[Samba] Problem with Samba - Openldap and domain authentication of Windows XP
Dale Schroeder
dale at BriannasSaladDressing.com
Tue Sep 28 07:44:32 MDT 2010
Claudio,
Your problems may arise from the fact that you have set the "workgroup"
and "netbios name" to identical values.
[global]
workgroup = MEDIADC
netbios name = MEDIADC
See the last sentence of this link:
http://oreilly.com/catalog/samba/chapter/book/ch04_04.html

Dale

On 09/28/2010 4:06 AM, Claudio Prono wrote:
> Ok, now the join to the domain works, but when I create a new user and
> I try to log in to the Windows XP domain, Windows says to me "Unable
> to access. A peripheral is not working". (Sorry for the poor translation,
> but my Windows is in Italian.) In the Samba logs I read this:
>
> [2010/09/28 10:07:45.795892, 2] smbd/reply.c:536(reply_special)
> netbios connect: name1=MEDIADC 0x20 name2=TESTAFS 0x0
> [2010/09/28 10:07:45.796139, 2] smbd/reply.c:547(reply_special)
> netbios connect: local=mediadc remote=testafs, name type = 0
> [2010/09/28 10:07:45.799185, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2010/09/28 10:07:45.801093, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2010/09/28 10:07:45.801767, 2] lib/smbldap.c:950(smbldap_open_connection)
> smbldap_open_connection: connection opened
> [2010/09/28 10:07:45.865629, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
> init_sam_from_ldap: Entry found for user: AFS
> [2010/09/28 10:07:45.872442, 2] auth/auth.c:304(check_ntlm_password)
> check_ntlm_password: authentication for user [AFS] -> [AFS] -> [AFS]
> succeeded
> [2010/09/28 10:07:45.872630, 1]
> rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
> _netr_LogonSamLogon: user MEDIADC\AFS has user sid
> S-1-5-21-3218914170-3340994528-1537192846-3010
> but group sid S-1-5-21-1949818787-1514111066-129980733-513.
> The conflicting domain portions are not supported for NETLOGON calls
>
> This is my testparm output (currently):
>
> [global]
> workgroup = MEDIADC
> netbios name = MEDIADC
> map to guest = Bad User
> passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
> log level = 2
> printcap name = cups
> add user script = /usr/sbin/ldapsmb -a -u "%u" -smbacct --makehomedir --homedir /home/%u -f
> delete user script = /usr/sbin/ldapsmb -d -u "%u" -f
> add group script = /usr/sbin/ldapsmb -a -g "%g" -f
> delete group script = /usr/sbin/ldapsmb -d -g "%g" -f
> add user to group script = /usr/sbin/ldapsmb -j -u "%u" -g "%g" -f
> delete user from group script = /usr/sbin/ldapsmb -r -u "%u" -g "%g" -f
> add machine script = "/usr/sbin/ldapsmb -a -wks %u -f"
> logon path = \\%L\profiles\.msprofile
> logon drive = P:
> logon home = \\%L\%U\.9xprofile
> domain logons = Yes
> os level = 99
> preferred master = Yes
> domain master = Yes
> wins support = Yes
> ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
> ldap group suffix = ou=group
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Machines
> ldap passwd sync = yes
> ldap suffix = dc=mediaservice-test,dc=pri
> ldap ssl = no
> ldap user suffix = ou=people
> usershare allow guests = Yes
> idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
> cups options = raw
>
> [homes]
> comment = Home Directories
> valid users = %S, %D%w%S
> read only = No
> inherit acls = Yes
> browseable = No
>
> [profiles]
> comment = Network Profiles Service
> path = %H
> read only = No
> create mask = 0600
> directory mask = 0700
> store dos attributes = Yes
>
> [users]
> comment = All users
> path = /home
> read only = No
> inherit acls = Yes
> veto files = /aquota.user/groups/shares/
>
> [groups]
> comment = All groups
> path = /home/groups
> read only = No
> inherit acls = Yes
>
> [printers]
> comment = All Printers
> path = /var/tmp
> create mask = 0600
> printable = Yes
> browseable = No
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> write list = @ntadmin, root
> force group = ntadmin
> create mask = 0664
> directory mask = 0775
>
> [netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> write list = root
>
> How can I debug what is wrong?
>
> Any suggestion?
>
> Cordially,
>
> Claudio Prono.
>
>
>
>
> Gaiseric Vandal wrote:
>> Wait, you are using Samba with an OpenLDAP backend.
>>
>> Why are you using useradd??? With this backend you need smbldap instead,
>> like this:
>>
>> passdb backend = ldapsam:ldap://your ldap server
>> ldap passwd sync = yes
>> ldap delete dn = Yes
>> ldap admin dn = cn=root,dc=domain,dc=com,dc=br
>> ldap suffix = dc=domain,dc=com,dc=br
>> ldap machine suffix = ou=Computers
>> ldap user suffix = ou=Users
>> ldap group suffix = ou=Groups
>> ldap idmap suffix = sambaDomainName=DOMAIN
>> idmap backend = ldap:ldap://ldap server
>> idmap alloc backend = ldap:ldap://ldap server
>> idmap uid = 1000-20000
>> idmap gid = 1000-20000
>> idmap alloc config:range = 1000-20000
>> ldap timeout = 15
>> ldap connection timeout = 2
>> ldap page size = 1024
>>
>> # add/remove users
>> add user script = /usr/sbin/smbldap-useradd -m "%u"
>> delete user script = /usr/sbin/smbldap-userdel "%u"
>> # add/remove Groups
>> add group script = /usr/sbin/smbldap-groupadd -p "%g"
>> delete group script = /usr/sbin/smbldap-groupdel "%g"
>> # add/remove user in groups
>> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>> # define primary group of user
>> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>> # add machines in domain
>> add machine script = /usr/sbin/smbldap-useradd -i -w "%u"
>>
>> regards
>>
>> On Mon, Sep 27, 2010 at 12:15 PM, Gaiseric Vandal
>> <gaiseric.vandal at gmail.com> wrote:
>>> Your user script may be adding a LOCAL unix account (in /etc/passwd.)
>>> Do you see the accounts in there? You may need a custom script that
>>> adds the accounts to LDAP.
>>>
>>> The following may help
>>>
>>> https://gna.org/projects/smbldap-tools/
>>>
>>>
>>> Remember that being root on your unix system does not automatically
>>> make you LDAP admin.
>>>
>>> If you have a single server then having your unix accounts local may be
>>> OK: samba will match the samba user to the unix user via the user id. I
>>> have multiple servers so I use LDAP for unix accounts (previously used
>>> NIS.) So now an LDAP user has both windows and unix account info.
>>>
>>>
>>>
>>>
>>>
>>> On 09/27/2010 11:08 AM, Claudio Prono wrote:
>>>> Gaiseric Vandal wrote:
>>>>
>>>>> Do you have an underlying unix account for the pc (eg SOMEMACHINE$)
>>>>>
>>>>> It is possible to configure scripts so that the unix account is created
>>>>> by samba if necessary when samba creates the "Windows" account for the
>>>>> machine. I don't have it set up this way, so I need to create the
>>>>> unix account 1st.
>>>>>
>>>>>
>>>> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
>>>>
>>>> This script automatically adds the machine if needed, or am I wrong?
>>>>
>>>>> Also, I found that since the underlying unix OS may need to validate the
>>>>> machine account, I put my machine accounts in either the same ldap ou
>>>>> as people (or in a sub ou.) ("getent passwd" command may need to show
>>>>> your machine accounts as well as people accounts.)
>>>>>
>>>>> If you have manually created the unix account for the machine, can you
>>>>> then manually create the samba account for it
>>>>>
>>>>> e.g. smbpasswd -m -a SOMEMACHINE
>>>>>
>>>>> (I think you leave the $ off .)
>>>>>
>>>>>
>>>>> I use LDAP for both "unix" and "windows" clients so my config choices
>>>>> may not be applicable to a windows-only client environment.
>>>>>
>>>>>
>>>>> On 09/27/2010 09:59 AM, Claudio Prono wrote:
>>>>>
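An added illustration of the two diagnoses in this thread; this is not code from the list or from the Samba project. The `_netr_LogonSamLogon` line in Claudio's log is Samba refusing to build a NETLOGON reply whose user SID and primary-group SID have different domain portions (S-1-5-21-3218914170-3340994528-1537192846 for the user, S-1-5-21-1949818787-1514111066-129980733 for group RID 513). With an ldapsam backend that means the `sambaSID` and `sambaPrimaryGroupSID` attributes in the directory were generated against two different domain SIDs. The script below flags such entries in an LDIF dump and, for Dale's point, flags an smb.conf where `workgroup` and `netbios name` are identical. The LDIF and smb.conf samples are constructed from values on this page; treating the user's SID prefix as the live domain SID is an assumption, to be confirmed with `net getlocalsid` on the PDC.

```python
"""Consistency checks for a Samba 3 ldapsam domain (added example).

1. check_sids: every sambaSID must carry the domain SID Samba is using, and
   each sambaPrimaryGroupSID must share the user's domain portion; otherwise
   NETLOGON logons fail with "conflicting domain portions".
2. check_names: workgroup and netbios name in smb.conf must differ.
"""
import re

# Domain SIDs are S-1-5-21-<a>-<b>-<c>; the final component is the RID.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def split_sid(sid):
    """Return (domain_portion, rid) for a domain SID; ValueError otherwise."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    rid_str = m.group(1)
    return sid[: -(len(rid_str) + 1)], int(rid_str)


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute -> list of values.

    Handles plain 'attr: value' lines only (no base64 '::' or line folding),
    which is enough for the attributes checked here.
    """
    entries, cur = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def check_sids(entries, domain_sid):
    """Return [(uid, problem), ...] for entries whose SIDs disagree."""
    problems = []
    for e in entries:
        if "sambaSID" not in e:
            continue  # not a sambaSamAccount
        uid = e.get("uid", ["?"])[0]
        user_dom, _ = split_sid(e["sambaSID"][0])
        if user_dom != domain_sid:
            problems.append((uid, "sambaSID not under domain %s" % domain_sid))
        for gsid in e.get("sambaPrimaryGroupSID", []):
            group_dom, _ = split_sid(gsid)
            if group_dom != user_dom:
                problems.append((uid, "sambaPrimaryGroupSID %s is outside the user's domain %s" % (gsid, user_dom)))
    return problems


def check_names(smb_conf):
    """True when 'workgroup' and 'netbios name' are set to different values."""
    vals = {}
    for line in smb_conf.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if sep and key in ("workgroup", "netbios name"):
            vals[key] = value.strip().upper()  # NetBIOS names are case-insensitive
    return vals.get("workgroup") != vals.get("netbios name")


# Constructed sample input, built from the SIDs and config quoted in the thread.
# ASSUMPTION: the user's SID prefix is the live domain SID (verify: net getlocalsid).
DOMAIN_SID = "S-1-5-21-3218914170-3340994528-1537192846"

SAMPLE_LDIF = """\
dn: uid=AFS,ou=people,dc=mediaservice-test,dc=pri
uid: AFS
sambaSID: S-1-5-21-3218914170-3340994528-1537192846-3010
sambaPrimaryGroupSID: S-1-5-21-1949818787-1514111066-129980733-513

dn: uid=bob,ou=people,dc=mediaservice-test,dc=pri
uid: bob
sambaSID: S-1-5-21-3218914170-3340994528-1537192846-3012
sambaPrimaryGroupSID: S-1-5-21-3218914170-3340994528-1537192846-513
"""

SAMPLE_SMB_CONF = """\
[global]
        workgroup = MEDIADC
        netbios name = MEDIADC
"""

if __name__ == "__main__":
    for uid, problem in check_sids(parse_ldif(SAMPLE_LDIF), DOMAIN_SID):
        print("%s: %s" % (uid, problem))
    if not check_names(SAMPLE_SMB_CONF):
        print("smb.conf: workgroup and netbios name are identical")
```

To run it against a real directory, dump the accounts with `ldapsearch -x -b 'dc=mediaservice-test,dc=pri' '(objectClass=sambaSamAccount)' uid sambaSID sambaPrimaryGroupSID` and feed that output to `parse_ldif`; the `sambaDomainName` entry's own `sambaSID` and the output of `net getlocalsid` should agree with the prefix you pass as `domain_sid`. Entries that fail the check typically date from a domain whose SID changed (reinstalled PDC, second provisioning run) and need their `sambaPrimaryGroupSID`, or the group's `sambaSID`, rewritten under the current domain SID.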