[Samba] My story installing Samba-LDAP PDC (it has a happy ending)

Vegeta Saiyajin lord.vegeta at ica.luz.ve
Thu Jan 15 16:23:42 GMT 2004


On Thursday 15 January 2004 10:32, you wrote:
> Hello Vegeta,
>
> I've looked at your post at samba mailing list.
>
> Same as you are, I am having a nightmare making a windows 2000
> pro to logon to my domain.
>
> But unlike you, smbldap-tools worked fine-ish for me. They
> have populated the database with initial users,groups and
> created computer entry. The setup works fine for
> shares/workgroup. But I can't make it connect to my pdc. By
> the way, I am running Debian unstable with samba 3.0.1 and
> ldap 2.1.23.
>
> By following your experience, I've managed to resolve some of
> the issues while I was trying to logon to my domain.
>
> Initially, looking at the ldap logs, windows was trying to
> search for entries that were not found in the ldap. Like pid
> 501, which is meant to be a guest account, and few other
> things.
>
> But after correcting these issues, ldap finds all the entries,
> but still gives me Logon Failure: unknown username or bad
> password.

There are two solutions.

One is to use
   ldap machine suffix = ou=People
instead of
   ldap machine suffix = ou=Computers
This will probably work.

A better solution that allows storing computer accounts in
ou=Computers requires changing the ldap.conf file.
This is not a Samba file, but an OpenLDAP file (I assume you are
using OpenLDAP).

In the ldap.conf file of the LDAP server use:
scope sub
nss_base_passwd  dc=arhont,dc=com
nss_base_shadow  dc=arhont,dc=com

instead of the more traditional
scope one
nss_base_passwd  ou=People,dc=arhont,dc=com
nss_base_shadow  ou=People,dc=arhont,dc=com

The reason for the
  "unknown username or bad password"
message is that Samba tries to find the machine as a "user"
listed by NSS (as when you use "getent passwd").
When you have nss configured with "scope one" and
"nss_base_passwd ou=People,dc=arhont,dc=com" the only users Samba
sees are the accounts in ou=People (without looking at any
subtrees).

When you use "scope sub" and "nss_base_passwd dc=arhont,dc=com"
Samba can see all users in all subtrees of "dc=arhont,dc=com".

Regarding changes in the registry, they are not necessary in
Samba 3.0.x. Some documentation I read talks about this, but it
only applies to Samba 2.2.x. I could join W2K machines to the
domain without making any registry modifications.



>
> But looking at samba logs, I don't see any errors. This is the
> output of the slapd when I attempt to logon to domain:
>
> --------
> Jan 15 14:07:23 whale slapd[24434]: conn=5 fd=19 ACCEPT from IP=192.168.77.7:38423 (IP=0.0.0.0:389)
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 BIND dn="cn=root,dc=arhont,dc=com" method=128
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 BIND dn="cn=root,dc=arhont,dc=com" mech=simple ssf=0
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 RESULT tag=97 err=0 text=
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SRCH base="dc=arhont,dc=com" scope=2 filter="(&(objectClass=sambaDomain)(sambaDomainName=ARHONT))"
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SRCH base="dc=arhont,dc=com" scope=2 filter="(&(uid=root)(objectClass=sambaSamAccount))"
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Jan 15 14:07:23 whale slapd[24434]: conn=5 fd=19 closed
>
> -------
>
> and this is the example of my smb.conf
>
> #LDAP Support for samba 3+
> passdb backend          = ldapsam:ldap://whale.core.arhont.com
> ldap admin dn           = "cn=root,dc=arhont,dc=com"
> idmap backend           = ldap:ldap://whale.core.arhont.com
> ldap suffix             = dc=arhont,dc=com
> ldap machine suffix     = ou=computers
> ldap user suffix        = ou=users
>
> #ldap ssl       = off
> #ldap user suffix       = "ou=users,dc=arhont,dc=com"
>
> ##Default LDAP FILTER
> #ldap filter    = "(&(uid=%u)(objectClass=SambaSamAccount))"
> ldap filter     = "(uid=%u)"
>
> ldap delete dn          = no
> #ldap password sync     = yes
>
>
> In addition, you have mentioned that the win2k registry has to
> be changed. I've looked at the registry key on my workstation,
> and it was already 0, from the default install. Is it normal?
> I've read in a few places that it has to be changed, but mine
> was already 0 from the initial installation.
>
> Do you have any suggestions, what might be going wrong? I am
> already at my third day trying to integrate samba/ldap. What a
> nightmare!
>
> Thanks in advance for any help )
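The search-scope point made in the reply above (nss_ldap with "scope one" under ou=People cannot return a machine account stored under ou=Computers, so Samba's NSS lookup of "host$" fails and the logon is refused) can be reproduced without a directory server. The following is an added illustration, not code from Samba, nss_ldap or OpenLDAP: it models a small DIT for dc=arhont,dc=com (the entries, the user "alice" and the workstation "ws01" are constructed), implements LDAP base/one/sub scope matching and the subset of filter syntax seen in the slapd log, and then shows which uids `getent passwd` would expose under each nss_base_passwd/scope combination. The (objectClass=posixAccount) filter used for the passwd map is nss_ldap's default; treating "machine is visible to Samba" as "host$ appears in the NSS passwd list" is the simplification the reply itself describes.

```python
"""Model of how the nss_ldap search base and scope decide which entries
NSS (and therefore Samba's ldapsam machine-account lookup) can see.
Added example, not code from Samba, nss_ldap or OpenLDAP."""

# Constructed sample directory: dc=arhont,dc=com with a user in ou=People
# and a machine account (trailing '$') in ou=Computers, plus the
# sambaDomain entry that the slapd log shows Samba searching for.
DIT = {
    "dc=arhont,dc=com": {"objectClass": ["dcObject", "organization"]},
    "sambaDomainName=ARHONT,dc=arhont,dc=com": {
        "objectClass": ["sambaDomain"], "sambaDomainName": ["ARHONT"]},
    "ou=People,dc=arhont,dc=com": {"objectClass": ["organizationalUnit"]},
    "ou=Computers,dc=arhont,dc=com": {"objectClass": ["organizationalUnit"]},
    "uid=alice,ou=People,dc=arhont,dc=com": {
        "objectClass": ["posixAccount", "sambaSamAccount"], "uid": ["alice"]},
    "uid=ws01$,ou=Computers,dc=arhont,dc=com": {
        "objectClass": ["posixAccount", "sambaSamAccount"], "uid": ["ws01$"]},
}


def _norm_dn(dn):
    # DN comparison is case-insensitive and ignores spaces after commas.
    # The sample DNs contain no escaped commas, so a plain split suffices.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _parent(dn):
    return dn.split(",", 1)[1] if "," in dn else None


def parse_filter(text):
    """Parse the RFC 4515 subset used on this page, (attr=value) and
    (&(f1)(f2)...), into a predicate over an entry's attribute dict."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if body.startswith("&"):
        subs, depth, start = [], 0, 0
        for i, ch in enumerate(body):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    subs.append(parse_filter(body[start:i + 1]))
        return lambda entry: all(sub(entry) for sub in subs)
    attr, sep, value = body.partition("=")
    if not sep:
        raise ValueError("unsupported filter: %r" % text)
    attr, value = attr.strip().lower(), value.strip().lower()
    # Attribute types, objectClass values and uid values are matched
    # case-insensitively, as in the standard LDAP schema.
    return lambda entry: any(
        v.lower() == value
        for k, vs in entry.items() if k.lower() == attr for v in vs)


def search(base, scope, filter_text):
    """Return [(dn, entry)] as an LDAP server would for base/one/sub scope."""
    base = _norm_dn(base)
    match = parse_filter(filter_text)
    results = []
    for dn, entry in DIT.items():
        ndn = _norm_dn(dn)
        if scope == "base":
            in_scope = ndn == base
        elif scope == "one":
            in_scope = _parent(ndn) == base
        elif scope == "sub":
            in_scope = ndn == base or ndn.endswith("," + base)
        else:
            raise ValueError("scope must be base, one or sub")
        if in_scope and match(entry):
            results.append((dn, entry))
    return results


def nss_passwd_uids(nss_base_passwd, scope):
    """The uids `getent passwd` would list for a given nss_ldap base/scope."""
    return sorted(e["uid"][0] for _, e in
                  search(nss_base_passwd, scope, "(objectClass=posixAccount)"))


def samba_sees_machine(host, nss_base_passwd, scope):
    """Samba resolves the machine account through NSS as the user 'host$'."""
    return host + "$" in nss_passwd_uids(nss_base_passwd, scope)


if __name__ == "__main__":
    for base, scope in [("ou=People,dc=arhont,dc=com", "one"),
                        ("dc=arhont,dc=com", "sub")]:
        print("scope %-3s base %-28s -> %s, ws01 joinable: %s" % (
            scope, base, nss_passwd_uids(base, scope),
            samba_sees_machine("ws01", base, scope)))
```

Running the module prints that the "scope one" plus ou=People configuration lists only alice and cannot see ws01$, while "scope sub" from dc=arhont,dc=com lists both. The same model also shows why the reply's first workaround works: with the machine entry stored under the same base that nss_base_passwd points at, a one-level search finds it.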


