Hi,

I've migrated from an old Samba installation (Samba as PDC) that used the TDB backend for passwords. I've set up a box with Ubuntu and Samba 3 + LDAP and I imported the old users. Old users work fine.

I have problems with new users and machines.

Old users work but they don't show up with the smbldap-usershow command, and I have problems changing their passwords. If I check the LDAP db I can find them (with both ldapsearch and slapcat).

New users created with smbldap-useradd can be seen with the smbldap-usershow command but can't log on to a workstation.

If I join a workstation (directly from the workstation) it is added to the LDAP db, but it doesn't see the domain until I manually add an entry for it in /etc/passwd.

Checking the user entry for two users I can find the following differences.

BERENICE is a user imported from the old system and is working fine:

dn: uid=berenice,ou=Users,dc=DOMAIN,dc=IT
uid: berenice
sambaSID: S-1-5-21-1234567890-123456789-123456789-2018
sambaPrimaryGroupSID: S-1-5-21-1234567890-123456789-123456789-513
displayName: berenice
sambaLogonTime: 0
sambaLogoffTime: 4294967295
sambaKickoffTime: 4294967295
sambaPwdCanChange: 1161193814
sambaPwdMustChange: 4294967295
sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1161193814
sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
sambaAcctFlags: [U ]
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
objectClass: sambaSamAccount
objectClass: account
structuralObjectClass: account
entryUUID: af11fe14-8e7a-102d-9b4e-27169ab1b87f
creatorsName: cn=admin,dc=DOMAIN,dc=IT
createTimestamp: 20090214003220Z
entryCSN: 20090214003220.132569Z#000000#000#000000
modifiersName: cn=admin,dc=DOMAIN,dc=IT
modifyTimestamp: 20090214003220Z

ADAM is a freshly created user and can't log on to a workstation:

dn: uid=adam,ou=Users,dc=DOMAIN,dc=IT
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: adam
sn: adam
givenName: adam
uid: adam
uidNumber: 1004
gidNumber: 513
homeDirectory: /home/adam
loginShell: /bin/bash
gecos: System User
structuralObjectClass: inetOrgPerson
entryUUID: f9326600-8e7a-102d-9bb5-27169ab1b87f
creatorsName: cn=admin,dc=DOMAIN,dc=IT
createTimestamp: 20090214003424Z
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: adam
sambaSID: S-1-5-21-1234567890-123456789-123456789-3008
sambaPrimaryGroupSID: S-1-5-21-1234567890-123456789-123456789-513
sambaLogonScript: logon.bat
sambaProfilePath: \serverprofilesadam
sambaHomePath: \serveradam
sambaHomeDrive: C:
sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaAcctFlags: [U]
sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaPwdLastSet: 1234571674
sambaPwdMustChange: 1238459674
userPassword:: e1NTSEF9SStEUWVhay9tV2ROTGtOZy9QSlRqTDIrdmM1d1V6ZE4
shadowLastChange: 14289
shadowMax: 45
entryCSN: 20090214003434.475223Z#000000#000#000000
modifiersName: cn=admin,dc=DOMAIN,dc=IT
modifyTimestamp: 20090214003434Z

Any help would be appreciated.

Thanks,
Riccardo
do you have ldap machine suffix = ou=Computers in smb.conf?

dogbert@infinito.it wrote:
> If I join a workstation (directly by the workstation) it is added to ldap db
> but it doesn't see the domain until I manually add an entry for it in
> /etc/passwd
Yes, this is the [GLOBAL] section of my smb.conf:

[global]
        dos charset = 850
        unix charset = ISO8859-1
        workgroup = DOMAIN.IT
        server string = SERVERNAME
        map to guest = Bad User
        passdb backend = ldapsam:ldap://localhost/
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 100000
        smb ports = 139
        time server = Yes
        deadtime = 10
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = cups
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
        logon script = logon.bat
        logon path =
        logon drive = C:
        logon home =
        domain logons = Yes
        os level = 15
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=admin,dc=DOMAIN,dc=IT
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Computers
        ldap passwd sync = Yes
        ldap suffix = dc=DOMAIN,dc=IT
        ldap user suffix = ou=Users
        create mask = 0640
        directory mask = 0750
        nt acl support = No
        case sensitive = No
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

Adam Williams wrote:
> do you have ldap machine suffix = ou=Computers
> in smb.conf?
>
> dogbert@infinito.it wrote:
> > If I join a workstation (directly by the workstation) it is added to ldap db
> > but it doesn't see the domain until I manually add an entry for it in
> > /etc/passwd
sorry... forgot to crosspost the answer to the list:

I'm checking /etc/ldap.conf and it seems that at the end of this file a line with the following directive was added:

nss_initgroups_ignoreusers

that included more or less every single entry contained in my /etc/passwd file at the time of the LDAP configuration.

is that normal behaviour?

Thanks,
Riccardo

> did you properly configure nssldap ?
>
> On Mon, 11 May 2009 14:25:05 +0200, dogbert@infinito.it wrote:
> > [...]
ADAM and BERENICE are fake usernames (I had to cover the real username and domain information before posting).

> is ADAM the username of a user or a machine account?
Is this the section that has to be configured in ldap.conf?

#nss_base_passwd        ou=People,dc=padl,dc=com?one
#nss_base_shadow        ou=People,dc=padl,dc=com?one
#nss_base_group         ou=Group,dc=padl,dc=com?one
#nss_base_hosts         ou=Hosts,dc=padl,dc=com?one
#nss_base_services      ou=Services,dc=padl,dc=com?one
#nss_base_networks      ou=Networks,dc=padl,dc=com?one
#nss_base_protocols     ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc           ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers        ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks      ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams    ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases       ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup      ou=Netgroup,dc=padl,dc=com?one

because all the directives are commented out except the following:

base dc=DOMAIN,dc=IT
binddn cn=anonymous,dc=DOMAIN,dc=IT
bindpw xxxxxxx
ldap_version 3
nss_initgroups_ignoreusers
pam_password md5
rootbinddn cn=admin,dc=dc=DOMAIN,dc=IT
uri ldap://127.0.0.1/

> /etc/ldap.conf has to include a lookup for passwd in the ou=Computers section
> or machines have to be duplicated in /etc/passwd
>
> just find the one for Users and add a similar one for Computers.
>
> From: "dogbert@infinito.it" <dogbert@infinito.it>
> To: Adam Williams <awilliam@mdah.state.ms.us>
> Cc: samba@lists.samba.org
> Sent: Monday, 11 May, 2009 7:35:01
> Subject: Re: [Samba] Users can't login on Samba+Ldap
>
> [...]
I've found somewhere (I'm looking again for the document) that from a certain version it no longer needs the file libnss_ldap.conf/secret because it's all configured from ldap.conf/secret (and I don't have libnss_ldap files).

Anyway I checked with the getent command and I obtain only entries from the /etc/passwd and group files.

I'd like to store all the Windows user and workstation information in LDAP, limiting only the administrative user to passwd.

François Legal wrote:
> To be honest, I don't know very well all the ldap client configuration
> stuff. Anyway, nss is not (AFAIK) configured in /etc/ldap.conf.
>
> You should have libnss_ldap.conf/secret files containing the ldap
> configuration (bind DN/pwd suffix for users, suffix for groups...) so that
> NSS can successfully look up the directory when it has to find user/group
> information.
>
> You can see if it is configured properly by doing getent group and getent
> passwd
> These commands shall display all the groups and users found on the system.
> That is each user and group present in /etc/passwd /etc/group plus each
> user contained in maybe ou=Users,dc=yourcompany,dc=com and
> ou=Groups,dc=yourcompany,dc=com and (that one is important too)
> ou=Machines,dc=yourcompany,dc=com from your directory.
>
> Note that if you plan to only use ldap to store user information, you
> should no longer have real users/groups in /etc/passwd and /etc/group
>
> François
>
> On Mon, 11 May 2009 16:51:47 +0200, dogbert@infinito.it wrote:
>> [...]
Yes, I followed the guides at the Ubuntu site:
https://help.ubuntu.com/8.10/serverguide/C/network-authentication.html
and it included the installation of libnss_ldap.

François Legal wrote:
> Did you install the libnss_ldap package ?
>
> On Mon, 11 May 2009 23:32:00 +0200, dogbert <dogbert@infinito.it> wrote:
>> Adam Williams wrote:
>>> can you post your /etc/nsswitch.conf?
>>
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> # pre_auth-client-config # passwd: files
>> passwd: files ldap
>> # pre_auth-client-config # shadow: files
>> shadow: files ldap
>> # pre_auth-client-config # group: files
>> group: files ldap
>>
>> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
>> networks: files
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
>>
>> # netgroup: nis
>> # pre_auth-client-config # netgroup: nis
>> netgroup: nis
Miguel Medalha wrote:
> Based on your smb.conf, you must have the following entries in
> /etc/ldap.conf
>
> nss_base_passwd ou=Users,dc=DOMAIN,dc=IT?one
> nss_base_passwd ou=Computers,dc=DOMAIN,dc=IT?one
> nss_base_shadow ou=Users,dc=DOMAIN,dc=IT?one
> nss_base_group ou=Groups,dc=DOMAIN,dc=IT?one

Hi,

I've tried this configuration and I still have some problems.

Trying to connect with a user created only in LDAP (smbldap-useradd) I get the following error in the Samba log:

[2009/05/19 10:59:30, 0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
  pdb_get_group_sid: Failed to find Unix account for utentest
[2009/05/19 10:59:30, 0] auth/auth_sam.c:check_sam_security(355)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2009/05/19 10:59:30, 0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
  pdb_get_group_sid: Failed to find Unix account for utentest

If I try to connect with a user that exists in both LDAP and the /etc/passwd file I cannot get it to authenticate (error: user is invalid or bad password), but I don't get any log entry in the Samba files.

I can't understand what's wrong with this installation.
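As an added illustration (not code from the thread, from Samba or from nss_ldap), the Python below models the NSS lookup that Samba's pdb_get_group_sid() relies on: an LDAP entry resolves as a Unix account only when it carries posixAccount and its DN falls under an nss_base_passwd base from /etc/ldap.conf (nss_ldap's default being the base DN with scope sub). The LDIF entries and ldap.conf fragments are constructed from the thread's values; ws01$ is a hypothetical machine account.

```python
# Added example (not from the thread): models the NSS lookup that Samba's
# pdb_get_group_sid() relies on. An entry resolves as a Unix account only if it
# has posixAccount (uidNumber) and its DN lies under an nss_base_passwd base.
import re
LDIF = """\
dn: uid=berenice,ou=Users,dc=DOMAIN,dc=IT
uid: berenice
objectClass: sambaSamAccount
objectClass: account

dn: uid=adam,ou=Users,dc=DOMAIN,dc=IT
objectClass: posixAccount
objectClass: sambaSamAccount
uid: adam
uidNumber: 1004

dn: uid=ws01$,ou=Computers,dc=DOMAIN,dc=IT
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws01$
uidNumber: 1005
"""
CONF_USERS_ONLY = "base dc=DOMAIN,dc=IT\nnss_base_passwd ou=Users,dc=DOMAIN,dc=IT?one\n"
CONF_FULL = CONF_USERS_ONLY + "nss_base_passwd ou=Computers,dc=DOMAIN,dc=IT?one\n"

def parse_ldif(text):
    """Parse unfolded LDIF into a list of {attr: [values]} dicts (values kept raw)."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if line.strip():
            key, _, val = line.partition(":")
            cur.setdefault(key, []).append(val.lstrip(": "))
        elif cur:
            entries.append(cur)
            cur = {}
    return entries

def nss_bases(conf):
    """(dn, scope) pairs NSS searches for passwd; commented lines are ignored."""
    base, bases = None, []
    for m in re.finditer(r"^\s*(base|nss_base_passwd)\s+(\S+)", conf, re.M):
        dn, _, scope = m.group(2).lower().partition("?")
        if m.group(1) == "base":
            base = dn
        else:
            bases.append((dn, scope or "sub"))
    return bases or ([(base, "sub")] if base else [])  # nss_ldap default: base?sub

def resolvable(entry, bases):
    """Would 'getent passwd <uid>' return this entry with these search bases?"""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "posixaccount" not in classes or "uidNumber" not in entry:
        return False  # berenice's case: Samba attributes only, no POSIX account
    dn = entry["dn"][0].lower()
    parent = dn.split(",", 1)[1]
    return any(dn.endswith("," + b) if s == "sub" else parent == b for b, s in bases)

def report(ldif, conf):
    """uid -> resolvable; False is what Samba logs as 'Failed to find Unix account'."""
    bases = nss_bases(conf)
    return {e["uid"][0]: resolvable(e, bases) for e in parse_ldif(ldif)}
```

With only the ou=Users line the machine account stays unresolved, which matches the workstation needing an /etc/passwd entry; berenice never resolves from LDAP because her imported entry has no posixAccount, consistent with getent returning only /etc/passwd entries.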