[Samba-it] Creation of workstation account failed
Ros
nostradamus at libero.it
Thu May 4 10:46:01 MDT 2006
Hi everyone.
I installed samba+openldap on FreeBSD 6.0 and used smbldap-tools to add users and PCs. Everything runs smoothly as far as creating the LDAP tree and getting Samba to work: in other words, the various smbldap tools (for example smbldap-useradd) work perfectly. But when I go to join the domain (net rpc join -U root) it returns the following error:
Creation of workstation account failed
Unable to join domain STUDIO.
If I turn on logging (net rpc join -d 2 -U root), it says:
[2006/05/04 10:35:59, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine <IP> pipe \lsarpc fnum 0x7409 bind request returned ok.
[2006/05/04 10:35:59, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine <IP> pipe \NETLOGON fnum 0x740a bind request returned ok.
[2006/05/04 10:35:59, 3] libsmb/trusts_util.c:just_change_the_password(57)
just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
[2006/05/04 10:35:59, 1] utils/net_rpc.c:run_rpc_command(169)
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
Every time I try to join the domain, it tries to create a workstation account. I also tried creating it by hand (with smbldap-useradd -w server1; I tried both the NetBIOS name and the hostname) and it really is created without problems: "ldapsearch -x" confirms it is there, so it really does get added to the LDAP tree (even when I don't do it by hand). But when I attempt the join, the error remains.
I can't tell whether it is a misconfiguration of slapd.conf, of smb.conf, or a bad build of the sources (or both!).
Thanks to anyone who can give me a hand solving the problem.
My openldap configure line is:
env CPPFLAGS="-I/usr/local/BerkeleyDB.4.4/include " LDFLAGS="-L/usr/local/BerkeleyDB.4.4/lib" ./configure --enable-crypt --enable-ldap --enable-passwd --enable-lmpasswd --with-tls --with-threads
My smb.conf
[global]
workgroup = STUDIO
netbios name = server1
password server = *
server string = Primary Domain Controller
## security = DOMAIN
passdb backend = ldapsam:ldap://127.0.0.1/
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*UNIX*password* %n\n *Enter*new*UNIX*password:* %n\n *Authentication*tokens*updated*successfully*
passwd chat debug = Yes
syslog = 0
encrypt passwords = yes
log file = /var/log/samba/log.%m
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/smbldap-useradd -a %u
add machine script = /usr/sbin/smbldap-useradd -w %u
logon drive = W:
logon home = \\%L\%U\.profile
domain logons = Yes
os level = 65
preferred master = auto
domain master = Yes
local master = yes
ldap admin dn = cn=root,dc=retelocale,dc=it
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=retelocale,dc=it
ldap ssl = no
ldap delete dn = no
ldap user suffix = ou=People
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /sbin/nologin
winbind separator = +
winbind use default domain = Yes
winbind enum users = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum groups = yes
use spnego = no
admin users = root, Administrator
My slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/samba.schema
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
schemacheck on
database bdb
suffix "dc=retelocale,dc=it"
rootdn "cn=root,dc=retelocale,dc=it"
rootpw <PASSWORD>
#z7Dl9l3htRgikqAgCJ9RVF9qDqlRu8XH
directory /var/openldap-data
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index default sub
## allow the "ldap admin dn" access, but deny everyone else
access to attrs=SambaLMPassword,SambaNTPassword
by dn="cn=root,ou=People,dc=retelocale,dc=it" write
by dn="cn=smbldap-tools,dc=retelocale,dc=it" write
by * none
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
by dn="cn=smbldap-tools,dc=retelocale,dc=it" write
by self write
by anonymous auth
by * none
access to *
by * read
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
by dn="cn=smbldap-tools,dc=retelocale,dc=it" write
by dn="ou=domains,dc=retelocale,dc=it" write
by * read
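The thing a reviewer would want to check first in a post like this is whether the smb.conf and the slapd.conf actually agree with each other: which DN Samba binds as, whether that DN is the slapd rootdn (which bypasses every access directive), which DNs the ACLs name, and which access directives can ever be reached given that slapd stops at the first "access to" clause whose target matches. The script below is an added example, not code from the post or from the Samba/OpenLDAP projects. It embeds constructed, trimmed copies of the two configuration fragments above and runs those checks offline. It models only the target and "by" forms that appear in the post (attrs=..., *, dn="...", self, anonymous, users), which is a simplification of slapd's real evaluation, and the machine-account DN uid=server1$,ou=Computers,... is an assumption about how smbldap-tools names machine entries, used only to show what the "by self write" clause would grant. It does not diagnose the NT_STATUS_ACCESS_DENIED reported by net rpc join; it only reports how the two posted files fit together.

```python
"""Cross-check a Samba ldapsam smb.conf against the slapd.conf ACLs it depends on."""
import re

# Constructed, trimmed copies of the fragments in the post; only checked lines are kept.
SMB_CONF = """
[global]
    workgroup = STUDIO
    passdb backend = ldapsam:ldap://127.0.0.1/
    ldap admin dn = cn=root,dc=retelocale,dc=it
    ldap suffix = dc=retelocale,dc=it
    ldap machine suffix = ou=Computers
"""

SLAPD_CONF = """
suffix "dc=retelocale,dc=it"
rootdn "cn=root,dc=retelocale,dc=it"
access to attrs=SambaLMPassword,SambaNTPassword
    by dn="cn=root,ou=People,dc=retelocale,dc=it" write
    by dn="cn=smbldap-tools,dc=retelocale,dc=it" write
    by * none
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn="cn=smbldap-tools,dc=retelocale,dc=it" write
    by self write
    by anonymous auth
    by * none
access to *
    by * read
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
    by dn="cn=smbldap-tools,dc=retelocale,dc=it" write
    by * read
"""

# Assumed machine-account DN (smbldap-tools style uid=HOST$ under the machine suffix).
MACHINE_DN = "uid=server1$,ou=Computers,dc=retelocale,dc=it"


def norm_dn(dn):
    """Canonical DN for comparison: no quotes, no spaces after commas, lowercased."""
    return ",".join(p.strip() for p in dn.strip().strip('"').split(",")).lower()


def parse_smb_global(text):
    """[global] parameters of an smb.conf as a dict with lowercased, space-normalised keys."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, val = line.split("=", 1)
            params[" ".join(key.split()).lower()] = val.strip()
    return params


def parse_slapd(text):
    """rootdn plus ordered access directives: [{"target", "attrs" (set, None for '*'), "by": [(who, level)]}].
    Only 'attrs=...' and '*' targets are modelled."""
    rootdn, acls = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("rootdn"):
            rootdn = norm_dn(line[len("rootdn"):])
        elif line.startswith("access to"):
            target = line[len("access to"):].strip()
            attrs = None if target == "*" else {a.strip().lower() for a in target[len("attrs="):].split(",")}
            acls.append({"target": target, "attrs": attrs, "by": []})
        elif line.startswith("by ") and acls:
            who, level = re.match(r'by\s+(dn="[^"]*"|\S+)\s+(\S+)', line).groups()
            if who.startswith("dn="):
                who = "dn=" + norm_dn(who[3:])
            acls[-1]["by"].append((who, level))
    return rootdn, acls


def first_acl(acls, attr):
    """Index of the first directive whose target covers attr; slapd stops at the first match."""
    attr = attr.lower()
    return next((i for i, a in enumerate(acls) if a["attrs"] is None or attr in a["attrs"]), None)


def effective_access(acls, attr, bind_dn=None, entry_dn=None, rootdn=None):
    """Level slapd grants bind_dn (None = anonymous) on attr of entry_dn; rootdn bypasses ACLs."""
    if bind_dn is not None and rootdn is not None and norm_dn(bind_dn) == rootdn:
        return "write"          # the rootdn is never subject to access directives
    i = first_acl(acls, attr)
    if i is None:
        return "none"
    for who, level in acls[i]["by"]:
        if (who == "*"
                or (who == "anonymous" and bind_dn is None)
                or (who == "users" and bind_dn is not None)
                or (who == "self" and bind_dn and entry_dn and norm_dn(bind_dn) == norm_dn(entry_dn))
                or (who.startswith("dn=") and bind_dn is not None and who[3:] == norm_dn(bind_dn))):
            return level
    return "none"               # no matching 'by' clause: implicit 'by * none'


def check(smb_text, slapd_text):
    """Findings ('kind: detail') about how the smb.conf and the slapd.conf fit together."""
    smb = parse_smb_global(smb_text)
    rootdn, acls = parse_slapd(slapd_text)
    admin = norm_dn(smb["ldap admin dn"])
    rdn = lambda dn: dn.split(",", 1)[0]
    out = []
    if admin == rootdn:
        out.append(f"admin-dn-is-rootdn: {admin} is the slapd rootdn; ACLs are never consulted for Samba's own bind")
    for i, acl in enumerate(acls):                     # DNs that look like a misspelt admin DN
        for who, level in acl["by"]:
            dn = who[3:] if who.startswith("dn=") else None
            if dn and dn != admin and rdn(dn) == rdn(admin):
                out.append(f"acl-dn-near-miss: ACL #{i + 1} grants {level} to {dn}, same RDN as ldap admin dn {admin} but a different parent")
    star = next((i for i, a in enumerate(acls) if a["attrs"] is None), len(acls))
    for j in range(star + 1, len(acls)):               # nothing after 'access to *' is reachable
        out.append(f"unreachable-acl: ACL #{j + 1} ({acls[j]['target']}) follows 'access to *' (ACL #{star + 1}) and is never reached")
    for i in range(star):                              # attributes already claimed by an earlier directive
        for attr in sorted(acls[i]["attrs"]):
            k = first_acl(acls, attr)
            if k != i:
                out.append(f"shadowed-attr: ACL #{i + 1} names {attr}, but ACL #{k + 1} matches it first")
    return out


if __name__ == "__main__":
    for finding in check(SMB_CONF, SLAPD_CONF):
        print(finding)
    _, acls = parse_slapd(SLAPD_CONF)
    print("machine account writing its own sambaNTPassword:",
          effective_access(acls, "sambaNTPassword", MACHINE_DN, MACHINE_DN))
```

On the posted fragments the checker reports that the ldap admin dn is the rootdn (so the first ACL's cn=root,ou=People entry is a near-miss that never applies to Samba's bind), that the fourth access directive sits behind "access to * by * read" and is unreachable, and that the "by self write" on sambaNTPassword/sambaLMPassword in the second directive is shadowed by the first, which ends in "by * none". To confirm what the live directory does rather than what the file says, bind as the admin DN with ldapsearch (ldapsearch -x -D "cn=root,dc=retelocale,dc=it" -W -b "ou=Computers,dc=retelocale,dc=it" sambaNTPassword) and as the machine account itself, and compare the attributes each bind can see.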