[Samba-it] Problem joining a Samba domain member server to a Samba PDC

gianni mazzini maxione4 at yahoo.it
Sun Mar 16 08:46:38 MDT 2008


I am trying to join several Samba DMS (domain member servers) to a Debian stable (Etch) PDC running samba 3.0.24 with LDAP-based authentication.

The PDC has been working correctly for months: I have a few WinXP clients and a few users with roaming profiles on Windows, and both PAM and nss-ldap are configured, because getent passwd gives me the right results and I can log in on Linux clients with non-local users.

The problems arise when joining DMS running various Samba versions, even a 3.0.24 (the same as the server): in that case I solved it by following the instructions found at the following address: http://lists.xsec.it/pipermail/samba-it/2007-August/007166.html

However, the same trick does not work with a DMS running samba 3.0.28 (Debian Lenny testing), nor with Ubuntu 7.10 (samba 3.0.25).

For now I am only considering samba 3.0.28 on Debian Lenny (testing):
the PDC is 192.168.123.100 and the DMS is 192.168.123.224 (netbios name virtual-gdm)
here is the DMS configuration:
#======================= Global Settings =======================

[global]

   workgroup = ENIGMA
   server string = %h
   wins server = 192.168.123.100
   dns proxy = no
   name resolve order = wins host bcast

   ldap admin dn = cn=admin,dc=ENIGMA
   ldap suffix = dc=ENIGMA
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   ldap passwd sync = Yes

   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

####### Authentication #######
   security = domain
   encrypt passwords = true
   passdb backend = tdbsam           <------- Not sure whether to comment this out, but on samba 3.0.24 it causes no problems
   obey pam restrictions = yes
;   guest account = nobody
   invalid users = root

   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
   socket options = TCP_NODELAY
--------------------------------------------------------------------------------------------------------

The join attempt:

virtual-gdm:~# net rpc join -Uroot
Password:
Creation of workstation account failed
Unable to join domain ENIGMA.

*****************************************

log.192.168.123.224

[2008/03/16 15:07:19, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.123.224)
[2008/03/16 15:07:19, 2] lib/smbldap.c:smbldap_open_connection(788)
  smbldap_open_connection: connection opened
[2008/03/16 15:07:19, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2008/03/16 15:07:19, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.123.224)
[2008/03/16 15:07:19, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
[2008/03/16 15:07:19, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
  get_md4pw: Workstation VIRTUAL-GDM$: no account in domain
[2008/03/16 15:07:19, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
  _net_auth2: failed to get machine password for account VIRTUAL-GDM$: NT_STATUS_ACCESS_DENIED
[2008/03/16 15:07:21, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.123.224)

*****************************************

log.virtual-gdm

[2008/03/16 15:07:21, 2] lib/smbldap.c:smbldap_open_connection(788)
  smbldap_open_connection: connection opened
[2008/03/16 15:07:21, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
  init_sam_from_ldap: Entry found for user: root
[2008/03/16 15:07:21, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2008/03/16 15:07:21, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 512
[2008/03/16 15:07:21, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [root] -> [root] -> [root] succeeded
[2008/03/16 15:07:21, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.123.224)
[2008/03/16 15:07:21, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

This is what I get using the trick of creating the machine account manually.
On the PDC:
Etch-Loft:~# smbldap-useradd -w virtual-gdm 
Cannot confirm uidNumber 1050 is free: checking for the next one

the slapcat command returns:

dn: uid=virtual-gdm$,ou=Computers,dc=Enigma
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
cn: virtual-gdm$
sn: virtual-gdm$
uid: virtual-gdm$
uidNumber: 1050
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
structuralObjectClass: inetOrgPerson
entryUUID: e9b720f4-87ae-102c-8c19-2fc384f3bddf
creatorsName: cn=syncuser,dc=ENIGMA
createTimestamp: 20080316141336Z
entryCSN: 20080316141336Z#000002#00#000000
modifiersName: cn=syncuser,dc=ENIGMA
modifyTimestamp: 20080316141336Z

On the client:
virtual-gdm:~# net rpc password virtual-gdm$ virtual-gdm -Uroot -SnomedelPDC
Password:
virtual-gdm:~# net rpc oldjoin
Failed to join domain
virtual-gdm:~# 

*****************************************

less log.192.168.123.224
[2008/03/16 15:16:25, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.123.224)
[2008/03/16 15:16:25, 2] lib/smbldap.c:smbldap_open_connection(788)
  smbldap_open_connection: connection opened
[2008/03/16 15:16:25, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2008/03/16 15:16:25, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.123.224)
[2008/03/16 15:16:25, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
[2008/03/16 15:16:25, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.123.224)
[2008/03/16 15:16:25, 2] lib/smbldap.c:smbldap_open_connection(788)
  smbldap_open_connection: connection opened
[2008/03/16 15:16:25, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2008/03/16 15:16:25, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.123.224)
[2008/03/16 15:16:25, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
[2008/03/16 15:16:25, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.123.224)
[2008/03/16 15:16:25, 2] lib/smbldap.c:smbldap_open_connection(788)
  smbldap_open_connection: connection opened
[2008/03/16 15:16:25, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2008/03/16 15:16:25, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.123.224)
[2008/03/16 15:16:25, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
[2008/03/16 15:16:25, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.123.224)
[2008/03/16 15:16:25, 2] lib/smbldap.c:smbldap_open_connection(788)
  smbldap_open_connection: connection opened
[2008/03/16 15:16:25, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2008/03/16 15:16:25, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.123.224)
[2008/03/16 15:16:25, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
[2008/03/16 15:16:39, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.123.224)
[2008/03/16 15:16:44, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.123.224)
[2008/03/16 15:16:44, 2] lib/smbldap.c:smbldap_open_connection(788)
  smbldap_open_connection: connection opened
[2008/03/16 15:16:44, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2008/03/16 15:16:44, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.123.224)
[2008/03/16 15:16:44, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
[2008/03/16 15:16:44, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
  get_md4pw: Workstation VIRTUAL-GDM$: no account in domain
[2008/03/16 15:16:44, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
  _net_auth2: failed to get machine password for account VIRTUAL-GDM$: NT_STATUS_ACCESS_DENIED

*****************************************

less log.virtual-gdm

[2008/03/16 15:16:39, 2] lib/smbldap.c:smbldap_open_connection(788)
  smbldap_open_connection: connection opened
[2008/03/16 15:16:39, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
  init_sam_from_ldap: Entry found for user: root
[2008/03/16 15:16:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2008/03/16 15:16:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 512
[2008/03/16 15:16:39, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [root] -> [root] -> [root] succeeded
[2008/03/16 15:16:39, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.123.224)
[2008/03/16 15:16:39, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root

What can I do?
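An added example, not part of the original post: a small check that parses slapcat/LDIF output and reports machine-account entries that lack the Samba object class and attributes. It assumes (this is not stated on the page) that Samba's ldapsam backend looks accounts up with a filter of the form (&(uid=NAME$)(objectClass=sambaSamAccount)), so an entry that carries only POSIX classes, like the virtual-gdm$ entry shown above, is visible to getent/nss-ldap but not to smbd.

```python
# Constructed sample (not real directory data): the first entry mirrors the
# slapcat output in the post, the second shows the Samba class and attributes.
SAMPLE_LDIF = """\
dn: uid=virtual-gdm$,ou=Computers,dc=Enigma
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uid: virtual-gdm$

dn: uid=ok-host$,ou=Computers,dc=Enigma
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ok-host$
sambaSID: S-1-5-21-1-2-3-2102
sambaAcctFlags: [W          ]
"""


def parse_ldif(text):
    # Minimal LDIF parser -> [{lowercased attr: [values]}]; joins continuation
    # lines (leading space), skips comments; base64 (::) values are not decoded
    entries, cur, lines = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line:
            if cur:
                entries.append(cur)
                cur = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            cur.setdefault(name.lower(), []).append(value.strip())
    return entries


def machine_account_problems(text):
    # Return {uid: [problems]} for entries whose uid ends in '$' (machines)
    report = {}
    for entry in parse_ldif(text):
        uid = entry.get("uid", [""])[0]
        if not uid.endswith("$"):
            continue
        classes = {c.lower() for c in entry.get("objectclass", [])}
        problems = []
        if "sambasamaccount" not in classes:
            problems.append("missing objectClass sambaSamAccount")
        problems += ["missing " + a for a in ("sambaSID", "sambaAcctFlags")
                     if a.lower() not in entry]
        report[uid] = problems
    return report
```

Run it against `slapcat` output on the PDC to see which computer entries smbd can actually match before retrying the join.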






