Torben Thomsen
2004-Mar-11 14:18 UTC
[Samba] LDAP issue, access denied adding machine to domain, and LDAP user can't make unix-login on the box.
Hi, I have an LDAP backend for my Samba 3.0.2, and everything seems to work except adding XP machines to the domain, and unix logins with an ldap client. Since this mail is very long, I have created a small index, so you don't get exhausted in the middle of all the logs... ;)

1. LDAP user-creation
2. Group info
3. pam/nss info
4. smb.conf [global]
5. Log from trying to add machine to domain
6. Log from trying to unix-login the user
7. Conclusion

1) I create new users through a web interface where I have created test3 as a domain admin, and an ldap search returns the following attributes on test3:

uidnumber: 10009
sambasid: S-1-5-21-2409322033-11024189-1315579533-21018
cn: test3
displayname: test3
sn: test3
uid: test3
loginshell: /bin/bash
homedirectory: /samba/home/test3
gidnumber: 512
objectclass: inetOrgPerson
objectclass: sambaSAMAccount
objectclass: posixAccount
sambahomepath: \\LOGIN\homes
sambahomedrive: H:
sambaacctflags: [U ]
sambadomainname: SKOLE1
sambalogonscript: \\LOGIN\logonScript\test3.bat
sambaprofilepath: \\LOGIN\test3\.profile
sambaprimarygroupsid: S-1-5-21-2409322033-11024189-1315579533-512
sambalmpassword: 07E9BB454DCA7EBCAAD3B435B51404EE
sambantpassword: C3F7CE8E37AB104169F3313FF2C6AC6A
userpassword: {MD5}WnsFSpsqzAhNDorh9YhDpA=

I can validate the user with smbclient -L localhost -U test3 but NOT log in the user in Linux!

2) A "net groupmap list" returns the interesting parts like:

Domain Admins (S-1-5-21-2409322033-11024189-1315579533-512) -> admin
Domain Computers (S-1-5-21-2409322033-11024189-1315579533-553) -> Domain Computers

And all the admin tools seem to work as well: smbpasswd and the smbldap tools in /usr/local/sbin seem to work (I can create new users with smbldap-useradd.pl)!

and ls -l /usr/local/sbin returns:

-rwxr-xr-x 1 root staff 27777 Feb 12 16:22 mkntpwd
-rwxr-xr-x 1 root staff 4367 Feb 10 21:05 smbldap-groupadd.pl
-rwxr-xr-x 1 root staff 2324 Feb 10 21:05 smbldap-groupdel.pl
-rwxr-xr-x 1 root staff 7869 Feb 10 21:05 smbldap-groupmod.pl
-rwxr-xr-x 1 root staff 1884 Feb 10 21:05 smbldap-groupshow.pl
-rwxr-xr-x 1 root staff 7158 Feb 10 21:05 smbldap-migrate-accounts.pl
-rwxr-xr-x 1 root staff 4974 Feb 10 21:05 smbldap-migrate-groups.pl
-rwxr-xr-x 1 root staff 5599 Feb 10 21:05 smbldap-passwd.pl
-rwxr-xr-x 1 root staff 8995 Feb 10 21:05 smbldap-populate.pl
-rw-r--r-- 1 root staff 5521 Feb 10 21:05 smbldap-tools.spec
-rwxr-x--x 1 root admin 16100 Mar 2 18:45 smbldap-useradd.pl
-rwxr-x--x 1 root staff 16162 Mar 2 18:37 smbldap-useradd.pl~
-rwxr-xr-x 1 root staff 2950 Feb 10 21:05 smbldap-userdel.pl
-rwxr-xr-x 1 root staff 15085 Feb 10 21:05 smbldap-usermod.pl
-rwxr-xr-x 1 root staff 1826 Feb 10 21:05 smbldap-usershow.pl
-rwxr-x-wx 1 root admin 3842 Mar 4 20:21 smbldap_conf.pm
-rwxr-x-wx 1 root admin 3844 Mar 4 20:17 smbldap_conf.pm~
-rw-r--r-- 1 root staff 18882 Feb 10 21:05 smbldap_tools.pm

3) I suspect nss/pam as the problem, but I don't know how to solve it...

