[Samba] Problem with Samba - Openldap and domain autentication of Windows XP

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Sep 27 09:15:11 MDT 2010


Your user script may be adding a LOCAL unix account (in /etc/passwd.)
Do you see the accounts in there?   You may need a custom script that 
adds the accounts to ldap.

The following may help

https://gna.org/projects/smbldap-tools/


Remember, that being root on your unix system does not automatically 
make you LDAP admin.

If you have a single server then having your unix may be OK - samba will 
match the samba user to the unix user via the user id.    I have 
multiple servers so I use LDAP for unix accounts (previously used NIS.)   
So now an LDAP user has both windows and unix account info.





On 09/27/2010 11:08 AM, Claudio Prono wrote:
>
> Gaiseric Vandal ha scritto:
>    
>> Do you have an underlying unix account for the pc (eg SOMEMACHINE$)
>>
>> It is possible to configure scripts that the unix account is created
>> by samba if necessary when samba creates the "Windows" account for the
>> machine.  I don't have it set up this way, so I need to create the
>> unix account 1st.
>>
>>      
> add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s
> /bin/false %m$
>
> This script automatically adds the machine if needed, or am I wrong?
>    
>> Also, I found that since the underlying unix OS may need to validate the
>> machine account,  I put my machine accounts in either the same ldap ou
>> as people (or in a sub ou.)  ("getent passwd" command may need to show
>> your machine accounts as well as people accounts.)
>>
>> If you have manually created the unix account for the machine, can you
>> then manually create the samba account for it
>>
>>          e.g. smbpasswd -m -a SOMEMACHINE
>>
>>      (I think you leave the $ off .)
>>
>>
>> I use LDAP for both "unix" and "windows" clients so my config choices
>> may not be applicable to a windows-only client environment.
>>
>>
>> On 09/27/2010 09:59 AM, Claudio Prono wrote:
>>      
>>> Hello all,
>>>
>>> I have some problems making a configuration like Samba and
>>> OpenLDAP work as domain controller. My operating system is OpenSuSE 11.3.
>>>
>>> Here is my testparm:
>>>
>>> [global]
>>>           workgroup = MEDIADC
>>>           netbios name = MEDIADC
>>>           map to guest = Bad User
>>>           passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
>>>           log level = 2
>>>           printcap name = cups
>>>           add machine script = /usr/sbin/useradd  -c Machine -d
>>> /var/lib/nobody -s /bin/false %m$
>>>           logon path = \\%L\profiles\.msprofile
>>>           logon drive = P:
>>>           logon home = \\%L\%U\.9xprofile
>>>           domain logons = Yes
>>>           os level = 65
>>>           preferred master = Yes
>>>           domain master = Yes
>>>           wins support = Yes
>>>           ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
>>>           ldap group suffix = ou=group
>>>           ldap idmap suffix = ou=Idmap
>>>           ldap machine suffix = ou=Machines
>>>           ldap passwd sync = yes
>>>           ldap suffix = dc=mediaservice-test,dc=pri
>>>           ldap ssl = no
>>>           ldap user suffix = ou=people
>>>           usershare allow guests = Yes
>>>           idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
>>>           idmap uid = 1000-60000
>>>           idmap gid = 1000-60000
>>>           cups options = raw
>>>
>>> [homes]
>>>           comment = Home Directories
>>>           valid users = %S, %D%w%S
>>>           read only = No
>>>           inherit acls = Yes
>>>           browseable = No
>>>
>>> [profiles]
>>>           comment = Network Profiles Service
>>>           path = %H
>>>           read only = No
>>>           create mask = 0600
>>>           directory mask = 0700
>>>           store dos attributes = Yes
>>>
>>> [users]
>>>           comment = All users
>>>           path = /home
>>>           read only = No
>>>           inherit acls = Yes
>>>           veto files = /aquota.user/groups/shares/
>>>
>>> [groups]
>>>           comment = All groups
>>>           path = /home/groups
>>>           read only = No
>>>           inherit acls = Yes
>>>
>>> [printers]
>>>           comment = All Printers
>>>           path = /var/tmp
>>>           create mask = 0600
>>>           printable = Yes
>>>           browseable = No
>>>
>>> [print$]
>>>           comment = Printer Drivers
>>>           path = /var/lib/samba/drivers
>>>           write list = @ntadmin, root
>>>           force group = ntadmin
>>>           create mask = 0664
>>>           directory mask = 0775
>>>
>>> [netlogon]
>>>           comment = Network Logon Service
>>>           path = /var/lib/samba/netlogon
>>>           write list = root
>>>
>>> If I try to join a Windows XP into the domain I have these results:
>>>
>>> [2010/09/27 14:58:52.229946,  0]
>>> lib/util_sock.c:1432(get_peer_addr_internal)
>>>     getpeername failed. Error was Transport endpoint is not connected
>>> [2010/09/27 14:58:52.233371,  2] smbd/reply.c:536(reply_special)
>>>     netbios connect: name1=MEDIADC        0x20 name2=TESTAFS        0x0
>>> [2010/09/27 14:58:52.233498,  2] smbd/reply.c:547(reply_special)
>>>     netbios connect: local=mediadc remote=testafs, name type = 0
>>> [2010/09/27 14:58:52.234068,  2]
>>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>>     setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>>> all old resources.
>>> [2010/09/27 14:58:52.233647,  0] lib/util_sock.c:675(write_data)
>>> [2010/09/27 14:58:52.234876,  0]
>>> lib/util_sock.c:1432(get_peer_addr_internal)
>>>     getpeername failed. Error was Transport endpoint is not connected
>>>     write_data: write failure in writing to client 0.0.0.0. Error
>>> Connection reset by peer
>>> [2010/09/27 14:58:52.236855,  0] smbd/process.c:79(srv_send_smb)
>>>     Error writing 4 bytes to client. -1. (Transport endpoint is not
>>> connected)
>>> [2010/09/27 14:58:52.238615,  2]
>>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>>     setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>>> all old resources.
>>> [2010/09/27 14:58:52.239888,  2]
>>> lib/smbldap.c:950(smbldap_open_connection)
>>>     smbldap_open_connection: connection opened
>>> [2010/09/27 14:58:52.242954,  2]
>>> passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>>     init_sam_from_ldap: Entry found for user: Administrator
>>> [2010/09/27 14:58:52.295749,  2] auth/auth.c:304(check_ntlm_password)
>>>     check_ntlm_password:  authentication for user [Administrator] ->
>>> [Administrator] ->   [Administrator] succeeded
>>> [2010/09/27 14:58:52.780610,  0]
>>> rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
>>>     _netr_ServerAuthenticate: no challenge sent to client TESTAFS
>>> [2010/09/27 14:58:53.337111,  2]
>>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>>     setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>>> all old resources.
>>> [2010/09/27 14:58:53.338938,  2]
>>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>>     setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>>> all old resources.
>>> [2010/09/27 14:58:53.339808,  2]
>>> lib/smbldap.c:950(smbldap_open_connection)
>>>     smbldap_open_connection: connection opened
>>> [2010/09/27 14:58:53.342371,  2]
>>> passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>>     init_sam_from_ldap: Entry found for user: Administrator
>>> [2010/09/27 14:58:53.347683,  2] auth/auth.c:304(check_ntlm_password)
>>>     check_ntlm_password:  authentication for user [Administrator] ->
>>> [Administrator] ->   [Administrator] succeeded
>>> [2010/09/27 14:58:53.812728,  2]
>>> rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>>     Returning domain sid for domain MEDIADC ->
>>> S-1-5-21-1949818787-1514111066-129980733
>>> [2010/09/27 14:58:53.814002,  2]
>>> rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>>     Returning domain sid for domain MEDIADC ->
>>> S-1-5-21-1949818787-1514111066-129980733
>>>
>>> It seems all works fine, but Windows gives an error like "Access
>>> Denied" and the computer is not added to the domain.
>>>
>>> What can be the problem? How to debug it?
>>>
>>> Any hint is welcome...
>>>
>>> Cordially,
>>>
>>> Claudio Prono.
>>>
>>>
>>>
>>>        
>>      
>    
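The thread turns on one question: did `add machine script` create the machine account locally in /etc/passwd, where the ldapsam backend will never see it, or in the directory? The script below is an added example for this thread, not code from either poster or from the Samba project. It classifies where an account lives (local file, directory via NSS, or nowhere), checks whether the samba passdb knows it, and can print the LDIF for the posix side of a machine account in the same shape the thread's useradd line would have created locally, ready to pipe into ldapadd. Assumptions not in the thread: the DN suffix and `ou=people` are taken from Claudio's testparm, uidNumber/gidNumber are supplied by the caller, `getent passwd` consults LDAP through nsswitch.conf, and the sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): locate a machine
# account and emit the posixAccount LDIF if it must be added to the directory.

# account_source NAME PASSWD_TEXT GETENT_TEXT -> prints local | directory | missing
# NAME is given without the trailing "$". PASSWD_TEXT is the content of
# /etc/passwd and GETENT_TEXT the output of "getent passwd"; both are passed
# as text so the logic can be exercised offline.
account_source() {
    name="$1\$"
    if printf '%s\n' "$2" | awk -F: -v n="$name" '$1 == n { f = 1 } END { exit f ? 0 : 1 }'; then
        echo local
    elif printf '%s\n' "$3" | awk -F: -v n="$name" '$1 == n { f = 1 } END { exit f ? 0 : 1 }'; then
        echo directory
    else
        echo missing
    fi
}

# machine_ldif NAME UIDNUMBER GIDNUMBER [SUFFIX] -> prints an LDIF entry for the
# unix side of a machine account, mirroring the useradd line from the thread
# (home /var/lib/nobody, shell /bin/false, gecos "Machine"). GIDNUMBER should be
# the gid of the unix group mapped to Domain Computers (assumption: caller knows it).
machine_ldif() {
    name="$1\$"
    suffix="${4:-dc=mediaservice-test,dc=pri}"
    cat <<EOF
dn: uid=$name,ou=people,$suffix
objectClass: top
objectClass: account
objectClass: posixAccount
uid: $name
cn: $name
uidNumber: $2
gidNumber: $3
homeDirectory: /var/lib/nobody
loginShell: /bin/false
gecos: Machine
EOF
}

# Live wrapper (needs root for pdbedit): reports the unix source of NAME$ and
# whether the samba passdb already has it. Not exercised by the offline test.
check_machine() {
    src=$(account_source "$1" "$(cat /etc/passwd)" "$(getent passwd "$1\$" 2>/dev/null)")
    echo "unix account for $1\$: $src"
    if pdbedit -L 2>/dev/null | awk -F: -v n="$1\$" '$1 == n { f = 1 } END { exit f ? 0 : 1 }'; then
        echo "samba account for $1\$: present"
    else
        echo "samba account for $1\$: absent (the thread suggests: smbpasswd -m -a $1)"
    fi
}

# Constructed sample data (not real system output) for the offline check.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
TESTAFS$:x:1001:100:Machine:/var/lib/nobody:/bin/false'
SAMPLE_GETENT='LDAPBOX$:x:20001:515:Machine:/var/lib/nobody:/bin/false'

# Usage: sh check_machine.sh TESTAFS
# To add the directory entry instead: machine_ldif TESTAFS 20001 515 | ldapadd -x -D 'cn=Administrator,dc=mediaservice-test,dc=pri' -W
if [ $# -gt 0 ]; then
    check_machine "$1"
fi
```

The two awk filters match on the whole first field rather than with a grep regex because the trailing `$` in a machine name is a regex anchor; comparing field one for equality avoids that pitfall. An account that reports `local` is exactly the case Gaiseric describes: useradd put it in /etc/passwd, so the ldapsam backend cannot attach sambaSamAccount attributes to it, and the join fails with Access Denied while the log still shows the Administrator authentication succeeding.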


