[Samba] Samba + LDAP = Misery

John Peak jpeak at yahoo.com
Tue Feb 11 03:32:01 GMT 2003


I have been working on this for weeks now and feel like I am at a dead-end.
I am using Samba 3.0 (Head) and OpenLDAP (2.0) and smbldap-tools 0.7 and
cannot join either a Linux machine or Windows 2000 machine to the domain.
If any of you have some ideas they would be much appreciated.

Highlights:
- I have a root defined (UID and GID of 0).
- Trying to join the domain will successfully add my machine to the LDAP
database.
- I have my users defined and can successfully log in to view shares from
either a Windows or Linux machine.
- When trying to join domain I use root as the account with permission to
join domain.  The log appears to indicate that root is successfully
validated.

Bottom Line:
- Whenever I try to join I always get NT_STATUS_ACCESS_DENIED.  More details
and log messages below.

smb.conf
======
[global]
        workgroup = ELUCIDATION
        netbios name = Boo
        server string = %h server (Samba %v)
        security = user
        obey pam restrictions = Yes
        guest account = guest
        #passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
        passwd program = /usr/local/sbin/smbldap-passwd.pl %u
        passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
        unix password sync = No
        encrypt passwords = Yes
        log level = 5
        log file = /var/log/samba/%m.log
        max log size = 1000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        domain logons = Yes
        logon script = startup.bat
        os level = 80
        preferred master = Yes
        domain master = Yes
        local master = Yes
        dns proxy = No
        wins support = Yes
        ldap suffix = dc=ELUCIDATION
        ldap machine suffix = dc=ELUCIDATION
        ldap user suffix = dc=ELUCIDATION
        ldap admin dn = cn=Manager,dc=ELUCIDATION
        ldap ssl = No
        printing = lprng
        add user script = /usr/local/sbin/smbldap-useradd.pl -m -a %u
        add machine script = /usr/local/sbin/smbldap-useradd.pl -w %u
        panic action = /usr/share/samba/panic-action %d
        #invalid users = root
        admin users = root administrator
        hosts allow = 192.168.1.0/255.255.255.0
        logon drive = H:
        logon home = \\boo\profiles\%u


Attempt to join domain from another Linux box
===============================
asa:~# smbpasswd -j elucidation -r boo
cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
cli_nt_setup_creds: auth2 challenge failed
modify_trust_password: unable to setup the PDC credentials to machine BOO.
Error was : NT_STATUS_ACCESS_DENIED.
2003/02/10 21:57:01 : change_trust_account_password: Failed to change
password for domain ELUCIDATION.
Unable to join domain ELUCIDATION.

Log results trying to join from another Linux box
===============================
[2003/02/10 22:02:10, 2] passdb/pdb_ldap.c:init_sam_from_ldap(953)
  Entry found for user: asa$
[2003/02/10 22:02:10, 2] passdb/pdb_ldap.c:init_sam_from_ldap(990)
  init_sam_from_ldap: User [asa$] does not exist via system getpwnam!
[2003/02/10 22:02:10, 1] passdb/pdb_ldap.c:ldapsam_getsampwnam(1581)
  ldapsam_getsampwnam: init_sam_from_ldap failed for user 'ASA$'!
[2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam(288)
  Finding user ASA$
[2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is asa$
[2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam_internals(230)
  Trying _Get_Pwnam(), username as given is ASA$
[2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam_internals(247)
  Checking combinations of 0 uppercase letters in asa$
[2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals didn't find user [ASA$]!
[2003/02/10 22:02:10, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (1001, 1001) - sec_ctx_stack_ndx = 0
[2003/02/10 22:02:10, 0] rpc_server/srv_netlog_nt.c:get_md4pw(201)
  get_md4pw: Workstation ASA$: no account in domain
[2003/02/10 22:02:10, 5] rpc_parse/parse_prs.c:prs_debug(81)
  000000 net_io_r_auth_2
[2003/02/10 22:02:10, 5] rpc_parse/parse_prs.c:prs_uint8s(679)
          0000 data: cc f3 ff bf 84 83 2c 08
[2003/02/10 22:02:10, 5] rpc_parse/parse_prs.c:prs_uint32(592)
          0008 neg_flags: 000001ff
[2003/02/10 22:02:10, 5] rpc_parse/parse_prs.c:prs_ntstatus(622)
      000c status: NT_STATUS_ACCESS_DENIED

Log Results Attempting to Join Domain from Windows 2000
========================================
[2003/02/10 22:06:33, 4] rpc_server/srv_pipe.c:api_rpcTNP(1340)
  api_rpcTNP: NETLOGON op 0x5 - api_rpcTNP: rpc command: NET_AUTH
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_debug(81)
  000000 net_io_q_auth
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
          0000 undoc_buffer: 00119f60
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
              0004 uni_max_len: 00000006
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
              0008 undoc      : 00000000
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
              000c uni_str_len: 00000006
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:dbg_rw_punival(764)
              0010 buffer     : \.\.B.O.O...
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
              001c uni_max_len: 00000006
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
              0020 undoc      : 00000000
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
              0024 uni_str_len: 00000006
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:dbg_rw_punival(764)
              0028 buffer     : J.O.H.N.$...
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint16(563)
          0034 sec_chan: 0002
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
              0038 uni_max_len: 00000005
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
              003c undoc      : 00000000
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
              0040 uni_str_len: 00000005
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:dbg_rw_punival(764)
              0044 buffer     : J.O.H.N...
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint8s(679)
          004e data: 19 60 39 05 08 91 3a 58
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_debug(81)
  000000 net_io_r_auth
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint8s(679)
          0000 data: d0 f3 ff bf bc 2f 2d 08
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_ntstatus(622)
      0008 status: NT_STATUS_ACCESS_DENIED
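
Added example, not part of the original post: a small parser for the two-line smbd debug format shown above that reports, for each machine account (name ending in `$`), which lookup stages the log records. The sample input is an excerpt of the Linux-box log from the post; the function names and finding labels are this example's own.

```python
import re

# smbd debug header, e.g. "[2003/02/10 22:02:10, 2] passdb/pdb_ldap.c:init_sam_from_ldap(953)"
HEADER = re.compile(
    r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)")

# Sample input: excerpt of the Linux-box log lines from the post above.
SAMPLE_LOG = """\
[2003/02/10 22:02:10, 2] passdb/pdb_ldap.c:init_sam_from_ldap(953)
  Entry found for user: asa$
[2003/02/10 22:02:10, 2] passdb/pdb_ldap.c:init_sam_from_ldap(990)
  init_sam_from_ldap: User [asa$] does not exist via system getpwnam!
[2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals didn't find user [ASA$]!
[2003/02/10 22:02:10, 0] rpc_server/srv_netlog_nt.c:get_md4pw(201)
  get_md4pw: Workstation ASA$: no account in domain
[2003/02/10 22:02:10, 5] rpc_parse/parse_prs.c:prs_ntstatus(622)
      000c status: NT_STATUS_ACCESS_DENIED
"""

def parse_records(text):
    """Group each header line with the indented message lines that follow it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({**m.groupdict(), "msg": []})
        elif records and raw.strip():
            records[-1]["msg"].append(raw.strip())
    for r in records:
        r["level"] = int(r["level"])
        r["msg"] = " ".join(r["msg"])
    return records

def machine_account_findings(records):
    """Map each machine account (lowercased) to the lookup stages the log reports."""
    patterns = (
        ("ldap_entry", re.compile(r"Entry found for user: (\S+\$)")),
        ("unix_lookup_failed", re.compile(r"User \[(\S+\$)\] does not exist via system getpwnam")),
        ("netlogon_rejected", re.compile(r"Workstation (\S+\$): no account in domain")),
    )
    out = {}
    for r in records:
        for key, rx in patterns:
            m = rx.search(r["msg"])
            if m:
                out.setdefault(m.group(1).lower(), set()).add(key)
    return out

if __name__ == "__main__":
    for acct, flags in machine_account_findings(parse_records(SAMPLE_LOG)).items():
        print(acct, sorted(flags))
```

On the excerpt it reports all three stages for `asa$`: the LDAP entry is found, the getpwnam lookup fails, and NETLOGON then reports no account in the domain.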





