[Samba] My story installing Samba-LDAP PDC (it has a happy ending)

Andrei Mikhailovsky andrei at arhont.com
Fri Jan 16 11:53:12 GMT 2004


Hello again )

I have followed your suggestion: changed the ldap.conf so that nsswitch
will do a sub search, and changed nss_passwd/group/shadow to search at
the root of the database. Still no luck.

When I look at the LDAP logs, I can't seem to find entries for
searching machine names. Even though I've seen them once before, now
every time I try to log on to my domain I can't find any entries for
machine names. Here are the logs from LDAP:

-------
Jan 16 11:42:56 whale slapd[1183]: conn=170 fd=24 ACCEPT from 
IP=192.168.77.7:41475 (IP=0.0.0.0:389)
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=0 BIND 
dn="cn=root,dc=arhont,dc=com" method=128
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=0 BIND 
dn="cn=root,dc=arhont,dc=com" mech=simple ssf=0
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=0 RESULT tag=97 err=0 text=
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=1 SRCH 
base="dc=arhont,dc=com" scope=2 
filter="(&(objectClass=sambaDomain)(sambaDomainName=ARHONT))"
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=1 SRCH 
attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid 
sambaSID sambaAlgorithmicRidBase objectClass
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=1 SEARCH RESULT tag=101 
err=0 nentries=1 text=
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=2 SRCH 
base="dc=arhont,dc=com" scope=2 
filter="(&(sambaSID=S-1-5-21-3830420305-2497394645-3910713721-501)(objectClass=sambaSamAccount))"
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=2 SRCH attr=uid uidNumber 
gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange 
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn 
displayName sambaHomeDrive sambaHomePath sambaLogonScript 
sambaProfilePath description sambaUserWorkstations sambaSID 
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName 
objectClass sambaAcctFlags sambaMungedDial
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=2 SEARCH RESULT tag=101 
err=0 nentries=0 text=
Jan 16 11:42:56 whale slapd[1183]: conn=171 fd=25 ACCEPT from 
IP=127.0.0.1:41476 (IP=0.0.0.0:389)
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=0 BIND 
dn="cn=root,dc=arhont,dc=com" method=128
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=0 BIND 
dn="cn=root,dc=arhont,dc=com" mech=simple ssf=0
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=0 RESULT tag=97 err=0 text=
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=1 SRCH 
base="dc=arhont,dc=com" scope=2 filter="(uid=nobody)"
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=1 SEARCH RESULT tag=101 
err=0 nentries=1 text=
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=2 SRCH 
base="dc=arhont,dc=com" scope=2 
filter="(&(objectClass=posixGroup)(|(memberUid=nobody)(uniqueMember=uid=nobody,ou=users,dc=arhont,dc=com)))"
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=2 SRCH attr=cn 
userPassword memberUid uniqueMember gidNumber
Jan 16 11:42:56 whale slapd[1183]: <= bdb_equality_candidates: 
(uniqueMember) index_param failed (18)
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=2 SEARCH RESULT tag=101 
err=0 nentries=1 text=
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=3 SRCH 
base="dc=arhont,dc=com" scope=2 
filter="(&(objectClass=sambaGroupMapping)(gidNumber=65534))"
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=3 SRCH attr=gidNumber 
sambaSID sambaGroupType description displayName cn objectClass
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=3 SEARCH RESULT tag=101 
err=0 nentries=1 text=
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=4 SRCH 
base="dc=arhont,dc=com" scope=2 
filter="(&(objectClass=sambaGroupMapping)(gidNumber=501))"
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=4 SRCH attr=gidNumber 
sambaSID sambaGroupType description displayName cn objectClass
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=4 SEARCH RESULT tag=101 
err=0 nentries=1 text=
Jan 16 11:42:57 whale slapd[1183]: conn=170 fd=24 closed
Jan 16 11:42:57 whale slapd[1183]: conn=171 fd=25 closed

--------
Is it normal that I can't see the search entries for the machine name that I
try to connect to the domain?

Thanks


Vegeta Saiyajin wrote:
> On Thursday 15 January 2004 10:32, you wrote:
> 
>>Hello Vegeta,
>>
>>I've looked at your post at samba mailing list.
>>
>>Same as you, I am having a nightmare making a Windows 2000
>>Pro machine log on to my domain.
>>
>>But unlike you, smbldap-tools worked fine-ish for me. They
>>have populated the database with initial users and groups and
>>created a computer entry. The setup works fine for
>>shares/workgroup, but I can't make it connect to my PDC. By
>>the way, I am running Debian unstable with Samba 3.0.1 and
>>LDAP 2.1.23.
>>
>>By following your experience, I've managed to resolve some of
>>the issues while I was trying to log on to my domain.
>>
>>Initially, looking at the LDAP logs, Windows was trying to
>>search for entries that were not found in LDAP, like pid
>>501, which is meant to be a guest account, and a few other
>>things.
>>
>>But after correcting these issues, LDAP finds all the entries
>>but still gives me "Logon Failure: unknown username or bad
>>password".
> 
> 
> There are two solutions. 
> 
> One is to use
>    ldap machine suffix = ou=People
> instead of
>    ldap machine suffix = ou=Computers
> This will probably work.
> 
> A better solution that allows storing computer accounts in 
> ou=Computers requires changing the ldap.conf file.
> This is not a Samba file, but an OpenLdap file (I assume you are 
> using OpenLDAP).
> 
> In the ldap.conf file of the LDAP server use:
> scope sub
> nss_base_passwd  dc=arhont,dc=com
> nss_base_shadow  dc=arhont,dc=com
> 
> instead of the more traditional
> scope one
> nss_base_passwd  ou=People,dc=arhont,dc=com
> nss_base_shadow  ou=People,dc=arhont,dc=com
> 
> The reason for the 
>   "unknown username or bad password"
> message is that Samba tries to find the machine as a "user" 
> listed by NSS (as when you use "getent passwd").
> When you have nss configured with "scope one"  and 
> "nss_base_passwd ou=People,dc=arhont,dc=com" the only users samba 
> sees are the accounts in ou=People (without looking any 
> subtrees).
> 
> When you use "scope sub" and "nss_base_passwd dc=arhont,dc=com" 
> samba can see all users in all subtrees of "dc=arhont,dc=com".
> 
> Regarding changes in the registry, they are not necessary in 
> Samba 3.0.x. Some documentation I read talks about this, but 
> only applies to Samba 2.2.x. I could join W2K machines to the 
> domain without making any registry modifications.
> 
> 
> 
> 
>>But looking at the Samba logs, I don't see any errors. This is the
>>output of slapd when I attempt to log on to the domain:
>>
>>--------
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 fd=19 ACCEPT from
>>IP=192.168.77.7:38423 (IP=0.0.0.0:389)
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 BIND
>>dn="cn=root,dc=arhont,dc=com" method=128
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 BIND
>>dn="cn=root,dc=arhont,dc=com" mech=simple ssf=0
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 RESULT tag=97
>>err=0 text=
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SRCH
>>base="dc=arhont,dc=com" scope=2
>>filter="(&(objectClass=sambaDomain)(sambaDomainName=ARHONT))"
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SRCH
>>attr=sambaDomainName sambaNextRid sambaNextUserRid
>>sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SEARCH RESULT
>>tag=101 err=0 nentries=1 text=
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SRCH
>>base="dc=arhont,dc=com" scope=2
>>filter="(&(uid=root)(objectClass=sambaSamAccount))"
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SRCH attr=uid
>>uidNumber gidNumber homeDirectory sambaPwdLastSet
>>sambaPwdCanChange sambaPwdMustChange sambaLogonTime
>>sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive
>>sambaHomePath sambaLogonScript sambaProfilePath description
>>sambaUserWorkstations sambaSID sambaPrimaryGroupSID
>>sambaLMPassword sambaNTPassword sambaDomainName objectClass
>>sambaAcctFlags sambaMungedDial
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SEARCH RESULT
>>tag=101 err=0 nentries=1 text=
>>Jan 15 14:07:23 whale slapd[24434]: conn=5 fd=19 closed
>>
>>-------
>>
>>and this is an example of my smb.conf:
>>
>>#LDAP Support for samba 3+
>>passdb backend          = ldapsam:ldap://whale.core.arhont.com
>>ldap admin dn           = "cn=root,dc=arhont,dc=com"
>>idmap backend           = ldap:ldap://whale.core.arhont.com
>>ldap suffix             = dc=arhont,dc=com
>>ldap machine suffix     = ou=computers
>>ldap user suffix        = ou=users
>>
>>#ldap ssl       = off
>>#ldap user suffix       = "ou=users,dc=arhont,dc=com"
>>
>>##Default LDAP FILTER
>>#ldap filter    = "(&(uid=%u)(objectClass=SambaSamAccount))"
>>ldap filter     = "(uid=%u)"
>>
>>ldap delete dn          = no
>>#ldap password sync     = yes
>>
>>
>>In addition, you have mentioned that the Win2K registry has to
>>be changed. I've looked at the registry key on my workstation,
>>and it was already 0 from the default install. Is that normal?
>>I've read in a few places that it has to be changed, but
>>mine was already 0 from the initial installation.
> 
> 
>>Do you have any suggestions as to what might be going wrong? I am
>>already on my third day trying to integrate Samba/LDAP. What a
>>nightmare!
>>
>>Thanks in advance for any help )
> 
> 
> 

-- 
Andrei Mikhailovsky
Financial Director
Arhont Ltd

Web: http://www.arhont.com
Tel: +44 (0)870 4431337
Fax: +44 (0)1454 201200
PGP: Key ID - 0xFF67A4F4
PGP: Server - gpg.arhont.com
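The explanation in the thread turns on two things: whether the workstation's account ("HOSTNAME$") is reachable through NSS given the `scope` and `nss_base_passwd` settings in the LDAP client's ldap.conf, and whether the slapd log shows Samba looking the machine account up at all. The script below is an added example, not code from the original posts or from Samba or OpenLDAP. It models the base/scope visibility rule that Vegeta describes with the thread's own DNs, and it parses slapd stats-style log lines of the form quoted above (re-joining lines that a mail client has folded), pairing each SRCH with its SEARCH RESULT so that searches that matched nothing, and machine-account lookups, can be listed. The hostname ws01 and the sample log are constructed for illustration; the domain DN and the SID are the ones that appear in the thread.

```python
"""Added example: nss_ldap base/scope visibility check and a slapd stats-log
parser for the Samba 3 + OpenLDAP machine-account join problem.
Hostnames, DNs and log lines are constructed; the domain and SID come from
the thread.
"""
import re
from typing import Dict, List, Tuple


def _rdns(dn: str) -> List[str]:
    """Split a DN into lower-cased RDNs (toy normaliser: no escaped commas)."""
    return [p.strip().lower() for p in dn.split(",")]


def nss_visible(entry_dn: str, nss_base: str, scope: str) -> bool:
    """True if nss_ldap configured with `nss_base_passwd <nss_base>` and
    `scope <scope>` ('base', 'one' or 'sub', as in ldap.conf) would return
    entry_dn, e.g. for `getent passwd 'ws01$'` on the PDC."""
    entry, base = _rdns(entry_dn), _rdns(nss_base)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                      # entry is not under the base at all
    depth = len(entry) - len(base)        # 0 = the base itself, 1 = direct child
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


_SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")
_SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
_RESULT = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT tag=101 err=(\d+) nentries=(\d+)")
_MACHINE_UID = re.compile(r"\(uid=[^)]*\$\)")   # Samba machine accounts are "NAME$"


def unwrap_syslog(text: str) -> List[str]:
    """Re-join records folded by a mail client: a line that does not start
    with a syslog timestamp continues the previous record."""
    records: List[str] = []
    for line in text.splitlines():
        if _SYSLOG_START.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] = records[-1] + " " + line.strip()
    return records


def parse_searches(text: str) -> List[dict]:
    """Pair every SRCH with its SEARCH RESULT by (conn, op)."""
    found: Dict[Tuple[str, str], dict] = {}
    for rec in unwrap_syslog(text):
        m = _SRCH.search(rec)
        if m:
            conn, op, base, scope, filt = m.groups()
            found[(conn, op)] = {"conn": int(conn), "op": int(op), "base": base,
                                 "scope": int(scope), "filter": filt,
                                 "err": None, "nentries": None}
            continue
        m = _RESULT.search(rec)
        if m and (m.group(1), m.group(2)) in found:
            found[(m.group(1), m.group(2))].update(err=int(m.group(3)),
                                                   nentries=int(m.group(4)))
    return sorted(found.values(), key=lambda s: (s["conn"], s["op"]))


def searches_with_no_results(text: str) -> List[str]:
    """Filters whose search completed with nentries=0."""
    return [s["filter"] for s in parse_searches(text) if s["nentries"] == 0]


def machine_account_lookups(text: str) -> List[str]:
    """Filters that look up a machine account (uid ending in '$')."""
    return [s["filter"] for s in parse_searches(text) if _MACHINE_UID.search(s["filter"])]


# Constructed sample, folded the way the quoted log in the thread is.
SAMPLE_LOG = """\
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=0 BIND dn="cn=root,dc=arhont,dc=com" method=128
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=1 SRCH base="dc=arhont,dc=com" scope=2 filter="(&(objectClass=sambaDomain)(sambaDomainName=ARHONT))"
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=2 SRCH
base="dc=arhont,dc=com" scope=2
filter="(&(uid=ws01$)(objectClass=sambaSamAccount))"
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=3 SRCH base="dc=arhont,dc=com" scope=2 filter="(&(sambaSID=S-1-5-21-3830420305-2497394645-3910713721-501)(objectClass=sambaSamAccount))"
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

if __name__ == "__main__":
    machine = "uid=ws01$,ou=Computers,dc=arhont,dc=com"
    for base, scope in (("ou=People,dc=arhont,dc=com", "one"), ("dc=arhont,dc=com", "sub")):
        print(f"{machine} visible with base={base} scope={scope}: "
              f"{nss_visible(machine, base, scope)}")
    print("searches with no results:", searches_with_no_results(SAMPLE_LOG))
    print("machine account lookups:", machine_account_lookups(SAMPLE_LOG))
```

On the PDC itself the live equivalent of nss_visible() is `getent passwd 'ws01$'`: if that prints nothing while `ldapsearch` under the suffix finds the entry, the account exists but the NSS base/scope pair cannot reach it, which is exactly the case the scope one / ou=People configuration produces for an account under ou=Computers. The log parser is only as good as the log level: the SRCH and SEARCH RESULT records it relies on are written at slapd's stats loglevel, so a log without them says nothing about whether the lookup happened.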
