Clayton Hill
2011-Jun-04 02:46 UTC
[Samba] need recipe for samba to do user authentication against a centos 5.5 openldap server (NO IDMAPS! NO PDC!)
Hi all,

Please help, I've been wasting days at this...

I am not trying to create a PDC, I am not joining an active directory, I am not needing samba schema in my openldap (or do I?), I am not trying to use winbind and idmaps for translations from SID to UID/GID, I just want my samba server which shares linux home directories to authenticate user+password against my existing linux based openldap server.

These are already POSIX accounts on the openldap server, so the UID and GID need no translation AFAIK.

All I want to do is have users log into the samba share with their openldap Linux accounts. Unfortunately this is not working... at all.

Samba ver:
samba3x-3.3.8-0.52.el5_5.2
openldap ver:
2.3 (shouldn't matter)

my smb.conf :
-----------------------------------------------------------------------------------

[global]
server string = %h server

passdb backend = ldapsam:ldap://ldap.domain.com
# looks like this syntax is deprecated. What's the correct syntax? smb.conf manpage is not making sense to me....

security = user
ldap passwd sync = yes
# is this needed?

ldap ssl = no
ldap admin dn = cn=superadmin,dc=domain,dc=com
ldap suffix = dc=domain,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Group

[Shared]
comment = Shared Directories
path = /shared
read only = No
create mask = 0600
directory mask = 0700

--------------------------------------------------------------------------------------------------------------
I then did

smbpasswd -w myadmindnpasswd

I'm super confused as to why the above syntax isn't sufficient, and the howtos out there are all not very helpful and use deprecated syntax....

log level 2 snippet:

-------------------------------------------------------------------------------------------------------------------------------------------
[2011/06/03 19:25:00, 2] lib/smbldap_util.c:smbldap_search_domain_info(277)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SV3))]
[2011/06/03 19:25:00, 2] lib/smbldap.c:smbldap_open_connection(796)
  smbldap_open_connection: connection opened
[2011/06/03 19:25:00, 1] lib/smbldap_util.c:add_new_domain_info(233)
  add_new_domain_info: failed to add domain dn
sambaDomainName=SV3,dc=domain,dc=com with: Invalid DN syntax
  invalid DN
[2011/06/03 19:25:00, 0] lib/smbldap_util.c:smbldap_search_domain_info(310)
  smbldap_search_domain_info: Adding domain info for SV3 failed with NT_STATUS_UNSUCCESSFUL
[2011/06/03 19:25:00, 2] passdb/pdb_ldap.c:pdb_init_ldapsam(6259)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
  pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
-------------------------------------------------------------------------------------------------------------------------------------------

This doesn't look good at all... btw the samba server's hostname is SV3, why is it using the syntax "domain dn= sambaDomainName=SV3,dc=domain,dc=com"? This seems to not jive with what is in the smb.conf file, and I have no such entry for the hostname of this samba server "SV3" or the string "dn sambaDomainName" specified anywhere in the configuration... I could of course be interpreting this log incorrectly..

please help! :-)

Cheers,
-Clayton
Volker Lendecke
2011-Jun-04 07:50 UTC
[Samba] need recipe for samba to do user authentication against a centos 5.5 openldap server (NO IDMAPS! NO PDC!)
On Fri, Jun 03, 2011 at 07:46:49PM -0700, Clayton Hill wrote:
> Please help Ive been wasting days at this...
> I am not trying to create a PDC, I am not joining an active directory, I am
> not needing samba schema in my openldap (or do I?), I am not trying to use
> winbind and idmaps for translations from SID to UID/GID, I just want my
> samba server which shares linux home directories to authenticate
> user+password against my existing linux based openldap server.
>
> These are already POSIX accounts on the openldap server, so the UID and GID
> need no translation AFAIK
>
> All I want to do is have users log into the samba share with their openldap
> Linux accounts.
> unfortunately this is not working... at all.

You need the Samba schema in OpenLDAP and sambaSamAccount objects; Samba can't use the password attributes OpenLDAP uses natively.

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
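To make Volker's point concrete, here is an added example (not from the thread or from the Samba project) that audits an LDIF export of ou=People for posixAccount entries that lack the sambaSamAccount object class and generates the ldapmodify LDIF that would add it. The sample export, the domain SID placeholder and the uidNumber/gidNumber values are constructed; the RID values follow Samba 3's algorithmic mapping (user RID = 2*uid + 1000, group RID = 2*gid + 1001), which is assumed to match the server's `algorithmic rid base`.

```python
"""Audit a plain-POSIX LDAP export for Samba readiness (constructed example)."""
import base64

# Placeholder: take the real value from `net getlocalsid` on the Samba server.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed sample export: alice already carries sambaSamAccount, bob does not.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=domain,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 1001
gidNumber: 1001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002

dn: uid=bob,ou=People,dc=domain,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 1001
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank line ends an entry, '::' marks a base64 value.
    Folded continuation lines are not handled (ldapsearch -LLL output is enough)."""
    entries, cur = [], {}
    for raw in text.splitlines():
        if not raw.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if raw.startswith("#"):
            continue
        key, _, val = raw.partition(":")
        if val.startswith(":"):
            val = base64.b64decode(val[1:].strip()).decode()
        cur.setdefault(key, []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries

def user_rid(uid_number, base=1000):
    """Samba 3 algorithmic mapping for users (assumed here)."""
    return 2 * uid_number + base

def group_rid(gid_number, base=1000):
    """Samba 3 algorithmic mapping for groups (assumed here)."""
    return 2 * gid_number + base + 1

def missing_samba_entries(entries):
    """POSIX accounts that Samba's ldapsam backend cannot authenticate yet."""
    return [e for e in entries
            if "posixAccount" in e.get("objectClass", [])
            and "sambaSamAccount" not in e.get("objectClass", [])]

def samba_modify_ldif(entry, domain_sid=DOMAIN_SID):
    """ldapmodify input adding the Samba object class and SIDs to one entry.
    Password hashes are not written here; set them afterwards with smbpasswd."""
    uid, gid = int(entry["uidNumber"][0]), int(entry["gidNumber"][0])
    return ("dn: %s\nchangetype: modify\n"
            "add: objectClass\nobjectClass: sambaSamAccount\n-\n"
            "add: sambaSID\nsambaSID: %s-%d\n-\n"
            "add: sambaPrimaryGroupSID\nsambaPrimaryGroupSID: %s-%d\n-\n"
            "add: sambaAcctFlags\nsambaAcctFlags: [U          ]\n"
            % (entry["dn"][0], domain_sid, user_rid(uid), domain_sid, group_rid(gid)))
```

Feed the output to `ldapmodify` only after the Samba schema has been loaded into slapd, because the server rejects unknown object classes and attributes otherwise.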
Gaiseric Vandal
2011-Jun-08 13:48 UTC
[Samba] need recipe for samba to do user authentication against a centos 5.5 openldap server (NO IDMAPS! NO PDC!)
In most cases, your users will have separate unix and windows passwords. Assuming you have password sync working (various ways to do this) this will still appear to be a single password to the users.

Use something like Apache Directory Studio to verify that you can login to LDAP with the credentials specified to samba.

My smb.conf includes
-----------------------------------------------------------------------------------------------
workgroup = MYDOMAIN
server string = myserver
netbios name = MYSERVER
passdb backend = ldapsam:ldap://myldapserver.mydomain.com
domain logons = yes
preferred master = yes
domain master = yes
local master = yes
dns proxy = No
wins support = yes
ldap suffix=o=mydomain.com
ldap user suffix=ou=people
ldap machine suffix=ou=people
ldap admin dn="cn=Directory Manager"
ldap ssl = no
ldap passwd sync = no
passwd program = /etc/samba/smbldappasswd.sh %u
passwd chat =*New* %n\n *changed*
unix password sync = yes

[netlogon]
comment = Network Logon Service
path = /export/samba/netlogon
read only = no
guest ok = Yes
share modes = No
write list = @Administrators
-----------------------------------------------------------------------------------------------

The ldap admin is the built-in default ldap admin on my server.

You may need to explicitly create unix groups and group mappings for well-known windows groups:

net groupmap add ntgroup="Domain Admins" unixgroup=100512 rid=512 type=domain
net groupmap add ntgroup="Domain Users" unixgroup=100513 rid=513
net groupmap add ntgroup="Domain Guests" unixgroup=100514 rid=514
net groupmap add ntgroup="Domain Computers" unixgroup=100515 rid=515
net groupmap add ntgroup="Domain Controllers" unixgroup=100516 rid=516

You also need to create a unix account for the Administrator.

You will need unix and samba accts for each machine, including the PDC:

# smbpasswd -a -m MACHINENAME

And I think you need to join the domain:

net rpc join -S MYSERVER -W MYDOMAIN -U Administrator

My PDC is a solaris server.

I think on linux machines you may NOT want to include the quotes in the ldap admin acct name.

I couldn't get ldap password sync to work, so I use standard unix pw sync which calls an external script to handle setting the ldap pw's.

On 06/03/2011 10:46 PM, Clayton Hill wrote:
> Hi all,
>
> Please help Ive been wasting days at this...
> I am not trying to create a PDC, I am not joining an active directory, I am
> not needing samba schema in my openldap (or do I?), I am not trying to use
> winbind and idmaps for translations from SID to UID/GID, I just want my
> samba server which shares linux home directories to authenticate
> user+password against my existing linux based openldap server.
>
> These are already POSIX accounts on the openldap server, so the UID and GID
> need no translation AFAIK
>
> All I want to do is have users log into the samba share with their openldap
> Linux accounts.
> unfortunately this is not working... at all.
>
>
> Samba ver:
> samba3x-3.3.8-0.52.el5_5.2
> openldap ver:
> 2.3 (shouldnt matter)
>
>
> my smb.conf :
> -----------------------------------------------------------------------------------
>
> [global]
> server string = %h server
>
> passdb backend = ldapsam:ldap://ldap.domain.com
> # looks like this syntax is deprecated. Whats the correct syntax? smb.conf
> manpage is not making sense to me....
>
> security = user
> ldap passwd sync = yes
> # is this needed?
>
> ldap ssl = no
> ldap admin dn = cn=superadmin,dc=domain,dc=com
> ldap suffix = dc=domain,dc=com
> ldap user suffix = ou=People
> ldap group suffix = ou=Group
>
>
> [Shared]
> comment = Shared Directories
> path = /shared
> read only = No
> create mask = 0600
> directory mask = 0700
>
> --------------------------------------------------------------------------------------------------------------
> I then did
>
> smbpasswd -w myadmindnpasswd
>
>
> Im super confused as to why the above syntax isnt sufficient, and the howtos
> out there are all not very helpful and use depricated syntax....
>
> log level 2 snippet:
>
> -------------------------------------------------------------------------------------------------------------------------------------------
> [2011/06/03 19:25:00, 2] lib/smbldap_util.c:smbldap_search_domain_info(277)
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=SV3))]
> [2011/06/03 19:25:00, 2] lib/smbldap.c:smbldap_open_connection(796)
> smbldap_open_connection: connection opened
> [2011/06/03 19:25:00, 1] lib/smbldap_util.c:add_new_domain_info(233)
> add_new_domain_info: failed to add domain dn
> sambaDomainName=SV3,dc=domain,dc=com with: Invalid DN syntax
> invalid DN
> [2011/06/03 19:25:00, 0] lib/smbldap_util.c:smbldap_search_domain_info(310)
> smbldap_search_domain_info: Adding domain info for SV3 failed with
> NT_STATUS_UNSUCCESSFUL
> [2011/06/03 19:25:00, 2] passdb/pdb_ldap.c:pdb_init_ldapsam(6259)
> pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the
> domain
> pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new
> users/groups, and will risk BDCs having inconsistant SIDs
> -------------------------------------------------------------------------------------------------------------------------------------------
>
> this doesnt look good at all... btw the samba server's hostname is SV3, why
> is it using the syntax "domain dn= sambaDomainName=SV3,dc=domain,dc=com "
> this seems to no jive with what is in the smb.conf file, and I have no such
> entry for the hostname of this samba server "SV3" or the string "dn
> sambaDomainName" specified anywhere in the configuration... I could of
> course be interpreting this log incorrectly..
>
>
>
> please help! :-)
>
> Cheers,
> -Clayton