[Samba] Samba + LDAP = Misery

Pouchoulon Jean-Marc jean-marc.pouchoulon at ac-montpellier.fr
Wed Feb 12 06:46:39 GMT 2003


Beware of having machine account$ in /etc/passwd and LDAP database.
(The problem seems to be in /etc/passwd.)
The other difference I can see is that I do not use 227a syntax for ldap setting but 302alpha.
Hope this helps.




---- Original message ----
From: "John Peak" <jpeak at yahoo.com>
Date: Tuesday, February 11, 2003 4:32 am
Subject: [Samba] Samba + LDAP = Misery

> I have been working on this for weeks now and feel like I am at a dead-end.
> I am using Samba 3.0 (Head) and OpenLDAP (2.0) and smbldap-tools 0.7 and
> cannot join either a Linux machine or Windows 2000 machine to the domain.
> If any of you have some ideas they would be much appreciated.
> 
> Highlights:
> - I have a root defined (UID and GID of 0).
> - Trying to join the domain will successfully add my machine to the LDAP
> database.
> - I have my users defined and can successfully login to view shares from
> either a windows or Linux machine.
> - When trying to join domain I use root as the account with permission to
> join domain.  The log appears to indicate that root is successfully
> validated.
> 
> Bottom Line:
> - Whenever I try to join I always get NT_STATUS_ACCESS_DENIED.  More details
> and log messages below.
> 
> smb.conf
> ======
> [global]
>        workgroup = ELUCIDATION
>        netbios name = Boo
>        server string = %h server (Samba %v)
>        security = user
>        obey pam restrictions = Yes
>        guest account = guest
>        #passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
>        passwd program = /usr/local/sbin/smbldap-passwd.pl %u
>        passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
>        unix password sync = No
>        encrypt passwords = Yes
>        log level = 5
>        log file = /var/log/samba/%m.log
>        max log size = 1000
>        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>        domain logons = Yes
>        logon script = startup.bat
>        os level = 80
>        preferred master = Yes
>        domain master = Yes
>        local master = Yes
>        dns proxy = No
>        wins support = Yes
>        ldap suffix = dc=ELUCIDATION
>        ldap machine suffix = dc=ELUCIDATION
>        ldap user suffix = dc=ELUCIDATION
>        ldap admin dn = cn=Manager,dc=ELUCIDATION
>        ldap ssl = No
>        printing = lprng
>        add user script = /usr/local/sbin/smbldap-useradd.pl -m -a %u
>        add machine script = /usr/local/sbin/smbldap-useradd.pl -w %u
>        panic action = /usr/share/samba/panic-action %d
>        #invalid users = root
>        admin users = root administrator
>        hosts allow = 192.168.1.0/255.255.255.0
>        logon drive = H:
>        logon home = \\boo\profiles\%u
> 
> 
> Attempt to join domain from another Linux box
> ===============================
> asa:~# smbpasswd -j elucidation -r boo
> cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
> cli_nt_setup_creds: auth2 challenge failed
> modify_trust_password: unable to setup the PDC credentials to 
> machine BOO.
> Error was : NT_STATUS_ACCESS_DENIED.
> 2003/02/10 21:57:01 : change_trust_account_password: Failed to change
> password for domain ELUCIDATION.
> Unable to join domain ELUCIDATION.
> 
> Log results try to join from another Linux box
> ===============================
> [2003/02/10 22:02:10, 2] passdb/pdb_ldap.c:init_sam_from_ldap(953)
>  Entry found for user: asa$
> [2003/02/10 22:02:10, 2] passdb/pdb_ldap.c:init_sam_from_ldap(990)
>  init_sam_from_ldap: User [asa$] does not exist via system getpwnam!
> [2003/02/10 22:02:10, 1] passdb/pdb_ldap.c:ldapsam_getsampwnam(1581)
>  ldapsam_getsampwnam: init_sam_from_ldap failed for user 'ASA$'!
> [2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam(288)
>  Finding user ASA$
> [2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam_internals(223)
>  Trying _Get_Pwnam(), username as lowercase is asa$
> [2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam_internals(230)
>  Trying _Get_Pwnam(), username as given is ASA$
> [2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam_internals(247)
>  Checking combinations of 0 uppercase letters in asa$
> [2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam_internals(251)
>  Get_Pwnam_internals didn't find user [ASA$]!
> [2003/02/10 22:02:10, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
>  pop_sec_ctx (1001, 1001) - sec_ctx_stack_ndx = 0
> [2003/02/10 22:02:10, 0] rpc_server/srv_netlog_nt.c:get_md4pw(201)
>  get_md4pw: Workstation ASA$: no account in domain
> [2003/02/10 22:02:10, 5] rpc_parse/parse_prs.c:prs_debug(81)
>  000000 net_io_r_auth_2
> [2003/02/10 22:02:10, 5] rpc_parse/parse_prs.c:prs_uint8s(679)
>          0000 data: cc f3 ff bf 84 83 2c 08
> [2003/02/10 22:02:10, 5] rpc_parse/parse_prs.c:prs_uint32(592)
>          0008 neg_flags: 000001ff
> [2003/02/10 22:02:10, 5] rpc_parse/parse_prs.c:prs_ntstatus(622)
>      000c status: NT_STATUS_ACCESS_DENIED
> 
> Log Results Attempting to Join Domain from Windows 2000
> ========================================
> [2003/02/10 22:06:33, 4] rpc_server/srv_pipe.c:api_rpcTNP(1340)
>  api_rpcTNP: NETLOGON op 0x5 - api_rpcTNP: rpc command: NET_AUTH
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_debug(81)
>  000000 net_io_q_auth
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
>          0000 undoc_buffer: 00119f60
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
>              0004 uni_max_len: 00000006
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
>              0008 undoc      : 00000000
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
>              000c uni_str_len: 00000006
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:dbg_rw_punival(764)
>              0010 buffer     : \.\.B.O.O...
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
>              001c uni_max_len: 00000006
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
>              0020 undoc      : 00000000
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
>              0024 uni_str_len: 00000006
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:dbg_rw_punival(764)
>              0028 buffer     : J.O.H.N.$...
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint16(563)
>          0034 sec_chan: 0002
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
>              0038 uni_max_len: 00000005
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
>              003c undoc      : 00000000
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
>              0040 uni_str_len: 00000005
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:dbg_rw_punival(764)
>              0044 buffer     : J.O.H.N...
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint8s(679)
>          004e data: 19 60 39 05 08 91 3a 58
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_debug(81)
>  000000 net_io_r_auth
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint8s(679)
>          0000 data: d0 f3 ff bf bc 2f 2d 08
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_ntstatus(622)
>      0008 status: NT_STATUS_ACCESS_DENIED
> 
> 
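The log excerpt quoted above shows a chain for the machine account: the LDAP entry is found, the Unix lookup (getpwnam) fails, NETLOGON reports no account in the domain, and the join is refused. The following is an added example, not part of either post and not Samba code, that picks that chain out of a level-5 smbd log. The function and tag names are hypothetical; the sample lines are copied from the quoted log.

```python
import re

# smbd debug records span two lines: a header
# "[date time, level] file:function(line)" and an indented message.
HEADER = re.compile(r"^\[(\S+ \S+), +(\d+)\] (\S+):(\w+)\((\d+)\)$")
NO_UNIX = re.compile(r"init_sam_from_ldap: User \[(.+?)\] does not exist via system getpwnam!")
NO_ACCT = re.compile(r"get_md4pw: Workstation (.+?): no account in domain")
DENIED = "status: NT_STATUS_ACCESS_DENIED"

# Sample input: lines copied from the log quoted in the post.
SAMPLE = """\
[2003/02/10 22:02:10, 2] passdb/pdb_ldap.c:init_sam_from_ldap(953)
 Entry found for user: asa$
[2003/02/10 22:02:10, 2] passdb/pdb_ldap.c:init_sam_from_ldap(990)
 init_sam_from_ldap: User [asa$] does not exist via system getpwnam!
[2003/02/10 22:02:10, 1] passdb/pdb_ldap.c:ldapsam_getsampwnam(1581)
 ldapsam_getsampwnam: init_sam_from_ldap failed for user 'ASA$'!
[2003/02/10 22:02:10, 0] rpc_server/srv_netlog_nt.c:get_md4pw(201)
 get_md4pw: Workstation ASA$: no account in domain
[2003/02/10 22:02:10, 5] rpc_parse/parse_prs.c:prs_ntstatus(622)
     000c status: NT_STATUS_ACCESS_DENIED
"""

def records(text):
    """Yield (timestamp, function, message) for each two-line record."""
    header = None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            header = m
        elif header and line.strip():
            yield header.group(1), header.group(4), line.strip()
            header = None

def triage(text):
    """Map each machine account (lowercased) to the failure tags seen for it."""
    findings, last = {}, None
    for _ts, _func, msg in records(text):
        if m := NO_UNIX.search(msg):
            last = m.group(1).lower()
            findings.setdefault(last, set()).add("no_unix_account")
        elif m := NO_ACCT.search(msg):
            last = m.group(1).lower()
            findings.setdefault(last, set()).add("no_domain_account")
        elif DENIED in msg and last:
            # Attribute the refusal to the account most recently reported.
            findings[last].add("access_denied")
    return {acct: sorted(tags) for acct, tags in findings.items()}

if __name__ == "__main__":
    for acct, tags in triage(SAMPLE).items():
        print(acct, ", ".join(tags))
```

An account tagged `no_unix_account` has an LDAP entry that the system's getpwnam lookup cannot resolve.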


