[Samba] Problem with Samba - Openldap and domain autentication of Windows XP

Claudio Prono claudio.prono at atpss.net
Mon Sep 27 09:08:12 MDT 2010



Gaiseric Vandal wrote:
> Do you have an underlying unix account for the pc (eg SOMEMACHINE$)
>
> It is possible to configure scripts so that the unix account is created
> by samba if necessary when samba creates the "Windows" account for the
> machine.  I don't have it set up this way, so I need to create the
> unix account 1st.
>
add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s
/bin/false %m$

This script automatically adds the machine if needed, or am I wrong?
> Also, I found that since the underlying unix OS may need validate the
> machine account,  I put my machine accounts in either the same ldap ou
> as people (or in a sub ou.)  ("getent passwd" command may need to show
> your machine accounts as well as people accounts.)
>
> If you have manually created the unix account for the machine, can you
> then manually create the samba account for it
>
>         e.g. smbpasswd -m -a SOMEMACHINE
>
>     (I think you leave the $ off .)
>
>
> I use LDAP for both "unix" and "windows" clients so my config choices
> may not be applicable to a windows-only client environment.
>
>
> On 09/27/2010 09:59 AM, Claudio Prono wrote:
>> Hello all,
>>
>> I have some problems making a configuration of Samba and OpenLDAP as
>> domain controller work. My operating system is OpenSuSE 11.3.
>>
>> Here is my testparm:
>>
>> [global]
>>          workgroup = MEDIADC
>>          netbios name = MEDIADC
>>          map to guest = Bad User
>>          passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
>>          log level = 2
>>          printcap name = cups
>>          add machine script = /usr/sbin/useradd  -c Machine -d
>> /var/lib/nobody -s /bin/false %m$
>>          logon path = \\%L\profiles\.msprofile
>>          logon drive = P:
>>          logon home = \\%L\%U\.9xprofile
>>          domain logons = Yes
>>          os level = 65
>>          preferred master = Yes
>>          domain master = Yes
>>          wins support = Yes
>>          ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
>>          ldap group suffix = ou=group
>>          ldap idmap suffix = ou=Idmap
>>          ldap machine suffix = ou=Machines
>>          ldap passwd sync = yes
>>          ldap suffix = dc=mediaservice-test,dc=pri
>>          ldap ssl = no
>>          ldap user suffix = ou=people
>>          usershare allow guests = Yes
>>          idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
>>          idmap uid = 1000-60000
>>          idmap gid = 1000-60000
>>          cups options = raw
>>
>> [homes]
>>          comment = Home Directories
>>          valid users = %S, %D%w%S
>>          read only = No
>>          inherit acls = Yes
>>          browseable = No
>>
>> [profiles]
>>          comment = Network Profiles Service
>>          path = %H
>>          read only = No
>>          create mask = 0600
>>          directory mask = 0700
>>          store dos attributes = Yes
>>
>> [users]
>>          comment = All users
>>          path = /home
>>          read only = No
>>          inherit acls = Yes
>>          veto files = /aquota.user/groups/shares/
>>
>> [groups]
>>          comment = All groups
>>          path = /home/groups
>>          read only = No
>>          inherit acls = Yes
>>
>> [printers]
>>          comment = All Printers
>>          path = /var/tmp
>>          create mask = 0600
>>          printable = Yes
>>          browseable = No
>>
>> [print$]
>>          comment = Printer Drivers
>>          path = /var/lib/samba/drivers
>>          write list = @ntadmin, root
>>          force group = ntadmin
>>          create mask = 0664
>>          directory mask = 0775
>>
>> [netlogon]
>>          comment = Network Logon Service
>>          path = /var/lib/samba/netlogon
>>          write list = root
>>
>> If I try to join a Windows XP machine to the domain I get these results:
>>
>> [2010/09/27 14:58:52.229946,  0]
>> lib/util_sock.c:1432(get_peer_addr_internal)
>>    getpeername failed. Error was Transport endpoint is not connected
>> [2010/09/27 14:58:52.233371,  2] smbd/reply.c:536(reply_special)
>>    netbios connect: name1=MEDIADC        0x20 name2=TESTAFS        0x0
>> [2010/09/27 14:58:52.233498,  2] smbd/reply.c:547(reply_special)
>>    netbios connect: local=mediadc remote=testafs, name type = 0
>> [2010/09/27 14:58:52.234068,  2]
>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>> all old resources.
>> [2010/09/27 14:58:52.233647,  0] lib/util_sock.c:675(write_data)
>> [2010/09/27 14:58:52.234876,  0]
>> lib/util_sock.c:1432(get_peer_addr_internal)
>>    getpeername failed. Error was Transport endpoint is not connected
>>    write_data: write failure in writing to client 0.0.0.0. Error
>> Connection reset by peer
>> [2010/09/27 14:58:52.236855,  0] smbd/process.c:79(srv_send_smb)
>>    Error writing 4 bytes to client. -1. (Transport endpoint is not
>> connected)
>> [2010/09/27 14:58:52.238615,  2]
>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>> all old resources.
>> [2010/09/27 14:58:52.239888,  2]
>> lib/smbldap.c:950(smbldap_open_connection)
>>    smbldap_open_connection: connection opened
>> [2010/09/27 14:58:52.242954,  2]
>> passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>    init_sam_from_ldap: Entry found for user: Administrator
>> [2010/09/27 14:58:52.295749,  2] auth/auth.c:304(check_ntlm_password)
>>    check_ntlm_password:  authentication for user [Administrator] ->
>> [Administrator] ->  [Administrator] succeeded
>> [2010/09/27 14:58:52.780610,  0]
>> rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
>>    _netr_ServerAuthenticate: no challenge sent to client TESTAFS
>> [2010/09/27 14:58:53.337111,  2]
>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>> all old resources.
>> [2010/09/27 14:58:53.338938,  2]
>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>> all old resources.
>> [2010/09/27 14:58:53.339808,  2]
>> lib/smbldap.c:950(smbldap_open_connection)
>>    smbldap_open_connection: connection opened
>> [2010/09/27 14:58:53.342371,  2]
>> passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>    init_sam_from_ldap: Entry found for user: Administrator
>> [2010/09/27 14:58:53.347683,  2] auth/auth.c:304(check_ntlm_password)
>>    check_ntlm_password:  authentication for user [Administrator] ->
>> [Administrator] ->  [Administrator] succeeded
>> [2010/09/27 14:58:53.812728,  2]
>> rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>    Returning domain sid for domain MEDIADC ->
>> S-1-5-21-1949818787-1514111066-129980733
>> [2010/09/27 14:58:53.814002,  2]
>> rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>    Returning domain sid for domain MEDIADC ->
>> S-1-5-21-1949818787-1514111066-129980733
>>
>> It seems that all works fine, but Windows gives an error like "Access
>> Denied" and the computer is not added to the domain.
>>
>> What can be the problem? How to debug it?
>>
>> Any hint is welcome...
>>
>> Cordially,
>>
>> Claudio Prono.
>>
>>
>>    
>

-- 
--------------------------------------------------------------------------------
Claudio Prono                         OPST
System Developer               
                                      Gsm: +39-349-54.33.258
@PSS Srl                              Tel: +39-011-32.72.100
Via San Bernardino, 17                Fax: +39-011-32.46.497
10141 Torino - ITALY                  http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc
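Added example (not from the thread, and not Samba project code): a small Python triage helper for smbd log excerpts like the one Claudio posted. The sample log is a constructed subset of his lines, reflowed the way the mail client wrapped them (the `file.c:LINE(function)` part lands on the line after the timestamp in several entries), and the parser accepts both the wrapped and the unwrapped layout. It separates the level-0 entries from the level-2 trace, so that the one failure raised inside the NETLOGON server, `_netr_ServerAuthenticate: no challenge sent to client TESTAFS`, is not lost among the successful `check_ntlm_password` lines that make the log look healthy at a glance. It does not diagnose the cause of the failed join, which the thread does not establish.

```python
"""Triage helper for (possibly mail-wrapped) smbd log excerpts.

Samba 3 smbd entries look like
    [YYYY/MM/DD HH:MM:SS.micro,  LEVEL] file.c:LINE(function)
       message text (indented)
and mail clients often wrap the header so that file.c:LINE(function)
ends up on its own line.  parse_log() accepts both layouts.
"""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?),\s*(?P<level>\d+)\]\s*(?P<loc>.*)$"
)
LOCATION_RE = re.compile(r"^[\w./-]+\.c:\d+\(\w+\)$")   # e.g. smbd/reply.c:536(reply_special)
FUNCTION_RE = re.compile(r"\((\w+)\)$")
CLIENT_RE = re.compile(r"client (\S+)$")

# Constructed sample: a subset of the lines posted in the thread, reflowed the
# way the mail client wrapped them (three entries carry the location on a
# second line, and two messages are split across lines).
SAMPLE_LOG = """\
[2010/09/27 14:58:52.229946,  0]
lib/util_sock.c:1432(get_peer_addr_internal)
   getpeername failed. Error was Transport endpoint is not connected
[2010/09/27 14:58:52.233371,  2] smbd/reply.c:536(reply_special)
   netbios connect: name1=MEDIADC        0x20 name2=TESTAFS        0x0
[2010/09/27 14:58:52.295749,  2] auth/auth.c:304(check_ntlm_password)
   check_ntlm_password:  authentication for user [Administrator] ->
[Administrator] ->  [Administrator] succeeded
[2010/09/27 14:58:52.780610,  0]
rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
   _netr_ServerAuthenticate: no challenge sent to client TESTAFS
[2010/09/27 14:58:53.812728,  2]
rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
   Returning domain sid for domain MEDIADC ->
S-1-5-21-1949818787-1514111066-129980733
"""


@dataclass
class Entry:
    ts: str
    level: int
    location: str = ""
    lines: list = field(default_factory=list)

    @property
    def message(self) -> str:
        # Continuation lines are re-joined with a single space.
        return " ".join(self.lines)

    @property
    def function(self) -> str:
        m = FUNCTION_RE.search(self.location)
        return m.group(1) if m else ""


def parse_log(text: str) -> list:
    """Split an smbd log excerpt into Entry objects, tolerating mail wrapping."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = Entry(m["ts"], int(m["level"]), m["loc"].strip())
            entries.append(cur)
        elif cur is None or not line:
            continue                      # text before the first header, blank lines
        elif not cur.location and LOCATION_RE.match(line):
            cur.location = line           # wrapped header: location on its own line
        else:
            cur.lines.append(line)        # message text or its continuation
    return entries


def netlogon_failures(entries) -> list:
    """Level-0 entries raised inside the NETLOGON server (_netr_* functions),
    as (client name or None, message) pairs."""
    out = []
    for e in entries:
        if e.level == 0 and e.function.startswith("_netr_"):
            m = CLIENT_RE.search(e.message)
            out.append((m.group(1) if m else None, e.message))
    return out


def summarize(text: str) -> dict:
    """Counts a practitioner wants first: total, level-0, NTLM successes, and
    which clients hit a NETLOGON error."""
    entries = parse_log(text)
    return {
        "entries": len(entries),
        "level0": sum(1 for e in entries if e.level == 0),
        "auth_ok": sum(1 for e in entries
                       if e.function == "check_ntlm_password" and "succeeded" in e.message),
        "netlogon_clients": [c for c, _ in netlogon_failures(entries)],
    }


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        flag = "!!" if e.level == 0 else "  "
        print(f"{flag} {e.ts} L{e.level} {e.function}: {e.message}")
    print(summarize(SAMPLE_LOG))
```

On the sample, `summarize()` reports two level-0 entries among five: the `getpeername` failure, which is a client dropping its TCP connection, and the `_netr_ServerAuthenticate3` error for client TESTAFS, which is the NETLOGON secure-channel setup step of the join. The `check_ntlm_password` success for Administrator sits between them, which is why the raw log reads as "all works fine" until the entries are sorted by level. Feed it a real `log.smbd` (unwrapped) and the same functions apply.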
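A separate caveat on the testparm output above, added here and not raised in the thread: the passdb and idmap backends point at a directory on another host (`ldap://afs-test.mediaservice-test.pri`) and bind as `ldap admin dn` with `ldap ssl = no`, so the admin DN's simple bind password, the `ldap passwd sync` writes and the machine-account creation all cross the network in cleartext. The fragment below is an added example, not a tested configuration from the poster; it assumes the OpenLDAP server already presents a certificate that the Samba host trusts (hypothetical: CA file named via `TLS_CACERT` in the client's `/etc/openldap/ldap.conf`), and it only shows the settings that change.

```ini
[global]
        passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
        idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
        ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
        ; was: ldap ssl = no  (simple bind and all LDAP traffic in cleartext)
        ldap ssl = start tls
```

`ldap ssl = start tls` upgrades the existing ldap:// connection with StartTLS, so the URLs stay as they are; smb.conf does not allow a comment after a value on the same line, hence the comment line above the setting. The admin DN password itself is stored with `smbpasswd -w`, not in smb.conf.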