I've spent the last several days trying to get Samba to bind to our OpenDirectory server for user authentication with no success. Whenever I try to start Samba, it complains that the connection to the LDAP server failed with invalid credentials. I am authenticating other services against the LDAP server through NSS, so I am a bit at a loss as to why Samba won't run. I'm also a bit at a loss as to why I can't just tell Samba to use the same PAM modules that the other servers are using and just have authentication chug happily along through existing mechanisms.

At any rate, here are the details right now:

Samba 3.0.26a built with

    ./configure --prefix=/usr/local --enable-fhs --with-ldap --with-pam --with-configdir=/etc/samba --with-logfilebase=/var/log/samba

    $ cat /etc/samba/smb.conf
    [global]
    workgroup = WORKGROUP
    netbios name = Samuel
    security = user

    passdb backend = ldapsam:ldap://192.168.19.1/
    ldap suffix = dc=vpn,dc=a3dauto,dc=com
    ldap admin dn = dc=vpn,dc=a3dauto,dc=com
    ldap user suffix = cn=users
    ldap group suffix = cn=groups

    [test]
    path = /mnt/smb
    read only = no
    guest ok = no

    $ sudo /usr/local/sbin/smbd -iS
    smbd version 3.0.26a started.
    Copyright Andrew Tridgell and the Samba Team 1992-2007
    failed to bind to server ldap://192.168.19.1/ with dn="dc=vpn,dc=a3dauto,dc=com" Error: Invalid credentials
    (unknown)
    Connection to LDAP server failed for the 1 try!
    Connection to LDAP server failed for the 2 try!

I am able to query the LDAP server using ldapsearch -x just fine, which tells me that my settings in /etc/openldap/ldap.conf are correct. I assumed that I could just duplicate the same settings in smb.conf, add my admin password through smbpasswd -W and everything would Just Work (tm), but that is obviously not the case. I did some comparing of network traffic, and it seems that the only difference between successful binds and Samba's binds is that Samba is sending the dn when trying to bind and the others are just binding and then sending the dn later.

So my questions are as follows:

1) Is there anything that I am missing in the configuration that would make everything roll over?

2) Is there a way to make Samba use the PAM / NSS mechanism that is already working?

Thanks.
Thu, Nov 15, 2007 at 09:55:01AM -0600, Steve Brown wrote:
> $ sudo /usr/local/sbin/smbd -iS
> smbd version 3.0.26a started.
> Copyright Andrew Tridgell and the Samba Team 1992-2007
> failed to bind to server ldap://192.168.19.1/ with
> dn="dc=vpn,dc=a3dauto,dc=com" Error: Invalid credentials
> (unknown)
> Connection to LDAP server failed for the 1 try!
> Connection to LDAP server failed for the 2 try!

I see no smbpasswd -w ;o)

Regards,
Luf
> > $ sudo tdbdump /usr/local/private/secrets.tdb
> > {
> > key(45) = "SECRETS/LDAP_BIND_PW/dc=vpn,dc=a3dauto,dc=com"
> > data(7) = "mypass\00"
> > }
> >
> I believe this one will not connect to the ldap server because you are
> not specifying the uid or cn to connect with.

I would expect that to happen also, but that is how the PAM/NSS is configured, so I would expect it to be the same.
> Yup, I did:
>
> $ sudo tdbdump /usr/local/private/secrets.tdb
> {
> key(45) = "SECRETS/LDAP_BIND_PW/dc=vpn,dc=a3dauto,dc=com"
> data(7) = "mypass\00"
> }
>

I believe this one will not connect to the ldap server because you are not specifying the uid or cn to connect with.

John
> I would expect that to happen also, but that is how the PAM/NSS is
> configured, so I would expect it to be the same.
>

I see. PAM/NSS uses an anonymous bind and does this as read only I believe.

--
John M. Drescher
> I see. PAM/NSS uses an anonymous bind and does this as read only I believe.

So can I configure Samba to do an anonymous bind?
> > I see. PAM/NSS uses an anonymous bind and does this as read only I believe.
>
> So can I configure Samba to do an anonymous bind?
>

I have never tried that.

John
On Nov 15, 2007 11:42 AM, Steve Brown <sbrown25@gmail.com> wrote:
> > I see. PAM/NSS uses an anonymous bind and does this as read only I believe.
>
> So can I configure Samba to do an anonymous bind?
>

BTW, here is what I have in my ldap config for samba:

    [global]
    passdb backend = ldapsam:"ldap://sysserv0.radimg.pitt.edu ldap://192.168.1.230"
    ldap ssl = false
    ldap admin dn = "cn=Manager,dc=radimg,dc=pitt,dc=edu"
    ldap user suffix = ou=People
    ldap delete dn = yes
    ldap machine suffix = ou=Hosts
    ldap group suffix = ou=Groups
    ldapsam:trusted=yes
    ldap suffix = dc=radimg,dc=pitt,dc=edu

John
Steve Brown writes:
> I've spent the last several days trying to get Samba to bind to our
> OpenDirectory server for user authentication with no success.
> Whenever I try start Samba, it complains that the connection to the
> LDAP server failed with invalid credentials. I am authenticating
> other services against the LDAP server through NSS, so I am a bit at a
> loss as to why Samba won't run. I'm also a bit at a loss as to why I
> can't just tell Samba to use the same PAM modules that the other
> servers are using and just have authentication chug happily along
> through existing mechanisms.

My guess is that you can when you use pam - only you would need another passdb backend then (for example tdbsam).

> Samba 3.0.26a built with ./configure --prefix=/usr/local --enable-fhs
> --with-ldap --with-pam --with-configdir=/etc/samba
> --with-logfilebase=/var/log/samba

Looks good.

> $ cat /etc/samba/smb.conf
> [global]
> workgroup = WORKGROUP
> netbios name = Samuel
> security = user
>
> passdb backend = ldapsam:ldap://192.168.19.1/
> ldap suffix = dc=vpn,dc=a3dauto,dc=com
> ldap admin dn = dc=vpn,dc=a3dauto,dc=com
> ldap user suffix = cn=users
> ldap group suffix = cn=groups

It strikes me as strange that your ldap suffix and ldap admin dn are identical. I'm not familiar with OpenDirectory, but do they have a 'root dn' like OpenLDAP does, or are you authenticating against an entry in the database itself?

> I am able to query the LDAP server using ldapsearch -x just fine,
> which tells me that my settings in /etc/openldap/ldap.conf are
> correct.

Settings in /etc/openldap/ldap.conf are not used by samba, AFAIK.

> I assumed that I could just duplicate the same settings in
> smb.conf, add my admin password through smbpasswd -W and everything
> would Just Work (tm), but that is obviously not the case.

Well, it should be. :) You say you can use ldapsearch; can you also do authenticated binds with it? E.g. does this work:

    ldapsearch -h 192.168.19.1 -D dc=vpn,dc=a3dauto,dc=com -w mypass -x objectClass=*

and this:

    ldapsearch -h 192.168.19.1 -D uid=diradmin,dc=vpn,dc=a3dauto,dc=com -w mypass -x objectClass=*

Is your nss config authenticated or not? (You can set the bindpw flag in /etc/ldap.conf, but you can also leave it out.) That might give you a clue as to whether your authenticated setup is working.

> 1) Is there anything that I am missing in the configuration that would
> make everything roll over?

It looks good - apart from the fact that your admin dn might be incorrect - but that may also be caused by your testing, like you mention in another message.

> 2) Is there a way to make Samba use the PAM / NSS mechanism that is
> already working?

Yes, but you would need another passdb backend then. Additionally, you cannot configure it to do an anonymous bind. Samba needs access to private information in the ldap server (passwords and such), and granting this access to anonymous users is not recommended.

Regards,
roel
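The point roel makes about the bind dn, as an added example that is not code from the thread or from Samba: a small lint that reads the [global] section of smb.conf, flags an "ldap admin dn" that is identical to "ldap suffix" (it then names the base entry rather than an account with a cn= or uid= RDN, which is exactly the shape of Steve's failing bind), and builds the ldapsearch test bind roel suggests so the dn and password can be tried by hand before smbd is started. The two configurations embedded as input are copied from the thread; function names and the lint messages are this example's own, and the ldapsearch command uses -H (URI) and -W (prompt for the password) instead of -h and -w so the password does not end up on the command line.

```python
# Added example, not code from the thread or from Samba: a lint for the
# ldapsam bind settings in smb.conf plus a helper that builds the manual
# ldapsearch bind test roel proposed. Function names are this example's own.
import shlex
from typing import Dict, List

# Sample input: both configs are copied from the thread.
STEVE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
netbios name = Samuel
security = user
passdb backend = ldapsam:ldap://192.168.19.1/
ldap suffix = dc=vpn,dc=a3dauto,dc=com
ldap admin dn = dc=vpn,dc=a3dauto,dc=com
ldap user suffix = cn=users
ldap group suffix = cn=groups
[test]
path = /mnt/smb
read only = no
guest ok = no
"""

JOHN_SMB_CONF = """\
[global]
passdb backend = ldapsam:"ldap://sysserv0.radimg.pitt.edu ldap://192.168.1.230"
ldap ssl = false
ldap admin dn = "cn=Manager,dc=radimg,dc=pitt,dc=edu"
ldap user suffix = ou=People
ldap delete dn = yes
ldap machine suffix = ou=Hosts
ldap group suffix = ou=Groups
ldapsam:trusted=yes
ldap suffix = dc=radimg,dc=pitt,dc=edu
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers and 'key = value' lines,
    '#'/';' comments skipped. Keys are lower-cased; a value wrapped entirely
    in quotes is unquoted. Includes and line continuations are not handled."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        sections[current][key.strip().lower()] = value
    return sections


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs: trim spaces around RDNs and
    lower-case the attribute types. Escaped commas are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append(attr.strip().lower() + "=" + value.strip())
    return ",".join(rdns)


def check_ldap_bind_config(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the problems found with the ldapsam bind settings (empty = ok)."""
    g = sections.get("global", {})
    if not g.get("passdb backend", "").startswith("ldapsam"):
        return ["passdb backend is not ldapsam; the ldap settings are not used for the bind"]
    suffix, admin = g.get("ldap suffix", ""), g.get("ldap admin dn", "")
    findings: List[str] = []
    if not suffix:
        findings.append("ldap suffix is not set")
    if not admin:
        findings.append("ldap admin dn is not set; ldapsam needs an authenticated bind")
    if findings:
        return findings
    nsuffix, nadmin = normalize_dn(suffix), normalize_dn(admin)
    if nadmin == nsuffix:
        findings.append("ldap admin dn is identical to ldap suffix: it names the base entry, "
                        "not an account; expected an RDN such as cn=... or uid=... in front of " + suffix)
    elif not nadmin.endswith("," + nsuffix):
        findings.append("ldap admin dn is not under ldap suffix; check the server lets that dn bind")
    elif nadmin.split("=", 1)[0] not in ("cn", "uid"):
        findings.append("ldap admin dn does not start with cn= or uid=; check it names a bind account")
    return findings


def ldapsearch_bind_test(sections: Dict[str, Dict[str, str]]) -> str:
    """Shell command for an authenticated test bind with the dn smbd will use.
    -W prompts for the password instead of exposing it in argv and history."""
    g = sections["global"]
    uris = g["passdb backend"].split(":", 1)[1].strip().strip('"').split()
    argv = ["ldapsearch", "-x", "-H", uris[0], "-D", g["ldap admin dn"], "-W",
            "-b", g["ldap suffix"], "-s", "base", "(objectClass=*)"]
    return shlex.join(argv)


if __name__ == "__main__":
    for who, conf in (("Steve", STEVE_SMB_CONF), ("John", JOHN_SMB_CONF)):
        s = parse_smb_conf(conf)
        print(who + ":", check_ldap_bind_config(s) or "ldap bind settings look consistent")
        print("  test bind:", ldapsearch_bind_test(s))
```

Run against Steve's config it reports the identical suffix/admin dn; against John's it reports nothing and prints a bind test using cn=Manager,dc=radimg,dc=pitt,dc=edu. The lint only checks the shape of the dn; whether the password stored with smbpasswd -w matches is something only the printed ldapsearch bind can confirm.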
> > 2) Is there a way to make Samba use the PAM / NSS mechanism that is
> > already working?
>
> Yes, but you would need another passdb backend then.

Which passdb backend would I need to use in this case?

Perhaps I should just start over with an explanation of my environment. We run a largely Mac environment with many services happily authenticating against an OpenDirectory (OpenLDAP) server running on Mac OS X server. We have need for Windows clients to access certain shares on the network. I would like to use Samba to do this. I would also like to not have to re-enter all user accounts on the Samba box. What is the best way to go about this?