[Samba] Debian Lenny - Samba 3.2.5 + OpenLDAP (slapd) 2.4.11

Henrik Dige Semark hds at semark.dk
Wed Jan 27 14:32:28 MST 2010


My admin account is called Admin:

# pdbedit -Lv Admin
INFO: Current debug levels:
  all: True/256
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
  quota: False/0
  acls: False/0
  locking: False/0
  msdfs: False/0
  dmapi: False/0
  registry: False/0
doing parameter log file = /var/log/samba/%m.log
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter security = user
doing parameter encrypt passwords = true
doing parameter unix password sync = yes
doing parameter pam password change = yes
doing parameter obey pam restrictions = no
doing parameter passwd program = /usr/sbin/smbldap-passwd %u
doing parameter passwd chat = *Nyt kodeord* \n *Det nye kodeord skal være minimum 6 karaktere lange, og kan indeholde [0-9], [a-z] og [A-Z]* \n *Ny kode* %n\n *Tast koden igen* %n\n * Koden skiftet korrekt*
doing parameter printing = cups
doing parameter load printers = Yes
doing parameter printcap name = cups
doing parameter socket options = TCP_NODELAY
pm_process() returned Yes
lp_servicenumber: couldn't find homes
set_server_role: role = ROLE_DOMAIN_PDC
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF-16LE
Registered charset UTF-16LE
Attempting to register new charset UCS-2BE
Registered charset UCS-2BE
Attempting to register new charset UTF-16BE
Registered charset UTF-16BE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset UTF-8
Registered charset UTF-8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset 646
Registered charset 646
Attempting to register new charset ISO-8859-1
Registered charset ISO-8859-1
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to find an passdb backend to match ldapsam:ldap://127.0.0.1 (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SEMARKTEST))]
smbldap_search_ext: base => [dc=semark-testing,dc=dk], filter => [(&(objectClass=sambaDomain)(sambaDomainName=SEMARKTEST))], scope => [2]
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
The connection to the LDAP server was closed
smb_ldap_setup_connection: ldap://127.0.0.1
smbldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server ldap://127.0.0.1 as "cn=admin,dc=semark-testing,dc=dk"
ldap_connect_system: successful connection to the LDAP server
ldap_connect_system: LDAP server does support paged results
The LDAP server is successfully connected
attribute sambaAlgorithmicRidBase does not exist
pdb backend ldapsam:ldap://127.0.0.1 has a valid init
Netbios name list:-
my_netbios_names[0]="PDC"
Attempting to find an passdb backend to match ldapsam:ldap://127.0.0.1 (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SEMARKTEST))]
smbldap_search_ext: base => [dc=semark-testing,dc=dk], filter => [(&(objectClass=sambaDomain)(sambaDomainName=SEMARKTEST))], scope => [2]
The connection to the LDAP server was closed
smb_ldap_setup_connection: ldap://127.0.0.1
smbldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server ldap://127.0.0.1 as "cn=admin,dc=semark-testing,dc=dk"
ldap_connect_system: successful connection to the LDAP server
ldap_connect_system: LDAP server does support paged results
The LDAP server is successfully connected
attribute sambaAlgorithmicRidBase does not exist
pdb backend ldapsam:ldap://127.0.0.1 has a valid init
smbldap_search_ext: base => [dc=semark-testing,dc=dk], filter => [(&(uid=Admin)(objectclass=sambaSamAccount))], scope => [2]
smbldap_open: already connected to the LDAP server
init_sam_from_ldap: Entry found for user: Admin
pdb_set_username: setting username Admin, was 
element 12 -> now SET
pdb_set_domain: setting domain SEMARKTEST, was 
element 14 -> now DEFAULT
pdb_set_nt_username: setting nt username Admin, was 
element 15 -> now SET
pdb_set_user_sid_from_string: setting user sid S-1-5-21-860714184-2299130787-2886737959-500
pdb_set_user_sid: setting user sid S-1-5-21-860714184-2299130787-2886737959-500
element 18 -> now SET
element 18: SET
element 21 -> now SET
element 5 -> now SET
element 6 -> now SET
element 7 -> now SET
element 9 -> now SET
element 10 -> now SET
attribute displayName does not exist
pdb_set_full_name: setting full name Admin, was 
element 13 -> now SET
pdb_set_dir_drive: setting dir drive H:, was NULL
element 3 -> now SET
pdb_set_homedir: setting home dir \\192.168.1.182\Admin, was 
element 1 -> now SET
attribute sambaLogonScript does not exist
pdb_set_logon_script: setting logon script scripts/logon.bat, was 
element 4 -> now DEFAULT
pdb_set_profile_path: setting profile path \\192.168.1.182\profiles\Admin, was 
element 2 -> now SET
attribute description does not exist
attribute sambaUserWorkstations does not exist
attribute sambaMungedDial does not exist
element 32 -> now SET
element 33 -> now SET
Opening cache file at /var/run/samba/gencache.tdb
Returning expired cache entry: key = ACCT_POL/password history, value = 0
, timeout = Wed Jan 27 22:26:56 2010
ldapsam_get_account_policy_from_ldap
smbldap_search_ext: base => [sambaDomainName=semarktest,dc=semark-testing,dc=dk], filter => [(objectclass=*)], scope => [0]
smbldap_open: already connected to the LDAP server
cache_account_policy_set: updating account pol cache
Adding cache entry with key = ACCT_POL/password history; value = 0
 and timeout = Wed Jan 27 22:28:14 2010
 (60 seconds ahead)
element 20 -> now SET
element 16 -> now SET
element 17 -> now SET
attribute sambaBadPasswordCount does not exist
attribute sambaBadPasswordTime does not exist
attribute sambaLogonHours does not exist
Opening cache file at /var/cache/samba/login_cache.tdb
Looking up login cache for user Admin
No cache entry found
No cache entry, bad count = 0, bad time = 0
element 35 -> now CHANGED
Unix username:        Admin
NT username:          Admin
Account Flags:        [U          ]
User SID:             S-1-5-21-860714184-2299130787-2886737959-500
Finding user Admin
Trying _Get_Pwnam(), username as lowercase is admin
Trying _Get_Pwnam(), username as given is Admin
Trying _Get_Pwnam(), username as uppercase is ADMIN
Checking combinations of 0 uppercase letters in admin
Get_Pwnam_internals didn't find user [Admin]!
pdb_get_group_sid: Failed to find Unix account for Admin
Primary Group SID:    (NULL SID)
Full Name:            Admin
Home Directory:       \\192.168.1.182\Admin
HomeDir Drive:        H:
Logon Script:         scripts/logon.bat
Profile Path:         \\192.168.1.182\profiles\Admin
Domain:               SEMARKTEST
Account desc:         
Workstations:         
Munged dial:          
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    man, 25 jan 2010 00:04:09 CET
Returning expired cache entry: key = ACCT_POL/minimum password age, value = 0
, timeout = Wed Jan 27 22:26:56 2010
ldapsam_get_account_policy_from_ldap
smbldap_search_ext: base => [sambaDomainName=semarktest,dc=semark-testing,dc=dk], filter => [(objectclass=*)], scope => [0]
smbldap_open: already connected to the LDAP server
cache_account_policy_set: updating account pol cache
Adding cache entry with key = ACCT_POL/minimum password age; value = 0
 and timeout = Wed Jan 27 22:28:14 2010
 (60 seconds ahead)
Password can change:  man, 25 jan 2010 00:04:09 CET
Returning expired cache entry: key = ACCT_POL/maximum password age, value = 4294967295
, timeout = Wed Jan 27 22:26:56 2010
ldapsam_get_account_policy_from_ldap
smbldap_search_ext: base => [sambaDomainName=semarktest,dc=semark-testing,dc=dk], filter => [(objectclass=*)], scope => [0]
smbldap_open: already connected to the LDAP server
cache_account_policy_set: updating account pol cache
Adding cache entry with key = ACCT_POL/maximum password age; value = 4294967295
 and timeout = Wed Jan 27 22:28:14 2010
 (60 seconds ahead)
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


# net groupmap list | grep "Domain Admins" 
Domain Admins (S-1-5-21-860714184-2299130787-2886737959-512) -> 512

My system is still not authorising against LDAP for UNIX login, so I'm not
sure that I can check groups.

---
Med Venlig Hilsen / Best regards
Henrik Dige Semark

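In the pdbedit and groupmap output above, the Get_Pwnam failure, the (NULL SID) primary group and the bare "512" on the right-hand side of the Domain Admins mapping all point at the same thing: NSS is not returning the LDAP users and groups to the system. As an added example (not part of the thread), this parses constructed copies of those lines and flags the three symptoms so the check can be repeated after changing nsswitch or the group mapping:

```python
import re
# Constructed sample: lines copied from the pdbedit -Lv and groupmap output above.
PDBEDIT_OUTPUT = """\
User SID:             S-1-5-21-860714184-2299130787-2886737959-500
Get_Pwnam_internals didn't find user [Admin]!
pdb_get_group_sid: Failed to find Unix account for Admin
Primary Group SID:    (NULL SID)
"""
GROUPMAP_OUTPUT = """\
Domain Admins (S-1-5-21-860714184-2299130787-2886737959-512) -> 512
Domain Users (S-1-5-21-860714184-2299130787-2886737959-513) -> Domain Users
"""
FIELD_RE = re.compile(r"^(User SID|Primary Group SID|Account Flags):\s*(.*)$")
GROUPMAP_RE = re.compile(r"^(.+?) \((S-1-5-21-[\d-]+)\) -> (.+)$")

def parse_pdbedit(text):
    """Collect the summary fields and whether Get_Pwnam resolved the Unix account."""
    fields = {"unix_account_found": True}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
        if "Get_Pwnam_internals didn't find user" in line:
            fields["unix_account_found"] = False  # NSS did not return the user
    return fields

def parse_groupmap(text):
    """NT group -> SID and Unix side; a bare number means the gid has no NSS name."""
    mapping = {}
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line)
        if m:
            nt_name, sid, unix_side = m.groups()
            mapping[nt_name] = {"sid": sid, "unix": unix_side,
                                "resolvable": not unix_side.isdigit()}
    return mapping

def diagnose(pdbedit_text, groupmap_text):
    """Return the problem codes visible in the two outputs, in a fixed order."""
    acct = parse_pdbedit(pdbedit_text)
    admins = parse_groupmap(groupmap_text).get("Domain Admins")
    problems = []
    if not acct["unix_account_found"]:
        problems.append("unix-account-missing")
    if acct.get("Primary Group SID") == "(NULL SID)":
        problems.append("no-primary-group-sid")
    if admins is None or not admins["resolvable"]:
        problems.append("domain-admins-gid-unresolvable")
    return problems
```

Once `getent passwd Admin` and `getent group` resolve through LDAP, the same inputs should produce an empty problem list.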

On 27-01-2010 22:22, Gaiseric Vandal wrote:
> Sorry, should be "Administrator"
>
>
> Verify the user exists in samba with " pdbedit -Lv Administrator"
>
> and that group mapping is setup.
>
> # net groupmap list | grep "Domain Admins"
> Domain Admins (S-1-5-21-xxxxx-512) -> Domain Admins
> #
>
> The unix group name (on the right side of the mapping) may not
> exactly match the windows name.
> You might have
>
> # net groupmap list | grep "Domain Admins"
> Domain Admins (S-1-5-21-xxxxx-512) -> Samba_Domain_Admins
> #
>
>
> Also verify that the Administrator is in the correct groups
>
> #groups Administrator
> Domain Admins   Domain Users ....
>
>
>
> I also had mappings for
>     Domain Users
>     Domain Computers
>     Domain Guests
>     Domain Controllers
>
>
>
> On 01/27/10 15:33, Henrik Dige Semark wrote:
>> I have just tried with "net join -U Admin" and I get the same error as
>> before.
>>
>> # net join -U Admin
>> Enter admin's password:
>> Could not connect to server PDC
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE
>> [ ... ]
>> quality_candidates: id=0, first=0, last=0
>> Jan 27 21:32:11 hds-debian-virt slapd[1868]: bdb_search_candidates:
>> id=0 first=17 last=0
>> Jan 27 21:32:11 hds-debian-virt slapd[1868]: hdb_search: no candidates
>> Jan 27 21:32:11 hds-debian-virt slapd[1868]: send_ldap_result: conn=5
>> op=1146 p=3
>> Jan 27 21:32:11 hds-debian-virt slapd[1868]: send_ldap_result: err=0
>> matched="" text=""
>> Jan 27 21:32:11 hds-debian-virt slapd[1868]: send_ldap_response:
>> msgid=1147 tag=101 err=0
>>
>> ---
>> Med Venlig Hilsen / Best regards
>> Henrik Dige Semark
>>
>>
>> On 27-01-2010 21:06, Gaiseric Vandal wrote:
>>> Try using  "net ...   -U Administrator" instead, since "root" is not
>>> by default a member of the domain admin group.  This presumes you have
>>> created the Administrator account in samba, created the "domain
>>> admins" group and setup the approp group mapping for key groups
>>> (domain admins, domain users etc.)
>>>
>>>
>>>
>>>
>>> On 01/27/10 14:23, Henrik Dige Semark wrote:
>>>> Does the PDC have to join the domain also?
>>>>
>>>> When I try to join my PDC to its domain with "net join" I get the
>>>> following error.
>>>>
>>>> Enter root's password:
>>>> Could not connect to server PDC
>>>> The username or password was not correct.
>>>> Connection failed: NT_STATUS_LOGON_FAILURE
>>>>
>>>>
>>>> The netbios name for my PDC is pdc.semarktest.dk; I guess that is why it
>>>> tells me that it can't connect to server PDC.
>>>> I have checked that pdc is in the name server (nameserver is on
>>>> 127.0.0.1)
>>>>
>>>> # host pdc
>>>> pdc.semarktest.dk has address 192.168.1.182
>>>>
>>>> Is there something I'm missing?
>>>>
>>>> Log dump from net join command:
>>>>
>>>> # tail -200 /var/log/syslog | grep slapd
>>>> Jan 27 20:21:53 hds-debian-virt slapd[1868]: connection_get(22): got
>>>> connid=15
>>>> Jan 27 20:21:53 hds-debian-virt slapd[1868]: connection_read(22):
>>>> checking for input on id=15
>>>> Jan 27 20:21:53 hds-debian-virt slapd[1868]: conn=15 op=2 do_search
>>>> Jan 27 20:21:53 hds-debian-virt slapd[1868]:>>>
>>>> dnPrettyNormal:<sambaDomainName=SEMARKTEST,sambaDomainName=semarktest,dc=semark-testing,dc=dk>
>>>>
>>>> [ ... ]
>>>> Jan 27 20:21:53 hds-debian-virt slapd[1868]: connection_closing:
>>>> readying conn=15 sd=22 for close
>>>> Jan 27 20:21:53 hds-debian-virt slapd[1868]: connection_close:
>>>> conn=15 sd=22
>>>>
>>>> ---
>>>> Med Venlig Hilsen / Best regards
>>>> Henrik Dige Semark
>>>>
>>>>
>>>> On 26-01-2010 22:42, Dale Schroeder wrote:
>>>>
>>>>> Henrik,
>>>>>
>>>>> I saw that another user wanted you to make sure that the PDC was
>>>>> added
>>>>> to the domain, and he is correct.
>>>>> If it is still not working after adding the PDC to the domain,
>>>>> consider changing the add machine script to this:
>>>>>
>>>>>       add machine script = /usr/sbin/smbldap-useradd -i -w '%u'
>>>>>
>>>>> I ran into this problem with Samba 3.4.3 on Debian Squeeze, and that
>>>>> is what fixed the issue.
>>>>>
>>>>> Dale
>>>>>
>>>>>
>>>>> On 01/25/2010 3:23 PM, Henrik Dige Semark wrote:
>>>>>
>>>>>> I have a serious problem.
>>>>>>
>>>>>> I have for some time now tried to get a SAMBA-based Domain
>>>>>> Controller working.
>>>>>> I have tried with OpenLDAP and tdbsam as backend, but I get the same
>>>>>> error every time.
>>>>>>
>>>>>> I would prefer to use LDAP as my backend.
>>>>>> I have read tons of SAMBA + LDAP how-tos, but none of them seems to
>>>>>> work for me. Is there someone who can maybe see what I have done wrong
>>>>>> in my config?
>>>>>>
>>>>>> I have attached my samba conf and LDAP conf.
>>>>>>
>>>>>> Samba is connected to OpenLDAP, and LDAP is running fine.
>>>>>> But when I try to join my Windows XP Pro SP3 it takes about one
>>>>>> minute and it tells me that the username and/or password may be wrong,
>>>>>> or not existing.
>>>>>>
>>>>>> There is no doubt that Samba and LDAP are talking together (Samba
>>>>>> has updated the SIDs and RIDs), because when I try to join the domain
>>>>>> LDAP is activated, but the return value is somehow disappearing on the
>>>>>> way back to my client.
>>>>>>
>>>>>> I have some wireshark dumps that I can provide if it's necessary.
>>>>>> I can provide LOGS, DUMPS, and everything needed if it's necessary.
>>>>>>
>>>>>> System info:
>>>>>> Clean installed Debian Lenny (5.0.3)
>>>>>> Clean installed Samba 3.2.5 + Winbind 3.2.5
>>>>>> Clean installed OpenLDAP 2.4.11 (slapd)
>>>>>> Debian default smbldap-tools (smbldap-populate is working and has
>>>>>> populated LDAP without problems)
>>>>>> If there is something I have forgotten please just ask for it; I'm
>>>>>> close to being desperate!
>>>>>>
>>>>>> ---
>>>>>> Med Venlig Hilsen / Best regards
>>>>>> Henrik Dige Semark
>>>>>>
>>>>>>
>>>>>>
>

