[Samba] Trouble with PDC setup using Samba 3.0.23 and OpenLDAP
Craig White
craigwhite at azapple.com
Sun Jul 30 13:34:08 GMT 2006
On Sun, 2006-07-30 at 06:40 +0000, Jonathan Poon wrote:
> Hi everyone,
>
> I am trying to setup a PDC using Samba and OpenLDAP. For some reason, I've
> used both the examples provided in the Official Howto and also the
> smbldap-tools howto developed by IDEALX. I am able to get the directory up
> and running. I am able to get the following working:
>
> 1. LDAP Directory server and successful Queries through Samba
> 2. Add user and machine accounts.
> 3. Login using the user account to access shares
>
> However, after adding my machine to the domain and rebooting my Windows 2000
> Professional workstation, I am UNABLE to login to the domain using the same
> User account that I was able to use to access shares on the Samba server.
> Here is what I am getting in the logs for both OpenLDAP and Samba
>
> I'm getting the error bdb_equality_candidates: (uniqueMember) index_param
> failed (18) when its trying to obtain the attribute gidNumber from the LDAP
> logs. In the samba logs, Its getting a Rejecting auth request from client
> DELL machine account DELL$
>
> Also when I do a net rpc info, I don't see any users or groups added...
>
> net rpc info
> Domain Name: POON
> Domain SID: S-1-5-21-2419779023-3102034070-987042703
> Sequence number: 1154241602
> Num users: 0
> Num domain groups: 0
> Num local groups: 0
>
> I don't know where to start...Please let me know if you have had a similar
> experience and found a solution. I appreciate your help very much!
>
> -Jonathan P.
>
>
>
> OPENLDAP.LOG
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 fd=10 ACCEPT from
> IP=127.0.0.1:38290 (IP=0.0.0.0:389)
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=0 BIND
> dn="cn=samba,ou=DSA,dc=jonathanpoon" method=128
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=0 BIND
> dn="cn=samba,ou=DSA,dc=jonathanpoon" mech=SIMPLE ssf=0
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=0 RESULT tag=97 err=0 text=
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=1 SRCH base="" scope=0
> deref=0 filter="(objectClass=*)"
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=1 SRCH attr=supportedControl
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=1 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=2 SRCH
> base="dc=jonathanpoon" scope=2 deref=0
> filter="(&(uid=dell$)(objectClass=sambaSamAccount))"
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=2 SRCH attr=uid uidNumber
> gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange
> sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName
> sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description
> sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword
> sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
> sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory
> modifyTimestamp sambaLogonHours modifyTimestamp
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=2 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=3 SRCH
> base="dc=jonathanpoon" scope=2 deref=0
> filter="(&(uid=jonathan)(objectClass=sambaSamAccount))"
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=3 SRCH attr=uid uidNumber
> gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange
> sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName
> sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description
> sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword
> sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
> sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory
> modifyTimestamp sambaLogonHours modifyTimestamp
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=3 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Jul 29 23:32:41 poontv slapd[6138]: conn=216 fd=18 ACCEPT from
> IP=127.0.0.1:38291 (IP=0.0.0.0:389)
> Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=0 BIND
> dn="cn=nssldap,ou=DSA,dc=jonathanpoon" method=128
> Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=0 BIND
> dn="cn=nssldap,ou=DSA,dc=jonathanpoon" mech=SIMPLE ssf=0
> Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=0 RESULT tag=97 err=0 text=
> Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=1 SRCH
> base="ou=Users,dc=jonathanpoon" scope=1 deref=0
> filter="(&(objectClass=posixAccount)(uid=jonathan))"
> Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=1 SRCH attr=uid userPassword
> uidNumber gidNumber cn homeDirectory loginShell gecos description
> objectClass
> Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=1 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Jul 29 23:32:41 poontv slapd[6138]: conn=217 fd=23 ACCEPT from
> IP=127.0.0.1:38292 (IP=0.0.0.0:389)
> Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=2 UNBIND
> Jul 29 23:32:41 poontv slapd[6138]: conn=216 fd=18 closed
> Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=0 BIND
> dn="cn=nssldap,ou=DSA,dc=jonathanpoon" method=128
> Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=0 BIND
> dn="cn=nssldap,ou=DSA,dc=jonathanpoon" mech=SIMPLE ssf=0
> Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=0 RESULT tag=97 err=0 text=
> Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=1 SRCH
> base="ou=Users,dc=jonathanpoon" scope=1 deref=0
> filter="(&(objectClass=posixAccount)(uid=jonathan))"
> Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=1 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=2 SRCH
> base="ou=Groups,dc=jonathanpoon" scope=1 deref=0
> filter="(&(objectClass=posixGroup)(|(memberUid=jonathan)(uniqueMember=uid=jonathan,ou=users,dc=jonathanpoon)))"
> Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=2 SRCH attr=gidNumber
> Jul 29 23:32:41 poontv slapd[6138]: <= bdb_equality_candidates:
> (uniqueMember) index_param failed (18)
> Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=2 SEARCH RESULT tag=101
> err=0 nentries=0 text=
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=4 SRCH
> base="ou=Groups,dc=jonathanpoon" scope=2 deref=0
> filter="(&(objectClass=sambaGroupMapping)(gidNumber=513))"
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=4 SRCH attr=gidNumber
> sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=4 SEARCH RESULT tag=101
> err=0 nentries=1 text=
>
> SAMBA LOGS
> [2006/07/29 23:35:39, 2] libsmb/credentials.c:creds_server_check(159)
> creds_server_check: credentials check failed.
> [2006/07/29 23:35:39, 2] rpc_server/srv_netlog_nt.c:_net_sam_logon(667)
> _net_sam_logon: creds_server_step failed. Rejecting auth request from
> client DELL machine account DELL$
> [2006/07/29 23:35:50, 2] lib/smbldap.c:smbldap_open_connection(722)
> smbldap_open_connection: connection opened
> [2006/07/29 23:35:50, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
> init_sam_from_ldap: Entry found for user: dell$
> [2006/07/29 23:35:50, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
> init_sam_from_ldap: Entry found for user: jonathan
> [2006/07/29 23:35:50, 2] auth/auth.c:check_ntlm_password(307)
> check_ntlm_password: authentication for user [jonathan] -> [jonathan] ->
> [jonathan] succeeded
>
>
>
> SMB.conf
> [global]
>
> ldap admin dn = "cn=samba,ou=DSA,dc=jonathanpoon"
> ldap ssl = no
> passdb backend = ldapsam:ldap://127.0.0.1
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
> ldap machine suffix = ou=Computers
> ldap suffix = dc=jonathanpoon
> ldap passwd sync = yes
----
I am wondering what is in /etc/ldap.conf, specifically the lines:
nss_base_passwd
nss_base_shadow
nss_base_group
Are the computer accounts stored in the same ou as People?
This is likely where your problems with machine accounts and Groups is.
----
>
> [profiles]
> path = /usr/local/samba/profiles
> writeable = yes
> guest ok = yes
> browseable = yes
> create mask = 0777
> directory mask = 0777
> #profile acls = yes
> #csc policy = disable
> #force user = %U
> #valid users = %U @"Domain Admins"
----
I would probably remove the comments from csc policy and profile acls
lines here but that isn't the issue at the moment.
The logs you have quoted above don't show what happened when the DELL$
tried to authenticate nor what happened when you tried getent group (as
far as I can tell) so I am not going to speculate further.
Craig
More information about the samba
mailing list