[Samba-it] ldap and workstation

Piviul pluto at flanet.org
Tue May 25 17:15:01 MDT 2004


So, for now I have set TLS aside (I created the certificates and signed
them, but then for some reason I can't get them to work... and if I
manage it later I'll let you know), hoping that I won't have to recreate
the LDAP database afterwards.
So in the meantime I'm trying to populate LDAP with a few workstations
by adding them to the domain.

I configured smb.conf with the idealx scripts (for workstations I put
'add machine script = /usr/local/sbin/smbldap-useradd -w "%u"') so that
computer accounts can be added directly from the client, but I must have
got something wrong again because it gives me an error; NT fails saying:
"Account computer non esistente o inaccessibile" (computer account does
not exist or is inaccessible).

I looked at the logs and, without sending them to you in full, I'm
picking out what at a glance seems most significant to me. Here the
idealx useradd script is called for the workstation pentium_pro
> [2004/05/25 16:09:45, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2229)
>   _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w "pentium_pro$"' gave 0
> [2004/05/25 16:09:45, 5] lib/username.c:Get_Pwnam(288)
>   Finding user pentium_pro$
> [2004/05/25 16:09:45, 5] lib/username.c:Get_Pwnam_internals(223)
>   Trying _Get_Pwnam(), username as lowercase is pentium_pro$
> [2004/05/25 16:09:45, 5] lib/username.c:Get_Pwnam_internals(251)
>   Get_Pwnam_internals did find user [pentium_pro$]!
so it seems it does manage to insert the workstation into LDAP. Then in
the logs I see it tries to modify the entry in LDAP, but I see that:
> [2004/05/25 16:09:45, 5] lib/smbldap.c:smbldap_modify(976)
>   smbldap_modify: dn => [uid=pentium_pro$,ou=WKS,dc=FLANET,dc=ORG]
> [2004/05/25 16:09:45, 2] passdb/pdb_ldap.c:ldapsam_add_sam_account(1639)
>   ldapsam_add_sam_account: added: uid == pentium_pro$ in the LDAP database
> [2004/05/25 16:09:45, 3] lib/util_seaccess.c:se_access_check(251)
> [2004/05/25 16:09:45, 3] lib/util_seaccess.c:se_access_check(252)
>   se_access_check: user sid is S-1-5-21-1883373938-1806556457-1046565767-2996
>   se_access_check: also S-1-5-21-1883373938-1806556457-1046565767-512
>   se_access_check: also S-1-1-0
>   se_access_check: also S-1-5-2
>   se_access_check: also S-1-5-11
> [2004/05/25 16:09:45, 5] lib/util_seaccess.c:se_access_check(315)
>   se_access_check: access (f07ff) denied.
> [2004/05/25 16:09:45, 4] rpc_server/srv_samr_nt.c:access_check_samr_object(87)
>   _samr_create_user: ACCESS should be DENIED  (requested: 0x000f07ff)
>   but overritten by euid == sec_initial_uid()
So it doesn't seem able to change it, because access is denied. And then also:
> [2004/05/25 16:09:46, 3] groupdb/mapping.c:smb_set_primary_group(905)
>   smb_set_primary_group: Running the command `/usr/local/sbin/smbldap-usermod -g "Domain Users" "pentium_pro$"' gave 0
> [2004/05/25 16:09:46, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1390)
>   ldapsam_update_sam_account: user pentium_pro$ to be modified has dn: uid=pentium_pro$,ou=WKS,dc=FLANET,dc=ORG
> [2004/05/25 16:09:46, 2] passdb/pdb_ldap.c:init_ldap_from_sam(769)
>   init_ldap_from_sam: Setting entry for user: pentium_pro$
> [2004/05/25 16:09:46, 5] lib/smbldap.c:smbldap_modify(976)
>   smbldap_modify: dn => [uid=pentium_pro$,ou=WKS,dc=FLANET,dc=ORG]
> [2004/05/25 16:09:46, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1217)
>   ldapsam_modify_entry: Failed to modify user dn= uid=pentium_pro$,ou=WKS,dc=FLANET,dc=ORG with: No such attribute
>   	modify/delete: sambaPrimaryGroupSID: no such value
> [2004/05/25 16:09:46, 0] passdb/pdb_ldap.c:ldapsam_update_sam_account(1417)
>   ldapsam_update_sam_account: failed to modify user with uid = pentium_pro$, error: modify/delete: sambaPrimaryGroupSID: no such value (Success)
> [2004/05/25 16:09:46, 5] rpc_parse/parse_prs.c:prs_debug(82)
>   000000 samr_io_r_set_userinfo 
> [2004/05/25 16:09:46, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
>       0000 status: NT_STATUS_ACCESS_DENIED
...access denied again. And then what about that sambaPrimaryGroupSID? Bah!

and then finally it deletes the entry that was inserted
> [2004/05/25 16:09:46, 3] rpc_server/srv_samr_nt.c:smb_delete_user(3675)
>   smb_delete_user: Running the command `/usr/local/sbin/smbldap-userdel "pentium_pro$"' gave 0
> [2004/05/25 16:09:46, 3] passdb/pdb_ldap.c:ldapsam_delete_sam_account(1311)
>   ldapsam_delete_sam_account: Deleting user pentium_pro$ from LDAP.
> [2004/05/25 16:09:46, 5] lib/smbldap.c:smbldap_search(919)
>   smbldap_search: base => [dc=FLANET,dc=ORG], filter => [(&(uid=pentium_pro$)(objectclass=sambaSamAccount))], scope => [2]
> [2004/05/25 16:09:46, 0] passdb/pdb_ldap.c:ldapsam_delete_entry(269)
>   ldapsam_delete_entry: Entry must exist exactly once!
> [2004/05/25 16:09:46, 5] rpc_server/srv_samr_nt.c:_samr_delete_dom_user(3722)
>   _samr_delete_dom_user:Failed to delete entry for user pentium_pro$.
and indeed uid=pentium_pro$ is not in LDAP, even though it seems the
deletion somehow fails...

Bah!

Many thanks to anyone who can give me a hand

Piviul
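An added example, not part of the original post or of Samba or the idealx tools: a small Python parser for Samba's debug-log record format (a `[date time, level] file:function(line)` header followed by indented message lines) that groups the records and summarises what ldapsam did for one machine account, so a failed join like the one above can be picked out of a full level-5 log without reading it by hand. The sample log is a constructed excerpt of the lines quoted in the post; `parse_samba_log`, `machine_join_trace` and `Record` are names chosen here.

```python
import re
from dataclasses import dataclass, field
from typing import List

# One Samba debug-log record header: [date time, level] file:function(line)
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] ([\w./]+):(\w+)\((\d+)\)")
# Constructed excerpt of the log quoted in the post (mailing-list '> ' quoting kept)
SAMPLE_LOG = """\
> [2004/05/25 16:09:45, 2] passdb/pdb_ldap.c:ldapsam_add_sam_account(1639)
>   ldapsam_add_sam_account: added: uid == pentium_pro$ in the LDAP database
> [2004/05/25 16:09:46, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1217)
>   ldapsam_modify_entry: Failed to modify user dn= uid=pentium_pro$,ou=WKS,dc=FLANET,dc=ORG with: No such attribute
>   \tmodify/delete: sambaPrimaryGroupSID: no such value
> [2004/05/25 16:09:46, 0] passdb/pdb_ldap.c:ldapsam_delete_entry(269)
>   ldapsam_delete_entry: Entry must exist exactly once!
"""

@dataclass
class Record:
    when: str
    level: int
    source: str
    function: str
    messages: List[str] = field(default_factory=list)

def parse_samba_log(text: str) -> List[Record]:
    """Group a Samba debug log into records; continuation lines attach to the last header."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()          # drop quote marks and indentation
        m = HEADER.match(line)
        if m:
            records.append(Record(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
        elif records and line:
            records[-1].messages.append(line)
    return records

def machine_join_trace(records: List[Record], account: str) -> dict:
    """Summarise the ldapsam add / modify / delete steps seen for one machine account."""
    trace = {"added": False, "modify_error": None, "delete_error": None}
    for r in records:
        text = " ".join(r.messages)
        if r.function == "ldapsam_add_sam_account" and f"uid == {account}" in text:
            trace["added"] = True
        elif r.function == "ldapsam_modify_entry" and f"uid={account}," in text and "with: " in text:
            trace["modify_error"] = text.split("with: ", 1)[1]   # server reason + attribute detail
        elif r.function == "ldapsam_delete_entry" and "Entry must exist exactly once" in text:
            trace["delete_error"] = text.split(": ", 1)[1]
    return trace
```

For the excerpt above the trace reports the account as added, a modify error naming sambaPrimaryGroupSID, and the failed delete, which is the sequence the post walks through.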



