[Samba] Problem with Samba - Openldap and domain autentication of Windows XP
Gaiseric Vandal
gaiseric.vandal at gmail.com
Mon Sep 27 09:15:11 MDT 2010
Your user script may be adding a LOCAL unix account (in /etc/passwd.)
Do you see the accounts in there? You may need a custom script that
adds the accounts to ldap.
The following may help
https://gna.org/projects/smbldap-tools/
Remember, that being root on your unix system does not automatically
make you LDAP admin.
If you have a single server then having your unix accounts local may be OK; samba will
match the samba user to the unix user via the user id. I have
multiple servers so I use LDAP for unix accounts (previously used NIS.)
So now an LDAP user has both windows and unix account info.
On 09/27/2010 11:08 AM, Claudio Prono wrote:
>
> Gaiseric Vandal wrote:
>
>> Do you have an underlying unix account for the pc (eg SOMEMACHINE$)
>>
>> It is possible to configure scripts that the unix account is created
>> by samba if necessary when samba creates the "Windows" account for the
>> machine. I don't have it set up this way, so I need to create the
>> unix account 1st.
>>
>>
> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s
> /bin/false %m$
>
> This script automatically adds the machine if needed, or am I wrong?
>
>> Also, I found that since the underlying unix OS may need validate the
>> machine account, I put my machine accounts in either the same ldap ou
>> as people (or in a sub ou.) ("getent passwd" command may need to show
>> your machine accounts as well as people accounts.)
>>
>> If you have manually created the unix account for the machine, can you
>> then manually create the samba account for it
>>
>> e.g. smbpasswd -m -a SOMEMACHINE
>>
>> (I think you leave the $ off.)
>>
>>
>> I use LDAP for both "unix" and "windows" clients so my config choices
>> may not be applicable to a windows-only client environment.
>>
>>
>> On 09/27/2010 09:59 AM, Claudio Prono wrote:
>>
>>> Hello all,
>>>
>>> I have some problems getting a configuration with Samba and
>>> OpenLDAP as domain controller to work. My operating system is OpenSuSE 11.3.
>>>
>>> Here is my testparm:
>>>
>>> [global]
>>> workgroup = MEDIADC
>>> netbios name = MEDIADC
>>> map to guest = Bad User
>>> passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
>>> log level = 2
>>> printcap name = cups
>>> add machine script = /usr/sbin/useradd -c Machine -d
>>> /var/lib/nobody -s /bin/false %m$
>>> logon path = \\%L\profiles\.msprofile
>>> logon drive = P:
>>> logon home = \\%L\%U\.9xprofile
>>> domain logons = Yes
>>> os level = 65
>>> preferred master = Yes
>>> domain master = Yes
>>> wins support = Yes
>>> ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
>>> ldap group suffix = ou=group
>>> ldap idmap suffix = ou=Idmap
>>> ldap machine suffix = ou=Machines
>>> ldap passwd sync = yes
>>> ldap suffix = dc=mediaservice-test,dc=pri
>>> ldap ssl = no
>>> ldap user suffix = ou=people
>>> usershare allow guests = Yes
>>> idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
>>> idmap uid = 1000-60000
>>> idmap gid = 1000-60000
>>> cups options = raw
>>>
>>> [homes]
>>> comment = Home Directories
>>> valid users = %S, %D%w%S
>>> read only = No
>>> inherit acls = Yes
>>> browseable = No
>>>
>>> [profiles]
>>> comment = Network Profiles Service
>>> path = %H
>>> read only = No
>>> create mask = 0600
>>> directory mask = 0700
>>> store dos attributes = Yes
>>>
>>> [users]
>>> comment = All users
>>> path = /home
>>> read only = No
>>> inherit acls = Yes
>>> veto files = /aquota.user/groups/shares/
>>>
>>> [groups]
>>> comment = All groups
>>> path = /home/groups
>>> read only = No
>>> inherit acls = Yes
>>>
>>> [printers]
>>> comment = All Printers
>>> path = /var/tmp
>>> create mask = 0600
>>> printable = Yes
>>> browseable = No
>>>
>>> [print$]
>>> comment = Printer Drivers
>>> path = /var/lib/samba/drivers
>>> write list = @ntadmin, root
>>> force group = ntadmin
>>> create mask = 0664
>>> directory mask = 0775
>>>
>>> [netlogon]
>>> comment = Network Logon Service
>>> path = /var/lib/samba/netlogon
>>> write list = root
>>>
>>> If I try to join a Windows XP machine to the domain I get these results:
>>>
>>> [2010/09/27 14:58:52.229946, 0]
>>> lib/util_sock.c:1432(get_peer_addr_internal)
>>> getpeername failed. Error was Transport endpoint is not connected
>>> [2010/09/27 14:58:52.233371, 2] smbd/reply.c:536(reply_special)
>>> netbios connect: name1=MEDIADC 0x20 name2=TESTAFS 0x0
>>> [2010/09/27 14:58:52.233498, 2] smbd/reply.c:547(reply_special)
>>> netbios connect: local=mediadc remote=testafs, name type = 0
>>> [2010/09/27 14:58:52.234068, 2]
>>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>>> all old resources.
>>> [2010/09/27 14:58:52.233647, 0] lib/util_sock.c:675(write_data)
>>> [2010/09/27 14:58:52.234876, 0]
>>> lib/util_sock.c:1432(get_peer_addr_internal)
>>> getpeername failed. Error was Transport endpoint is not connected
>>> write_data: write failure in writing to client 0.0.0.0. Error
>>> Connection reset by peer
>>> [2010/09/27 14:58:52.236855, 0] smbd/process.c:79(srv_send_smb)
>>> Error writing 4 bytes to client. -1. (Transport endpoint is not
>>> connected)
>>> [2010/09/27 14:58:52.238615, 2]
>>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>>> all old resources.
>>> [2010/09/27 14:58:52.239888, 2]
>>> lib/smbldap.c:950(smbldap_open_connection)
>>> smbldap_open_connection: connection opened
>>> [2010/09/27 14:58:52.242954, 2]
>>> passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>> init_sam_from_ldap: Entry found for user: Administrator
>>> [2010/09/27 14:58:52.295749, 2] auth/auth.c:304(check_ntlm_password)
>>> check_ntlm_password: authentication for user [Administrator] ->
>>> [Administrator] -> [Administrator] succeeded
>>> [2010/09/27 14:58:52.780610, 0]
>>> rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
>>> _netr_ServerAuthenticate: no challenge sent to client TESTAFS
>>> [2010/09/27 14:58:53.337111, 2]
>>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>>> all old resources.
>>> [2010/09/27 14:58:53.338938, 2]
>>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>>> all old resources.
>>> [2010/09/27 14:58:53.339808, 2]
>>> lib/smbldap.c:950(smbldap_open_connection)
>>> smbldap_open_connection: connection opened
>>> [2010/09/27 14:58:53.342371, 2]
>>> passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>> init_sam_from_ldap: Entry found for user: Administrator
>>> [2010/09/27 14:58:53.347683, 2] auth/auth.c:304(check_ntlm_password)
>>> check_ntlm_password: authentication for user [Administrator] ->
>>> [Administrator] -> [Administrator] succeeded
>>> [2010/09/27 14:58:53.812728, 2]
>>> rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>> Returning domain sid for domain MEDIADC ->
>>> S-1-5-21-1949818787-1514111066-129980733
>>> [2010/09/27 14:58:53.814002, 2]
>>> rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>> Returning domain sid for domain MEDIADC ->
>>> S-1-5-21-1949818787-1514111066-129980733
>>>
>>> It seems all works fine, but Windows gives an error like "Access
>>> Denied" and the computer is not added to the domain.
>>>
>>> What can be the problem? How to debug it?
>>>
>>> Any hint is welcome...
>>>
>>> Cordially,
>>>
>>> Claudio Prono.
>>>
>>>
>>>
>>>
>>
>
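The reply above says the first thing to check is whether the `add machine script` (a plain `useradd`) created the machine's trust account only in the local /etc/passwd, where an LDAP-backed `passdb backend` will not see it as a proper LDAP account. The following POSIX sh script is an added example, not code from the thread or from Samba or smbldap-tools: it reports whether a machine account such as `TESTAFS$` exists as a local passwd entry, is resolvable only through NSS (which is where an LDAP-backed `getent passwd` answers), or is missing altogether. The hostnames and the passwd file it builds are constructed for the demo; on a real server you would call it with no second argument so it reads /etc/passwd. (smbldap-tools' `smbldap-useradd -w` is the usual replacement for `useradd` in `add machine script` when the accounts should live in LDAP.)

```shell
#!/bin/sh
# Added example (not from the thread): classify a Samba machine trust
# account (NAME$) as "local" (present in a passwd file), "nss" (resolvable
# only via NSS, e.g. LDAP or NIS) or "missing". Runs offline against a
# constructed passwd file in demo(); pass no file to inspect /etc/passwd.

# Normalise a machine name to the trust-account form with exactly one trailing '$'.
machine_account_name() {
    echo "${1%\$}\$"
}

# Is NAME$ defined in the given passwd file (default /etc/passwd)?
# Returns 0 if found. awk compares the first field literally, so the '$'
# in the account name is never interpreted as a regex anchor.
in_passwd_file() {
    name=$(machine_account_name "$1")
    file="${2:-/etc/passwd}"
    [ -r "$file" ] || return 1
    awk -F: -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$file"
}

# Is NAME$ resolvable through NSS at all (files, LDAP, NIS, ...)?
# This is the same lookup the underlying unix OS performs when Samba
# validates the machine account, which is why "getent passwd" must show it.
in_nss() {
    name=$(machine_account_name "$1")
    getent passwd "$name" >/dev/null 2>&1
}

# Print one of: local, nss, missing
machine_account_source() {
    if in_passwd_file "$1" "$2"; then
        echo local
    elif in_nss "$1"; then
        echo nss
    else
        echo missing
    fi
}

# Demo with a constructed passwd file (not the poster's real system): TESTAFS$
# is the kind of entry a local "useradd ... %m$" script leaves behind.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'TESTAFS$:x:1005:100:Machine:/var/lib/nobody:/bin/false' > "$tmp"
    for host in TESTAFS OTHERPC; do
        printf '%s -> %s\n' "$host" "$(machine_account_source "$host" "$tmp")"
    done
    rm -f "$tmp"
}

demo
```

A result of `local` for a machine while `passdb backend = ldapsam:...` is in use is exactly the mismatch the reply describes: the unix side has an account, but the LDAP directory Samba consults for the SAM entry does not, so the join is refused.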