Samba with remote LDAP authentication doesn`t see users properly
Posted
by
LucasBr
on Server Fault
See other posts from Server Fault
or by LucasBr
Published on 2012-10-19T11:50:33Z
Indexed on
2012/10/23
11:04 UTC
Read the original article
Hit count: 383
I'm trying to setup a samba server authenticated by a remote LDAP server, and I'm having some problems that I can't figure how to solve.
I was able to make an getent passwd
at samba server and I could see all users at ldapserver
, but when I tried to access \\SAMBASERVER
at my windows box I had this at the /var/log/samba/log.mywindowsbox
:
<...snip...>
[2012/10/19 13:05:22.449684, 2] smbd/sesssetup.c:1413(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/10/19 13:05:22.449692, 3] smbd/sesssetup.c:1212(reply_sesssetup_and_X_spnego)
Doing spnego session setup
[2012/10/19 13:05:22.449701, 3] smbd/sesssetup.c:1254(reply_sesssetup_and_X_spnego)
NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/10/19 13:05:22.449717, 3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
Got user=[lucas] domain=[BUSINESS] workstation=[MYWINDOWSBOX] len1=24 len2=24
[2012/10/19 13:05:22.449747, 3] auth/auth.c:216(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [BUSINESS]\[lucas]@[MYWINDOWSBOX] with the new password interface
[2012/10/19 13:05:22.449759, 3] auth/auth.c:219(check_ntlm_password)
check_ntlm_password: mapped user is: [SAMBASERVER]\[lucas]@[MYWINDOWSBOX]
[2012/10/19 13:05:22.449773, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2012/10/19 13:05:22.449783, 3] smbd/uid.c:429(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2012/10/19 13:05:22.449791, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2012/10/19 13:05:22.449922, 2] lib/smbldap.c:950(smbldap_open_connection)
smbldap_open_connection: connection opened
[2012/10/19 13:05:23.001517, 3] lib/smbldap.c:1166(smbldap_connect_system)
ldap_connect_system: successful connection to the LDAP server
[2012/10/19 13:05:23.007713, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/10/19 13:05:23.007733, 3] auth/auth_sam.c:399(check_sam_security)
check_sam_security: Couldn't find user 'lucas' in passdb.
[2012/10/19 13:05:23.007743, 2] auth/auth.c:314(check_ntlm_password)
check_ntlm_password: Authentication for user [lucas] -> [lucas] FAILED with error NT_STATUS_NO_SUCH_USER
[2012/10/19 13:05:23.007760, 3] smbd/error.c:80(error_packet_set)
error packet at smbd/sesssetup.c(111) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/10/19 13:05:23.010469, 3] smbd/process.c:1489(process_smb)
Transaction 3 of length 142 (0 toread)
<...snip...>
/etc/samba/smb.conf
file follows:
[global]
dos charset = 850
unix charset = LOCALE
workgroup = BUSINESS
netbios name = SAMBASERVER
bind interfaces only = true
interfaces = lo eth0 eth1
smb ports = 139
hosts deny = All
hosts allow = 192.168.78. 192.168.255. 127.0.0.1 10.149.122. 192.168.0.
name resolve order = wins bcast hosts
log level = 3
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
domain logons = No
wins support = Yes
wins proxy = No
client ntlmv2 auth = Yes
lanman auth = Yes
ntlm auth = Yes
dns proxy = Yes
time server = Yes
security = user
encrypt passwords = Yes
obey pam restrictions = Yes
ldap password sync = Yes
unix password sync = Yes
passdb backend = ldapsam:"ldap://192.168.78.206"
ldap ssl = off
ldap admin dn = uid=root,ou=Users,dc=business,dc=intranet
ldap suffix =
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap delete dn = Yes
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -W -t5 "%u"
idmap backend = ldap:"ldap://192.168.78.206"
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
load printers = No
printcap name = /dev/null
map acl inherit = Yes
map untrusted to domain = Yes
enable privileges = Yes
veto files = /lost+found/ /publicftp/
So, \\SAMBASERVER
says he couldn't find my user, but I can see it by getent passwd
. What I can do in order to SAMBASERVER
see and authenticate my user?
Thanks in advance!
© Server Fault or respective owner