Re: Anyone familiar with using samba as PDC with LDAP ?
- To: Oded Arbel <oded(at-nospam)geek.co.il>
- Subject: Re: Anyone familiar with using samba as PDC with LDAP ?
- From: guy keren <choo(at-nospam)actcom.co.il>
- Date: Tue, 6 Nov 2001 02:50:33 +0200 (EET)
- cc: Linux-IL Mailing list <linux-il(at-nospam)cs.huji.ac.il>
- In-Reply-To: <008e01c1665a$bed7fb80$0200a8c0@silver>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
Out of this mess, let me ask a naive question - why do the clients try to
authenticate as user 'nobody'? Of course the passwords they supply are
invalid for this user - unless you set up some password for 'nobody'
(naah, I don't think you'd do such a thing).
Did you perhaps somehow tell samba to treat these users as user 'nobody'
when accessing the server (I recall there's such an option in samba's
configuration)?
guy
On Tue, 6 Nov 2001, Oded Arbel wrote:
> Date: Tue, 6 Nov 2001 02:33:13 +0200
> From: Oded Arbel <oded@geek.co.il>
> Cc: Linux-IL Mailing list <linux-il@cs.huji.ac.il>
> Subject: Re: Anyone familiar with using samba as PDC with LDAP ?
>
> Ok, here goes nothing - like I said: I don't know which questions to ask,
> so I'll just describe generally what I've done and what isn't working:
>
> I installed slapd 2.0.4 and samba 2.2.2 (with patches as described next),
> and then configured both as described in the PDC-LDAP-HOWTO at UNAV :
> http://www.unav.es/cti/ldap-smb-howto.html I went by the 2_2 HOW-TO, but it's
> a bit mixed up, so I had to grab the schema from the TNG HOWTO (and modify
> it a bit) and the patches from the HEAD HOWTO (and apply them manually).
> samba SRPM after patching (original was 2.2.2-1mdk from Mandrake cooker) is
> available, if you wish.
> My LDAP db looks something like this:
> top -+- People
>      |    +- some users (as per HOWTO)
>      |
>      +- Computers
>      |    +- some computers (as per HOWTO)
>      +- Groups
>           +- group 'users'
>
> All users are of objectClass posixAccount and sambaAccount (and something
> else which I call outlookAccount and contains attributes that Outlook and
> Outlook Express can import into their address book). All computers are of
> objectClass posixAccount.
> nsswitch.conf is set to auth through ldap first and it works great using any
> kind of login (except samba).
>
> Clients are Windows XP and Windows 98se. I can't get anything from the 98se.
> With XP I can "join the domain" as user 'DOMAIN\username' and computer
> 'computername', but when I reboot and try to log in, it fails every time.
> Both XP and 98 can't see shares on the PDC.
> Possibly this could be because the clients and the PDC aren't on the same
> subnet? The clients are on a DHCP managed subnet at 192.168.1.0/24, while
> the PDC is on a static subnet at 192.168.0.0/24. The gateway between both
> nets is a WINS server set to be the domain browser and local master.
>
> I've set the debug level on samba to 10, and here's a snippet from
> samba's "computer log" while I tried to log in to the domain from the XP
> station (the log is huge - all for one login - and most of it is kind of
> repetitive, so I took just the lines that I thought might be interesting):
> -----------------------
> [2001/11/05 16:17:37, 3] smbd/reply.c:reply_sesssetup_and_X(855)
> Domain=[] NativeOS=[Windows 2002 2600] NativeLanMan=[Windows 2002 5.1]
> [2001/11/05 16:17:37, 3] smbd/reply.c:reply_sesssetup_and_X(866)
> sesssetupX:name=[]
> [2001/11/05 16:17:37, 10] smbd/password.c:register_vuid(270)
> register_vuid: (99,99) nobody nobody guest=1
> [2001/11/05 16:17:37, 3] smbd/sec_ctx.c:get_current_groups(167)
> get_current_groups: uid 0 is in 1 groups: 99
> [2001/11/05 16:17:37, 10] smbd/uid.c:uid_to_sid(388)
> uid_to_sid: winbind lookup for uid 99 failed - trying local.
> [2001/11/05 16:17:37, 10] smbd/uid.c:gid_to_sid(410)
> gid_to_sid: winbind lookup for gid 99 failed - trying local.
> [2001/11/05 16:17:37, 5] smbd/password.c:create_nt_token(236)
> user token sid S-1-5-21-4248879381-248715484-209387121-1198
> [2001/11/05 16:17:37, 3] smbd/password.c:register_vuid(307)
> uid 99 registered to name nobody
> [2001/11/05 16:17:37, 3] smbd/password.c:register_vuid(309)
> Clearing default real name
> [2001/11/05 16:17:37, 3] smbd/password.c:register_vuid(311)
> User name: nobody Real name: nobody
> [2001/11/05 16:17:37, 10] lib/username.c:user_in_list(407)
> user_in_list: checking user nobody in list
> [2001/11/05 16:17:37, 2] passdb/pdb_ldap.c:ldap_open_connection(130)
> ldap_open_connection: connection opened
> [2001/11/05 16:17:37, 2] passdb/pdb_ldap.c:ldap_connect_system(160)
> ldap_connect_system: succesful connection to the LDAP server
> [2001/11/05 16:17:37, 2] passdb/pdb_ldap.c:ldap_search_one_user(172)
> ldap_search_one_user: searching
> for:[(&(uid=nobody)(objectclass=sambaAccount))]
> [2001/11/05 16:17:37, 2] passdb/pdb_ldap.c:get_single_attribute(257)
> get_single_attribute: [uid] = [nobody]
> [2001/11/05 16:17:37, 2] passdb/pdb_ldap.c:init_sam_from_ldap(375)
> Entry found for user: nobody
> [2001/11/05 16:17:37, 4] smbd/password.c:smb_password_ok(448)
> smb_password_ok: Checking SMB password for user nobody
> [2001/11/05 16:17:37, 5] smbd/password.c:smb_password_ok(462)
> smb_password_ok: challenge received
> [2001/11/05 16:17:37, 4] smbd/password.c:smb_password_ok(472)
> smb_password_ok: Checking NT MD4 password
> [2001/11/05 16:17:37, 4] smbd/password.c:smb_password_ok(477)
> smb_password_ok: NT MD4 password check failed
> [2001/11/05 16:17:37, 4] smbd/password.c:smb_password_ok(492)
> smb_password_ok: Checking LM password
> [2001/11/05 16:17:37, 4] smbd/password.c:smb_password_ok(497)
> smb_password_ok: LM password check failed
> [2001/11/05 16:17:37, 2] smbd/password.c:pass_check_smb(576)
> pass_check_smb failed - invalid password for user [nobody]
> <now does this a few more times - look in the LDAP searches later>
> [2001/11/05 16:17:37, 5] smbd/uid.c:become_user(201)
> become_user uid=(0,99) gid=(0,99)
> [2001/11/05 16:17:37, 3] smbd/vfs.c:vfs_ChDir(658)
> vfs_ChDir to /var/tmp
> [2001/11/05 16:17:37, 3] smbd/service.c:make_connection(610)
> <client computer name> (192.168.1.253) connect to service IPC$ as user
> nobody (uid=99, gid=99) (pid 379)
> [2001/11/05 16:17:38, 5] smbd/uid.c:become_user(201)
> become_user uid=(0,99) gid=(0,99)
> [2001/11/05 16:17:38, 4] smbd/nttrans.c:nt_open_pipe(544)
> nt_open_pipe: Opening pipe \NETLOGON.
> [2001/11/05 16:17:38, 3] smbd/nttrans.c:nt_open_pipe(561)
> nt_open_pipe: Known pipe NETLOGON opening.
> [2001/11/05 16:17:38, 4] rpc_server/srv_pipe_hnd.c:open_rpc_pipe_p(131)
> Open pipe requested NETLOGON (pipes_open=0)
> [2001/11/05 16:17:38, 2] passdb/pdb_ldap.c:ldap_search_one_user(172)
> ldap_search_one_user: searching for:[(&(uid=<client computer
> name>$)(objectclass=sambaAccount))]
> [2001/11/05 16:17:38, 2] passdb/pdb_ldap.c:get_single_attribute(257)
> get_single_attribute: [uid] = [<client computer name>$]
> [2001/11/05 16:17:38, 2] passdb/pdb_ldap.c:init_sam_from_ldap(375)
> Entry found for user: <client computer name>$
> [2001/11/05 16:17:38, 2] passdb/pdb_ldap.c:get_single_attribute(261)
> get_single_attribute: [sambaDomain] = [NULL]
> <it then does loads of other stuff and then closes all connections and pipes
> and exits>
> -----------------
>
> the slapd log is much more interesting and contains searches with the
> following filters (each a different search):
> (&(objectClass=posixAccount)(uid=\5Cnobody))
> (&(objectClass=posixAccount)(uid=nobody))
> (&(objectClass=posixGroup)(|(memberUid=nobody)(uniqueMember=cn=nobody,ou=people,<base dn I use>)))
> (&(uid=nobody)(objectClass=sambaAccount))
> (&(uid=nobody)(objectClass=sambaAccount))
> (&(uid=nobody)(objectClass=sambaAccount))
>
> (&(objectClass=posixGroup)(|(memberUid=nobody)(uniqueMember=cn=nobody,ou=people,<base dn I use>)))
> (&(uid=<client computer name>$)(objectClass=sambaAccount))
> (&(objectClass=posixAccount)(uid=<client computer name>$))
>
> Like I said - the main thing I can tell about this is that it doesn't work. I
> don't even know what I'm doing wrong and what I'm doing right - it's all such
> a mess: configuring openldap, building the schema, building the database,
> patching and compiling samba, configuring samba, configuring ntlogon,
> configuring the windows clients - any one of those could have gone wrong -
> possibly more than one. :-(
>
> Oded
>
> --
> I remember hearing precisely analogous complaint from the Oral Traditionalists
> when the Book People were trying to get their toe in the door.
> -- Philomath
--
guy
"For world domination - press 1,
or dial 0, and please hold, for the creator." -- nob o. dy
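The symptom in the quoted log is a session set up with an empty name, registered as the guest account (guest=1), and then a password check run against that account's sambaAccount entry, which naturally fails. The following is an added example, not code from either poster: a small analyzer for Samba 2.2 debug-log lines that pulls out exactly those facts (empty session names, guest vuids, failed password checks, LDAP filters) so the "why nobody?" question can be answered from a log rather than by eye. The log text is constructed in the same format as the quoted snippet; the client name is hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the Samba 2.2 debug-log format quoted in the thread
# (hypothetical client name; not the poster's actual log).
SAMPLE_LOG = """\
[2001/11/05 16:17:37, 3] smbd/reply.c:reply_sesssetup_and_X(866)
  sesssetupX:name=[]
[2001/11/05 16:17:37, 10] smbd/password.c:register_vuid(270)
  register_vuid: (99,99) nobody nobody guest=1
[2001/11/05 16:17:37, 2] passdb/pdb_ldap.c:ldap_search_one_user(172)
  ldap_search_one_user: searching for:[(&(uid=nobody)(objectclass=sambaAccount))]
[2001/11/05 16:17:37, 4] smbd/password.c:smb_password_ok(477)
  smb_password_ok: NT MD4 password check failed
[2001/11/05 16:17:37, 2] smbd/password.c:pass_check_smb(576)
  pass_check_smb failed - invalid password for user [nobody]
"""

# Header line: "[timestamp, level] file.c:function(line)"; the message follows on the next line(s).
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+), (?P<level>\d+)\] (?P<where>\S+)$")

def parse_entries(log):
    """Pair each header with its indented message line(s); returns a list of dicts."""
    entries, current = [], None
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"ts": m["ts"], "level": int(m["level"]), "where": m["where"], "msg": ""}
            entries.append(current)
        elif current is not None:
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return entries

def summarize(log):
    """Collect the facts relevant to a guest-mapped logon: empty names, guest vuids, failures, filters."""
    s = {"empty_session_names": 0, "guest_vuids": [], "failed_passwords": Counter(),
         "ldap_filters": [], "findings": []}
    for e in parse_entries(log):
        msg = e["msg"]
        if "sesssetupX:name=[]" in msg:
            s["empty_session_names"] += 1
        if (m := re.search(r"register_vuid: \(\d+,\d+\) (\S+) \S+ guest=(\d)", msg)) and m[2] == "1":
            s["guest_vuids"].append(m[1])
        if m := re.search(r"invalid password for user \[([^\]]+)\]", msg):
            s["failed_passwords"][m[1]] += 1
        if m := re.search(r"searching for:\[(.+)\]$", msg):
            s["ldap_filters"].append(m[1])
    # A password check against an account that was only ever registered as guest is the thread's symptom.
    for user in set(s["guest_vuids"]) & set(s["failed_passwords"]):
        s["findings"].append(f"password check run against guest account '{user}' "
                             f"({s['empty_session_names']} session setup(s) had an empty name)")
    return s
```

Run `summarize(open("log.smbd").read())` on a real level-10 log to get the same breakdown; a non-empty `findings` list is the signal that clients are being mapped to the guest account rather than authenticating as themselves.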
=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il