LDAP-SAM and Samba 2.2
Erik Persson
erik at roxen.com
Mon Dec 3 10:05:15 GMT 2001
On Sat, 1 Dec 2001, Erik Persson wrote:
> On Fri, 30 Nov 2001, David Highley wrote:
>
> > "Erik Persson wrote:"
> > >
> > > Hi!
> > >
> > > I am experimenting with the PDC features of Samba 2.2 with the LDAP SAM
> > > backend. This is going fairly well, except any attempt to join the domain
> > > fails due to some confusion within smbd concerning what the RID for the
> > > workstation account should be.
> >
> > There was a posting in the last couple of days that indicated that
> > cvs patches were needed to get Samba 2.2.2 to operate with LDAP.
Now I'm starting to get desperate. If there is anybody out there who has
any clue on what might be wrong, please let me know.
So now I have fetched the SAMBA_2_2 branch from cvs (the LDAP parts in 3.0
won't compile) and still have no luck getting a client to join the domain.
As far as I can see, this happens:
* Client requests to join domain and supplies root login and password
* Samba creates initial machine account data with my script. The script
creates an account with basic sambaAccount, posixAccount and
shadowAccount properties so that the user is also instantly created in the
Unix context.
* Samba adds lmPassword, ntPassword, rid, primaryGroupID and more in LDAP.
rid and primaryGroupID values seem to be correctly calculated
(15000/15001 for a uidNumber/gidNumber of 7000/7000).
* By now, I cannot make out anything definitive from the log (debuglevel
3), but the client thinks at last that it has joined the domain.
Observations:
* The lmPassword and ntPassword LDAP attributes contain suspicious data
after the join operation. If the initial passwords for "roadrunner$" were
DC12FFA682C3844D2E87078C29EC8618:63911FAC3D75FECB66C48A17A30C5F9D, samba
changes them to
0029170800000000002E1E388B7B9D9B:0000000100000002002DF49000000000 during
the join operation. What's with all the zeroes?
* If I don't set acctFlags within the "add user script" script to
[W ], samba will set acctFlags to [DW ]. Is this a good
thing or a bad thing?
* I use PADL nss_ldap and pam_ldap to import LDAP users and groups to the
operating system. The operating system in question is Solaris 8.
Questions:
* How is the password generated that is used to generate the final lm/nt
hashes for the machine account? Where in the Samba code does this
happen?
* What value for "debug level" should I use to get information that might
lead me to a solution?
Any thoughts will be greatly appreciated,
/Erik
--
Erik Persson, System Manager <erik at roxen.com>
Roxen Internet Software Voice: +46 13 376817
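An added example, not part of the post above and not Samba's own code: a minimal "add user script" style helper that emits the LDIF for a Samba 2.2 workstation account with the posixAccount, shadowAccount and sambaAccount attributes the post describes, with acctFlags preset to the workstation flag so smbd does not mark the account disabled. Assumptions: the base DN is a placeholder, the flag field is the 13-character bracketed form, and the RID mapping (uid*2+1000 for the account, gid*2+1001 for the primary group) is the one the post's 7000/7000 to 15000/15001 values correspond to.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): build the LDIF
# for a Samba 2.2 machine account in an LDAP SAM.
# Assumed base DN; adjust to the directory in use.
BASE_DN="${BASE_DN:-ou=Computers,dc=example,dc=com}"

# RID mapping assumed from the post's numbers: uid 7000 -> rid 15000,
# gid 7000 -> primaryGroupID 15001.
uid_to_rid()       { echo $(( $1 * 2 + 1000 )); }
gid_to_group_rid() { echo $(( $1 * 2 + 1001 )); }

# machine_account_ldif NAME UIDNUMBER GIDNUMBER
# NAME is the workstation name without the trailing '$'; the account name
# gets the '$' appended and is lowercased, like "roadrunner$" in the post.
machine_account_ldif() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    uidn=$2
    gidn=$3
    acct="${name}\$"
    cat <<EOF
dn: uid=${acct},${BASE_DN}
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaAccount
uid: ${acct}
cn: ${acct}
uidNumber: ${uidn}
gidNumber: ${gidn}
homeDirectory: /dev/null
loginShell: /bin/false
rid: $(uid_to_rid "$uidn")
primaryGroupID: $(gid_to_group_rid "$gidn")
acctFlags: [W          ]
EOF
}

# Usage from an "add user script" (assumed bind DN, constructed values):
#   machine_account_ldif roadrunner 7000 7000 | ldapadd -x -D "cn=admin,dc=example,dc=com" -W
```

The script only emits the entry; the join itself still lets smbd fill in lmPassword, ntPassword and the remaining sambaAccount attributes afterwards.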