[OpenIndiana-discuss] Could not setup LDAP for SAMBA

IVO GELOV (CRM) ivo at crm.walltopia.com
Mon Mar 5 21:00:25 UTC 2012


On Mon, 05 Mar 2012 19:55:36 +0200, Jonathan Adams <t12nslookup at gmail.com> wrote:

> Samba with LDAP is a PITA ... and we use it ...
>
> First off, all users who want to use samba must have real uids on the
> system, which means that the host has to be an LDAP client.
>
> Second, since 3.0.24 if you're planning on being a domain server you
> need to get hold of the smb-ldap perl tools.
>
> have you remembered to run smbpasswd -W ?
>
> Jon
>

Yes, I have run "smbpasswd -w my-secret".
I do not intend to run SAMBA in a Windows domain - I just want plain stupid workgroup
shares without poisoning "/etc/passwd" and the like.
I have the following file structure:

/masiv
    |
    +-- backup
         |
         +--- Sales
         |     |
         |     +--- Dealer_1
         |     |
         |     +--- Dealer_2
         |
         +--- Design
         |     |
         |     +--- Designer_1
         |     |
         |     +--- Designer_2
         |
         +--- Engineering
         |     |
         |     +--- Engineer_1
         |     |
         |     +--- Engineer_2
         |
         +--- Finance
               |
               +-- Accountant_1

I also have 2 local users - PERSON and BOSS; both have the primary group DEPART.
All directories below "/masiv/backup" are owned by PERSON:DEPART and have permissions 755.
In workgroup mode, SAMBA offers 2 kinds of security - "user" and "share".
In "user" mode, the Windows client provides a username/password combination on the first access to SAMBA
and then this credential is used for all shares until Windows is rebooted.
In "share" mode, the Windows client provides a password each time it tries to access a share - since
no username is provided, SAMBA chooses the first user with a matching password.

What I need is this:
1) each Windows customer should be able to map his own shared folder (I mean the share whose
    name is equal to the name of the customer) onto Windows drive letter Z: with write access, using his
    unique password;
2) department chiefs should be able to map the shared folder of their department onto Windows drive
    letter X: as read only, using the unique password of their department (so that the chief can see
    subfolders of his subordinates, but cannot mess with their files);
3) customers should not be able to see the contents of the shared folders of their colleagues.

I do not want to create a new local user in OpenIndiana for every new employee - instead, I prefer to
populate their profiles in a database. But using an SQL database seems too much for this simple task,
so I chose to use LDAP.
I want to have several dozen VIRTUAL user accounts in LDAP - so that their passwords can be used
for authentication by SAMBA. But I only want to use the above 2 UNIX users (PERSON and BOSS) for filesystem
permissions. So I need to somehow map the password onto a UID through LDAP...

As seen from this log file, SAMBA does not get "uidNumber" from LDAP records - but tries to find it through
the OS. And so the problem is - how to get the OS to find the UID of a specified LDAP posixAccount?

--------------------- CUT ------------------------------
[2012/03/05 22:54:34.216956,  5] auth/token_util.c:525()
   NT user token: (NULL)
[2012/03/05 22:54:34.216989,  5] auth/token_util.c:551()
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2012/03/05 22:54:34.217034,  5] smbd/uid.c:369()
   change_to_root_user: now uid=(0,0) gid=(0,0)
[2012/03/05 22:54:34.217069,  4] smbd/reply.c:767()
   Client requested device type [?????] for share [ADMINISTRATION]
[2012/03/05 22:54:34.217106,  5] smbd/service.c:1227()
   making a connection to 'normal' service administration
[2012/03/05 22:54:34.217136,  3] lib/access.c:362()
   only_ipaddrs_in_list: list has non-ip address (192.168.2.)
[2012/03/05 22:54:34.217164,  3] lib/access.c:396()
   check_access: hostnames in host allow/deny list.
[2012/03/05 22:54:34.217199,  2] lib/access.c:406()
   Allowed connection from UNKNOWN (192.168.2.175)
[2012/03/05 22:54:34.217244,  5] lib/username.c:133()
   Finding user ADMINISTRATION
[2012/03/05 22:54:34.217272,  5] lib/username.c:77()
   Trying _Get_Pwnam(), username as lowercase is administration
[2012/03/05 22:54:34.217348,  5] lib/username.c:85()
   Trying _Get_Pwnam(), username as given is ADMINISTRATION
[2012/03/05 22:54:34.217418,  5] lib/username.c:104()
   Checking combinations of 0 uppercase letters in administration
[2012/03/05 22:54:34.217450,  5] lib/username.c:110()
   Get_Pwnam_internals didn't find user [ADMINISTRATION]!
[2012/03/05 22:54:34.217486, 10] smbd/password.c:475()
   user_in_list: checking user nobody in list
[2012/03/05 22:54:34.217513, 10] smbd/password.c:480()
   user_in_list: checking user |nobody| against |boss|
[2012/03/05 22:54:34.217552,  2] smbd/service.c:626()
   Invalid username/password for [ADMINISTRATION]
[2012/03/05 22:54:34.217582,  1] smbd/service.c:678()
   create_connection_server_info failed: NT_STATUS_WRONG_PASSWORD
[2012/03/05 22:54:34.217621,  3] smbd/error.c:80()
   error packet at smbd/reply.c(776) cmd=117 (SMBtconX) NT_STATUS_WRONG_PASSWORD
--------------------- CUT ------------------------------
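The smbd debug excerpt above shows the failure chain a practitioner wants to recognise: smbd asks the name service for the account ("Finding user ADMINISTRATION"), the lookup comes back empty ("Get_Pwnam_internals didn't find user"), and the tree connect is then refused as NT_STATUS_WRONG_PASSWORD even though no password comparison against an LDAP account ever happened. The following Python is an added example, not code from the thread or from Samba: it parses log lines in that "[timestamp, level] file:line()" shape, distinguishes a name-service lookup failure from a genuine password rejection, and checks whether an nsswitch.conf text lists "ldap" as a passwd source (the "host has to be an LDAP client" point from Jon's reply). The log lines and the nsswitch.conf contents are constructed samples modelled on the message; the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a few lines in the shape of the smbd debug log quoted above.
SAMPLE_LOG = """\
[2012/03/05 22:54:34.217069,  4] smbd/reply.c:767()
   Client requested device type [?????] for share [ADMINISTRATION]
[2012/03/05 22:54:34.217244,  5] lib/username.c:133()
   Finding user ADMINISTRATION
[2012/03/05 22:54:34.217450,  5] lib/username.c:110()
   Get_Pwnam_internals didn't find user [ADMINISTRATION]!
[2012/03/05 22:54:34.217513, 10] smbd/password.c:480()
   user_in_list: checking user |nobody| against |boss|
[2012/03/05 22:54:34.217552,  2] smbd/service.c:626()
   Invalid username/password for [ADMINISTRATION]
[2012/03/05 22:54:34.217582,  1] smbd/service.c:678()
   create_connection_server_info failed: NT_STATUS_WRONG_PASSWORD
"""

# Header line: "[YYYY/MM/DD HH:MM:SS.micro, level] file.c:line()"
HEADER_RE = re.compile(r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)$")
NOT_FOUND_RE = re.compile(r"Get_Pwnam_internals didn't find user \[(?P<user>[^\]]+)\]")
WRONG_PW_RE = re.compile(r"NT_STATUS_WRONG_PASSWORD")


@dataclass
class Entry:
    timestamp: str
    level: int
    source: str
    message: str


def parse_smbd_log(text: str) -> List[Entry]:
    """Pair each header line with the indented message line(s) that follow it."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Entry(m["ts"], int(m["level"]), m["src"], "")
            entries.append(current)
        elif current is not None and line.strip():
            # Continuation lines are indented; join them into one message.
            current.message = (current.message + " " + line.strip()).strip()
    return entries


def diagnose(entries: List[Entry]) -> Dict[str, object]:
    """Classify a refused connection.

    A WRONG_PASSWORD status preceded by a failed passwd lookup means the OS never
    resolved the account (nsswitch/LDAP client problem), not that the password was wrong.
    """
    unresolved: List[str] = []
    for e in entries:
        m = NOT_FOUND_RE.search(e.message)
        if m:
            unresolved.append(m["user"])
    wrong_password = any(WRONG_PW_RE.search(e.message) for e in entries)
    if unresolved and wrong_password:
        return {"verdict": "name-service lookup failed", "users": unresolved}
    if wrong_password:
        return {"verdict": "password rejected", "users": []}
    return {"verdict": "no failure seen", "users": []}


def nsswitch_lists_ldap(conf_text: str, database: str = "passwd") -> bool:
    """True if the given nsswitch.conf database line names 'ldap' as a source."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        if name.strip() == database:
            return "ldap" in sources.split()
    return False


if __name__ == "__main__":
    result = diagnose(parse_smbd_log(SAMPLE_LOG))
    print(result)
    # Constructed nsswitch.conf fragments: the first would let getent/smbd see LDAP accounts.
    print(nsswitch_lists_ldap("passwd: files ldap\ngroup:  files ldap\n"))
    print(nsswitch_lists_ldap("passwd: files\n"))
```

The useful signal is the ordering: the lookup failure comes from lib/username.c before smbd/service.c reports the bad password, so a monitor that only keys on NT_STATUS_WRONG_PASSWORD would misread an nsswitch misconfiguration as a credential problem. If the passwd database in nsswitch.conf does not list ldap, "getent passwd <account>" will come back empty for the same reason smbd does.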