[Samba] pGINA and samba - authentication against LDAP userPassword field?
Hi,

A while ago, someone mentioned taking pGINA code into Samba, so that Samba can work with LDAP authentication but, instead of using sambaNTPassword and sambaLMPassword, use the userPassword field directly. This sounds very promising because we can then use just one set of passwords. It may not be usable in a domain environment, where machine accounts and other complex stuff are difficult to handle. But it is perfectly okay for a single Linux machine in workgroup mode. It can even provide user authentication to other Windows boxes with pGINA installed and configured.

Here is the original thread that discussed this:
http://lists.samba.org/archive/samba/2005-March/101660.html

I am wondering where the Samba team currently stands on this issue? Or is anyone else interested in this?

Thanks,
JX

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Solved: [Samba] ldapsam backend for standalone server - is it possible?
Hi, List,

Now this works, as expected. Top-posted here for a simple confirmation.

Once I rebooted the samba+ldap server, everything started working. So maybe it was just cached ldap indexes together with the cached samba info that blocked the authentication.

Thanks,
J

--- J Xu [EMAIL PROTECTED] wrote:
> --- Volker Lendecke [EMAIL PROTECTED] wrote:
> > On Thu, May 10, 2007 at 08:58:44PM +1000, Andrew Bartlett wrote:
> > > > 1) I know how to set up a standalone server with tdbsam backend and I can set up a ldapsam based domain controller. Just that I couldn't get a standalone server with ldapsam backend.
> > >
> > > I always hoped this kind of thing would work, but I don't think anybody ever tests it...
> >
> > Wait a second -- LDAP has nothing to do with DC or not. I would be very surprised if this did not work.
>
> That is what I had thought. But I just could not get it to work - always got login failure: no matter how I set sambaSID/sambaPrimaryGroupSID values according to different sambaDomain values; no matter if I deleted and recreated secrets.tdb and/or other cached samba TDBs in /var/lib/samba directory.
>
> I am running Debian Etch with samba v3.0.24 by the way. I also tried with CentOS v4.4 with samba v3.0.10, with the same error.
Re: [Samba] ldapsam backend for standalone server - is it possible?
--- Volker Lendecke [EMAIL PROTECTED] wrote:
> On Thu, May 10, 2007 at 08:58:44PM +1000, Andrew Bartlett wrote:
> > > 1) I know how to set up a standalone server with tdbsam backend and I can set up a ldapsam based domain controller. Just that I couldn't get a standalone server with ldapsam backend.
> >
> > I always hoped this kind of thing would work, but I don't think anybody ever tests it...
>
> Wait a second -- LDAP has nothing to do with DC or not. I would be very surprised if this did not work.

That is what I had thought. But I just could not get it to work - always got login failure: no matter how I set sambaSID/sambaPrimaryGroupSID values according to different sambaDomain values; no matter if I deleted and recreated secrets.tdb and/or other cached samba TDBs in /var/lib/samba directory.

I am running Debian Etch with samba v3.0.24 by the way. I also tried with CentOS v4.4 with samba v3.0.10, with the same error.

Note that it works when I set the samba server as a PDC or BDC, with LDAP backend, but I do notice that I need to wait for a while before I can actually access the samba shares. I did not figure out the exact time I need to wait, but it worked after a few hours' waiting. This delay is necessary even when I tried accessing from localhost (i.e., smbclient //localhost/username on the samba+ldap server), even when I start setting up a new domain and clear all cached samba TDBs.

The official samba docs mention a delay (from 5 to 45 minutes? can't remember exactly), but that delay is necessary for network browsing. For my case I tried with wins support on the server, and I even tried to add entries into the /etc/samba/lmhosts file, and I can confirm there is no delay for name resolution by checking the /var/lib/samba/wins.dat file.

Additionally, if I tried to set up a samba standalone server, with ldapsam backend, even if I wait overnight, the samba login still gave me the same error. So I am not sure if the time delay is a related issue.

So at the moment I am stuck with the incomplete domain mode setup, in order to get the samba authentication to work. I really wish to switch to a workgroup mode, am still trying...

Would appreciate any help or suggestion.

Thanks,
J
[Samba] ldapsam backend for standalone server - is it possible?
Hi, List,

I am wondering if it is possible to set up a standalone server with ldapsam backend. I mean, not to set it up as a domain controller; ideally I don't want a windows domain but would like to stick with the windows workgroup mode. All the official samba documents and other docs on the web are for setting it up as a [primary|backup] domain controller.

Below I list the minimal working samba configuration:

    [global]
    workgroup = MYGROUP
    netbios name = LDAPSMB
    server string = Samba Server
    security = user
    passdb backend = ldapsam:ldap://127.0.0.1/
    log file = /var/log/samba/%m.log
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    printcap name = /etc/printcap
    dns proxy = No
    ldap admin dn = cn=admin,dc=mydomain,dc=com
    ldap suffix = dc=mydomain,dc=com
    ldap group suffix = ou=Groups
    ldap user suffix = ou=People
    idmap uid = 1-2
    idmap gid = 1-2
    cups options = raw
    local master = yes
    preferred master = yes
    os level = 33
    domain master = yes
    domain logons = yes

    [homes]
    comment = Home Directories
    read only = No
    browseable = No

    [netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    share modes = No

    [profiles]
    path = /home/samba/profiles
    browseable = No

    [printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

This setup is more or less for a backup domain controller. If I remove the domain master = yes and domain logons = yes directives and the netlogon and profiles shares, I then cannot log in - smbclient //localhost/testuser would give an error like this:

    session setup failed: NT_STATUS_LOGON_FAILURE

Any help please?

PS:

1) I know how to set up a standalone server with tdbsam backend and I can set up a ldapsam based domain controller. Just that I couldn't get a standalone server with ldapsam backend.

2) I've put effort into making sure I have proper SIDs in my ldap database. During attempts to set up a standalone server, I tried to change all user/group SIDs to the local domain (i.e., the one got with net getlocalsid), of course with appropriate RIDs appended. And of course the domain SID (i.e., the one got with net getdomainsid mygroup) only worked when I set the samba server as domain controller. I even tried to start with a clean ldap database and empty samba secrets.tdb.
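Added example, not part of the original post and not Samba code: one way to check the SID condition the message above describes, namely that each account's sambaSID and sambaPrimaryGroupSID is the server's SID (as printed by net getlocalsid) with a RID appended. The LDIF entries, SID values and function names are constructed for illustration.

```python
import re

# Constructed sample data (not from the post): a local SID and ldapsearch-style LDIF.
LOCAL_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_LDIF = """\
dn: uid=testuser,ou=People,dc=mydomain,dc=com
uid: testuser
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3000
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: uid=olduser,ou=People,dc=mydomain,dc=com
uid: olduser
sambaSID: S-1-5-21-9999999999-8888888888-7777777777-3002
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: uid=nosid,ou=People,dc=mydomain,dc=com
uid: nosid
"""

SID_ATTRS = ("sambaSID", "sambaPrimaryGroupSID")

def parse_ldif(text):
    """Split simple (unfolded, non-base64) LDIF into a list of attribute dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                entry.setdefault(key, []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def sid_problems(entries, local_sid):
    """Return (dn, attribute, reason) for a missing sambaSID or any foreign SID."""
    rid_form = re.compile(re.escape(local_sid) + r"-\d+$")
    problems = []
    for entry in entries:
        dn = entry.get("dn", ["?"])[0]
        for attr in SID_ATTRS:
            values = entry.get(attr, [])
            if attr == "sambaSID" and not values:
                problems.append((dn, attr, "missing"))
            for value in values:
                if not rid_form.match(value):
                    problems.append((dn, attr, "not local SID + RID: " + value))
    return problems
```

Calling sid_problems(parse_ldif(SAMPLE_LDIF), LOCAL_SID) lists olduser (SID from another domain) and nosid (no sambaSID); testuser passes.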
Re: [Samba] question re multiple backends and the 'guest' backend
> > I keep most of samba users in an ldap database while still maintaining a few users locally. This gave me the flexibility that those users do not depend on ldap.
>
> Exactly what I wanted to do. Actually I'm on Debian Sarge and have all my Samba users defined locally.

skipped

> But I can't do it, since I still need my 2/3 days a year local user accounts, and newer releases of Samba don't allow me to do this (if I understand correctly). So my choice is :

skipped

> or :
> - ? Drop Samba (just joking)

In the samba v3.0.23 release notes, the samba developers direct people to the SQL passdb module, now maintained by a third party, http://pdbsql.sourceforge.net/. I read that the project tries to provide an external module to re-enable the feature for samba; in particular the pdb_multi module enables samba to have multiple passdb backends. However, the latest version is for samba v3.0.23, while on Debian etch we have v3.0.24. Some people asked if the module works with samba v3.0.24 but got no answer. I'll probably have a try myself.

> This really sucks especially because at the system level user accounts CAN come from different places in a chained configuration with the help of /etc/nsswitch.conf

Exactly. With nsswitch.conf and pam, we can arrange our system accounts in this flexible way. I really wish to have similar flexibility for samba accounts.

> Is there any good reason to have made this change ? Is there any plan to reintroduce the functionality at a later date ?

Count my vote to re-introduce this feature.

Thanks,
J
Re: [Samba] question re multiple backends and the 'guest' backend
> > We also removed the support for multiple passdb backends in latest versions of samba IIRC, so passdb backend should never list more than 1 backend.
>
> Does this mean it's not possible anymore to have most users coming from an LDAP server, and to have additional local users (because they can't be added to the LDAP server which is managed by other people, for example) ? If this is not possible anymore this sucks.

I am in exactly the situation Jerome described. I keep most of samba users in an ldap database while still maintaining a few users locally. This gave me the flexibility that those users do not depend on ldap.

I checked the release notes; the support for multiple backends in a chained configuration was dropped in v3.0.23. This is really bad as we planned to upgrade to Debian etch which has v3.0.24 (I tested and can confirm that mixing multiple backends together is not supported).

Just wonder if there is any sound reason why this feature is dropped, other than maybe making adding users/groups/machines complicated for a PDC configuration? Is there any plan to re-enable this feature sometime later?

Thanks,
J