[Samba] Samba 3.4.7 with LDAP authentication

October 06th, 2011 - 04:10 pm ET by Amit More
Hello All,

I have samba (Version 3.4.7) installed on a Ubuntu Server 10.04 (64-bit) using apt. I'm attempting to authenticate users connecting to the samba share over LDAP following the documentation https://help.ubuntu.com/10.04/serve...ldap.html, but the authentication over LDAP fails. The OpenLDAP server was already configured to include the samba.schema, so I have skipped all the steps that fall under the "OpenLDAP Configuration" section of the manual referenced earlier.

I have set the following directives in the /etc/samba/smb.conf file:

####### Authentication #######
security = user
encrypt passwords = true
passdb backend = ldapsam:ldaps://ldap1.example.com/
ldap ssl = no
ldap admin dn = cn=root,dc=example,dc=com
ldap user suffix = ou=people,dc=example,dc=com
ldap group suffix = ou=groups,dc=example,dc=com
ldap suffix = dc=example,dc=com
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n *Retype\snew\s*\spassword:* %n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user

####### Share Definitions #######
[Documents]
comment = Ubuntu File Server Share
path = /data/Documents
browsable = yes
guest ok = no
read only = no
create mask = 0755

When a user tries to connect to the samba share the /var/log/samba/log.user file is populated with the following messages,

[2011/10/06 10:15:53, 3] auth/auth.c:222(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [FILESERVER]\[amore]@[MACBOOKPRO-1B99] with the new password interface
[2011/10/06 10:15:53, 3] auth/auth.c:225(check_ntlm_password)
check_ntlm_password: mapped user is: [FILESERVER]\[amore]@[MACBOOKPRO-1B99]
[2011/10/06 10:15:53, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2011/10/06 10:15:53, 3] smbd/uid.c:428(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2011/10/06 10:15:53, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2011/10/06 10:15:53, 2] lib/smbldap.c:890(smbldap_open_connection)
smbldap_open_connection: connection opened
[2011/10/06 10:15:53, 3] lib/smbldap.c:1101(smbldap_connect_system)
ldap_connect_system: successful connection to the LDAP server
[2011/10/06 10:15:53, 4] lib/smbldap.c:1177(smbldap_open)
The LDAP server is successfully connected
[2011/10/06 10:15:53, 4] passdb/pdb_ldap.c:1600(ldapsam_getsampwnam)
ldapsam_getsampwnam: Unable to locate user [amore] count=0
[2011/10/06 10:15:53, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/10/06 10:15:53, 3] auth/auth_sam.c:282(check_sam_security)
check_sam_security: Couldn't find user 'amore' in passdb.
[2011/10/06 10:15:53, 2] auth/auth.c:320(check_ntlm_password)
check_ntlm_password: Authentication for user [amore] -> [amore] FAILED with error NT_STATUS_NO_SUCH_USER
[2011/10/06 10:15:53, 3] smbd/sesssetup.c:42(do_map_to_guest)
No such user amore [FILESERVER] - using guest account
[2011/10/06 10:15:53, 4] passdb/pdb_ldap.c:2550(ldapsam_getgroup)
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumbere534))


The messages in the /var/log/syslog file on the LDAP server are as follows,

Oct 6 10:03:06 ldap1 slapd[450]: <= bdb_equality_candidates: (host) not indexed
Oct 6 10:03:32 ldap1 slapd[450]: <= bdb_equality_candidates: (sambaSID) not indexed
Oct 6 10:04:32 ldap1 slapd[450]: <= bdb_equality_candidates: (sambaSID) not indexed
Oct 6 10:05:18 ldap1 slapd[450]: <= bdb_equality_candidates: (cn) not indexed
Oct 6 10:05:18 ldap1 slapd[450]: <= bdb_substring_candidates: (sudoUser) not indexed
Oct 6 10:05:58 ldap1 slapd[450]: <= bdb_equality_candidates: (cn) not indexed
Oct 6 10:05:58 ldap1 slapd[450]: <= bdb_substring_candidates: (sudoUser) not indexed
Oct 6 10:05:58 ldap1 slapd[450]: <= bdb_equality_candidates: (sambaDomainName) not indexed
Oct 6 10:05:58 ldap1 slapd[450]: <= bdb_equality_candidates: (sambaGroupType) not indexed
Oct 6 10:05:58 ldap1 slapd[450]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Oct 6 10:05:58 ldap1 slapd[450]: last message repeated 4 times
Oct 6 10:05:58 ldap1 slapd[450]: <= bdb_equality_candidates: (sambaGroupType) not indexed
Oct 6 10:05:58 ldap1 slapd[450]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Oct 6 10:06:13 ldap1 slapd[450]: last message repeated 4 times
Oct 6 10:06:13 ldap1 slapd[450]: <= bdb_equality_candidates: (sambaSID) not indexed
Oct 6 10:07:22 ldap1 slapd[450]: <= bdb_equality_candidates: (sambaSID) not indexed
Oct 6 10:08:33 ldap1 slapd[450]: last message repeated 3 times

Here are some details of the packages installed,
slapd: version 2.4.21-0ubuntu5.4
libnss-ldapd: version 0.7.13

Samba and OpenLDAP are running on two different systems. LDAP users can ssh into the machine running samba without any issues.

Can anybody point me in the right direction? I would appreciate all your time and help.

Thanks,
Amit


To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
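As an added example (not part of the original post), here is a small Python parser for the kind of log excerpt shown above. It reads smbd's two-line records (a `[time, level] source` header followed by the message), reports the users that ldapsam looked up and did not find, and ties each "using guest account" line back to the preceding FAILED line and to the client name from the "unmapped user" line. That last check is the one a defender wants: with `map to guest = bad user`, an unknown user is not rejected but quietly becomes a guest session, and the only trace is this pair of lines. The sample input is the excerpt quoted above (re-indented the way smbd writes it); the function names are my own.

```python
import re
from collections import namedtuple

# Sample input: level 2-4 lines quoted from /var/log/samba/log.user in the first
# post of this thread. smbd indents message lines; the parser also accepts them
# flush-left, as pasted on the page.
SAMPLE_LOG = """\
[2011/10/06 10:15:53, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [FILESERVER]\\[amore]@[MACBOOKPRO-1B99] with the new password interface
[2011/10/06 10:15:53, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [FILESERVER]\\[amore]@[MACBOOKPRO-1B99]
[2011/10/06 10:15:53, 2] lib/smbldap.c:890(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2011/10/06 10:15:53, 4] passdb/pdb_ldap.c:1600(ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [amore] count=0
[2011/10/06 10:15:53, 3] auth/auth_sam.c:282(check_sam_security)
  check_sam_security: Couldn't find user 'amore' in passdb.
[2011/10/06 10:15:53, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [amore] -> [amore] FAILED with error NT_STATUS_NO_SUCH_USER
[2011/10/06 10:15:53, 3] smbd/sesssetup.c:42(do_map_to_guest)
  No such user amore [FILESERVER] - using guest account
"""

Entry = namedtuple("Entry", "time level source message")

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+)$")
UNMAPPED = re.compile(r"unmapped user \[([^\]]+)\]\\\[([^\]]+)\]@\[([^\]]+)\]")
LOOKUP_MISS = re.compile(r"Unable to locate user \[([^\]]+)\] count=(\d+)")
FAILED = re.compile(r"Authentication for user \[[^\]]+\] -> \[([^\]]+)\] FAILED with error (NT_STATUS_\w+)")
GUEST = re.compile(r"No such user (\S+) \[([^\]]+)\] - using guest account")


def parse_samba_log(text):
    """Turn smbd's two-line records into Entry objects.

    A header line opens a record; the next non-empty line is its message.
    Any further lines before the next header are continuation lines and are
    appended to the open entry.
    """
    entries = []
    header = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            header = m.groups()
        elif header:
            entries.append(Entry(header[0], int(header[1]), header[2], line))
            header = None
        elif entries:
            entries[-1] = entries[-1]._replace(message=entries[-1].message + "\n" + line)
    return entries


def passdb_lookup_misses(entries):
    """Users that ldapsam searched for and did not find (count=0)."""
    misses = []
    for e in entries:
        m = LOOKUP_MISS.search(e.message)
        if m and m.group(2) == "0":
            misses.append(m.group(1))
    return misses


def guest_fallbacks(entries):
    """Failed logins that 'map to guest = bad user' turned into guest sessions.

    Each record joins the guest-mapping line to the preceding FAILED line and
    to the client name seen in the unmapped-user line, so the output says which
    workstation got an anonymous session instead of a rejected login.
    """
    results = []
    client = None
    pending = {}  # user -> NT status of that user's most recent failure
    for e in entries:
        m = UNMAPPED.search(e.message)
        if m:
            client = m.group(3)
        m = FAILED.search(e.message)
        if m:
            pending[m.group(1)] = m.group(2)
        m = GUEST.search(e.message)
        if m and m.group(1) in pending:
            results.append({
                "time": e.time,
                "user": m.group(1),
                "domain": m.group(2),
                "client": client,
                "status": pending.pop(m.group(1)),
            })
    return results


if __name__ == "__main__":
    parsed = parse_samba_log(SAMPLE_LOG)
    print("passdb misses:", passdb_lookup_misses(parsed))
    for rec in guest_fallbacks(parsed):
        print("{time} {domain}\\{user} from {client}: {status} -> guest".format(**rec))
```

Run against a real log.user at log level 3 or higher, the `guest_fallbacks` records are the ones to alert on: a share with `guest ok = no` will still refuse the guest session, but a share that allows guests would quietly serve it.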
Replies

#1 Miguel Medalha
October 06th, 2011 - 04:30 pm ET
ldap user suffix = ou=people,dc=example,dc=com
ldap group suffix = ou=groups,dc=example,dc=com
ldap suffix = dc=example,dc=com



Since your suffix is already in "ldap suffix", the other entries should be:

ldap user suffix = ou=people
ldap group suffix = ou=groups

Don't you need the entry "ldap machine suffix"?

#2 Miguel Medalha
October 06th, 2011 - 04:30 pm ET
passdb backend = ldapsam:ldaps://ldap1.example.com/
ldap ssl = no



You have "ldap ssl = no" and yet you are trying to connect to ldaps?

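Added example, not from the thread: a Python check for the two points raised in replies #1 and #2. It parses the [global] section of an smb.conf, composes the search base that ldapsam derives from "ldap suffix" plus "ldap user suffix" (the filter is the one visible in the pdbedit -L output later in this thread), flags sub-suffixes that repeat the base suffix, and flags an ldaps:// URI combined with "ldap ssl = no". Two defender-side notes are added as well: a plain ldap:// URI with TLS off sends the admin-dn bind in the clear, and "map to guest = bad user" turns failed lookups into guest sessions. The two smb.conf samples are constructed from the directives posted in this thread; the function names are my own; that the sub-suffixes are relative to "ldap suffix" is what reply #1 says and what the smb.conf manual documents.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, mirroring the directives in the first post (before the
# suggestions in replies #1 and #2 were applied).
SMB_CONF_BEFORE = """\
[global]
security = user
encrypt passwords = true
passdb backend = ldapsam:ldaps://ldap1.example.com/
ldap ssl = no
ldap admin dn = cn=root,dc=example,dc=com
ldap user suffix = ou=people,dc=example,dc=com
ldap group suffix = ou=groups,dc=example,dc=com
ldap suffix = dc=example,dc=com
map to guest = bad user

[Documents]
path = /data/Documents
guest ok = no
"""

# Constructed sample after the changes reported in reply #3.
SMB_CONF_AFTER = """\
[global]
passdb backend = ldapsam:ldap://ldap1.example.com/
ldap ssl = no
ldap admin dn = cn=root,dc=example,dc=com
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap machine suffix = ou=people
ldap suffix = dc=example,dc=com
map to guest = bad user
"""


def parse_global(text):
    """Return the [global] section of an smb.conf as {parameter: value}.

    Parameter names are lower-cased with internal whitespace collapsed, which
    is how Samba matches them; '#' and ';' start comment lines.
    """
    params = {}
    section = "global"  # lines before any [section] header belong to [global]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params


def _dn(value):
    """Normalise a DN for comparison: lower-case, no spaces around commas."""
    return ",".join(part.strip() for part in value.lower().split(","))


def user_search(params, uid):
    """Base DN and filter ldapsam uses to look a user up.

    Samba prepends 'ldap user suffix' to 'ldap suffix' itself, so the user
    suffix must be a partial DN. The filter matches the pdbedit -L output
    quoted in this thread.
    """
    base = _dn(params.get("ldap suffix", ""))
    user_suffix = _dn(params.get("ldap user suffix", ""))
    if user_suffix:
        base = f"{user_suffix},{base}"
    return base, f"(&(uid={uid})(objectclass=sambaSamAccount))"


def check_ldap_config(params):
    """Return a list of findings for the ldapsam-related directives."""
    findings = []
    suffix = _dn(params.get("ldap suffix", ""))
    # 1. Sub-suffixes are relative to 'ldap suffix'; repeating it doubles the DN.
    for key in ("ldap user suffix", "ldap group suffix", "ldap machine suffix"):
        value = _dn(params.get(key, ""))
        if suffix and value.endswith("," + suffix):
            relative = value[: -len(suffix) - 1]
            findings.append(f"{key} repeats ldap suffix; use '{relative}'")
    # 2. Transport: URI scheme versus 'ldap ssl'.
    backend = params.get("passdb backend", "")
    if backend.startswith("ldapsam:"):
        scheme = urlsplit(backend[len("ldapsam:"):]).scheme.lower()
        ldap_ssl = params.get("ldap ssl", "").lower()
        if scheme == "ldaps" and ldap_ssl in ("no", "off", "false"):
            findings.append("passdb backend uses ldaps:// but ldap ssl = no; settle on one transport setting")
        if scheme == "ldap" and ldap_ssl in ("no", "off", "false"):
            findings.append("ldap:// with ldap ssl = no: the admin-dn bind and the passdb data travel in the clear")
    # 3. Unknown users are silently mapped to the guest account.
    if params.get("map to guest", "never").lower() == "bad user":
        findings.append("map to guest = bad user: failed lookups become guest sessions; expect 'using guest account' in the logs")
    return findings


if __name__ == "__main__":
    for label, conf in (("before", SMB_CONF_BEFORE), ("after", SMB_CONF_AFTER)):
        params = parse_global(conf)
        base, flt = user_search(params, "amore")
        print(f"{label}: search base {base!r}, filter {flt!r}")
        for finding in check_ldap_config(params):
            print("  -", finding)
```

With the "before" sample the search base comes out as `ou=people,dc=example,dc=com,dc=example,dc=com`, which no entry in the directory can match; with the "after" sample it is `ou=people,dc=example,dc=com`, and the remaining findings are the transport and guest-mapping notes.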
#3 Amit More
October 06th, 2011 - 05:00 pm ET
Thank you for your response. I appreciate it.

I changed the following directives,

passdb backend = ldapsam:ldap://ldap1.example.com/
ldap user suffix = ou=people
ldap group suffix = ou=groups

Added the following,

ldap admin dn = cn=root,dc=example,dc=com
ldap machine suffix = ou=people


LDAP users are still not able to authenticate to the samba share. The error is the same. Here's an extract from the log file (/var/log/samba/user.log):



[2011/10/06 13:48:38, 3] auth/auth.c:222(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [FILESERVER]\[amore]@[MACBOOKPRO-1B99] with the new password interface
[2011/10/06 13:48:38, 3] auth/auth.c:225(check_ntlm_password)
check_ntlm_password: mapped user is: [FILESERVER]\[amore]@[MACBOOKPRO-1B99]
[2011/10/06 13:48:38, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2011/10/06 13:48:38, 3] smbd/uid.c:428(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2011/10/06 13:48:38, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2011/10/06 13:48:38, 2] lib/smbldap.c:890(smbldap_open_connection)
smbldap_open_connection: connection opened
[2011/10/06 13:48:38, 3] lib/smbldap.c:1101(smbldap_connect_system)
ldap_connect_system: successful connection to the LDAP server
[2011/10/06 13:48:38, 4] lib/smbldap.c:1177(smbldap_open)
The LDAP server is successfully connected
[2011/10/06 13:48:38, 4] passdb/pdb_ldap.c:1600(ldapsam_getsampwnam)
ldapsam_getsampwnam: Unable to locate user [amore] count=0
[2011/10/06 13:48:38, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/10/06 13:48:38, 3] auth/auth_sam.c:282(check_sam_security)
check_sam_security: Couldn't find user 'amore' in passdb.
[2011/10/06 13:48:38, 2] auth/auth.c:320(check_ntlm_password)
check_ntlm_password: Authentication for user [amore] -> [amore] FAILED with error NT_STATUS_NO_SUCH_USER
[2011/10/06 13:48:38, 3] smbd/sesssetup.c:42(do_map_to_guest)
No such user amore [FILESERVER] - using guest account
[2011/10/06 13:48:38, 4] passdb/pdb_ldap.c:2550(ldapsam_getgroup)
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumbere534))
[2011/10/06 13:48:38, 3] smbd/sec_ctx.c:210(push_sec_ctx)


Thanks,
Amit

#4 Miguel Medalha
October 06th, 2011 - 05:40 pm ET
[2011/10/06 13:48:38, 4] passdb/pdb_ldap.c:1600(ldapsam_getsampwnam)
ldapsam_getsampwnam: Unable to locate user [amore] count=0
[2011/10/06 13:48:38, 3] auth/auth_sam.c:282(check_sam_security)
check_sam_security: Couldn't find user 'amore' in passdb.
[2011/10/06 13:48:38, 2] auth/auth.c:320(check_ntlm_password)
check_ntlm_password: Authentication for user [amore] -> [amore] FAILED with error NT_STATUS_NO_SUCH_USER
[2011/10/06 13:48:38, 3] smbd/sesssetup.c:42(do_map_to_guest)
No such user amore [FILESERVER] - using guest account
[2011/10/06 13:48:38, 4] passdb/pdb_ldap.c:2550(ldapsam_getgroup)
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumbere534))



Are you sure that the LDAP database is correct? Are the user and group names in the correct places?

What is the output of "pdbedit -L" ?
#5 Amit More
October 06th, 2011 - 06:00 pm ET
The output of `pdbedit -L` is:

doing parameter security = user
doing parameter encrypt passwords = true
doing parameter passdb backend = ldapsam:ldap://ldap1.xetus.com/
doing parameter ldap admin dn = cn=root,dc=xetus,dc=com
doing parameter ldap user suffix = ou=people
doing parameter ldap group suffix = ou=groups
doing parameter ldap machine suffix = ou=people
doing parameter ldap suffix = dc=xetus,dc=com
doing parameter ldap ssl = no
doing parameter obey pam restrictions = yes
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n *Retype\snew\s*\spassword:* %n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter usershare allow guests = yes
pm_process() returned Yes
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=FILESERVER))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
smbldap_search_paged: base => [dc=xetus,dc=com], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
smbldap_search_paged: search was successful
User Search failed!
