[lugm.org] Openldap and Samba issue

Avinash Meetoo avinash at noulakaz.net
Thu Jul 8 05:14:15 UTC 2010


Dear all,

A friend of mine, Bernard Auguste (bauguste at aclmauritius.com), is
having some problems setting up openldap and samba. Can anyone offer
some insight into what is happening? (Feel free to contact Bernard
directly if you have a solution.)

---------- Forwarded message ----------
From: Bernard Auguste <bauguste at aclmauritius.com>

I have a server called labo where I have set up openldap but I have an
issue. Grateful if you could help.

Please see details

Ldap server has been set up and service is up and running (file: slapd.conf)
User has been successfully added through an ldif file with ldapadd
User was successfully created. User entry is found with ldapsearch and slapcat
User successfully changed password with ldappasswd
User can successfully log in with credentials in his particular
account where ldap server is running (with ldap as password backend)
Samba is working correctly. Shares can be seen on server and accessed
from client PC with user credentials.
Workstation was created with samba utility -> smbpasswd -a -m workstation$
Client PC successfully joined domain where samba running as a PDC.

Issue

User cannot authenticate with his credentials on client PC when using
ldap as the password backend.
Windows logon message says "The system could not log you on.  Make
sure the username and domain are correct..."
However, if smbpasswd is used as password backend in samba server and
the user authentication source is changed to smbpasswd, the user is able to
successfully authenticate from client PC with credentials.
How to make user(client) authenticate successfully with ldap server
with ldap as the password backend?

Thanks in advance
Regards
Bernard


--
avinash at noulakaz.net - http://www.noulakaz.net/ - (230) 493-9394

Those who fail to understand C++ are doomed to reimplement it. Better. [Jez]
-------------- next part --------------
dn:uid=ba,ou=group,dc=labomauritius,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: ba
uidNumber: 10010
gidNumber: 100
cn: Bernard Auguste
givenName: bernard
sn: Auguste
homeDirectory: /home/bernard
loginShell: /bin/bash
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowMin: 0
shadowLastChange: 12609
-------------- next part --------------
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2009-09-05
[global]
	netbios name = labo1
	workgroup = laboadmin
	interfaces = 176.16.1.1/255.255.0.0
	hosts allow = 176.16.1.2
	printing = cups
	printcap name = cups
	printcap cache time = 750
	cups options = raw
	map to guest = Bad User
	include = /etc/samba/dhcp.conf
#	
	obey pam restrictions = Yes
	logon script = scripts\logon.bat
	logon path = \\%L\profiles\%U
	logon home = \\%L\%U
	logon drive = H:
	usershare allow guests = Yes
	wins support = Yes
	passdb backend = ldapsam:ldap://176.16.1.1
	username map = /etc/samba/smbusers
#Path to IDEALX scripts
####################################
#	add user script = /usr/local/sbin/smbldap-useradd -m %u
#	delete user script = /usr/local/sbin/smbldap-userdel %u
#	add group script = /usr/local/sbin/smbldap-groupadd -p %g
#	delete group script = /usr/local/sbin/smbldap-groupdel %g
#	add user to group script = /usr/local/sbin/smbldap-groupmod -m %g %u
#	delete user from group script = /usr/local/sbin/smbldap-groupmod -x %g %u
#	set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u
#	add machine script = /usr/local/sbin/smbldap-useradd -w %u

####################################

	usershare max shares = 100
	domain logons = Yes
	domain master = Yes
	dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
	show add printer wizard = yes
	security = user
	local master = Yes
	os level = 44
	preferred master = Yes
	ldap admin dn = cn=Administrator,dc=labomauritius,dc=com
	ldap group suffix = ou=group
	ldap idmap suffix = ou=Idmap
	ldap machine suffix = ou=Machines
	ldap passwd sync = Yes
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	ldap ssl = No
	ldap suffix = dc=labomauritius,dc=com
	ldap user suffix = ou=group
# Defining logging faclity
########################################
	log level = 2
	log file = /var/log/samba/%m.log
# Virus scanning Definition
#######################################
	vfs object = vscan-clamav
	vfs objects = vscan-clamav
	ldap delete dn = No
	ldap replication sleep = 1000
	ldap timeout = 5
	idmap backend = ldap:ldap://176.16.1.1

[homes]
	comment = Home Directories
	valid users = %S
#	valid users = %S, %D%w%S
	browseable = No
	read only = No
#	inherit acls = Yes
[profiles]
	comment = Roaming Profiles
	path = /var/lib/samba/profiles
	read only = No
	browsable = No
	force user = %U
	valid users = %U "Domain Admins"
	profile acls = Yes
	store dos attributes = Yes
	create mask = 0600
	directory mask = 0700

[users]
	comment = All users
	path = /home
	read only = No
	inherit acls = Yes
	veto files = /aquota.user/groups/shares/
[groups]
	comment = All groups
	path = /home/groups
	read only = No
	inherit acls = Yes
[printers]
	comment = All Printers
#	path = /var/tmp
	path = /var/spool/samba
	printer admin = @"Print Operators"
	read only = Yes
	guest ok = Yes
	printable = Yes
#	create mask = 0600
	browseable = No
[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	guest ok = No
	browseable = Yes
	read only = Yes
	valid users = @"Print Operators"
	write list = @"Print Operators"
#	force group = ntadmin
	create mask = 0664
	directory mask = 0775
[sharedir]
	comment = data
	path = /sharedir/data
	read only = no
	guest ok = Yes
	create mask = 0777
	directory mask = 0777
	browseable = Yes
#Defining arbritary share resource
[share]
	comment = data share
	path = /opt/stuff
	valid users = %U

[netlogon]
	comment = Network Logon Service
	path = /var/lib/samba/netlogon
	write list = root
	guest ok = Yes
	browseable = No

[jino]
	comment = Jino's home folder
	inherit acls = Yes
	path = /home/jino/
	read only = No
-------------- next part --------------
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/rfc2307bis.schema
include		/etc/openldap/schema/yast.schema
include		/etc/openldap/schema/dnszone.schema
include		/etc/openldap/schema/samba3.schema
# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

pidfile		/var/run/slapd/slapd.pid
argsfile	/var/run/slapd/slapd.args

# Load dynamic backend modules:
modulepath	/usr/lib/openldap/modules
# moduleload	back_ldap.la
# moduleload	back_meta.la
# moduleload	back_monitor.la
# moduleload	back_perl.la

# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access to user password
#               Allow anonymous users to authenticate
#               Allow read access to everything else
#       Directives needed to implement policy:
## Yast2 samba hack ACL
## allow the "ldap admin dn" access, but deny everyone else
access to attrs=SambaLMPassword,SambaNTPassword
    by dn="cn=Administrator,dc=labomauritius,dc=com" write
    by * none
## Yast2 samba hack ACL done
access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

access to attrs=userPassword,userPKCS12
        by self write
        by * auth

access to attrs=shadowLastChange
        by self write
        by * read

access to *
        by * read

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

loglevel 8
database bdb
suffix "dc=labomauritius,dc=com"
rootdn "cn=Administrator,dc=labomauritius,dc=com"
rootpw "123456"
directory /var/lib/ldap/
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
database bdb
suffix "dc=labo2,dc=com"
rootdn "cn=manager,dc=labo2,dc=com"
rootpw "12345678"
directory /var/lib/ldap/dc=labo2_dc=com
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres

