[Samba] Can't add machine account with 3.0.0; ldapsam backend

Ronny Adsetts ronny.adsetts at amazinginternet.com
Fri Oct 10 18:02:06 GMT 2003


Hi,

Please cc me on any replies as I'm not subscribed.

First, I've seen reference to this problem on the list but no solution, eg.:

http://marc.theaimsgroup.com/?l=samba&m=106032316504352&w=2

Platform is:

# uname -a
Linux allanon 2.4.21-xfs-aihplc3 #1 SMP Thu Aug 21 15:50:27 BST 2003 
i686 unknown

Debian woody. Samba is 3.0.0final-1 from Debian unstable compiled for 
woody. Some other non-woody backports such as OpenLDAP, libacl, etc.

I was using beta1 previously which didn't have this problem, ie., I 
could join machines to the domain, both win(NT|2k) and Linux, by 
providing appropriate credentials without first adding a system account.

Config and -D 10 debug output attached.

So, adding a machine account from the samba 3.0.0 PDC machine using 
pdbedit gives:

# pdbedit -v -a -m -u tardis
ldapsam_modify_entry: Failed to add user dn= 
uid=tardis$,ou=Machines,dc=amazing-internet,dc=net with: Object class 
violation
         object class 'sambaSamAccount' requires attribute 'sambaSID'
ldapsam_add_sam_account: failed to modify/add user with uid = tardis$ 
(dn = uid=tardis$,ou=Machines,dc=amazing-internet,dc=net)
Unable to add machine! (does it already exist?)

And using net join on a Linux box not in the domain, tardis, gives:

# net join -S allanon -U admin -d 3
[2003/10/10 18:53:05, 3] param/loadparm.c:lp_load(3925)
   lp_load: refreshing parameters
[2003/10/10 18:53:05, 3] param/loadparm.c:init_globals(1311)
   Initialising global parameters
[2003/10/10 18:53:06, 3] param/params.c:pm_process(566)
   params.c:pm_process() - Processing configuration file 
"/etc/samba/smb.conf"
[2003/10/10 18:53:06, 3] param/loadparm.c:do_section(3428)
   Processing section "[global]"
[2003/10/10 18:53:06, 2] lib/interface.c:add_interface(79)
   added interface ip=172.16.1.17 bcast=172.16.1.255 nmask=255.255.255.0
admin password:
[2003/10/10 18:53:10, 3] libads/ldap.c:ads_connect(218)
   Connected to LDAP server 172.16.1.16
[2003/10/10 18:53:10, 1] libads/ldap.c:ads_connect(222)
   Failed to get ldap server info
[2003/10/10 18:53:10, 1] utils/net_ads.c:ads_startup(181)
   ads_connect: No results returned
[2003/10/10 18:53:10, 3] libsmb/cliconnect.c:cli_start_connection(1290)
   Connecting to host=allanon
[2003/10/10 18:53:10, 3] lib/util_sock.c:open_socket_out(690)
   Connecting to 172.16.1.16 at port 445
[2003/10/10 18:53:10, 3] rpc_client/cli_netlogon.c:cli_nt_setup_creds(283)
   cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
[2003/10/10 18:53:10, 3] libsmb/trusts_util.c:just_change_the_password(43)
   just_change_the_password: unable to setup creds 
(NT_STATUS_ACCESS_DENIED)!
[2003/10/10 18:53:10, 1] utils/net_rpc.c:run_rpc_command(152)
   rpc command function failed! (NT_STATUS_ACCESS_DENIED)
[2003/10/10 18:53:10, 3] libsmb/cliconnect.c:cli_start_connection(1290)
   Connecting to host=allanon
[2003/10/10 18:53:10, 3] lib/util_sock.c:open_socket_out(690)
   Connecting to 172.16.1.16 at port 445
[2003/10/10 18:53:10, 2] libsmb/cliconnect.c:cli_session_setup_spnego(635)
   Doing spnego session setup (blob length=58)
[2003/10/10 18:53:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(660)
   got OID=1 3 6 1 4 1 311 2 2 10
[2003/10/10 18:53:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(667)
   got principal=NONE
[2003/10/10 18:53:10, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(469)
   Got challenge flags:
[2003/10/10 18:53:10, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(33)
   Got NTLMSSP neg_flags=0x20810205
[2003/10/10 18:53:10, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(518)
   NTLMSSP: Set final flags:
[2003/10/10 18:53:10, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(33)
   Got NTLMSSP neg_flags=0x20000215
[2003/10/10 18:53:10, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(186)
   lsa_io_sec_qos: length c does not match size 8
Create of workstation account failed
Unable to join domain PERN.
[2003/10/10 18:53:11, 2] utils/net.c:main(758)
   return code = 1

net join -d 10 output available directly on request - it's 180Kb.

I'm at a loss to explain this. It worked prior to the upgrade. Any ideas?

