[Samba] Can anyone comment on my setup?

SUPHAKIT CHAMWUTHIPRICHA suphakit at gmx.com
Wed Mar 4 23:34:37 GMT 2009 

Hi guys,
Can anyone comment on my setup steps?
I follow instructions from many Howto's website,the below steps worked
well until yesterday.
It suddenly refused WindowsXp machine to join domain by giving the error
"The following error occurs....Access denied"

CENTOS 5.1 + fedora-ds-dsgw-1.1.1-1.fc6 + samba-client-3.0.25b-0.el5.4
fedora-idm-console-1.1.1-1.fc6
fedora-ds-base-1.1.3-2.fc6
fedora-ds-console-1.1.2-1.fc6
fedora-ds-admin-1.1.6-1.fc6
fedora-ds-1.1.2-1.fc6
fedora-ds-admin-console-1.1.2-1.fc6

Fedora directory server on this server is to be act as a slave for local
ldap authentication which receive ldap account update from Master Fedora
director server in other location.

=====================================================================
1.

/etc/hosts

127.0.0.1 centserver centserver.abc.com
192.168.1.1 centserver centserver.abc.com

1.1 Reboot computer
=====================================================================
2. Install Fedora-ds

Set up the new directory server and admin server

2.1 /usr/sbin/setup-ds-admin.pl

<<screen dump>>
>>
>>==============================================================================
>>This program will set up the Fedora Directory and Administration Servers.
>>
>>
>>Would you like to continue with set up? [yes]: yes
>>
>>Do you agree to the license terms? [no]: yes
>>
>>
>>Would you like to continue? [no]: yes
>>
>>
>>Choose a setup type [2]: 2
>>
>>
>>Computer name [centserver.riderman.co.th]: centserver.abc.com
>>
>>
>>System User [nobody]: ldap
>>
>>
>>System Group [nobody]: ldap
>>Do you want to register this software with an existing
>>configuration directory server? [no]:
>>
>>
>>administrator ID [admin]: csadmin
>>Password: csadminpassword
>>Password (confirm): csadminpassword
>>
>>
>>Administration Domain [abc.com]: abc.com
>>
>>Directory server network port [389]: 389
>>
>>
>>Directory server identifier [centserver]: centserver
>>
>>
>>Suffix [dc=riderman, dc=com]: dc=riderman, dc=com
>>
>>
>>Directory Manager DN [cn=Directory Manager]: cn=Directory Manager
>>Password: ldapadminpassword
>>Password (confirm): ldapadminpassword
>>
>>
>>Administration port [9830]: 22137
>>
>>==============================================================================
>>The interactive phase is complete. The script will now set up your
>>servers. Enter No or go Back if you want to change something.
>>
>>Are you ready to set up your servers? [yes]:
>>Creating directory server . . .
>>Your new DS instance 'centserver' was successfully created.
>>Creating the configuration directory server . . .
>>Beginning Admin Server creation . . .
>>Creating Admin Server files and directories . . .
>>Updating adm.conf . . .
>>Updating admpw . . .
>>Registering admin server with the configuration directory server . . .
>>Updating adm.conf with information from configuration directory server
. . .
>>Updating the configuration for the httpd engine . . .
>>Starting admin server . . .
>>output: httpd.worker: Could not reliably determine the server's fully
qualified domain name, using 127.0.0.1 for ServerName
>>The admin server was successfully started.
>>Admin server was successfully created, configured, and started.
>>Exiting . . .
>>Log file is '/tmp/setupOYDg5L.log'
>>
>>
<<screen dump>>


=====================================================================

3. Import samba.schema into FDS

3.1 Copy file 61samba.ldif to /etc/dirsrv/schema and
/etc/dirsrv/slapd-centserver/schema

3.2 service dirsrv restart

=====================================================================

4. Modify file migrate_common.ph

/usr/share/openldap/migration/migrate_common.ph

4.1 Search for the following OrganizationalUnit :

$NAMINGCONTEXT{'group'} = "ou=Group";

4.2 Modify as shown below:

$NAMINGCONTEXT{'group'} = "ou=Groups";

4.3 Modify section Default DNS domain

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "riderman.com";

4.4 Modify section Defaut base

# Default base
$DEFAULT_BASE = "dc=riderman,dc=com";

4.5 Modify EXTENDED_SCHEMA

$EXTENDED_SCHEMA = 1;

