[Samba] [Fwd: ldap + pdc + adding win2k clients...again(sigh)...argh]

IOhannes zmoelnig zmoelnig at iem.at
Mon Jun 10 02:28:02 GMT 2002

hi !

i have a problem with ldap+pdc too, and since no one answered ingo's
request, i will try again.

this is my setting:
i want to maintain a central authentification for my small but mixed
(debian/linux vs w2k) network
i am using debian:samba-2.2.3a; compiled it with ldapsam enabled.
i am using openldap2-2.0.23; compiled it with TLS enabled
simple file-sharing works (at least, none of my users complained)

this is my problem:
whenever i try to join a machine i get the error "Der angegebene
Benutzer existiert nicht" (meaning: "the given user does not exist")
it took me years to understand, that the "user" is actually the machine
i want to join.

now this is how i tried to track the problem:
my configuration:

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

TLSCertificateFile      /etc/ldap/server.pem
TLSCertificateKeyFile   /etc/ldap/server.pem
TLSCACertificateFile    /etc/ldap/server.pem

schemacheck     on

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args
replogfile      /var/lib/ldap/replog
loglevel        256
database        ldbm

suffix          "dc=iemnet"

directory       "/var/lib/ldap"
lastmod on
rootdn  "uid=Manager,ou=Administration,dc=iemnet"
rootpw  xyz

index    primaryGroupID     eq
index    rid                eq
index    uid                eq
index    uidNumber          eq
index    gidNumber          eq
index    cn                 pres,sub,eq
index    objectClass        eq
index    default            sub

access to attribute=userPassword attribute=lmPassword attribute=ntPassword
           by dn="cn=admin,dc=iemnet" write
           by dn="uid=Manager,ou=Administration,dc=iemnet" write
           by anonymous auth
           by self write
           by * none

access to *
           by dn="cn=admin,dc=iemnet" write
           by dn="uid=Manager,ou=Administration,dc=iemnet" write
           by * read


the [global]-section of my samba.conf
      netbios name = iemusers
      printing = cups
      printcap name = cups
      load printers = yes

#   guest account = nobody
#   invalid users = root

      security = user
      workgroup = IEM

      server string = %h (Samba %v)

      socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096

      encrypt passwords = true

      wins support = yes

      os level = 100
      domain master = yes
      local master = yes
      preferred master = yes

      domain logons = yes
      logon path = \\%N\%U\.ntprofile
      logon home = \\%N\%U\.ntprofile
      logon drive = M:
      logon script = logon.bat

      domain admin group = @smbadm Manager

      name resolve order = lmhosts host wins bcast
      dns proxy = no

      preserve case = yes
      short preserve case = yes

      unix password sync = true

      passwd program = /usr/bin/passwd %u
      passwd chat = *New\spassword:* %n\n *Re-enter\snew\spassword:* %n\n .

      max log size = 1000
      log level = 10
      syslog only = no
      syslog = 0;

      ldap server = ldap.iemnet
      ldap suffix = dc=iemnet
      ldap admin dn = "uid=Manager,ou=Administration,dc=iemnet"
#   ldap ssl = yes
#   ldap port = 636
      ldap ssl = no
      ldap port = 389
btw: there is no difference when if use "ldap ssl = yes" or "no"

i have set the password "xyz" with "smbpasswd -w xyz", and it says, that
it is stored in secrets.tdb.

i have a Manager-account with "uid: root" to join the w2k-machines.
this is in fact the same account as mentioned in slapd.conf and smb.conf
(i believe, that these need not be the same ???)

dn: uid=Manager,ou=Administration,dc=iemnet
	objectClass: posixAccount
	objectClass: sambaAccount
	loginShell: /bin/sh
	homeDirectory: /tmp
	pwdLastSet: 1023376082
	logonTime: 0
	logoffTime: 0
	kickoffTime: 0
	pwdCanChange: 0
	pwdMustChange: 0
	displayName: Manager
	rid: 500
	primaryGroupID: 1001
	acctFlags: [UX         ]
	cn: Manager
	ntPassword: .......
	lmPassword: .......
	userPassword: {crypt}....
	uidNumber: 0
	gidNumber: 0
	uid: root

note, that the effective uid is "root" while the headline says

i have set the password of the Manager-account (root) to "xyz" (the same
as set with "smbpass -w" and that is given in the slapd.conf) with
"passwd" (i use pam_smbpass.so to sync unix and nt hashes; works perfectly)

i can log into the linux-machine that is running the samba-server (and
which imports the ldap-users) with "root" "xyz" as well as with "root"
"{localrootpasswd}". i think this is a security hole but i have not
found a way to avoid this (setting the Manager's login-shell to
/bin/false does not work) but i think this is a pam thing (and it
doesn't matter right now anyhow)

i can add entries to the ldap-tree with "ldapadd -x -D
"uid=Manager,ou=Administration,dc=iemnet" -w xyz -f template.ldif"
so i have all rights to write and read (i can also search the whole tree).
i cannot do this as a normal (unauthorized) user.

my ldap-entry for a sample-w2k-client is:
dn: uid=xenakis$,ou=Windows,ou=Hosts,dc=iemnet
	objectClass: sambaAccount
	objectClass: posixAccount
	objectClass: ipHost
	uidNumber: 20106
	gidNumber: 20000
	homeDirectory: /tmp
	loginShell: /bin/false
	uid: xenakis$
	pwdLastSet: 1023464353
	logonTime: 0
	logoffTime: 0
	kickoffTime: 0
	pwdCanChange: 0
	pwdMustChange: 0
	displayName: xenakis$
	cn: xenakis$
	rid: 20106
	primaryGroupID: 3003
	lmPassword: 71B669514F2A1F3AAAD3B435B51404EE
	ntPassword: EAF65F7EC7EDFDBD2C2C59A951A459FD
	acctFlags: [UW         ]

now, the error i get when joining the w2k-client appears everytime i
succesfully authenticate any(!) user.
i get the same error for my normal account "zmoelnig" "geheim" and for
"root" "xyz". so i guessed that the ACLs in the slapd.conf are somehow
wrong, but then i think not, since i can add ldap-entries from the

if a matching posix-account (xenakis$) in the /etc/passwd exists on the
samba-server, and i create the samba-machine account with "smbpasswd -a
-w XENAKIS", i CAN join the domain (a sambaAccount entry is created in
the ldap-directory), but only sometimes!! (this seems to be not very
stable), but i do not want to do this, i want my w2k-clients to be
stored in the ldap-tree.

hope, some of you can point me into the right direction


PS:i have had some logfiles (syslog at ldap-server, log.nmbd at samba-server, 
log.smbdc at samba.server) attached, but i think my message was rejected, 
so i leave them out now

More information about the samba mailing list