[Samba] Problem with Samba - Openldap and domain authentication of Windows XP

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Sep 27 10:39:49 MDT 2010


The default user add script in samba may not be quite appropriate for
creating local users on your particular platform.  How do you manually
create local users?  Does it match up to how the scripts are trying to
do it?

You may need to read through the openldap documentation to see the
appropriate commands for creating ldap users (I use Sun Directory Server,
not openldap.)

Alternately, you could use an LDIF file as a template for a new user,
and just import the user.  I use Apache Directory Studio for LDAP
management.

Below is an example of a unix user, before the samba account has been 
created.   (Unix password would also need to be set.)


dn: uid=jsmith,ou=people,o=mycompany.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
cn: John Smith
gidNumber: 500
homeDirectory: /home/smith
sn: Smith
uid: jsmith
uidNumber: 301
c: US
displayName: John Smith
facsimileTelephoneNumber: 888-555-1212
gecos: John Smith
givenName: John
l: Woburn
loginShell: /bin/tcsh
mail: John.Smith@mycompany.com
mail: jsmith@mycompany.com
mobile: UNKNOWN
o: My Company
postalCode: 12345
st: CA
street: 500 Pretroli Aiv
telephoneNumber: 888-555-1212
userPassword:




On 09/27/2010 12:15 PM, Claudio Prono wrote:
>
> Gaiseric Vandal wrote:
>
>> Your user script may be adding a LOCAL unix account (in /etc/passwd.)
>> Do you see the accounts in there?  You may need a custom script that
>> adds the accounts to ldap.
>>
> The strange thing is I don't see a local account, as if the script is not
> executed....
>
>> The following may help
>>
>> https://gna.org/projects/smbldap-tools/
>>
> Ok, I'll take a look, thank you.
>
>> Remember, that being root on your unix system does not automatically
>> make you LDAP admin.
>>
>> If you have a single server then having your unix may be OK-  samba
>> will match the samba user to the unix user via the user id.    I have
>> multiple server so I use LDAP for unix accounts (previously used
>> NIS.)   So now an LDAP user has both windows and unix account info.
>>
> If I try to add a user to LDAP manually, and try something like
>
> smbclient -L localhost -U user
>
> the user is authenticated perfectly...so the samba-ldap authentication
> seems to work.... The problem is the automatic user and machine add, I
> don't realize why it doesn't work...
>
>>
>> On 09/27/2010 11:08 AM, Claudio Prono wrote:
>>> Gaiseric Vandal wrote:
>>>
>>>> Do you have an underlying unix account for the pc (eg SOMEMACHINE$)
>>>>
>>>> It is possible to configure scripts that the unix account is created
>>>> by samba if necessary when samba creates the "Windows" account for the
>>>> machine.  I don't have it set up this way, so I need to create the
>>>> unix account 1st.
>>>>
>>> add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s
>>> /bin/false %m$
>>>
>>> This script automatically adds the machine if needed, or am I wrong?
>>>
>>>> Also, I found that since the underlying unix OS may need to validate the
>>>> machine account, I put my machine accounts in either the same ldap ou
>>>> as people (or in a sub ou.)  ("getent passwd" command may need to show
>>>> your machine accounts as well as people accounts.)
>>>>
>>>> If you have manually created the unix account for the machine, can you
>>>> then manually create the samba account for it
>>>>
>>>>           e.g. smbpasswd -m -a SOMEMACHINE
>>>>
>>>>       (I think you leave the $ off.)
>>>>
>>>> I use LDAP for both "unix" and "windows" clients so my config choices
>>>> may not be applicable to a windows-only client environment.
>>>>
>>>>
>>>> On 09/27/2010 09:59 AM, Claudio Prono wrote:
>>>>
>>>>> Hello all,
>>>>>
>>>>> I have some problems making a configuration with Samba and
>>>>> OpenLDAP as domain controller work. My operating system is OpenSuSE 11.3.
>>>>>
>>>>> Here is my testparm:
>>>>>
>>>>> [global]
>>>>>            workgroup = MEDIADC
>>>>>            netbios name = MEDIADC
>>>>>            map to guest = Bad User
>>>>>            passdb backend =
>>>>> ldapsam:ldap://afs-test.mediaservice-test.pri
>>>>>            log level = 2
>>>>>            printcap name = cups
>>>>>            add machine script = /usr/sbin/useradd  -c Machine -d
>>>>> /var/lib/nobody -s /bin/false %m$
>>>>>            logon path = \\%L\profiles\.msprofile
>>>>>            logon drive = P:
>>>>>            logon home = \\%L\%U\.9xprofile
>>>>>            domain logons = Yes
>>>>>            os level = 65
>>>>>            preferred master = Yes
>>>>>            domain master = Yes
>>>>>            wins support = Yes
>>>>>            ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
>>>>>            ldap group suffix = ou=group
>>>>>            ldap idmap suffix = ou=Idmap
>>>>>            ldap machine suffix = ou=Machines
>>>>>            ldap passwd sync = yes
>>>>>            ldap suffix = dc=mediaservice-test,dc=pri
>>>>>            ldap ssl = no
>>>>>            ldap user suffix = ou=people
>>>>>            usershare allow guests = Yes
>>>>>            idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
>>>>>            idmap uid = 1000-60000
>>>>>            idmap gid = 1000-60000
>>>>>            cups options = raw
>>>>>
>>>>> [homes]
>>>>>            comment = Home Directories
>>>>>            valid users = %S, %D%w%S
>>>>>            read only = No
>>>>>            inherit acls = Yes
>>>>>            browseable = No
>>>>>
>>>>> [profiles]
>>>>>            comment = Network Profiles Service
>>>>>            path = %H
>>>>>            read only = No
>>>>>            create mask = 0600
>>>>>            directory mask = 0700
>>>>>            store dos attributes = Yes
>>>>>
>>>>> [users]
>>>>>            comment = All users
>>>>>            path = /home
>>>>>            read only = No
>>>>>            inherit acls = Yes
>>>>>            veto files = /aquota.user/groups/shares/
>>>>>
>>>>> [groups]
>>>>>            comment = All groups
>>>>>            path = /home/groups
>>>>>            read only = No
>>>>>            inherit acls = Yes
>>>>>
>>>>> [printers]
>>>>>            comment = All Printers
>>>>>            path = /var/tmp
>>>>>            create mask = 0600
>>>>>            printable = Yes
>>>>>            browseable = No
>>>>>
>>>>> [print$]
>>>>>            comment = Printer Drivers
>>>>>            path = /var/lib/samba/drivers
>>>>>            write list = @ntadmin, root
>>>>>            force group = ntadmin
>>>>>            create mask = 0664
>>>>>            directory mask = 0775
>>>>>
>>>>> [netlogon]
>>>>>            comment = Network Logon Service
>>>>>            path = /var/lib/samba/netlogon
>>>>>            write list = root
>>>>>
>>>>> If I try to join a Windows XP machine to the domain I have these results:
>>>>>
>>>>> [2010/09/27 14:58:52.229946,  0]
>>>>> lib/util_sock.c:1432(get_peer_addr_internal)
>>>>>      getpeername failed. Error was Transport endpoint is not connected
>>>>> [2010/09/27 14:58:52.233371,  2] smbd/reply.c:536(reply_special)
>>>>>      netbios connect: name1=MEDIADC        0x20 name2=TESTAFS
>>>>> 0x0
>>>>> [2010/09/27 14:58:52.233498,  2] smbd/reply.c:547(reply_special)
>>>>>      netbios connect: local=mediadc remote=testafs, name type = 0
>>>>> [2010/09/27 14:58:52.234068,  2]
>>>>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>>>>      setup_new_vc_session: New VC == 0, if NT4.x compatible we would
>>>>> close
>>>>> all old resources.
>>>>> [2010/09/27 14:58:52.233647,  0] lib/util_sock.c:675(write_data)
>>>>> [2010/09/27 14:58:52.234876,  0]
>>>>> lib/util_sock.c:1432(get_peer_addr_internal)
>>>>>      getpeername failed. Error was Transport endpoint is not connected
>>>>>      write_data: write failure in writing to client 0.0.0.0. Error
>>>>> Connection reset by peer
>>>>> [2010/09/27 14:58:52.236855,  0] smbd/process.c:79(srv_send_smb)
>>>>>      Error writing 4 bytes to client. -1. (Transport endpoint is not
>>>>> connected)
>>>>> [2010/09/27 14:58:52.238615,  2]
>>>>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>>>>      setup_new_vc_session: New VC == 0, if NT4.x compatible we would
>>>>> close
>>>>> all old resources.
>>>>> [2010/09/27 14:58:52.239888,  2]
>>>>> lib/smbldap.c:950(smbldap_open_connection)
>>>>>      smbldap_open_connection: connection opened
>>>>> [2010/09/27 14:58:52.242954,  2]
>>>>> passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>>>>      init_sam_from_ldap: Entry found for user: Administrator
>>>>> [2010/09/27 14:58:52.295749,  2] auth/auth.c:304(check_ntlm_password)
>>>>>      check_ntlm_password:  authentication for user [Administrator] ->
>>>>> [Administrator] ->    [Administrator] succeeded
>>>>> [2010/09/27 14:58:52.780610,  0]
>>>>> rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
>>>>>      _netr_ServerAuthenticate: no challenge sent to client TESTAFS
>>>>> [2010/09/27 14:58:53.337111,  2]
>>>>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>>>>      setup_new_vc_session: New VC == 0, if NT4.x compatible we would
>>>>> close
>>>>> all old resources.
>>>>> [2010/09/27 14:58:53.338938,  2]
>>>>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>>>>      setup_new_vc_session: New VC == 0, if NT4.x compatible we would
>>>>> close
>>>>> all old resources.
>>>>> [2010/09/27 14:58:53.339808,  2]
>>>>> lib/smbldap.c:950(smbldap_open_connection)
>>>>>      smbldap_open_connection: connection opened
>>>>> [2010/09/27 14:58:53.342371,  2]
>>>>> passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>>>>      init_sam_from_ldap: Entry found for user: Administrator
>>>>> [2010/09/27 14:58:53.347683,  2] auth/auth.c:304(check_ntlm_password)
>>>>>      check_ntlm_password:  authentication for user [Administrator] ->
>>>>> [Administrator] ->    [Administrator] succeeded
>>>>> [2010/09/27 14:58:53.812728,  2]
>>>>> rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>>>>      Returning domain sid for domain MEDIADC ->
>>>>> S-1-5-21-1949818787-1514111066-129980733
>>>>> [2010/09/27 14:58:53.814002,  2]
>>>>> rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>>>>      Returning domain sid for domain MEDIADC ->
>>>>> S-1-5-21-1949818787-1514111066-129980733
>>>>>
>>>>> It seems all works fine, but Windows gives an error like "Access
>>>>> Denied" and the computer is not added to the domain.
>>>>>
>>>>> What can be the problem? How to debug it?
>>>>>
>>>>> Any hint is welcome...
>>>>>
>>>>> Cordially,
>>>>>
>>>>> Claudio Prono.
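As an added example (not code from the thread, from Samba or from smbldap-tools), here is the shape an `add machine script` would need to have so that the machine's Unix account is created in LDAP, where `getent passwd` and Samba can see it, instead of in /etc/passwd as the `useradd` line in the posted smb.conf does. The LDAP URI and suffixes are taken from that smb.conf; the bind password file, the machines gidNumber, the script path and the uid range are assumptions.

```shell
#!/bin/sh
# add-machine-ldap.sh: create the Unix (posixAccount) half of a machine account
# in LDAP instead of /etc/passwd, wired in with
#   add machine script = /usr/local/sbin/add-machine-ldap.sh %m$
# Samba then adds the sambaSamAccount attributes to the same entry itself.
# LDAP URI and suffixes come from the smb.conf in the thread; BIND_DN's password
# file, MACHINE_GID and the script path are assumptions.
LDAP_URI='ldap://afs-test.mediaservice-test.pri'
BASE='dc=mediaservice-test,dc=pri'
MACHINE_OU="ou=Machines,$BASE"
BIND_DN="cn=Administrator,$BASE"
PW_FILE='/etc/samba/ldap.secret'   # root-only; being root does not make you LDAP admin
MACHINE_GID=515                     # assumed gidNumber of the "machines" group

# Samba passes the NetBIOS name with a trailing "$"; accept nothing else so a
# malformed %m can never turn into an arbitrary account name or DN.
validate_name() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9-]{1,15}\$$'
}

# Print the LDIF for one machine entry (name, uidNumber, gidNumber), matching
# what the useradd line in the thread would have put in /etc/passwd.
machine_ldif() {
    printf 'dn: uid=%s,%s\n' "$1" "$MACHINE_OU"
    printf 'objectClass: top\nobjectClass: account\nobjectClass: posixAccount\n'
    printf 'cn: %s\nuid: %s\n' "$1" "$1"
    printf 'uidNumber: %s\ngidNumber: %s\n' "$2" "$3"
    printf 'homeDirectory: /var/lib/nobody\nloginShell: /bin/false\n'
    printf 'gecos: Machine\n'
}

# Next free uidNumber as NSS sees it (local and LDAP users alike). Not atomic:
# two machines joining in the same instant could collide, which is why
# smbldap-tools keeps a counter entry (sambaUnixIdPool) in the directory.
next_uid() {
    getent passwd | awk -F: '$3 >= 1000 && $3 < 60000 && $3 > m { m = $3 }
                             END { if (m < 1000) m = 999; print m + 1 }'
}

main() {
    validate_name "$1" || { echo "refusing machine name: $1" >&2; exit 1; }
    # Samba only calls the script when the account is missing, but a manual
    # run should not try to add a duplicate entry.
    getent passwd "$1" >/dev/null && exit 0
    machine_ldif "$1" "$(next_uid)" "$MACHINE_GID" \
        | ldapadd -x -H "$LDAP_URI" -D "$BIND_DN" -y "$PW_FILE"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it by hand once as root with a throwaway name (for example `TESTAFS$`) and check with `getent passwd 'TESTAFS$'` before trusting it from smb.conf; if `getent` cannot see the entry, the join will still fail with the same "Access Denied".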