
Re: Anyone familiar with using samba as PDC with LDAP ?



I have no idea why the clients try to authenticate as "nobody" (and I do not
think there is a setting for that in smb.conf); it does not make sense to me.

Oded

--
Geoffrey : "I have a feeling this is going to be the beginning of a
beautiful hatred."
 -- from "The Two Mrs. Carrolls"


----- Original Message -----
From: "guy keren" <choo@actcom.co.il>
To: "Oded Arbel" <oded@geek.co.il>
Cc: "Linux-IL Mailing list" <linux-il@cs.huji.ac.il>
Sent: Tuesday, November 06, 2001 2:50 AM
Subject: Re: Anyone familiar with using samba as PDC with LDAP ?


>
> out of this mess, let me ask a naive question - why do the clients try to
> authenticate as user 'nobody' ? of course the passwords they supply are
> invalid for this user - unless you set up some password for 'nobody'
> (naah, i don't think you'd do such a thing).
>
> did you perhaps somehow tell samba to treat these users as user 'nobody',
> when accessing the server (i recall there's such an option in samba's
> configuration) ?
>
> guy
>
> On Tue, 6 Nov 2001, Oded Arbel wrote:
>
> > Date: Tue, 6 Nov 2001 02:33:13 +0200
> > From: Oded Arbel <oded@geek.co.il>
> > Cc: Linux-IL Mailing list <linux-il@cs.huji.ac.il>
> > Subject: Re: Anyone familiar with using samba as PDC with LDAP ?
> >
> > Ok, here goes nothing - like I said : I don't know which questions to ask,
> > so I'll just describe generally what I've done and what isn't working :
> >
> > I installed slapd 2.0.4 and samba 2.2.2 (with patches as described next),
> > and then configured both as described in the PDC-LDAP-HOWTO at UNAV :
> > http://www.unav.es/cti/ldap-smb-howto.html I went by the 2_2 HOW-TO, but it's
> > a bit mixed up, so I had to grab the schema from the TNG HOWTO (and modify
> > it a bit) and the patches from the HEAD HOWTO (and apply them manually).
> > samba SRPM after patching (original was 2.2.2-1mdk from Mandrake cooker) is
> > available, if you wish.
> > My LDAP db looks something like this :
> > top -+- People
> >    |   +-some users (as per HOWTO)
> >    |
> >    +- Computers
> >    |    +-some computers (as per HOWTO)
> >    +- Groups
> >         +-group 'users'
> >
> > all users are of objectClass posixAccount and sambaAccount (and something
> > else which I call outlookAccount and contains attributes that outlook and
> > outlook express can import into their address book). all computers are of
> > objectClass posixAccount.
> > nsswitch.conf is set to auth through ldap first and it works great using any
> > kind of login (except samba).
> >
> > Clients are Windows XP and Windows 98se. I can't get nothing from the 98se.
> > with XP I can "join the domain" as user 'DOMAIN\username' and computer
> > 'computername', but when I reboot and try to log in it fails every time.
> > both XP and 98 can't see shares on the PDC.
> > possibly this could be because the clients and the PDC aren't on the same
> > subnet ? the clients are on a DHCP managed subnet at 192.168.1.0/24, while
> > the PDC is on a static subnet at 192.168.0.0/24. the gateway between both
> > nets is a WINS server set to be the domain browser and local master.
> >
> > I've set the debug level on samba as 10, and here's a snippet from the
> > samba's "computer log" while I tried to log in to the domain from the XP
> > station (the log is huge - all for one login - and most of it is kind of
> > repetitive, so I took just the lines that I thought might be interesting):
> > -----------------------
> > [2001/11/05 16:17:37, 3] smbd/reply.c:reply_sesssetup_and_X(855)
> > Domain=[]  NativeOS=[Windows 2002 2600] NativeLanMan=[Windows 2002 5.1]
> > [2001/11/05 16:17:37, 3] smbd/reply.c:reply_sesssetup_and_X(866)
> > sesssetupX:name=[]
> > [2001/11/05 16:17:37, 10] smbd/password.c:register_vuid(270)
> > register_vuid: (99,99) nobody nobody  guest=1
> > [2001/11/05 16:17:37, 3] smbd/sec_ctx.c:get_current_groups(167)
> > get_current_groups: uid 0 is in 1 groups: 99
> > [2001/11/05 16:17:37, 10] smbd/uid.c:uid_to_sid(388)
> > uid_to_sid: winbind lookup for uid 99 failed - trying local.
> > [2001/11/05 16:17:37, 10] smbd/uid.c:gid_to_sid(410)
> > gid_to_sid: winbind lookup for gid 99 failed - trying local.
> > [2001/11/05 16:17:37, 5] smbd/password.c:create_nt_token(236)
> > user token sid S-1-5-21-4248879381-248715484-209387121-1198
> > [2001/11/05 16:17:37, 3] smbd/password.c:register_vuid(307)
> > uid 99 registered to name nobody
> > [2001/11/05 16:17:37, 3] smbd/password.c:register_vuid(309)
> > Clearing default real name
> > [2001/11/05 16:17:37, 3] smbd/password.c:register_vuid(311)
> > User name: nobody     Real name: nobody
> > [2001/11/05 16:17:37, 10] lib/username.c:user_in_list(407)
> > user_in_list: checking user nobody in list
> > [2001/11/05 16:17:37, 2] passdb/pdb_ldap.c:ldap_open_connection(130)
> > ldap_open_connection: connection opened
> > [2001/11/05 16:17:37, 2] passdb/pdb_ldap.c:ldap_connect_system(160)
> > ldap_connect_system: succesful connection to the LDAP server
> > [2001/11/05 16:17:37, 2] passdb/pdb_ldap.c:ldap_search_one_user(172)
> > ldap_search_one_user: searching
> > for:[(&(uid=nobody)(objectclass=sambaAccount))]
> > [2001/11/05 16:17:37, 2] passdb/pdb_ldap.c:get_single_attribute(257)
> > get_single_attribute: [uid] = [nobody]
> > [2001/11/05 16:17:37, 2] passdb/pdb_ldap.c:init_sam_from_ldap(375)
> > Entry found for user: nobody
> > [2001/11/05 16:17:37, 4] smbd/password.c:smb_password_ok(448)
> > smb_password_ok: Checking SMB password for user nobody
> > [2001/11/05 16:17:37, 5] smbd/password.c:smb_password_ok(462)
> > smb_password_ok: challenge received
> > [2001/11/05 16:17:37, 4] smbd/password.c:smb_password_ok(472)
> > smb_password_ok: Checking NT MD4 password
> > [2001/11/05 16:17:37, 4] smbd/password.c:smb_password_ok(477)
> > smb_password_ok: NT MD4 password check failed
> > [2001/11/05 16:17:37, 4] smbd/password.c:smb_password_ok(492)
> > smb_password_ok: Checking LM password
> > [2001/11/05 16:17:37, 4] smbd/password.c:smb_password_ok(497)
> > smb_password_ok: LM password check failed
> > [2001/11/05 16:17:37, 2] smbd/password.c:pass_check_smb(576)
> > pass_check_smb failed - invalid password for user [nobody]
> > <now does this a few more times - look in the LDAP searches later>
> > [2001/11/05 16:17:37, 5] smbd/uid.c:become_user(201)
> > become_user uid=(0,99) gid=(0,99)
> > [2001/11/05 16:17:37, 3] smbd/vfs.c:vfs_ChDir(658)
> > vfs_ChDir to /var/tmp
> > [2001/11/05 16:17:37, 3] smbd/service.c:make_connection(610)
> > <client computer name> (192.168.1.253) connect to service IPC$ as user
> > nobody (uid=99, gid=99) (pid 379)
> > [2001/11/05 16:17:38, 5] smbd/uid.c:become_user(201)
> > become_user uid=(0,99) gid=(0,99)
> > [2001/11/05 16:17:38, 4] smbd/nttrans.c:nt_open_pipe(544)
> > nt_open_pipe: Opening pipe \NETLOGON.
> > [2001/11/05 16:17:38, 3] smbd/nttrans.c:nt_open_pipe(561)
> > nt_open_pipe: Known pipe NETLOGON opening.
> > [2001/11/05 16:17:38, 4] rpc_server/srv_pipe_hnd.c:open_rpc_pipe_p(131)
> > Open pipe requested NETLOGON (pipes_open=0)
> > [2001/11/05 16:17:38, 2] passdb/pdb_ldap.c:ldap_search_one_user(172)
> > ldap_search_one_user: searching for:[(&(uid=<client computer
> > name>$)(objectclass=sambaAccount))]
> > [2001/11/05 16:17:38, 2] passdb/pdb_ldap.c:get_single_attribute(257)
> > get_single_attribute: [uid] = [<client computer name>$]
> > [2001/11/05 16:17:38, 2] passdb/pdb_ldap.c:init_sam_from_ldap(375)
> > Entry found for user: <client computer name>$
> > [2001/11/05 16:17:38, 2] passdb/pdb_ldap.c:get_single_attribute(261)
> > get_single_attribute: [sambaDomain] = [NULL]
> > <it then does loads of other stuff and then closes all connections and pipes
> > and exits>
> > -----------------
> >
> > the slapd log is much more interesting and contains searches with the
> > following filters (each a different search):
> >  (&(objectClass=posixAccount)(uid=\5Cnobody))
> > (&(objectClass=posixAccount)(uid=nobody))
> > (&(objectClass=posixGroup)(|(memberUid=nobody)(uniqueMember=cn=nobody,ou=people,<base dn I use>)))
> > (&(uid=nobody)(objectClass=sambaAccount))
> > (&(uid=nobody)(objectClass=sambaAccount))
> > (&(uid=nobody)(objectClass=sambaAccount))
> >
> > (&(objectClass=posixGroup)(|(memberUid=nobody)(uniqueMember=cn=nobody,ou=people,<base dn I use>)))
> > (&(uid=<client computer name>$)(objectClass=sambaAccount))
> > (&(objectClass=posixAccount)(uid=<client computer name>$))
> >
> > Like I said - the main thing I can tell about this is that it doesn't work. I
> > don't even know what I'm doing wrong and what I'm doing right - it's all such
> > a mess : configuring openldap, building the schema, building the database,
> > patching and compiling samba, configuring samba, configuring ntlogon,
> > configuring the windows clients - any one of those could have gone wrong -
> > possibly more than one. :-(
> >
> > Oded
> >
> > --
> > I remember hearing precisely analogous complaint from the Oral
> > Traditionalists
> > when the Book People were trying to get their toe in the door.
> >  -- Philomath
>
> --
> guy
>
> "For world domination - press 1,
>  or dial 0, and please hold, for the creator." -- nob o. dy
>
>
> =================================================================
> To unsubscribe, send mail to linux-il-request@linux.org.il with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail linux-il-request@linux.org.il
>
>
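The debug-level-10 log quoted above answers Guy's question in its own lines: the session setup carries an empty name (`sesssetupX:name=[]`), so smbd registers the vuid as the guest account (`register_vuid: ... nobody nobody guest=1`), and it is that guest session which then fails the NT and LM password checks and goes on to open the NETLOGON pipe. Pulling those facts out of a log this size by hand is painful, so here is a small parser that reconstructs the authentication sequence from smbd debug output. This is an added example written for this thread, not code from Samba or from either poster; the sample log is constructed from the lines quoted in the mail (with the placeholder host name XPBOX standing in for `<client computer name>`), and the `\5C` decoding relies only on RFC 4515, where `\XX` is a hex escape in an LDAP filter value.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the smbd debug lines quoted in the thread.
# Messages are indented under their "[date, level] file:func(line)" header;
# one message is deliberately wrapped across two lines, as in the mail.
SAMPLE_LOG = r"""
[2001/11/05 16:17:37, 3] smbd/reply.c:reply_sesssetup_and_X(855)
  Domain=[]  NativeOS=[Windows 2002 2600] NativeLanMan=[Windows 2002 5.1]
[2001/11/05 16:17:37, 3] smbd/reply.c:reply_sesssetup_and_X(866)
  sesssetupX:name=[]
[2001/11/05 16:17:37, 10] smbd/password.c:register_vuid(270)
  register_vuid: (99,99) nobody nobody  guest=1
[2001/11/05 16:17:37, 2] passdb/pdb_ldap.c:ldap_search_one_user(172)
  ldap_search_one_user: searching
  for:[(&(uid=nobody)(objectclass=sambaAccount))]
[2001/11/05 16:17:37, 4] smbd/password.c:smb_password_ok(477)
  smb_password_ok: NT MD4 password check failed
[2001/11/05 16:17:37, 4] smbd/password.c:smb_password_ok(497)
  smb_password_ok: LM password check failed
[2001/11/05 16:17:37, 2] smbd/password.c:pass_check_smb(576)
  pass_check_smb failed - invalid password for user [nobody]
[2001/11/05 16:17:38, 4] smbd/nttrans.c:nt_open_pipe(544)
  nt_open_pipe: Opening pipe \NETLOGON.
[2001/11/05 16:17:38, 2] passdb/pdb_ldap.c:ldap_search_one_user(172)
  ldap_search_one_user: searching for:[(&(uid=XPBOX$)(objectclass=sambaAccount))]
"""

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<file>[\w./]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)


@dataclass
class Event:
    ts: str
    level: int
    func: str   # the smbd function that logged the message
    msg: str


def parse_samba_log(text):
    """Pair each smbd header line with its message; wrapped message lines are re-joined."""
    events, pending = [], None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            pending = (m["ts"], int(m["level"]), m["func"])
            continue
        line = raw.strip()
        if not line:
            continue
        if pending is None:            # continuation of the previous message
            if events:
                events[-1].msg += " " + line
            continue
        events.append(Event(*pending, line))
        pending = None
    return events


def session_setup(events):
    """Name the client offered at session setup, and the account smbd actually registered."""
    info = {"requested_name": None, "mapped_account": None, "guest": None}
    for e in events:
        if e.func == "reply_sesssetup_and_X" and e.msg.startswith("sesssetupX:name=["):
            info["requested_name"] = e.msg[len("sesssetupX:name=["):-1]
        m = re.match(r"register_vuid: \(\d+,\d+\) (\S+) \S+\s+guest=(\d)", e.msg)
        if m:
            info["mapped_account"], info["guest"] = m.group(1), m.group(2) == "1"
    return info


def failed_password_users(events):
    """Accounts for which pass_check_smb rejected the supplied password."""
    return [m.group(1) for e in events
            if (m := re.match(r"pass_check_smb failed - invalid password for user \[(.*)\]", e.msg))]


def ldap_filters(events):
    """Every filter the LDAP passdb backend searched with, in order."""
    return [m.group(1) for e in events
            if (m := re.search(r"searching\s+for:\[(.*)\]$", e.msg))]


def guest_pipe_opens(events):
    """Named pipes opened while the current vuid is registered as guest."""
    guest, opened = False, []
    for e in events:
        if e.func == "register_vuid":
            guest = "guest=1" in e.msg
        m = re.match(r"nt_open_pipe: Opening pipe \\(\w+)\.", e.msg)
        if m and guest:
            opened.append(m.group(1))
    return opened


def unescape_ldap_value(value):
    """Decode RFC 4515 hex escapes (\\XX) in a filter assertion value, e.g. \\5C -> backslash."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def findings(events):
    """Human-readable summary of what the session did from an auth point of view."""
    out, s = [], session_setup(events)
    if s["guest"]:
        out.append(f"session setup with name {s['requested_name']!r} mapped to guest account {s['mapped_account']!r}")
    out += [f"password check failed for {u!r}" for u in failed_password_users(events)]
    out += [f"pipe {p} opened over a guest session" for p in guest_pipe_opens(events)]
    return out


if __name__ == "__main__":
    for line in findings(parse_samba_log(SAMPLE_LOG)):
        print(line)
```

Run against a real smbd log at `log level = 10`, the first finding is the one to look at: an empty session-setup name that gets mapped to the guest account means the client never presented the credentials you expected, so the password failures for `nobody` that follow are a symptom, not the cause. The `unescape_ldap_value` helper is there for the slapd side of the thread, where the filter `(uid=\5Cnobody)` decodes to a value beginning with a literal backslash.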

