[Samba] Samba-2.2.8a /LDAP can't join domain
_Chris McKeever_
tech-mail at prupref.com
Sun Jul 13 18:08:24 GMT 2003
Make sure your ldap.conf is set like this, or it won't go searching the tree:
nss_base_passwd dc=domin,dc=com?sub
> -----Original Message-----
> From: PHELPS, SCOTT [mailto:SPHELPS at ridgways.com]
> Sent: Sunday, July 13, 2003 2:19 AM
> To: 'samba at lists.samba.org'
> Subject: Re: [Samba] Samba-2.2.8a /LDAP can't join domain
>
>
> On Sat, 2003-07-12 at 01:43, Chee Wai Yeung wrote:
> > Hi,
> >
> > have you checked your smb logs? Is the smbd talking to
> > your ldap server as a start? Also try to check your
> > ldap logs to see if any searches were made to your
> > ldap server when the join took place. smbd should be
> > searching for something in the line of
> >
> > (&(uid=MYMACHINE$)(objectclass=sambaAccount))
> >
> > Hope this can help your troubleshooting.
> >
> > (PS: your LDIF entries looked ok)
> >
> > Chee Wai
> >
> Hooooorahhhh! I got it working! Although with one bug which
> I will list at the bottom of this email.
>
> I am posting how I fixed this for everyone in the future who
> runs into this problem.
>
> First I recompiled OpenLDAP with the --include-debug option
> (It won't log jack unless you do!) And set up slapd.conf to
> loglevel = -1.
> It's also a good idea to configure syslog to dump this to
> its own file because it uses /var/log/messages by default.
>
> Second I started Samba and Slapd up and tried to join my new
> domain from a Windows XP laptop.
>
> Here's the (pertinent) output from my slapd.log.... sorry
> it's so long.
> I'll continue at the bottom......
>
>
>
> Jul 12 16:43:29 localhost slapd[11546]: ====>
> cache_find_entry_id( 8 )
> "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" (found) (1 tries)
> Jul 12 16:43:29 localhost slapd[11546]: <= id2entry_r( 8 )
> 0x80e96f8 (cache)
> Jul 12 16:43:29 localhost slapd[11546]: => test_filter
> Jul 12 16:43:29 localhost slapd[11546]: AND
> Jul 12 16:43:29 localhost slapd[11546]: => test_filter_and
> Jul 12 16:43:29 localhost slapd[11546]: => test_filter
> Jul 12 16:43:29 localhost slapd[11546]: EQUALITY
> Jul 12 16:43:29 localhost slapd[11546]: => access_allowed:
> search access to
> "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "uid" requested
> Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
> Jul 12 16:43:29 localhost slapd[11546]: <= test_filter 6
> Jul 12 16:43:29 localhost slapd[11546]: => test_filter
> Jul 12 16:43:29 localhost slapd[11546]: EQUALITY
> Jul 12 16:43:29 localhost slapd[11546]: => access_allowed:
> search access to
> "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net"
> "objectClass" requested
> Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
> Jul 12 16:43:29 localhost slapd[11546]: <= test_filter 6
> Jul 12 16:43:29 localhost slapd[11546]: <= test_filter_and 6
> Jul 12 16:43:29 localhost slapd[11546]: <= test_filter 6
> Jul 12 16:43:29 localhost slapd[11546]: => send_search_entry:
> "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net"
> Jul 12 16:43:29 localhost slapd[11546]: => access_allowed:
> read access to
> "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "entry" requested
> Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
> Jul 12 16:43:29 localhost slapd[11546]: => access_allowed:
> read access to
> "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "uid" requested
> Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
> Jul 12 16:43:29 localhost slapd[11546]: => access_allowed:
> read access to
> "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "uid" requested
> Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
> Jul 12 16:43:29 localhost slapd[11546]: => access_allowed:
> read access to
> "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net"
> "pwdLastSet" requested
> Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
> Jul 12 16:43:29 localhost slapd[11546]: => access_allowed:
> read access to
> "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net"
> "pwdLastSet" requested
> Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
> Jul 12 16:43:29 localhost slapd[11546]: => access_allowed:
> read access to
> "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "logonTime"
> requested
> Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
> Jul 12 16:43:29 localhost slapd[11546]: => access_allowed:
> read access to
> "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "logonTime"
> requested
> Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
> Jul 12 16:43:29 localhost slapd[11546]: => access_allowed:
> read access to
> "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net"
> "logoffTime" requested
> Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
> Jul 12 16:43:29 localhost slapd[11546]: => access_allowed:
> read access to
> "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net"
> "logoffTime" requested
> Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
> Jul 12 16:43:29 localhost slapd[11546]: => access_allowed:
> read access to
> "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net"
> "kickoffTime" requested
> Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
> Jul 12 16:43:29 localhost slapd[11546]: => access_allowed:
> read access to
> "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "cn" requested
> Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
> Jul 12 16:43:29 localhost slapd[11546]: conn=10 op=1 ENTRY
> dn="uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net"
> Jul 12 16:43:29 localhost slapd[11546]: <= send_search_entry
> Jul 12 16:43:29 localhost slapd[11546]: ====>
> cache_return_entry_r( 8 ): returned (0)
> Jul 12 16:43:29 localhost slapd[11500]: daemon: select:
> listen=6 active_threads=1 tvp=NULL
> Jul 12 16:43:29 localhost slapd[11546]: send_ldap_search_result 0::
> Jul 12 16:43:29 localhost slapd[11546]: send_ldap_response:
> msgid=2 tag=101 err=0
> Jul 12 16:43:29 localhost slapd[11546]: conn=10 op=1 SEARCH
> RESULT tag=101 err=0 text=
> Jul 12 16:43:29 localhost slapd[11500]: daemon: activity on 1
> descriptors
> Jul 12 16:43:29 localhost slapd[11500]: daemon: activity on:
> Jul 12 16:43:29 localhost slapd[11500]: 15r
> Jul 12 16:43:29 localhost slapd[11500]:
> Jul 12 16:43:29 localhost slapd[11500]: daemon: read activity on 15
> Jul 12 16:43:29 localhost slapd[11500]: connection_get(15)
> Jul 12 16:43:29 localhost slapd[11500]: connection_get(15):
> got connid=8
> Jul 12 16:43:29 localhost slapd[11500]: connection_read(15):
> checking for input on id=8
> Jul 12 16:43:29 localhost slapd[11500]: ber_get_next on fd 15
> failed errno=11 (Resource temporarily unavailable)
> Jul 12 16:43:29 localhost slapd[11543]: do_search
> Jul 12 16:43:29 localhost slapd[11543]: SRCH
> "ou=People,dc=MY_DOMAIN,dc=NET" 2 0
> Jul 12 16:43:29 localhost slapd[11543]: 1 0 0
> Jul 12 16:43:29 localhost slapd[11543]: begin get_filter
> Jul 12 16:43:29 localhost slapd[11543]: AND
> Jul 12 16:43:29 localhost slapd[11543]: begin get_filter_list
> Jul 12 16:43:29 localhost slapd[11543]: begin get_filter
> Jul 12 16:43:29 localhost slapd[11543]: EQUALITY
> Jul 12 16:43:29 localhost slapd[11543]: end get_filter 0
> Jul 12 16:43:29 localhost slapd[11543]: begin get_filter
> Jul 12 16:43:29 localhost slapd[11543]: EQUALITY
> Jul 12 16:43:29 localhost slapd[11543]: end get_filter 0
> Jul 12 16:43:29 localhost slapd[11543]: end get_filter_list
> Jul 12 16:43:29 localhost slapd[11543]: end get_filter 0
> Jul 12 16:43:29 localhost slapd[11543]: filter:
> (&(objectClass=posixAccount)(uid=MY_COMPUTER$))
> Jul 12 16:43:29 localhost slapd[11543]: attrs:
> Jul 12 16:43:29 localhost slapd[11543]: uid
> Jul 12 16:43:29 localhost slapd[11543]: userPassword
> Jul 12 16:43:29 localhost slapd[11543]: uidNumber
> Jul 12 16:43:29 localhost slapd[11543]: gidNumber
> Jul 12 16:43:29 localhost slapd[11543]: cn
> Jul 12 16:43:29 localhost slapd[11543]: homeDirectory
> Jul 12 16:43:29 localhost slapd[11543]: loginShell
> Jul 12 16:43:29 localhost slapd[11543]: gecos
> Jul 12 16:43:29 localhost slapd[11543]: description
> Jul 12 16:43:29 localhost slapd[11543]: objectClass
> Jul 12 16:43:29 localhost slapd[11543]:
> Jul 12 16:43:29 localhost slapd[11543]: conn=8 op=6 SRCH
> base="ou=People,dc=MY_DOMAIN,dc=NET" scope=2
> filter="(&(objectClass=posixAccount)(uid=MY_COMPUTER$))"
> Jul 12 16:43:29 localhost slapd[11543]: => ldbm_back_search
> Jul 12 16:43:29 localhost slapd[11543]: dn2entry_r: dn:
> "OU=PEOPLE,DC=MY_DOMAIN,DC=NET"
> Jul 12 16:43:29 localhost slapd[11543]: => dn2id(
> "OU=PEOPLE,DC=MY_DOMAIN,DC=NET" )
> Jul 12 16:43:29 localhost slapd[11543]: ====>
> cache_find_entry_dn2id("OU=PEOPLE,DC=MY_DOMAIN,DC=NET"): 3 (1 tries)
> Jul 12 16:43:29 localhost slapd[11543]: <= dn2id 3 (in cache)
> Jul 12 16:43:29 localhost slapd[11543]: => id2entry_r( 3 )
> Jul 12 16:43:29 localhost slapd[11543]: ====>
> cache_find_entry_id( 3 ) "ou=People,dc=MY_DOMAIN,dc=net"
> (found) (1 tries)
> Jul 12 16:43:29 localhost slapd[11543]: <= id2entry_r( 3 )
> 0x80ea280 (cache)
> Jul 12 16:43:29 localhost slapd[11543]: search_candidates:
> base="OU=PEOPLE,DC=MY_DOMAIN,DC=NET" s=2 d=0
> Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
> Jul 12 16:43:29 localhost slapd[11543]: AND
> Jul 12 16:43:29 localhost slapd[11543]: => list_candidates 0xa0
> Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
> Jul 12 16:43:29 localhost slapd[11543]: DN SUBTREE
> Jul 12 16:43:29 localhost slapd[11543]: => dn2idl(
> "@OU=PEOPLE,DC=MY_DOMAIN,DC=NET" )
> Jul 12 16:43:29 localhost slapd[11543]: => ldbm_cache_open(
> "dn2id.dbb", 73, 600 )
> Jul 12 16:43:29 localhost slapd[11543]:
> <= ldbm_cache_open (cache 0)
> Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 4
> Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
> Jul 12 16:43:29 localhost slapd[11543]: OR
> Jul 12 16:43:29 localhost slapd[11543]: => list_candidates 0xa1
> Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
> Jul 12 16:43:29 localhost slapd[11543]: EQUALITY
> Jul 12 16:43:29 localhost slapd[11543]: => equality_candidates
> Jul 12 16:43:29 localhost slapd[11543]: => ldbm_cache_open(
> "objectClass.dbb", 73, 600 )
> Jul 12 16:43:29 localhost slapd[11543]: <= ldbm_cache_open (cache 3)
> Jul 12 16:43:29 localhost slapd[11543]: => key_read
> Jul 12 16:43:29 localhost slapd[11543]: <= index_read 0 candidates
> Jul 12 16:43:29 localhost slapd[11543]: <= equality_candidates NULL
> Jul 12 16:43:29 localhost slapd[11543]: <= equality_candidates 0
> Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 0
> Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
> Jul 12 16:43:29 localhost slapd[11543]: AND
> Jul 12 16:43:29 localhost slapd[11543]: => list_candidates 0xa0
> Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
> Jul 12 16:43:29 localhost slapd[11543]: EQUALITY
> Jul 12 16:43:29 localhost slapd[11543]: => equality_candidates
> Jul 12 16:43:29 localhost slapd[11543]: => ldbm_cache_open(
> "objectClass.dbb", 73, 600 )
> Jul 12 16:43:29 localhost slapd[11543]: <= ldbm_cache_open (cache 3)
> Jul 12 16:43:29 localhost slapd[11543]: => key_read
> Jul 12 16:43:29 localhost slapd[11543]: <= index_read 4 candidates
> Jul 12 16:43:29 localhost slapd[11543]: <= equality_candidates 4
> Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 4
> Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
> Jul 12 16:43:29 localhost slapd[11543]: EQUALITY
> Jul 12 16:43:29 localhost slapd[11543]: => equality_candidates
> Jul 12 16:43:29 localhost slapd[11543]: => ldbm_cache_open(
> "uid.dbb", 73, 600 )
> Jul 12 16:43:29 localhost slapd[11543]: <= ldbm_cache_open (cache 4)
> Jul 12 16:43:29 localhost slapd[11543]: => key_read
> Jul 12 16:43:29 localhost slapd[11543]: <= index_read 1 candidates
> Jul 12 16:43:29 localhost slapd[11543]: <= equality_candidates 1
> Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 1
> Jul 12 16:43:29 localhost slapd[11543]: <= list_candidates 1
> Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 1
> Jul 12 16:43:29 localhost slapd[11543]: <= list_candidates 1
> Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 1
> Jul 12 16:43:29 localhost slapd[11543]: <= list_candidates 0
> Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 0
> Jul 12 16:43:29 localhost slapd[11500]: daemon: select:
> listen=6 active_threads=1 tvp=NULL
> Jul 12 16:43:29 localhost slapd[11543]: ====>
> cache_return_entry_r( 3 ): returned (0)
> Jul 12 16:43:29 localhost slapd[11543]: ldbm_search: no candidates
> Jul 12 16:43:29 localhost slapd[11543]: send_ldap_search_result 0::
> Jul 12 16:43:29 localhost slapd[11543]: send_ldap_response:
> msgid=7 tag=101 err=0
> Jul 12 16:43:29 localhost slapd[11543]: conn=8 op=6 SEARCH
> RESULT tag=101 err=0 text=
> Jul 12 16:43:29 localhost slapd[11500]: daemon: activity on 1
> descriptors
> Jul 12 16:43:29 localhost slapd[11500]: daemon: activity on:
> Jul 12 16:43:29 localhost slapd[11500]: 17r
> Jul 12 16:43:29 localhost slapd[11500]:
> Jul 12 16:43:29 localhost slapd[11500]: daemon: read activity on 17
> Jul 12 16:43:29 localhost slapd[11500]: connection_get(17)
> Jul 12 16:43:29 localhost slapd[11500]: connection_get(17):
> got connid=10
> Jul 12 16:43:29 localhost slapd[11500]: connection_read(17):
> checking for input on id=10
> Jul 12 16:43:29 localhost slapd[11500]: ber_get_next on fd 17
> failed errno=0 (Success)
> Jul 12 16:43:29 localhost slapd[11500]: connection_read(17):
> input error=-2 id=10, closing.
> Jul 12 16:43:29 localhost slapd[11500]: connection_closing:
> readying conn=10 sd=17 for close
> Jul 12 16:43:29 localhost slapd[11500]: connection_close:
> deferring conn=10 sd=17
> Jul 12 16:43:29 localhost slapd[11542]: do_unbind
> Jul 12 16:43:29 localhost slapd[11542]: conn=10 op=2 UNBIND
> Jul 12 16:43:29 localhost slapd[11542]: connection_resched:
> attempting closing conn=10 sd=17
> Jul 12 16:43:29 localhost slapd[11542]: connection_close:
> conn=10 sd=17
> Jul 12 16:43:29 localhost slapd[11542]: daemon: removing 17
> Jul 12 16:43:29 localhost slapd[11542]: conn=-1 fd=17 closed
> Well, as you can see, the problem was that Samba was looking
> for MY_COMPUTER$ in ou=People. So I took MY_COMPUTER$ out of
> ou=Machines and put it in ou=People. Then when I attempted
> to join MY_DOMAIN I got the friendly "Welcome to the
> MY_DOMAIN Domain!" Yay!
>
> Now the issue is this. I want my Machines in their own OU.
> What piece am I missing here to make Samba work with an
> Account in Machines only?
>
> My Machine account is in my previous email so here is my
> /etc/ldap.conf:
> # ldap.conf
> host 127.0.0.1
> base dc=MY_DOMAIN,dc=NET
>
> rootbinddn cn=manager,dc=MY_DOMAIN,dc=NET
>
> pam_filter objectclass=posixaccount
> pam_login_attribute uid
> pam_member_attribute gid
> pam_password md5
>
> nss_base_passwd ou=People,dc=MY_DOMAIN,dc=NET?sub
> nss_base_shadow ou=People,dc=MY_DOMAIN,dc=NET?sub
> nss_base_group ou=Group,dc=MY_DOMAIN,dc=NET?one
>
> P.S. I suspect I need to change shadow, but how? Can
> somebody explain what one and sub mean and how this ties to nss?
>
> Thanks!
>
> -- Scott Phelps
>
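
Added example, not part of the original thread: the "one" and "sub" suffixes on the nss_base_* lines are LDAP search scopes (one = direct children of the base only, sub = the base and its whole subtree), and the Python sketch below checks whether a DN is reachable from the nss_base_passwd lines of a config. The function names are hypothetical, and SUGGESTED is an assumption that adapts the reply's nss_base_passwd advice to the poster's suffix.

```python
# Added example (not from the thread): which entries an nss_base_* line can reach.
# Config lines and DNs below are constructed from values quoted in the message.

def parse_dn(dn):
    """Split a DN into lower-cased RDNs (escaped commas are not handled)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def parse_nss_bases(conf_text, map_name="passwd"):
    """Return [(base_rdns, scope)] for each nss_base_<map_name> line."""
    bases = []
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "nss_base_" + map_name:
            continue  # comments, blank lines and other directives
        fields = parts[1].strip().split("?")
        # Assumption: a missing scope is treated as "sub" here.
        scope = fields[1].lower() if len(fields) > 1 and fields[1] else "sub"
        bases.append((parse_dn(fields[0]), scope))
    return bases

def in_scope(entry_dn, base_rdns, scope):
    """True if a search at this base and scope can return entry_dn."""
    entry = parse_dn(entry_dn)
    depth = len(entry) - len(base_rdns)
    if depth < 0 or entry[depth:] != base_rdns:
        return False          # entry is not under this base at all
    if scope == "base":
        return depth == 0     # only the base entry itself
    if scope == "one":
        return depth == 1     # only direct children of the base
    return True               # sub: the base and everything below it

def visible(conf_text, entry_dn, map_name="passwd"):
    """True if any nss_base_<map_name> line covers entry_dn."""
    return any(in_scope(entry_dn, b, s)
               for b, s in parse_nss_bases(conf_text, map_name))

ORIGINAL = """\
nss_base_passwd ou=People,dc=MY_DOMAIN,dc=NET?sub
nss_base_shadow ou=People,dc=MY_DOMAIN,dc=NET?sub
nss_base_group ou=Group,dc=MY_DOMAIN,dc=NET?one
"""
SUGGESTED = "nss_base_passwd dc=MY_DOMAIN,dc=NET?sub\n"
MACHINE = "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net"

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, "->", "found" if visible(conf, MACHINE) else "not found")
```

A root-level base with scope sub also makes every matching account entry anywhere under the suffix resolvable through NSS, so review what else lives in the tree before widening the base.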