 SRCH base="ou=Users,dc=MYDOM,dc=TLD" scope=2 deref=0 filter="(uid=MYUSER)"
Oct 24 09:25:20 infra slapd[3012]: conn=137 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text
Oct 24 09:25:20 infra slapd[3012]: conn=137 op=2 UNBIND
Oct 24 09:25:20 infra slapd[3012]: conn=137 fd=95 closed
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=8 SRCH base="dc=MYDOM,dc=TLD" scope=2 deref=0 filter="(&(objectClass=nisNetgroup)(cn=web admins))"
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=8 SRCH attr=cn nisNetgroupTriple memberNisNetgroup
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=8 SEARCH RESULT tag=101 err=0 nentries=0 text
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=9 SRCH base="dc=MYDOM,dc=TLD" scope=2 deref=0 filter="(&(objectClass=nisNetgroup)(cn=web admins))"
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=9 SRCH attr=cn nisNetgroupTriple memberNisNetgroup
Oct 24 09:25:20 infra slapd[3012]: conn=136 op=9 SEARCH RESULT tag=101 err=0 nentries=0 text

(I changed the username and domain name entries in this log)

Changing the share to:

[web]
    comment = Intranet
    path = /data/srv/www
    create mask = 0600
    directory mask = 0700
    browseable = Yes
    guest ok = No
    force user = root
    valid users = +"Web Admins"
    admin users = +"Domain Admins"
    read only = No

This is leading to the same behaviour in Windows. I don't see the error.
Any ideas?

I was looking for a kind of tutorial for using Samba along with LDAP but didn't find a thing covering the issues I'm looking for. I'm searching for advice on managing accounts, groups, printers, rights, logon times and allowed workstations, standard profiles, logon scripts, policies for Windows workstations and so on. Would be great if anybody could help me with a link here ;)

Thank you in advance for your kind help!

Regards
Manuel
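
Added example, not part of the original post: a Python sketch that pairs each slapd SRCH line with its SEARCH RESULT by conn/op and lists the group lookups that returned no entries, which is a quick way to see which directory queries behind a `valid users` check come back empty. The sample lines are a constructed excerpt in the format of the log above; the function name `find_empty_searches` is hypothetical.

```python
import re

# Constructed excerpt: a few lines in the format of the slapd log quoted in the post.
P = "Oct 24 09:25:20 infra slapd[3012]: "
GROUPS = 'base="ou=Groups,dc=MYDOM,dc=TLD" scope=1 deref=0 '
SAMPLE_LOG = "\n".join([
    P + 'conn=136 op=2 SRCH ' + GROUPS + 'filter="(&(objectClass=posixGroup)'
        '(|(memberUid=MYUSER)(uniqueMember=uid=MYUSER,ou=users,dc=MYDOM,dc=TLD)))"',
    P + 'conn=136 op=2 SRCH attr=gidNumber',
    P + '<= bdb_equality_candidates: (uniqueMember) index_param failed (18)',
    P + 'conn=136 op=2 SEARCH RESULT tag=101 err=0 nentries=3 text',
    P + 'conn=136 op=5 SRCH ' + GROUPS + 'filter="(&(objectClass=posixGroup)'
        '(uniqueMember=cn=web admins,ou=groups,dc=MYDOM,dc=TLD))"',
    P + 'conn=136 op=5 SEARCH RESULT tag=101 err=0 nentries=0 text',
    P + 'conn=136 op=8 SRCH base="dc=MYDOM,dc=TLD" scope=2 deref=0 '
        'filter="(&(objectClass=nisNetgroup)(cn=web admins))"',
    P + 'conn=136 op=8 SEARCH RESULT tag=101 err=0 nentries=0 text',
])

SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ deref=\d+ filter="(.*)"\s*$')
RESULT = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=\d+ nentries=(\d+)')
INDEX = re.compile(r'bdb_equality_candidates: \((\w+)\) index_param failed')

def find_empty_searches(log_text):
    """Return (searches that ended with nentries=0, attributes named in index_param failures)."""
    pending, empty, index_failures = {}, [], set()
    for line in log_text.splitlines():
        if m := SRCH.search(line):
            # Remember the search until its SEARCH RESULT line arrives.
            pending[(m[1], m[2])] = {"conn": m[1], "op": m[2], "base": m[3], "filter": m[4]}
        elif m := RESULT.search(line):
            search = pending.pop((m[1], m[2]), None)
            if search and m[3] == "0":
                empty.append(search)
        elif m := INDEX.search(line):
            index_failures.add(m[1])
    return empty, sorted(index_failures)

if __name__ == "__main__":
    empty, index_failures = find_empty_searches(SAMPLE_LOG)
    for s in empty:
        print(f'conn={s["conn"]} op={s["op"]} base={s["base"]} no entries for {s["filter"]}')
    print("index_param failed for:", ", ".join(index_failures))
```
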