Debian Sarge com Samba 3.0.6-3 e openldap 2.1.30-3 - longo
Prezados da Lista,
Estou usando no Debian Sarge esquema de autenticação de rede Windows com
Samba 3.0.6-3 e OpenLdap 2.1.30-3.
Enquanto utilizava o Samba 3.0.5 tudo corria bem. Os usuários autenticavam e
tudo que configurei de mais complexo estava funcionando normalmente.
Quando dei o último apt-get upgrade a versão do Samba subiu para 3.0.6 e
tudo desandou. Como o schema muda de uma versão para outra atualizei o
schema corrigindo os erros no log do ldap.
Se cadastro uma máquina no samba tudo corre normalmente pelo Assistente do
Windows XP. Após o boot é que as coisas pioram.
O problema que surgiu foi que quando logo com o Windows XP na rede aparece o
seguinte erro:
"Não foi possível fazer logon no sistema. Verifique se o nome de usuário e o
domínio estão corretos e digite a senha novamente. As letras das senhas
devem ser digitadas levando-se em consideração maiúsculas e minúsculas."
Desconfiado do Samba desativei o ldap e loguei direto com usuários criados
diretamente no Samba. Desta vez o logon aconteceu com sucesso. Por isso me
restou desconfiar do openldap ou de algum parâmetro com faltou ser compilado
no Samba 3.0.6.
Na tentativa de logon o log do ldap me retorna:
Sep 13 17:43:26 localhost slapd[2679]: conn=75 op=10 SRCH
base="dc=empresa,dc=com,dc=br" scope=2
filter="(&(uid=TESTE4$)(objectClass=sambaSamAccount))"
Sep 13 17:43:26 localhost slapd[2679]: conn=75 op=10 SRCH attr=uid uidNumber
gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange
sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName
sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description
sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword
sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory
modifyTimestamp sambaLogonHours modifyTimestamp
Sep 13 17:43:26 localhost slapd[2679]: conn=75 op=10 SEARCH RESULT tag=101
err=0 nentries=1 text=
Sep 13 17:43:26 localhost slapd[2678]: conn=75 op=11 SRCH
base="dc=empresa,dc=com,dc=br" scope=2
filter="(&(uid=TESTE4$)(objectClass=sambaSamAccount))"
Sep 13 17:43:26 localhost slapd[2678]: conn=75 op=11 SRCH attr=uid uidNumber
gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange
sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName
sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description
sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword
sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory
modifyTimestamp sambaLogonHours modifyTimestamp
Sep 13 17:43:26 localhost slapd[2678]: conn=75 op=11 SEARCH RESULT tag=101
err=0 nentries=1 text=
Sep 13 17:43:26 localhost slapd[2680]: conn=75 op=12 SRCH
base="dc=empresa,dc=com,dc=br" scope=2
filter="(&(sambaSID=S-1-5-21-3961270634-907415745-1566956690-501)(objectClas
s=sambaSamAccount))"
Sep 13 17:43:26 localhost slapd[2680]: conn=75 op=12 SRCH attr=uid uidNumber
gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange
sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName
sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description
sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword
sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory
modifyTimestamp sambaLogonHours modifyTimestamp
Sep 13 17:43:26 localhost slapd[2680]: conn=75 op=12 SEARCH RESULT tag=101
err=0 nentries=0 text=
Sep 13 17:43:26 localhost slapd[2679]: conn=76 op=7 SRCH
base="dc=empresa,dc=com,dc=br" scope=2
filter="(&(objectClass=posixAccount)(uid=nobody))"
Sep 13 17:43:26 localhost slapd[2679]: conn=76 op=7 SEARCH RESULT tag=101
err=0 nentries=1 text=
Sep 13 17:43:26 localhost slapd[2678]: conn=76 op=8 SRCH
base="dc=conab,dc=gov,dc=br" scope=2
filter="(&(objectClass=posixGroup)(|(memberUid=nobody)(uniqueMember=uid=nobo
dy,ou=matriz,dc=empresa,dc=com,dc=br)))"
Sep 13 17:43:26 localhost slapd[2678]: conn=76 op=8 SRCH attr=gidNumber
Sep 13 17:43:26 localhost slapd[2678]: <= bdb_equality_candidates:
(uniqueMember) index_param failed (18)
Sep 13 17:43:26 localhost slapd[2678]: conn=76 op=8 SEARCH RESULT tag=101
err=0 nentries=1 text=
Sep 13 17:43:26 localhost slapd[2680]: conn=75 op=13 SRCH
base="dc=conab,dc=gov,dc=br" scope=2
filter="(&(uid=Administrator)(objectClass=sambaSamAccount))"
Sep 13 17:43:26 localhost slapd[2680]: conn=75 op=13 SRCH attr=uid uidNumber
gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange
sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName
sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description
sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword
sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory
modifyTimestamp sambaLogonHours modifyTimestamp
Sep 13 17:43:26 localhost slapd[2680]: conn=75 op=13 SEARCH RESULT tag=101
err=0 nentries=1 text=
Sep 13 17:43:26 localhost slapd[2679]: conn=76 op=9 SRCH
base="dc=conab,dc=gov,dc=br" scope=2
filter="(&(objectClass=posixAccount)(uid=Administrator))"
Sep 13 17:43:26 localhost slapd[2679]: conn=76 op=9 SEARCH RESULT tag=101
err=0 nentries=1 text=
Sep 13 17:43:26 localhost slapd[2678]: conn=76 op=10 SRCH
base="dc=conab,dc=gov,dc=br" scope=2
filter="(&(objectClass=posixGroup)(|(memberUid=Administrator)(uniqueMember=u
id=administrator,ou=matriz,dc=empresa,dc=com,dc=br)))"
Sep 13 17:43:26 localhost slapd[2678]: conn=76 op=10 SRCH attr=gidNumber
Sep 13 17:43:26 localhost slapd[2678]: <= bdb_equality_candidates:
(uniqueMember) index_param failed (18)
Sep 13 17:43:26 localhost slapd[2678]: conn=76 op=10 SEARCH RESULT tag=101
err=0 nentries=1 text=
Meu smb.conf está da seguinte forma:
[global]
workgroup = EMPRESA
netbios name = DFBSA58
server string = Samba Server %v
security = user
encrypt passwords = True
min passwd length = 6
obey pam restrictions = no
ldap passwd sync = Yes
log level = 256
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
logon path =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
# ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
ldap admin dn = cn=admin,dc=empresa,dc=com,dc=br
ldap suffix = dc=empresa,dc=com,dc=br
ldap group suffix = ou=grupos
ldap user suffix = ou=matriz
ldap machine suffix = ou=maquinas
ldap idmap suffix = ou=Idmap
ldap ssl = no
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
#delete user script = /usr/local/sbin/smbldap-userdel "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/local/sbin/smbldap-groupdel "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u"
"%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x
"%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g"
"%u"
# printers configuration
printer admin = @"Print Operators"
load printers = Yes
create mask = 0640
directory mask = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
#guest account = nobody
#map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile
folders:
preserve case = yes
short preserve case = yes
case sensitive = no
[homes]
comment = repertoire de %U, %u
read only = No
create mask = 0644
directory mask = 0775
browseable = No
[netlogon]
path = /home/netlogon/
browseable = No
read only = yes
[profiles]
path = /home/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
# next line allows administrator to access all profiles
valid users = %U "Domain Admins"
[printers]
comment = Network Printers
printer admin = @"Print Operators"
guest ok = yes
printable = yes
path = /home/spool/
browseable = No
read only = Yes
printable = Yes
print command = /usr/bin/lpr -P%p -r %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
[print$]
path = /home/printers
guest ok = No
browseable = Yes
read only = Yes
valid users = @"Print Operators"
write list = @"Print Operators"
create mask = 0664
directory mask = 0775
[public]
comment = Repertoire public
path = /home/public
browseable = Yes
guest ok = Yes
read only = No
directory mask = 0775
create mask = 0664
Meu slapd.conf está assim:
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck on
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd.args
# Read slapd.conf(5) for possible values
loglevel 256
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database bdb
# The base of your directory in database #1
suffix "dc=empresa,dc=com,dc=br"
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attribute=userPassword
by dn="cn=admin,dc=empresa,dc=com,dc=br" write
by anonymous auth
by self write
by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=admin,dc=empresa,dc=com,dc=br" write
by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=admin,dc=conab,dc=gov,dc=br" write
# by dnattr=owner write
#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database <other>
# The base of your directory for database #2
#suffix "dc=debian,dc=org"
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
Alguém também enfrentou este problema usando o Sarge? Já pesquisei por novos
parâmetros de configuração e ainda não encontrei nenhuma novidade.
Agradeço desde já qualquer ajuda.
Gustavo
Reply to: