
[Samba] Question(s) about user mapping


Jon Yeargers

Jul 18, 2014, 12:40:01 PM
I've set up samba4 to authenticate against a separate LDAP server. I can ssh to my server but attempts to login to a windows7 member server using the ldap domain are not working.

Relevant errors:

[2014/07/18 06:46:28.177400, 3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send) auth_check_password_send: Checking password for unmapped user [ldapdom]\[user]@[win7host] auth_check_password_send: mapped user is: [sambadom]\[user]@[win7host]

[2014/07/18 06:46:28.178098, 3] ../source4/auth/ntlm/auth_sam.c:61(authsam_search_account) sam_search_user: Couldn't find user [user] in samdb, under C=dom,DC=server,DC=edu

[2014/07/18 06:46:28.178184, 2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv) auth_check_password_recv: sam_ignoredomain authentication for user [sambadom\user] FAILED with error NT_STATUS_NO_SUCH_USER


It appears that some manner of user id mapping is being searched for. What I really want is for it to preserve and use the domain that was passed in rather than substituting it.

CentOS 6.4 x64
Samba 4.1.0
Sssd 1.9.2
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
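The three log lines quoted above show the DC rewriting the client-supplied domain ([ldapdom] becomes [sambadom]) and then looking the user up in its own samdb, where it does not exist. The following script is an added example, not code from this thread or from Samba: it parses lines of that shape, pairs each "unmapped user / mapped user" line with the auth_check_password_recv result that follows it, and flags attempts where the domain was substituted and the lookup failed with NT_STATUS_NO_SUCH_USER. The sample log is constructed from the three lines above with the poster's bracketed placeholders kept as-is; the regexes, class and function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the three log lines quoted in the thread.
# The bracketed names are the poster's own redaction placeholders.
SAMPLE_LOG = r"""
[2014/07/18 06:46:28.177400, 3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send) auth_check_password_send: Checking password for unmapped user [ldapdom]\[user]@[win7host] auth_check_password_send: mapped user is: [sambadom]\[user]@[win7host]
[2014/07/18 06:46:28.178098, 3] ../source4/auth/ntlm/auth_sam.c:61(authsam_search_account) sam_search_user: Couldn't find user [user] in samdb, under C=dom,DC=server,DC=edu
[2014/07/18 06:46:28.178184, 2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv) auth_check_password_recv: sam_ignoredomain authentication for user [sambadom\user] FAILED with error NT_STATUS_NO_SUCH_USER
"""

# Matches "unmapped user DOM\user@host ... mapped user is: DOM2\user@host"
MAP_RE = re.compile(
    r"unmapped user (?P<req_dom>\S+?)\\(?P<req_user>\S+?)@(?P<host>\S+)"
    r".*?mapped user is: (?P<map_dom>\S+?)\\(?P<map_user>\S+?)@\S+"
)
# Matches "authentication for user DOM\user FAILED with error NT_STATUS_..."
FAIL_RE = re.compile(r"authentication for user \S+ FAILED with error (?P<status>NT_STATUS_\w+)")


@dataclass
class AuthAttempt:
    requested_domain: str   # domain the client actually sent
    requested_user: str
    mapped_domain: str      # domain the DC substituted before its samdb lookup
    mapped_user: str
    workstation: str
    status: Optional[str] = None  # filled in from the later auth_check_password_recv line

    @property
    def domain_substituted(self) -> bool:
        return self.requested_domain != self.mapped_domain


def parse_auth_log(text: str) -> List[AuthAttempt]:
    """Pair each 'unmapped user -> mapped user' line with the result line that follows it."""
    attempts: List[AuthAttempt] = []
    for line in text.splitlines():
        m = MAP_RE.search(line)
        if m:
            attempts.append(AuthAttempt(m["req_dom"], m["req_user"],
                                        m["map_dom"], m["map_user"], m["host"]))
            continue
        f = FAIL_RE.search(line)
        # Attach the failure status to the most recent attempt that has no result yet
        if f and attempts and attempts[-1].status is None:
            attempts[-1].status = f["status"]
    return attempts


def substituted_domain_failures(attempts: List[AuthAttempt]) -> List[AuthAttempt]:
    """Attempts where the DC rewrote the client's domain and then found no such user in its own samdb."""
    return [a for a in attempts if a.domain_substituted and a.status == "NT_STATUS_NO_SUCH_USER"]


def describe(a: AuthAttempt) -> str:
    return (f"{a.workstation}: client sent {a.requested_domain}\\{a.requested_user}, "
            f"DC looked up {a.mapped_domain}\\{a.mapped_user} in its own samdb -> {a.status}")


if __name__ == "__main__":
    for attempt in substituted_domain_failures(parse_auth_log(SAMPLE_LOG)):
        print(describe(attempt))
```

Run against a real log at log level 3 or higher, this makes the mapping visible per attempt: the domain the Windows client sent is never used for the lookup, which is the behaviour the later replies in this thread explain (an AD DC authenticates against its own directory only).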

Rowland Penny

Jul 18, 2014, 1:00:02 PM
On 18/07/14 17:14, Jon Yeargers wrote:
> I've set up samba4 to authenticate against a separate LDAP server. I can ssh to my server but attempts to login to a windows7 member server using the ldap domain are not working.
>
> Relevant errors:
>
> [2014/07/18 06:46:28.177400, 3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send) auth_check_password_send: Checking password for unmapped user [ldapdom]\[user]@[win7host] auth_check_password_send: mapped user is: [sambadom]\[user]@[win7host]
>
> [2014/07/18 06:46:28.178098, 3] ../source4/auth/ntlm/auth_sam.c:61(authsam_search_account) sam_search_user: Couldn't find user [user] in samdb, under C=dom,DC=server,DC=edu
>
> [2014/07/18 06:46:28.178184, 2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv) auth_check_password_recv: sam_ignoredomain authentication for user [sambadom\user] FAILED with error NT_STATUS_NO_SUCH_USER
>
>
> It appears that some manner of user id mapping is being searched for. What I really want is for it to preserve and use the domain that was passed in rather than substituting it.
>
> CentOS 6.4 x64
> Samba 4.1.0
> Sssd 1.9.2
Hi, I think that you are going to have to give us some more info here,
smb.conf etc

Rowland

Jon Yeargers

Jul 18, 2014, 2:50:01 PM
(apologies)
# Global parameters
[global]
workgroup = BME
realm = DOMAIN.EDU
netbios name = BEANBAG

encrypt passwords = yes
log level = 5

server role = active directory domain controller
dns forwarder = 137.10.10.10
idmap_ldb:use rfc2307 = yes

map untrusted to domain = Yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/domain.edu/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No


What other configs are relevant here?

Rowland Penny

Jul 18, 2014, 3:00:03 PM
You posted 'I've setup samba4 to authenticate against a separate LDAP
server', yet now you post that your samba4 server is running as an AD DC.
I was expecting that you were running samba4 as an NT style PDC.

Have you joined the windows machines to your AD DC ??

Rowland Penny

Jul 18, 2014, 3:20:02 PM
On 18/07/14 19:59, Jon Yeargers wrote:
> When I attempt to put 'security = ADS' in here the samba service won't start. Is this what you are referring to?
To get the smb.conf you posted, you must have run 'samba-tool domain
provision' with various options, ergo you are now running an AD DC, you
cannot add 'security = ADS', this belongs only on a client or member server.

>
> This system is the PDC (beanbag). This system is running sssd to authenticate against a separate LDAP server. I can ssh to the machine using accounts from the LDAP machine. I just can't use windows logins in the same manner.

Have you joined ANY machines to your new AD DC? If not, then don't,
until you decide where you want to end up.

If you have joined any machines, then there is no going back without
re-installing those windows machines.

You need to decide what you want, if you decide to use the AD DC, then
your clients will authenticate to this, an AD DC does not authenticate
to anything, it is the authenticator!

You can run samba4 just like samba3 i.e. in what is known as 'classic' mode.

So having said all that, where do you need to be from here ?? just what
are you trying to attain ??

Rowland

>
> It's clear that I've done something incorrectly here. Hopefully it's obvious to someone on this list.

Jon Yeargers

Jul 18, 2014, 4:20:02 PM
So there isn't a way for samba to use SSSD to authenticate?

Yes, there are machines joined to the domain. What's the issue with un-joining them?

steve

Jul 18, 2014, 5:20:03 PM
On Fri, 2014-07-18 at 20:12 +0000, Jon Yeargers wrote:
> So there isn't a way for samba to use SSSD to authenticate?
>
Yes, it is easy to configure sssd to authenticate both internally to the
AD LDAP and on a user login level via Kerberos. sssd ships with a full
set of PAM modules. Many distros set the latter up automatically when you
install sssd. When or after you join the domain, samba can also set up a
suitable keytab for sssd to use for the former.
HTH,
Steve
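Rowland's earlier point that 'security = ADS' belongs only on a client or member server, and Steve's description of sssd identifying users from AD over LDAP and authenticating them via Kerberos with a keytab written at join time, correspond to configuration like the following on a Linux domain member. This is an added example, not configuration from either poster or from the Samba or SSSD projects: the workgroup and realm are taken from the smb.conf posted above, while the keytab path, the SID-based ID mapping and the home/shell defaults are assumptions.

```ini
# --- /etc/samba/smb.conf on a Linux domain MEMBER (not the DC) ---
[global]
workgroup = BME
realm = DOMAIN.EDU
security = ads
# Have "net ads join" write the host keys to /etc/krb5.keytab (assumed path)
# so that sssd can use them for its own binds to AD.
kerberos method = secrets and keytab

# --- /etc/sssd/sssd.conf on the same member (must be owned by root, mode 0600) ---
[sssd]
config_file_version = 2
services = nss, pam
domains = domain.edu

[domain/domain.edu]
# Identity (users, groups) comes from AD over LDAP; logins are verified via Kerberos.
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = domain.edu
# Keytab created at join time (assumed path above)
krb5_keytab = /etc/krb5.keytab
# Derive Unix UIDs/GIDs from the SID; set to False only if rfc2307 attributes are maintained in AD
ldap_id_mapping = True
cache_credentials = True
fallback_homedir = /home/%u
default_shell = /bin/bash
```

The order matters: join first (net ads join -U Administrator) so the keytab exists, then start sssd; sssd refuses to start if sssd.conf is world-readable. Note that every account this member accepts is still one that exists in the AD directory on the DC, which is the point made in the replies above.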

Rowland Penny

Jul 18, 2014, 5:50:03 PM
On 18/07/14 21:12, Jon Yeargers wrote:
> So there isn't a way for samba to use SSSD to authenticate?

The samba AD DC can use sssd, but it will authenticate users held in AD
not your other LDAP machine.
>
> Yes, there are machines joined to the domain. What's the issue with un-joining them?

Oh dear, if you join a machine to the AD domain, you can never go back
to an NT4 style domain without totally re-installing windows.

Rowland