Hi,

I've been running a samba 3.0.22-13.30 server in standalone mode (security=user) for quite a while. It's authenticated against an openLdap and works great, say Server A.

A few days ago I installed OpenSuSE 11 Beta 2 in another server, it came with samba 3.2.0-18, so as I'm very lazy I copied the smb.conf file from the working server to the new one with little modifications like the netbios name and which shares it serves, say Server B. I'm connecting to the same Ldap server.

The problem is that I can't reach any share, from the Server B logs...

[2008/07/01 04:54:01, 1] passdb/pdb_ldap.c:init_sam_from_ldap(567)
  init_sam_from_ldap: No uid attribute found for this user!
[2008/07/01 04:54:01, 1] passdb/pdb_ldap.c:ldapsam_getsampwnam(1531)
  ldapsam_getsampwnam: init_sam_from_ldap failed for user 'xxxxx'!

I've been "googling" for the last 8 hours and I can't fix the problem, with a more verbose debug level I can see that the Ldap connection works fine. I've also checked the Ldap logs and everything is fine.

Maybe it's a problem with idmap-ing.

Here is my smb.conf file from the Server B, I've placed comments on lines which differ from the Server A and commented out lines I believe are not relevant to Server B.

-----------------------------------------------------------------
[global]

        passdb expand explicit = no
        utmp = Yes
        workgroup = CPD
        netbios name = OPEN                     # I've changed the
        server string = File Server
        passdb backend = ldapsam:ldap://ldapon.my.company
        time server = Yes
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        username map = /etc/samba/smbusers
        map to guest = Bad User
        wins support = no                       # it's 'Yes' in the old server
        local master = no                       # it's 'Yes' in the old server
        domain master = no                      # it's 'Yes' in the old server
        domain logons = no                      # it's 'Yes' in the old server
        security = user
        preferred master = no
        os level = 64
        encrypt passwords = yes
        # logon script = test.bat
        # logon path = \\%L\profiles\%U
        # logon home = \\%L\%U
        # logon drive = z:
        # add user script = ldapsmb -a -u "%u"
        # delete user script = ldapsmb -d -u "%u"
        # add machine script = ldapsmb -a -s -wks "%u" -v --logfile /var/log/samba/ldapsmb.log
        # add group script = ldapsmb -a -g "%g"
        # delete group script = ldapsmb -d -g "%g"
        # add user to group script = ldapsmb -j -u "%u" -g "%g"
        # delete user from group script = ldapsmb -j -u "%u" -g "%g"
        # set primary group script = ldapsmb -m -u "%u" -gid "%g"
        ldap admin dn = cn=Manager,dc=my,dc=company
        ldap suffix = dc=my,dc=company
        ldap machine suffix = ou=Computers
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap user suffix = ou=People
        ldap passwd sync = Yes
        log file = /var/log/samba/%m.log
        log level = 1
        load printers = no


[www2]
        comment = webpages
        path = /path/to/webpages
        public = no
        writeable = yes
        browseable = yes
        valid users = +groupA +groupB
        force user = www2
        create mask = 0775
        dont descend = /bin,/boot,/dev,/etc,/lib,.....

-----------------------------------------------------------------

Please, any ideas?

Best regards,
--
Ing. Ernesto Silva.
Coordinador de Desarrollo Web y Sistemas Abiertos
Centro de Procesamiento de Datos
Universidad ORT Uruguay.
E-mail: silva@ort.edu.uy
Tel: (+5982) 903-1995, (+5982) 902-9687 ext. 102
Fax: (+5982) 900-2952
> [2008/07/01 04:54:01, 1] passdb/pdb_ldap.c:init_sam_from_ldap(567)
>   init_sam_from_ldap: No uid attribute found for this user!
> [2008/07/01 04:54:01, 1] passdb/pdb_ldap.c:ldapsam_getsampwnam(1531)
>   ldapsam_getsampwnam: init_sam_from_ldap failed for user 'xxxxx'!

Have you looked in the LDAP log to see what attribute it's actually looking for? I haven't used 3.2 yet but I guess it's possible that something has changed with that.

> [global]
>
>         os level = 64

I don't think you need or want this since you are not a WINS server...

>         ldap admin dn = cn=Manager,dc=my,dc=company
>         ldap suffix = dc=my,dc=company
>         ldap machine suffix = ou=Computers
>         ldap group suffix = ou=Groups
>         ldap idmap suffix = ou=Idmap
>         ldap user suffix = ou=People
>         ldap passwd sync = Yes

Have you run smbpasswd -w to write the LDAP admin password into secrets.tdb?

> [www2]
>         valid users = +groupA +groupB
>         force user = www2

Only last night I was dealing with a terrible problem with 3.0.28a with these two parameters. Try commenting these out and see if you can get to your share. Try naming individual users instead of groups. Also, apparently the required syntax for expanding groups has changed and I think it should be +DOMAIN\groupA and the like. Though I'm not sure that the '+' syntax is still favored either. You'll need to look in the docs for your version to verify this. Comment them out for testing anyway.

Also I was made aware last night that it is better to set the sticky bit on the directory than to use 'force user' or 'force group' (thanks JHT). It will solve the 'create mask' too, I think.

>         create mask = 0775
Have you installed the libnss-ldap module on Server B? It's required if you have your users in an LDAP database.

What do you see if you type the command on Server B:

id <username>

For example, I have a user in my LDAP database, named "kissg_02a". In my case, I see the following:

root@lemontree# id kissg_02a
uid=10003(kissg_02a) gid=513(Domain Users) groups=513(Domain Users)

Try to set "loglevel 256" in your slapd.conf and look for entries in your syslog file which have an "err" value other than zero. If you don't have any, it means that communication with the LDAP server works as expected, but Samba cannot access the uid attribute.

It can also be that the samba.schema file changed since Samba version 3.0, and the new version stores UIDs in a different attribute or in a different place of the LDAP directory structure. Check if there is a new version available for Samba 3.2.

Best regards
Gergely Kiss

2008/7/2 Ernesto Silva <silva@ort.edu.uy>:
I think that you overlooked the SID. In standalone mode you're not worrying about a domain - the data in LDAP is for your old server. The new samba installation has a new SID and it's doing its search in LDAP for that, finding no users.

I've only used samba and ldap in a domain so don't know much about your options in standalone mode.

2008/7/2 Ernesto Silva <silva@ort.edu.uy>:
On Tue, Jul 1, 2008 at 8:16 PM, Ernesto Silva <silva@ort.edu.uy> wrote:
>
> A few days ago I've installed OpenSuSE 11 Beta 2 in another server, it came
> with samba 3.2.0-18, so as I'm very lazy I copied the smb.conf file from the
> working server to the new one with little modifications like the netbios
> name and which shares it serves, say Server B. I'm connecting to the same
> Ldap server.

Did you copy over the secrets.tdb as well? If not, you are going to have to use "net setlocalsid" to set the machine SID to match the old one, and "smbpasswd -w" to set the LDAP access password. Samba tracks users by SID now (which I don't like, personally, but it's something that the Samba Team apparently had to do if they wanted to interoperate with later versions of Microsoft's networking stack) so your users will have SIDs that were created by the old system.

You also will want to put a "sub" index on the sambaSID attribute in OpenLDAP's slapd.conf file if you haven't already done so. Later versions of samba need it... you get a nice efficiency boost.

Um, and watch your search limits in OpenLDAP also - the "machine suffix" and "user suffix" parameters in smb.conf are not applied as filters in the searches that samba makes in LDAP, so search returns might be bigger than you anticipate, and I'm not sure that samba can properly handle an RFC-compliant paged LDAP search result like OpenLDAP might return.

I prefer using net setlocalsid and smbpasswd rather than just copying over an old secrets.tdb - but use tdbdump on the old one to see if there is anything else in there (like domain trust passwords) before you decide.

--Charlie
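An added shell check, written for this page and not taken from any message in the thread, that turns Charlie's advice into a repeatable diagnostic: it reads the local machine SID from `net getlocalsid`, reads the user's sambaSID from LDAP, and reports whether the two belong together before anyone touches secrets.tdb. The base `dc=my,dc=company` and `ou=People` come from the posted smb.conf; the anonymous `ldapsearch` bind, the user name argument and the `diagnose_sid` name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): does the user's sambaSID in LDAP
# belong to this machine's SID?  Assumes dc=my,dc=company / ou=People
# from the posted smb.conf and an anonymous ldapsearch bind.

# Strip the trailing RID: S-1-5-21-A-B-C-1004 -> S-1-5-21-A-B-C
sid_base() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# Exit 0 when user_sid was issued under local_sid (same domain part).
sids_match() {
    local_sid=$1
    user_sid=$2
    [ "$(sid_base "$user_sid")" = "$local_sid" ]
}

# Live check against the running server.  Usage: diagnose_sid <username>
diagnose_sid() {
    user=$1
    # "SID for domain HOST is: S-1-5-21-..." -> keep only the SID.
    local_sid=$(net getlocalsid | sed 's/.*: //')
    # sambaSID stored for the user under the ou=People suffix.
    user_sid=$(ldapsearch -x -LLL -b "ou=People,dc=my,dc=company" \
                   "(uid=$user)" sambaSID | sed -n 's/^sambaSID: //p')
    if [ -z "$user_sid" ]; then
        echo "no sambaSID for '$user': not a Samba account here" \
             "(check POSIX resolution with: id $user)"
        return 2
    fi
    if sids_match "$local_sid" "$user_sid"; then
        echo "OK: $user_sid belongs to local SID $local_sid"
        return 0
    fi
    echo "MISMATCH: local SID $local_sid but LDAP holds $user_sid"
    echo "fix: net setlocalsid $(sid_base "$user_sid")," \
         "then smbpasswd -w <ldap admin password>"
    # slapd.conf should also carry:  index sambaSID eq,sub
    return 1
}

# Run the live check only when a user name is given on the command line.
if [ $# -ge 1 ]; then
    diagnose_sid "$1"
fi
```

The two helpers run offline; only `diagnose_sid` needs `net` and `ldapsearch` on the box.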
Kevin, unix users work fine, I can log in to the server with my username and password with both stored in the directory, the only "problem" here is that I don't have a home directory so the Linux server warns me and assumes '/'.

Regards,
--
Ing. Ernesto Silva.
Coordinador de Desarrollo Web y Sistemas Abiertos
Centro de Procesamiento de Datos
Universidad ORT Uruguay.
E-mail: silva@ort.edu.uy
Tel: (+5982) 903-1995, (+5982) 902-9687 ext. 102
Fax: (+5982) 900-2952

Kevin Bedford wrote:
> Is the new server set up to resolve Unix uid's and gid's from your LDAP
> server? Just a thought.
>
> Cheers