[Samba] Need help configuring Samba3/LDAP PDC
rwallace at thewallacepack.net
Wed Jun 9 20:45:54 GMT 2004
Aaron Ogden wrote:
>
> Hello all,
> I'm following along in chapter 6 of John Terpstra's "Samba 3 By
> Example" and I've got everything working great up until the point
> where I join the machine to the new domain (step 17 on page 155). The
> command *net rpc join -U Administrator* fails with the errors below.
>
> palpatine:/var/lib/samba/sbin # net -d 4 rpc join -U Administrator
> [2004/06/09 15:13:35, 3] param/loadparm.c:lp_load(3881)
> lp_load: refreshing parameters
> [2004/06/09 15:13:35, 3] param/loadparm.c:init_globals(1309)
> Initialising global parameters
> [2004/06/09 15:13:35, 3] param/params.c:pm_process(566)
> params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> [2004/06/09 15:13:35, 3] param/loadparm.c:do_section(3379)
> Processing section "[global]"
> doing parameter unix charset = LOCALE
> doing parameter workgroup = GXT
> doing parameter netbios name = GXTPDC
> [2004/06/09 15:13:35, 4] param/loadparm.c:handle_netbios_name(2723)
> handle_netbios_name: set global_myname to: GXTPDC
> doing parameter interfaces = eth0, lo
> doing parameter bind interfaces only = Yes
> doing parameter passdb backend = ldapsam:ldap://ldap.gxt.com
> doing parameter username map = /etc/samba/smbusers
> doing parameter log level = 1
> doing parameter syslog = 0
> doing parameter log file = /var/log/samba/%m
> doing parameter max log size = 50
> doing parameter smb ports = 139 445
> doing parameter name resolve order = wins bcast hosts
> doing parameter time server = Yes
> doing parameter printcap name = CUPS
> doing parameter show add printer wizard = No
> doing parameter add user script =
> /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
> doing parameter delete user script =
> /var/lib/samba/sbin/smbldap-userdel.pl '%u'
> doing parameter add group script =
> /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
> doing parameter delete group script =
> /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
> doing parameter add user to group script =
> /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
> doing parameter delete user from group script =
> /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
> doing parameter set primary group script =
> /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u'
> doing parameter add machine script =
> /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
> doing parameter shutdown script = /var/lib/samba/scripts/shutdown.sh
> doing parameter abort shutdown script = /sbin/shutdown -c
> doing parameter logon script = scripts\logon.bat
> doing parameter logon path = \\%L\profiles\%U
> doing parameter logon drive = X:
> doing parameter domain logons = Yes
> doing parameter preferred master = Yes
> doing parameter wins support = Yes
> doing parameter ldap suffix = dc=gxt,dc=com
> doing parameter ldap machine suffix = ou=people
> doing parameter ldap user suffix = ou=people
> doing parameter ldap group suffix = ou=groups
> doing parameter ldap idmap suffix = ou=idmap
> doing parameter ldap admin dn = cn=admin,dc=gxt,dc=com
> doing parameter idmap backend = ldap://ldap.gxt.com
> doing parameter idmap uid = 10000-20000
> doing parameter idmap gid = 10000-20000
> doing parameter map acl inherit = Yes
> doing parameter printing = cups
> doing parameter printer admin = Administrator
> [2004/06/09 15:13:35, 4] param/loadparm.c:lp_load(3913)
> pm_process() returned Yes
> [2004/06/09 15:13:35, 2] lib/interface.c:add_interface(79)
> added interface ip=172.17.0.240 bcast=172.17.3.255 nmask=255.255.252.0
> [2004/06/09 15:13:35, 2] lib/interface.c:add_interface(79)
> added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
> [2004/06/09 15:13:35, 3] libsmb/cliconnect.c:cli_start_connection(1373)
> Connecting to host=GXTPDC
> [2004/06/09 15:13:35, 3] lib/util_sock.c:open_socket_out(735)
> Connecting to 172.17.0.240 at port 445
> [2004/06/09 15:13:35, 4] lib/time.c:get_serverzone(122)
> Serverzone is 18000
> [2004/06/09 15:13:35, 4] rpc_client/cli_netlogon.c:cli_net_req_chal(45)
> cli_net_req_chal: LSA Request Challenge from GXTPDC to GXTPDC:
> 1F9217647828E59B
> [2004/06/09 15:13:35, 4] libsmb/credentials.c:cred_session_key(59)
> cred_session_key
> [2004/06/09 15:13:35, 4] libsmb/credentials.c:cred_create(90)
> cred_create
> [2004/06/09 15:13:35, 4] rpc_client/cli_netlogon.c:cli_net_auth2(102)
> cli_net_auth2: srv:\\GXTPDC acct:GXTPDC$ sc:6 mc: GXTPDC chal
> B3BA8E48EB059670 neg: 400701ff
> [2004/06/09 15:13:35, 3]
> rpc_client/cli_netlogon.c:cli_nt_setup_creds(283)
> cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
> [2004/06/09 15:13:35, 3]
> libsmb/trusts_util.c:just_change_the_password(43)
> just_change_the_password: unable to setup creds
> (NT_STATUS_ACCESS_DENIED)!
> [2004/06/09 15:13:35, 1] utils/net_rpc.c:run_rpc_command(141)
> rpc command function failed! (NT_STATUS_ACCESS_DENIED)
> Password:
> [2004/06/09 15:14:11, 3] libsmb/cliconnect.c:cli_start_connection(1373)
> Connecting to host=GXTPDC
> [2004/06/09 15:14:11, 3] lib/util_sock.c:open_socket_out(735)
> Connecting to 172.17.0.240 at port 445
> [2004/06/09 15:14:11, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(705)
> Doing spnego session setup (blob length=58)
> [2004/06/09 15:14:11, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(730)
> got OID=1 3 6 1 4 1 311 2 2 10
> [2004/06/09 15:14:11, 3]
> libsmb/cliconnect.c:cli_session_setup_spnego(737)
> got principal=NONE
> [2004/06/09 15:14:11, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(878)
> Got challenge flags:
> [2004/06/09 15:14:11, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
> Got NTLMSSP neg_flags=0x60890215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_NTLM2
> NTLMSSP_CHAL_TARGET_INFO
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> [2004/06/09 15:14:11, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(900)
> NTLMSSP: Set final flags:
> [2004/06/09 15:14:11, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
> Got NTLMSSP neg_flags=0x60080215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_NTLM2
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> [2004/06/09 15:14:11, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2004/06/09 15:14:11, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
> Got NTLMSSP neg_flags=0x60080215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_NTLM2
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> [2004/06/09 15:14:11, 3] libsmb/cliconnect.c:cli_session_setup(854)
> SPNEGO login failed: Logon failure
> [2004/06/09 15:14:11, 1] libsmb/cliconnect.c:cli_full_connection(1461)
> failed session setup with NT_STATUS_LOGON_FAILURE
> Could not connect to server GXTPDC
> The username or password was not correct.
> [2004/06/09 15:14:11, 2] utils/net.c:main(792)
> return code = 1
>
> I've already set Administrator's password with *smbpasswd* and
> *smbldap-password.pl* but I still cannot authenticate. Anonymous
> access (e.g. *smbclient -L localhost -U%*) works fine so it seems that
> there is something wrong with the LDAP SAM. I am using the same LDAP
> directory to authenticate Linux clients and provide autofs maps and
> everything is working fine... except for Samba. Has anyone else
> encountered this problem? Tridge, Terpstra, Allison, are you out there?
>
> I have torn down the LDAP/Samba stack several times and rebuilt it
> from scratch. I get the same behavior every time.
> I am running on SuSE 9.1 using openldap 2.2.6 and samba 3.0.4 (SuSE
> packages). Thanks in advance!
>
> --aaron
>
>
Have you checked the logging on OpenLDAP? I'd set the loglevel to 488
and look at the queries Samba is doing. If you have "root =
administrator admin" in your smbusers file then Samba will look for an
LDAP entry with uid=root. grep the LDAP log file for that and comment
out that line in smbusers if that seems to be the case.
Rich
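
The check suggested in the reply above, as an added example that is not part of the original thread: resolve a client-supplied name through a `username map` file, then count the slapd searches made for the mapped uid. The function names `map_user` and `ldap_searches_for`, the temporary files and both sample inputs (including the shape of the logged filter) are constructed for illustration.

```shell
#!/bin/sh
# Added example: which uid does Samba look up after "username map" is applied?
# Map format (smb.conf(5)): unixname = client1 client2 ...
#   '#' or ';' starts a comment, a leading '!' stops at the first match,
#   '*' matches any name, matching is case-insensitive, and later lines are
#   tested against the already-mapped name. @group and quoted names are skipped.
map_user() {    # $1 = username map file, $2 = name sent by the client
    awk -v want="$2" '
        BEGIN { result = want; lw = tolower(want) }
        /^[ \t]*[#;]/ || !/=/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line); stop = 0
            if (substr(line, 1, 1) == "!") { stop = 1; line = substr(line, 2) }
            eq = index(line, "=")
            unix = substr(line, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", unix)
            n = split(substr(line, eq + 1), names)
            for (i = 1; i <= n; i++)
                if (names[i] == "*" || tolower(names[i]) == lw) {
                    result = unix; lw = tolower(unix)
                    if (stop) exit
                    break
                }
        }
        END { print result }' "$1"
}

# Count slapd SRCH operations whose filter asks for uid=<name>.
ldap_searches_for() {    # $1 = slapd log file, $2 = uid
    grep ' SRCH ' "$1" | grep -ciF "(uid=$2)" || true
}

# Constructed sample data (not taken from the poster's system).
tmp=$(mktemp -d)
cat > "$tmp/smbusers" <<'EOF'
# unix name = client names
root = administrator admin
nobody = guest pcguest smbguest
EOF
cat > "$tmp/slapd.log" <<'EOF'
Jun  9 15:14:11 ldaphost slapd[2101]: conn=7 op=1 SRCH base="dc=gxt,dc=com" scope=2 deref=0 filter="(&(uid=root)(objectClass=sambaSamAccount))"
Jun  9 15:14:11 ldaphost slapd[2101]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
EOF

mapped=$(map_user "$tmp/smbusers" Administrator)
echo "Administrator is looked up as uid=$mapped"
echo "searches for uid=$mapped: $(ldap_searches_for "$tmp/slapd.log" "$mapped")"
echo "searches for uid=Administrator: $(ldap_searches_for "$tmp/slapd.log" Administrator)"
```

A search for the mapped uid that returns `nentries=0`, with no search at all for the name the client typed, is the pattern the reply describes.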