Re: [Samba] LDAP authentication doesn't refresh
Hi - I have solved this, or probably better put, understand it better now.

The issue is that samba seems to open a service even when a user is denied access to the shared directory represented by that service. So if user jtony, who is not a member of group hamcity, tries to access /server/hamcity, jtony will be denied access. But running

    >smbstatus

shows that this service is now connected, even though the user jtony cannot have access to it.

What then seems to be true is that while that service is open samba won't recheck the user's credentials for changes. If you close the service

    >./smbcontrol close-share hamcity

then smbd WILL ask for the user's *nix credentials when jtony tries to connect again. If changes have taken place to group membership then these will be reflected in samba's response.

Thanks
Tony

On 28 November 2011 11:19, tony archibald wrote:
> OS = RHEL 5
> samba version 3.4.15
> OpenLdap 2.3.43
>
> Hi, I am struggling with this problem at the very end of deploying a
> samba/ldap solution (currently not doing any domain stuff). It all seems to
> be working except that when I modify a user by adding the user to a new group
> (unix group) this change is not reflected in samba shares. The opposite is
> also true.
>
> For example the directory listing is
> drwxrwx--- 2 root hamcity 4096 Nov 22 10:51 hamcity
>
> The share is defined in smb.conf as
> [hamcity]
> path = /export/hamcity
> users = +hamcity
>
> I have a user jtony (initially not a member of the group hamcity).
> I add jtony to the group hamcity with
> >smbldap-usermod -G +hamcity
> or using the open source "LDAP Admin" tool.
>
> At this point jtony cannot access the share \\server\hamcity
>
> but after I restart the smb service jtony now has access to
> \\server\hamcity.
>
> The big question I have is, "Is this behavior by design?" If not, "how do
> I force samba to pick up changes in the LDAP directory without restarting
> the slapd service?"
>
> I hope someone can help. I have come so far with this and it hasn't been
> easy, I'd hate to have to give up on what seems like a great open source
> solution because of this one stumbling block.
> Hoping the issue is my ignorance
>
> regards Tony

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] LDAP authentication doesn't refresh
OS = RHEL 5
samba version 3.4.15
OpenLdap 2.3.43

Hi, I am struggling with this problem at the very end of deploying a samba/ldap solution (currently not doing any domain stuff). It all seems to be working except that when I modify a user by adding the user to a new group (unix group) this change is not reflected in samba shares. The opposite is also true.

For example the directory listing is

drwxrwx--- 2 root hamcity 4096 Nov 22 10:51 hamcity

The share is defined in smb.conf as

[hamcity]
path = /export/hamcity
users = +hamcity

I have a user jtony (initially not a member of the group hamcity). I add jtony to the group hamcity with

    >smbldap-usermod -G +hamcity

or using the open source "LDAP Admin" tool.

At this point jtony cannot access the share \\server\hamcity

but after I restart the smb service jtony now has access to \\server\hamcity.

The big question I have is, "Is this behavior by design?" If not, "how do I force samba to pick up changes in the LDAP directory without restarting the slapd service?"

I hope someone can help. I have come so far with this and it hasn't been easy, I'd hate to have to give up on what seems like a great open source solution because of this one stumbling block.
Hoping the issue is my ignorance

regards Tony
[Samba] LDAP Authentication (Linux Documentation Wiki)
A few months ago, I posted about a "Linux Documentation Wiki" I created at my company. Well, it's moved. It's now here:

http://linuxwiki.riverworth.com/

There isn't much on it yet except for my wonderful, excellent, fantastic, "LDAP Authentication" document:

http://linuxwiki.riverworth.com/index.php/LDAP_Authentication

Okay, perhaps I'm exaggerating the quality a touch! I'm hoping the linux community will help it grow into something that really is wonderful, excellent, fantastic, and maybe even _complete_!

Brian ( [EMAIL PROTECTED] )
---
Watch your thoughts, for they become words. Choose your words, for they become actions. Understand your actions, for they become habits. Study your habits, for they become your character. Develop your character, for it becomes your destiny
[Samba] samba+ldap: authentication problem.
Hello Group,

I am using RH9, samba-3.-.22, and I have openldap-2.3.11 on another machine. Using mkntpwd I got NT/LM passwords and gave its output in the ldif file for the sambaNTPassword and sambaLMPassword attribute types. When I tried to authenticate by giving the username and plain text equivalent of the NT/LM password, I got the following error:

session setup failed: NT_STATUS_LOGON_FAILURE.

Pls tell me the reason why I am getting the error. (For adding users I am not using the smbldap-tools package.)

Also, please clarify for me whether the object class for samba users is sambaAccount or sambaSamAccount, coz some websites specify sambaAccount.

regards,
krishnam
Re: [Samba] ldap authentication without 'ldap filter' parameter
OK, it seems to work better: the 'nss_map_attribute uid iufmLogin' tells the system to look at 'iufmLogin' instead of 'uid'.

I will work out the filters, but I'm on a good way.

Thank you so much :-)

Gordon Messmer wrote:
> Norbert Gomes wrote:
> > After some search, I read that I have to configure nss_ldap. But I don't know how to configure it properly to operate with our LDAP database.
> >
> > Let me explain:
> >
> > We used the 'ldap filter' parameter like this:
> >
> > ldap filter = (&(iufmLogin=%u)(gecos=#*))
>
> I think you want to use these settings in ldap.conf:
>
> nss_base_passwd ou=People,dc=example,dc=com?one?gecos=#*
> nss_map_attribute uid iufmLogin
> pam_login_attribute iufmLogin
>
> I'm not sure whether or not pam_login_attribute is strictly required. I'd try with just the first two settings, and leave it at that if things work as you expect.
Re: [Samba] ldap authentication without 'ldap filter' parameter
Norbert Gomes wrote:
> After some search, I read that I have to configure nss_ldap. But I don't know how to configure it properly to operate with our LDAP database.
>
> Let me explain:
>
> We used the 'ldap filter' parameter like this:
>
> ldap filter = (&(iufmLogin=%u)(gecos=#*))

I think you want to use these settings in ldap.conf:

nss_base_passwd ou=People,dc=example,dc=com?one?gecos=#*
nss_map_attribute uid iufmLogin
pam_login_attribute iufmLogin

I'm not sure whether or not pam_login_attribute is strictly required. I'd try with just the first two settings, and leave it at that if things work as you expect.
Re: [Samba] ldap authentication without 'ldap filter' parameter
Thank you for your reply Bill.

This module doesn't seem to be implemented in the openLDAP 2.2 release and I can't modify our existing LDAP database. But I'll think of it if we decide to change the openLDAP release.

What I would like to know is whether it's possible to redefine the 'ldap filter' parameter somewhere other than in the smb.conf file?

Thanks
Norbert

William Jojo wrote:
> - Original Message -
> From: "Norbert Gomes" <[EMAIL PROTECTED]>
> To: "samba"
> Sent: Wednesday, February 08, 2006 5:46 AM
> Subject: [Samba] ldap authentication without 'ldap filter' parameter
>
> > Hello
> >
> > I'm trying to update samba from 3.0.11 to 3.0.21 and I noticed that the 'ldap filter' parameter has been removed.
> > After some search, I read that I have to configure nss_ldap. But I don't know how to configure it properly to operate with our LDAP database.
> >
> > Let me explain:
> >
> > We used the 'ldap filter' parameter like this:
> >
> > ldap filter = (&(iufmLogin=%u)(gecos=#*))
>
> Well, I understand your position. Tree management can be tough. What you could look at if you are using OpenLDAP is:
>
> http://www.openldap.org/software/man.cgi?query=slapo-rwm&sektion=5&apropos=0&manpath=OpenLDAP+2.3-Release
>
> This is the rewrite module. It allows you to remap attributes and create conditional changes to client searches and server replies. It works for updates as well, so it's not just smoke and mirrors. This *might* help you out of your jam.
>
> I looked at this for our installation (we have a single tree that's used among several DC's with trusts), but with the impending changes for enumerating group RIDs, our own use of group mappings, future AD (read Samba 4) implementation and other political considerations, I've decided to script a tree transform instead.
>
> Cheers,
> Bill
>
> > Our authentication is based on the 'iufmLogin' attribute (we cannot use the 'uid' attribute) and the gecos has to start with the '#' character for the user to be authenticated.
> >
> > But my problem is that I can't configure the /etc/ldap.conf file to use these filters.
> >
> > I tried to put this in the /etc/ldap.conf file:
> >
> > pam_filter iufmLogin=%s
> > pam_login_attribute iufmLogin
> >
> > But the system seems to ignore these filters and it only uses the 'uid' attribute when I try the 'getent passwd' command.
> >
> > Can someone explain to me how to do this correctly?
> >
> > Thanks
> > Norbert Gomes
Re: [Samba] ldap authentication without 'ldap filter' parameter
- Original Message -
From: "Norbert Gomes" <[EMAIL PROTECTED]>
To: "samba"
Sent: Wednesday, February 08, 2006 5:46 AM
Subject: [Samba] ldap authentication without 'ldap filter' parameter

> Hello
>
> I'm trying to update samba from 3.0.11 to 3.0.21 and I noticed that the
> 'ldap filter' parameter has been removed.
> After some search, I read that I have to configure nss_ldap. But I don't
> know how to configure it properly to operate with our LDAP database.
>
> Let me explain:
>
> We used the 'ldap filter' parameter like this:
>
> ldap filter = (&(iufmLogin=%u)(gecos=#*))
>

Well, I understand your position. Tree management can be tough. What you could look at if you are using OpenLDAP is:

http://www.openldap.org/software/man.cgi?query=slapo-rwm&sektion=5&apropos=0&manpath=OpenLDAP+2.3-Release

This is the rewrite module. It allows you to remap attributes and create conditional changes to client searches and server replies. It works for updates as well, so it's not just smoke and mirrors. This *might* help you out of your jam.

I looked at this for our installation (we have a single tree that's used among several DC's with trusts), but with the impending changes for enumerating group RIDs, our own use of group mappings, future AD (read Samba 4) implementation and other political considerations, I've decided to script a tree transform instead.

Cheers,
Bill

>
> Our authentication is based on the 'iufmLogin' attribute (we cannot use
> the 'uid' attribute) and the gecos has to start with the '#' character
> for the user to be authenticated.
>
> But my problem is that I can't configure the /etc/ldap.conf file to use
> these filters.
>
> I tried to put this in the /etc/ldap.conf file:
>
> pam_filter iufmLogin=%s
> pam_login_attribute iufmLogin
>
> But the system seems to ignore these filters and it only uses the 'uid'
> attribute when I try the 'getent passwd' command.
>
> Can someone explain to me how to do this correctly?
>
> Thanks
>
> Norbert Gomes
[Samba] ldap authentication without 'ldap filter' parameter
Hello

I'm trying to update samba from 3.0.11 to 3.0.21 and I noticed that the 'ldap filter' parameter has been removed. After some search, I read that I have to configure nss_ldap. But I don't know how to configure it properly to operate with our LDAP database.

Let me explain:

We used the 'ldap filter' parameter like this:

ldap filter = (&(iufmLogin=%u)(gecos=#*))

Our authentication is based on the 'iufmLogin' attribute (we cannot use the 'uid' attribute) and the gecos has to start with the '#' character for the user to be authenticated.

But my problem is that I can't configure the /etc/ldap.conf file to use these filters.

I tried to put this in the /etc/ldap.conf file:

pam_filter iufmLogin=%s
pam_login_attribute iufmLogin

But the system seems to ignore these filters and it only uses the 'uid' attribute when I try the 'getent passwd' command.

Can someone explain to me how to do this correctly?

Thanks

Norbert Gomes
Re: [Samba] ldap authentication fails
Well, as it turns out our problem was with the sambaSID values in ldap. Apparently Samba 3.0 wants the full SID value in those fields (sambaSID, and sambaGroupSID) for any user. We only had the last 4 digits, which are the unique digits for us (I'm not sure if the amount of digits at the end can change). Once we set up the users with the full Samba SID we were able to execute every Samba command without a problem.

Thanks for the help

On 1/23/06, Gordon Messmer <[EMAIL PROTECTED]> wrote:
> Andy Kesterson wrote:
> >
> > The problem that we are having is when Samba has the "encrypt
> > passwords" option enabled, we receive a "session setup failed:
> > NT_STATUS_LOGON_FAILURE" message. When "encrypt passwords" is disabled
> > the login is successful.
> ...
> > We have set up Samba, OpenLDAP, and PAM to use MD5 as their hashing
> > function.
>
> When "encrypt passwords" is disabled, and the client is appropriately
> configured, the client will establish a session by sending its username
> and password, both in plain text. With the plain text password from the
> client, the server can use PAM to authenticate the user.
>
> However, if you don't want to reconfigure all of your Windows desktops,
> and you don't want your passwords sent across the network in plain text
> for each connection, you should have "encrypt passwords" turned on. In
> this configuration, the client and server engage in a challenge-response
> conversation to authenticate the users. To do that, the server needs to
> have the plain-text equivalent of the user's password. If you had a
> smbpasswd file before converting to LDAP, you can use that to get the
> values that you need. If not, then you'll need all of your users to set
> their password. However you choose to solve that problem, you need to
> make sure that in addition to the "userPassword" attribute, each user
> has a "sambaLMPassword" and a "sambaNTPassword" attribute. The values
> for those two attributes can be formed using the "mkntpwd" program, if
> you want to script the password changes.
>
> Be careful to configure your LDAP server such that users can not read
> the sambaLMPassword and sambaNTPassword attributes from the server.
> Those values are plain-text equivalents, and could be used to log in as
> the user to whom they belong.
Re: [Samba] ldap authentication fails
Andy Kesterson wrote:
> The problem that we are having is when Samba has the "encrypt passwords" option enabled, we receive a "session setup failed: NT_STATUS_LOGON_FAILURE" message. When "encrypt passwords" is disabled the login is successful.
...
> We have set up Samba, OpenLDAP, and PAM to use MD5 as their hashing function.

When "encrypt passwords" is disabled, and the client is appropriately configured, the client will establish a session by sending its username and password, both in plain text. With the plain text password from the client, the server can use PAM to authenticate the user.

However, if you don't want to reconfigure all of your Windows desktops, and you don't want your passwords sent across the network in plain text for each connection, you should have "encrypt passwords" turned on. In this configuration, the client and server engage in a challenge-response conversation to authenticate the users. To do that, the server needs to have the plain-text equivalent of the user's password. If you had a smbpasswd file before converting to LDAP, you can use that to get the values that you need. If not, then you'll need all of your users to set their password. However you choose to solve that problem, you need to make sure that in addition to the "userPassword" attribute, each user has a "sambaLMPassword" and a "sambaNTPassword" attribute. The values for those two attributes can be formed using the "mkntpwd" program, if you want to script the password changes.

Be careful to configure your LDAP server such that users can not read the sambaLMPassword and sambaNTPassword attributes from the server. Those values are plain-text equivalents, and could be used to log in as the user to whom they belong.
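The two checks raised in this exchange (hash attributes that ordinary users must not be able to read, and sambaSID values that must be full SIDs rather than a trailing RID), as an added Python example that is not part of the original thread. It audits LDIF text such as an unprivileged ldapsearch would return; the function names are illustrative, and the sample entries, DNs and hash values are constructed.

```python
import base64
import re

# Attributes that act as login secrets; per the message above, the Samba
# hashes are plain-text equivalents.
SECRET_ATTRS = {"sambalmpassword", "sambantpassword", "userpassword"}
# Attributes that must carry a complete SID string, not only the trailing RID.
SID_ATTRS = {"sambasid", "sambaprimarygroupsid"}
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

# Constructed sample: what an unprivileged bind might get back. Nothing here
# is taken from the thread; the hash value is a made-up placeholder.
SAMPLE_LDIF = """\
# constructed sample, not taken from the thread
dn: uid=alice,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3000
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: uid=bob,ou=Users,dc=exa
 mple,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob
sambaSID: 3002
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
userPassword:: e1NTSEF9eA==
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {lowercased attribute: [values]} dicts."""
    # Unfold continuation lines: a line starting with one space continues
    # the previous non-blank line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1] != "":
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    # Drop header records such as "version: 1" that carry no dn.
    return [e for e in entries if "dn" in e]


def audit_entries(ldif_text, bind_is_privileged=False):
    """Return (dn, attribute, problem) tuples for the two checks."""
    findings = []
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        # A secret attribute showing up at all in an unprivileged search
        # means the directory ACLs let that bind read it.
        if not bind_is_privileged:
            for attr in sorted(entry.keys() & SECRET_ATTRS):
                findings.append((dn, attr, "readable by unprivileged bind"))
        # SID attributes must be in full S-1-... form.
        for attr in sorted(entry.keys() & SID_ATTRS):
            for value in entry[attr]:
                if not SID_RE.match(value):
                    findings.append((dn, attr, "not a full SID: %r" % value))
    return findings


if __name__ == "__main__":
    for dn, attr, problem in audit_entries(SAMPLE_LDIF):
        print("%s: %s: %s" % (dn, attr, problem))
```

Run it against the output of a search made with an ordinary user's bind, not the Manager DN; pass bind_is_privileged=True when checking an administrative dump for SID format only.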
[Samba] ldap authentication fails
Hi folks,

We are using Samba 3.0.10 and are using OpenLdap to manage users. We are also using PAM to track the users on the computer.

The problem that we are having is when Samba has the "encrypt passwords" option enabled, we receive a "session setup failed: NT_STATUS_LOGON_FAILURE" message. When "encrypt passwords" is disabled the login is successful.

When we left work Friday we thought that there was a different encryption method being used between Samba and ldap. However, that doesn't seem to be the case now, but we are not certain of that. We have set up Samba, OpenLDAP, and PAM to use MD5 as their hashing function.

This is the setup of our smb.conf global section:

[global]
ldap ssl = no
name resolve order = wins lmhosts hosts bcast
passwd chat = *new*password %n\n *new*password %n\n *successfully*
idmap gid = 16777216-33554431
passwd program = /usr/local/sbin/smbldap-passwd -o %u
allow hosts = 192.168.5.0/24 192.168.10.0/24 192.168.14.0/24 127.0.0.0/8
dns proxy = no
netbios name = *
idmap uid = 16777216-33554431
local master = yes
workgroup = *
os level = 65
security = user
max log size = 50
log file = /var/log/samba/%m.log
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#Make sure that passwords are not empty, & do not encrypt until we
#figure out what is going on with the encryption
null passwords = no
encrypt passwords = yes
#encrypt passwords = no
#SET TO update unix passwd
unix password sync = yes
update encrypted = yes
#Set as master Samba server
domain master = yes
winbind use default domain = no
passdb backend = ldapsam:ldap://127.0.0.1/
template shell = /bin/false
wins support = yes
server string = * Samba Server
ldap admin dn = "cn=Manager,dc=*,dc=*"
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
path = /home
ldap suffix = dc=*,dc=*
add user script = /usr/local/sbin/smbldap-useradd -w %u
valid users = @"Domain Admins",@"Domain Users"
preferred master = yes
domain logons = yes
logon script = STARTUP.BAT
logon path = \\%N\Profiles\%U
#ldap passwd sync = only
smb passwd file = /etc/samba/smbpasswd
[Samba] LDAP authentication and server name
Hello,

I am running Samba 3.0.10 under Debian. I have the Samba server running with security=ADS, and I can save files to Samba shares with my windows credentials. We now have some users that need to save files to a share using their UNIX user permissions. To this end, I have set up an LDAP password back end with OpenLDAP 2.1.30, and populated the database with the IDEALX smbldap-tools. So I can now connect to a share on the Samba server with my windows login, or by connecting as a different user name, and using SAMBASERVER\unix-id as my login. If I connect as my UNIX id, then files are saved with the proper UNIX permissions.

Now comes the real problem, having shares mapped to the same Samba server with *both* your UNIX and Windows credentials. Since Windows does not (as far as I can tell) allow you to authenticate to the same server with different id's, the workaround is to set up DNS aliases for the Samba server. That way, for instance, you connect to 'winserver' with your windows credentials, and 'unixserver' with your UNIX credentials. Bear in mind again that both these DNS names point at the same server.

Unfortunately, I can only authenticate via LDAP to the server name that is in the netbios name = field in smb.conf (or the hostname if I don't specify netbios name). I have added a netbios aliases entry, but I can't authenticate against that server name.

Is there a way to authenticate against a LDAP server via Samba using multiple hostnames? For instance SAMBASERVER\unix-id and ALIAS\unix-id?

TIA
--
Mike
Re: [Samba] LDAP authentication only with SAMBA
Hi!

Well, I'll give you my point of view according to what I have understood in howto-collection and my samba experience:

Using LDAP, Samba distinguishes two things:
-a) authentication against the UN*X account
-b) all the other SAMBA-accounting data (expiration, ntpassword, lmpassword, ...).

No matter if you use ldapsam, the users will still have to be authenticated against the UN*X accounts database. So, if you use NSS + PAM + LDAP you can have those credentials checked against the LDAP (using pamldap or pamunix) (pamunix is preferred because the passwd moves encrypted through the network).

This way you can avoid using the LDAP posix scheme and put all SAMBA-accounting data on your files (smbpasswd...) and do the first authentication against LDAP (posixaccount...), but you have to remember that you always have to check LMPassword and NTPassword, which should also be set, and they are part of SAMBA accounting data. So, you'll have to set and change users' passwords both in LDAP and the smbpassword file.

This way I can't find any advantage in keeping ldap authentication but still having data in the smbpasswd file. If you are going to authenticate against LDAP I think it is better to put all the data also on LDAP and it will be easier for you to maintain your accounting database.

Hope it helps, James!

Adam Tauno Williams wrote:
> > This question has probably been asked before, but I would like to ask it again. I know all about LDAP authentication between samba and a LDAP service with the proper schema in place. You create a entry in the LDAP database with all the samba privileges in place. I want to just authenticate with a LDAP service and not use a special samba schema.
>
> No, not possible. (Well you might be able to if you hack to disable encrypted passwords, etc... but I doubt it would work as a DC).
>
> > We use LDAP to authenticate for telnet, ftp and proxy services. This LDAP service is used for single sign on type of authentication so that the user does not need to have dozens of passwords for different servers and services. I want to use LDAP with samba for the same reason. I will create an entry on the samba host in the samba smbpasswd file, but want to go against the LDAP server for the password. Can this be done?
>
> This works, but must be done in collaboration with the Samba schema extensions.

--
Angel Galindo Muñoz
[EMAIL PROTECTED]
Re: [Samba] LDAP authentication only with SAMBA
> This question has probably been asked before, but I would like to ask it
> again. I know all about LDAP authentication between samba and a LDAP
> service with the proper schema in place. You create a entry in the LDAP
> database with all the samba privileges in place. I want to just
> authenticate with a LDAP service and not use a special samba schema.

No, not possible. (Well you might be able to if you hack to disable encrypted passwords, etc... but I doubt it would work as a DC).

> We use
> LDAP to authenticate for telnet, ftp and proxy services. This LDAP service
> is used for single sign on type of authentication so that the user does not
> need to have dozens of passwords for different servers and services. I want
> to use LDAP with samba for the same reason. I will create an entry on the
> samba host in the samba smbpasswd file, but want to go against the LDAP
> server for the password. Can this be done?

This works, but must be done in collaboration with the Samba schema extensions.
[Samba] LDAP authentication only with SAMBA
This question has probably been asked before, but I would like to ask it again. I know all about LDAP authentication between samba and a LDAP service with the proper schema in place. You create a entry in the LDAP database with all the samba privileges in place. I want to just authenticate with a LDAP service and not use a special samba schema.

We use LDAP to authenticate for telnet, ftp and proxy services. This LDAP service is used for single sign on type of authentication so that the user does not need to have dozens of passwords for different servers and services. I want to use LDAP with samba for the same reason. I will create an entry on the samba host in the samba smbpasswd file, but want to go against the LDAP server for the password. Can this be done?

TIA.

Jim OBrien
NYSDOH
[EMAIL PROTECTED]
Re: [Samba] LDAP authentication problem
First thing that I noticed was that you need to change your search to include sambaSamAccount not sambaAccount. What does that user's whole entry look like?
Re: [Samba] samba + ldap authentication
Dear list

Maybe we have the same problem with smbldap-tools-0.8.4-1. I didn't see a password attribute in the LDAP entry created by smbldap-tools, but all users I create can successfully log in to the samba machine via ssh.

[EMAIL PROTECTED] samba]# smbldap-usershow administrator
dn: uid=Administrator,ou=Users,dc=mragroup,dc=net
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSAMAccount,posixAccount,shadowAccount
gidNumber: 512
uid: Administrator
uidNumber: 0
homeDirectory: /home/
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaHomeDrive: H:
sambaPrimaryGroupSID: S-1-5-21-3703471949-3718591838-2324585696-512
sambaSID: S-1-5-21-3703471949-3718591838-2324585696-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaPwdCanChange: 1086934364
sambaAcctFlags: [U]
sambaPwdLastSet: 1086934585
sambaPwdMustChange: 1091686585

[EMAIL PROTECTED] samba]# smbldap-passwd administrator
Changing password for administrator
New password :
Retype new password :

[EMAIL PROTECTED] samba]# ldapsearch -x -b 'dc=mragroup,dc=net' '(objectclass=*)' | more
--snip---
# Administrator, Users, mragroup.net
dn: uid=Administrator,ou=Users,dc=mragroup,dc=net
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 512
uid: Administrator
uidNumber: 0
homeDirectory: /home/
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaHomeDrive: H:
sambaPrimaryGroupSID: S-1-5-21-3703471949-3718591838-2324585696-512
sambaSID: S-1-5-21-3703471949-3718591838-2324585696-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaPwdCanChange: 1086934364
sambaAcctFlags: [U]
--snap---

with this configuration i cat join my workstation to my samba server.. please help me...

> Quoting Beast <[EMAIL PROTECTED]>:
>
> > Peter Nyberg wrote:
> > > here's an output. I don't know if one can see anything wrong here. I don't have the account administrator in the /etc/passwd. Only in ldap.
> > >
> > > [EMAIL PROTECTED]:/usr/local/sbin# ./smbldap-usershow.pl administrator
> > > dn: uid=Administrator,ou=Users,dc=dbb,dc=su,dc=se
> > > cn: Administrator
> > > sn: Administrator
> > > objectClass: inetOrgPerson,sambaSamAccount,posixAccount
> > > gidNumber: 512
> > > uid: Administrator
> > > uidNumber: 998
> > > homeDirectory: /home/Users/
> > > sambaPwdLastSet: 0
> > > sambaLogonTime: 0
> > > sambaLogoffTime: 2147483647
> > > sambaKickoffTime: 2147483647
> > > sambaPwdCanChange: 0
> > > sambaPwdMustChange: 2147483647
> > > sambaHomePath: \\s2\home\Users
> > > sambaHomeDrive: H:
> > > sambaProfilePath: \\s2\home\profiles\
> > > sambaPrimaryGroupSID: S-1-5-21-1027936538-659792286-2162639956-512
> > > sambaLMPassword: XXX
> > > sambaNTPassword: XXX
> >
> > Oops, did not see your recent post, sorry.
> >
> > Both these attributes should not contain XXX, this means your previous smbldappasswd command did not work. Try using "smbpasswd administrator" or direct modify to ldap entry.
> >
> > --
> > --beast
>
> I did the following:
>
> [EMAIL PROTECTED]:/usr/local/samba/bin# ./smbpasswd administrator
> New SMB password:
> Retype new SMB password:
> [EMAIL PROTECTED]:/usr/local/samba/bin#
>
> And now:
>
> [EMAIL PROTECTED]:/usr/local/samba/bin# ./pdbedit administrator
> Administrator:4294967295:Administrator
>
> And:
>
> [EMAIL PROTECTED]:/usr/local/sbin# ./smbldap-usershow.pl administrator
> dn: uid=Administrator,ou=Users,dc=dbb,dc=su,dc=se
> cn: Administrator
> sn: Administrator
> objectClass: inetOrgPerson,sambaSamAccount,posixAccount
> gidNumber: 512
> uid: Administrator
> uidNumber: 998
> homeDirectory: /home/Users/
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdMustChange: 2147483647
> sambaHomePath: \\s2\home\Users
> sambaHomeDrive: H:
> sambaProfilePath: \\s2\home\profiles\
> sambaPrimaryGroupSID: S-1-5-21-1027936538-659792286-2162639956-512
> sambaAcctFlags: [U ]
> sambaSID: S-1-5-21-1027936538-659792286-2162639956-2996
> loginShell: /bin/false
> gecos: Netbios Domain Administrator
> sambaLMPassword: 176D7D7C26BFB683AAD3B435B51404EE
> sambaNTPassword: 2C925CDF69D46A468291C454DEF9CE18
> sambaPwdCanChange: 1086864688
> sambaPwdLastSet: 1086864688
> userPassword: {SMD5}+Ne1vmD3C1zlF/fqRjedOWIngzM=
> [EMAIL PROTECTED]:/usr/local/sbin# cd ../samba/bin/
>
> But still:
>
> [EMAIL PROTECTED]:/usr/local/samba/bin# ./net rpc group LIST global -U administrator
> Password:
> The username or password was not correct.
>
> I have force TLS in my slapd.conf, but in my smb.conf I have
> passdb backend = ldapsam:ldap://s2.dbb.su.se
> Do you think it should be
> passdb backend = ldapsam:ldaps://s2.dbb.su.se
>
> I'm a newbie on both samba and ldap so I'm not sure how to change a password directly into ldap database. I did a:
>
> [EMAIL PROTECTED]:/usr/bin# ./ldappasswd administrator
> ldap_bind: Confidentiality required (13)
> additional info: TLS confidentiality required
> [EMAIL PROTECTED]:/usr/bin#
>
> That's why I think the ldaps thing. I'll try it now and restart samba.
>
> No, still the same
>
> [EMAIL PROTECTED]:/usr/bin# ./ldappasswd administrator
> ldap_bind: Confidentiality required (13)
> additional info:
Re: [Samba] samba + ldap authentication
Quoting Beast <[EMAIL PROTECTED]>:

> Peter Nyberg wrote:
> > here's an output. I don't know if one can see anything wrong here. I don't have
> > the account administrator in the /etc/passwd. Only in ldap.
> >
> > [EMAIL PROTECTED]:/usr/local/sbin# ./smbldap-usershow.pl administrator
> > dn: uid=Administrator,ou=Users,dc=dbb,dc=su,dc=se
> > cn: Administrator
> > sn: Administrator
> > objectClass: inetOrgPerson,sambaSamAccount,posixAccount
> > gidNumber: 512
> > uid: Administrator
> > uidNumber: 998
> > homeDirectory: /home/Users/
> > sambaPwdLastSet: 0
> > sambaLogonTime: 0
> > sambaLogoffTime: 2147483647
> > sambaKickoffTime: 2147483647
> > sambaPwdCanChange: 0
> > sambaPwdMustChange: 2147483647
> > sambaHomePath: \\s2\home\Users
> > sambaHomeDrive: H:
> > sambaProfilePath: \\s2\home\profiles\
> > sambaPrimaryGroupSID: S-1-5-21-1027936538-659792286-2162639956-512
> > sambaLMPassword: XXX
> > sambaNTPassword: XXX
>
> Oops, did not see your recent post,sorry.
>
> This both attributes should not contain XXX, this means your previous
> smbldappasswd command did not works. Try using "smbpasswd administrator"
> or direct modify to ldap entry.
>
> --
> --beast

I did the following:

[EMAIL PROTECTED]:/usr/local/samba/bin# ./smbpasswd administrator
New SMB password:
Retype new SMB password:
[EMAIL PROTECTED]:/usr/local/samba/bin#

And now:

[EMAIL PROTECTED]:/usr/local/samba/bin# ./pdbedit administrator
Administrator:4294967295:Administrator

And:

[EMAIL PROTECTED]:/usr/local/sbin# ./smbldap-usershow.pl administrator
dn: uid=Administrator,ou=Users,dc=dbb,dc=su,dc=se
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSamAccount,posixAccount
gidNumber: 512
uid: Administrator
uidNumber: 998
homeDirectory: /home/Users/
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdMustChange: 2147483647
sambaHomePath: \\s2\home\Users
sambaHomeDrive: H:
sambaProfilePath: \\s2\home\profiles\
sambaPrimaryGroupSID: S-1-5-21-1027936538-659792286-2162639956-512
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-1027936538-659792286-2162639956-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: 176D7D7C26BFB683AAD3B435B51404EE
sambaNTPassword: 2C925CDF69D46A468291C454DEF9CE18
sambaPwdCanChange: 1086864688
sambaPwdLastSet: 1086864688
userPassword: {SMD5}+Ne1vmD3C1zlF/fqRjedOWIngzM=
[EMAIL PROTECTED]:/usr/local/sbin# cd ../samba/bin/

But still:

[EMAIL PROTECTED]:/usr/local/samba/bin# ./net rpc group LIST global -U administrator
Password:
The username or password was not correct.

I have forced TLS in my slapd.conf, but in my smb.conf I have

passdb backend = ldapsam:ldap://s2.dbb.su.se

Do you think it should be

passdb backend = ldapsam:ldaps://s2.dbb.su.se

I'm a newbie on both samba and ldap so I'm not sure how to change a password directly in the ldap database. I did a:

[EMAIL PROTECTED]:/usr/bin# ./ldappasswd administrator
ldap_bind: Confidentiality required (13)
additional info: TLS confidentiality required
[EMAIL PROTECTED]:/usr/bin#

That's why I think the ldaps thing. I'll try it now and restart samba.

No, still the same

[EMAIL PROTECTED]:/usr/bin# ./ldappasswd administrator
ldap_bind: Confidentiality required (13)
additional info: TLS confidentiality required

I really have to thank you for your time!

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] samba + ldap authentication
Peter Nyberg wrote:
> here's an output. I don't know if one can see anything wrong here. I don't have
> the account administrator in the /etc/passwd. Only in ldap.
>
> [EMAIL PROTECTED]:/usr/local/sbin# ./smbldap-usershow.pl administrator
> dn: uid=Administrator,ou=Users,dc=dbb,dc=su,dc=se
> cn: Administrator
> sn: Administrator
> objectClass: inetOrgPerson,sambaSamAccount,posixAccount
> gidNumber: 512
> uid: Administrator
> uidNumber: 998
> homeDirectory: /home/Users/
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> sambaHomePath: \\s2\home\Users
> sambaHomeDrive: H:
> sambaProfilePath: \\s2\home\profiles\
> sambaPrimaryGroupSID: S-1-5-21-1027936538-659792286-2162639956-512
> sambaLMPassword: XXX
> sambaNTPassword: XXX

Oops, did not see your recent post, sorry.

Both of these attributes should not contain XXX; this means your previous smbldappasswd command did not work. Try using "smbpasswd administrator" or modify the ldap entry directly.

--
--beast
Re: [Samba] samba + ldap authentication
Peter Nyberg wrote:
> Hi again!
> I did the following:
>
> [EMAIL PROTECTED]:/usr/local/sbin# smbldap-passwd.pl administrator
> Changing password for administrator
> New password : xx
> Retype new password : xxx
>
> [EMAIL PROTECTED]:/usr/local/samba/bin# ./net rpc group LIST global -U administrator
> Password: xxx
> The username or password was not correct.

Try to get some info for this user first.

root# pdbedit -L -v administrator

Is this a mapped account?

--
--beast
Re: [Samba] samba + ldap authentication
here's an output. I don't know if one can see anything wrong here. I don't have the account administrator in the /etc/passwd. Only in ldap.

[EMAIL PROTECTED]:/usr/local/sbin# ./smbldap-usershow.pl administrator
dn: uid=Administrator,ou=Users,dc=dbb,dc=su,dc=se
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSamAccount,posixAccount
gidNumber: 512
uid: Administrator
uidNumber: 998
homeDirectory: /home/Users/
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\s2\home\Users
sambaHomeDrive: H:
sambaProfilePath: \\s2\home\profiles\
sambaPrimaryGroupSID: S-1-5-21-1027936538-659792286-2162639956-512
sambaLMPassword: XXX
sambaNTPassword: XXX
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-1027936538-659792286-2162639956-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator

Peter Nyberg
Institutionen för Biokemi och Biofysik (DBB)
Sv.Arrhenius vägen 12
106 91 Stockholm
Tel: 08-16 24 69
Mobil: 070 339 24 69
Fax 08 153679

Quoting Beast <[EMAIL PROTECTED]>:

> Peter Nyberg wrote:
> > Hi all!
> > I have authentication problems with samba + ldap. When I populate the list
> > through smbldap-populate.pl a administrator account was created. I asume this is
> > the same account as rootdn "cn=Manager,dc=dbb,dc=su,dc=se". With the same
> > password, right?
>
> No. Administrator is just plain unix and samba account. Why not just set
> new password for this account ?
>
> --beast
Re: [Samba] samba + ldap authentication
Hi again!
I did the following:

[EMAIL PROTECTED]:/usr/local/sbin# smbldap-passwd.pl administrator
Changing password for administrator
New password : xx
Retype new password : xxx

[EMAIL PROTECTED]:/usr/local/samba/bin# ./net rpc group LIST global -U administrator
Password: xxx
The username or password was not correct.

Isn't this the correct way of doing it?

Peter Nyberg
Institutionen för Biokemi och Biofysik (DBB)
Sv.Arrhenius vägen 12
106 91 Stockholm
Tel: 08-16 24 69
Mobil: 070 339 24 69
Fax 08 153679

Quoting Beast <[EMAIL PROTECTED]>:

> Peter Nyberg wrote:
> > Hi all!
> > I have authentication problems with samba + ldap. When I populate the list
> > through smbldap-populate.pl a administrator account was created. I asume this is
> > the same account as rootdn "cn=Manager,dc=dbb,dc=su,dc=se". With the same
> > password, right?
>
> No. Administrator is just plain unix and samba account. Why not just set
> new password for this account ?
>
> --beast
Re: [Samba] samba + ldap authentication
Peter Nyberg wrote:
> Hi all!
> I have authentication problems with samba + ldap. When I populate the list
> through smbldap-populate.pl a administrator account was created. I asume this is
> the same account as rootdn "cn=Manager,dc=dbb,dc=su,dc=se". With the same
> password, right?

No. Administrator is just a plain unix and samba account. Why not just set a new password for this account?

--beast
[Samba] samba + ldap authentication
Hi all!
I have authentication problems with samba + ldap. When I populate the list through smbldap-populate.pl an administrator account was created. I assume this is the same account as rootdn "cn=Manager,dc=dbb,dc=su,dc=se". With the same password, right?

Ldap seems to be ok and when I do

[EMAIL PROTECTED]:/usr/local/samba/bin# ./net groupmap list
Domain Admins (S-1-5-21-1027936538-659792286-2162639956-512) -> wheel
Domain Users (S-1-5-21-1027936538-659792286-2162639956-513) -> smbusers
Domain Guests (S-1-5-21-1027936538-659792286-2162639956-514) -> smbguests
Administrators (S-1-5-21-1027936538-659792286-2162639956-544) -> 544
users (S-1-5-21-1027936538-659792286-2162639956-545) -> 545
Guests (S-1-5-21-1027936538-659792286-2162639956-546) -> 546
Power Users (S-1-5-21-1027936538-659792286-2162639956-547) -> 547
Account Operators (S-1-5-21-1027936538-659792286-2162639956-548) -> 548
Server Operators (S-1-5-21-1027936538-659792286-2162639956-549) -> 549
Print Operators (S-1-5-21-1027936538-659792286-2162639956-550) -> 550
Backup Operators (S-1-5-21-1027936538-659792286-2162639956-551) -> 551
Replicator (S-1-5-21-1027936538-659792286-2162639956-552) -> 552
Domain Computers (S-1-5-21-1027936538-659792286-2162639956-553) -> 553

Everything seems to be ok.

When I do a

./net rpc group LIST global -U administrator
Password: "same password as for rootdn"
The username or password was not correct.

I have the same password in secret.tdb as in slapd.conf.

Isn't administrator=Manager? If not, what's the standard password for administrator then and how could that account have access to the ldap database?

I also tried to use ./net rpc group LIST global -U Manager with the same result.

Please help me understand how it works. I think I'm very close now. I'm very grateful for all kinds of help in this matter.

If I log that command with -d 255 I receive

[EMAIL PROTECTED]:/usr/local/samba/bin# ./net rpc group LIST global -U administrator -d 255
[2004/06/10 08:47:13, 5] lib/debug.c:debug_dump_status(360)
  INFO: Current debug levels:
    all: True/255
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
[2004/06/10 08:47:13, 3] param/loadparm.c:lp_load(3810)
  lp_load: refreshing parameters
[2004/06/10 08:47:13, 3] param/loadparm.c:init_globals(1300)
  Initialising global parameters
[2004/06/10 08:47:13, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2004/06/10 08:47:13, 3] param/loadparm.c:do_section(3322)
  Processing section "[global]"
  doing parameter ldap ssl = start_tls
  doing parameter idmap gid = 15000-2
  doing parameter delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
  doing parameter allow hosts = 130.237.179.0/24
  doing parameter netbios name = s2
[2004/06/10 08:47:13, 4] param/loadparm.c:handle_netbios_name(2700)
  handle_netbios_name: set global_myname to: S2
  doing parameter printing = cups
  doing parameter ldap passwd sync = yes
  doing parameter idmap uid = 15000-2
  doing parameter logon script = logon.bat
  doing parameter local master = Yes
  doing parameter workgroup = DBB
  doing parameter os level = 255
  doing parameter ldap admin dn = "cn=Manager,dc=dbb,dc=su,dc=se"
  doing parameter update encrypted = Yes
  doing parameter printcap name = cups
  doing parameter add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
  doing parameter winbind separator = +
  doing parameter load printers = yes
  doing parameter ldap user suffix = ou=Users
  doing parameter add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
  doing parameter socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
  doing parameter add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
  doing parameter logon drive = H:
  doing parameter username map = /etc/samba/smbusers
  doing parameter domain master = Yes
  doing parameter encrypt passwords = Yes
  doing parameter passdb backend = ldapsam:ldap://s2.dbb.su.se
  doing parameter logon home = \\%L\%U\.profile
  doing parameter wins support = Yes
  doing parameter ldap delete dn = Yes
  doing parameter server string = Samba PDC running %v
  doing parameter ldap machine suffix = ou=Computers
  doing parameter ldap group suffix = ou=Groups
  doing parameter path = /home/Users
  doing parameter ldap suffix = dc=dbb,dc=su,dc=se
  doing parameter logon path = \\%L\profiles\%U
  doing parameter add user script = /usr/local/sbin/smbldap-useradd -m "%u"
  doing parameter set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
  doing parameter preferred master = Yes
  doing parameter ldap idmap suffix = ou=Users
  doing parameter domain logons = Yes
[2004/06/10 08:47:13, 4] param/loadparm.c:lp_load(3842)
[Samba] samba + ldap authentication
Hi all!
I have authentication problems with samba + ldap.

Ldap seems to be ok and when I do

Peter Nyberg
Institutionen för Biokemi och Biofysik (DBB)
Sv.Arrhenius vägen 12
106 91 Stockholm
Tel: 08-16 24 69
Mobil: 070 339 24 69
Fax 08 153679
Re: [Samba] LDAP authentication problem
Hi Alexander,

First of all, you do not need to make any configuration in your slapd.conf, this is only if you want to run a LDAP server on your Samba host.

If you want to use a Novell LDAP server you need to extend its LDAP schema first, to support the ObjectClass'es and attributes that Samba uses/needs. You probably have to find a version of the schema file that is compatible with your LDAP server; Novell's LDAP server doesn't like the syntax of the standard samba.schema file.

Afterwards you probably need an LDAP-Editor to access the server to add ObjectClass'es and attributes to user accounts you want to "Samba enable". Netware Administrator and ConsoleOne don't support those (yet).

Best regards
Erik Holst Trans

Alexander Varga wrote:
> Hi
> I have a little problem with my ldap authorization of samba against Novel LDAP server.
> This is the log output from the Novel Ldap server:
>
> New TCP connection 0xcb1e3980, monitor = 0x1bf, index = 2
> (0xcb1e3980:0x0001:0x60) DoBind on connection 0xcb1e3980
> (0xcb1e3980:0x0001:0x60) DoBind: name = 'cn=SAMBAuser,ou=SRV100,ou=Resources,o=USS', client version = 3, method = 0x80
> (0xcb1e3980:0x0001:0x60) Sending operation result 0:"":"" to connection 0xcb1e3980
> ###
> ### Samba user is the one who can browse the NDS to search for existing user ..he logged in successfully (0:"":"")
> ##
> (0xcb1e3980:0x0002:0x63) DoSearch on connection 0xcb1e3980
> (0xcb1e3980:0x0002:0x63) Search request:
>   base: "o=USS"
>   scope:2 derefence:0 sizelimit:0 timelimit:0 attrsonly:0
>   filter: "(&(uid=AlexanderVarga)(objectclass=sambaAccount))
> ## After it he was searching the Directory structure for user AlexanderVarga, but of a type ObjectClass=sambaAccount
> (0xcb1e3980:0x0002:0x63)attribute: "uid"
> (0xcb1e3980:0x0002:0x63)attribute: "uidNumber"
> (0xcb1e3980:0x0002:0x63)attribute: "gidNumber"
> (0xcb1e3980:0x0002:0x63)attribute: "homeDirectory"
> (0xcb1e3980:0x0002:0x63)attribute: "pwdLastSet"
> ...
> (0xcb1e3980:0x0002:0x63) Sending operation result 0:"":"" to connection 0xcb1e3980
> Monitor 0x1bf found connection 0xcb1e3980 socket closed, err = 57, 0 of 0 bytes read
> Monitor 0x1bf initiating close for connection 0xcb1e3980
> Server closing connection 0xcb1e3980, socket error = 57
> #
> ### of course he couldn't find it, because on the novel they have defined ObjectClasses: user, group... so it cannot match and it closes connection
>
> here is my slapd.conf ... it doesnot work to start slapd, because he cannot load ldbm database. I compiled everything and I not familiar in that manner with this, , but Vecause I am just a client,maybe I dont need this.:
>
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/misc.schema
> include /usr/local/etc/openldap/schema/openldap.schema
> include /etc/ldap/samba.schema
> pidfile /usr/local/var/slapd.pid
> argsfile /usr/local/var/slapd.args
> database lbdm
> suffix "o=USS"
> rootdn "cn=SAMBAuser,ou=SRV100,ou=Resources,o=USS"
> rootpw secret
> directory /usr/local/samba/var/openldap-data
> index objectClass eq
>
> ---
> here is my ldap.conf... the ldap_cachemgr is working properly... i hope so :)
>
> BASE o=USS
> URI ldap://nv6test.nw.usske.sk:389
> HOST 10.5.3.177
> PORT 389
>
> ---
> here is my smb.conf
>
> [global]
> workgroup = Inf-ks
> netbios name = SUNV240
> passwd backend = ldapsam://10.5.3.177:389
> ldap admin dn="cn=SAMBAuser,ou=SRV100,ou=Resources,o=USS"
> ldap filter = (&(uid=%u) (o=USS))
> ldap suffix = "o=USS"
> ldap port = 389
> ldap server = 10.5.3.177
>
> [share1]
> path = /tmp
>
> ---
> inbetween i ran this
>
> ldapclient manual \
> -a profileName=profile-imb \
> -a domainName=o=USS \
> -a serviceSearchDescriptor=passwd:o=USS \
> -a serviceSearchDescriptor=group:o=USS \
> -a authenticationMethod=simple -a defaultSearchBase=o=USS \
> -a searchTimeLimit=60 -a profileTTL=3600 \
> -a credentialLevel=proxy \
> -a proxyDN=cn=SAMBAuser,OU=SRV100,OU=Resources,O=USS \
> -a proxyPassword=mypassword \
> 10.5.3.177
> System successfully configured
>
> smbpasswd -w mypassword
> Sett
[Samba] LDAP authentication problem
Hi
I have a little problem with my ldap authorization of samba against Novell LDAP server.
This is the log output from the Novell Ldap server:

New TCP connection 0xcb1e3980, monitor = 0x1bf, index = 2
(0xcb1e3980:0x0001:0x60) DoBind on connection 0xcb1e3980
(0xcb1e3980:0x0001:0x60) DoBind: name = 'cn=SAMBAuser,ou=SRV100,ou=Resources,o=USS', client version = 3, method = 0x80
(0xcb1e3980:0x0001:0x60) Sending operation result 0:"":"" to connection 0xcb1e3980
###
### Samba user is the one who can browse the NDS to search for existing user ..he logged in successfully (0:"":"")
##
(0xcb1e3980:0x0002:0x63) DoSearch on connection 0xcb1e3980
(0xcb1e3980:0x0002:0x63) Search request:
  base: "o=USS"
  scope:2 derefence:0 sizelimit:0 timelimit:0 attrsonly:0
  filter: "(&(uid=AlexanderVarga)(objectclass=sambaAccount))
## After it he was searching the Directory structure for user AlexanderVarga, but of a type ObjectClass=sambaAccount
(0xcb1e3980:0x0002:0x63)attribute: "uid"
(0xcb1e3980:0x0002:0x63)attribute: "uidNumber"
(0xcb1e3980:0x0002:0x63)attribute: "gidNumber"
(0xcb1e3980:0x0002:0x63)attribute: "homeDirectory"
(0xcb1e3980:0x0002:0x63)attribute: "pwdLastSet"
...
(0xcb1e3980:0x0002:0x63) Sending operation result 0:"":"" to connection 0xcb1e3980
Monitor 0x1bf found connection 0xcb1e3980 socket closed, err = 57, 0 of 0 bytes read
Monitor 0x1bf initiating close for connection 0xcb1e3980
Server closing connection 0xcb1e3980, socket error = 57
#
### of course he couldn't find it, because on the Novell they have defined ObjectClasses: user, group... so it cannot match and it closes connection

here is my slapd.conf ... it does not work to start slapd, because he cannot load ldbm database. I compiled everything and I am not familiar in that manner with this, but because I am just a client, maybe I don't need this:

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /etc/ldap/samba.schema
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
database lbdm
suffix "o=USS"
rootdn "cn=SAMBAuser,ou=SRV100,ou=Resources,o=USS"
rootpw secret
directory /usr/local/samba/var/openldap-data
index objectClass eq

---
here is my ldap.conf... the ldap_cachemgr is working properly... i hope so :)

BASE o=USS
URI ldap://nv6test.nw.usske.sk:389
HOST 10.5.3.177
PORT 389

---
here is my smb.conf

[global]
workgroup = Inf-ks
netbios name = SUNV240
passwd backend = ldapsam://10.5.3.177:389
ldap admin dn="cn=SAMBAuser,ou=SRV100,ou=Resources,o=USS"
ldap filter = (&(uid=%u) (o=USS))
ldap suffix = "o=USS"
ldap port = 389
ldap server = 10.5.3.177

[share1]
path = /tmp

---
in between I ran this

ldapclient manual \
-a profileName=profile-imb \
-a domainName=o=USS \
-a serviceSearchDescriptor=passwd:o=USS \
-a serviceSearchDescriptor=group:o=USS \
-a authenticationMethod=simple -a defaultSearchBase=o=USS \
-a searchTimeLimit=60 -a profileTTL=3600 \
-a credentialLevel=proxy \
-a proxyDN=cn=SAMBAuser,OU=SRV100,OU=Resources,O=USS \
-a proxyPassword=mypassword \
10.5.3.177
System successfully configured

smbpasswd -w mypassword
Setting stored password for "cn=SAMBAuser,ou=SRV100,ou=Resources,o=USS" in secrets.tdb

the sambauser is in the tree OU=SRV100,OU=Resources,O=USS and the users have to be searched in the whole o=USS ...

the problem is this time that he always wants to search for a user of an objectclass SambaAccount, which doesn't exist in the LDAP server.

please help to solve this

Alexander

---
at last here is the samba.schema:

attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
        DESC 'LanManager Password'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
        DESC 'MD4 hash of th
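An added example (not code from the thread or from Samba) of why the search in the server log above returns nothing: an `&` filter matches only entries satisfying every term, and entries in a directory whose schema has not been extended carry no sambaAccount object class. The evaluator handles only `&`, `|`, `!`, equality and presence; the sample entries and their labels are constructed.

```python
def parse_filter(text):
    """Parse a small subset of RFC 4515 filter syntax into nested tuples."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter")
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"wrong number of terms for '{op}'")
        return (op, children), i + 1
    end = s.find(")", i)
    if end == -1:
        raise ValueError("unbalanced filter")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr.strip():
        raise ValueError("expected attr=value")
    return ("=", attr.strip().lower(), value.strip()), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attr -> list of values).

    Simplification: every attribute is compared case-insensitively, which is
    right for uid and objectClass; substring patterns are not supported.
    """
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for k, vals in entry.items()
              if k.lower() == attr for v in vals]
    if value == "*":          # presence test
        return bool(values)
    return value.lower() in values


def search(filter_text, entries):
    """Return the labels of the entries that the filter selects."""
    tree = parse_filter(filter_text)
    return [label for label, attrs in entries if matches(tree, attrs)]


# Filter exactly as it appears in the server log on this page.
LOG_FILTER = "(&(uid=AlexanderVarga)(objectclass=sambaAccount))"

# Constructed sample entries: one as the poster describes the directory
# (object class "user" only), one after the schema has been extended.
ENTRIES = [
    ("plain", {"uid": ["AlexanderVarga"], "objectClass": ["user"]}),
    ("extended", {"uid": ["AlexanderVarga"],
                  "objectClass": ["user", "sambaAccount"]}),
    ("group", {"cn": ["staff"], "objectClass": ["group"]}),
]

if __name__ == "__main__":
    print("unextended directory:", search(LOG_FILTER, ENTRIES[:1]))
    print("after adding the class:", search(LOG_FILTER, ENTRIES))
    print("uid alone:", search("(uid=alexandervarga)", ENTRIES))
```

The search itself succeeds with result code 0 and zero entries, which is why the log shows no error before the connection closes.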
[Samba] LDAP authentication.
Samba Folks,

Here's my situation. I have a linux system, Redhat ES3, Samba 3.0.2. I have the linux box configured to use LDAP authentication to our Corporate LDAP servers, which are Sun I believe.

What I need to do now is set up Samba to use NTLM2, and hit the LDAP server for authentication. I've been working on this for a couple of days now and can't seem to get anywhere. I can get it to work with encrypted passwords turned off and ntlm2 off. But that will violate our corporate security policies.

Any help would be great.

Thanks,
William C. Mount RHCE
Webserver Operations
Global IT Solutions
Caterpillar Inc.
600 W. Washington St.
East Peoria IL, 61630
(309) 675-3031 - Desk
(309) 256-7045 - Cell
[EMAIL PROTECTED]
[Samba] Re: samba LDAP authentication
Vaibhav Gundapwar wrote:
> Hi
> We have already setup LADP server for entire institute, but we dont have
> admin access on that server.

What kind of server? Novell, OpenLDAP...?

> We want to user the same LDAP accounts for samba authentication for
> department server. Is it possible to do this without admin password for LDAP.

Hard to guess, you need at least an instance with appropriate ACL's to manage your samba (and probably posix) accounts.

hth

> I searched alot but couldn't find anything for this.
> thanx in advance.
> - v a i b h a v -
> ---
> It looked like something resembling white marble, which was probably
> what it was: something resembling white marble.
> -- Douglas Adams, "The Hitchhikers Guide to the Galaxy"
[Samba] samba LDAP authentication
Hi

We have already set up an LDAP server for the entire institute, but we don't have admin access on that server.
We want to use the same LDAP accounts for samba authentication for the department server. Is it possible to do this without the admin password for LDAP?
I searched a lot but couldn't find anything for this.

thanx in advance.

- v a i b h a v -
---
It looked like something resembling white marble, which was probably
what it was: something resembling white marble.
-- Douglas Adams, "The Hitchhikers Guide to the Galaxy"
[Samba] Samba + ldap authentication question
hello all

I have read all the doc about ldap in the Samba documentation, and I am not sure I understand how a user authentication is validated by the samba server.

In the samba doc it is said that the samba ldap admin must be able to retrieve the lmPassword and ntPassword attributes of any user.

As I understand, when a user authenticates himself against the samba server, the server binds against LDAP server using the samba admin dn, looks for the user's password in the directory and compares it to the password the user provided.

Am I wrong?

If I am not, why doesn't the server use LDAP authentication with the user's dn and password? I think it would be closer to the "LDAP spirit".

thanks
Francois
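An added example (not part of the original post and not Samba's code) of the mechanism the question turns on: in an NTLM challenge/response logon the workstation never sends the password, so the server has nothing to present in an LDAP bind and must instead read the stored NT hash to recompute the expected response. The calculation follows the NTLMv2 scheme in MS-NLMP; the directory contents, hash, challenge and blob are constructed, and the last case shows the failure that a placeholder such as XXX in sambaNTPassword produces.

```python
import hashlib
import hmac


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the stored NT hash (MS-NLMP)."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def client_response(nt_hash, user, domain, server_challenge, client_blob):
    """Workstation side: 16-byte proof followed by the client blob.

    Only the hash of the password is used; the password itself never
    appears in anything sent to the server.
    """
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()
    return proof + client_blob


def server_verify(directory, user, domain, server_challenge, response):
    """Server side: fetch the stored hash, recompute the proof, compare."""
    entry = directory.get(user.lower())
    if entry is None:
        return False
    try:
        nt_hash = bytes.fromhex(entry.get("sambaNTPassword", ""))
    except ValueError:
        return False          # not hex, e.g. an unset "XXX" placeholder
    if len(nt_hash) != 16 or len(response) < 16:
        return False
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo():
    # Constructed values: not derived from any real password or account.
    good_hash = bytes.fromhex("00112233445566778899aabbccddeeff")
    directory = {
        "administrator": {"sambaNTPassword": "00112233445566778899AABBCCDDEEFF"},
        "unset": {"sambaNTPassword": "XXX"},
    }
    challenge = bytes.fromhex("0123456789abcdef")
    other_challenge = bytes.fromhex("fedcba9876543210")
    blob = b"constructed-client-blob"   # stands in for timestamp + client nonce

    good = client_response(good_hash, "Administrator", "DBB", challenge, blob)
    bad = client_response(bytes(16), "Administrator", "DBB", challenge, blob)
    unset = client_response(good_hash, "unset", "DBB", challenge, blob)
    return {
        "correct": server_verify(directory, "Administrator", "DBB", challenge, good),
        "wrong_hash": server_verify(directory, "Administrator", "DBB", challenge, bad),
        "replayed": server_verify(directory, "Administrator", "DBB",
                                  other_challenge, good),
        "placeholder_xxx": server_verify(directory, "unset", "DBB", challenge, unset),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Because the stored hash alone is enough to compute a valid response, read access to the password-hash attributes should be limited by directory ACLs to the DN Samba binds as.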
Re: [Samba] Samba/LDAP Authentication and SSL Conflicts
My solution:

That part about the Samba authentication was the most confusing bit, as others suggested: I completely agree with the replies I received that the SSL shouldn't have had anything to do with it. And, it turns out, it didn't.

The machine in question had cached my account's authenticator. When it failed to contact the LDAP server (due to the SSL problem), it relied on its own cache. I incorrectly assumed I was authenticating - a deeper study of my logs revealed that SSL was completely unrelated. I didn't even think of this until one of my users tried to authenticate and it didn't work.

My problem with the machine not authenticating had to do with the secret salt in /etc/samba/secrets.tdb - the new LDAP machine's account password hash was different. Very frustrating, but I wiped out the old one, rejoined the machine to the domain, and voilà - it's fixed.

Thanks again for the responses.

- Bill

On Thu, 2002-12-05 at 13:55, Bill Alexander wrote:
> I'm having a problem with Samba/LDAP authentication for Windows boxen
> from my Samba PDC. I've diagnosed as much as I can and fiddled with the
> relevant settings I know of, but I'm not making any progress.
> REMAINDER DELETED

Bill Alexander <[EMAIL PROTECTED]>
Mission Research Corporation
[Samba] Samba/LDAP Authentication and SSL Conflicts
I'm having a problem with Samba/LDAP authentication for Windows boxen from my Samba PDC. I've diagnosed as much as I can and fiddled with the relevant settings I know of, but I'm not making any progress.

I'm running stock Red Hat 8.0 with LDAP (OpenLdap 2.0.25) authentication (fully tested and working). I have Samba (ver. 2.2.5) set up as PDC, which works flawlessly (all shares, roaming profiles, etc.) when using smbpasswd for authentication.

However, when I rebuild Samba for LDAP authentication (edit samba.spec to include the --with-ldap option, then rpmbuild -ba samba.spec and reinstall the RPMs), I observe the following problem.

1) In my smb.conf, the "ldap ssl" option is unspecified, which should default to "on".

2) Logon from Windows2000 (from a machine already joined to the domain) is successful - LDAP authenticates the login.

3) However, shares are not visible (e.g. [profiles] and [homes]) because Samba (on the PDC, which is also the share server) can't connect to the LDAP server daemon. Samba can't authenticate the share access request.

4) Set the option "ldap ssl = no" in smb.conf. Restart Samba, but KEEP THE WINDOWS SESSION LOGGED IN (login authentication complete).

5) Share access (on the Windows box) is now granted - Samba can connect to the LDAP server and authenticate. The [homes] share is successfully shared with the already-logged-in Windows2000 session.

6) Logout of the Windows session. Remember that the Samba option "ldap ssl = no" is still set.

7) Logon to the Windows session is now broken. The Windows box can't access the LDAP authentication server, presumably because I turned off SSL.

My diagnosis is that Win2kPro uses SSL for secure login but not for share accesses? Does this make any sense? Seems like Samba is polling different ports for the LDAP, and gets a response one way, but not the other. I've tried altering the SSL settings in ldap.conf, but turning these on makes my Unix side logins fail (I'm not using the SSL capable libraries, I think, and this conflicts with PAM, or something like that).

I have Samba logs for the events described above, but they're difficult to export. Hopefully the diagnosis above is enough, but if anyone has an idea and the logs would help, I can try to post them as well.

The assorted HOWTOs and websites describing Samba/LDAP are a bit sketchy on this point (i.e. the interaction of Windows/Samba/LDAP/SSL), and don't directly address SSL's role in Windows authentication. I just can't decipher what it is that I'm missing.

Anybody got an idea for what I can try next?

Thanks in advance,

- Bill

--
Bill Alexander <[EMAIL PROTECTED]>
Mission Research Corporation
[Samba] LDAP Authentication
Has anyone gotten LDAP authentication to work against the LDAP server for the Lotus Domino Directory? If so would it be possible to see a sample NTF to see how you got this working? I'm having troubles getting the entries returned correctly.

Chris Tooley          voice: 512-495-9224x289
Austin Museum of Art  pager: 512-613-2603
IT Coordinator
823 Congress Ave
Austin, TX 78701