=====================================================================

5. Samba Setup

5.1 /etc/samba/smb.conf

[global]
server string = Linux Domain Controller
workgroup = ridermangrp
security = user
passdb backend = ldapsam:ldap://centserver.abc.com
ldap admin dn = cn=Directory Manager
ldap suffix = dc=riderman,dc=com
ldap user suffix = ou=People
ldap machine suffix = ou=People
ldap group suffix = ou=Groups

add user script =
/usr/share/doc/samba-3.0.28/LDAP/smbldap-tools-0.9.2/smbldap-useradd -m "%u"
add machine script =
/usr/share/doc/samba-3.0.28/LDAP/smbldap-tools-0.9.2/smbldap-useradd -t
5 -w "%u"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
add user to group script =
/usr/share/doc/samba-3.0.28/LDAP/smbldap-tools-0.9.2/smbldap-groupmod -m
"%u" "%g"
delete user from group script =
/usr/share/doc/samba-3.0.28/LDAP/smbldap-tools-0.9.2/smbldap-groupmod -x
"%u" "%g"
set primary group script =
/usr/share/doc/samba-3.0.28/LDAP/smbldap-tools-0.9.2/smbldap-usermod -g
"%g" "%u"

log file = /var/log/%m.log
socket options = TCP_NODELAY SO_SNDBUF=65536 SO_RCVBUF=65536 IPTOS_LOWDELAY
os level = 33
domain logons = yes
domain master = yes
local master = yes
preferred master = yes
wins support = yes

logon home =
logon path =
logon drive =

template shell = /bin/false
winbind use default domain = no
enable privileges = yes
logon script = mapdrivectrl.bat
nt acl support = yes
map acl inherit = yes
[netlogon]
path = /var/lib/samba/netlogon/scripts
read only = yes
browsable = no

[share02]
security mask = 0777
force security mode = 0
directory security mask = 0777
force directory security mode = 0
force directory mode = 0777
force create mode = 0777
nt acl support = yes
writeable = yes
valid users = @"Domain Admins",@"Domain Computers",@"Domain
Users", at Domain_Admins, at Domain_Users
path = /share02

[share01]
nt acl support = yes
writeable = yes
valid users = @"Domain Admins",@"Domain Computers",@"Domain
Users", at Domain_Admins, at Domain_Users
path = /share01
inherit acls = yes
inherit permissions = yes
oplocks = yes
level2 oplocks = yes
share modes = yes
veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/

5.2 testparm

<<screen dump>>
>>
>>Load smb config files from /etc/samba/smb.conf
>>Processing section "[netlogon]"
>>Processing section "[profiles]"
>>Processing section "[homes]"
>>Loaded services file OK.
>>Server role: ROLE_DOMAIN_PDC
<<screen dump>>


5.3

mkdir -p /var/lib/samba
mkdir /var/lib/samba/{netlogon,profiles}
chown root:root -R /var/lib/samba
chmod 0755 /var/lib/samba/netlogon
chmod 1755 /var/lib/samba/profiles
mkdir /var/lib/samba/netlogon/scripts

5.4 Add Samba admin password
smbpasswd -w ldapadminpassword

5.5 Restart Samba service
service smb restart
=====================================================================
6. Restart Directory server service
service dirsrv restart
=====================================================================
7. Change LocalSID number
net setlocalsid S-1-5-21-231587965-5978642536-3325898745

7.1 Check if LocalSID number is changed as desired
net getlocalsid

<<screen dump>>
>>
>>SID for domain centserver is: S-1-5-21-231587965-5978642536-3325898745
>>
<<screen dump>>

=====================================================================
8. Import Samba Domain, Groups and Samba Admin account into Directory server

8.1 Copy three .ldif files to /root/Desktop:
sambaDomain.ldif
sambaGroups.ldif
sambaAdmin.ldif

8.2 Import sambaDomain.ldif to FDS

/usr/lib/dirsrv/slapd-centserver/ldif2ldap "cn=Directory manager"
ldapadminpassword /root/Desktop/sambaDomain.ldif

8.3 Import sambaGroups.ldif to FDS

/usr/lib/dirsrv/slapd-centserver/ldif2ldap "cn=Directory manager"
ldapadminpassword /root/Desktop/sambaGroups.ldif

8.4 Import sambaAdmin.ldif to FDS

/usr/lib/dirsrv/slapd-centserver/ldif2ldap "cn=Directory manager"
ldapadminpassword /root/Desktop/sambaAdmin.ldif

=====================================================================
9. Create Unix Group as follows

groupadd -g 2512 Domain_Admins
groupadd -g 2513 Domain_Users
groupadd -g 2514 Domain_Guests
groupadd -g 2515 Domain_Computers
=====================================================================
10. Group mapping

net groupmap add rid=2512 ntgroup='Domain Admins' unixgroup='Domain_Admins'
net groupmap add rid=2513 ntgroup='Domain Users' unixgroup='Domain_Users'
net groupmap add rid=2514 ntgroup='Domain Guests' unixgroup='Domain_Guests'
net groupmap add rid=2515 ntgroup='Domain Computers'
unixgroup='Domain_Computers'
=====================================================================
11. Config PAM

11.1 Edit ldap.conf in /etc/openldap/ldap.conf

<<screen dump>>
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldap://192.168.1.1:389/
BASE dc=riderman,dc=com
TLS_CACERTDIR /etc/openldap/cacerts

