[Samba] can't join domain / smbldap-useradd -w machine not working
Tomasz Chmielewski
mangoo at interia.pl
Mon Oct 25 13:24:54 GMT 2004
Hello,
I'm trying to set up Samba + OpenLDAP as a PDC.
I followed the instructions from chapter 6 in Samba-3 by Example; my
system is SuSE 9.1.
ldap, winbind, nmb and smb are running.
testparm says my smb.conf file is OK.
I set LDAP password using smbpasswd -w.
There was a similar post a few days ago (smbldap-tools don't create
machine account properly), but it didn't help me.
When I try to join using net rpc (page 158 of Samba-3 by Example), I get
this:
# net rpc join -U Administrator%password
Could not connect to server SERVER
The username or password was not correct.
This is what is logged with debug levels 1-9 in smb.conf (the same log
appears at each level):
# cat /var/log/samba/log.192.168.0.109
[2004/10/25 15:01:04, 0] rpc_server/srv_netlog_nt.c:get_md4pw(201)
get_md4pw: Workstation SERVER$: no account in domain
I get the same result even when I add the machine SERVER manually.
I can find this machine manually using ldapsearch:
# ldapsearch -x -b "dc=magista,dc=de" "(uid=SERVER$)"
# extended LDIF
#
# LDAPv3
# base <dc=magista,dc=de> with scope sub
# filter: (uid=SERVER$)
# requesting: ALL
#
# server$, Users, magista.de
# NOTE(review): the search was for SERVER$ and found the entry stored as
# server$ - uid matches case-insensitively, so the case difference is not what
# blocks the join. What is missing is the Samba half of the account: the entry
# has only top/inetOrgPerson/posixAccount and no sambaSamAccount objectClass
# (hence no sambaSID, sambaNTPassword etc.). Samba's ldapsam backend treats
# only sambaSamAccount entries as domain accounts, which is consistent with
# get_md4pw reporting "no account in domain" for SERVER$ although the POSIX
# entry exists. Whether the step that should add those attributes after the
# add machine script ran was refused (for example an LDAP write as the
# ldap admin dn failing) cannot be told from this output; the slapd log would
# show the attempted modify and its result code.
dn: uid=server$,ou=Users,dc=magista,dc=de
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: server$
sn: server$
uid: server$
uidNumber: 1004
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
These are my /etc/ldap.conf, /etc/nsswitch.conf,
/etc/openldap/slapd.conf, /etc/samba/smb.conf and
/etc/smbldap-tools/smbldap.conf, respectively:
