Same problem with the latest samba 3.0.26a stable. So I opened a bug report
here:
https://bugzilla.samba.org/show_bug.cgi?id=5076
We're stuck on the following statement: only the CFLAGS=-DNO_LDAP_SECURITY
build option can avoid this error. No more info on the security issues
this particular option might introduce.
F. NASS.
Frédéric Nass wrote:
Hi,
I found more info here:
http://www.mail-archive.com/[email protected]/msg33190.html
This functionality seems to have been implemented in the samba source
code (3.0.24 - auth_sam.c):
http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_3_0_24/source/auth/auth_sam.c?rev=22815&view=markup
if (*workstation_list) {
    BOOL invalid_ws = True;
    fstring tok;
    const char *s = workstation_list;
    const char *machine_name = talloc_asprintf(mem_ctx, "%s$",
                                               user_info->wksta_name);
    if (machine_name == NULL)
        return NT_STATUS_NO_MEMORY;

    while (next_token(&s, tok, ",", sizeof(tok))) {
        DEBUG(10,("sam_account_ok: checking for workstation match %s and %s\n",
                  tok, user_info->wksta_name));
        if(strequal(tok, user_info->wksta_name)) {
            invalid_ws = False;
            break;
        }
        /* here ===> */
        if (tok[0] == '+') {
            DEBUG(10,("sam_account_ok: checking for workstation %s in group: %s\n",
                      machine_name, tok + 1));
            if (user_in_group(machine_name, tok + 1)) {
                invalid_ws = False;
                break;
            }
        }
    }

    if (invalid_ws)
        return NT_STATUS_INVALID_WORKSTATION;
}
So I used samba debug level 10 in smb.conf.
This is the exact part of the samba workstation log file when auth
fails on PC2 (it should work, as PC2 is also part of the "salle1"
workstation group):
smbldap_search_ext: base => [ou=Groups,dc=test,dc=org], filter =>
[(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-5-21-747375223-3054175255-2287932516-3010)(sambaSIDList=S-1-5-21-747375223-3054175255-2287932516-515)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-11)(sambaSIDList=S-1-5-21-747375223-3054175255-2287932516-9001)(sambaSIDList=S-1-22-2-515)(sambaSIDList=S-1-22-2-4000)))],
scope => [2]
[2007/11/08 15:07:18, 0] lib/smbldap.c:smbldap_open(1009)
smbldap_open: cannot access LDAP when not root..
[2007/11/08 15:07:18, 10] auth/auth_util.c:add_aliases(653)
pdb_enum_alias_memberships failed: NT_STATUS_UNSUCCESSFUL
[2007/11/08 15:07:18, 10] auth/auth_util.c:user_in_group_sid(1277)
could not create token for PC2$
[2007/11/08 15:07:18, 5] auth/auth.c:check_ntlm_password(273)
check_ntlm_password: sam authentication for user [toto] FAILED with
error NT_STATUS_INVALID_WORKSTATION
[2007/11/08 15:07:18, 3] auth/auth_winbind.c:check_winbind_security(80)
check_winbind_security: Not using winbind, requested domain [TEST]
was for this SAM.
[2007/11/08 15:07:18, 10] auth/auth.c:check_ntlm_password(261)
check_ntlm_password: winbind had nothing to say
[2007/11/08 15:07:18, 2] auth/auth.c:check_ntlm_password(319)
check_ntlm_password: Authentication for user [toto] -> [toto] FAILED
with error NT_STATUS_INVALID_WORKSTATION
[2007/11/08 15:07:18, 5] auth/auth_util.c:free_user_info(1867)
attempting to free (and zero) a user_info structure
[2007/11/08 15:07:18, 10] auth/auth_util.c:free_user_info(1871)
structure was created for toto
[2007/11/08 15:07:18, 5]
rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(934)
_net_sam_logon: check_password returned status
NT_STATUS_INVALID_WORKSTATION
This is the slapd log in the syslog file at the same time:
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=21 SRCH
base="dc=test,dc=org" scope=2 deref=0
filter="(&(uid=salle1)(objectClass=sambaSamAccount))"
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=21 SRCH attr=uid
uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
sn displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
sambaLogonHours modifyTimestamp uidNumber
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=21 SEARCH RESULT tag=101
err=0 nentries=0 text=
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=22 SRCH
base="ou=Groups,dc=test,dc=org" scope=2 deref=0
filter="(&(objectClass=sambaGroupMapping)(|(displayName=salle1)(cn=salle1)))"
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=22 SRCH attr=gidNumber
sambaSID sambaGroupType sambaSIDList description displayName cn
objectClass
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=22 SEARCH RESULT tag=101
err=0 nentries=1 text=
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=23 SRCH
base="dc=test,dc=org" scope=2 deref=0
filter="(&(uid=pc2$)(objectClass=sambaSamAccount))"
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=23 SRCH attr=uid
uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
sn displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
sambaLogonHours modifyTimestamp uidNumber
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=23 SEARCH RESULT tag=101
err=0 nentries=1 text=
Nov 8 15:07:18 debian slapd[3074]: conn=3 op=3 SRCH
base="dc=test,dc=org" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=pc2$))"
Nov 8 15:07:18 debian slapd[3074]: conn=3 op=3 SRCH attr=uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass
Nov 8 15:07:18 debian slapd[3074]: conn=3 op=3 SEARCH RESULT tag=101
err=0 nentries=1 text=
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=24 SRCH
base="ou=Groups,dc=test,dc=org" scope=2 deref=0
filter="(&(objectClass=sambaGroupMapping)(gidNumber=515))"
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=24 SRCH attr=gidNumber
sambaSID sambaGroupType sambaSIDList description displayName cn
objectClass
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=24 SEARCH RESULT tag=101
err=0 nentries=1 text=
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=25 SRCH
base="dc=test,dc=org" scope=2 deref=0
filter="(&(sambaSID=s-1-5-21-747375223-3054175255-2287932516-515)(objectClass=sambaSamAccount))"
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=25 SRCH attr=uid
uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
sn displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
sambaLogonHours modifyTimestamp uidNumber
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=25 SEARCH RESULT tag=101
err=0 nentries=0 text=
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=26 SRCH
base="ou=Groups,dc=test,dc=org" scope=2 deref=0
filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-747375223-3054175255-2287932516-515))"
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=26 SRCH attr=gidNumber
sambaSID sambaGroupType sambaSIDList description displayName cn
objectClass
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=26 SEARCH RESULT tag=101
err=0 nentries=1 text=
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=27 SRCH
base="dc=test,dc=org" scope=2 deref=0
filter="(&(sambaSID=s-1-5-21-747375223-3054175255-2287932516-515)(objectClass=sambaSamAccount))"
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=27 SRCH attr=uid
uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
sn displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
sambaLogonHours modifyTimestamp uidNumber
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=27 SEARCH RESULT tag=101
err=0 nentries=0 text=
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=28 SRCH
base="ou=Groups,dc=test,dc=org" scope=2 deref=0
filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-747375223-3054175255-2287932516-515))"
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=28 SRCH attr=gidNumber
sambaSID sambaGroupType sambaSIDList description displayName cn
objectClass
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=28 SEARCH RESULT tag=101
err=0 nentries=1 text=
Nov 8 15:07:18 debian slapd[3074]: conn=3 op=4 SRCH
base="dc=test,dc=org" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=pc2$))"
Nov 8 15:07:18 debian slapd[3074]: conn=3 op=4 SEARCH RESULT tag=101
err=0 nentries=1 text=
Nov 8 15:07:18 debian slapd[3074]: conn=3 op=5 SRCH
base="dc=test,dc=org" scope=2 deref=0
filter="(&(objectClass=posixGroup)(|(memberUid=pc2$)(uniqueMember=uid=pc2$,ou=computers,dc=test,dc=org)))"
Nov 8 15:07:18 debian slapd[3074]: conn=3 op=5 SRCH attr=gidNumber
Nov 8 15:07:18 debian slapd[3074]: conn=3 op=5 SEARCH RESULT tag=101
err=0 nentries=1 text=
Nov 8 15:07:18 debian slapd[3074]: conn=3 op=6 SRCH
base="dc=test,dc=org" scope=2 deref=0
filter="(&(objectClass=posixGroup)(uniqueMember=cn=salle1,ou=groups,dc=test,dc=org))"
Nov 8 15:07:18 debian slapd[3074]: conn=3 op=6 SRCH attr=gidNumber
Nov 8 15:07:18 debian slapd[3074]: conn=3 op=6 SEARCH RESULT tag=101
err=0 nentries=0 text=
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=29 SRCH
base="ou=Groups,dc=test,dc=org" scope=2 deref=0
filter="(&(objectClass=sambaGroupMapping)(gidNumber=4000))"
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=29 SRCH attr=gidNumber
sambaSID sambaGroupType sambaSIDList description displayName cn
objectClass
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=29 SEARCH RESULT tag=101
err=0 nentries=1 text=
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=30 SRCH
base="ou=Groups,dc=test,dc=org" scope=2 deref=0
filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-32-545))"
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=30 SRCH attr=gidNumber
sambaSID sambaGroupType sambaSIDList description displayName cn
objectClass
Nov 8 15:07:18 debian slapd[3074]: conn=2 op=30 SEARCH RESULT tag=101
err=0 nentries=0 text=
Nov 8 15:07:23 debian exiting on signal 15
I just can't manage to spot the error. Log files can be downloaded from
here: http://www.fichiers.univ-metz.fr/depot/nass/syslog-et-sambalog.tgz
Thanks for any help,
F. NASS.
PS: Config files can be found here:
http://lists.samba.org/archive/samba/2007-November/136188.html
Frédéric Nass wrote:
Hi,
I'm trying to use the sambaUserWorkstations option to allow users to
log on to certain computers only. This option looks great... In fact it
now looks a lot better than the 'ldap filter' one that was deprecated
with samba 3.0.20...
The fact is, while the sambaUserWorkstations option works well with
machine names, it doesn't seem to work when specifying groups of
machines. I'm using LDAP as a backend + samba 3.0.24 (Debian 4).
For example, I configured the "sambaUserWorkstations" attribute of my
user "test" with the following value: "sambaUserWorkstations:
PC1,+salle1"
This should work for PC1 and PC2 (as the 'salle1' machine group has PC1$ and
PC2$ as members) but not for PC3, right? But the user is actually
only allowed to log in on PC1, and is bounced on PC2. This seemed to
work easily with files as the samba backend.
Is this the right syntax for computer groups with LDAP? I tried
using a "@" instead of a "+" but it didn't help.
I use the LATEST Debian 4 (samba 3.0.24), fully UP-TO-DATE.
Please find all debug and configuration infos here :
http://www.fichiers.univ-metz.fr/depot/nass/sambaUserWorkstations-Groups-Problem.tar.gz
Thank you for any help you might provide us,
Frédéric Nass
IUT de Metz - Université de Metz.
FRANCE
nass_chez_univ-metz_point_fr
Tél : +33387547736
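As an added example, not part of the original thread and not Samba's own code, the following stand-alone C program models the sambaUserWorkstations loop quoted above from auth_sam.c, so the behaviour seen in the logs can be reproduced offline. It keeps the semantics of the quoted snippet: a bare token is compared against the workstation name (case-insensitively, as Samba's strequal does), a "+group" token asks whether "<WKSTA>$" is a member of the group, and any other token (such as the "@salle1" the author tried) is only ever compared as a literal host name. The function ws_allowed() and the two lookup callbacks ldap_ok() and ldap_not_root() are this example's own names, and the "salle1" group contents are constructed from the thread, not read from a directory. The point it makes: user_in_group() returns only true/false, so a membership query that cannot be answered (the "cannot access LDAP when not root" case in the log) is indistinguishable from "not a member" and the check fails closed with NT_STATUS_INVALID_WORKSTATION.

```c
/* Added example (not Samba source): stand-alone model of the
 * sambaUserWorkstations check from auth_sam.c. Names below are this
 * example's own; Samba's are sam_account_ok() and user_in_group(). */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <stdbool.h>

#define NT_STATUS_OK                  0x00000000u
#define NT_STATUS_INVALID_WORKSTATION 0xC0000070u

/* What a group lookup can really return. Samba's user_in_group() only
 * yields True/False, so GROUP_LOOKUP_FAILED collapses into "not allowed". */
typedef enum { GROUP_MEMBER, GROUP_NOT_MEMBER, GROUP_LOOKUP_FAILED } group_result;
typedef group_result (*group_lookup_fn)(const char *account, const char *group);

/* Mirrors the quoted loop: comma-separated tokens; a bare token matches the
 * workstation name case-insensitively; "+group" tests "<WKSTA>$" membership;
 * anything else ("@salle1" included) is just another literal host name. */
static unsigned int ws_allowed(const char *workstation_list,
                               const char *wksta_name, group_lookup_fn lookup)
{
    char list[256];
    char machine_name[64];
    bool invalid_ws = true;

    /* Empty attribute: no restriction at all (the outer if in auth_sam.c). */
    if (workstation_list == NULL || *workstation_list == '\0')
        return NT_STATUS_OK;

    snprintf(machine_name, sizeof(machine_name), "%s$", wksta_name);
    snprintf(list, sizeof(list), "%s", workstation_list);

    for (char *tok = strtok(list, ","); tok != NULL; tok = strtok(NULL, ",")) {
        if (strcasecmp(tok, wksta_name) == 0) {
            invalid_ws = false;          /* plain host-name match, no LDAP needed */
            break;
        }
        if (tok[0] == '+') {
            /* A failed lookup is not distinguishable from "not a member":
             * the restriction fails closed, which is what the log shows. */
            if (lookup(machine_name, tok + 1) == GROUP_MEMBER) {
                invalid_ws = false;
                break;
            }
        }
    }
    return invalid_ws ? NT_STATUS_INVALID_WORKSTATION : NT_STATUS_OK;
}

/* Constructed directory contents: the "salle1" machine group from the thread. */
static group_result ldap_ok(const char *account, const char *group)
{
    static const char *salle1[] = { "PC1$", "PC2$" };
    if (strcasecmp(group, "salle1") != 0)
        return GROUP_NOT_MEMBER;
    for (size_t i = 0; i < sizeof(salle1) / sizeof(salle1[0]); i++)
        if (strcasecmp(account, salle1[i]) == 0)
            return GROUP_MEMBER;
    return GROUP_NOT_MEMBER;
}

/* Simulates the failure in the log: smbldap_open refuses the query because
 * the process is not root, so the membership question cannot be answered. */
static group_result ldap_not_root(const char *account, const char *group)
{
    (void)account; (void)group;
    return GROUP_LOOKUP_FAILED;
}

int main(void)
{
    const char *list = "PC1,+salle1";          /* attribute value from the thread */
    const char *hosts[] = { "PC1", "PC2", "PC3" };
    for (size_t i = 0; i < 3; i++)
        printf("%s: LDAP reachable -> 0x%08X, LDAP refused (not root) -> 0x%08X\n",
               hosts[i],
               ws_allowed(list, hosts[i], ldap_ok),
               ws_allowed(list, hosts[i], ldap_not_root));
    return 0;
}
```

With the directory reachable, PC1 and PC2 are accepted and PC3 is rejected, which is the outcome the author expected. With the lookup refused, only PC2's answer changes: PC1 is still accepted because the bare-name match never touches LDAP, while PC2 now gets NT_STATUS_INVALID_WORKSTATION, exactly the split the author observed (allowed on PC1, bounced on PC2). Swapping "+salle1" for "@salle1" rejects PC2 even with a working directory, since the quoted code treats only a leading "+" as a group reference.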
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba