[Samba] can't join domain / smbldap-useradd -w machine not working

John H Terpstra samba at primastasys.com
Mon Oct 25 16:29:29 GMT 2004


Hi,

In your nsswitch.conf file, set:

    hosts: files wins dns


Then see whether the name-resolution problem persists. If it does, you need to
clean up the TCP/IP configuration.

Additionally, did you run the following?
    smbldap-populate -a root

Did you set the root password using the following?
   smbldap-passwd root


- John T.
---
John H Terpstra
Samba-Team
email: jht at samba.org


> -------- Original Message --------
> Subject: [Samba] can't join domain / smbldap-useradd -w machine not
> working
> From: "Tomasz Chmielewski" <mangoo at interia.pl>
> Date: Mon, October 25, 2004 6:24 am
> To: samba at lists.samba.org
>
> Hello,
>
> I'm trying to set up Samba + OpenLDAP as a PDC.
>
> I followed the instructions from chapter 6 in Samba-3 by Example, my
> system is SuSE 9.1.
>
> ldap, winbind, nmb and smb are running.
>
> testparm says my smb.conf file is OK.
>
> I set LDAP password using smbpasswd -w.
>
> There was a similar post a few days ago (smbldap-tools don't create
> machine account properly), but it didn't help me.
>
> When I try to join using net rpc (page 158 of Samba-3 by Example), I get
> this:
>
> # net rpc join -U Administrator%password
> Could not connect to server SERVER
> The username or password was not correct.
>
>
> This is what is logged with log levels 1-9 in smb.conf (the log is the same
> at each level):
>
> # cat /var/log/samba/log.192.168.0.109
> [2004/10/25 15:01:04, 0] rpc_server/srv_netlog_nt.c:get_md4pw(201)
>    get_md4pw: Workstation SERVER$: no account in domain
>
>
> I get the same even when I add machine SERVER manually.
>
>
> I can find this machine manually using ldapsearch:
>
> # ldapsearch -x -b "dc=magista,dc=de" "(uid=SERVER$)"
> # extended LDIF
> #
> # LDAPv3
> # base <dc=magista,dc=de> with scope sub
> # filter: (uid=SERVER$)
> # requesting: ALL
> #
>
> # server$, Users, magista.de
> dn: uid=server$,ou=Users,dc=magista,dc=de
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> cn: server$
> sn: server$
> uid: server$
> uidNumber: 1004
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> gecos: Computer
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> These are my /etc/ldap.conf, /etc/nsswitch.conf,
> /etc/openldap/slapd.conf, /etc/samba/smb.conf and
> /etc/smbldap-tools/smbldap.conf, respectively:
>
> # cat /etc/ldap.conf
> SIZELIMIT       200
> TIMELIMIT       15
> DEREF           never
>
> host 127.0.0.1
> base dc=magista,dc=de
> binddn cn=Manager,dc=magista,dc=de
> bindpw password
>
> pam_password exop
>
> nss_base_passwd         ou=Users,dc=magista,dc=de?one
> nss_base_shadow         ou=Users,dc=magista,dc=de?one
> nss_base_group          ou=Groups,dc=magista,dc=de?one
>
>
> # cat /etc/nsswitch.conf |grep ldap
> passwd: files ldap
> shadow: files ldap
> group:  files ldap
>
>
> # cat /etc/openldap/slapd.conf
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/samba3.schema
>
> pidfile         /var/run/slapd/slapd.pid
> argsfile        /var/run/slapd/slapd.args
>
> database        ldbm
> suffix          "dc=magista,dc=de"
> rootdn          "cn=Manager,dc=magista,dc=de"
>
> # rootpw = not24get
> rootpw          password
>
> directory       /var/lib/ldap
>
> # Indices to maintain
> index objectClass           eq
> index cn                    pres,sub,eq
> index sn                    pres,sub,eq
> index uid                   pres,sub,eq
> index displayName           pres,sub,eq
> index uidNumber             eq
> index gidNumber             eq
> index memberUID             eq
> index sambaSID              eq
> index sambaPrimaryGroupSID  eq
> index sambaDomainName       eq
> index default               sub
>
>
> # cat /etc/samba/smb.conf
> [global]
> unix charset = LOCALE
> workgroup = MAGISTA
> netbios name = SERVER
> interfaces = eth0, lo
> bind interfaces only = Yes
> passdb backend = ldapsam:ldap://127.0.0.1
> username map = /etc/samba/smbusers
>
> log level = 9
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 50
>
> smb ports = 139 445
>
> name resolve order = wins bcast hosts
>
> time server = Yes
>
> #printcap name = CUPS
> #show add printer wizard = No
>
> add user script = /usr/local/sbin/smbldap-useradd -a -m '%u'
> delete user script = /usr/local/sbin/smbldap-userdel '%u'
> add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/local/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
> delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
> set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
> add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
>
> logon script = scripts\logon.bat
> logon path = \\%L\profiles\%U
> logon drive = X:
>
> domain logons = Yes
> preferred master = Yes
> wins support = Yes
>
> ldap suffix = dc=magista,dc=de
> ldap machine suffix = ou=Users
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
>
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=Manager,dc=magista,dc=de
> idmap backend = ldap:ldap://127.0.0.1
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> map acl inherit = Yes
> #printing = cups
> #printer admin = Administrator, chrisr
>
> [homes]
>    comment = Home Directories
>    browseable = no
>    writeable = yes
>
> [profiles]
>    path = /home/samba/profiles
>    writeable = yes
>    browseable = no
>    create mask = 0600
>    directory mask = 0700
>
> [netlogon]
>    comment = Network Logon Service
>    path = /home/netlogon
>    read only = yes
>    browseable = no
>    write list = tom
>
> [unattended]
>    comment = Installation Sources
>    path = /home/unattended
>    read only = yes
>    browseable = no
>    valid users = unattended
>
>
> # cat /etc/smbldap-tools/smbldap.conf
> # $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
> # $Id: smbldap.conf,v 1.14 2004/06/25 20:57:51 jtournier Exp $
> #
> # smbldap-tools.conf : Q & D configuration file for smbldap-tools
>
> #  This code was developed by IDEALX (http://IDEALX.org/) and
> #  contributors (their names can be found in the CONTRIBUTORS file).
> #
> #                 Copyright (C) 2001-2002 IDEALX
> #
> #  This program is free software; you can redistribute it and/or
> #  modify it under the terms of the GNU General Public License
> #  as published by the Free Software Foundation; either version 2
> #  of the License, or (at your option) any later version.
> #
> #  This program is distributed in the hope that it will be useful,
> #  but WITHOUT ANY WARRANTY; without even the implied warranty of
> #  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> #  GNU General Public License for more details.
> #
> #  You should have received a copy of the GNU General Public License
> #  along with this program; if not, write to the Free Software
> #  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
> #  USA.
>
> #  Purpose :
> #       . be the configuration file for all smbldap-tools scripts
>
> ##############################################################################
> #
> # General Configuration
> #
> ##############################################################################
>
> # Put your own SID
> # to obtain this number do: net getlocalsid
> #SID="S-1-5-21-1911238739-97561441-2706018148"
> SID="S-1-5-21-1517566737-222097662-23938227"
>
> ##############################################################################
> #
> # LDAP Configuration
> #
> ##############################################################################
>
> # Notes: to use the dual LDAP server backend for Samba, you must patch
> # Samba with the dual-head patch from IDEALX. If not using this patch,
> # just use the same server for slaveLDAP and masterLDAP.
> # Those two servers declarations can also be used when you have
> # . one master LDAP server where all writing operations must be done
> # . one slave LDAP server where all reading operations must be done
> #   (typically a replication directory)
>
> # Ex: slaveLDAP=127.0.0.1
> slaveLDAP="127.0.0.1"
> slavePort="389"
>
> # Master LDAP : needed for write operations
> # Ex: masterLDAP=127.0.0.1
> masterLDAP="127.0.0.1"
> masterPort="389"
>
> # Use TLS for LDAP
> # If set to 1, this option will use start_tls for the connection
> # (you should also use port 389)
> ldapTLS="0"
>
> # How to verify the server's certificate (none, optional or require)
> # see "man Net::LDAP" in start_tls section for more details
> verify="none"
>
> # CA certificate
> # see "man Net::LDAP" in start_tls section for more details
> cafile="/etc/smbldap-tools/ca.pem"
>
> # certificate to use to connect to the ldap server
> # see "man Net::LDAP" in start_tls section for more details
> clientcert="/etc/smbldap-tools/smbldap-tools.pem"
>
> # key certificate to use to connect to the ldap server
> # see "man Net::LDAP" in start_tls section for more details
> clientkey="/etc/smbldap-tools/smbldap-tools.key"
>
> # LDAP Suffix
> # Ex: suffix=dc=IDEALX,dc=ORG
> suffix="dc=magista,dc=de"
>
> # Where are stored Users
> # Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
> usersdn="ou=Users,$"
>
> # Where are stored Computers
> # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
> computersdn="ou=Users,$"
>
> # Where are stored Groups
> # Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
> groupsdn="ou=Groups,$"
>
> # Where are stored Idmap entries (used if samba is a domain member server)
> # Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
> idmapdn="ou=Idmap,$"
>
> # Where to store next uidNumber and gidNumber available
> sambaUnixIdPooldn="cn=NextFreeUnixId,$"
>
> # Default scope Used
> scope="sub"
>
> # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
> hash_encrypt="SSHA"
>
> # if hash_encrypt is set to CRYPT, you may set a salt format.
> # default is "%s", but many systems will generate MD5 hashed
> # passwords if you use "$1$%.8s". This parameter is optional!
> crypt_salt_format="%s"
>
> ##############################################################################
> #
> # Unix Accounts Configuration
> #
> ##############################################################################
>
> # Login defs
> # Default Login Shell
> # Ex: userLoginShell="/bin/bash"
> userLoginShell="/bin/bash"
>
> # Home directory
> # Ex: userHome="/home/%U"
> userHome="/home/%U"
>
> # Gecos
> userGecos="System User"
>
> # Default User (POSIX and Samba) GID
> defaultUserGid="513"
>
> # Default Computer (Samba) GID
> defaultComputerGid="515"
>
> # Skel dir
> skeletonDir="/etc/skel"
>
> # Default password validity time (in days). Comment out the next line if
> # you don't want passwords to be valid only for defaultMaxPasswordAge days (be
> # careful with the sambaPwdMustChange attribute's value)
> defaultMaxPasswordAge="99"
>
> ##############################################################################
> #
> # SAMBA Configuration
> #
> ##############################################################################
>
> # The UNC path to home drives location (%U username substitution)
> # Ex: \\My-PDC-netbios-name\homes\%U
> # Just set it to a null string if you want to use the smb.conf 'logon home'
> # directive and/or disable roaming profiles
> userSmbHome="\\Server\homes\%U"
>
> # The UNC path to profiles locations (%U username substitution)
> # Ex: \\My-PDC-netbios-name\profiles\%U
> # Just set it to a null string if you want to use the smb.conf 'logon path'
> # directive and/or disable roaming profiles
> userProfile="\\Server\profiles\%U"
>
> # The default Home Drive Letter mapping
> # (will be automatically mapped at logon time if home directory exist)
> # Ex: H: for H:
> userHomeDrive="X:"
>
> # The default user netlogon script name (%U username substitution)
> # if not used, will be automatically username.cmd
> # make sure script file is edited under dos
> # Ex: %U.cmd
> # userScript="startup.cmd" # make sure script file is edited under dos
> userScript="%U.cmd"
>
> # Domain appended to the users "mail"-attribute
> # when smbldap-useradd -M is used
> mailDomain="magista.de"
>
> ##############################################################################
> #
> # SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
> #
> ##############################################################################
>
> # Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
> # prefer the Crypt::SmbHash library
> with_smbpasswd="0"
> smbpasswd="/usr/bin/smbpasswd"
>
>
>
>
>


