[Samba] Samba-2.2.8a /LDAP can't join domain

PHELPS, SCOTT SPHELPS at ridgways.com
Sun Jul 13 07:18:44 GMT 2003


On Sat, 2003-07-12 at 01:43, Chee Wai Yeung wrote:
> Hi,
> 
> have you checked your smb logs? Is the smbd talking to
> your ldap server as a start? Also try to check your
> ldap logs to see if any searches were made to your
> ldap server when the join took place. smbd should be
> searching for something in the line of
> 
> (&(uid=MYMACHINE$)(objectclass=sambaAccount))
> 
> Hope this can help your troubleshooting.
> 
> (PS: your LDIF entries looked ok)
> 
> Chee Wai
> 
Hooooorahhhh!  I got it working!  Although with one bug which I will list at the bottom of this email.  

I am posting how I fixed this for everyone in the future who runs into this problem.

First I recompiled OpenLDAP with the --include-debug option (It won't log jack unless you do!)  And set up slapd.conf to loglevel = -1.
It's also a good idea to configure syslog to dump this to its own file because it uses /var/log/messages by default.

Second I started Samba and Slapd up and tried to join my new domain from a Windows XP laptop.

Here's the (pertinent) output from my slapd.log.... sorry it's so long.
I'll continue at the bottom......



Jul 12 16:43:29 localhost slapd[11546]: ====> cache_find_entry_id( 8 ) "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" (found) (1 tries)
Jul 12 16:43:29 localhost slapd[11546]: <= id2entry_r( 8 ) 0x80e96f8 (cache)
Jul 12 16:43:29 localhost slapd[11546]: => test_filter
Jul 12 16:43:29 localhost slapd[11546]:     AND
Jul 12 16:43:29 localhost slapd[11546]: => test_filter_and
Jul 12 16:43:29 localhost slapd[11546]: => test_filter
Jul 12 16:43:29 localhost slapd[11546]:     EQUALITY
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: search access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "uid" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: <= test_filter 6
Jul 12 16:43:29 localhost slapd[11546]: => test_filter
Jul 12 16:43:29 localhost slapd[11546]:     EQUALITY
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: search access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "objectClass" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: <= test_filter 6
Jul 12 16:43:29 localhost slapd[11546]: <= test_filter_and 6
Jul 12 16:43:29 localhost slapd[11546]: <= test_filter 6
Jul 12 16:43:29 localhost slapd[11546]: => send_search_entry: "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net"
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "entry" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "uid" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "uid" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "pwdLastSet" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "pwdLastSet" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "logonTime" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "logonTime" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "logoffTime" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "logoffTime" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "kickoffTime" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "cn" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: conn=10 op=1 ENTRY dn="uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net"
Jul 12 16:43:29 localhost slapd[11546]: <= send_search_entry
Jul 12 16:43:29 localhost slapd[11546]: ====> cache_return_entry_r( 8 ): returned (0)
Jul 12 16:43:29 localhost slapd[11500]: daemon: select: listen=6 active_threads=1 tvp=NULL
Jul 12 16:43:29 localhost slapd[11546]: send_ldap_search_result 0::
Jul 12 16:43:29 localhost slapd[11546]: send_ldap_response: msgid=2 tag=101 err=0
Jul 12 16:43:29 localhost slapd[11546]: conn=10 op=1 SEARCH RESULT tag=101 err=0 text=
Jul 12 16:43:29 localhost slapd[11500]: daemon: activity on 1 descriptors
Jul 12 16:43:29 localhost slapd[11500]: daemon: activity on:
Jul 12 16:43:29 localhost slapd[11500]:  15r
Jul 12 16:43:29 localhost slapd[11500]:
Jul 12 16:43:29 localhost slapd[11500]: daemon: read activity on 15
Jul 12 16:43:29 localhost slapd[11500]: connection_get(15)
Jul 12 16:43:29 localhost slapd[11500]: connection_get(15): got connid=8
Jul 12 16:43:29 localhost slapd[11500]: connection_read(15): checking for input on id=8
Jul 12 16:43:29 localhost slapd[11500]: ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
Jul 12 16:43:29 localhost slapd[11543]: do_search
Jul 12 16:43:29 localhost slapd[11543]: SRCH "ou=People,dc=MY_DOMAIN,dc=NET" 2 0
Jul 12 16:43:29 localhost slapd[11543]:     1 0 0
Jul 12 16:43:29 localhost slapd[11543]: begin get_filter
Jul 12 16:43:29 localhost slapd[11543]: AND
Jul 12 16:43:29 localhost slapd[11543]: begin get_filter_list
Jul 12 16:43:29 localhost slapd[11543]: begin get_filter
Jul 12 16:43:29 localhost slapd[11543]: EQUALITY
Jul 12 16:43:29 localhost slapd[11543]: end get_filter 0
Jul 12 16:43:29 localhost slapd[11543]: begin get_filter
Jul 12 16:43:29 localhost slapd[11543]: EQUALITY
Jul 12 16:43:29 localhost slapd[11543]: end get_filter 0
Jul 12 16:43:29 localhost slapd[11543]: end get_filter_list
Jul 12 16:43:29 localhost slapd[11543]: end get_filter 0
Jul 12 16:43:29 localhost slapd[11543]:     filter: (&(objectClass=posixAccount)(uid=MY_COMPUTER$))
Jul 12 16:43:29 localhost slapd[11543]:     attrs:
Jul 12 16:43:29 localhost slapd[11543]:  uid
Jul 12 16:43:29 localhost slapd[11543]:  userPassword
Jul 12 16:43:29 localhost slapd[11543]:  uidNumber
Jul 12 16:43:29 localhost slapd[11543]:  gidNumber
Jul 12 16:43:29 localhost slapd[11543]:  cn
Jul 12 16:43:29 localhost slapd[11543]:  homeDirectory
Jul 12 16:43:29 localhost slapd[11543]:  loginShell
Jul 12 16:43:29 localhost slapd[11543]:  gecos
Jul 12 16:43:29 localhost slapd[11543]:  description
Jul 12 16:43:29 localhost slapd[11543]:  objectClass
Jul 12 16:43:29 localhost slapd[11543]:
Jul 12 16:43:29 localhost slapd[11543]: conn=8 op=6 SRCH base="ou=People,dc=MY_DOMAIN,dc=NET" scope=2 filter="(&(objectClass=posixAccount)(uid=MY_COMPUTER$))"
Jul 12 16:43:29 localhost slapd[11543]: => ldbm_back_search
Jul 12 16:43:29 localhost slapd[11543]: dn2entry_r: dn: "OU=PEOPLE,DC=MY_DOMAIN,DC=NET"
Jul 12 16:43:29 localhost slapd[11543]: => dn2id( "OU=PEOPLE,DC=MY_DOMAIN,DC=NET" )
Jul 12 16:43:29 localhost slapd[11543]: ====> cache_find_entry_dn2id("OU=PEOPLE,DC=MY_DOMAIN,DC=NET"): 3 (1 tries)
Jul 12 16:43:29 localhost slapd[11543]: <= dn2id 3 (in cache)
Jul 12 16:43:29 localhost slapd[11543]: => id2entry_r( 3 )
Jul 12 16:43:29 localhost slapd[11543]: ====> cache_find_entry_id( 3 ) "ou=People,dc=MY_DOMAIN,dc=net" (found) (1 tries)
Jul 12 16:43:29 localhost slapd[11543]: <= id2entry_r( 3 ) 0x80ea280 (cache)
Jul 12 16:43:29 localhost slapd[11543]: search_candidates: base="OU=PEOPLE,DC=MY_DOMAIN,DC=NET" s=2 d=0
Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
Jul 12 16:43:29 localhost slapd[11543]:         AND
Jul 12 16:43:29 localhost slapd[11543]: => list_candidates 0xa0
Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
Jul 12 16:43:29 localhost slapd[11543]:         DN SUBTREE
Jul 12 16:43:29 localhost slapd[11543]: => dn2idl( "@OU=PEOPLE,DC=MY_DOMAIN,DC=NET" )
Jul 12 16:43:29 localhost slapd[11543]: => ldbm_cache_open( "dn2id.dbb", 73, 600 )
Jul 12 16:43:29 localhost slapd[11543]: <= ldbm_cache_open (cache 0)
Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 4
Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
Jul 12 16:43:29 localhost slapd[11543]:         OR
Jul 12 16:43:29 localhost slapd[11543]: => list_candidates 0xa1
Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
Jul 12 16:43:29 localhost slapd[11543]:         EQUALITY
Jul 12 16:43:29 localhost slapd[11543]: => equality_candidates
Jul 12 16:43:29 localhost slapd[11543]: => ldbm_cache_open( "objectClass.dbb", 73, 600 )
Jul 12 16:43:29 localhost slapd[11543]: <= ldbm_cache_open (cache 3)
Jul 12 16:43:29 localhost slapd[11543]: => key_read
Jul 12 16:43:29 localhost slapd[11543]: <= index_read 0 candidates
Jul 12 16:43:29 localhost slapd[11543]: <= equality_candidates NULL
Jul 12 16:43:29 localhost slapd[11543]: <= equality_candidates 0
Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 0
Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
Jul 12 16:43:29 localhost slapd[11543]:         AND
Jul 12 16:43:29 localhost slapd[11543]: => list_candidates 0xa0
Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
Jul 12 16:43:29 localhost slapd[11543]:         EQUALITY
Jul 12 16:43:29 localhost slapd[11543]: => equality_candidates
Jul 12 16:43:29 localhost slapd[11543]: => ldbm_cache_open( "objectClass.dbb", 73, 600 )
Jul 12 16:43:29 localhost slapd[11543]: <= ldbm_cache_open (cache 3)
Jul 12 16:43:29 localhost slapd[11543]: => key_read
Jul 12 16:43:29 localhost slapd[11543]: <= index_read 4 candidates
Jul 12 16:43:29 localhost slapd[11543]: <= equality_candidates 4
Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 4
Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
Jul 12 16:43:29 localhost slapd[11543]:         EQUALITY
Jul 12 16:43:29 localhost slapd[11543]: => equality_candidates
Jul 12 16:43:29 localhost slapd[11543]: => ldbm_cache_open( "uid.dbb", 73, 600 )
Jul 12 16:43:29 localhost slapd[11543]: <= ldbm_cache_open (cache 4)
Jul 12 16:43:29 localhost slapd[11543]: => key_read
Jul 12 16:43:29 localhost slapd[11543]: <= index_read 1 candidates
Jul 12 16:43:29 localhost slapd[11543]: <= equality_candidates 1
Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 1
Jul 12 16:43:29 localhost slapd[11543]: <= list_candidates 1
Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 1
Jul 12 16:43:29 localhost slapd[11543]: <= list_candidates 1
Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 1
Jul 12 16:43:29 localhost slapd[11543]: <= list_candidates 0
Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 0
Jul 12 16:43:29 localhost slapd[11500]: daemon: select: listen=6 active_threads=1 tvp=NULL
Jul 12 16:43:29 localhost slapd[11543]: ====> cache_return_entry_r( 3 ): returned (0)
Jul 12 16:43:29 localhost slapd[11543]: ldbm_search: no candidates
Jul 12 16:43:29 localhost slapd[11543]: send_ldap_search_result 0::
Jul 12 16:43:29 localhost slapd[11543]: send_ldap_response: msgid=7 tag=101 err=0
Jul 12 16:43:29 localhost slapd[11543]: conn=8 op=6 SEARCH RESULT tag=101 err=0 text=
Jul 12 16:43:29 localhost slapd[11500]: daemon: activity on 1 descriptors
Jul 12 16:43:29 localhost slapd[11500]: daemon: activity on:
Jul 12 16:43:29 localhost slapd[11500]:  17r
Jul 12 16:43:29 localhost slapd[11500]:
Jul 12 16:43:29 localhost slapd[11500]: daemon: read activity on 17
Jul 12 16:43:29 localhost slapd[11500]: connection_get(17)
Jul 12 16:43:29 localhost slapd[11500]: connection_get(17): got connid=10
Jul 12 16:43:29 localhost slapd[11500]: connection_read(17): checking for input on id=10
Jul 12 16:43:29 localhost slapd[11500]: ber_get_next on fd 17 failed errno=0 (Success)
Jul 12 16:43:29 localhost slapd[11500]: connection_read(17): input error=-2 id=10, closing.
Jul 12 16:43:29 localhost slapd[11500]: connection_closing: readying conn=10 sd=17 for close
Jul 12 16:43:29 localhost slapd[11500]: connection_close: deferring conn=10 sd=17
Jul 12 16:43:29 localhost slapd[11542]: do_unbind
Jul 12 16:43:29 localhost slapd[11542]: conn=10 op=2 UNBIND
Jul 12 16:43:29 localhost slapd[11542]: connection_resched: attempting closing conn=10 sd=17
Jul 12 16:43:29 localhost slapd[11542]: connection_close: conn=10 sd=17
Jul 12 16:43:29 localhost slapd[11542]: daemon: removing 17
Jul 12 16:43:29 localhost slapd[11542]: conn=-1 fd=17 closed

Well, as you can see, the problem was that Samba was looking for MY_COMPUTER$ in ou=People.  So I took MY_COMPUTER$ out of ou=Machines and put it in ou=People.  Then when I attempted to join MY_DOMAIN I got the friendly "Welcome to the MY_DOMAIN Domain!"  Yay!

Now the issue is this.  I want my Machines in their own OU.  What piece am I missing here to make Samba work with an Account in Machines only?

My Machine account is in my previous email so here is my /etc/ldap.conf:
# ldap.conf
host 127.0.0.1
base dc=MY_DOMAIN,dc=NET

rootbinddn cn=manager,dc=MY_DOMAIN,dc=NET

pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_member_attribute gid
pam_password md5

nss_base_passwd         ou=People,dc=MY_DOMAIN,dc=NET?sub
nss_base_shadow         ou=People,dc=MY_DOMAIN,dc=NET?sub
nss_base_group          ou=Group,dc=MY_DOMAIN,dc=NET?one

P.S.  I suspect I need to change shadow, but how?  Can somebody explain what one and sub mean and how this ties to nss?

Thanks!

-- Scott Phelps
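
The check done by eye in the message above (which search base and scope slapd was asked for, and whether the machine entry lies inside it), as an added example that is not part of the original post. `scope=2` in the SRCH line is the LDAP subtree scope, which `?sub` selects in the nss_base_* lines, while `?one` is one level (scope=1); the function names and the second sample log line are constructed for illustration.

```python
import re

# Constructed sample. Line 1 is the SRCH summary from the log above; line 2 is
# a made-up search from the domain root, added for contrast.
SAMPLE_LOG = """\
Jul 12 16:43:29 localhost slapd[11543]: conn=8 op=6 SRCH base="ou=People,dc=MY_DOMAIN,dc=NET" scope=2 filter="(&(objectClass=posixAccount)(uid=MY_COMPUTER$))"
Jul 12 16:43:29 localhost slapd[11546]: conn=10 op=1 SRCH base="dc=MY_DOMAIN,dc=NET" scope=2 filter="(&(uid=MY_COMPUTER$)(objectClass=sambaAccount))"
"""
ENTRY_DN = "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net"  # DN seen in the log

SRCH_RE = re.compile(
    r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=([012]) filter="([^"]*)"')
SCOPES = {0: "base", 1: "one", 2: "sub"}  # LDAP wire values for search scope


def rdns(dn):
    """Split a DN into lower-cased RDNs (simplified: no quoted RDN values)."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn can be returned by a search at base_dn with this scope."""
    if scope not in SCOPES:
        raise ValueError(f"unsupported scope {scope}")
    entry, base = rdns(entry_dn), rdns(base_dn)
    if len(base) > len(entry) or entry[len(entry) - len(base):] != base:
        return False                      # entry is not under the base at all
    depth = len(entry) - len(base)        # 0 = the base entry itself
    return {"base": depth == 0, "one": depth == 1, "sub": True}[SCOPES[scope]]


def audit_searches(log_text, entry_dn):
    """List every SRCH in the log and whether it could have reached entry_dn."""
    out = []
    for m in SRCH_RE.finditer(log_text):
        conn, op, base, scope, flt = m.groups()
        out.append({"conn": int(conn), "op": int(op), "base": base,
                    "scope": SCOPES[int(scope)], "filter": flt,
                    "reachable": in_scope(entry_dn, base, int(scope))})
    return out


if __name__ == "__main__":
    for s in audit_searches(SAMPLE_LOG, ENTRY_DN):
        verdict = "can match" if s["reachable"] else "CANNOT match"
        print(f'conn={s["conn"]} op={s["op"]} base={s["base"]} '
              f'scope={s["scope"]}: {verdict} {ENTRY_DN}')
```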



