[Samba-it] ldap and workstation
Piviul
pluto at flanet.org
Tue May 25 17:15:01 MDT 2004
So, for now I have set tls aside (I created the certificates and signed
them, but for some reason I can't get them to work... and if I do manage
it I'll let you know), in the hope that I won't then have to recreate
the ldap database.
So in the meantime I am trying to populate ldap with a few workstations
by joining them to the domain.
I configured smb.conf with the idealx scripts (for the workstations I
added 'add machine script =
/usr/local/sbin/smbldap-useradd -w "%u"') so that computer accounts can
be added directly from the client, but I must have got something wrong
again, because it gives me an error; NT fails saying:
"Account computer non esistente o inaccessibile" (computer account does
not exist or is inaccessible).
I looked at the logs and, rather than sending them to you in full, I am
picking out what at first glance seems most significant to me. Here the
idealx useradd script is called for the workstation pentium_pro
> [2004/05/25 16:09:45, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2229)
> _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w "pentium_pro$"' gave 0
> [2004/05/25 16:09:45, 5] lib/username.c:Get_Pwnam(288)
> Finding user pentium_pro$
> [2004/05/25 16:09:45, 5] lib/username.c:Get_Pwnam_internals(223)
> Trying _Get_Pwnam(), username as lowercase is pentium_pro$
> [2004/05/25 16:09:45, 5] lib/username.c:Get_Pwnam_internals(251)
> Get_Pwnam_internals did find user [pentium_pro$]!
and so it seems that it manages to add the workstation to ldap. Then
from the logs I see that it tries to modify the entry in ldap, but I see that:
> [2004/05/25 16:09:45, 5] lib/smbldap.c:smbldap_modify(976)
> smbldap_modify: dn => [uid=pentium_pro$,ou=WKS,dc=FLANET,dc=ORG]
> [2004/05/25 16:09:45, 2] passdb/pdb_ldap.c:ldapsam_add_sam_account(1639)
> ldapsam_add_sam_account: added: uid == pentium_pro$ in the LDAP database
> [2004/05/25 16:09:45, 3] lib/util_seaccess.c:se_access_check(251)
> [2004/05/25 16:09:45, 3] lib/util_seaccess.c:se_access_check(252)
> se_access_check: user sid is S-1-5-21-1883373938-1806556457-1046565767-2996
> se_access_check: also S-1-5-21-1883373938-1806556457-1046565767-512
> se_access_check: also S-1-1-0
> se_access_check: also S-1-5-2
> se_access_check: also S-1-5-11
> [2004/05/25 16:09:45, 5] lib/util_seaccess.c:se_access_check(315)
> se_access_check: access (f07ff) denied.
> [2004/05/25 16:09:45, 4] rpc_server/srv_samr_nt.c:access_check_samr_object(87)
> _samr_create_user: ACCESS should be DENIED (requested: 0x000f07ff)
> but overritten by euid == sec_initial_uid()
So it doesn't seem to be able to change it, because access is denied. And then again:
> [2004/05/25 16:09:46, 3] groupdb/mapping.c:smb_set_primary_group(905)
> smb_set_primary_group: Running the command `/usr/local/sbin/smbldap-usermod -g "Domain Users" "pentium_pro$"' gave 0
> [2004/05/25 16:09:46, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1390)
> ldapsam_update_sam_account: user pentium_pro$ to be modified has dn: uid=pentium_pro$,ou=WKS,dc=FLANET,dc=ORG
> [2004/05/25 16:09:46, 2] passdb/pdb_ldap.c:init_ldap_from_sam(769)
> init_ldap_from_sam: Setting entry for user: pentium_pro$
> [2004/05/25 16:09:46, 5] lib/smbldap.c:smbldap_modify(976)
> smbldap_modify: dn => [uid=pentium_pro$,ou=WKS,dc=FLANET,dc=ORG]
> [2004/05/25 16:09:46, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1217)
> ldapsam_modify_entry: Failed to modify user dn= uid=pentium_pro$,ou=WKS,dc=FLANET,dc=ORG with: No such attribute
> modify/delete: sambaPrimaryGroupSID: no such value
> [2004/05/25 16:09:46, 0] passdb/pdb_ldap.c:ldapsam_update_sam_account(1417)
> ldapsam_update_sam_account: failed to modify user with uid = pentium_pro$, error: modify/delete: sambaPrimaryGroupSID: no such value (Success)
> [2004/05/25 16:09:46, 5] rpc_parse/parse_prs.c:prs_debug(82)
> 000000 samr_io_r_set_userinfo
> [2004/05/25 16:09:46, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
> 0000 status: NT_STATUS_ACCESS_DENIED
...access denied again. And what about that sambaPrimaryGroupSID? Bah!
and then finally it deletes the entry it added
> [2004/05/25 16:09:46, 3] rpc_server/srv_samr_nt.c:smb_delete_user(3675)
> smb_delete_user: Running the command `/usr/local/sbin/smbldap-userdel "pentium_pro$"' gave 0
> [2004/05/25 16:09:46, 3] passdb/pdb_ldap.c:ldapsam_delete_sam_account(1311)
> ldapsam_delete_sam_account: Deleting user pentium_pro$ from LDAP.
> [2004/05/25 16:09:46, 5] lib/smbldap.c:smbldap_search(919)
> smbldap_search: base => [dc=FLANET,dc=ORG], filter => [(&(uid=pentium_pro$)(objectclass=sambaSamAccount))], scope => [2]
> [2004/05/25 16:09:46, 0] passdb/pdb_ldap.c:ldapsam_delete_entry(269)
> ldapsam_delete_entry: Entry must exist exactly once!
> [2004/05/25 16:09:46, 5] rpc_server/srv_samr_nt.c:_samr_delete_dom_user(3722)
> _samr_delete_dom_user:Failed to delete entry for user pentium_pro$.
and indeed uid=pentium_pro$ is not in ldap, even though it seems that
the deletion somehow fails...
Bah!
Many thanks to anyone who can give me a hand
Piviul
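
A triage aid for traces like the one quoted above, added here as an example and not part of the original post: it pairs each Samba log header with its message lines and reduces the trace to helper-script exit codes, NT status codes, and level 0/1 messages. The sample is a subset of the lines quoted in the post; the function names are illustrative.

```python
import re
# Subset of the log lines quoted in the post above, quote markers removed.
SAMPLE = """\
[2004/05/25 16:09:45, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2229)
_samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w "pentium_pro$"' gave 0
[2004/05/25 16:09:46, 3] groupdb/mapping.c:smb_set_primary_group(905)
smb_set_primary_group: Running the command `/usr/local/sbin/smbldap-usermod -g "Domain Users" "pentium_pro$"' gave 0
[2004/05/25 16:09:46, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1217)
ldapsam_modify_entry: Failed to modify user dn= uid=pentium_pro$,ou=WKS,dc=FLANET,dc=ORG with: No such attribute
modify/delete: sambaPrimaryGroupSID: no such value
[2004/05/25 16:09:46, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
0000 status: NT_STATUS_ACCESS_DENIED
[2004/05/25 16:09:46, 3] rpc_server/srv_samr_nt.c:smb_delete_user(3675)
smb_delete_user: Running the command `/usr/local/sbin/smbldap-userdel "pentium_pro$"' gave 0
[2004/05/25 16:09:46, 0] passdb/pdb_ldap.c:ldapsam_delete_entry(269)
ldapsam_delete_entry: Entry must exist exactly once!
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+):(\w+)\((\d+)\)$")
SCRIPT = re.compile(r"Running the command `(.+)' gave (-?\d+)")
STATUS = re.compile(r"\bstatus: (NT_STATUS_\w+)")

def parse_records(text):
    """Group each '[time, level] file:func(line)' header with its message lines."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).rstrip()   # tolerate mail quote markers
        m = HEADER.match(line)
        if m:
            records.append({"time": m[1], "level": int(m[2]), "func": m[4], "msg": []})
        elif records and line:
            records[-1]["msg"].append(line.strip())
    return records

def timeline(records, max_level=1):
    """Keep helper-script runs, NT status codes, and messages at level <= max_level."""
    events = []
    for r in records:
        msg = " ".join(r["msg"])
        if (s := SCRIPT.search(msg)):
            events.append((r["time"], "script", s[1], int(s[2])))
        elif (n := STATUS.search(msg)):
            events.append((r["time"], "status", n[1], None))
        elif r["level"] <= max_level:
            events.append((r["time"], "error", msg, r["level"]))
    return events

if __name__ == "__main__":
    print(*timeline(parse_records(SAMPLE)), sep="\n")
```

Run over a full log, the output lines up each helper script's exit status against the LDAP errors and NT status that follow it, which is the ordering the post reconstructs by hand.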