
urgent help => samba 3 ldap



wormy666
25.08.04, 14:02
here is the log file...
I don't understand why this doesn't work :-(

Aug 25 16:43:54 pluto slapd[3129]: conn=98 fd=20 ACCEPT from IP=192.168.1.243:33205 (IP=0.0.0.0:389)
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=0 BIND dn="cn=Manager,dc=setec,dc=at" method=128
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=0 BIND dn="cn=Manager,dc=setec,dc=at" mech=SIMPLE ssf=0
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=0 RESULT tag=97 err=0 text=
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=1 SRCH base="dc=setec,dc=at" scope=2 deref=0 filter="(&(objectClass=sambaDomain)(sambaDomainName=moonlight))"
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=1 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=2 SRCH base="dc=setec,dc=at" scope=2 deref=0 filter="(&(uid=administrator)(objectClass=sambaSamAccount))"
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 25 16:43:54 pluto smbd[5945]: [2004/08/25 16:43:54, 0] auth/auth_sam.c:check_sam_security(260)
Aug 25 16:43:54 pluto smbd[5945]: check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=3 SRCH base="dc=setec,dc=at" scope=2 deref=0 filter="(&(sambaSID=s-1-5-21-1057942609-4175100039-3069117602-501)(objectClass=sambaSamAccount))"
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=3 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=4 SRCH base="ou=Groups,dc=setec,dc=at" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=65533))"
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=4 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=5 SRCH base="ou=Groups,dc=setec,dc=at" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=65534))"
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=5 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=5 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug 25 16:43:55 pluto slapd[3129]: conn=98 fd=20 closed


this seems to be where it fails
Aug 25 16:43:54 pluto smbd[5945]: [2004/08/25 16:43:54, 0] auth/auth_sam.c:check_sam_security(260)
Aug 25 16:43:54 pluto smbd[5945]: check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

????????????
does anyone have an idea?
I also have a second thread open in which my samba.conf etc. are posted
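As an added worked example (not part of wormy666's post and not Samba or OpenLDAP code): a small Python script that reads slapd log lines in the format shown above, pairs each SRCH with its SEARCH RESULT, lists the lookups that returned nentries=0 next to any smbd NT_STATUS error, and decodes the RID from a sambaSID filter, labelling the well-known RIDs (500 Administrator, 501 Guest, 512 Domain Admins, 513 Domain Users). The sample lines are a constructed subset of the log above; the names WELL_KNOWN_RIDS, Lookup, parse_log, empty_lookups and report are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the slapd/smbd lines from the post, same format.
SAMPLE_LOG = """\
Aug 25 16:43:54 pluto slapd[3129]: conn=98 fd=20 ACCEPT from IP=192.168.1.243:33205 (IP=0.0.0.0:389)
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=0 BIND dn="cn=Manager,dc=setec,dc=at" method=128
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=0 RESULT tag=97 err=0 text=
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=1 SRCH base="dc=setec,dc=at" scope=2 deref=0 filter="(&(objectClass=sambaDomain)(sambaDomainName=moonlight))"
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=2 SRCH base="dc=setec,dc=at" scope=2 deref=0 filter="(&(uid=administrator)(objectClass=sambaSamAccount))"
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 25 16:43:54 pluto smbd[5945]: check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=3 SRCH base="dc=setec,dc=at" scope=2 deref=0 filter="(&(sambaSID=s-1-5-21-1057942609-4175100039-3069117602-501)(objectClass=sambaSamAccount))"
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=4 SRCH base="ou=Groups,dc=setec,dc=at" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=65533))"
Aug 25 16:43:54 pluto slapd[3129]: conn=98 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug 25 16:43:55 pluto slapd[3129]: conn=98 fd=20 closed
"""

# Well-known relative identifiers in a Windows/Samba domain SID.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests"}

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" .*filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*nentries=(\d+)')
SMBD_RE = re.compile(r'smbd\[\d+\]: (.*NT_STATUS_\w+.*)')
# Domain SID (S-1-5-21-x-y-z) followed by the RID; Samba logs the prefix in lower case.
SID_RE = re.compile(r'sambaSID=([sS]-1-5-21(?:-\d+){3})-(\d+)')


@dataclass
class Lookup:
    conn: int
    op: int
    base: str
    filter: str
    nentries: Optional[int] = None   # filled in when the SEARCH RESULT line arrives
    rid: Optional[int] = None        # RID extracted from a sambaSID filter, if any
    rid_name: Optional[str] = None


def parse_log(text: str) -> Tuple[List[Lookup], List[str]]:
    """Pair every SRCH with its SEARCH RESULT (keyed by conn/op) and collect smbd NT_STATUS lines."""
    by_key = {}
    ordered: List[Lookup] = []
    errors: List[str] = []
    for line in text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            lk = Lookup(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
            s = SID_RE.search(lk.filter)
            if s:
                lk.rid = int(s.group(2))
                lk.rid_name = WELL_KNOWN_RIDS.get(lk.rid, "not a well-known RID")
            by_key[(lk.conn, lk.op)] = lk
            ordered.append(lk)
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            if key in by_key:
                by_key[key].nentries = int(m.group(3))
            continue
        m = SMBD_RE.search(line)
        if m:
            errors.append(m.group(1))
    return ordered, errors


def empty_lookups(lookups: List[Lookup]) -> List[Lookup]:
    """Searches that Samba issued but that matched nothing in the directory."""
    return [lk for lk in lookups if lk.nentries == 0]


def report(text: str) -> List[str]:
    lookups, errors = parse_log(text)
    lines = [f"smbd: {e}" for e in errors]
    for lk in empty_lookups(lookups):
        extra = f"  (RID {lk.rid} = {lk.rid_name})" if lk.rid is not None else ""
        lines.append(f"conn={lk.conn} op={lk.op} returned 0 entries for {lk.filter}{extra}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run over the complete log in the post, this lists op=3 (the sambaSID lookup ending in 501, the well-known Guest RID) and the two sambaGroupMapping lookups for gidNumber 65533 and 65534 as the searches that matched nothing; those are the lines to examine first when a logon ends in NT_STATUS_NO_SUCH_USER, because each is a lookup Samba needed and the directory could not answer.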

wormy666
25.08.04, 14:07
changed the SambaSID of the Administrator in the LDAP directory from 2996 to 501 at the end

the error message from the ominous checksam.c file still appears - with the difference that the last search query succeeds
but authentication still fails :-(

Here is the log file:
Aug 25 17:00:10 pluto slapd[3129]: conn=130 fd=20 ACCEPT from IP=192.168.1.243:33298 (IP=0.0.0.0:389)
Aug 25 17:00:10 pluto slapd[3129]: conn=130 op=0 BIND dn="cn=Manager,dc=setec,dc=at" method=128
Aug 25 17:00:10 pluto slapd[3129]: conn=130 op=0 BIND dn="cn=Manager,dc=setec,dc=at" mech=SIMPLE ssf=0
Aug 25 17:00:10 pluto slapd[3129]: conn=130 op=0 RESULT tag=97 err=0 text=
Aug 25 17:00:10 pluto slapd[3129]: conn=130 op=1 SRCH base="cn=Domain Admins,ou=Groups,dc=setec,dc=at" scope=0 deref=1 filter="(objectClass=*)"
Aug 25 17:00:10 pluto slapd[3129]: conn=130 op=1 SRCH attr=objectClass
Aug 25 17:00:10 pluto slapd[3129]: conn=130 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 25 17:00:10 pluto slapd[3129]: conn=130 op=2 SRCH base="cn=Domain Admins,ou=Groups,dc=setec,dc=at" scope=0 deref=0 filter="(objectClass=*)"
Aug 25 17:00:10 pluto slapd[3129]: conn=130 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 25 17:00:10 pluto slapd[3129]: conn=130 op=3 SRCH base="cn=Domain Admins,ou=Groups,dc=setec,dc=at" scope=0 deref=0 filter="(objectClass=*)"
Aug 25 17:00:10 pluto slapd[3129]: conn=130 op=3 SRCH attr=creatorsname createtimestamp modifiersname structuralObjectClass entryUUID modifytimestamp subschemaSubentry hasSubordinates +
Aug 25 17:00:10 pluto slapd[3129]: conn=130 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 25 17:00:10 pluto slapd[3129]: conn=130 op=4 SRCH base="cn=Domain Admins,ou=Groups,dc=setec,dc=at" scope=0 deref=0 filter="(objectClass=*)"
Aug 25 17:00:10 pluto slapd[3129]: conn=130 op=4 SRCH attr=dn
Aug 25 17:00:10 pluto slapd[3129]: conn=130 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 25 17:00:10 pluto slapd[3129]: conn=130 op=5 SRCH base="cn=Domain Admins,ou=Groups,dc=setec,dc=at" scope=1 deref=3 filter="(objectClass=*)"
Aug 25 17:00:10 pluto slapd[3129]: conn=130 op=5 SRCH attr=dn
Aug 25 17:00:10 pluto slapd[3129]: conn=130 op=5 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug 25 17:00:10 pluto slapd[3129]: conn=130 op=6 UNBIND
Aug 25 17:00:10 pluto slapd[3129]: conn=130 fd=20 closed

emba
25.08.04, 16:56
just a small hint: administrator != root

you always join the domain as root (or via mappings to root -> usermap)

besides: administrators always have the GRID 512 (domain admins) - the SID (RID) is irrelevant here

greez

wormy666
26.08.04, 13:12
smb.conf =>

# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2004/08/25 14:45:27

# Global parameters
[global]
unix charset = ISO8859-1
workgroup = MOONLIGHT
netbios name = PDC
server string = SETEC
interfaces = 192.168.1.243/255.255.255.0
bind interfaces only = Yes
client schannel = No
server schannel = No
map to guest = Bad User
passdb backend = ldapsam:ldap://192.168.1.243/
passwd program = /usr/local/sbin/smbldap-passwd %u
log level = 10
smb ports = 445 139 137
printcap cache time = 750
add user script = /usr/local/sbin/smbldap-useradd -m %u
add group script = /usr/local/sbin/smbldap-groupadd -p %g
add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
logon path = \\%L\profiles\%U
logon drive = X:
logon home = \\%L\%U\.9xprofile
domain logons = yes
os level = 65
preferred master = yes
domain master = yes
wins support = Yes
ldap suffix = dc=setec,dc=at
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=Manager,dc=setec,dc=at
ldap ssl = no
ldap delete dn = Yes
ldap passwd sync = Yes
#admin users = root, Administrator
valid users = nobody, testuser1, root, Administrator, '@Domain Users', '@Domain Admins'
printer admin = @ntadmin, root, administrator
cups options = raw
map archive = No
store dos attributes = Yes
#security = user
encrypt passwords = yes
local master = yes
idmap uid = 15000-20000
idmap gid = 15000-20000
#winbind separator = +

[homes]
comment = Home Directories
path = /home/%U
valid users = %U
browseable = yes
guest ok = no
printable = no

[profiles]
comment = Network Profiles Service
path = /home/samba/profiles
valid users = %U, '@Domain Admins'
force user = %U
read only = No
create mask = 0600
directory mask = 0700
profile acls = Yes
csc policy = disable
browseable = yes
guest ok = no
printable = no

[netlogon]
path = /home/samba/netlogon
write list = ntadmin
guest ok = yes
browseable = yes
printable = no

[users]
comment = All users
path = /home
read only = No
inherit permissions = Yes
veto files = /aquota.user/groups/shares/
browseable = yes
guest ok = no
printable = no

[groups]
comment = All groups
path = /home/groups
read only = No
inherit permissions = Yes
browseable = yes
guest ok = no
printable = no

[pdf]
comment = PDF creator
path = /var/tmp
create mask = 0600
printable = yes
browseable = yes
guest ok = no

[printers]
comment = All Printers
path = /var/tmp
create mask = 0600
printable = yes
browseable = no
guest ok = no

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin, root
force group = ntadmin
create mask = 0664
directory mask = 0775
browseable = yes
guest ok = no
printable = no

[ldap]
path = /home/ldap
read only = No
guest ok = yes
browseable = yes
printable = no

slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules
# moduleload back_ldap.la
# moduleload back_meta.la
# moduleload back_monitor.la
# moduleload back_perl.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access to user password
# Allow anonymous users to authenticate
# Allow read access to everything else
# Directives needed to implement policy:
#access to dn.base=""
# by * read

#access to dn.base="cn=Subschema"
# by * read

#access to attr=userPassword,userPKCS12
# by self write
# by * auth

#access to attr=shadowLastChange
# by self write
# by * read

access to *
by * read

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# bdb database definitions
#######################################################################

database ldbm
checkpoint 1024 5
cachesize 10000
suffix "dc=setec,dc=at"
rootdn "cn=Manager,dc=setec,dc=at"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw xxx
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain

index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq

ldap.conf =>

#
# This is the configuration file for the LDAP nameservice
# switch library, the LDAP PAM module and the shadow package.
#

# Your LDAP server. Must be resolvable without using LDAP.
host 192.168.1.243

# The distinguished name of the search base.
base dc=setec,dc=at

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=Manager,dc=setec,dc=at

# The credentials to bind with.
# Optional: default is no credential.
#bindpw XXX


# The port.
# Optional: default is 389.
port 389

# The search scope.
#scope sub
#scope one
#scope base

nss_base_passwd dc=setec,dc=at?sub
nss_base_shadow dc=setec,dc=at?sub
nss_base_group ou=Groups,dc=setec,dc=at?one

pam_password md5
ssl No

nsswitch.conf =>

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# compat Use compatibility setup
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the /var/db databases
# [NOTFOUND=return] Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#

# passwd: files nis
# shadow: files nis
# group: files nis

passwd: files ldap
shadow: files ldap
group: files ldap
#passwd_compat: ldap
#group_compat: ldap

hosts: files dns
networks: files dns

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files

bootparams: files
automount: files nis
aliases: files

/etc/pam.d/login

#%PAM-1.0
auth requisite pam_unix2.so nullok #set_secrpc
auth sufficient pam_ldap.so
auth required pam_securetty.so
auth required pam_nologin.so
#auth required pam_homecheck.so
auth required pam_env.so
auth required pam_mail.so

account sufficient pam_ldap.so
account required pam_unix2.so

password sufficient pam_ldap.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok

session sufficient pam_ldap.so
session required pam_unix2.so none # debug or trace
session required pam_limits.so


/etc/pam.d/passwd =>

#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_unix2.so nullok

account sufficient pam_ldap.so
account required pam_unix2.so

password sufficient pam_ldap.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok

session sufficient pam_ldap.so
#password required pam_make.so /var/yp
session required pam_unix2.so

wormy666
26.08.04, 13:32
Unix username: Administrator
NT username: Administrator
Account Flags: [U ]
User SID: S-1-5-21-1057942609-4175100039-3069117602-2996
Primary Group SID: S-1-5-21-1057942609-4175100039-3069117602-512
Full Name: Administrator
Home Directory: \\PDCSETEC\home\Administrator
HomeDir Drive: X:
Logon Script:
Profile Path: \\PDCSETEC\profiles\Administrator\
Domain: MOONLIGHT
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Fr, 13 Dez 1901 21:45:51 GMT
Kickoff time: Fr, 13 Dez 1901 21:45:51 GMT
Password last set: Mi, 25 Aug 2004 15:47:42 GMT
Password can change: 0
Password must change: Sa, 09 Okt 2004 15:47:42 GMT
Last bad password : 0
Bad password count : 0


Unix username: nobody
NT username: nobody
Account Flags: [NU ]
User SID: S-1-5-21-1057942609-4175100039-3069117602-501
Primary Group SID: S-1-5-21-1057942609-4175100039-3069117602-513
Full Name: nobody
Home Directory: \\PDCSETEC\home\nobody
HomeDir Drive: X:
Logon Script:
Profile Path: \\PDCSETEC\profiles\nobody
Domain: MOONLIGHT
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Fr, 13 Dez 1901 21:45:51 GMT
Kickoff time: Fr, 13 Dez 1901 21:45:51 GMT
Password last set: 0
Password can change: 0
Password must change: Fr, 13 Dez 1901 21:45:51 GMT
Last bad password : 0
Bad password count : 0



I am also unable to connect with ssh testuser@host...
the password is not accepted there either

emba
26.08.04, 20:10
wormy, sorry
we have had this topic a thousand times already
there is even a wiki on it, and the samba developers' docs are more than sufficient for it

maybe someone will take pity anyway and read your huge texts

greez