[Samba] Problem to logon after join LDAP/SAMBA domain

Louis van Belle louis at van-belle.nl
Tue Aug 2 08:07:48 GMT 2005


Hi Felipe, 

First, if you want, you can write to me in your native language ;-) 
I can read almost every language.

Samba gives you a default SID, this one is used. ( net getlocalsid )
But if you want another, you can set a new SID ( net setlocalsid sid )

The problem you have is that your workstations are created with a different
SID than your domain SID. The easiest way to fix this is to keep your domain
SID.
So first change smbldap.conf and add the correct SID ( found with net
getlocalsid ).

Export your database, and find the wrong SIDs in the LDIF; change them to the
correct one.
Remove all the good entries from this file. 
Back up your LDAP and Samba database.

Delete the corrected objects from the LDAP database and import the
corrected ones again.
That should do it.

Let me know if it worked.

Louis
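
The LDIF clean-up step described above, as an added example that is not part of the original post: it rewrites the domain part of `sambaSID` and `sambaPrimaryGroupSID` values that do not match the domain SID, keeps the RID, and returns only the entries that needed fixing. The function names, the sample LDIF and every SID value are constructed for illustration.

```python
import re

# S-1-5-21-<a>-<b>-<c> is the domain part; an optional trailing -<RID> names the object.
# Builtin SIDs such as S-1-5-32-544 do not match and are never rewritten.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)(-\d+)?$")
SID_ATTRS = {"sambasid", "sambaprimarygroupsid"}

# Constructed values: in practice DOMAIN_SID is what "net getlocalsid" prints.
DOMAIN_SID = "S-1-5-21-4000000001-4000000002-4000000003"
SAMPLE_LDIF = """\
dn: uid=tec01$,ou=Computers,dc=example,dc=org
uid: tec01$
sambaSID: S-1-5-21-1111111111-2222222222-
 3333333333-3002

dn: uid=alice,ou=Users,dc=example,dc=org
uid: alice
sambaSID: S-1-5-21-4000000001-4000000002-4000000003-3004
sambaPrimaryGroupSID: S-1-5-21-4000000001-4000000002-4000000003-513

dn: cn=Administrators,ou=Groups,dc=example,dc=org
sambaSID: S-1-5-32-544
"""

def fix_entry(entry, domain_sid):
    """Return (entry text with foreign domain SIDs replaced, number of changes)."""
    out, changed = [], 0
    for line in entry.split("\n"):
        attr, sep, value = line.partition(": ")  # base64 "attr:: ..." is left alone
        m = SID_RE.match(value.strip()) if sep else None
        if m and attr.lower() in SID_ATTRS and m.group(1) != domain_sid:
            line = f"{attr}: {domain_sid}{m.group(2) or ''}"
            changed += 1
        out.append(line)
    return "\n".join(out), changed

def corrected_entries(ldif_text, domain_sid):
    """Drop the good entries; return only those that carried a wrong SID, fixed."""
    text = re.sub(r"\r?\n ", "", ldif_text).strip()  # undo LDIF line folding
    fixed = []
    for entry in re.split(r"\n\s*\n", text):
        new_text, changed = fix_entry(entry, domain_sid)
        if changed:
            fixed.append(new_text)
    return fixed

if __name__ == "__main__":
    print("\n\n".join(corrected_entries(SAMPLE_LDIF, DOMAIN_SID)))
```

Review the returned entries by hand before deleting and re-importing them, and take the LDAP and Samba backups first.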


>-----Original message-----
>From: Felipe [mailto:felipe.piccirilo at gmail.com] 
>Sent: Monday 1 August 2005 21:46
>To: Louis van Belle
>Subject: Re: [Samba] Problem to logon after join LDAP/SAMBA domain
>
>Thanks again for the tips, Louis
>
>But there's one thing I didn't understand and I would appreciate it if
>you could help me: How does Samba define the domain SID? Can I set a SID
>by myself?
>
>If you have any how-to or FAQ where I could learn something more about
>it, I would appreciate it very much too!
>
>thanks in advance!
>
>by the way, sorry about any mistake in my english.. it's not 
>my native language.
>
>2005/8/1, Louis van Belle <louis at van-belle.nl>:
>> Hi Felipe,
>> 
>> First, great you found it.
>> 
>> Just type net on the console and see the output; there is
>> something like this:
>> 
>> net setlocalsid SID   "to set the local domain SID"
>> 
>> This is how I fixed it ( had a similar problem here )
>> 
>> Make an export of the LDAP database.
>> I used ldapadmin and phpldapadmin, just pick one you like.
>> 
>> Do a net getlocalsid, and set this in smbldap.conf
>> 
>> Delete your database.
>> 
>> I used notepad++ (very cool editor) to change the incorrect entries
>> 
>> Import your database again.
>> 
>> If you use Debian, you can also back up
>> 
>> /var/lib/ldap
>> /var/lib/samba
>> 
>> Then if something goes wrong, just stop samba and ldap, copy these
>> backed-up files back and you're back in the first state.
>> 
>> Good luck,
>> 
>> and my advice: make that backup of /var/lib/ldap and samba
>> I did need it. ;-)
>> 
>> Greetz
>> 
>> Louis
>> 
>> 
>> >-----Original message-----
>> >From: Felipe [mailto:felipe.piccirilo at gmail.com]
>> >Sent: Monday 1 August 2005 14:50
>> >To: Louis van Belle
>> >CC: Samba users-list
>> >Subject: Re: [Samba] Problem to logon after join LDAP/SAMBA domain
>> >
>> >Hi Louis and all list..
>> >
>> >Thanks for all the tips, but I think I figured out what the
>> >problem was...
>> >I'm having some problems with the SID of Samba and LDAP. I try to
>> >set it manually but I'm not sure how it works; I just know that
>> >when I perform "net getlocalsid", the SID I get was different from the
>> >one in the file smbldap.conf (from smbldap-tools), and when a
>> >workstation joined a domain, it seems that it loses the trust
>> >relationship and you can't log on with this workstation.
>> >
>> >Do you or anyone on the list know if I can change this SID and then
>> >build my domain without any problem? If yes, where should I set the
>> >SID beyond smbldap.conf and "net setlocalsid SID" before populating
>> >my domain?
>> >
>> >thanks in advance.
>> >
>> >regards
>> >Felipe.
>> >2005/7/29, Louis van Belle <louis at van-belle.nl>:
>> >> Have you tried these registry hacks already?
>> >>
>> >> /snap cut here.
>> >> REGEDIT4
>> >>
>> >> ;-------------------------------------------------------------------------
>> >> ; do not roam the following folders
>> >>
>> >> [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
>> >> "ExcludeProfileDirs"="Temporary Internet Files;History;Temp"
>> >>
>> >> ;-------------------------------------------------------------------------
>> >> ; force Windows XP Professional clients to accept Samba as a PDC
>> >>
>> >> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
>> >> "requiresignorseal"=dword:00000000
>> >> "signsecurechannel"=dword:00000000
>> >>
>> >> ;-------------------------------------------------------------------------
>> >> ; Do not check for user ownership of Roaming Profile Folders
>> >> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
>> >> "CompatibleRUPSecurity"=dword:00000001
>> >> /snap end.
>> >>
>> >>
>> >>
>> >> >-----Original message-----
>> >> >From: Felipe [mailto:felipe.piccirilo at gmail.com]
>> >> >Sent: Friday 29 July 2005 15:14
>> >> >To: Louis van Belle
>> >> >Subject: Re: [Samba] Problem to logon after join LDAP/SAMBA domain
>> >> >
>> >> >Thanks Louis, but unfortunately no... it didn't work.. it seems that
>> >> >Samba isn't getting the user and pass or Windows XP isn't
>> >> >sending them in the right way, because in the log.workstation file the last
>> >> >line is:
>> >> >
>> >> >2005/07/29 10:01:39, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
>> >> >  Doing spnego session setup
>> >> >[2005/07/29 10:01:39, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
>> >> >  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
>> >> >[2005/07/29 10:01:39, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
>> >> >  Got user=[] domain=[] workstation=[TEC01] len1=1 len2=0
>> >> >
>> >> >other ideas?
>> >> >
>> >> >
>> >> >
>> >> >
>> >> >2005/7/29, Louis van Belle <louis at van-belle.nl>:
>> >> >> I think you have to do this on the console
>> >> >>
>> >> >> 1 set the password again for the user.   => reset the password
>> >> >> 2 smbldap-usermod -J username            => enable the user
>> >> >>
>> >> >> Sometimes users are disabled; you can check this with usrmgr.exe from
>> >> >> the NT tools
>> >> >>
>> >> >>
>> >> >>
>> >> >> >-----Original message-----
>> >> >> >From: samba-bounces+louis=van-belle.nl at lists.samba.org
>> >> >> >[mailto:samba-bounces+louis=van-belle.nl at lists.samba.org] On behalf of Felipe
>> >> >> >Sent: Friday 29 July 2005 14:22
>> >> >> >To: Samba users-list
>> >> >> >Subject: [Samba] Problem to logon after join LDAP/SAMBA domain
>> >> >> >
>> >> >> >Hi all,
>> >> >> >
>> >> >> >I'm using SAMBA with LDAP as my PDC, but after I join a Windows XP
>> >> >> >workstation to the domain, I can't authenticate any user with this
>> >> >> >workstation. It gives the following error when I press ctrl+alt+del
>> >> >> >and try to logon:
>> >> >> >
>> >> >> >"The system can't authenticate the user. Check if the user and
>> >> >> >password is correct then retype them press ok" etc.....
>> >> >> >
>> >> >> >On the server, I can see the workstation in the LDAP database and in getent
>> >> >> >passwd. The users I try to log on with work when I authenticate in ftp, ssh
>> >> >> >and several other services when I use the same workstation as a local
>> >> >> >machine.
>> >> >> >
>> >> >> >I'm using:
>> >> >> >samba-3.0.14
>> >> >> >pam_ldap-178-1
>> >> >> >openldap-devel-2.2.17-1
>> >> >> >nss_ldap-238-1
>> >> >> >smbldap-tools-0.8.8-1
>> >> >> >openldap-2.2.17-1
>> >> >> >
>> >> >> >Does someone know what is going on? Is there any problem with
>> >> >> >Windows or with me?
>> >> >> >
>> >> >> >best regards,
>> >> >> >--
>> >> >> >To unsubscribe from this list go to the following URL and read the
>> >> >> >instructions:  https://lists.samba.org/mailman/listinfo/samba
>> >> >> >
>> >> >>
>> >> >>
>> >> >
>> >>
>> >>
>> >
>> 
>>
>


