LinuxQuestions.org
Old 10-20-2007, 03:35 AM   #1
tristanm
SAMBA and LDAP configuration issues


I am running an LDAP server (openldap version 2.3.27) on RHEL 5 server.
It is configured correctly to allow remote linux logins.
I am also trying to use it as the user database for a SAMBA server running on the same machine.
I have version 3.0.23 of SAMBA.

I can successfully join my windows server to the domain using the samba administrator credentials.
I can successfully login to the windows server using the samba administrator credentials and I get the correct home directory mounted on my H: drive.

However, I am unable to login as a user from the LDAP database at the windows login screen.
I get the following message from windows:
The system cannot log you on due to the following error:
A device attached to the system is not functioning.


This is very strange because, if I login locally to the windows server and browse to the samba server in Windows Explorer, I can click on the server and it will ask me for a user name and password. If I put in any username and password from the LDAP database, I can see the contents of the server applicable to that user. I even get the correct home directory (shown in Network Places but not mounted on H:) and permissions!

I would really appreciate some help here. This is a very frustrating problem and no amount of googling has produced the solution.

Sincerely
Tristan

p.s. I am posting this here because the SAMBA mailing list keeps bouncing it.

p.p.s. Another weird phenomenon has arisen in the last two days. I can join the domain using the SAMBA administrator's credentials from only two machines. None of the other machines I have tried will join. They all give me a message saying cannot find user.
 
Old 10-20-2007, 06:09 AM   #2
jschiwal
Enter the exact error message in Google surrounded in double quotes.
 
Old 10-21-2007, 03:46 AM   #3
tristanm
Original Poster
Been there, done that. There are a large number of solutions returned by google, none of which apply to this specific situation. I have tried most of them and none of them work for me. I spent approximately three days trying to solve this problem by following tutorials and suggested solutions returned by googling the error.

It seems that SAMBA is not using the LDAP database correctly and I suspect that this is a problem with my SAMBA configuration file. I will post my samba configuration file here when I return to work tomorrow.
 
Old 10-21-2007, 07:07 AM   #4
jschiwal
Look for a samba-doc package. The "Samba-3 By Example" and "Samba 3 Howto & Reference Guide" books cover LDAP. Look at the troubleshooting section as well.
 
Old 10-23-2007, 06:18 AM   #5
tristanm
Original Poster
I have not found anything in the SAMBA manuals, books or troubleshooting sections that will help me.

smb.conf

Code:
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2007/10/22 16:07:42

[global]
	workgroup = SAMBA
	server string = Samba Server
	interfaces = eth0, lo
	bind interfaces only = Yes
	passdb backend = ldapsam:ldap://example.com/
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	unix password sync = Yes
	log file = /var/log/samba/%m.log
	max log size = 50
	time server = Yes
	add user script = /usr/local/sbin/smbldap-useradd -m '%u'
	delete user script = /usr/local/sbin/smbldap-userdel %u
	add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
	delete group script = /usr/local/sbin/smbldap-groupdel '%g'
	add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
	delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
	set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
	add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u
	logon path = \\%L\%U\profile
	logon drive = H:
	logon home = \\%L\%U
	domain logons = Yes
	os level = 35
	preferred master = Yes
	domain master = Yes
	dns proxy = No
	ldap admin dn = cn=admin,dc=example,dc=com
	ldap group suffix = ou=groups
	ldap machine suffix = ou=computers
	ldap passwd sync = Yes
	ldap suffix = dc=example,dc=com
	ldap ssl = start tls
	ldap user suffix = ou=People
	hosts allow = 192.168.1.0/24, 127.0.0.0/8
	hosts deny = ALL

[homes]
	comment = Home Directories
	read only = No
	browseable = No

[netlogon]
	comment = Domain logon
	path = /var/lib/samba/netlogon
	guest ok = Yes
	hosts allow = 
	hosts deny = 

[share]
	comment = Domain logon
	path = /var/lib/samba/netlogon
	guest ok = Yes
	hosts allow = 
	hosts deny =
Using tcpdump to dump port 445 during an attempted domain login gives output which doesn't make sense (I think it's encrypted). Dumping port 139 shows nothing.

The samba message log for the host I am trying to login from shows the following:
Code:
_net_sam_logon: user username has user sid S-1-5-21-1121210806-1153956821-1881123185
   but group sid S-1-5-21-1121210806-1153956821-1881123185-513.
  The conflicting domain portions are not supported for NETLOGON calls
The samba server daemon message log shows:
Code:
[2007/10/23 12:01:47, 0] lib/util_sock.c:get_peer_addr(1229)
  getpeername failed. Error was Transport endpoint is not connected
I have spent many hours googling all of these error messages and have not yet found a solution that works for me. Please, I would really appreciate some help. It seems that there is a problem writing to disk or reading the LDAP database or maybe even writing to the LDAP database...
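The _net_sam_logon line quoted above is worth reading literally. The user SID it prints is S-1-5-21 followed by three sub-authorities, which is the shape of a bare domain SID, while the group SID carries a fourth component, the RID 513 (Domain Users). Samba builds the "domain portion" it complains about by peeling the last component off each SID, so a user whose sambaSID has no RID appears to live in a different domain from its own primary group. The Python script below is an added illustration written for this page; it is not code from the thread or from Samba. It parses such a log message, shows what Samba ends up comparing, and classifies the mismatch. The sample log text is constructed from the message quoted in the post.

```python
import re

# Constructed sample, modelled on the smbd log excerpt quoted in the post above.
SAMPLE_LOG = """\
_net_sam_logon: user username has user sid S-1-5-21-1121210806-1153956821-1881123185
   but group sid S-1-5-21-1121210806-1153956821-1881123185-513.
  The conflicting domain portions are not supported for NETLOGON calls
"""

LOG_RE = re.compile(r"user sid (S-[\d-]+)\s+but group sid (S-[\d-]+)\.")


def parse_net_sam_logon(text):
    """Pull the user and group SIDs out of a _net_sam_logon complaint.
    Returns (user_sid, group_sid) or None if the message is not present."""
    m = LOG_RE.search(text)
    return (m.group(1), m.group(2)) if m else None


def split_sid(sid):
    """Split a domain-relative SID into (domain_sid, rid).

    A domain SID is S-1-5-21-A-B-C (three sub-authorities after the 21); an
    account SID appends exactly one more sub-authority, the RID. A SID with
    only three sub-authorities is therefore a domain SID with no RID at all,
    and rid is returned as None.
    """
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or not all(p.isdigit() for p in parts[4:]):
        raise ValueError(f"not a domain-relative SID: {sid}")
    sub = parts[4:]
    if len(sub) == 3:
        return sid, None
    if len(sub) == 4:
        return "-".join(parts[:7]), int(sub[3])
    raise ValueError(f"unexpected number of sub-authorities: {sid}")


def domain_portion(sid):
    """What Samba actually compares: the SID with its final component removed.
    For a proper account SID that yields the domain SID; for a bare domain SID
    it yields a truncated prefix, which is why the two 'domain portions' in the
    sample disagree even though both SIDs start with the same digits."""
    return sid.rsplit("-", 1)[0]


def diagnose(user_sid, group_sid):
    """Classify the pair: 'missing-rid', 'domain-mismatch' or 'ok'."""
    user_dom, user_rid = split_sid(user_sid)
    group_dom, group_rid = split_sid(group_sid)
    if user_rid is None or group_rid is None:
        return "missing-rid"
    if user_dom != group_dom:
        return "domain-mismatch"
    return "ok"


def diagnose_log(text):
    """Parse a log excerpt and report both SIDs, Samba's view of their domain
    portions, and the verdict; None if the message is absent."""
    sids = parse_net_sam_logon(text)
    if sids is None:
        return None
    user_sid, group_sid = sids
    return {
        "user_sid": user_sid,
        "group_sid": group_sid,
        "samba_user_domain": domain_portion(user_sid),
        "samba_group_domain": domain_portion(group_sid),
        "verdict": diagnose(user_sid, group_sid),
    }


if __name__ == "__main__":
    for key, value in diagnose_log(SAMPLE_LOG).items():
        print(f"{key:>18}: {value}")
```

When the verdict is "missing-rid", the thing to compare is the user's sambaSID attribute in LDAP (for example with ldapsearch against the ou=People subtree) against the domain SID that net getlocalsid prints: a correct entry is that domain SID with a RID appended, not the domain SID on its own.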
 
Old 10-26-2007, 05:04 PM   #6
zen0n
I think your best bet would be to reconfigure samba and smbldap-tools packages to not use any kind of encryption when talking to your ldap server. It's far easier to troubleshoot when the data is in the clear. You can always enable encryption later.

Also, I'm going to assume in your smb.conf the line

passdb backend = ldapsam:ldap://example.com/

was you just hiding the true name of your ldap server. If not, that needs to get fixed asap.

After that I would watch both the ldap logs and traffic to see what happens when samba tries to talk to ldap.

zen0n
 
Old 10-27-2007, 06:49 AM   #7
tristanm
Original Poster
Hi zen0n

Yes: example.com is simply hiding the name of my ldap server. SAMBA can communicate with the LDAP server because I can authenticate with LDAP credentials when viewing the Samba server from Network Neighbourhood on another Windows machine.
The problem arises when I try and log on to the domain using LDAP credentials.

I have tried without encryption but I still seem to get the same problem. I don't really need encryption since both the SAMBA server and the LDAP server run on the same host.

I never thought of looking at the LDAP logs. I will give that a try next week.

A note: I am also exporting the home directories with NFS for the linux boxes on my network. Yesterday I tried turning the NFS server off and then logging into the SAMBA domain and I still get the same error message: A device attached to the system is not functioning.
 
Old 10-27-2007, 07:21 AM   #8
jschiwal
This seems out of place if you are using ldap:
Code:
	passwd program = /usr/bin/passwd %u
Also, this samba.org mailing list has a user with 2 of your errors. The problem in that case is with some mappings.
http://lists.samba.org/archive/samba...il/084342.html

----

Maybe this explains why (from the smbldap-tools.pdf):
Code:
6.8   The directive passwd program = /usr/local/sbin/smbldap-passwd -u %u
      is not called, or i got a error message when changing the password
      from windows
The directive is called if you also set unix password sync = Yes. Notes:
   • if you use OpenLDAP, none of those two options are needed. You just need ldap
     passwd sync = Yes.
   • the script called here must only update the userPassword attribute. This is the reason
     of the -u option. Samba passwords will be updated by samba itself.
   • the passwd chat directive must match what is prompted when using the smbldap-passwd
     command

Last edited by jschiwal; 10-27-2007 at 07:51 AM.
 
Old 11-15-2007, 01:43 AM   #9
tristanm
Original Poster
I've changed the password program. In fact, because I am using OpenLDAP I have removed the directive completely, according to the second part of jschiwal's reply. I have also removed the unix password sync directive, and the ldap password sync was always set to yes.

Here is the new version of the config file:

Code:
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2007/11/15 08:10:22

[global]
	workgroup = SAMBA
	netbios name = TANGO
	server string = Samba Server
	passdb backend = ldapsam:ldap://192.168.1.11/
	pam password change = Yes
	log file = /var/log/samba/%m.log
	max log size = 50
	add user script = /usr/local/sbin/smbldap-useradd -m '%u'
	delete user script = /usr/local/sbin/smbldap-userdel %u
	add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
	delete group script = /usr/local/sbin/smbldap-groupdel '%g'
	add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
	delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
	set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
	add machine script = /usr/local/sbin/smbldap-useradd -t 0 -w "%u"
	logon drive = H:
	domain logons = Yes
	os level = 65
	preferred master = Yes
	domain master = Yes
	dns proxy = No
	ldap admin dn = cn=admin,dc=tmi
	ldap group suffix = ou=groups
	ldap machine suffix = ou=computers
	ldap passwd sync = Yes
	ldap suffix = dc=tmi
	ldap ssl = start tls
	ldap user suffix = ou=People

[homes]
	comment = Home Directories
	read only = No
	browseable = No

[netlogon]
	comment = Domain logon
	path = /var/lib/samba/netlogon
	browseable = No

[share]
	comment = Shared directory
	path = /home/share
	guest ok = Yes
I cannot find the database file group_mapping.tdb mentioned here: http://lists.samba.org/archive/samba...il/084342.html

The error message has changed! I now get:
Quote:
The system could not log you on. Make sure that your User name and domain are correct, then type your password again.
When I try to change the password on the Samba server using the following command:
Code:
smbpasswd username
I get the following error message:
Quote:
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 1 try!
So it seems that Samba is failing to connect to LDAP using TLS. When I set:
Code:
ldap ssl = no
the system gives me my original error message about a device attached to the system not functioning.

Do I need to tell Samba where the ldap server certificate is? How do I do that?
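The advice in this thread can be turned into a check that runs against the file itself. The Python script below is an added example written for this page, not code from the thread or from Samba. It parses an smb.conf and flags the points raised above: an example.com placeholder in passdb backend (zen0n's point), a passwd program / unix password sync pair that the smbldap-tools manual says OpenLDAP users do not need once ldap passwd sync = Yes is set (jschiwal's point), and the last question about the server certificate. On that question: Samba's ldapsam backend talks to the directory through the OpenLDAP client library, so with ldap ssl = start tls the CA certificate is not named in smb.conf at all but in that library's ldap.conf (the TLS_CACERT directive, /etc/openldap/ldap.conf on RHEL). The same file drives ldapsearch -ZZ, which is the quickest way to reproduce a "Failed to issue the StartTLS instruction" outside Samba; if ldapsearch -ZZ fails too, the fix belongs in ldap.conf, not in smb.conf. The sample config is constructed from the LDAP-related lines of the first smb.conf posted in this thread.

```python
import re

# Constructed sample: the LDAP-related lines of the first smb.conf posted in
# this thread (example.com is the poster's placeholder for the real host).
# The 'ldap admin dn' bind password never lives in smb.conf (it is stored with
# 'smbpasswd -w'), so there is nothing secret in this text.
SAMPLE_SMB_CONF = """\
# Samba config file created using SWAT
[global]
\tworkgroup = SAMBA
\tpassdb backend = ldapsam:ldap://example.com/
\tpam password change = Yes
\tpasswd program = /usr/bin/passwd %u
\tunix password sync = Yes
\tldap admin dn = cn=admin,dc=example,dc=com
\tldap suffix = dc=example,dc=com
\tldap passwd sync = Yes
\tldap ssl = start tls

[homes]
\tcomment = Home Directories
\tread only = No
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def norm(name):
    """Samba matches parameter names and keyword values ignoring case and
    embedded whitespace, so 'Passdb Backend' and 'passdbbackend' are equal."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers, 'key = value' lines and
    '#' / ';' comments. Returns {section: {normalised key: raw value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][norm(key)] = value.strip()
    return conf


def ldap_host(backend):
    """Host part of an 'ldapsam:ldap://host[:port]/' backend string, or None."""
    m = re.match(r"ldapsam:ldaps?://([^/:]+)", backend)
    return m.group(1).lower() if m else None


def lint_ldap_settings(conf):
    """Return [(code, message)] for the issues discussed in this thread."""
    g = conf.get("global", {})
    backend = g.get("passdbbackend", "")
    if not backend.startswith("ldapsam:"):
        return []  # the checks below only make sense for an LDAP backend
    findings = []
    host = ldap_host(backend)
    if host is None or host == "example.com" or host.endswith(".example.com"):
        findings.append(("placeholder-ldap-host",
                         f"passdb backend '{backend}' does not name a real directory server"))
    if "passwdprogram" in g or norm(g.get("unixpasswordsync", "")) == "yes":
        findings.append(("redundant-passwd-sync",
                         "with OpenLDAP only 'ldap passwd sync = Yes' is needed; "
                         "drop 'passwd program' and 'unix password sync'"))
    if norm(g.get("ldappasswdsync", "")) != "yes":
        findings.append(("ldap-passwd-sync-off",
                         "set 'ldap passwd sync = Yes' so password changes reach LDAP"))
    if norm(g.get("ldapssl", "")) == "starttls":
        findings.append(("tls-ca-from-ldap.conf",
                         "StartTLS is verified by the OpenLDAP client library: point "
                         "TLS_CACERT in ldap.conf at the CA that signed the server cert"))
    elif host not in LOOPBACK:
        findings.append(("ldap-cleartext",
                         "ldap ssl is off and the server is not loopback: the 'ldap admin dn' "
                         "bind password would cross the network in clear"))
    return findings


if __name__ == "__main__":
    for code, message in lint_ldap_settings(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"{code}: {message}")
```

The cleartext finding is deliberately silent for a loopback URL: when directory and Samba share a host, as they do here, ldap://127.0.0.1/ states that fact in the config and keeps the bind password off the wire without needing TLS at all. When TLS is wanted, prefer fixing TLS_CACERT over relaxing TLS_REQCERT, since the latter disables the certificate check rather than making it pass.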
 
  

