On 20/08/2012 11:13 AM, Qing Chang wrote:
we are migrating our standalone Samba server (3.0.14a) on a Solaris 10 box to
an RHEL 6.3 box.

Testing shows that on Solaris 3.0.14a works with both the OpenLDAP server
we are currently using and the IPA2.2 server as LDAP backend. But 3.5.10-125.el6
on a RHEL 6.3 box does not work with either.

I can still map a share with 3.5 as owner of the shared directory, but secondary
group ownership does not appear to resolve properly. Below is an excerpt of
log.smbd, with many noisy lines removed:
===== log.smbd for samba 3.5 =====
[2012/08/16 12:47:39.499996,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: qchang
[2012/08/16 12:47:39.528627,  3] passdb/pdb_ldap.c:5215(ldapsam_gid_to_sid)
  ERROR: Got 0 entries for gid 201, expected one
[2012/08/16 12:47:39.822830,  4] auth/auth_sam.c:180(sam_account_ok)
  sam_account_ok: Checking SMB password for user qchang
[2012/08/16 12:47:39.822931,  5] auth/auth_sam.c:162(logon_hours_ok)
  logon_hours_ok: user qchang allowed to logon at this time (Thu Aug 16 16:47:39 2012 )
[2012/08/16 12:47:39.839645,  3] passdb/pdb_ldap.c:3057(ldapsam_enum_group_memberships)
  primary group of [qchang] not found
[2012/08/16 12:47:39.840098,  5] auth/auth_util.c:649(make_server_info_sam)
  make_server_info_sam: made server info for user qchang -> qchang
[2012/08/16 12:47:39.840196,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/08/16 12:47:39.840284,  3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: sam authentication for user [QChang] succeeded
[2012/08/16 12:47:39.840916,  5] auth/auth.c:291(check_ntlm_password)
  check_ntlm_password:  PAM Account for user [qchang] succeeded
[2012/08/16 12:47:39.840994,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [QChang] -> [QChang] -> [qchang] succeeded
[2012/08/16 12:47:39.841072,  5] auth/auth_util.c:2119(free_user_info)
  attempting to free (and zero) a user_info structure
[2012/08/16 12:47:39.841148, 10] auth/auth_util.c:2123(free_user_info)
  structure was created for QChang
[2012/08/16 12:47:39.846308,  4] passdb/pdb_ldap.c:2562(ldapsam_getgroup)
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544))
[2012/08/16 12:47:39.852131,  3] auth/token_util.c:467(create_local_nt_token)
  Failed to fetch domain sid for RESEARCH
[2012/08/16 12:47:39.875509, 10] auth/token_util.c:531(debug_nt_user_token)
  NT user token of user S-1-5-21-3516781642-1962875130-3438800523-41232
  contains 5 SIDs
  SID[  0]: S-1-5-21-3516781642-1962875130-3438800523-41232
  SID[  1]: S-1-1-0
  SID[  2]: S-1-5-2
  SID[  3]: S-1-5-11
  SID[  4]: S-1-22-1-20117
  SE_PRIV  0x0 0x0 0x0 0x0
[2012/08/16 12:47:39.876009, 10] auth/token_util.c:551(debug_unix_user_token)
  UNIX token of user 20117
  Primary group is 201 and contains 0 supplementary groups
[2012/08/16 12:47:39.876370,  3] smbd/password.c:282(register_existing_vuid)
  register_existing_vuid: User name: qchang     Real name: Qing Chang
[2012/08/16 12:47:39.876457,  3] smbd/password.c:292(register_existing_vuid)
  register_existing_vuid: UNIX uid 20117 is UNIX user qchang, and will be vuid 100
[2012/08/16 12:47:39.877319,  3] smbd/password.c:223(register_homes_share)
  Adding homes service for user 'qchang' using home directory: '/home2/qchang'
[2012/08/16 12:47:40.614903,  3] smbd/service.c:1070(make_connection_snum)
  ws62203 connect to service IPC$ initially as user qchang (uid=20117, gid=201) (pid 6951)
=====

pdbedit -L has different output:

===== 3.0.14a =====
Trying to load: ldapsam:ldap://ipa1.sri.utoronto.ca
Attempting to find an passdb backend to match ldapsam:ldap://ipa1.sri.utoronto.ca (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=OCTANE))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
ldap_connect_system: LDAP server does support paged results
pdb backend ldapsam:ldap://ipa1.sri.utoronto.ca has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
ldapsam_setsampwent: 1507 entries in the base dc=sri,dc=utoronto,dc=ca
init_sam_from_ldap: Entry found for user: qchang
=====

===== 3.5.10-125.el6 =====
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
pdb backend ldapsam:ldap://ipa1.sri.utoronto.ca has a valid init
smbldap_search_paged: base => [dc=sri,dc=utoronto,dc=ca], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
smbldap_search_paged: search was successful
sid S-1-5-21-3516781642-1962875130-3438800523-41232 does not belong to our domain
Skipping entry uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
=====

Here is the smb.conf related to LDAP for both 3.0.14a and 3.5.10-125.el6:
=====
        security = user
        ldap admin dn = "cn=Directory Manager"
        ldap ssl = off
        passdb backend = ldapsam:ldap://ipa1.sri.utoronto.ca
        ldap delete dn = no
        ldap user suffix = cn=users,cn=accounts
        ldap group suffix = cn=groups,cn=accounts
        ldap suffix = dc=sri,dc=utoronto,dc=ca
        ldap passwd sync = Yes
=====

It appears to me that 3.5 tries to be a domain controller by default? Your advice is greatly appreciated.

Qing Chang

I thought these may help clarify the situation a bit more:

===== pdbedit -L -v qchang output for samba3.0.14 =====
init_sam_from_ldap: Entry found for user: qchang
Opening cache file at /usr/local/samba3014/var/locks/login_cache.tdb
Unix username:        qchang
NT username:          qchang
Account Flags:        [U          ]
User SID:             S-1-5-21-3516781642-1962875130-3438800523-41232
Primary Group SID:    S-1-5-21-1197990898-71428884-4196996049-513
Full Name:            Qing Chang
Home Directory:       \\octane\qchang
HomeDir Drive:
Logon Script:
Profile Path:         \\octane\qchang\profile
Domain:               OCTANE
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Mon, 18 Jan 2038 22:14:07 EST
Kickoff time:         Mon, 18 Jan 2038 22:14:07 EST
Password last set:    Tue, 14 Aug 2012 11:10:08 EST
Password can change:  Thu, 03 Nov 2011 10:55:32 EST
Password must change: Mon, 18 Jan 2038 22:14:07 EST
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
=====

===== pdb -L -v qchang output for samba 3.5 =====
init_sam_from_ldap: Entry found for user: qchang
ERROR: Got 0 entries for gid 201, expected one
ERROR: Got 0 entries for gid 201, expected one
ERROR: Got 0 entries for gid 201, expected one
Opening cache file at /var/lib/samba/login_cache.tdb
Unix username:        qchang
NT username:          qchang
Account Flags:        [U          ]
User SID:             S-1-5-21-3516781642-1962875130-3438800523-41232
Primary Group SID:    S-1-5-21-2087785539-322754622-381919433-513
Full Name:            Qing Chang
Home Directory:       \\smb2\qchang
HomeDir Drive:
Logon Script:
Profile Path:         \\smb2\qchang\profile
Domain:               SMB2
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Tue, 14 Aug 2012 11:10:08 EDT
Password can change:  Tue, 14 Aug 2012 11:10:08 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
=====
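
The two pdbedit runs above differ in the domain part of the Primary Group SID (RID 513 is "Domain Users", so the prefix is the server's own domain SID), while the User SID stored in LDAP keeps the S-1-5-21-3516781642-1962875130-3438800523 prefix on both boxes. The following is an added example, not code from the post or from Samba: it reproduces the membership check behind the "sid ... does not belong to our domain" message so an administrator can see, offline, which LDAP entries a given local domain SID would cause pdbedit to skip. The SIDs and the log fragment are copied from the post; the assumption that the 3.5 box's local domain SID is the Primary Group SID with the trailing 513 removed is mine (on a real system read it with `net getlocalsid`).

```python
import re

# Samples copied from the pdbedit output in the post above.
USER_SID = "S-1-5-21-3516781642-1962875130-3438800523-41232"
PRIMARY_GROUP_SID_30 = "S-1-5-21-1197990898-71428884-4196996049-513"   # 3.0.14a box
PRIMARY_GROUP_SID_35 = "S-1-5-21-2087785539-322754622-381919433-513"   # 3.5.10 box

# Constructed excerpt of the 3.5 `pdbedit -L` output, keeping the line wrap
# the mail client introduced after "our".
LOG_35 = """smbldap_search_paged: search was successful
sid S-1-5-21-3516781642-1962875130-3438800523-41232 does not belong to our 
domain
Skipping entry uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
"""

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...' into (authority, [sub-authorities])."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    return int(m.group(1)), subs


def domain_sid_of(sid):
    """Return the domain prefix (all but the final RID) of an NT domain SID.

    Only S-1-5-21-a-b-c-rid SIDs are domain-qualified. Well-known SIDs such as
    S-1-1-0 (Everyone) or S-1-5-11 (Authenticated Users) and the Unix-users
    mapping S-1-22-1-<uid> have no domain, so None is returned for them.
    """
    authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        return None
    return "S-1-5-21-%d-%d-%d" % tuple(subs[1:4])


def rid_of(sid):
    """Relative identifier: the last sub-authority."""
    return parse_sid(sid)[1][-1]


def belongs_to_domain(sid, local_domain_sid):
    """The test ldapsam applies before listing an account: same domain prefix."""
    return domain_sid_of(sid) == local_domain_sid


def skipped_sids_from_log(text):
    """Pull the SIDs that pdbedit reported as foreign, tolerating wrapped lines."""
    return re.findall(r"sid (S-[\d-]+) does not belong to our\s+domain", text)


def classify_entries(entries, local_domain_sid):
    """Map uid -> 'listed' or 'skipped' for (uid, sambaSID) pairs from LDAP."""
    return {
        uid: ("listed" if belongs_to_domain(sid, local_domain_sid) else "skipped")
        for uid, sid in entries
    }


if __name__ == "__main__":
    # Assumption: the local domain SID of each box is its Domain Users SID minus RID 513.
    local_30 = domain_sid_of(PRIMARY_GROUP_SID_30)
    local_35 = domain_sid_of(PRIMARY_GROUP_SID_35)
    print("user SID domain :", domain_sid_of(USER_SID))
    print("3.0 local domain:", local_30, classify_entries([("qchang", USER_SID)], local_30))
    print("3.5 local domain:", local_35, classify_entries([("qchang", USER_SID)], local_35))
    print("skipped in log  :", skipped_sids_from_log(LOG_35))
```

With this inferred local SID neither box matches the prefix stored in the LDAP entry, which is consistent with the 3.0.14a server reading its domain SID from somewhere else (the sambaDomain entry it searches for in the 3.0 pdbedit output) while the 3.5 server compares against a SID of its own. The SID that the directory entries carry is the one the new server needs to treat as local; comparing `net getlocalsid` on both boxes against the prefix printed by this script shows which of them is out of step.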
