[Samba] Fedora Core2 / Samba / Ldap / smbldap-tools - No account in Domain.

Neil Marjoram n.marjoram at adastral.ucl.ac.uk
Fri Aug 20 10:22:00 GMT 2004


Sorry for the cross lists post, but my problem seems to involve several
areas, and one may be affecting the other.

Problem:
When logging on with a Windows XP client to the Samba domain I get the
error:

[2004/08/16 15:38:12, 0] rpc_server/srv_netlog_nt.c:get_md4pw(218)
  get_md4pw: Workstation ALDEBURGH$: no account in domain

Anyone got any ideas?

Here's what I have got: most of the config files and logs. Shout if you
need anything else.

I have completely reinstalled the samba server from scratch - it was a
RH9 box with the same problem. I am still using the same LDAP database.
The next thing I will do is wipe out the LDAP database and start again with
the latest populate scripts if no one has an answer.

Many thanks,

Neil.

Software :
OS : Fedora Core 2
LDAP : Open Ldap 2.1.29-1
Samba : Samba 3.0.5-2
Samba Tools : smbldap-tools 0.8.5-1.1.fc2
NSS_LDAP : nss_ldap-217-1

I have used the Samba-OpenLdap Howto version 1.6 to set up the LDAP
server / ACL / Samba etc. Everything is identical to the Idealx setup,
except that the workstation accounts are in the same tree as the normal
users (as per a previous suggestion and many other emails on newsgroups). Also
one ACL is changed to let nssldap see the loginShell.

I know it's not Sign or Seal - Samba 3 doesn't need this reg hack in
place (it is in place anyway from a previous Samba 2 connection)


Fedora question -

When I configure the system to use ldap with authconfig I can't login it
says no such user. The fix for this is to change a line in
/etc/pam.d/system-auth to:
account [default=bad success=ok user_unknown=ignore service_err=ignore \
system_err=ignore authinfo_unavail=ignore] \
/lib/security/$ISA/pam_ldap.so

I got this from an old Redhat 9 bug - is this still not fixed? And will
it affect the ldap search for the workstation in Samba? Looking at the
ldap log, the nssldap user is partly responsible for the workstation
search. (log below)

Here are my config files:

/etc/pam.d/system-auth
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100
account     required      /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore \
system_err=ignore authinfo_unavail=ignore] \
/lib/security/$ISA/pam_ldap.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

/etc/samba/smb.conf :

[global]
        netbios name = BURY
        log file = /var/log/samba/%m.log
        load printers = yes
        socket address = xxx.xxx.xxx.xxx
        socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
#LDAP
        passdb backend = ldapsam:ldap://server.adastral.ucl.ac.uk
        idmap backend = ldap:ldap://server.adastral.ucl.ac.uk
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        ldap delete dn = Yes
        add user script = /usr/local/sbin/smbldap-useradd -m "%u"
        add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
        add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
        delete user script = /usr/local/sbin/smbldap-userdel "%u"
        delete group script = /usr/local/sbin/smbldap-groupdel "%g"
        ldap admin dn = cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk
        ldap suffix = dc=adastral,dc=ucl,dc=ac,dc=uk
        ldap group suffix = ou=Group
        ldap user suffix = ou=People
        ldap machine suffix = ou=People
        ldap idmap suffix = ou=Idmap
        ldap ssl = start tls
        ldap passwd sync = yes
#LDAP END
        logon drive = H:
        logon home = \\%L\%U
        logon path = \\%L\%U\profile
        logon script = common.bat
        obey pam restrictions = yes
        pam password change = yes
        socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
        domain master = no
        domain logons = yes
        encrypt passwords = yes
        passwd program = /usr/sbin/smbldap-passwd %u
        case sensitive = yes
        wins support = yes
        dns proxy = no
        writeable = yes
        server string = BDC Samba Server
        printing = cups
#       preferred master = Yes
        workgroup = adastral
        time server = yes
        os level = 33
        printcap name = /etc/printcap
#       security = user
        create mode = 740


/etc/ldap.conf


host xxx.xxx.xxx.xxx
base dc=adastral,dc=ucl,dc=ac,dc=uk
rootbinddn cn=nssldap,dc=adastral,dc=ucl,dc=ac,dc=uk
nss_base_passwd dc=adastral,dc=ucl,dc=ac,dc=uk?sub
nss_base_shadow dc=adastral,dc=ucl,dc=ac,dc=uk?sub
nss_base_group  ou=Group,dc=adastral,dc=ucl,dc=ac,dc=uk?one
ssl yes
pam_password md5

/etc/openldap/slapd.conf

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/redhat/autofs.schema
schemacheck on
lastmod on
allow bind_v2
pidfile /var/run/slapd.pid
TLSCertificateFile /etc/openldap/ssl/servercrt.pem
TLSCertificateKeyFile /etc/openldap/ssl/serverkey.pem
TLSCACertificateFile /etc/openldap/ssl/cacert.pem
database        ldbm
suffix          "dc=adastral,dc=ucl,dc=ac,dc=uk"
rootdn          "cn=xxxxxxxx,dc=adastral,dc=ucl,dc=ac,dc=uk"
rootpw		xxxxxxxxxxxxxxxxxxxxxxxxxxx
directory       /export/ldap
mode 0600
index   objectClass,uidNumber,gidNumber                 eq
index   cn,sn,uid,displayName                           pres,sub,eq
index   memberUid,mail,givenname                        eq,subinitial
index   sambaSID,sambaPrimaryGroupSID,sambaDomainName   eq
replica host=replica.adastral.ucl.ac.uk:389
     suffix="dc=adastral,dc=ucl,dc=ac,dc=uk"
     binddn="cn=replica,dc=adastral,dc=ucl,dc=ac,dc=uk"
     credentials=xxxxxxxxxxxxxx
     bindmethod=simple
     tls=yes

access to dn=".*,dc=adastral,dc=ucl,dc=ac,dc=uk"
attr=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange,loginShell
# loginShell added here because on console login nssldap could not see it,
# so it wasn't set to the user's shell
        by dn="cn=Manager,dc=adastral,dc=ucl,dc=ac,dc=uk" write
        by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
        by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
        by dn="cn=nssldap,dc=adastral,dc=ucl,dc=ac,dc=uk" write
        by dn="cn=proxyuser,dc=adastral,dc=ucl,dc=ac,dc=uk" read
        by self write
        by anonymous auth
        by * none

access to
attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
        by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
        by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
        by * read

access to attrs=description,telephoneNumber
        by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
        by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
        by self write
        by * read

access to
attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
        by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
        by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
        by self read
        by * none

access to dn.base="dc=adastral,dc=ucl,dc=ac,dc=uk"
        by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
        by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
        by * none

access to dn="ou=People,dc=adastral,dc=ucl,dc=ac,dc=uk"
        by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
        by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
        by * none

access to dn="ou=Groups,dc=adastral,dc=ucl,dc=ac,dc=uk"
        by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
        by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
        by * none

access to dn=".*,dc=adastral,dc=ucl,dc=ac,dc=uk"
        by self write
        by * read

Here's the output from an ldapsearch for a workstation (it has a shell
and home dir so I could prove I could log in at the Unix prompt):

dn: uid=aldeburgh$,ou=People,dc=adastral,dc=ucl,dc=ac,dc=uk
uidNumber: 5022
sambaDomainName: ADASTRAL
sambaAcctFlags: [W          ]
objectClass: top
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: account
gidNumber: 251
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
description: Computer Account
sambaPrimaryGroupSID: S-1-5-21-946251905-4084600911-3774255997-1503
sambaSID: S-1-5-21-946251905-4084600911-3774255997-11044
cn: aldeburgh$
displayName: aldeburgh$
uid: aldeburgh$
homeDirectory: /home/aldeburgh
loginShell: /bin/bash
sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxx
sambaPwdLastSet: 1092735020
userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxx



Section from the slapd.log file when the workstation is searched.

Aug 20 11:19:45 ipswich slapd[24795]: conn=245 fd=25 ACCEPT from
IP=xxx.xxx.xxx.xxx:35052 (IP=0.0.0.0:389)
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=1 BIND
dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" method=128
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=1 BIND
dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" mech=SIMPLE ssf=0
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=1 RESULT tag=97 err=0
text=
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=2 SRCH
base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2
filter="(&(objectClass=sambaDomain)(sambaDomainName=ADASTRAL))"
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=2 SRCH
attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid
sambaSID sambaAlgorithmicRidBase objectClass
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=2 SEARCH RESULT
tag=101 err=0 nentries=0 text=
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=3 SRCH
base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2
filter="(&(sambaDomainName=ADASTRAL)(objectClass=sambaDomain))"
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=3 SRCH
attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid
sambaSID sambaAlgorithmicRidBase objectClass
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=3 SEARCH RESULT
tag=101 err=0 nentries=0 text=
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=4 ADD
dn="sambaDomainName=ADASTRAL,dc=adastral,dc=ucl,dc=ac,dc=uk"
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=4 RESULT tag=105
err=68 text=
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=4 RESULT tag=105
err=68 text=
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=5 SRCH
base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2
filter="(&(sambaSID=S-1-5-21-946251905-4084600911-3774255997-501)(objectClass=sambaSamAccount))"
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=5 SRCH attr=uid
uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
sambaBadPasswordTime
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=5 SEARCH RESULT
tag=101 err=0 nentries=0 text=
Aug 20 11:19:45 ipswich slapd[24795]: conn=246 fd=44 ACCEPT from
IP=xxx.xxx.xxx.xxx:35053 (IP=0.0.0.0:636)
Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=0 BIND
dn="cn=nssldap,dc=adastral,dc=ucl,dc=ac,dc=uk" method=128
Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=0 BIND
dn="cn=nssldap,dc=adastral,dc=ucl,dc=ac,dc=uk" mech=SIMPLE ssf=0
Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=0 RESULT tag=97 err=0
text=
Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=1 SRCH
base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2
filter="(&(objectClass=posixAccount)(uid=nobody))"
Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=1 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=2 SRCH
base="ou=Group,dc=adastral,dc=ucl,dc=ac,dc=uk" scope=1
filter="(&(objectClass=posixGroup)(|(memberUid=nobody)(uniqueMember=uid=nobody,ou=people,dc=adastral,dc=ucl,dc=ac,dc=uk)))"
Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=2 SRCH attr=gidNumber
Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=2 SEARCH RESULT
tag=101 err=0 nentries=2 text=
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=6 SRCH
base="ou=Group,dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2
filter="(&(objectClass=sambaGroupMapping)(gidNumber=99))"
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=6 SRCH attr=gidNumber
sambaSID sambaGroupType sambaSIDList description displayName cn
objectClass
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=6 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=7 SRCH
base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2
filter="(&(uid=ALDEBURGH$)(objectClass=sambaSamAccount))"
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=7 SRCH attr=uid
uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
sambaBadPasswordTime
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=7 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=8 SRCH
base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2
filter="(&(uid=ALDEBURGH$)(objectClass=sambaSamAccount))"
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=8 SRCH attr=uid
uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
sambaBadPasswordTime
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=8 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Aug 20 11:19:57 ipswich slapd[24795]: conn=245 fd=25 closed
Aug 20 11:19:57 ipswich slapd[24795]: conn=246 fd=44 closed




Thanks for all your time reading this email, I've gone grey (what's left
of my hair) over this one. I know it's probably me, a typo or something,
but I just can't find it. To have rebuilt the server from scratch and
still have the error would point to the ldap server, which I did not
rebuild. It was built from the populate scripts and with the smbldap howto
1.5.

Neil

-- 
Neil Marjoram.
Systems Manager
University College London
Adastral Park Campus
Martlesham Heath
Ipswich
Suffolk
IP5 3RL

01473 663711
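The slapd log in the post shows the connection bound as cn=samba getting nentries=0 for the sambaDomain search and then failing to ADD that same entry with err=68, which is LDAP's alreadyExists result code. Added here as an example (not part of Neil's post or of smbldap-tools), this Python scan walks slapd log lines (a constructed sample shaped like the quoted ones, one entry per line) and reports, per connection and bound DN, every ADD that failed with alreadyExists together with the zero-entry searches that preceded it: an entry the server says exists but the bound DN could not find is worth checking against the ACLs before wiping the database.

```python
import re
from collections import defaultdict

LDAP_ALREADY_EXISTS = 68  # LDAP result code 68 = alreadyExists (the err=68 seen in the post)
# Constructed sample shaped like the slapd log lines in the post, one log entry per line
SAMPLE_LOG = """\
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=1 BIND dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" method=128
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=2 SRCH base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2 filter="(&(objectClass=sambaDomain)(sambaDomainName=ADASTRAL))"
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=4 ADD dn="sambaDomainName=ADASTRAL,dc=adastral,dc=ucl,dc=ac,dc=uk"
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=4 RESULT tag=105 err=68 text=
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=4 RESULT tag=105 err=68 text=
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=7 SRCH base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2 filter="(&(uid=ALDEBURGH$)(objectClass=sambaSamAccount))"
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

LINE_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (?:op=(\d+) )?(.*)$")
BIND_RE = re.compile(r'^BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'^SRCH base="[^"]*" scope=\d filter="([^"]*)"')
ADD_RE = re.compile(r'^ADD dn="([^"]*)"')
SRES_RE = re.compile(r"^SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)")
RES_RE = re.compile(r"^RESULT tag=\d+ err=(\d+)")


def analyze(log_text):
    """One finding per ADD that failed with alreadyExists: the DN bound on that
    connection plus the searches on it that returned zero entries."""
    bind_dn, pending, empty, findings = {}, {}, defaultdict(list), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, op, rest = int(m.group(1)), m.group(2), m.group(3)
        if (b := BIND_RE.match(rest)):
            bind_dn[conn] = b.group(1)                       # who is asking on this conn
        elif (s := SRCH_RE.match(rest)):
            pending[(conn, op)] = ("SRCH", s.group(1))       # remember the filter
        elif (a := ADD_RE.match(rest)):
            pending[(conn, op)] = ("ADD", a.group(1))        # remember the DN being added
        elif (r := SRES_RE.match(rest)):
            _, filt = pending.pop((conn, op), ("SRCH", "?"))
            if int(r.group(2)) == 0:
                empty[conn].append(filt)
        elif (r := RES_RE.match(rest)):
            # pop: the duplicated err=68 line in the post then cannot double-count
            kind, target = pending.pop((conn, op), (None, None))
            if kind == "ADD" and int(r.group(1)) == LDAP_ALREADY_EXISTS:
                findings.append({"conn": conn, "bind_dn": bind_dn.get(conn, "<anonymous>"),
                                 "add_dn": target, "empty_searches_before": list(empty[conn])})
    return findings
```

Running `analyze(open("/var/log/slapd.log").read())` on a real log lists each such case with the bound DN, so the ACLs for that DN can be checked against the entry it could not see.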


