[Samba] Samba + LDAP = Misery
Pouchoulon Jean-Marc
jean-marc.pouchoulon at ac-montpellier.fr
Wed Feb 12 06:46:39 GMT 2003
Beware of having machine account$ in both /etc/passwd and the LDAP database
(the problem seems to be in /etc/passwd).
The other difference I can see is that
I do not use the 227a syntax for the LDAP settings but 302alpha.
Hope this helps
---- Original message ----
From: "John Peak" <jpeak at yahoo.com>
Date: Tuesday, February 11, 2003 4:32 am
Subject: [Samba] Samba + LDAP = Misery
> I have been working on this for weeks now and feel like I am at a
> dead-end.
> I am using Samba 3.0 (Head) and OpenLDAP (2.0) and smbldap-tools 0.7 and
> cannot join either a Linux machine or Windows 2000 machine to the
> domain. If any of you have some ideas they would be much appreciated.
>
> Highlights:
> - I have a root defined (UID and GID of 0).
> - Trying to join the domain will successfully add my machine to the LDAP
> database.
> - I have my users defined and can successfully login to view shares from
> either a Windows or Linux machine.
> - When trying to join domain I use root as the account with permission to
> join domain. The log appears to indicate that root is successfully
> validated.
>
> Bottom Line:
> - Whenever I try to join I always get NT_STATUS_ACCESS_DENIED.
> More details and log messages below.
>
> smb.conf
> ======
> [global]
> workgroup = ELUCIDATION
> netbios name = Boo
> server string = %h server (Samba %v)
> security = user
> obey pam restrictions = Yes
> guest account = guest
> #passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
> passwd program = /usr/local/sbin/smbldap-passwd.pl %u
> passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
> unix password sync = No
> encrypt passwords = Yes
> log level = 5
> log file = /var/log/samba/%m.log
> max log size = 1000
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> domain logons = Yes
> logon script = startup.bat
> os level = 80
> preferred master = Yes
> domain master = Yes
> local master = Yes
> dns proxy = No
> wins support = Yes
> ldap suffix = dc=ELUCIDATION
> ldap machine suffix = dc=ELUCIDATION
> ldap user suffix = dc=ELUCIDATION
> ldap admin dn = cn=Manager,dc=ELUCIDATION
> ldap ssl = No
> printing = lprng
> add user script = /usr/local/sbin/smbldap-useradd.pl -m -a %u
> add machine script = /usr/local/sbin/smbldap-useradd.pl -w %u
> panic action = /usr/share/samba/panic-action %d
> #invalid users = root
> admin users = root administrator
> hosts allow = 192.168.1.0/255.255.255.0
> logon drive = H:
> logon home = \\boo\profiles\%u
>
>
> Attempt to join domain from another Linux box
> ===============================
> asa:~# smbpasswd -j elucidation -r boo
> cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
> cli_nt_setup_creds: auth2 challenge failed
> modify_trust_password: unable to setup the PDC credentials to
> machine BOO.
> Error was : NT_STATUS_ACCESS_DENIED.
> 2003/02/10 21:57:01 : change_trust_account_password: Failed to change
> password for domain ELUCIDATION.
> Unable to join domain ELUCIDATION.
>
> Log results when trying to join from another Linux box
> ===============================
> [2003/02/10 22:02:10, 2] passdb/pdb_ldap.c:init_sam_from_ldap(953)
> Entry found for user: asa$
> [2003/02/10 22:02:10, 2] passdb/pdb_ldap.c:init_sam_from_ldap(990)
> init_sam_from_ldap: User [asa$] does not exist via system getpwnam!
> [2003/02/10 22:02:10, 1] passdb/pdb_ldap.c:ldapsam_getsampwnam(1581)
> ldapsam_getsampwnam: init_sam_from_ldap failed for user 'ASA$'!
> [2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam(288)
> Finding user ASA$
> [2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam_internals(223)
> Trying _Get_Pwnam(), username as lowercase is asa$
> [2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam_internals(230)
> Trying _Get_Pwnam(), username as given is ASA$
> [2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam_internals(247)
> Checking combinations of 0 uppercase letters in asa$
> [2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam_internals(251)
> Get_Pwnam_internals didn't find user [ASA$]!
> [2003/02/10 22:02:10, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
> pop_sec_ctx (1001, 1001) - sec_ctx_stack_ndx = 0
> [2003/02/10 22:02:10, 0] rpc_server/srv_netlog_nt.c:get_md4pw(201)
> get_md4pw: Workstation ASA$: no account in domain
> [2003/02/10 22:02:10, 5] rpc_parse/parse_prs.c:prs_debug(81)
> 000000 net_io_r_auth_2
> [2003/02/10 22:02:10, 5] rpc_parse/parse_prs.c:prs_uint8s(679)
> 0000 data: cc f3 ff bf 84 83 2c 08
> [2003/02/10 22:02:10, 5] rpc_parse/parse_prs.c:prs_uint32(592)
> 0008 neg_flags: 000001ff
> [2003/02/10 22:02:10, 5] rpc_parse/parse_prs.c:prs_ntstatus(622)
> 000c status: NT_STATUS_ACCESS_DENIED
>
> Log Results Attempting to Join Domain from Windows 2000
> ========================================
> [2003/02/10 22:06:33, 4] rpc_server/srv_pipe.c:api_rpcTNP(1340)
> api_rpcTNP: NETLOGON op 0x5 - api_rpcTNP: rpc command: NET_AUTH
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_debug(81)
> 000000 net_io_q_auth
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
> 0000 undoc_buffer: 00119f60
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
> 0004 uni_max_len: 00000006
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
> 0008 undoc : 00000000
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
> 000c uni_str_len: 00000006
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:dbg_rw_punival(764)
> 0010 buffer : \.\.B.O.O...
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
> 001c uni_max_len: 00000006
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
> 0020 undoc : 00000000
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
> 0024 uni_str_len: 00000006
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:dbg_rw_punival(764)
> 0028 buffer : J.O.H.N.$...
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint16(563)
> 0034 sec_chan: 0002
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
> 0038 uni_max_len: 00000005
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
> 003c undoc : 00000000
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
> 0040 uni_str_len: 00000005
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:dbg_rw_punival(764)
> 0044 buffer : J.O.H.N...
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint8s(679)
> 004e data: 19 60 39 05 08 91 3a 58
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_debug(81)
> 000000 net_io_r_auth
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint8s(679)
> 0000 data: d0 f3 ff bf bc 2f 2d 08
> [2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_ntstatus(622)
> 0008 status: NT_STATUS_ACCESS_DENIED
>
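Added example (not part of either poster's message, and not Samba code): a small Python parser that correlates the smbd log messages quoted above and reports machine accounts that have an LDAP entry but fail the system getpwnam lookup. The function names and stage labels are invented for this illustration; the sample lines are copied from the quoted log.

```python
import re

# Constructed sample: lines copied from the smbd log quoted above.
SAMPLE_LOG = """\
[2003/02/10 22:02:10, 2] passdb/pdb_ldap.c:init_sam_from_ldap(953)
Entry found for user: asa$
[2003/02/10 22:02:10, 2] passdb/pdb_ldap.c:init_sam_from_ldap(990)
init_sam_from_ldap: User [asa$] does not exist via system getpwnam!
[2003/02/10 22:02:10, 0] rpc_server/srv_netlog_nt.c:get_md4pw(201)
get_md4pw: Workstation ASA$: no account in domain
[2003/02/10 22:02:10, 5] rpc_parse/parse_prs.c:prs_ntstatus(622)
000c status: NT_STATUS_ACCESS_DENIED
"""

HEADER = re.compile(r"^\[[^,\]]+,\s*\d+\]\s+\S+:\w+\(\d+\)$")
STAGES = {  # hypothetical stage labels -> message patterns seen in the log
    "ldap_entry": re.compile(r"Entry found for user: (\S+\$)"),
    "no_unix_account": re.compile(r"User \[(\S+\$)\] does not exist via system getpwnam"),
    "join_denied": re.compile(r"Workstation (\S+\$): no account in domain"),
}

def messages(text):
    """Yield the message body of each record (header line + following lines)."""
    body = None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()   # also accept mail-quoted logs
        if HEADER.match(line):
            if body:
                yield " ".join(body)
            body = []
        elif body is not None and line:
            body.append(line)
    if body:
        yield " ".join(body)

def diagnose(text):
    """Map each machine account (lowercased) to the set of stages observed."""
    seen = {}
    for msg in messages(text):
        for stage, rx in STAGES.items():
            m = rx.search(msg)
            if m:
                seen.setdefault(m.group(1).lower(), set()).add(stage)
    return seen

def nss_gap(text):
    """Accounts with an LDAP entry that the system getpwnam lookup cannot resolve."""
    return sorted(a for a, s in diagnose(text).items()
                  if {"ldap_entry", "no_unix_account"} <= s)

if __name__ == "__main__":
    print(nss_gap(SAMPLE_LOG))
```

On the domain controller, `getent passwd 'asa$'` shows whether the system's name service resolves an account that this report flags.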