Tim Boneko
2007-Mar-05 17:02 UTC
[Samba] samba+ldap: Simu.- login of 2 different users => user rejected
Has anybody had this problem before? If not, where should I start digging?
I'm running Samba 3.0.24 on Debian stable with slapd-2.2.23 backend.
smb.conf is attached below.
When two different users log in at the same moment, the login process
seems to freeze for a minute and the client (win2k) complains about
missing profile or missing access to profile. A single user login works
perfectly.
The log.smbd contains this:
krake smbd[28474]: [2007/03/05 15:06:09, 0]
auth/pampass.c:smb_pam_account(573)
krake smbd[28474]: smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during
Account Management for User: ws13
krake smbd[28474]: [2007/03/05 15:06:09, 0]
auth/pampass.c:smb_pam_accountcheck(781)
krake smbd[28474]: smb_pam_accountcheck: PAM: Account Validation
Failed - Rejecting User ws13!
Nothing interesting in auth.log and the same message in syslog (where
slapd logs to).
I don't know if this is a samba issue or ldap or network...
Any suggestions are highly welcome. We've got 20+ clients and users
typically log in simultaneously.
timbo
smb.conf:
panic action = /usr/share/samba/panic-action %d
dos charset = 850
unix charset = ISO-8859-15
display charset = ISO-8859-15
netbios name = KRAKE
workgroup = GHSWA
hosts allow = 192.168.
inherit acls = yes
update encrypted = yes
obey pam restrictions = yes
pam password change = yes
socket options = IPTOS_LOWDELAY SO_SNDBUF=32768 SO_RCVBUF=32768
passdb backend = ldapsam:ldap://127.0.0.1
os level = 65
preferred master = yes
domain master = yes
local master = yes
wins support = yes
time server = yes
security = user
admin users = supervisor
add user script = smbldap-useradd -m -a %u
delete user script = smbldap-userdel %u
add group script = smbldap-groupadd -p %g
delete group script = smbldap-groupdel %g
add user to group script = smbldap-groupmod -m %u %g
delete user from group script = smbldap-groupmod -x %u %g
set primary group script = smbldap-usermod -g %u %g
add machine script = smbldap-useradd -w %u
domain logons = yes
logon path = \\KRAKE\%U\.winprofile
logon home = \\%L\%U
logon script = logon.bat
preserve case = yes
short preserve case = yes
case sensitive = no
guest ok = no
printcap = cups
ldap admin dn = cn=supervisor,dc=ghswa
ldap delete dn = yes
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Machines
ldap passwd sync = yes
ldap suffix = dc=ghswa
ldap ssl = no
host msdfs = yes
[netlogon]
path = /ghswa/home/netlogon
write list = supervisor
browseable = yes
[profiles]
path = /ghswa/home/%u
writeable = yes
write list = %u
browseable = no
[...other shares...]
Felipe Augusto van de Wiel
2007-Mar-06 14:28 UTC
[Samba] samba+ldap: Simu.- login of 2 different users => user rejected
On 03/05/2007 02:02 PM, Tim Boneko wrote:
> Has anybody had this problem before? If not, where should I
> start digging?

By the logs you sent, definitely PAM. :-)

> I'm running Samba 3.0.24 on Debian stable with slapd-2.2.23 backend.
> smb.conf is attached below.
> When two different users log in at the same moment, the login process
> seems to freeze for a minute and the client (win2k) complains about
> missing profile or missing access to profile. A single user login works
> perfectly.
>
> The log.smbd contains this:
>
> krake smbd[28474]: [2007/03/05 15:06:09, 0]
> auth/pampass.c:smb_pam_account(573)
> krake smbd[28474]: smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during
> Account Management for User: ws13
> krake smbd[28474]: [2007/03/05 15:06:09, 0]
> auth/pampass.c:smb_pam_accountcheck(781)
> krake smbd[28474]: smb_pam_accountcheck: PAM: Account Validation
> Failed - Rejecting User ws13!

PAM: UNKNOWN PAM ERROR is not something nice to see in your logs. By the
description of the problem, I would say that the attempt to access the
profile (especially if it is a big one) could lead to RO/RW problems, but
I'm not sure, that's just MHO.

> Nothing interesting in auth.log and the same message in
> syslog (where slapd logs to).
> I don't know if this is a samba issue or ldap or network...

It seems something in the middle. ;) Did you already increase the log
level of Samba?

> Any suggestions are highly welcome. We've got 20+ clients and users
> typically log in simultaneously.

Should "simultaneously" be interpreted as "at exactly the same time", or
should it be interpreted as "a user logs in the morning and the same user
logs in the afternoon"?

> timbo
>
> smb.conf:
[...]
> obey pam restrictions = yes
> pam password change = yes

You are using PAM, so you really should check there, it could be the
problem.

> socket options = IPTOS_LOWDELAY SO_SNDBUF=32768 SO_RCVBUF=32768

Are you aware that under kernel 2.6.x you can have better network
performance if you remove SO_SNDBUF and SO_RCVBUF?

> [netlogon]
> path = /ghswa/home/netlogon
> write list = supervisor
> browseable = yes
>
> [profiles]
> path = /ghswa/home/%u
> writeable = yes
> write list = %u
> browseable = no

Maybe you should try 'csc policy = disable' and maybe 'profile acls' can
help you on this one.

Kind regards,
-- 
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
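
Added example, not part of the original thread or of Samba: a small parser for the log.smbd entries quoted above that maps the numeric PAM code to its Linux-PAM constant name (9 is PAM_AUTHINFO_UNAVAIL, "underlying authentication service can not retrieve authentication information") and groups rejections by second to check whether failures cluster on simultaneous logins. The code table is a subset taken from Linux-PAM's `_pam_types.h`; the `ws14` entry in the sample and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Subset of Linux-PAM return codes (security/_pam_types.h); smbd logs the number.
PAM_CODES = {4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
             9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN",
             13: "PAM_ACCT_EXPIRED"}

# Constructed sample: the ws13 entry is from the post, the ws14 entry is invented.
SAMPLE = """\
krake smbd[28474]: [2007/03/05 15:06:09, 0]
auth/pampass.c:smb_pam_account(573)
krake smbd[28474]: smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during
Account Management for User: ws13
krake smbd[28480]: [2007/03/05 15:06:09, 0]
auth/pampass.c:smb_pam_account(573)
krake smbd[28480]: smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during
Account Management for User: ws14
"""

HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *\d+\]")
ERROR = re.compile(r"PAM ERROR \((\d+)\) during\s+Account Management for User: (\S+)")

def pam_failures(text):
    """Return [(timestamp, user, code, name)] for account-phase PAM errors."""
    flat = " ".join(text.split())  # undo the mail/syslog line wrapping
    stamps = [(m.start(), m.group(1)) for m in HEADER.finditer(flat)]
    out = []
    for m in ERROR.finditer(flat):
        # Attribute each error to the closest preceding "[date time, level]" header.
        ts = max((s for s in stamps if s[0] < m.start()), default=(0, None))[1]
        code = int(m.group(1))
        out.append((ts, m.group(2), code, PAM_CODES.get(code, "unknown")))
    return out

def concurrent_bursts(failures, min_users=2):
    """Keep only the seconds in which at least min_users distinct users failed."""
    by_ts = defaultdict(set)
    for ts, user, _code, _name in failures:
        by_ts[ts].add(user)
    return {ts: sorted(u) for ts, u in by_ts.items() if len(u) >= min_users}

if __name__ == "__main__":
    failures = pam_failures(SAMPLE)
    for row in failures:
        print(*row)
    print("same-second rejections:", concurrent_bursts(failures))
```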