# cat /etc/ldap.conf
# nss_ldap / pam_ldap client configuration (used by the "ldap" entries in
# /etc/nsswitch.conf).
# Client-side search limits and alias dereferencing.
SIZELIMIT 200
TIMELIMIT 15
DEREF never
# Directory server and search base; the server is local, so lookups stay on
# the loopback interface.
host 127.0.0.1
base dc=magista,dc=de
# NOTE(review): every NSS lookup binds as the directory rootdn with a
# cleartext password. nss_ldap reads this file from any process that resolves
# a user or group, so it normally has to be world-readable, which exposes the
# Manager credential to every local user. The usual arrangement is to drop
# binddn/bindpw here, give ordinary lookups anonymous read access via slapd
# ACLs, and use rootbinddn with the password kept in /etc/ldap.secret
# (mode 0600) for root-only operations. If "password" is the real value and
# not a redaction made for this post, it should be changed.
binddn cn=Manager,dc=magista,dc=de
bindpw password
# Password changes use the LDAP password-modify extended operation (exop).
pam_password exop
# One-level searches under the Users/Groups containers ("?one" suffix);
# these match the usersdn/groupsdn settings in smbldap.conf.
nss_base_passwd ou=Users,dc=magista,dc=de?one
nss_base_shadow ou=Users,dc=magista,dc=de?one
nss_base_group ou=Groups,dc=magista,dc=de?one
# cat /etc/nsswitch.conf |grep ldap
# Local files are consulted first, then the directory through nss_ldap
# (configured in /etc/ldap.conf above).
passwd: files ldap
shadow: files ldap
group: files ldap
# cat /etc/openldap/slapd.conf
# Schema: samba3.schema supplies sambaSamAccount and the sambaSID /
# sambaPrimaryGroupSID / sambaDomainName attributes indexed below; it depends
# on the four schemas included before it, so the order matters.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# Backend, naming context and administrative DN (the same DN is used as
# "ldap admin dn" in smb.conf and as binddn in /etc/ldap.conf).
database ldbm
suffix "dc=magista,dc=de"
rootdn "cn=Manager,dc=magista,dc=de"
# NOTE(review): rootpw is stored in cleartext, and the commented-out line
# above it keeps a record of a previous value. Generate a hash with
# slappasswd and store that instead (rootpw {SSHA}...), and delete the stale
# comment so the file no longer carries an old password.
# rootpw = not24get
rootpw password
directory /var/lib/ldap
# NOTE(review): no "access to" directives appear in this listing. If this is
# the whole file, slapd applies its default ACL, which grants read access to
# everyone - including the userPassword, sambaNTPassword and sambaLMPassword
# attributes of every account - to an anonymous bind. A minimal ACL would
# restrict those attributes to the rootdn (write), the entry itself (write)
# and "by * auth", followed by "access to * by * read" for the rest.
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
# cat /etc/samba/smb.conf
# PDC configuration for the MAGISTA domain. Accounts live in the local
# OpenLDAP server (passdb backend below); user, group and machine entries are
# created by the smbldap-tools scripts named in the add/delete directives.
[global]
unix charset = LOCALE
workgroup = MAGISTA
netbios name = SERVER
# Listen only on eth0 and loopback; with "bind interfaces only" smbd/nmbd do
# not answer on any other interface.
interfaces = eth0, lo
bind interfaces only = Yes
# Accounts come from LDAP over the loopback address, so the cleartext LDAP
# session never leaves the host. The bind password for "ldap admin dn" is
# the one stored with smbpasswd -w (secrets.tdb), not anything in this file.
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers
# NOTE(review): level 9 is a debugging setting; it produces large, very
# detailed per-client logs under /var/log/samba and should be lowered again
# once the join problem is solved.
log level = 9
syslog = 0
log file = /var/log/samba/log.%m
max log size = 50
smb ports = 139 445
name resolve order = wins bcast hosts
time server = Yes
#printcap name = CUPS
#show add printer wizard = No
# Account-management hooks. The add machine script is expected to create only
# the POSIX (posixAccount) part of a machine entry; Samba then extends that
# entry with the sambaSamAccount attributes through "ldap admin dn". The
# ldapsearch output earlier in this post shows the first half present and the
# second half missing.
add user script = /usr/local/sbin/smbldap-useradd -a -m '%u'
delete user script = /usr/local/sbin/smbldap-userdel '%u'
add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/local/sbin/smbldap-groupdel '%g'
add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
# NOTE: the trailing '%g' argument of the next directive wraps onto its own
# line in this listing; in the real file it must stay on the same line.
delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u'
'%g'
