[OpenIndiana-discuss] Could not setup LDAP for SAMBA
IVO GELOV (CRM)
ivo at crm.walltopia.com
Mon Mar 5 21:00:25 UTC 2012
On Mon, 05 Mar 2012 19:55:36 +0200, Jonathan Adams <t12nslookup at gmail.com> wrote:
> Samba with LDAP is a PITA ... and we use it ...
>
> First off, all users who want to use samba must have real uids on the
> system, which means that the host has to be an LDAP client.
>
> Second, since 3.0.24 if you're planning on being a domain server you
> need to get hold of the smb-ldap perl tools.
>
> have you remembered to run smbpasswd -W ?
>
> Jon
>
Yes, I have run "smbpasswd -w my-secret".
I do not intend to run SAMBA in a Windows domain - I just want plain stupid workgroup
shares without poisoning "/etc/passwd" and the like.
I have the following file structure:
/masiv
  |
  +-- backup
        |
        +--- Sales
        |      |
        |      +--- Dealer_1
        |      |
        |      +--- Dealer_2
        |
        +--- Design
        |      |
        |      +--- Designer_1
        |      |
        |      +--- Designer_2
        |
        +--- Engineering
        |      |
        |      +--- Engineer_1
        |      |
        |      +--- Engineer_2
        |
        +--- Finance
               |
               +-- Accountant_1
I also have 2 local users - PERSON and BOSS - both of which have the primary group DEPART.
All directories below "/masiv/backup" are owned by PERSON:DEPART and have permissions 755.
In workgroup mode, SAMBA offers 2 kinds of security - "user" and "share".
In "user" mode, the Windows client provides a username/password combination on the first access to SAMBA,
and then this credential is used for all shares until Windows is rebooted.
In "share" mode, the Windows client provides a password each time it tries to access a share - since no
username is provided, SAMBA chooses the first user with a matching password.
What I need is this:
1) each Windows customer should be able to map his own shared folder (I mean the share whose
name is equal to the name of the customer) onto Windows drive letter Z: with write access, using his
unique password;
2) department chiefs should be able to map the shared folder of their department onto Windows drive
letter X: as read only, using the unique password of their department (so that the chief can see the
subfolders of his subordinates, but cannot mess with their files);
3) customers should not be able to see the contents of the shared folders of their colleagues.
I do not want to create a new local user in OpenIndiana for every new employee - instead, I prefer to
populate their profiles in a database. But using an SQL database seems too much for this simple task,
so I chose to use LDAP.
I want to have several dozen VIRTUAL user accounts in LDAP - so that their passwords can be used
for authentication by SAMBA. But I only want to use the above 2 UNIX users (PERSON and BOSS) for filesystem
permissions. So I need to somehow map the password onto a UID through LDAP ....
As seen from this log file, SAMBA does not get "uidNumber" from the LDAP records - but tries to find it through
the OS. And so the problem is - how to get the OS to find the UID of a specified LDAP posixAccount?
--------------------- CUT ------------------------------
[2012/03/05 22:54:34.216956, 5] auth/token_util.c:525()
NT user token: (NULL)
[2012/03/05 22:54:34.216989, 5] auth/token_util.c:551()
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2012/03/05 22:54:34.217034, 5] smbd/uid.c:369()
change_to_root_user: now uid=(0,0) gid=(0,0)
[2012/03/05 22:54:34.217069, 4] smbd/reply.c:767()
Client requested device type [?????] for share [ADMINISTRATION]
[2012/03/05 22:54:34.217106, 5] smbd/service.c:1227()
making a connection to 'normal' service administration
[2012/03/05 22:54:34.217136, 3] lib/access.c:362()
only_ipaddrs_in_list: list has non-ip address (192.168.2.)
[2012/03/05 22:54:34.217164, 3] lib/access.c:396()
check_access: hostnames in host allow/deny list.
[2012/03/05 22:54:34.217199, 2] lib/access.c:406()
Allowed connection from UNKNOWN (192.168.2.175)
[2012/03/05 22:54:34.217244, 5] lib/username.c:133()
Finding user ADMINISTRATION
[2012/03/05 22:54:34.217272, 5] lib/username.c:77()
Trying _Get_Pwnam(), username as lowercase is administration
[2012/03/05 22:54:34.217348, 5] lib/username.c:85()
Trying _Get_Pwnam(), username as given is ADMINISTRATION
[2012/03/05 22:54:34.217418, 5] lib/username.c:104()
Checking combinations of 0 uppercase letters in administration
[2012/03/05 22:54:34.217450, 5] lib/username.c:110()
Get_Pwnam_internals didn't find user [ADMINISTRATION]!
[2012/03/05 22:54:34.217486, 10] smbd/password.c:475()
user_in_list: checking user nobody in list
[2012/03/05 22:54:34.217513, 10] smbd/password.c:480()
user_in_list: checking user |nobody| against |boss|
[2012/03/05 22:54:34.217552, 2] smbd/service.c:626()
Invalid username/password for [ADMINISTRATION]
[2012/03/05 22:54:34.217582, 1] smbd/service.c:678()
create_connection_server_info failed: NT_STATUS_WRONG_PASSWORD
[2012/03/05 22:54:34.217621, 3] smbd/error.c:80()
error packet at smbd/reply.c(776) cmd=117 (SMBtconX) NT_STATUS_WRONG_PASSWORD
--------------------- CUT ------------------------------
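As an added example (not from the original post and not Samba's own code), a small Python reader for the `[timestamp, level] file:line()` debug-log format shown above; it separates a tree connect that failed because the host could not resolve the name into a uid (the `Get_Pwnam_internals didn't find user` line, which fires before any password is compared) from one that failed on a genuinely rejected password. The embedded log excerpt is copied from the post, with the level-10 lines omitted.

```python
import re

# Excerpt of the Samba debug log quoted in the post (level-10 lines omitted);
# each record is a "[timestamp, level] file:line()" header followed by its message.
SAMPLE_LOG = """\
[2012/03/05 22:54:34.217069, 4] smbd/reply.c:767()
  Client requested device type [?????] for share [ADMINISTRATION]
[2012/03/05 22:54:34.217244, 5] lib/username.c:133()
  Finding user ADMINISTRATION
[2012/03/05 22:54:34.217450, 5] lib/username.c:110()
  Get_Pwnam_internals didn't find user [ADMINISTRATION]!
[2012/03/05 22:54:34.217552, 2] smbd/service.c:626()
  Invalid username/password for [ADMINISTRATION]
[2012/03/05 22:54:34.217582, 1] smbd/service.c:678()
  create_connection_server_info failed: NT_STATUS_WRONG_PASSWORD
"""

HEADER = re.compile(r"^\[(?P<ts>[^,]+), (?P<level>\d+)\] (?P<src>\S+)$")
TCON = re.compile(r"Client requested device type \[.*\] for share \[(.+)\]")
NSS_MISS = re.compile(r"Get_Pwnam_internals didn't find user \[(.+)\]")


def parse_samba_log(text):
    """Pair each header line with the indented message line that follows it."""
    entries, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = m.groupdict()
        elif header is not None:
            entries.append({**header, "msg": line.strip()})
            header = None
    return entries


def diagnose_tree_connects(entries):
    """Map each share whose tree connect failed to the reason visible in the log:
    a getpwnam() miss (the OS cannot turn the name into a uid, so no password was
    ever checked) versus a genuine password rejection."""
    verdicts, share, unresolved = {}, None, []
    for e in entries:
        msg = e["msg"]
        tc, miss = TCON.match(msg), NSS_MISS.match(msg)
        if tc:
            share, unresolved = tc.group(1), []
        elif share and miss:
            unresolved.append(miss.group(1))
        elif share and msg.startswith("Invalid username/password"):
            if unresolved:
                verdicts[share] = "unresolved user(s) %s: OS cannot map the name to a uid" % ",".join(unresolved)
            else:
                verdicts[share] = "password rejected"
            share = None
    return verdicts
```

Feed it a full `log level = 10` smbd log to see, per share, whether the failure happened at the NSS lookup stage or at the password check.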