[Samba] Fwd: Re: Problem with Samba - Openldap and domain autentication of Windows XP
Claudio Prono
claudio.prono at atpss.net
Tue Sep 28 03:06:37 MDT 2010
OK, now the join to the domain works, but when I create a new user and
try to log in to the Windows XP domain, Windows says to me "Unable
to access. A peripheral is not working" (sorry for the poor translation,
but my Windows is in Italian). In the Samba logs I read this:
[2010/09/28 10:07:45.795892, 2] smbd/reply.c:536(reply_special)
netbios connect: name1=MEDIADC 0x20 name2=TESTAFS 0x0
[2010/09/28 10:07:45.796139, 2] smbd/reply.c:547(reply_special)
netbios connect: local=mediadc remote=testafs, name type = 0
[2010/09/28 10:07:45.799185, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2010/09/28 10:07:45.801093, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2010/09/28 10:07:45.801767, 2] lib/smbldap.c:950(smbldap_open_connection)
smbldap_open_connection: connection opened
[2010/09/28 10:07:45.865629, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: AFS
[2010/09/28 10:07:45.872442, 2] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: authentication for user [AFS] -> [AFS] -> [AFS]
succeeded
[2010/09/28 10:07:45.872630, 1] rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
_netr_LogonSamLogon: user MEDIADC\AFS has user sid S-1-5-21-3218914170-3340994528-1537192846-3010 but group sid S-1-5-21-1949818787-1514111066-129980733-513.
The conflicting domain portions are not supported for NETLOGON calls
This is my testparm output (currently):
[global]
workgroup = MEDIADC
netbios name = MEDIADC
map to guest = Bad User
passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
log level = 2
printcap name = cups
add user script = /usr/sbin/ldapsmb -a -u "%u" -smbacct --makehomedir --homedir /home/%u -f
delete user script = /usr/sbin/ldapsmb -d -u "%u" -f
add group script = /usr/sbin/ldapsmb -a -g "%g" -f
delete group script = /usr/sbin/ldapsmb -d -g "%g" -f
add user to group script = /usr/sbin/ldapsmb -j -u "%u" -g "%g" -f
delete user from group script = /usr/sbin/ldapsmb -r -u "%u" -g "%g" -f
add machine script = "/usr/sbin/ldapsmb -a -wks %u -f"
logon path = \\%L\profiles\.msprofile
logon drive = P:
logon home = \\%L\%U\.9xprofile
domain logons = Yes
os level = 99
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
ldap group suffix = ou=group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = yes
ldap suffix = dc=mediaservice-test,dc=pri
ldap ssl = no
ldap user suffix = ou=people
usershare allow guests = Yes
idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
read only = No
inherit acls = Yes
browseable = No
[profiles]
comment = Network Profiles Service
path = %H
read only = No
create mask = 0600
directory mask = 0700
store dos attributes = Yes
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
create mask = 0600
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin, root
force group = ntadmin
create mask = 0664
directory mask = 0775
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root
How can I debug what is wrong?
Any suggestions?
Cordially,
Claudio Prono.
Gaiseric Vandal wrote:
> Wait, you are using samba with openldap backend.
>
> Why are you using useradd ??? with this backend you need smbldap instead.
> like this:
>
> passdb backend = ldapsam:ldap://your ldap server
> ldap passwd sync = yes
> ldap delete dn = Yes
> ldap admin dn = cn=root,dc=domain,dc=com,dc=br
> ldap suffix = dc=domain,dc=com,dc=br
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
> ldap idmap suffix = sambaDomainName=DOMAIN
> idmap backend = ldap:ldap://ldap server
> idmap alloc backend = ldap:ldap://ldap server
> idmap uid = 1000-20000
> idmap gid = 1000-20000
> idmap alloc config:range = 1000-20000
> ldap timeout = 15
> ldap connection timeout = 2
> ldap page size = 1024
>
> # add/remove users
> add user script = /usr/sbin/smbldap-useradd -m "%u"
> delete user script = /usr/sbin/smbldap-userdel "%u"
> # add/remove Groups
> add group script = /usr/sbin/smbldap-groupadd -p "%g"
> delete group script = /usr/sbin/smbldap-groupdel "%g"
> # add/remove user in groups
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> # define primary group of user
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
> # add machines in domain
> add machine script = /usr/sbin/smbldap-useradd -i -w "%u"
>
> regards
>
> On Mon, Sep 27, 2010 at 12:15 PM, Gaiseric Vandal
> <gaiseric.vandal at gmail.com> wrote:
>> Your user script may be adding a LOCAL unix account (in /etc/passwd.) Do
>> you see the accounts in there? You may need a custom script that adds the
>> accounts to ldap.
>>
>> The following may help
>>
>> https://gna.org/projects/smbldap-tools/
>>
>> Remember, that being root on your unix system does not automatically make
>> you LDAP admin.
>>
>> If you have a single server then having your unix may be OK- samba will
>> match the samba user to the unix user via the user id. I have multiple
>> servers so I use LDAP for unix accounts (previously used NIS.) So now an
>> LDAP user has both windows and unix account info.
>>
>> On 09/27/2010 11:08 AM, Claudio Prono wrote:
>>>
>>> Gaiseric Vandal wrote:
>>>
>>>>
>>>> Do you have an underlying unix account for the pc (eg SOMEMACHINE$)
>>>>
>>>> It is possible to configure scripts so that the unix account is created
>>>> by samba if necessary when samba creates the "Windows" account for the
>>>> machine. I don't have it set up this way, so I need to create the
>>>> unix account 1st.
>>>>
>>>
>>> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
>>>
>>> This script automatically adds the machine if needed, or am I wrong?
>>>
>>>>
>>>> Also, I found that since the underlying unix OS may need to validate the
>>>> machine account, I put my machine accounts in either the same ldap ou
>>>> as people (or in a sub ou.) ("getent passwd" command may need to show
>>>> your machine accounts as well as people accounts.)
>>>>
>>>> If you have manually created the unix account for the machine, can you
>>>> then manually create the samba account for it
>>>>
>>>> e.g. smbpasswd -m -a SOMEMACHINE
>>>>
>>>> (I think you leave the $ off .)
>>>>
>>>>
>>>> I use LDAP for both "unix" and "windows" clients so my config choices
>>>> may not be applicable to a windows-only client environment.
>>>>
>>>>
>>>> On 09/27/2010 09:59 AM, Claudio Prono wrote:
>>>>
>>>>>
--
--------------------------------------------------------------------------------
Claudio Prono OPST
System Developer
Gsm: +39-349-54.33.258
@PSS Srl Tel: +39-011-32.72.100
Via San Bernardino, 17 Fax: +39-011-32.46.497
10141 Torino - ITALY http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc
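The NETLOGON error in the log above is Samba refusing to build a logon token whose user SID and primary group SID belong to two different domain SIDs (S-1-5-21-3218914170-... for the user, S-1-5-21-1949818787-... for the group). The script below is an added example, not Samba code and not something from the poster or the thread: it parses that log message and a user's sambaSID / sambaPrimaryGroupSID attributes, reports whether their domain portions agree, and derives the primary group SID the user would need (the domain SID plus RID 513, Domain Users). The LDIF entry is constructed for the example with an assumed DN; the local_domain_sid argument is where you would paste the value printed by "net getlocalsid" on the domain controller.

```python
"""Check that a Samba user's SID and primary group SID share one domain SID.

Added example; not Samba's code. The LDIF below is constructed.
"""
import re

DOMAIN_USERS_RID = 513  # well-known RID of "Domain Users"

# S-1-5-21-<a>-<b>-<c>-<rid>: everything before the last "-" is the domain SID.
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-(\d+)")


def split_sid(sid):
    """Return (domain_sid, rid); raise ValueError for anything else."""
    m = SID_RE.fullmatch(sid)
    if not m:
        raise ValueError(f"not a domain SID with RID: {sid!r}")
    return sid[: sid.rfind("-")], int(m.group(1))


def expected_primary_group_sid(domain_sid, rid=DOMAIN_USERS_RID):
    """The primary group SID a user of this domain would normally carry."""
    return f"{domain_sid}-{rid}"


def check_sid_pair(user_sid, group_sid, local_domain_sid=None):
    """Return a list of problems; an empty list means the pair is consistent.

    This is the same condition Samba enforces in the NETLOGON path: both SIDs
    must carry the same domain portion. If local_domain_sid is given (output
    of "net getlocalsid"), each SID is also checked against it so you can see
    which side is the stray one.
    """
    problems = []
    udom, _ = split_sid(user_sid)
    gdom, _ = split_sid(group_sid)
    if udom != gdom:
        problems.append(f"user SID domain {udom} differs from "
                        f"primary group SID domain {gdom}")
    if local_domain_sid is not None:
        for label, dom in (("user", udom), ("primary group", gdom)):
            if dom != local_domain_sid:
                problems.append(f"{label} SID is not from local domain "
                                f"{local_domain_sid}")
    return problems


# smbd wraps this message over several lines, so allow any whitespace.
NETLOGON_RE = re.compile(
    r"user (\S+) has user sid\s+(S-1-5-21-[\d-]+)\s+but group sid\s+(S-1-5-21-[\d-]+)")


def parse_netlogon_conflicts(log_text):
    """Extract (user, user_sid, group_sid) triples from smbd log text."""
    return [(m.group(1), m.group(2), m.group(3))
            for m in NETLOGON_RE.finditer(log_text)]


def parse_ldif(text):
    """Minimal LDIF reader for one entry: 'attr: value' lines -> dict of lists."""
    entry = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            key, value = line.split(":", 1)
            entry.setdefault(key.strip(), []).append(value.strip())
    return entry


def check_ldap_user(entry, local_domain_sid=None):
    """Check an LDAP user entry's sambaSID against its sambaPrimaryGroupSID."""
    return check_sid_pair(entry["sambaSID"][0],
                          entry["sambaPrimaryGroupSID"][0], local_domain_sid)


# The log lines quoted in the post above.
LOG = """[2010/09/28 10:07:45.872630, 1] rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
_netr_LogonSamLogon: user MEDIADC\\AFS has user sid
S-1-5-21-3218914170-3340994528-1537192846-3010
but group sid S-1-5-21-1949818787-1514111066-129980733-513.
The conflicting domain portions are not supported for NETLOGON calls
"""

# Constructed LDIF for the same user (assumed DN; SIDs taken from the log).
USER_LDIF = """dn: uid=AFS,ou=people,dc=mediaservice-test,dc=pri
uid: AFS
sambaSID: S-1-5-21-3218914170-3340994528-1537192846-3010
sambaPrimaryGroupSID: S-1-5-21-1949818787-1514111066-129980733-513
"""

if __name__ == "__main__":
    for user, usid, gsid in parse_netlogon_conflicts(LOG):
        udom, _ = split_sid(usid)
        print(user, check_sid_pair(usid, gsid))
        print("primary group SID expected for this user:",
              expected_primary_group_sid(udom))
    print(check_ldap_user(parse_ldif(USER_LDIF)))
```

To run it against the real entry, feed it the output of ldapsearch for the user (attributes sambaSID and sambaPrimaryGroupSID) and pass the SID printed by "net getlocalsid" as local_domain_sid; whichever of the two SIDs does not match the local domain SID is the one that has to be corrected (or the group recreated) before the logon token can be built.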