[Samba] smbldap and samba as a PDC

LiPi - lipixx at gmail.com
Fri Mar 20 17:49:46 GMT 2009

Hi people, first of all, thank you for the quick answers.

This morning I have been trying some things.

1. smbldap configure script: I remember that one week ago I installed
an old debian and I tried it but don't ask me for the results... I
will retry on monday.
2. The SID is obtained with "net get localsid" and is the same that
the one represented in sambaDomain=TESTING, it's also in all the
config files it must be.
3. smbldap-tools is installed from ubuntu sources. It install all the
required packages and dependencies and it works fine. Despite of these
I will revise if all the
dependencies are ok. I tried smbldap-tools from .tar.gz and gave the
same result.
4. I was thinking about a rights problem. I have a user called
"administrador" that have uid=0, "sambaSid"-0 and group "sambaSid"-512
and it's in the Users org. u. in Ldap.
When I try a net rpc join -U administrador, the error shown with
manual command is:
  Error: modifications require authentication at /usr/share/perl5/
smbldap_tools.pm line 1083.

So I modified /etc/ldap/slapd.conf adding the following:
allow update_anon
Then it throws:
Error: Insufficient access at /usr/share/perl5/smbldap_tools.pm line

Is smbldap-tools trying an anonymous access?

Let's try one thing in slapd.conf:
access to *
        by dn="cn=admin,dc=testing,dc=sistemas,dc=upc,dc=es" write
        by * write

and then, manually smbldap-adduser -w machine$, and the machine
account is then created!!!

I can't give write acces to *  as you can understand.

Althought the machine is created, it hasn't got the samba attributes
in Ldap, and then M$Windows nor linux recognize it.

How can I know the user which smbldap is attempting to use to log in
ldap server?
I looked smbldap_bind.conf (both /etc/smbldap-tools and
/etc/opt/IDEALX/smbldap-tools/  .. the last doesn't exist) and there
are the correct
slaveMaster, master, and password settings.

Do you think that smbldap-tools is not seeing correctly the samba
schema from ldap? or something similar?

Thank you all.

If I can solve the problem I think it would be very useful for a lot
of people, look these:
<-- he solves it with giving rights to admin from ebox.

2009/3/20 Wikked one <wikked1 at hotmail.com>:
> LiPi,
>       I too have user smbldap-tools with good success.
> There is a nice little installer package (smbldap-configure)
> that simplifies this process a little bit...
> you can find a version that may be suitable for use here
> http://majen.net/smbldap/
> On another note this looks vaguely familiar and I think it's related to the SID in
> one of the smbldap.conf  or the smbldap_bind.conf files...but that's pure guess on my part but it might be worth
> confirming your SID matches in all your config files.
>> Date: Fri, 20 Mar 2009 09:20:31 -0500
>> From: jht at samba.org
>> To: awilliam at mdah.state.ms.us
>> Subject: Re: [Samba] smbldap and samba as a PDC
>> CC: samba at lists.samba.org
>> Adam Williams wrote:
>> > i never could get smbldaptools to work properly (on fedora and centos),
>> > i always got various perl errors.  i just create the machine accounts by
>> > hand.
>> LiPi/Adam,
>> I have used smbldap-tools since the first version.  This tool is your
>> friend so long as its dependencies are met.  Where its dependencies are
>> not met it can be difficult to diagnose what is missing.  Have you
>> checked the smbldap-tools documentation to see which perl modules are
>> required?  Have you checked to ensure that these perl modules are
>> installed on your system?
>> Did you install the appropriate Linux distro package, or did you install
>> it by hand?
>> 1) If you elected to install by hand you will have to manually satisfy
>> all perl module dependencies.  You may have to use: "perl -MCPAN -e
>> shell" as the means of installing the missing perl modules.
>> 2) If you installed from the official distro packages, please contact
>> the package maintainer regarding correct procedures to ensure that all
>> dependencies are met.
>> I used smbldap-tools in Samba3-ByExample.  Have you checked how it is
>> used in this book?  I used SUSE Linux in the book, but that is pretty
>> close to Fedora Core.  Ubuntu can be a little more challenging, suggest
>> you ask on the ubuntu mailing list.
>> Cheers,
>> John T.
>> > LiPi - wrote:
>> >> Hi people, I have a problem with samba, openldap and the creation of
>> >> machine
>> >> accounts.
>> >> I don't know if here is a good place to ask but I don't receive help in
>> >> other places.. I read many guides, howto's, etc. but
>> >> I can't get around with the solution...
>> >>
>> >>  I have seen an older message to another list (mail.gna.org) asking
>> >> for the
>> >> same problem that I have, it was:
>> >>
>> >>    - [Smbldap-tools-tech] Problem creating machine
>> >> accounts<https://mail.gna.org/public/smbldap-tools-tech/2008-09/msg00001.html>,
>> >>
>> >>    *Jonathan Warrington   (September 24, 2008 - 19:24)*
>> >>
>> >> I didn't know if Jonathan received a response, but I have two
>> >> problems, one
>> >> is exactly the same that's described there, and the other is explained as
>> >> follows:
>> >>
>> >> I have samba + ldap PDC with smbldap-tools, and when I try to join the
>> >> domain I get these error:
>> >>
>> >> root at patata:/# net rpc join -U administrador
>> >>   Password:
>> >>   Creation of workstation account failed
>> >>   Unable to join domain TESTING.
>> >>
>> >>   If I take a look to the logs...:
>> >>   2009/03/19 20:18:42, 0] passdb/pdb_interface.c:pdb_
>> >> default_create_user(329)
>> >>    _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
>> >> patata$' gave 127
>> >>
>> >>  Then manually, smbldap-useradd -w patata$:
>> >>   Error: modifications require authentication at /usr/share/perl5/
>> >> smbldap_tools.pm line 1083.
>> >>
>> >>   And if I create the machine account from phpldapadmin, it works
>> >> perfectly.
>> >>
>> >>   What can I do? I tried:
>> >>    net -U administrador%XXXX rpc rights grant 'TESTING\smbadmins'
>> >> SeMachineAccountPrivilege,
>> >>
>> >>    also tried to modify smbldap.conf and smbldap_bind.conf, and I got
>> >> nothing...
>> >>
>> >>   I followed many howto's and surelly there is something that i'm not
>> >> understanding, but I don't know what. Any suggestion would surely be
>> >> helpful.
>> >>
>> >> getent passwd and getent group works well. If I try to add a machine
>> >> account
>> >> from phpldapadmin, all goes right.
>> >>
>> >> This is my smbldap config:
>> >> http://pastebin.ca/1365687
>> >>
>> >> And this my smb.conf:
>> >> http://pastebin.ca/1365698
>> >>
>> >>
>> >> Thank you all.
>> >>
>> >> LiPi
>> >>
>> --
>> John H Terpstra
>> "If at first you don't succeed, don't go sky-diving!"
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
> _________________________________________________________________
> Windows Live™ SkyDrive: Get 25 GB of free online storage.
> http://windowslive.com/online/skydrive?ocid=TXT_TAGLM_WL_skydrive_032009--
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list