Re: Anyone familiar with using samba as PDC with LDAP ?
- Subject: Re: Anyone familiar with using samba as PDC with LDAP ?
- From: "Oded Arbel" <oded(at-nospam)geek.co.il>
- Date: Tue, 6 Nov 2001 02:33:13 +0200
- Cc: "Linux-IL Mailing list" <linux-il(at-nospam)cs.huji.ac.il>
- References: <Pine.LNX.4.21.0111051713000.11615-100000@zivan.tcltek.co.il> <3BE6F1D5.D7885BF8@philipson.co.il>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
Ok, here goes nothing - like I said: I don't know which questions to ask,
so I'll just describe generally what I've done and what isn't working:
I installed slapd 2.0.4 and samba 2.2.2 (with patches as described next),
and then configured both as described in the PDC-LDAP-HOWTO at UNAV:
http://www.unav.es/cti/ldap-smb-howto.html I went by the 2_2 HOW-TO, but it's
a bit mixed up, so I had to grab the schema from the TNG HOWTO (and modify
it a bit) and the patches from the HEAD HOWTO (and apply them manually).
The samba SRPM after patching (original was 2.2.2-1mdk from Mandrake cooker) is
available, if you wish.
My LDAP db looks something like this:
top -+- People
     |  +- some users (as per HOWTO)
     |
     +- Computers
     |  +- some computers (as per HOWTO)
     |
     +- Groups
        +- group 'users'
All users are of objectClass posixAccount and sambaAccount (and something
else which I call outlookAccount and contains attributes that Outlook and
Outlook Express can import into their address book). All computers are of
objectClass posixAccount.
nsswitch.conf is set to auth through ldap first and it works great using any
kind of login (except samba).
Clients are Windows XP and Windows 98se. I can't get anything from the 98se.
With XP I can "join the domain" as user 'DOMAIN\username' and computer
'computername', but when I reboot and try to login it fails every time.
Both XP and 98 can't see shares on the PDC.
Possibly this could be because the clients and the PDC aren't on the same
subnet? The clients are on a DHCP managed subnet at 192.168.1.0/24, while
the PDC is on a static subnet at 192.168.0.0/24. The gateway between both
nets is a WINS server set to be the domain browser and local master.
I've set the debug level on samba as 10, and here's a snippet from the
samba "computer log" while I tried to login to the domain from the XP
station (the log is huge - all for one login - and most of it is kind of
repetitive, so I took just the lines that I thought might be interesting):
-----------------------
[2001/11/05 16:17:37, 3] smbd/reply.c:reply_sesssetup_and_X(855)
Domain=[] NativeOS=[Windows 2002 2600] NativeLanMan=[Windows 2002 5.1]
[2001/11/05 16:17:37, 3] smbd/reply.c:reply_sesssetup_and_X(866)
sesssetupX:name=[]
[2001/11/05 16:17:37, 10] smbd/password.c:register_vuid(270)
register_vuid: (99,99) nobody nobody guest=1
[2001/11/05 16:17:37, 3] smbd/sec_ctx.c:get_current_groups(167)
get_current_groups: uid 0 is in 1 groups: 99
[2001/11/05 16:17:37, 10] smbd/uid.c:uid_to_sid(388)
uid_to_sid: winbind lookup for uid 99 failed - trying local.
[2001/11/05 16:17:37, 10] smbd/uid.c:gid_to_sid(410)
gid_to_sid: winbind lookup for gid 99 failed - trying local.
[2001/11/05 16:17:37, 5] smbd/password.c:create_nt_token(236)
user token sid S-1-5-21-4248879381-248715484-209387121-1198
[2001/11/05 16:17:37, 3] smbd/password.c:register_vuid(307)
uid 99 registered to name nobody
[2001/11/05 16:17:37, 3] smbd/password.c:register_vuid(309)
Clearing default real name
[2001/11/05 16:17:37, 3] smbd/password.c:register_vuid(311)
User name: nobody Real name: nobody
[2001/11/05 16:17:37, 10] lib/username.c:user_in_list(407)
user_in_list: checking user nobody in list
[2001/11/05 16:17:37, 2] passdb/pdb_ldap.c:ldap_open_connection(130)
ldap_open_connection: connection opened
[2001/11/05 16:17:37, 2] passdb/pdb_ldap.c:ldap_connect_system(160)
ldap_connect_system: succesful connection to the LDAP server
[2001/11/05 16:17:37, 2] passdb/pdb_ldap.c:ldap_search_one_user(172)
ldap_search_one_user: searching
for:[(&(uid=nobody)(objectclass=sambaAccount))]
[2001/11/05 16:17:37, 2] passdb/pdb_ldap.c:get_single_attribute(257)
get_single_attribute: [uid] = [nobody]
[2001/11/05 16:17:37, 2] passdb/pdb_ldap.c:init_sam_from_ldap(375)
Entry found for user: nobody
[2001/11/05 16:17:37, 4] smbd/password.c:smb_password_ok(448)
smb_password_ok: Checking SMB password for user nobody
[2001/11/05 16:17:37, 5] smbd/password.c:smb_password_ok(462)
smb_password_ok: challenge received
[2001/11/05 16:17:37, 4] smbd/password.c:smb_password_ok(472)
smb_password_ok: Checking NT MD4 password
[2001/11/05 16:17:37, 4] smbd/password.c:smb_password_ok(477)
smb_password_ok: NT MD4 password check failed
[2001/11/05 16:17:37, 4] smbd/password.c:smb_password_ok(492)
smb_password_ok: Checking LM password
[2001/11/05 16:17:37, 4] smbd/password.c:smb_password_ok(497)
smb_password_ok: LM password check failed
[2001/11/05 16:17:37, 2] smbd/password.c:pass_check_smb(576)
pass_check_smb failed - invalid password for user [nobody]
<now does this a few more times - look in the LDAP searches later>
[2001/11/05 16:17:37, 5] smbd/uid.c:become_user(201)
become_user uid=(0,99) gid=(0,99)
[2001/11/05 16:17:37, 3] smbd/vfs.c:vfs_ChDir(658)
vfs_ChDir to /var/tmp
[2001/11/05 16:17:37, 3] smbd/service.c:make_connection(610)
<client computer name> (192.168.1.253) connect to service IPC$ as user
nobody (uid=99, gid=99) (pid 379)
[2001/11/05 16:17:38, 5] smbd/uid.c:become_user(201)
become_user uid=(0,99) gid=(0,99)
[2001/11/05 16:17:38, 4] smbd/nttrans.c:nt_open_pipe(544)
nt_open_pipe: Opening pipe \NETLOGON.
[2001/11/05 16:17:38, 3] smbd/nttrans.c:nt_open_pipe(561)
nt_open_pipe: Known pipe NETLOGON opening.
[2001/11/05 16:17:38, 4] rpc_server/srv_pipe_hnd.c:open_rpc_pipe_p(131)
Open pipe requested NETLOGON (pipes_open=0)
[2001/11/05 16:17:38, 2] passdb/pdb_ldap.c:ldap_search_one_user(172)
ldap_search_one_user: searching for:[(&(uid=<client computer
name>$)(objectclass=sambaAccount))]
[2001/11/05 16:17:38, 2] passdb/pdb_ldap.c:get_single_attribute(257)
get_single_attribute: [uid] = [<client computer name>$]
[2001/11/05 16:17:38, 2] passdb/pdb_ldap.c:init_sam_from_ldap(375)
Entry found for user: <client computer name>$
[2001/11/05 16:17:38, 2] passdb/pdb_ldap.c:get_single_attribute(261)
get_single_attribute: [sambaDomain] = [NULL]
<it then does loads of other stuff and then closes all connections and pipes
and exits>
-----------------
The slapd log is much more interesting and contains searches with the
following filters (each a different search):
(&(objectClass=posixAccount)(uid=\5Cnobody))
(&(objectClass=posixAccount)(uid=nobody))
(&(objectClass=posixGroup)(|(memberUid=nobody)(uniqueMember=cn=nobody,ou=people,<base dn I use>)))
(&(uid=nobody)(objectClass=sambaAccount))
(&(uid=nobody)(objectClass=sambaAccount))
(&(uid=nobody)(objectClass=sambaAccount))
(&(objectClass=posixGroup)(|(memberUid=nobody)(uniqueMember=cn=nobody,ou=people,<base dn I use>)))
(&(uid=<client computer name>$)(objectClass=sambaAccount))
(&(objectClass=posixAccount)(uid=<client computer name>$))
Like I said - the main thing I can tell about this is that it doesn't work. I
don't even know what I'm doing wrong and what I'm doing right - it's all such
a mess: configuring openldap, building the schema, building the database,
patching and compiling samba, configuring samba, configuring ntlogon,
configuring the windows clients - any one of those could have gone wrong -
possibly more than one. :-(
Oded
--
I remember hearing precisely analogous complaint from the Oral Traditionalists
when the Book People were trying to get their toe in the door.
-- Philomath
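In the first slapd filter above, `\5C` is the RFC 2254 hex escape for a backslash, so that search asked for a uid of literally `\nobody` (empty domain, backslash, username). The following is an added example, not code from the post or from Samba: it decodes the uid value each logged filter actually searched for, and shows the matching escape step a caller must apply before interpolating an untrusted name into a filter; the base DN and computer name are the post's own placeholders.

```python
import re

# RFC 2254 / RFC 4515: these characters must be hex-escaped inside a filter
# assertion value so a value can never change the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a caller-supplied value before placing it in a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse the escaping as slapd does: '\\5c' -> '\\', '\\2a' -> '*', ..."""
    return re.sub(r"\\([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def uids_searched(filters):
    """For each filter string return the decoded value of its (uid=...) clause,
    or None when the filter has no uid clause."""
    out = []
    for f in filters:
        m = re.search(r"\(uid=([^()]*)\)", f)
        out.append(unescape_filter_value(m.group(1)) if m else None)
    return out


# Constructed sample: the filters quoted from the slapd log in the post,
# with its placeholders for the base DN and the client computer name.
SAMPLE_FILTERS = [
    r"(&(objectClass=posixAccount)(uid=\5Cnobody))",
    r"(&(objectClass=posixAccount)(uid=nobody))",
    r"(&(objectClass=posixGroup)(|(memberUid=nobody)"
    r"(uniqueMember=cn=nobody,ou=people,<base dn I use>)))",
    r"(&(uid=nobody)(objectClass=sambaAccount))",
    r"(&(uid=<client computer name>$)(objectClass=sambaAccount))",
]

if __name__ == "__main__":
    for f, uid in zip(SAMPLE_FILTERS, uids_searched(SAMPLE_FILTERS)):
        print(f"{f}\n  -> uid searched: {uid!r}")
    # An injection-shaped name, escaped: it can no longer close the clause
    # early or add an OR branch to the filter.
    print(escape_filter_value("*)(uid=*"))
```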
----- Original Message -----
From: "Gavrie Philipson" <gavrie@philipson.co.il>
To: "Jonathan Ben-Avraham" <benavrhm@tkos.co.il>
Cc: "Oded Arbel" <odeda-linux-il@betalfa.org.il>; "Linux-IL Mailing list"
<linux-il@cs.huji.ac.il>
Sent: Monday, November 05, 2001 10:08 PM
Subject: Re: Anyone familiar with using samba as PDC with LDAP ?
> Jonathan Ben-Avraham wrote:
> >
> > On Mon, 5 Nov 2001, Oded Arbel wrote:
> >
> > >
> > > Or just as a regular PDC ?
> > > I need a lot of help with configuring a Samba server as PDC, and I don't
> > > know what questions to ask, so I would appreciate it if I could contact
> > > someone (preferably by phone) about Samba PDC in general and LDAP in
> > > particular.
> [...]
> > Hi Oded,
> > Please do this through the list, not by phone. I have the exact same
> > question and I am sure that others do too.
> [...]
>
> I'm very interested, too. I'm using Samba as a PDC (the Samba docs
> describe everything needed), and am soon going to try moving it to LDAP.
>
> -- Gavrie.
>