[Samba] My story installing Samba-LDAP PDC (it has a happy ending)
Andrei Mikhailovsky
andrei at arhont.com
Fri Jan 16 11:53:12 GMT 2004
Hello again )
I have followed your suggestion: changed the ldap.conf so that nsswitch
will do a sub search, and changed the nss_passwd/group/shadow to search at
the root of the database. Still no luck.
When I look at the ldap logs, I can't seem to find entries for
searching machine names. Even though I've seen them once before now,
every time I try to log on to my domain, I can't find any entries for
machine names. Here are the logs from ldap:
-------
Jan 16 11:42:56 whale slapd[1183]: conn=170 fd=24 ACCEPT from
IP=192.168.77.7:41475 (IP=0.0.0.0:389)
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=0 BIND
dn="cn=root,dc=arhont,dc=com" method=128
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=0 BIND
dn="cn=root,dc=arhont,dc=com" mech=simple ssf=0
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=0 RESULT tag=97 err=0 text=
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=1 SRCH
base="dc=arhont,dc=com" scope=2
filter="(&(objectClass=sambaDomain)(sambaDomainName=ARHONT))"
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=1 SRCH
attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid
sambaSID sambaAlgorithmicRidBase objectClass
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=2 SRCH
base="dc=arhont,dc=com" scope=2
filter="(&(sambaSID=S-1-5-21-3830420305-2497394645-3910713721-501)(objectClass=sambaSamAccount))"
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=2 SRCH attr=uid uidNumber
gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=2 SEARCH RESULT tag=101
err=0 nentries=0 text=
Jan 16 11:42:56 whale slapd[1183]: conn=171 fd=25 ACCEPT from
IP=127.0.0.1:41476 (IP=0.0.0.0:389)
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=0 BIND
dn="cn=root,dc=arhont,dc=com" method=128
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=0 BIND
dn="cn=root,dc=arhont,dc=com" mech=simple ssf=0
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=0 RESULT tag=97 err=0 text=
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=1 SRCH
base="dc=arhont,dc=com" scope=2 filter="(uid=nobody)"
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=2 SRCH
base="dc=arhont,dc=com" scope=2
filter="(&(objectClass=posixGroup)(|(memberUid=nobody)(uniqueMember=uid=nobody,ou=users,dc=arhont,dc=com)))"
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=2 SRCH attr=cn
userPassword memberUid uniqueMember gidNumber
Jan 16 11:42:56 whale slapd[1183]: <= bdb_equality_candidates:
(uniqueMember) index_param failed (18)
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=2 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=3 SRCH
base="dc=arhont,dc=com" scope=2
filter="(&(objectClass=sambaGroupMapping)(gidNumber=65534))"
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=3 SRCH attr=gidNumber
sambaSID sambaGroupType description displayName cn objectClass
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=3 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=4 SRCH
base="dc=arhont,dc=com" scope=2
filter="(&(objectClass=sambaGroupMapping)(gidNumber=501))"
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=4 SRCH attr=gidNumber
sambaSID sambaGroupType description displayName cn objectClass
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=4 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jan 16 11:42:57 whale slapd[1183]: conn=170 fd=24 closed
Jan 16 11:42:57 whale slapd[1183]: conn=171 fd=25 closed
--------
Is it normal that I can't see the search entries for the machine name that I
try to connect to the domain with?
Thanks
Vegeta Saiyajin wrote:
> On Thursday 15 January 2004 10:32, you wrote:
>
>>Hello Vegeta,
>>
>>I've looked at your post at samba mailing list.
>>
>>Same as you are, I am having a nightmare making a windows 2000
>>pro to logon to my domain.
>>
>>But unlike you, smbldap-tools worked fine-ish for me. They
>>have populated the database with initial users,groups and
>>created computer entry. The setup works fine for
>>shares/workgroup. But I can't make it connect to my pdc. By
>>the way, I am running Debian unstable with samba 3.0.1 and
>>ldap 2.1.23.
>>
>>By following your experience, i've managed to resolve some of
>>the issues while i was trying to logon to my domain.
>>
>>Initially, looking at the ldap logs, windows was trying to
>>search for entries that were not found in the ldap. Like pid
>>501, which is meant to be a guest account, and a few other
>>things.
>>
>>But after correcting these issues, ldap finds all the entries,
>>but still gives me Logon Failure: unknown username or bad
>>password.
>
> There are two solutions.
>
> One is to use
> ldap machine suffix = ou=People
> instead of
> ldap machine suffix= ou=Computers
> This will probably work.
>
> A better solution that allows storing computer accounts in
> ou=Computers requires changing the ldap.conf file.
> This is not a Samba file, but an OpenLDAP file (I assume you are
> using OpenLDAP).
>
> In the ldap.conf file of the LDAP server use:
> scope sub
> nss_base_passwd dc=arhont,dc=com
> nss_base_shadow dc=arhont,dc=com
>
> instead of the more traditional
> scope one
> nss_base_passwd ou=People,dc=arhont,dc=com
> nss_base_shadow ou=People,dc=arhont,dc=com
>
> The reason for the
> "unknown username or bad password"
> message is that Samba tries to find the machine as a "user"
> listed by NSS (as when you use "getent passwd").
> When you have nss configured with "scope one" and
> "nss_base_passwd ou=People,dc=arhont,dc=com" the only users samba
> sees are the accounts in ou=People (without looking any
> subtrees).
>
> When you use "scope sub" and "nss_base_passwd dc=arhont,dc=com"
> samba can see all users in all subtrees of "dc=arhont,dc=com".
>
> Regarding changes in the registry, they are not necessary in
> Samba 3.0.x. Some documentation I read talks about this, but
> only applies to Samba 2.2.x. I could join W2K machines to the
> domain without making any registry modifications.
>
>>But looking at samba logs, I don't see any errors. This is the
>>output of the slapd when I attempt to logon to domain:
>>
>>--------
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 fd=19 ACCEPT from
>>IP=192.168.77.7:38423 (IP=0.0.0.0:389)
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 BIND
>>dn="cn=root,dc=arhont,dc=com" method=128
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 BIND
>>dn="cn=root,dc=arhont,dc=com" mech=simple ssf=0
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 RESULT tag=97
>>err=0 text=
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SRCH
>>base="dc=arhont,dc=com" scope=2
>>filter="(&(objectClass=sambaDomain)(sambaDomainName=ARHONT))"
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SRCH
>>attr=sambaDomainName sambaNextRid sambaNextUserRid
>>sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SEARCH RESULT
>>tag=101 err=0 nentries=1 text=
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SRCH
>>base="dc=arhont,dc=com" scope=2
>>filter="(&(uid=root)(objectClass=sambaSamAccount))"
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SRCH attr=uid
>>uidNumber gidNumber homeDirectory sambaPwdLastSet
>>sambaPwdCanChange sambaPwdMustChange sambaLogonTime
>>sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive
>>sambaHomePath sambaLogonScript sambaProfilePath description
>>sambaUserWorkstations sambaSID sambaPrimaryGroupSID
>>sambaLMPassword sambaNTPassword sambaDomainName objectClass
>>sambaAcctFlags sambaMungedDial
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SEARCH RESULT
>>tag=101 err=0 nentries=1 text=
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 fd=19 closed
>>
>>-------
>>
>>and this is the example of my smb.conf
>>
>>#LDAP Support for samba 3+
>>passdb backend = ldapsam:ldap://whale.core.arhont.com
>>ldap admin dn = "cn=root,dc=arhont,dc=com"
>>idmap backend = ldap:ldap://whale.core.arhont.com
>>ldap suffix = dc=arhont,dc=com
>>ldap machine suffix = ou=computers
>>ldap user suffix = ou=users
>>
>>#ldap ssl = off
>>#ldap user suffix = "ou=users,dc=arhont,dc=com"
>>
>>##Default LDAP FILTER
>>#ldap filter = "(&(uid=%u)(objectClass=SambaSamAccount))"
>>ldap filter = "(uid=%u)"
>>
>>ldap delete dn = no
>>#ldap password sync = yes
>>
>>
>>In addition, you have mentioned that the win2k registry has to
>>be changed. I've looked at the registry key on my workstation,
>>and it was already 0, from the default install. Is that normal,
>>as I've read in a few places that it has to be changed, but
>>mine was already 0 from the initial installation?
>
>>Do you have any suggestions, what might be going wrong? I am
>>already at my third day trying to integrate samba/ldap. What a
>>nightmare!
>>
>>Thanks in advance for any help )
>
--
Andrei Mikhailovsky
Financial Director
Arhont Ltd
Web: http://www.arhont.com
Tel: +44 (0)870 4431337
Fax: +44 (0)1454 201200
PGP: Key ID - 0xFF67A4F4
PGP: Server - gpg.arhont.com
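Whether slapd ever logged a lookup for the workstation's trust account is exactly the question raised above. The parser below is an added example, not code from this mail or from Samba: it re-joins the wrapped slapd lines, pairs each SRCH with its SEARCH RESULT by conn/op, and lists the sambaSamAccount lookups that returned no entry, plus any lookup for a uid ending in '$'. The sample log is constructed after the lines quoted in this thread; the conn=172 record and the hostname ws01 are assumptions.

```python
import re

# Constructed sample modelled on the slapd lines quoted in this thread (wrapped
# lines have no prefix); conn=172 (uid=ws01$) is an assumed machine lookup.
SAMPLE_LOG = """\
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=2 SRCH
base="dc=arhont,dc=com" scope=2
filter="(&(sambaSID=S-1-5-21-3830420305-2497394645-3910713721-501)(objectClass=sambaSamAccount))"
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=2 SEARCH RESULT tag=101
err=0 nentries=0 text=
Jan 16 11:42:56 whale slapd[1183]: conn=172 op=1 SRCH
base="dc=arhont,dc=com" scope=2
filter="(&(uid=ws01$)(objectClass=sambaSamAccount))"
Jan 16 11:42:56 whale slapd[1183]: conn=172 op=1 SEARCH RESULT tag=101
err=0 nentries=0 text=
"""
PREFIX = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ slapd\[\d+\]: ")

def unwrap(text):
    # A line without the syslog/slapd prefix continues the previous record.
    records = []
    for line in text.splitlines():
        if PREFIX.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def lookups(text):
    # Pair each SRCH with its SEARCH RESULT by (conn, op) and return
    # (filter, nentries) in log order; nentries is -1 if no RESULT was seen.
    filters, results = {}, {}
    for rec in unwrap(text):
        key = re.search(r"conn=(\d+) op=(\d+)", rec)
        if not key:
            continue
        if m := re.search(r'filter="([^"]*)"', rec):
            filters[key.groups()] = m.group(1)
        if m := re.search(r"nentries=(\d+)", rec):
            results[key.groups()] = int(m.group(1))
    return [(f, results.get(k, -1)) for k, f in filters.items()]

def empty_account_lookups(text):
    # sambaSamAccount lookups the directory answered with no entry at all.
    return [(f, n) for f, n in lookups(text) if "sambaSamAccount" in f and n == 0]

def machine_lookups(text):
    # Trust-account lookups (uid ending in '$'); an empty list means Samba
    # never asked LDAP about the workstation at all.
    return [(f, n) for f, n in lookups(text) if re.search(r"uid=[^)]*\$\)", f)]
```

Run it over the real slapd log with `lookups(open("/var/log/...").read())`: a RID-501 (guest) lookup with nentries=0 and no '$' lookup at all are the two symptoms this thread is chasing.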