CNBarnes
12-29-2009 01:05 PM
Samba authentication from OpenLDAP
I really hope someone can help me with this. I recently migrated my servers to new hardware, and everything is working EXCEPT getting Samba to authenticate correctly from the LDAP server.
The error I am getting in /var/log/samba/log.machinename is:
Quote:
[2009/12/29 12:57:03, 2] lib/smbldap.c:smbldap_open_connection(796)
smbldap_open_connection: connection opened
[2009/12/29 12:57:03, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
init_sam_from_ldap: Entry found for user: cbarnes
[2009/12/29 12:57:03, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
init_group_from_ldap: Entry found for group: 503
[2009/12/29 12:57:03, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
init_group_from_ldap: Entry found for group: 503
[2009/12/29 12:57:03, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
init_group_from_ldap: Entry found for group: 1072
[2009/12/29 12:57:03, 2] auth/auth.c:check_ntlm_password(308)
check_ntlm_password: authentication for user [cbarnes] -> [cbarnes] -> [cbarnes] succeeded
[2009/12/29 12:57:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
init_sam_from_ldap: Entry found for user: cbarnes
[2009/12/29 12:57:04, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
init_group_from_ldap: Entry found for group: 503
[2009/12/29 12:57:04, 0] passdb/passdb.c:lookup_global_sam_name(595)
User cbarnes with invalid SID S-1-5-21-2155476239-1178794481-2882495138 in passdb
[2009/12/29 12:57:04, 2] smbd/service.c:make_connection_snum(740)
user 'cbarnes' (from session setup) not permitted to access this share (cbarnes)
* Samba and OpenLdap are not on the same box.
* both are running Debian
The /etc/samba/smb.conf file is:
Quote:
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will be part of
workgroup = Physics
# server string is the equivalent of the NT Description field
# server string = %h server
server string = Samba
netbios name = Samba
log level = 2
# This will prevent nmbd from searching for NetBIOS names through DNS.
dns proxy = no
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0
# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
#; bind interfaces only = true
####### Authentication #######
# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
# security = user
# security = server
password server = LDAP
# You may wish to use password encryption. See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
encrypt passwords = true
# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
passdb backend = tdbsam
passdb backend = ldapsam:ldap://ldap.physics.tamu.edu
ldap server = ldap.physics.tamu.edu
ldap suffix = dc=physics,dc=tamu,dc=edu
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
idmap backend = "ldap://ldap.physics.tamu.edu"
idmap gid = 500-20000
idmap uid = 500-20000
ldap admin dn = cn=Admin,dc=physics,dc=tamu,dc=edu
ldap ssl = off
obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
; unix password sync = no
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *$
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
; pam password change = no
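The decisive line in the log above is the one from passdb/passdb.c:lookup_global_sam_name: Samba accepts a sambaSID from ldapsam only when the SID, with its last component (the RID) removed, equals the server's own domain SID, the value `net getlocalsid` prints on the Samba box. A server rebuilt on new hardware usually has a freshly generated SID in its new secrets.tdb, so every sambaSID carried over in LDAP fails that comparison. The following is an added example, not code from the post, the poster, or the Samba project: it pulls the rejected SID out of the posted log line and reproduces the check against a local SID. The local SID in it is a constructed placeholder, not the poster's real `net getlocalsid` output, and the "noise" log line in the usage block is constructed too.

```python
"""Reproduce Samba's "invalid SID in passdb" check against a local domain SID.

Added example, not part of the forum post. Samba 3's lookup_global_sam_name()
logs "User X with invalid SID S-... in passdb" when the domain part of the
user's sambaSID (the SID with its last component, the RID, removed) is not the
server's own domain SID, which `net getlocalsid` prints. Assumption: the local
SID below is a constructed placeholder, not the poster's real value.
"""
import re

# Copied from the post's log.machinename.
POSTED_LOG_LINE = ("User cbarnes with invalid SID "
                   "S-1-5-21-2155476239-1178794481-2882495138 in passdb")

# Constructed: a plausible freshly generated SID on the rebuilt server.
CONSTRUCTED_LOCAL_SID = "S-1-5-21-3318414283-1044208394-1705983415"

INVALID_SID_RE = re.compile(
    r"User (?P<user>\S+) with invalid SID (?P<sid>S-1-5-21(?:-\d+)+) in passdb")
SID_RE = re.compile(r"^S-1-5-21(?:-\d+)+$")


def parse_invalid_sid(line):
    """Return (user, sid) from an 'invalid SID' log line, or None for other lines."""
    m = INVALID_SID_RE.search(line)
    return (m.group("user"), m.group("sid")) if m else None


def split_rid(sid):
    """Split a SID into (domain part, RID), as Samba's sid_split_rid() does."""
    if not SID_RE.match(sid):
        raise ValueError("not an NT domain SID: %r" % sid)
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def diagnose(user_sid, local_sid):
    """Decide whether Samba would accept user_sid as belonging to local_sid.

    Returns (ok, reason). A well-formed account SID is S-1-5-21-A-B-C-RID
    (four sub-authorities after 21); S-1-5-21-A-B-C alone is a domain SID.
    """
    if not SID_RE.match(local_sid):
        raise ValueError("local SID malformed: %r" % local_sid)
    subauths = user_sid.split("-")[4:]  # components after S-1-5-21
    if len(subauths) == 3:
        # No RID at all: a domain SID stored where an account SID belongs.
        # Samba still strips the last component and compares, and fails.
        if user_sid == local_sid:
            return False, ("sambaSID %s is this server's domain SID; "
                           "it needs a RID appended" % user_sid)
        return False, ("sambaSID %s is a domain SID (no RID) and not this "
                       "server's (%s)" % (user_sid, local_sid))
    if len(subauths) != 4:
        return False, "sambaSID %s is malformed" % user_sid
    domain_part, rid = split_rid(user_sid)
    if domain_part != local_sid:
        return False, ("domain part %s of RID %d differs from local SID %s; "
                       "either run 'net setlocalsid %s' on this server or "
                       "regenerate the sambaSID attributes in LDAP"
                       % (domain_part, rid, local_sid, domain_part))
    return True, "RID %d belongs to local domain %s" % (rid, local_sid)


def scan_log(lines, local_sid):
    """Run diagnose() on every 'invalid SID' line; returns [(user, sid, ok, reason)]."""
    results = []
    for line in lines:
        parsed = parse_invalid_sid(line)
        if parsed:
            user, sid = parsed
            ok, reason = diagnose(sid, local_sid)
            results.append((user, sid, ok, reason))
    return results


if __name__ == "__main__":
    # Constructed log excerpt: the real line from the post plus a noise line.
    sample = ["init_sam_from_ldap: Entry found for user: cbarnes", POSTED_LOG_LINE]
    for user, sid, ok, reason in scan_log(sample, CONSTRUCTED_LOCAL_SID):
        print("%s %s: %s" % (user, sid, reason))
```

Two things to take from running it against the posted line: as written in the post, the rejected SID has only three sub-authorities after 21, so it is a domain SID with no RID, and no local SID can make it pass; if the RID was simply trimmed when posting, the comparison that matters is between the part before the RID and what `net getlocalsid` prints on the new server, and `net setlocalsid` with the SID stored in LDAP's sambaDomain entry is the usual way to bring the migrated server back in line.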