samba - May 2008 - SAMBA PDC with LDAP backend syncing unix/samba accounts ...

Hi all ,
         I'm running Debian Etch . I just finished
configuring SAMBA
as PDC to authenticate against LDAP server which works.
The system in question uses default debian etch packages.
As My Linix/unix accounts can authenticate against it. The
LDAP works.
    I  Used the default shipped smbldap-populate script to
setup SAMBA.
       Everything seems to work as Anonymous User or as
user root.

shark:/etc/samba# smbclient -L shark -N
Anonymous login successful
Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]

        Share name       Type      Comment
        ---------       ----      -------
        netlogon        Disk      Network Logon Service
        knoppix         Disk
        IPC$            IPC       IPC Service (Samba Server
3.0.24)
Anonymous login successful
Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]

        Server               Comment
        ---------            -------
        SHARK                Samba Server 3.0.24


      Now when I try and login as normal user, which i have
enabled
with "smbldap-usermod -a  yogesh"

smbldap-usershow yogesh

dn: uid=yogesh,ou=People,dc=biomax,dc=de
uid: yogesh
cn: yogesh
objectClass:
account,posixAccount,top,shadowAccount,sambaSamAccount
userPassword: {MD5}.SOMELONGHASH ....
shadowLastChange: 12900
shadowMax: 10000
loginShell: /bin/bash
uidNumber: 668
gidNumber: 100
homeDirectory: /sk-home/yogesh
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: System User
sambaSID: S-1-5-21-4033729970-1053622217-143831336-9886
sambaAcctFlags: [UX ]

-----

Now when I try and connect I get the following failure .
shark:/etc/samba# smbclient -L shark -U yogesh
session setup failed: NT_STATUS_LOGON_FAILURE

After Digging thru the logs I figuered that if I enter
password using
"smbldap-password" . It works.

Now my Stupid questions ?
I already have unix users working of LDAP, How can I
automate the addition of remaining accounts with SAMBA ?

Also whenever a unix user changes passwd samba password is
not updated ?

Any pointers will be of great help.

Thanks in advace
yogesh

did you adjust you pam.d settings to accept MD5 password hashes. 

you can find some usefull tips in the Big samba howto 
http://www.google.nl/search?hl=nl&q=big+samba+howto+debian&meta= 
this one also works for etch.

Louis 
>-----Oorspronkelijk bericht-----
>Van: samba-bounces+belle=bazuin.nl@lists.samba.org 
>[mailto:samba-bounces+belle=bazuin.nl@lists.samba.org] Namens yogi
>Verzonden: zaterdag 17 mei 2008 19:29
>Aan: samba@lists.samba.org
>Onderwerp: [Samba] SAMBA PDC with LDAP backend syncing 
>unix/samba accounts ...
>
>Hi all ,
>         I'm running Debian Etch . I just finished
>configuring SAMBA
>as PDC to authenticate against LDAP server which works.
>The system in question uses default debian etch packages.
>As My Linix/unix accounts can authenticate against it. The
>LDAP works.
>    I  Used the default shipped smbldap-populate script to
>setup SAMBA.
>       Everything seems to work as Anonymous User or as
>user root.
>
>shark:/etc/samba# smbclient -L shark -N
>Anonymous login successful
>Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]
>
>        Share name       Type      Comment
>        ---------       ----      -------
>        netlogon        Disk      Network Logon Service
>        knoppix         Disk
>        IPC$            IPC       IPC Service (Samba Server
>3.0.24)
>Anonymous login successful
>Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]
>
>        Server               Comment
>        ---------            -------
>        SHARK                Samba Server 3.0.24
>
>
>      Now when I try and login as normal user, which i have
>enabled
>with "smbldap-usermod -a  yogesh"
>
>smbldap-usershow yogesh
>
>dn: uid=yogesh,ou=People,dc=biomax,dc=de
>uid: yogesh
>cn: yogesh
>objectClass:
>account,posixAccount,top,shadowAccount,sambaSamAccount
>userPassword: {MD5}.SOMELONGHASH ....
>shadowLastChange: 12900
>shadowMax: 10000
>loginShell: /bin/bash
>uidNumber: 668
>gidNumber: 100
>homeDirectory: /sk-home/yogesh
>sambaPwdLastSet: 0
>sambaLogonTime: 0
>sambaLogoffTime: 2147483647
>sambaKickoffTime: 2147483647
>sambaPwdCanChange: 0
>sambaPwdMustChange: 2147483647
>displayName: System User
>sambaSID: S-1-5-21-4033729970-1053622217-143831336-9886
>sambaAcctFlags: [UX ]
>
>-----
>
>Now when I try and connect I get the following failure .
>shark:/etc/samba# smbclient -L shark -U yogesh
>session setup failed: NT_STATUS_LOGON_FAILURE
>
>After Digging thru the logs I figuered that if I enter
>password using
>"smbldap-password" . It works.
>
>Now my Stupid questions ?
>I already have unix users working of LDAP, How can I
>automate the addition of remaining accounts with SAMBA ?
>
>Also whenever a unix user changes passwd samba password is
>not updated ?
>
>Any pointers will be of great help.
>
>Thanks in advace
>yogesh
>
>
>
>      
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/listinfo/samba
>

