[OpenIndiana-discuss] Could not setup LDAP for SAMBA

Jonathan Adams t12nslookup at gmail.com
Tue Mar 6 10:01:21 UTC 2012


OK, well, that's relatively straightforward ...

You might want to do this in a zone on Solaris if you're worried
about polluting the passwd file, because each samba user _does_ need a
user on the system. If you do it in a zone then the zone can be an
LDAP client and you can disable all ssh, telnet and ftp access, so that
people can only access their user partitions using samba.

After you have the zone as an LDAP client, you need to configure the
LDAP for samba and the smb.conf file.

If you are brave and know your way around LDAP you can do this
manually: get the Samba LDAP schema from the Samba source tar
file ( https://www.samba.org/samba/download/ ) and load it into the
LDAP server.

The users you want to have access to the domain will need to have the
classes "posixAccount" and "sambaSamAccount" ... and you will need to
know your sambaSID ...

Otherwise you can look at getting the smbldap tools, written in perl
( http://gna.org/projects/smbldap-tools ), which are essential if you are
planning on having domain logons, or even look at other tools from
https://wiki.samba.org/index.php/Samba_&_LDAP

I'm a scripter, so we have in-house tools.

Logging in to the first share for the first time is the hardest bit
... after that it is just setting up groups and access levels.

Jon

On 5 March 2012 21:00, IVO GELOV (CRM) <ivo at crm.walltopia.com> wrote:

> What I need is this:
> 1) each Windows customer should be able to map his own shared folder (I mean
>    the share whose name is equal to the name of the customer) onto Windows
>    drive letter Z: with write access, using his unique password;
> 2) departments' chiefs should be able to map the shared folder of their
>    department onto Windows drive letter X: as read only, using the unique
>    password of their department (so that the chief can see subfolders of his
>    subordinates, but can not mess with their files);
> 3) customers should not be able to see contents of the shared folders of
>    their colleagues;
>
> I do not want to create a new local user in OpenIndiana for every new
> employee - instead, I prefer to populate their profiles in a database. But
> using an SQL database seems too much for this simple task, so I chose to use
> LDAP.
> I want to have several dozens of VIRTUAL user accounts in LDAP - so that
> their password can be used for authentication by SAMBA. But I only want to
> use the above 2 UNIX users (PERSON and BOSS) for filesystem permissions. So I
> need to somehow map the password onto a UID through LDAP ....
>
> As seen from this log file, SAMBA does not get "uidNumber" from LDAP records
> - but tries to find it through the OS. And so the problem is - how to get the
> OS to find the UID of a specified LDAP posixAccount?
>
> --------------------- CUT ------------------------------
> [2012/03/05 22:54:34.216956,  5] auth/token_util.c:525()
>  NT user token: (NULL)
> [2012/03/05 22:54:34.216989,  5] auth/token_util.c:551()
>  UNIX token of user 0
>  Primary group is 0 and contains 0 supplementary groups
> [2012/03/05 22:54:34.217034,  5] smbd/uid.c:369()
>  change_to_root_user: now uid=(0,0) gid=(0,0)
> [2012/03/05 22:54:34.217069,  4] smbd/reply.c:767()
>  Client requested device type [?????] for share [ADMINISTRATION]
> [2012/03/05 22:54:34.217106,  5] smbd/service.c:1227()
>  making a connection to 'normal' service administration
> [2012/03/05 22:54:34.217136,  3] lib/access.c:362()
>  only_ipaddrs_in_list: list has non-ip address (192.168.2.)
> [2012/03/05 22:54:34.217164,  3] lib/access.c:396()
>  check_access: hostnames in host allow/deny list.
> [2012/03/05 22:54:34.217199,  2] lib/access.c:406()
>  Allowed connection from UNKNOWN (192.168.2.175)
> [2012/03/05 22:54:34.217244,  5] lib/username.c:133()
>  Finding user ADMINISTRATION
> [2012/03/05 22:54:34.217272,  5] lib/username.c:77()
>  Trying _Get_Pwnam(), username as lowercase is administration
> [2012/03/05 22:54:34.217348,  5] lib/username.c:85()
>  Trying _Get_Pwnam(), username as given is ADMINISTRATION
> [2012/03/05 22:54:34.217418,  5] lib/username.c:104()
>  Checking combinations of 0 uppercase letters in administration
> [2012/03/05 22:54:34.217450,  5] lib/username.c:110()
>  Get_Pwnam_internals didn't find user [ADMINISTRATION]!
> [2012/03/05 22:54:34.217486, 10] smbd/password.c:475()
>  user_in_list: checking user nobody in list
> [2012/03/05 22:54:34.217513, 10] smbd/password.c:480()
>  user_in_list: checking user |nobody| against |boss|
> [2012/03/05 22:54:34.217552,  2] smbd/service.c:626()
>  Invalid username/password for [ADMINISTRATION]
> [2012/03/05 22:54:34.217582,  1] smbd/service.c:678()
>  create_connection_server_info failed: NT_STATUS_WRONG_PASSWORD
> [2012/03/05 22:54:34.217621,  3] smbd/error.c:80()
>  error packet at smbd/reply.c(776) cmd=117 (SMBtconX)
> NT_STATUS_WRONG_PASSWORD
> --------------------- CUT ------------------------------
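Jon's advice above boils down to a checklist for each directory entry: it must carry both the posixAccount and sambaSamAccount object classes, a numeric uidNumber/gidNumber, and a sambaSID that belongs to the server's domain SID. The quoted log shows what happens when the OS side of that is missing (Get_Pwnam_internals cannot find the user, so the tree connect fails with NT_STATUS_WRONG_PASSWORD). The following script is an added example, not code from the thread or from the Samba project: it parses a small LDIF export and reports which entries fall short of that checklist before smbd is pointed at them. The domain SID and the two sample entries are constructed placeholders; a real check would use the SID reported by `net getlocalsid` and an LDIF dumped from the actual directory.

```python
"""Sanity-check LDAP user entries for Samba before pointing smbd at them.

Added example (not from the thread). It parses simple LDIF text and reports,
per entry, whether the entry carries what Samba's LDAP passdb backend needs:
the posixAccount and sambaSamAccount object classes, a uid, numeric
uidNumber/gidNumber, and a sambaSID inside the server's domain SID.
"""
import re

# Constructed placeholder; a real deployment would use the SID reported by
# `net getlocalsid` on the Samba server.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

REQUIRED_CLASSES = ("posixAccount", "sambaSamAccount")
REQUIRED_ATTRS = ("uid", "uidNumber", "gidNumber", "sambaSID")

# Constructed sample directory content, in LDIF. The first entry is complete;
# the second is missing posixAccount, uidNumber and gidNumber, and its SID
# belongs to a different domain.
SAMPLE_LDIF = """\
dn: uid=person,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: person
uidNumber: 10001
gidNumber: 10001
homeDirectory: /export/home/person
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-21002

dn: uid=administration,ou=People,dc=example,dc=com
objectClass: top
objectClass: sambaSamAccount
uid: administration
sambaSID: S-1-5-21-9999999999-8888888888-7777777777-1000
"""


def parse_ldif(text):
    """Parse simple LDIF (no base64 '::' values, no change records).

    Returns a list of dicts mapping attribute name -> list of values.
    LDIF line folding (a continuation line starts with one space) is undone
    first; entries are separated by blank lines.
    """
    entries = []
    current = None
    unfolded = re.sub(r"\n ", "", text)
    for raw in unfolded.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            if current:
                entries.append(current)
            current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if current is None:
            current = {}
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def _values(entry, name):
    """Case-insensitive attribute lookup; LDAP attribute names are not case-sensitive."""
    return [v for k, vs in entry.items() if k.lower() == name.lower() for v in vs]


def check_samba_user(entry, domain_sid=DOMAIN_SID):
    """Return the list of problems that would stop Samba using this entry.

    An empty list means the entry has everything the checklist asks for.
    """
    problems = []
    classes = {c.lower() for c in _values(entry, "objectClass")}
    for cls in REQUIRED_CLASSES:
        if cls.lower() not in classes:
            problems.append("missing objectClass %s" % cls)
    for attr in REQUIRED_ATTRS:
        if not _values(entry, attr):
            problems.append("missing attribute %s" % attr)
    for attr in ("uidNumber", "gidNumber"):
        for v in _values(entry, attr):
            if not v.isdigit():
                problems.append("%s is not numeric: %r" % (attr, v))
    for sid in _values(entry, "sambaSID"):
        if not sid.startswith(domain_sid + "-"):
            problems.append("sambaSID %s is not in domain %s" % (sid, domain_sid))
    return problems


def check_ldif(text, domain_sid=DOMAIN_SID):
    """Map each entry's uid (falling back to its dn) to its list of problems."""
    report = {}
    for entry in parse_ldif(text):
        name = (_values(entry, "uid") or _values(entry, "dn") or ["?"])[0]
        report[name] = check_samba_user(entry, domain_sid)
    return report


if __name__ == "__main__":
    for name, problems in check_ldif(SAMPLE_LDIF).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Passing this check only means the directory entry is complete. As the quoted log shows, smbd still resolves the user through the operating system's name service (the Get_Pwnam calls), so the zone or host must also be configured as an LDAP client for passwd lookups, which is the other half of Jon's advice.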
