On Mon, 05 Mar 2012 19:55:36 +0200, Jonathan Adams <[email protected]>
wrote:
> Samba with LDAP is a PITA ... and we use it ...
> First off, all users who want to use samba must have real uids on the
> system, which means that the host has to be an LDAP client.
> Second, since 3.0.24 if you're planning on being a domain server you
> need to get hold of the smb-ldap perl tools.
> Have you remembered to run smbpasswd -W ?
> Jon
Yes, I have run "smbpasswd -w my-secret".
I do not intend to run SAMBA in a Windows domain - I just want plain stupid
workgroup shares without poisoning "/etc/passwd" and the like.
I have the following file structure:
/masiv
|
+-- backup
    |
    +--- Sales
    |    |
    |    +--- Dealer_1
    |    |
    |    +--- Dealer_2
    |
    +--- Design
    |    |
    |    +--- Designer_1
    |    |
    |    +--- Designer_2
    |
    +--- Engineering
    |    |
    |    +--- Engineer_1
    |    |
    |    +--- Engineer_2
    |
    +--- Finance
         |
         +-- Accountant_1
I also have 2 local users - PERSON and BOSS, both have a primary group DEPART.
All directories below "/masiv/backup" are owned by PERSON:DEPART and have
permissions 755.
In workgroup mode, SAMBA offers 2 kinds of security - "user" and "share".
In "user" mode, the Windows client provides a username/password combination on
the first access to SAMBA, and then this credential is used for all shares until
Windows is rebooted.
In "share" mode, the Windows client provides a password each time it tries to
access a share - since no username is provided, SAMBA chooses the first user with
a matching password.
What I need is this:
1) each Windows customer should be able to map his own shared folder (I mean the
share whose name is equal to the name of the customer) onto Windows drive letter
Z: with write access, using his unique password;
2) department chiefs should be able to map the shared folder of their department
onto Windows drive letter X: as read only, using the unique password of their
department (so that the chief can see the subfolders of his subordinates, but can
not mess with their files);
3) customers should not be able to see the contents of the shared folders of
their colleagues.
I do not want to create a new local user in OpenIndiana for every new employee -
instead, I prefer to populate their profiles in a database. But using an SQL
database seems too much for this simple task, so I chose to use LDAP.
I want to have several dozen VIRTUAL user accounts in LDAP - so that their
passwords can be used for authentication by SAMBA. But I only want to use the
above 2 UNIX users (PERSON and BOSS) for filesystem permissions. So I need to
somehow map the password onto a UID through LDAP ....
As seen from this log file, SAMBA does not get "uidNumber" from the LDAP records
- but tries to find it through the OS. And so the problem is - how to get the OS
to find the UID of a specified LDAP posixAccount?
--------------------- CUT ------------------------------
[2012/03/05 22:54:34.216956, 5] auth/token_util.c:525()
NT user token: (NULL)
[2012/03/05 22:54:34.216989, 5] auth/token_util.c:551()
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2012/03/05 22:54:34.217034, 5] smbd/uid.c:369()
change_to_root_user: now uid=(0,0) gid=(0,0)
[2012/03/05 22:54:34.217069, 4] smbd/reply.c:767()
Client requested device type [?????] for share [ADMINISTRATION]
[2012/03/05 22:54:34.217106, 5] smbd/service.c:1227()
making a connection to 'normal' service administration
[2012/03/05 22:54:34.217136, 3] lib/access.c:362()
only_ipaddrs_in_list: list has non-ip address (192.168.2.)
[2012/03/05 22:54:34.217164, 3] lib/access.c:396()
check_access: hostnames in host allow/deny list.
[2012/03/05 22:54:34.217199, 2] lib/access.c:406()
Allowed connection from UNKNOWN (192.168.2.175)
[2012/03/05 22:54:34.217244, 5] lib/username.c:133()
Finding user ADMINISTRATION
[2012/03/05 22:54:34.217272, 5] lib/username.c:77()
Trying _Get_Pwnam(), username as lowercase is administration
[2012/03/05 22:54:34.217348, 5] lib/username.c:85()
Trying _Get_Pwnam(), username as given is ADMINISTRATION
[2012/03/05 22:54:34.217418, 5] lib/username.c:104()
Checking combinations of 0 uppercase letters in administration
[2012/03/05 22:54:34.217450, 5] lib/username.c:110()
Get_Pwnam_internals didn't find user [ADMINISTRATION]!
[2012/03/05 22:54:34.217486, 10] smbd/password.c:475()
user_in_list: checking user nobody in list
[2012/03/05 22:54:34.217513, 10] smbd/password.c:480()
user_in_list: checking user |nobody| against |boss|
[2012/03/05 22:54:34.217552, 2] smbd/service.c:626()
Invalid username/password for [ADMINISTRATION]
[2012/03/05 22:54:34.217582, 1] smbd/service.c:678()
create_connection_server_info failed: NT_STATUS_WRONG_PASSWORD
[2012/03/05 22:54:34.217621, 3] smbd/error.c:80()
error packet at smbd/reply.c(776) cmd=117 (SMBtconX) NT_STATUS_WRONG_PASSWORD
--------------------- CUT ------------------------------
_______________________________________________
OpenIndiana-discuss mailing list
[email protected]
http://openindiana.org/mailman/listinfo/openindiana-discuss
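The pasted log can be read mechanically. As an added example, not from the original message or from Samba, this Python parser pairs Samba's debug headers with their message lines and flags the pattern visible in the log above: a failed Get_Pwnam lookup followed by NT_STATUS_WRONG_PASSWORD, which means the account name never resolved to a UNIX uid through the OS name service, not that the client sent a wrong password. The sample log is a constructed copy of four entries from the post.

```python
import re

# Constructed sample: four entries copied in the shape of the Samba debug log
# quoted in the message above (same message texts and share name).
SAMPLE_LOG = """\
[2012/03/05 22:54:34.217244, 5] lib/username.c:133()
  Finding user ADMINISTRATION
[2012/03/05 22:54:34.217450, 5] lib/username.c:110()
  Get_Pwnam_internals didn't find user [ADMINISTRATION]!
[2012/03/05 22:54:34.217552, 2] smbd/service.c:626()
  Invalid username/password for [ADMINISTRATION]
[2012/03/05 22:54:34.217582, 1] smbd/service.c:678()
  create_connection_server_info failed: NT_STATUS_WRONG_PASSWORD
"""

# "[timestamp, debug-level] source-file:line()" header line, then a message line
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+), (?P<level>\d+)\] (?P<src>\S+)$")
NOT_FOUND = re.compile(r"didn't find user \[(?P<name>[^\]]+)\]")
STATUS = re.compile(r"(NT_STATUS_[A-Z_]+)")

def parse_entries(text):
    """Pair each header line with the message line that follows it."""
    entries, header = [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = HEADER.match(line)
        if m:
            header = m.groupdict()
        elif header is not None:
            entries.append({**header, "msg": line})
            header = None
    return entries

def diagnose(text):
    """Return (unresolved_name, nt_status, verdict). A failed Get_Pwnam lookup
    followed by NT_STATUS_WRONG_PASSWORD means the account name never resolved to
    a UNIX uid through the OS name service (nsswitch / LDAP client), so that
    status is not evidence of a wrong password."""
    unresolved = status = None
    for entry in parse_entries(text):
        m = NOT_FOUND.search(entry["msg"])
        if m:
            unresolved = m.group("name")
        s = STATUS.search(entry["msg"])
        if s:
            status = s.group(1)
    if unresolved and status == "NT_STATUS_WRONG_PASSWORD":
        return unresolved, status, "name not resolvable by NSS"
    if status == "NT_STATUS_WRONG_PASSWORD":
        return None, status, "bad password"
    return unresolved, status, "other failure" if status else "no auth failure"
```

Run it against a real `log level = 10` smbd log to separate name-service problems from genuine credential failures before touching the passdb.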