[Samba-it] Problem joining a Samba domain member server to a Samba PDC
gianni mazzini
maxione4 at yahoo.it
Sun Mar 16 08:46:38 MDT 2008
I am trying to join several Samba DMS (domain member servers) to a Debian stable (Etch) PDC running samba 3.0.24 with LDAP-based authentication.
The PDC has been working correctly for months; I have a few WinXP clients and a few users with roaming profiles on Windows. Both PAM and nss-ldap are configured, because getent passwd gives me the right results and I can log in on Linux clients with non-local users.
The problems arise when joining DMSs running various Samba versions, even a 3.0.24 (the same as the server's): in that case I solved it by following the instructions found at the following address: http://lists.xsec.it/pipermail/samba-it/2007-August/007166.html
But the same trick does not work with a DMS running samba 3.0.28 (Debian Lenny testing), nor with Ubuntu 7.10 (samba 3.0.25).
For now I am only considering samba 3.0.28 on Debian Lenny (testing):
the PDC is 192.168.123.100 and the DMS is 192.168.123.224 (NetBIOS name virtual-gdm)
here is the DMS configuration:
#======================= Global Settings =======================
[global]
workgroup = ENIGMA
server string = %h
wins server = 192.168.123.100
dns proxy = no
name resolve order = wins host bcast
ldap admin dn = cn=admin,dc=ENIGMA
ldap suffix = dc=ENIGMA
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap passwd sync = Yes
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
security = domain
encrypt passwords = true
passdb backend = tdbsam <------- Not sure whether to comment this out here, but on samba 3.0.24 it causes no problems
obey pam restrictions = yes
; guest account = nobody
invalid users = root
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
socket options = TCP_NODELAY
--------------------------------------------------------------------------------------------------------
The join attempt:
virtual-gdm:~# net rpc join -Uroot
Password:
Creation of workstation account failed
Unable to join domain ENIGMA.
*****************************************
log.192.168.123.224
[2008/03/16 15:07:19, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.123.224)
[2008/03/16 15:07:19, 2] lib/smbldap.c:smbldap_open_connection(788)
smbldap_open_connection: connection opened
[2008/03/16 15:07:19, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 513
[2008/03/16 15:07:19, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.123.224)
[2008/03/16 15:07:19, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving IPC$ as a Dfs root
[2008/03/16 15:07:19, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
get_md4pw: Workstation VIRTUAL-GDM$: no account in domain
[2008/03/16 15:07:19, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
_net_auth2: failed to get machine password for account VIRTUAL-GDM$: NT_STATUS_ACCESS_DENIED
[2008/03/16 15:07:21, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.123.224)
*****************************************
log.virtual-gdm
[2008/03/16 15:07:21, 2] lib/smbldap.c:smbldap_open_connection(788)
smbldap_open_connection: connection opened
[2008/03/16 15:07:21, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
init_sam_from_ldap: Entry found for user: root
[2008/03/16 15:07:21, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 513
[2008/03/16 15:07:21, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 512
[2008/03/16 15:07:21, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2008/03/16 15:07:21, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.123.224)
[2008/03/16 15:07:21, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving IPC$ as a Dfs root
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This is what I get using the manual machine-account creation trick
On the PDC:
Etch-Loft:~# smbldap-useradd -w virtual-gdm
Cannot confirm uidNumber 1050 is free: checking for the next one
the slapcat command returns:
dn: uid=virtual-gdm$,ou=Computers,dc=Enigma
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
cn: virtual-gdm$
sn: virtual-gdm$
uid: virtual-gdm$
uidNumber: 1050
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
structuralObjectClass: inetOrgPerson
entryUUID: e9b720f4-87ae-102c-8c19-2fc384f3bddf
creatorsName: cn=syncuser,dc=ENIGMA
createTimestamp: 20080316141336Z
entryCSN: 20080316141336Z#000002#00#000000
modifiersName: cn=syncuser,dc=ENIGMA
modifyTimestamp: 20080316141336Z
On the client:
virtual-gdm:~# net rpc password virtual-gdm$ virtual-gdm -Uroot -SnomedelPDC
Password:
virtual-gdm:~# net rpc oldjoin
Failed to join domain
virtual-gdm:~#
*****************************************
less log.192.168.123.224
[2008/03/16 15:16:25, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.123.224)
[2008/03/16 15:16:25, 2] lib/smbldap.c:smbldap_open_connection(788)
smbldap_open_connection: connection opened
[2008/03/16 15:16:25, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 513
[2008/03/16 15:16:25, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.123.224)
[2008/03/16 15:16:25, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving IPC$ as a Dfs root
[2008/03/16 15:16:25, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.123.224)
[2008/03/16 15:16:25, 2] lib/smbldap.c:smbldap_open_connection(788)
smbldap_open_connection: connection opened
[2008/03/16 15:16:25, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 513
[2008/03/16 15:16:25, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.123.224)
[2008/03/16 15:16:25, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving IPC$ as a Dfs root
[2008/03/16 15:16:25, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.123.224)
[2008/03/16 15:16:25, 2] lib/smbldap.c:smbldap_open_connection(788)
smbldap_open_connection: connection opened
[2008/03/16 15:16:25, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 513
[2008/03/16 15:16:25, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.123.224)
[2008/03/16 15:16:25, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving IPC$ as a Dfs root
[2008/03/16 15:16:25, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.123.224)
[2008/03/16 15:16:25, 2] lib/smbldap.c:smbldap_open_connection(788)
smbldap_open_connection: connection opened
[2008/03/16 15:16:25, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 513
[2008/03/16 15:16:25, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.123.224)
[2008/03/16 15:16:25, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving IPC$ as a Dfs root
[2008/03/16 15:16:39, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.123.224)
[2008/03/16 15:16:44, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.123.224)
[2008/03/16 15:16:44, 2] lib/smbldap.c:smbldap_open_connection(788)
smbldap_open_connection: connection opened
[2008/03/16 15:16:44, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 513
[2008/03/16 15:16:44, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.123.224)
[2008/03/16 15:16:44, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving IPC$ as a Dfs root
[2008/03/16 15:16:44, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
get_md4pw: Workstation VIRTUAL-GDM$: no account in domain
[2008/03/16 15:16:44, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
_net_auth2: failed to get machine password for account VIRTUAL-GDM$: NT_STATUS_ACCESS_DENIED
*****************************************
less log.virtual-gdm
[2008/03/16 15:16:39, 2] lib/smbldap.c:smbldap_open_connection(788)
smbldap_open_connection: connection opened
[2008/03/16 15:16:39, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
init_sam_from_ldap: Entry found for user: root
[2008/03/16 15:16:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 513
[2008/03/16 15:16:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 512
[2008/03/16 15:16:39, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2008/03/16 15:16:39, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.123.224)
[2008/03/16 15:16:39, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving IPC$ as a Dfs root
What can I do?
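Added example, not code from the post or from the Samba project: a small Python diagnostic that parses smbd log excerpts in the format shown above, pulls out the netlogon machine-password failures, and checks the matching LDAP entry for the objectClass that Samba's ldapsam backend filters on by default (its account filter is `(&(uid=%u)(objectclass=sambaSamAccount))`, so an entry without that class is invisible to the PDC's passdb even when getent sees it via posixAccount). The sample log and LDIF are constructed from the excerpts in the post; `REQUIRED_CLASSES`, `diagnose` and the other names are my own.

```python
"""Parse Samba 3 smbd log excerpts, extract netlogon machine-account failures,
and check the corresponding LDAP entry for the objectClass ldapsam looks up."""
import re
from dataclasses import dataclass

# Samba 3 log header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+):(\w+)\((\d+)\)$"
)
MACHINE_FAIL = re.compile(
    r"failed to get machine password for account (\S+\$): (NT_STATUS_\w+)"
)
# ldapsam's default filter is (&(uid=%u)(objectclass=sambaSamAccount));
# an entry lacking this class is not an account from the PDC's point of view.
REQUIRED_CLASSES = {"sambaSamAccount"}  # assumption: plain Samba 3 ldapsam setup


@dataclass
class LogEvent:
    timestamp: str
    level: int
    source: str
    function: str
    message: str = ""


def parse_samba_log(text: str) -> list[LogEvent]:
    """Group each header line with the indented message lines that follow it."""
    events: list[LogEvent] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = LogEvent(m.group(1), int(m.group(2)), m.group(3), m.group(4))
            events.append(current)
        elif current is not None:
            current.message = f"{current.message} {line}".strip()
    return events


def machine_account_failures(events: list[LogEvent]) -> list[tuple[str, str, str]]:
    """(timestamp, account, NT status) for each failed machine-password lookup."""
    found = []
    for e in events:
        m = MACHINE_FAIL.search(e.message)
        if m:
            found.append((e.timestamp, m.group(1), m.group(2)))
    return found


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: 'attr: value' lines, blank line separates entries."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def diagnose(log_text: str, ldif_text: str) -> dict[str, dict]:
    """For each failing machine account, report whether LDAP holds the entry
    (matched on uid, case-insensitively, since the PDC logs it upper-cased)
    and which required objectClasses it lacks."""
    entries = parse_ldif(ldif_text)
    report = {}
    for _, account, status in machine_account_failures(parse_samba_log(log_text)):
        entry = next(
            (e for e in entries
             if any(u.lower() == account.lower() for u in e.get("uid", []))),
            None,
        )
        present = set(entry.get("objectClass", [])) if entry else set()
        report[account] = {
            "status": status,
            "ldap_entry_found": entry is not None,
            "missing_object_classes": sorted(REQUIRED_CLASSES - present),
        }
    return report


# Constructed sample, modelled on the log and slapcat excerpts in the post.
SAMPLE_LOG = """\
[2008/03/16 15:16:44, 2] lib/access.c:check_access(323)
  Allowed connection from (192.168.123.224)
[2008/03/16 15:16:44, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
[2008/03/16 15:16:44, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
  get_md4pw: Workstation VIRTUAL-GDM$: no account in domain
[2008/03/16 15:16:44, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
  _net_auth2: failed to get machine password for account VIRTUAL-GDM$: NT_STATUS_ACCESS_DENIED
"""

SAMPLE_LDIF = """\
dn: uid=virtual-gdm$,ou=Computers,dc=Enigma
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: virtual-gdm$
uidNumber: 1050
gidNumber: 515
"""

if __name__ == "__main__":
    for account, info in diagnose(SAMPLE_LOG, SAMPLE_LDIF).items():
        print(account, info)
```

Run against the two log files on the PDC and a `slapcat` dump, the report distinguishes "no entry at all" from "entry exists but the passdb cannot see it", which are the two different fixes behind the same `NT_STATUS_ACCESS_DENIED` line.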