check_sam_security: Couldn't find user 'ldapuser1' in passdb.

Status
Not open for further replies.

Sharath

Dabbler
Joined
Aug 28, 2017
Messages
12
Hi All,

Trying to get FreeNAS to work with a standalone LDAP server for user auth.
I have set up OpenLDAP and imported the Samba schema as well. The LDAP directory works perfectly fine ("getent passwd" lists all LDAP users). I am able to view LDAP users and groups in the CIFS share permission settings as well. But when a user with an LDAP account tries to access the share with the correct password, I get an "Access Denied" response.

Below is from the samba log.
Code:
[2017/09/10 21:35:44.661536,  2] ../source3/param/loadparm.c:2686(lp_do_section)
  Processing section "[cifs_01]"
[2017/09/10 21:35:44.661967,  3] ../source3/param/loadparm.c:1586(lp_add_ipc)
  adding IPC service
[2017/09/10 21:35:44.662320,  2] ../source3/lib/smbldap.c:794(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2017/09/10 21:35:44.668273,  3] ../source3/lib/smbldap.c:1013(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2017/09/10 21:35:44.670295,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [MSTRI]\[ldapuser1]@[BLRESC0265] with the new password interface
[2017/09/10 21:35:44.670349,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [BLRCMSAMBA]\[ldapuser1]@[BLRESC0265]
[2017/09/10 21:35:44.672334,  3] ../source3/auth/check_samsec.c:400(check_sam_security)
  check_sam_security: Couldn't find user 'ldapuser1' in passdb.
[2017/09/10 21:35:44.672385,  3] ../source3/auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [BLRCMSAMBA] was for this SAM.
[2017/09/10 21:35:44.672416,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [ldapuser1] -> [ldapuser1] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/09/10 21:35:44.672453,  3] ../source3/auth/auth_util.c:1611(do_map_to_guest_server_info)
  No such user ldapuser1 [MSTRI] - using guest account
[2017/09/10 21:35:44.728793,  3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 10.187.120.126 (10.187.120.126)
[2017/09/10 21:35:44.728902,  3] ../source3/smbd/service.c:576(make_connection_snum)
  Connect path is '/tmp' for service [IPC$]
[2017/09/10 21:35:44.728961,  3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2017/09/10 21:35:44.728991,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2017/09/10 21:35:44.729205,  3] ../source3/smbd/service.c:822(make_connection_snum)
  blresc0265 (ipv4:10.187.120.126:53146) connect to service IPC$ initially as user nobody (uid=65534, gid=65534) (pid 99321)
[2017/09/10 21:35:44.788469,  3] ../source3/smbd/msdfs.c:1010(get_referred_path)
  get_referred_path: |cifs_01| in dfs path \blrcm-freenas\cifs_01 is not a dfs root.
[2017/09/10 21:35:44.788525,  3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:309
[2017/09/10 21:35:44.848700,  3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 10.187.120.126 (10.187.120.126)
[2017/09/10 21:35:44.848748,  2] ../source3/smbd/service.c:319(create_connection_session_info)
  guest user (from session setup) not permitted to access this share (cifs_01)
[2017/09/10 21:35:44.848790,  1] ../source3/smbd/service.c:502(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/09/10 21:35:44.848831,  3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_tcon.c:135


What should my next course of action be? Is this a Samba config error or an LDAP one?
Kindly let me know if any more information is needed.
Any help is much appreciated!

Thanks,
Sharath TS
 

Sharath

Dabbler
Joined
Aug 28, 2017
Messages
12
OK, I was able to solve this. Below are my findings, hoping they help others.

  • In addition to importing the Samba schema into LDAP, the directory needs a few other objectClasses for Samba to work well with LDAP.
  1. sambaDomain with the attributes dn, sambaDomainName and sambaSID
  2. sambaGroupMapping (on each LDAP group) with the attributes sambaGroupType and sambaSID
  3. sambaSamAccount (on each user) with the attributes sambaSID and sambaNTPassword
Once these were set in LDAP, I was able to mount the CIFS share with LDAP user authentication.
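As an added example (not from the original post), here is a small Python check that runs over an LDAP export and reports entries missing the objectClasses and attributes listed above, plus a SID sanity check; the LDIF is constructed sample data and the SIDs and NT hash are placeholders.

```python
import re
# Constructed sample export (the shape `ldapsearch -LLL` prints); SIDs and hash are placeholders.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=org
objectClass: sambaDomain
sambaDomainName: EXAMPLE
sambaSID: S-1-5-21-1111-2222-3333

dn: cn=ldapusers,ou=groups,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-1111-2222-3333-21001
sambaGroupType: 2

dn: uid=ldapuser1,ou=people,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1111-2222-3333-21002
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=ldapuser2,ou=people,dc=example,dc=org
objectClass: posixAccount
"""
# Samba class -> attributes ldapsam needs on it; POSIX class -> Samba class it must also carry
REQUIRED = {"sambaDomain": ("sambaDomainName", "sambaSID"), "sambaGroupMapping": ("sambaSID", "sambaGroupType"),
            "sambaSamAccount": ("sambaSID", "sambaNTPassword")}
COMPANION = {"posixAccount": "sambaSamAccount", "posixGroup": "sambaGroupMapping"}

def parse_ldif(text):  # minimal LDIF parser: one {attribute: [values]} dict per entry
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for attr, _, value in (line.partition(": ") for line in block.splitlines()):
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def check_samba_schema(text):  # returns a list of problems; empty means Samba's passdb can use every entry
    entries = parse_ldif(text)
    domain_sid = next((e["sambaSID"][0] for e in entries
                       if "sambaDomain" in e.get("objectClass", []) and "sambaSID" in e), None)
    problems = [] if domain_sid else ["no sambaDomain entry with a sambaSID"]
    for e in entries:
        dn, classes, sid = e["dn"][0], e.get("objectClass", []), e.get("sambaSID", [None])[0]
        problems += [f"{dn}: missing objectClass {s}" for p, s in COMPANION.items() if p in classes and s not in classes]
        problems += [f"{dn}: {c} requires {a}" for c, attrs in REQUIRED.items() if c in classes for a in attrs if a not in e]
        # user and group SIDs must be RIDs under the domain SID, or Samba will not map them to this domain
        if domain_sid and sid and "sambaDomain" not in classes and not sid.startswith(domain_sid + "-"):
            problems.append(f"{dn}: sambaSID {sid} not under domain SID {domain_sid}")
    return problems
```

Feed it a real export from `ldapsearch -LLL` over the people, groups and domain entries. Note that sambaNTPassword holds the unsalted NT hash of the password, so the LDAP ACL should restrict read access to that attribute to the Samba bind DN.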