[Samba] [Fwd: ldap + pdc + adding win2k clients...again(sigh)...argh]
IOhannes zmoelnig
zmoelnig at iem.at
Mon Jun 10 02:28:02 GMT 2002
Hi!
I have a problem with ldap+pdc too, and since no one answered Ingo's
request, I will try again.
This is my setting:
I want to maintain a central authentication for my small but mixed
(Debian/Linux vs. W2K) network.
I am using Debian samba-2.2.3a; compiled it with ldapsam enabled.
I am using openldap2-2.0.23; compiled it with TLS enabled.
Simple file sharing works (at least, none of my users complained).
This is my problem:
Whenever I try to join a machine I get the error "Der angegebene
Benutzer existiert nicht" (meaning: "the specified user does not exist").
It took me years to understand that the "user" is actually the machine
I want to join.
Now this is how I tried to track the problem.
My configuration:
slapd.conf:
----{
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
TLSCertificateFile /etc/ldap/server.pem
TLSCertificateKeyFile /etc/ldap/server.pem
TLSCACertificateFile /etc/ldap/server.pem
schemacheck on
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
replogfile /var/lib/ldap/replog
loglevel 256
database ldbm
suffix "dc=iemnet"
directory "/var/lib/ldap"
lastmod on
rootdn "uid=Manager,ou=Administration,dc=iemnet"
rootpw xyz
index primaryGroupID eq
index rid eq
index uid eq
index uidNumber eq
index gidNumber eq
index cn pres,sub,eq
index objectClass eq
index default sub
access to attribute=userPassword attribute=lmPassword attribute=ntPassword
by dn="cn=admin,dc=iemnet" write
by dn="uid=Manager,ou=Administration,dc=iemnet" write
by anonymous auth
by self write
by * none
access to *
by dn="cn=admin,dc=iemnet" write
by dn="uid=Manager,ou=Administration,dc=iemnet" write
by * read
}-----
The [global] section of my smb.conf:
----{
[global]
netbios name = iemusers
printing = cups
printcap name = cups
load printers = yes
# guest account = nobody
# invalid users = root
security = user
workgroup = IEM
server string = %h (Samba %v)
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
encrypt passwords = true
wins support = yes
os level = 100
domain master = yes
local master = yes
preferred master = yes
domain logons = yes
logon path = \\%N\%U\.ntprofile
logon home = \\%N\%U\.ntprofile
logon drive = M:
logon script = logon.bat
domain admin group = @smbadm Manager
name resolve order = lmhosts host wins bcast
dns proxy = no
preserve case = yes
short preserve case = yes
unix password sync = true
passwd program = /usr/bin/passwd %u
passwd chat = *New\spassword:* %n\n *Re-enter\snew\spassword:* %n\n .
max log size = 1000
log level = 10
syslog only = no
syslog = 0;
ldap server = ldap.iemnet
ldap suffix = dc=iemnet
ldap admin dn = "uid=Manager,ou=Administration,dc=iemnet"
# ldap ssl = yes
# ldap port = 636
ldap ssl = no
ldap port = 389
}----
BTW: there is no difference whether I use "ldap ssl = yes" or "no".
I have set the password "xyz" with "smbpasswd -w xyz", and it says that
it is stored in secrets.tdb.
I have a Manager account with "uid: root" to join the W2K machines.
This is in fact the same account as mentioned in slapd.conf and smb.conf
(I believe that these need not be the same???).
manager.ldif
----{
dn: uid=Manager,ou=Administration,dc=iemnet
objectClass: posixAccount
objectClass: sambaAccount
loginShell: /bin/sh
homeDirectory: /tmp
pwdLastSet: 1023376082
logonTime: 0
logoffTime: 0
kickoffTime: 0
pwdCanChange: 0
pwdMustChange: 0
displayName: Manager
rid: 500
primaryGroupID: 1001
acctFlags: [UX ]
cn: Manager
ntPassword: .......
lmPassword: .......
userPassword: {crypt}....
uidNumber: 0
gidNumber: 0
uid: root
}
Note that the effective uid is "root" while the headline says
"uid=Manager".
I have set the password of the Manager account (root) to "xyz" (the same
as set with "smbpasswd -w" and that is given in the slapd.conf) with
"passwd" (I use pam_smbpass.so to sync unix and NT hashes; works perfectly).
I can log into the Linux machine that is running the Samba server (and
which imports the LDAP users) with "root" "xyz" as well as with "root"
"{localrootpasswd}". I think this is a security hole but I have not
found a way to avoid this (setting the Manager's login shell to
/bin/false does not work), but I think this is a PAM thing (and it
doesn't matter right now anyhow).
I can add entries to the LDAP tree with "ldapadd -x -D
"uid=Manager,ou=Administration,dc=iemnet" -w xyz -f template.ldif",
so I have all rights to write and read (I can also search the whole tree).
I cannot do this as a normal (unauthorized) user.
My LDAP entry for a sample W2K client is:
xenakis.ldif
---{
dn: uid=xenakis$,ou=Windows,ou=Hosts,dc=iemnet
objectClass: sambaAccount
objectClass: posixAccount
objectClass: ipHost
uidNumber: 20106
ipHostNumber: 192.168.7.106
gidNumber: 20000
homeDirectory: /tmp
loginShell: /bin/false
uid: xenakis$
pwdLastSet: 1023464353
logonTime: 0
logoffTime: 0
kickoffTime: 0
pwdCanChange: 0
pwdMustChange: 0
displayName: xenakis$
cn: xenakis$
rid: 20106
primaryGroupID: 3003
lmPassword: 71B669514F2A1F3AAAD3B435B51404EE
ntPassword: EAF65F7EC7EDFDBD2C2C59A951A459FD
acctFlags: [UW ]
}---
Now, the error I get when joining the W2K client appears every time I
successfully authenticate any(!) user.
I get the same error for my normal account "zmoelnig" "geheim" and for
"root" "xyz". So I guessed that the ACLs in the slapd.conf are somehow
wrong, but then I think not, since I can add LDAP entries from the
Linux console.
If a matching posix account (xenakis$) exists in the /etc/passwd on the
Samba server, and I create the Samba machine account with "smbpasswd -a
-m XENAKIS", I CAN join the domain (a sambaAccount entry is created in
the LDAP directory), but only sometimes!! (this seems to be not very
stable). But I do not want to do this; I want my W2K clients to be
stored in the LDAP tree.
Hope some of you can point me in the right direction.
mfg.ca.ser
IOhannes
PS: I had some logfiles (syslog at the LDAP server, log.nmbd at the Samba server,
log.smbd at the Samba server) attached, but I think my message was rejected,
so I leave them out now.
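Added example (my own script, not part of the post and not Samba's or OpenLDAP's code): before suspecting the slapd ACLs, it is worth checking the two posted LDIF entries against what Samba 2.2's ldapsam actually keys on. The script below parses a constructed inline copy of the Manager and xenakis$ entries (the Manager entry keeps the post's "......." placeholders) and reports four observations: the DN's RDN vs. the uid attribute (ldapsam searches by the uid attribute, so an entry named uid=Manager with "uid: root" is found as "root"), sambaAccount objectClass and the W flag for a trailing-$ account, whether the LM hash's second half is the fixed empty-half constant (which means the password is at most 7 characters; the initial machine password on join is the lowercase NetBIOS name, and "xenakis" is 7 characters, so that is expected here), and whether rid matches the algorithmic uid-to-RID mapping Samba 2.2 uses (rid = uid * 2 + 1000; treat that mapping as an assumption about the default build). Finding codes and helper names are mine.

```python
"""Consistency checks for Samba 2.2 ldapsam entries (added example, not from the post)."""
from collections import defaultdict

# Constructed sample input: the two entries from the post, reduced to the
# attributes the checks look at. Placeholders are kept as posted.
SAMPLE_LDIF = """\
dn: uid=Manager,ou=Administration,dc=iemnet
objectClass: posixAccount
objectClass: sambaAccount
uid: root
uidNumber: 0
gidNumber: 0
rid: 500
primaryGroupID: 1001
acctFlags: [UX ]
lmPassword: .......
ntPassword: .......

dn: uid=xenakis$,ou=Windows,ou=Hosts,dc=iemnet
objectClass: sambaAccount
objectClass: posixAccount
objectClass: ipHost
uid: xenakis$
uidNumber: 20106
gidNumber: 20000
rid: 20106
primaryGroupID: 3003
lmPassword: 71B669514F2A1F3AAAD3B435B51404EE
ntPassword: EAF65F7EC7EDFDBD2C2C59A951A459FD
acctFlags: [UW ]
"""

# LM hash of an empty (all-zero) 7-byte half. It is a fixed constant, so any
# LM hash whose second half equals it belongs to a password of <= 7 characters.
EMPTY_LM_HALF = "AAD3B435B51404EE"


def uid_to_user_rid(uid):
    # Assumption: Samba 2.2's default algorithmic mapping (RID_MULTIPLIER = 2).
    return uid * 2 + 1000


def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines, leading-space continuation
    lines, blank line between entries. No base64 ('::') or changetype support."""
    entries, cur, prev = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            if cur is not None:
                entries.append(cur)
            cur, prev = None, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and cur is not None and prev is not None:
            cur[prev][-1] += raw[1:]          # continuation of previous value
            continue
        attr, _, value = raw.partition(":")
        if cur is None:
            cur = defaultdict(list)
        attr = attr.strip().lower()
        cur[attr].append(value.strip())
        prev = attr
    if cur is not None:
        entries.append(cur)
    return entries


def check_samba_account(e):
    """Return a list of finding codes (my own names) for one parsed entry."""
    findings = []
    dn = e.get("dn", [""])[0]
    uids = e.get("uid", [])
    rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
    # ldapsam looks accounts up by the uid attribute, not by the DN.
    if rdn_attr.strip().lower() == "uid" and rdn_val.strip() not in uids:
        findings.append("rdn-mismatch")
    classes = {c.lower() for c in e.get("objectclass", [])}
    if "sambaaccount" not in classes:
        findings.append("no-sambaaccount")
    flags = e.get("acctflags", ["[ ]"])[0]
    machine = any(u.endswith("$") for u in uids)
    if machine and "W" not in flags:
        findings.append("machine-without-W")
    if not machine and "W" in flags:
        findings.append("W-on-user")
    lm = e.get("lmpassword", [""])[0].upper()
    if len(lm) == 32 and lm[16:] == EMPTY_LM_HALF:
        findings.append("lm-password-7-chars-or-less")
    try:
        uid_num = int(e.get("uidnumber", [""])[0])
        rid = int(e.get("rid", [""])[0])
        if rid != uid_to_user_rid(uid_num):
            findings.append("rid-not-algorithmic")
    except ValueError:
        findings.append("rid-or-uidnumber-missing")
    return findings


def check_ldif(text):
    """Map each entry's DN to its findings."""
    return {e["dn"][0]: check_samba_account(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, found in check_ldif(SAMPLE_LDIF).items():
        print(dn, "->", ", ".join(found) or "ok")
```

Run it as-is to see the findings for the posted entries, or point check_ldif at the output of "ldapsearch -x -LLL" for the real tree. The findings are observations, not a diagnosis: the rid mismatch in particular only matters if the build relies on the algorithmic mapping, and the LM note is expected for a freshly created machine account.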