On Wed, 2004-03-31 at 12:47, Ted Wisniewski wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Here is a description of what I am trying to do (with Samba 3.0.2a & openldap
> 2.1.27):
>
> I have all my users populated into the LDAP with all the applicable
> attributes; Users can map drives to a server using LDAP as the
> authentication backend without issue.
>
> Where I am running into problems is bringing up a PDC using Samba w/LDAP.
>
> * I added the appropriate machine accounts (using smbpasswd -a -m) and was
> able to join the domain.
>
> * Any user in the pre-populated LDAP cannot log in, however, any user I add to
> the LDAP from the machine with Samba running on it CAN log in properly.
>
> If I delete the original entry from the LDAP, add a new one via (smbpasswd -a),
> then the user can log in. This works, but is ultimately not scalable... I
> can then place the original LDAP entry back in place and they can log in...
> Just as long as the password for the account is not changed.
>
> I am sure there is something I am missing, but I cannot see it for the life of
> me. The odd thing is, that in the log.smbd, I get odd errors about reading
> a socket, but only for the users that have not been added by the local
> "smbpasswd" command. They are both in the same LDAP. Any help would be
> greatly appreciated.
>
> Ted
>
>
> Excerpt from log.smb (non-functional user):
> - ----------------------------------------------------------------------------------------
> [2004/03/31 10:24:11, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
>   process_request_pdu: failed to do schannel processing.
> [2004/03/31 10:24:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: pubtest$
> [2004/03/31 10:24:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: testuser
> [2004/03/31 10:24:11, 2] auth/auth.c:check_ntlm_password(305)
>   check_ntlm_password: authentication for user [testuser] -> [testuser] -> [testuser] succeeded
> [2004/03/31 10:24:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: testuser
> [2004/03/31 10:24:24, 2] lib/smbldap.c:smbldap_search_domain_info(1331)
>   Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TEST_DOM))]
> [2004/03/31 10:24:24, 2] lib/smbldap.c:smbldap_open_connection(626)
>   smbldap_open_connection: connection opened
> [2004/03/31 10:24:24, 0] lib/util_sock.c:read_socket_data(342)
>   read_socket_data: recv failure for 4. Error = Connection reset by peer
> [2004/03/31 10:24:24, 2] smbd/server.c:exit_server(558)
>
> Excerpt from log.smbd (functional user):
> - --------------------------------------------------------------------------------------
> [2004/03/31 10:26:04, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
>   process_request_pdu: failed to do schannel processing.
> [2004/03/31 10:26:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: pubtest$
> [2004/03/31 10:26:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: newuser
> [2004/03/31 10:26:04, 2] auth/auth.c:check_ntlm_password(305)
>   check_ntlm_password: authentication for user [newuser] -> [newuser] -> [newuser] succeeded
> [2004/03/31 10:26:05, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: newuser
> [2004/03/31 10:26:05, 2] auth/auth.c:check_ntlm_password(305)
>   check_ntlm_password: authentication for user [newuser] -> [newuser] -> [newuser] succeeded
> [2004/03/31 10:26:05, 1] smbd/service.c:make_connection_snum(705)
>   pubtest (158.136.115.89) connect to service profiles initially as user newuser (uid=18000, gid=31) (pid 85352)
> [2004/03/31 10:26:05, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
>   Returning domain sid for domain TEST_DOM -> S-1-5-21-204843054-3526713080-3458795326
> [2004/03/31 10:26:05, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: newuser
> - -------------------------------------------------------------------------------------------
>
>
> Global section of smb.conf
-----

It appears that the 'non-functional' user doesn't have the domain attribute set (or at least set properly).

    ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=non-functional)'

and then

    ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=functional)'

and the functional users will have attributes such as sambaDomainName properly set that the non-functional's do not.

Craig
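
The comparison suggested in the reply above, as an added example that is not part of the original thread: it lists what a working entry has that a failing one lacks, given the two ldapsearch results saved as LDIF files. The entries, the example.org DNs and the function names are constructed for illustration; sambaSID and sambaAcctFlags are attributes of the Samba 3 schema and do not come from the thread.

```shell
# Added example: report what a working LDAP entry has that a failing one lacks.
# All entries below are constructed sample data, not taken from the thread.

# entry_keys FILE: one key per line for an LDIF entry, lower-cased because
# LDAP attribute names are case-insensitive. objectClass is listed per value.
entry_keys() {
    awk '
        /^#/ || /^ / || /^$/ { next }   # comments, folded continuations, blanks
        {
            i = index($0, ":"); if (i < 2) next
            name = tolower(substr($0, 1, i - 1))
            if (name == "dn") next
            if (name == "objectclass") {
                val = substr($0, i + 1); sub(/^ */, "", val)
                print name "=" tolower(val)
            } else print name
        }' "$1" | LC_ALL=C sort -u
}

# missing_keys BROKEN WORKING: keys found in WORKING but not in BROKEN.
missing_keys() {
    t=$(mktemp -d) || return 1
    entry_keys "$1" > "$t/broken"; entry_keys "$2" > "$t/working"
    LC_ALL=C comm -13 "$t/broken" "$t/working"
    rm -rf "$t"
}

# demo: run the comparison on two constructed entries.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/broken.ldif" <<'EOF'
dn: uid=testuser,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1-2-3-37002
description: imported in bulk; the next line is a folded continuation
 sambaDomainName: this text is part of description, not an attribute
EOF
    cat > "$d/working.ldif" <<'EOF'
dn: uid=newuser,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1-2-3-37000
sambaDomainName: TEST_DOM
sambaAcctFlags: [U          ]
EOF
    missing_keys "$d/broken.ldif" "$d/working.ldif"
    rm -rf "$d"
}
demo
```

A plain grep for an attribute name would be fooled by the folded description line in the failing entry, which is why continuation lines are skipped before the comparison.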