I made a lot of progress with all your great help. I could authenticate the same user account during UNIX login and Samba login. Great!!
There is one thing left. I could not join a Windows machine to the domain. It is said there is a Samba bug related to this. Is it fixed in Samba 3.0.10 or not? Is there any workaround?
Below is my samba log:
make_user_info_map: Mapping user [TESTDOMAIN]\[administrator] from workstation [AJATAR]
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
is_trusted_domain: Checking for domain trust with [TESTDOMAIN]
secrets_fetch failed!
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
Cache entry with key = TDOM/TESTDOMAIN couldn't be found
no entry for trusted domain TESTDOMAIN found.
Steve Zeng
Nathan,
I could not use "smbldap-passwd" and any other "smbldap-xxxxx" commands. I got error like this:
# smbldap-passwd administrator
/usr/sbin/smbldap-passwd: user administrator doesn't exist
The only way I can change passwd is to use smbpasswd.
Any idea why that is?
Thanks.
Steve
Smbldap-tools has a passwd script which will change/sync the password(s);
you can even configure samba to utilize this script when a client from a
windows machine tries to change their password, (see example below). I might
also recommend you look into a decent web-based or graphical LDAP account
manager, (LAM comes to mind, not sure what platform you're working from, but
on FreeBSD it's just a matter of installing it from the ports; check the
website out - http://lam.sf.net/).
We are using LDAP, in conjunction with nss_ldap & pam_ldap on the unix side
plus samba 3.0.11 on the windows side; single sign on regardless of which
machine/platform any user is on. Roaming profiles on the windows network,
and even Sun stations can share the same pam database for authentication and
nss information - all works very well, and has suited us perfectly. We are
currently using either LAM, (Ldap Account Manager - http://lam.sf.net/ ), or
manual ldap insert/delete/modify commands to administer our users. LAM takes
about ten minutes to setup and get going, and even less to figure out and
work with; gives the ability to control Unix, Posix, Samba, and other
attributes of any user, group, domain, or domain-machine (host) account.
Anyhow, just my two cents - but you should take a look into something like
LAM to save you time; (I know there are other utilities/user managers, one
in particular we tried which runs from X-win... But we found the simplicity
of LAM to be key).
Here's an example of how to configure samba to use smbldap-tools' password
script:
ldap passwd sync = yes
passwd program = /server/bin/smbldap-tools/smbldap-passwd.pl -u %u
passwd chat = "Changing password for*\nNew Password*" %n\n "*Retype new password*" %n\n
-- Nathan Vidican [EMAIL PROTECTED] Windsor Match Plate & Tool Ltd. http://www.wmplt.com/
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Zeng
Sent: Thursday, March 03, 2005 7:59 PM
To: [EMAIL PROTECTED]
Cc: [email protected]
Subject: Re: [Samba] samba failed to authenticate to openLDAP
Paul and Craig,
I finally got it working. The reason it failed before is the way I built the LDAP DIT. I also found a problem in smbldap-populate script which I will describe below.
Here were what I did:
1) run configure.pl
2) edit smbldap-populate and change the following line:
my ($organisation,$ext) = ($config{suffix} =~ m/dc=(.*),dc=(.*)$/);
to:
my ($organisation,$ext) = ($config{suffix} =~ m/dc=(.*)$/);
The reason is I only have a single name for my domain, i.e. "dc=mfelc", but the Perl script will suppose we have exactly two names, for example, dc=idealx, dc=org. It also won't work if you have three names in your domain (dc=mydept, dc=mycompany, dc=com).
3) run smbldap-populate; it works perfectly to build the DIT
4) use smbldap-migrate-unix-accounts to migrate NIS accounts
5) use smbldap-migrate-unix-groups to migrate NIS group
This time when I use smbclient with a NIS account, the log will show wrong password. So I run smbpasswd to give this account a new samba password and run smbclient again. It works.
There are two problems here:
1) how to migrate NIS hosts into LDAP?
2) I checked the LDAP attributes and found three password fields:
SambaLMPassword, SambaNTPassword, userPassword
How can I sync them so that I don't have to keep two or more passwords for one user account?
Best Regards,
Steve
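As an added example (my code, not the smbldap-tools script), the following Python reimplements the suffix split so that it accepts one, two, three or more dc= components, and keeps the original expression alongside to show exactly how a single-name or three-name suffix goes wrong with it. Treating the first component as the organisation and the remaining ones as "ext" is an assumption about how the script uses those two variables.

```python
import re

# The expression quoted from smbldap-populate above: it assumes exactly two dc= RDNs.
ORIGINAL_RE = re.compile(r"dc=(.*),dc=(.*)$")


def original_split(suffix):
    """Mimic the script's original match; None when it does not match at all."""
    m = ORIGINAL_RE.search(suffix)
    return m.groups() if m else None


def split_dc_components(suffix):
    """Return the dc values of a suffix, in order, for any number of dc= RDNs.

    Raises ValueError on anything that is not a pure chain of dc= RDNs, so a
    suffix such as "ou=People,dc=mfelc" is rejected instead of silently mangled.
    """
    parts = []
    for rdn in suffix.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or attr.strip().lower() != "dc" or not value.strip():
            raise ValueError(f"not a dc= RDN: {rdn!r} in suffix {suffix!r}")
        parts.append(value.strip())
    return parts


def organisation_and_ext(suffix):
    """First dc value as the organisation name; the remaining components joined
    with dots as 'ext' (empty for a single-component suffix). Splitting into
    two values is an assumption that follows the two variables the script uses."""
    parts = split_dc_components(suffix)
    return parts[0], ".".join(parts[1:])


if __name__ == "__main__":
    # Single-name suffix: original regex fails; three-name suffix: greedy match
    # swallows ",dc=mycompany" into the organisation.
    for s in ("dc=mfelc", "dc=idealx,dc=org", "dc=mydept,dc=mycompany,dc=com"):
        print(s, "->", original_split(s), organisation_and_ext(s))
```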
Paul,
I downloaded smbldap-tools-0.8.7 and tried the following:
1) run configure.pl
2) initialize LDAP base and then start LDAP server
dn: dc=mfelc
dc: mfelc
objectClass: top
objectClass: domain
3) run smbldap-populate
4) run the following migration tool to import users from NIS: smbldap-migrate-unix-accounts -a -P /tmp/passwd.nis
5) run the following migration tool to import groups from NIS: smbldap-migrate-unix-groups -a -G /tmp/group.nis
6) smbldap-useradd -a -m testuser1
   smbldap-passwd testuser1
6) smbclient //enzo/testuser1 -U testuser1
got the following errors:
-------------------------------------
User testuser1 in passdb, but getpwnam() fails!
[2005/03/01 18:12:11, 5] auth/auth_util.c:free_server_info(1344)
  attempting to free (and zero) a server_info structure
[2005/03/01 18:12:11, 0] auth/auth_sam.c:check_sam_security(306)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2005/03/01 18:12:11, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: sam authentication for user [testuser1] FAILED with error NT_STATUS_NO_SUCH_USER
[2005/03/01 18:12:11, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [TESTDM] was for this SAM.
[2005/03/01 18:12:11, 10] auth/auth.c:check_ntlm_password(259)
  check_ntlm_password: winbind had nothing to say
[2005/03/01 18:12:11, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [testuser1] -> [testuser1] FAILED with error NT_STATUS_NO_SUCH_USER
--------------------------------------------------
No idea what is missing. Thanks a lot for any hints.
Steve
Judicious snippage, post at the bottom.
I tried to let Samba authenticate against LDAP but could not figure out how to build the LDAP tree for Samba.
Fedora core 2, Samba 3.0.10, OpenLDAP 2.1.29
dc=mydomain
|
`--- ou=People : to store user accounts for Unix and Windows
|
`--- ou=Hosts  : to store computer accounts for UNIX & Windows
|
`--- ou=Groups : to store system groups for Unix and Windows
What I did was:
[global]
workgroup = TESTDM
passdb backend = ldapsam:ldap://10.10.0.101/
log level = 1 passdb:8 auth:8
domain logons = Yes
wins support = Yes
ldap admin dn = cn=root,dc=mydomain
ldap delete dn = Yes
ldap group suffix = ou=Group
ldap machine suffix = ou=Hosts
ldap user suffix = ou=People
ldap suffix = dc=mfelc
ldap passwd sync = Yes
ldap ssl = no
3) start Samba server
4) run smbclient //smbserver -U myid
Password:
session setup failed: NT_STATUS_LOGON_FAILURE
Attached is the smbd.log; I deleted the normal log and kept the failed messages, as below:
check_sam_security: Couldn't find user 'szeng' in passdb file.
auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: sam authentication for user [szeng] FAILED with error NT_STATUS_NO_SUCH_USER
Is there anybody who might have some idea of what is wrong?
Yep. You did nothing to create the samba attributes that will have to exist in each user account for the users to log in. I suggest you read the documentation on setting up an LDAP/PDC system that is on the samba.org web site. You've missed quite a few steps here, so you may want to read it through to get a complete idea. Your solution is going to include the following:
1. Obtain and configure the smbldap-tools package.
2. Run the smbldap-populate script
3. Make sure you've got a sambaDomain (I think that's the object type) in the base of your DIT.
4. Join the machine to the domain (since you appear to want a domain setup)
4. Add samba attributes to each user's account.
Yes there are 2 #4 entries. Doesn't matter which one comes first. As far as I can remember, those will be the critical steps to not miss. If you've followed the documentation and not done those steps, you've missed something.
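The two failures in this thread ("Couldn't find user ... in passdb" and "in passdb, but getpwnam() fails!") correspond to the two halves of step 4: the ldapsam backend only matches entries with objectClass sambaSamAccount, and nss_ldap only resolves entries that are a posixAccount. As an added example (my code, not Samba's or smbldap-tools'), this Python reads a small LDIF export and reports, per entry, which of the two lookups would fail; the sample entries, SID and hash are constructed placeholders, and the check assumes nss_ldap itself is already configured.

```python
# Entry-level check for the two failures seen in this thread: "Couldn't find user in
# passdb" (ldapsam only matches objectClass sambaSamAccount) and "in passdb, but
# getpwnam() fails!" (nss_ldap needs a posixAccount). Attribute names follow the Samba 3 schema.
POSIX_REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")
SAMBA_REQUIRED = ("sambaSID", "sambaNTPassword")   # sambaLMPassword is optional

def parse_ldif(text):
    # Simple LDIF only: no base64 '::' values, no continuation lines.
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def login_problems(entry):
    # Reasons Samba (ldapsam) plus nss_ldap could not log this account in.
    classes = {c.lower() for c in entry.get("objectClass", [])}
    problems = []
    if "sambasamaccount" not in classes:
        problems.append("no sambaSamAccount objectClass: not in passdb (NT_STATUS_NO_SUCH_USER)")
    else:
        problems += [f"missing {a}" for a in SAMBA_REQUIRED if a not in entry]
    if "posixaccount" not in classes:
        problems.append("no posixAccount objectClass: getpwnam() fails although user is in passdb")
    else:
        problems += [f"missing {a}" for a in POSIX_REQUIRED if a not in entry]
    return problems

# Constructed sample entries; the SID and hash are placeholders, not real values.
SAMPLE_LDIF = """\
dn: uid=testuser1,ou=People,dc=mfelc
objectClass: sambaSamAccount
uid: testuser1
sambaSID: S-1-5-21-PLACEHOLDER-1000
sambaNTPassword: PLACEHOLDER_NT_HASH

dn: uid=szeng,ou=People,dc=mfelc
objectClass: posixAccount
uid: szeng
uidNumber: 1001
gidNumber: 100
"""
```

Running `for e in parse_ldif(SAMPLE_LDIF): print(e["dn"][0], login_problems(e))` shows testuser1 failing only the getpwnam() side and szeng failing the passdb side (plus a missing homeDirectory).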
-- Regards,
Steve Zeng Systems Administrator Mainframe Entertainment Inc T: (604) 628-1000 ext 5293 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
