[Samba] Fwd: Re: Problem with Samba - Openldap and domain authentication of Windows XP

Claudio Prono claudio.prono at atpss.net
Tue Sep 28 03:06:37 MDT 2010


Ok, now the join to the domain works, but when I create a new user and
I try to log in to the Windows XP domain, Windows tells me "Unable
to access. A peripheral is not working". (Sorry for the poor translation,
but my Windows is in Italian.) In the Samba logs I read this:

[2010/09/28 10:07:45.795892,  2] smbd/reply.c:536(reply_special)
  netbios connect: name1=MEDIADC        0x20 name2=TESTAFS        0x0
[2010/09/28 10:07:45.796139,  2] smbd/reply.c:547(reply_special)
  netbios connect: local=mediadc remote=testafs, name type = 0
[2010/09/28 10:07:45.799185,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2010/09/28 10:07:45.801093,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2010/09/28 10:07:45.801767,  2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2010/09/28 10:07:45.865629,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: AFS
[2010/09/28 10:07:45.872442,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [AFS] -> [AFS] -> [AFS]
succeeded
[2010/09/28 10:07:45.872630,  1]
rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
  _netr_LogonSamLogon: user MEDIADC\AFS has user sid
S-1-5-21-3218914170-3340994528-1537192846-3010
   but group sid S-1-5-21-1949818787-1514111066-129980733-513.
  The conflicting domain portions are not supported for NETLOGON calls

This is my testparm output (currently):

[global]
        workgroup = MEDIADC
        netbios name = MEDIADC
        map to guest = Bad User
        passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
        log level = 2
        printcap name = cups
        add user script = /usr/sbin/ldapsmb -a -u "%u" -smbacct --makehomedir --homedir /home/%u -f
        delete user script = /usr/sbin/ldapsmb -d -u "%u" -f
        add group script = /usr/sbin/ldapsmb -a -g "%g" -f
        delete group script = /usr/sbin/ldapsmb -d -g "%g" -f
        add user to group script = /usr/sbin/ldapsmb -j -u "%u" -g "%g" -f
        delete user from group script = /usr/sbin/ldapsmb -r -u "%u" -g "%g" -f
        add machine script = "/usr/sbin/ldapsmb -a -wks %u -f"
        logon path = \\%L\profiles\.msprofile
        logon drive = P:
        logon home = \\%L\%U\.9xprofile
        domain logons = Yes
        os level = 99
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
        ldap group suffix = ou=group
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Machines
        ldap passwd sync = yes
        ldap suffix = dc=mediaservice-test,dc=pri
        ldap ssl = no
        ldap user suffix = ou=people
        usershare allow guests = Yes
        idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        read only = No
        inherit acls = Yes
        browseable = No

[profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        create mask = 0600
        directory mask = 0700
        store dos attributes = Yes

[users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/

[groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes

[printers]
        comment = All Printers
        path = /var/tmp
        create mask = 0600
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin, root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        write list = root

How can I debug what is wrong?

Any suggestion?

Cordially,

Claudio Prono.


 

Gaiseric Vandal ha scritto:
> Wait, you are using samba with openldap backend.
>
> Why are you using useradd ??? with this backend you need smbldap instead.
> like this:
>
>         passdb backend = ldapsam:ldap://your ldap server
>         ldap passwd sync = yes
>         ldap delete dn = Yes
>         ldap admin dn = cn=root,dc=domain,dc=com,dc=br
>         ldap suffix = dc=domain,dc=com,dc=br
>         ldap machine suffix = ou=Computers
>         ldap user suffix = ou=Users
>         ldap group suffix = ou=Groups
>         ldap idmap suffix = sambaDomainName=DOMAIN
>         idmap backend = ldap:ldap://ldap server
>         idmap alloc backend = ldap:ldap://ldap server
>         idmap uid = 1000-20000
>         idmap gid = 1000-20000
>         idmap alloc config:range = 1000-20000
>         ldap timeout = 15
>         ldap connection timeout = 2
>         ldap page size = 1024
>
>    # add/remove users
>         add user script = /usr/sbin/smbldap-useradd -m "%u"
>         delete user script = /usr/sbin/smbldap-userdel "%u"
>    # add/remove Groups
>         add group script = /usr/sbin/smbldap-groupadd -p "%g"
>         delete group script = /usr/sbin/smbldap-groupdel "%g"
>    # add/remove user in groups
>         add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>         delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>    # define primary group of user
>         set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>    # add machines in domain
>         add machine script = /usr/sbin/smbldap-useradd -i -w "%u"
>
> regards
>
> On Mon, Sep 27, 2010 at 12:15 PM, Gaiseric Vandal
> <gaiseric.vandal at gmail.com>  wrote:
>>  Your user script may be adding a LOCAL unix account (in /etc/passwd.)
>>  Do you see the accounts in there?   You may need a custom script that
>>  adds the accounts to ldap.
>>
>>  The following may help
>>
>>  https://gna.org/projects/smbldap-tools/
>>
>>
>>  Remember that being root on your unix system does not automatically
>>  make you LDAP admin.
>>
>>  If you have a single server then having your unix may be OK-  samba
>>  will match the samba user to the unix user via the user id.    I have
>>  multiple servers so I use LDAP for unix accounts (previously used NIS.)
>>  So now an LDAP user has both windows and unix account info.
>>
>>
>>
>>
>>
>>  On 09/27/2010 11:08 AM, Claudio Prono wrote:
>>>
>>>  Gaiseric Vandal ha scritto:
>>>
>>>>
>>>>  Do you have an underlying unix account for the pc (eg SOMEMACHINE$)
>>>>
>>>>  It is possible to configure scripts that the unix account is created
>>>>  by samba if necessary when samba creates the "Windows" account for
>>>> the
>>>>  machine.  I don't have it set up this way, so I need to create the
>>>>  unix account 1st.
>>>>
>>>>
>>>
>>>  add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
>>>
>>>  This script automatically adds the machine if needed, or am I wrong?
>>>
>>>>
>>>>  Also, I found that since the underlying unix OS may need to validate the
>>>>  machine account,  I put my machine accounts in either the same ldap ou
>>>>  as people (or in a sub ou.)  ("getent passwd" command may need to show
>>>>  your machine accounts as well as people accounts.)
>>>>
>>>>  If you have manually created the unix account for the machine, can you
>>>>  then manually create the samba account for it
>>>>
>>>>           e.g. smbpasswd -m -a SOMEMACHINE
>>>>
>>>>       (I think you leave the $ off .)
>>>>
>>>>
>>>>  I use LDAP for both "unix" and "windows" clients so my config choices
>>>>  may not be applicable to a windows-only client environment.
>>>>
>>>>
>>>>  On 09/27/2010 09:59 AM, Claudio Prono wrote:
>>>>
>>>>>
-- 
--------------------------------------------------------------------------------
Claudio Prono                         OPST
System Developer               
                                      Gsm: +39-349-54.33.258
@PSS Srl                              Tel: +39-011-32.72.100
Via San Bernardino, 17                Fax: +39-011-32.46.497
10141 Torino - ITALY                  http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc
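The decisive line in the log above is the `_netr_LogonSamLogon` message: smbd found the user AFS in LDAP, the password check succeeded, but the user's SID (S-1-5-21-3218914170-3340994528-1537192846-3010) and the SID of the user's primary group (S-1-5-21-1949818787-1514111066-129980733-513) sit under two different domain SIDs, and NETLOGON refuses to hand the workstation such a mismatched pair, which is why the XP logon fails after the join succeeded. RID 513 is the well-known "Domain Users" RID, so the group SID looks like a Domain Users SID minted under a different domain SID (for example from an earlier installation). A practical way to narrow this down is to compare the domain SID Samba believes it owns (`net getlocalsid`) against the sambaSID and sambaPrimaryGroupSID attributes stored in LDAP. The following Python script is an added example written for this thread, not code from the poster or from the Samba project: it parses that log message, splits the SIDs into domain portion and RID, and flags LDAP entries whose SIDs do not belong to the expected domain SID. The domain SID and the sambaSamAccount entries below are constructed for the example (the assumption being that the domain portion of the AFS user SID is the real MEDIADC domain SID); in practice you would feed it the output of `ldapsearch` or `net getlocalsid`.

```python
import re

# Domain-relative SID: S-1-5-21-<a>-<b>-<c>-<RID>
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")

# Matches the smbd message quoted in the mail; \s+ absorbs the line wrapping
# that the log (or the mail client) introduced between the SIDs.
NETLOGON_MSG_RE = re.compile(
    r"_netr_LogonSamLogon: user (\S+) has user sid\s+(S-1-5-21-\d+-\d+-\d+-\d+)"
    r"\s+but group sid (S-1-5-21-\d+-\d+-\d+-\d+)"
)

# Log excerpt copied from the mail above (the SIDs are the ones smbd printed).
SAMPLE_LOG = r"""
[2010/09/28 10:07:45.872630,  1]
rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
  _netr_LogonSamLogon: user MEDIADC\AFS has user sid
S-1-5-21-3218914170-3340994528-1537192846-3010
   but group sid S-1-5-21-1949818787-1514111066-129980733-513.
  The conflicting domain portions are not supported for NETLOGON calls
"""

# Assumption: the MEDIADC domain SID is the domain portion of the AFS user SID.
# On a real system take this from `net getlocalsid` instead.
DOMAIN_SID = "S-1-5-21-3218914170-3340994528-1537192846"

# Constructed sambaSamAccount entries, not taken from the poster's directory.
SAMPLE_ENTRIES = [
    {"uid": "AFS",
     "sambaSID": "S-1-5-21-3218914170-3340994528-1537192846-3010",
     "sambaPrimaryGroupSID": "S-1-5-21-1949818787-1514111066-129980733-513"},
    {"uid": "okuser",
     "sambaSID": "S-1-5-21-3218914170-3340994528-1537192846-3012",
     "sambaPrimaryGroupSID": "S-1-5-21-3218914170-3340994528-1537192846-513"},
]


def split_sid(sid: str) -> tuple[str, int]:
    """Split a domain-relative SID into (domain SID, RID)."""
    if not SID_RE.fullmatch(sid):
        raise ValueError(f"not a domain-relative SID: {sid}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def find_netlogon_sid_conflicts(log_text: str) -> list[dict]:
    """Return one record per 'conflicting domain portions' message in smbd log text,
    with the user/group SIDs split so the mismatch is visible at a glance."""
    results = []
    for m in NETLOGON_MSG_RE.finditer(log_text):
        account, user_sid, group_sid = m.groups()
        udom, urid = split_sid(user_sid)
        gdom, grid = split_sid(group_sid)
        results.append({
            "account": account,
            "user_domain_sid": udom, "user_rid": urid,
            "group_domain_sid": gdom, "group_rid": grid,
            "conflict": udom != gdom,
        })
    return results


def check_ldap_entries(domain_sid: str, entries: list[dict]) -> list[str]:
    """List the uids whose sambaSID or sambaPrimaryGroupSID is not under domain_sid.
    Every entry returned here would trigger the NETLOGON error at logon time."""
    problems = []
    for entry in entries:
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            if split_sid(entry[attr])[0] != domain_sid:
                problems.append(
                    f"{entry['uid']}: {attr}={entry[attr]} is not under {domain_sid}")
    return problems


if __name__ == "__main__":
    for rec in find_netlogon_sid_conflicts(SAMPLE_LOG):
        print(f"{rec['account']}: user domain {rec['user_domain_sid']} "
              f"vs group domain {rec['group_domain_sid']} (RID {rec['group_rid']})")
    for line in check_ldap_entries(DOMAIN_SID, SAMPLE_ENTRIES):
        print("LDAP:", line)
```

Run it against `log.smbd` (or the output of `smbd -d 2`) and against an `ldapsearch` dump of `ou=people` and `ou=group` to see which attribute carries the foreign domain SID; the fix is then to bring the stored SIDs and the domain SID in the sambaDomainName entry into agreement rather than to touch the Windows client.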





