[Samba-it] Creation of workstation account failed

Ros nostradamus at libero.it
Thu May 4 10:46:01 MDT 2006


Hello everyone.
I installed samba+openldap on FreeBSD 6.0 and used smbldap-tools to add users and PCs. Everything runs smoothly when creating the LDAP tree and in Samba's operation. In other words, the various smbldap tools (for example smbldap-useradd) work perfectly. But when I go to establish the domain trust (net rpc join -U root), it returns the following error:

Creation of workstation account failed
Unable to join domain STUDIO.

If I enable logging (net rpc join -d 2 -U root), it says:
[2006/05/04 10:35:59, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine <IP> pipe \lsarpc fnum 0x7409 bind request returned ok.
[2006/05/04 10:35:59, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine <IP> pipe \NETLOGON fnum 0x740a bind request returned ok.
[2006/05/04 10:35:59, 3] libsmb/trusts_util.c:just_change_the_password(57)
  just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
[2006/05/04 10:35:59, 1] utils/net_rpc.c:run_rpc_command(169)
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)


Every time I try to join the domain, it tries to create a workstation. I also tried creating it manually (with smbldap-useradd -w server1 [I tried both with the NetBIOS name and with the hostname]) and it is in fact created without problems: "ldapsearch -x" confirms it is there, so it really is added to the LDAP tree (even when I don't do it manually). But when I attempt the join, the error remains.

I can't tell whether it's a misconfiguration of slapd.conf or smb.conf, or an incorrect build of the sources (or both!).

Thanks to anyone who will give me a hand solving the problem.

My openldap configure is:

env CPPFLAGS="-I/usr/local/BerkeleyDB.4.4/include " LDFLAGS="-L/usr/local/BerkeleyDB.4.4/lib" ./configure --enable-crypt --enable-ldap --enable-passwd --enable-lmpasswd --with-tls --with-threads 

My smb.conf

[global]
	workgroup = STUDIO
	netbios name = server1
	password server = *
	server string = Primary Domain Controller
##	security = DOMAIN
	passdb backend = ldapsam:ldap://127.0.0.1/
	passwd program = /usr/sbin/smbldap-passwd %u
	passwd chat = *New*UNIX*password* %n\n *Enter*new*UNIX*password:* %n\n *Authentication*tokens*updated*successfully*
	passwd chat debug = Yes
	syslog = 0
	encrypt passwords = yes
	log file = /var/log/samba/log.%m
	max log size = 1000
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	add user script = /usr/sbin/smbldap-useradd -a %u
	add machine script = /usr/sbin/smbldap-useradd -w %u
	logon drive = W:
	logon home = \\%L\%U\.profile
	domain logons = Yes
	os level = 65
	preferred master = auto
	domain master = Yes
	local master = yes
	ldap admin dn = cn=root,dc=retelocale,dc=it
	ldap group suffix = ou=Groups
	ldap machine suffix = ou=Computers
	ldap passwd sync = Yes
	ldap suffix = dc=retelocale,dc=it
	ldap ssl = no
	ldap delete dn = no
	ldap user suffix = ou=People
	idmap uid = 16777216-33554431
	idmap gid = 16777216-33554431
	template shell = /sbin/nologin
	winbind separator = +
	winbind use default domain = Yes
	winbind enum users = yes

	winbind uid = 10000-20000
	winbind gid = 10000-20000
	winbind enum groups = yes
	
	use spnego = no
	admin users = root, Administrator
My slapd.conf

include		/usr/local/etc/openldap/schema/core.schema
include		/usr/local/etc/openldap/schema/cosine.schema
include		/usr/local/etc/openldap/schema/nis.schema
include		/usr/local/etc/openldap/schema/inetorgperson.schema
include		/usr/local/etc/openldap/schema/samba.schema

pidfile		/var/run/slapd.pid
argsfile	/var/run/slapd.args
schemacheck on

database	bdb
suffix		"dc=retelocale,dc=it"
rootdn		"cn=root,dc=retelocale,dc=it"
rootpw 		<PASSWORD>
#z7Dl9l3htRgikqAgCJ9RVF9qDqlRu8XH
directory	/var/openldap-data

index      objectClass,uidNumber,gidNumber                  eq
index      cn,sn,uid,displayName                            pres,sub,eq
index      memberUid,mail,givenname                 eq,subinitial
index      sambaSID,sambaPrimaryGroupSID,sambaDomainName    eq
index default sub


## allow the "ldap admin dn" access, but deny everyone else
access to attrs=SambaLMPassword,SambaNTPassword
	by dn="cn=root,ou=People,dc=retelocale,dc=it" write
	by dn="cn=smbldap-tools,dc=retelocale,dc=it" write
	by * none
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
	by dn="cn=smbldap-tools,dc=retelocale,dc=it" write
	by self write
	by anonymous auth
	by * none
access to *
	by * read

# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
	by dn="cn=smbldap-tools,dc=retelocale,dc=it" write
	by dn="ou=domains,dc=retelocale,dc=it" write
	by * read
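Reading the ACL block of the posted slapd.conf with OpenLDAP's evaluation rule in mind (slapd uses the first "access to" clause whose target matches and never consults later ones) shows two things worth checking on any ldapsam deployment: the "access to *" clause precedes the last attrs= clause, so that last clause is never reached, and the two Samba hash attributes in the second clause were already decided by the first. The script below is an added example, not code from the original message or from smbldap-tools. It parses constructed excerpts of the posted smb.conf and slapd.conf (embedded inline), reports clauses that earlier clauses make dead, and classifies the "ldap admin dn" Samba binds with: when it equals the slapd rootdn, as it does here, no ACL applies to it at all. Its ACL model is deliberately simplified (attrs-only and "*" targets, no dn filters, no break/continue controls), which is an assumption to keep in mind on richer configs.

```python
"""Static checks for an OpenLDAP slapd.conf ACL block behind a Samba ldapsam backend.

Added example, not code from the original post or from smbldap-tools.  The two
configuration strings below are constructed excerpts of the configs in the post.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt of the post's smb.conf: only the lines the checks need.
SMB_CONF = """\
[global]
    workgroup = STUDIO
    passdb backend = ldapsam:ldap://127.0.0.1/
    ldap admin dn = cn=root,dc=retelocale,dc=it
    ldap suffix = dc=retelocale,dc=it
"""

# Constructed excerpt of the post's slapd.conf: rootdn plus the ACL block.
SLAPD_CONF = """\
rootdn          "cn=root,dc=retelocale,dc=it"
## allow the "ldap admin dn" access, but deny everyone else
access  to attrs=SambaLMPassword,SambaNTPassword
        by dn="cn=root,ou=People,dc=retelocale,dc=it" write
        by dn="cn=smbldap-tools,dc=retelocale,dc=it" write
        by * none
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="cn=smbldap-tools,dc=retelocale,dc=it" write
        by self write
        by anonymous auth
        by * none
access to *
        by * read
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
        by dn="cn=smbldap-tools,dc=retelocale,dc=it" write
        by dn="ou=domains,dc=retelocale,dc=it" write
        by * read
"""

_LEVELS = "none|disclose|auth|compare|search|read|write|manage"


def parse_smb_global(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines of an smb.conf into a dict keyed by lower-cased option name."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip().lower()] = value.strip()
    return opts


def _parse_by(clause: str) -> Tuple[str, str]:
    """Split one '<who> <level>' clause; unknown shapes keep the raw text with level '?'."""
    m = re.match(rf"(.+?)\s+({_LEVELS})\s*$", clause.strip())
    return (m.group(1), m.group(2)) if m else (clause.strip(), "?")


def parse_slapd_acls(text: str) -> List[dict]:
    """Return the 'access to' clauses in file order as {'to': target, 'by': [(who, level), ...]}."""
    acls: List[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"access\s+to\b", line):
            parts = re.split(r"\s+by\s+", line)  # 'by' clauses may share the line
            target = re.sub(r"^access\s+to\s+", "", parts[0]).strip()
            current = {"to": target, "by": [_parse_by(p) for p in parts[1:]]}
            acls.append(current)
        elif line.startswith("by ") and current is not None:
            current["by"].append(_parse_by(line[3:]))
    return acls


def _attrs_of(target: str) -> Optional[Set[str]]:
    """Attribute names of an 'attrs=' target (lower-cased); None for '*' or dn-based targets."""
    m = re.match(r"attrs=(\S+)", target)
    return {a.lower() for a in m.group(1).split(",")} if m else None


def find_shadowed(acls: List[dict]) -> Dict[int, Set[str]]:
    """Map clause index -> attributes an earlier clause already decides ('*' = everything).

    slapd stops at the first 'access to' whose target matches, so a later clause is dead
    for those attributes.  Simplified model: attrs-only and '*' targets only.
    """
    dead: Dict[int, Set[str]] = {}
    covered: Set[str] = set()
    star_seen = False
    for i, acl in enumerate(acls):
        target = acl["to"].strip()
        attrs = _attrs_of(target)
        if star_seen:
            dead[i] = {"*"}
        elif attrs is not None:
            overlap = attrs & covered
            if overlap:
                dead[i] = overlap
            covered |= attrs
        if target == "*":
            star_seen = True
    return dead


def _norm_dn(dn: Optional[str]) -> str:
    return re.sub(r"\s*,\s*", ",", (dn or "").strip().strip('"')).lower()


def classify_admin_dn(smb_opts: Dict[str, str], slapd_text: str, acls: List[dict]) -> str:
    """'rootdn': Samba binds as the slapd rootdn, which is exempt from every ACL;
    'named': the admin dn appears in some 'by dn=' clause; 'unnamed': no ACL mentions it."""
    admin = _norm_dn(smb_opts.get("ldap admin dn"))
    m = re.search(r'^rootdn\s+"?([^"\n]+?)"?\s*$', slapd_text, re.M)
    if m and _norm_dn(m.group(1)) == admin:
        return "rootdn"
    for acl in acls:
        for who, _level in acl["by"]:
            if who.startswith("dn=") and _norm_dn(who[3:]) == admin:
                return "named"
    return "unnamed"


def audit(smb_text: str, slapd_text: str) -> dict:
    """Run both checks and return the findings as plain data."""
    acls = parse_slapd_acls(slapd_text)
    return {
        "clauses": len(acls),
        "shadowed": find_shadowed(acls),
        "admin_dn": classify_admin_dn(parse_smb_global(smb_text), slapd_text, acls),
    }


if __name__ == "__main__":
    result = audit(SMB_CONF, SLAPD_CONF)
    for idx, attrs in sorted(result["shadowed"].items()):
        print(f"clause {idx} is dead for: {', '.join(sorted(attrs))}")
    print("ldap admin dn:", result["admin_dn"])
```

On the posted configs this reports clause 1 as dead for sambaNTPassword and sambaLMPassword (clause 0 already denies everyone but the two named DNs, so "by self write" never applies to the hashes), clause 3 as fully dead behind "access to *", and the admin dn as the rootdn. The last finding is the one to keep in view when reasoning about NT_STATUS_ACCESS_DENIED: a bind as rootdn is never refused by slapd's ACLs, so the ACL block is not where such a refusal would come from.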