[Samba] cannot add machine account with ldapsam
Johannes Ullmann
j.ullmann at evva.com
Wed Sep 17 09:41:37 GMT 2003
Hello,
I'm using samba-3.0.0rc4 with ldapsam.
Adding users works fine, but when I try to add a machine account I always
get this error:
pdc:/usr/bin# pdbedit -v -a -m -u test_pc
ldapsam_modify_entry: Failed to add user dn=
uid=test_pc$,ou=Systems,dc=ovid,dc=evva,dc=com with: Object class violation
object class 'sambaSamAccount' requires attribute 'sambaSID'
ldapsam_add_sam_account: failed to modify/add user with uid = test_pc$
(dn = uid=test_pc$,ou=Systems,dc=ovid,dc=evva,dc=com)
Unable to add machine! (does it already exist?)
The same error message also appears in my LDAP logfile:
Sep 17 10:55:21 ldap1 slapd[30889]: connection_get(23)
Sep 17 10:55:21 ldap1 slapd[30892]: do_add: ndn
(UID=TEST_PC$,OU=SYSTEMS,DC=OVID,DC=EVVA,DC=COM)
Sep 17 10:55:21 ldap1 slapd[30892]: ==> ldbm_back_add:
uid=test_pc$,ou=Systems,dc=ovid,dc=evva,dc=com
Sep 17 10:55:21 ldap1 slapd[30892]: Entry
(uid=test_pc$,ou=Systems,dc=ovid,dc=evva,dc=com): object class
'sambaSamAccount' requires attribute 'sambaSID'
Sep 17 10:55:21 ldap1 slapd[30892]: send_ldap_result: 65::object class
'sambaSamAccount' requires attribute 'sambaSID'
Sep 17 10:55:21 ldap1 slapd[30889]: connection_get(22)
Sep 17 10:55:21 ldap1 slapd[30889]: connection_get(23)
When I turn the schema check off in my slapd.conf, then I'm able to add
machine accounts, but they have no SID and so they don't work.
I think pdbedit or smbpasswd does not create a correct LDAP entry.
I read in the list's archive that some others had the same problem
before. Does anyone have a solution for this?
I have attached the full logs, my conf files and a machine-account
LDIF without a SID:
Thanks
Johannes
-------------- next part --------------
INFO: Current debug levels:
all: True/10
tdb: False/0
printdrivers: False/0
lanman: False/0
smb: False/0
rpc_parse: False/0
rpc_srv: False/0
rpc_cli: False/0
passdb: False/0
sam: False/0
auth: False/0
winbind: False/0
vfs: False/0
idmap: False/0
lp_load: refreshing parameters
Initialising global parameters
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = samba
doing parameter server string = %h server (Samba %v)
doing parameter netbios name = pdc
handle_netbios_name: set global_myname to: PDC
doing parameter os level = 33
doing parameter wins support = yes
doing parameter dns proxy = no
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter security = user
doing parameter encrypt passwords = true
doing parameter obey pam restrictions = yes
doing parameter invalid users = root
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
doing parameter preferred master = yes
doing parameter domain master = yes
doing parameter local master = yes
doing parameter domain logons = yes
doing parameter logon path = \\%N\profiles\%u
doing parameter logon drive = H:
doing parameter logon home = \\homeserver\%u\winprofile
doing parameter logon script = logon.cmd
doing parameter ldap admin dn = "cn=admin,dc=ovid,dc=evva,dc=com"
doing parameter ldap ssl = off
doing parameter passdb backend = ldapsam:ldap://ldap1.ovid.evva.com, guest
doing parameter ldap delete dn = no
doing parameter ldap user suffix = "ou=People,dc=ovid,dc=evva,dc=com"
doing parameter ldap machine suffix = "ou=Systems,dc=ovid,dc=evva,dc=com"
doing parameter ldap suffix = "dc=ovid,dc=evva,dc=com"
doing parameter ldap passwd sync = yes
doing parameter preserve case = yes
doing parameter short preserve case = yes
doing parameter socket options = TCP_NODELAY
pm_process() returned Yes
lp_servicenumber: couldn't find homes
set_server_role: role = ROLE_DOMAIN_PDC
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Trying to load: ldapsam:ldap://ldap1.ovid.evva.com
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend guest
Successfully added passdb backend 'guest'
Attempting to find an passdb backend to match ldapsam:ldap://ldap1.ovid.evva.com (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBA))]
smbldap_search_suffix: searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBA))]
smbldap_open_connection: ldap://ldap1.ovid.evva.com
smbldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server ldap://ldap1.ovid.evva.com as "cn=admin,dc=ovid,dc=evva,dc=com"
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesful connected
pdb backend ldapsam:ldap://ldap1.ovid.evva.com has a valid init
Trying to load: guest
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
Netbios name list:-
my_netbios_names[0]="PDC"
Trying to load: ldapsam:ldap://ldap1.ovid.evva.com
Attempting to find an passdb backend to match ldapsam:ldap://ldap1.ovid.evva.com (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBA))]
smbldap_search_suffix: searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBA))]
smbldap_open_connection: ldap://ldap1.ovid.evva.com
smbldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server ldap://ldap1.ovid.evva.com as "cn=admin,dc=ovid,dc=evva,dc=com"
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesful connected
pdb backend ldapsam:ldap://ldap1.ovid.evva.com has a valid init
Trying to load: guest
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
account_policy_get: maximum password age:-1
account_policy_get: minimum password age:0
pdb_set_username: setting username test_pc$, was
pdb_set_group_sid: setting group sid S-1-5-21-1593997865-1707716320-546860595-515
pdb_set_group_sid_from_rid:
setting group sid S-1-5-21-1593997865-1707716320-546860595-515 from rid 515
smbldap_search_suffix: searching for:[(&(uid=test_pc$)(objectclass=sambaSamAccount))]
smbldap_search_suffix: searching for:[(uid=test_pc$)]
smbldap_search_suffix: searching for:[(&(sambaSID=S-0-0)(|(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))]
ldapsam_add_sam_account: Adding new user
init_ldap_from_sam: Setting entry for user: test_pc$
ldapsam_modify_entry: Failed to add user dn= uid=test_pc$,ou=Systems,dc=ovid,dc=evva,dc=com with: Object class violation
object class 'sambaSamAccount' requires attribute 'sambaSID'
ldapsam_add_sam_account: failed to modify/add user with uid = test_pc$ (dn = uid=test_pc$,ou=Systems,dc=ovid,dc=evva,dc=com)
-------------- next part --------------
dn: uid=ksc$, ou=Systems, dc=ovid,dc=evva,dc=com
sambaPwdLastSet: 1063724193
sambaAcctFlags: [W ]
sambaPwdMustChange: 2147483647
objectClass: sambaSamAccount
objectClass: account
uid: ksc$
sambaPwdCanChange: 1063724193
sambaNTPassword: D976DD0394F9D034E9D66E1F429B4ED1
sambaPrimaryGroupSID: S-1-5-21-1593997865-1707716320-546860595-515
sambaLMPassword: 044435E2B91B17E3AAD3B435B51404EE
-------------- next part --------------
# This is the main ldapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck on
#schemacheck off
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd.args
# Where to store the replica logs
replogfile /var/lib/ldap/replog
# Read slapd.conf(5) for possible values
loglevel 4
#######################################################################
# ldbm database definitions
#######################################################################
# The backend type, ldbm, is the default standard
database ldbm
# The base of your directory
suffix "dc=ovid,dc=evva,dc=com"
# Where the database file are physically stored
directory "/var/lib/ldap"
# Indexing options
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
## required to support pdb_getsampwnam
index uid pres,sub,eq
## required to support pdb_getsambapwrid()
index displayName pres,sub,eq
## uncomment these if you are storing posixAccount and
## posixGroup entries in the directory as well
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
# Save the time that the entry gets modified
lastmod on
rootdn "cn=admin,dc=ovid,dc=evva,dc=com"
rootpw ovid
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
access to attribute=userPassword
        by dn="" write
        by anonymous auth
        by self write
        by * none
access to dn=".*,uid=([^,]+),ou=People,dc=ovid,dc=evva,dc=com"
        by dn="uid=$1,ou=People,dc=ovid,dc=evva,dc=com" write
access to *
        by self write
        by * read
# The admin dn has full write access
access to *
        by dn="" write
        by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="" write
# by dnattr=owner write
## allow the "ldap admin dn" access, but deny everyone else
#access to attrs=lmPassword,ntPassword
# by dn="cn=admin,ou=People,dc=ovid,dc=evva,dc=com" write
# by * none
-------------- next part --------------
Sep 17 11:01:00 ldap1 slapd[30889]: connection_get(22)
Sep 17 11:01:00 ldap1 slapd[31273]: ==> ldbm_back_bind: dn: cn=admin,dc=ovid,dc=evva,dc=com
Sep 17 11:01:00 ldap1 slapd[31273]: send_ldap_result: 0::
Sep 17 11:01:00 ldap1 slapd[30889]: connection_get(22)
Sep 17 11:01:00 ldap1 slapd[30892]: SRCH "dc=ovid,dc=evva,dc=com" 2 0
Sep 17 11:01:00 ldap1 slapd[30892]: 0 0 0
Sep 17 11:01:00 ldap1 slapd[30892]: filter: (&(objectClass=sambaDomain)(sambaDomainName=SAMBA))
Sep 17 11:01:00 ldap1 slapd[30892]: attrs:
Sep 17 11:01:00 ldap1 slapd[30892]: sambaDomainName
Sep 17 11:01:00 ldap1 slapd[30892]: sambaNextRid
Sep 17 11:01:00 ldap1 slapd[30892]: sambaNextUserRid
Sep 17 11:01:00 ldap1 slapd[30892]: sambaNextGroupRid
Sep 17 11:01:00 ldap1 slapd[30892]: sambaSID
Sep 17 11:01:00 ldap1 slapd[30892]: sambaAlgorithmicRidBase
Sep 17 11:01:00 ldap1 slapd[30892]: objectClass
Sep 17 11:01:00 ldap1 slapd[30892]:
Sep 17 11:01:00 ldap1 slapd[30889]: connection_get(23)
Sep 17 11:01:00 ldap1 slapd[30890]: ==> ldbm_back_bind: dn: cn=admin,dc=ovid,dc=evva,dc=com
Sep 17 11:01:00 ldap1 slapd[30890]: send_ldap_result: 0::
Sep 17 11:01:00 ldap1 slapd[30889]: connection_get(23)
Sep 17 11:01:00 ldap1 slapd[31273]: SRCH "dc=ovid,dc=evva,dc=com" 2 0
Sep 17 11:01:00 ldap1 slapd[31273]: 0 0 0
Sep 17 11:01:00 ldap1 slapd[31273]: filter: (&am
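Added example (not part of the original post and not Samba code): a small LDIF audit for the condition described above, sambaSamAccount entries that were stored without a sambaSID while schema checking was off. The function names, the SID pattern and the sample entries are assumptions constructed for illustration.

```python
import base64
import re
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")   # textual form of a revision-1 SID

def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})] from LDIF text."""
    text = re.sub(r"\r?\n ", "", text)            # unfold continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            if value.startswith(":"):             # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.lower(), []).append(value.strip())
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def audit(entries):
    """Return (dn, problem) for sambaSamAccount entries without a usable sambaSID."""
    findings = []
    for dn, attrs in entries:
        if "sambasamaccount" not in {c.lower() for c in attrs.get("objectclass", [])}:
            continue
        sids = attrs.get("sambasid", [])
        if not sids:
            findings.append((dn, "missing sambaSID"))
        elif not all(map(SID_RE.match, sids)):
            findings.append((dn, "malformed sambaSID"))
    return findings

# Constructed sample, not the poster's data: no SID, folded valid SID, base64 dn.
B64_DN = base64.b64encode(b"uid=b64$,ou=Systems,dc=example,dc=com").decode()
SAMPLE = f"""dn: uid=nosid$,ou=Systems,dc=example,dc=com
objectClass: sambaSamAccount
uid: nosid$

dn: uid=good$,ou=Systems,dc=example,dc=com
objectClass: SambaSamAccount
sambaSID: S-1-5-21-1111111111-2222222222-
 3333333333-3001

dn:: {B64_DN}
objectClass: sambaSamAccount
sambaSID: S-0-0
"""
```

Run `audit(parse_ldif(...))` over an export of the machine suffix before turning schema checking back on, so entries that would now be rejected are found first.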