Sotares
Member
Hello everyone!
When I try to join a Windows client to my Samba domain, I get an error message saying that the username or password is unknown.
The authentication of admin goes through LDAP, which according to the log file also appears to succeed:
Code:
[2005/03/07 13:22:22, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
Returning domain sid for domain DEBIAN -> S-1-5-21-3913269775-3181398248-2826524576
[2005/03/07 13:22:22, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
_samr_open_domain: ACCESS DENIED (requested: 0x00000211)
[2005/03/07 13:22:22, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
Returning domain sid for domain DEBIAN -> S-1-5-21-3913269775-3181398248-2826524576
[2005/03/07 13:22:22, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
_samr_create_user: ACCESS DENIED (granted: 0x00000201; required: 0x00000010)
[2005/03/07 13:22:22, 2] smbd/server.c:exit_server(571)
Closing connections
[2005/03/07 13:22:22, 2] lib/smbldap.c:smbldap_search_domain_info(1373)
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DEBIAN))]
[2005/03/07 13:22:22, 2] lib/smbldap.c:smbldap_open_connection(692)
smbldap_open_connection: connection opened
[2005/03/07 13:22:22, 2] smbd/reply.c:reply_special(235)
netbios connect: name1=SAMBA name2=SUNRISE-0000002
[2005/03/07 13:22:22, 2] smbd/reply.c:reply_special(242)
netbios connect: local=samba remote=sunrise-0000002, name type = 0
[2005/03/07 13:22:22, 2] smbd/sesssetup.c:setup_new_vc_session(608)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/03/07 13:22:22, 2] smbd/sesssetup.c:setup_new_vc_session(608)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/03/07 13:22:22, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
init_sam_from_ldap: Entry found for user: admin
[2005/03/07 13:22:22, 2] auth/auth.c:check_ntlm_password(305)
check_ntlm_password: authentication for user [admin] -> [admin] -> [admin] succeeded
[2005/03/07 13:22:23, 2] smbd/server.c:exit_server(571)
Closing connections
smb.conf
Code:
[global]
workgroup = DEBIAN
netbios name = SAMBA
server string = %h server (Samba %v)
#log file = /var/log/samba/log.%m
log level = 2
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
#passwd program = /usr/bin/passwd %u
#passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
socket options = TCP_NODELAY
local master = yes
os level = 255
domain master = yes
prefered master = yes
domain logons = yes
# LDAP
ldap passwd sync = Yes
passdb backend = ldapsam
#ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
#ldap filter = (&(objectclass=posixAccount)(uid=%u))
ldap admin dn = cn=admin,dc=my,dc=ldap
ldap suffix = dc=my,dc=ldap
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
#delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
[cdrom]
path = /cdrom
The user accounts (posixAccount, sambaSamAccount, Samba CD-ROM share) work flawlessly.
Attached is the LDIF excerpt from the Samba fake root:
Code:
dn:uid=admin,ou=Users,dc=my,dc=ldap
uid: admin
givenName: admin
sn: admin
cn: admin admin
loginShell: /bin/bash
uidNumber: 999
gidNumber: 998
homeDirectory: /home/admin
shadowMin: -1
shadowMax: 999999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount
sambaSID: S-1-5-21-3913269775-3181398248-2826524576-2998
sambaPrimaryGroupSID: S-1-5-21-3913269775-3181398248-2826524576-2997
displayName: admin admin
sambaPwdMustChange: 2147483647
sambaLMPassword: 5DE349F503BBA07CAAD3B435B51404EE
sambaNTPassword: E9FCEFF7358F2D3BBAC2B31841E874F2
sambaPasswordHistory: 000000000000000000000000000000000000000000000000000000
 0000000000
sambaAcctFlags: [U ]
sambaPwdCanChange: 1110199330
sambaPwdLastSet: 1110199330
userPassword: {SMD5}sIMm+Ufd/FeY+m9p6vm3amqapx8=
ldap.conf
Code:
host 127.0.0.1
base dc=my,dc=ldap
rootbinddn dc=my,dc=ldap
nss_base_passwd dc=my,dc=ldap?sub
nss_base_shadow dc=my,dc=ldap?sub
nss_base_group ou=Groups,dc=my,dc=ldap?one
nss_base_passwd ou=Users,dc=my,dc=ldap?one
nss_base_shadow ou=Users,dc=my,dc=ldap?one
nss_base_group ou=Groups,dc=my,dc=ldap?one
ssl no
pam_password md5
slapd.conf
Code:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd.args
loglevel 0
modulepath /usr/lib/ldap
moduleload back_ldbm
backend ldbm
database ldbm
suffix "dc=my,dc=ldap"
rootdn "cn=admin,dc=my,dc=ldap"
rootpw {SSHA}Jp7UhRBtBpd2R6tTXgzjUChZYrL2eOdc
directory "/var/lib/ldap"
index objectClass eq
lastmod on
access to attribute=userPassword
by dn="cn=admin,dc=my,dc=ldap" write
by anonymous auth
by self write
by * none
access to dn.base="" by * read
access to *
by dn="cn=admin,dc=my,dc=ldap" write
by * read
/etc/pam.d/login
Code:
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
/etc/nsswitch.conf
Code:
passwd: files ldap
group: files ldap
shadow: files ldap
...
...
The ACCESS DENIED confuses me a little. What does it mean?
Code:
[2005/03/07 13:22:22, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
_samr_open_domain: ACCESS DENIED (requested: 0x00000211)
Something must be wrong somewhere.
Thanks for the help
- Sotares
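As an added example (not part of the original post), the following Python decodes the two ACCESS DENIED lines from the smbd log above using the SAMR domain-object access-mask bit values from MS-SAMR: it shows that 0x211 asked for DOMAIN_CREATE_USER alongside DOMAIN_LOOKUP and DOMAIN_READ_PASSWORD_PARAMETERS, while the admin account was only granted 0x201, so the one right missing for creating the machine account is DOMAIN_CREATE_USER (0x10).

```python
import re

# SAMR domain-object access rights (MS-SAMR 2.2.1.4, Domain ACCESS_MASK).
DOMAIN_RIGHTS = {
    0x001: "DOMAIN_READ_PASSWORD_PARAMETERS",
    0x002: "DOMAIN_WRITE_PASSWORD_PARAMS",
    0x004: "DOMAIN_READ_OTHER_PARAMETERS",
    0x008: "DOMAIN_WRITE_OTHER_PARAMETERS",
    0x010: "DOMAIN_CREATE_USER",
    0x020: "DOMAIN_CREATE_GROUP",
    0x040: "DOMAIN_CREATE_ALIAS",
    0x080: "DOMAIN_GET_ALIAS_MEMBERSHIP",
    0x100: "DOMAIN_LIST_ACCOUNTS",
    0x200: "DOMAIN_LOOKUP",
    0x400: "DOMAIN_ADMINISTER_SERVER",
}

# The two ACCESS DENIED messages copied from the smbd log excerpt in the post above.
SAMPLE_LOG = ("_samr_open_domain: ACCESS DENIED (requested: 0x00000211)\n"
              "_samr_create_user: ACCESS DENIED (granted: 0x00000201; required: 0x00000010)")

DENIED_RE = re.compile(r"(?P<func>_samr_\w+): ACCESS DENIED \((?P<fields>[^)]*)\)")
FIELD_RE = re.compile(r"(\w+): 0x([0-9a-fA-F]+)")


def decode_mask(mask):
    """Names of the domain rights set in an access mask (unknown bits kept as hex)."""
    names = [name for bit, name in DOMAIN_RIGHTS.items() if mask & bit]
    unknown = mask & ~sum(DOMAIN_RIGHTS)
    return names + (["UNKNOWN(0x%x)" % unknown] if unknown else [])


def parse_denials(log_text):
    """Return [(samr_function, {field: mask, ...}), ...] for each ACCESS DENIED line."""
    return [(m.group("func"),
             {k: int(v, 16) for k, v in FIELD_RE.findall(m.group("fields"))})
            for m in DENIED_RE.finditer(log_text)]


def missing_rights(fields):
    """Rights required but not granted; open_domain logs only 'requested', so []."""
    if "granted" in fields and "required" in fields:
        return decode_mask(fields["required"] & ~fields["granted"])
    return []


if __name__ == "__main__":
    for func, fields in parse_denials(SAMPLE_LOG):
        print(func)
        for name, mask in fields.items():
            print("  %-9s 0x%03x = %s" % (name, mask, ", ".join(decode_mask(mask))))
        if missing_rights(fields):
            print("  missing   " + ", ".join(missing_rights(fields)))
```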