Re: [Samba] Re: Authentication confusion - may be LDAP related
At 03:34 PM 9/27/2005, paul kölle wrote:
> Ric Tibbetts wrote:
> > This is from the error log:
> >
> > attempting to make a user_info for u212442 (212442)
> > making strings for u212442's user_info struct
> > making blobs for u212442's user_info struct
> > made an encrypted user_info for u212442 (212442)
> > check_ntlm_password: mapped user is: [EMAIL PROTECTED]
> > getsampwnam (smbpasswd): search by name: u212442
> > check_sam_security: Couldn't find user 'u212442' in passdb.
> > check_ntlm_password: Authentication for user [212442] -> [u212442]
> > FAILED with error NT_STATUS_NO_SUCH_USER
>
> If you can increase the log level for the LDAP server you can see what
> filter is used above and find out why the object is not found. Have you
> added the sambaSamAccount objectClass and attributes to the user? You
> can use smbldap-tools for that.

The above was done with log level = 100

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Authentication confusion - may be LDAP related
Ric Tibbetts wrote:
> This is from the error log:
>
> attempting to make a user_info for u212442 (212442)
> making strings for u212442's user_info struct
> making blobs for u212442's user_info struct
> made an encrypted user_info for u212442 (212442)
> check_ntlm_password: mapped user is: [EMAIL PROTECTED]
> getsampwnam (smbpasswd): search by name: u212442
> check_sam_security: Couldn't find user 'u212442' in passdb.
> check_ntlm_password: Authentication for user [212442] -> [u212442]
> FAILED with error NT_STATUS_NO_SUCH_USER

If you can increase the log level for the LDAP server you can see what
filter is used above and find out why the object is not found. Have you
added the sambaSamAccount objectClass and attributes to the user? You
can use smbldap-tools for that.

> Yet, from that same AIX box if I check my id:
>
> #> id u212442
> uid=1040(u212442) gid=1001(sysadmin)
>
> So the OS knows the id exists, it's just not passing that info to Samba.

Sorry, I don't know AIX, but if all users and groups samba needs to know
about are in LDAP, you can probably set "ldapsam:trusted = yes" in
smb.conf bypassing the whole NSS story. Read the manpage of smb.conf what
this parameter does.

hth
Paul
Re: [Samba] Re: Authentication confusion - may be LDAP related
At 02:20 PM 9/27/2005, paul kölle wrote:
> Ric Tibbetts wrote:
> > dn: username=u123456,ou=aixuser,cn=aixsecdb,cn=aixdata
> > uid: 1040
> > username: u123456
> >
> > with u123456 being my *nix login.
> >
> > To me, this looks very wrong (not to mention that there's no dc=).
>
> It looks wrong and the author surely has had no clue what cn means etc.
> nevertheless it should work.

Surprisingly enough (maybe not...) this is the default configuration from
IBM for their LDAP server.
Re: [Samba] Re: Authentication confusion - may be LDAP related
At 02:20 PM 9/27/2005, paul kölle wrote:
> Ric Tibbetts wrote:
> > dn: username=u123456,ou=aixuser,cn=aixsecdb,cn=aixdata
> > uid: 1040
> > username: u123456
> >
> > with u123456 being my *nix login.
> >
> > To me, this looks very wrong (not to mention that there's no dc=).
>
> It looks wrong and the author surely has had no clue what cn means etc.
> nevertheless it should work.
>
> > If I'm seeing this right, shouldn't the login be the "uid" not
> > "username"? Is that what Samba is looking for?
>
> You can set "ldap filter = (username=%u)" in smb.conf along with a
> suitable value for "ldap suffix". Check the users with "getent passwd"
> to test if they are visible to the system.

This is from the error log:

attempting to make a user_info for u212442 (212442)
making strings for u212442's user_info struct
making blobs for u212442's user_info struct
made an encrypted user_info for u212442 (212442)
check_ntlm_password: mapped user is: [EMAIL PROTECTED]
getsampwnam (smbpasswd): search by name: u212442
check_sam_security: Couldn't find user 'u212442' in passdb.
check_ntlm_password: Authentication for user [212442] -> [u212442] FAILED with error NT_STATUS_NO_SUCH_USER

Yet, from that same AIX box if I check my id:

#> id u212442
uid=1040(u212442) gid=1001(sysadmin)

So the OS knows the id exists, it's just not passing that info to Samba.
Re: [Samba] Re: Authentication confusion - may be LDAP related
At 02:20 PM 9/27/2005, paul kölle wrote:
> Ric Tibbetts wrote:
> > dn: username=u123456,ou=aixuser,cn=aixsecdb,cn=aixdata
> > uid: 1040
> > username: u123456
> >
> > with u123456 being my *nix login.
> >
> > To me, this looks very wrong (not to mention that there's no dc=).
>
> It looks wrong and the author surely has had no clue what cn means etc.
> nevertheless it should work.
>
> > If I'm seeing this right, shouldn't the login be the "uid" not
> > "username"? Is that what Samba is looking for?
>
> You can set "ldap filter = (username=%u)" in smb.conf along with a
> suitable value for "ldap suffix". Check the users with "getent passwd"
> to test if they are visible to the system.

Okay, I tried this. Here's my smb.conf:

# Global parameters
[global]
    workgroup = WIN
    server string = RX01 %a-%v
    security = user
    password server =
    username map = /usr/local/samba/private/smbusers
    log level = 100
    log file = /var/log/samba/%m.log
    max log size = 500
    wins server =
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    ldap filter = (username=%u)
    ldap admin dn = cn=root
    ldap suffix = cn=aixsecdb,cn=aixdata
    ldap group suffix = ou=aixgroup
    ldap user suffix = ou=aixuser
    ldap machine suffix = cn=aixid,ou=system

[Homes]
    comment = User Home Directories
    valid users = %S
    read only = No
    guest ok = Yes

Still no good. I have no "getent" installed.
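
Added example, not part of the thread or of Samba: a small Python check that cross-references the smb.conf above with the log excerpt posted in this thread, reporting which passdb backend the log shows serving the lookup and whether the ldap parameters are paired with an ldapsam backend. The sample inputs are constructed from the excerpts on this page; that the tag in parentheses after getsampwnam names the backend is an assumption, and the helper names are hypothetical.

```python
import re

# Constructed from the smb.conf and log excerpts quoted in this thread.
SMB_CONF = """\
[global]
    workgroup = WIN
    log level = 100
    ldap filter = (username=%u)
    ldap admin dn = cn=root
    ldap suffix = cn=aixsecdb,cn=aixdata
    ldap user suffix = ou=aixuser
"""
LOG = """\
getsampwnam (smbpasswd): search by name: u212442
check_sam_security: Couldn't find user 'u212442' in passdb.
check_ntlm_password: Authentication for user [212442] -> [u212442] FAILED with error NT_STATUS_NO_SUCH_USER
"""

def global_params(conf):
    """Return the [global] parameters as a dict with normalised names."""
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def diagnose(conf, log):
    """Cross-check the configured passdb backend against what the log shows."""
    params = global_params(conf)
    configured = params.get("passdb backend")  # None when the line is absent
    # Assumption: the tag in parentheses names the backend that ran the lookup.
    seen = sorted(set(re.findall(r"getsampwnam \((\w+)\)", log)))
    ldap_keys = sorted(k for k in params if k.startswith("ldap "))
    findings = []
    if ldap_keys and not (configured or "").startswith("ldapsam"):
        findings.append("ldap parameters set but passdb backend is not ldapsam")
    if seen and not any(s.lower().startswith("ldap") for s in seen):
        findings.append("log shows lookups served by: " + ", ".join(seen))
    return {"configured": configured, "seen": seen,
            "ldap_keys": ldap_keys, "findings": findings}

if __name__ == "__main__":
    print(diagnose(SMB_CONF, LOG)["findings"])
```
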
[Samba] Re: Authentication confusion - may be LDAP related
Ric Tibbetts wrote:
> dn: username=u123456,ou=aixuser,cn=aixsecdb,cn=aixdata
> uid: 1040
> username: u123456
>
> with u123456 being my *nix login.
>
> To me, this looks very wrong (not to mention that there's no dc=).

It looks wrong and the author surely has had no clue what cn means etc.
nevertheless it should work.

> If I'm seeing this right, shouldn't the login be the "uid" not
> "username"? Is that what Samba is looking for?

You can set "ldap filter = (username=%u)" in smb.conf along with a
suitable value for "ldap suffix". Check the users with "getent passwd"
to test if they are visible to the system.