# LDAP -> SAMBA -> Fake Root



## Sotares (7. März 2005)

Hallo zusammen!

Wenn ich einen Windows-Client zu meiner Samba-Domäne hinzufügen möchte, bekomme ich eine Fehlermeldung, dass der Benutzername oder das Kennwort unbekannt ist.

Die Authentifizierung von admin läuft über LDAP, was gemäss Logfile anscheinend auch erfolgreich stattfindet:


```
[2005/03/07 13:22:22, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
  Returning domain sid for domain DEBIAN -> S-1-5-21-3913269775-3181398248-2826524576
[2005/03/07 13:22:22, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
[2005/03/07 13:22:22, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
  Returning domain sid for domain DEBIAN -> S-1-5-21-3913269775-3181398248-2826524576
[2005/03/07 13:22:22, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201;  required: 0x00000010)
[2005/03/07 13:22:22, 2] smbd/server.c:exit_server(571)
  Closing connections
[2005/03/07 13:22:22, 2] lib/smbldap.c:smbldap_search_domain_info(1373)
  Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DEBIAN))]
[2005/03/07 13:22:22, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/03/07 13:22:22, 2] smbd/reply.c:reply_special(235)
  netbios connect: name1=SAMBA           name2=SUNRISE-0000002
[2005/03/07 13:22:22, 2] smbd/reply.c:reply_special(242)
  netbios connect: local=samba remote=sunrise-0000002, name type = 0
[2005/03/07 13:22:22, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/03/07 13:22:22, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/03/07 13:22:22, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
  init_sam_from_ldap: Entry found for user: admin
[2005/03/07 13:22:22, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [admin] -> [admin] -> [admin] succeeded
[2005/03/07 13:22:23, 2] smbd/server.c:exit_server(571)
  Closing connections
```


smb.conf


```
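[global]
   workgroup = DEBIAN
   netbios name = SAMBA
   server string = %h server (Samba %v)
   #log file = /var/log/samba/log.%m
   log level = 2
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = user
   encrypt passwords = true
   #passwd program = /usr/bin/passwd %u
   #passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
   socket options = TCP_NODELAY


# PDC role for the DEBIAN domain
local master = yes
os level = 255
domain master = yes
# NOTE(review): "prefered master" is the historical spelling; Samba documents
# it as a synonym of "preferred master" -- confirm it is accepted by the
# installed version.
prefered master = yes
domain logons = yes


# LDAP
# smbd binds to the directory as "ldap admin dn". That DN is also the slapd
# rootdn (see slapd.conf), which bypasses every slapd ACL; a dedicated bind DN
# with write access limited to the Samba subtrees would be least privilege.
ldap passwd sync = Yes
passdb backend = ldapsam


#ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
#ldap filter = (&(objectclass=posixAccount)(uid=%u))
ldap admin dn = cn=admin,dc=my,dc=ldap
ldap suffix = dc=my,dc=ldap
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers

# smbd runs these scripts as root, but only after the SAMR access check has
# passed. The log shows the join failing before that point:
#   _samr_create_user: ACCESS DENIED (granted: 0x00000201; required: 0x00000010)
# so "add machine script" is never reached. The joining account "admin" is an
# ordinary user in the LDIF (uidNumber 999, sambaAcctFlags [U]); its password
# was accepted (check_ntlm_password ... succeeded), its rights were not.
# NOTE(review): Samba 3.0 grants the create-user right to uid 0 (root) and,
# from 3.0.11 with "enable privileges = yes", to accounts holding
# SeMachineAccountPrivilege (granted via "net rpc rights grant") -- confirm
# against the installed version before relying on either.
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
#delete user script = /usr/sbin/smbldap-userdel "%u"
# (a second, identical "add machine script" line was removed here; the last
# occurrence of a parameter silently wins, so the duplicate only hid intent)
add group script = /usr/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"


[cdrom]
   path = /cdrom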
```


*Die Benutzer-Accounts (posixAccount, sambaSamAccount, Samba-CD-ROM-Freigabe) funktionieren tadellos.*



Anbei der LDIF-Auszug des Samba-Fake-Root-Accounts:


```
# Samba "fake root" account as stored in the directory.
# NOTE(review): uidNumber 999 and sambaAcctFlags [U] make this an ordinary
# user account, not root (uid 0). The SAMR ACCESS DENIED in the log therefore
# concerns this account's rights, not its password -- the log shows the
# authentication for [admin] succeeding.
dn:uid=admin,ou=Users,dc=my,dc=ldap
uid: admin
givenName: admin
sn: admin
cn: admin admin
loginShell: /bin/bash
uidNumber: 999
gidNumber: 998
homeDirectory: /home/admin
shadowMin: -1
shadowMax: 999999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount
sambaSID: S-1-5-21-3913269775-3181398248-2826524576-2998
sambaPrimaryGroupSID: S-1-5-21-3913269775-3181398248-2826524576-2997
displayName: admin admin
sambaPwdMustChange: 2147483647
# sambaLMPassword / sambaNTPassword / sambaPasswordHistory are
# password-equivalent credentials. The slapd.conf ACL shown below protects
# only userPassword; its catch-all "access to * by * read" leaves these
# attributes readable by any anonymous search.
sambaLMPassword: 5DE349F503BBA07CAAD3B435B51404EE
sambaNTPassword: E9FCEFF7358F2D3BBAC2B31841E874F2
sambaPasswordHistory: 000000000000000000000000000000000000000000000000000000
 0000000000
sambaAcctFlags: [U          ]
sambaPwdCanChange: 1110199330
sambaPwdLastSet: 1110199330
userPassword: {SMD5}sIMm+Ufd/FeY+m9p6vm3amqapx8=
```


ldap.conf


```
# nss_ldap / pam_ldap client configuration.
# The server is the loopback address; "ssl no" below means binds and
# password changes travel in clear text, which is acceptable only because
# the connection never leaves the host.
host 127.0.0.1
base dc=my,dc=ldap

# rootbinddn is the DN that uid 0 binds as (password taken from
# /etc/ldap.secret). NOTE(review): this is the suffix entry, not the slapd
# rootdn "cn=admin,dc=my,dc=ldap" from slapd.conf -- confirm it is intended,
# otherwise root's binds fail and password changes from root cannot work.
rootbinddn dc=my,dc=ldap

# NOTE(review): the "?sub" searches below already cover ou=Users and
# ou=Groups; nss_ldap appears to honour several nss_base_* lines in order,
# so the second set is redundant with the first.
nss_base_passwd dc=my,dc=ldap?sub
nss_base_shadow dc=my,dc=ldap?sub
nss_base_group ou=Groups,dc=my,dc=ldap?one

nss_base_passwd ou=Users,dc=my,dc=ldap?one
nss_base_shadow ou=Users,dc=my,dc=ldap?one
nss_base_group ou=Groups,dc=my,dc=ldap?one

ssl no
pam_password md5
```


slapd.conf


```
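include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

schemacheck     on
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd.args
loglevel        0

modulepath      /usr/lib/ldap
moduleload      back_ldbm
backend         ldbm

database        ldbm

suffix            "dc=my,dc=ldap"
# The rootdn is not subject to the ACLs below. Samba binds as this same DN
# ("ldap admin dn" in smb.conf), so smbd has unrestricted write access.
rootdn          "cn=admin,dc=my,dc=ldap"
# rootpw is a credential: keep this file readable by root only.
rootpw          {SSHA}Jp7UhRBtBpd2R6tTXgzjUChZYrL2eOdc
directory       "/var/lib/ldap"
index           objectClass eq
lastmod         on
# The Samba hash attributes are password-equivalent credentials and need the
# same protection as userPassword. The previous clause named userPassword
# only, so the catch-all "access to * by * read" further down exposed
# sambaLMPassword, sambaNTPassword and sambaPasswordHistory to any anonymous
# search. ACL clauses are evaluated in order; this one must stay above it.
access to attribute=userPassword,sambaLMPassword,sambaNTPassword,sambaPasswordHistory
        by dn="cn=admin,dc=my,dc=ldap" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read

# Everything else is world-readable, which the nss_ldap client (no binddn in
# ldap.conf, hence anonymous) needs for passwd/group lookups.
access to *
        by dn="cn=admin,dc=my,dc=ldap" write
        by * read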
```


/etc/pam.d/login


```
# auth: pam_unix is tried first; "nullok" lets local accounts with an empty
# password field authenticate -- drop it unless such accounts are intended.
# pam_ldap then reuses the password already collected (use_first_pass).
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so

# account: pam_unix is "required", so it must succeed (via nss_ldap for
# LDAP-only users) before pam_ldap is consulted; a failure here rejects the
# login regardless of pam_ldap's answer.
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so

# password: cracklib checks strength, then the new password is handed on
# unchanged (use_authtok) to whichever backend owns the account.
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so

# session: pam_ldap is optional, so its failure does not block the login.
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
```

/etc/nsswitch.conf


```
# Local files are consulted before LDAP for each database; the LDAP search
# bases come from the nss_base_* lines in ldap.conf.
passwd:         files ldap
group:          files ldap
shadow:         files ldap
...
...
```

Das ACCESS DENIED irritiert mich ein wenig – was ist damit gemeint?


```
[2005/03/07 13:22:22, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
```



Irgendwo muss der Wurm drin sein  
Danke für die Hilfe

- Sotares


----------

