[Samba] Problem with Samba - Openldap and domain autentication of Windows XP

Claudio Prono claudio.prono at atpss.net
Tue Sep 28 09:47:26 MDT 2010


Ok thanks, I have resolved it... now the samba+ldap part as domain
controller works like a charm!

Thank you to all.

Claudio.


Dale Schroeder wrote:
> Claudio,
>
> Your problems may arise from the fact that you have set the
> "workgroup" and "netbios name" to identical values.
>
> [global]
>         workgroup = MEDIADC
>         netbios name = MEDIADC
>
>
> See the last sentence of this link:
>
> http://oreilly.com/catalog/samba/chapter/book/ch04_04.html
>
> Dale
>
>
> On 09/28/2010 4:06 AM, Claudio Prono wrote:
>> Ok, now the join to the domain works, but when I create a new user, and
>> I try to login to the Windows XP domain, the windows says to me "Unable
>> to access. A peripheral is not working". (sorry for the poor translation,
>> but my windows is in Italian). In the samba logs I read this:
>>
>> [2010/09/28 10:07:45.795892,  2] smbd/reply.c:536(reply_special)
>>    netbios connect: name1=MEDIADC        0x20 name2=TESTAFS        0x0
>> [2010/09/28 10:07:45.796139,  2] smbd/reply.c:547(reply_special)
>>    netbios connect: local=mediadc remote=testafs, name type = 0
>> [2010/09/28 10:07:45.799185,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
>>    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>> [2010/09/28 10:07:45.801093,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
>>    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>> [2010/09/28 10:07:45.801767,  2] lib/smbldap.c:950(smbldap_open_connection)
>>    smbldap_open_connection: connection opened
>> [2010/09/28 10:07:45.865629,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>    init_sam_from_ldap: Entry found for user: AFS
>> [2010/09/28 10:07:45.872442,  2] auth/auth.c:304(check_ntlm_password)
>>    check_ntlm_password:  authentication for user [AFS] ->  [AFS] -> [AFS] succeeded
>> [2010/09/28 10:07:45.872630,  1] rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
>>    _netr_LogonSamLogon: user MEDIADC\AFS has user sid S-1-5-21-3218914170-3340994528-1537192846-3010
>>     but group sid S-1-5-21-1949818787-1514111066-129980733-513.
>>    The conflicting domain portions are not supported for NETLOGON calls
>>
>> This is my testparm (actually):
>>
>> [global]
>>          workgroup = MEDIADC
>>          netbios name = MEDIADC
>>          map to guest = Bad User
>>          passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
>>          log level = 2
>>          printcap name = cups
>>          add user script = /usr/sbin/ldapsmb -a -u "%u" -smbacct --makehomedir --homedir /home/%u -f
>>          delete user script = /usr/sbin/ldapsmb -d -u "%u" -f
>>          add group script = /usr/sbin/ldapsmb -a -g "%g" -f
>>          delete group script = /usr/sbin/ldapsmb -d -g "%g" -f
>>          add user to group script = /usr/sbin/ldapsmb -j -u "%u" -g "%g" -f
>>          delete user from group script = /usr/sbin/ldapsmb -r -u "%u" -g "%g" -f
>>          add machine script = "/usr/sbin/ldapsmb -a -wks %u -f"
>>          logon path = \\%L\profiles\.msprofile
>>          logon drive = P:
>>          logon home = \\%L\%U\.9xprofile
>>          domain logons = Yes
>>          os level = 99
>>          preferred master = Yes
>>          domain master = Yes
>>          wins support = Yes
>>          ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
>>          ldap group suffix = ou=group
>>          ldap idmap suffix = ou=Idmap
>>          ldap machine suffix = ou=Machines
>>          ldap passwd sync = yes
>>          ldap suffix = dc=mediaservice-test,dc=pri
>>          ldap ssl = no
>>          ldap user suffix = ou=people
>>          usershare allow guests = Yes
>>          idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
>>          cups options = raw
>>
>> [homes]
>>          comment = Home Directories
>>          valid users = %S, %D%w%S
>>          read only = No
>>          inherit acls = Yes
>>          browseable = No
>>
>> [profiles]
>>          comment = Network Profiles Service
>>          path = %H
>>          read only = No
>>          create mask = 0600
>>          directory mask = 0700
>>          store dos attributes = Yes
>>
>> [users]
>>          comment = All users
>>          path = /home
>>          read only = No
>>          inherit acls = Yes
>>          veto files = /aquota.user/groups/shares/
>>
>> [groups]
>>          comment = All groups
>>          path = /home/groups
>>          read only = No
>>          inherit acls = Yes
>>
>> [printers]
>>          comment = All Printers
>>          path = /var/tmp
>>          create mask = 0600
>>          printable = Yes
>>          browseable = No
>>
>> [print$]
>>          comment = Printer Drivers
>>          path = /var/lib/samba/drivers
>>          write list = @ntadmin, root
>>          force group = ntadmin
>>          create mask = 0664
>>          directory mask = 0775
>>
>> [netlogon]
>>          comment = Network Logon Service
>>          path = /var/lib/samba/netlogon
>>          write list = root
>>
>> How can I debug what is wrong?
>>
>> Any suggestion?
>>
>> Cordially,
>>
>> Claudio Prono.
>>
>>
>>
>>
>> Gaiseric Vandal wrote:
>>> Wait, you are using samba with openldap backend.
>>>
>>> Why are you using useradd??? With this backend you need smbldap
>>> instead, like this:
>>>
>>>          passdb backend = ldapsam:ldap://your ldap server
>>>          ldap passwd sync = yes
>>>          ldap delete dn = Yes
>>>          ldap admin dn = cn=root,dc=domain,dc=com,dc=br
>>>          ldap suffix = dc=domain,dc=com,dc=br
>>>          ldap machine suffix = ou=Computers
>>>          ldap user suffix = ou=Users
>>>          ldap group suffix = ou=Groups
>>>          ldap idmap suffix = sambaDomainName=DOMAIN
>>>          idmap backend = ldap:ldap://ldap server
>>>          idmap alloc backend = ldap:ldap://ldap server
>>>          idmap uid = 1000-20000
>>>          idmap gid = 1000-20000
>>>          idmap alloc config:range = 1000-20000
>>>          ldap timeout = 15
>>>          ldap connection timeout = 2
>>>          ldap page size = 1024
>>>
>>>     # add/remove users
>>>          add user script = /usr/sbin/smbldap-useradd -m "%u"
>>>          delete user script = /usr/sbin/smbldap-userdel "%u"
>>>     # add/remove Groups
>>>          add group script = /usr/sbin/smbldap-groupadd -p "%g"
>>>          delete group script = /usr/sbin/smbldap-groupdel "%g"
>>>     # add/remove user in groups
>>>          add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>>>          delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>>>     # define primary group of user
>>>          set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>>>     # add machines in domain
>>>          add machine script = /usr/sbin/smbldap-useradd -i -w "%u"
>>>
>>> regards
>>>
>>> On Mon, Sep 27, 2010 at 12:15 PM, Gaiseric Vandal
>>> <gaiseric.vandal at gmail.com>   wrote:
>>>> Your user script may be adding a LOCAL unix account (in /etc/passwd.)
>>>> Do you see the accounts in there? You may need a custom script that
>>>> adds the accounts to ldap.
>>>>
>>>> The following may help
>>>>
>>>> https://gna.org/projects/smbldap-tools/
>>>>
>>>>
>>>> Remember, that being root on your unix system does not automatically
>>>> make you LDAP admin.
>>>>
>>>> If you have a single server then having your unix may be OK - samba
>>>> will match the samba user to the unix user via the user id. I have
>>>> multiple servers so I use LDAP for unix accounts (previously used NIS.)
>>>> So now an LDAP user has both windows and unix account info.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 09/27/2010 11:08 AM, Claudio Prono wrote:
>>>>> Gaiseric Vandal wrote:
>>>>>
>>>>>> Do you have an underlying unix account for the pc (eg SOMEMACHINE$)
>>>>>>
>>>>>> It is possible to configure scripts that the unix account is created
>>>>>> by samba if necessary when samba creates the "Windows" account for
>>>>>> the machine. I don't have it set up this way, so I need to create the
>>>>>> unix account 1st.
>>>>>>
>>>>>>
>>>>> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
>>>>>
>>>>> This script automatically adds the machine if needed, or am I wrong?
>>>>>
>>>>>> Also, I found that since the underlying unix OS may need to validate
>>>>>> the machine account, I put my machine accounts in either the same
>>>>>> ldap ou as people (or in a sub ou.) ("getent passwd" command may need
>>>>>> to show your machine accounts as well as people accounts.)
>>>>>>
>>>>>> If you have manually created the unix account for the machine, can
>>>>>> you then manually create the samba account for it
>>>>>>
>>>>>>          e.g. smbpasswd -m -a SOMEMACHINE
>>>>>>
>>>>>>      (I think you leave the $ off .)
>>>>>>
>>>>>>
>>>>>> I use LDAP for both "unix" and "windows" clients so my config choices
>>>>>> may not be applicable to a windows-only client environment.
>>>>>>
>>>>>>
>>>>>> On 09/27/2010 09:59 AM, Claudio Prono wrote:
>>>>>>

-- 
--------------------------------------------------------------------------------
Claudio Prono                         OPST
System Developer               
                                      Gsm: +39-349-54.33.258
@PSS Srl                              Tel: +39-011-32.72.100
Via San Bernardino, 17                Fax: +39-011-32.46.497
10141 Torino - ITALY                  http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc
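Two things in this thread can be checked mechanically: Dale's point that "workgroup" and "netbios name" must not be identical, and the `_netr_LogonSamLogon` entry in Claudio's log, where the user's SID and the primary group's SID carry different domain portions (S-1-5-21-3218914170-... for the user, S-1-5-21-1949818787-... for group RID 513, Domain Users). That mismatch typically means the group entries in LDAP were created under a different domain SID than the users, for instance after the server's local SID changed. The script below is an added example, not code from the thread or from the Samba project; its sample log and smb.conf fragment are constructed from the values quoted above, and `parse_smb_conf` is a minimal reader of testparm output, not Samba's own parameter loader. It also flags the `ldap ssl = no` plus `ldap://` combination visible in the testparm output, since that sends the "ldap admin dn" bind password and the stored password hashes over the network unencrypted.

```python
"""Added diagnostic for the two failure signs discussed in this thread.

Not part of the thread or of Samba; the sample log and smb.conf fragment
below are constructed from the values quoted in the thread.

  1. smb.conf: "workgroup" equal to "netbios name", and an ldap:// passdb
     backend combined with "ldap ssl = no".
  2. smbd log: a _netr_LogonSamLogon entry whose user SID and primary group
     SID have different domain portions ("conflicting domain portions").
"""
import re

# Constructed sample, laid out like the wrapped lines quoted in the thread.
SAMPLE_LOG = r"""
[2010/09/28 10:07:45.872442,  2] auth/auth.c:304(check_ntlm_password)
   check_ntlm_password:  authentication for user [AFS] ->  [AFS] -> [AFS] succeeded
[2010/09/28 10:07:45.872630,  1] rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
   _netr_LogonSamLogon: user MEDIADC\AFS has user sid
S-1-5-21-3218914170-3340994528-1537192846-3010
    but group sid S-1-5-21-1949818787-1514111066-129980733-513.
   The conflicting domain portions are not supported for NETLOGON calls
"""

# Constructed [global] fragment taken from Claudio's testparm output.
SAMPLE_CONF = """
[global]
        workgroup = MEDIADC
        netbios name = MEDIADC
        passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
        ldap ssl = no
        domain logons = Yes

[homes]
        comment = Home Directories
"""

# Matches the NETLOGON message; \s+ absorbs the line wrapping.
NETLOGON_RE = re.compile(
    r"_netr_LogonSamLogon: user (?P<user>\S+) has user sid\s+"
    r"(?P<usid>S-1-5-21(?:-\d+){4})\s+but group sid\s+"
    r"(?P<gsid>S-1-5-21(?:-\d+){4})"
)


def split_sid(sid):
    """Split an NT SID into (domain SID, RID); the RID is the last sub-authority."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def find_sid_domain_mismatches(log_text):
    """One record per NETLOGON entry whose user and group SIDs belong to
    different domains. RID 513 is the well-known 'Domain Users' group."""
    found = []
    for m in NETLOGON_RE.finditer(log_text):
        udom, urid = split_sid(m.group("usid"))
        gdom, grid = split_sid(m.group("gsid"))
        if udom != gdom:
            found.append({"user": m.group("user"), "user_domain": udom,
                          "user_rid": urid, "group_domain": gdom,
                          "group_rid": grid})
    return found


def parse_smb_conf(text):
    """Minimal smb.conf / testparm reader: {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_smb_conf(text):
    """Return a list of findings for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    wg, nb = g.get("workgroup", ""), g.get("netbios name", "")
    if wg and wg.lower() == nb.lower():
        findings.append(
            f"workgroup and netbios name are both '{wg}': the host's unique "
            "<00> NetBIOS name collides with the workgroup's group <00> name; "
            "give the host its own name")
    backend = g.get("passdb backend", "").lower()
    if "ldap://" in backend and g.get("ldap ssl", "").lower() in ("no", "off"):
        findings.append(
            "passdb backend uses ldap:// with 'ldap ssl = no': the ldap admin "
            "dn bind and the sambaNTPassword hashes cross the network "
            "unencrypted; use 'ldap ssl = start tls' or an ldapi:/// socket")
    return findings


if __name__ == "__main__":
    for f in check_smb_conf(SAMPLE_CONF):
        print("CONFIG:", f)
    for r in find_sid_domain_mismatches(SAMPLE_LOG):
        print(f"LOGON: {r['user']} user SID domain {r['user_domain']} != "
              f"group SID domain {r['group_domain']} (group RID {r['group_rid']})")
```

On a real system feed it the output of `testparm -s` and the smbd log, then compare the two domain portions it reports with `net getlocalsid` and with the sambaSID attribute of the sambaDomainName entry in LDAP; whichever side does not match the current domain SID is the stale one and needs its sambaSID attributes regenerated.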
