[Samba] Adding machine to domain fails - check permissions? (ldap)
Joachim Kieferle
joakie at fab.fh-wiesbaden.de
Fri Aug 12 08:36:08 GMT 2005
Dear Eduard,
as far as I understand JHT in his "Samba by example", chapter 5,
computers are treated like users. So what worked for me with SuSE 9.3 was:
1. in smb.conf
ldap machine suffix = ou=Users
2. in smbldap.conf
computersdn="ou=Users,${suffix}"
Best
Joachim
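The two settings above have to name the same container: smbd looks for machine accounts under "ldap machine suffix" joined to "ldap suffix", while smbldap-useradd -w creates the entry under "computersdn" from smbldap.conf. The following POSIX shell script is an added example (not code from this thread, from Samba or from the smbldap-tools project) that reads both files and reports whether they agree. The sample configs it writes are constructed for the demo; the second smb.conf mirrors the ou=Computers setting from the quoted smb.conf below so the mismatch case is visible. The function names (smbconf_get, smbldap_get, check_machine_container) are the example's own.

```shell
#!/bin/sh
# Added example, not from the Samba list thread or the smbldap-tools project:
# verify that the container smbd uses for machine accounts
# ("ldap machine suffix" + "ldap suffix" in smb.conf) is the container
# smbldap-tools writes new computer entries to ("computersdn" in smbldap.conf).
# If they differ, "add machine script" creates the entry in one OU while smbd
# searches another, and the domain join fails.

# Fetch KEY from an smb.conf-style file: leading whitespace and the
# "key = value" spacing are tolerated, commented lines (# or ;) never match,
# and the first occurrence wins.
smbconf_get() {
    _key=$1; _file=$2
    sed -n "s/^[[:space:]]*$_key[[:space:]]*=[[:space:]]*//p" "$_file" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Fetch KEY from smbldap.conf, dropping surrounding double quotes and
# expanding a literal ${suffix} reference with the file's own "suffix" value.
smbldap_get() {
    _key=$1; _file=$2
    _raw=$(sed -n "s/^[[:space:]]*$_key[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$_file" \
        | head -n 1)
    if [ "$_key" != suffix ]; then
        _suf=$(smbldap_get suffix "$_file")
        _raw=$(printf '%s' "$_raw" | sed 's/\${suffix}/'"$_suf"'/')
    fi
    printf '%s' "$_raw"
}

# Normalise a DN for comparison: lowercase, no whitespace around commas.
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[[:space:]]*,[[:space:]]*/,/g'
}

# Compare smbd's machine container with smbldap-tools' computersdn.
# Returns 0 when they agree, 1 when they differ. An unset "ldap machine
# suffix" falls back to "ldap suffix", as smbd does.
check_machine_container() {
    _smb=$1; _ldap=$2
    _ms=$(smbconf_get 'ldap machine suffix' "$_smb")
    _base=$(smbconf_get 'ldap suffix' "$_smb")
    _samba_dn=$(norm_dn "${_ms:+$_ms,}$_base")
    _tools_dn=$(norm_dn "$(smbldap_get computersdn "$_ldap")")
    if [ "$_samba_dn" = "$_tools_dn" ]; then
        echo "OK: both sides use $_samba_dn"
        return 0
    fi
    echo "MISMATCH: smbd searches $_samba_dn but smbldap-useradd -w writes to $_tools_dn" >&2
    return 1
}

# Constructed sample configs for the demo (not anyone's real files).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/smb.conf" <<'EOF'
[global]
   workgroup = hawarit
   ldap suffix = dc=hawarit,dc=com
   ldap user suffix = ou=Users
   # ldap machine suffix = ou=Computers
   ldap machine suffix = ou=Users
   add machine script = /usr/sbin/smbldap-useradd -w "%u"
EOF
cat > "$SAMPLES/smbldap.conf" <<'EOF'
suffix="dc=hawarit,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Users,${suffix}"
EOF
# Second smb.conf with the ou=Computers setting from the quoted config:
# machines are expected there while smbldap.conf still writes them to ou=Users.
cat > "$SAMPLES/smb-mismatch.conf" <<'EOF'
[global]
   ldap suffix = dc=hawarit,dc=com
   ldap machine suffix = ou=Computers
EOF

check_machine_container "$SAMPLES/smb.conf" "$SAMPLES/smbldap.conf"
check_machine_container "$SAMPLES/smb-mismatch.conf" "$SAMPLES/smbldap.conf" || true
```

On a real server, run check_machine_container against /etc/samba/smb.conf and the smbldap.conf in use (the path varies by distribution); a MISMATCH result before a join attempt is cheaper to find than the "could not add user/computer ... to passdb" log line after one.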
Eduard Witteveen wrote:
> Dear list,
>
> When I try to add a machine to the domain (ldap/pdc) I get the
> following error:
>
>> Error: modifications require authentication at
>> /usr/share/perl5/smbldap_tools.pm line 891, <DATA> line 283.
>> [2005/08/11 16:46:54, 0]
>> rpc_server/srv_samr_nt.c:_samr_create_user(2324)
>> _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
>> "eduard-laptop$"' gave 127
>
>
> Since I used the user Administrator, when I log in from the Windows machine
> to the Linux computer running Samba with the username Administrator
> (an account which is stored inside LDAP), I *can* run the command
> successfully. (This user is actually root since I changed the gidnumber
> and the uidnumber both to 0.)
>
> But when this machine has been added manually to the LDAP database, I
> still cannot join the domain and Samba puts information like the
> following in the log:
>
>> [2005/08/11 17:05:07, 0] lib/smbldap.c:smbldap_open(882)
>> smbldap_open: cannot access LDAP when not root..
>> .....
>> [2005/08/11 17:05:22, 0] lib/smbldap.c:smbldap_search_suffix(1176)
>> smbldap_search_suffix: Problem during the LDAP search: (Timed out)
>> [2005/08/11 17:05:22, 0]
>> rpc_server/srv_samr_nt.c:_samr_create_user(2350)
>> could not add user/computer eduard-laptop$ to passdb. Check
>> permissions?
>
>
> I've attached the smb.conf for completeness. Furthermore, I'm running
> version 3.0.14a-Ubuntu.
>
> Please let me know how I can let Samba execute the "add machine
> script" successfully.
>
>------------------------------------------------------------------------
>
># Global parameters
>[global]
> workgroup = hawarit
> netbios name = pdc
> enable privileges = yes
># interfaces = 192.168.5.11
> username map = /etc/samba/smbusers
> server string = Samba Server %v
> security = user
> encrypt passwords = true
># min passwd length = 3
> min print space = 3
> obey pam restrictions = No
> #unix password sync = Yes
> #passwd program = /usr/sbin/smbldap-passwd -u %u
> #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
> ldap passwd sync = Yes
> log level = 0
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 100000
> time server = Yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> mangling method = hash2
> Dos charset = 850
> Unix charset = ISO8859-1
>
> logon script = logon.bat
> logon drive = H:
> logon home =
> logon path =
>
> domain logons = Yes
> os level = 65
> preferred master = Yes
> domain master = Yes
> wins support = no
> passdb backend = ldapsam:ldap://127.0.0.1/
> # passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"
> # ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
> ldap admin dn = cn=manager,dc=hawarit,dc=com
> ldap suffix = dc=hawarit,dc=com
> ldap group suffix = ou=Groups
> ldap user suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Users
>
>#TODO: use tls on ldap server one day!
># ldap ssl = start tls
> ldap ssl = no
> add user script = /usr/sbin/smbldap-useradd -m "%u"
> ldap delete dn = Yes
> #delete user script = /usr/sbin/smbldap-userdel "%u"
> add machine script = /usr/sbin/smbldap-useradd -w "%u"
> add group script = /usr/sbin/smbldap-groupadd -p "%g"
> #delete group script = /usr/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>
> # printers configuration
> printer admin = @"Print Operators"
> load printers = Yes
> create mask = 0640
> directory mask = 0750
> nt acl support = No
> printing = cups
> printcap name = cups
> deadtime = 10
> guest account = nobody
> map to guest = Bad User
> dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
> show add printer wizard = yes
> ; to maintain capital letters in shortcuts in any of the profile folders:
> preserve case = yes
> short preserve case = yes
> case sensitive = no
>
>[homes]
> comment = repertoire de %U, %u
> read only = No
> create mask = 0644
> directory mask = 0775
> browseable = No
>
>[netlogon]
> path = /home/samba/netlogon/
> browseable = No
> read only = yes
>
>[profiles]
> path = /home/samba/profiles
> read only = no
> create mask = 0600
> directory mask = 0700
> browseable = No
> guest ok = Yes
> profile acls = yes
> csc policy = disable
> # next line is a great way to secure the profiles
> force user = %U
> # next line allows administrator to access all profiles
> valid users = %U @"Domain Admins"
>
>[printers]
> comment = Network Printers
> printer admin = @"Print Operators"
> guest ok = yes
> printable = yes
> path = /home/samba/spool/
> browseable = No
> read only = Yes
> printable = Yes
> print command = /usr/bin/lpr -P%p -r %s
> lpq command = /usr/bin/lpq -P%p
> lprm command = /usr/bin/lprm -P%p %j
>
>[print$]
> path = /home/samba/printers
> guest ok = No
> browseable = Yes
> read only = Yes
> valid users = @"Print Operators"
> write list = @"Print Operators"
> create mask = 0664
> directory mask = 0775
>
>[public]
> comment = Repertoire public
> path = /public
> browseable = Yes
> guest ok = Yes
> read only = No
> directory mask = 0775
> create mask = 0664
>
>