Hi,
I am facing issues with implementing samba user and group authentication using openldap. Is this the right place to ask?
-fuz
What are you having problems with? Is this a new installation or an existing system?
- Joe
-----Original Message-----
From: fuzzy_4711
Sent: Tuesday, March 22, 2011 6:12 AM
To: openldap-technical@openldap.org
Subject: OpenLDAP / Samba integration
Hi,
I am facing issues with implementing samba user and group authentication using openldap. Is this the right place to ask?
-fuz
-------- Original - Text --------
What are you having problems with? Is this a new installation or an existing system?
It is a new installation on openSUSE 11.4. I have both services running on the same box: ldap and samba.
When I try to connect using an smb client, the debug log is stating "key expired". Before that I got an NT_USER_NOT_KNOW. But right now I remember that I added the Netbios statement in smb.conf and at that time the debug message changed from user not known to key expired. I do not want to use netbios if possible - it was just added as another try to get it running. Could it be that I have to
From my understanding one needs the samba3.schema because Windows stores passwords differently than unix does and there is no way to convert. Therefore you only need to set the 2 passwordNT/LM fields and the sambaSID - the passwords are taken from those NT/LM fields. Is that right?
The group matching will be done without any problems using the group value defined in posixAccount. Is that right or am I mistaken? So for example: if stefan has gidNumber 100 defined, based on this information it will be possible to find out that in the config below stefan belongs to group users (based again on gidNumber and memberUid). Right or wrong?
Here are the essentials of my configuration details for both services.
I do have
dn: ou=Group,dc=xxxxx,dc=de
dn: ou=People,dc=xxxxx,dc=de
also I have:
dn: uid=stefan,ou=People,dc=xxxxx,dc=de
uid: stefan
cn: stefan
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
shadowLastChange: 13572
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 632
gidNumber: 100
homeDirectory: /home/users/stefan
structuralObjectClass: account
entryUUID: 57264e20-2261-102c-9ecf-9fa815f26773
creatorsName: cn=Manager,dc=xxxxx,dc=de
createTimestamp: 20071108161351Z
sambaSID: S-1-5-21-38098927-3018186934-2063245418
sambaLMPassword: c02717a286a249086de605daecb45436
sambaNTPassword: c02717a286a249086de605daecb45436
userPassword:: 1111111111111111111111111==
sambaPwdLastSet: 0
sambaPwdMustChange: 0
entryCSN: 20110321231822.373017Z#000000#000#000000
modifiersName: cn=Manager,dc=xxxxx,dc=de
modifyTimestamp: 20110321231822Z
Note: the sambaLMPassword and the sambaNTPassword values are created via a php script which first builds the md4-sum of the base password and after that does another binary transformation. I read this should be the format samba expects for the value. Is that right or did I do something wrong at this step?
--------------------------------------------------------------------------------
I have this definition also:
dn: cn=users,ou=Group,dc=xxxxx,dc=de
objectClass: posixGroup
objectClass: namedObject
objectClass: top
cn: users
userPassword:: 1111111111111111
gidNumber: 100
memberUid: sadmin
memberUid: stefan
structuralObjectClass: namedObject
entryUUID: 106c209a-226b-102c-9f4d-9fa815f26773
creatorsName: cn=Manager,dc=xxxxx,dc=de
createTimestamp: 20071108172328Z
entryCSN: 20110321210104.815232Z#000000#000#000000
modifiersName: cn=Manager,dc=xxxxx,dc=de
modifyTimestamp: 20110321210104Z
---------------------------------------------------------------------
Also I do have that, which confuses me: Why does the root user only have the value sambaAcctFlags set? Where does this entry come from - I did not define it in my ldif import.
dn: uid=root,ou=People,dc=xxxxx,dc=de
uid: root
sambaSID: S-1-5-21-38098927-3018186934-2063245418-1000
displayName: root
sambaPwdCanChange: 1300747942
sambaNTPassword: 111111111111111111
sambaPwdLastSet: 1300747942
sambaAcctFlags: [U ]
objectClass: sambaSamAccount
objectClass: account
structuralObjectClass: account
entryUUID: a0626f44-e859-102f-8432-f5e997da80c3
creatorsName: cn=Manager,dc=xxxxx,dc=de
createTimestamp: 20110321225222Z
entryCSN: 20110321225222.093965Z#000000#000#000000
modifiersName: cn=Manager,dc=xxxxx,dc=de
modifyTimestamp: 20110321225222Z
This is my slapd.conf:
ldapnix:~ # cat /etc/openldap/slapd.conf | grep -vi "^#"
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/samba3.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
access to dn.base="" by * read
access to attrs=userPassword,userPKCS12 by self write by * auth
access to attrs=shadowLastChange by self write by * read
access to * by * read
database bdb
monitoring on
suffix "dc=xxxxx,dc=de"
checkpoint 1024 5
cachesize 10000
rootdn "cn=Manager,dc=xxxxx,dc=de"
rootpw secret
directory /var/lib/ldap
index objectClass eq
-------------------------------------------------------------------------
This is my smb.conf:
[global]
unix charset = UTF-8
workgroup = PRIVAT
interfaces = 192.168.1.46
update encrypted = Yes
map to guest = Bad User
root directory = /
#username map = /etc/samba/smbusers
# Logging - 5000 KB, Samba keeps one .old file
log level = 3
max log size = 5000
printcap name = cups
logon path = \%L\profiles.msprofile
logon drive = P:
logon home = \%L%U.9xprofile
domain master = No
ldap ssl = Off
idmap uid = 10000-20000
idmap gid = 10000-20000
printer admin = @ntadmin, root, administrator
ldap admin dn = cn=Manager,dc=xxxxx,dc=de
passdb backend = ldapsam:ldap://ldap.privat.xxxxx.de/
ldapsam:trusted = yes
ldapsam:editposix = yes
ldap debug level = 1
ldap user suffix = ou=People
#ldap group suffix = ou=Groups
ldap group suffix = ou=Group
ldap machine suffix = ou=Computers
ldap suffix = dc=xxxxx,dc=de
wins support = No
add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$
domain logons = No
ldap idmap suffix = ou=Idmap
ldap passwd sync = No
netbios name = LDAPNIX
security = user
wins server =
I do have a share definition like that:
[users]
comment = All users
path = /home/users
valid users = @users, @susers, root
read only = No
inherit permissions = Yes
I added the password for "cn=Manager,dc=xxxxx,dc=de" using smbpasswd -w secret. The tdbdump /etc/samba/secrets.tdb command shows those entries:
key(53) = "SECRETS/LDAP_BIND_PW/cn=Manager,dc=xxxxx,dc=de"
data(7) = "secret\00"
}
{
key(21) = "SECRETS/SID/PRIVAT"
data(68) = "\01\04\00\00\00\00\00\05\15\00\00\00\EFWE\02\B6\E0\E5\B3j\A0\FAz\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
}
{
key(19) = "SECRETS/SID/LDAPNIX"
data(68) = "\01\04\00\00\00\00\00\05\15\00\00\00\EFWE\02\B6\E0\E5\B3j\A0\FAz\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
}
I get this output also:
ldapnix:~ # net getlocalsid
SID der Domäne LDAPNIX ist: S-1-5-21-38098927-3018186934-2063245418
I really would like to understand. If you guide me what to do and it would make sense, I would also set it up from scratch to understand what is going on. But I do not want to use libs or "special" scripts which will hide the process without the chance to understand.
Thanks for your help.
-fuz
On Tuesday, 22 March 2011 16:42:11 fuzzy_4711 wrote:
-------- Original - Text --------
What are you having problems with? Is this a new installation or an existing system?
It is a new installation on openSUSE 11.4. I have both services running on the same box: ldap and samba.
When I try to connect using an smb client,
Can you be more specific? Of course, testing with a client may be premature if you haven't tested with pdbedit or 'smbpasswd username' or similar.
the debug log is stating "key expired". Before that I got an NT_USER_NOT_KNOW.
I don't believe that is actually a valid error, and with 'map to guest = Bad User' you shouldn't get anything similar; please provide the *actual* error.
But right now I remember that I added the Netbios statement in smb.conf and at that time the debug message changed from user not known to key expired. I do not want to use netbios if possible - it was just added as another try to get it running. Could it be that I have to
From my understanding one needs the samba3.schema because Windows stores passwords differently than unix does and there is no way to convert. Therefore you only need to set the 2 passwordNT/LM fields and the sambaSID - the passwords are taken from those NT/LM fields. Is that right?
The group matching will be done without any problems using the group value defined in posixAccount. Is that right or am I mistaken? So for example: if stefan has gidNumber 100 defined, based on this information it will be possible to find out that in the config below stefan belongs to group users (based again on gidNumber and memberUid). Right or wrong?
Upstream samba doesn't seem to support use of rfc2307bis groups with ldapsam:trusted = yes. But, let's not worry about groups yet, if you can't authenticate a user.
Here are the essentials of my configuration details for both services.
I do have
dn: ou=Group,dc=xxxxx,dc=de
dn: ou=People,dc=xxxxx,dc=de
also I have:
dn: uid=stefan,ou=People,dc=xxxxx,dc=de
uid: stefan
cn: stefan
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
shadowLastChange: 13572
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 632
gidNumber: 100
homeDirectory: /home/users/stefan
structuralObjectClass: account
entryUUID: 57264e20-2261-102c-9ecf-9fa815f26773
creatorsName: cn=Manager,dc=xxxxx,dc=de
createTimestamp: 20071108161351Z
sambaSID: S-1-5-21-38098927-3018186934-2063245418
This looks like a domain sid, not a user sid. Of course, pdbedit should tell you that ...
How did you create this user? Note that 'smbpasswd -a stefan' should have been able to do it, and would have done it correctly.
sambaLMPassword: c02717a286a249086de605daecb45436
sambaNTPassword: c02717a286a249086de605daecb45436
userPassword:: 1111111111111111111111111==
sambaPwdLastSet: 0
sambaPwdMustChange: 0
entryCSN: 20110321231822.373017Z#000000#000#000000
modifiersName: cn=Manager,dc=xxxxx,dc=de
modifyTimestamp: 20110321231822Z
Note: the sambaLMPassword and the sambaNTPassword values are created via a php script which first builds the md4-sum of the base password and after that does another binary transformation. I read this should be the format samba expects for the value. Is that right or did I do something wrong at this step?
Well, I would exclude software that you may not know works, e.g. use 'smbpasswd username' to set the passwords ...
-----
I have this definition also:
dn: cn=users,ou=Group,dc=xxxxx,dc=de
objectClass: posixGroup
objectClass: namedObject
objectClass: top
cn: users
userPassword:: 1111111111111111
gidNumber: 100
memberUid: sadmin
memberUid: stefan
structuralObjectClass: namedObject
entryUUID: 106c209a-226b-102c-9f4d-9fa815f26773
creatorsName: cn=Manager,dc=xxxxx,dc=de
createTimestamp: 20071108172328Z
entryCSN: 20110321210104.815232Z#000000#000#000000
modifiersName: cn=Manager,dc=xxxxx,dc=de
modifyTimestamp: 20110321210104Z
Also I do have that, which confuses me: Why does the root user only have the value sambaAcctFlags set? Where does this entry come from - I did not define it in my ldif import.
dn: uid=root,ou=People,dc=xxxxx,dc=de
uid: root
sambaSID: S-1-5-21-38098927-3018186934-2063245418-1000
displayName: root
sambaPwdCanChange: 1300747942
sambaNTPassword: 111111111111111111
sambaPwdLastSet: 1300747942
sambaAcctFlags: [U ]
objectClass: sambaSamAccount
objectClass: account
structuralObjectClass: account
entryUUID: a0626f44-e859-102f-8432-f5e997da80c3
creatorsName: cn=Manager,dc=xxxxx,dc=de
createTimestamp: 20110321225222Z
Maybe you can tell us what you did at this time ^^^ ?
entryCSN: 20110321225222.093965Z#000000#000#000000
modifiersName: cn=Manager,dc=xxxxx,dc=de
modifyTimestamp: 20110321225222Z
This is my slapd.conf:
ldapnix:~ # cat /etc/openldap/slapd.conf | grep -vi "^#"
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/samba3.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
access to dn.base="" by * read
access to attrs=userPassword,userPKCS12 by self write by * auth
access to attrs=shadowLastChange by self write by * read
access to * by * read
database bdb
monitoring on
suffix "dc=xxxxx,dc=de"
checkpoint 1024 5
cachesize 10000
rootdn "cn=Manager,dc=xxxxx,dc=de"
rootpw secret
directory /var/lib/ldap
index objectClass eq
You will at minimum need more indexes ...
This is my smb.conf:
[global]
unix charset = UTF-8
workgroup = PRIVAT
interfaces = 192.168.1.46
update encrypted = Yes
map to guest = Bad User
root directory = /
#username map = /etc/samba/smbusers
# Logging - 5000 KB, Samba keeps one .old file
log level = 3
max log size = 5000
printcap name = cups
logon path = \%L\profiles.msprofile
logon drive = P:
logon home = \%L%U.9xprofile
domain master = No
ldap ssl = Off
idmap uid = 10000-20000
idmap gid = 10000-20000
printer admin = @ntadmin, root, administrator
ldap admin dn = cn=Manager,dc=xxxxx,dc=de
passdb backend = ldapsam:ldap://ldap.privat.xxxxx.de/
ldapsam:trusted = yes
ldapsam:editposix = yes
ldap debug level = 1
ldap user suffix = ou=People
#ldap group suffix = ou=Groups
ldap group suffix = ou=Group
ldap machine suffix = ou=Computers
ldap suffix = dc=xxxxx,dc=de
wins support = No
add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$
domain logons = No
ldap idmap suffix = ou=Idmap
ldap passwd sync = No
netbios name = LDAPNIX
security = user
wins server =
I do have a share definition like that:
[users]
comment = All users
path = /home/users
valid users = @users, @susers, root
read only = No
inherit permissions = Yes
I added the password for the "cn=Manager,dc=xxxxx,dc=de" using smbpasswd -w secret
What does 'pdbedit -L' say?
If it doesn't list any users, maybe run 'pdbedit -d10 -L', or 'pdbedit -d10 -L stefan'. If you can't see a problem here, the LDAP server's logs (at, or including level 256 or 'stats') would be useful.
I get this output also:
ldapnix:~ # net getlocalsid
SID der Domäne LDAPNIX ist: S-1-5-21-38098927-3018186934-2063245418
I really would like to understand. If you guide me what to do and it would make sense, I would also set it up from scratch to understand what is going on. But I do not want to use libs or "special" scripts
You could of course use standard utilities (such as smbpasswd, pdbedit etc.) instead of your own scripts, which may get things wrong ...
which will hide the process without the chance to understand.
Thanks for your help.
Notice how almost none of my questions have *anything* to do with OpenLDAP yet?
Regards, Buchan
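An added check for the two points raised above, the hand-rolled sambaNTPassword generator and the stefan entry whose sambaSID is the bare domain SID (example code written for this thread, not from the thread's author, Samba or OpenLDAP): it recomputes the NT hash the way smbpasswd does (MD4 over the UTF-16LE password) with a self-contained MD4, and checks that a sambaSID carries a RID after the domain SID. The test password "password" and the trimmed LDIF entry are constructed assumptions; the hashes and SID in the entry are the values posted in the thread.

```python
import struct

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), so the check runs even where OpenSSL has MD4 disabled."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & _MASK
    # pad to a multiple of 64 bytes: 0x80, zeros, then the bit length as little-endian u64
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rol((a + f(b, c, d) + X[idx] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next operation
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """sambaNTPassword as Samba stores it: MD4 over the UTF-16LE password, 32 hex digits."""
    return md4(password.encode("utf-16-le")).hex().upper()


def parse_ldif(text: str) -> dict:
    """Minimal single-entry LDIF parser: attribute -> list of values (base64 values kept raw)."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            attrs.setdefault(key.strip(), []).append(value.lstrip(":").strip())
    return attrs


def check_samba_account(ldif_text: str, domain_sid: str, test_password: str) -> dict:
    """Sanity checks on a sambaSamAccount entry before blaming Samba or OpenLDAP."""
    e = parse_ldif(ldif_text)
    sid = e.get("sambaSID", [""])[0]
    nt = e.get("sambaNTPassword", [""])[0].upper()
    lm = e.get("sambaLMPassword", [""])[0].upper()
    return {
        # a user SID is the domain SID plus a numeric RID; the bare domain SID is not a user
        "sid_has_rid": sid.startswith(domain_sid + "-") and sid[len(domain_sid) + 1:].isdigit(),
        # does the stored NT hash match the password the generator was fed?
        "nt_matches": nt == nt_hash(test_password),
        # LM and NT hashes use different algorithms; identical values mean the generator is wrong
        "lm_equals_nt": bool(nt) and lm == nt,
    }


# Constructed sample: trimmed stefan entry from the thread (SID and hashes as posted)
STEFAN_LDIF = """\
dn: uid=stefan,ou=People,dc=xxxxx,dc=de
uid: stefan
objectClass: sambaSamAccount
sambaSID: S-1-5-21-38098927-3018186934-2063245418
sambaLMPassword: c02717a286a249086de605daecb45436
sambaNTPassword: c02717a286a249086de605daecb45436
"""
DOMAIN_SID = "S-1-5-21-38098927-3018186934-2063245418"  # net getlocalsid output from the thread
```

Running check_samba_account(STEFAN_LDIF, DOMAIN_SID, "password") flags all three problems; an entry created with 'smbpasswd -a' gets a RID suffix and distinct LM/NT values.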
The samba aspects (e.g. anything about a SID) belong on the samba mailing lists IMHO.
OpenLDAP configuration, use of OpenLDAP utilities, ACLs for samba to use would be on-topic.
The grey area would be LDAP aspects in the smb.conf file or similar.
Regards, Buchan
----- "fuzzy_4711" fuzzy_4711@gmx.de wrote:
Hi,
I am facing issues with implementing samba user and group authentication using openldap. Is this the right place to ask?
-fuz
On 03/22/2011 04:12 AM, fuzzy_4711 wrote:
Hi,
I am facing issues with implementing samba user and group authentication using openldap. Is this the right place to ask?
-fuz
Probably my howto can help you; it is in Spanish, but I guess you can follow the examples.
http://tuxjm.net/docs/Configurar_Servidor_Controlador_de_Dominio_con_Samba_y...
Best regards.
On 22/03/2011 11:12, fuzzy_4711 wrote:
Hi,
I am facing issues with implementing samba user and group authentication using openldap. Is this the right place to ask?
-fuz