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
# Logon settings. %L expands to this server's NetBIOS name (SERVER), so the
# profile path agrees with userProfile in smbldap.conf, and X: matches
# userHomeDrive there.
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
domain logons = Yes
preferred master = Yes
wins support = Yes
# LDAP layout: the machine, user, group and idmap suffixes are relative to
# "ldap suffix". Machines are kept under ou=Users, which matches computersdn
# in smbldap.conf and the location of the server$ entry found by ldapsearch.
ldap suffix = dc=magista,dc=de
ldap machine suffix = ou=Users
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=magista,dc=de
# Winbind ID mapping stored in LDAP. The ranges sit above the uidNumber /
# gidNumber values seen in the directory (1004 and 515), so they do not
# collide with smbldap-tools allocations.
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
map acl inherit = Yes
#printing = cups
#printer admin = Administrator, chrisr
# Per-user home directories; hidden from browsing, writable by the owner.
[homes]
comment = Home Directories
browseable = no
writeable = yes
# Roaming-profile store referenced by "logon path". The 0600/0700 masks keep
# each profile readable only by its owner.
[profiles]
path = /home/samba/profiles
writeable = yes
browseable = no
create mask = 0600
directory mask = 0700
# Logon scripts (see "logon script" above). Read-only for everyone except
# the user listed in "write list", who maintains the scripts.
[netlogon]
comment = Network Logon Service
path = /home/netlogon
read only = yes
browseable = no
write list = tom
# Read-only installation sources, accessible only to the "unattended"
# account.
[unattended]
comment = Installation Sources
path = /home/unattended
read only = yes
browseable = no
valid users = unattended
# cat /etc/smbldap-tools/smbldap.conf
# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.14 2004/06/25 20:57:51 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
# This code was developed by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose :
# . be the configuration file for all smbldap-tools scripts
##############################################################################
#
# General Configuration
#
##############################################################################
# Put your own SID
# to obtain this number do: net getlocalsid
# NOTE(review): every sambaSID the tools write is this value plus a RID, so
# it must be exactly the SID Samba reports for MAGISTA; an account created
# under a different SID is not recognised as belonging to the domain. The
# commented-out SID on the next line looks like an earlier value - if it is
# no longer in use, remove it so it cannot be reinstated by mistake.
#SID="S-1-5-21-1911238739-97561441-2706018148"
SID="S-1-5-21-1517566737-222097662-23938227"
##############################################################################
#
# LDAP Configuration
#
##############################################################################
# Notes: to use a dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Ex: slaveLDAP=127.0.0.1
slaveLDAP="127.0.0.1"
slavePort="389"
# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="127.0.0.1"
masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also use port 389)
# NOTE(review): TLS is off and certificate verification is "none". That is
# tolerable only because both servers above are 127.0.0.1; if either is ever
# pointed at a remote host, set ldapTLS="1" and verify="require" so the
# Manager bind and the password hashes written by these tools are not sent
# in the clear. The cafile/clientcert/clientkey paths are only used when TLS
# is enabled.
ldapTLS="0"
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="none"
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=magista,dc=de"
# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
usersdn="ou=Users,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Machines are kept under ou=Users here, which agrees with
# "ldap machine suffix = ou=Users" in smb.conf.
computersdn="ou=Users,${suffix}"
# Where are stored Groups
# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
groupsdn="ou=Groups,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex idmapdn="ou=Idmap,dc=IDEALX,dc=ORG"
idmapdn="ou=Idmap,${suffix}"
# Where to store next uidNumber and gidNumber available
# (this entry has to exist in the directory for the tools to allocate IDs)
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
# SSHA (salted SHA-1) is the strongest of the listed choices.
hash_encrypt="SSHA"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"
# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
# Matches the gidNumber 515 on the server$ entry shown by ldapsearch.
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="99"
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location (%U username substitution)
# Ex: \\My-PDC-netbios-name\homes\%U
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# "Server" is the PDC's netbios name from smb.conf.
userSmbHome="\\Server\homes\%U"
# The UNC path to profiles locations (%U username substitution)
# Ex: \\My-PDC-netbios-name\profiles\%U
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Agrees with "logon path = \\%L\profiles\%U" in smb.conf.
userProfile="\\Server\profiles\%U"
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: H: for H:
# Agrees with "logon drive = X:" in smb.conf.
userHomeDrive="X:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: %U.cmd
# userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.cmd"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
mailDomain="magista.de"
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
# NOTE(review): with this set to 0 the NT/LM hashes for new accounts are
# computed by the Perl module Crypt::SmbHash rather than by smbpasswd; that
# module therefore has to be installed for the Samba attributes to be
# written (perl -MCrypt::SmbHash -e 1 is a quick check). Whether that is
# related to the missing sambaSamAccount on the server$ entry cannot be
# determined from this file alone.
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"