[Samba] Problem with samba and ldap

Michaël Todorovic michael.todorovic at free.fr
Sun Jan 13 11:09:38 GMT 2008


Hello and sorry for the late answer,
I tried to change the "add machine script" line but I don't think this is the
solution: smbldap-useradd returns 0 when the computer does not exist in the ldap
directory. Even if I change the line, it always returns 9 when the computer
account already exists.
getent passwd machine_account$ returns nothing because I use neither nss nor pam
for the moment. I'll try later, but last time I tried ldap/samba, nss worked like
a charm :) Joining the domain (for windows clients) didn't work.

I tried to search in phpldapadmin for the difference between a computer
account and a user account. My computer account does not have any
sambaSamAccount, just posixAccount! I think it cannot work like this because
windows clients need a sambaSamAccount. I tried to add the sambaSamAccount
property to my computer account. PhpLdapAdmin suggested I put a SambaSID
(SID+group number). I tried again to join the domain (with net join and a windows
client) and it worked!

Now I am looking for ways to modify the machine-adding method in order to add
sambaSamAccount automatically. I don't know if this is normal or if it's a bug,
but it works :)


Thanks

Regards,
Michaël Todorovic



-----------------------------------------


According to Quinn Fissler <qfissler at gmail.com>:

 Hello,

 I have seen this behaviour myself on more than one occasion and for
 different reasons.

 It took some time to diagnose at first but it was an education :-)

 The first thing to remember is that samba uses two methods to talk to ldap.

 As far as I remember, when you first issue the join, the client tries to log
 into the domain - this fails so it tries to create an account - this is
 done by samba using the method configured in smb.conf viz:
   add machine script = /usr/sbin/smbldap-useradd -w "%u".
 which itself uses a perl module to make the connection and which is
 configured by smbldap_bind.conf and smbldap.conf.

 Once the script has been called, samba checks that it worked using the
 nssldap libraries.
 Here, samba does the equivalent of:
     getent passwd MyMachineName

 Try running this - there are so many reasons it could fail - does it work
 from the command line?

 As you haven't included this in your description, I presume that it's the
 bit you overlooked.

 It is configured using ldap.conf - I found that these are in /etc and
 /etc/openldap so I hard linked to make one file.

 I am going to work now - let us know if you need more help with that file.

 Happy New Year!

 Regards,

 Quinn

 On 01/01/2008, Michaël Todorovic <michael.todorovic at free.fr> wrote:
 >
 > Hello and happy new year :)
 >
 > I have to set up a samba server as a PDC with an openldap backend. My
 > openldap server is fully functional and it is not secured yet (so no
 > problems with tls). I must use debian etch or lenny.
 > My server's IP is 192.168.9.10/24. I have set up a dns server (bind9)
 > for my domain named "mik". It's a local domain for testing only. There
 > is a piece of the configuration file of bind :
 > pdc             A       192.168.9.10
 > _ldap._tcp.dc._msdcs    IN      CNAME   pdc
 > This permits windows clients to find the pdc. When I try to join the
 > domain under linux, it fails. I try with "net join mik -U root" on the
 > pdc (no other pc than the pdc to test) and it returns :
 > Creation of workstation account failed
 > Unable to join domain MIK.
 > Here are the logs :
 > /var/log/samba/log.pdc :
 > [2008/01/01 11:44:47, 2] lib/smbldap.c:smbldap_open_connection(786)
 >   smbldap_open_connection: connection opened
 > [2008/01/01 11:44:47, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
 >   init_sam_from_ldap: Entry found for user: root
 > [2008/01/01 11:44:47, 2] auth/auth.c:check_ntlm_password(309)
 >   check_ntlm_password:  authentication for user [root] -> [root] ->
 > [root] succeeded
 > [2008/01/01 11:44:49, 0]
 > passdb/pdb_interface.c:pdb_default_create_user(329)
 >   _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
 > "pdc$"' gave 9
 >
 > smbldap-useradd returns 9 when the user already exists in the directory
 > but it does not change anything if I delete it. It returns 0 (no
 > problems) but joining the domain fails again. root authentication is ok:
 > the log is produced with the correct password; I tried with a wrong
 > password and it told me that the password is bad so the authentication
 > is ok.
 >
 > /var/log/samba/log.192.168.9.10 :
 > [2008/01/01 11:44:46, 2] lib/smbldap.c:smbldap_open_connection(786)
 >   smbldap_open_connection: connection opened
 > [2008/01/01 11:44:46, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
 >   get_md4pw: Workstation PDC$: no account in domain
 > [2008/01/01 11:44:46, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
 >   _net_auth2: failed to get machine password for account PDC$:
 > NT_STATUS_ACCESS_DENIED
 >
 > I don't know why it tries to find a password for a workstation. It does
 > not make sense for me.
 >
 > It seems to be a known problem but still no answers. You can find my
 > configuration files in the enclosures ;)
 >
 > Here are the versions used of samba, openldap and smbldap-tools:
 > samba:
 >   Installé : 3.0.28-1~lenny1
 >   Candidat : 3.0.28-1~lenny1
 > Table de version :
 > *** 3.0.28-1~lenny1 0
 >         500 http://security.debian.org lenny/updates/main Packages
 >         100 /var/lib/dpkg/status
 >      3.0.27a-1 0
 >         500 http://ftp.fr.debian.org lenny/main Packages
 >
 > slapd:
 >   Installé : 2.3.38-1+lenny1
 >   Candidat : 2.3.38-1+lenny1
 > Table de version :
 > *** 2.3.38-1+lenny1 0
 >         500 http://security.debian.org lenny/updates/main Packages
 >         100 /var/lib/dpkg/status
 >      2.3.38-1 0
 >         500 http://ftp.fr.debian.org lenny/main Packages
 >
 > smbldap-tools:
 >   Installé : 0.9.4-1
 >   Candidat : 0.9.4-1
 > Table de version :
 > *** 0.9.4-1 0
 >         500 http://ftp.fr.debian.org lenny/main Packages
 >         100 /var/lib/dpkg/status
 >
 >
 > Maybe one clue: the slapd log tells me that some keys are not indexed. I
 > don't think that it hurts (this is just for performance?)
 >
 > Do you have some tip to make the pdc functional? If you need more
 > information, please do not hesitate to ask.
 > Best regards,
 >
 > Michaël Todorovic
 >
 >
 > # Global parameters
 > [global]
 >         workgroup = mik
 >         netbios name = PDC
 >         security = user
 >         enable privileges = yes
 >         server string = Samba Server %v
 >         encrypt passwords = Yes
 >         min passwd length = 3
 >
 >         unix password sync = yes
 >         ldap passwd sync = yes
 >         passwd program = /usr/sbin/smbldap-passwd -u "%u"
 >         passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
 >
 >         log level = 2
 >         syslog = 0
 >         log file = /var/log/samba/log.%m
 >         max log size = 100000
 >         time server = Yes
 >         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 >         mangling method = hash2
 >         Dos charset = 850
 >         Unix charset = ISO8859-1
 >
 >         logon script = logon.bat
 >         logon drive = H:
 >         logon home =
 >         logon path =
 >
 >         domain logons = Yes
 >         domain master = Yes
 >         os level = 65
 >         preferred master = Yes
 >         wins support = yes
 >         passdb backend = ldapsam:ldap://127.0.0.1/
 >         ldap admin dn = cn=admin,dc=mik
 >         ldap suffix = dc=mik
 >         ldap group suffix = ou=Groups
 >         ldap user suffix = ou=Users
 >         ldap machine suffix = ou=Computers
 >         add user script = /usr/sbin/smbldap-useradd -m "%u"
 >         delete user script = /usr/sbin/smbldap-userdel "%u"
 >         add machine script = /usr/sbin/smbldap-useradd -w "%u"
 >         add group script = /usr/sbin/smbldap-groupadd -p "%g"
 >         add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
 >         delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
 >         set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
 >
 >         # printers configuration
 >         #printer admin = @"Print Operators"
 >         load printers = Yes
 >         create mask = 0640
 >         directory mask = 0750
 >         #force create mode = 0640
 >         #force directory mode = 0750
 >         nt acl support = No
 >         deadtime = 10
 >         guest account = nobody
 >         map to guest = Bad User
 >         dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
 >         show add printer wizard = yes
 >         ; to maintain capital letters in shortcuts in any of the profile folders:
 >         preserve case = yes
 >         short preserve case = yes
 >         case sensitive = no
 >
 > [netlogon]
 >         path = /pdc/samba/netlogon/
 >         browseable = No
 >         read only = no
 >
 > [profiles]
 >         path = /pdc/samba/profiles
 >         read only = no
 >         create mask = 0600
 >         directory mask = 0700
 >         browseable = No
 >         guest ok = Yes
 >         profile acls = yes
 >         csc policy = disable
 >         # next line is a great way to secure the profiles
 >         force user = %U
 >         # next line allows administrator to access all profiles
 >         valid users = %U "Domain Admins"
 >
 > [public]
 >         path = /tmp
 >         guest ok = yes
 >         browseable = Yes
 >         writable = yes
 >
 > # This is the main slapd configuration file. See slapd.conf(5) for more
 > # info on the configuration options.
 >
 > #######################################################################
 > # Global Directives:
 >
 > # Features to permit
 > #allow bind_v2
 >
 > # Schema and objectClass definitions
 > include         /etc/ldap/schema/core.schema
 > include         /etc/ldap/schema/cosine.schema
 > include         /etc/ldap/schema/nis.schema
 > include         /etc/ldap/schema/inetorgperson.schema
 > include         /etc/ldap/schema/samba.schema
 >
 > # Where the pid file is put. The init.d script
 > # will not stop the server if you change this.
 > pidfile         /var/run/slapd/slapd.pid
 >
 > # List of arguments that were passed to the server
 > argsfile        /var/run/slapd/slapd.args
 >
 > # Read slapd.conf(5) for possible values
 > loglevel        none
 >
 > # Where the dynamically loaded modules are stored
 > modulepath      /usr/lib/ldap
 > moduleload      back_bdb
 >
 > # The maximum number of entries that is returned for a search operation
 > sizelimit 500
 >
 > # The tool-threads parameter sets the actual amount of cpu's that is used
 > # for indexing.
 > tool-threads 1
 >
 > #######################################################################
 > # Specific Backend Directives for bdb:
 > # Backend specific directives apply to this backend until another
 > # 'backend' directive occurs
 > backend         bdb
 > checkpoint 512 30
 >
 > #######################################################################
 > # Specific Backend Directives for 'other':
 > # Backend specific directives apply to this backend until another
 > # 'backend' directive occurs
 > #backend                <other>
 >
 > #######################################################################
 > # Specific Directives for database #1, of type bdb:
 > # Database specific directives apply to this databasse until another
 > # 'database' directive occurs
 > database        bdb
 >
 > # The base of your directory in database #1
 > suffix          "dc=mik"
 >
 > # rootdn directive for specifying a superuser on the database. This is needed
 > # for syncrepl.
 > rootdn          "cn=admin,dc=mik"
 > rootpw          {SSHA}wDFytSLjQhvYo1aiIXXRXKYtnwAk6Fkk
 >
 > # Where the database file are physically stored for database #1
 > directory       "/var/lib/ldap"
 >
 > # For the Debian package we use 2MB as default but be sure to update this
 > # value if you have plenty of RAM
 > dbconfig set_cachesize 0 2097152 0
 >
 > # Sven Hartge reported that he had to set this value incredibly high
 > # to get slapd running at all. See http://bugs.debian.org/303057
 > # for more information.
 >
 > # Number of objects that can be locked at the same time.
 > dbconfig set_lk_max_objects 1500
 > # Number of locks (both requested and granted)
 > dbconfig set_lk_max_locks 1500
 > # Number of lockers
 > dbconfig set_lk_max_lockers 1500
 >
 > # Indexing options for database #1
 > index objectClass eq
 > index cn pres, sub, eq
 > index memberUid eq, subinitial
 > index sambaSID eq
 >
 > # Save the time that the entry gets modified, for database #1
 > lastmod         on
 >
 > # Where to store the replica logs for database #1
 > # replogfile    /var/lib/ldap/replog
 >
 > # The userPassword by default can be changed
 > # by the entry owning it if they are authenticated.
 > # Others should not be able to see it, except the
 > # admin entry below
 > # These access lines apply to database #1 only
 > access to
 > attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange
 >         by dn="cn=admin,dc=mik" write
 >         by anonymous auth
 >         by self write
 >         by * none
 >
 > # Ensure read access to the base for things like
 > # supportedSASLMechanisms.  Without this you may
 > # have problems with SASL not knowing what
 > # mechanisms are available and the like.
 > # Note that this is covered by the 'access to *'
 > # ACL below too but if you change that as people
 > # are wont to do you'll still need this if you
 > # want SASL (and possible other things) to work
 > # happily.
 > access to dn.base="" by * read
 >
 > # The admin dn has full write access, everyone else
 > # can read everything.
 > access to *
 >         by dn="cn=admin,dc=mik" write
 >         by * read
 >
 > # For Netscape Roaming support, each user gets a roaming
 > # profile for which they have write access to
 > #access to dn=".*,ou=Roaming,o=morsnet"
 > #        by dn="cn=admin,dc=mik" write
 > #        by dnattr=owner write
 >
 > #######################################################################
 > # Specific Directives for database #2, of type 'other' (can be bdb too):
 > # Database specific directives apply to this databasse until another
 > # 'database' directive occurs
 > #database        <other>
 >
 > # The base of your directory for database #2
 > #suffix         "dc=debian,dc=org"
 >
 > # $Source: $
 > # $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
 > #
 > # smbldap-tools.conf : Q & D configuration file for smbldap-tools
 >
 > #  This code was developped by IDEALX (http://IDEALX.org/) and
 > #  contributors (their names can be found in the CONTRIBUTORS file).
 > #
 > #                 Copyright (C) 2001-2002 IDEALX
 > #
 > #  This program is free software; you can redistribute it and/or
 > #  modify it under the terms of the GNU General Public License
 > #  as published by the Free Software Foundation; either version 2
 > #  of the License, or (at your option) any later version.
 > #
 > #  This program is distributed in the hope that it will be useful,
 > #  but WITHOUT ANY WARRANTY; without even the implied warranty of
 > #  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 > #  GNU General Public License for more details.
 > #
 > #  You should have received a copy of the GNU General Public License
 > #  along with this program; if not, write to the Free Software
 > #  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
 > #  USA.
 >
 > #  Purpose :
 > #       . be the configuration file for all smbldap-tools scripts
 >
 >
 >
 > ##############################################################################
 > #
 > # General Configuration
 > #
 >
 >
 > ##############################################################################
 >
 > # Put your own SID. To obtain this number do: "net getlocalsid".
 > # If not defined, parameter is taking from "net getlocalsid" return
 > SID="S-1-5-21-2693224835-1467424543-666700523"
 >
 > # Domain name the Samba server is in charged.
 > # If not defined, parameter is taking from smb.conf configuration file
 > # Ex: sambaDomain="IDEALX-NT"
 > sambaDomain="MIK"
 >
 >
 >
 > ##############################################################################
 > #
 > # LDAP Configuration
 > #
 >
 >
 > ##############################################################################
 >
 > # Notes: to use to dual ldap servers backend for Samba, you must patch
 > # Samba with the dual-head patch from IDEALX. If not using this patch
 > # just use the same server for slaveLDAP and masterLDAP.
 > # Those two servers declarations can also be used when you have
 > # . one master LDAP server where all writing operations must be done
 > # . one slave LDAP server where all reading operations must be done
 > #   (typically a replication directory)
 >
 > # Slave LDAP server
 > # Ex: slaveLDAP=127.0.0.1
 > # If not defined, parameter is set to "127.0.0.1"
 > slaveLDAP="127.0.0.1"
 >
 > # Slave LDAP port
 > # If not defined, parameter is set to "389"
 > slavePort="389"
 >
 > # Master LDAP server: needed for write operations
 > # Ex: masterLDAP=127.0.0.1
 > # If not defined, parameter is set to "127.0.0.1"
 > masterLDAP="127.0.0.1"
 >
 > # Master LDAP port
 > # If not defined, parameter is set to "389"
 > masterPort="389"
 >
 > # Use TLS for LDAP
 > # If set to 1, this option will use start_tls for connection
 > # (you should also used the port 389)
 > # If not defined, parameter is set to "1"
 > ldapTLS="0"
 >
 > # How to verify the server's certificate (none, optional or require)
 > # see "man Net::LDAP" in start_tls section for more details
 > verify="require"
 >
 > # CA certificate
 > # see "man Net::LDAP" in start_tls section for more details
 > #cafile="/etc/smbldap-tools/ca.pem"
 >
 > # certificate to use to connect to the ldap server
 > # see "man Net::LDAP" in start_tls section for more details
 > #clientcert="/etc/smbldap-tools/smbldap-tools.pem"
 >
 > # key certificate to use to connect to the ldap server
 > # see "man Net::LDAP" in start_tls section for more details
 > #clientkey="/etc/smbldap-tools/smbldap-tools.key"
 >
 > # LDAP Suffix
 > # Ex: suffix=dc=IDEALX,dc=ORG
 > suffix="dc=mik"
 >
 > # Where are stored Users
 > # Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
 > # Warning: if 'suffix' is not set here, you must set the full dn for usersdn
 > usersdn="ou=Users,${suffix}"
 >
 > # Where are stored Computers
 > # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
 > # Warning: if 'suffix' is not set here, you must set the full dn for computersdn
 > computersdn="ou=Computers,${suffix}"
 >
 > # Where are stored Groups
 > # Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
 > # Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
 > groupsdn="ou=Groups,${suffix}"
 >
 > # Where are stored Idmap entries (used if samba is a domain member server)
 > # Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
 > # Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
 > idmapdn="ou=Idmap,${suffix}"
 >
 > # Where to store next uidNumber and gidNumber available for new users and groups
 > # If not defined, entries are stored in sambaDomainName object.
 > # Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
 > # Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
 > sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
 >
 > # Default scope Used
 > scope="sub"
 >
 > # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
 > hash_encrypt="SSHA"
 >
 > # if hash_encrypt is set to CRYPT, you may set a salt format.
 > # default is "%s", but many systems will generate MD5 hashed
 > # passwords if you use "$1$%.8s". This parameter is optional!
 > crypt_salt_format="%s"
 >
 >
 >
 > ##############################################################################
 > #
 > # Unix Accounts Configuration
 > #
 >
 >
 > ##############################################################################
 >
 > # Login defs
 > # Default Login Shell
 > # Ex: userLoginShell="/bin/bash"
 > userLoginShell="/bin/bash"
 >
 > # Home directory
 > # Ex: userHome="/home/%U"
 > userHome="/pdc/samba/users/%U"
 >
 > # Default mode used for user homeDirectory
 > userHomeDirectoryMode="700"
 >
 > # Gecos
 > userGecos="System User"
 >
 > # Default User (POSIX and Samba) GID
 > defaultUserGid="513"
 >
 > # Default Computer (Samba) GID
 > defaultComputerGid="515"
 >
 > # Skel dir
 > skeletonDir="/etc/skel"
 >
 > # Default password validation time (time in days) Comment the next line if
 > # you don't want password to be enable for defaultMaxPasswordAge days (be
 > # careful to the sambaPwdMustChange attribute's value)
 > defaultMaxPasswordAge="45"
 >
 >
 >
 > ##############################################################################
 > #
 > # SAMBA Configuration
 > #
 >
 >
 > ##############################################################################
 >
 > # The UNC path to home drives location (%U username substitution)
 > # Just set it to a null string if you want to use the smb.conf 'logon home'
 > # directive and/or disable roaming profiles
 > # Ex: userSmbHome="\\PDC-SMB3\%U"
 > userSmbHome="\\PDC\%U"
 >
 > # The UNC path to profiles locations (%U username substitution)
 > # Just set it to a null string if you want to use the smb.conf 'logon path'
 > # directive and/or disable roaming profiles
 > # Ex: userProfile="\\PDC-SMB3\profiles\%U"
 > userProfile="\\PDC\profiles\%U"
 >
 > # The default Home Drive Letter mapping
 > # (will be automatically mapped at logon time if home directory exist)
 > # Ex: userHomeDrive="H:"
 > userHomeDrive="H:"
 >
 > # The default user netlogon script name (%U username substitution)
 > # if not used, will be automatically username.cmd
 > # make sure script file is edited under dos
 > # Ex: userScript="startup.cmd" # make sure script file is edited under dos
 > userScript="logon.bat"
 >
 > # Domain appended to the users "mail"-attribute
 > # when smbldap-useradd -M is used
 > # Ex: mailDomain="idealx.com"
 > #mailDomain="idealx.com"
 >
 >
 >
 > ##############################################################################
 > #
 > # SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
 > #
 >
 >
 > ##############################################################################
 >
 > # Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
 > # prefer Crypt::SmbHash library
 > with_smbpasswd="1"
 > smbpasswd="/usr/bin/smbpasswd"
 >
 > # Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
 > # but prefer Crypt:: libraries
 > with_slappasswd="0"
 > slappasswd="/usr/sbin/slappasswd"
 >
 > # comment out the following line to get rid of the default banner
 > # no_banner="1"
 >
 >
 > ############################
 > # Credential Configuration #
 > ############################
 > # Notes: you can specify two differents configuration if you use a
 > # master ldap for writing access and a slave ldap server for reading access
 > # By default, we will use the same DN (so it will work for standard Samba
 > # release)
 > slaveDN="cn=admin,dc=mik"
 > slavePw="secret"
 > masterDN="cn=admin,dc=mik"
 > masterPw="secret"
 >
 >

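As an added example (not code from the thread or from smbldap-tools), here is a small Python check that mirrors the two lookups Quinn describes above, nss_ldap's getent passwd on the machine name and Samba's passdb lookup, against the kind of posixAccount-only computer entry Michaël found, and that emits the LDIF modify adding sambaSamAccount and a sambaSID. The sample entry, the placeholder domain SID and the rid = 2*uidNumber + 1000 mapping (the default algorithmic RID scheme of smbldap-tools and Samba) are assumptions made here, not values from the thread.

```python
# Added example, not from the thread. Checks a computer entry for the
# posixAccount attributes nss_ldap needs ("getent passwd NAME$") and the
# sambaSamAccount/sambaSID Samba's passdb needs; fix_ldif() emits an LDIF
# modify using rid = 2*uidNumber + 1000 (assumed default algorithmic mapping).

# Constructed sample: a computer entry as created by smbldap-useradd -w
# with posixAccount only, the situation Michaël describes.
SAMPLE_LDIF = """\
dn: uid=pdc$,ou=Computers,dc=mik
objectClass: top
objectClass: posixAccount
cn: pdc$
uid: pdc$
uidNumber: 1003
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
"""

DOMAIN_SID = "S-1-5-21-0000000000-0000000000-000000000"  # placeholder SID


def parse_ldif_entry(text):
    """Parse one plain LDIF entry into {attr_lowercase: [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def check_machine_account(entry):
    """Return the problems found; an empty list means both lookups should pass."""
    problems = []
    ocs = {v.lower() for v in entry.get("objectclass", [])}
    uid = entry.get("uid", [""])[0]
    if "posixaccount" not in ocs:
        problems.append("missing objectClass posixAccount")
    for attr in ("uidnumber", "gidnumber", "homedirectory", "loginshell"):
        if attr not in entry:
            problems.append("missing %s (getent passwd %s would fail)" % (attr, uid))
    if "sambasamaccount" not in ocs:
        problems.append("missing objectClass sambaSamAccount "
                        "(Samba logs 'no account in domain')")
    if "sambasid" not in entry:
        problems.append("missing sambaSID")
    return problems


def fix_ldif(entry, domain_sid):
    """LDIF modify adding sambaSamAccount, sambaSID and the workstation flag [W]."""
    rid = 2 * int(entry["uidnumber"][0]) + 1000
    return "\n".join([
        "dn: %s" % entry["dn"][0],
        "changetype: modify",
        "add: objectClass",
        "objectClass: sambaSamAccount",
        "-",
        "add: sambaSID",
        "sambaSID: %s-%d" % (domain_sid, rid),
        "-",
        "add: sambaAcctFlags",
        "sambaAcctFlags: [W          ]",
        "",
    ])


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print("\n".join("PROBLEM: " + p for p in check_machine_account(entry)))
    print(fix_ldif(entry, DOMAIN_SID))
```

After applying the modify with ldapmodify, Samba sets the machine password itself when the join is retried.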
