[Samba] Fwd: Re: Problem with Samba - Openldap and domain autentication of Windows XP

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Sep 27 10:31:17 MDT 2010


Wait, you are using samba with openldap backend.

Why are you using useradd??? With this backend you need smbldap instead,
like this:

         passdb backend = ldapsam:ldap://your ldap server
         ldap passwd sync = yes
         ldap delete dn = Yes
         ldap admin dn = cn=root,dc=domain,dc=com,dc=br
         ldap suffix = dc=domain,dc=com,dc=br
         ldap machine suffix = ou=Computers
         ldap user suffix = ou=Users
         ldap group suffix = ou=Groups
         ldap idmap suffix = sambaDomainName=DOMAIN
         idmap backend = ldap:ldap://ldap server
         idmap alloc backend = ldap:ldap://ldap server
         idmap uid = 1000-20000
         idmap gid = 1000-20000
         idmap alloc config:range = 1000-20000
         ldap timeout = 15
         ldap connection timeout = 2
         ldap page size = 1024

    # add/remove users
         add user script = /usr/sbin/smbldap-useradd -m "%u"
         delete user script = /usr/sbin/smbldap-userdel "%u"
    # add/remove Groups
         add group script = /usr/sbin/smbldap-groupadd -p "%g"
         delete group script = /usr/sbin/smbldap-groupdel "%g"
    # add/remove user in groups
         add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
         delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    # define primary group of user
         set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
    # add machines in domain
         add machine script = /usr/sbin/smbldap-useradd -i -w "%u"

regards
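The settings discussed above lend themselves to an automated check. The following Python script is an added example, not code from this thread or from the Samba project: it parses a testparm-style smb.conf and reports the pitfalls the replies raise (an "add machine script" that uses %m where smb.conf(5) documents %u and warns against %m, a local useradd script under an ldapsam backend, "ldap ssl = no" to a remote LDAP server, and guest mapping on a domain controller). The sample configuration embedded in it is constructed from the posted [global] section, with a second copy carrying the fixes the replies suggest; the check names, severities and messages are this example's own assumptions, not Samba's.

```python
# Added example (not from the thread or the Samba project): lint a Samba 3
# classic-PDC smb.conf for the pitfalls raised in the thread. Check names,
# severities and messages are this example's own assumptions.
import re
import sys

# Constructed from the [global] section posted in the thread (trimmed).
SAMPLE_SMB_CONF = """
[global]
    map to guest = Bad User
    passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
    add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
    domain logons = Yes
    ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
    ldap passwd sync = yes
    ldap ssl = no
    usershare allow guests = Yes
    idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
"""

# The same section with the fixes the replies suggest applied (constructed).
FIXED_SMB_CONF = """
[global]
    map to guest = Never
    passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
    domain logons = Yes
    ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
    ldap passwd sync = yes
    ldap ssl = start tls
    idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
"""

LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


def parse_smb_conf(text):
    """Parse smb.conf / testparm output into {section: {key: value}}.
    Keys are lower-cased with whitespace collapsed (Samba treats them
    case-insensitively); values split on the first '=' only, so DNs such
    as 'cn=Administrator,dc=...' survive intact."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return conf


def url_host(url):
    """Host part of an ldap/ldaps/ldapi URL ('' when the URL names no host)."""
    rest = url.partition("://")[2]
    m = re.match(r"\[(?P<v6>[^\]]*)\]|(?P<v4>[^:/]*)", rest)
    return m.group("v6") if m.group("v6") is not None else m.group("v4")


def ldap_urls(g):
    """Every LDAP URL named by the passdb/idmap settings of [global]."""
    urls = []
    for key in ("passdb backend", "idmap backend", "idmap alloc backend"):
        urls += re.findall(r"ldap[si]?://\S*", g.get(key, ""))
    return urls


def lint(conf):
    """Return [(severity, parameter, message)] for the pitfalls in the thread."""
    g = conf.get("global", {})
    findings = []
    script = g.get("add machine script", "")
    # smb.conf(5): add machine script takes %u, the account name already
    # ending in '$', and says not to use %m (the client's NetBIOS name).
    if "%m" in script:
        findings.append(("error", "add machine script",
                         "uses %m (client NetBIOS name); use %u, the account name including its trailing $"))
    elif "%u$" in script:
        findings.append(("error", "add machine script", "%u already ends in $, so %u$ creates NAME$$"))
    # ldapsam keeps the Samba half in LDAP; a plain useradd puts the Unix
    # half in /etc/passwd, which other servers never see (the reply's point).
    if g.get("passdb backend", "").startswith("ldapsam:") and "useradd" in script and "smbldap" not in script:
        findings.append(("warn", "passdb backend",
                         "ldapsam with a local useradd script: machine accounts land in /etc/passwd, not in LDAP"))
    # ldap ssl = no over ldap:// to another host sends the ldap admin dn simple
    # bind and, with ldap passwd sync, new user passwords in the clear.
    if g.get("ldap ssl", "").lower() in ("no", "off", "false", "0"):
        remote = {url_host(u) for u in ldap_urls(g) if u.startswith("ldap://")} - LOCAL_HOSTS
        for host in sorted(remote):
            findings.append(("warn", "ldap ssl",
                             f"cleartext simple bind as {g.get('ldap admin dn', '?')} to {host}; "
                             "use ldap ssl = start tls, ldaps:// or ldapi://"))
    # On a PDC, mapping unknown users to guest plus guest usershares gives
    # anonymous callers whatever users choose to share.
    if (g.get("domain logons", "").lower() == "yes"
            and g.get("map to guest", "never").lower() != "never"
            and g.get("usershare allow guests", "").lower() == "yes"):
        findings.append(("info", "map to guest",
                         "domain controller maps unknown users to guest and allows guest usershares"))
    return findings


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SMB_CONF
    for sev, param, msg in lint(parse_smb_conf(text)):
        print(f"{sev:5} {param}: {msg}")


if __name__ == "__main__":
    main(sys.argv)
```

Run with no arguments to lint the embedded sample (it reports all four findings), or pass the path of an smb.conf, or of saved "testparm -s" output, as the first argument; the fixed copy produces no findings.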

On Mon, Sep 27, 2010 at 12:15 PM, Gaiseric Vandal
<gaiseric.vandal at gmail.com>  wrote:
>  Your user script may be adding a LOCAL unix account (in /etc/passwd.)   Do
>  you see the accounts in there?   You may need a custom script that adds the
>  accounts to ldap.
>
>  The following may help
>
>  https://gna.org/projects/smbldap-tools/
>
>
>  Remember, that being root on your unix system does not automatically make
>  you LDAP admin.
>
>  If you have a single server then having your unix accounts local may be OK -
>  samba will match the samba user to the unix user via the user id.    I have
>  multiple servers so I use LDAP for unix accounts (previously used NIS.)   So
>  now an LDAP user has both windows and unix account info.
>
>
>
>
>
>  On 09/27/2010 11:08 AM, Claudio Prono wrote:
>>
>>  Gaiseric Vandal wrote:
>>
>>>
>>>  Do you have an underlying unix account for the pc (eg SOMEMACHINE$)
>>>
>>>  It is possible to configure scripts that the unix account is created
>>>  by samba if necessary when samba creates the "Windows" account for the
>>>  machine.  I don't have it set up this way, so I need to create the
>>>  unix account 1st.
>>>
>>>
>>
>>  add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
>>
>>  This script automatically adds the machine if needed, or am I wrong?
>>
>>>
>>>  Also, I found that since the underlying unix OS may need validate the
>>>  machine account,  I put my machine accounts in either the same ldap ou
>>>  as people (or in a sub ou.)  ("getent passwd" command may need to show
>>>  your machine accounts as well as people accounts.)
>>>
>>>  If you have manually created the unix account for the machine, can you
>>>  then manually create the samba account for it
>>>
>>>           e.g. smbpasswd -m -a SOMEMACHINE
>>>
>>>       (I think you leave the $ off .)
>>>
>>>
>>>  I use LDAP for both "unix" and "windows" clients so my config choices
>>>  may not be applicable to a windows-only client environment.
>>>
>>>
>>>  On 09/27/2010 09:59 AM, Claudio Prono wrote:
>>>
>>>>
>>>>  Hello all,
>>>>
>>>>  I have some problems making a configuration with Samba and
>>>>  OpenLDAP as domain controller work. My operating system is OpenSuSE 11.3.
>>>>
>>>>  Here is my testparm:
>>>>
>>>>  [global]
>>>>            workgroup = MEDIADC
>>>>            netbios name = MEDIADC
>>>>            map to guest = Bad User
>>>>            passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
>>>>            log level = 2
>>>>            printcap name = cups
>>>>            add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
>>>>            logon path = \\%L\profiles\.msprofile
>>>>            logon drive = P:
>>>>            logon home = \\%L\%U\.9xprofile
>>>>            domain logons = Yes
>>>>            os level = 65
>>>>            preferred master = Yes
>>>>            domain master = Yes
>>>>            wins support = Yes
>>>>            ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
>>>>            ldap group suffix = ou=group
>>>>            ldap idmap suffix = ou=Idmap
>>>>            ldap machine suffix = ou=Machines
>>>>            ldap passwd sync = yes
>>>>            ldap suffix = dc=mediaservice-test,dc=pri
>>>>            ldap ssl = no
>>>>            ldap user suffix = ou=people
>>>>            usershare allow guests = Yes
>>>>            idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
>>>>            idmap uid = 1000-60000
>>>>            idmap gid = 1000-60000
>>>>            cups options = raw
>>>>
>>>>  [homes]
>>>>            comment = Home Directories
>>>>            valid users = %S, %D%w%S
>>>>            read only = No
>>>>            inherit acls = Yes
>>>>            browseable = No
>>>>
>>>>  [profiles]
>>>>            comment = Network Profiles Service
>>>>            path = %H
>>>>            read only = No
>>>>            create mask = 0600
>>>>            directory mask = 0700
>>>>            store dos attributes = Yes
>>>>
>>>>  [users]
>>>>            comment = All users
>>>>            path = /home
>>>>            read only = No
>>>>            inherit acls = Yes
>>>>            veto files = /aquota.user/groups/shares/
>>>>
>>>>  [groups]
>>>>            comment = All groups
>>>>            path = /home/groups
>>>>            read only = No
>>>>            inherit acls = Yes
>>>>
>>>>  [printers]
>>>>            comment = All Printers
>>>>            path = /var/tmp
>>>>            create mask = 0600
>>>>            printable = Yes
>>>>            browseable = No
>>>>
>>>>  [print$]
>>>>            comment = Printer Drivers
>>>>            path = /var/lib/samba/drivers
>>>>            write list = @ntadmin, root
>>>>            force group = ntadmin
>>>>            create mask = 0664
>>>>            directory mask = 0775
>>>>
>>>>  [netlogon]
>>>>            comment = Network Logon Service
>>>>            path = /var/lib/samba/netlogon
>>>>            write list = root
>>>>
>>>>  If I try to join a Windows XP machine to the domain I get these results:
>>>>
>>>>  [2010/09/27 14:58:52.229946,  0]
>>>>  lib/util_sock.c:1432(get_peer_addr_internal)
>>>>      getpeername failed. Error was Transport endpoint is not connected
>>>>  [2010/09/27 14:58:52.233371,  2] smbd/reply.c:536(reply_special)
>>>>      netbios connect: name1=MEDIADC        0x20 name2=TESTAFS        0x0
>>>>  [2010/09/27 14:58:52.233498,  2] smbd/reply.c:547(reply_special)
>>>>      netbios connect: local=mediadc remote=testafs, name type = 0
>>>>  [2010/09/27 14:58:52.234068,  2]
>>>>  smbd/sesssetup.c:1390(setup_new_vc_session)
>>>>      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>>>>  all old resources.
>>>>  [2010/09/27 14:58:52.233647,  0] lib/util_sock.c:675(write_data)
>>>>  [2010/09/27 14:58:52.234876,  0]
>>>>  lib/util_sock.c:1432(get_peer_addr_internal)
>>>>      getpeername failed. Error was Transport endpoint is not connected
>>>>      write_data: write failure in writing to client 0.0.0.0. Error
>>>>  Connection reset by peer
>>>>  [2010/09/27 14:58:52.236855,  0] smbd/process.c:79(srv_send_smb)
>>>>      Error writing 4 bytes to client. -1. (Transport endpoint is not
>>>>  connected)
>>>>  [2010/09/27 14:58:52.238615,  2]
>>>>  smbd/sesssetup.c:1390(setup_new_vc_session)
>>>>      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>>>>  all old resources.
>>>>  [2010/09/27 14:58:52.239888,  2]
>>>>  lib/smbldap.c:950(smbldap_open_connection)
>>>>      smbldap_open_connection: connection opened
>>>>  [2010/09/27 14:58:52.242954,  2]
>>>>  passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>>>      init_sam_from_ldap: Entry found for user: Administrator
>>>>  [2010/09/27 14:58:52.295749,  2] auth/auth.c:304(check_ntlm_password)
>>>>      check_ntlm_password:  authentication for user [Administrator] ->
>>>>  [Administrator] ->     [Administrator] succeeded
>>>>  [2010/09/27 14:58:52.780610,  0]
>>>>  rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
>>>>      _netr_ServerAuthenticate: no challenge sent to client TESTAFS
>>>>  [2010/09/27 14:58:53.337111,  2]
>>>>  smbd/sesssetup.c:1390(setup_new_vc_session)
>>>>      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>>>>  all old resources.
>>>>  [2010/09/27 14:58:53.338938,  2]
>>>>  smbd/sesssetup.c:1390(setup_new_vc_session)
>>>>      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>>>>  all old resources.
>>>>  [2010/09/27 14:58:53.339808,  2]
>>>>  lib/smbldap.c:950(smbldap_open_connection)
>>>>      smbldap_open_connection: connection opened
>>>>  [2010/09/27 14:58:53.342371,  2]
>>>>  passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>>>      init_sam_from_ldap: Entry found for user: Administrator
>>>>  [2010/09/27 14:58:53.347683,  2] auth/auth.c:304(check_ntlm_password)
>>>>      check_ntlm_password:  authentication for user [Administrator] ->
>>>>  [Administrator] ->     [Administrator] succeeded
>>>>  [2010/09/27 14:58:53.812728,  2]
>>>>  rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>>>      Returning domain sid for domain MEDIADC ->
>>>>  S-1-5-21-1949818787-1514111066-129980733
>>>>  [2010/09/27 14:58:53.814002,  2]
>>>>  rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>>>      Returning domain sid for domain MEDIADC ->
>>>>  S-1-5-21-1949818787-1514111066-129980733
>>>>
>>>>  It seems everything works fine, but Windows gives an error like "Access
>>>>  Denied" and the computer is not added to the domain.
>>>>
>>>>  What can be the problem? How to debug it?
>>>>
>>>>  Any hint is welcome...
>>>>
>>>>  Cordially,
>>>>
>>>>  Claudio Prono.
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>