yogi escreveu:
> Hi all ,
>          I'm running Debian Etch . I just finished
> configuring SAMBA
> as PDC to authenticate against LDAP server which works.
> The system in question uses default debian etch packages.
> As My Linix/unix accounts can authenticate against it. The
> LDAP works.
>     I  Used the default shipped smbldap-populate script to
> setup SAMBA.
>   
Good, this is the reason that it is there :)
You will only not want to use if you have a reason, like it messing with 
your already populated base.
>        Everything seems to work as Anonymous User or as
> user root.
>
> shark:/etc/samba# smbclient -L shark -N
> Anonymous login successful
> Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]
>
>         Share name       Type      Comment
>         ---------       ----      -------
>         netlogon        Disk      Network Logon Service
>         knoppix         Disk
>         IPC$            IPC       IPC Service (Samba Server
> 3.0.24)
> Anonymous login successful
> Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]
>
>         Server               Comment
>         ---------            -------
>         SHARK                Samba Server 3.0.24
>
>
>       Now when I try and login as normal user, which i have
> enabled
> with "smbldap-usermod -a  yogesh"
>
> smbldap-usershow yogesh
>
> dn: uid=yogesh,ou=People,dc=biomax,dc=de
> uid: yogesh
> cn: yogesh
> objectClass:
> account,posixAccount,top,shadowAccount,sambaSamAccount
> userPassword: {MD5}.SOMELONGHASH ....
> shadowLastChange: 12900
> shadowMax: 10000
> loginShell: /bin/bash
> uidNumber: 668
> gidNumber: 100
> homeDirectory: /sk-home/yogesh
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> displayName: System User
> sambaSID: S-1-5-21-4033729970-1053622217-143831336-9886
> sambaAcctFlags: [UX ]
>
> -----
>
> Now when I try and connect I get the following failure .
> shark:/etc/samba# smbclient -L shark -U yogesh
> session setup failed: NT_STATUS_LOGON_FAILURE
>   
For me smbldap-usermod -a dont ask for a password, so your error appears 
to be the right behavior of the server, when you try to access the samba 
server with an account that have a posix password but don't have a samba 
password.
If your posix password is hashed and it didn't asked for the password it 
cannot guess it and fill the NT and LM samba hashes.

If you don't know, your account need to end up with three hashes for the 
same password :)
> After Digging thru the logs I figuered that if I enter
> password using
> "smbldap-password" . It works.
>   
Ok, now you have defined your samba password, and it will be synced with 
the posix one, and everyone will be happy.
 
> Now my Stupid questions ?
> I already have unix users working of LDAP, How can I
> automate the addition of remaining accounts with SAMBA ?
>   
Well, as already said your script cannot guess the content of a hash to 
create another that samba needs (this is the purpose of hashes), 
normally people add the samba part (with smbldap-usermod), change the 
password to something else (with smbldap-passwd), mark the account to 
only allow the login if the password is changed (with smbldap-usermod -B 
1), then inform the user of the new password and ask to he to put his 
password back when he tries to login and receive automatically a window 
asking for that.

It will be a process very likely as adding a new user.
> Also whenever a unix user changes passwd samba password is
> not updated ?
>   
Well, this is a little more complicated, depends of how and were they 
are trying to do that, but normally posix tools don't know of the 
existence of samba hashes, anyway its possible to do that too, but you 
will need to be a little more specific. They are trying to do that using 
their own workstations that have Linux or trying to do that accessing 
the server shell?
> Any pointers will be of great help.
>
> Thanks in advace
> yogesh
Appears that theres nothing wrong with your config, you just didn't 
understood what you need to do.


Regards.

Edmundo Valle Neto

yogi escreveu:
> Hi all ,
>          I'm running Debian Etch . I just finished
> configuring SAMBA
> as PDC to authenticate against LDAP server which works.
> The system in question uses default debian etch packages.
> As My Linix/unix accounts can authenticate against it. The
> LDAP works.
>     I  Used the default shipped smbldap-populate script to
> setup SAMBA.
>   
Good, this is the reason that it is there :)
You will only not want to use if you have a reason, like it messing with
your already populated base.
>        Everything seems to work as Anonymous User or as
> user root.
>
> shark:/etc/samba# smbclient -L shark -N
> Anonymous login successful
> Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]
>
>         Share name       Type      Comment
>         ---------       ----      -------
>         netlogon        Disk      Network Logon Service
>         knoppix         Disk
>         IPC$            IPC       IPC Service (Samba Server
> 3.0.24)
> Anonymous login successful
> Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]
>
>         Server               Comment
>         ---------            -------
>         SHARK                Samba Server 3.0.24
>
>
>       Now when I try and login as normal user, which i have
> enabled
> with "smbldap-usermod -a  yogesh"
>
> smbldap-usershow yogesh
>
> dn: uid=yogesh,ou=People,dc=biomax,dc=de
> uid: yogesh
> cn: yogesh
> objectClass:
> account,posixAccount,top,shadowAccount,sambaSamAccount
> userPassword: {MD5}.SOMELONGHASH ....
> shadowLastChange: 12900
> shadowMax: 10000
> loginShell: /bin/bash
> uidNumber: 668
> gidNumber: 100
> homeDirectory: /sk-home/yogesh
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> displayName: System User
> sambaSID: S-1-5-21-4033729970-1053622217-143831336-9886
> sambaAcctFlags: [UX ]
>
> -----
>
> Now when I try and connect I get the following failure .
> shark:/etc/samba# smbclient -L shark -U yogesh
> session setup failed: NT_STATUS_LOGON_FAILURE
>   
For me smbldap-usermod -a dont ask for a password, so your error appears
to be the right behavior of the server, when you try to access the samba
server with an account that have a posix password but don't have a samba
password.
If your posix password is hashed and it didn't asked for the password it
cannot guess it and fill the NT and LM samba hashes.

If you don't know, your account need to end up with three hashes for the
same password :)
> After Digging thru the logs I figuered that if I enter
> password using
> "smbldap-password" . It works.
>   
Ok, now you have defined your samba password, and it will be synced with
the posix one, and everyone will be happy.
> Now my Stupid questions ?
> I already have unix users working of LDAP, How can I
> automate the addition of remaining accounts with SAMBA ?
>   
Well, as already said your script cannot guess the content of a hash to
create another that samba needs (this is the purpose of hashes),
normally people add the samba part (with smbldap-usermod), change the
password to something else (with smbldap-passwd), mark the account to
only allow the login if the password is changed (with smbldap-usermod -B
1), then inform the user of the new password and ask to he to put his
password back when he tries to login and receive automatically a window
asking for that.

It will be a process very likely as adding a new user.
> Also whenever a unix user changes passwd samba password is
> not updated ?
>   
Well, this is a little more complicated, depends of how and were they
are trying to do that, but normally posix tools don't know of the
existence of samba hashes, anyway its possible to do that too, but you
will need to be a little more specific. They are trying to do that using
their own workstations that have Linux or trying to do that accessing
the server shell?
> Any pointers will be of great help.
>
> Thanks in advace
> yogesh
Appears that theres nothing wrong with your config, you just didn't
understood what you need to do.


Regards.

