
[Samba] samba 3.0.14a works with ldapsam backend but not 3.5.10-125.el6


Qing Chang

Aug 20, 2012, 11:13:04 AM
We are migrating our standalone Samba server (3.0.14a) on a Solaris 10 box to
an RHEL 6.3 box.

Testing shows that on Solaris 3.0.14a works with both the OpenLDAP server
we are currently using and the IPA2.2 server as LDAP backend. But 3.5.10-125.el6
on a RHEL 6.3 box does not work with either.

I can still map a share with 3.5 as owner of the shared directory, but secondary
group ownership does not appear to resolve properly. Below is an excerpt of
log.smbd, removed many noisy lines:
===== log.smbd for samba 3.5 =====
[2012/08/16 12:47:39.499996, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: qchang
[2012/08/16 12:47:39.528627, 3] passdb/pdb_ldap.c:5215(ldapsam_gid_to_sid)
ERROR: Got 0 entries for gid 201, expected one
[2012/08/16 12:47:39.822830, 4] auth/auth_sam.c:180(sam_account_ok)
sam_account_ok: Checking SMB password for user qchang
[2012/08/16 12:47:39.822931, 5] auth/auth_sam.c:162(logon_hours_ok)
logon_hours_ok: user qchang allowed to logon at this time (Thu Aug 16 16:47:39 2012 )
[2012/08/16 12:47:39.839645, 3] passdb/pdb_ldap.c:3057(ldapsam_enum_group_memberships)
primary group of [qchang] not found
[2012/08/16 12:47:39.840098, 5] auth/auth_util.c:649(make_server_info_sam)
make_server_info_sam: made server info for user qchang -> qchang
[2012/08/16 12:47:39.840196, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/08/16 12:47:39.840284, 3] auth/auth.c:265(check_ntlm_password)
check_ntlm_password: sam authentication for user [QChang] succeeded
[2012/08/16 12:47:39.840916, 5] auth/auth.c:291(check_ntlm_password)
check_ntlm_password: PAM Account for user [qchang] succeeded
[2012/08/16 12:47:39.840994, 2] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: authentication for user [QChang] -> [QChang] -> [qchang] succeeded
[2012/08/16 12:47:39.841072, 5] auth/auth_util.c:2119(free_user_info)
attempting to free (and zero) a user_info structure
[2012/08/16 12:47:39.841148, 10] auth/auth_util.c:2123(free_user_info)
structure was created for QChang
[2012/08/16 12:47:39.846308, 4] passdb/pdb_ldap.c:2562(ldapsam_getgroup)
ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544))
[2012/08/16 12:47:39.852131, 3] auth/token_util.c:467(create_local_nt_token)
Failed to fetch domain sid for RESEARCH
[2012/08/16 12:47:39.875509, 10] auth/token_util.c:531(debug_nt_user_token)
NT user token of user S-1-5-21-3516781642-1962875130-3438800523-41232
contains 5 SIDs
SID[ 0]: S-1-5-21-3516781642-1962875130-3438800523-41232
SID[ 1]: S-1-1-0
SID[ 2]: S-1-5-2
SID[ 3]: S-1-5-11
SID[ 4]: S-1-22-1-20117
SE_PRIV 0x0 0x0 0x0 0x0
[2012/08/16 12:47:39.876009, 10] auth/token_util.c:551(debug_unix_user_token)
UNIX token of user 20117
Primary group is 201 and contains 0 supplementary groups
[2012/08/16 12:47:39.876370, 3] smbd/password.c:282(register_existing_vuid)
register_existing_vuid: User name: qchang Real name: Qing Chang
[2012/08/16 12:47:39.876457, 3] smbd/password.c:292(register_existing_vuid)
register_existing_vuid: UNIX uid 20117 is UNIX user qchang, and will be vuid 100
[2012/08/16 12:47:39.877319, 3] smbd/password.c:223(register_homes_share)
Adding homes service for user 'qchang' using home directory: '/home2/qchang'
[2012/08/16 12:47:40.614903, 3] smbd/service.c:1070(make_connection_snum)
ws62203 connect to service IPC$ initially as user qchang (uid=20117, gid=201) (pid 6951)
=====

pdbedit -L has different output:

===== 3.0.14a =====
Trying to load: ldapsam:ldap://ipa1.sri.utoronto.ca
Attempting to find an passdb backend to match ldapsam:ldap://ipa1.sri.utoronto.ca (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=OCTANE))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
ldap_connect_system: LDAP server does support paged results
pdb backend ldapsam:ldap://ipa1.sri.utoronto.ca has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
ldapsam_setsampwent: 1507 entries in the base dc=sri,dc=utoronto,dc=ca
init_sam_from_ldap: Entry found for user: qchang
=====

===== 3.5.10-125.el6 =====
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
pdb backend ldapsam:ldap://ipa1.sri.utoronto.ca has a valid init
smbldap_search_paged: base => [dc=sri,dc=utoronto,dc=ca], filter =>
[(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
smbldap_search_paged: search was successful
sid S-1-5-21-3516781642-1962875130-3438800523-41232 does not belong to our domain
Skipping entry uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
=====

Here is the smb.conf related to LDAP for both 3.0.14a and 3.5.10-125.el6:
=====
security = user
ldap admin dn = "cn=Directory Manager"
ldap ssl = off
passdb backend = ldapsam:ldap://ipa1.sri.utoronto.ca
ldap delete dn = no
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
ldap suffix = dc=sri,dc=utoronto,dc=ca
ldap passwd sync = Yes
=====

It appears to me that 3.5 tries to be a domain controller by default? Your advice is greatly
appreciated.

Qing Chang

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Qing Chang

Aug 20, 2012, 1:23:17 PM
I thought these may help clarify the situation a bit more:

===== pdbedit -L -v qchang output for samba3.0.14 =====
init_sam_from_ldap: Entry found for user: qchang
Opening cache file at /usr/local/samba3014/var/locks/login_cache.tdb
Unix username: qchang
NT username: qchang
Account Flags: [U ]
User SID: S-1-5-21-3516781642-1962875130-3438800523-41232
Primary Group SID: S-1-5-21-1197990898-71428884-4196996049-513
Full Name: Qing Chang
Home Directory: \\octane\qchang
HomeDir Drive:
Logon Script:
Profile Path: \\octane\qchang\profile
Domain: OCTANE
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Mon, 18 Jan 2038 22:14:07 EST
Kickoff time: Mon, 18 Jan 2038 22:14:07 EST
Password last set: Tue, 14 Aug 2012 11:10:08 EST
Password can change: Thu, 03 Nov 2011 10:55:32 EST
Password must change: Mon, 18 Jan 2038 22:14:07 EST
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
=====

===== pdb -L -v qchang output for samba 3.5 =====
init_sam_from_ldap: Entry found for user: qchang
ERROR: Got 0 entries for gid 201, expected one
ERROR: Got 0 entries for gid 201, expected one
ERROR: Got 0 entries for gid 201, expected one
Opening cache file at /var/lib/samba/login_cache.tdb
Unix username: qchang
NT username: qchang
Account Flags: [U ]
User SID: S-1-5-21-3516781642-1962875130-3438800523-41232
Primary Group SID: S-1-5-21-2087785539-322754622-381919433-513
Full Name: Qing Chang
Home Directory: \\smb2\qchang
HomeDir Drive:
Logon Script:
Profile Path: \\smb2\qchang\profile
Domain: SMB2
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Tue, 14 Aug 2012 11:10:08 EDT
Password can change: Tue, 14 Aug 2012 11:10:08 EDT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
=====

TAKAHASHI Motonobu

Aug 21, 2012, 11:59:31 AM
Have you explicitly set the RHEL box's SID same as Solaris box's?
You will do this with "get|set localsid" command.

From: Qing Chang <qch...@sri.utoronto.ca>
Date: Mon, 20 Aug 2012 13:23:17 -0400

> We are migrating our standalone Samba server (3.0.14a) on a Solaris
> 10 box to an RHEL 6.3 box.
>
> Testing shows that on Solaris 3.0.14a works with both the OpenLDAP
> server we are currently using and the IPA2.2 server as LDAP
> backend. But 3.5.10-125.el6 on a RHEL 6.3 box does not work with
> either.

(snip)
---
TAKAHASHI Motonobu <mo...@monyo.com>

Qing Chang

Aug 22, 2012, 9:42:21 AM

On 21/08/2012 11:59 AM, TAKAHASHI Motonobu wrote:
> Have you explicitly set the RHEL box's SID same as Solaris box's?
> You will do this with "get|set localsid" command.
They are different. net setlocalsid fails:
[root@smb3 samba]# net setlocalsid S-1-5-21-1197990898-71428884-4196996049
[2012/08/22 09:02:13.228237, 0] lib/interface.c:542(load_interfaces)
WARNING: no network interfaces found

The point here is that 3.0.14a never bothered to check if a user's SID belongs to
the domain. It simply sees the user and reports:

init_sam_from_ldap: Entry found for user: qchang


On the other hand, 3.5.10-125.el6 insists that whatever SID a user has does not
belong to its domain, although I only set it up as a STANDALONE server:

sid S-1-5-21-3516781642-1962875130-3438800523-41232 does not belong to our domain
Skipping entry uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca

If I understand right, as a STANDALONE server, Samba should only care about finding and
authenticating against a matching uid to Windows username on the samba server (which
uses LDAP), and then using the uid and gid(s) to provide shared resources, which is the
behavior observed with 3.0.14a, but not with 3.5.10-125.el6.

In fact, SID never matters with 3.0.14a, I have populated all users with the same SIDs and
3.0.14a has been serving shares for years.
Qing
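The "does not belong to our domain" check that 3.5 applies compares the user SID minus its RID against the server's local domain SID. As an added example (not code from the thread or from Samba), this script reproduces that prefix comparison on the SIDs quoted above and scans constructed log lines shaped like the 3.5 pdbedit output, showing that the ldapsam entries carry a third domain prefix that matches neither box, so setting the RHEL local SID to the Solaris value alone would not make them importable.

```python
import re

# Matches an S-1-5-21 domain SID and captures the trailing RID.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def sid_domain(sid):
    """Return the domain prefix of an S-1-5-21 SID (the SID without its RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not an S-1-5-21 SID: %s" % sid)
    return sid[: -(len(m.group(1)) + 1)]


def belongs_to_domain(user_sid, local_domain_sid):
    """The test smbd applies before logging 'does not belong to our domain'."""
    return sid_domain(user_sid) == local_domain_sid


def diagnose(user_sid, candidate_local_sids):
    """Map each candidate local domain SID to whether user_sid would be accepted."""
    return {s: belongs_to_domain(user_sid, s) for s in candidate_local_sids}


def skipped_entries(log_lines):
    """Pair 'sid ... does not belong' lines with the following 'Skipping entry' DN."""
    found, pending_sid = [], None
    for line in log_lines:
        m = re.match(r"^sid (\S+) does not belong to our domain$", line.strip())
        if m:
            pending_sid = m.group(1)
            continue
        m = re.match(r"^Skipping entry (\S+)$", line.strip())
        if m and pending_sid:
            found.append((pending_sid, m.group(1)))
            pending_sid = None
    return found


# SIDs copied from the thread's pdbedit and log.smbd output.
USER_SID = "S-1-5-21-3516781642-1962875130-3438800523-41232"
SOLARIS_GROUP_SID = "S-1-5-21-1197990898-71428884-4196996049-513"  # 3.0.14a box
RHEL_GROUP_SID = "S-1-5-21-2087785539-322754622-381919433-513"     # 3.5 box

# Constructed log excerpt in the shape of the thread's 3.5 pdbedit output.
SAMPLE_LOG = [
    "sid S-1-5-21-3516781642-1962875130-3438800523-41232 does not belong to our domain",
    "Skipping entry uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca",
]
```

Running diagnose(USER_SID, [sid_domain(s) for s in (SOLARIS_GROUP_SID, RHEL_GROUP_SID, USER_SID)]) shows only the prefix taken from the user entries themselves is accepted.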

Dale Schroeder

Aug 22, 2012, 1:15:20 PM
If you add to [global] "map untrusted to domain = Yes", does it work then?

From 3.4.0 release notes:

Authentication Changes
======================

Previously, when Samba was a domain member and a client was connecting using an
untrusted domain name, such as BOGUS\user smbd would remap the untrusted
domain to the primary domain smbd was a member of and attempt authentication
using that DOMAIN\user name. This differed from how a Windows member server
would behave. Now, smbd will replace the BOGUS name with its SAM name. In
the case where smbd is acting as a PDC this will be DOMAIN\user. In the case
where smbd is acting as a domain member server this will be WORKSTATION\user.
Thus, smbd will never assume that an incoming user name which is not qualified
with the same primary domain, is part of smbd's primary domain.

While this behavior matches Windows, it may break some workflows which depended
on smbd to always pass through bogus names to the DC for verification. A new
parameter "map untrusted to domain" can be enabled to revert to the legacy
behavior.

Dale

Qing Chang

Aug 22, 2012, 2:59:01 PM

On 22/08/2012 1:15 PM, Dale Schroeder wrote:
> If you add to [global] "map untrusted to domain = Yes", does it work then?
>
> From 3.4.0 release notes:
>
> Authentication Changes
> ======================
>
> Previously, when Samba was a domain member and a client was connecting using an
> untrusted domain name, such as BOGUS\user smbd would remap the untrusted
> domain to the primary domain smbd was a member of and attempt authentication
> using that DOMAIN\user name. This differed from how a Windows member server
> would behave. Now, smbd will replace the BOGUS name with its SAM name. In
> the case where smbd is acting as a PDC this will be DOMAIN\user. In the case
> where smbd is acting as a domain member server this will be WORKSTATION\user.
> Thus, smbd will never assume that an incoming user name which is not qualified
> with the same primary domain, is part of smbd's primary domain.
>
> While this behavior matches Windows, it may break some workflows which depended
> on smbd to always pass through bogus names to the DC for verification. A new
> parameter "map untrusted to domain" can be enabled to revert to the legacy
> behavior.
>
> Dale
>
>
Thanks, Dale.
But putting that entry in did not change anything.

Qing
------------------
Qing Chang
Senior Systems Administrator
M6-624 Research Computing
Sunnybrook Health Sciences Centre
2075 Bayview Ave.
Toronto, Ontario, M4N 3M5
(416) 480-6100 x3263
qch...@sri.utoronto.ca
------------------

Qing Chang

Sep 4, 2012, 3:59:25 PM
Is there any samba developer that can please clarify the following one way or the other?
=====
If I understand right, as a STANDALONE server, Samba should only care about finding and
authenticating against a matching uid to Windows username on the samba server (which
uses LDAP), and then using the uid and gid(s) to provide shared resources, which is the
behavior observed with 3.0.14a, but not with 3.5.10-125.el6.

In fact, SID never matters with 3.0.14a, I have populated all users with the same SIDs and
3.0.14a has been serving shares for years.

Thank you very much!

Qing

Volker Lendecke

Sep 4, 2012, 4:03:47 PM
On Tue, Sep 04, 2012 at 03:59:25PM -0400, Qing Chang wrote:
> If I understand right, as a STANDALONE server, Samba should only care about finding and
> authenticating against a matching uid to Windows username on the samba server (which
> uses LDAP), and then using the uid and gid(s) to provide shared resources, which is the
> behavior observed with 3.0.14a, but not with 3.5.10-125.el6.
>
> In fact, SID never matters with 3.0.14a, I have populated all users with the same SIDs and
> 3.0.14a has been serving shares for years.

Well, Samba has moved on to put more emphasis on SIDs. If
that does not match your requirements, you should better
stick with 3.0.14a and find someone from
http://samba.org/samba/support to maintain it for you.

With best regards,

Volker Lendecke

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kon...@sernet.de