bmachina | Hello everyone,
I am trying to set up a SAMBA server whose users are managed by an LDAP directory (OpenLDAP in this case).
- openSuse 10.3
- OpenLDAP 2.3.37
- smbldap-tools 0.9.4-3
- nss_ldap 257.2-2
- pam_ldap 184-49
I first did a configuration in which I accessed the directory with the Root DN account. With that config, everything worked perfectly. For obvious security reasons I want to make another config in which I use an account cn=samba,ou=DSA,dc=effata,dc=ch for SAMBA's access to the directory, and another account cn=smbldap-tools,ou=DSA,dc=effata,dc=ch for the smbldap-tools scripts' access to the directory.
I run into a problem when I execute the smbldap-populate script, whose output is below:
Code :
smbldap-populate
Populating LDAP directory for domain EFFATA.CH (S-1-5-21-918170500-1583366388-3599232829)
(using builtin directory structure)
entry dc=effata,dc=ch already exist.
entry ou=Users,dc=effata,dc=ch already exist.
entry ou=Groups,dc=effata,dc=ch already exist.
entry ou=Computers,dc=effata,dc=ch already exist.
entry ou=Idmap,dc=effata,dc=ch already exist.
entry uid=root,ou=Users,dc=effata,dc=ch already exist.
entry uid=nobody,ou=Users,dc=effata,dc=ch already exist.
entry cn=Domain Admins,ou=Groups,dc=effata,dc=ch already exist.
entry cn=Domain Users,ou=Groups,dc=effata,dc=ch already exist.
entry cn=Domain Guests,ou=Groups,dc=effata,dc=ch already exist.
entry cn=Domain Computers,ou=Groups,dc=effata,dc=ch already exist.
entry cn=Administrators,ou=Groups,dc=effata,dc=ch already exist.
entry cn=Account Operators,ou=Groups,dc=effata,dc=ch already exist.
entry cn=Print Operators,ou=Groups,dc=effata,dc=ch already exist.
entry cn=Backup Operators,ou=Groups,dc=effata,dc=ch already exist.
entry cn=Replicators,ou=Groups,dc=effata,dc=ch already exist.
entry sambaDomainName=EFFATA.CH,dc=effata,dc=ch already exist. Updating it...
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
Failed to modify UNIX password: Insufficient access at /usr/sbin/smbldap-passwd line 285, <STDIN> l
So it seems that the user cn=smbldap-tools,ou=DSA,dc=effata,dc=ch cannot modify UNIX passwords.
I scrupulously followed the tutorial "The Linux Samba-OpenLDAP Howto (Revision : 20060710)". So I have the slapd.conf configuration file below:
Code :
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://
pidfile /var/run/slapd/
argsfile /var/run/slapd/slapd.args
# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules
# moduleload
# moduleload
# moduleload
# moduleload
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access to user password
# Allow anonymous users to authenticate
# Allow read access to everything else
# Directives needed to implement policy:
# any user can authenticate and change their own password
access to attrs=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn="cn=samba,ou=DSA,dc=effata,dc=ch" write
    by dn="cn=smbldap-tools,ou=DSA,dc=effata,dc=ch" write
    by dn="cn=nssldap,ou=DSA,dc=effata,dc=ch" write
    by self write
    by anonymous auth
    by * none
# some attributes need to be readable anonymously so that "id user" can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
    by dn="cn=samba,ou=DSA,dc=effata,dc=ch" write
    by dn="cn=smbldap-tools,ou=DSA,dc=effata,dc=ch" write
    by * read
# some attributes can be writable by the users themselves
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
    by dn="cn=samba,ou=DSA,dc=effata,dc=ch" write
    by dn="cn=smbldap-tools,ou=DSA,dc=effata,dc=ch" write
    by self write
    by * read
# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
    by dn="cn=samba,ou=DSA,dc=effata,dc=ch" write
    by dn="cn=smbldap-tools,ou=DSA,dc=effata,dc=ch" write
    by self read
    by * none
# samba needs to be able to create the samba domain account
access to dn.base="dc=effata,dc=ch"
    by dn="cn=samba,ou=DSA,dc=effata,dc=ch" write
    by dn="cn=smbldap-tools,ou=DSA,dc=effata,dc=ch" write
    by * none
# samba needs to be able to create new user accounts
access to dn="ou=Users,dc=effata,dc=ch"
    by dn="cn=samba,ou=DSA,dc=effata,dc=ch" write
    by dn="cn=smbldap-tools,ou=DSA,dc=effata,dc=ch" write
    by * none
# samba needs to be able to create new group accounts
access to dn="ou=Groups,dc=effata,dc=ch"
    by dn="cn=samba,ou=DSA,dc=effata,dc=ch" write
    by dn="cn=smbldap-tools,ou=DSA,dc=effata,dc=ch" write
    by * none
# samba needs to be able to create new computer accounts
access to dn="ou=Computers,dc=effata,dc=ch"
    by dn="cn=samba,ou=DSA,dc=effata,dc=ch" write
    by dn="cn=smbldap-tools,ou=DSA,dc=effata,dc=ch" write
    by * none
# this can be omitted but we let it stay because there could be other
# branches in the directory
access to *
    by self read
    by * none
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read" )
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
loglevel 4095
database bdb
suffix "dc=effata,dc=ch"
rootdn "cn=Manager,dc=effata,dc=ch"
rootpw "{ssha}********"
directory /var/lib/ldap/
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
As you can see, I enabled the LDAP server logs in order to learn a bit more about the error. Here is an excerpt that seemed interesting to me:
Code :
conn=7 op=4 MOD dn="uid=root,ou=Users,dc=effata,dc=ch"
Oct 19 02:34:16 server slapd[18723]: conn=7 op=4 MOD attr=userPassword shadowLastChange shadowMax
Oct 19 02:34:16 server slapd[18723]: bdb_dn2entry("uid=root,ou=users,dc=effata,dc=ch" )
Oct 19 02:34:16 server slapd[18723]: bdb_modify: uid=root,ou=Users,dc=effata,dc=ch
Oct 19 02:34:16 server slapd[18723]: bdb_dn2entry("uid=root,ou=users,dc=effata,dc=ch" )
Oct 19 02:34:16 server slapd[18723]: bdb_modify_internal: 0x00000006: uid=root,ou=Users,dc=effata,dc=ch
Oct 19 02:34:16 server slapd[18723]: => access_allowed: delete access to "uid=root,ou=Users,dc=effata,dc=ch" "userPassword" requested
Oct 19 02:34:16 server slapd[18723]: => acl_get: [1] attr userPassword
Oct 19 02:34:16 server slapd[18723]: access_allowed: no res from state (userPassword)
Oct 19 02:34:16 server slapd[18723]: => acl_mask: access to entry "uid=root,ou=Users,dc=effata,dc=ch", attr "userPassword" requested
Oct 19 02:34:16 server slapd[18723]: => acl_mask: to all values by "cn=smbldap-tools,ou=dsa,dc=effata,dc=ch", (=0)
Oct 19 02:34:16 server slapd[18723]: <= check a_dn_pat: cn=samba,ou=dsa,dc=effata,dc=ch
Oct 19 02:34:16 server slapd[18723]: <= check a_dn_pat: cn=smbldap-tools,ou=dsa,dc=effata,dc=ch
Oct 19 02:34:16 server slapd[18723]: <= acl_mask: [2] applying write(=wrscxd) (stop)
Oct 19 02:34:16 server slapd[18723]: <= acl_mask: [2] mask: write(=wrscxd)
Oct 19 02:34:16 server slapd[18723]: => access_allowed: delete access granted by write(=wrscxd)
Oct 19 02:34:16 server slapd[18723]: => access_allowed: delete access to "uid=root,ou=Users,dc=effata,dc=ch" "shadowLastChange" requested
Oct 19 02:34:16 server slapd[18723]: => dn: [5] dc=effata,dc=ch
Oct 19 02:34:16 server slapd[18723]: => dn: [6] ou=users,dc=effata,dc=ch
Oct 19 02:34:16 server slapd[18723]: => dn: [7] ou=groups,dc=effata,dc=ch
Oct 19 02:34:16 server slapd[18723]: => dn: [8] ou=computers,dc=effata,dc=ch
Oct 19 02:34:16 server slapd[18723]: => acl_get: [9] attr shadowLastChange
Oct 19 02:34:16 server slapd[18723]: access_allowed: no res from state (shadowLastChange)
Oct 19 02:34:16 server slapd[18723]: => acl_mask: access to entry "uid=root,ou=Users,dc=effata,dc=ch", attr "shadowLastChange" requested
Oct 19 02:34:16 server slapd[18723]: => acl_mask: to all values by "cn=smbldap-tools,ou=dsa,dc=effata,dc=ch", (=0)
Oct 19 02:34:16 server slapd[18723]: <= check a_dn_pat: self
Oct 19 02:34:16 server slapd[18723]: <= check a_dn_pat: *
Oct 19 02:34:16 server slapd[18723]: <= acl_mask: [2] applying none(=0) (stop)
Oct 19 02:34:16 server slapd[18723]: <= acl_mask: [2] mask: none(=0)
Oct 19 02:34:16 server slapd[18723]: => access_allowed: delete access denied by none(=0)
Oct 19 02:34:16 server slapd[18723]: bdb_modify: modify failed (50)
Oct 19 02:34:16 server slapd[18723]: send_ldap_result: conn=7 op=4 p=3
Oct 19 02:34:16 server slapd[18723]: send_ldap_result: err=50 matched="" text=""
Oct 19 02:34:16 server slapd[18723]: send_ldap_response: msgid=5 tag=103 err=50
Oct 19 02:34:16 server slapd[18723]: conn=7 op=4 RESULT tag=103 err=50 text=
Oct 19 02:34:16 server slapd[18723]: daemon: activity on 1 descriptor
Oct 19 02:34:16 server slapd[18723]: daemon: activity on:
Oct 19 02:34:16 server slapd[18723]: 22r
"access_allowed: delete access denied by none(=0)" - does this mean that the script did not authenticate as cn=smbldap-tools,ou=DSA,dc=effata,dc=ch?
I am having some trouble interpreting this log file.... if someone can help me...
Thanks in advance!
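As an added illustration (my own code, not part of bmachina's post), the following Python models how slapd evaluates the posted attrs= clauses with first-match semantics, and replays the MOD that the log trace shows (userPassword, shadowLastChange and shadowMax on uid=root) for a bind as cn=smbldap-tools. ACL_WITH_SHADOW is a hypothetical variant, assumed here and not taken from the post, in which the password clause also lists the two shadow attributes.

```python
from typing import Dict, List, Optional, Set, Tuple

# DNs from the posted slapd.conf and the target entry of the MOD in the log
SAMBA = "cn=samba,ou=DSA,dc=effata,dc=ch"
SMBLDAP = "cn=smbldap-tools,ou=DSA,dc=effata,dc=ch"
NSSLDAP = "cn=nssldap,ou=DSA,dc=effata,dc=ch"
ROOT = "uid=root,ou=Users,dc=effata,dc=ch"

# An ACL is a list of (attribute set, or None for "access to *", [(who, level), ...])
# in slapd.conf order. Only the posted clauses relevant to this MOD are kept: the
# other attrs= clauses name neither userPassword nor shadow*, so slapd skips them.
Acl = List[Tuple[Optional[Set[str]], List[Tuple[str, str]]]]
PASSWORD_ATTRS = {"userPassword", "sambaLMPassword", "sambaNTPassword",
                  "sambaPwdLastSet", "sambaPwdMustChange"}
PASSWORD_BY = [(SAMBA, "write"), (SMBLDAP, "write"), (NSSLDAP, "write"),
               ("self", "write"), ("anonymous", "auth"), ("*", "none")]
CATCH_ALL = (None, [("self", "read"), ("*", "none")])
ACL_AS_POSTED: Acl = [(PASSWORD_ATTRS, PASSWORD_BY), CATCH_ALL]
# Hypothetical variant (an assumption, not from the post): the password clause
# also lists the two shadow attributes that smbldap-passwd modifies.
ACL_WITH_SHADOW: Acl = [(PASSWORD_ATTRS | {"shadowLastChange", "shadowMax"}, PASSWORD_BY), CATCH_ALL]


def who_matches(who: str, bound_dn: Optional[str], target_dn: str) -> bool:
    """Simplified <who> matching: '*', 'anonymous', 'self' or an exact DN (case-insensitive)."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if bound_dn is None:
        return False
    wanted = target_dn if who == "self" else who
    return bound_dn.lower() == wanted.lower()


def access_level(acl: Acl, bound_dn: Optional[str], target_dn: str, attr: str) -> str:
    """First 'access to' clause covering attr wins; inside it, the first matching 'by' wins."""
    for attrs, by_lines in acl:
        if attrs is not None and attr.lower() not in {a.lower() for a in attrs}:
            continue
        for who, level in by_lines:
            if who_matches(who, bound_dn, target_dn):
                return level
        return "none"  # clause matched but no <who> did: slapd's implicit "by * none"
    return "none"  # not reached here, since the posted ACL ends with "access to *"


def check_password_change(acl: Acl, bound_dn: Optional[str] = SMBLDAP) -> Dict[str, str]:
    """Replay the MOD from the log: attrs userPassword, shadowLastChange, shadowMax on uid=root."""
    return {a: access_level(acl, bound_dn, ROOT, a)
            for a in ("userPassword", "shadowLastChange", "shadowMax")}
```

Running check_password_change on ACL_AS_POSTED reproduces the trace: userPassword is granted by the second "by" line of the password clause, while shadowLastChange falls through to "access to *" and is denied by "by * none".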