Frédéric Nass
2007-Nov-08 07:33 UTC
[Samba] sambaUserWorkstations (with LDAP) not working with Groups of Computers ?
Hi,

I'm trying to use the sambaUserWorkstations option to allow users to log on certain computers only. This option looks great... In fact it looks now a lot better than the 'ldap filter' one that was deprecated with samba 3.0.20...

The fact is, if the sambaUserWorkstations option works well with machine names, it doesn't seem to work when specifying groups of machines. I'm using LDAP as a backend + samba 3.0.24 (debian 4).

For example, I configured the "sambaUserWorkstations" attribute of my user "test" with the following arguments:

    sambaUserWorkstations: PC1,+salle1

This should work for PC1, PC2 (as the 'salle1' machine group has PC1$ and PC2$ for members) but not for PC3, right? But the user is actually only allowed to log in on PC1, and bounced on PC2. This seemed to be working easily with files as the samba backend.

Is this the right syntax for computer groups with ldap? I tried using a "@" instead of a "+" but it didn't help.

I use the LATEST Debian 4 (samba 3.0.24), UP-TO-DATE.

Please find all debug and configuration info here:
http://www.fichiers.univ-metz.fr/depot/nass/sambaUserWorkstations-Groups-Problem.tar.gz

Thank you for any help you might provide us,

Frédéric Nass
IUT de Metz - Université de Metz.
FRANCE
nass_chez_univ-metz_point_fr

Tél : +33387547736
Frédéric Nass
2007-Nov-12 10:53 UTC
[Samba] sambaUserWorkstations (with LDAP) not working with Groups of Computers ?
Same problem with the latest samba 3.0.26a stable. So I opened a bug report here:
https://bugzilla.samba.org/show_bug.cgi?id=5076

We're stuck on the following statement: "Only CFLAGS=-DNO_LDAP_SECURITY build option can avoid this error." No more info on the security issues this particular option might introduce.

F. NASS.

Frédéric Nass wrote:
>
> Hi,
>
> I found more info here:
> http://www.mail-archive.com/samba@lists.samba.org/msg33190.html
>
> This functionality seems to have been implemented in the samba source
> code (3.0.24 - auth_sam.c):
> http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_3_0_24/source/auth/auth_sam.c?rev=22815&view=markup
>
>     if (*workstation_list) {
>         BOOL invalid_ws = True;
>         fstring tok;
>         const char *s = workstation_list;
>
>         const char *machine_name = talloc_asprintf(mem_ctx, "%s$",
>                                                    user_info->wksta_name);
>         if (machine_name == NULL)
>             return NT_STATUS_NO_MEMORY;
>
>         while (next_token(&s, tok, ",", sizeof(tok))) {
>             DEBUG(10,("sam_account_ok: checking for workstation match %s and %s\n",
>                       tok, user_info->wksta_name));
>             if(strequal(tok, user_info->wksta_name)) {
>                 invalid_ws = False;
>                 break;
>             }
> here ///===>
>             if (tok[0] == '+') {
>                 DEBUG(10,("sam_account_ok: checking for workstation %s in group: %s\n",
>                           machine_name, tok + 1));
>                 if (user_in_group(machine_name, tok + 1)) {
>                     invalid_ws = False;
>                     break;
>                 }
>             }
>         }
>
>         if (invalid_ws)
>             return NT_STATUS_INVALID_WORKSTATION;
>     }
>
> So I used samba debug level 10 in smb.conf.
>
> This is the exact part of the samba workstation log file when auth
> fails on PC2 (it should work, as PC2 is also part of the "salle1"
> workstation group):
>
> smbldap_search_ext: base => [ou=Groups,dc=test,dc=org], filter => [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-5-21-747375223-3054175255-2287932516-3010)(sambaSIDList=S-1-5-21-747375223-3054175255-2287932516-515)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-11)(sambaSIDList=S-1-5-21-747375223-3054175255-2287932516-9001)(sambaSIDList=S-1-22-2-515)(sambaSIDList=S-1-22-2-4000)))], scope => [2]
> [2007/11/08 15:07:18, 0] lib/smbldap.c:smbldap_open(1009)
>   smbldap_open: cannot access LDAP when not root..
> [2007/11/08 15:07:18, 10] auth/auth_util.c:add_aliases(653)
>   pdb_enum_alias_memberships failed: NT_STATUS_UNSUCCESSFUL
> [2007/11/08 15:07:18, 10] auth/auth_util.c:user_in_group_sid(1277)
>   could not create token for PC2$
> [2007/11/08 15:07:18, 5] auth/auth.c:check_ntlm_password(273)
>   check_ntlm_password: sam authentication for user [toto] FAILED with error NT_STATUS_INVALID_WORKSTATION
> [2007/11/08 15:07:18, 3] auth/auth_winbind.c:check_winbind_security(80)
>   check_winbind_security: Not using winbind, requested domain [TEST] was for this SAM.
> [2007/11/08 15:07:18, 10] auth/auth.c:check_ntlm_password(261)
>   check_ntlm_password: winbind had nothing to say
> [2007/11/08 15:07:18, 2] auth/auth.c:check_ntlm_password(319)
>   check_ntlm_password: Authentication for user [toto] -> [toto] FAILED with error NT_STATUS_INVALID_WORKSTATION
> [2007/11/08 15:07:18, 5] auth/auth_util.c:free_user_info(1867)
>   attempting to free (and zero) a user_info structure
> [2007/11/08 15:07:18, 10] auth/auth_util.c:free_user_info(1871)
>   structure was created for toto
> [2007/11/08 15:07:18, 5] rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(934)
>   _net_sam_logon: check_password returned status NT_STATUS_INVALID_WORKSTATION
>
> This is the slapd log in the syslog file at the same time:
>
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=21 SRCH base="dc=test,dc=org" scope=2 deref=0 filter="(&(uid=salle1)(objectClass=sambaSamAccount))"
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=21 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=21 SEARCH RESULT tag=101 err=0 nentries=0 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=22 SRCH base="ou=Groups,dc=test,dc=org" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(|(displayName=salle1)(cn=salle1)))"
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=22 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=22 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=23 SRCH base="dc=test,dc=org" scope=2 deref=0 filter="(&(uid=pc2$)(objectClass=sambaSamAccount))"
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=23 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=23 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=3 SRCH base="dc=test,dc=org" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=pc2$))"
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=24 SRCH base="ou=Groups,dc=test,dc=org" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=515))"
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=24 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=24 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=25 SRCH base="dc=test,dc=org" scope=2 deref=0 filter="(&(sambaSID=s-1-5-21-747375223-3054175255-2287932516-515)(objectClass=sambaSamAccount))"
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=25 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=25 SEARCH RESULT tag=101 err=0 nentries=0 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=26 SRCH base="ou=Groups,dc=test,dc=org" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-747375223-3054175255-2287932516-515))"
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=26 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=26 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=27 SRCH base="dc=test,dc=org" scope=2 deref=0 filter="(&(sambaSID=s-1-5-21-747375223-3054175255-2287932516-515)(objectClass=sambaSamAccount))"
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=27 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=27 SEARCH RESULT tag=101 err=0 nentries=0 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=28 SRCH base="ou=Groups,dc=test,dc=org" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-747375223-3054175255-2287932516-515))"
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=28 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=28 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=4 SRCH base="dc=test,dc=org" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=pc2$))"
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=5 SRCH base="dc=test,dc=org" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=pc2$)(uniqueMember=uid=pc2$,ou=computers,dc=test,dc=org)))"
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=5 SRCH attr=gidNumber
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=6 SRCH base="dc=test,dc=org" scope=2 deref=0 filter="(&(objectClass=posixGroup)(uniqueMember=cn=salle1,ou=groups,dc=test,dc=org))"
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=6 SRCH attr=gidNumber
> Nov 8 15:07:18 debian slapd[3074]: conn=3 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=29 SRCH base="ou=Groups,dc=test,dc=org" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=4000))"
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=29 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=29 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=30 SRCH base="ou=Groups,dc=test,dc=org" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-32-545))"
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=30 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
> Nov 8 15:07:18 debian slapd[3074]: conn=2 op=30 SEARCH RESULT tag=101 err=0 nentries=0 text=
> Nov 8 15:07:23 debian exiting on signal 15
>
> I just can't get to spot the error. Log files can be downloaded from here:
> http://www.fichiers.univ-metz.fr/depot/nass/syslog-et-sambalog.tgz
>
> Thanks for any help,
>
> F. NASS.
>
> PS: Config files can be found here:
> http://lists.samba.org/archive/samba/2007-November/136188.html
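As an added illustration, not code from this thread or from Samba, the following C program models the check loop from auth_sam.c quoted above: plain tokens in sambaUserWorkstations are compared case-insensitively against the workstation name, and a token starting with '+' triggers a group-membership lookup on the machine account "<workstation>$". The group table and the two lookup callbacks are constructed for the example. The WS_LOOKUP_FAILED result is this example's own addition, not a Samba status: it keeps the fail-closed behaviour of the original (both non-OK results deny the logon) but lets a denial caused by the group lookup failing, which is what the "could not create token for PC2$" line in the log shows, be told apart from a denial by policy.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Outcomes of the workstation check. The quoted auth_sam.c has only two
 * (allowed / NT_STATUS_INVALID_WORKSTATION); WS_LOOKUP_FAILED is an added
 * distinction for a backend failure during a "+group" lookup. Both non-OK
 * codes deny the logon. */
typedef enum { WS_OK = 0, WS_INVALID_WORKSTATION, WS_LOOKUP_FAILED } ws_status;

/* Membership oracle standing in for user_in_group(): 1 = member, 0 = not a
 * member, -1 = the lookup itself failed (the "cannot access LDAP when not
 * root" / "could not create token" situation in the thread's log). */
typedef int (*group_lookup_fn)(const char *machine_account, const char *group);

/* Constructed sample data mirroring the thread: group "salle1" = { PC1$, PC2$ }. */
static const char *const salle1_members[] = { "PC1$", "PC2$", NULL };

static int lookup_ok(const char *machine_account, const char *group)
{
    if (strcasecmp(group, "salle1") != 0)
        return 0;                       /* unknown group: not a member */
    for (int i = 0; salle1_members[i] != NULL; i++)
        if (strcasecmp(salle1_members[i], machine_account) == 0)
            return 1;
    return 0;
}

/* Simulates the failure mode in the logs: the directory cannot be queried. */
static int lookup_failing(const char *machine_account, const char *group)
{
    (void)machine_account;
    (void)group;
    return -1;
}

/* Evaluate a sambaUserWorkstations value such as "PC1,+salle1" for a logon
 * from wksta_name. Only '+' is a group prefix; any other prefix such as '@'
 * is compared as a literal workstation name and therefore never matches. */
ws_status check_workstation(const char *workstation_list, const char *wksta_name,
                            group_lookup_fn lookup)
{
    char buf[256];
    char machine_name[80];
    bool invalid_ws = true;
    bool lookup_error = false;

    if (workstation_list == NULL || *workstation_list == '\0')
        return WS_OK;                   /* no restriction configured */
    if (strlen(workstation_list) >= sizeof buf)
        return WS_INVALID_WORKSTATION;  /* refuse rather than truncate the list */
    strcpy(buf, workstation_list);
    snprintf(machine_name, sizeof machine_name, "%s$", wksta_name);

    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        while (*tok == ' ')
            tok++;                      /* tolerate "PC1, +salle1" */
        if (strcasecmp(tok, wksta_name) == 0) {
            invalid_ws = false;         /* plain workstation name matched */
            break;
        }
        if (tok[0] == '+') {
            int r = lookup(machine_name, tok + 1);
            if (r < 0) {
                lookup_error = true;    /* fail closed, but remember why */
                continue;
            }
            if (r == 1) {
                invalid_ws = false;     /* machine account is in the group */
                break;
            }
        }
    }

    if (!invalid_ws)
        return WS_OK;
    return lookup_error ? WS_LOOKUP_FAILED : WS_INVALID_WORKSTATION;
}

int main(void)
{
    static const char *const names[] = { "OK", "INVALID_WORKSTATION", "LOOKUP_FAILED" };
    printf("PC2 via +salle1, LDAP healthy : %s\n",
           names[check_workstation("PC1,+salle1", "PC2", lookup_ok)]);
    printf("PC2 via +salle1, LDAP failing : %s\n",
           names[check_workstation("PC1,+salle1", "PC2", lookup_failing)]);
    printf("PC2 with @salle1 syntax       : %s\n",
           names[check_workstation("PC1,@salle1", "PC2", lookup_ok)]);
    return 0;
}
```

The second case reproduces the thread's symptom: when the directory cannot be queried, the check fails closed and the user is bounced, which is the right default for an access-control check but is indistinguishable from a real policy denial unless the backend error is logged next to it (as the debug-level-10 log above does). The third case shows why "@" did not help: the quoted code recognises only '+' as a group prefix.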