[Samba] Problem with Samba - OpenLDAP and domain authentication of Windows XP
Claudio Prono
claudio.prono at atpss.net
Tue Sep 28 09:47:26 MDT 2010
OK, thanks, I have resolved it... now the Samba+LDAP part as domain
controller works like a charm!
Thank you to all.
Claudio.
Dale Schroeder wrote:
> Claudio,
>
> Your problems may arise from the fact that you have set the
> "workgroup" and "netbios name" to identical values.
>
> [global]
> workgroup = MEDIADC
> netbios name = MEDIADC
>
>
> See the last sentence of this link:
>
> http://oreilly.com/catalog/samba/chapter/book/ch04_04.html
>
> Dale
>
> On 09/28/2010 4:06 AM, Claudio Prono wrote:
>
>> OK, now the join to the domain works, but when I create a new user and
>> I try to log in to the Windows XP domain, Windows says to me "Unable
>> to access. A peripheral is not working" (sorry for the poor translation,
>> but my Windows is in Italian). In the Samba logs I read this:
>>
>> [2010/09/28 10:07:45.795892, 2] smbd/reply.c:536(reply_special)
>> netbios connect: name1=MEDIADC 0x20 name2=TESTAFS 0x0
>> [2010/09/28 10:07:45.796139, 2] smbd/reply.c:547(reply_special)
>> netbios connect: local=mediadc remote=testafs, name type = 0
>> [2010/09/28 10:07:45.799185, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>> [2010/09/28 10:07:45.801093, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>> [2010/09/28 10:07:45.801767, 2] lib/smbldap.c:950(smbldap_open_connection)
>> smbldap_open_connection: connection opened
>> [2010/09/28 10:07:45.865629, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
>> init_sam_from_ldap: Entry found for user: AFS
>> [2010/09/28 10:07:45.872442, 2] auth/auth.c:304(check_ntlm_password)
>> check_ntlm_password: authentication for user [AFS] -> [AFS] -> [AFS] succeeded
>> [2010/09/28 10:07:45.872630, 1] rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
>> _netr_LogonSamLogon: user MEDIADC\AFS has user sid S-1-5-21-3218914170-3340994528-1537192846-3010 but group sid S-1-5-21-1949818787-1514111066-129980733-513.
>> The conflicting domain portions are not supported for NETLOGON calls
>>
>> This is my testparm (currently):
>>
>> [global]
>> workgroup = MEDIADC
>> netbios name = MEDIADC
>> map to guest = Bad User
>> passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
>> log level = 2
>> printcap name = cups
>> add user script = /usr/sbin/ldapsmb -a -u "%u" -smbacct --makehomedir --homedir /home/%u -f
>> delete user script = /usr/sbin/ldapsmb -d -u "%u" -f
>> add group script = /usr/sbin/ldapsmb -a -g "%g" -f
>> delete group script = /usr/sbin/ldapsmb -d -g "%g" -f
>> add user to group script = /usr/sbin/ldapsmb -j -u "%u" -g "%g" -f
>> delete user from group script = /usr/sbin/ldapsmb -r -u "%u" -g "%g" -f
>> add machine script = "/usr/sbin/ldapsmb -a -wks %u -f"
>> logon path = \\%L\profiles\.msprofile
>> logon drive = P:
>> logon home = \\%L\%U\.9xprofile
>> domain logons = Yes
>> os level = 99
>> preferred master = Yes
>> domain master = Yes
>> wins support = Yes
>> ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
>> ldap group suffix = ou=group
>> ldap idmap suffix = ou=Idmap
>> ldap machine suffix = ou=Machines
>> ldap passwd sync = yes
>> ldap suffix = dc=mediaservice-test,dc=pri
>> ldap ssl = no
>> ldap user suffix = ou=people
>> usershare allow guests = Yes
>> idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
>> cups options = raw
>>
>> [homes]
>> comment = Home Directories
>> valid users = %S, %D%w%S
>> read only = No
>> inherit acls = Yes
>> browseable = No
>>
>> [profiles]
>> comment = Network Profiles Service
>> path = %H
>> read only = No
>> create mask = 0600
>> directory mask = 0700
>> store dos attributes = Yes
>>
>> [users]
>> comment = All users
>> path = /home
>> read only = No
>> inherit acls = Yes
>> veto files = /aquota.user/groups/shares/
>>
>> [groups]
>> comment = All groups
>> path = /home/groups
>> read only = No
>> inherit acls = Yes
>>
>> [printers]
>> comment = All Printers
>> path = /var/tmp
>> create mask = 0600
>> printable = Yes
>> browseable = No
>>
>> [print$]
>> comment = Printer Drivers
>> path = /var/lib/samba/drivers
>> write list = @ntadmin, root
>> force group = ntadmin
>> create mask = 0664
>> directory mask = 0775
>>
>> [netlogon]
>> comment = Network Logon Service
>> path = /var/lib/samba/netlogon
>> write list = root
>>
>> How can I debug what is wrong?
>>
>> Any suggestion?
>>
>> Cordially,
>>
>> Claudio Prono.
>>
>>
>>
>>
>> Gaiseric Vandal wrote:
>>> Wait, you are using Samba with an OpenLDAP backend.
>>>
>>> Why are you using useradd??? With this backend you need smbldap
>>> instead, like this:
>>>
>>> passdb backend = ldapsam:ldap://your ldap server
>>> ldap passwd sync = yes
>>> ldap delete dn = Yes
>>> ldap admin dn = cn=root,dc=domain,dc=com,dc=br
>>> ldap suffix = dc=domain,dc=com,dc=br
>>> ldap machine suffix = ou=Computers
>>> ldap user suffix = ou=Users
>>> ldap group suffix = ou=Groups
>>> ldap idmap suffix = sambaDomainName=DOMAIN
>>> idmap backend = ldap:ldap://ldap server
>>> idmap alloc backend = ldap:ldap://ldap server
>>> idmap uid = 1000-20000
>>> idmap gid = 1000-20000
>>> idmap alloc config:range = 1000-20000
>>> ldap timeout = 15
>>> ldap connection timeout = 2
>>> ldap page size = 1024
>>>
>>> # add/remove users
>>> add user script = /usr/sbin/smbldap-useradd -m "%u"
>>> delete user script = /usr/sbin/smbldap-userdel "%u"
>>> # add/remove Groups
>>> add group script = /usr/sbin/smbldap-groupadd -p "%g"
>>> delete group script = /usr/sbin/smbldap-groupdel "%g"
>>> # add/remove user in groups
>>> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>>> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>>> # define primary group of user
>>> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>>> # add machines in domain
>>> add machine script = /usr/sbin/smbldap-useradd -i -w "%u"
>>>
>>> regards
>>>
>>> On Mon, Sep 27, 2010 at 12:15 PM, Gaiseric Vandal
>>> <gaiseric.vandal at gmail.com> wrote:
>>>> Your user script may be adding a LOCAL Unix account (in /etc/passwd).
>>>> Do you see the accounts in there? You may need a custom script that
>>>> adds the accounts to LDAP.
>>>>
>>>> The following may help
>>>>
>>>> https://gna.org/projects/smbldap-tools/
>>>>
>>>>
>>>> Remember that being root on your Unix system does not automatically
>>>> make you LDAP admin.
>>>>
>>>> If you have a single server then having local Unix accounts may be OK -
>>>> Samba will match the Samba user to the Unix user via the user id. I have
>>>> multiple servers so I use LDAP for Unix accounts (previously used NIS.)
>>>> So now an LDAP user has both Windows and Unix account info.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 09/27/2010 11:08 AM, Claudio Prono wrote:
>>>>> Gaiseric Vandal wrote:
>>>>>
>>>>>> Do you have an underlying Unix account for the PC (e.g.
>>>>>> SOMEMACHINE$)?
>>>>>>
>>>>>> It is possible to configure scripts so that the Unix account is
>>>>>> created by Samba if necessary when Samba creates the "Windows"
>>>>>> account for the machine. I don't have it set up this way, so I need
>>>>>> to create the Unix account first.
>>>>>>
>>>>>>
>>>>> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
>>>>>
>>>>> This script automatically adds the machine if needed, or am I
>>>>> wrong?
>>>>>
>>>>>> Also, I found that since the underlying Unix OS may need to
>>>>>> validate the machine account, I put my machine accounts in either
>>>>>> the same LDAP ou as people (or in a sub ou.) (The "getent passwd"
>>>>>> command may need to show your machine accounts as well as people
>>>>>> accounts.)
>>>>>>
>>>>>> If you have manually created the Unix account for the machine, can
>>>>>> you then manually create the Samba account for it?
>>>>>>
>>>>>> e.g. smbpasswd -m -a SOMEMACHINE
>>>>>>
>>>>>> (I think you leave the $ off.)
>>>>>>
>>>>>>
>>>>>> I use LDAP for both "Unix" and "Windows" clients so my config
>>>>>> choices may not be applicable to a Windows-only client environment.
>>>>>>
>>>>>>
>>>>>> On 09/27/2010 09:59 AM, Claudio Prono wrote:
>>>>>>
--
--------------------------------------------------------------------------------
Claudio Prono OPST
System Developer
Gsm: +39-349-54.33.258
@PSS Srl Tel: +39-011-32.72.100
Via San Bernardino, 17 Fax: +39-011-32.46.497
10141 Torino - ITALY http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc
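Editor's note on the two problems in this thread. The level-1 smbd message quoted above is the real error: the user SID S-1-5-21-3218914170-3340994528-1537192846-3010 and the primary-group SID S-1-5-21-1949818787-1514111066-129980733-513 do not share a domain portion. A domain SID has the shape S-1-5-21-A-B-C-RID; S-1-5-21-A-B-C is the domain and the trailing RID names the account (513 is the well-known RID of "Domain Users"). Every SID the PDC puts into a NETLOGON reply must belong to the PDC's own domain SID, so a mismatch means the user or group entry in LDAP was created under a different domain SID than the one Samba now uses. The script below is an added example written for this page, not code from the thread, from Samba or from smbldap-tools: it pulls user/group SID pairs out of smbd log text and flags mismatched domains, and it also applies Dale's check that `workgroup` and `netbios name` are not identical. The sample log and config text are copied from the messages above; nothing else is assumed.

```python
"""Two checks for the Samba 3 + OpenLDAP PDC problems discussed in this thread.
Added example code (editor's), not from the thread, Samba or smbldap-tools.
"""
import re
from typing import Dict, List, Optional, Tuple

# Domain SID: S-1-5-21-<a>-<b>-<c>-<rid>
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

# The smbd message, which may be wrapped across lines as in the posted log.
LOGON_RE = re.compile(
    r"_netr_LogonSamLogon: user (\S+) has user sid\s+(S-1-5-21-[\d-]+)"
    r"\s+but group sid\s+(S-1-5-21-[\d-]+)"
)


def split_sid(sid: str) -> Tuple[str, int]:
    """Split a domain SID into (domain portion, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    a, b, c, rid = m.groups()
    return "S-1-5-21-%s-%s-%s" % (a, b, c), int(rid)


def same_domain(user_sid: str, group_sid: str) -> bool:
    """True when both SIDs belong to the same domain."""
    return split_sid(user_sid)[0] == split_sid(group_sid)[0]


def find_sid_conflicts(log_text: str) -> List[Dict[str, object]]:
    """Extract user/group SID pairs from smbd log text; report mismatched domains."""
    conflicts = []
    for user, user_sid, group_sid in LOGON_RE.findall(log_text):
        user_dom, user_rid = split_sid(user_sid)
        group_dom, group_rid = split_sid(group_sid)
        if user_dom != group_dom:
            conflicts.append({
                "user": user,
                "user_domain": user_dom, "user_rid": user_rid,
                "group_domain": group_dom, "group_rid": group_rid,
            })
    return conflicts


def parse_global(conf: str) -> Dict[str, str]:
    """Return the key = value pairs of the [global] section (keys lower-cased)."""
    section, values = None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def check_names(conf: str) -> Optional[str]:
    """Return a warning if workgroup and netbios name are the same, else None."""
    g = parse_global(conf)
    workgroup = g.get("workgroup", "").upper()
    netbios = g.get("netbios name", "").upper()
    if workgroup and workgroup == netbios:
        return "workgroup and netbios name are both %r; they must differ" % workgroup
    return None


# Excerpt copied from the smbd log posted in the thread (no constructed values).
SAMPLE_LOG = """\
[2010/09/28 10:07:45.872442, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [AFS] -> [AFS] -> [AFS] succeeded
[2010/09/28 10:07:45.872630, 1] rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
  _netr_LogonSamLogon: user MEDIADC\\AFS has user sid
S-1-5-21-3218914170-3340994528-1537192846-3010
but group sid S-1-5-21-1949818787-1514111066-129980733-513.
The conflicting domain portions are not supported for NETLOGON calls
"""

# The [global] settings Dale pointed at, copied from the posted testparm output.
SAMPLE_CONF = """\
[global]
    workgroup = MEDIADC
    netbios name = MEDIADC
    passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
"""

if __name__ == "__main__":
    for c in find_sid_conflicts(SAMPLE_LOG):
        print("SID domain conflict for %(user)s: user in %(user_domain)s "
              "(RID %(user_rid)d), primary group in %(group_domain)s "
              "(RID %(group_rid)d)" % c)
    warning = check_names(SAMPLE_CONF)
    if warning:
        print("smb.conf:", warning)
```

On a real PDC the domain portion reported for the user should be compared with `net getlocalsid` on the Samba host and with the `sambaSID` attribute of the `sambaDomainName=...` entry in LDAP; whichever side disagrees (typically users or groups imported under an earlier, since-regenerated SID) has to be fixed before the NETLOGON reply can be built.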