Ronny
-- 
Technical Director
Amazing Internet Ltd, London
t: +44 20 8607 9535
f: +44 20 8607 9536
w: www.amazinginternet.com

-------------- next part --------------
allanon:~# pdbedit -v -a -m -u tardis -d 10 &> pdbedit.txt

INFO: Current debug levels:
  all: True/10
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
lp_load: refreshing parameters
Initialising global parameters
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset 646
Registered charset 646
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter interfaces = eth0 127.0.0.1
doing parameter bind interfaces only = yes
doing parameter display charset = ISO8859-15
doing parameter unix charset = ISO8859-15
doing parameter workgroup = PERN
doing parameter server string = %h server (Samba %v)
doing parameter obey pam restrictions = No
doing parameter passdb backend = ldapsam:ldap://allanon.amazing-internet.net/
doing parameter ldap passwd sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
doing parameter syslog = 0
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logon script = scripts\%U.bat
doing parameter logon path = \\jettero\profiles\%U
doing parameter logon home = \\jettero\%U\profile
doing parameter logon drive = h:
doing parameter domain logons = Yes
doing parameter dns proxy = Yes
doing parameter wins support = Yes
doing parameter ldap suffix = dc=amazing-internet,dc=net
doing parameter ldap machine suffix = ou=Machines
doing parameter ldap user suffix = ou=People
doing parameter ldap group suffix = ou=Group
doing parameter ldap idmap suffix = ou=IDMap
doing parameter ldap admin dn = cn=admin,dc=amazing-internet,dc=net
doing parameter ldap ssl = start tls
doing parameter utmp = Yes
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter idmap backend = ldap:ldap://allanon.amazing-internet.net/
doing parameter idmap uid = 10000-20000
doing parameter idmap gid = 10000-20000
doing parameter profile acls = Yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
set_server_role: role = ROLE_DOMAIN_PDC
Trying to load: ldapsam:ldap://allanon.amazing-internet.net/
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend guest
Successfully added passdb backend 'guest'
Attempting to find an passdb backend to match ldapsam:ldap://allanon.amazing-internet.net/ (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=PERN))]
smbldap_search_suffix: searching for:[(&(objectClass=sambaDomain)(sambaDomainName=PERN))]
smbldap_open_connection: ldap://allanon.amazing-internet.net/
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server ldap://allanon.amazing-internet.net/ as "cn=admin,dc=amazing-internet,dc=net"
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesful connected
pdb backend ldapsam:ldap://allanon.amazing-internet.net/ has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
Netbios name list:-
my_netbios_names[0]="ALLANON"
Trying to load: ldapsam:ldap://allanon.amazing-internet.net/
Attempting to find an passdb backend to match ldapsam:ldap://allanon.amazing-internet.net/ (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=PERN))]
smbldap_search_suffix: searching for:[(&(objectClass=sambaDomain)(sambaDomainName=PERN))]
smbldap_open_connection: ldap://allanon.amazing-internet.net/
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server ldap://allanon.amazing-internet.net/ as "cn=admin,dc=amazing-internet,dc=net"
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesful connected
pdb backend ldapsam:ldap://allanon.amazing-internet.net/ has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
account_policy_get: maximum password age:-1
account_policy_get: minimum password age:0
pdb_set_username: setting username tardis$, was 
pdb_set_group_sid: setting group sid S-1-5-21-2620758496-3919074717-1561781800-515
pdb_set_group_sid_from_rid:
	setting group sid S-1-5-21-2620758496-3919074717-1561781800-515 from rid 515
smbldap_search_suffix: searching for:[(&(uid=tardis$)(objectclass=sambaSamAccount))]
smbldap_search_suffix: searching for:[(uid=tardis$)]
smbldap_search_suffix: searching for:[(&(sambaSID=S-0-0)(|(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))]
ldapsam_add_sam_account: Adding new user
init_ldap_from_sam: Setting entry for user: tardis$
ldapsam_modify_entry: Failed to add user dn= uid=tardis$,ou=Machines,dc=amazing-internet,dc=net with: Object class violation
	object class 'sambaSamAccount' requires attribute 'sambaSID'
ldapsam_add_sam_account: failed to modify/add user with uid = tardis$ (dn = uid=tardis$,ou=Machines,dc=amazing-internet,dc=net)
Unable to add machine! (does it already exist?)
-------------- next part --------------
# Global parameters
[global]
	interfaces = eth0 127.0.0.1
	bind interfaces only = yes
	display charset = ISO8859-15
	unix charset = ISO8859-15
	workgroup = PERN
	server string = %h server (Samba %v)
#	obey pam restrictions = Yes
	passdb backend = ldapsam:ldap://allanon.amazing-internet.net/
	ldap passwd sync = yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
	syslog = 0
	log file = /var/log/samba/log.%m
#	log level = 3
	max log size = 1000
	logon script = scripts\%U.bat
	logon path = \\jettero\profiles\%U
	logon home = \\jettero\%U\profile
	logon drive = h:
	domain logons = Yes
	dns proxy = Yes
	wins support = Yes
	ldap suffix = dc=amazing-internet,dc=net
	ldap machine suffix = ou=Machines
	ldap user suffix = ou=People
	ldap group suffix = ou=Group
	ldap idmap suffix = ou=IDMap
	ldap admin dn = cn=admin,dc=amazing-internet,dc=net
	ldap ssl = start tls
	utmp = Yes
	panic action = /usr/share/samba/panic-action %d
	idmap backend = ldap:ldap://allanon.amazing-internet.net/
	idmap uid = 10000-20000
	idmap gid = 10000-20000
#	invalid users = root
	profile acls = Yes

[netlogon]
	comment = The domain logon service
	path = /home/netlogon
	write list = ntadmin
	create mask = 0664
	directory mask = 0775
	force directory mode = 02000
	guest ok = Yes
	browseable = No
	locking = No


