[Samba] Samba3+LDAP: Can't join domain.

David Szanto davidszanto at grupo-iberica.com
Tue Jul 5 16:10:22 GMT 2005


Thanks Louis,
I'm checking it out.  
I'll undo my setting and try again with your recipe.

Thanks for the tip.

David


On Tuesday, 5 July 2005 13:33, Louis van Belle wrote:
> I run this setup, my config is posted last week.
>
> >-----Original Message-----
> >From: samba-bounces+louis=van-belle.nl at lists.samba.org
> >[mailto:samba-bounces+louis=van-belle.nl at lists.samba.org]
> >On Behalf Of David Szanto
> >Sent: Monday, 4 July 2005 18:04
> >To: samba at lists.samba.org
> >Subject: [Samba] Samba3+LDAP: Can't join domain.
> >
> >Hi everyone!!
> >I'm having a bit of trouble joining a Samba 3 PDC with LDAP
> >authentication.
> >First some tips on what system I'm using:
> >- Debian Sarge
> >- Samba 3.0.14a-Debian
> >- OpenLDAP 2.2.24 : Protocol v.3
> >
> >
> >Well, now I'll explain the problem and show you some log output.
> >
> >Whenever I try to join the domain I get the following error:
> >--begin---------------------
> ># net rpc join GICOMMNET
> >Creation of workstation account failed
> >Unable to join domain GICOMMNET.
> >--end---------------------
> >
> >So, I check my logs to see what's wrong and I see this in the
> >Samba log:
> >--begin---------------------
> >[2005/07/04 17:29:36, 0] rpc_server/srv_netlog_nt.c:get_md4pw(244)
> >  get_md4pw: Workstation DAVIDSZANTO$: no account in domain
> >Error: modifications require authentication
> >at /usr/share/perl5/smbldap_tools.pm line 1005, <DATA> line 283.
> >[2005/07/04 17:29:39, 0]
> >rpc_server/srv_samr_nt.c:_samr_create_user(2324)
> >  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
> >"davidszanto$"' gave 1
> >--end--------------------
> >
> >So I check if everything is alright with my smbldap-useradd command,
> >and I try creating the account manually using exactly the same
> >command. Everything works fine. The account is created and machine
> >davidszanto$ is created.
> >
> >So then I scratch my head a bit, and while I'm losing most of my hair
> >I try something a bit easier. Let's see if I can recover the user
> >list or the group list. I use "net user -I 192.168.xxx.xxx" and it
> >works fine. I get the whole list and the same with groups. So, if
> >everything looks fine, where's the mistake?
> >
> >I try joining again and this time I check the slapd log as well and
> >I get the biggest transaction log record in history!! :
> >--begin------------------
> >Jul  4 17:38:49 localhost slapd[8515]: connection_get(10): got
> >connid=35
> >Jul  4 17:38:49 localhost slapd[8515]: connection_read(10):
> >checking for input
> >on id=35
> >Jul  4 17:38:49 localhost slapd[8515]: do_bind
> >Jul  4 17:38:49 localhost slapd[8515]: ber_get_next on fd 10
> >failed errno=11
> >(Resource temporarily unavailable)
> >Jul  4 17:38:49 localhost slapd[8515]: >>> dnPrettyNormal:
> ><cn=admin,dc=gicomm,dc=iberica,dc=esp>
> >Jul  4 17:38:49 localhost slapd[8515]: <<< dnPrettyNormal:
> ><cn=admin,dc=gicomm,dc=iberica,dc=esp>, <cn=admin,dc=gicomm,dc=i
> >berica,dc=esp>
> >Jul  4 17:38:49 localhost slapd[8515]: do_bind: version=3
> >dn="cn=admin,dc=gicomm,dc=iberica,dc=esp" method=128
> >Jul  4 17:38:49 localhost slapd[8515]: do_bind: v3 bind:
> >"cn=admin,dc=gicomm,dc=iberica,dc=esp" to "cn=admin,dc=gicomm,dc=i
> >berica,dc=esp"
> >Jul  4 17:38:49 localhost slapd[8515]: send_ldap_result:
> >conn=35 op=0 p=3
> >Jul  4 17:38:49 localhost slapd[8515]: send_ldap_response:
> >msgid=1 tag=97
> >err=0
> >Jul  4 17:38:49 localhost slapd[8515]: connection_get(10): got
> >connid=35
> >Jul  4 17:38:49 localhost slapd[8515]: connection_read(10):
> >checking for input
> >on id=35
> >Jul  4 17:38:49 localhost slapd[8515]: ber_get_next on fd 10
> >failed errno=11
> >(Resource temporarily unavailable)
> >Jul  4 17:38:49 localhost slapd[8515]: do_search
> >Jul  4 17:38:49 localhost slapd[8515]: >>> dnPrettyNormal: <>
> >Jul  4 17:38:49 localhost slapd[8515]: <<< dnPrettyNormal: <>, <>
> >Jul  4 17:38:49 localhost slapd[8515]: => send_search_entry: dn=""
> >Jul  4 17:38:49 localhost slapd[8515]: <= send_search_entry
> >Jul  4 17:38:49 localhost slapd[8515]: send_ldap_result:
> >conn=35 op=1 p=3
> >Jul  4 17:38:49 localhost slapd[8515]: send_ldap_response:
> >msgid=2 tag=101
> >err=0
> >Jul  4 17:38:49 localhost slapd[8515]: connection_get(10): got
> >connid=35
> >Jul  4 17:38:50 localhost slapd[8515]: connection_read(10):
> >checking for input
> >on id=35
> >Jul  4 17:38:50 localhost slapd[8515]: ber_get_next on fd 10
> >failed errno=11
> >(Resource temporarily unavailable)
> >Jul  4 17:38:50 localhost slapd[8515]: do_search
> >Jul  4 17:38:50 localhost slapd[8515]: >>> dnPrettyNormal:
> ><dc=gicomm,dc=iberica,dc=esp>
> >Jul  4 17:38:50 localhost slapd[8515]: <<< dnPrettyNormal:
> ><dc=gicomm,dc=iberica,dc=esp>, <dc=gicomm,dc=iberica,dc=esp>
> >Jul  4 17:38:50 localhost slapd[8515]: => bdb_search
> >Jul  4 17:38:50 localhost slapd[8515]:
> >bdb_dn2entry("dc=gicomm,dc=iberica,dc=esp")
> >Jul  4 17:38:50 localhost slapd[8515]: search_candidates:
> >base="dc=gicomm,dc=iberica,dc=esp" (0x00000001) scope=2
> >Jul  4 17:38:50 localhost slapd[8515]: =>
> >bdb_dn2idl( "dc=gicomm,dc=iberica,dc=esp" )
> >Jul  4 17:38:50 localhost slapd[8515]: => bdb_equality_candidates
> >(objectClass)
> >Jul  4 17:38:50 localhost slapd[8515]: => key_read
> >Jul  4 17:38:50 localhost slapd[8515]: <= bdb_index_read:
> >failed (-30990)
> >Jul  4 17:38:50 localhost slapd[8515]: <=
> >bdb_equality_candidates: id=0,
> >first=0, last=0
> >Jul  4 17:38:50 localhost slapd[8515]: => bdb_equality_candidates (uid)
> >Jul  4 17:38:50 localhost slapd[8515]: => key_read
> >Jul  4 17:38:50 localhost slapd[8515]: <= bdb_index_read:
> >failed (-30990)
> >Jul  4 17:38:50 localhost slapd[8515]: <=
> >bdb_equality_candidates: id=0,
> >first=0, last=0
> >Jul  4 17:38:50 localhost slapd[8515]: bdb_search_candidates:
> >id=0 first=1
> >last=0
> >Jul  4 17:38:50 localhost slapd[8515]: bdb_search: no candidates
> >Jul  4 17:38:50 localhost slapd[8515]: send_ldap_result:
> >conn=35 op=2 p=3
> >Jul  4 17:38:50 localhost slapd[8515]: send_ldap_response:
> >msgid=3 tag=101
> >err=0
> >Jul  4 17:38:50 localhost smbd[8612]: [2005/07/04 17:38:50, 0]
> >rpc_server/srv_netlog_nt.c:get_md4pw(244)
> >Jul  4 17:38:50 localhost smbd[8612]:   get_md4pw: Workstation
> >DAVIDSZANTO$:
> >no account in domain
> >Jul  4 17:38:50 localhost slapd[8515]: connection_get(10): got
> >connid=35
> >Jul  4 17:38:50 localhost slapd[8515]: connection_read(10):
> >checking for input
> >on id=35
> >Jul  4 17:38:50 localhost slapd[8515]: ber_get_next on fd 10
> >failed errno=0
> >(Success)
> >Jul  4 17:38:50 localhost slapd[8515]: connection_read(10):
> >input error=-2
> >id=35, closing.
> >Jul  4 17:38:50 localhost slapd[8515]: connection_closing:
> >readying conn=35
> >sd=10 for close
> >Jul  4 17:38:50 localhost slapd[8515]: connection_close: conn=35 sd=10
> >Jul  4 17:38:51 localhost slapd[8515]: connection_get(10): got
> >connid=36
> >Jul  4 17:38:51 localhost slapd[8515]: connection_read(10):
> >checking for input
> >on id=36
> >Jul  4 17:38:51 localhost slapd[8515]: ber_get_next on fd 10
> >failed errno=11
> >(Resource temporarily unavailable)
> >Jul  4 17:38:51 localhost slapd[8515]: do_bind
> >Jul  4 17:38:51 localhost slapd[8515]: >>> dnPrettyNormal:
> ><cn=admin,dc=gicomm,dc=iberica,dc=esp>
> >Jul  4 17:38:51 localhost slapd[8515]: <<< dnPrettyNormal:
> ><cn=admin,dc=gicomm,dc=iberica,dc=esp>, <cn=admin,dc=gicomm,dc=i
> >berica,dc=esp>
> >Jul  4 17:38:51 localhost slapd[8515]: do_bind: version=3
> >dn="cn=admin,dc=gicomm,dc=iberica,dc=esp" method=128
> >Jul  4 17:38:51 localhost slapd[8515]: do_bind: v3 bind:
> >"cn=admin,dc=gicomm,dc=iberica,dc=esp" to "cn=admin,dc=gicomm,dc=i
> >berica,dc=esp"
> >Jul  4 17:38:51 localhost slapd[8515]: send_ldap_result:
> >conn=36 op=0 p=3
> >Jul  4 17:38:51 localhost slapd[8515]: send_ldap_response:
> >msgid=1 tag=97
> >err=0
> >Jul  4 17:38:51 localhost slapd[8515]: connection_get(10): got
> >connid=36
> >Jul  4 17:38:51 localhost slapd[8515]: connection_read(10):
> >checking for input
> >on id=36
> >Jul  4 17:38:51 localhost slapd[8515]: ber_get_next on fd 10
> >failed errno=11
> >(Resource temporarily unavailable)
> >Jul  4 17:38:51 localhost slapd[8515]: do_search
> >Jul  4 17:38:51 localhost slapd[8515]: >>> dnPrettyNormal: <>
> >Jul  4 17:38:51 localhost slapd[8515]: <<< dnPrettyNormal: <>, <>
> >Jul  4 17:38:51 localhost slapd[8515]: => send_search_entry: dn=""
> >Jul  4 17:38:51 localhost slapd[8515]: <= send_search_entry
> >Jul  4 17:38:51 localhost slapd[8515]: send_ldap_result:
> >conn=36 op=1 p=3
> >Jul  4 17:38:51 localhost slapd[8515]: send_ldap_response:
> >msgid=2 tag=101
> >err=0
> >Jul  4 17:38:51 localhost slapd[8515]: connection_get(10): got
> >connid=36
> >Jul  4 17:38:51 localhost slapd[8515]: connection_read(10):
> >checking for input
> >on id=36
> >Jul  4 17:38:51 localhost slapd[8515]: ber_get_next on fd 10
> >failed errno=11
> >(Resource temporarily unavailable)
> >Jul  4 17:38:51 localhost slapd[8515]: do_search
> >Jul  4 17:38:51 localhost slapd[8515]: >>> dnPrettyNormal:
> ><dc=gicomm,dc=iberica,dc=esp>
> >Jul  4 17:38:51 localhost slapd[8515]: <<< dnPrettyNormal:
> ><dc=gicomm,dc=iberica,dc=esp>, <dc=gicomm,dc=iberica,dc=esp>
> >Jul  4 17:38:51 localhost slapd[8515]: => bdb_search
> >Jul  4 17:38:51 localhost slapd[8515]:
> >bdb_dn2entry("dc=gicomm,dc=iberica,dc=esp")
> >Jul  4 17:38:51 localhost slapd[8515]: search_candidates:
> >base="dc=gicomm,dc=iberica,dc=esp" (0x00000001) scope=2
> >Jul  4 17:38:51 localhost slapd[8515]: =>
> >bdb_dn2idl( "dc=gicomm,dc=iberica,dc=esp" )
> >Jul  4 17:38:51 localhost slapd[8515]: => bdb_equality_candidates
> >(objectClass)
> >Jul  4 17:38:51 localhost slapd[8515]: => key_read
> >Jul  4 17:38:51 localhost slapd[8515]: <= bdb_index_read:
> >failed (-30990)
> >Jul  4 17:38:51 localhost slapd[8515]: <=
> >bdb_equality_candidates: id=0,
> >first=0, last=0
> >Jul  4 17:38:51 localhost slapd[8515]: => bdb_equality_candidates (uid)
> >Jul  4 17:38:51 localhost slapd[8515]: => key_read
> >Jul  4 17:38:51 localhost slapd[8515]: <= bdb_index_read 1 candidates
> >Jul  4 17:38:51 localhost slapd[8515]: <=
> >bdb_equality_candidates: id=1,
> >first=243, last=243
> >Jul  4 17:38:51 localhost slapd[8515]: => bdb_equality_candidates
> >(objectClass)
> >Jul  4 17:38:51 localhost slapd[8515]: => key_read
> >Jul  4 17:38:51 localhost slapd[8515]: <= bdb_index_read 97 candidates
> >Jul  4 17:38:51 localhost slapd[8515]: <=
> >bdb_equality_candidates: id=97,
> >first=144, last=256
> >Jul  4 17:38:51 localhost slapd[8515]: => bdb_equality_candidates
> >(objectClass)
> >Jul  4 17:38:51 localhost slapd[8515]: => key_read
> >Jul  4 17:38:51 localhost slapd[8515]: <= bdb_index_read 97 candidates
> >Jul  4 17:38:51 localhost slapd[8515]: <=
> >bdb_equality_candidates: id=97,
> >first=144, last=256
> >Jul  4 17:38:51 localhost slapd[8515]: bdb_search_candidates:
> >id=1 first=243
> >last=243
> >Jul  4 17:38:51 localhost slapd[8515]: => send_search_entry:
> >dn="uid=davidszanto,ou=Users,dc=gicomm,dc=iberica,dc=esp"
> >Jul  4 17:38:51 localhost slapd[8515]: <= send_search_entry
> >Jul  4 17:38:51 localhost slapd[8515]: send_ldap_result:
> >conn=36 op=2 p=3
> >Jul  4 17:38:51 localhost slapd[8515]: send_ldap_response:
> >msgid=3 tag=101
> >err=0
> >Jul  4 17:38:51 localhost smbd[8613]: nss_ldap: reconnecting
> >to LDAP server...
> >Jul  4 17:38:51 localhost slapd[8515]: connection_get(14): got
> >connid=37
> >Jul  4 17:38:51 localhost slapd[8515]: connection_read(14):
> >checking for input
> >on id=37
> >Jul  4 17:38:51 localhost slapd[8515]: ber_get_next on fd 14
> >failed errno=11
> >(Resource temporarily unavailable)
> >Jul  4 17:38:51 localhost slapd[8515]: do_bind
> >Jul  4 17:38:51 localhost slapd[8515]: >>> dnPrettyNormal:
> ><cn=admin,dc=gicomm,dc=iberica,dc=esp>
> >Jul  4 17:38:51 localhost slapd[8515]: <<< dnPrettyNormal:
> ><cn=admin,dc=gicomm,dc=iberica,dc=esp>, <cn=admin,dc=gicomm,dc=i
> >berica,dc=esp>
> >Jul  4 17:38:51 localhost slapd[8515]: do_bind: version=3
> >dn="cn=admin,dc=gicomm,dc=iberica,dc=esp" method=128
> >Jul  4 17:38:51 localhost slapd[8515]: do_bind: v3 bind:
> >"cn=admin,dc=gicomm,dc=iberica,dc=esp" to "cn=admin,dc=gicomm,dc=i
> >berica,dc=esp"
> >Jul  4 17:38:51 localhost slapd[8515]: send_ldap_result:
> >conn=37 op=0 p=3
> >Jul  4 17:38:51 localhost slapd[8515]: send_ldap_response:
> >msgid=1 tag=97
> >err=0
> >Jul  4 17:38:51 localhost slapd[8515]: connection_get(14): got
> >connid=37
> >Jul  4 17:38:51 localhost slapd[8515]: connection_read(14):
> >checking for input
> >on id=37
> >Jul  4 17:38:51 localhost slapd[8515]: ber_get_next on fd 14
> >failed errno=11
> >(Resource temporarily unavailable)
> >Jul  4 17:38:51 localhost slapd[8515]: do_search
> >Jul  4 17:38:51 localhost slapd[8515]: >>> dnPrettyNormal:
> ><dc=gicomm,dc=iberica,dc=esp>
> >Jul  4 17:38:51 localhost slapd[8515]: <<< dnPrettyNormal:
> ><dc=gicomm,dc=iberica,dc=esp>, <dc=gicomm,dc=iberica,dc=esp>
> >Jul  4 17:38:51 localhost slapd[8515]: => bdb_search
> >Jul  4 17:38:51 localhost slapd[8515]:
> >bdb_dn2entry("dc=gicomm,dc=iberica,dc=esp")
> >Jul  4 17:38:51 localhost slapd[8515]: search_candidates:
> >base="dc=gicomm,dc=iberica,dc=esp" (0x00000001) scope=2
> >Jul  4 17:38:51 localhost slapd[8515]: =>
> >bdb_dn2idl( "dc=gicomm,dc=iberica,dc=esp" )
> >Jul  4 17:38:51 localhost slapd[8515]: => bdb_equality_candidates
> >(objectClass)
> >Jul  4 17:38:51 localhost slapd[8515]: => key_read
> >Jul  4 17:38:51 localhost slapd[8515]: <= bdb_index_read:
> >failed (-30990)
> >Jul  4 17:38:51 localhost slapd[8515]: <=
> >bdb_equality_candidates: id=0,
> >first=0, last=0
> >Jul  4 17:38:51 localhost slapd[8515]: => bdb_equality_candidates
> >(objectClass)
> >Jul  4 17:38:51 localhost slapd[8515]: => key_read
> >Jul  4 17:38:51 localhost slapd[8515]: <= bdb_index_read 97 candidates
> >Jul  4 17:38:51 localhost slapd[8515]: <=
> >bdb_equality_candidates: id=97,
> >first=144, last=256
> >Jul  4 17:38:51 localhost slapd[8515]: => bdb_equality_candidates (uid)
> >Jul  4 17:38:51 localhost slapd[8515]: => key_read
> >Jul  4 17:38:51 localhost slapd[8515]: <= bdb_index_read 1 candidates
> >Jul  4 17:38:51 localhost slapd[8515]: <=
> >bdb_equality_candidates: id=1,
> >first=243, last=243
> >Jul  4 17:38:51 localhost slapd[8515]: bdb_search_candidates:
> >id=1 first=243
> >last=243
> >Jul  4 17:38:51 localhost slapd[8515]: => send_search_entry:
> >dn="uid=davidszanto,ou=Users,dc=gicomm,dc=iberica,dc=esp"
> >Jul  4 17:38:51 localhost slapd[8515]: <= send_search_entry
> >Jul  4 17:38:51 localhost slapd[8515]: send_ldap_result:
> >conn=37 op=1 p=3
> >Jul  4 17:38:51 localhost slapd[8515]: send_ldap_response:
> >msgid=2 tag=101
> >err=0
> >
> >.... and on and on repeating itself for 2 more seconds ...
> >--end------------------
> >
> >I'm not much of an expert on LDAP, actually quite the opposite. I
> >can't really tell if there's something really wrong here or not.
> >My configuration files are the following:
> >
> >-- smb.conf -----------------
> >[global]
> >
> >netbios name = GICOMM
> >workgroup = GICOMMNET
> >server string = GICOMM (Servidor de Comunicaciones)
> >
> >passdb backend = ldapsam:ldap://127.0.0.1
> >username map = /et/samba/smbusers
> >log file = /var/log/samba/%m.log
> >max log size = 50
> >socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >smb ports = 139
> >
> >preferred master = yes
> >domain master = yes
> >local master = yes
> >domain logons = yes
> >os level = 255
> >dns proxy = yes
> >;wins support = Yes
> >security = user
> >encrypt passwords = yes
> >
> >ldap suffix = dc=gicomm,dc=iberica,dc=esp
> >ldap machine suffix = ou=Computers
> >ldap user suffix = ou=Users
> >ldap group suffix = ou=Groups
> >ldap idmap suffix = ou=Idmap
> >ldap admin dn = cn=admin,dc=gicomm,dc=iberica,dc=esp
> >ldap ssl = no
> >ldap delete dn = no
> >ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
> >ldap passwd sync = Yes
> >
> >add user script = /usr/sbin/smbldap-useradd  -a -m -A 1 -D \"H:\" -E
> >\"%u.bat\" "%u"
> >delete user script = /usr/sbin/smbldap-userdel "%u"
> >add machine script = /usr/sbin/smbldap-useradd -w "%u"
> >add group script = /usr/sbin/smbldap-groupadd -p "%g"
> >delete group script = /usr/sbin/smbldap-groupdel "%g"
> >add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> >delete user from group script = /usr/sbin/smbldap-usermod -x "%u" "%g"
> >set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
> >template home dir = /etc/skel
> >template shell = /bin/sh
> >username map = /etc/samba/users.map
> >
> >logon script = logon.bat
> >logon drive = H:
> >hide dot files = yes
> >
> >[homes]
> >...
> >--end----------------------
> >
> >And my slapd.conf file:
> >--slapd.conf---------------------------
> >allow bind_v2
> >
> >include         /etc/ldap/schema/core.schema
> >include         /etc/ldap/schema/cosine.schema
> >include         /etc/ldap/schema/nis.schema
> >include         /etc/ldap/schema/inetorgperson.schema
> >include         /etc/ldap/schema/samba.schema
> >
> >schemacheck     on
> >pidfile         /var/run/slapd/slapd.pid
> >argsfile        /var/run/slapd.args
> >loglevel       1
> >
> >modulepath      /usr/lib/ldap
> >moduleload      back_bdb
> >
> >backend         bdb
> >checkpoint 512 30
> >
> >database        bdb
> >
> >suffix          "dc=gicomm,dc=iberica,dc=esp"
> >rootdn          "cn=admin,dc=gicomm,dc=iberica,dc=esp"
> >rootpw          im_not_telling :-D
> >
> >directory       "/var/lib/ldap"
> >
> >index           objectClass eq
> >index           uid,cn,sn,givenname,mail eq,sub
> >index           uidNumber eq
> >index           gidNumber eq
> >index           memberUid eq
> >index           sambaSID eq
> >index           sambaPrimaryGroupSID eq
> >index           sambaDomainName eq
> >index           default sub
> >
> >lastmod         on
> >
> >access to *
> >        by dn="cn=admin,dc=gicomm,dc=iberica,dc=esp" write
> >        by dn="uid=root,ou=Users,dc=gicomm,dc=iberica,dc=esp" write
> >        by self write
> >        by * read
> >
> >--end----------------
> >
> >As you can see, my slapd.conf ACL is not very restrictive.
> >
> >I've checked other posts and tested accordingly, but I still can't
> >join from either a Linux workstation or a W2K workstation.
> >
> >Well, that's basically it.
> >I'd appreciate any help.
> >Thanx!!
> >David
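As an added example (not part of the thread, and not code from the Samba or smbldap-tools projects), the following Python script triages a failed machine-account join from log text alone. It looks for the three symptoms visible in the quoted logs: the `get_md4pw` message saying the workstation account does not exist yet, the `_samr_create_user` line reporting that the `add machine script` exited non-zero, and the smbldap-tools error `modifications require authentication`, which means the script's LDAP bind lacked write permission. The slapd checks (anonymous binds, empty searches) assume `loglevel 1` trace output like the one in the post. The sample log text is the thread's own lines re-joined onto single lines; the regexes and the `diagnose` function are this example's own.

```python
"""Offline triage of a failed Samba 3 + LDAP machine-account join.

Added example, not from the thread.  It scans Samba and slapd log text
for the symptoms the post shows; nothing here talks to a live server.
"""
import re

# Samba log: "get_md4pw: Workstation NAME$: no account in domain"
_NO_ACCOUNT = re.compile(r"get_md4pw: Workstation (\S+?)\$?: no account in domain")
# Samba log: "_samr_create_user: Running the command `CMD' gave N"
_SCRIPT_RESULT = re.compile(r"_samr_create_user: Running the command `(.+?)' gave (\d+)")
# Error text from smbldap-tools (Perl) that lands in the Samba log when the
# LDAP server refused the add because the bind had no write rights
_AUTH_REQUIRED = re.compile(r"modifications require authentication")
# slapd trace (loglevel 1): an anonymous bind shows an empty DN
_ANON_BIND = re.compile(r'do_bind: version=\d+ dn="" method=')
_NO_CANDIDATES = re.compile(r"bdb_search: no candidates")


def parse_samba_log(text):
    """Return join-related findings from Samba's own log text."""
    # Re-join wrapped lines so a command split by a mail client still matches.
    joined = " ".join(line.strip() for line in text.splitlines())
    missing = sorted({m.group(1).upper() for m in _NO_ACCOUNT.finditer(joined)})
    failed = [(cmd, int(rc)) for cmd, rc in _SCRIPT_RESULT.findall(joined) if int(rc) != 0]
    return {
        "missing_accounts": missing,
        "failed_scripts": failed,
        "auth_required": bool(_AUTH_REQUIRED.search(joined)),
    }


def parse_slapd_log(text):
    """Count anonymous binds and empty searches in slapd trace output."""
    return {
        "anonymous_binds": len(_ANON_BIND.findall(text)),
        "empty_searches": len(_NO_CANDIDATES.findall(text)),
    }


def diagnose(samba_log, slapd_log=""):
    """Combine both logs into a list of plain-language conclusions."""
    s = parse_samba_log(samba_log)
    d = parse_slapd_log(slapd_log)
    notes = []
    for name in s["missing_accounts"]:
        notes.append(f"{name}$ does not exist yet; smbd runs 'add machine script' to create it")
    for cmd, rc in s["failed_scripts"]:
        notes.append(f"add machine script failed (exit {rc}): {cmd}")
    if s["auth_required"]:
        notes.append("LDAP rejected the add with 'modifications require authentication': "
                     "smbldap-tools did not bind with a DN that has write access "
                     "(check the bind DN and password in its smbldap_bind.conf)")
    if d["anonymous_binds"]:
        notes.append(f"slapd saw {d['anonymous_binds']} anonymous bind(s); "
                     "a writer must bind with a DN the ACL grants write to")
    return {**s, **d, "conclusions": notes}


# Sample input: the Samba log lines quoted in the thread, re-joined onto
# single lines (the mail client had wrapped them).
SAMBA_LOG = """\
[2005/07/04 17:29:36, 0] rpc_server/srv_netlog_nt.c:get_md4pw(244)
  get_md4pw: Workstation DAVIDSZANTO$: no account in domain
Error: modifications require authentication
at /usr/share/perl5/smbldap_tools.pm line 1005, <DATA> line 283.
[2005/07/04 17:29:39, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "davidszanto$"' gave 1
"""

# Sample input: two slapd trace lines from the thread (admin bind, then the
# search for the not-yet-existing account returning nothing).
SLAPD_LOG = """\
Jul  4 17:38:49 localhost slapd[8515]: do_bind: version=3 dn="cn=admin,dc=gicomm,dc=iberica,dc=esp" method=128
Jul  4 17:38:50 localhost slapd[8515]: bdb_search: no candidates
"""

if __name__ == "__main__":
    for line in diagnose(SAMBA_LOG, SLAPD_LOG)["conclusions"]:
        print("-", line)
```

The script is deliberately read-only: it separates the expected first-join condition (the account is missing, so smbd calls the script) from the actual failure (the script's LDAP write was refused for lack of credentials), which is the distinction the post's logs make hard to see.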