[Samba] Problem with Samba - OpenLDAP and domain authentication of Windows XP
Daniel Müller
mueller at tropenklinik.de
Tue Sep 28 04:22:04 MDT 2010
On Mon, 27 Sep 2010 17:08:12 +0200, Claudio Prono
<claudio.prono at atpss.net>
wrote:
> Gaiseric Vandal ha scritto:
>> Do you have an underlying unix account for the pc (eg SOMEMACHINE$)
>>
>> It is possible to configure scripts so that the unix account is created
>> by samba if necessary when samba creates the "Windows" account for the
>> machine. I don't have it set up this way, so I need to create the
>> unix account first.
>>
> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s
> /bin/false %m$
>
> This script automatically adds the machine if needed, or am I wrong?
>> Also, I found that since the underlying unix OS may need to validate the
>> machine account, I put my machine accounts in either the same ldap ou
>> as people (or in a sub ou.) (The "getent passwd" command may need to show
>> your machine accounts as well as people accounts.)
>>
>> If you have manually created the unix account for the machine, can you
>> then manually create the samba account for it?
>>
>> e.g. smbpasswd -m -a SOMEMACHINE
>>
>> (I think you leave the $ off .)
>>
>>
>> I use LDAP for both "unix" and "windows" clients so my config choices
>> may not be applicable to a windows-only client environment.
>>
>>
>> On 09/27/2010 09:59 AM, Claudio Prono wrote:
>>> Hello all,
>>>
>>> I have some problems getting a configuration with Samba and
>>> OpenLDAP as domain controller to work. My operating system is OpenSuSE 11.3.
>>>
>>> Here is my testparm:
>>>
>>> [global]
>>> workgroup = MEDIADC
>>> netbios name = MEDIADC
>>> map to guest = Bad User
>>> passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
>>> log level = 2
>>> printcap name = cups
>>> add machine script = /usr/sbin/useradd -c Machine -d
>>> /var/lib/nobody -s /bin/false %m$
>>> logon path = \\%L\profiles\.msprofile
>>> logon drive = P:
>>> logon home = \\%L\%U\.9xprofile
>>> domain logons = Yes
>>> os level = 65
>>> preferred master = Yes
>>> domain master = Yes
>>> wins support = Yes
>>> ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
>>> ldap group suffix = ou=group
>>> ldap idmap suffix = ou=Idmap
>>> ldap machine suffix = ou=Machines
>>> ldap passwd sync = yes
>>> ldap suffix = dc=mediaservice-test,dc=pri
>>> ldap ssl = no
>>> ldap user suffix = ou=people
>>> usershare allow guests = Yes
>>> idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
>>> idmap uid = 1000-60000
>>> idmap gid = 1000-60000
>>> cups options = raw
>>>
>>> [homes]
>>> comment = Home Directories
>>> valid users = %S, %D%w%S
>>> read only = No
>>> inherit acls = Yes
>>> browseable = No
>>>
>>> [profiles]
>>> comment = Network Profiles Service
>>> path = %H
>>> read only = No
>>> create mask = 0600
>>> directory mask = 0700
>>> store dos attributes = Yes
>>>
>>> [users]
>>> comment = All users
>>> path = /home
>>> read only = No
>>> inherit acls = Yes
>>> veto files = /aquota.user/groups/shares/
>>>
>>> [groups]
>>> comment = All groups
>>> path = /home/groups
>>> read only = No
>>> inherit acls = Yes
>>>
>>> [printers]
>>> comment = All Printers
>>> path = /var/tmp
>>> create mask = 0600
>>> printable = Yes
>>> browseable = No
>>>
>>> [print$]
>>> comment = Printer Drivers
>>> path = /var/lib/samba/drivers
>>> write list = @ntadmin, root
>>> force group = ntadmin
>>> create mask = 0664
>>> directory mask = 0775
>>>
>>> [netlogon]
>>> comment = Network Logon Service
>>> path = /var/lib/samba/netlogon
>>> write list = root
>>>
>>> If I try to join a Windows XP machine to the domain I get these results:
>>>
>>> [2010/09/27 14:58:52.229946, 0]
>>> lib/util_sock.c:1432(get_peer_addr_internal)
>>> getpeername failed. Error was Transport endpoint is not connected
>>> [2010/09/27 14:58:52.233371, 2] smbd/reply.c:536(reply_special)
>>> netbios connect: name1=MEDIADC 0x20 name2=TESTAFS 0x0
>>> [2010/09/27 14:58:52.233498, 2] smbd/reply.c:547(reply_special)
>>> netbios connect: local=mediadc remote=testafs, name type = 0
>>> [2010/09/27 14:58:52.234068, 2]
>>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>> [2010/09/27 14:58:52.233647, 0] lib/util_sock.c:675(write_data)
>>> [2010/09/27 14:58:52.234876, 0]
>>> lib/util_sock.c:1432(get_peer_addr_internal)
>>> getpeername failed. Error was Transport endpoint is not connected
>>> write_data: write failure in writing to client 0.0.0.0. Error
>>> Connection reset by peer
>>> [2010/09/27 14:58:52.236855, 0] smbd/process.c:79(srv_send_smb)
>>> Error writing 4 bytes to client. -1. (Transport endpoint is not
>>> connected)
>>> [2010/09/27 14:58:52.238615, 2]
>>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>> [2010/09/27 14:58:52.239888, 2]
>>> lib/smbldap.c:950(smbldap_open_connection)
>>> smbldap_open_connection: connection opened
>>> [2010/09/27 14:58:52.242954, 2]
>>> passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>> init_sam_from_ldap: Entry found for user: Administrator
>>> [2010/09/27 14:58:52.295749, 2] auth/auth.c:304(check_ntlm_password)
>>> check_ntlm_password: authentication for user [Administrator] ->
>>> [Administrator] -> [Administrator] succeeded
>>> [2010/09/27 14:58:52.780610, 0]
>>> rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
>>> _netr_ServerAuthenticate: no challenge sent to client TESTAFS
>>> [2010/09/27 14:58:53.337111, 2]
>>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>> [2010/09/27 14:58:53.338938, 2]
>>> smbd/sesssetup.c:1390(setup_new_vc_session)
>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>> [2010/09/27 14:58:53.339808, 2]
>>> lib/smbldap.c:950(smbldap_open_connection)
>>> smbldap_open_connection: connection opened
>>> [2010/09/27 14:58:53.342371, 2]
>>> passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>> init_sam_from_ldap: Entry found for user: Administrator
>>> [2010/09/27 14:58:53.347683, 2] auth/auth.c:304(check_ntlm_password)
>>> check_ntlm_password: authentication for user [Administrator] ->
>>> [Administrator] -> [Administrator] succeeded
>>> [2010/09/27 14:58:53.812728, 2]
>>> rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>> Returning domain sid for domain MEDIADC ->
>>> S-1-5-21-1949818787-1514111066-129980733
>>> [2010/09/27 14:58:53.814002, 2]
>>> rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>> Returning domain sid for domain MEDIADC ->
>>> S-1-5-21-1949818787-1514111066-129980733
>>>
>>> It seems all works fine, but Windows gives an error like "Access
>>> Denied" and the computer is not added to the domain.
>>>
>>> What can be the problem? How to debug it?
>>>
Read about preexec and postexec in the Samba HOWTO.
In my case I run a script the first time a user logs in and his share is
created.
Greetings
Daniel
>>> Any hint is welcome...
>>>
>>> Cordially,
>>>
>>> Claudio Prono.
>>>
>>>
>>>
>>
>
> --
> --------------------------------------------------------------------------------
> Claudio Prono OPST
> System Developer
> Gsm: +39-349-54.33.258
> @PSS Srl Tel: +39-011-32.72.100
> Via San Bernardino, 17 Fax: +39-011-32.46.497
> 10141 Torino - ITALY http://atpss.net/disclaimer
>
> --------------------------------------------------------------------------------
> PGP Key - http://keys.atpss.net/c_prono.asc
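The checks Gaiseric describes (does the unix account SOMEMACHINE$ resolve, does the samba machine account exist, create it with smbpasswd -m -a if not) as a helper to run as root on the DC. This is an added example, not code from the thread or from the Samba project; it assumes the smb.conf posted above (add machine script built from %m$, ldap machine suffix = ou=Machines) and the stock Samba 3 tools getent, pdbedit and smbpasswd. TESTAFS is the client name from the log; the pdbedit output format (name:uid:comment) is the one pdbedit -L prints.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-join checks for a Samba 3
# PDC with an ldapsam backend, run as root on the DC. Assumes the smb.conf
# posted in the thread and the tools getent, pdbedit and smbpasswd.

# Windows machine accounts are the NetBIOS name, upper case, plus a
# trailing '$'. The add machine script in the thread builds that name
# from %m, while the thread's advice for "smbpasswd -m -a" is to leave
# the '$' off. These two helpers normalise either form.
machine_unix_name() {
    n=$(printf '%s' "$1" | tr -d '$' | tr '[:lower:]' '[:upper:]')
    printf '%s$' "$n"
}

machine_smb_name() {
    printf '%s' "$1" | tr -d '$' | tr '[:lower:]' '[:upper:]'
}

# Read "pdbedit -L -m" output (name:uid:comment, one account per line)
# on stdin and succeed when the wanted machine account is listed.
passdb_has_machine() {
    while IFS= read -r line; do
        [ "${line%%:*}" = "$1" ] && return 0
    done
    return 1
}

# Report what is missing for one client. Exit status 0 only when both
# the unix account (visible through nss) and the samba account exist.
check_machine() {
    unix_name=$(machine_unix_name "$1")
    smb_name=$(machine_smb_name "$1")
    status=0

    if getent passwd "$unix_name" >/dev/null 2>&1; then
        echo "ok: unix account $unix_name resolves via nss"
    else
        echo "MISSING: unix account $unix_name (add machine script did not run, or nss cannot see ou=Machines)"
        status=1
    fi

    if pdbedit -L -m 2>/dev/null | passdb_has_machine "$unix_name"; then
        echo "ok: samba machine account $unix_name is in the passdb"
    else
        echo "MISSING: samba machine account $unix_name (create it with: smbpasswd -m -a $smb_name)"
        status=1
    fi
    return "$status"
}

# Usage on the DC, for the client in the log above:
#   check_machine TESTAFS
```

Run it before retrying the join and again after a failed join attempt; if the unix account is still missing after the attempt, the add machine script never ran or its useradd failed, which "log level = 2" in the posted config will not show (raise the level to see the script invocation). One caveat on the posted config itself: with ldap ssl = no, the simple bind as the ldap admin dn sends that password in clear to afs-test, so keep the DC and the LDAP server on a trusted segment or enable TLS.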
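Daniel's hint about preexec, as an added example that is not his script or the Samba project's code: a "root preexec" helper that creates a user's directory on first connection. The smb.conf line it is written for is hypothetical (root preexec = /usr/local/sbin/mkhome.sh %U), as are the script name and HOME_BASE. Because Samba runs a root preexec as root with the connecting user name as argument, the example validates that name before using it as a path component.

```shell
#!/bin/sh
# Added example, not code from the thread: a "root preexec" helper that
# creates a user's directory the first time that user connects.
# Hypothetical smb.conf line it is written for:
#   root preexec = /usr/local/sbin/mkhome.sh %U
# Samba runs it as root with the connecting user name, so the argument is
# validated before it is used as a path component.

HOME_BASE=${HOME_BASE:-/home}

# Accept only names that are safe as a single path component below
# $HOME_BASE: no empty name, no '/', no '.' or '..', no leading '-'.
valid_username() {
    case "$1" in
        ''|*/*|.|..|-*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9._-]*$'
}

# Print the directory that will be created for a user, or fail.
home_path_for() {
    valid_username "$1" || return 1
    printf '%s/%s' "$HOME_BASE" "$1"
}

# Create the directory, owner-only, if it does not exist yet. Idempotent,
# because preexec runs on every connection to the share, not only the first.
mkhome() {
    dir=$(home_path_for "$1") || {
        echo "mkhome: refusing user name '$1'" >&2
        return 1
    }
    [ -d "$dir" ] && return 0
    mkdir -m 0700 "$dir" && chown "$1" "$dir"
}

# Run only when executed as the script itself, not when sourced.
case "${0##*/}" in
    mkhome.sh) mkhome "$1" ;;
esac
```

Install it mode 0755 owned by root and point root preexec at it with %U as the only argument; the directory is created 0700 so other domain users cannot read it through the [users] share that exports /home.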