[Samba] Problem to logon after join LDAP/SAMBA domain

Louis van Belle louis at van-belle.nl
Tue Aug 2 13:43:05 GMT 2005


Hi Felipe,

Yes, I can read Portuguese, Spanish, English, Dutch, Chinese, Japanese :D 
How? http://translation.langenberg.com/  ;-) 
Just a tip: just translate it.
Sometimes I translate Japanese or Chinese back to English for some howtos
and it works pretty well.

For your problem, I know what you did; your biggest problem was that when you
created the computer account in LDAP it was created with the wrong SID.
It's not about the right way, it's about getting it to work and understanding
it.
And as I see, you're getting the hang of it. 

So great, and if nobody was helping you then what's open-source about?
And if you were really bothering me, I wouldn't answer, 
but I have a very relaxed job, and other people were helping me too.
So if everybody would be helping everybody then we can make Samba 
much greater.

Louis



>-----Original Message-----
>From: Felipe [mailto:felipe.piccirilo at gmail.com] 
>Sent: Tuesday 2 August 2005 15:19
>To: Louis van Belle
>Subject: Re: [Samba] Problem to logon after join LDAP/SAMBA domain
>
>Hi Louis, so you can read in Portuguese too? Where are you from?
>
>Well.. I was doing the following:
>
>- net setlocalsid SID
>- change the SID in smbldap.conf to the SID from net getlocalsid.
>- populate the LDAP database with smbldap-populate
>- join the server to the domain with "net join". 
>
>At this point, all the SIDs were the same; when I performed slapcat, I
>could see the entries with the same SID, as it should be.
>
>So, when I join any workstation to the domain, it gets created
>with a SID that was not the one I set with "net setlocalsid" and
>not even the one in smbldap.conf (remembering that "net getlocalsid"
>and smbldap.conf have the same SID), and I don't know why it happens.
>For instance:
>[root at srvesdn01 /]# net getlocalsid
>SID for domain SRVESDN01 is: S-1-5-21-4096754390-2050528769-3303486895
>
>[root at srvesdn01 /tmp]# grep SID /etc/opt/IDEALX/smbldap-tools/smbldap.conf
># Put your own SID
>SID="S-1-5-21-4096754390-2050528769-3303486895"
>
>[root at srvesdn01 /tmp]# slapcat
>dn: uid=tec01$,ou=Computers,dc=bluepex,dc=com
>objectClass: top
>objectClass: inetOrgPerson
>objectClass: posixAccount
>objectClass: sambaSamAccount
>cn: tec01$
>sn: tec01$
>uid: tec01$
>uidNumber: 1006
>gidNumber: 515
>homeDirectory: /dev/null
>loginShell: /bin/false
>description: Computer
>gecos: Computer
>structuralObjectClass: inetOrgPerson
>entryUUID: 450be4a6-979a-1029-9dcc-e8eb1c4c798d
>creatorsName: cn=admin,dc=bluepex,dc=com
>createTimestamp: 20050802121115Z
>sambaSID: S-1-5-21-1037110515-2276738207-3769059760-3012
>sambaPrimaryGroupSID: S-1-5-21-4096754390-2050528769-3303486895-515
>displayName: TEC01$
>sambaPwdCanChange: 1122984675
>sambaPwdMustChange: 2147483647
>sambaNTPassword: F5AA9B9B4736F184C63E2DFFAAD2A45C
>sambaPwdLastSet: 1122984675
>sambaAcctFlags: [W          ]
>entryCSN: 20050802121115Z#000004#00#000000
>modifiersName: cn=admin,dc=bluepex,dc=com
>modifyTimestamp: 20050802121115Z
>
>
>The only way I made things work was when I joined one of my
>workstations to the domain, got the sambaSID that the workstation
>was created with in LDAP, set this sambaSID in my smbldap.conf and in
>"net setlocalsid", and then repopulated the database with this SID. This
>way, everything worked.
>
>So now I have in my smbldap.conf:
>SID="S-1-5-21-1037110515-2276738207-3769059760"
>
>and in my net getlocalsid:
>SID for domain SRVESDN01 is: S-1-5-21-1037110515-2276738207-3769059760
>
>and in the slapcat of my workstation:
>sambaSID: S-1-5-21-1037110515-2276738207-3769059760-3012
>sambaPrimaryGroupSID: S-1-5-21-1037110515-2276738207-3769059760-515
>
>It seems that when I join a workstation, they are getting a SID by
>themselves and not using the same one as "net getlocalsid" or
>smbldap.conf.
>
>Do you understand what I did? I think it shouldn't have to be this way,
>but it was the only way that worked. And now I'm using two servers,
>one as master LDAP and PDC and the other as replica, and everything works.
>
>What do you think?
>
>Well, thanks very much again for the attention and sorry about bothering
>you so much! :)
>
>best regards,
>
>
>2005/8/2, Louis van Belle <louis at van-belle.nl>:
>> Hi Felipe,
>> 
>> First, if you want you can write to me in your native language ;-)
>> I can read almost every language.
>> 
>> Samba gives you a default SID; this one is used. ( net getlocalsid )
>> But if you want another, you can set a new SID. ( net setlocalsid sid )
>> 
>> The problem you have is that your workstations are created with a different
>> SID than your domain SID. The easiest way to fix this is to keep your domain
>> SID.
>> So first change the smbldap.conf, add the correct SID. ( found with net
>> getlocalsid )
>> 
>> Export your database, and find in the LDIF the wrong SIDs; change them to the
>> corrected ones.
>> Remove all the good entries out of this file.
>> Backup your LDAP and Samba database.
>> 
>> Delete the corrected objects out of the LDAP database and import the
>> corrected ones again.
>> That should do it.
>> 
>> Let me know if it worked.
>> 
>> Louis
>> 
>> 
>> >-----Original Message-----
>> >From: Felipe [mailto:felipe.piccirilo at gmail.com]
>> >Sent: Monday 1 August 2005 21:46
>> >To: Louis van Belle
>> >Subject: Re: [Samba] Problem to logon after join LDAP/SAMBA domain
>> >
>> >Thanks again for the tips, Louis
>> >
>> >But there's one thing I didn't understand and I would appreciate it if
>> >you could help me: How does Samba define the domain SID? Can I set one SID
>> >myself?
>> >
>> >If you have any how-to or FAQ where I could learn something more about
>> >it, I would appreciate it very much too!
>> >
>> >thanks in advance!
>> >
>> >by the way, sorry about any mistake in my english.. it's not
>> >my native language.
>> >
>> >2005/8/1, Louis van Belle <louis at van-belle.nl>:
>> >> Hi Felipe,
>> >>
>> >> First, great you found it.
>> >>
>> >> Just type net on the console and see the output; there is
>> >> something like this:
>> >>
>> >> net setlocalsid SID   "to set the local domain SID"
>> >>
>> >> This is how I fixed it, ( had a similar problem here )
>> >>
>> >> Make an export of the LDAP database.
>> >> I used ldapadmin and phpldapadmin, just pick one you like.
>> >>
>> >> Do a net getlocalsid, and set this in smbldap.conf
>> >>
>> >> Delete your database.
>> >>
>> >> I used notepad++ (very cool editor) to change the incorrect entries
>> >>
>> >> Import your database again.
>> >>
>> >> If you use Debian, you can also backup
>> >>
>> >> /var/lib/ldap
>> >> /var/lib/samba
>> >>
>> >> Then if something goes wrong, just stop samba and ldap, copy these
>> >> backed-up files back and you're back in the first state.
>> >>
>> >> Good luck,
>> >>
>> >> and my advice, make that backup of /var/lib/ldap and samba.
>> >> I did need it. ;-)
>> >>
>> >> Greetz
>> >>
>> >> Louis
>> >>
>> >>
>> >> >-----Original Message-----
>> >> >From: Felipe [mailto:felipe.piccirilo at gmail.com]
>> >> >Sent: Monday 1 August 2005 14:50
>> >> >To: Louis van Belle
>> >> >CC: Samba users-list
>> >> >Subject: Re: [Samba] Problem to logon after join LDAP/SAMBA domain
>> >> >
>> >> >Hi Louis and all list..
>> >> >
>> >> >Thanks for all the tips, but I think I figured out what was
>> >> >the problem...
>> >> >I'm having some problems with the SID of Samba and LDAP. I try to
>> >> >set it manually but I'm not sure of how it works; I just know that
>> >> >when I perform "net getlocalsid", the SID I get was different from the
>> >> >one in the file smbldap.conf (from smbldap-tools) and when a
>> >> >workstation joined to a domain, it seems that it loses the trust
>> >> >relationship and you can't logon with this workstation.
>> >> >
>> >> >Do you or anyone in the list know if I can change this SID and then
>> >> >build my domain without any problem? If yes, where should I set the
>> >> >SID beyond the smbldap.conf and "net setlocalsid SID" before populating
>> >> >my domain?
>> >> >
>> >> >thanks in advance.
>> >> >
>> >> >regards
>> >> >Felipe.
>> >> >2005/7/29, Louis van Belle <louis at van-belle.nl>:
>> >> >> Have you tried these registry hacks already?
>> >> >>
>> >> >> /snap cut here.
>> >> >> REGEDIT4
>> >> >>
>> >> >> ;-------------------------------------------------------------------------
>> >> >> ; do not roam the following folders
>> >> >>
>> >> >> [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
>> >> >> "ExcludeProfileDirs"="Temporary Internet Files;History;Temp"
>> >> >>
>> >> >> ;-------------------------------------------------------------------------
>> >> >> ; force Windows XP Professional clients to accept Samba as a PDC
>> >> >> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
>> >> >> "requiresignorseal"=dword:00000000
>> >> >> "signsecurechannel"=dword:00000000
>> >> >>
>> >> >> ;-------------------------------------------------------------------------
>> >> >> ; Do not check for user ownership of Roaming Profile Folders
>> >> >> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
>> >> >> "CompatibleRUPSecurity"=dword:00000001
>> >> >> /snap end.
>> >> >>
>> >> >>
>> >> >>
>> >> >> >-----Original Message-----
>> >> >> >From: Felipe [mailto:felipe.piccirilo at gmail.com]
>> >> >> >Sent: Friday 29 July 2005 15:14
>> >> >> >To: Louis van Belle
>> >> >> >Subject: Re: [Samba] Problem to logon after join LDAP/SAMBA domain
>> >> >> >
>> >> >> >Thanks Louis, but unfortunately no... it didn't work.. it seems that
>> >> >> >Samba isn't getting the user and pass, or Windows XP isn't
>> >> >> >sending it in the right way, because in the log.workstation file the
>> >> >> >last lines are:
>> >> >> >
>> >> >> >2005/07/29 10:01:39, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
>> >> >> >  Doing spnego session setup
>> >> >> >[2005/07/29 10:01:39, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
>> >> >> >  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
>> >> >> >[2005/07/29 10:01:39, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
>> >> >> >  Got user=[] domain=[] workstation=[TEC01] len1=1 len2=0
>> >> >> >
>> >> >> >other ideas?
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >2005/7/29, Louis van Belle <louis at van-belle.nl>:
>> >> >> >> I think you have to do this on the console
>> >> >> >>
>> >> >> >> 1 set the password again for the user.   => reset the password
>> >> >> >> 2 smbldap-usermod -J username            => enable the user
>> >> >> >>
>> >> >> >> Sometimes users are disabled; you can check this with the
>> >> >> >> usrmgr.exe from the NT tools
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >> >-----Original Message-----
>> >> >> >> >From: samba-bounces+louis=van-belle.nl at lists.samba.org
>> >> >> >> >[mailto:samba-bounces+louis=van-belle.nl at lists.samba.org] On behalf of Felipe
>> >> >> >> >Sent: Friday 29 July 2005 14:22
>> >> >> >> >To: Samba users-list
>> >> >> >> >Subject: [Samba] Problem to logon after join LDAP/SAMBA domain
>> >> >> >> >
>> >> >> >> >Hi all,
>> >> >> >> >
>> >> >> >> >I'm using SAMBA with LDAP as my PDC but after I join a
>> >> >> >> >Windows XP workstation to the domain, I can't authenticate any
>> >> >> >> >user with this workstation. It gives the following error when I press
>> >> >> >> >ctrl+alt+del and try to logon:
>> >> >> >> >
>> >> >> >> >"The system can't authenticate the user. Check if the user and
>> >> >> >> >password is correct then retype them press ok" etc.....
>> >> >> >> >
>> >> >> >> >In the server, I can see the workstation in the LDAP database, in getent
>> >> >> >> >passwd. The users I try to logon with work when I authenticate in ftp, ssh
>> >> >> >> >and several other services when I use the same workstation as a local
>> >> >> >> >machine.
>> >> >> >> >
>> >> >> >> >I'm using:
>> >> >> >> >samba-3.0.14
>> >> >> >> >pam_ldap-178-1
>> >> >> >> >openldap-devel-2.2.17-1
>> >> >> >> >nss_ldap-238-1
>> >> >> >> >smbldap-tools-0.8.8-1
>> >> >> >> >openldap-2.2.17-1
>> >> >> >> >
>> >> >> >> >Does someone know what is going on? Is there any problem with
>> >> >> >> >Windows or with me?
>> >> >> >> >
>> >> >> >> >best regards,
>> >> >> >> >--
>> >> >> >> >To unsubscribe from this list go to the following URL and read the
>> >> >> >> >instructions:  https://lists.samba.org/mailman/listinfo/samba
>> >> >> >> >
>> >> >> >>
>> >> >> >>
>> >> >> >
>> >> >>
>> >> >>
>> >> >
>> >>
>> >>
>> >
>> 
>>
>
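The procedure Louis describes in the thread (export the directory, find the entries whose SIDs carry a domain prefix other than the one `net getlocalsid` reports, correct them, and re-import) can be checked mechanically. The following Python script is an added example, not code from this thread, from Samba or from smbldap-tools: it parses a slapcat-style LDIF export like the one Felipe posted, reports every sambaSID or sambaPrimaryGroupSID whose domain part differs from the domain SID, and can rewrite those values while keeping each entry's RID. The sample LDIF, the dc=example,dc=com suffix and the sidcheck.py file name are constructed for the example; the two domain SIDs are the ones quoted in the thread.

```python
"""Check an LDIF export for Samba SIDs that do not belong to the domain SID.

Added example (not from the thread, Samba or smbldap-tools): parses
slapcat-style LDIF, reports sambaSID / sambaPrimaryGroupSID values whose
domain prefix differs from the SID `net getlocalsid` reports, and can rewrite
them while keeping each entry's RID.  Usage: python sidcheck.py export.ldif SID
"""
import re
import sys

DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")
SID_ATTRS = ("sambaSID", "sambaPrimaryGroupSID")
# An account SID (domain prefix plus RID) or a bare domain SID on one LDIF line.
SID_LINE_RE = re.compile(
    r"^(?P<attr>sambaSID|sambaPrimaryGroupSID): "
    r"S-1-5-21-\d+-\d+-\d+(?P<rid>-\d+)?$", re.M)

# Constructed sample modelled on the slapcat entry quoted in the thread; the
# SIDs are the two domain SIDs from the thread, the DNs are placeholders.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: EXAMPLE
sambaSID: S-1-5-21-4096754390-2050528769-3303486895

dn: uid=tec01$,ou=Computers,dc=example,dc=com
objectClass: sambaSamAccount
uid: tec01$
sambaSID: S-1-5-21-1037110515-2276738207-3769059760-3012
sambaPrimaryGroupSID: S-1-5-21-4096754390-2050528769-3303486895-515

dn: uid=felipe,ou=Users,dc=example,dc=com
objectClass: sambaSamAccount
uid: felipe
sambaSID: S-1-5-21-4096754390-2050528769-3303486895-3000
sambaPrimaryGroupSID: S-1-5-21-4096754390-2050528769-3303486895-513
"""


def domain_sid_from_getlocalsid(output):
    """Pull the SID out of `net getlocalsid` output
    ("SID for domain NAME is: S-1-5-21-...")."""
    m = re.search(r"is:\s*(S-1-5-21-\d+-\d+-\d+)\s*$", output.strip())
    if not m:
        raise ValueError("unexpected `net getlocalsid` output: %r" % output)
    return m.group(1)


def parse_ldif(text):
    """Return [(dn, {attr: [values]})] per LDIF record.  Folded lines (leading
    space) are joined and comments skipped; base64 ("::") values are kept
    undecoded, which is fine because SIDs are never base64-encoded."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], None
    for line in unfolded + [""]:          # trailing "" flushes the last record
        if not line.strip():
            if current is not None:
                records.append(current)
                current = None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            value = value.lstrip(": ")
            if attr == "dn":
                current = (value, {})
            elif current is not None:
                current[1].setdefault(attr, []).append(value)
    return records


def domain_part(sid):
    """Everything but the trailing RID: S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]


def find_sid_mismatches(ldif_text, domain_sid):
    """Return [(dn, attr, sid)] for every Samba SID outside domain_sid.
    The bare domain SID itself (on the sambaDomain entry) is accepted."""
    if not DOMAIN_SID_RE.match(domain_sid):
        raise ValueError("not a domain SID: %r" % domain_sid)
    bad = []
    for dn, attrs in parse_ldif(ldif_text):
        for attr in SID_ATTRS:
            for sid in attrs.get(attr, []):
                if sid != domain_sid and domain_part(sid) != domain_sid:
                    bad.append((dn, attr, sid))
    return bad


def fix_sid_domain(ldif_text, domain_sid):
    """Rewrite every sambaSID / sambaPrimaryGroupSID onto domain_sid, keeping
    the RID (the "keep your domain sid" fix from the thread).  Assumes the
    directory holds no SIDs of other, trusted domains that must stay as is."""
    def repl(m):
        return "%s: %s%s" % (m.group("attr"), domain_sid, m.group("rid") or "")
    return SID_LINE_RE.sub(repl, ldif_text)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    sid = sys.argv[2] if len(sys.argv) > 2 else domain_sid_from_getlocalsid(
        "SID for domain SRVESDN01 is: S-1-5-21-4096754390-2050528769-3303486895")
    for dn, attr, value in find_sid_mismatches(text, sid):
        print("%s: %s=%s does not belong to %s" % (dn, attr, value, sid))
```

Run against the built-in sample it reports only the tec01$ machine account, whose sambaSID sits under the other domain prefix while its sambaPrimaryGroupSID is already correct, which is exactly the mixed state in Felipe's slapcat output. Running `fix_sid_domain` on the export and re-checking it yields no mismatches; as Louis notes, take a backup of /var/lib/ldap and /var/lib/samba before deleting and re-importing the corrected objects.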


