[Samba] samba+ldap: authentication problem.
Hello Group,

I am using RH9, samba-3.-.22. And I have openldap-2.3.11 on another machine. Using mkntpwd I got NT/LM passwords and gave its output in the ldif file for the sambaNTPassword and sambaLMPassword attribute types. When I tried to authenticate by giving the username and plain text equivalent of the NT/LM password, I got the following error:

session setup failed: NT_STATUS_LOGON_FAILURE

Pls tell me the reason why I am getting the error. (For adding users I am not using the smbldap-tools package.)

Also clarify for me whether the object class for samba users is sambaAccount or sambaSamAccount. Coz some websites specify sambaAccount.

regards,
krishnam

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] samba + ldap authentication
Dear list,

Maybe we have the same problem with smbldap-tools-0.8.4-1. I didn't see a password attribute in the LDAP entry created by smbldap-tools, but all users I create can successfully log in to the samba machine via ssh.

[EMAIL PROTECTED] samba]# smbldap-usershow administrator
dn: uid=Administrator,ou=Users,dc=mragroup,dc=net
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSAMAccount,posixAccount,shadowAccount
gidNumber: 512
uid: Administrator
uidNumber: 0
homeDirectory: /home/
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaHomeDrive: H:
sambaPrimaryGroupSID: S-1-5-21-3703471949-3718591838-2324585696-512
sambaSID: S-1-5-21-3703471949-3718591838-2324585696-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaPwdCanChange: 1086934364
sambaAcctFlags: [U]
sambaPwdLastSet: 1086934585
sambaPwdMustChange: 1091686585

[EMAIL PROTECTED] samba]# smbldap-passwd administrator
Changing password for administrator
New password :
Retype new password :

[EMAIL PROTECTED] samba]# ldapsearch -x -b 'dc=mragroup,dc=net' '(objectclass=*)' | more
--snip---
# Administrator, Users, mragroup.net
dn: uid=Administrator,ou=Users,dc=mragroup,dc=net
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 512
uid: Administrator
uidNumber: 0
homeDirectory: /home/
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaHomeDrive: H:
sambaPrimaryGroupSID: S-1-5-21-3703471949-3718591838-2324585696-512
sambaSID: S-1-5-21-3703471949-3718591838-2324585696-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaPwdCanChange: 1086934364
sambaAcctFlags: [U]
--snap---

With this configuration I cat join my workstation to my samba server.. please help me...

Quoting Beast [EMAIL PROTECTED]:

Peter Nyberg wrote:

here's an output. I don't know if one can see anything wrong here.
I don't have the account administrator in the /etc/passwd. Only in ldap.

[EMAIL PROTECTED]:/usr/local/sbin# ./smbldap-usershow.pl administrator
dn: uid=Administrator,ou=Users,dc=dbb,dc=su,dc=se
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSamAccount,posixAccount
gidNumber: 512
uid: Administrator
uidNumber: 998
homeDirectory: /home/Users/
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\s2\home\Users
sambaHomeDrive: H:
sambaProfilePath: \\s2\home\profiles\
sambaPrimaryGroupSID: S-1-5-21-1027936538-659792286-2162639956-512
sambaLMPassword: XXX
sambaNTPassword: XXX

Oops, did not see your recent post, sorry. Both these attributes should not contain XXX; this means your previous smbldappasswd command did not work. Try using smbpasswd administrator or directly modify the ldap entry.

-- --beast

I did the following:

[EMAIL PROTECTED]:/usr/local/samba/bin# ./smbpasswd administrator
New SMB password:
Retype new SMB password:
[EMAIL PROTECTED]:/usr/local/samba/bin#

And now:

[EMAIL PROTECTED]:/usr/local/samba/bin# ./pdbedit administrator
Administrator:4294967295:Administrator

And:

[EMAIL PROTECTED]:/usr/local/sbin# ./smbldap-usershow.pl administrator
dn: uid=Administrator,ou=Users,dc=dbb,dc=su,dc=se
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSamAccount,posixAccount
gidNumber: 512
uid: Administrator
uidNumber: 998
homeDirectory: /home/Users/
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdMustChange: 2147483647
sambaHomePath: \\s2\home\Users
sambaHomeDrive: H:
sambaProfilePath: \\s2\home\profiles\
sambaPrimaryGroupSID: S-1-5-21-1027936538-659792286-2162639956-512
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-1027936538-659792286-2162639956-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: 176D7D7C26BFB683AAD3B435B51404EE
sambaNTPassword: 2C925CDF69D46A468291C454DEF9CE18
sambaPwdCanChange: 1086864688
sambaPwdLastSet: 1086864688
userPassword: {SMD5}+Ne1vmD3C1zlF/fqRjedOWIngzM=
[EMAIL PROTECTED]:/usr/local/sbin# cd ../samba/bin/

But still:

[EMAIL PROTECTED]:/usr/local/samba/bin# ./net rpc group LIST global -U administrator
Password:
The username or password was not correct.

I have force TLS in my slapd.conf, but in my smb.conf I have

passdb backend = ldapsam:ldap://s2.dbb.su.se

Do you think it should be

passdb backend = ldapsam:ldaps://s2.dbb.su.se

I'm a newbie on both samba and ldap so I'm not sure how to change a password directly in the ldap database. I did a:

[EMAIL PROTECTED]:/usr/bin# ./ldappasswd administrator
ldap_bind: Confidentiality required (13)
additional info: TLS confidentiality required
[EMAIL PROTECTED]:/usr/bin#

That's why I think the ldaps thing. I'll try it now and restart samba.

No, still the same

[EMAIL PROTECTED]:/usr/bin# ./ldappasswd administrator
ldap_bind: Confidentiality required (13)
additional info: TLS
[Samba] samba + ldap authentication
Hi all!

I have authentication problems with samba + ldap. When I populate the list through smbldap-populate.pl an administrator account was created. I assume this is the same account as rootdn cn=Manager,dc=dbb,dc=su,dc=se. With the same password, right?

Ldap seems to be ok and when I do

[EMAIL PROTECTED]:/usr/local/samba/bin# ./net groupmap list
Domain Admins (S-1-5-21-1027936538-659792286-2162639956-512) - wheel
Domain Users (S-1-5-21-1027936538-659792286-2162639956-513) - smbusers
Domain Guests (S-1-5-21-1027936538-659792286-2162639956-514) - smbguests
Administrators (S-1-5-21-1027936538-659792286-2162639956-544) - 544
users (S-1-5-21-1027936538-659792286-2162639956-545) - 545
Guests (S-1-5-21-1027936538-659792286-2162639956-546) - 546
Power Users (S-1-5-21-1027936538-659792286-2162639956-547) - 547
Account Operators (S-1-5-21-1027936538-659792286-2162639956-548) - 548
Server Operators (S-1-5-21-1027936538-659792286-2162639956-549) - 549
Print Operators (S-1-5-21-1027936538-659792286-2162639956-550) - 550
Backup Operators (S-1-5-21-1027936538-659792286-2162639956-551) - 551
Replicator (S-1-5-21-1027936538-659792286-2162639956-552) - 552
Domain Computers (S-1-5-21-1027936538-659792286-2162639956-553) - 553

Everything seems to be ok.

When I do a

./net rpc group LIST global -U administrator
Password: same password as for rootdn
The username or password was not correct.

I have the same password in secret.tdb as in slapd.conf.

Isn't administrator=Manager? If not, what's the standard password for administrator then and how could that account have access to the ldap database?

I also tried to use ./net rpc group LIST global -U Manager with the same result.

Please help me understand how it works. I think I'm very close now.
I'm very grateful for all kinds of help in this matter.

If I log that command with -d 255 I receive

[EMAIL PROTECTED]:/usr/local/samba/bin# ./net rpc group LIST global -U administrator -d 255
[2004/06/10 08:47:13, 5] lib/debug.c:debug_dump_status(360)
  INFO: Current debug levels:
  all: True/255
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
  quota: False/0
[2004/06/10 08:47:13, 3] param/loadparm.c:lp_load(3810)
  lp_load: refreshing parameters
[2004/06/10 08:47:13, 3] param/loadparm.c:init_globals(1300)
  Initialising global parameters
[2004/06/10 08:47:13, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
[2004/06/10 08:47:13, 3] param/loadparm.c:do_section(3322)
  Processing section [global]
  doing parameter ldap ssl = start_tls
  doing parameter idmap gid = 15000-2
  doing parameter delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
  doing parameter allow hosts = 130.237.179.0/24
  doing parameter netbios name = s2
[2004/06/10 08:47:13, 4] param/loadparm.c:handle_netbios_name(2700)
  handle_netbios_name: set global_myname to: S2
  doing parameter printing = cups
  doing parameter ldap passwd sync = yes
  doing parameter idmap uid = 15000-2
  doing parameter logon script = logon.bat
  doing parameter local master = Yes
  doing parameter workgroup = DBB
  doing parameter os level = 255
  doing parameter ldap admin dn = cn=Manager,dc=dbb,dc=su,dc=se
  doing parameter update encrypted = Yes
  doing parameter printcap name = cups
  doing parameter add machine script = /usr/local/sbin/smbldap-useradd -w %u
  doing parameter winbind separator = +
  doing parameter load printers = yes
  doing parameter ldap user suffix = ou=Users
  doing parameter add group script = /usr/local/sbin/smbldap-groupadd -p %g
  doing parameter socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
  doing parameter add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
  doing parameter logon drive = H:
  doing parameter username map = /etc/samba/smbusers
  doing parameter domain master = Yes
  doing parameter encrypt passwords = Yes
  doing parameter passdb backend = ldapsam:ldap://s2.dbb.su.se
  doing parameter logon home = \\%L\%U\.profile
  doing parameter wins support = Yes
  doing parameter ldap delete dn = Yes
  doing parameter server string = Samba PDC running %v
  doing parameter ldap machine suffix = ou=Computers
  doing parameter ldap group suffix = ou=Groups
  doing parameter path = /home/Users
  doing parameter ldap suffix = dc=dbb,dc=su,dc=se
  doing parameter logon path = \\%L\profiles\%U
  doing parameter add user script = /usr/local/sbin/smbldap-useradd -m %u
  doing parameter set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u
  doing parameter preferred master = Yes
  doing parameter ldap idmap suffix = ou=Users
  doing parameter domain logons = Yes
[2004/06/10 08:47:13, 4] param/loadparm.c:lp_load(3842)
  pm_process() returned Yes
[2004/06/10
Re: [Samba] samba + ldap authentication
Peter Nyberg wrote:

Hi all! I have authentication problems with samba + ldap. When I populate the list through smbldap-populate.pl an administrator account was created. I assume this is the same account as rootdn cn=Manager,dc=dbb,dc=su,dc=se. With the same password, right?

No. Administrator is just a plain unix and samba account. Why not just set a new password for this account?

--beast
Re: [Samba] samba + ldap authentication
Hi again!

I did the following:

[EMAIL PROTECTED]:/usr/local/sbin# smbldap-passwd.pl administrator
Changing password for administrator
New password : xx
Retype new password : xxx
[EMAIL PROTECTED]:/usr/local/samba/bin# ./net rpc group LIST global -U administrator
Password: xxx
The username or password was not correct.

Isn't this the correct way of doing it?

Peter Nyberg
Institutionen för Biokemi och Biofysik (DBB)
Sv.Arrhenius vägen 12
106 91 Stockholm
Tel: 08-16 24 69
Mobil: 070 339 24 69
Fax 08 153679

Quoting Beast [EMAIL PROTECTED]:

Peter Nyberg wrote:

Hi all! I have authentication problems with samba + ldap. When I populate the list through smbldap-populate.pl an administrator account was created. I assume this is the same account as rootdn cn=Manager,dc=dbb,dc=su,dc=se. With the same password, right?

No. Administrator is just a plain unix and samba account. Why not just set a new password for this account?

--beast
Re: [Samba] samba + ldap authentication
here's an output. I don't know if one can see anything wrong here. I don't have the account administrator in the /etc/passwd. Only in ldap.

[EMAIL PROTECTED]:/usr/local/sbin# ./smbldap-usershow.pl administrator
dn: uid=Administrator,ou=Users,dc=dbb,dc=su,dc=se
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSamAccount,posixAccount
gidNumber: 512
uid: Administrator
uidNumber: 998
homeDirectory: /home/Users/
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\s2\home\Users
sambaHomeDrive: H:
sambaProfilePath: \\s2\home\profiles\
sambaPrimaryGroupSID: S-1-5-21-1027936538-659792286-2162639956-512
sambaLMPassword: XXX
sambaNTPassword: XXX
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-1027936538-659792286-2162639956-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator

Peter Nyberg
Institutionen för Biokemi och Biofysik (DBB)
Sv.Arrhenius vägen 12
106 91 Stockholm
Tel: 08-16 24 69
Mobil: 070 339 24 69
Fax 08 153679

Quoting Beast [EMAIL PROTECTED]:

Peter Nyberg wrote:

Hi all! I have authentication problems with samba + ldap. When I populate the list through smbldap-populate.pl an administrator account was created. I assume this is the same account as rootdn cn=Manager,dc=dbb,dc=su,dc=se. With the same password, right?

No. Administrator is just a plain unix and samba account. Why not just set a new password for this account?

--beast
Re: [Samba] samba + ldap authentication
Peter Nyberg wrote:

Hi again! I did the following:

[EMAIL PROTECTED]:/usr/local/sbin# smbldap-passwd.pl administrator
Changing password for administrator
New password : xx
Retype new password : xxx
[EMAIL PROTECTED]:/usr/local/samba/bin# ./net rpc group LIST global -U administrator
Password: xxx
The username or password was not correct.

Try to get some info for this user first.

root# pdbedit -L -v administrator

Is this a mapped account?

-- --beast
Re: [Samba] samba + ldap authentication
Peter Nyberg wrote:

here's an output. I don't know if one can see anything wrong here. I don't have the account administrator in the /etc/passwd. Only in ldap.

[EMAIL PROTECTED]:/usr/local/sbin# ./smbldap-usershow.pl administrator
dn: uid=Administrator,ou=Users,dc=dbb,dc=su,dc=se
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSamAccount,posixAccount
gidNumber: 512
uid: Administrator
uidNumber: 998
homeDirectory: /home/Users/
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\s2\home\Users
sambaHomeDrive: H:
sambaProfilePath: \\s2\home\profiles\
sambaPrimaryGroupSID: S-1-5-21-1027936538-659792286-2162639956-512
sambaLMPassword: XXX
sambaNTPassword: XXX

Oops, did not see your recent post, sorry. Both these attributes should not contain XXX; this means your previous smbldappasswd command did not work. Try using smbpasswd administrator or directly modify the ldap entry.

-- --beast
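The condition pointed out in the reply above (sambaLMPassword/sambaNTPassword holding XXX instead of hashes), and the earlier entry with no password attributes at all, can be detected before a logon is attempted. The following is an added example, not part of the original thread and not code from Samba or smbldap-tools: a Python check over text in the form printed by ldapsearch or smbldap-usershow. The sample entries, the function names and the hash value are constructed, and accepting an absent LM hash is an assumption.

```python
import re

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")  # a 16-byte hash written as 32 hex digits

# Constructed sample (not from the thread). alice uses one objectClass per line as
# ldapsearch prints it; bob uses the comma-joined form shown by smbldap-usershow.
SAMPLE = """\
dn: uid=alice,ou=Users,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3000
sambaAcctFlags: [U ]
sambaLMPassword: XXX
sambaNTPassword: XXX

dn: uid=bob,ou=Users,dc=example,dc=org
objectClass: inetOrgPerson,sambaSamAccount,posixAccount
uid: bob
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002
sambaAcctFlags: [U ]
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
"""

def parse_entries(text):
    """Split LDIF-style text into {attr: [values]} dicts; folded and '::' lines are not handled."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():            # a blank line ends the current entry
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:
            name, value = line.split(":", 1)
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def check_entry(entry):
    """Return a list of problems with the Samba attributes of one entry."""
    classes = {c.strip().lower()
               for v in entry.get("objectclass", []) for c in v.split(",")}
    if "sambasamaccount" not in classes:
        return ["no sambaSamAccount objectClass"]
    problems = []
    if not entry.get("sambasid"):
        problems.append("sambaSID missing")
    nt = entry.get("sambantpassword", [""])[0]
    if not HEX32.fullmatch(nt):
        problems.append("sambaNTPassword missing or not a hash: %r" % nt)
    lm = entry.get("sambalmpassword", [None])[0]
    # Assumption: an absent LM hash is acceptable, a malformed one is not.
    if lm is not None and not HEX32.fullmatch(lm):
        problems.append("sambaLMPassword not a hash: %r" % lm)
    if "D" in entry.get("sambaacctflags", [""])[0].strip("[] "):
        problems.append("account disabled (D flag)")
    return problems

def audit(text):
    return {e.get("dn", ["?"])[0]: check_entry(e) for e in parse_entries(text)}

if __name__ == "__main__":
    for dn, problems in audit(SAMPLE).items():
        print(dn, "->", "; ".join(problems) or "OK")
```
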
Re: [Samba] samba + ldap authentication
Quoting Beast [EMAIL PROTECTED]:

Peter Nyberg wrote:

here's an output. I don't know if one can see anything wrong here. I don't have the account administrator in the /etc/passwd. Only in ldap.

[EMAIL PROTECTED]:/usr/local/sbin# ./smbldap-usershow.pl administrator
dn: uid=Administrator,ou=Users,dc=dbb,dc=su,dc=se
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSamAccount,posixAccount
gidNumber: 512
uid: Administrator
uidNumber: 998
homeDirectory: /home/Users/
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\s2\home\Users
sambaHomeDrive: H:
sambaProfilePath: \\s2\home\profiles\
sambaPrimaryGroupSID: S-1-5-21-1027936538-659792286-2162639956-512
sambaLMPassword: XXX
sambaNTPassword: XXX

Oops, did not see your recent post, sorry. Both these attributes should not contain XXX; this means your previous smbldappasswd command did not work. Try using smbpasswd administrator or directly modify the ldap entry.
-- --beast

I did the following:

[EMAIL PROTECTED]:/usr/local/samba/bin# ./smbpasswd administrator
New SMB password:
Retype new SMB password:
[EMAIL PROTECTED]:/usr/local/samba/bin#

And now:

[EMAIL PROTECTED]:/usr/local/samba/bin# ./pdbedit administrator
Administrator:4294967295:Administrator

And:

[EMAIL PROTECTED]:/usr/local/sbin# ./smbldap-usershow.pl administrator
dn: uid=Administrator,ou=Users,dc=dbb,dc=su,dc=se
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSamAccount,posixAccount
gidNumber: 512
uid: Administrator
uidNumber: 998
homeDirectory: /home/Users/
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdMustChange: 2147483647
sambaHomePath: \\s2\home\Users
sambaHomeDrive: H:
sambaProfilePath: \\s2\home\profiles\
sambaPrimaryGroupSID: S-1-5-21-1027936538-659792286-2162639956-512
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-1027936538-659792286-2162639956-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: 176D7D7C26BFB683AAD3B435B51404EE
sambaNTPassword: 2C925CDF69D46A468291C454DEF9CE18
sambaPwdCanChange: 1086864688
sambaPwdLastSet: 1086864688
userPassword: {SMD5}+Ne1vmD3C1zlF/fqRjedOWIngzM=
[EMAIL PROTECTED]:/usr/local/sbin# cd ../samba/bin/

But still:

[EMAIL PROTECTED]:/usr/local/samba/bin# ./net rpc group LIST global -U administrator
Password:
The username or password was not correct.

I have force TLS in my slapd.conf, but in my smb.conf I have

passdb backend = ldapsam:ldap://s2.dbb.su.se

Do you think it should be

passdb backend = ldapsam:ldaps://s2.dbb.su.se

I'm a newbie on both samba and ldap so I'm not sure how to change a password directly in the ldap database. I did a:

[EMAIL PROTECTED]:/usr/bin# ./ldappasswd administrator
ldap_bind: Confidentiality required (13)
additional info: TLS confidentiality required
[EMAIL PROTECTED]:/usr/bin#

That's why I think the ldaps thing. I'll try it now and restart samba.
No, still the same

[EMAIL PROTECTED]:/usr/bin# ./ldappasswd administrator
ldap_bind: Confidentiality required (13)
additional info: TLS confidentiality required

I really have to thank you for your time!
[Samba] samba LDAP authentication
Hi,

We have already set up an LDAP server for the entire institute, but we don't have admin access on that server. We want to use the same LDAP accounts for samba authentication for a department server. Is it possible to do this without the admin password for LDAP? I searched a lot but couldn't find anything for this.

thanx in advance.

- v a i b h a v -

---
It looked like something resembling white marble, which was probably what it was: something resembling white marble. -- Douglas Adams, The Hitchhikers Guide to the Galaxy
[Samba] Samba + ldap authentication question
hello all,

I have read all the doc about ldap in the Samba documentation, and I am not sure I understand how a user authentication is validated by the samba server.

In the samba doc it is said that the samba ldap admin must be able to retrieve the lmPassword and ntPassword attributes of any user.

As I understand, when a user authenticates himself against the samba server, the server binds against the LDAP server using the samba admin dn, looks for the user's password in the directory and compares it to the password the user provided.

Am I wrong? If I am not, why doesn't the server use LDAP authentication with the user's dn and password? I think it would be closer to the LDAP spirit.

thanks
Francois
Re: [Samba] Samba/LDAP Authentication and SSL Conflicts
My solution:

That part about the Samba authentication was the most confusing bit, as others suggested: I completely agree with the replies I received that the SSL shouldn't have had anything to do with it. And, it turns out, it didn't. The machine in question had cached my account's authenticator. When it failed to contact the LDAP server (due to the SSL problem), it relied on its own cache. I incorrectly assumed I was authenticating - a deeper study of my logs revealed that SSL was completely unrelated. I didn't even think of this until one of my users tried to authenticate and it didn't work.

My problem with the machine not authenticating had to do with the secret salt in /etc/samba/secrets.tdb - the new LDAP machine's account password hash was different. Very frustrating, but I wiped out the old one, rejoined the machine to the domain, and voilà - it's fixed.

Thanks again for the responses.

- Bill

On Thu, 2002-12-05 at 13:55, Bill Alexander wrote:

I'm having a problem with Samba/LDAP authentication for Windows boxen from my Samba PDC. I've diagnosed as much as I can and fiddled with the relevant settings I know of, but I'm not making any progress.

REMAINDER DELETED

Bill Alexander [EMAIL PROTECTED]
Mission Research Corporation