LinuxQuestions.org - Linux - Server
Samba authentication from openLdap (https://www.linuxquestions.org/questions/linux-server-73/samba-authentication-from-openldap-778734/)

CNBarnes 12-29-2009 01:05 PM

Samba authentication from openLdap
 
I really hope someone can help me with this. I recently migrated my servers to new hardware, and everything is working EXCEPT getting samba to authenticate correctly from the Ldap server.

The error I am getting in the /var/log/samba/log.machinename is:
Quote:

[2009/12/29 12:57:03, 2] lib/smbldap.c:smbldap_open_connection(796)
smbldap_open_connection: connection opened
[2009/12/29 12:57:03, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
init_sam_from_ldap: Entry found for user: cbarnes
[2009/12/29 12:57:03, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
init_group_from_ldap: Entry found for group: 503
[2009/12/29 12:57:03, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
init_group_from_ldap: Entry found for group: 503
[2009/12/29 12:57:03, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
init_group_from_ldap: Entry found for group: 1072
[2009/12/29 12:57:03, 2] auth/auth.c:check_ntlm_password(308)
check_ntlm_password: authentication for user [cbarnes] -> [cbarnes] -> [cbarnes] succeeded
[2009/12/29 12:57:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
init_sam_from_ldap: Entry found for user: cbarnes
[2009/12/29 12:57:04, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
init_group_from_ldap: Entry found for group: 503
[2009/12/29 12:57:04, 0] passdb/passdb.c:lookup_global_sam_name(595)
User cbarnes with invalid SID S-1-5-21-2155476239-1178794481-2882495138 in passdb
[2009/12/29 12:57:04, 2] smbd/service.c:make_connection_snum(740)
user 'cbarnes' (from session setup) not permitted to access this share (cbarnes)

* Samba and OpenLdap are not on the same box.
* both are running Debian

The /etc/samba/smb.conf file is:

Quote:

[global]
## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = Physics

# server string is the equivalent of the NT Description field
# server string = %h server
server string = Samba
netbios name = Samba
log level = 2

# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
#; bind interfaces only = true


####### Authentication #######

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
# security = user
# security = server
password server = LDAP

# You may wish to use password encryption. See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
passdb backend = tdbsam
passdb backend = ldapsam:ldap://ldap.physics.tamu.edu
ldap server = ldap.physics.tamu.edu
ldap suffix = dc=physics,dc=tamu,dc=edu
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
idmap backend = "ldap://ldap.physics.tamu.edu"
idmap gid = 500-20000
idmap uid = 500-20000
ldap admin dn = cn=Admin,dc=physics,dc=tamu,dc=edu
ldap ssl = off

obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
; unix password sync = no

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *$

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
; pam password change = no
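Added example, not code from the post or from Samba: the SID in the log line above, S-1-5-21-2155476239-1178794481-2882495138, has the shape of a domain SID (S-1-5-21 followed by exactly three sub-authorities) with no trailing RID, whereas a per-account sambaSID carries one more component. The Python script below pulls the "invalid SID" lines out of a log excerpt built from the one quoted above (the second user, alice, and her SID S-1-5-21-111-222-333-3004 are constructed) and classifies each SID as missing its RID, belonging to a different domain prefix than expected, or well formed. The expected domain SID is assumed to be whatever `net getlocalsid` reports on the Samba host, which is the prefix every sambaSID stored in LDAP must share.

```python
import re

# Constructed sample: the smbd lines quoted in the post plus one extra
# "invalid SID" line for a hypothetical user "alice" from another domain.
SAMPLE_LOG = """\
[2009/12/29 12:57:03, 2] auth/auth.c:check_ntlm_password(308)
  check_ntlm_password: authentication for user [cbarnes] -> [cbarnes] -> [cbarnes] succeeded
[2009/12/29 12:57:04, 0] passdb/passdb.c:lookup_global_sam_name(595)
  User cbarnes with invalid SID S-1-5-21-2155476239-1178794481-2882495138 in passdb
[2009/12/29 12:57:04, 0] passdb/passdb.c:lookup_global_sam_name(595)
  User alice with invalid SID S-1-5-21-111-222-333-3004 in passdb
[2009/12/29 12:57:04, 2] smbd/service.c:make_connection_snum(740)
  user 'cbarnes' (from session setup) not permitted to access this share (cbarnes)
"""

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
INVALID_SID_LINE = re.compile(r"User (\S+) with invalid SID (\S+) in passdb")


def parse_sid(sid):
    """Split 'S-R-A-s1-s2-...' into (revision, authority, [sub-authorities]); None if malformed."""
    m = SID_RE.match(sid)
    if not m:
        return None
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    return revision, authority, subs


def domain_part(sid):
    """Return the S-1-5-21-A-B-C prefix of a domain-style SID, or None if it has none."""
    parsed = parse_sid(sid)
    if parsed is None:
        return None
    _, authority, subs = parsed
    if authority != 5 or len(subs) < 4 or subs[0] != 21:
        return None
    return "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])


def classify_sid(sid, expected_domain_sid=None):
    """Classify an account SID as seen in a passdb entry.

    'missing-rid'     : S-1-5-21-A-B-C only, i.e. a domain SID stored where an
                        account SID (domain SID + RID) belongs
    'domain-mismatch' : well-formed, but its prefix is not expected_domain_sid
                        (the value 'net getlocalsid' prints on the Samba host)
    'ok'              : domain SID + one RID, prefix matches (or no prefix given)
    """
    parsed = parse_sid(sid)
    if parsed is None:
        return "malformed"
    revision, authority, subs = parsed
    if revision != 1 or authority != 5 or not subs or subs[0] != 21:
        return "not-a-domain-account-sid"  # e.g. S-1-5-32-544, a builtin alias
    if len(subs) == 4:
        return "missing-rid"
    if len(subs) != 5:
        return "malformed"
    if expected_domain_sid is not None and domain_part(sid) != expected_domain_sid:
        return "domain-mismatch"
    return "ok"


def find_invalid_sid_entries(log_text, expected_domain_sid=None):
    """Return [(user, sid, classification)] for every 'invalid SID' line in a log."""
    findings = []
    for line in log_text.splitlines():
        m = INVALID_SID_LINE.search(line)
        if m:
            user, sid = m.group(1), m.group(2)
            findings.append((user, sid, classify_sid(sid, expected_domain_sid)))
    return findings


if __name__ == "__main__":
    # Assumed local domain SID; on a real host take it from 'net getlocalsid'.
    local_sid = "S-1-5-21-2155476239-1178794481-2882495138"
    for user, sid, verdict in find_invalid_sid_entries(SAMPLE_LOG, local_sid):
        print(f"{user:10s} {sid:45s} {verdict}")
```

Run against a real log the script only needs the log path swapped in; the classification tells you whether to look at the sambaSID attribute of the affected LDAP entries (missing RID) or at the Samba host's own domain SID versus the prefix stored in LDAP (domain mismatch, the situation a hardware migration can produce when the new server generated a fresh local SID).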

CNBarnes 12-29-2009 01:32 PM

More information: now this is interesting. I only get this error when I attempt to connect to the \\samba\userid share. But a share explicitly defined connects perfectly. More of the smb.conf file:

Quote:

#======================= Share Definitions =======================

[homes]
comment = Home Directories
browseable = no

# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
writable = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0744
force create mode = 0744

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0755
force directory mask = 0755

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
valid users = %S
follow symlinks = yes

# User group shares

[SuperSecret$]
path = /home/workinggroups/supersecret
public = no
writable = yes
force directory mode = 2775
force create mode = 2774
valid users = @somegroup
write list = @somegroup
guest ok = no

In other words, I cannot connect to \\samba\userid, but I CAN connect to \\samba\supersecret$.
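Added example, not code from the post or from Samba: a small Python parser for smb.conf excerpts (the configuration text embedded in it is constructed from the fragments quoted in this thread). It makes two things visible that are easy to miss when reading the file by hand: [global] assigns `passdb backend` twice and smbd keeps the last value it reads, and `valid users = %S` in [homes] expands to the connecting user's own name, so admitting cbarnes to \\samba\cbarnes requires a user-by-name lookup (the lookup_global_sam_name step that reports the invalid SID in the log), while \\samba\SuperSecret$ only needs a membership check against @somegroup. The share-selection logic is a simplification of smbd's [homes] handling, not its actual code.

```python
import re

# Constructed smb.conf excerpt assembled from the fragments quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = Physics
   # the first setting is shadowed by the second: smbd keeps the last value read
   passdb backend = tdbsam
   passdb backend = ldapsam:ldap://ldap.physics.tamu.edu
   ; interfaces = 127.0.0.0/8 eth0

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   valid users = %S

[SuperSecret$]
   path = /home/workinggroups/supersecret
   public = no
   valid users = @somegroup
   write list = @somegroup
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_smb_conf(text):
    """Parse smb.conf text into ({section: {key: value}}, {section: [duplicated keys]}).

    Both '#' and ';' start a comment. A key assigned twice in one section keeps
    the later value and is reported in the duplicates map so an admin can spot
    the shadowed line (here: 'passdb backend = tdbsam').
    """
    sections, duplicates, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in sections[current]:
            duplicates.setdefault(current, []).append(key)
        sections[current][key] = value
    return sections, duplicates


def find_share(sections, requested, username):
    """Return (section name, params) serving a \\\\server\\requested connection.

    An explicitly defined section wins (share names compare case-insensitively);
    otherwise a request for the session user's own name is served by [homes].
    Simplified: real smbd also checks that the name is an existing account.
    """
    for name, params in sections.items():
        if name.lower() != "homes" and name.lower() == requested.lower():
            return name, params
    if "homes" in sections and requested.lower() == username.lower():
        return "homes", sections["homes"]
    return None, None


def effective_valid_users(sections, requested, username):
    """Expand 'valid users' for one connection: %S -> share name, %U -> session user.

    Entries are tagged 'group' (leading @, + or &) or 'user', which is the
    difference between needing a group-membership check and needing the user
    looked up by name in the passdb.
    """
    section, params = find_share(sections, requested, username)
    if section is None:
        return None
    share_name = username if section == "homes" else section  # %S for [homes] is the user
    raw = params.get("valid users", "").replace("%S", share_name).replace("%U", username)
    entries = []
    for token in raw.replace(",", " ").split():
        if token[0] in "@+&":
            entries.append(("group", token.lstrip("@+&")))
        else:
            entries.append(("user", token))
    return entries


if __name__ == "__main__":
    sections, dups = parse_smb_conf(SAMPLE_SMB_CONF)
    print("effective passdb backend:", sections["global"]["passdb backend"])
    print("duplicated keys:", dups)
    for share in ("cbarnes", "SuperSecret$"):
        print(share, "->", effective_valid_users(sections, share, "cbarnes"))
```

The parser treats `#; bind interfaces only = true` and `; interfaces = ...` as comments, so the [global] result contains only the keys smbd would actually apply; `testparm` on the Samba host gives the authoritative view of the same merged configuration.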

