LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 12-29-2009, 01:05 PM   #1
CNBarnes
Samba authentication from openLdap


I really hope someone can help me with this. I recently migrated my servers to new hardware, and everything is working EXCEPT getting samba to authenticate correctly from the Ldap server.

The error I am getting in the /var/log/samba/log.machinename is:
Quote:
[2009/12/29 12:57:03, 2] lib/smbldap.c:smbldap_open_connection(796)
smbldap_open_connection: connection opened
[2009/12/29 12:57:03, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
init_sam_from_ldap: Entry found for user: cbarnes
[2009/12/29 12:57:03, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
init_group_from_ldap: Entry found for group: 503
[2009/12/29 12:57:03, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
init_group_from_ldap: Entry found for group: 503
[2009/12/29 12:57:03, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
init_group_from_ldap: Entry found for group: 1072
[2009/12/29 12:57:03, 2] auth/auth.c:check_ntlm_password(308)
check_ntlm_password: authentication for user [cbarnes] -> [cbarnes] -> [cbarnes] succeeded
[2009/12/29 12:57:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
init_sam_from_ldap: Entry found for user: cbarnes
[2009/12/29 12:57:04, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
init_group_from_ldap: Entry found for group: 503
[2009/12/29 12:57:04, 0] passdb/passdb.c:lookup_global_sam_name(595)
User cbarnes with invalid SID S-1-5-21-2155476239-1178794481-2882495138 in passdb
[2009/12/29 12:57:04, 2] smbd/service.c:make_connection_snum(740)
user 'cbarnes' (from session setup) not permitted to access this share (cbarnes)

* Samba and OpenLdap are not on the same box.
* both are running Debian

The /etc/samba/smb.conf file is:

Quote:
[global]
## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = Physics

# server string is the equivalent of the NT Description field
# server string = %h server
server string = Samba
netbios name = Samba
log level = 2

# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
#; bind interfaces only = true


####### Authentication #######

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
# security = user
# security = server
password server = LDAP

# You may wish to use password encryption. See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
passdb backend = tdbsam
passdb backend = ldapsam:ldap://ldap.physics.tamu.edu
ldap server = ldap.physics.tamu.edu
ldap suffix = dc=physics,dc=tamu,dc=edu
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
idmap backend = "ldap://ldap.physics.tamu.edu"
idmap gid = 500-20000
idmap uid = 500-20000
ldap admin dn = cn=Admin,dc=physics,dc=tamu,dc=edu
ldap ssl = off

obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
; unix password sync = no

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *$

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
; pam password change = no
 
Old 12-29-2009, 01:32 PM   #2
CNBarnes

More information: now this is interesting. I only get this error when I attempt to connect to the \\samba\userid share. But a share explicitly defined connects perfectly. More of the smb.conf file:

Quote:
#======================= Share Definitions =======================

[homes]
comment = Home Directories
browseable = no

# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
writable = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0744
force create mode = 0744

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0755
force directory mask = 0755

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
valid users = %S
follow symlinks = yes

# User group shares

[SuperSecret$]
path = /home/workinggroups/supersecret
public = no
writable = yes
force directory mode = 2775
force create mode = 2774
valid users = @somegroup
write list = @somegroup
guest ok = no

In other words, I cannot connect to \\samba\userid, but I CAN connect to \\samba\supersecret$.
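A note on what the two posts together show, followed by a diagnostic added here (it is not from the thread and not Samba project code). The log in the first post gets past check_ntlm_password and only fails in lookup_global_sam_name, which rejects a passdb user whose SID does not lie in the server's own domain (the SID printed by `net getlocalsid`). The second post fits that: the [homes] share uses `valid users = %S`, so Samba must map the share name back to a user SID, while the [SuperSecret$] share only needs a group membership check. A server rebuilt without its old secrets.tdb gets a fresh local SID, which is a common reason for the stored sambaSID values in LDAP to turn "invalid" after a hardware migration. The smb.conf also sets `passdb backend` twice; the later `ldapsam:` line is the one in effect, which the pdb_ldap lines in the log confirm. The script below pulls the complained-about SIDs out of log text and compares their domain part with a local SID passed as an argument. The sample log reuses the line from the thread plus one constructed line whose SID carries a trailing RID; both local SID values in the script are constructed placeholders (the logged SID itself has only three sub-authority values, so it is treated as a domain SID).

```shell
#!/bin/sh
# Added diagnostic example (not from the thread or from Samba).
# Samba 3 only accepts a passdb user whose SID lies in this server's own
# domain, i.e. whose domain part equals the SID printed by `net getlocalsid`.
# A server rebuilt without its old secrets.tdb gets a fresh local SID, so
# every sambaSID still stored in LDAP under the old SID becomes "invalid".

# Log text to analyse. The first complaint is the one from the thread; the
# second is a constructed line showing a user SID with a trailing RID.
SAMPLE_LOG='[2009/12/29 12:57:04, 0] passdb/passdb.c:lookup_global_sam_name(595)
User cbarnes with invalid SID S-1-5-21-2155476239-1178794481-2882495138 in passdb
[2009/12/29 12:57:05, 0] passdb/passdb.c:lookup_global_sam_name(595)
User alice with invalid SID S-1-5-21-2155476239-1178794481-2882495138-1002 in passdb'

# Constructed placeholder standing in for `net getlocalsid` output on a
# server whose SID changed after the hardware migration.
NEW_LOCAL_SID='S-1-5-21-111111111-222222222-333333333'
# The domain SID the LDAP entries were created under (domain part of the
# SID Samba logged).
OLD_LOCAL_SID='S-1-5-21-2155476239-1178794481-2882495138'

# sid_domain_part SID
# Print the domain portion of a SID. S-1-5-21-A-B-C-RID loses its RID;
# a SID that already has only three sub-authorities is printed unchanged.
sid_domain_part() {
  printf '%s\n' "$1" | awk -F'-' '
    NF == 8 { printf "%s-%s-%s-%s-%s-%s-%s\n", $1, $2, $3, $4, $5, $6, $7; next }
    { print }'
}

# invalid_sids LOGTEXT
# Print "user sid" for every lookup_global_sam_name complaint in LOGTEXT.
invalid_sids() {
  printf '%s\n' "$1" |
    sed -n 's/^User \([^ ]*\) with invalid SID \(S-[0-9-]*\) in passdb.*/\1 \2/p'
}

# report_sids LOGTEXT LOCALSID
# One line per complaint: "user sid ok" when the SID's domain part matches
# LOCALSID, "user sid mismatch" otherwise.
report_sids() {
  invalid_sids "$1" | while read -r user sid; do
    if [ "$(sid_domain_part "$sid")" = "$2" ]; then
      printf '%s %s ok\n' "$user" "$sid"
    else
      printf '%s %s mismatch\n' "$user" "$sid"
    fi
  done
}

# count_mismatches LOGTEXT LOCALSID
# Print the number of reported SIDs that do not belong to LOCALSID.
count_mismatches() {
  report_sids "$1" "$2" | awk '/ mismatch$/ { n++ } END { print n + 0 }'
}

echo "Checking against the new local SID ($NEW_LOCAL_SID):"
report_sids "$SAMPLE_LOG" "$NEW_LOCAL_SID"
echo "Checking against the SID the entries were created under ($OLD_LOCAL_SID):"
report_sids "$SAMPLE_LOG" "$OLD_LOCAL_SID"
```

On the real server the two inputs come from the log and from Samba itself, for example `report_sids "$(cat /var/log/samba/log.machinename)" "$(net getlocalsid | awk '{print $NF}')"` (`net getlocalsid` prints the SID as the last word of its one output line). If every entry reports a mismatch against the same old domain SID, the server's SID changed rather than the directory data: restoring the previous SID with `net setlocalsid` (and making sure the sambaDomainName entry in LDAP carries the same sambaSID) brings the stored user SIDs back into the server's domain without rewriting every account.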