Samba and pam_ldap [SOLVED]

Post by Merlin8000 » Thu Feb 17, 2005 9:13 pm

Greetings all,

I have a 2004.3 Gentoo box. I've successfully set it up with OpenLDAP, pam_ldap, and nss_ldap using the gentoo ldap howto. I have emerged samba and would like for it to authenticate users using pam_ldap. I am having trouble with this setup.

I am using
Samba 3.0.10
OpenLDAP 2.1.30-r2
pam_ldap 171
nss_ldap 226
kernel 2.6.10-hardened-r3


When I try to log in with smbclient I get

Code:

myuser@myserver ~ $ smbclient \\\\localhost\\myshare\$
Password:
Domain=[MYSERVER] OS=[Unix] Server=[Samba 3.0.10]
tree connect failed: NT_STATUS_LOGON_FAILURE

with the server logs I get

Code:

myserver ~ # tail -f /var/log/everything/current /var/log/samba/*
==> /var/log/everything/current <==
Feb 17 15:01:37 [smbd] [2005/02/17 15:01:37, 0] smbd/service.c:make_connection_snum(570)_
Feb 17 15:01:37 [smbd] Can't become connected user!_

==> /var/log/samba/log.myserver <==
[2005/02/17 15:01:37, 0] smbd/service.c:make_connection_snum(570)
  Can't become connected user!

here is the output from testparm

Code:

Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[Myshare$]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

# Global parameters
[global]
        workgroup = MYWORKGROUP
        server string = Samba Server %v
        map to guest = Bad User
        smb passwd file = /etc/samba/private/smbpasswd
        passdb backend = ldapsam_compat:ldap://ldap.mydomain.net, smbpasswd, guest
        log file = /var/log/samba/log.%m
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /usr/share/samba/scripts/smbldap-useradd.pl '%u'
        delete user script = /usr/share/samba/scripts/smbldap-userdel.pl '%u'
        add group script = /usr/share/samba/scripts/smbldap-groupadd.pl '%g' && /usr/share/samba/scripts/smbldap-groupshow.pl %g|awk '/^gidNumber:/ {print $2}'
        delete group script = /usr/share/samba/scripts/smbldap-userdel.pl '%g'
        add user to group script = /usr/share/samba/scripts/smbldap-groupmod.pl -m '%u' '%g'
        delete user from group script = /usr/share/samba/scripts/smbldap-groupmod.pl -x '%u' '%g'
        set primary group script = /usr/share/samba/scripts/smbldap-usermod.pl -g '%g' '%u'
        dns proxy = No
        ldap admin dn = cn=Manager,dc=mydomain,dc=net
        ldap group suffix = ou=Group
        ldap machine suffix = ou=Hosts
        ldap suffix = dc=mydomain,dc=net
        ldap ssl = no
        ldap user suffix = ou=People

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[myshare$]
        comment = Publicly accessible files -writable-
        path = /var/myshare
        valid users = myuser
        read list = myuser
        write list = myuser
        force group = mygroup
        read only = No
        directory mask = 0770
        guest ok = Yes
        fstype = Samba

Any ideas?
Last edited by Merlin8000 on Tue Feb 22, 2005 5:07 pm, edited 1 time in total.
Post by UberLord » Thu Feb 17, 2005 11:42 pm

Merlin8000 wrote: I have emerged samba and would like for it to authenticate users using pam_ldap. I am having trouble with this setup.

...

any ideas?

If you want to auth samba against pam_ldap then remove all ldap refs from your samba config and set it up as if there was no ldap - pam takes care of ldap.

However, if you want samba to bypass pam (which is probably a better idea) and auth directly against ldap, then leave your ldap refs in.

The only thing that I can see is wrong after a quick look is your ldap ref - here's a working one

Code:

passdb backend = ldapsam:ldap://ldap.mydomain.net

So if it's not in ldap - or ldap isn't available - then they don't get in.
Post by Merlin8000 » Fri Feb 18, 2005 2:51 pm

UberLord wrote:
If you want to auth samba against pam_ldap then remove all ldap refs from your samba config and set it up as if there was no ldap - pam takes care of ldap.

However, if you want samba to bypass pam (which is probably a better idea) and auth directly against ldap, then leave your ldap refs in.

The only thing that I can see is wrong after a quick look is your ldap ref - here's a working one

Code:

passdb backend = ldapsam:ldap://ldap.mydomain.net

So if it's not in ldap - or ldap isn't available - then they don't get in.

I'm thinking I'd rather authenticate directly with my ldap server than go through pam_ldap, it just feels more straightforward.

Changing the passdb backend didn't seem to have any effect, any idea what "Can't become connected user!" means?
Post by Merlin8000 » Fri Feb 18, 2005 6:07 pm

Well, I've been tinkering with the samba configuration and found that removing the valid users line allowed me to connect through both smbclient and a Windows XP workstation.
Unfortunately, this was with guest access on.

When I connect with smbclient \\\\localhost\\myshare\$ -U myuser I get prompted for a password and only the correct password will allow me in.
When I connect using guest ok = yes for myshare, the samba log shows this:

Code:

[2005/02/18 12:04:02, 1] smbd/service.c:make_connection_snum(648)
  myserver (127.0.0.1) connect to service Myshare$ initially as user nobody (uid=65534, gid=1000) (pid 15166)

but then for some reason I get dropped back to guest access. If I use guest ok = no in the share definition then I get NT_STATUS_ACCESS_DENIED from smbclient.

I am also unable to connect to the [homes] share, I get NT_STATUS_ACCESS_DENIED here as well...I would think it's safe to assume that it's for the same reason.

progress...
Post by Merlin8000 » Tue Feb 22, 2005 5:12 pm

Well I've done more reading on this subject, and tinkering....probably more tinkering than real reading.

The fix was enabling my user for use with samba.

So first I added the sambaSamAccount objectClass to my user, after that point I got logon failures with or without valid passwords, so I used smbpasswd myuser and I was able to auth and map network drives.
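
Added example, not part of the original thread: a shell check for the state the last post describes, where an LDAP user only works with Samba once the entry carries the sambaSamAccount objectClass and a password set with smbpasswd. The function name and the sample entries are constructed for this example, and the sambaSID check is an addition (it is a required attribute of sambaSamAccount in the Samba 3 schema).

```shell
#!/bin/sh
# Added example: report what an LDIF user entry lacks for Samba ldapsam logons.
# Reads one entry on stdin, prints findings, returns 0 only if nothing is missing.
check_samba_entry() {
    awk '
        function handle(l,    i, name, value) {
            i = index(l, ":")
            if (i == 0) return
            name = tolower(substr(l, 1, i - 1))
            value = substr(l, i + 1)
            sub(/^:? */, "", value)   # plain "attr: v" and base64 "attr:: v"
            if (name == "objectclass") oc[tolower(value)] = 1
            else if (value != "") attr[name] = 1
        }
        function need(ok, what) {
            if (!ok) { print "MISSING " what; missing++ }
        }
        /^ / { line = line substr($0, 2); next }   # folded LDIF line: join it
        { if (line != "") handle(line); line = $0 }
        END {
            if (line != "") handle(line)
            need(("sambasamaccount" in oc), "objectClass sambaSamAccount")
            need(("sambasid" in attr), "sambaSID")
            need(("sambantpassword" in attr), "sambaNTPassword (set with smbpasswd)")
            if (!missing) print "OK entry is Samba-enabled"
            exit (missing > 0)
        }
    '
}

# Constructed sample entries (assumed values, not taken from the thread).
SAMPLE_POSIX_ONLY='dn: uid=myuser,ou=People,dc=mydomain,dc=net
objectClass: account
objectClass: posixAccount
cn: myuser
uid: myuser
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/myuser'

SAMPLE_SAMBA_READY="$SAMPLE_POSIX_ONLY
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3000
sambaNTPassword: 00000000000000000000000000000000"

printf '%s\n' "$SAMPLE_POSIX_ONLY" | check_samba_entry || true
printf '%s\n' "$SAMPLE_SAMBA_READY" | check_samba_entry
```

On a live server, pipe `ldapsearch -x -LLL -b dc=mydomain,dc=net '(uid=myuser)'` into `check_samba_entry`, binding as a DN that is allowed to read sambaNTPassword. Directories commonly restrict that attribute, and an anonymous search would then report it as missing.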