[Samba] Domain login not working with MySQL backend
macleajb at ednet.ns.ca
Sun Mar 6 21:06:19 GMT 2005
Andreas Braun wrote:
> I'm kind of stuck here. I'd like to set up a Samba PDC server using a
> MySQL database backend, so that me and my colleagues can easily
> administer the users with a PHP based web interface. I've already
> installed and configured Samba 3.0.11 and MySQL 4.0 on FreeBSD.
> Everything seems to work great, except I can't login. I always get a
> message that says the domain controller is not available or the
> computer account is not existing. The log file says:
> "rpc_server/srv_netlog_nt.c:get_md4pw(261) md4pw: Workstation PC1$: no
> account in domain". What did I do wrong? :(
> This is the workstation account:
> Unix username: pc1$
> NT username: pc1$
> Account Flags: [W ]
> User SID: S-1-5-21-3555237956-4202347196-2499260156-3008
> Primary Group SID: S-1-5-21-3555237956-4202347196-2499260156-515
> Full Name: User &
> Home Directory:
> HomeDir Drive:
> Logon Script:
> Profile Path:
> Domain: test
> Account desc:
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: 0
> Kickoff time: 0
> Password last set: Sun, 06 Mar 2005 19:25:40 UTC
> Password can change: Sun, 06 Mar 2005 19:25:40 UTC
> Password must change: Wed, 18 May 2033 05:33:19 UTC
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> That's what I already did:
> - I've created the user accounts in FreeBSD (user1)
> - I've created the machine accounts in FreeBSD (pc1$)
> - I've added the users in Samba: "pdbedit -a -u user1"
> - I've added the workstation accounts in Samba: "pdbedit -a -m -u pc1"
> - I've checked that the accounts are correctly inserted in the database
> - I can change the computer's domain to the Samba PDC's one
> - I can open home shares using samba accounts
> I have searched around the Internet, but I could not find a solution.
> :( I hope somebody can give me a hint! Thank you!
> Kind regards,
I went through this recently and I'm not sure I'll have _your_ answer,
but some things that were gotchas on my install:
1. Make sure "net getlocalsid" matches the sids in "net groupmap list".
2. Make sure the userid and machine IDs also share this correct SID
parts. Actually now that I think of it, that was the problem I had.
3. Make sure you have an admin account to work with. For me, I did
something like:
net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
and add admin userids to the ntadmin group.
4. Create a userid that has the UID of 500 (according to the HowTo.)
5. 3.0.11 has the very useful perms to not need to be root options, so
I also did something like:
net rpc rights grant "DOMAIN\\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege -U
6. Added some stuff to smb.conf:
enable privileges = yes
add machine script = /usr/sbin/useradd -d /dev/null -g machines -c "machine account" -s /bin/false -M %u
7. Go ahead and join a computer to the domain.
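
The SID comparison from steps 1 and 2 of the reply, as an added example that is not part of the original post or of Samba itself. The function names are hypothetical, the sample SIDs are constructed, and the parsing assumes the usual output layout of "net getlocalsid", "net groupmap list" and "pdbedit -L -v".

```shell
#!/bin/sh
# Added example (not from the original post): check that every account and
# group-map SID carries the domain SID that `net getlocalsid` reports.

# domain_sid: read `net getlocalsid` output on stdin, print the bare SID.
domain_sid() {
    awk 'match($0, /S-1-5-21-[0-9]+-[0-9]+-[0-9]+/) {
             print substr($0, RSTART, RLENGTH); exit }'
}

# sid_mismatches DOMAIN_SID: read `pdbedit -L -v` and/or `net groupmap list`
# output on stdin and print "SID<TAB>owner" for every domain-relative SID
# whose prefix differs from DOMAIN_SID. Returns 1 if anything was printed.
# Well-known SIDs such as S-1-5-32-544 (BUILTIN) are not S-1-5-21-* and are
# skipped on purpose.
sid_mismatches() {
    awk -v dom="$1" '
        /^Unix username:/ { acct = $3 }
        match($0, /S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+/) {
            sid = substr($0, RSTART, RLENGTH)
            prefix = sid; sub(/-[0-9]+$/, "", prefix)   # drop the trailing RID
            if (prefix == dom) next
            if ($0 ~ /SID:/) owner = acct                # pdbedit account line
            else { owner = $0; sub(/ \(S-1-.*/, "", owner) }  # groupmap line
            printf "%s\t%s\n", sid, owner
            bad = 1
        }
        END { exit bad + 0 }'
}

# Constructed sample output; all SIDs below are made up for the demonstration.
SAMPLE_LOCALSID='SID for domain TEST is: S-1-5-21-1111111111-2222222222-3333333333'
SAMPLE_DUMP='Unix username:        user1
User SID:             S-1-5-21-1111111111-2222222222-3333333333-3000
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-513
Unix username:        pc1$
User SID:             S-1-5-21-9999999999-8888888888-7777777777-3008
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-515
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> ntadmin
Administrators (S-1-5-32-544) -> wheel
Domain Users (S-1-5-21-9999999999-8888888888-7777777777-513) -> users'

dom=$(printf '%s\n' "$SAMPLE_LOCALSID" | domain_sid)
printf '%s\n' "$SAMPLE_DUMP" | sid_mismatches "$dom" ||
    echo "The SIDs listed above do not belong to domain SID $dom"
```

On a live server the same functions can be fed with "net getlocalsid | domain_sid" and "{ pdbedit -L -v; net groupmap list; } | sid_mismatches <SID>".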