I recently set up an LDAP server that is supposed to hold the Samba and Unix accounts.
I used this howto for it: http://howto.hopto.org/HowTos/Samba/Smb ... wTo/040000
Unfortunately I'm stuck. I just can't get the PAM authentication to work.
A fundamental question about that:
How does the password hash work here? During the Debian installation I chose crypt. Do I have to use that for LDAP as well, or do I just put "pam_password crypt" into pam_ldap.conf, or can I use SSHA instead?
It's probably best if I post my configs and logs:
pam_ldap.conf:
Code:
host 127.0.0.1
base dc=home,dc=de
ldap_version 3
rootbinddn cn=Manager,dc=home,dc=de
pam_password exop
Code:
host 127.0.0.1
base dc=home,dc=de
rootbinddn cn=Manager,dc=home,dc=de
pam_password exop
nss_base_passwd ou=Users,dc=home,dc=de?sub
nss_base_shadow ou=Users,dc=home,dc=de?sub
nss_base_group ou=Groups,dc=home,dc=de?sub
ssl no
Code:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd.args
loglevel 256
modulepath /usr/lib/ldap
moduleload back_bdb
backend bdb
database bdb
suffix "dc=home,dc=de"
rootdn "cn=Manager,dc=home,dc=de"
rootpw {SSHA}secret
directory "/var/lib/ldap"
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
access to *
by * read
Code:
SID=<the output of net getlocalsid>
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
verify="require"
cafile="/etc/smbldap-tools/ca.pem"
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
clientkey="/etc/smbldap-tools/smbldap-tools.key"
suffix="dc=home,dc=de"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=TUX,${suffix}"
scope="sub"
hash_encrypt="SSHA"
userLoginShell="/bin/bash"
userHome="/home/%U"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="99"
userSmbHome="\\SAMBASERV\homes\%U"
userProfile="\\SAMBASERV\profiles\%U"
userHomeDrive="X:"
userScript="%U.cmd"
mailDomain="ich.de"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
Code:
dn: uid=sambauser,ou=Users,dc=home,dc=de
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: sambauser
sn: sambauser
uid: sambauser
uidNumber: 1000
gidNumber: 513
homeDirectory: /home/sambauser
loginShell: /bin/bash
gecos: System User
description: System User
userPassword: {SSHA}secretuser
Code:
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_env.so
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
syslog:
Code:
Jun 4 16:49:40 server slapd[9140]: conn=1 fd=11 ACCEPT from IP=127.0.0.1:3079 (IP=0.0.0.0:389)
Jun 4 16:49:40 server slapd[9143]: conn=1 op=0 BIND dn="cn=Manager,dc=home,dc=de" method=128
Jun 4 16:49:40 server slapd[9143]: conn=1 op=0 BIND dn="cn=Manager,dc=home,dc=de" mech=SIMPLE ssf=0
Jun 4 16:49:40 server slapd[9143]: conn=1 op=0 RESULT tag=97 err=0 text=
Jun 4 16:49:40 server slapd[9143]: conn=1 op=1 SRCH base="ou=Users,dc=home,dc=de" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=sambauser))"
Jun 4 16:49:40 server slapd[9143]: conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jun 4 16:49:40 server slapd[9143]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 4 16:49:40 server slapd[9143]: conn=1 op=2 SRCH base="ou=Users,dc=home,dc=de" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=sambauser))"
Jun 4 16:49:40 server slapd[9143]: conn=1 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jun 4 16:49:40 server slapd[9143]: conn=1 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 4 16:49:40 server slapd[9143]: conn=1 op=3 SRCH base="ou=Users,dc=home,dc=de" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=sambauser))"
Jun 4 16:49:40 server slapd[9143]: conn=1 op=3 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Jun 4 16:49:40 server slapd[9143]: conn=1 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 4 16:49:42 server slapd[9143]: conn=1 op=4 SRCH base="ou=Users,dc=home,dc=de" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=sambauser))"
Jun 4 16:49:42 server slapd[9143]: conn=1 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jun 4 16:49:42 server slapd[9143]: conn=1 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 4 16:49:42 server slapd[9143]: conn=1 op=5 SRCH base="ou=Users,dc=home,dc=de" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=sambauser))"
Jun 4 16:49:42 server slapd[9143]: conn=1 op=5 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Jun 4 16:49:42 server slapd[9143]: conn=1 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 4 16:49:42 server slapd[9140]: conn=2 fd=15 ACCEPT from IP=127.0.0.1:3080 (IP=0.0.0.0:389)
Jun 4 16:49:42 server slapd[9143]: conn=2 op=0 BIND dn="cn=Manager,dc=home,dc=de" method=128
Jun 4 16:49:42 server slapd[9143]: conn=2 op=0 BIND dn="cn=Manager,dc=home,dc=de" mech=SIMPLE ssf=0
Jun 4 16:49:42 server slapd[9143]: conn=2 op=0 RESULT tag=97 err=0 text=
Jun 4 16:49:42 server slapd[9143]: conn=2 op=1 SRCH base="dc=home,dc=de" scope=2 deref=0 filter="(uid=sambauser)"
Jun 4 16:49:42 server slapd[9143]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 4 16:49:42 server slapd[9143]: conn=2 op=2 BIND anonymous mech=implicit ssf=0
Jun 4 16:49:42 server slapd[9143]: conn=2 op=2 BIND dn="uid=sambauser,ou=Users,dc=home,dc=de" method=128
Jun 4 16:49:42 server slapd[9143]: conn=2 op=2 RESULT tag=97 err=49 text=
Jun 4 16:49:42 server slapd[9143]: conn=2 op=3 BIND dn="cn=Manager,dc=home,dc=de" method=128
Jun 4 16:49:42 server slapd[9143]: conn=2 op=3 BIND dn="cn=Manager,dc=home,dc=de" mech=SIMPLE ssf=0
Jun 4 16:49:42 server slapd[9143]: conn=2 op=3 RESULT tag=97 err=0 text=
Jun 4 16:49:45 server slapd[9143]: conn=1 op=6 SRCH base="ou=Users,dc=home,dc=de" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=sambauser))"
Jun 4 16:49:45 server slapd[9143]: conn=1 op=6 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jun 4 16:49:45 server slapd[9143]: conn=1 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Code:
Jun 4 16:49:42 server login[9093]: (pam_unix) check pass; user unknown
Jun 4 16:49:42 server login[9093]: (pam_unix) authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
Jun 4 16:49:42 server login[9093]: pam_ldap: error trying to bind as user "uid=sambauser,ou=Users,dc=home,dc=de" (Invalid credentials)
Jun 4 16:49:45 server login[9093]: FAILED LOGIN (1) on `tty2' FOR `sambauser', Authentication failure
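Added example on the hash question, not from the original post or from the linked howto. slapd checks a simple bind against whatever scheme the stored userPassword carries ({SSHA}, {CRYPT}, {MD5}, clear text, ...), so the user entry can hold {SSHA} no matter what the Debian installer chose for /etc/shadow. "pam_password" in pam_ldap.conf only decides how pam_ldap writes a new password when someone runs passwd; with "pam_password exop" the clear text goes to slapd in a Password Modify extended operation and slapd hashes it itself according to its password-hash setting. The script below reproduces the {SSHA} layout that slappasswd produces and verifies a candidate password against a stored value the same way the server does, so a value can be tested offline. A value written literally as "{SSHA}secretuser", if that is what is stored and not just redacted for the post, is not valid base64 and can never match, which gives exactly the err=49 seen in the syslog. Passwords, salts and the DN used below are made up for the example.

```python
import base64
import hashlib
import hmac
import os


def make_ssha(password, salt=None):
    """Build a userPassword value in OpenLDAP's {SSHA} form:
    "{SSHA}" + base64(SHA1(password || salt) || salt), the same layout
    `slappasswd -h {SSHA}` emits. Salt is 4 random bytes unless given
    (a fixed salt is only passed in here to keep the example reproducible)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_password(stored, candidate):
    """Return True if `candidate` matches the stored userPassword value the way
    slapd checks it on a simple bind. Understands {SSHA}, {SHA} and clear text;
    any other scheme ({CRYPT}, {MD5}, ...) or a malformed value yields False,
    i.e. the bind would fail with err=49 (invalidCredentials)."""
    cand = candidate.encode("utf-8")
    try:
        if stored.startswith("{SSHA}"):
            raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
            digest, salt = raw[:20], raw[20:]
            if len(digest) != 20:
                return False  # too short to contain a SHA-1 digest
            return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
        if stored.startswith("{SHA}"):
            raw = base64.b64decode(stored[len("{SHA}"):], validate=True)
            return hmac.compare_digest(hashlib.sha1(cand).digest(), raw)
    except ValueError:
        # binascii.Error is a ValueError: the text after the scheme tag is not
        # base64, so the value was typed in by hand rather than produced by slappasswd
        return False
    if stored.startswith("{"):
        return False  # a scheme this example does not verify ({CRYPT}, {MD5}, ...)
    # no scheme tag: slapd compares clear text
    return hmac.compare_digest(stored.encode("utf-8"), cand)


def ldif_set_password(dn, stored_value):
    """LDIF for `ldapmodify` that replaces userPassword with an already-hashed
    value (the rootdn bind is allowed to write it under the posted ACL)."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        f"userPassword: {stored_value}\n"
    )


if __name__ == "__main__":
    # example password and DN, not the poster's real data
    value = make_ssha("geheim")
    print(value)
    print("correct password accepted:", check_password(value, "geheim"))
    print("wrong password rejected:", not check_password(value, "Geheim"))
    print("pasted placeholder rejected:", not check_password("{SSHA}secretuser", "secretuser"))
    print(ldif_set_password("uid=sambauser,ou=Users,dc=home,dc=de", value))
```

To test the stored value against the real server without PAM in the way, bind as the user directly, e.g. `ldapwhoami -x -H ldap://127.0.0.1 -D "uid=sambauser,ou=Users,dc=home,dc=de" -W`; err=49 there means the value in the entry is the problem, not the PAM stack.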
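Added example for reading the slapd log, not part of the original post. With loglevel 256 slapd writes the BIND request and its RESULT as separate lines that belong together only through conn= and op=. The script pairs them up, names the LDAP result codes (err=49 is invalidCredentials), and also flags simple binds that arrive with ssf=0 from a non-loopback client. That second check matters with "ssl no" in the NSS config and ldapTLS="0" in smbldap.conf: the rootbinddn password from /etc/pam_ldap.secret would cross the network in clear on every lookup. Sample input is the conn=2 excerpt from the syslog above plus a constructed conn=3 from 192.168.1.23 that does not appear in the original log.

```python
import re
from collections import OrderedDict

# Subset of LDAP resultCode names (RFC 4511) seen in slapd "RESULT ... err=N" lines.
LDAP_RESULT_NAMES = {
    0: "success",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

LOOPBACK = {"127.0.0.1", "::1"}

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
# the bind request line carries the DN and method=128 (simple bind)
BIND_DN_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
# any BIND line with ssf= tells us the connection's protection level (0 = none)
SSF_RE = re.compile(r"conn=(\d+) op=\d+ BIND .*\bssf=(\d+)")
# tag=97 is bindResponse, so this RESULT belongs to a bind, not to a search
BIND_RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")


def analyse_binds(lines):
    """Correlate BIND requests with their RESULT by (conn, op) and return one
    record per completed bind: dn, client IP, result code and the connection's
    security strength factor (ssf=0 means no TLS or SASL protection)."""
    conn_ip, conn_ssf, pending, events = {}, {}, OrderedDict(), []
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = SSF_RE.search(line)
        if m:
            conn_ssf[m.group(1)] = int(m.group(2))
        m = BIND_DN_RE.search(line)
        if m:
            conn, op, dn = m.groups()
            pending[(conn, op)] = dn
            continue
        m = BIND_RESULT_RE.search(line)
        if m:
            conn, op, err = m.group(1), m.group(2), int(m.group(3))
            dn = pending.pop((conn, op), None)
            if dn is None:
                continue  # RESULT for a bind whose request line is not in the excerpt
            events.append({
                "conn": conn, "op": op, "dn": dn,
                "ip": conn_ip.get(conn, "?"),
                "err": err,
                "err_name": LDAP_RESULT_NAMES.get(err, "unknown"),
                "ssf": conn_ssf.get(conn),
            })
    return events


def failed_binds(lines):
    """Binds that did not return err=0, i.e. the lines to look at first."""
    return [e for e in analyse_binds(lines) if e["err"] != 0]


def cleartext_remote_binds(lines):
    """Simple binds on an unprotected (ssf=0) connection from a non-loopback
    client: that bind password crossed the network unencrypted."""
    return [e for e in analyse_binds(lines) if e["ssf"] == 0 and e["ip"] not in LOOPBACK]


# conn=2 is copied from the syslog in the post; conn=3 is constructed for the example.
SAMPLE_LOG = """
Jun 4 16:49:42 server slapd[9140]: conn=2 fd=15 ACCEPT from IP=127.0.0.1:3080 (IP=0.0.0.0:389)
Jun 4 16:49:42 server slapd[9143]: conn=2 op=0 BIND dn="cn=Manager,dc=home,dc=de" method=128
Jun 4 16:49:42 server slapd[9143]: conn=2 op=0 BIND dn="cn=Manager,dc=home,dc=de" mech=SIMPLE ssf=0
Jun 4 16:49:42 server slapd[9143]: conn=2 op=0 RESULT tag=97 err=0 text=
Jun 4 16:49:42 server slapd[9143]: conn=2 op=1 SRCH base="dc=home,dc=de" scope=2 deref=0 filter="(uid=sambauser)"
Jun 4 16:49:42 server slapd[9143]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 4 16:49:42 server slapd[9143]: conn=2 op=2 BIND anonymous mech=implicit ssf=0
Jun 4 16:49:42 server slapd[9143]: conn=2 op=2 BIND dn="uid=sambauser,ou=Users,dc=home,dc=de" method=128
Jun 4 16:49:42 server slapd[9143]: conn=2 op=2 RESULT tag=97 err=49 text=
Jun 4 16:49:42 server slapd[9143]: conn=2 op=3 BIND dn="cn=Manager,dc=home,dc=de" method=128
Jun 4 16:49:42 server slapd[9143]: conn=2 op=3 BIND dn="cn=Manager,dc=home,dc=de" mech=SIMPLE ssf=0
Jun 4 16:49:42 server slapd[9143]: conn=2 op=3 RESULT tag=97 err=0 text=
Jun 4 16:51:07 server slapd[9140]: conn=3 fd=16 ACCEPT from IP=192.168.1.23:41022 (IP=0.0.0.0:389)
Jun 4 16:51:07 server slapd[9143]: conn=3 op=0 BIND dn="cn=Manager,dc=home,dc=de" method=128
Jun 4 16:51:07 server slapd[9143]: conn=3 op=0 BIND dn="cn=Manager,dc=home,dc=de" mech=SIMPLE ssf=0
Jun 4 16:51:07 server slapd[9143]: conn=3 op=0 RESULT tag=97 err=0 text=
""".strip().splitlines()


if __name__ == "__main__":
    for e in failed_binds(SAMPLE_LOG):
        print(f"conn={e['conn']} op={e['op']} bind as {e['dn']} from {e['ip']}: "
              f"err={e['err']} ({e['err_name']})")
    for e in cleartext_remote_binds(SAMPLE_LOG):
        print(f"WARNING: cleartext simple bind as {e['dn']} from {e['ip']} (ssf=0)")
```

Run it against the real file with `python3 slapd_binds.py < /var/log/syslog`-style input by replacing SAMPLE_LOG with `sys.stdin`; the pairing logic is the same. The conn=2 sequence shows the pam_ldap pattern exactly: bind as rootbinddn, search for the uid, rebind as the found DN, and it is that rebind that returns err=49.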