Re: [Samba] Re: Samba 3.0.0 - LDAP Authentication trouble
Finally I was able to browse my [bart] home share from Windows. But trying to change anything in the files resulted in an error, and in the samba log appeared:

---
[2003/11/13 12:05:10, 5] rpc_parse/parse_prs.c:prs_uint32s(861)
  0064 sub_auths : 0015 03f528bd 261676f7 45c6efd9 0201
[2003/11/13 12:05:10, 3] smbd/error.c:error_packet(113)
  error packet at smbd/nttrans.c(1707) cmd=160 (SMBnttrans) NT_STATUS_ACCESS_DENIED
[2003/11/13 12:05:10, 5] lib/util.c:show_msg(456)
---

Also other shares, both on an acl-enabled and a non-acl filesystem, give the same error. So I decided to try to change the ldap data concerning uid and gid for user bart in ldap, since I figured that during my desperate (and therefore not always by causal explanation) search for a solution I messed something up there. I removed user bart from ldap, and added him again with smbldap-useradd.pl -a bart. In the ldap entries is now the following information: uidnumber = 1007 (equal to unix uid), SambaSID = domainSID + after the dash 3014, gidnumber = 513 (equal to unix gid), SambaPrimaryGroupSID = domainSID + after the dash 2027.

If I look from Windows now, the owner of a share (that is bart in unix) is \\linux\sys (linux being the samba server hostname); it used to say \\linux\bart when my sambaSID was the domain SID + 1007 after the dash. And my home share with name bart disappeared, and the homes share is not accessible.

From the samba log I caught this:

---
NT user token: (NULL)
[2003/11/13 13:57:28, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2003/11/13 13:57:28, 2] lib/smbldap.c:smbldap_search_suffix(1066)
  smbldap_search_suffix: searching for:[((sambaSID=S-1-5-21-66398397-639006455-1170665433-501)(objectclass=sambaSamAccount))]
[2003/11/13 13:57:28, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1099)
  ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-66398397-639006455-1170665433-501] count=0
---

and

---
[2003/11/13 13:57:28, 5] auth/auth_util.c:debug_nt_user_token(491)
  NT user token of user S-1-5-21-66398397-639006455-1170665433-501 contains 7 SIDs
  SID[ 0]: S-1-5-21-66398397-639006455-1170665433-501
  SID[ 1]: S-1-5-21-66398397-639006455-1170665433-514
  SID[ 2]: S-1-1-0
  SID[ 3]: S-1-5-2
  SID[ 4]: S-1-5-32-546
  SID[ 5]: S-1-5-21-66398397-639006455-1170665433-132067
  SID[ 6]: S-1-5-21-66398397-639006455-1170665433-132069
[2003/11/13 13:57:28, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 65534
  Primary group is 65533 and contains 3 supplementary groups
  Group[ 0]: 65533
  Group[ 1]: 65533
  Group[ 2]: 65534
---

I have no uid 501 anywhere specified. I have the feeling that I am lost somewhere between LDAP authentication (this works, but not when I use SIDs as proposed by Andrew Bartlett - see below and above) and unix authentication (even when LDAP authenticates my user, I can not change anything in the share, just read access). Where can I find information about how to populate the LDAP directory? Or an example of a working configuration?

Bart.

On Thu, 2003-11-13 at 01:16, Andrew Bartlett wrote:
> On Thu, 2003-11-13 at 03:11, Carl Weiss wrote:
> > Ok if all your users have the same SID xxx-3000 they are not incrementing correctly in the add user script. I had this same problem when I wasn't correctly authenticating to the LDAP server: I was in fact using the /etc/passwd file, and then using the same test user accounts that I had on the box, i.e. cweiss in ldap and cweiss in /etc/passwd. To further test, change all your SIDs manually with a graphical editor like GQ. I'm guessing you don't have too many because it's a test install. Also make sure to change the SIDs of any computers you added. When I initially found this problem I created a new function in the adduser script to find the highest UID and increment by one. The user sid is calculated by UID+RID*2
>
> UID*2 + 1000
> GID*2 + 1001
>
> is the traditional algorithm. Use it if possible.

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Samba 3.0.0 - LDAP Authentication trouble
My smbpasswd file is empty. I am pretty sure Samba uses LDAP for authenticating users. Changing the password in the LDAP database results in login errors, so there is a connection. The bart account is indeed the first, but I already noticed other accounts use the same user SID, so there is something wrong here with the increment indeed.

My system runs on Suse 8.2, and for now uses the /etc/passwd file for local login since I could not configure ldap login at installation time. I have to admit samba 3.0.0 takes a lot longer to get to work (at least with ldap backend) than the 2.2.x versions. I am not an inexperienced user, but I keep running into problems. Also, there are numerous sources (how-to's etc.) to be found on the www, all telling different stories. Especially the LDAP configuration seems to be, at least in my case, the cause of trouble.

Thanks,
Bart.

Carl Weiss wrote:
> If this solved your problem, it sounds like you're not really authenticating to LDAP and just using the smbpassdb file; although it can read from LDAP it may not be using it for authentication. Verify that you are using LDAP for authentication: you can run Authconfig in Red Hat, otherwise you'll have to check your PAM. To test simply, you can try to login with your user Bart at the console (verify that the account isn't in /etc/passwd). If the Bart account is the first user you created, SID x3000 is the default first user; if all your accounts have this same SID they will not authenticate. This points to an issue with the script smbldap-useradd.pl not incrementing the SID; it may also point to the above PAM problem.
>
> -=carl=-
>
> Bart Bekker [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > Thanks, problem solved. But I am still confused. Why are those password tools delivered with Samba, if they are not useful? I saw in the LDAP that smbpasswd uses SMD5 encryption for the password; the smbldap-passwd tool adds them using SSHA. No wonder it did not work.
> >
> > Thanks again.
> > Bart.
> >
> > Andrew Bartlett wrote:
> > > On Tue, 2003-11-11 at 23:42, Bart Bekker wrote:
> > > > For quite some time I have been trying to get samba 3.0.0 working with an LDAP backend. The latest problem I have is that user authentication does not work. The passwords are right, added them with the ldaptools from the samba source.
> > >
> > > Add them with smbpasswd. The password in LDAP is simply not the password that the user is sending.
> > >
> > > Andrew Bartlett
Re: [Samba] Re: Samba 3.0.0 - LDAP Authentication trouble
Ok if all your users have the same SID xxx-3000 they are not incrementing correctly in the add user script. I had this same problem when I wasn't correctly authenticating to the LDAP server: I was in fact using the /etc/passwd file, and then using the same test user accounts that I had on the box, i.e. cweiss in ldap and cweiss in /etc/passwd. To further test, change all your SIDs manually with a graphical editor like GQ. I'm guessing you don't have too many because it's a test install. Also make sure to change the SIDs of any computers you added. When I initially found this problem I created a new function in the adduser script to find the highest UID and increment by one. The user sid is calculated by UID+RID*2 I believe; in any event it is based on the UID. If it comes down to this I have another method for how it would write the function. I just wanted to get it working then.

It's my experience that you should be able to log in using your LDAP accounts to the samba server, unless explicitly denied in the user's LDAP entry, if it's all configured correctly. It took me 3 days before I made ANY progress with this project, and not 3 8-hour days. If it's driving you nuts, it got to me too. There is so little information out there for samba LDAP, and then the differences between the 2 and 3 schema.

-=Carl Weiss=-
good luck

----- Original Message -----
From: Bart Bekker [EMAIL PROTECTED]
To: Carl Weiss [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 2:33 AM
Subject: Re: [Samba] Re: Samba 3.0.0 - LDAP Authentication trouble

> My smbpasswd file is empty. I am pretty sure Samba uses LDAP for authenticating users. Changing the password in the LDAP database results in login errors, so there is a connection. The bart account is indeed the first, but I already noticed other accounts use the same user SID, so there is something wrong here with the increment indeed.
>
> My system runs on Suse 8.2, and for now uses the /etc/passwd file for local login since I could not configure ldap login at installation time. I have to admit samba 3.0.0 takes a lot longer to get to work (at least with ldap backend) than the 2.2.x versions. I am not an inexperienced user, but I keep running into problems. Also, there are numerous sources (how-to's etc.) to be found on the www, all telling different stories. Especially the LDAP configuration seems to be, at least in my case, the cause of trouble.
>
> Thanks,
> Bart.
>
> Carl Weiss wrote:
> > If this solved your problem, it sounds like you're not really authenticating to LDAP and just using the smbpassdb file; although it can read from LDAP it may not be using it for authentication. Verify that you are using LDAP for authentication: you can run Authconfig in Red Hat, otherwise you'll have to check your PAM. To test simply, you can try to login with your user Bart at the console (verify that the account isn't in /etc/passwd). If the Bart account is the first user you created, SID x3000 is the default first user; if all your accounts have this same SID they will not authenticate. This points to an issue with the script smbldap-useradd.pl not incrementing the SID; it may also point to the above PAM problem.
> >
> > -=carl=-
> >
> > Bart Bekker [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > > Thanks, problem solved. But I am still confused. Why are those password tools delivered with Samba, if they are not useful? I saw in the LDAP that smbpasswd uses SMD5 encryption for the password; the smbldap-passwd tool adds them using SSHA. No wonder it did not work.
> > >
> > > Thanks again.
> > > Bart.
> > >
> > > Andrew Bartlett wrote:
> > > > On Tue, 2003-11-11 at 23:42, Bart Bekker wrote:
> > > > > For quite some time I have been trying to get samba 3.0.0 working with an LDAP backend. The latest problem I have is that user authentication does not work. The passwords are right, added them with the ldaptools from the samba source.
> > > >
> > > > Add them with smbpasswd. The password in LDAP is simply not the password that the user is sending.
> > > >
> > > > Andrew Bartlett
Re: [Samba] Re: Samba 3.0.0 - LDAP Authentication trouble
On Thu, 2003-11-13 at 03:11, Carl Weiss wrote:
> Ok if all your users have the same SID xxx-3000 they are not incrementing correctly in the add user script. I had this same problem when I wasn't correctly authenticating to the LDAP server: I was in fact using the /etc/passwd file, and then using the same test user accounts that I had on the box, i.e. cweiss in ldap and cweiss in /etc/passwd. To further test, change all your SIDs manually with a graphical editor like GQ. I'm guessing you don't have too many because it's a test install. Also make sure to change the SIDs of any computers you added. When I initially found this problem I created a new function in the adduser script to find the highest UID and increment by one. The user sid is calculated by UID+RID*2

UID*2 + 1000
GID*2 + 1001

is the traditional algorithm. Use it if possible.

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
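The following is an added worked example, not code from this thread or from the Samba project, showing what the traditional RID algorithm quoted above (user RID = UID*2 + 1000, group RID = GID*2 + 1001) does to the numbers seen earlier in this thread. It assumes the domain SID and NT user token are the ones quoted from Bart's log (copied here as constructed sample input), and it uses the standard Windows well-known RIDs (500 Administrator, 501 Guest, 512 Domain Admins, 513 Domain Users, 514 Domain Guests) and well-known SIDs (S-1-1-0 Everyone, S-1-5-2 NETWORK, S-1-5-32-546 BUILTIN\Guests). The helper names are my own. Run as a diagnostic, it shows why the session landed on uid 65534: the token's user RID is 501 (Guest), which has no sambaSamAccount in LDAP, and the two large group RIDs invert to gid 65533 and 65534 under the same algorithm. It also confirms that uid 1007 / gid 513 give RIDs 3014 and 2027, the values Bart's re-created LDAP entry shows.

```python
import re

# Constructed sample input: the domain SID and the NT user token
# quoted from the samba log earlier in this thread.
DOMAIN_SID = "S-1-5-21-66398397-639006455-1170665433"
TOKEN_SIDS = [
    "S-1-5-21-66398397-639006455-1170665433-501",
    "S-1-5-21-66398397-639006455-1170665433-514",
    "S-1-1-0",
    "S-1-5-2",
    "S-1-5-32-546",
    "S-1-5-21-66398397-639006455-1170665433-132067",
    "S-1-5-21-66398397-639006455-1170665433-132069",
]

# Standard Windows well-known RIDs (within a domain) and well-known SIDs.
WELL_KNOWN_DOMAIN_RIDS = {
    500: "Administrator", 501: "Guest",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
}
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Split 'S-1-5-21-...-RID' into (prefix, rid); reject malformed input."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


# The traditional smbldap algorithm quoted in the thread.
def uid_to_rid(uid):
    return uid * 2 + 1000        # always even


def gid_to_rid(gid):
    return gid * 2 + 1001        # always odd


def rid_to_id(rid):
    """Invert the algorithm: ('user', uid) for even RIDs, ('group', gid) for odd.
    RIDs below 1000 belong to the well-known range and are never algorithmic."""
    if rid < 1000:
        raise ValueError(f"RID {rid} is in the well-known range")
    if rid % 2 == 0:
        return ("user", (rid - 1000) // 2)
    return ("group", (rid - 1001) // 2)


def describe_sid(sid, domain_sid=DOMAIN_SID):
    """Human-readable explanation of one SID from an NT token."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    prefix, rid = split_sid(sid)
    if prefix != domain_sid:
        return f"foreign SID {sid}"
    if rid in WELL_KNOWN_DOMAIN_RIDS:
        return f"well-known: {WELL_KNOWN_DOMAIN_RIDS[rid]}"
    try:
        kind, num = rid_to_id(rid)
    except ValueError:
        return f"unmapped low RID {rid}"
    return f"algorithmic {kind} {'uid' if kind == 'user' else 'gid'}={num}"


def check_token(token_sids, domain_sid=DOMAIN_SID):
    """Return (user_rid, is_guest, notes): the first SID is the session user.
    RID 501 means Samba fell back to the Guest account, not a mapped LDAP user."""
    _, user_rid = split_sid(token_sids[0])
    notes = [describe_sid(s, domain_sid) for s in token_sids]
    return user_rid, user_rid == 501, notes


def entry_consistent(uid, gid, user_rid, group_rid):
    """True if an LDAP entry's sambaSID/sambaPrimaryGroupSID RIDs follow the algorithm."""
    return uid_to_rid(uid) == user_rid and gid_to_rid(gid) == group_rid


if __name__ == "__main__":
    rid, guest, notes = check_token(TOKEN_SIDS)
    print(f"session user RID {rid}, guest fallback: {guest}")
    for sid, note in zip(TOKEN_SIDS, notes):
        print(f"  {sid:48} {note}")
    print("bart entry consistent:", entry_consistent(1007, 513, 3014, 2027))
```

The useful defender's check here is the pair of inversions: a token whose user RID is 501 while the log says "Unable to locate SID ...-501" means the share was opened as Guest, so the NT_STATUS_ACCESS_DENIED on write is expected behaviour, not an ACL bug on the filesystem.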
[Samba] Re: Samba 3.0.0 - LDAP Authentication trouble
If this solved your problem, it sounds like you're not really authenticating to LDAP and just using the smbpassdb file; although it can read from LDAP it may not be using it for authentication. Verify that you are using LDAP for authentication: you can run Authconfig in Red Hat, otherwise you'll have to check your PAM. To test simply, you can try to login with your user Bart at the console (verify that the account isn't in /etc/passwd). If the Bart account is the first user you created, SID x3000 is the default first user; if all your accounts have this same SID they will not authenticate. This points to an issue with the script smbldap-useradd.pl not incrementing the SID; it may also point to the above PAM problem.

-=carl=-

Bart Bekker [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Thanks, problem solved. But I am still confused. Why are those password tools delivered with Samba, if they are not useful? I saw in the LDAP that smbpasswd uses SMD5 encryption for the password; the smbldap-passwd tool adds them using SSHA. No wonder it did not work.
>
> Thanks again.
> Bart.
>
> Andrew Bartlett wrote:
> > On Tue, 2003-11-11 at 23:42, Bart Bekker wrote:
> > > For quite some time I have been trying to get samba 3.0.0 working with an LDAP backend. The latest problem I have is that user authentication does not work. The passwords are right, added them with the ldaptools from the samba source.
> >
> > Add them with smbpasswd. The password in LDAP is simply not the password that the user is sending.
> >
> > Andrew Bartlett