yogi
2008-May-17 17:36 UTC
[Samba] SAMBA PDC with LDAP backend syncing unix/samba accounts ...
Hi all,

I'm running Debian Etch. I just finished configuring SAMBA as PDC to authenticate against LDAP server which works. The system in question uses default Debian Etch packages. As my Linux/unix accounts can authenticate against it, the LDAP works.

I used the default shipped smbldap-populate script to set up SAMBA. Everything seems to work as Anonymous User or as user root.

shark:/etc/samba# smbclient -L shark -N
Anonymous login successful
Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]

        Share name      Type      Comment
        ---------       ----      -------
        netlogon        Disk      Network Logon Service
        knoppix         Disk
        IPC$            IPC       IPC Service (Samba Server 3.0.24)
Anonymous login successful
Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]

        Server               Comment
        ---------            -------
        SHARK                Samba Server 3.0.24

Now when I try and log in as a normal user, which I have enabled with "smbldap-usermod -a yogesh":

smbldap-usershow yogesh

dn: uid=yogesh,ou=People,dc=biomax,dc=de
uid: yogesh
cn: yogesh
objectClass: account,posixAccount,top,shadowAccount,sambaSamAccount
userPassword: {MD5}.SOMELONGHASH ....
shadowLastChange: 12900
shadowMax: 10000
loginShell: /bin/bash
uidNumber: 668
gidNumber: 100
homeDirectory: /sk-home/yogesh
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: System User
sambaSID: S-1-5-21-4033729970-1053622217-143831336-9886
sambaAcctFlags: [UX ]

-----

Now when I try and connect I get the following failure.

shark:/etc/samba# smbclient -L shark -U yogesh
session setup failed: NT_STATUS_LOGON_FAILURE

After digging through the logs I figured that if I enter the password using "smbldap-password", it works.

Now my stupid questions:

I already have unix users working off LDAP. How can I automate the addition of remaining accounts with SAMBA?

Also, whenever a unix user changes passwd, the samba password is not updated?

Any pointers will be of great help.

Thanks in advance,
yogesh
L.P.H. van Belle
2008-May-19 11:25 UTC
[Samba] SAMBA PDC with LDAP backend syncing unix/samba accounts ...
Did you adjust your pam.d settings to accept MD5 password hashes? You can find some useful tips in the Big samba howto:

http://www.google.nl/search?hl=nl&q=big+samba+howto+debian&meta=

This one also works for Etch.

Louis

>-----Original message-----
>From: samba-bounces+belle=bazuin.nl@lists.samba.org [mailto:samba-bounces+belle=bazuin.nl@lists.samba.org] On behalf of yogi
>Sent: Saturday 17 May 2008 19:29
>To: samba@lists.samba.org
>Subject: [Samba] SAMBA PDC with LDAP backend syncing unix/samba accounts ...
>
>Hi all,
>
>I'm running Debian Etch. I just finished configuring SAMBA as PDC to authenticate against LDAP server which works. The system in question uses default Debian Etch packages. As my Linux/unix accounts can authenticate against it, the LDAP works.
>
>I used the default shipped smbldap-populate script to set up SAMBA. Everything seems to work as Anonymous User or as user root.
>
>shark:/etc/samba# smbclient -L shark -N
>Anonymous login successful
>Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]
>
>        Share name      Type      Comment
>        ---------       ----      -------
>        netlogon        Disk      Network Logon Service
>        knoppix         Disk
>        IPC$            IPC       IPC Service (Samba Server 3.0.24)
>Anonymous login successful
>Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]
>
>        Server               Comment
>        ---------            -------
>        SHARK                Samba Server 3.0.24
>
>Now when I try and log in as a normal user, which I have enabled with "smbldap-usermod -a yogesh":
>
>smbldap-usershow yogesh
>
>dn: uid=yogesh,ou=People,dc=biomax,dc=de
>uid: yogesh
>cn: yogesh
>objectClass: account,posixAccount,top,shadowAccount,sambaSamAccount
>userPassword: {MD5}.SOMELONGHASH ....
>shadowLastChange: 12900
>shadowMax: 10000
>loginShell: /bin/bash
>uidNumber: 668
>gidNumber: 100
>homeDirectory: /sk-home/yogesh
>sambaPwdLastSet: 0
>sambaLogonTime: 0
>sambaLogoffTime: 2147483647
>sambaKickoffTime: 2147483647
>sambaPwdCanChange: 0
>sambaPwdMustChange: 2147483647
>displayName: System User
>sambaSID: S-1-5-21-4033729970-1053622217-143831336-9886
>sambaAcctFlags: [UX ]
>
>-----
>
>Now when I try and connect I get the following failure.
>
>shark:/etc/samba# smbclient -L shark -U yogesh
>session setup failed: NT_STATUS_LOGON_FAILURE
>
>After digging through the logs I figured that if I enter the password using "smbldap-password", it works.
>
>Now my stupid questions:
>
>I already have unix users working off LDAP. How can I automate the addition of remaining accounts with SAMBA?
>
>Also, whenever a unix user changes passwd, the samba password is not updated?
>
>Any pointers will be of great help.
>
>Thanks in advance,
>yogesh
Edmundo Valle Neto
2008-May-19 22:08 UTC
[Samba] SAMBA PDC with LDAP backend syncing unix/samba accounts ...
yogi wrote:
> Hi all,
>
> I'm running Debian Etch. I just finished configuring SAMBA as PDC to authenticate against LDAP server which works. The system in question uses default Debian Etch packages. As my Linux/unix accounts can authenticate against it, the LDAP works.
>
> I used the default shipped smbldap-populate script to set up SAMBA.

Good, this is the reason that it is there :) You will only not want to use it if you have a reason, like it messing with your already populated base.

> Everything seems to work as Anonymous User or as user root.
>
> shark:/etc/samba# smbclient -L shark -N
> Anonymous login successful
> Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]
>
>         Share name      Type      Comment
>         ---------       ----      -------
>         netlogon        Disk      Network Logon Service
>         knoppix         Disk
>         IPC$            IPC       IPC Service (Samba Server 3.0.24)
> Anonymous login successful
> Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]
>
>         Server               Comment
>         ---------            -------
>         SHARK                Samba Server 3.0.24
>
> Now when I try and log in as a normal user, which I have enabled with "smbldap-usermod -a yogesh":
>
> smbldap-usershow yogesh
>
> dn: uid=yogesh,ou=People,dc=biomax,dc=de
> uid: yogesh
> cn: yogesh
> objectClass: account,posixAccount,top,shadowAccount,sambaSamAccount
> userPassword: {MD5}.SOMELONGHASH ....
> shadowLastChange: 12900
> shadowMax: 10000
> loginShell: /bin/bash
> uidNumber: 668
> gidNumber: 100
> homeDirectory: /sk-home/yogesh
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> displayName: System User
> sambaSID: S-1-5-21-4033729970-1053622217-143831336-9886
> sambaAcctFlags: [UX ]
>
> -----
>
> Now when I try and connect I get the following failure.
>
> shark:/etc/samba# smbclient -L shark -U yogesh
> session setup failed: NT_STATUS_LOGON_FAILURE

For me smbldap-usermod -a doesn't ask for a password, so your error appears to be the right behavior of the server when you try to access the samba server with an account that has a posix password but doesn't have a samba password. If your posix password is hashed and it didn't ask for the password, it cannot guess it and fill the NT and LM samba hashes. If you don't know, your account needs to end up with three hashes for the same password :)

> After digging through the logs I figured that if I enter the password using "smbldap-password", it works.

Ok, now you have defined your samba password, and it will be synced with the posix one, and everyone will be happy.

> Now my stupid questions:
>
> I already have unix users working off LDAP. How can I automate the addition of remaining accounts with SAMBA?

Well, as already said, your script cannot guess the content of a hash to create another that samba needs (this is the purpose of hashes). Normally people add the samba part (with smbldap-usermod), change the password to something else (with smbldap-passwd), mark the account to only allow the login if the password is changed (with smbldap-usermod -B 1), then inform the user of the new password and ask him to put his password back when he tries to log in and automatically receives a window asking for that. It will be a process very much like adding a new user.

> Also, whenever a unix user changes passwd, the samba password is not updated?

Well, this is a little more complicated; it depends on how and where they are trying to do that, but normally posix tools don't know of the existence of samba hashes. Anyway, it's possible to do that too, but you will need to be a little more specific. Are they trying to do that using their own workstations that have Linux, or trying to do that accessing the server shell?

> Any pointers will be of great help.
>
> Thanks in advance,
> yogesh

It appears that there's nothing wrong with your config, you just didn't understand what you need to do.

Regards.

Edmundo Valle Neto
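
The state described in the reply above (a sambaSamAccount entry that has a posix password but no NT/LM hash) can be found across a directory export by checking each entry for the NT hash attribute. This is an added example, not part of the thread: the sample entries are constructed, the users alice and bob are hypothetical, and the attribute names sambaNTPassword and sambaLMPassword come from the Samba LDAP schema, not from the posts.

```python
# Added example: classify LDAP account entries by the password hashes they carry.
# SAMPLE_LDIF is constructed; "alice" and "bob" are hypothetical and all hash
# values are placeholders. sambaNTPassword/sambaLMPassword hold the NT/LM hashes.
SAMPLE_LDIF = """\
dn: uid=yogesh,ou=People,dc=biomax,dc=de
uid: yogesh
objectClass: account,posixAccount,top,shadowAccount,sambaSamAccount
userPassword: {MD5}PLACEHOLDER
sambaPwdLastSet: 0

dn: uid=alice,ou=People,dc=biomax,dc=de
uid: alice
objectClass: account
objectClass: posixAccount
userPassword: {MD5}PLACEHOLDER

dn: uid=bob,ou=People,dc=biomax,dc=de
uid: bob
objectClass: posixAccount
objectClass: sambaSamAccount
userPassword: {MD5}PLACEHOLDER
sambaNTPassword: PLACEHOLDER-NT-HASH
sambaLMPassword: PLACEHOLDER-LM-HASH
"""

def parse_entries(text):
    """Split LDIF-style text into dicts mapping attribute name -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, value = line.split(":", 1)
            key = key.strip().lower()
            # objectClass may be repeated (LDIF) or comma-joined (as in the post)
            values = value.split(",") if key == "objectclass" else [value]
            entry.setdefault(key, []).extend(v.strip() for v in values)
        entries.append(entry)
    return entries

def classify(entry):
    """Return which step the account still needs before SMB logon can work."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "sambasamaccount" not in classes:
        return "posix-only"       # no Samba attributes on the entry yet
    if not any(entry.get("sambantpassword", [])):
        return "samba-no-hash"    # Samba-enabled, but no NT hash to check against
    return "ok"

def audit(text):
    return {e["uid"][0]: classify(e) for e in parse_entries(text) if "uid" in e}

if __name__ == "__main__":
    for uid, state in audit(SAMPLE_LDIF).items():
        print(f"{uid:10} {state}")
```

An entry reported as samba-no-hash is in the state that produced NT_STATUS_LOGON_FAILURE in the thread; the hashes cannot be derived from userPassword, so the password has to be set again through a tool that writes all three.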
yogi
2008-May-20 09:42 UTC
[Samba] SAMBA PDC with LDAP backend syncing unix/samba accounts ...
Hi,

Thanks Edmundo and Louis for the input. Edmundo, you are absolutely right about three hashes. I figured that part. I always wondered how samba will generate a hash from my unix hash ;).

Now coming back to my question. I will try and be even more specific.

If a user tries to change the password on his/her wks, then he/she uses "passwd", in which case it uses pam and the unix password is changed, leaving the samba password.

How do I provide my users a common password sync option on their respective workstations?

Anybody?

Thanks in advance,
yogesh
Edmundo Valle Neto
2008-May-20 18:20 UTC
[Samba] SAMBA PDC with LDAP backend syncing unix/samba accounts ...
yogi wrote:
> Hi,
>
> Thanks Edmundo and Louis for the input. Edmundo, you are absolutely right about three hashes. I figured that part. I always wondered how samba will generate a hash from my unix hash ;).
>
> Now coming back to my question. I will try and be even more specific.
>
> If a user tries to change the password on his/her wks, then he/she uses "passwd", in which case it uses pam and the unix password is changed, leaving the samba password.
>
> How do I provide my users a common password sync option on their respective workstations?
>
> Anybody?
>
> Thanks in advance,
> yogesh

You can use "smbpasswd -r pdcname". This is the simplest way to change the password.

If you really want to use the passwd command, you will need to use winbind on these workstations and the pam_winbind.so pam module to change the password through it.

You could even use smbldap-passwd to change the password directly in the base, but you would need to make some changes in the script first.

Regards.

Edmundo Valle Neto
Adam Williams
2008-May-21 15:44 UTC
[Samba] SAMBA PDC with LDAP backend syncing unix/samba accounts ...
Do the samba accounts already exist in another format such as smbpasswd or tdbsam? If so, use pdbedit -i smbpasswd:/etc/samba/smbpasswd (dunno what the command is for tdbsam though).

To have samba and unix passwords changed at the same time, use ldap password sync = yes in smb.conf, and when a user in Windows hits ctrl-alt-del and clicks on change password, it will change both at the same time.

yogi wrote:
> Hi all,
>
> I'm running Debian Etch. I just finished configuring SAMBA as PDC to authenticate against LDAP server which works. The system in question uses default Debian Etch packages. As my Linux/unix accounts can authenticate against it, the LDAP works.
>
> I used the default shipped smbldap-populate script to set up SAMBA. Everything seems to work as Anonymous User or as user root.
>
> shark:/etc/samba# smbclient -L shark -N
> Anonymous login successful
> Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]
>
>         Share name      Type      Comment
>         ---------       ----      -------
>         netlogon        Disk      Network Logon Service
>         knoppix         Disk
>         IPC$            IPC       IPC Service (Samba Server 3.0.24)
> Anonymous login successful
> Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]
>
>         Server               Comment
>         ---------            -------
>         SHARK                Samba Server 3.0.24
>
> Now when I try and log in as a normal user, which I have enabled with "smbldap-usermod -a yogesh":
>
> smbldap-usershow yogesh
>
> dn: uid=yogesh,ou=People,dc=biomax,dc=de
> uid: yogesh
> cn: yogesh
> objectClass: account,posixAccount,top,shadowAccount,sambaSamAccount
> userPassword: {MD5}.SOMELONGHASH ....
> shadowLastChange: 12900
> shadowMax: 10000
> loginShell: /bin/bash
> uidNumber: 668
> gidNumber: 100
> homeDirectory: /sk-home/yogesh
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> displayName: System User
> sambaSID: S-1-5-21-4033729970-1053622217-143831336-9886
> sambaAcctFlags: [UX ]
>
> -----
>
> Now when I try and connect I get the following failure.
>
> shark:/etc/samba# smbclient -L shark -U yogesh
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> After digging through the logs I figured that if I enter the password using "smbldap-password", it works.
>
> Now my stupid questions:
>
> I already have unix users working off LDAP. How can I automate the addition of remaining accounts with SAMBA?
>
> Also, whenever a unix user changes passwd, the samba password is not updated?
>
> Any pointers will be of great help.
>
> Thanks in advance,
> yogesh