<<screen dump>>

11.2 /etc/ldap.conf


<<screen dump>>

# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# The man pages for this file are nss_ldap(5) and pam_ldap(5)
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host

# The distinguished name of the search base.
base dc=riderman,dc=com

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30
timelimit 120

# Bind/connect timelimit
#bind_timelimit 30
bind_timelimit 120

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change
your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=example,dc=com?one
#nss_base_shadow ou=People,dc=example,dc=com?one
#nss_base_group ou=Group,dc=example,dc=com?one
#nss_base_hosts ou=Hosts,dc=example,dc=com?one
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=example,dc=com?one

# Just assume that there are no supplemental groups for these named users
nss_initgroups_ignoreusers
root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
uri ldap://centserver.abc.com:389/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5





12.authconfig-tui

Mark at the position shown below:
?????????????????? Authentication Configuration ???????????????????
?
? User Information Authentication
? [*] Cache Information [*] Use MD5 Passwords
? [ ] Use Hesiod [*] Use Shadow Passwords
? [*] Use LDAP [*] Use LDAP Authentication
? [ ] Use NIS [ ] Use Kerberos
? [ ] Use Winbind [ ] Use SMB Authentication
? [ ] Use Winbind Authentication
? [ ] Local authorization is sufficient
?
? ?????????? ????????
? ? Cancel ? ? Next ?
? ?????????? ????????
?
?
???????????????????????????????????????????????????????????????????

12.1 Enter Server address and Base DN as shown below:


??????????????????? LDAP Settings ???????????????????
?
? [ ] Use TLS
? Server: ldap://192.168.1.1:389/_________________
? Base DN: dc=riderman,dc=com___________________
?
? ???????? ??????
? ? Back ? ? Ok ?
? ???????? ??????
?
?
???????????????????????????????????????????????


13. Edit sys-auth file

/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok likeauth
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so retry=3
password sufficient pam_unix.so md5 shadow nullok use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
session optional pam_ldap.so



=====================================================================================================================================

14. Before Join Windows user to PDC

14.1 Install LAM (Ldap Account Manager) http://lam.sourceforge.net on
domain control machine

service httpd restart

14.2 Open Web browser type address "http://127.0.0.1/lamlocal"

14.3 Add Domain user into Ldap directory by LAM web interface.

14.4 Computer name(machine name) of Windows must be added to Ldap
directory as a "Host" in LAM webinterface.
otherwise joining a machine to the domain will be failed.
=====================================================================
15. Reboot server machine and make sure to start all smb,drsrv and httpd
service

16. Test join domain from Windows machine

=====================================================================



These are the error messages when I tried to join machine name "test1"

[root at centserver /var/log/samba]# vim /var/log/test1.log

[2009/03/04 13:34:59, 0]
passdb/secrets.c:secrets_restore_schannel_session_info(1193)
secrets_restore_schannel_session_info: Failed to find entry with key
SECRETS/SCHANNEL/TEST1
[2009/03/04 13:34:59, 0] rpc_server/srv_pipe.c:pipe_schannel_auth_bind(1333)
pipe_schannel_auth_bind: Attempt to bind using schannel without
successful serverauth2
[2009/03/04 13:34:59, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
_net_auth2: creds_server_check failed. Rejecting auth request from
client TEST1 machine account TEST1$
[2009/03/04 13:36:31, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
_net_auth2: creds_server_check failed. Rejecting auth request from
client TEST1 machine account TEST1$
[2009/03/04 14:29:06, 1] smbd/service.c:make_connection_snum(1033)
test1 (192.168.1.254) connect to service filearea02 initially as user
bkk.tom (uid=53, gid=2512) (pid 9618)
[2009/03/04 14:29:45, 1] smbd/service.c:close_cnum(1230)
test1 (192.168.1.254) closed connection to service filearea02
[2009/03/04 14:53:47, 0] lib/util_sock.c:read_data(534)
read_data: read failure for 4 bytes to client 192.168.1.254. Error = No
route to host
[2009/03/04 16:43:59, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
_net_auth2: creds_server_check failed. Rejecting auth request from
client TEST1 machine account TEST1$
[2009/03/04 16:44:51, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
_net_auth2: creds_server_check failed. Rejecting auth request from
client TEST1 machine account TEST1$
[2009/03/04 17:12:16, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
_net_auth2: creds_server_check failed. Rejecting auth request from
client TEST1 machine account TEST1$
[2009/03/04 17:24:00, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
_net_auth2: creds_server_check failed. Rejecting auth request from
client TEST1 machine account TEST1$
[2009/03/04 17:32:05, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
_net_auth2: creds_server_check failed. Rejecting auth request from
client TEST1 machine account TEST1$


Thank you & Best Regards,
Tom

More information about the samba mailing list