Thread: Samba/LDAP issues

  1. #1
    Join Date
    Apr 2010
    Beans
    90

    Samba/LDAP issues

    I'm fixing an issue with Samba not being able to authenticate with LDAP. Samba externally authenticates with an OpenLDAP server. When I create a user on LDAP and then go into the Samba server and run $ getent passwd, I see the user there. Even though the user appears, Samba is still not letting that user authenticate. This is what I'm seeing in one of the Samba log files. I've been working on this for two days and I'm not quite sure how to resolve this.

    Code:
    ==> log.workstation <==
    [2013/03/28 16:48:17.417727,  0] auth/auth_sam.c:493(check_sam_security)
      check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
    [2013/03/28 16:48:17.548388,  0] smbd/map_username.c:140(map_username)
      can't open username map /etc/samba/smbusers. Error No such file or directory
    [2013/03/28 16:48:17.549368,  0] passdb/pdb_get_set.c:212(pdb_get_group_sid)
      pdb_get_group_sid: Failed to find Unix account for batman
    [2013/03/28 16:48:17.549524,  1] auth/auth_util.c:580(make_server_info_sam)
      User batman in passdb, but getpwnam() fails!
    [2013/03/28 16:48:17.549557,  0] auth/auth_sam.c:493(check_sam_security)
      check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

  2. #2
    Join Date
    May 2008
    Location
    SoCal
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Samba/LDAP issues

    Are you using Samba 3 or Samba 4?

    If it is Samba 3 then I'll bet you need to add the user to the smbpasswd database like this
    Code:
    smbpasswd -a <username>
    ... You can see who is in the database with this
    Code:
    sudo pdbedit -L
    I have no Samba 4 experience, but I believe this is all handled internally in LDAP as there is no smbpasswd per se.
    -BAB1

  3. #3
    Join Date
    Apr 2010
    Beans
    90

    Re: Samba/LDAP issues

    I went onto the LDAP server and ran:
    Code:
    smbpasswd -a someuser
    Then I went onto the samba fileshare server and ran:
    Code:
    sudo pdbedit -L
    I'm seeing a bunch of this:
    Code:
    sid S-1-5-21-1713727836-2215038221-1160323130-3062 does not belong to our domain
    sid S-1-5-21-3060199750-4236102679-2651694663-1002 does not belong to our domain
    sid S-1-5-21-1713727836-2215038221-1160323130-3072 does not belong to our domain
    sid S-1-5-21-3060199750-4236102679-2651694663-1003 does not belong to our domain

    Now on the samba server when I run:
    Code:
    sudo getent group
    I see all the groups come in from LDAP.

    When I run:
    Code:
    sudo getent passwd
    I see all the users coming in, even the new ones I created briefly on the LDAP server.

  4. #4
    Join Date
    Sep 2010
    Location
    Indian Capital City
    Beans
    886
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Samba/LDAP issues

    What does the following return on the Samba server?
    Code:
    testparm -s
    When you have eliminated the impossible, whatever remains, however improbable, must be the truth !!
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Mark it [SOLVED] if the issue has been resolved

  5. #5
    Join Date
    Apr 2010
    Beans
    90

    Re: Samba/LDAP issues

    Code:
    Load smb config files from /etc/samba/smb.conf
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    Processing section "[OR-Fileshare]"
    Global parameter encrypt passwords found in service section!
    Global parameter unix password sync found in service section!
    Global parameter passwd program found in service section!
    Global parameter passwd chat found in service section!
    Global parameter pam password change found in service section!
    Global parameter map to guest found in service section!
    Global parameter domain logons found in service section!
    Global parameter usershare allow guests found in service section!
    Processing section "[printers]"
    Loaded services file OK.
    Server role: ROLE_STANDALONE
    [global]
        workgroup = OR
        server string = %h server (Samba, Ubuntu)
        passdb backend = ldapsam:ldap://10.12.10.4
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        add user script = /usr/sbin/smbldap-useradd -m '%u'
        add machine script = /usr/sbin/smbldap-useradd -w '%u'
        dns proxy = No
        wins support = Yes
        ldap admin dn = cn=admin,dc=mainoffice,dc=net
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Computers
        ldap passwd sync = yes
        ldap suffix = dc=mainoffice,dc=net
        ldap ssl = no
        ldap user suffix = ou=People
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb
    
    
    [OH-Fileshare]
        comment = OR Fileshare
        path = /srv/fileshare
        read only = No
        create mask = 0775
        force create mode = 0775
        force security mode = 0775
        directory mask = 0775
        force directory mode = 0775
        force directory security mode = 0775
    
    
    [printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        print ok = Yes
        browseable = No
    Last edited by sdmike6; April 8th, 2013 at 04:04 PM.

  6. #6
    Join Date
    Sep 2010
    Location
    Indian Capital City
    Beans
    886
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Samba/LDAP issues

    I am asking a dumb question.
    Did you carry out the steps for adding the Samba schema on the LDAP server and the additional steps required for configuring Samba with LDAP as the authentication backend (smbpasswd -W, net getlocalsid, etc.)?

  7. #7
    Join Date
    Apr 2010
    Beans
    90

    Re: Samba/LDAP issues

    Originally there was a server running Samba on Ubuntu 11.04 that was authenticating externally with LDAP. The server's hardware needed to be replaced, so everything has been migrated over to a new server running Ubuntu 12.04.

    So adding samba schema on LDAP server and additional steps required for configuring samba with LDAP for authentication backend has already been done. (smbpasswd -W, net getlocalsid etc) ?

    I've already run smbpasswd -W on the new server and net getlocalsid is:
    SID for domain VAULT is: S-1-5-21-3824860550-1351888951-1520703921
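
The SID comparison that posts #3 and #7 make possible, as an added example that is not part of the original thread: it groups the SIDs in the pdbedit output by their domain part and marks each group against the value printed by net getlocalsid. The function names are hypothetical; the sample lines and the local SID are copied from the posts above.

```shell
#!/bin/sh
# Added example (not from the thread): which domain SIDs do the accounts
# in the passdb carry, and do they match this server's own SID?

# Domain part of a SID = everything before the final "-<RID>".
sid_domain() {
    printf '%s\n' "${1%-*}"
}

# Read text on stdin, extract every S-1-5-21-... account SID and print
#   "<count> <domain-sid> <local|foreign>"
# once per distinct domain SID. $1 is the SID from `net getlocalsid`.
sid_domain_report() {
    local_sid=$1
    grep -Eo 'S-1-5-21(-[0-9]+){4}' |
    sed 's/-[0-9]*$//' |
    sort | uniq -c |
    while read -r count dom; do
        if [ "$dom" = "$local_sid" ]; then tag=local; else tag=foreign; fi
        printf '%s %s %s\n' "$count" "$dom" "$tag"
    done
}

# The four pdbedit lines quoted in post #3.
thread_pdbedit_lines() {
    cat <<'EOF'
sid S-1-5-21-1713727836-2215038221-1160323130-3062 does not belong to our domain
sid S-1-5-21-3060199750-4236102679-2651694663-1002 does not belong to our domain
sid S-1-5-21-1713727836-2215038221-1160323130-3072 does not belong to our domain
sid S-1-5-21-3060199750-4236102679-2651694663-1003 does not belong to our domain
EOF
}

# Local SID as reported by `net getlocalsid` in post #7.
LOCAL_SID=S-1-5-21-3824860550-1351888951-1520703921

# On a live server the same report would be fed from the real tools, e.g.:
#   sudo pdbedit -L -v 2>&1 | sid_domain_report "$(sudo net getlocalsid | awk '{print $NF}')"
thread_pdbedit_lines | sid_domain_report "$LOCAL_SID"
```

Run against the values in this thread, the report lists two distinct domain SIDs among the accounts, and neither equals the SID the new server reports for itself.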

  8. #8
    Join Date
    Sep 2010
    Location
    Indian Capital City
    Beans
    886
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Samba/LDAP issues

    Ok, if that's the case, then simply increase the samba log level
    Code:
    sudo smbcontrol smbd debug 10
    Clean the existing log file for samba. Try user access
    Code:
    smbclient -L localhost -U<username>%<password>
    and let it fail.
    Then check the Samba log file for the error reported.

    May want to revert log level after this activity
