Samba OpenLdap



JackyD
05.05.05, 01:39
Hello everyone.

I have a problem with my Samba/LDAP server, specifically with the shares. When I try to restrict access to certain LDAP groups with valid users, the mount is refused with Access Denied and the following shows up in the log:

[2005/05/05 01:34:34, 3] auth/auth_sam.c:check_sam_security(257)
check_sam_security: Couldn't find user 'toni' in passdb.
[2005/05/05 01:34:34, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [toni] -> [toni] FAILED with error NT_STATUS_NO_SUCH_USER
But the user does exist, and if I put that user directly into valid users it works. Here is my smb.conf:

[global]
workgroup = ATHOME
server string = Samba %v auf %L(PDC)
Unix Charset = iso8859-15


log level = 3
log file = /var/log/samba/log.%m
max log size = 1000


add machine script = /usr/sbin/smbldap-useradd -w %u
add user script = /usr/sbin/smbldap-useradd -m %u
add group script = /usr/sbin/smbldap-groupadd -p %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g


logon script = /data/samba/netlogon/login.bat
logon path = \\%L\profiles\%a\%U
logon drive = u:


domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes


passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = "cn=Manager,dc=athome"
ldap delete dn = No
ldap filter = "(&(uid=%u)(ojectClass=sambaPrimaryGroupSID))"
ldap group suffix = "ou=Groups"
ldap machine suffix = "ou=Computers"
ldap passwd sync = Yes
ldap suffix = "dc=athome"
ldap ssl = no
ldap user suffix = "ou=Users"


[homes]
comment = user directories
path = /home/%U
valid users = %U
read only = No
create mask = 0770
directory mask = 0770
locking = no

[netlogon]
comment = NETLOGON service
path = /data/samba/netlogon
read only = No
guest ok = Yes

[profiles]
comment = profiles service
path = /data/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
guest ok = Yes
browseable = no

[config]
comment = configuration path
path = /data
valid users = root
read only = No
create mask = 0775
directory mask = 0775
locking = No

[test]
comment = test
path = /tmp
valid users = @"Domain Users"
read only = No
create mask = 0775
directory mask = 0775
locking = No


Maybe someone can help me and tell me exactly where my mistake is.
Thanks in advance.

bye jacky
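Two points an editor would raise about the smb.conf above, shown as an added example (Python written for this page, not Samba's code and not the poster's). First, the LDAP suffix parameters are wrapped in double quotes; the script joins the sub-suffixes with ldap suffix the way Samba 3 is assumed to (a simplified model of its behaviour) and checks each result for DN syntax, and the group base it produces, "ou=Groups","dc=athome", is exactly the string slapd rejects as an invalid DN in the log posted later in this thread. Second, guest ok = Yes combined with read only = No on [netlogon] means any client that can connect anonymously may edit login.bat, which every domain member executes at logon (subject to the Unix permissions on /data/samba/netlogon); [profiles] is in the same state. The config embedded in the script is a trimmed copy of the posted one.

```python
"""Static review of a Samba 3 smb.conf of the kind posted above.

Added example for this thread, not Samba's code and not the poster's. It
reports (a) the search bases Samba would build from 'ldap suffix' plus the
user/group/machine sub-suffixes, with a DN syntax check on each, and (b)
shares that are both writable and guest-accessible. The suffix join rule is
a simplified model of Samba 3 behaviour, i.e. an assumption.
"""
import configparser
import re

# Trimmed copy of the smb.conf from the thread, embedded so the script runs
# offline; only the parameters the checks look at are kept.
SMB_CONF = """
[global]
ldap suffix = "dc=athome"
ldap user suffix = "ou=Users"
ldap group suffix = "ou=Groups"
ldap machine suffix = "ou=Computers"

[netlogon]
path = /data/samba/netlogon
read only = No
guest ok = Yes

[profiles]
path = /data/samba/profiles
read only = No
guest ok = Yes
"""

# One RDN: attribute type, '=', then a value without an unescaped , " or +.
RDN_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=[^,"+]+$')


def load(text):
    # smb.conf is INI-like; only '=' separates keys from values, and
    # %-interpolation is off because values carry %U, %L and friends.
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    delimiters=("=",))
    cfg.read_string(text)
    return cfg


def truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def is_dn(dn):
    """Simplified RFC 4514 check: comma-separated 'attr=value' RDNs only;
    multi-valued RDNs and escaped commas are not handled."""
    return all(RDN_RE.match(part.strip()) for part in dn.split(","))


def search_bases(cfg):
    """Assumed Samba 3 rule: a sub-suffix that does not already end in
    'ldap suffix' gets ',<ldap suffix>' appended. Values are taken verbatim,
    so surrounding quotes survive the join."""
    g = cfg["global"]
    suffix = g.get("ldap suffix", "")
    bases = {}
    for key in ("ldap user suffix", "ldap group suffix", "ldap machine suffix"):
        sub = g.get(key, "")
        if not sub:
            bases[key] = suffix
        elif sub.lower().endswith(suffix.lower()):
            bases[key] = sub
        else:
            bases[key] = sub + "," + suffix
    return bases


def suffix_findings(cfg):
    """One line per search base that is not a syntactically valid DN."""
    return [f"{key}: search base {base} is not a valid DN "
            "(check the suffix parameters for quotes)"
            for key, base in search_bases(cfg).items() if not is_dn(base)]


def guest_writable_shares(cfg):
    """Shares an anonymous client may write to. 'writable' and 'writeable'
    are synonyms for the inverse of 'read only' (default: read only = yes)."""
    hits = []
    for name in cfg.sections():
        if name == "global":
            continue
        s = cfg[name]
        guest = truthy(s.get("guest ok", "no"))
        writable = (truthy(s.get("writable", s.get("writeable", "no")))
                    or not truthy(s.get("read only", "yes")))
        if guest and writable:
            hits.append(name)
    return hits


if __name__ == "__main__":
    cfg = load(SMB_CONF)
    for finding in suffix_findings(cfg):
        print("SUFFIX:", finding)
    for share in guest_writable_shares(cfg):
        print(f"SHARE: [{share}] is writable by guests")
```

Run it with python3: for the embedded config it prints one SUFFIX line per sub-suffix and SHARE lines for [netlogon] and [profiles]; the SUFFIX lines disappear once the quotes are removed from the ldap suffix parameters.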

emba
05.05.05, 20:41
Your details aren't very precise, but try DOMAIN\USERNAME in valid users

cheers

JackyD
06.05.05, 12:23
I've already tried that too, and it doesn't work either. I assume it somehow can't find the groups.

What other details do you need? I'll gladly provide them.

mamue
06.05.05, 17:24
Does getent passwd toni work?

mamue

JackyD
06.05.05, 22:43
Yes, it works.

toni:x:1001:513:Toni Kleinert:/home/toni:/bin/bash

jacky

mamue
07.05.05, 11:43
OK, I hope the user toni doesn't by any chance also exist in passwd, I assume.
Set the loglevel in slapd.conf to 256 or 32 or 288 (256+32) to log the requests that go to the LDAP server.
/var/log/messages should then show how "toni" is searched for. With the search filter that appears there you should also be able to find it with ldapsearch.
:) I just noticed something:
ldap filter = "(&(uid=%u)(ojectClass=sambaPrimaryGroupSID))"
There is no objectClass "sambaPrimaryGroupSID", that's an attribute!
Can't you just leave the filter out entirely? The default is (uid=%u). That should be enough; otherwise:
ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))

HTH,
mamue
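To make the filter point above concrete, an added example (code written for this page, not Samba's, OpenLDAP's or anyone's in the thread): a small evaluator for the filter syntax that ldap filter uses, run against two constructed LDIF entries standing in for toni and Domain Users. An attribute the schema does not define, such as the misspelled ojectClass, simply never matches, so the server returns zero entries with err=0 rather than an error, while (uid=%u) and (&(uid=%u)(objectClass=sambaSamAccount)) both find the user. The entries and their SIDs are invented for the example.

```python
"""LDAP filter evaluation against constructed LDIF entries.

Added example for this thread, not Samba or OpenLDAP code. It parses the
subset of RFC 4515 that 'ldap filter' uses (and/or/not, equality, presence),
substitutes %u as Samba does, and evaluates the result against two made-up
entries standing in for toni and Domain Users. The SIDs are placeholders.
"""

LDIF = """
dn: uid=toni,ou=Users,dc=athome
objectClass: posixAccount
objectClass: sambaSamAccount
uid: toni
cn: Toni Kleinert
sambaPrimaryGroupSID: S-1-5-21-1-2-3-513

dn: cn=Domain Users,ou=Groups,dc=athome
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
displayName: Domain Users
sambaSID: S-1-5-21-1-2-3-513
memberUid: toni
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, attribute names
    lower-cased, every value in a list. No base64 or folded lines."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        name, _, value = line.partition(":")
        cur.setdefault(name.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def parse_filter(text):
    """Recursive-descent parser for (&..), (|..), (!..), (attr=value) and
    (attr=*); returns a tuple tree, raises ValueError on malformed input."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos:pos + 1]
        if op in ("&", "|", "!"):
            pos += 1
            kids = []
            while text[pos:pos + 1] == "(":
                kids.append(node())
            result = (op, kids)
        else:
            end = text.index(")", pos)        # ValueError if unterminated
            attr, eq, value = text[pos:end].partition("=")
            if not attr or not eq:
                raise ValueError(f"bad filter item {text[pos:end]!r}")
            result = ("=", attr.strip().lower(), value)
            pos = end
        if text[pos:pos + 1] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry. An attribute the entry
    lacks, or that the schema does not define at all, never matches."""
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":                          # presence filter
        return bool(values)
    return any(v.lower() == value.lower() for v in values)   # caseIgnoreMatch


def search(entries, filter_text, user=None):
    """DNs of the entries matching filter_text after %u substitution."""
    if user is not None:
        filter_text = filter_text.replace("%u", user)
    tree = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    entries = parse_ldif(LDIF)
    for f in ("(&(uid=%u)(ojectClass=sambaPrimaryGroupSID))", "(uid=%u)",
              "(&(uid=%u)(objectClass=sambaSamAccount))"):
        print(f"{f:48} -> {search(entries, f, user='toni')}")
```

To try a filter against the live server, as suggested above, pass it to ldapsearch with the base from smb.conf, e.g. ldapsearch -x -H ldap://127.0.0.1/ -b dc=athome '(uid=toni)'.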

JackyD
07.05.05, 15:32
So the user toni doesn't exist in passwd, only in LDAP, and it does find him correctly. I can log in normally on Linux and Windows with this user; it just somehow doesn't look for the users in the groups.

I had noticed the filter thing too; it's already gone. And yes, it can be left out :)

But I'll still do the log level thing, let you know, and post the log.

jacky

JackyD
08.05.05, 01:25
As promised, everything the log gives.

log level 256

May 8 01:26:39 relict slapd[1210]: conn=1164 fd=47 ACCEPT from IP=127.0.0.1:34770 (IP=0.0.0.0:389)
May 8 01:26:39 relict slapd[1210]: conn=1164 op=0 BIND dn="cn=Manager,dc=athome" method=128
May 8 01:26:39 relict slapd[1210]: conn=1164 op=0 BIND dn="cn=Manager,dc=athome" mech=SIMPLE ssf=0
May 8 01:26:39 relict slapd[1210]: conn=1164 op=0 RESULT tag=97 err=0 text=
May 8 01:26:39 relict slapd[1210]: conn=1164 op=1 SRCH base="" scope=0 filter="(objectClass=*)"
May 8 01:26:39 relict slapd[1210]: conn=1164 op=1 SRCH attr=supportedControl
May 8 01:26:39 relict slapd[1210]: conn=1164 op=1 RESULT tag=101 err=0 text=
May 8 01:26:39 relict slapd[1210]: conn=1164 op=2 SRCH base="dc=athome" scope=2 filter="(&(uid=ROOT)(objectClass=sambaSamAccount))"
May 8 01:26:39 relict slapd[1210]: conn=1164 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
May 8 01:26:39 relict slapd[1210]: conn=1164 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 8 01:26:39 relict slapd[1210]: conn=1164 fd=47 closed

log level 288

May 8 01:30:14 relict slapd[6506]: conn=2 fd=14 ACCEPT from IP=127.0.0.1:34783 (IP=0.0.0.0:389)
May 8 01:30:14 relict slapd[6506]: conn=2 op=0 BIND dn="cn=Manager,dc=athome" method=128
May 8 01:30:14 relict slapd[6506]: conn=2 op=0 BIND dn="cn=Manager,dc=athome" mech=SIMPLE ssf=0
May 8 01:30:14 relict slapd[6506]: conn=2 op=0 RESULT tag=97 err=0 text=
May 8 01:30:14 relict slapd[6506]: do_search: invalid dn ("ou=Groups","dc=athome")
May 8 01:30:14 relict slapd[6506]: conn=2 op=1 RESULT tag=101 err=34 text=invalid DN
May 8 01:30:14 relict winbindd[1605]: [2005/05/08 01:30:14, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1982)
May 8 01:30:14 relict winbindd[1605]: ldapsam_search_one_group: Problem during the LDAP search: LDAP error: invalid DN (Invalid DN syntax)
May 8 01:30:14 relict winbindd[1605]: ldapsam_search_one_group: Query was: "ou=Groups","dc=athome", (&(objectClass=sambaGroupMapping)(|(displayName=root )(cn=root)))
May 8 01:30:14 relict slapd[6506]: conn=1 fd=10 closed
May 8 01:30:28 relict slapd[6506]: conn=3 fd=10 ACCEPT from IP=127.0.0.1:34784 (IP=0.0.0.0:389)
May 8 01:30:28 relict slapd[6506]: conn=3 op=0 BIND dn="cn=Manager,dc=athome" method=128
May 8 01:30:28 relict slapd[6506]: conn=3 op=0 BIND dn="cn=Manager,dc=athome" mech=SIMPLE ssf=0
May 8 01:30:28 relict slapd[6506]: conn=3 op=0 RESULT tag=97 err=0 text=
May 8 01:30:28 relict slapd[6506]: begin get_filter
May 8 01:30:28 relict slapd[6506]: PRESENT
May 8 01:30:28 relict slapd[6506]: end get_filter 0
May 8 01:30:28 relict slapd[6506]: conn=3 op=1 SRCH base="" scope=0 filter="(objectClass=*)"
May 8 01:30:28 relict slapd[6506]: conn=3 op=1 SRCH attr=supportedControl
May 8 01:30:28 relict slapd[6506]: => test_filter
May 8 01:30:28 relict slapd[6506]: PRESENT
May 8 01:30:28 relict slapd[6506]: <= test_filter 6
May 8 01:30:28 relict slapd[6506]: conn=3 op=1 RESULT tag=101 err=0 text=
May 8 01:30:28 relict slapd[6506]: begin get_filter
May 8 01:30:28 relict slapd[6506]: AND
May 8 01:30:28 relict slapd[6506]: begin get_filter_list
May 8 01:30:28 relict slapd[6506]: begin get_filter
May 8 01:30:28 relict slapd[6506]: EQUALITY
May 8 01:30:28 relict slapd[6506]: end get_filter 0
May 8 01:30:28 relict slapd[6506]: begin get_filter
May 8 01:30:28 relict slapd[6506]: EQUALITY
May 8 01:30:28 relict slapd[6506]: end get_filter 0
May 8 01:30:28 relict slapd[6506]: end get_filter_list
May 8 01:30:28 relict slapd[6506]: end get_filter 0
May 8 01:30:28 relict slapd[6506]: conn=3 op=2 SRCH base="dc=athome" scope=2 filter="(&(uid=ROOT)(objectClass=sambaSamAccount))"
May 8 01:30:28 relict slapd[6506]: conn=3 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
May 8 01:30:28 relict slapd[6506]: => bdb_filter_candidates
May 8 01:30:28 relict slapd[6506]: ^IAND
May 8 01:30:28 relict slapd[6506]: => bdb_list_candidates 0xa0
May 8 01:30:28 relict slapd[6506]: => bdb_filter_candidates
May 8 01:30:28 relict slapd[6506]: ^IDN SUBTREE
May 8 01:30:28 relict slapd[6506]: <= bdb_filter_candidates: id=-1 first=1 last=97
May 8 01:30:28 relict slapd[6506]: => bdb_filter_candidates
May 8 01:30:28 relict slapd[6506]: ^IOR
May 8 01:30:28 relict slapd[6506]: => bdb_list_candidates 0xa1
May 8 01:30:28 relict slapd[6506]: => bdb_filter_candidates
May 8 01:30:28 relict slapd[6506]: ^IEQUALITY
May 8 01:30:28 relict slapd[6506]: <= bdb_filter_candidates: id=0 first=0 last=0
May 8 01:30:28 relict slapd[6506]: => bdb_filter_candidates
May 8 01:30:28 relict slapd[6506]: ^IAND
May 8 01:30:28 relict slapd[6506]: => bdb_list_candidates 0xa0
May 8 01:30:28 relict slapd[6506]: => bdb_filter_candidates
May 8 01:30:28 relict slapd[6506]: ^IEQUALITY
May 8 01:30:28 relict slapd[6506]: <= bdb_filter_candidates: id=1 first=20 last=20
May 8 01:30:28 relict slapd[6506]: => bdb_filter_candidates
May 8 01:30:28 relict slapd[6506]: ^IEQUALITY
May 8 01:30:28 relict slapd[6506]: <= bdb_filter_candidates: id=19 first=17 last=97
May 8 01:30:28 relict slapd[6506]: <= bdb_list_candidates: id=1 first=20 last=20
May 8 01:30:28 relict slapd[6506]: <= bdb_filter_candidates: id=1 first=20 last=20
May 8 01:30:28 relict slapd[6506]: <= bdb_list_candidates: id=1 first=20 last=20
May 8 01:30:28 relict slapd[6506]: <= bdb_filter_candidates: id=1 first=20 last=20
May 8 01:30:28 relict slapd[6506]: <= bdb_list_candidates: id=1 first=20 last=20
May 8 01:30:28 relict slapd[6506]: <= bdb_filter_candidates: id=1 first=20 last=20
May 8 01:30:28 relict slapd[6506]: => test_filter
May 8 01:30:28 relict slapd[6506]: AND
May 8 01:30:28 relict slapd[6506]: => test_filter_and
May 8 01:30:28 relict slapd[6506]: => test_filter
May 8 01:30:28 relict slapd[6506]: EQUALITY
May 8 01:30:28 relict slapd[6506]: <= test_filter 6
May 8 01:30:28 relict slapd[6506]: => test_filter
May 8 01:30:28 relict slapd[6506]: EQUALITY
May 8 01:30:28 relict slapd[6506]: <= test_filter 6
May 8 01:30:28 relict slapd[6506]: <= test_filter_and 6
May 8 01:30:28 relict slapd[6506]: <= test_filter 6
May 8 01:30:28 relict slapd[6506]: conn=3 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 8 01:30:28 relict slapd[6506]: conn=3 fd=10 closed


Can you see where my thinking goes wrong?

jacky
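An added example for this thread (code written for this page, not OpenLDAP or Samba tooling): a triage script for slapd stats-level (loglevel 256) lines like the ones above. The posted log already shows what goes wrong with the group lookups: winbindd's search for the group arrives with the base "ou=Groups","dc=athome", quote characters included, and slapd refuses it with err=34 before it ever logs a SRCH line, so the only trace is the do_search diagnostic immediately before the RESULT. The script pairs that diagnostic with the failing operation, reports searches that succeed but match nothing (the situation behind a message like "Couldn't find user ... in passdb"), and warns about simple binds with ssf=0 from anything other than loopback, which is what ldap ssl = no amounts to once the directory is no longer on 127.0.0.1. conn=2 and conn=3 are trimmed from the post; conn=4 and conn=5 are constructed, with 192.0.2.10 as a documentation address.

```python
"""Triage of slapd stats-level (loglevel 256) lines like the ones above.

Added example for this thread, not OpenLDAP or Samba tooling. It follows each
connection through ACCEPT, BIND, SRCH and RESULT and reports failed operations
(with slapd's preceding diagnostic), searches that matched nothing, and simple
binds with ssf=0 from anything other than loopback. conn=2 and conn=3 are
trimmed from the post; conn=4 and conn=5 are constructed (192.0.2.10 is a
documentation address).
"""
import re

SAMPLE_LOG = """\
May  8 01:30:14 relict slapd[6506]: conn=2 fd=14 ACCEPT from IP=127.0.0.1:34783 (IP=0.0.0.0:389)
May  8 01:30:14 relict slapd[6506]: conn=2 op=0 BIND dn="cn=Manager,dc=athome" method=128
May  8 01:30:14 relict slapd[6506]: conn=2 op=0 BIND dn="cn=Manager,dc=athome" mech=SIMPLE ssf=0
May  8 01:30:14 relict slapd[6506]: conn=2 op=0 RESULT tag=97 err=0 text=
May  8 01:30:14 relict slapd[6506]: do_search: invalid dn ("ou=Groups","dc=athome")
May  8 01:30:14 relict slapd[6506]: conn=2 op=1 RESULT tag=101 err=34 text=invalid DN
May  8 01:30:14 relict winbindd[1605]: ldapsam_search_one_group: Problem during the LDAP search: LDAP error: invalid DN (Invalid DN syntax)
May  8 01:30:28 relict slapd[6506]: conn=3 fd=10 ACCEPT from IP=127.0.0.1:34784 (IP=0.0.0.0:389)
May  8 01:30:28 relict slapd[6506]: conn=3 op=0 BIND dn="cn=Manager,dc=athome" mech=SIMPLE ssf=0
May  8 01:30:28 relict slapd[6506]: conn=3 op=0 RESULT tag=97 err=0 text=
May  8 01:30:28 relict slapd[6506]: conn=3 op=2 SRCH base="dc=athome" scope=2 filter="(&(uid=ROOT)(objectClass=sambaSamAccount))"
May  8 01:30:28 relict slapd[6506]: conn=3 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
May  8 01:30:28 relict slapd[6506]: conn=3 fd=10 closed
May  8 01:31:02 relict slapd[6506]: conn=4 fd=11 ACCEPT from IP=127.0.0.1:34790 (IP=0.0.0.0:389)
May  8 01:31:02 relict slapd[6506]: conn=4 op=0 BIND dn="cn=Manager,dc=athome" mech=SIMPLE ssf=0
May  8 01:31:02 relict slapd[6506]: conn=4 op=0 RESULT tag=97 err=0 text=
May  8 01:31:02 relict slapd[6506]: conn=4 op=1 SRCH base="dc=athome" scope=2 filter="(&(uid=toni)(ojectClass=sambaPrimaryGroupSID))"
May  8 01:31:02 relict slapd[6506]: conn=4 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
May  8 01:31:40 relict slapd[6506]: conn=5 fd=12 ACCEPT from IP=192.0.2.10:40001 (IP=0.0.0.0:389)
May  8 01:31:40 relict slapd[6506]: conn=5 op=0 BIND dn="cn=Manager,dc=athome" mech=SIMPLE ssf=0
May  8 01:31:40 relict slapd[6506]: conn=5 op=0 RESULT tag=97 err=0 text=
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
CONN = re.compile(r"^conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)$")
SRCH = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>.*)"$')
RESULT = re.compile(r"err=(?P<err>\d+)(?: nentries=(?P<n>\d+))? text=(?P<text>.*)$")
LOOPBACK = ("127.0.0.1", "[::1]")


def triage(lines):
    """Return (severity, conn, op, message) tuples in log order."""
    conns, findings, pending_diag = {}, [], None
    for line in lines:
        m = SYSLOG.match(line)
        if not m or m["prog"] != "slapd":
            continue                              # winbindd etc. not parsed
        msg = m["msg"]
        if msg.startswith("do_search: invalid dn"):
            pending_diag = msg                    # logged before the RESULT
            continue
        c = CONN.match(msg)
        if not c:
            continue
        conn = conns.setdefault(c["conn"], {"peer": None, "bind": None, "ops": {}})
        op = conn["ops"].setdefault(c["op"], {}) if c["op"] is not None else None
        rest = c["rest"]
        if " ACCEPT from IP=" in rest:
            conn["peer"] = re.search(r"from IP=(\S+):\d+", rest).group(1)
        elif rest.startswith("BIND ") and "mech=" in rest:
            conn["bind"] = re.search(r'dn="([^"]*)"', rest).group(1)
            ssf = int(re.search(r"ssf=(\d+)", rest).group(1))
            if ssf == 0 and conn["peer"] not in LOOPBACK:
                findings.append(("WARN", c["conn"], c["op"],
                                 f"simple bind as {conn['bind']} without TLS from {conn['peer']}"))
        elif (s := SRCH.match(rest)):
            op.update(s.groupdict())
        elif "RESULT " in rest and (r := RESULT.search(rest)):
            err = int(r["err"])
            if err != 0:
                findings.append(("ERROR", c["conn"], c["op"],
                                 f"err={err}: {pending_diag or r['text']}"))
            elif r["n"] == "0":
                findings.append(("INFO", c["conn"], c["op"],
                                 f"no entries: base={op.get('base')} filter={op.get('filter')}"))
            pending_diag = None
    return findings


if __name__ == "__main__":
    for sev, conn, op, msg in triage(SAMPLE_LOG.splitlines()):
        print(f"{sev:5} conn={conn} op={op} {msg}")
```

For a real /var/log/messages, hand the file's lines to triage() instead of SAMPLE_LOG.splitlines(); everything that is not a slapd line is skipped.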