[Samba] Can't join machines to a Samba PDC using LDAP
Mark Coetser
mark at thummb.com
Mon Aug 8 13:25:13 GMT 2005
Hi David
Did you configure smbldap.conf and smbldap_bind.conf for smbldap-tools, did
you run smbldap-populate?
If the above is fine, then add the following line to your global section of
smb.conf and use administrator to log the machine into the domain.
Thank you,
Mark Adrian Coetser
mark at bwbtrading.co.za, mark at thummb.com
http://www.bwbtrading.co.za http://www.thummb.com
cel: +27 83 296 1199
tel: +27 11 334 7779
-----Original Message-----
From: samba-bounces+mark=thummb.com at lists.samba.org
[mailto:samba-bounces+mark=thummb.com at lists.samba.org] On Behalf Of David
Krider
Sent: 08 August 2005 03:01 PM
To: samba at lists.samba.org
Subject: [Samba] Can't join machines to a Samba PDC using LDAP
I've been trying to do this for days, and I think I'm really close. It's
become one of those so-close-yet-so-far sorts of things. I'm running
Gentoo -- all sync'ed up and current as of a week ago -- with the
following package versions:
openldap-2.1.30-r5
pam_ldap-178-r1
nss_ldap-239-r1
smbldap-tools-0.9.1-r1
phpldapadmin-0.9.5 (very cool, I must say!)
samba-3.0.14a-r2
I've been following the ideal.org howto as closely as I can, but from
what I've google'd since having my problem, I guess it's a little out of
date. Apparently, you do NOT have to join machines to the domain using a
uid 0 account. However, I don't really care about that; I just want to
get it joined. Specifically, I'm trying to join a Win2K (fully patched)
client to the domain.
The error I'm getting seems like it ought to be solvable, but I haven't
seen it anywhere on the net, though I've seen one pretty close (full log
below):
smbd[20039]: _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "defiant$"' gave 1
It's clear from "slapd[13182]: conn=999 op=2 RESULT tag=103 err=8
text=modifications require authentication" that I'm not getting logged into the ldap server.
Unfortunately, I don't know how or what to get more logging on to be
able to get any more information. I can use phpldapadmin to triple check
that the password I'm using for root is what's in openldap (and is
different from the root account in /etc/passwd).
There's always another error message in my logs with each attempt, but I
have no idea where it's coming from, and I don't know if it has anything
to do with anything:
rc-scripts: /sbin/runscript.sh: must be root to run init scripts
If I create the machine account with `smbldap-useradd -w' (to try to
join the machine in two steps like can be done in a Windows-only
environment), I get errors in the log about not being able to access the
ldap directory unless root. The stupid part is that I *am* trying to
join the machine as root. (From what I've read, this is a bug. Since I
don't have to have this functionality, I'm not worrying about it.)
Thanks for whatever help anyone can give. It's not like I'm a noob here.
I've run a smbpasswd-backend'ed domain at another site for many years
now. It's just that I'm trying to get everything tied together on my
development machines now, and I'm having no luck. I've already put about
20 hours of research into this, and I just don't know what else to try
(except to wait for the next version of Samba to hit the portage tree).
Regards,
dk
Here's slapd.conf:
----------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
checkpoint 32 30 # <kbyte> <min>
suffix "dc=starfleet,dc=mil"
rootdn "cn=Manager,dc=starfleet,dc=mil"
rootpw secret
directory /var/lib/openldap-data
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
access to *
by * read
Here's (the main section of) smb.conf:
-----------------
[global]
workgroup = STARFLEET
server string = Excelsior
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1/
log level = 9
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
logon script = startup.bat
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Manager,dc=starfleet,dc=mil
ldap delete dn = Yes
ldap filter =
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=starfleet,dc=mil
ldap user suffix = ou=Users
ldap idmap suffix = ou=Users
#enable privileges = Yes
Full log:
------------------------
Aug 8 07:32:08 excelsior slapd[13181]: conn=998 fd=29 ACCEPT from IP=127.0.0.1:53428 (IP=0.0.0.0:389)
Aug 8 07:32:08 excelsior slapd[13186]: conn=998 op=0 BIND dn="cn=Manager,dc=starfleet,dc=mil" method=128
Aug 8 07:32:08 excelsior slapd[13186]: conn=998 op=0 BIND dn="cn=Manager,dc=starfleet,dc=mil" mech=SIMPLE ssf=0
Aug 8 07:32:08 excelsior slapd[13186]: conn=998 op=0 RESULT tag=97 err=0 text=
Aug 8 07:32:08 excelsior slapd[13182]: conn=998 op=1 SRCH base="" scope=0 filter="(objectClass=*)"
Aug 8 07:32:08 excelsior slapd[13182]: conn=998 op=1 SRCH attr=supportedControl
Aug 8 07:32:08 excelsior slapd[13182]: conn=998 op=1 RESULT tag=101 err=0 text=
Aug 8 07:32:08 excelsior slapd[13185]: conn=998 op=2 SRCH base="dc=starfleet,dc=mil" scope=2 filter="(&(objectClass=sambaSamAccount))"
Aug 8 07:32:08 excelsior slapd[13185]: conn=998 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
Aug 8 07:32:08 excelsior slapd[13185]: conn=998 op=2 SEARCH RESULT tag=101 err=0 nentries=2 text=
Aug 8 07:32:09 excelsior slapd[13186]: conn=998 op=3 SRCH base="dc=starfleet,dc=mil" scope=2 filter="(&(objectClass=sambaSamAccount))"
Aug 8 07:32:09 excelsior slapd[13186]: conn=998 op=3 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
Aug 8 07:32:09 excelsior slapd[13186]: conn=998 op=3 SEARCH RESULT tag=101 err=0 nentries=2 text=
Aug 8 07:32:09 excelsior slapd[13182]: conn=582 op=1163 SRCH base="ou=Users,dc=starfleet,dc=mil" scope=1 filter="(&(objectClass=posixAccount)(uid=defiant$))"
Aug 8 07:32:09 excelsior slapd[13182]: conn=582 op=1163 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Aug 8 07:32:09 excelsior slapd[13182]: conn=582 op=1163 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug 8 07:32:09 excelsior slapd[13185]: conn=582 op=1164 SRCH base="ou=Computers,dc=starfleet,dc=mil" scope=1 filter="(&(objectClass=posixAccount)(uid=defiant$))"
Aug 8 07:32:09 excelsior slapd[13185]: conn=582 op=1164 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Aug 8 07:32:09 excelsior slapd[13185]: conn=582 op=1164 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug 8 07:32:09 excelsior slapd[13186]: conn=582 op=1165 SRCH base="ou=Users,dc=starfleet,dc=mil" scope=1 filter="(&(objectClass=posixAccount)(uid=DEFIANT$))"
Aug 8 07:32:09 excelsior slapd[13186]: conn=582 op=1165 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Aug 8 07:32:09 excelsior slapd[13186]: conn=582 op=1165 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug 8 07:32:09 excelsior slapd[13182]: conn=582 op=1166 SRCH base="ou=Computers,dc=starfleet,dc=mil" scope=1 filter="(&(objectClass=posixAccount)(uid=DEFIANT$))"
Aug 8 07:32:09 excelsior slapd[13182]: conn=582 op=1166 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Aug 8 07:32:09 excelsior slapd[13182]: conn=582 op=1166 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug 8 07:32:10 excelsior slapd[13181]: conn=999 fd=30 ACCEPT from IP=127.0.0.1:53429 (IP=0.0.0.0:389)
Aug 8 07:32:10 excelsior rc-scripts: /sbin/runscript.sh: must be root to run init scripts
Aug 8 07:32:10 excelsior slapd[13185]: conn=999 op=0 SRCH base="dc=starfleet,dc=mil" scope=2 filter="(&(objectClass=posixAccount)(uid=defiant$))"
Aug 8 07:32:10 excelsior slapd[13185]: conn=999 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug 8 07:32:10 excelsior slapd[13186]: conn=999 op=1 SRCH base="sambaDomainName=STARFLEET,dc=starfleet,dc=mil" scope=0 filter="(objectClass=sambaUnixIdPool)"
Aug 8 07:32:10 excelsior slapd[13186]: conn=999 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 8 07:32:10 excelsior slapd[13182]: conn=999 op=2 MOD dn="sambaDomainName=STARFLEET,dc=starfleet,dc=mil"
Aug 8 07:32:10 excelsior slapd[13182]: conn=999 op=2 MOD attr=uidNumber
Aug 8 07:32:10 excelsior slapd[13182]: conn=999 op=2 RESULT tag=103 err=8 text=modifications require authentication
Aug 8 07:32:10 excelsior slapd[13181]: conn=999 fd=30 closed
Aug 8 07:32:10 excelsior smbd[20039]: [2005/08/08 07:32:10, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
Aug 8 07:32:10 excelsior smbd[20039]: _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "defiant$"' gave 1
Aug 8 07:32:10 excelsior slapd[13181]: conn=998 fd=29 closed
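The pattern in the log above (smbd's conn=998 binds as the admin DN, while the smbldap-useradd run on conn=999 issues a MOD without ever binding and gets err=8) can be picked out mechanically. The following audit script is an added example, not code from the post or from Samba/smbldap-tools; its sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample (not the poster's log verbatim), modelled on the slapd
# lines above: conn=998 is smbd, which BINDs as the admin DN before searching;
# conn=999 is the smbldap-useradd run, which never BINDs before its MOD.
SAMPLE_LOG = """\
Aug  8 07:32:08 excelsior slapd[13181]: conn=998 fd=29 ACCEPT from IP=127.0.0.1:53428 (IP=0.0.0.0:389)
Aug  8 07:32:08 excelsior slapd[13186]: conn=998 op=0 BIND dn="cn=Manager,dc=starfleet,dc=mil" method=128
Aug  8 07:32:08 excelsior slapd[13186]: conn=998 op=0 RESULT tag=97 err=0 text=
Aug  8 07:32:08 excelsior slapd[13185]: conn=998 op=2 SRCH base="dc=starfleet,dc=mil" scope=2 filter="(objectClass=sambaSamAccount)"
Aug  8 07:32:10 excelsior slapd[13181]: conn=999 fd=30 ACCEPT from IP=127.0.0.1:53429 (IP=0.0.0.0:389)
Aug  8 07:32:10 excelsior slapd[13182]: conn=999 op=2 MOD dn="sambaDomainName=STARFLEET,dc=starfleet,dc=mil"
Aug  8 07:32:10 excelsior slapd[13182]: conn=999 op=2 RESULT tag=103 err=8 text=modifications require authentication
Aug  8 07:32:10 excelsior slapd[13181]: conn=999 fd=30 closed
"""

LINE_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
WRITE_RE = re.compile(r'^(?P<kind>ADD|MOD|MODRDN|DEL) dn="')
RESULT_RE = re.compile(r"^(?:SEARCH )?RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)")

def audit_connections(log_text):
    """Per connection: DN it bound as (None = anonymous), each write op flagged
    if it ran before a successful BIND, and ops whose RESULT had err != 0."""
    conns = {}
    pending_bind = {}  # (conn, op) -> DN of a BIND whose RESULT has not arrived yet
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a slapd conn line (e.g. the smbd or rc-scripts lines)
        conn, op, rest = int(m["conn"]), m["op"], m["rest"]
        st = conns.setdefault(conn, {"bound_as": None, "writes": [], "failures": []})
        if (b := BIND_RE.match(rest)):
            pending_bind[(conn, op)] = b["dn"]
        elif (w := WRITE_RE.match(rest)):
            st["writes"].append((int(op), w["kind"], st["bound_as"] is None))
        elif (r := RESULT_RE.match(rest)):
            err = int(r["err"])
            if r["tag"] == "97" and err == 0 and (conn, op) in pending_bind:
                st["bound_as"] = pending_bind.pop((conn, op))  # bind succeeded
            elif err != 0:
                st["failures"].append((int(op), err))
    return conns

def anonymous_writes(log_text):
    """Writes attempted on a connection that never bound first. err=8 on such an
    op means the client's bind credentials (smbldap_bind.conf here) never reached slapd."""
    return [(conn, op, kind) for conn, st in audit_connections(log_text).items()
            for op, kind, anon in st["writes"] if anon]
```

Run against a real slapd log at loglevel 256, any (conn, op) reported by anonymous_writes points at the client process that needs its bind DN and credentials checked, rather than at the ACLs in slapd.conf.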