Prezados da Lista, Estou usando no Debian Sarge esquema de autenticação de rede Windows com Samba 3.0.6-3 e OpenLdap 2.1.30-3.
Enquanto utilizava o Samba 3.0.5 tudo corria bem. Os usuários autenticavam e tudo que configurei de mais complexo estava funcionando normalmente. Quando dei o último apt-get upgrade a versão do Samba subiu para 3.0.6 e tudo desandou. Como o schema muda de uma versão para outra atualizei o schema corrigindo os erros no log do ldap. Se cadastro uma máquina no samba tudo corre normalmente pelo Assistente do Windows XP. Após o boot é que as coisas pioram. O problema que surgiu foi que quando logo com o Windows XP na rede aparece o seguinte erro: "Não foi possível fazer logon no sistema. Verifique se o nome de usuário e o domínio estão corretos e digite a senha novamente. As letras das senhas devem ser digitadas levando-se em consideração maiúsculas e minúsculas." Desconfiado do Samba desativei o ldap e loguei direto com usuários criados diretamente no Samba. Desta vez o logon aconteceu com sucesso. Por isso me restou desconfiar do openldap ou de algum parâmetro com faltou ser compilado no Samba 3.0.6. Na tentativa de logon o log do ldap me retorna: Sep 13 17:43:26 localhost slapd[2679]: conn=75 op=10 SRCH base="dc=empresa,dc=com,dc=br" scope=2 filter="(&(uid=TESTE4$)(objectClass=sambaSamAccount))" Sep 13 17:43:26 localhost slapd[2679]: conn=75 op=10 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp Sep 13 17:43:26 localhost slapd[2679]: conn=75 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text= Sep 13 17:43:26 localhost slapd[2678]: conn=75 op=11 SRCH base="dc=empresa,dc=com,dc=br" scope=2 filter="(&(uid=TESTE4$)(objectClass=sambaSamAccount))" Sep 13 17:43:26 localhost slapd[2678]: conn=75 op=11 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp Sep 13 17:43:26 localhost slapd[2678]: conn=75 op=11 SEARCH RESULT tag=101 err=0 nentries=1 text= Sep 13 17:43:26 localhost slapd[2680]: conn=75 op=12 SRCH base="dc=empresa,dc=com,dc=br" scope=2 filter="(&(sambaSID=S-1-5-21-3961270634-907415745-1566956690-501)(objectClas s=sambaSamAccount))" Sep 13 17:43:26 localhost slapd[2680]: conn=75 op=12 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp Sep 13 17:43:26 localhost slapd[2680]: conn=75 op=12 SEARCH RESULT tag=101 err=0 nentries=0 text= Sep 13 17:43:26 localhost slapd[2679]: conn=76 op=7 SRCH base="dc=empresa,dc=com,dc=br" scope=2 filter="(&(objectClass=posixAccount)(uid=nobody))" Sep 13 17:43:26 localhost slapd[2679]: conn=76 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text= Sep 13 17:43:26 localhost slapd[2678]: conn=76 op=8 SRCH base="dc=conab,dc=gov,dc=br" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=nobody)(uniqueMember=uid=nobo dy,ou=matriz,dc=empresa,dc=com,dc=br)))" Sep 13 17:43:26 localhost slapd[2678]: conn=76 op=8 SRCH attr=gidNumber Sep 13 17:43:26 localhost slapd[2678]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18) Sep 13 17:43:26 localhost slapd[2678]: conn=76 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text= Sep 13 17:43:26 localhost slapd[2680]: conn=75 op=13 SRCH base="dc=conab,dc=gov,dc=br" scope=2 filter="(&(uid=Administrator)(objectClass=sambaSamAccount))" Sep 13 17:43:26 localhost slapd[2680]: conn=75 op=13 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp Sep 13 17:43:26 localhost slapd[2680]: conn=75 op=13 SEARCH RESULT tag=101 err=0 nentries=1 text= Sep 13 17:43:26 localhost slapd[2679]: conn=76 op=9 SRCH base="dc=conab,dc=gov,dc=br" scope=2 filter="(&(objectClass=posixAccount)(uid=Administrator))" Sep 13 17:43:26 localhost slapd[2679]: conn=76 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text= Sep 13 17:43:26 localhost slapd[2678]: conn=76 op=10 SRCH base="dc=conab,dc=gov,dc=br" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=Administrator)(uniqueMember=u id=administrator,ou=matriz,dc=empresa,dc=com,dc=br)))" Sep 13 17:43:26 localhost slapd[2678]: conn=76 op=10 SRCH attr=gidNumber Sep 13 17:43:26 localhost slapd[2678]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18) Sep 13 17:43:26 localhost slapd[2678]: conn=76 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text= Meu smb.conf está da seguinte forma: [global] workgroup = EMPRESA netbios name = DFBSA58 server string = Samba Server %v security = user encrypt passwords = True min passwd length = 6 obey pam restrictions = no ldap passwd sync = Yes log level = 256 syslog = 0 log file = /var/log/samba/log.%m max log size = 100000 time server = Yes socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 mangling method = hash2 Dos charset = 850 Unix charset = ISO8859-1 logon path = domain logons = Yes os level = 65 preferred master = Yes domain master = Yes wins support = Yes passdb backend = ldapsam:ldap://127.0.0.1/ # ldap filter = (&(objectclass=sambaSamAccount)(uid=%u)) ldap admin dn = cn=admin,dc=empresa,dc=com,dc=br ldap suffix = dc=empresa,dc=com,dc=br ldap group suffix = ou=grupos ldap user suffix = ou=matriz ldap machine suffix = ou=maquinas ldap idmap suffix = ou=Idmap ldap ssl = no add user script = /usr/local/sbin/smbldap-useradd -m "%u" ldap delete dn = Yes #delete user script = /usr/local/sbin/smbldap-userdel "%u" add machine script = /usr/local/sbin/smbldap-useradd -w "%u" add group script = /usr/local/sbin/smbldap-groupadd -p "%g" #delete group script = /usr/local/sbin/smbldap-groupdel "%g" add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g" delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g" set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u" # printers configuration printer admin = @"Print Operators" load printers = Yes create mask = 0640 directory mask = 0750 nt acl support = No printing = cups printcap name = cups deadtime = 10 #guest account = nobody #map to guest = Bad User dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd show add printer wizard = yes ; to maintain capital letters in shortcuts in any of the profile folders: preserve case = yes short preserve case = yes case sensitive = no [homes] comment = repertoire de %U, %u read only = No create mask = 0644 directory mask = 0775 browseable = No [netlogon] path = /home/netlogon/ browseable = No read only = yes [profiles] path = /home/profiles read only = no create mask = 0600 directory mask = 0700 browseable = No guest ok = Yes profile acls = yes csc policy = disable # next line is a great way to secure the profiles force user = %U # next line allows administrator to access all profiles valid users = %U "Domain Admins" [printers] comment = Network Printers printer admin = @"Print Operators" guest ok = yes printable = yes path = /home/spool/ browseable = No read only = Yes printable = Yes print command = /usr/bin/lpr -P%p -r %s lpq command = /usr/bin/lpq -P%p lprm command = /usr/bin/lprm -P%p %j [print$] path = /home/printers guest ok = No browseable = Yes read only = Yes valid users = @"Print Operators" write list = @"Print Operators" create mask = 0664 directory mask = 0775 [public] comment = Repertoire public path = /home/public browseable = Yes guest ok = Yes read only = No directory mask = 0775 create mask = 0664 Meu slapd.conf está assim: # This is the main slapd configuration file. See slapd.conf(5) for more # info on the configuration options. ####################################################################### # Global Directives: # Features to permit allow bind_v2 # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/samba.schema # Schema check allows for forcing entries to # match schemas for their objectClasses's schemacheck on # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd.args # Read slapd.conf(5) for possible values loglevel 256 # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_bdb ####################################################################### # Specific Backend Directives for bdb: # Backend specific directives apply to this backend until another # 'backend' directive occurs backend bdb ####################################################################### # Specific Backend Directives for 'other': # Backend specific directives apply to this backend until another # 'backend' directive occurs #backend <other> ####################################################################### # Specific Directives for database #1, of type bdb: # Database specific directives apply to this databasse until another # 'database' directive occurs database bdb # The base of your directory in database #1 suffix "dc=empresa,dc=com,dc=br" # Where the database file are physically stored for database #1 directory "/var/lib/ldap" # Indexing options for database #1 index objectClass eq # Save the time that the entry gets modified, for database #1 lastmod on # Where to store the replica logs for database #1 # replogfile /var/lib/ldap/replog # The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the # admin entry below # These access lines apply to database #1 only access to attribute=userPassword by dn="cn=admin,dc=empresa,dc=com,dc=br" write by anonymous auth by self write by * none # Ensure read access to the base for things like # supportedSASLMechanisms. Without this you may # have problems with SASL not knowing what # mechanisms are available and the like. # Note that this is covered by the 'access to *' # ACL below too but if you change that as people # are wont to do you'll still need this if you # want SASL (and possible other things) to work # happily. access to dn.base="" by * read # The admin dn has full write access, everyone else # can read everything. access to * by dn="cn=admin,dc=empresa,dc=com,dc=br" write by * read # For Netscape Roaming support, each user gets a roaming # profile for which they have write access to #access to dn=".*,ou=Roaming,o=morsnet" # by dn="cn=admin,dc=conab,dc=gov,dc=br" write # by dnattr=owner write ####################################################################### # Specific Directives for database #2, of type 'other' (can be bdb too): # Database specific directives apply to this databasse until another # 'database' directive occurs #database <other> # The base of your directory for database #2 #suffix "dc=debian,dc=org" index cn pres,sub,eq index sn pres,sub,eq index uid pres,sub,eq index displayName pres,sub,eq index uidNumber eq index gidNumber eq index memberUID eq index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq index default sub access to attrs=userPassword,sambaLMPassword,sambaNTPassword by self write by anonymous auth by * none Alguém também enfrentou este problema usando o Sarge? Já pesquisei por novos parâmetros de configuração e ainda não encontrei nenhuma novidade. Agradeço desde já qualquer ajuda. Gustavo