[Samba] Adding machine to domain fails - check permissions? (ldap)

Eduard Witteveen samba at nergens.org
Sun Aug 14 10:02:07 GMT 2005 

Eduard Witteveen wrote:

>> Error: modifications require authentication at 
>> /usr/share/perl5/smbldap_tools.pm line 891, <DATA> line 283.
>>   [2005/08/11 16:46:54, 0] 
>> rpc_server/srv_samr_nt.c:_samr_create_user(2324)
>> _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w 
>> "eduard-laptop$"' gave 127
>
>
I didnt read the log file completely, before this message there were 
also some other messages:

> root at pdc:/var/log/samba# cat log.eduard-laptop
> [2005/08/12 15:15:26, 0] lib/util_sock.c:write_socket_data(430)
>   write_socket_data: write failure. Error = Connection reset by peer
> [2005/08/12 15:15:26, 0] lib/util_sock.c:write_socket(455)
>   write_socket: Error writing 4 bytes to socket 25: ERRNO = Connection 
> reset by peer
> [2005/08/12 15:15:26, 0] lib/util_sock.c:send_smb(647)
>   Error writing 4 bytes to client. -1. (Connection reset by peer)
> [2005/08/12 15:15:28, 0] lib/util_sock.c:write_socket_data(430)
>   write_socket_data: write failure. Error = Connection reset by peer
> [2005/08/12 15:15:28, 0] lib/util_sock.c:write_socket(455)
>   write_socket: Error writing 4 bytes to socket 25: ERRNO = Connection 
> reset by peer
> [2005/08/12 15:15:28, 0] lib/util_sock.c:send_smb(647)
>   Error writing 4 bytes to client. -1. (Connection reset by peer)
> Error: modifications require authentication at 
> /usr/share/perl5/smbldap_tools.pm line 891, <DATA> line 283.
> [2005/08/12 15:15:38, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
>   _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w 
> "eduard-laptop$"' gave 127
> root at pdc:/var/log/samba#


I assume that this means that the smbldap_tools.pm script cannot connect 
to the ldap server. Therefore i opened the file and found the following 
code:

> sub get_next_id($$) {
>   my $ldap_base_dn = shift;
>   my $attribute = shift;
>   my $tries = 0;
>   my $found=0;
>   my $next_uid_mesg;
>   my $nextuid;
>   if ($ldap_base_dn =~ m/$config{usersdn}/i) {
>     # when adding a new user, we'll check if the uidNumber available 
> is not
>     # already used for a computer's account
>     $ldap_base_dn=$config{suffix}
>   }
>   do {
>     $next_uid_mesg = $ldap->search(
>                                           base => 
> $config{sambaUnixIdPooldn},
>                                           filter => 
> "(objectClass=sambaUnixIdPool)",
>                                           scope => "base"
>                                          );
>     $next_uid_mesg->code && die "Error looking for next uid";
>     if ($next_uid_mesg->count != 1) {
>       die "Could not find base dn, to get next $attribute";
>     }
>     my $entry = $next_uid_mesg->entry(0);
>                 $nextuid = $entry->get_value($attribute);
>     my $modify=$ldap->modify( "$config{sambaUnixIdPooldn}",
>                                      changes => [
>                                                  replace => [ 
> $attribute => $nextuid + 1 ]
>                                                 ]
>                                    );
>     $modify->code && die "Error: ", $modify->error;


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

>     # let's check if the id found is really free (in ou=Groups or 
> ou=Users)...
>     my $check_uid_mesg = $ldap->search(
>                                               base => $ldap_base_dn,
>                                               filter => 
> "($attribute=$nextuid)",
>                                              );
>     $check_uid_mesg->code && die "Cannot confirm $attribute $nextuid 
> is free";
>     if ($check_uid_mesg->count == 0) {
>       $found=1;
>       return $nextuid;
>     }
>     $tries++;
>     print "Cannot confirm $attribute $nextuid is free: checking for 
> the next one\n"
>   } while ($found != 1);
>   die "Could not allocate $attribute!";
> }


This means that the variable $config{sambaUnixIdPooldn} contains 
something we dont like.  I assume that this came from the file 
/etc/smbldap-tools/smbldap.conf

This contains the value:

> sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"


(i checked this one and it exists in ldap)

Also:

> suffix="dc=hawarit,dc=com"



I've read the other documentation, but it doesnt give me any clue's 
Joachim told me to store the machines in the Users organisation-unit.

Could somebody please give me some more pointers?

-- 
Eduard Witteveen
+31 (0)6 414 789 23
nl_NL  fy_NL  en_US

-------------- next part --------------
# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.15 2004/10/14 09:53:14 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

#  This code was developped by IDEALX (http://IDEALX.org/) and
#  contributors (their names can be found in the CONTRIBUTORS file).
#
#                 Copyright (C) 2001-2002 IDEALX
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.

#  Purpose :
#       . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID
# to obtain this number do: net getlocalsid
#SID="S-1-5-21-1911238739-97561441-2706018148"
SID="S-1-5-21-183558713-2656141884-2480778994"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have 
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Ex: slaveLDAP=127.0.0.1
slaveLDAP="127.0.0.1"
slavePort="389"

# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="127.0.0.1"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=hawarit,dc=com"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
# 
# Unix Accounts Configuration
# 
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="99"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Ex: \\My-PDC-netbios-name\homes\%U
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
userSmbHome="\\pdc\homes\%U"

# The UNC path to profiles locations (%U username substitution)
# Ex: \\My-PDC-netbios-name\profiles\%U
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
userProfile="\\pdc\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: H: for H:
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: %U.cmd
# userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.cmd"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
mailDomain="hawarit.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
-------------- next part --------------
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=manager,dc=hawarit,dc=com"
slavePw="password"
masterDN="cn=manager,dc=hawarit,dc=com"
masterPw="password"

More information about the samba mailing list