[Samba] Problem with Samba - Openldap and domain authentication of Windows XP

Claudio Prono claudio.prono at atpss.net
Mon Sep 27 10:15:21 MDT 2010



Gaiseric Vandal ha scritto:
> Your user script may be adding a LOCAL unix account (in /etc/passwd.)  
> Do you see the accounts in there?   You may need a custom script that
> adds the accounts to ldap.
>
The strange thing is I don't see a local account, as if the script is not
executed....
> The following may help
>
> https://gna.org/projects/smbldap-tools/
>
>
OK, I'll take a look, thank you.
> Remember, that being root on your unix system does not automatically
> make you LDAP admin.
>
> If you have a single server then having your unix may be OK-  samba
> will match the samba user to the unix user via the user id.    I have
> multiple servers so I use LDAP for unix accounts (previously used
> NIS.)   So now an LDAP user has both windows and unix account info.
>
If I try to add a user to LDAP manually and try something like

smbclient -L localhost -U user

the user is authenticated perfectly, so the Samba-LDAP authentication
seems to work. The problem is the automatic user and machine add; I
don't understand why it doesn't work...
>
>
>
>
> On 09/27/2010 11:08 AM, Claudio Prono wrote:
>>
>> Gaiseric Vandal ha scritto:
>>   
>>> Do you have an underlying unix account for the PC (e.g. SOMEMACHINE$)?
>>>
>>> It is possible to configure scripts so that the unix account is created
>>> by samba if necessary when samba creates the "Windows" account for the
>>> machine.  I don't have it set up this way, so I need to create the
>>> unix account first.
>>>
>>>      
>> add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
>>
>> This script automatically adds the machine if needed, or am I wrong?
>>   
>>> Also, I found that since the underlying unix OS may need to validate the
>>> machine account,  I put my machine accounts in either the same ldap ou
>>> as people (or in a sub ou.)  (The "getent passwd" command may need to show
>>> your machine accounts as well as people accounts.)
>>>
>>> If you have manually created the unix account for the machine, can you
>>> then manually create the samba account for it
>>>
>>>          e.g. smbpasswd -m -a SOMEMACHINE
>>>
>>>      (I think you leave the $ off .)
>>>
>>>
>>> I use LDAP for both "unix" and "windows" clients so my config choices
>>> may not be applicable to a windows-only client environment.
>>>
>>>
>>> On 09/27/2010 09:59 AM, Claudio Prono wrote:
>>>     
>>>> Hello all,
>>>>
>>>> I have some problems getting a configuration with Samba and
>>>> OpenLDAP as domain controller to work. My operating system is OpenSuSE 11.3.
>>>>
>>>> Here is my testparm:
>>>>
>>>> [global]
>>>>           workgroup = MEDIADC
>>>>           netbios name = MEDIADC
>>>>           map to guest = Bad User
>>>>           passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
>>>>           log level = 2
>>>>           printcap name = cups
>>>>           add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
>>>>           logon path = \\%L\profiles\.msprofile
>>>>           logon drive = P:
>>>>           logon home = \\%L\%U\.9xprofile
>>>>           domain logons = Yes
>>>>           os level = 65
>>>>           preferred master = Yes
>>>>           domain master = Yes
>>>>           wins support = Yes
>>>>           ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
>>>>           ldap group suffix = ou=group
>>>>           ldap idmap suffix = ou=Idmap
>>>>           ldap machine suffix = ou=Machines
>>>>           ldap passwd sync = yes
>>>>           ldap suffix = dc=mediaservice-test,dc=pri
>>>>           ldap ssl = no
>>>>           ldap user suffix = ou=people
>>>>           usershare allow guests = Yes
>>>>           idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
>>>>           idmap uid = 1000-60000
>>>>           idmap gid = 1000-60000
>>>>           cups options = raw
>>>>
>>>> [homes]
>>>>           comment = Home Directories
>>>>           valid users = %S, %D%w%S
>>>>           read only = No
>>>>           inherit acls = Yes
>>>>           browseable = No
>>>>
>>>> [profiles]
>>>>           comment = Network Profiles Service
>>>>           path = %H
>>>>           read only = No
>>>>           create mask = 0600
>>>>           directory mask = 0700
>>>>           store dos attributes = Yes
>>>>
>>>> [users]
>>>>           comment = All users
>>>>           path = /home
>>>>           read only = No
>>>>           inherit acls = Yes
>>>>           veto files = /aquota.user/groups/shares/
>>>>
>>>> [groups]
>>>>           comment = All groups
>>>>           path = /home/groups
>>>>           read only = No
>>>>           inherit acls = Yes
>>>>
>>>> [printers]
>>>>           comment = All Printers
>>>>           path = /var/tmp
>>>>           create mask = 0600
>>>>           printable = Yes
>>>>           browseable = No
>>>>
>>>> [print$]
>>>>           comment = Printer Drivers
>>>>           path = /var/lib/samba/drivers
>>>>           write list = @ntadmin, root
>>>>           force group = ntadmin
>>>>           create mask = 0664
>>>>           directory mask = 0775
>>>>
>>>> [netlogon]
>>>>           comment = Network Logon Service
>>>>           path = /var/lib/samba/netlogon
>>>>           write list = root
>>>>
>>>> If I try to join a Windows XP machine to the domain I get these results:
>>>>
>>>> [2010/09/27 14:58:52.229946,  0] lib/util_sock.c:1432(get_peer_addr_internal)
>>>>     getpeername failed. Error was Transport endpoint is not connected
>>>> [2010/09/27 14:58:52.233371,  2] smbd/reply.c:536(reply_special)
>>>>     netbios connect: name1=MEDIADC        0x20 name2=TESTAFS        0x0
>>>> [2010/09/27 14:58:52.233498,  2] smbd/reply.c:547(reply_special)
>>>>     netbios connect: local=mediadc remote=testafs, name type = 0
>>>> [2010/09/27 14:58:52.234068,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
>>>>     setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>>> [2010/09/27 14:58:52.233647,  0] lib/util_sock.c:675(write_data)
>>>> [2010/09/27 14:58:52.234876,  0] lib/util_sock.c:1432(get_peer_addr_internal)
>>>>     getpeername failed. Error was Transport endpoint is not connected
>>>>     write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
>>>> [2010/09/27 14:58:52.236855,  0] smbd/process.c:79(srv_send_smb)
>>>>     Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
>>>> [2010/09/27 14:58:52.238615,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
>>>>     setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>>> [2010/09/27 14:58:52.239888,  2] lib/smbldap.c:950(smbldap_open_connection)
>>>>     smbldap_open_connection: connection opened
>>>> [2010/09/27 14:58:52.242954,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>>>     init_sam_from_ldap: Entry found for user: Administrator
>>>> [2010/09/27 14:58:52.295749,  2] auth/auth.c:304(check_ntlm_password)
>>>>     check_ntlm_password:  authentication for user [Administrator] -> [Administrator] ->   [Administrator] succeeded
>>>> [2010/09/27 14:58:52.780610,  0] rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
>>>>     _netr_ServerAuthenticate: no challenge sent to client TESTAFS
>>>> [2010/09/27 14:58:53.337111,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
>>>>     setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>>> [2010/09/27 14:58:53.338938,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
>>>>     setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>>> [2010/09/27 14:58:53.339808,  2] lib/smbldap.c:950(smbldap_open_connection)
>>>>     smbldap_open_connection: connection opened
>>>> [2010/09/27 14:58:53.342371,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>>>     init_sam_from_ldap: Entry found for user: Administrator
>>>> [2010/09/27 14:58:53.347683,  2] auth/auth.c:304(check_ntlm_password)
>>>>     check_ntlm_password:  authentication for user [Administrator] -> [Administrator] ->   [Administrator] succeeded
>>>> [2010/09/27 14:58:53.812728,  2] rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>>>     Returning domain sid for domain MEDIADC -> S-1-5-21-1949818787-1514111066-129980733
>>>> [2010/09/27 14:58:53.814002,  2] rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>>>     Returning domain sid for domain MEDIADC -> S-1-5-21-1949818787-1514111066-129980733
>>>>
>>>> It seems that all works fine, but Windows gives an error like "Access
>>>> Denied" and the computer is not added to the domain.
>>>>
>>>> What can be the problem? How to debug it?
>>>>
>>>> Any hint is welcome...
>>>>
>>>> Cordially,
>>>>
>>>> Claudio Prono.
>>>>
>>>>
>>>>
>>>>        
>>>      
>>    

-- 
--------------------------------------------------------------------------------
Claudio Prono                         OPST
System Developer               
                                      Gsm: +39-349-54.33.258
@PSS Srl                              Tel: +39-011-32.72.100
Via San Bernardino, 17                Fax: +39-011-32.46.497
10141 Torino - ITALY                  http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc
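The log excerpt quoted in the thread is the only evidence the post has to work from, and the interesting lines are easy to miss among the connection-reset noise. Below is an added example, not code from the thread or from Samba: a small parser for the smbd log format shown above (a "[date time, level] file.c:NNN(function)" header followed by indented message lines) and a few triage rules that pull out what matters for a failed join: which client connected, whose NTLM authentication succeeded, whether NETLOGON's ServerAuthenticate3 ran without a stored challenge, and which domain SIDs were returned. The sample log is constructed from the thread's own lines with the mail wrapping undone; the triage rules and wording of the verdict are this example's, not Samba's.

```python
"""Parse Samba 3 smbd log output and triage a failed domain join.

Added example (not from the thread or from Samba). Handles the log format
quoted in the post: a header line "[YYYY/MM/DD HH:MM:SS.ffffff, level]
file.c:NNN(function)" followed by one or more indented message lines.
"""
import re
from dataclasses import dataclass

HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]"
    r"\s*(?P<file>\S+?):(?P<line>\d+)\((?P<func>[^)]+)\)\s*$"
)
NB_CONNECT = re.compile(r"netbios connect: name1=(\S+)\s+0x[0-9a-fA-F]+ name2=(\S+)")
AUTH_OK = re.compile(r"authentication for user \[([^\]]+)\] -> \[[^\]]+\] ->\s*\[([^\]]+)\] succeeded")
NO_CHALLENGE = re.compile(r"no challenge sent to client (\S+)")
DOMAIN_SID = re.compile(r"domain sid for domain (\S+) -> (S-1-5-[\d-]+)")

# Constructed sample: the thread's log entries with wrapped lines rejoined.
SAMPLE_LOG = """\
[2010/09/27 14:58:52.229946,  0] lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
[2010/09/27 14:58:52.233371,  2] smbd/reply.c:536(reply_special)
  netbios connect: name1=MEDIADC        0x20 name2=TESTAFS        0x0
[2010/09/27 14:58:52.234068,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/09/27 14:58:52.239888,  2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2010/09/27 14:58:52.242954,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: Administrator
[2010/09/27 14:58:52.295749,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [Administrator] -> [Administrator] ->   [Administrator] succeeded
[2010/09/27 14:58:52.780610,  0] rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate: no challenge sent to client TESTAFS
[2010/09/27 14:58:53.812728,  2] rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
  Returning domain sid for domain MEDIADC -> S-1-5-21-1949818787-1514111066-129980733
"""


@dataclass
class Entry:
    ts: str
    level: int
    file: str
    func: str
    message: str = ""


def parse_log(text):
    """Turn raw smbd log text into Entry objects; continuation lines are joined."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            entries.append(Entry(m["ts"], int(m["level"]), m["file"], m["func"]))
        elif entries:  # indented message line belongs to the last header seen
            entries[-1].message = (entries[-1].message + " " + line).strip()
    return entries


def triage(entries):
    """Collect the facts that matter for a join failure from parsed entries."""
    report = {"errors": [], "clients": [], "auth_ok": [],
              "netlogon_no_challenge": [], "domain_sids": {}}
    for e in entries:
        if e.level == 0:  # level 0 is smbd's error level
            report["errors"].append(f"{e.ts} {e.func}: {e.message}")
        if (m := NB_CONNECT.search(e.message)) and m.group(2) not in report["clients"]:
            report["clients"].append(m.group(2))  # calling NetBIOS name
        if m := AUTH_OK.search(e.message):
            report["auth_ok"].append(m.group(2))  # mapped unix user that authenticated
        if m := NO_CHALLENGE.search(e.message):
            report["netlogon_no_challenge"].append(m.group(1))
        if m := DOMAIN_SID.search(e.message):
            report["domain_sids"][m.group(1)] = m.group(2)
    return report


def verdict(report):
    """Plain-language reading of the report, one finding per line."""
    lines = []
    if report["auth_ok"]:
        lines.append("NTLM user authentication via the passdb backend succeeded for: "
                     + ", ".join(sorted(set(report["auth_ok"]))))
    for client in report["netlogon_no_challenge"]:
        lines.append(f"NETLOGON: ServerAuthenticate3 from {client} ran with no stored challenge "
                     "from ServerReqChallenge, so no secure channel was set up for its machine "
                     "account; check the machine account path (add machine script, ou=Machines, "
                     "getent passwd) rather than the joining user's password.")
    for domain, sid in report["domain_sids"].items():
        lines.append(f"Domain SID lookup answered: {domain} -> {sid}")
    lines.append(f"{len(report['errors'])} level-0 error line(s) recorded")
    return lines


if __name__ == "__main__":
    for line in verdict(triage(parse_log(SAMPLE_LOG))):
        print(line)
```

Run it against a real log with `python3 triage.py < /var/log/samba/log.smbd` after swapping `SAMPLE_LOG` for `sys.stdin.read()`. On the thread's excerpt it separates the two things that are easy to conflate: the Administrator NTLM check against ldapsam succeeds twice, while the one level-0 line that is not a socket error is the NETLOGON secure-channel setup for TESTAFS failing before it starts, which lines up with the "Access Denied" the XP client reports. Raising `log level` for the `auth` and `rpc_srv` debug classes in smb.conf (for example `log level = 2 auth:5 rpc_srv:5`) gives the parser more to work with on the next join attempt.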
