[Samba] can't join domain / smbldap-useradd -w machine not working

Tomasz Chmielewski mangoo at interia.pl
Mon Oct 25 13:24:54 GMT 2004 

Hello,

I'm trying to set up Samba + OpenLDAP as a PDC.

I followed the instructions from chapter 6 in Samba-3 by Example, my 
system is SuSE 9.1.

ldap, winbind, nmb and smb are running.

testparm says my smb.conf file is OK.

I set LDAP password using smbpasswd -w.

There was a similar post a few days ago (smbldap-tools don't create 
machine account properly), but it didn't help me.

When I try to join using net rpc (page 158 of Samba-3 by Example), I get 
this:

# net rpc join -U Administrator%password
Could not connect to server SERVER
The username or password was not correct.


This is what is logged with debugs 1-9 in smb.conf (same log with each 
debug):

# cat /var/log/samba/log.192.168.0.109
[2004/10/25 15:01:04, 0] rpc_server/srv_netlog_nt.c:get_md4pw(201)
   get_md4pw: Workstation SERVER$: no account in domain


I get the same even when I add machine SERVER manually.


I can find this machine manually using ldapsearch:

# ldapsearch -x -b "dc=magista,dc=de" "(uid=SERVER$)"
# extended LDIF
#
# LDAPv3
# base <dc=magista,dc=de> with scope sub
# filter: (uid=SERVER$)
# requesting: ALL
#

# server$, Users, magista.de
dn: uid=server$,ou=Users,dc=magista,dc=de
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: server$
sn: server$
uid: server$
uidNumber: 1004
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


These are my /etc/ldap.conf, /etc/nsswitch.conf, 
/etc/openldap/slapd.conf, /etc/samba/smb.conf and 
/etc/smbldap-tools/smbldap.conf, respectively:

# cat /etc/ldap.conf
SIZELIMIT       200
TIMELIMIT       15
DEREF           never

host 127.0.0.1
base dc=magista,dc=de
binddn cn=Manager,dc=magista,dc=de
bindpw password

pam_password exop

nss_base_passwd         ou=Users,dc=magista,dc=de?one
nss_base_shadow         ou=Users,dc=magista,dc=de?one
nss_base_group          ou=Groups,dc=magista,dc=de?one


# cat /etc/nsswitch.conf |grep ldap
passwd: files ldap
shadow: files ldap
group:  files ldap


# cat /etc/openldap/slapd.conf
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba3.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

database        ldbm
suffix          "dc=magista,dc=de"
rootdn          "cn=Manager,dc=magista,dc=de"

# rootpw = not24get
rootpw          password

directory       /var/lib/ldap

# Indices to maintain
index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub


# cat /etc/samba/smb.conf
[global]
unix charset = LOCALE
workgroup = MAGISTA
netbios name = SERVER
interfaces = eth0, lo
bind interfaces only = Yes
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers

log level = 9
syslog = 0
log file = /var/log/samba/log.%m
max log size = 50

smb ports = 139 445

name resolve order = wins bcast hosts

time server = Yes

#printcap name = CUPS
#show add printer wizard = No

add user script = /usr/local/sbin/smbldap-useradd -a -m '%u'
delete user script = /usr/local/sbin/smbldap-userdel '%u'
add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/local/sbin/smbldap-groupdel '%g'
add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' 
'%g'
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'

logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:

domain logons = Yes
preferred master = Yes
wins support = Yes

ldap suffix = dc=magista,dc=de
ldap machine suffix = ou=Users
ldap user suffix = ou=Users
ldap group suffix = ou=Groups

ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=magista,dc=de
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
map acl inherit = Yes
#printing = cups
#printer admin = Administrator, chrisr

[homes]
   comment = Home Directories
   browseable = no
   writeable = yes

[profiles]
   path = /home/samba/profiles
   writeable = yes
   browseable = no
   create mask = 0600
   directory mask = 0700

[netlogon]
   comment = Network Logon Service
   path = /home/netlogon
   read only = yes
   browseable = no
   write list = tom

[unattended]
   comment = Installation Sources
   path = /home/unattended
   read only = yes
   browseable = no
   valid users = unattended


# cat /etc/smbldap-tools/smbldap.conf
# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.14 2004/06/25 20:57:51 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

#  This code was developped by IDEALX (http://IDEALX.org/) and
#  contributors (their names can be found in the CONTRIBUTORS file).
#
#                 Copyright (C) 2001-2002 IDEALX
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.

#  Purpose :
#       . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID
# to obtain this number do: net getlocalsid
#SID="S-1-5-21-1911238739-97561441-2706018148"
SID="S-1-5-21-1517566737-222097662-23938227"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Ex: slaveLDAP=127.0.0.1
slaveLDAP="127.0.0.1"
slavePort="389"

# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="127.0.0.1"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="none"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=magista,dc=de"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
computersdn="ou=Users,${suffix}"

# Where are stored Groups
# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="99"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Ex: \\My-PDC-netbios-name\homes\%U
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
userSmbHome="\\Server\homes\%U"

# The UNC path to profiles locations (%U username substitution)
# Ex: \\My-PDC-netbios-name\profiles\%U
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
userProfile="\\Server\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: H: for H:
userHomeDrive="X:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: %U.cmd
# userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.cmd"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
mailDomain="magista.de"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in 
smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"





----------------------------------------------------------------------
Startuj z INTERIA.PL!!! >>> http://link.interia.pl/f1837

More information about the samba mailing list