[Samba] Fwd: Re: Problem with Samba - Openldap and domain autentication of Windows XP
Gaiseric Vandal
gaiseric.vandal at gmail.com
Mon Sep 27 10:31:17 MDT 2010
Wait, you are using samba with openldap backend.
Why are you using useradd??? With this backend you need smbldap instead,
like this:
passdb backend = ldapsam:ldap://your ldap server
ldap passwd sync = yes
ldap delete dn = Yes
ldap admin dn = cn=root,dc=domain,dc=com,dc=br
ldap suffix = dc=domain,dc=com,dc=br
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = sambaDomainName=DOMAIN
idmap backend = ldap:ldap://ldap server
idmap alloc backend = ldap:ldap://ldap server
idmap uid = 1000-20000
idmap gid = 1000-20000
idmap alloc config:range = 1000-20000
ldap timeout = 15
ldap connection timeout = 2
ldap page size = 1024
# add/remove users
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
# add/remove Groups
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
# add/remove user in groups
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
# define primary group of user
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
# add machines in domain
add machine script = /usr/sbin/smbldap-useradd -i -w "%u"
regards
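As an added check (not from the thread or from smbldap-tools), the following Python parses the [global] section of an smb.conf and flags provisioning scripts that still call local tools such as useradd while the passdb backend is ldapsam, which is the mismatch in the configuration quoted below; it also warns when "ldap ssl" is switched off for a plain ldap:// URL, since the admin dn bind then crosses the network unencrypted. Both config excerpts are constructed from the thread, and the hostname in SMBLDAP_CONF is a placeholder.

```python
# Constructed excerpt of the poster's [global] section quoted in the thread.
POSTER_CONF = """\
[global]
passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
ldap ssl = no
"""
# Constructed excerpt of the smbldap-tools config above (hostname is a placeholder).
SMBLDAP_CONF = """\
[global]
passdb backend = ldapsam:ldap://ldap.example.invalid
add user script = /usr/sbin/smbldap-useradd -m "%u"
add machine script = /usr/sbin/smbldap-useradd -i -w "%u"
"""
# Scripts Samba runs to provision accounts; with ldapsam they must write to LDAP.
PROVISIONING = ("add user script", "delete user script", "add group script",
                "delete group script", "add user to group script",
                "delete user from group script", "set primary group script",
                "add machine script")

def parse_global(conf):
    """Return the [global] parameters of an smb.conf text, keys lower-cased."""
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_ldapsam_scripts(conf):
    """List provisioning scripts that bypass LDAP, plus a cleartext-bind warning."""
    g = parse_global(conf)
    backend = g.get("passdb backend", "")
    if not backend.startswith("ldapsam:"):
        return []  # local backends (tdbsam, smbpasswd) may use useradd legitimately
    findings = []
    for key in PROVISIONING:
        if g.get(key):
            prog = g[key].split()[0].rsplit("/", 1)[-1]  # basename of the command
            if not prog.startswith("smbldap-"):
                findings.append(f"{key}: '{prog}' creates local accounts, not LDAP entries")
    url = backend.split(":", 1)[1]
    if g.get("ldap ssl", "").lower() in ("no", "off") and not url.startswith(("ldaps://", "ldapi://")):
        findings.append(f"ldap ssl disabled: admin dn bind to {url} goes over the wire in clear")
    return findings
```

Running it on the poster's excerpt reports the useradd-based add machine script and the disabled ldap ssl; the smbldap-tools excerpt produces no findings.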
On Mon, Sep 27, 2010 at 12:15 PM, Gaiseric Vandal
<gaiseric.vandal at gmail.com> wrote:
> Your user script may be adding a LOCAL unix account (in /etc/passwd.) Do
> you see the accounts in there? You may need a custom script that adds the
> accounts to ldap.
>
> The following may help
>
> https://gna.org/projects/smbldap-tools/
>
>
> Remember, that being root on your unix system does not automatically make
> you LDAP admin.
>
> If you have a single server then having local unix accounts may be OK -
> samba will match the samba user to the unix user via the user id. I have
> multiple servers so I use LDAP for unix accounts (previously used NIS.) So
> now an LDAP user has both windows and unix account info.
>
>
>
>
>
> On 09/27/2010 11:08 AM, Claudio Prono wrote:
>>
>> Gaiseric Vandal wrote:
>>
>>>
>>> Do you have an underlying unix account for the pc (eg SOMEMACHINE$)
>>>
>>> It is possible to configure scripts that the unix account is created
>>> by samba if necessary when samba creates the "Windows" account for the
>>> machine. I don't have it set up this way, so I need to create the
>>> unix account 1st.
>>>
>>>
>>
>> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s
>> /bin/false %m$
>>
>> This script automatically adds the machine if needed, or am I wrong?
>>
>>>
>>> Also, I found that since the underlying unix OS may need to validate the
>>> machine account, I put my machine accounts in either the same ldap ou
>>> as people (or in a sub ou.) ("getent passwd" command may need to show
>>> your machine accounts as well as people accounts.)
>>>
>>> If you have manually created the unix account for the machine, can you
>>> then manually create the samba account for it
>>>
>>> e.g. smbpasswd -m -a SOMEMACHINE
>>>
>>> (I think you leave the $ off .)
>>>
>>>
>>> I use LDAP for both "unix" and "windows" clients so my config choices
>>> may not be applicable to a windows-only client environment.
>>>
>>>
>>> On 09/27/2010 09:59 AM, Claudio Prono wrote:
>>>
>>>>
>>>> Hello all,
>>>>
>>>> I have some problems making a configuration with Samba and OpenLDAP as
>>>> domain controller work. My operating system is OpenSuSE 11.3.
>>>>
>>>> Here is my testparm:
>>>>
>>>> [global]
>>>> workgroup = MEDIADC
>>>> netbios name = MEDIADC
>>>> map to guest = Bad User
>>>> passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
>>>> log level = 2
>>>> printcap name = cups
>>>> add machine script = /usr/sbin/useradd -c Machine -d
>>>> /var/lib/nobody -s /bin/false %m$
>>>> logon path = \\%L\profiles\.msprofile
>>>> logon drive = P:
>>>> logon home = \\%L\%U\.9xprofile
>>>> domain logons = Yes
>>>> os level = 65
>>>> preferred master = Yes
>>>> domain master = Yes
>>>> wins support = Yes
>>>> ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
>>>> ldap group suffix = ou=group
>>>> ldap idmap suffix = ou=Idmap
>>>> ldap machine suffix = ou=Machines
>>>> ldap passwd sync = yes
>>>> ldap suffix = dc=mediaservice-test,dc=pri
>>>> ldap ssl = no
>>>> ldap user suffix = ou=people
>>>> usershare allow guests = Yes
>>>> idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
>>>> idmap uid = 1000-60000
>>>> idmap gid = 1000-60000
>>>> cups options = raw
>>>>
>>>> [homes]
>>>> comment = Home Directories
>>>> valid users = %S, %D%w%S
>>>> read only = No
>>>> inherit acls = Yes
>>>> browseable = No
>>>>
>>>> [profiles]
>>>> comment = Network Profiles Service
>>>> path = %H
>>>> read only = No
>>>> create mask = 0600
>>>> directory mask = 0700
>>>> store dos attributes = Yes
>>>>
>>>> [users]
>>>> comment = All users
>>>> path = /home
>>>> read only = No
>>>> inherit acls = Yes
>>>> veto files = /aquota.user/groups/shares/
>>>>
>>>> [groups]
>>>> comment = All groups
>>>> path = /home/groups
>>>> read only = No
>>>> inherit acls = Yes
>>>>
>>>> [printers]
>>>> comment = All Printers
>>>> path = /var/tmp
>>>> create mask = 0600
>>>> printable = Yes
>>>> browseable = No
>>>>
>>>> [print$]
>>>> comment = Printer Drivers
>>>> path = /var/lib/samba/drivers
>>>> write list = @ntadmin, root
>>>> force group = ntadmin
>>>> create mask = 0664
>>>> directory mask = 0775
>>>>
>>>> [netlogon]
>>>> comment = Network Logon Service
>>>> path = /var/lib/samba/netlogon
>>>> write list = root
>>>>
>>>> If I try to join a Windows XP machine to the domain I have these results:
>>>>
>>>> [2010/09/27 14:58:52.229946, 0]
>>>> lib/util_sock.c:1432(get_peer_addr_internal)
>>>> getpeername failed. Error was Transport endpoint is not connected
>>>> [2010/09/27 14:58:52.233371, 2] smbd/reply.c:536(reply_special)
>>>> netbios connect: name1=MEDIADC 0x20 name2=TESTAFS 0x0
>>>> [2010/09/27 14:58:52.233498, 2] smbd/reply.c:547(reply_special)
>>>> netbios connect: local=mediadc remote=testafs, name type = 0
>>>> [2010/09/27 14:58:52.234068, 2]
>>>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>>>> all old resources.
>>>> [2010/09/27 14:58:52.233647, 0] lib/util_sock.c:675(write_data)
>>>> [2010/09/27 14:58:52.234876, 0]
>>>> lib/util_sock.c:1432(get_peer_addr_internal)
>>>> getpeername failed. Error was Transport endpoint is not connected
>>>> write_data: write failure in writing to client 0.0.0.0. Error
>>>> Connection reset by peer
>>>> [2010/09/27 14:58:52.236855, 0] smbd/process.c:79(srv_send_smb)
>>>> Error writing 4 bytes to client. -1. (Transport endpoint is not
>>>> connected)
>>>> [2010/09/27 14:58:52.238615, 2]
>>>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>>>> all old resources.
>>>> [2010/09/27 14:58:52.239888, 2]
>>>> lib/smbldap.c:950(smbldap_open_connection)
>>>> smbldap_open_connection: connection opened
>>>> [2010/09/27 14:58:52.242954, 2]
>>>> passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>>> init_sam_from_ldap: Entry found for user: Administrator
>>>> [2010/09/27 14:58:52.295749, 2] auth/auth.c:304(check_ntlm_password)
>>>> check_ntlm_password: authentication for user [Administrator] ->
>>>> [Administrator] -> [Administrator] succeeded
>>>> [2010/09/27 14:58:52.780610, 0]
>>>> rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
>>>> _netr_ServerAuthenticate: no challenge sent to client TESTAFS
>>>> [2010/09/27 14:58:53.337111, 2]
>>>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>>>> all old resources.
>>>> [2010/09/27 14:58:53.338938, 2]
>>>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>>>> all old resources.
>>>> [2010/09/27 14:58:53.339808, 2]
>>>> lib/smbldap.c:950(smbldap_open_connection)
>>>> smbldap_open_connection: connection opened
>>>> [2010/09/27 14:58:53.342371, 2]
>>>> passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>>> init_sam_from_ldap: Entry found for user: Administrator
>>>> [2010/09/27 14:58:53.347683, 2] auth/auth.c:304(check_ntlm_password)
>>>> check_ntlm_password: authentication for user [Administrator] ->
>>>> [Administrator] -> [Administrator] succeeded
>>>> [2010/09/27 14:58:53.812728, 2]
>>>> rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>>> Returning domain sid for domain MEDIADC ->
>>>> S-1-5-21-1949818787-1514111066-129980733
>>>> [2010/09/27 14:58:53.814002, 2]
>>>> rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>>> Returning domain sid for domain MEDIADC ->
>>>> S-1-5-21-1949818787-1514111066-129980733
>>>>
>>>> As it seems all works fine, but Windows gives an error like "Access
>>>> Denied" and the computer is not added to the domain.
>>>>
>>>> What can be the problem? How to debug it?
>>>>
>>>> Any hint is welcome...
>>>>
>>>> Cordially,
>>>>
>>>> Claudio Prono.
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>