directory-users mailing list archives

From "Jeffrey Reynolds" <>
Subject Re: ApacheDS and Samba
Date Thu, 14 Apr 2011 23:49:34 GMT

Ok, I apologize in advance for the long-winded story here, but this might get a little lengthy.


First of all, thanks again Emmanuel for your response.  Here is a bit more of what I've done
and tried to do in depth.  Before posting I should have mentioned that the Samba and NIS schemas
were enabled.  Prior posts to the mailing list helped me with that months ago (it's only been
just now that I've had time to revisit this little science experiment).  Anyway, I initially
added the AT to ou=attributes, but I had botched the OID and EQUALITY values.  They were just
corrected, and thanks for posting the information for that.  Afterwards, I added the AT to
the sambaDomain object class, restarted Directory Studio, and I could not add a sambaPwdHistoryLength
value to my domain object... in Directory Studio, that is.


I opened up my other LDAP configuration manager, LDAP Account Manager (LAM), and I was able
to add the sambaPwdHistoryLength attribute to my domain without any issue.  Now when I open
Directory Studio back up, I can see the value there but it's in italics.  I cannot add a second
value, or add the attribute to a newly created domain.  Again, though, LAM seems to do this
without issue.  However, I tried to connect to Samba via LDAP, and still no success.  And
no, there was no error indicating missing and ignored attributes.


It wasn't until I fired up Wireshark that I saw my real problem.  By the way, Wireshark is
one of the single best utilities for diagnosing network communication problems, my hat's off
to those guys.  Anyway, I was watching the packet flow between Samba and LDAP, and after a
bit of this activity, I saw that Samba was in fact asking for my uid from the LDAP server.
Samba uses two filters to ask for a user account; it filters users by "uid=user" and "objectclass=sambaSamAccount".
Applying those two filters, it did not find "uid=user".


So I used ldapsearch to run my own search.  When I searched for "uid=user", it came back without
issue, but adding the "objectClass=sambaSamAccount" filter it returned nothing.  I double
checked Directory Studio, and sure enough, uid=user has the "objectClass=sambaSamAccount"
attribute.  So I searched for any objects that had the "objectClass=sambaSamAccount" inside
my user group.  I found that both "uid=root" and "uid=nobody" had this attribute and were
returned by the search.  So I thought, what happens when I try to access Samba using the root
account?  I opened up Explorer, used the root account and password I set up during smbldap-populate,
and BLAM.  Access to the share.  I checked the Apache DS logs later and found references to
another missing and ignored attribute, "sambaMaxPwdAge", but now I believe that the missing
attributes were simply just red herrings.


So I'm left with two questions: why can't Apache DS add the new attribute but LAM can (both
use the same admin dn)?  And the big one, the $64,000 question: why does Apache DS return
2 uids when searching for "objectClass=sambaSamAccount", but doesn't return my user accounts,
when the "objectClass=sambaSamAccount" attribute is present in all of them?


A little more information: the root and nobody accounts were created when the smbldap-populate
command was run, and the user accounts were created with "smbldap-useradd -a user".  Here
is a printout of the information that ldapsearch returns for both accounts:


dn: uid=root,ou=People,dc=mydomain,dc=com
uid: root
sn: root
sambaAcctFlags: [U]
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: top
loginshell: /bin/false
cn: root
uidnumber: 0
homedirectory: /home/root
sambalogofftime: 2147483647
sambaPwdMustChange: 1306701193
shadowLastChange: 15078
gidnumber: 0
sambakickofftime: 2147483647
sambaprimarygroupsid: S-1-5-21-3758697847-7384960784-35657434567-512
sambaPwdLastSet: 1302813193
sambasid: S-1-5-21-3758697847-7384960784-35657434567-500
shadowMax: 45
sambalogontime: 0
gecos: Netbios Domain Administrator
sambapwdcanchange: 0

dn: uid=user, ou=People,dc=mydomain,dc=com
uid: user
sn: user
sambaNTPassword: XXX
sambaAcctFlags: [UX]
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: top
displayName: user
givenname: user
uidnumber: 30000
loginshell: /bin/bash
cn: user
homedirectory: /home/user
sambaLogoffTime: 2147483647
sambaPwdMustChange: 2147483647
shadowLastChange: 15078
gidnumber: 513
sambaKickoffTime: 2147483647
sambaPwdLastSet: 0
sambaPrimaryGroupSID: S-1-5-21-3758697847-7384960784-35657434567-513
sambaSID: S-1-5-21-3758697847-7384960784-35657434567-61000
sambaLMPassword: XXX
shadowMax: 45
sambaLogonTime: 0
gecos: System User
sambaPwdCanChange: 0

If anyone can shed some light on this I would be much obliged.  Thanks!
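
A client-side cross-check of the search described in this message, as an added example that is not part of the original post: it parses ldapsearch output and evaluates the two equality assertions locally, so that a match here combined with an empty result from the server places the discrepancy in how the server evaluates the filter, not in the attribute values it returns. The sample LDIF is a trimmed, constructed copy of the two quoted entries, and the function names and the combined filter string are assumptions.

```python
import re

# Constructed sample: a trimmed copy of the two entries quoted in the message.
LDIF = """\
dn: uid=root,ou=People,dc=mydomain,dc=com
uid: root
objectClass: posixAccount
objectClass: sambaSamAccount
sambaAcctFlags: [U]

dn: uid=user, ou=People,dc=mydomain,dc=com
uid: user
objectClass: posixAccount
objectClass: sambaSamAccount
sambaAcctFlags: [UX]
sambaNTPassword: XXX
"""

def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64 values) into dicts
    mapping lower-cased attribute names to lists of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def matches(entry, assertions):
    """AND of equality assertions, compared case-insensitively, which is
    how uid and objectClass values are matched by their equality rules."""
    return all(
        any(v.lower() == want.lower() for v in entry.get(attr.lower(), []))
        for attr, want in assertions
    )

def samba_filter_hits(text, uid):
    """DNs satisfying (&(uid=<uid>)(objectClass=sambaSamAccount))."""
    flt = [("uid", uid), ("objectClass", "sambaSamAccount")]
    return [e["dn"][0] for e in parse_ldif(text) if matches(e, flt)]

def attr_diff(a, b):
    """Attribute names present in only one of the two entries."""
    return sorted(set(a) ^ set(b))

if __name__ == "__main__":
    root, user = parse_ldif(LDIF)
    print(samba_filter_hits(LDIF, "user"), attr_diff(root, user))
```

Feeding the full ldapsearch output for a working and a non-working account through `attr_diff` gives a short list of attributes to compare by hand.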