[Samba] Problem with Samba - OpenLDAP and domain authentication of Windows XP
Claudio Prono
claudio.prono at atpss.net
Mon Sep 27 09:08:12 MDT 2010
Gaiseric Vandal wrote:
> Do you have an underlying unix account for the pc (eg SOMEMACHINE$)?
>
> It is possible to configure scripts that the unix account is created
> by samba if necessary when samba creates the "Windows" account for the
> machine. I don't have it set up this way, so I need to create the
> unix account 1st.
>
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$

This script automatically adds the machine if needed, or am I wrong?
> Also, I found that since the underlying unix OS may need to validate the
> machine account, I put my machine accounts in either the same ldap ou
> as people (or in a sub ou.) ("getent passwd" command may need to show
> your machine accounts as well as people accounts.)
>
> If you have manually created the unix account for the machine, can you
> then manually create the samba account for it
>
> e.g. smbpasswd -m -a SOMEMACHINE
>
> (I think you leave the $ off .)
>
>
> I use LDAP for both "unix" and "windows" clients so my config choices
> may not be applicable to a windows-only client environment.
>
>
> On 09/27/2010 09:59 AM, Claudio Prono wrote:
>> Hello all,
>>
>> I have some problems making a configuration of Samba and OpenLDAP
>> work as a domain controller. My operating system is OpenSuSE 11.3.
>>
>> Here is my testparm:
>>
>> [global]
>> workgroup = MEDIADC
>> netbios name = MEDIADC
>> map to guest = Bad User
>> passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
>> log level = 2
>> printcap name = cups
>> add machine script = /usr/sbin/useradd -c Machine -d
>> /var/lib/nobody -s /bin/false %m$
>> logon path = \\%L\profiles\.msprofile
>> logon drive = P:
>> logon home = \\%L\%U\.9xprofile
>> domain logons = Yes
>> os level = 65
>> preferred master = Yes
>> domain master = Yes
>> wins support = Yes
>> ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
>> ldap group suffix = ou=group
>> ldap idmap suffix = ou=Idmap
>> ldap machine suffix = ou=Machines
>> ldap passwd sync = yes
>> ldap suffix = dc=mediaservice-test,dc=pri
>> ldap ssl = no
>> ldap user suffix = ou=people
>> usershare allow guests = Yes
>> idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
>> idmap uid = 1000-60000
>> idmap gid = 1000-60000
>> cups options = raw
>>
>> [homes]
>> comment = Home Directories
>> valid users = %S, %D%w%S
>> read only = No
>> inherit acls = Yes
>> browseable = No
>>
>> [profiles]
>> comment = Network Profiles Service
>> path = %H
>> read only = No
>> create mask = 0600
>> directory mask = 0700
>> store dos attributes = Yes
>>
>> [users]
>> comment = All users
>> path = /home
>> read only = No
>> inherit acls = Yes
>> veto files = /aquota.user/groups/shares/
>>
>> [groups]
>> comment = All groups
>> path = /home/groups
>> read only = No
>> inherit acls = Yes
>>
>> [printers]
>> comment = All Printers
>> path = /var/tmp
>> create mask = 0600
>> printable = Yes
>> browseable = No
>>
>> [print$]
>> comment = Printer Drivers
>> path = /var/lib/samba/drivers
>> write list = @ntadmin, root
>> force group = ntadmin
>> create mask = 0664
>> directory mask = 0775
>>
>> [netlogon]
>> comment = Network Logon Service
>> path = /var/lib/samba/netlogon
>> write list = root
>>
>> If I try to join a Windows XP machine to the domain I get these results:
>>
>> [2010/09/27 14:58:52.229946, 0]
>> lib/util_sock.c:1432(get_peer_addr_internal)
>> getpeername failed. Error was Transport endpoint is not connected
>> [2010/09/27 14:58:52.233371, 2] smbd/reply.c:536(reply_special)
>> netbios connect: name1=MEDIADC 0x20 name2=TESTAFS 0x0
>> [2010/09/27 14:58:52.233498, 2] smbd/reply.c:547(reply_special)
>> netbios connect: local=mediadc remote=testafs, name type = 0
>> [2010/09/27 14:58:52.234068, 2]
>> smbd/sesssetup.c:1390(setup_new_vc_session)
>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>> all old resources.
>> [2010/09/27 14:58:52.233647, 0] lib/util_sock.c:675(write_data)
>> [2010/09/27 14:58:52.234876, 0]
>> lib/util_sock.c:1432(get_peer_addr_internal)
>> getpeername failed. Error was Transport endpoint is not connected
>> write_data: write failure in writing to client 0.0.0.0. Error
>> Connection reset by peer
>> [2010/09/27 14:58:52.236855, 0] smbd/process.c:79(srv_send_smb)
>> Error writing 4 bytes to client. -1. (Transport endpoint is not
>> connected)
>> [2010/09/27 14:58:52.238615, 2]
>> smbd/sesssetup.c:1390(setup_new_vc_session)
>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>> all old resources.
>> [2010/09/27 14:58:52.239888, 2]
>> lib/smbldap.c:950(smbldap_open_connection)
>> smbldap_open_connection: connection opened
>> [2010/09/27 14:58:52.242954, 2]
>> passdb/pdb_ldap.c:572(init_sam_from_ldap)
>> init_sam_from_ldap: Entry found for user: Administrator
>> [2010/09/27 14:58:52.295749, 2] auth/auth.c:304(check_ntlm_password)
>> check_ntlm_password: authentication for user [Administrator] ->
>> [Administrator] -> [Administrator] succeeded
>> [2010/09/27 14:58:52.780610, 0]
>> rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
>> _netr_ServerAuthenticate: no challenge sent to client TESTAFS
>> [2010/09/27 14:58:53.337111, 2]
>> smbd/sesssetup.c:1390(setup_new_vc_session)
>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>> all old resources.
>> [2010/09/27 14:58:53.338938, 2]
>> smbd/sesssetup.c:1390(setup_new_vc_session)
>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>> all old resources.
>> [2010/09/27 14:58:53.339808, 2]
>> lib/smbldap.c:950(smbldap_open_connection)
>> smbldap_open_connection: connection opened
>> [2010/09/27 14:58:53.342371, 2]
>> passdb/pdb_ldap.c:572(init_sam_from_ldap)
>> init_sam_from_ldap: Entry found for user: Administrator
>> [2010/09/27 14:58:53.347683, 2] auth/auth.c:304(check_ntlm_password)
>> check_ntlm_password: authentication for user [Administrator] ->
>> [Administrator] -> [Administrator] succeeded
>> [2010/09/27 14:58:53.812728, 2]
>> rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>> Returning domain sid for domain MEDIADC ->
>> S-1-5-21-1949818787-1514111066-129980733
>> [2010/09/27 14:58:53.814002, 2]
>> rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>> Returning domain sid for domain MEDIADC ->
>> S-1-5-21-1949818787-1514111066-129980733
>>
>> It seems that all works fine, but Windows gives an error like "Access
>> Denied" and the computer is not added to the domain.
>>
>> What can be the problem? How to debug it?
>>
>> Any hint is welcome...
>>
>> Cordially,
>>
>> Claudio Prono.
>>
>>
>>
>
--
--------------------------------------------------------------------------------
Claudio Prono OPST
System Developer
Gsm: +39-349-54.33.258
@PSS Srl Tel: +39-011-32.72.100
Via San Bernardino, 17 Fax: +39-011-32.46.497
10141 Torino - ITALY http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc
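The reply above suggests checking that the machine account exists twice: once as a Unix account named "MACHINE$" visible through NSS, and once as a Samba machine (trust) account in the passdb. The script below is an added example, not code from this thread or from the Samba project; the function names are my own, and it assumes a Samba 3 PDC host where `getent`, `pdbedit` and `smbpasswd` are installed and NSS is configured to read the LDAP accounts. It reports which half is missing so that an "Access Denied" on join can be narrowed down before touching LDAP by hand.

```shell
#!/bin/sh
# Added example (not from the thread). Checks both halves of a Samba
# machine account on a Samba 3 + ldapsam PDC. Function names are hypothetical.

# Returns 0 if the Unix account "<machine>$" is visible through NSS
# (this is what "getent passwd" must show for the machine).
unix_machine_account_exists() {
    getent passwd "${1}\$" >/dev/null 2>&1
}

# Returns 0 if Samba's passdb holds a machine account for <machine>.
# "pdbedit -L -m" lists only machine accounts as "name$:uid:fullname";
# -i because the stored name may be lower-cased.
samba_machine_account_exists() {
    pdbedit -L -m 2>/dev/null | grep -qi "^${1}"'\$:'
}

# Prints one of: ok, missing-unix, missing-samba, missing-both.
machine_account_status() {
    if unix_machine_account_exists "$1"; then u=1; else u=0; fi
    if samba_machine_account_exists "$1"; then s=1; else s=0; fi
    case "$u$s" in
        11) echo ok ;;
        01) echo missing-unix ;;
        10) echo missing-samba ;;
        *)  echo missing-both ;;
    esac
}

# Creates whichever half is missing, in the order the reply describes:
# the Unix account first (same useradd line as the "add machine script"),
# then the Samba account (smbpasswd -m takes the name without the $).
create_machine_account() {
    unix_machine_account_exists "$1" || \
        useradd -c Machine -d /var/lib/nobody -s /bin/false "${1}\$"
    samba_machine_account_exists "$1" || smbpasswd -m -a "$1"
}

# Usage: ./check_machine.sh TESTAFS
if [ $# -eq 1 ]; then
    machine_account_status "$1"
fi
```

Run it as root on the PDC with the NetBIOS name of the client (TESTAFS in the log above). A result of "missing-unix" while "add machine script" is set usually means the script never ran or failed, which "log level = 2" should show in the smbd log; "missing-both" means the join never got as far as account creation.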