On Tuesday, 22 March 2011 16:42:11 fuzzy_4711 wrote:
> -------- Original - Text --------
>
> > What are you having problems with? Is this a new installation or an
> > existing system?
>
> It is a new installation on an openSUSE 11.4.
> I have both services running on the same box: ldap and samba
>
> When I try to connect using an smb client,

Can you be more specific? Of course, testing with a client may be premature if
you haven't tested with pdbedit or 'smbpasswd username' or similar.

> the debug log is stating "key expired". Before that I got an
> NT_USER_NOT_KNOW.

I don't believe that is actually a valid error, and with 'map to guest = Bad
User' you shouldn't get anything similar, please provide the *actual* error.

> But right now I remember that I added the Netbios-Statement in smb.conf
> and in that time the debug message changed from user not known to
> key expired. I do not want to use netbios if possible - it was just
> added as another try to get it running. Could it be that I have to
>
> From my understanding one needs the samba3.schema because Windows
> stores passwords differently than unix does and there is no way to
> convert. Therefore you only need to set the 2 passwordNT/LM fields
> and the sambaSID - the passwords are taken from those
> NT/LM fields. Is that right?
>
> The group matching will be done without any problems using the
> group value defined in posixAccount. Is that right or am I mistaken?
> So for example: If stefan has defined gidNumber 100, based on
> this information it will be possible to find out that in the config below
> stefan belongs to group users (based again on gidNumber and
> memberUid). Right or wrong?

Upstream samba doesn't seem to support use of rfc2307bis groups with
ldapsam:trusted = yes. But, let's not worry about groups yet, if you can't
authenticate a user.

> Here are the essentials of my configuration details for both services.
>
> I do have
> dn: ou=Group,dc=xxxxx,dc=de
> dn: ou=People,dc=xxxxx,dc=de
>
> also I have:
>
> dn: uid=stefan,ou=People,dc=xxxxx,dc=de
> uid: stefan
> cn: stefan
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> shadowLastChange: 13572
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 632
> gidNumber: 100
> homeDirectory: /home/users/stefan
> structuralObjectClass: account
> entryUUID: 57264e20-2261-102c-9ecf-9fa815f26773
> creatorsName: cn=Manager,dc=xxxxx,dc=de
> createTimestamp: 20071108161351Z
> sambaSID: S-1-5-21-38098927-3018186934-2063245418

This looks like a domain SID, not a user SID. Of course, pdbedit should tell
you that ... How did you create this user? Note that 'smbpasswd -a stefan'
should have been able to do it, and would have done it correctly.

> sambaLMPassword: c02717a286a249086de605daecb45436
> sambaNTPassword: c02717a286a249086de605daecb45436
> userPassword:: 1111111111111111111111111=
>  =
> sambaPwdLastSet: 0
> sambaPwdMustChange: 0
> entryCSN: 20110321231822.373017Z#000000#000#000000
> modifiersName: cn=Manager,dc=xxxxx,dc=de
> modifyTimestamp: 20110321231822Z
>
>
> Note: the sambaLMPassword and the sambaNTPassword values are
> created via a php script which first builds the md4-sum of the base
> password and after that does another binary transformation. I read this
> should be the format samba is expecting the value in. Is that right or did
> I do something wrong at this step?

Well, I would exclude software that you may not know works, e.g. use
'smbpasswd username' to set the passwords ...

> --------------------------------------------------------------------------------
> I have this definition also
> dn: cn=users,ou=Group,dc=xxxxx,dc=de
> objectClass: posixGroup
> objectClass: namedObject
> objectClass: top
> cn: users
> userPassword:: 1111111111111111
> gidNumber: 100
> memberUid: sadmin
> memberUid: stefan
> structuralObjectClass: namedObject
> entryUUID: 106c209a-226b-102c-9f4d-9fa815f26773
> creatorsName: cn=Manager,dc=xxxxx,dc=de
> createTimestamp: 20071108172328Z
> entryCSN: 20110321210104.815232Z#000000#000#000000
> modifiersName: cn=Manager,dc=xxxxx,dc=de
> modifyTimestamp: 20110321210104Z
>
> ---------------------------------------------------------------------
>
> Also I do have that, which confuses me: Why does the
> root user only have the value sambaAcctFlags set?
> Where does this entry come from - I did not define
> it in my ldif import.
>
> dn: uid=root,ou=People,dc=xxxxx,dc=de
> uid: root
> sambaSID: S-1-5-21-38098927-3018186934-2063245418-1000
> displayName: root
> sambaPwdCanChange: 1300747942
> sambaNTPassword: 111111111111111111
> sambaPwdLastSet: 1300747942
> sambaAcctFlags: [U          ]
> objectClass: sambaSamAccount
> objectClass: account
> structuralObjectClass: account
> entryUUID: a0626f44-e859-102f-8432-f5e997da80c3
> creatorsName: cn=Manager,dc=xxxxx,dc=de
> createTimestamp: 20110321225222Z

Maybe you can tell us what you did at this time ^^^ ?

> entryCSN: 20110321225222.093965Z#000000#000#000000
> modifiersName: cn=Manager,dc=xxxxx,dc=de
> modifyTimestamp: 20110321225222Z
>
>
> This is my slapd.conf:
>
> ldapnix:~ # cat /etc/openldap/slapd.conf | grep -vi "^#"
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/rfc2307bis.schema
> include /etc/openldap/schema/yast.schema
> include /etc/openldap/schema/samba3.schema
>
> pidfile /var/run/slapd/slapd.pid
> argsfile /var/run/slapd/slapd.args
> access to dn.base=""
>         by * read
> access to attrs=userPassword,userPKCS12
>         by self write
>         by * auth
> access to attrs=shadowLastChange
>         by self write
>         by * read
> access to *
>         by * read
> database bdb
> monitoring on
> suffix "dc=xxxxx,dc=de"
> checkpoint 1024 5
> cachesize 10000
> rootdn "cn=Manager,dc=xxxxx,dc=de"
> rootpw secret
> directory /var/lib/ldap
> index objectClass eq
>

You will at minimum need more indexes ...

> -------------------------------------------------------------------------
> This is my smb.conf:
>
>
> [global]
> unix charset = UTF-8
> workgroup = PRIVAT
> interfaces = 192.168.1.46
> update encrypted = Yes
> map to guest = Bad User
> root directory = /
> #username map = /etc/samba/smbusers
> # Logging - 5000 KB, Samba keeps one .old file
> log level = 3
> max log size = 5000
> printcap name = cups
> logon path = \\%L\profiles\.msprofile
> logon drive = P:
> logon home = \\%L\%U\.9xprofile
> domain master = No
> ldap ssl = Off
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> printer admin = @ntadmin, root, administrator
> ldap admin dn = cn=Manager,dc=xxxxx,dc=de
> passdb backend = ldapsam:ldap://ldap.privat.xxxxx.de/
> ldapsam:trusted = yes
> ldapsam:editposix = yes
> ldap debug level = 1
> ldap user suffix = ou=People
> #ldap group suffix = ou=Groups
> ldap group suffix = ou=Group
> ldap machine suffix = ou=Computers
> ldap suffix = dc=xxxxx,dc=de
> wins support = No
> add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$
> domain logons = No
> ldap idmap suffix = ou=Idmap
> ldap passwd sync = No
> netbios name = LDAPNIX
> security = user
> wins server =
>
> I do have a share definition like that:
>
> [users]
> comment = All users
> path = /home/users
> valid users = @users, @susers, root
> read only = No
> inherit permissions = Yes
>
> I added the password for the "cn=Manager,dc=xxxxx,dc=de" using
> smbpasswd -w secret

What does 'pdbedit -L' say? If it doesn't list any users, maybe run
'pdbedit -d10 -L', or 'pdbedit -d10 -L stefan'.

If you can't see a problem here, the LDAP server's logs (at, or including,
level 256 or 'stats') would be useful.

> I get this output also:
> ldapnix:~ # net getlocalsid
> SID der Domäne LDAPNIX ist: S-1-5-21-38098927-3018186934-2063245418
>
>
> I really would like to understand. If you guide me what to do
> and it would make sense I would also set it up from scratch to
> understand what is going on. But I do not want to use libs or "special"
> scripts

You could of course use standard utilities (such as smbpasswd, pdbedit etc.)
instead of your own scripts, which may get things wrong ...

> which will hide the process without the chance to understand.
>
> Thanks for your help.

Notice how almost none of my questions have *anything* to do with OpenLDAP
yet?

Regards,
Buchan
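The checks Buchan's reply walks through (is the sambaSID a user SID or a bare domain SID, is the home-grown hash script producing what Samba expects, is slapd.conf indexed for the lookups ldapsam makes) can be run offline against the quoted LDIF and slapd.conf. The script below is an added example written for this thread; it is not Buchan's, fuzzy_4711's, Samba's or OpenLDAP's code. It assumes the standard NT-hash definition (MD4 over the UTF-16LE encoding of the password), the user-SID layout <domain SID>-<RID>, and a commonly recommended set of equality indexes for ldapsam (the LDAPSAM_LOOKUP_ATTRS tuple is an assumption, not something the thread lists). The sample entry is constructed to reproduce the two defects pointed out above: a sambaSID equal to the domain SID, and an LM hash identical to the NT hash, which no correct password tool produces since the two algorithms differ.

```python
"""Offline sanity checks for a hand-built sambaSamAccount entry and the slapd.conf
behind it.  Added example for this thread, not Samba or OpenLDAP code.  Assumed:
NT hash = MD4 over the UTF-16LE password (standard definition); user SID =
<domain SID>-<RID>; LDAPSAM_LOOKUP_ATTRS is a usual recommendation, not quoted here."""
import re
import struct

MASK = 0xFFFFFFFF

def _rot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); spelled out because hashlib's md4 is often
    disabled under OpenSSL 3's legacy-provider policy."""
    f = lambda x, y, z: (x & y) | (~x & MASK & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (function, constant, word order, shift cycle) per RFC 1320
        (f, 0, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _rot((a + fn(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next step updates old d
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """Hex form of the NT hash, the value that belongs in sambaNTPassword."""
    return md4(password.encode("utf-16le")).hex().upper()

def parse_ldif(text: str) -> dict:
    """Minimal single-entry LDIF reader; base64 ('::') values are kept raw."""
    entry, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:  # folded continuation line
            entry[last][-1] += line[1:]
        elif line.strip() and not line.startswith("#"):
            attr, _, val = line.partition(":")
            last = attr.strip().lower()
            entry.setdefault(last, []).append(val.lstrip(": "))
    return entry

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")  # domain SID plus a RID
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")

def check_account(entry: dict, domain_sid: str) -> list:
    """Report the defects the reply points at: bad SID shape, odd hash fields."""
    problems, get = [], lambda a: entry.get(a, [""])[0]
    sid = get("sambasid")
    if not (SID_RE.match(sid) and sid.startswith(domain_sid + "-")):
        problems.append("sambaSID is not <domain SID>-<RID>: " + sid)
    lm, nt = get("sambalmpassword"), get("sambantpassword")
    for name, val in (("sambaLMPassword", lm), ("sambaNTPassword", nt)):
        if val and not HEX32.match(val):
            problems.append(name + " is not 32 hex digits")
    if lm and lm.lower() == nt.lower():
        problems.append("sambaLMPassword equals sambaNTPassword (different algorithms)")
    return problems

def nt_hash_matches(entry: dict, password: str) -> bool:
    """Check a stored sambaNTPassword against the hash of a known password."""
    return entry.get("sambantpassword", [""])[0].upper() == nt_hash(password)

# Attributes ldapsam looks users/groups up by (assumed usual recommendation).
LDAPSAM_LOOKUP_ATTRS = ("uid", "uidNumber", "gidNumber", "memberUid",
                        "sambaSID", "sambaPrimaryGroupSID", "sambaDomainName")

def missing_eq_indexes(slapd_conf: str) -> list:
    """Lookup attributes with no 'index <attrs> ...eq...' line in slapd.conf."""
    indexed = set()
    for line in slapd_conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "index" and "eq" in parts[2].split(","):
            indexed.update(a.lower() for a in parts[1].split(","))
    return [a for a in LDAPSAM_LOOKUP_ATTRS if a.lower() not in indexed]

# Constructed sample in the shape of the thread's "stefan" entry, reproducing
# the two defects noticed there: a bare domain SID and LM hash == NT hash.
DOMAIN_SID = "S-1-5-21-38098927-3018186934-2063245418"
SAMPLE_LDIF = f"""dn: uid=stefan,ou=People,dc=xxxxx,dc=de
uid: stefan
uidNumber: 632
gidNumber: 100
sambaSID: {DOMAIN_SID}
sambaLMPassword: {nt_hash('password')}
sambaNTPassword: {nt_hash('password')}
"""
SAMPLE_SLAPD = "database bdb\nindex objectClass eq\n"  # what the thread shows

if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)
    print(check_account(entry, DOMAIN_SID), nt_hash_matches(entry, "password"))
    print("missing eq indexes:", missing_eq_indexes(SAMPLE_SLAPD))
```

On the constructed entry this reports both defects and confirms the stored NT hash is the hash of "password"; on the thread's single-index slapd.conf it lists every lookup attribute as unindexed. Comparing a script's output against nt_hash() is a cheaper way to validate a home-grown password tool than reading smbd debug logs, and letting smbpasswd write the entry in the first place, as the reply suggests, removes the question entirely.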
