[Samba] Problem with Samba - Openldap and domain autentication of Windows XP

Daniel Müller mueller at tropenklinik.de
Tue Sep 28 04:22:04 MDT 2010


On Mon, 27 Sep 2010 17:08:12 +0200, Claudio Prono <claudio.prono at atpss.net> wrote:
> Gaiseric Vandal wrote:
>> Do you have an underlying unix account for the pc (eg SOMEMACHINE$)
>>
>> It is possible to configure scripts so that the unix account is created
>> by samba if necessary when samba creates the "Windows" account for the
>> machine.  I don't have it set up this way, so I need to create the
>> unix account 1st.
>>
> add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s
> /bin/false %m$
> 
> This script automatically adds the machine if needed, or am I wrong?
>> Also, I found that since the underlying unix OS may need to validate the
>> machine account,  I put my machine accounts in either the same ldap ou
>> as people (or in a sub ou.)  ("getent passwd" command may need to show
>> your machine accounts as well as people accounts.)
>>
>> If you have manually created the unix account for the machine, can you
>> then manually create the samba account for it
>>
>>         e.g. smbpasswd -m -a SOMEMACHINE
>>
>>     (I think you leave the $ off .)
>>
>>
>> I use LDAP for both "unix" and "windows" clients so my config choices
>> may not be applicable to a windows-only client environment.
>>
>>
>> On 09/27/2010 09:59 AM, Claudio Prono wrote:
>>> Hello all,
>>>
>>> I have some problems getting a configuration with Samba and OpenLDAP
>>> as domain controller to work. My operating system is OpenSuSE 11.3.
>>>
>>> Here is my testparm:
>>>
>>> [global]
>>>          workgroup = MEDIADC
>>>          netbios name = MEDIADC
>>>          map to guest = Bad User
>>>          passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
>>>          log level = 2
>>>          printcap name = cups
>>>          add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
>>>          logon path = \\%L\profiles\.msprofile
>>>          logon drive = P:
>>>          logon home = \\%L\%U\.9xprofile
>>>          domain logons = Yes
>>>          os level = 65
>>>          preferred master = Yes
>>>          domain master = Yes
>>>          wins support = Yes
>>>          ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
>>>          ldap group suffix = ou=group
>>>          ldap idmap suffix = ou=Idmap
>>>          ldap machine suffix = ou=Machines
>>>          ldap passwd sync = yes
>>>          ldap suffix = dc=mediaservice-test,dc=pri
>>>          ldap ssl = no
>>>          ldap user suffix = ou=people
>>>          usershare allow guests = Yes
>>>          idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
>>>          idmap uid = 1000-60000
>>>          idmap gid = 1000-60000
>>>          cups options = raw
>>>
>>> [homes]
>>>          comment = Home Directories
>>>          valid users = %S, %D%w%S
>>>          read only = No
>>>          inherit acls = Yes
>>>          browseable = No
>>>
>>> [profiles]
>>>          comment = Network Profiles Service
>>>          path = %H
>>>          read only = No
>>>          create mask = 0600
>>>          directory mask = 0700
>>>          store dos attributes = Yes
>>>
>>> [users]
>>>          comment = All users
>>>          path = /home
>>>          read only = No
>>>          inherit acls = Yes
>>>          veto files = /aquota.user/groups/shares/
>>>
>>> [groups]
>>>          comment = All groups
>>>          path = /home/groups
>>>          read only = No
>>>          inherit acls = Yes
>>>
>>> [printers]
>>>          comment = All Printers
>>>          path = /var/tmp
>>>          create mask = 0600
>>>          printable = Yes
>>>          browseable = No
>>>
>>> [print$]
>>>          comment = Printer Drivers
>>>          path = /var/lib/samba/drivers
>>>          write list = @ntadmin, root
>>>          force group = ntadmin
>>>          create mask = 0664
>>>          directory mask = 0775
>>>
>>> [netlogon]
>>>          comment = Network Logon Service
>>>          path = /var/lib/samba/netlogon
>>>          write list = root
>>>
>>> If I try to join a Windows XP machine to the domain I get these results:
>>>
>>> [2010/09/27 14:58:52.229946,  0] lib/util_sock.c:1432(get_peer_addr_internal)
>>>    getpeername failed. Error was Transport endpoint is not connected
>>> [2010/09/27 14:58:52.233371,  2] smbd/reply.c:536(reply_special)
>>>    netbios connect: name1=MEDIADC        0x20 name2=TESTAFS        0x0
>>> [2010/09/27 14:58:52.233498,  2] smbd/reply.c:547(reply_special)
>>>    netbios connect: local=mediadc remote=testafs, name type = 0
>>> [2010/09/27 14:58:52.234068,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
>>>    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>> [2010/09/27 14:58:52.233647,  0] lib/util_sock.c:675(write_data)
>>> [2010/09/27 14:58:52.234876,  0] lib/util_sock.c:1432(get_peer_addr_internal)
>>>    getpeername failed. Error was Transport endpoint is not connected
>>>    write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
>>> [2010/09/27 14:58:52.236855,  0] smbd/process.c:79(srv_send_smb)
>>>    Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
>>> [2010/09/27 14:58:52.238615,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
>>>    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>> [2010/09/27 14:58:52.239888,  2] lib/smbldap.c:950(smbldap_open_connection)
>>>    smbldap_open_connection: connection opened
>>> [2010/09/27 14:58:52.242954,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>>    init_sam_from_ldap: Entry found for user: Administrator
>>> [2010/09/27 14:58:52.295749,  2] auth/auth.c:304(check_ntlm_password)
>>>    check_ntlm_password:  authentication for user [Administrator] -> [Administrator] ->  [Administrator] succeeded
>>> [2010/09/27 14:58:52.780610,  0] rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
>>>    _netr_ServerAuthenticate: no challenge sent to client TESTAFS
>>> [2010/09/27 14:58:53.337111,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
>>>    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>> [2010/09/27 14:58:53.338938,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
>>>    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>> [2010/09/27 14:58:53.339808,  2] lib/smbldap.c:950(smbldap_open_connection)
>>>    smbldap_open_connection: connection opened
>>> [2010/09/27 14:58:53.342371,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>>    init_sam_from_ldap: Entry found for user: Administrator
>>> [2010/09/27 14:58:53.347683,  2] auth/auth.c:304(check_ntlm_password)
>>>    check_ntlm_password:  authentication for user [Administrator] -> [Administrator] ->  [Administrator] succeeded
>>> [2010/09/27 14:58:53.812728,  2] rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>>    Returning domain sid for domain MEDIADC -> S-1-5-21-1949818787-1514111066-129980733
>>> [2010/09/27 14:58:53.814002,  2] rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>>    Returning domain sid for domain MEDIADC -> S-1-5-21-1949818787-1514111066-129980733
>>>
>>> It seems all works fine, but Windows gives an error like "Access
>>> Denied" and the computer is not added to the domain.
>>>
>>> What can be the problem? How to debug it?
>>>
Read about preexec and postexec in the samba howto.
In my case I run a script the first time a user logs in and his share is
created.

Greetings 
Daniel

>>> Any hint is welcome...
>>>
>>> Cordially,
>>>
>>> Claudio Prono.
>>>
>>>
>>>    
>>
> 
> -- 
> --------------------------------------------------------------------------------
> Claudio Prono                         OPST
> System Developer               
>                                       Gsm: +39-349-54.33.258
> @PSS Srl                              Tel: +39-011-32.72.100
> Via San Bernardino, 17                Fax: +39-011-32.46.497
> 10141 Torino - ITALY                  http://atpss.net/disclaimer
> --------------------------------------------------------------------------------
> PGP Key - http://keys.atpss.net/c_prono.asc
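Added here as an illustration, not code from anyone in the thread: a small Python parser for the Samba 3.x log layout Claudio posted, plus a summary function that pulls out what an admin needs when a join is refused (the connecting client, which accounts authenticated, level-0 netlogon errors such as the "no challenge sent to client" line, and the domain SID handed back). The sample is constructed from the thread's own log lines, re-joined into Samba's native one-header-per-line form.

```python
import re

# A Samba 3.x log entry is a header "[YYYY/MM/DD HH:MM:SS.usec, level] file.c:line(func)"
# followed by indented message lines (the thread's copy was re-wrapped by the mail client).
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} [\d:.]+),\s*(\d+)\]\s+(\S+)\s*$")

def parse_samba_log(text):
    """Group each header line with its continuation lines into one dict entry."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"ts": m.group(1), "level": int(m.group(2)), "where": m.group(3), "msg": ""}
            entries.append(cur)
        elif cur is not None and line.strip():
            cur["msg"] = (cur["msg"] + " " + line.strip()).strip()
    return entries

def summarize_join(entries):
    """Facts an admin wants when a join is refused: the connecting client, which
    accounts authenticated, level-0 netlogon errors, and the domain SID returned."""
    out = {"client": None, "authenticated": [], "netlogon_errors": [], "domain_sid": None}
    for e in entries:
        msg = e["msg"]
        if m := re.search(r"netbios connect: local=\S+ remote=(\S+),", msg):
            out["client"] = m.group(1)
        elif m := re.search(r"authentication for user \[([^\]]+)\].*succeeded", msg):
            out["authenticated"].append(m.group(1))
        elif "srv_netlog_nt.c" in e["where"] and e["level"] == 0:
            out["netlogon_errors"].append((e["ts"], msg))
        elif m := re.search(r"domain sid for domain \S+ -> (S-1-5-[\d-]+)", msg):
            out["domain_sid"] = m.group(1)
    return out

# Constructed sample: four of the thread's own log lines in Samba's native layout.
SAMPLE = """\
[2010/09/27 14:58:52.233498,  2] smbd/reply.c:547(reply_special)
  netbios connect: local=mediadc remote=testafs, name type = 0
[2010/09/27 14:58:52.295749,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [Administrator] -> [Administrator] ->  [Administrator] succeeded
[2010/09/27 14:58:52.780610,  0] rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate: no challenge sent to client TESTAFS
[2010/09/27 14:58:53.812728,  2] rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
  Returning domain sid for domain MEDIADC -> S-1-5-21-1949818787-1514111066-129980733
"""

if __name__ == "__main__":
    print(summarize_join(parse_samba_log(SAMPLE)))
```

The summary shows that the Administrator credential was accepted and the domain SID was returned, so the failure point is the netlogon call for the machine account rather than the LDAP lookup or the user password.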
