[Samba] Problem with Samba - Openldap and domain autentication of Windows XP
Claudio Prono
claudio.prono at atpss.net
Mon Sep 27 10:15:21 MDT 2010
Gaiseric Vandal wrote:
> Your user script may be adding a LOCAL unix account (in /etc/passwd.)
> Do you see the accounts in there? You may need a custom script that
> adds the accounts to LDAP.
>
The strange thing is I don't see a local account, as if the script is not
executed....
> The following may help
>
> https://gna.org/projects/smbldap-tools/
>
>
OK, I'll take a look, thank you.
> Remember, that being root on your unix system does not automatically
> make you LDAP admin.
>
> If you have a single server then having your unix may be OK - samba
> will match the samba user to the unix user via the user id. I have
> multiple servers so I use LDAP for unix accounts (previously used
> NIS.) So now an LDAP user has both windows and unix account info.
>
If I try to add a user to LDAP manually and try something like
smbclient -L localhost -U user
the user is authenticated perfectly... so the Samba-LDAP authentication
seems to work.... The problem is the automatic user and machine add; I
don't understand why it doesn't work...
>
>
>
>
> On 09/27/2010 11:08 AM, Claudio Prono wrote:
>>
>> Gaiseric Vandal wrote:
>>
>>> Do you have an underlying unix account for the pc (eg SOMEMACHINE$)?
>>>
>>> It is possible to configure scripts so that the unix account is created
>>> by samba if necessary when samba creates the "Windows" account for the
>>> machine. I don't have it set up this way, so I need to create the
>>> unix account first.
>>>
>>>
>> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
>>
>> This script automatically adds the machine if needed, or am I wrong?
>>
>>> Also, I found that since the underlying unix OS may need to validate the
>>> machine account, I put my machine accounts in either the same ldap ou
>>> as people (or in a sub ou.) (The "getent passwd" command may need to show
>>> your machine accounts as well as people accounts.)
>>>
>>> If you have manually created the unix account for the machine, can you
>>> then manually create the samba account for it?
>>>
>>> e.g. smbpasswd -m -a SOMEMACHINE
>>>
>>> (I think you leave the $ off .)
>>>
>>>
>>> I use LDAP for both "unix" and "windows" clients so my config choices
>>> may not be applicable to a windows-only client environment.
>>>
>>>
>>> On 09/27/2010 09:59 AM, Claudio Prono wrote:
>>>
>>>> Hello all,
>>>>
>>>> I have some problems making a configuration like Samba and
>>>> OpenLDAP as domain controller work. My operating system is OpenSuSE 11.3.
>>>>
>>>> Here is my testparm:
>>>>
>>>> [global]
>>>> workgroup = MEDIADC
>>>> netbios name = MEDIADC
>>>> map to guest = Bad User
>>>> passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
>>>> log level = 2
>>>> printcap name = cups
>>>> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
>>>> logon path = \\%L\profiles\.msprofile
>>>> logon drive = P:
>>>> logon home = \\%L\%U\.9xprofile
>>>> domain logons = Yes
>>>> os level = 65
>>>> preferred master = Yes
>>>> domain master = Yes
>>>> wins support = Yes
>>>> ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
>>>> ldap group suffix = ou=group
>>>> ldap idmap suffix = ou=Idmap
>>>> ldap machine suffix = ou=Machines
>>>> ldap passwd sync = yes
>>>> ldap suffix = dc=mediaservice-test,dc=pri
>>>> ldap ssl = no
>>>> ldap user suffix = ou=people
>>>> usershare allow guests = Yes
>>>> idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
>>>> idmap uid = 1000-60000
>>>> idmap gid = 1000-60000
>>>> cups options = raw
>>>>
>>>> [homes]
>>>> comment = Home Directories
>>>> valid users = %S, %D%w%S
>>>> read only = No
>>>> inherit acls = Yes
>>>> browseable = No
>>>>
>>>> [profiles]
>>>> comment = Network Profiles Service
>>>> path = %H
>>>> read only = No
>>>> create mask = 0600
>>>> directory mask = 0700
>>>> store dos attributes = Yes
>>>>
>>>> [users]
>>>> comment = All users
>>>> path = /home
>>>> read only = No
>>>> inherit acls = Yes
>>>> veto files = /aquota.user/groups/shares/
>>>>
>>>> [groups]
>>>> comment = All groups
>>>> path = /home/groups
>>>> read only = No
>>>> inherit acls = Yes
>>>>
>>>> [printers]
>>>> comment = All Printers
>>>> path = /var/tmp
>>>> create mask = 0600
>>>> printable = Yes
>>>> browseable = No
>>>>
>>>> [print$]
>>>> comment = Printer Drivers
>>>> path = /var/lib/samba/drivers
>>>> write list = @ntadmin, root
>>>> force group = ntadmin
>>>> create mask = 0664
>>>> directory mask = 0775
>>>>
>>>> [netlogon]
>>>> comment = Network Logon Service
>>>> path = /var/lib/samba/netlogon
>>>> write list = root
>>>>
>>>> If I try to join Windows XP to the domain, I get these results:
>>>>
>>>> [2010/09/27 14:58:52.229946, 0] lib/util_sock.c:1432(get_peer_addr_internal)
>>>> getpeername failed. Error was Transport endpoint is not connected
>>>> [2010/09/27 14:58:52.233371, 2] smbd/reply.c:536(reply_special)
>>>> netbios connect: name1=MEDIADC 0x20 name2=TESTAFS 0x0
>>>> [2010/09/27 14:58:52.233498, 2] smbd/reply.c:547(reply_special)
>>>> netbios connect: local=mediadc remote=testafs, name type = 0
>>>> [2010/09/27 14:58:52.234068, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
>>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>>> [2010/09/27 14:58:52.233647, 0] lib/util_sock.c:675(write_data)
>>>> [2010/09/27 14:58:52.234876, 0] lib/util_sock.c:1432(get_peer_addr_internal)
>>>> getpeername failed. Error was Transport endpoint is not connected
>>>> write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
>>>> [2010/09/27 14:58:52.236855, 0] smbd/process.c:79(srv_send_smb)
>>>> Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
>>>> [2010/09/27 14:58:52.238615, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
>>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>>> [2010/09/27 14:58:52.239888, 2] lib/smbldap.c:950(smbldap_open_connection)
>>>> smbldap_open_connection: connection opened
>>>> [2010/09/27 14:58:52.242954, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>>> init_sam_from_ldap: Entry found for user: Administrator
>>>> [2010/09/27 14:58:52.295749, 2] auth/auth.c:304(check_ntlm_password)
>>>> check_ntlm_password: authentication for user [Administrator] -> [Administrator] -> [Administrator] succeeded
>>>> [2010/09/27 14:58:52.780610, 0] rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
>>>> _netr_ServerAuthenticate: no challenge sent to client TESTAFS
>>>> [2010/09/27 14:58:53.337111, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
>>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>>> [2010/09/27 14:58:53.338938, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
>>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>>> [2010/09/27 14:58:53.339808, 2] lib/smbldap.c:950(smbldap_open_connection)
>>>> smbldap_open_connection: connection opened
>>>> [2010/09/27 14:58:53.342371, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>>> init_sam_from_ldap: Entry found for user: Administrator
>>>> [2010/09/27 14:58:53.347683, 2] auth/auth.c:304(check_ntlm_password)
>>>> check_ntlm_password: authentication for user [Administrator] -> [Administrator] -> [Administrator] succeeded
>>>> [2010/09/27 14:58:53.812728, 2] rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>>> Returning domain sid for domain MEDIADC -> S-1-5-21-1949818787-1514111066-129980733
>>>> [2010/09/27 14:58:53.814002, 2] rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>>> Returning domain sid for domain MEDIADC -> S-1-5-21-1949818787-1514111066-129980733
>>>>
>>>> It seems all works fine, but Windows gives an error like "Access
>>>> Denied" and the computer is not added to the domain.
>>>>
>>>> What can be the problem? How to debug it?
>>>>
>>>> Any hint is welcome...
>>>>
>>>> Cordially,
>>>>
>>>> Claudio Prono.
>>>>
>>>>
>>>>
>>>>
>>>
>>
>
>
>
>
>
--
--------------------------------------------------------------------------------
Claudio Prono OPST
System Developer
Gsm: +39-349-54.33.258
@PSS Srl Tel: +39-011-32.72.100
Via San Bernardino, 17 Fax: +39-011-32.46.497
10141 Torino - ITALY http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc
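The `add machine script` in the posted smb.conf runs useradd, so even when it does fire it creates the machine's Unix account in /etc/passwd rather than in the LDAP tree that the ldapsam passdb backend and nss_ldap read; Gaiseric's point above is that a custom script has to put that account into LDAP. Below is such a script, as an added example that is not part of the thread and is not smbldap-tools code. It assumes the ldap-utils `ldapadd` client, a `machines` posixGroup (gid 515) already present in the directory, the ldap admin dn's password in a root-only file /etc/samba/ldap-admin.pw, and nss_ldap configured so that `getent passwd` sees ou=Machines; the suffixes and the idmap range are taken from the posted config. Note that smb.conf(5) documents `%u` (the account name, trailing `$` included) as the substitution for `add machine script`, so the script expects to be invoked as `add machine script = /usr/local/sbin/add-machine.sh %u`.

```sh
#!/bin/sh
# add-machine.sh: create a machine trust account's Unix entry in LDAP.
# Added example for this thread; not smbldap-tools and not Samba's own code.
# Assumptions (not in the original post): ldapadd from ldap-utils, a
# 'machines' posixGroup with gid 515, the admin password in PW_FILE (0600).

LDAP_URI="ldap://afs-test.mediaservice-test.pri"                # from the posted smb.conf
ADMIN_DN="cn=Administrator,dc=mediaservice-test,dc=pri"         # ldap admin dn from smb.conf
MACHINE_BASE="ou=Machines,dc=mediaservice-test,dc=pri"          # ldap machine suffix + ldap suffix
MACHINE_GID=515                                                  # assumption: 'machines' group
PW_FILE="/etc/samba/ldap-admin.pw"                               # assumption: root-only file

# The name comes from the joining client, so validate it before it reaches
# ldapadd: 1-15 characters of [A-Za-z0-9-] followed by the trailing '$'.
valid_machine_name() {
    case "$1" in
        *'$') ;;
        *) return 1 ;;
    esac
    base=${1%'$'}
    [ -n "$base" ] && [ ${#base} -le 15 ] || return 1
    case "$base" in
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# Allocate the next free uidNumber inside the range the posted smb.conf maps
# (idmap uid = 1000-60000), reading "name:uid" lines on stdin. Feeding it
# `getent passwd | cut -d: -f1,3` counts both local and LDAP accounts.
next_uid() {
    awk -F: -v lo=1000 -v hi=60000 '
        $2+0 >= lo && $2+0 <= hi && $2+0 > max { max = $2+0 }
        END {
            if (max == 0) max = lo - 1
            if (max + 1 > hi) { print "no free uid in range" > "/dev/stderr"; exit 1 }
            print max + 1
        }'
}

# Emit the LDIF for the machine's posixAccount entry. Once getpwnam() can
# resolve it, Samba's ldapsam backend adds the sambaSamAccount attributes.
machine_ldif() {
    name=$1; uid=$2
    printf 'dn: uid=%s,%s\n' "$name" "$MACHINE_BASE"
    printf 'objectClass: top\nobjectClass: account\nobjectClass: posixAccount\n'
    printf 'cn: %s\nuid: %s\n' "$name" "$name"
    printf 'uidNumber: %s\ngidNumber: %s\n' "$uid" "$MACHINE_GID"
    printf 'homeDirectory: /var/lib/nobody\nloginShell: /bin/false\n'
    printf 'description: Machine account for %s\n' "${name%'$'}"
}

add_machine() {
    name=$1
    if ! valid_machine_name "$name"; then
        echo "add-machine: refusing machine name '$name'" >&2
        return 1
    fi
    uid=$(getent passwd | cut -d: -f1,3 | next_uid) || return 1
    machine_ldif "$name" "$uid" |
        ldapadd -x -H "$LDAP_URI" -D "$ADMIN_DN" -y "$PW_FILE" >/dev/null || return 1
    # smbd calls getpwnam() right after the script returns; if nss_ldap does
    # not see the new entry (wrong base, stale cache) the join still fails.
    getent passwd "$name" >/dev/null
}

# Samba invokes the script with a single argument (%u); do nothing when sourced.
if [ "$#" -eq 1 ]; then
    add_machine "$1"
fi
```

After a join, `getent passwd 'TESTAFS$'` should show the entry and `pdbedit -L` should list TESTAFS$ with its SID; if the first works and the second does not, the ldapsam side (the ldap admin dn and the password stored for it with `smbpasswd -w`) is the thing to check, since the script above deliberately uses its own credential file rather than Samba's secrets.tdb. The uid allocation reads the whole passwd map, so two simultaneous joins can race for the same number; smbldap-tools avoids that with a counter entry (sambaUnixIdPool) in the directory.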