
LDAP user authentication !?sometimes!? fails

Everything about the Internet, Internet applications (e-mail, browsing, cloud, etc.) and setting up networks including VPN under Linux

Moderator: Moderators

raffael.schmid
Newbie
Posts: 4
Joined: 9 Aug 2005, 20:23

LDAP user authentication !?sometimes!? fails

Post by raffael.schmid »

Hello,

I have now spent two days setting up a Samba server with LDAP. But now I am stuck:

I created two users (raffi, tester) and root.
When I connect to the server from W2K, I can authenticate as raffi, but not as tester. Joining the machine to the domain doesn't work either (as root).

Excerpt of the log file (log level 2) as raffi:

Code:

[2005/09/21 08:19:49, 0] lib/util_sock.c:get_peer_addr(1150)
  getpeername failed. Error was Transport endpoint is not connected
[2005/09/21 08:19:49, 0] lib/util_sock.c:read_socket_data(384)
  read_socket_data: recv failure for 4. Error = Connection reset by peer
[2005/09/21 08:19:49, 2] smbd/server.c:exit_server(609)
  Closing connections
[2005/09/21 08:19:49, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/09/21 08:19:49, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/09/21 08:19:49, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/09/21 08:19:49, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: raffi
[2005/09/21 08:19:49, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1971)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error:  (No such object)
[2005/09/21 08:19:49, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1971)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error:  (No such object)
[2005/09/21 08:19:49, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1971)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error:  (No such object)
[2005/09/21 08:19:49, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [raffi] -> [raffi] -> [raffi] succeeded
[2005/09/21 09:10:48, 2] smbd/server.c:exit_server(609)
  Closing connections

Excerpt of the log file (log level 2) as tester:

Code:

[2005/09/21 09:13:09, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/09/21 09:13:09, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/09/21 09:13:09, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/09/21 09:13:09, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: tester
[2005/09/21 09:13:09, 1] auth/auth_util.c:make_server_info_sam(840)
  User tester in passdb, but getpwnam() fails!
[2005/09/21 09:13:09, 0] auth/auth_sam.c:check_sam_security(324)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2005/09/21 09:13:09, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [tester] -> [tester] FAILED with error NT_STATUS_NO_SUCH_USER
[2005/09/21 09:13:09, 2] smbd/server.c:exit_server(609)
  Closing connections

smb.conf:

Code:

[global]
   netbios name       = fileserver
   workgroup          = YUX
   server string      = fileserver Rules the World
   encrypt passwords  = true
   unix password sync = false
   security           = user

   log file           = /var/log/samba/log
   log level          = 2
   max log size       = 0

   socket options     = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   domain logons      = true
   os level           = 254
   preferred master   = true
   local master       = true
   domain master      = true
   dns proxy          = true
   wins support       = true

   logon path         = \\fileserver\profiles\%u
   logon drive        = U:
   logon home         = \\fileserver\%u
   logon script       = logon.cmd

   null passwords = no
   hide unreadable = yes
   hide dot files = yes

   ldap passwd sync = yes
   passdb backend = ldapsam:ldap://127.0.0.1:389

   ldap suffix        = ou=Users,dc=yux
   ldap group suffix  = ou=Groups,dc=yux
   ldap machine suffix= ou=Workstations,dc=yux
   ldap admin dn      = cn=root,dc=yux

   add machine script = /usr/sbin/smbldap-useradd -w "%u"
   add user script = /usr/sbin/smbldap-useradd -m "%u"
   ldap delete dn = Yes
   add group script = /usr/sbin/smbldap-groupadd -p "%g"
   add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

[homes]
   comment        = Home Directories
   valid users    = %S
   read only      = false
   create mask    = 0600
   directory mask = 0700
   browseable     = false

[netlogon]
   comment     = Network Logon Service
   path        = /usr/local/var/samba/netlogon
   writable    = no

[profiles]
   path           = /usr/local/var/samba/profiles
   writeable      = true
   browseable     = false
   create mode    = 0600
   directory mode = 0700

/etc/openldap/slapd.conf:

Code:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/rfc2307bis.schema
include         /etc/openldap/schema/yast.schema
include         /etc/openldap/schema/samba.schema
#include                /etc/openldap/schema/nis.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

# Load dynamic backend modules:
modulepath      /usr/lib/openldap/modules
# moduleload    back_ldap.la
# moduleload    back_meta.la
# moduleload    back_monitor.la
# moduleload    back_perl.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access to user password
#               Allow anonymous users to authenticate
#               Allow read access to everything else
#       Directives needed to implement policy:
access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

#access to attr=userPassword,userPKCS12
#        by self write
#        by * auth

#access to attr=shadowLastChange
#        by self write
#        by * read

#access to *
#        by * read

access to attr=userPassword
        by dn="cn=root,dc=yux" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="cn=root,dc=yux" write
        by * read

#access to dn=".*,ou=Roaming,dc=yux"
#       by dn="cn=root,dc=yux" write
#       by dnattr=owner write


database ldbm
suffix  "dc=yux"
lastmod on
directory       /var/lib/ldap
index   objectClass     eq


# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

#database       bdb
#checkpoint      1024    5
#cachesize       10000
#suffix         "dc=yux"
rootdn          "cn=root,dc=yux"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          admin11
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
#directory      /var/lib/ldap
# Indices to maintain
#index  objectClass     eq

In the logs I see "User tester in passdb, but getpwnam() fails!"
What is that supposed to mean??

From Mac or Linux (tested with SuSE 9.3) I can authenticate via LDAP without any problem.

The system is a SuSE 9.3, Samba version 3.0.13-1.1-SUSE, openldap slapd 2.2.23

How can I now log in from Windows and join the machine to the domain?

Many thanks in advance

Regards

rs
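The two log excerpts above read differently for the two users: for raffi the group searches fail with "No such object" but the NTLM check still succeeds, while for tester the account is found in passdb and then getpwnam() fails, which ends in NT_STATUS_NO_SUCH_USER. The following is an added example, not code from the poster or from Samba: a small parser for the Samba 3 log format (header line plus indented message lines) and a triage step that maps the messages seen in this thread to findings. The sample log is constructed from the excerpts above with the getpeername/recv noise left out; the signature list and the hint texts are my own and cover only what is visible here.

```python
import re

# Constructed sample, assembled from the log excerpts posted in the thread
# (log level 2); the getpeername/recv lines at the top were left out.
SAMPLE_LOG = """\
[2005/09/21 08:19:49, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: raffi
[2005/09/21 08:19:49, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1971)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error:  (No such object)
[2005/09/21 08:19:49, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1971)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error:  (No such object)
[2005/09/21 08:19:49, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [raffi] -> [raffi] -> [raffi] succeeded
[2005/09/21 09:13:09, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: tester
[2005/09/21 09:13:09, 1] auth/auth_util.c:make_server_info_sam(840)
  User tester in passdb, but getpwnam() fails!
[2005/09/21 09:13:09, 0] auth/auth_sam.c:check_sam_security(324)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2005/09/21 09:13:09, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [tester] -> [tester] FAILED with error NT_STATUS_NO_SUCH_USER
"""

# Samba 3 header line: "[timestamp, level] file:function(line)"
HEADER_RE = re.compile(r"^\[(?P<ts>[^\]]+), (?P<level>\d+)\] (?P<src>\S+)$")


def parse_samba_log(text):
    """Return a list of entries {ts, level, src, msg}.

    Every header line starts a new entry; the indented lines that follow
    are the message belonging to that header and are joined into one string.
    """
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            entries.append({"ts": m["ts"], "level": int(m["level"]),
                            "src": m["src"], "msg": ""})
        elif entries and raw[:1].isspace():
            sep = " " if entries[-1]["msg"] else ""
            entries[-1]["msg"] += sep + raw.strip()
    return entries


# (regex, finding kind, what to check). Only the messages visible in this
# thread are covered; this is not an exhaustive catalogue of Samba messages.
SIGNATURES = [
    (re.compile(r"User (?P<user>\S+) in passdb, but getpwnam\(\) fails"),
     "nss-lookup-failed",
     "LDAP passdb knows the account but NSS does not: check nss_ldap base/filter"),
    (re.compile(r"ldapsam_search_one_group: .*No such object"),
     "ldap-group-base-missing",
     "group search base does not exist: check ldap suffix / ldap group suffix"),
    (re.compile(r"Authentication for user \[(?P<user>[^\]]+)\].*FAILED with error (?P<status>\S+)"),
     "auth-failed", "final NTLM result for the session"),
    (re.compile(r"authentication for user \[(?P<user>[^\]]+)\].*succeeded"),
     "auth-ok", "final NTLM result for the session"),
]


def triage(entries):
    """Map parsed entries to findings; the first matching signature wins."""
    findings = []
    for e in entries:
        for rx, kind, hint in SIGNATURES:
            m = rx.search(e["msg"])
            if m:
                g = m.groupdict()
                findings.append({"ts": e["ts"], "kind": kind, "hint": hint,
                                 "user": g.get("user"), "status": g.get("status")})
                break
    return findings


def per_user_summary(findings):
    """Collapse findings to {user: [kind, ...]} to compare users side by side."""
    summary = {}
    for f in findings:
        if f["user"]:
            summary.setdefault(f["user"], []).append(f["kind"])
    return summary


if __name__ == "__main__":
    for f in triage(parse_samba_log(SAMPLE_LOG)):
        print(f["ts"], f["kind"], f["user"] or "-", f["status"] or "-", "|", f["hint"])
    print(per_user_summary(triage(parse_samba_log(SAMPLE_LOG))))
```

Run against a real log file, the per-user summary is what to look at first: an account that shows "nss-lookup-failed" before "auth-failed" is resolvable through the passdb backend but not through NSS, so the thing to compare is what the LDAP backend in smb.conf searches versus what the system's NSS configuration searches.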
raffael.schmid
Newbie
Posts: 4
Joined: 9 Aug 2005, 20:23

solved

Post by raffael.schmid »

ok, it's sorted...

The important part is this in the smb.conf:

Code:

   ldap suffix        = dc=yux
   ldap user suffix   = ou=Users,dc=yux
   ldap group suffix  = ou=Groups,dc=yux
   ldap machine suffix= ou=Workstations,dc=yux
   ldap admin dn      = cn=root,dc=yux

I hadn't entered "ldap user suffix".....

Many thanks for the answers ;-)

regards

rs
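The effect of the corrected suffix block can be checked without a directory. What follows is an added example, not the poster's code or anything shipped with Samba: it parses the [global] section of an smb.conf, applies the rule smb.conf(5) documents (ldap user/group/machine suffix are partial DNs pre-pended to ldap suffix, and an unset one falls back to ldap suffix) and reports the DNs that will actually be searched. The precise concatenation behaviour (append ",<ldap suffix>" unless the configured value already contains it) is my reading of Samba 3.0's parameter handling and is an assumption; the two configuration excerpts are constructed from the first post and from the fix above.

```python
import re

# Constructed excerpt: the LDAP settings as posted in the original question.
ORIGINAL_CONF = """\
[global]
   workgroup          = YUX
   passdb backend = ldapsam:ldap://127.0.0.1:389
   ldap suffix        = ou=Users,dc=yux
   ldap group suffix  = ou=Groups,dc=yux
   ldap machine suffix= ou=Workstations,dc=yux
   ldap admin dn      = cn=root,dc=yux

[homes]
   valid users    = %S
"""

# Constructed excerpt: the corrected block from the follow-up post.
FIXED_CONF = """\
[global]
   workgroup          = YUX
   passdb backend = ldapsam:ldap://127.0.0.1:389
   ldap suffix        = dc=yux
   ldap user suffix   = ou=Users,dc=yux
   ldap group suffix  = ou=Groups,dc=yux
   ldap machine suffix= ou=Workstations,dc=yux
   ldap admin dn      = cn=root,dc=yux
"""

SUB_SUFFIXES = ("ldap user suffix", "ldap group suffix", "ldap machine suffix")


def parse_global(conf_text):
    """Return the [global] section as {normalised key: value}.

    Keys are lower-cased with internal whitespace collapsed, so
    'ldap machine suffix= x' and 'LDAP Machine Suffix = x' land on one key.
    Comment lines (# or ;) and other sections are ignored.
    """
    section, params = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split()).lower()] = value.strip()
    return params


def effective_ldap_suffixes(conf_text):
    """Compute the DNs Samba will search for users, groups and machines.

    Assumption (Samba 3.0 loadparm behaviour): an unset sub-suffix equals
    ldap suffix; a set one is left alone if it already contains ldap suffix,
    otherwise ',<ldap suffix>' is appended to it.
    """
    g = parse_global(conf_text)
    base = g.get("ldap suffix", "")
    effective = {"ldap suffix": base}
    for key in SUB_SUFFIXES:
        sub = g.get(key, "")
        if not sub:
            effective[key] = base
        elif base and base not in sub:
            effective[key] = f"{sub},{base}"
        else:
            effective[key] = sub
    return effective


def lint_ldap_suffixes(conf_text):
    """Flag sub-suffixes written as full DNs that Samba will extend anyway.

    Heuristic: a value that already carries a 'dc=' component but does not
    contain ldap suffix ends up nested under the base; that DN normally does
    not exist, which is what 'No such object' in the log points at.
    """
    g = parse_global(conf_text)
    base = g.get("ldap suffix", "")
    warnings = []
    for key in SUB_SUFFIXES:
        sub = g.get(key, "")
        if sub and base and "dc=" in sub.lower() and base not in sub:
            warnings.append(f"{key}: '{sub}' will be searched as '{sub},{base}' "
                            f"because it does not contain ldap suffix '{base}'")
    return warnings


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(f"== {label} ==")
        for key, dn in effective_ldap_suffixes(conf).items():
            print(f"  {key:<20} -> {dn}")
        for w in lint_ldap_suffixes(conf):
            print("  WARNING:", w)
```

With the original block the group and machine suffixes come out as ou=Groups,dc=yux,ou=Users,dc=yux and ou=Workstations,dc=yux,ou=Users,dc=yux, which matches the "No such object" group searches in the first log excerpt; with ldap suffix = dc=yux every sub-suffix already contains the base and is used as written. Running testparm -v on the real file and reading the ldap * suffix lines it prints is the quickest way to confirm what a given Samba version does.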