[Samba] SAMBA PDC with LDAP backend syncing unix/samba accounts ... - Samba


  1. [Samba] SAMBA PDC with LDAP backend syncing unix/samba accounts ...

    Hi all,
    I'm running Debian Etch. I just finished configuring SAMBA
    as PDC to authenticate against LDAP server which works.
    The system in question uses default debian etch packages.
    As My Linux/unix accounts can authenticate against it. The
    LDAP works.
    I used the default shipped smbldap-populate script to setup SAMBA.
    Everything seems to work as Anonymous User or as user root.

    shark:/etc/samba# smbclient -L shark -N
    Anonymous login successful
    Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]

        Share name      Type      Comment
        ---------       ----      -------
        netlogon        Disk      Network Logon Service
        knoppix         Disk
        IPC$            IPC       IPC Service (Samba Server 3.0.24)
    Anonymous login successful
    Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]

        Server               Comment
        ---------            -------
        SHARK                Samba Server 3.0.24


    Now when I try and login as normal user, which I have enabled
    with "smbldap-usermod -a yogesh"

    smbldap-usershow yogesh

    dn: uid=yogesh,ou=People,dc=biomax,dc=de
    uid: yogesh
    cn: yogesh
    objectClass: account,posixAccount,top,shadowAccount,sambaSamAccount
    userPassword: {MD5}.SOMELONGHASH ....
    shadowLastChange: 12900
    shadowMax: 10000
    loginShell: /bin/bash
    uidNumber: 668
    gidNumber: 100
    homeDirectory: /sk-home/yogesh
    sambaPwdLastSet: 0
    sambaLogonTime: 0
    sambaLogoffTime: 2147483647
    sambaKickoffTime: 2147483647
    sambaPwdCanChange: 0
    sambaPwdMustChange: 2147483647
    displayName: System User
    sambaSID: S-1-5-21-4033729970-1053622217-143831336-9886
    sambaAcctFlags: [UX ]

    -----

    Now when I try and connect I get the following failure .
    shark:/etc/samba# smbclient -L shark -U yogesh
    session setup failed: NT_STATUS_LOGON_FAILURE

    After digging thru the logs I figured that if I enter
    password using "smbldap-password", it works.

    Now my stupid questions:
    I already have unix users working off LDAP. How can I
    automate the addition of remaining accounts with SAMBA?

    Also whenever a unix user changes passwd samba password is
    not updated?

    Any pointers will be of great help.

    Thanks in advance
    yogesh

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba


  2. RE: [Samba] SAMBA PDC with LDAP backend syncing unix/samba accounts...

    Did you adjust your pam.d settings to accept MD5 password hashes?

    You can find some useful tips in the Big samba howto
    http://www.google.nl/search?hl=nl&q=...o+debian&meta=
    This one also works for etch.

    Louis


  3. Re: [Samba] SAMBA PDC with LDAP backend syncing unix/samba accounts...

    yogi wrote:
    > Hi all ,
    > I'm running Debian Etch . I just finished
    > configuring SAMBA
    > as PDC to authenticate against LDAP server which works.
    > The system in question uses default debian etch packages.
    > As My Linux/unix accounts can authenticate against it. The
    > LDAP works.
    > I Used the default shipped smbldap-populate script to
    > setup SAMBA.
    >


    Good, this is the reason that it is there.
    You will only not want to use it if you have a reason, like it messing with
    your already populated base.

    > Everything seems to work as Anonymous User or as
    > user root.
    >
    > shark:/etc/samba# smbclient -L shark -N
    > Anonymous login successful
    > Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]
    >
    > Share name Type Comment
    > --------- ---- -------
    > netlogon Disk Network Logon Service
    > knoppix Disk
    > IPC$ IPC IPC Service (Samba Server
    > 3.0.24)
    > Anonymous login successful
    > Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]
    >
    > Server Comment
    > --------- -------
    > SHARK Samba Server 3.0.24
    >
    >
    > Now when I try and login as normal user, which i have
    > enabled
    > with "smbldap-usermod -a yogesh"
    >
    > smbldap-usershow yogesh
    >
    > dn: uid=yogesh,ou=People,dc=biomax,dc=de
    > uid: yogesh
    > cn: yogesh
    > objectClass: account,posixAccount,top,shadowAccount,sambaSamAccount
    > userPassword: {MD5}.SOMELONGHASH ....
    > shadowLastChange: 12900
    > shadowMax: 10000
    > loginShell: /bin/bash
    > uidNumber: 668
    > gidNumber: 100
    > homeDirectory: /sk-home/yogesh
    > sambaPwdLastSet: 0
    > sambaLogonTime: 0
    > sambaLogoffTime: 2147483647
    > sambaKickoffTime: 2147483647
    > sambaPwdCanChange: 0
    > sambaPwdMustChange: 2147483647
    > displayName: System User
    > sambaSID: S-1-5-21-4033729970-1053622217-143831336-9886
    > sambaAcctFlags: [UX ]
    >
    > -----
    >
    > Now when I try and connect I get the following failure .
    > shark:/etc/samba# smbclient -L shark -U yogesh
    > session setup failed: NT_STATUS_LOGON_FAILURE
    >


    For me smbldap-usermod -a doesn't ask for a password, so your error appears
    to be the right behavior of the server when you try to access the samba
    server with an account that has a posix password but doesn't have a samba
    password.
    If your posix password is hashed and it didn't ask for the password, it
    cannot guess it and fill the NT and LM samba hashes.

    If you don't know, your account needs to end up with three hashes for the
    same password.

    > After Digging thru the logs I figured that if I enter
    > password using
    > "smbldap-password" . It works.
    >


    Ok, now you have defined your samba password, and it will be synced with
    the posix one, and everyone will be happy.

    > Now my Stupid questions ?
    > I already have unix users working of LDAP, How can I
    > automate the addition of remaining accounts with SAMBA ?
    >


    Well, as already said, your script cannot guess the content of a hash to
    create another that samba needs (this is the purpose of hashes).
    Normally people add the samba part (with smbldap-usermod), change the
    password to something else (with smbldap-passwd), mark the account to
    only allow the login if the password is changed (with smbldap-usermod -B
    1), then inform the user of the new password and ask him to put his
    password back when he tries to login and automatically receives a window
    asking for that.

    It will be a process very much like adding a new user.

    > Also whenever a unix user changes passwd samba password is
    > not updated ?
    >


    Well, this is a little more complicated. It depends on how and where they
    are trying to do that, but normally posix tools don't know of the
    existence of samba hashes. Anyway, it's possible to do that too, but you
    will need to be a little more specific. Are they trying to do that using
    their own workstations that have Linux, or trying to do that accessing
    the server shell?

    > Any pointers will be of great help.
    >
    > Thanks in advance
    > yogesh


    It appears that there's nothing wrong with your config, you just didn't
    understand what you need to do.


    Regards.

    Edmundo Valle Neto
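
Added example, not part of the original posts and not code from Samba or smbldap-tools: a small audit over LDIF-style directory output that sorts POSIX accounts by what they still lack before an SMB logon can succeed, which is the situation the reply above describes. The function names and the sample entries are constructed for illustration; `sambaNTPassword` is the Samba LDAP schema attribute that holds the NT hash.

```python
import re

# Constructed sample in the layout of the smbldap-usershow output quoted in the thread; hash values are placeholders.
SAMPLE_LDIF = """\
dn: uid=yogesh,ou=People,dc=biomax,dc=de
uid: yogesh
objectClass: account,posixAccount,top,shadowAccount,sambaSamAccount
userPassword: {MD5}PLACEHOLDER

dn: uid=alice,ou=People,dc=biomax,dc=de
uid: alice
objectClass: account,posixAccount,top,shadowAccount

dn: uid=bob,ou=People,dc=biomax,dc=de
uid: bob
objectClass: posixAccount
objectClass: sambaSamAccount
sambaNTPassword: 00000000000000000000000000000000
"""

def parse_entries(ldif):
    """Return one dict per entry: lowercased attribute name -> list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        entry, last = {}, None
        for line in block.splitlines():
            if line.startswith(" ") and last:      # LDIF continuation line
                entry[last][-1] += line[1:]
                continue
            name, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            last = name.strip().lower()
            entry.setdefault(last, []).append(value.strip())
        entries.append(entry)
    return entries

def samba_state(entry):
    """Classify a POSIX account by what it still needs before SMB logon can work."""
    classes = {c.strip().lower() for v in entry.get("objectclass", []) for c in v.split(",")}
    if "posixaccount" not in classes:
        return "not-posix"
    if "sambasamaccount" not in classes:
        return "needs-samba-attributes"   # no Samba object class on the entry yet
    if not any(entry.get("sambantpassword", [])):
        return "needs-password-set"       # Samba attributes present, NT hash missing
    return "ready"

def audit(ldif):
    return {e["uid"][0]: samba_state(e) for e in parse_entries(ldif) if e.get("uid")}

if __name__ == "__main__":
    for uid, state in audit(SAMPLE_LDIF).items():
        print(f"{uid:10} {state}")
```

The parser accepts both the comma-joined `objectClass` line that smbldap-usershow prints and the one-value-per-line form.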


  5. Re: [Samba] SAMBA PDC with LDAP backend syncing unix/samba accounts...

    Do the samba accounts already exist in another format such as smbpasswd
    or tdbsam? If so, use pdbedit -i smbpasswd:/etc/samba/smbpasswd (dunno
    what the command is for tdbsam though).

    To have samba and unix passwords changed at the same time, use ldap
    password sync = yes in smb.conf and when a user in windows hits
    ctrl-alt-del and clicks on change password, it will change both at the
    same time.
