Samba with remote LDAP authentication doesn't see users properly


I found what was wrong. I added this line to the `[global]` section of smb.conf:

ldap admin dn = uid=root,ou=Users,dc=business,dc=intranet

then ran `service smb restart`, and I was able to see all users with smbldap-userlist. Authentication worked fine as well. Note that Samba binds to the directory as this DN using the password stored in secrets.tdb (set with `smbpasswd -w`); since the posted smb.conf has `ldap ssl = off`, that bind password and every passdb lookup cross the network unencrypted, so consider `ldap ssl = start tls` (or an `ldaps://` URL) and a dedicated service DN instead of the directory's root account.



Comments

  • joey dinopol
    joey dinopol over 1 year

    I'm trying to set up a Samba server that authenticates against a remote LDAP server, and I'm running into a problem I can't figure out how to solve.

    I can run `getent passwd` on the Samba server and see all the users from the LDAP server, but when I try to access \\SAMBASERVER from my Windows box I get this in /var/log/samba/log.mywindowsbox:

    <...snip...>
    [2012/10/19 13:05:22.449684,  2] smbd/sesssetup.c:1413(setup_new_vc_session)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2012/10/19 13:05:22.449692,  3] smbd/sesssetup.c:1212(reply_sesssetup_and_X_spnego)
      Doing spnego session setup
    [2012/10/19 13:05:22.449701,  3] smbd/sesssetup.c:1254(reply_sesssetup_and_X_spnego)
      NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
    [2012/10/19 13:05:22.449717,  3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
      Got user=[lucas] domain=[BUSINESS] workstation=[MYWINDOWSBOX] len1=24 len2=24
    [2012/10/19 13:05:22.449747,  3] auth/auth.c:216(check_ntlm_password)
      check_ntlm_password:  Checking password for unmapped user [BUSINESS]\[lucas]@[MYWINDOWSBOX] with the new password interface
    [2012/10/19 13:05:22.449759,  3] auth/auth.c:219(check_ntlm_password)
      check_ntlm_password:  mapped user is: [SAMBASERVER]\[lucas]@[MYWINDOWSBOX]
    [2012/10/19 13:05:22.449773,  3] smbd/sec_ctx.c:210(push_sec_ctx)
      push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
    [2012/10/19 13:05:22.449783,  3] smbd/uid.c:429(push_conn_ctx)
      push_conn_ctx(0) : conn_ctx_stack_ndx = 0
    [2012/10/19 13:05:22.449791,  3] smbd/sec_ctx.c:310(set_sec_ctx)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2012/10/19 13:05:22.449922,  2] lib/smbldap.c:950(smbldap_open_connection)
      smbldap_open_connection: connection opened
    [2012/10/19 13:05:23.001517,  3] lib/smbldap.c:1166(smbldap_connect_system)
      ldap_connect_system: successful connection to the LDAP server
    [2012/10/19 13:05:23.007713,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
      pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2012/10/19 13:05:23.007733,  3] auth/auth_sam.c:399(check_sam_security)
      check_sam_security: Couldn't find user 'lucas' in passdb.
    [2012/10/19 13:05:23.007743,  2] auth/auth.c:314(check_ntlm_password)
      check_ntlm_password:  Authentication for user [lucas] -> [lucas] FAILED with error NT_STATUS_NO_SUCH_USER
    [2012/10/19 13:05:23.007760,  3] smbd/error.c:80(error_packet_set)
      error packet at smbd/sesssetup.c(111) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
    [2012/10/19 13:05:23.010469,  3] smbd/process.c:1489(process_smb)
      Transaction 3 of length 142 (0 toread)
    <...snip...>
    

    /etc/samba/smb.conf file follows:

    [global]
    # Standalone Samba server (security = user, domain logons = No) that keeps
    # its account database (passdb) in a remote OpenLDAP directory at
    # 192.168.78.206 and manages that directory through the smbldap-tools.
    dos charset = 850
    unix charset = LOCALE
    
    workgroup = BUSINESS
    netbios name = SAMBASERVER
    
    # Listen only on the listed interfaces, and only on the NetBIOS session
    # port (139); SMB over TCP on 445 is not offered.
    bind interfaces only = true
    interfaces = lo eth0 eth1
    smb ports = 139
    # Network allowlist: everything is denied except the listed subnets and
    # localhost. In Samba the allow list takes precedence where the two
    # conflict. This only limits who can talk to smbd; it is not a
    # substitute for user authentication.
    hosts deny = All
    hosts allow = 192.168.78. 192.168.255. 127.0.0.1 10.149.122. 192.168.0.
    name resolve order = wins bcast hosts
    
