[Samba] Samba3.5 + OpenLDAP config/install problem

2013-03-16 Thread Wes Modes
: No privileges assigned to SID
[S-1-5-21-2642364908-3785178431-1037763545-3003]
[2013/02/11 17:40:43.133259,  3] lib/privileges.c:63(get_privileges)
  get_privileges: No privileges assigned to SID
[S-1-5-21-2642364908-3785178431-1037763545-61003]
[2013/02/11 17:40:43.133279,  3] lib/privileges.c:63(get_privileges)
  get_privileges: No privileges assigned to SID
[S-1-5-21-509675986-796770002-1500055658-61055]
[2013/02/11 17:40:43.133299,  3] lib/privileges.c:63(get_privileges)
  get_privileges: No privileges assigned to SID
[S-1-5-21-2154974163-3334587364-3558233830-61137]
[2013/02/11 17:40:43.133320,  3] lib/privileges.c:63(get_privileges)
  get_privileges: No privileges assigned to SID
[S-1-5-21-2154974163-3334587364-3558233830-61139]
[2013/02/11 17:40:43.133354,  3] lib/privileges.c:63(get_privileges)
  get_privileges: No privileges assigned to SID
[S-1-5-21-2154974163-3334587364-3558233830-61141]
[2013/02/11 17:40:43.133382,  3] lib/privileges.c:63(get_privileges)
  get_privileges: No privileges assigned to SID
[S-1-5-21-2154974163-3334587364-3558233830-61143]
[2013/02/11 17:40:43.133404,  3] lib/privileges.c:63(get_privileges)
  get_privileges: No privileges assigned to SID
[S-1-5-21-2154974163-3334587364-3558233830-61171]
[2013/02/11 17:40:43.133424,  3] lib/privileges.c:63(get_privileges)
  get_privileges: No privileges assigned to SID
[S-1-5-21-2154974163-3334587364-3558233830-61277]
[2013/02/11 17:40:43.133453,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2013/02/11 17:40:43.133470,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2013/02/11 17:40:43.133484,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2013/02/11 17:40:43.133855,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/02/11 17:40:43.134001,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2013/02/11 17:40:43.134026,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2013/02/11 17:40:43.134049,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2013/02/11 17:40:43.134480,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/02/11 17:40:43.134534,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2013/02/11 17:40:43.134552,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2013/02/11 17:40:43.134566,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2013/02/11 17:40:43.134892,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/02/11 17:40:43.135065,  3]
libsmb/ntlmssp_sign.c:343(ntlmssp_sign_init)
  NTLMSSP Sign/Seal - Initialising with flags:
[2013/02/11 17:40:43.135090,  3]
libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x60088215
[2013/02/11 17:40:43.135112,  3]
smbd/password.c:282(register_existing_vuid)
  register_existing_vuid: User name: wmodes Real name: Wes Modes
[2013/02/11 17:40:43.135129,  3]
smbd/password.c:292(register_existing_vuid)
  register_existing_vuid: UNIX uid 502 is UNIX user wmodes, and will
be vuid 100
[2013/02/11 17:40:43.135202,  3]
smbd/password.c:223(register_homes_share)
  Adding homes service for user 'wmodes' using home directory:
'/home/wmodes'
[2013/02/11 17:40:43.135254,  3] param/loadparm.c:6290(lp_add_home)
  adding home's share [wmodes] for user 'wmodes' at '/data/home/%S'
[2013/02/11 17:40:43.135534,  3] smbd/process.c:1489(process_smb)
  Transaction 3 of length 80 (0 toread)
[2013/02/11 17:40:43.135583,  3] smbd/process.c:1298(switch_message)
  switch message SMBtconX (pid 14343) conn 0x0
[2013/02/11 17:40:43.135599,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/02/11 17:40:43.135644,  3] lib/access.c:365(only_ipaddrs_in_list)
  only_ipaddrs_in_list: list has non-ip address (127.)
[2013/02/11 17:40:43.135683,  3] lib/access.c:399(check_access)
  check_access: hostnames in host allow/deny list.
[2013/02/11 17:40:43.135779,  2] lib/access.c:409(check_access)
  Allowed connection from :::128.114.163.34 (:::128.114.163.34)
[2013/02/11 17:40:43.135812,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2013/02/11 17:40:43.135831,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2013/02/11 17:40:43.135846,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2013/02/11 17:40:43.135871,  3] smbd

[Samba] Problem with User and Group Ownership listing

2013-02-20 Thread Wes Modes
I am installing smb 3.5 on a CentOS 6.2 host using smbldap-tools.  I've
previously installed a similar configuration on RHEL4 using smb 3.0 but
CentOS now uses nss-pam-ldapd and nslcd instead of nss_ldap, so the
configurations cannot be moved straight across.

When I do a listing of a share directory that should have user and group
ownership determined by LDAP, I get the uidNumbers and gidNumbers rather
than the UIDs and GIDs.

[root@edgar2 openldap]# ls -l /data/home | tail
drwx------.  2  30634 30080 4096 Mar 18  2009 userdir1
drwx------. 33  30548 30075 4096 Jan 29 15:20 userdir2
drwx------.  3  30554 30075 4096 Jan 26  2009 userdir3
drwx------. 12  30467 30075 4096 Jun 21  2012 userdir4
drwx------.  4  30543 30075 4096 Oct 21  2008 userdir5
drwx------.  8  30555 30075 4096 Oct 31 10:36 userdir5

Other details:  centos 6.2, samba 3.5, smbldap-tools 0.9.6, openldap 2.4.23

I've fussed with /etc/nsswitch.conf, /etc/pam_ldap.conf,
/etc/nslcd.conf, /etc/pam.d/system-auth, and /etc/sysconfig/authconfig. 
And selinux is off.

I know the machine is successfully connecting to LDAP.  An ldapsearch
works from this machine, and I can even connect to a samba share with an
ldap login through smbclient.

Relevant parts of /etc/nsswitch:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files ldap
rpc:        files
services:   files ldap

netgroup:   nisplus ldap
#netgroup:  ldap

publickey:  nisplus

automount:  files nisplus ldap
#automount: files ldap
aliases:    files nisplus

Relevant parts of /etc/pam_ldap.conf (everything else is commented out):

host dir1.ourdomain.com
base dc=.ourdomain,dc=com
#uri ldaps://dir1.ourdomain.com
uri ldap://dir1.ourdomain.com
   
# basic auth config
binddn cn=admin,dc=ourdomain,dc=com
rootbinddn cn=admin,dc=ourdomain,dc=com
   
# random stuff
#timelimit 120
#bind_timelimit 120
#bind_policy hard
# brought these times down wmodes Aug 11, 2008
timelimit 30
bind_timelimit 30
bind_policy soft
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap
   
# pam config
#pam_password md5
pam_password md5
   
# config for nss
nss_base_passwd ou=people,dc=ourdomain,dc=com?one
nss_base_shadow ou=people,dc=ourdomain,dc=com?one
nss_base_group  ou=group,dc=ourdomain,dc=com?one
   
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl no
   
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
#tls_checkpeer yes
   
# CA certificates for server certificate verification
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts
   
# Client certificate and key
tls_cert /etc/openldap/cacerts/servercert.pem
tls_key /etc/openldap/cacerts/serverkey.pem

Relevant parts of /etc/pam.d/system-auth:

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077

And the only line in /etc/sysconfig/authconfig I changed was:

USELDAP=yes

Any thoughts?  For those who are experienced with nis and pam, I'm sure
this is a no brainer, but I could sure use the little bit of your brain
that knows how to fix this.

Wes

-- 
Wes Modes
Systems Designer, Developer, and Administrator
University Library ITS
University of California, Santa Cruz

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
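A check for the symptom in this post, added here as an example (it is not code from the post or from Samba): `ls` prints raw uid/gid numbers exactly when its own `getpwuid()`/`getgrgid()` lookups fail, so the script below parses an `ls -l` listing (a constructed sample built from the owner and group columns quoted above, plus one root-owned line) and repeats those NSS lookups through Python's `pwd` and `grp` modules to list the IDs the host cannot name. On CentOS 6 with nss-pam-ldapd those lookups are answered by the `nslcd` daemon from `/etc/nslcd.conf`; `/etc/pam_ldap.conf` is not what NSS reads, so an ID reported here points at `nslcd` (not running, or wrong `uri`/`base`/`map` settings) rather than at Samba. Samba builds a user's token from the same NSS group lookups, so the `@group` entries in `valid users` depend on this too.

```python
"""Report numeric owners in an `ls -l` listing that NSS cannot turn into names.

Added example for the thread above (not code from the post or from Samba).
`ls` falls back to printing raw uid/gid numbers exactly when the NSS lookup
fails, so asking pwd/grp directly reproduces what ls (and smbd) see.
"""
import grp
import pwd
import re
import subprocess
import sys

# Constructed sample: owner/group columns taken from the listing in the post,
# plus one root-owned line. The LDAP-only IDs are not expected to resolve on
# the host running this script unless nslcd is serving them.
SAMPLE_LISTING = """\
drwx------.  2  30634 30080 4096 Mar 18  2009 userdir1
drwx------. 33  30548 30075 4096 Jan 29 15:20 userdir2
drwx------.  3  30554 30075 4096 Jan 26  2009 userdir3
drwxr-xr-x.  2      0     0 4096 Jan  1  2013 lost+found
"""

# mode string, optional SELinux/ACL marker, link count, owner, group
LS_LINE = re.compile(r"^[-dlcbps][rwxsStT-]{9}[.+@]?\s+\d+\s+(\S+)\s+(\S+)\s")


def parse_owners(listing):
    """Return the (owner, group) columns of every `ls -l` line in the listing."""
    pairs = []
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def resolve_uid(uid):
    """Name for a uid via NSS (files, then ldap per nsswitch.conf), or None."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def resolve_gid(gid):
    """Name for a gid via NSS, or None when no source knows it."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return None


def unresolved_ids(listing):
    """Sorted (uids, gids) that appear numerically in the listing and still fail NSS.

    A purely numeric column is what ls prints when its own lookup failed; if the
    lookup fails here as well, the problem is NSS (nslcd), not Samba.
    """
    bad_uids, bad_gids = set(), set()
    for owner, group in parse_owners(listing):
        if owner.isdigit() and resolve_uid(int(owner)) is None:
            bad_uids.add(int(owner))
        if group.isdigit() and resolve_gid(int(group)) is None:
            bad_gids.add(int(group))
    return sorted(bad_uids), sorted(bad_gids)


def main(argv):
    """Check a directory given on the command line, or the built-in sample."""
    if len(argv) > 1:
        listing = subprocess.run(["ls", "-l", argv[1]], capture_output=True,
                                 text=True, check=True).stdout
    else:
        listing = SAMPLE_LISTING
    uids, gids = unresolved_ids(listing)
    for uid in uids:
        print(f"uid {uid}: no passwd entry from NSS (try: getent passwd {uid})")
    for gid in gids:
        print(f"gid {gid}: no group entry from NSS (try: getent group {gid})")
    return 1 if (uids or gids) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_owners.py /data/home` on the Samba host. Every ID it prints should then be tried with `getent passwd <uid>` and `id <user>`; if those fail as well, start `nslcd -d` in the foreground and watch which search it sends (and whether it binds at all) when you repeat the `getent`.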


[Samba] Samba3.5 + OpenLDAP config/install problem

2013-02-12 Thread Wes Modes
(get_privileges)
get_privileges: No privileges assigned to SID [S-1-5-2]
[2013/02/11 17:40:43.133219,  3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID [S-1-5-11]
[2013/02/11 17:40:43.133239,  3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
[S-1-5-21-2642364908-3785178431-1037763545-3003]
[2013/02/11 17:40:43.133259,  3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
[S-1-5-21-2642364908-3785178431-1037763545-61003]
[2013/02/11 17:40:43.133279,  3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
[S-1-5-21-509675986-796770002-1500055658-61055]
[2013/02/11 17:40:43.133299,  3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
[S-1-5-21-2154974163-3334587364-3558233830-61137]
[2013/02/11 17:40:43.133320,  3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
[S-1-5-21-2154974163-3334587364-3558233830-61139]
[2013/02/11 17:40:43.133354,  3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
[S-1-5-21-2154974163-3334587364-3558233830-61141]
[2013/02/11 17:40:43.133382,  3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
[S-1-5-21-2154974163-3334587364-3558233830-61143]
[2013/02/11 17:40:43.133404,  3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
[S-1-5-21-2154974163-3334587364-3558233830-61171]
[2013/02/11 17:40:43.133424,  3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
[S-1-5-21-2154974163-3334587364-3558233830-61277]
[2013/02/11 17:40:43.135112,  3]
smbd/password.c:282(register_existing_vuid) register_existing_vuid:
User name: wmodes Real name: Wes Modes
[2013/02/11 17:40:43.135129,  3]
smbd/password.c:292(register_existing_vuid) register_existing_vuid:
UNIX uid 502 is UNIX user wmodes, and will be vuid 100
[2013/02/11 17:40:43.135202,  3]
smbd/password.c:223(register_homes_share) Adding homes service for
user 'wmodes' using home directory: '/home/wmodes'
[2013/02/11 17:40:43.135254,  3] param/loadparm.c:6290(lp_add_home)
adding home's share [wmodes] for user 'wmodes' at '/data/home/%S'
[2013/02/11 17:40:43.135644,  3]
lib/access.c:365(only_ipaddrs_in_list) only_ipaddrs_in_list: list
has non-ip address (127.)
[2013/02/11 17:40:43.135683,  3] lib/access.c:399(check_access)
check_access: hostnames in host allow/deny list.
[2013/02/11 17:40:43.135779,  2] lib/access.c:409(check_access)
Allowed connection from :::128.114.163.34 (:::128.114.163.34)
[2013/02/11 17:40:43.136056,  3]
smbd/service.c:807(make_connection_snum) Connect path is '/tmp' for
service [IPC$]
[2013/02/11 17:40:43.136462,  3]
smbd/service.c:1070(make_connection_snum) monitor
(:::128.114.163.34) connect to service IPC$ initially as user
wmodes (uid=502, gid=503) (pid 14343)
[2013/02/11 17:40:43.136899,  3] smbd/msdfs.c:840(get_referred_path)
get_referred_path: |cns| in dfs path \edgar2\cns is not a dfs root.
[2013/02/11 17:40:43.136922,  3] smbd/error.c:80(error_packet_set)
error packet at smbd/trans2.c(8056) cmd=50 (SMBtrans2)
NT_STATUS_NOT_FOUND
[2013/02/11 17:40:43.137259,  3] smbd/service.c:1251(close_cnum)
monitor (:::128.114.163.34) closed connection to service IPC$
[2013/02/11 17:40:43.137277,  3]
smbd/connection.c:31(yield_connection) Yielding connection to IPC$
[2013/02/11 17:40:43.137619,  3]
lib/access.c:365(only_ipaddrs_in_list) only_ipaddrs_in_list: list
has non-ip address (127.)
[2013/02/11 17:40:43.137638,  3] lib/access.c:399(check_access)
check_access: hostnames in host allow/deny list.
[2013/02/11 17:40:43.137673,  2] lib/access.c:409(check_access)
Allowed connection from :::128.114.163.34 (:::128.114.163.34)
[2013/02/11 17:40:43.137788,  3] lib/util_sid.c:228(string_to_sid)
string_to_sid: Sid @cns does not start with 'S-'.
[2013/02/11 17:40:43.139344,  2]
passdb/pdb_ldap.c:2446(init_group_from_ldap) init_group_from_ldap:
Entry found for group: 30001
[2013/02/11 17:40:43.139894,  3] lib/util_sid.c:228(string_to_sid)
string_to_sid: Sid @cns-read does not start with 'S-'.
[2013/02/11 17:40:43.141015,  2]
passdb/pdb_ldap.c:2446(init_group_from_ldap) init_group_from_ldap:
Entry found for group: 30034
[2013/02/11 17:40:43.141528,  3] lib/util_sid.c:228(string_to_sid)
string_to_sid: Sid @admin does not start with 'S-'.
[2013/02/11 17:40:43.142516,  2]
passdb/pdb_ldap.c:2446(init_group_from_ldap) init_group_from_ldap:
Entry found for group: 1001
[2013/02/11 17:40:43.143057,  2]
smbd/service.c:598(create_connection_server_info

[Samba] Mysterious new problem: nss_ldap: could not soft reconnect to LDAP server

2008-08-11 Thread Wes Modes
Suddenly as of this morning, none of my users can authenticate to samba 
because nss_ldap is producing cryptic errors.  Nothing has changed on 
either the LDAP server or the Samba server.  Looks like this in 
/var/log/messages:


Aug 11 11:19:29 edgar smbd[8394]: nss_ldap: could not soft reconnect to 
LDAP server - Server is unavailable


Yet, the LDAP server IS available, and happily chirping away serving as 
an LDAP server for several other services.  Only Samba seems to be 
having the trouble.


Anyone else encounter this?  I believe the library staff is headed to my 
office at just this moment with pitchforks and torches.  Please help.


Wes

--

Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Mysterious new problem: nss_ldap: could not soft reconnect to LDAP server

2008-08-11 Thread Wes Modes
I didn't try that.  but if it happens again I shall.  I knew the LDAP 
servers were working, but that the Samba server (via nss) wasn't talking 
to it.


What I ended up doing was turning off nss's use of TLS.  That fixed it.  
In RHEL, the command is authconfig.


Why they suddenly stopped talking to each other, I still don't know.

Obviously I need to come in during non-office hours and config and test 
and retest to get TLS working at both ends again.


Wes

John Drescher wrote:

On Mon, Aug 11, 2008 at 2:20 PM, Wes Modes [EMAIL PROTECTED] wrote:
  

Suddenly as of this morning, none of my users can authenticate to samba
because nss_ldap is producing cryptic errors.  Nothing has changed on either
the LDAP server or the Samba server.  Looks like this in /var/log/messages:

Aug 11 11:19:29 edgar smbd[8394]: nss_ldap: could not soft reconnect to LDAP
server - Server is unavailable




Have you made sure your ldap servers are working?


# slapcat

# getent group
# getent passwd

John

  


--

Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] User invalid SID with home directory - Bueller?

2008-05-15 Thread Wes Modes
The [homes] share is configured similarly to the [home] share, though 
one would mount it differently:


\\fileserver.ucsc.edu\home   for the [home] share
\\fileserver.ucsc.edu\wmodes for the [homes] share

and for users who have the problem, they have the SID problem in 
mounting both shares.


On my server, even for those accounts that work fine, there is little 
similarity in the SID for the domain and the user's SambaSID, and the 
SambaPrimaryGroupSID.


I am beginning to suspect, I reset the machine SID after I created many 
of my accounts.  And so the old SID somewhere somehow encoded within the 
user's old SambaSID turns up as invalid.


If anybody knows how to specify that I can trust these accounts so I 
don't have the SID problem, that'd be swell.


W.

Charlie wrote:

The first part of any SID is the domain portion.  It should be pretty
constant throughout your domain as I understand things.  When dealing
with users and groups, the bit after the last dash is the RID or
relative ID and it must be unique within the domain.  Really really
unique!  If samba created your user & group sids the groups will be
odd-numbered and users will be even-numbered.

So, for example, the domain SID for my domain looks somewhat like this:

SID for domain DARKAGES is: S-1-5-21-267844371-1268535915-2638854549

And the SID for my PDC and BDCs are exactly the same, although other
servers (that are not either PDCs or BDCs) have their own unique SIDs.

My personal SID looks like this:  S-1-5-21-267844371-1268535915-2638854549-1802

Notice my RID of 1802 on the end there?  I have a uidNumber of 401 on
the POSIX side.  The beginning bit seems to define my domain
membership, though.

If I change the domain SID on my PDC with net setlocalsid I can no
longer log in using my own account, apparently because I do not have
the right SID.  There are ways to get around that involving winbind
and/or domain trust accounts - but I can't explain those things
because I don't understand them either.  My knowledge of CIFS and
samba is pretty shallow.

We may be off in the weeds here, though - you should check out samba's
automagical [homes] share and see if you can make it do what you want
without having to do the %U thing.

--Charlie

On Wed, May 14, 2008 at 6:23 PM, Wes Modes [EMAIL PROTECTED] wrote:
  

It does not. But then the SID of each user doesn't match those of each other
either.  I've seen that asked before, but are you sure the machine's SID and
every user SID should be the same?

W.

Charlie wrote:

If you do a net getlocalsid at your shell prompt on the samba server
that hosts the share, does the preamble of the SID returned match that
of the SID you see in your error messages?

I'm betting not...

--Charlie

On Tue, May 13, 2008 at 2:39 PM, Wes Modes [EMAIL PROTECTED] wrote:


So even though I see this popping up in tons of posts, no one has
encountered it and successfully solved the problem or can illuminate the
issue?

 Here's what I did not knowing what else to do:

  1. Deleted the account.  (smbldap-userdel)
  2. Recreated the account  (smbldap-useradd)
  3. Searched for any files owned by the old user, and chown'd them to
 the new user

 It is not an elegant solution, but it is the only one I have now.  So far I
haven't gotten any accounts that have had the problem reoccur.  But I'm
waiting to see.

 Wes


 Wes Modes wrote:



I'm having the problem in which users can access their group shares, but
not their home shares.  These two shares are defined thusly in smb.conf:


  [seref]
  comment = Science & Engineering Reference Section
  path = /data/group/seref
  valid users = @seref, @seref-read, @admin
  read list = @seref-read
  write list = @seref, @admin
  force group = seref
  create mask = 0664
  directory mask = 0770

  [home]
  comment = %u's Personal Share Directory
  path = /data/home/%U
  valid users = %U, @admin
  write list = %U, @admin
  create mask = 0600
  directory mask = 0700
  browseable = No


It seems that the %U variable causes Samba to do a lookup_global_sam_name
which fails.


  [EMAIL PROTECTED] smbclient -Ujoeblow '\\edgar.library.ucsc.edu\home'
  tree connect failed: NT_STATUS_ACCESS_DENIED


Here's the relevant section of the log:

  passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: joeblow
  passdb/pdb_ldap.c:init_group_from_ldap(2158)
  init_group_from_ldap: Entry found for group: 30023
  passdb/passdb.c:lookup_global_sam_name(596)
  User joeblow with invalid SID
  S-1-5-21-2642364908-3785178431-1037763545-61756 in passdb
  passdb/pdb_ldap.c:init_group_from_ldap(2158)
init_group_from_ldap: Entry found for group: 1001
  smbd/service.c:make_connection_snum(616)
  user 'joeblow' (from session setup) not permitted to access this
  share (home)


Please note that I am not using the ADS security
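The log excerpts on this page (the `get_privileges` lines in the 2013 thread, which carry three different S-1-5-21 prefixes for one user, and the `User joeblow with invalid SID ... in passdb` line here) together with Charlie's description of a SID as a domain part plus a RID suggest a concrete check: collect every domain-style SID a Samba log attributes to the session, split off the RID, group by domain part, and compare each domain part with `net getlocalsid` on the server. Anything under a different domain part is an account or group mapping that was created under an earlier SID, which is what "reset the machine SID after I created many of my accounts" would produce. The script below does that; it is an added example, not code from the thread or from Samba. `SAMPLE_LOG` is constructed from lines quoted in these threads, and `ASSUMED_LOCAL_SID` is a stand-in for the server's real `net getlocalsid` output (one of the three prefixes from the 2013 log, picked for the demo). `algorithmic_posix_id` inverts Samba's default algorithmic RID mapping (uid*2+1000 for users, gid*2+1001 for groups, which is why Samba-allocated user RIDs are even and group RIDs odd, as Charlie notes); it only applies to RIDs allocated that way, which smbldap-tools also does by default.

```python
"""Group the domain-style SIDs in a Samba log by domain part and flag foreign ones.

Added example for the SID threads on this page (not code from the posts or
from Samba). A domain SID is S-1-5-21-<a>-<b>-<c>; a user or group SID is that
prefix plus a RID. Entries whose prefix is not the server's current local SID
are what smbd reports as "invalid SID ... in passdb".
"""
import re
from collections import defaultdict

# Only domain-style SIDs; well-known ones such as S-1-5-2 / S-1-5-11 are skipped.
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")

# Constructed excerpt: lines copied from the logs quoted in this page's threads.
SAMPLE_LOG = """\
get_privileges: No privileges assigned to SID [S-1-5-2]
get_privileges: No privileges assigned to SID [S-1-5-11]
get_privileges: No privileges assigned to SID [S-1-5-21-2642364908-3785178431-1037763545-3003]
get_privileges: No privileges assigned to SID [S-1-5-21-2642364908-3785178431-1037763545-61003]
get_privileges: No privileges assigned to SID [S-1-5-21-509675986-796770002-1500055658-61055]
get_privileges: No privileges assigned to SID [S-1-5-21-2154974163-3334587364-3558233830-61137]
User joeblow with invalid SID S-1-5-21-2642364908-3785178431-1037763545-61756 in passdb
"""

# Assumption for the demo: stand-in for the server's `net getlocalsid` output.
ASSUMED_LOCAL_SID = "S-1-5-21-2154974163-3334587364-3558233830"

ALGORITHMIC_RID_BASE = 1000  # Samba's default "algorithmic rid base"


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into ('S-1-5-21-a-b-c', rid)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def sids_by_domain(log_text):
    """Map each domain part seen in the log to the sorted RIDs under it."""
    groups = defaultdict(set)
    for sid in SID_RE.findall(log_text):
        domain, rid = split_sid(sid)
        groups[domain].add(rid)
    return {domain: sorted(rids) for domain, rids in groups.items()}


def foreign_rids(log_text, local_sid):
    """Domain parts (and their RIDs) that do not match the server's local SID."""
    return {d: rids for d, rids in sids_by_domain(log_text).items() if d != local_sid}


def algorithmic_posix_id(rid):
    """Invert Samba's default algorithmic mapping: uid*2+base, gid*2+base+1.

    Even RIDs are users, odd RIDs are groups (Charlie's observation in the
    thread). Only meaningful for RIDs that were allocated this way.
    """
    if rid < ALGORITHMIC_RID_BASE:
        raise ValueError(f"RID {rid} is below the algorithmic base; not a mapped POSIX id")
    if rid % 2 == 0:
        return "user", (rid - ALGORITHMIC_RID_BASE) // 2
    return "group", (rid - ALGORITHMIC_RID_BASE - 1) // 2


def report(log_text, local_sid):
    """One line per SID whose domain part is not local_sid, with its likely POSIX id."""
    lines = []
    for domain, rids in foreign_rids(log_text, local_sid).items():
        for rid in rids:
            kind, posix_id = algorithmic_posix_id(rid)
            lines.append(f"{domain}-{rid}: foreign domain part; RID looks like {kind} {posix_id}")
    return lines


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    local = sys.argv[2] if len(sys.argv) > 2 else ASSUMED_LOCAL_SID
    print("\n".join(report(text, local)) or "all SIDs belong to " + local)
```

Run it as `python sid_domains.py /var/log/samba/log.smbd "$(net getlocalsid | awk '{print $NF}')"`. In the sample, RID 3003 maps back to gid 1001 and RID 61003 to gid 30001, which agrees with the `Entry found for group: 1001` and `Entry found for group: 30001` lines in the 2013 log, so the mapping is the algorithmic one and the mismatch is in the domain part, not the RIDs. With ldapsam the domain part that smbd trusts is the one in `sambaSID` of the `sambaDomain` entry and in `secrets.tdb`; every `sambaSID` and `sambaPrimaryGroupSID` under a different prefix will fail `lookup_global_sam_name` until either the server SID is set back to that prefix (`net setlocalsid`) or those attributes are rewritten.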

Re: [Samba] User invalid SID with home directory - Bueller?

2008-05-14 Thread Wes Modes
It does not. But then the SID of each user doesn't match those of each 
other either.  I've seen that asked before, but are you sure the 
machine's SID and every user SID should be the same?


W.

Charlie wrote:

If you do a net getlocalsid at your shell prompt on the samba server
that hosts the share, does the preamble of the SID returned match that
of the SID you see in your error messages?

I'm betting not...

--Charlie

On Tue, May 13, 2008 at 2:39 PM, Wes Modes [EMAIL PROTECTED] wrote:
  

So even though I see this popping up in tons of posts, no one has
encountered it and successfully solved the problem or can illuminate the
issue?

 Here's what I did not knowing what else to do:

  1. Deleted the account.  (smbldap-userdel)
  2. Recreated the account  (smbldap-useradd)
  3. Searched for any files owned by the old user, and chown'd them to
 the new user

 It is not an elegant solution, but it is the only one I have now.  So far I
haven't gotten any accounts that have had the problem reoccur.  But I'm
waiting to see.

 Wes


 Wes Modes wrote:



I'm having the problem in which users can access their group shares, but
not their home shares.  These two shares are defined thusly in smb.conf:


  [seref]
  comment = Science & Engineering Reference Section
  path = /data/group/seref
  valid users = @seref, @seref-read, @admin
  read list = @seref-read
  write list = @seref, @admin
  force group = seref
  create mask = 0664
  directory mask = 0770

  [home]
  comment = %u's Personal Share Directory
  path = /data/home/%U
  valid users = %U, @admin
  write list = %U, @admin
  create mask = 0600
  directory mask = 0700
  browseable = No


It seems that the %U variable, causes Samba to do a lookup_global_sam_name
  

which fails.


  [EMAIL PROTECTED] smbclient -Ujoeblow
  '\\edgar.library.ucsc.edu\home' 
 tree connect failed: NT_STATUS_ACCESS_DENIED


Here's the relevant section of the log:

  passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: joeblow
  passdb/pdb_ldap.c:init_group_from_ldap(2158)
  init_group_from_ldap: Entry found for group: 30023
  passdb/passdb.c:lookup_global_sam_name(596)
  User joeblow with invalid SID
  S-1-5-21-2642364908-3785178431-1037763545-61756 in passdb
  passdb/pdb_ldap.c:init_group_from_ldap(2158)
init_group_from_ldap: Entry found for group: 1001
  smbd/service.c:make_connection_snum(616)
  user 'joeblow' (from session setup) not permitted to access this
  share (home)


Please note that I am not using the ADS security model, nor do I care to
at the moment.  Here's the significant part of my smb.conf:

    ### Basic information for server
    workgroup = MCHSTAFF
    netbios name = EDGAR
    server string = Library Samba Server
    hosts allow = 169.233.
    hosts allow = 128.114.
    enable privileges = yes
    security = user
    encrypt passwords = yes
    preferred master = yes
    domain master = yes
    domain logons = yes
    local master = yes
    username map = /etc/samba/smbusers
    logon path =
    wins support = yes
    dns proxy = no

So why am I getting the failure "User joeblow with invalid SID"?

Wes

--

Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba






Re: [Samba] User invalid SID with home directory - Bueller?

2008-05-13 Thread Wes Modes
So even though I see this popping up in tons of posts, no one has 
encountered it and successfully solved the problem or can illuminate the 
issue?


Here's what I did, not knowing what else to do:

  1. Deleted the account.  (smbldap-userdel)
  2. Recreated the account  (smbldap-useradd)
  3. Searched for any files owned by the old user, and chown'd them to
     the new user

It is not an elegant solution, but it is the only one I have now.  So 
far I haven't gotten any accounts that have had the problem reoccur.  
But I'm waiting to see.


Wes


Wes Modes wrote:
I'm having the problem in which users can access their group shares,
but not their home shares.  These two shares are defined thusly in
smb.conf:

    [seref]
    comment = Science & Engineering Reference Section
    path = /data/group/seref
    valid users = @seref, @seref-read, @admin
    read list = @seref-read
    write list = @seref, @admin
    force group = seref
    create mask = 0664
    directory mask = 0770

    [home]
    comment = %u's Personal Share Directory
    path = /data/home/%U
    valid users = %U, @admin
    write list = %U, @admin
    create mask = 0600
    directory mask = 0700
    browseable = No

It seems that the %U variable causes Samba to do a
lookup_global_sam_name which fails.

    [EMAIL PROTECTED] smbclient -Ujoeblow '\\edgar.library.ucsc.edu\home'
    tree connect failed: NT_STATUS_ACCESS_DENIED


Here's the relevant section of the log:

    passdb/pdb_ldap.c:init_sam_from_ldap(545)
    init_sam_from_ldap: Entry found for user: joeblow
    passdb/pdb_ldap.c:init_group_from_ldap(2158)
    init_group_from_ldap: Entry found for group: 30023
    passdb/passdb.c:lookup_global_sam_name(596)
    User joeblow with invalid SID
    S-1-5-21-2642364908-3785178431-1037763545-61756 in passdb
    passdb/pdb_ldap.c:init_group_from_ldap(2158)
    init_group_from_ldap: Entry found for group: 1001
    smbd/service.c:make_connection_snum(616)
    user 'joeblow' (from session setup) not permitted to access this
    share (home)


Please note that I am not using the ADS security model, nor do I care
to at the moment.  Here's the significant part of my smb.conf:

    ### Basic information for server
    workgroup = MCHSTAFF
    netbios name = EDGAR
    server string = Library Samba Server
    hosts allow = 169.233.
    hosts allow = 128.114.
    enable privileges = yes
    security = user
    encrypt passwords = yes
    preferred master = yes
    domain master = yes
    domain logons = yes
    local master = yes
    username map = /etc/samba/smbusers
    logon path =
    wins support = yes
    dns proxy = no

So why am I getting the failure "User joeblow with invalid SID"?

Wes






Re: [Samba] Users SID problem

2008-05-12 Thread Wes Modes
Don't these tests make some presumptions?  For instance, Shacky didn't 
say that he was attempting to join an active directory domain.  In fact, 
he has security=User, security=ADS.


I'd like to understand the problem he is having, because I am having the 
same one.  However, I don't want to be distracted if ADS is a red herring.


Wes

Linux Addict wrote:

It's okay not to have the domain's SID. This is not the reason you are not
able to login.

What is the output of

1. wbinfo -t
2. wbinfo -g
3. testparm
4. net ads info
5. kinit AD username




On Tue, May 6, 2008 at 3:41 AM, shacky [EMAIL PROTECTED] wrote:

Hi.

I realized that I have a problem with the users' SIDs.
They are different from the SID of the domain.
Let's see the output of these commands:

server:/home/utenti/user# net getlocalsid
SID for domain SERVER is: S-1-5-21-1375271547-2371556575-3111006354

server:/home/utenti/user# pdbedit -Lv test
Unix username:test
NT username:
Account Flags:[U  ]
User SID: S-1-5-21-73733321-1646160496-1160744844-3004
Primary Group SID:S-1-5-21-73733321-1646160496-1160744844-513
Full Name:Test
Home Directory:
HomeDir Drive:
Logon Script: test.bat
Profile Path:
Domain:   MYDOMAIN
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  9223372036854775807 seconds since the Epoch
Kickoff time: 9223372036854775807 seconds since the Epoch
Password last set:lun, 05 mag 2008 10:44:20 CEST
Password can change:  lun, 05 mag 2008 10:44:20 CEST
Password must change: 9223372036854775807 seconds since the Epoch
Last bad password   : 0
Bad password count  : 0
Logon hours : FF

Please note that the User SID and the Primary Group SID don't contain
the SID of the domain; they are completely different.
It is the same for all users.
Is it normal or is it a problem?
I cannot logon to the domain from the Windows clients.
How can I solve this problem, and how can I make the change definitive
for all new users too?

Thank you very much!
Ciao.




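Charlie's suggestion earlier in this thread (compare the preamble of the SID from net getlocalsid with the SID in the error message) and shacky's pdbedit output above come down to one check: does every account SID in the passdb sit under the machine's domain SID? The script below is an added example written for this page, not code from the list or from Samba. It parses captured text of the two commands; the sample strings are constructed from the values quoted in the thread, and one pdbedit line is written in the collapsed "label:value" form the archive shows so the parser copes with both layouts.

```python
"""Added example: flag passdb accounts whose SID is not under the local
domain SID reported by `net getlocalsid`.  Not code from the thread or from
Samba; parses the text output of `net getlocalsid` and `pdbedit -Lv`.
"""
import re

# Constructed sample of `net getlocalsid` output, using the value quoted on the list.
SAMPLE_LOCALSID = "SID for domain SERVER is: S-1-5-21-1375271547-2371556575-3111006354\n"

# Constructed sample of the relevant `pdbedit -Lv` lines for two accounts:
# 'test' as quoted on the list (collapsed spacing as in the archive) and a
# second, made-up account whose SIDs are under the local domain SID.
SAMPLE_PDBEDIT = """\
Unix username:test
User SID: S-1-5-21-73733321-1646160496-1160744844-3004
Primary Group SID:S-1-5-21-73733321-1646160496-1160744844-513
Unix username:        admin
User SID:             S-1-5-21-1375271547-2371556575-3111006354-1000
Primary Group SID:    S-1-5-21-1375271547-2371556575-3111006354-513
"""

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def domain_sid(getlocalsid_output: str) -> str:
    """Extract the machine/domain SID from `net getlocalsid` output."""
    m = SID_RE.search(getlocalsid_output)
    if not m:
        raise ValueError("no SID found in net getlocalsid output")
    return m.group(0)


def sid_domain_part(sid: str) -> str:
    """Strip the trailing RID, leaving the domain part of an account SID."""
    return sid.rsplit("-", 1)[0]


def account_sids(pdbedit_output: str):
    """Yield (unix username, field name, sid) for each SID line of `pdbedit -Lv`."""
    user = None
    for line in pdbedit_output.splitlines():
        if line.startswith("Unix username:"):
            user = line.split(":", 1)[1].strip()
        elif line.startswith(("User SID:", "Primary Group SID:")):
            field, value = line.split(":", 1)
            m = SID_RE.search(value)
            if m:
                yield user, field.strip(), m.group(0)


def find_foreign_sids(getlocalsid_output: str, pdbedit_output: str):
    """Return [(user, field, sid)] for SIDs whose domain part differs from the local SID.

    Well-known SIDs (S-1-5-32-* BUILTIN, S-1-1-0 Everyone, ...) are not domain
    SIDs, so they are skipped rather than reported as mismatches.
    """
    local = domain_sid(getlocalsid_output)
    mismatches = []
    for user, field, sid in account_sids(pdbedit_output):
        if not sid.startswith("S-1-5-21-"):
            continue  # not a domain SID
        if sid_domain_part(sid) != local:
            mismatches.append((user, field, sid))
    return mismatches


if __name__ == "__main__":
    for user, field, sid in find_foreign_sids(SAMPLE_LOCALSID, SAMPLE_PDBEDIT):
        print(f"{user}: {field} {sid} is not under the local domain SID")
```

On a live server, feed it the real output of the two commands; every account it reports is one whose SID was minted under a different sambaDomain entry or a different machine SID than the one smbd now uses, which is the condition behind the "invalid SID" lookup failure discussed in these threads.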


[Samba] User SID problem with home directory

2008-05-12 Thread Wes Modes
I'm having the problem in which users can access their group shares, but
not their home shares.  These two shares are defined thusly in smb.conf:

    [seref]
    comment = Science & Engineering Reference Section
    path = /data/group/seref
    valid users = @seref, @seref-read, @admin
    read list = @seref-read
    write list = @seref, @admin
    force group = seref
    create mask = 0664
    directory mask = 0770

    [home]
    comment = %u's Personal Share Directory
    path = /data/home/%U
    valid users = %U, @admin
    write list = %U, @admin
    create mask = 0600
    directory mask = 0700
    browseable = No

It seems that the %U variable causes Samba to do a
lookup_global_sam_name which fails.

    [EMAIL PROTECTED] smbclient -Ujoeblow '\\edgar.library.ucsc.edu\home'
    tree connect failed: NT_STATUS_ACCESS_DENIED


Here's the relevant section of the log:

    passdb/pdb_ldap.c:init_sam_from_ldap(545)
    init_sam_from_ldap: Entry found for user: joeblow
    passdb/pdb_ldap.c:init_group_from_ldap(2158)
    init_group_from_ldap: Entry found for group: 30023
    passdb/passdb.c:lookup_global_sam_name(596)
    User joeblow with invalid SID
    S-1-5-21-2642364908-3785178431-1037763545-61756 in passdb
    passdb/pdb_ldap.c:init_group_from_ldap(2158)
    init_group_from_ldap: Entry found for group: 1001
    smbd/service.c:make_connection_snum(616)
    user 'joeblow' (from session setup) not permitted to access this
    share (home)


Please note that I am not using the ADS security model, nor do I care to
at the moment.  Here's the significant part of my smb.conf:

    ### Basic information for server
    workgroup = MCHSTAFF
    netbios name = EDGAR
    server string = Library Samba Server
    hosts allow = 169.233.
    hosts allow = 128.114.
    enable privileges = yes
    security = user
    encrypt passwords = yes
    preferred master = yes
    domain master = yes
    domain logons = yes
    local master = yes
    username map = /etc/samba/smbusers
    logon path =
    wins support = yes
    dns proxy = no

So why am I getting the failure "User joeblow with invalid SID"?

Wes




Re: [Samba] User SID problem with home directory

2008-05-12 Thread Wes Modes
You are correct that I should have had wins support set to no rather
than yes.  Here's how the smb.conf man page describes that option:

    This boolean controls if the nmbd(8)
    http://us3.samba.org/samba/docs/man/manpages-3/nmbd.8.html process
    in Samba will act as a WINS server. You should not set this to yes
    unless you have a multi-subnetted network and you wish a particular
    nmbd to be your WINS server. Note that you should NEVER set this
    to yes on more than one machine in your network.

HOWEVER, setting it to No did not fix this problem:

    User joeblow with invalid SID
    user 'joeblow' (from session setup) not permitted to access this share
    (home)


Wes


Helmut Hullen wrote:

Hello, Wes,

You (wmodes) wrote on 12.05.08:

It seems that the %U variable causes Samba to do a
lookup_global_sam_name which fails.

    [EMAIL PROTECTED] smbclient -Ujoeblow '\\edgar.library.ucsc.edu\home'
    tree connect failed: NT_STATUS_ACCESS_DENIED



I've seen this message when winbindd is running - my samba server (now
3.0.28a) doesn't need winbindd. It's the one and only server.

Best regards!
Helmut




Re: [Samba] problem with [homes] share for users with unix logins

2008-04-21 Thread Wes Modes

Thanks for the suggestions.

I wanted unix users (exclusively sysadmins and developers) to still get 
their normal unix login directories.  On the other hand, since this is a 
file server, any connection via samba, should connect people to their 
samba file directories. 

It looks like your suggestion is ldapsam:trusted = yes in smb.conf.
Here's a good explanation from the Samba docs:

    By default, Samba as a Domain Controller with an LDAP backend needs
    to use the Unix-style NSS subsystem to access user and group
    information. Due to the way Unix stores user information in
    /etc/passwd and /etc/group this inevitably leads to inefficiencies.
    One important question a user needs to know is the list of groups he
    is member of. The plain UNIX model involves a complete enumeration
    of the file /etc/group and its NSS counterparts in LDAP. UNIX has
    optimized functions to enumerate group membership. Sadly, other
    functions that are used to deal with user and group attributes lack
    such optimization.

    To make Samba scale well in large environments, the ldapsam:trusted
    = yes option assumes that the complete user and group database that
    is relevant to Samba is stored in LDAP with the standard
    posixAccount/posixGroup attributes. It further assumes that the
    Samba auxiliary object classes are stored together with the POSIX
    data in the same LDAP object. If these assumptions are met,
    ldapsam:trusted = yes can be activated and Samba can bypass the NSS
    system to query user group memberships. Optimized LDAP queries can
    greatly speed up domain logon and administration tasks. Depending on
    the size of the LDAP database a factor of 100 or more for common
    queries is easily achieved.

Wes


Gémes Géza wrote:

From my memory:

Unless you use ldapsam trusted = yes parameter samba does an nss lookup
to find out the details of the user, so you either
1. remove local users
2. synchronize them to ldap
3. configure /etc/nsswitch.conf to look in ldap first then in files
4. tell samba to trust the ldap database for nss information with the
parameter mentioned above.

Regards

Geza

I have the [homes] section set up in my smb.conf so that
\\server.name\user connects to the user's home directory.  Since I am
using OpenLDAP as a backend via smbldap-tools, for most users the home
directory comes from the homeDirectory variable in OpenLDAP.

However, when I have a user who also has a login on the samba machine,
that is, an entry in /etc/passwd, Samba seems to ignore the value of
homeDirectory and use the entry in /etc/passwd instead.

Here is the section from smb.conf

    [homes]
    comment = %u's Personal Share Directory
    browseable = no
    valid users = %S @admin
    write list = %S @admin
    create mask = 0600
    directory mask = 0700

I even tried adding the line

    path = /data/home/%S

to the [homes] section, but it seems to be ignored.

Any suggestions how I can make Samba prefer the value in HomeDirectory
over /etc/passwd?

Wes




[Samba] problem with [homes] share for users with unix logins

2008-04-18 Thread Wes Modes
I have the [homes] section set up in my smb.conf so that 
\\server.name\user connects to the user's home directory.  Since I am 
using OpenLDAP as a backend via smbldap-tools, for most users the home 
directory comes from the homeDirectory variable in OpenLDAP.


However, when I have a user who also has a login on the samba machine, 
that is, an entry in /etc/passwd, Samba seems to ignore the value of 
homeDirectory and use the entry in /etc/passwd instead.


Here is the section from smb.conf

    [homes]
    comment = %u's Personal Share Directory
    browseable = no
    valid users = %S @admin
    write list = %S @admin
    create mask = 0600
    directory mask = 0700

I even tried adding the line

    path = /data/home/%S

to the [homes] section, but it seems to be ignored.

Any suggestions how I can make Samba prefer the value in HomeDirectory 
over /etc/passwd?


Wes



[Samba] Questions about Active Directory Password Cache overlay

2008-04-07 Thread Wes Modes
Thanks to Buchan Milne, I'm looking into the Active Directory Password 
Cache overlay for OpenLDAP, which seems to offer more or less what I'm 
trying to do.  Is anyone here experienced with it?  Is this the right 
place to ask or is there an openLDAP overlays list?


I understand this description of ADPC:

    Active Directory Password Cache
    ===============================

    Active Directory does not provide any means to read user credentials on any
    public API. It is possible to install additional libraries as password
    sniffers to catch and forward cleartext passwords on changes. In case you
    cannot or simply don't want to install such libraries, the Active Directory
    Password Cache overlay is your option.

    The Active Directory Password Cache overlay allows to mirror user account
    credentials without any modification on the AD server. It only takes one
    occasional simple bind authentication against the OpenLDAP server.

    If the credential has not been mirrored yet, the overlay uses the
    krbPrincipalName and the password provided by the user to perform a
    Kerberos init against the Active Directory. A successful Kerberos init
    guarantees a correct password for this principal, and therefore the bind
    finally succeeds.

    Within this overlay operation, the password gets encrypted with the default
    OpenLDAP hash algorithm and stored as userPassword attribute. There is an
    option to update the sambaNTPassword also (using code borrowed from Howard
    Chu's smbk5pwd overlay). All following simple bind authentications will
    first try these cached credentials, making the OpenLDAP server independent
    from AD.

    In case the user changes its password on the Active Directory server, the
    old password stays valid in OpenLDAP until the user first presents the new
    password for a simple bind. Within this bind operation, the overlay
    performs another Kerberos init and updates the cached credentials in
    OpenLDAP.

It is clear to me that after a password change, that a failure to 
authenticate initiates a new auth attempt against the KDC, and if it 
succeeds, ADPC caches the passwd as a hash in OpenLDAP.  But if Samba 
fails to authenticate against the hash stored in sambaNTPassword, is a 
new authentication attempt made against the KDC?  And if it does, where 
does it get the passwd to hash (since Samba never gets the passwd in 
NTLM authentication)?


Practically speaking, it seems that the password that the overlay hashes 
has to come from a source other than Samba.  A web app?  How have people 
used it in the past? 


W.



[Samba] Samba authentication to Kerberos via OpenLDAP, third and last try

2008-04-03 Thread Wes Modes
So far answers I've received on this list have been inconsistent at best
and downright inaccurate at worst.  I'm going to try one more time and
see if, at the very least, someone can give me a lead.  I ask you to
consider what I'm asking remotely possible, and then seek a solution.
(Particularly before one blasts off an ill-thought-out message that says
simply, "Can't be done," simply because you've never done it or haven't
heard of it being done.)  So consider this a challenge or a riddle.

  1. I have an OpenLDAP directory server that I am using for user and
     group information.  I would like to use it also to authenticate
     against.  This way, whatever I hook up to it (Samba, webstuff, PHP
     apps, CMS) can both authenticate and authorize from one source.
  2. There is a separate Kerberos server that has users' campus-wide
     passwords.  I have access to it, but do not control it.
  3. I have a separate linux file server running Samba.  PCs and Macs
     will connect to it.

I know I can do Kerberos authentication directly from Samba, but I'd
prefer OpenLDAP do the Kerberos connection.  Here's why:  a) I can solve
the problem once, rather than have to work out BOTH LDAP and Kerberos
connections for every new authenticated service I add, and b) LDAP hooks
are more common than Kerberos hooks for other services for which I will
eventually want authentication and authorization.  And yes, I know it
breaks the Kerberos model.


The question and the challenge:  Any leads on how I might convince Samba 
to pass the input password on to OpenLDAP so that OpenLDAP can 
authenticate it against Kerberos?


Wes



Re: [Samba] Samba authentication to Kerberos via OpenLDAP, third and last try

2008-04-03 Thread Wes Modes



Volker Lendecke wrote:

On Thu, Apr 03, 2008 at 01:34:30PM -0700, Wes Modes wrote:
The question and the challenge:  Any leads on how I might convince Samba 
to pass the input password on to OpenLDAP so that OpenLDAP can 
authenticate it against Kerberos?



The only chance is that you modify each client's registry to
send plain text passwords to the server over the network,
downgrading your security to what telnet provided ages ago.
You can guess that this is ABSOLUTELY NOT recommended. If
you go with standard Windows authentication schemes, the
SMB server never sees the user's plain text password which
would be required to authenticate against Kerberos.

Volker
Yeah, I'm not so keen on sending plaintext passwords anywhere. 

It is already moderately-well documented how to connect Samba up to use 
Kerberos authentication.  And my guess is that the Kerberos model would 
not allow passwords to be sent plaintext.  More likely an encrypted hash 
gets passed?  I don't know the precise mechanism, but would like to.


But beyond that, how could one use Samba to pass that encrypted password 
to LDAP to pass on to Kerberos to authenticate?


W.

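Volker's answer above, and Wes's earlier question in the ADPC thread about where Samba would get a password to hash, both rest on one property of NTLM: the server verifies a challenge/response using only the stored NT hash (the sambaNTPassword attribute) and never receives the cleartext. The script below is an added example written for this page, not code from the list, from Samba or from the ADPC overlay. It implements MD4 inline (hashlib's md4 is frequently disabled under OpenSSL 3), derives the NT hash as MD4 over the UTF-16LE password, and runs an NTLMv2-style exchange between a client function that holds the cleartext and a server function that holds only the hash; the client "blob" is a constructed placeholder rather than the full NTLMv2 client-challenge structure, and the user, domain and password are made-up values.

```python
"""Added example (not from the list posts, Samba or the ADPC overlay): why an
SMB server doing NTLM challenge/response only ever needs the stored NT hash
(sambaNTPassword) and never sees the cleartext password, so it has nothing
it could pass on to OpenLDAP or a Kerberos KDC.
"""
import hashlib
import hmac
import os
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (constants and message schedule per the RFC)."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def hh(x, y, z):
        return x ^ y ^ z

    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (hh, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[idx] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate the working variables
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is what sambaNTPassword holds."""
    return md4(password.encode("utf-16le"))


def ntlmv2_response(nt: bytes, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTLMv2: key = HMAC-MD5(NT hash, UPPER(user)+domain); proof = HMAC-MD5(key, challenge+blob)."""
    key = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    proof = hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()
    return proof + client_blob


def client_authenticate(password: str, user: str, domain: str, server_challenge: bytes) -> bytes:
    """Client side: the only place the cleartext exists; it is hashed locally, never sent."""
    client_blob = os.urandom(24)  # constructed stand-in for the NTLMv2 client blob
    return ntlmv2_response(nt_hash(password), user, domain, server_challenge, client_blob)


def server_verify(stored_nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """Server side: recomputes the proof from the stored hash alone and compares."""
    proof, client_blob = response[:16], response[16:]
    expected = ntlmv2_response(stored_nt_hash, user, domain, server_challenge, client_blob)
    return hmac.compare_digest(expected[:16], proof)


def demo():
    """Return (accepted with the right stored hash, accepted with a wrong stored hash)."""
    user, domain, password = "joeblow", "MCHSTAFF", "correct horse battery"  # made-up values
    stored = nt_hash(password)   # what would sit in sambaNTPassword
    challenge = os.urandom(8)    # fresh server challenge for this session
    response = client_authenticate(password, user, domain, challenge)
    ok = server_verify(stored, user, domain, challenge, response)
    bad = server_verify(nt_hash("something else"), user, domain, challenge, response)
    return ok, bad


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("verify with stored hash / wrong hash:", demo())
```

Two things follow for the setup discussed in these threads. First, server_verify never has the cleartext, so the only ways the LDAP side can ever see a password are the ones the thread names: the client sending it in the clear, or a password-change path (the ADPC text above describes the overlay refreshing its cache during a simple bind, which does carry the cleartext). Second, because the stored hash is all the server needs, the hash is password-equivalent for NTLM; the sambaNTPassword attribute in OpenLDAP deserves the same access-control treatment as a cleartext password.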


[Samba] Kerberos authentication for non-windows KDCs

2008-03-11 Thread Wes Modes
I was told recently that Kerberos authentication won't work against a 
non-windows KDC.  Is that accurate?  So for instance, it is not possible 
for Samba running on say RHEL, to authenticate against a Linux server 
running MIT Kerberos?


Additionally, many people said that setting this up was
well-documented.  Any suggestions of particularly good docs / how-to's?


And lastly, is there anyone here currently who's set up both Kerberos 
authentication AND an OpenLDAP user/group data repository for their 
Samba server?


W.



Re: [Samba] Kerberos authentication for non-windows KDCs

2008-03-11 Thread Wes Modes
This is what I'd heard. 

Jeremy or others,  you don't have any docs or howtos that point to 
setting this up do you?


W.

Jeremy Allison wrote:

On Tue, Mar 11, 2008 at 02:07:47PM -0400, Sean Elble wrote:

On 3/11/08 1:46 PM, Wes Modes [EMAIL PROTECTED] wrote:



I was told recently that Kerberos authentication won't work against a
non-windows KDC.  Is that accurate?  So for instance, it is not possible
for Samba running on say RHEL, to authenticate against a Linux server
running MIT Kerberos?

In general, it is not possible for *Samba* to authenticate against a MIT
Kerberos server. Technically, it's not possible, period, with Samba 3. With
Samba 4, I am less sure, but I would assume you are trying to work with
Samba 3.



That's just not true. Many people are successfully using Samba3 to authenticate
with tokens from MIT or Heimdal kerberos servers.

The problem is getting the Windows clients to *get* these tickets, not in
Samba interpreting them.

Check out the use kerberos keytab option in smb.conf for a common use
of this.

Please don't spread erroneous info on the list.

Thanks,

Jeremy.




[Samba] Samba to Kerberos via OpenLDAP

2008-03-07 Thread Wes Modes
First, I'll just say this is a question principally about the arcane 
mysteries of Samba to OpenLDAP authentication. 

I've had Samba to OpenLDAP authentication running for a while now using 
the samba.schema and the ldapsam module.  Now I'd like to understand a 
bit more about how that works in order to take it a step further and get 
openLDAP to bind against a Kerberos database via SASL.


An aside: yes, I'd heard that Samba can be configured to authenticate
against Kerberos directly, but for my own reasons, I'd prefer that Samba
talk only to OpenLDAP, and OpenLDAP can do the authentication.  I'll
fall back on the Samba to Kerberos direct route if I can't find a way to
do what I want.


I've noted that the Samba schema and smbldap-tools add to the user 
record two Samba specific password fields,  sambaNTPassword and 
sambaLMPassword. 

If I have the ldapsam module specified as the passdb backend in 
smb.conf, is OpenLDAP merely storing the samba passwords while Samba 
does the password comparisons?  Or does OpenLDAP do the authentication 
and return a yes or no?


Is it possible to have Samba defer authentication to OpenLDAP?  If so, I 
can have OpenLDAP use the {SASL} method to do authentication via kerberos.


Wes


