
Thread: [SOLVED] openLDAP/Samba authentication from XP issue

  1. #1
    Join Date
    Jul 2005
    Beans
    17

    [SOLVED] openLDAP/Samba authentication from XP issue

    I have openLDAP and SAMBA running on ubuntu server 7.10. I have samba configured to use ldap as its database back end. The problem is that when I am on the Windows XP machine and I try to join the samba domain or just try to connect to the share with the username and password it just tells me that the username and password is incorrect... Could someone shed some light on this situation for me?

    I'll post config files if necessary.

    Thanks.

  2. #2
    Join Date
    May 2008
    Location
    Terrace, British Columbia
    Beans
    188

    Re: openLDAP/Samba authentication from XP issue

    Try adding the machine first:

    Code:
    smbldap-useradd -w machine_name$
    Then try joining the domain in the typical fashion on your XP setup.

  3. #3
    Join Date
    Jul 2005
    Beans
    17

    Re: openLDAP/Samba authentication from XP issue

    Thank you for the suggestion. Unfortunately that didn't work. I didn't add the machine account to start with because I thought SAMBA would do it automatically, because of the " add machine script = /usr/sbin/smbldap-useradd -w %u " line added into the smb.conf file. If it helps you understand my issue a little bit more: I can't authenticate just to access a share either. The error I get from either trying to access a share or join the SAMBA domain is " Logon failure: unknown user name or bad password. ". I have linux authentication to openLDAP working fine. I can create a user then login with ssh or locally on the ubuntu server with that user, so I know that isn't the issue. The problem seems to be getting SAMBA to authenticate.

    Any more insight?

  4. #4
    Join Date
    May 2008
    Location
    Terrace, British Columbia
    Beans
    188

    Question Re: openLDAP/Samba authentication from XP issue

    Quote Originally Posted by erolleman View Post
    Thank you for the suggestion. Unfortunately that didn't work. I didn't add the machine account to start with because I thought SAMBA would do it automatically, because of the " add machine script = /usr/sbin/smbldap-useradd -w %u " line added into the smb.conf file.
    Try that command and see if you have the object sambaSamAccount
    and then check to see if you have sambaSID object. Without those two, even if you are passing the correct Username and Password, you will still get the user or password error joining a domain.

    It may be an error in my samba configuration that my add machine script isn't doing this automatically. I have not investigated.

    If it helps you understand my issue a little bit more: I can't authenticate just to access a share either. The error I get from either trying to access a share or join the SAMBA domain is " Logon failure: unknown user name or bad password. ".
    What is your domain name?
    How are you accessing the share?
    I'm assuming you get a "connect to yourserver" where you specify the username and password. What are you putting in for the username?

    I have linux authentication to openLDAP working fine. I can create
    a user then login with ssh or locally on the ubuntu server with that user, so I know that isn't the issue. The problem seems to be getting SAMBA to authenticate.
    PAM may be binding to LDAP fine.
    Samba may not be binding, OR it is binding fine AND keep in mind that:
    You will be accessing different attributes from different schemas in either authentication from a Linux host versus a Windows host.

    Any more insight?
    To solve your problem? Yes.
    Some insight as to the account you're using to authenticate from your directory, your smb.conf configuration, and slapd.conf configuration.

    Remove any password hashes as necessary.
    Last edited by promodus; June 29th, 2008 at 06:59 AM.

  5. #5
    Join Date
    Jul 2005
    Beans
    17

    Re: openLDAP/Samba authentication from XP issue

    Okay, here's the dn entries exactly as they exist in both slapd and smb for my directory admin account:
    slapd: rootdn "cn=diradmin,dc=test"
    rootpw {SSHA}EnoWIMQNwMUslbzj+n5xLqiJG/9jjbv
    smb: ldap admin dn = cn=diradmin,dc=test

    I then ran " smbpasswd -w pass " to update the password into samba's secrets file (Yes the password I'm using is " pass ", it's a virtual test environment so it doesn't matter to me if you know the password).

    The root account information as created by the smbldap-populate command is:
    # root, users, test
    dn: uid=root,ou=users,dc=test
    cn: root
    sn: root
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: sambaSamAccount
    objectClass: posixAccount
    objectClass: shadowAccount
    gidNumber: 0
    uid: root
    uidNumber: 0
    homeDirectory: /home/root
    sambaLogonTime: 0
    sambaLogoffTime: 2147483647
    sambaKickoffTime: 2147483647
    sambaPwdCanChange: 0
    sambaHomePath: \\ldap1\root
    sambaHomeDrive: H:
    sambaProfilePath: \\ldap1\profiles$\root
    sambaPrimaryGroupSID: S-1-5-21-1895558073-422317946-2241188313-512
    sambaSID: S-1-5-21-1895558073-422317946-2241188313-500
    loginShell: /bin/false
    gecos: Netbios Domain Administrator
    sambaLMPassword: B267DF22CB945E3EAAD3B435B51404EE
    sambaAcctFlags: [U]
    sambaNTPassword: 36AA83BDCAB3C9FDAF321CA42A31C3FC
    sambaPwdLastSet: 1214782117
    sambaPwdMustChange: 1218670117
    userPassword:: e1NTSEF9THJSVW5XQzlQUHBQZllJbmtJOXorckF6b2N0TFpEZzM=

    (Password = " pass ")

    Computer account ldap info created manually is:
    # ldap-xp$, computers, test
    dn: uid=ldap-xp$,ou=computers,dc=test
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    cn: ldap-xp$
    sn: ldap-xp$
    uid: ldap-xp$
    uidNumber: 10001
    gidNumber: 515
    homeDirectory: /dev/null
    loginShell: /bin/false
    description: Computer
    gecos: Computer

    When I try to join the domain I used " root " and pass, I also tried " TEST\root " and " pass ". When I try to just access the shares I go " \\ldap1\netlogon\ " in the run command and it prompts me for username and password to which I try the same combos when trying to join to the domain with no success.

  6. #6
    Join Date
    May 2008
    Location
    Terrace, British Columbia
    Beans
    188

    Re: openLDAP/Samba authentication from XP issue

    If you are able to post the samba smb.conf and your ldap slapd.conf file I may have a better idea. I'm not sure if SAMBA is binding correctly or not.

    It sounds like part of smbldap-tools is working, your ldap server is running. I'm not sure if the proper samba objects are properly put into your DIT.

  7. #7
    Join Date
    Jul 2005
    Beans
    17

    Re: openLDAP/Samba authentication from XP issue

    SMB.CONF:

    [global]
    log level = 10
    workgroup = TEST
    netbios name = ldap1
    server string = TEST Directory Server
    wins support = yes
    ; wins server = w.x.y.z
    dns proxy = no
    name resolve order = wins bcast hosts lmhosts

    #### Networking ####
    ; interfaces = 127.0.0.0/8 eth0
    ; bind interfaces only = true

    #### Debugging/Accounting ####

    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0

    ####### Authentication #######

    ; security = user
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    ldap delete dn = yes
    delete user script = /usr/sbin/smbldap-userdel %u
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
    username map = /etc/samba/smbusers
    encrypt passwords = true
    passdb backend = tdbsam
    obey pam restrictions = no

    ; guest account = nobody
    ; unix password sync = no
    passwd program = /usr/bin/passwd %u

    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *passwd:*password\supdated\ssuccessfully* .

    ; pam password change = no

    ########## Domains ###########

    domain logons = yes
    domain master = yes
    preferred master = yes
    os level = 35
    logon path = \\ldap1\profiles$\%U
    ; logon path = \\%N\%U\profile
    logon drive = H:
    logon home = \\ldap1\%U
    logon script = logon.bat

    ; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

    ldap suffix = dc=test
    ldap machine suffix = ou=computers,dc=test
    ldap user suffix = ou=users,dc=test
    ldap group suffix = ou=groups,dc=test
    ldap idmap suffix = ou=idmap,dc=test
    ldap admin dn = cn=diradmin,dc=test
    ldap ssl = no
    ldap passwd sync = Yes

    ############ Misc ############

    ; include = /home/samba/etc/smb.conf.%m
    socket options = TCP_NODELAY
    ; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
    ; domain master = auto
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    ; winbind enum groups = yes
    ; winbind enum users = yes

    #======================= Share Definitions =======================

    [homes]
    comment = Home Directories
    browseable = no
    valid users = %S
    writable = yes
    create mask = 0700
    directory mask = 0700

    [netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    guest ok = yes
    writable = no
    share modes = no

    [profiles$]
    comment = Users profiles
    path = /home/samba/profiles
    guest ok = no
    browseable = no
    create mask = 0600
    directory mask = 0700
    read only = no
    profile acls = yes
    valid users = %U
    admin users = root @"Domain Admins"


    SLAPD.CONF

    # Schema and objectClass definitions
    include /etc/ldap/schema/core.schema
    include /etc/ldap/schema/cosine.schema
    include /etc/ldap/schema/nis.schema
    include /etc/ldap/schema/inetorgperson.schema
    include /etc/ldap/schema/samba.schema
    include /etc/ldap/schema/misc.schema


    pidfile /var/run/slapd/slapd.pid
    argsfile /var/run/slapd/slapd.args

    # Read slapd.conf(5) for possible values
    loglevel 8

    # Where the dynamically loaded modules are stored
    modulepath /usr/lib/ldap
    moduleload back_bdb

    # The maximum number of entries that is returned for a search operation
    sizelimit 500

    # The tool-threads parameter sets the actual amount of cpu's that is used
    # for indexing.
    tool-threads 1

    # 'backend' directive occurs
    backend bdb
    checkpoint 512 30

    # 'database' directive occurs
    database bdb

    # The base of your directory in database #1
    suffix "dc=test"

    rootdn "cn=diradmin,dc=test"
    rootpw {SSHA}EnoWIMQNwMUslbzj+n5xLqiJG/9jjbvN

    directory "/var/lib/ldap"

    dbconfig set_cachesize 0 20971520 0


    dbconfig set_lk_max_objects 1500
    dbconfig set_lk_max_locks 1500
    dbconfig set_lk_max_lockers 1500

    # Indexing options for database #1
    index objectClass eq
    index sn,uid,displayname pres,sub,eq
    index sambaSIDList,uidNumber eq
    index gidNumber,memberUid eq
    index sambaSID eq
    index sambaPrimaryGroupSID eq
    index sambaDomainName eq
    index cn,mail,givenname eq,subinitial
    index default sub

    lastmod on

    # replogfile /var/lib/ldap/replog

    access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
    by dn="cn=diradmin,dc=test" write
    by dn="uid=root,ou=users,dc=test" write
    by anonymous auth
    by self write
    by * none

    access to dn.base="" by * read

    access to *
    by dn="cn=diradmin,dc=test" write
    by * read
    Last edited by erolleman; July 1st, 2008 at 11:15 PM.

  8. #8
    Join Date
    May 2008
    Location
    Terrace, British Columbia
    Beans
    188

    Re: openLDAP/Samba authentication from XP issue

    access to attrs=userPassword,shadowLastChange,sambaNTPasswor d,sambaLMPassword
    Is there a space in sambaNTPassword, just before the d?

  9. #9
    Join Date
    Jul 2005
    Beans
    17

    Re: openLDAP/Samba authentication from XP issue

    No there isn't. When I saw that space after I posted I checked, haha. Some weird thingy the post in the forum added.

  10. #10
    Join Date
    May 2008
    Location
    Terrace, British Columbia
    Beans
    188

    Re: openLDAP/Samba authentication from XP issue

    encrypt passwords = true
    passdb backend = tdbsam
    obey pam restrictions = no

    ; guest account = nobody
    ; unix password sync = no
    passwd program = /usr/bin/passwd %u

    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *passwd:*password\supdated\ssuccessfully* .

    ; pam password change = no
    Two things I've noticed:

    passdb backend = ldapsam:ldap://ip_or_dns_of_ldap1

    /usr/sbin/smbldap-passwd %u
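As an added diagnostic (not code from the thread), this script checks the two things promodus asked about: whether each LDAP entry carries the sambaSamAccount objectClass and a sambaSID (post #4), and whether smb.conf still points passdb at tdbsam and passwd at /usr/bin/passwd once LDAP is the backend (post #10). The LDIF and smb.conf fragments are constructed samples abridged from posts #5 and #7.

```python
import re
# Constructed samples abridged from posts #5 and #7 (not the thread's own files):
# root carries the Samba attributes, the hand-made computer account does not.
SAMPLE_LDIF = """dn: uid=root,ou=users,dc=test
objectClass: sambaSamAccount
uid: root
sambaSID: S-1-5-21-1895558073-422317946-2241188313-500
sambaNTPassword: 36AA83BDCAB3C9FDAF321CA42A31C3FC
sambaAcctFlags: [U]

dn: uid=ldap-xp$,ou=computers,dc=test
objectClass: posixAccount
uid: ldap-xp$
"""
SAMPLE_SMB_CONF = """[global]
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
ldap admin dn = cn=diradmin,dc=test
"""

def parse_ldif(text):
    """Split LDIF text into entries; each entry maps attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")       # "attr:: b64" also lands here
            entry.setdefault(attr.strip(), []).append(value.strip(" :"))
        entries.append(entry)
    return entries

def check_samba_entry(entry):
    """Return what Samba's ldapsam backend needs and this entry lacks (post #4)."""
    missing = []
    if "sambaSamAccount" not in entry.get("objectClass", []):
        missing.append("objectClass sambaSamAccount")
    # Without these Samba cannot map the account to a SID or verify the NT hash.
    missing += [a for a in ("sambaSID", "sambaNTPassword", "sambaAcctFlags") if a not in entry]
    return missing

def check_smb_conf(text):
    """Flag the two smb.conf settings post #10 points at once LDAP is the backend."""
    opts = dict(re.findall(r"^\s*([a-z ]+?)\s*=\s*(.+?)\s*$", text, re.M))
    problems = []
    if "ldap admin dn" in opts:                         # Samba is meant to use LDAP
        if not opts.get("passdb backend", "").startswith("ldapsam"):
            problems.append("passdb backend should be ldapsam:ldap://<server>")
        if "smbldap-passwd" not in opts.get("passwd program", ""):
            problems.append("passwd program should be /usr/sbin/smbldap-passwd %u")
    return problems
```

Run it against the output of `slapcat` (or `ldapsearch`) and your real smb.conf; an empty list from both checks means the entry and the config at least have what ldapsam needs before you look at bind problems.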