    # Level 3 logging records client usernames and workstation names per
    # client (one file per machine via %m); keep the log directory readable
    # by root only.
    log level = 3
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 100000 
    
    domain logons = No
    wins support = Yes
    wins proxy = No
    # "client ntlmv2 auth" only governs what Samba sends when IT acts as a
    # client; it does not restrict what Windows clients may send to smbd.
    client ntlmv2 auth = Yes
    # NOTE(review): LanMan and NTLMv1 challenge/response are weak and
    # offline-crackable; "lanman auth = No" (and ideally "ntlm auth = No")
    # is the hardened setting. The session-setup log for this server shows
    # len1=24 len2=24, which looks like the Windows client is still
    # sending NTLMv1/LM responses, so tighten the client policy first and
    # verify before turning these off.
    lanman auth = Yes
    ntlm auth = Yes
    dns proxy = Yes
    time server = Yes
    
    security = user
    encrypt passwords = Yes
    obey pam restrictions = Yes
    # NOTE(review): both LDAP and Unix password sync are enabled; with an
    # ldapsam backend the LDAP sync normally suffices - confirm that the
    # Unix sync (passwd program/chat) is actually intended here.
    ldap password sync = Yes
    unix password sync = Yes
    
    # Account database lives in LDAP. The same host is also the idmap store
    # below, so it is a single point of failure for all authentication.
    passdb backend = ldapsam:"ldap://192.168.78.206"
    # NOTE(review): plain ldap:// with TLS disabled - the admin-DN bind
    # password (from secrets.tdb) and the account data ldapsam reads cross
    # the network in the clear. Prefer "ldap ssl = start tls" or an
    # ldaps:// URL.
    ldap ssl = off
    # DN smbd binds as for passdb reads/writes; its password is stored in
    # secrets.tdb (smbpasswd -w). NOTE(review): this is the directory's
    # root user - a dedicated service DN limited to the Samba attributes
    # would follow least privilege.
    ldap admin dn = uid=root,ou=Users,dc=business,dc=intranet
    
    # Base DN for all lookups. The relative suffixes below are appended to
    # it, so with an empty value they resolve at the directory root.
    # NOTE(review): this looks like it should be dc=business,dc=intranet,
    # matching the admin DN above - confirm against the directory layout.
    ldap suffix =
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    # Deleting a user through Samba removes the whole LDAP entry, not just
    # the Samba-specific attributes.
    ldap delete dn = Yes
    
    
    # Provisioning hooks, run as root by smbd; %u/%g are quoted so that the
    # substituted names are passed as single arguments.
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
    add machine script = /usr/sbin/smbldap-useradd -W -t5 "%u"
    
    # SID<->uid/gid mapping kept in the same directory. NOTE(review): this
    # is the older idmap syntax; newer Samba releases express it as
    # "idmap config * : backend/range" - check the installed version.
    idmap backend = ldap:"ldap://192.168.78.206"
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    
    # Printing disabled entirely.
    load printers = No
    printcap name = /dev/null
    
    map acl inherit = Yes
    # Logons arriving with an unknown domain (e.g. BUSINESS\lucas in the
    # log) are remapped to this server's own name before passdb lookup.
    map untrusted to domain = Yes
    enable privileges = Yes
    
    veto files = /lost+found/ /publicftp/
    

    So \\SAMBASERVER says it cannot find my user, even though `getent passwd` shows it. (getent goes through NSS, whereas smbd is looking the user up in its ldapsam passdb backend, as the `check_sam_security: Couldn't find user 'lucas' in passdb` line shows.) What do I need to change so that SAMBASERVER sees and authenticates my user?

    Thanks in advance!

    • joey dinopol
      joey dinopol over 11 years
      I still don't have an answer to this problem - could anyone help, please? If my question is hard to understand, let me know and I'll try to clarify it further.