[Samba] Problem with Samba - Openldap and domain autentication of Windows XP

Dale Schroeder dale at BriannasSaladDressing.com
Tue Sep 28 07:44:32 MDT 2010


Claudio,

Your problems may arise from the fact that you have set the "workgroup" 
and "netbios name" to identical values.

[global]
         workgroup = MEDIADC
         netbios name = MEDIADC


See the last sentence of this link:

http://oreilly.com/catalog/samba/chapter/book/ch04_04.html

Dale


On 09/28/2010 4:06 AM, Claudio Prono wrote:
> Ok, now the join to the domain works, but when I create a new user and
> I try to log in to the Windows XP domain, Windows says to me "Unable
> to access. A peripheral is not working". (sorry for the poor translation,
> but my Windows is in Italian). In the samba logs I read this:
>
> [2010/09/28 10:07:45.795892,  2] smbd/reply.c:536(reply_special)
>    netbios connect: name1=MEDIADC        0x20 name2=TESTAFS        0x0
> [2010/09/28 10:07:45.796139,  2] smbd/reply.c:547(reply_special)
>    netbios connect: local=mediadc remote=testafs, name type = 0
> [2010/09/28 10:07:45.799185,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
>    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2010/09/28 10:07:45.801093,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
>    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2010/09/28 10:07:45.801767,  2] lib/smbldap.c:950(smbldap_open_connection)
>    smbldap_open_connection: connection opened
> [2010/09/28 10:07:45.865629,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
>    init_sam_from_ldap: Entry found for user: AFS
> [2010/09/28 10:07:45.872442,  2] auth/auth.c:304(check_ntlm_password)
>    check_ntlm_password:  authentication for user [AFS] ->  [AFS] ->  [AFS]
> succeeded
> [2010/09/28 10:07:45.872630,  1]
> rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
>    _netr_LogonSamLogon: user MEDIADC\AFS has user sid
> S-1-5-21-3218914170-3340994528-1537192846-3010
>     but group sid S-1-5-21-1949818787-1514111066-129980733-513.
>    The conflicting domain portions are not supported for NETLOGON calls
>
> This is my testparm (actually):
>
> [global]
>          workgroup = MEDIADC
>          netbios name = MEDIADC
>          map to guest = Bad User
>          passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
>          log level = 2
>          printcap name = cups
>          add user script = /usr/sbin/ldapsmb -a -u "%u" -smbacct --makehomedir --homedir /home/%u -f
>          delete user script = /usr/sbin/ldapsmb -d -u "%u" -f
>          add group script = /usr/sbin/ldapsmb -a -g "%g" -f
>          delete group script = /usr/sbin/ldapsmb -d -g "%g" -f
>          add user to group script = /usr/sbin/ldapsmb -j -u "%u" -g "%g" -f
>          delete user from group script = /usr/sbin/ldapsmb -r -u "%u" -g "%g" -f
>          add machine script = "/usr/sbin/ldapsmb -a -wks %u -f"
>          logon path = \\%L\profiles\.msprofile
>          logon drive = P:
>          logon home = \\%L\%U\.9xprofile
>          domain logons = Yes
>          os level = 99
>          preferred master = Yes
>          domain master = Yes
>          wins support = Yes
>          ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
>          ldap group suffix = ou=group
>          ldap idmap suffix = ou=Idmap
>          ldap machine suffix = ou=Machines
>          ldap passwd sync = yes
>          ldap suffix = dc=mediaservice-test,dc=pri
>          ldap ssl = no
>          ldap user suffix = ou=people
>          usershare allow guests = Yes
>          idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
>          cups options = raw
>
> [homes]
>          comment = Home Directories
>          valid users = %S, %D%w%S
>          read only = No
>          inherit acls = Yes
>          browseable = No
>
> [profiles]
>          comment = Network Profiles Service
>          path = %H
>          read only = No
>          create mask = 0600
>          directory mask = 0700
>          store dos attributes = Yes
>
> [users]
>          comment = All users
>          path = /home
>          read only = No
>          inherit acls = Yes
>          veto files = /aquota.user/groups/shares/
>
> [groups]
>          comment = All groups
>          path = /home/groups
>          read only = No
>          inherit acls = Yes
>
> [printers]
>          comment = All Printers
>          path = /var/tmp
>          create mask = 0600
>          printable = Yes
>          browseable = No
>
> [print$]
>          comment = Printer Drivers
>          path = /var/lib/samba/drivers
>          write list = @ntadmin, root
>          force group = ntadmin
>          create mask = 0664
>          directory mask = 0775
>
> [netlogon]
>          comment = Network Logon Service
>          path = /var/lib/samba/netlogon
>          write list = root
>
> How can I debug what is wrong?
>
> Any suggestion?
>
> Cordially,
>
> Claudio Prono.
>
>
>
>
> Gaiseric Vandal wrote:
>> Wait, you are using samba with openldap backend.
>>
>> Why are you using useradd? With this backend you need smbldap instead,
>> like this:
>>
>>          passdb backend = ldapsam:ldap://your ldap server
>>          ldap passwd sync = yes
>>          ldap delete dn = Yes
>>          ldap admin dn = cn=root,dc=domain,dc=com,dc=br
>>          ldap suffix = dc=domain,dc=com,dc=br
>>          ldap machine suffix = ou=Computers
>>          ldap user suffix = ou=Users
>>          ldap group suffix = ou=Groups
>>          ldap idmap suffix = sambaDomainName=DOMAIN
>>          idmap backend = ldap:ldap://ldap server
>>          idmap alloc backend = ldap:ldap://ldap server
>>          idmap uid = 1000-20000
>>          idmap gid = 1000-20000
>>          idmap alloc config:range = 1000-20000
>>          ldap timeout = 15
>>          ldap connection timeout = 2
>>          ldap page size = 1024
>>
>>     # add/remove users
>>          add user script = /usr/sbin/smbldap-useradd -m "%u"
>>          delete user script = /usr/sbin/smbldap-userdel "%u"
>>     # add/remove Groups
>>          add group script = /usr/sbin/smbldap-groupadd -p "%g"
>>          delete group script = /usr/sbin/smbldap-groupdel "%g"
>>     # add/remove user in groups
>>          add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>>          delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>>     # define primary group of user
>>          set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>>     # add machines in domain
>>          add machine script = /usr/sbin/smbldap-useradd -i -w "%u"
>>
>> regards
>>
>> On Mon, Sep 27, 2010 at 12:15 PM, Gaiseric Vandal
>> <gaiseric.vandal at gmail.com>   wrote:
>>> Your user script may be adding a LOCAL unix account (in /etc/passwd.)
>>> Do you see the accounts in there? You may need a custom script that
>>> adds the accounts to ldap.
>>>
>>> The following may help
>>>
>>> https://gna.org/projects/smbldap-tools/
>>>
>>>
>>> Remember, that being root on your unix system does not automatically
>>> make you LDAP admin.
>>>
>>> If you have a single server then having your unix may be OK - samba
>>> will match the samba user to the unix user via the user id. I have
>>> multiple servers so I use LDAP for unix accounts (previously used NIS.)
>>> So now an LDAP user has both windows and unix account info.
>>>
>>>   On 09/27/2010 11:08 AM, Claudio Prono wrote:
>>>> Gaiseric Vandal wrote:
>>>>
>>>>> Do you have an underlying unix account for the pc (eg SOMEMACHINE$)?
>>>>>
>>>>> It is possible to configure scripts so that the unix account is created
>>>>> by samba if necessary when samba creates the "Windows" account for the
>>>>> machine. I don't have it set up this way, so I need to create the
>>>>> unix account 1st.
>>>>>
>>>>>
>>>> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
>>>>
>>>> This script automatically adds the machine if needed, or am I wrong?
>>>>
>>>>> Also, I found that since the underlying unix OS may need to validate the
>>>>> machine account, I put my machine accounts in either the same ldap ou
>>>>> as people (or in a sub ou.) ("getent passwd" command may need to show
>>>>> your machine accounts as well as people accounts.)
>>>>>
>>>>> If you have manually created the unix account for the machine, can you
>>>>> then manually create the samba account for it
>>>>>
>>>>>          e.g. smbpasswd -m -a SOMEMACHINE
>>>>>
>>>>>      (I think you leave the $ off .)
>>>>>
>>>>>
>>>>> I use LDAP for both "unix" and "windows" clients so my config choices
>>>>> may not be applicable to a windows-only client environment.
>>>>>
>>>>>
>>>>>   On 09/27/2010 09:59 AM, Claudio Prono wrote:
>>>>>
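Added example (written for this page; not code from the thread or from the Samba project): a small Python check that turns the two diagnostics discussed above into something repeatable. It scans smbd log text for logons whose user SID and primary-group SID carry different domain portions (the serverinfo_to_SamInfo_base complaint in Claudio's log) and parses a smb.conf [global] section to flag an identical workgroup and netbios name (Dale's point). The log and config samples are constructed from the text quoted in the thread.

```python
import re

# Constructed samples, taken from the smbd log and testparm output quoted above.
SMBD_LOG = (
    "[2010/09/28 10:07:45.872630,  1] rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)\n"
    "   _netr_LogonSamLogon: user MEDIADC\\AFS has user sid\n"
    "S-1-5-21-3218914170-3340994528-1537192846-3010\n"
    "    but group sid S-1-5-21-1949818787-1514111066-129980733-513.\n"
    "   The conflicting domain portions are not supported for NETLOGON calls\n"
)
SMB_CONF = "[global]\n   workgroup = MEDIADC\n   netbios name = MEDIADC\n   domain logons = Yes\n"

# \s+ tolerates the line wrapping that mail clients introduce around long SIDs.
SID_PAIR = re.compile(r"user (\S+) has user sid\s+(S-1-[\d-]+)\s+but group sid\s+(S-1-[\d-]+)")


def sid_domain(sid):
    """Domain portion of a SID: everything except the final RID component."""
    return sid.rsplit("-", 1)[0]


def find_sid_conflicts(log_text):
    """Return (user, user_sid, group_sid) for every logon whose user and
    primary-group SIDs belong to different domains. RID 513 (seen above) is
    Domain Users, so the group lives under some other domain SID than the user."""
    conflicts = []
    for user, user_sid, group_sid in SID_PAIR.findall(log_text):
        if sid_domain(user_sid) != sid_domain(group_sid):
            conflicts.append((user, user_sid, group_sid))
    return conflicts


def parse_global(conf_text):
    """Minimal smb.conf/testparm parser: key/value pairs of the [global] section."""
    section, values = None, {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and section == "global":
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def workgroup_equals_netbios_name(conf_text):
    """True only when both keys are set and identical (case-insensitive)."""
    g = parse_global(conf_text)
    wg, nb = g.get("workgroup"), g.get("netbios name")
    return bool(wg and nb) and wg.upper() == nb.upper()
```

Feed it the full smbd log and `testparm -s` output to see whether either condition holds on your own server.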

