[Samba] Samba3+LDAP: Can't join domain.
David Szanto
dszanto at gmail.com
Mon Jul 4 16:04:27 GMT 2005
Hi everyone!!
I'm having a bit of trouble joining a Samba 3 PDC with LDAP authentication.
First some tips on what system I'm using:
- Debian Sarge
- Samba 3.0.14a-Debian
- OpenLDAP 2.2.24 : Protocol v.3
Well, now I'll explain the problem and show you some log output.
Whenever I try to join the domain I get the following error:
--begin---------------------
# net rpc join GICOMMNET
Creation of workstation account failed
Unable to join domain GICOMMNET.
--end---------------------
So, I check my logs to see what's wrong and I see this in the Samba log:
--begin---------------------
[2005/07/04 17:29:36, 0] rpc_server/srv_netlog_nt.c:get_md4pw(244)
get_md4pw: Workstation DAVIDSZANTO$: no account in domain
Error: modifications require authentication
at /usr/share/perl5/smbldap_tools.pm line 1005, <DATA> line 283.
[2005/07/04 17:29:39, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
_samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
"davidszanto$"' gave 1
--end--------------------
So I check if everything is alright with my smbldap-useradd command, and I try
creating the account manually using exactly the same command. Everything
works fine. The account is created and machine davidszanto$ is created.
So then I scratch my head a bit, and while I'm losing most of my hair I try
something a bit easier. Let's see if I can recover the user list or the
group list. I use the "net user -I 192.168.xxx.xxx" and it works fine. I
get the whole list and same with groups. So, if everything looks fine,
where's the mistake?
I try joining again and this time I check the slapd log as well and I get the
biggest transaction log record in history!! :
--begin------------------
Jul 4 17:38:49 localhost slapd[8515]: connection_get(10): got connid=35
Jul 4 17:38:49 localhost slapd[8515]: connection_read(10): checking for input
on id=35
Jul 4 17:38:49 localhost slapd[8515]: do_bind
Jul 4 17:38:49 localhost slapd[8515]: ber_get_next on fd 10 failed errno=11
(Resource temporarily unavailable)
Jul 4 17:38:49 localhost slapd[8515]: >>> dnPrettyNormal:
<cn=admin,dc=gicomm,dc=iberica,dc=esp>
Jul 4 17:38:49 localhost slapd[8515]: <<< dnPrettyNormal:
<cn=admin,dc=gicomm,dc=iberica,dc=esp>, <cn=admin,dc=gicomm,dc=i
berica,dc=esp>
Jul 4 17:38:49 localhost slapd[8515]: do_bind: version=3
dn="cn=admin,dc=gicomm,dc=iberica,dc=esp" method=128
Jul 4 17:38:49 localhost slapd[8515]: do_bind: v3 bind:
"cn=admin,dc=gicomm,dc=iberica,dc=esp" to "cn=admin,dc=gicomm,dc=i
berica,dc=esp"
Jul 4 17:38:49 localhost slapd[8515]: send_ldap_result: conn=35 op=0 p=3
Jul 4 17:38:49 localhost slapd[8515]: send_ldap_response: msgid=1 tag=97
err=0
Jul 4 17:38:49 localhost slapd[8515]: connection_get(10): got connid=35
Jul 4 17:38:49 localhost slapd[8515]: connection_read(10): checking for input
on id=35
Jul 4 17:38:49 localhost slapd[8515]: ber_get_next on fd 10 failed errno=11
(Resource temporarily unavailable)
Jul 4 17:38:49 localhost slapd[8515]: do_search
Jul 4 17:38:49 localhost slapd[8515]: >>> dnPrettyNormal: <>
Jul 4 17:38:49 localhost slapd[8515]: <<< dnPrettyNormal: <>, <>
Jul 4 17:38:49 localhost slapd[8515]: => send_search_entry: dn=""
Jul 4 17:38:49 localhost slapd[8515]: <= send_search_entry
Jul 4 17:38:49 localhost slapd[8515]: send_ldap_result: conn=35 op=1 p=3
Jul 4 17:38:49 localhost slapd[8515]: send_ldap_response: msgid=2 tag=101
err=0
Jul 4 17:38:49 localhost slapd[8515]: connection_get(10): got connid=35
Jul 4 17:38:50 localhost slapd[8515]: connection_read(10): checking for input
on id=35
Jul 4 17:38:50 localhost slapd[8515]: ber_get_next on fd 10 failed errno=11
(Resource temporarily unavailable)
Jul 4 17:38:50 localhost slapd[8515]: do_search
Jul 4 17:38:50 localhost slapd[8515]: >>> dnPrettyNormal:
<dc=gicomm,dc=iberica,dc=esp>
Jul 4 17:38:50 localhost slapd[8515]: <<< dnPrettyNormal:
<dc=gicomm,dc=iberica,dc=esp>, <dc=gicomm,dc=iberica,dc=esp>
Jul 4 17:38:50 localhost slapd[8515]: => bdb_search
Jul 4 17:38:50 localhost slapd[8515]:
bdb_dn2entry("dc=gicomm,dc=iberica,dc=esp")
Jul 4 17:38:50 localhost slapd[8515]: search_candidates:
base="dc=gicomm,dc=iberica,dc=esp" (0x00000001) scope=2
Jul 4 17:38:50 localhost slapd[8515]: =>
bdb_dn2idl( "dc=gicomm,dc=iberica,dc=esp" )
Jul 4 17:38:50 localhost slapd[8515]: => bdb_equality_candidates
(objectClass)
Jul 4 17:38:50 localhost slapd[8515]: => key_read
Jul 4 17:38:50 localhost slapd[8515]: <= bdb_index_read: failed (-30990)
Jul 4 17:38:50 localhost slapd[8515]: <= bdb_equality_candidates: id=0,
first=0, last=0
Jul 4 17:38:50 localhost slapd[8515]: => bdb_equality_candidates (uid)
Jul 4 17:38:50 localhost slapd[8515]: => key_read
Jul 4 17:38:50 localhost slapd[8515]: <= bdb_index_read: failed (-30990)
Jul 4 17:38:50 localhost slapd[8515]: <= bdb_equality_candidates: id=0,
first=0, last=0
Jul 4 17:38:50 localhost slapd[8515]: bdb_search_candidates: id=0 first=1
last=0
Jul 4 17:38:50 localhost slapd[8515]: bdb_search: no candidates
Jul 4 17:38:50 localhost slapd[8515]: send_ldap_result: conn=35 op=2 p=3
Jul 4 17:38:50 localhost slapd[8515]: send_ldap_response: msgid=3 tag=101
err=0
Jul 4 17:38:50 localhost smbd[8612]: [2005/07/04 17:38:50, 0]
rpc_server/srv_netlog_nt.c:get_md4pw(244)
Jul 4 17:38:50 localhost smbd[8612]: get_md4pw: Workstation DAVIDSZANTO$:
no account in domain
Jul 4 17:38:50 localhost slapd[8515]: connection_get(10): got connid=35
Jul 4 17:38:50 localhost slapd[8515]: connection_read(10): checking for input
on id=35
Jul 4 17:38:50 localhost slapd[8515]: ber_get_next on fd 10 failed errno=0
(Success)
Jul 4 17:38:50 localhost slapd[8515]: connection_read(10): input error=-2
id=35, closing.
Jul 4 17:38:50 localhost slapd[8515]: connection_closing: readying conn=35
sd=10 for close
Jul 4 17:38:50 localhost slapd[8515]: connection_close: conn=35 sd=10
Jul 4 17:38:51 localhost slapd[8515]: connection_get(10): got connid=36
Jul 4 17:38:51 localhost slapd[8515]: connection_read(10): checking for input
on id=36
Jul 4 17:38:51 localhost slapd[8515]: ber_get_next on fd 10 failed errno=11
(Resource temporarily unavailable)
Jul 4 17:38:51 localhost slapd[8515]: do_bind
Jul 4 17:38:51 localhost slapd[8515]: >>> dnPrettyNormal:
<cn=admin,dc=gicomm,dc=iberica,dc=esp>
Jul 4 17:38:51 localhost slapd[8515]: <<< dnPrettyNormal:
<cn=admin,dc=gicomm,dc=iberica,dc=esp>, <cn=admin,dc=gicomm,dc=i
berica,dc=esp>
Jul 4 17:38:51 localhost slapd[8515]: do_bind: version=3
dn="cn=admin,dc=gicomm,dc=iberica,dc=esp" method=128
Jul 4 17:38:51 localhost slapd[8515]: do_bind: v3 bind:
"cn=admin,dc=gicomm,dc=iberica,dc=esp" to "cn=admin,dc=gicomm,dc=i
berica,dc=esp"
Jul 4 17:38:51 localhost slapd[8515]: send_ldap_result: conn=36 op=0 p=3
Jul 4 17:38:51 localhost slapd[8515]: send_ldap_response: msgid=1 tag=97
err=0
Jul 4 17:38:51 localhost slapd[8515]: connection_get(10): got connid=36
Jul 4 17:38:51 localhost slapd[8515]: connection_read(10): checking for input
on id=36
Jul 4 17:38:51 localhost slapd[8515]: ber_get_next on fd 10 failed errno=11
(Resource temporarily unavailable)
Jul 4 17:38:51 localhost slapd[8515]: do_search
Jul 4 17:38:51 localhost slapd[8515]: >>> dnPrettyNormal: <>
Jul 4 17:38:51 localhost slapd[8515]: <<< dnPrettyNormal: <>, <>
Jul 4 17:38:51 localhost slapd[8515]: => send_search_entry: dn=""
Jul 4 17:38:51 localhost slapd[8515]: <= send_search_entry
Jul 4 17:38:51 localhost slapd[8515]: send_ldap_result: conn=36 op=1 p=3
Jul 4 17:38:51 localhost slapd[8515]: send_ldap_response: msgid=2 tag=101
err=0
Jul 4 17:38:51 localhost slapd[8515]: connection_get(10): got connid=36
Jul 4 17:38:51 localhost slapd[8515]: connection_read(10): checking for input
on id=36
Jul 4 17:38:51 localhost slapd[8515]: ber_get_next on fd 10 failed errno=11
(Resource temporarily unavailable)
Jul 4 17:38:51 localhost slapd[8515]: do_search
Jul 4 17:38:51 localhost slapd[8515]: >>> dnPrettyNormal:
<dc=gicomm,dc=iberica,dc=esp>
Jul 4 17:38:51 localhost slapd[8515]: <<< dnPrettyNormal:
<dc=gicomm,dc=iberica,dc=esp>, <dc=gicomm,dc=iberica,dc=esp>
Jul 4 17:38:51 localhost slapd[8515]: => bdb_search
Jul 4 17:38:51 localhost slapd[8515]:
bdb_dn2entry("dc=gicomm,dc=iberica,dc=esp")
Jul 4 17:38:51 localhost slapd[8515]: search_candidates:
base="dc=gicomm,dc=iberica,dc=esp" (0x00000001) scope=2
Jul 4 17:38:51 localhost slapd[8515]: =>
bdb_dn2idl( "dc=gicomm,dc=iberica,dc=esp" )
Jul 4 17:38:51 localhost slapd[8515]: => bdb_equality_candidates
(objectClass)
Jul 4 17:38:51 localhost slapd[8515]: => key_read
Jul 4 17:38:51 localhost slapd[8515]: <= bdb_index_read: failed (-30990)
Jul 4 17:38:51 localhost slapd[8515]: <= bdb_equality_candidates: id=0,
first=0, last=0
Jul 4 17:38:51 localhost slapd[8515]: => bdb_equality_candidates (uid)
Jul 4 17:38:51 localhost slapd[8515]: => key_read
Jul 4 17:38:51 localhost slapd[8515]: <= bdb_index_read 1 candidates
Jul 4 17:38:51 localhost slapd[8515]: <= bdb_equality_candidates: id=1,
first=243, last=243
Jul 4 17:38:51 localhost slapd[8515]: => bdb_equality_candidates
(objectClass)
Jul 4 17:38:51 localhost slapd[8515]: => key_read
Jul 4 17:38:51 localhost slapd[8515]: <= bdb_index_read 97 candidates
Jul 4 17:38:51 localhost slapd[8515]: <= bdb_equality_candidates: id=97,
first=144, last=256
Jul 4 17:38:51 localhost slapd[8515]: => bdb_equality_candidates
(objectClass)
Jul 4 17:38:51 localhost slapd[8515]: => key_read
Jul 4 17:38:51 localhost slapd[8515]: <= bdb_index_read 97 candidates
Jul 4 17:38:51 localhost slapd[8515]: <= bdb_equality_candidates: id=97,
first=144, last=256
Jul 4 17:38:51 localhost slapd[8515]: bdb_search_candidates: id=1 first=243
last=243
Jul 4 17:38:51 localhost slapd[8515]: => send_search_entry:
dn="uid=davidszanto,ou=Users,dc=gicomm,dc=iberica,dc=esp"
Jul 4 17:38:51 localhost slapd[8515]: <= send_search_entry
Jul 4 17:38:51 localhost slapd[8515]: send_ldap_result: conn=36 op=2 p=3
Jul 4 17:38:51 localhost slapd[8515]: send_ldap_response: msgid=3 tag=101
err=0
Jul 4 17:38:51 localhost smbd[8613]: nss_ldap: reconnecting to LDAP server...
Jul 4 17:38:51 localhost slapd[8515]: connection_get(14): got connid=37
Jul 4 17:38:51 localhost slapd[8515]: connection_read(14): checking for input
on id=37
Jul 4 17:38:51 localhost slapd[8515]: ber_get_next on fd 14 failed errno=11
(Resource temporarily unavailable)
Jul 4 17:38:51 localhost slapd[8515]: do_bind
Jul 4 17:38:51 localhost slapd[8515]: >>> dnPrettyNormal:
<cn=admin,dc=gicomm,dc=iberica,dc=esp>
Jul 4 17:38:51 localhost slapd[8515]: <<< dnPrettyNormal:
<cn=admin,dc=gicomm,dc=iberica,dc=esp>, <cn=admin,dc=gicomm,dc=i
berica,dc=esp>
Jul 4 17:38:51 localhost slapd[8515]: do_bind: version=3
dn="cn=admin,dc=gicomm,dc=iberica,dc=esp" method=128
Jul 4 17:38:51 localhost slapd[8515]: do_bind: v3 bind:
"cn=admin,dc=gicomm,dc=iberica,dc=esp" to "cn=admin,dc=gicomm,dc=i
berica,dc=esp"
Jul 4 17:38:51 localhost slapd[8515]: send_ldap_result: conn=37 op=0 p=3
Jul 4 17:38:51 localhost slapd[8515]: send_ldap_response: msgid=1 tag=97
err=0
Jul 4 17:38:51 localhost slapd[8515]: connection_get(14): got connid=37
Jul 4 17:38:51 localhost slapd[8515]: connection_read(14): checking for input
on id=37
Jul 4 17:38:51 localhost slapd[8515]: ber_get_next on fd 14 failed errno=11
(Resource temporarily unavailable)
Jul 4 17:38:51 localhost slapd[8515]: do_search
Jul 4 17:38:51 localhost slapd[8515]: >>> dnPrettyNormal:
<dc=gicomm,dc=iberica,dc=esp>
Jul 4 17:38:51 localhost slapd[8515]: <<< dnPrettyNormal:
<dc=gicomm,dc=iberica,dc=esp>, <dc=gicomm,dc=iberica,dc=esp>
Jul 4 17:38:51 localhost slapd[8515]: => bdb_search
Jul 4 17:38:51 localhost slapd[8515]:
bdb_dn2entry("dc=gicomm,dc=iberica,dc=esp")
Jul 4 17:38:51 localhost slapd[8515]: search_candidates:
base="dc=gicomm,dc=iberica,dc=esp" (0x00000001) scope=2
Jul 4 17:38:51 localhost slapd[8515]: =>
bdb_dn2idl( "dc=gicomm,dc=iberica,dc=esp" )
Jul 4 17:38:51 localhost slapd[8515]: => bdb_equality_candidates
(objectClass)
Jul 4 17:38:51 localhost slapd[8515]: => key_read
Jul 4 17:38:51 localhost slapd[8515]: <= bdb_index_read: failed (-30990)
Jul 4 17:38:51 localhost slapd[8515]: <= bdb_equality_candidates: id=0,
first=0, last=0
Jul 4 17:38:51 localhost slapd[8515]: => bdb_equality_candidates
(objectClass)
Jul 4 17:38:51 localhost slapd[8515]: => key_read
Jul 4 17:38:51 localhost slapd[8515]: <= bdb_index_read 97 candidates
Jul 4 17:38:51 localhost slapd[8515]: <= bdb_equality_candidates: id=97,
first=144, last=256
Jul 4 17:38:51 localhost slapd[8515]: => bdb_equality_candidates (uid)
Jul 4 17:38:51 localhost slapd[8515]: => key_read
Jul 4 17:38:51 localhost slapd[8515]: <= bdb_index_read 1 candidates
Jul 4 17:38:51 localhost slapd[8515]: <= bdb_equality_candidates: id=1,
first=243, last=243
Jul 4 17:38:51 localhost slapd[8515]: bdb_search_candidates: id=1 first=243
last=243
Jul 4 17:38:51 localhost slapd[8515]: => send_search_entry:
dn="uid=davidszanto,ou=Users,dc=gicomm,dc=iberica,dc=esp"
Jul 4 17:38:51 localhost slapd[8515]: <= send_search_entry
Jul 4 17:38:51 localhost slapd[8515]: send_ldap_result: conn=37 op=1 p=3
Jul 4 17:38:51 localhost slapd[8515]: send_ldap_response: msgid=2 tag=101
err=0
.... and on and on repeating itself for 2 more seconds ...
--end------------------
I'm not much of an expert on LDAP, actually quite the opposite. I can't
really tell if there's something really wrong here or not.
My configuration files are the following:
-- smb.conf -----------------
[global]
netbios name = GICOMM
workgroup = GICOMMNET
server string = GICOMM (Servidor de Comunicaciones)
passdb backend = ldapsam:ldap://127.0.0.1
username map = /et/samba/smbusers
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
smb ports = 139
preferred master = yes
domain master = yes
local master = yes
domain logons = yes
os level = 255
dns proxy = yes
;wins support = Yes
security = user
encrypt passwords = yes
ldap suffix = dc=gicomm,dc=iberica,dc=esp
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=gicomm,dc=iberica,dc=esp
ldap ssl = no
ldap delete dn = no
ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
ldap passwd sync = Yes
add user script = /usr/sbin/smbldap-useradd -a -m -A 1 -D \"H:\" -E \"%u.bat\" "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-usermod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
template home dir = /etc/skel
template shell = /bin/sh
username map = /etc/samba/users.map
logon script = logon.bat
logon drive = H:
hide dot files = yes
[homes]
...
--end----------------------
And my slapd.conf file:
--slapd.conf---------------------------
allow bind_v2
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd.args
loglevel 1
modulepath /usr/lib/ldap
moduleload back_bdb
backend bdb
checkpoint 512 30
database bdb
suffix "dc=gicomm,dc=iberica,dc=esp"
rootdn "cn=admin,dc=gicomm,dc=iberica,dc=esp"
rootpw im_not_telling :-D
directory "/var/lib/ldap"
index objectClass eq
index uid,cn,sn,givenname,mail eq,sub
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
lastmod on
access to *
by dn="cn=admin,dc=gicomm,dc=iberica,dc=esp" write
by dn="uid=root,ou=Users,dc=gicomm,dc=iberica,dc=esp" write
by self write
by * read
--end----------------
As you can see, my slapd.conf ACL is not very restrictive.
I've checked other posts and tested accordingly, but I still can't join from
either a Linux workstation or a W2K workstation.
Well, that's basically it.
I'd appreciate any help.
Thanx!!
David
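Added example, not part of the post above: a small parser for the loglevel-1 slapd trace format quoted in it. It groups the trace into per-connection operations (bind DN and method, search base, whether the search found candidates, result code), and writes_seen() reports whether any add/modify/delete reached slapd at all; on the quoted trace it finds none, which matches the smbldap-useradd failure happening before any write was sent to the directory. It assumes a serial, single-client trace in which each operation's lines precede its send_ldap_result line.

```python
import re

# Constructed sample: one connection from the slapd trace quoted in the post, with the
# mailer's line wraps rejoined. Assumes a serial loglevel-1 trace (one client at a time).
SAMPLE = """\
Jul 4 17:38:49 localhost slapd[8515]: connection_get(10): got connid=35
Jul 4 17:38:49 localhost slapd[8515]: do_bind: version=3 dn="cn=admin,dc=gicomm,dc=iberica,dc=esp" method=128
Jul 4 17:38:49 localhost slapd[8515]: send_ldap_result: conn=35 op=0 p=3
Jul 4 17:38:49 localhost slapd[8515]: send_ldap_response: msgid=1 tag=97 err=0
Jul 4 17:38:50 localhost slapd[8515]: do_search
Jul 4 17:38:50 localhost slapd[8515]: search_candidates: base="dc=gicomm,dc=iberica,dc=esp" (0x00000001) scope=2
Jul 4 17:38:50 localhost slapd[8515]: bdb_search: no candidates
Jul 4 17:38:50 localhost slapd[8515]: send_ldap_result: conn=35 op=2 p=3
Jul 4 17:38:50 localhost slapd[8515]: send_ldap_response: msgid=3 tag=101 err=0
"""

# Only send_ldap_result names the connection; the lines before it describe that operation.
PATTERNS = {
    "bind": re.compile(r'do_bind: version=\d dn="([^"]*)" method=(\d+)'),
    "op": re.compile(r"slapd\[\d+\]: (do_search|do_add|do_modify|do_delete)$"),
    "base": re.compile(r'search_candidates: base="([^"]*)" \(0x[0-9a-f]+\) scope=(\d)'),
    "nocand": re.compile(r"bdb_search: no candidates"),
    "result": re.compile(r"send_ldap_result: conn=(\d+) op=(\d+)"),
    "err": re.compile(r"send_ldap_response: msgid=\d+ tag=\d+ err=(\d+)"),
}

def parse_trace(text):
    """Group a loglevel-1 slapd trace into {conn: [op, ...]}."""
    conns, op = {}, None
    for line in text.splitlines():
        if m := PATTERNS["bind"].search(line):
            # method=128 is a simple bind; an empty dn would mean an anonymous bind
            op = {"type": "bind", "dn": m.group(1) or "<anonymous>", "method": int(m.group(2))}
        elif m := PATTERNS["op"].search(line):
            op = {"type": m.group(1)[3:]}  # search / add / modify / delete
        elif (m := PATTERNS["base"].search(line)) and op:
            op.update(base=m.group(1), scope=int(m.group(2)), empty=False)
        elif PATTERNS["nocand"].search(line) and op:
            op["empty"] = True  # the search matched nothing, e.g. no machine account yet
        elif (m := PATTERNS["result"].search(line)) and op:
            op["op"] = int(m.group(2))
            conns.setdefault(int(m.group(1)), []).append(op)
        elif (m := PATTERNS["err"].search(line)) and op:
            op["err"] = int(m.group(1))  # err=0: the operation itself succeeded
            op = None
    return conns

def writes_seen(conns):
    """True if any add/modify/delete reached slapd (the quoted trace has none)."""
    return any(o["type"] in ("add", "modify", "delete") for ops in conns.values() for o in ops)
```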