Edmundo Valle Neto

Hi ,
       Thanks Edmundo and Louis for the input.
Edmundo you are absolutely right about three hashes.
I figuered that part. I always wondered how will samba
generate a hash from my unix hash ;).

Now coming back to my question. I will try and be even more
specific.

IF a user tries to change password on his/her wks, then 
he/she uses "passwd" in which case it uses pam  and unix
password is changed leaving samba password.

How do I  provide my users a common password sync option on
their respective workstation ?

Anybody ,

Thanks in advance,
yogesh

yogi escreveu:
> Hi ,
>        Thanks Edmundo and Louis for the input.
> Edmundo you are absolutely right about three hashes.
> I figuered that part. I always wondered how will samba
> generate a hash from my unix hash ;).
>
> Now coming back to my question. I will try and be even more
> specific.
>
> IF a user tries to change password on his/her wks, then 
> he/she uses "passwd" in which case it uses pam  and unix
> password is changed leaving samba password.
>
> How do I  provide my users a common password sync option on
> their respective workstation ?
>
> Anybody ,
>
> Thanks in advance,
> yogesh
>   
You can use "smbpasswd -r pdcname".
This is the simplest way to change the password.

If you really want to use the passwd command, you will need to use 
winbind in these workstations and the pam_winbind.so pam module to 
change the password trough it.

You could even use smbldap-passwd to change the password directly in the 
base, but you would need to make some changes in the script first.


Regards.

Edmundo Valle Neto

do the samba accounts already exist in another format such as smbpasswd 
or tdbsam?  if so, use pdbedit -i smbpasswd:/etc/samba/smbpasswd (dunno 
what the command is for tdbsam though)

to have samba and unix passwords changed at the same time, use ldap 
password sync = yes in smb.conf and when a user in windows hits 
ctrl-alt-del and clicks on change password, it will change both at the 
same time.

yogi wrote:
> Hi all ,
>          I'm running Debian Etch . I just finished
> configuring SAMBA
> as PDC to authenticate against LDAP server which works.
> The system in question uses default debian etch packages.
> As My Linix/unix accounts can authenticate against it. The
> LDAP works.
>     I  Used the default shipped smbldap-populate script to
> setup SAMBA.
>        Everything seems to work as Anonymous User or as
> user root.
>
> shark:/etc/samba# smbclient -L shark -N
> Anonymous login successful
> Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]
>
>         Share name       Type      Comment
>         ---------       ----      -------
>         netlogon        Disk      Network Logon Service
>         knoppix         Disk
>         IPC$            IPC       IPC Service (Samba Server
> 3.0.24)
> Anonymous login successful
> Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]
>
>         Server               Comment
>         ---------            -------
>         SHARK                Samba Server 3.0.24
>
>
>       Now when I try and login as normal user, which i have
> enabled
> with "smbldap-usermod -a  yogesh"
>
> smbldap-usershow yogesh
>
> dn: uid=yogesh,ou=People,dc=biomax,dc=de
> uid: yogesh
> cn: yogesh
> objectClass:
> account,posixAccount,top,shadowAccount,sambaSamAccount
> userPassword: {MD5}.SOMELONGHASH ....
> shadowLastChange: 12900
> shadowMax: 10000
> loginShell: /bin/bash
> uidNumber: 668
> gidNumber: 100
> homeDirectory: /sk-home/yogesh
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> displayName: System User
> sambaSID: S-1-5-21-4033729970-1053622217-143831336-9886
> sambaAcctFlags: [UX ]
>
> -----
>
> Now when I try and connect I get the following failure .
> shark:/etc/samba# smbclient -L shark -U yogesh
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> After Digging thru the logs I figuered that if I enter
> password using
> "smbldap-password" . It works.
>
> Now my Stupid questions ?
> I already have unix users working of LDAP, How can I
> automate the addition of remaining accounts with SAMBA ?
>
> Also whenever a unix user changes passwd samba password is
> not updated ?
>
> Any pointers will be of great help.
>
> Thanks in advace
> yogesh
>
>
>
>       
>
>

Hi ,
      Edmundo Thanks once again ... 
I will  check which solution works best for me.

Ciao
Yogi