My /etc/nsswitch.conf :

passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

4) ----- SMB.CONF -----

[global]
workgroup = SKOLE1
passdb backend = ldapsam:ldap://127.0.0.1/
ldap suffix = dc=login
ldap machine suffix = ou=machines
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap admin dn = "cn=admin,dc=login"
ldap passwd sync = yes
ldap delete dn = yes
ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
ldap ssl = no
passwd chat debug = Yes
passwd program =/usr/local/bin/smbldap-passwd.pl -o %u
passwd chat = *new*password* %n\n *new*password:* %n\ *successfully*
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add machine script = /usr/local/sbin/smbldap-useradd.pl -a -w "%m"
add user script = /usr/local/sbin/smbldap-useradd.pl -a "%u"
delete user script = /usr/local/sbin/smbldap-useradd.pl -d "%u"
add group script = /usr/local/sbin/smbldap-useradd.pl -a -g "%g"
delete group script = /usr/local/sbin/smbldap-useradd.pl -d -g "%g"
add user to group script = /usr/local/sbin/smbldap-useradd.pl -j -u "%u" -g "%g"
delete user from group script = /usr/local/sbin/smbldap-useradd.pl -j -u "%u" -g "%g"
set primary group script = /usr/local/sbin/smbldap-useradd.pl -m -u "%u" -gid "%g"
server string = thePri Samba Server
netbios name = THEPRI
#printcap name = cups
load printers = no
#printing = cups
log file = /var/log/samba/%m.log
log level = 3
max log size = 5000
security = user
encrypt passwords = true
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = yes
os level = 40
domain master = yes
preferred master = yes
domain logons = yes
wins support = yes
dns proxy = no
admin users = @admin

5) ---- SYSLOG ----

Log from attempt to add a machine to the domain. The XP just gives me an "access denied" dialog.

Sorry about the length, I just submitted everything since I don't know what would be relevant for
debugging... One of the last lines tells me it has to do with permissions.... but why...

Mar 11 15:28:49 compaq slapd[395]: conn=271 fd=22 ACCEPT from IP=127.0.0.1:33162 (IP=0.0.0.0:389)
Mar 11 15:28:49 compaq slapd[487]: conn=271 op=0 BIND dn="cn=admin,dc=login" method=128
Mar 11 15:28:49 compaq slapd[487]: conn=271 op=0 BIND dn="cn=admin,dc=login" mech=simple ssf=0
Mar 11 15:28:49 compaq slapd[487]: conn=271 op=0 RESULT tag=97 err=0 text
Mar 11 15:28:49 compaq slapd[481]: conn=271 op=1 SRCH base="dc=login" scope=2 filter="(&(objectClass=sambaDomain)(sambaDomainName=SKOLE1))"
Mar 11 15:28:49 compaq slapd[481]: conn=271 op=1 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
Mar 11 15:28:49 compaq slapd[481]: conn=271 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 15:28:49 compaq slapd[487]: conn=271 op=2 SRCH base="dc=login" scope=2 filter="(&(&(uid=test3)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))"
Mar 11 15:28:49 compaq slapd[487]: conn=271 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
Mar 11 15:28:49 compaq slapd[487]: conn=271 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 15:28:49 compaq slapd[395]: conn=272 fd=31 ACCEPT from IP=127.0.0.1:33163 (IP=0.0.0.0:389)
Mar 11 15:28:49 compaq slapd[481]: conn=272 op=0 BIND dn="" method=128
Mar 11 15:28:49 compaq slapd[481]: conn=272 op=0 RESULT tag=97 err=0 text
Mar 11 15:28:49 compaq slapd[487]: conn=272 op=1 SRCH base="dc=login" scope=2 filter="(&(objectClass=posixAccount)(uid=test3))"
Mar 11 15:28:49 compaq slapd[487]: conn=272 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Mar 11 15:28:49 compaq slapd[487]: conn=272 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 15:28:49 compaq slapd[481]: conn=272 op=2 SRCH base="dc=login" scope=2 filter="(uid=test3)"
Mar 11 15:28:49 compaq slapd[481]: conn=272 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 15:28:49 compaq slapd[487]: conn=272 op=3 SRCH base="dc=login" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=test3)(uniqueMember=uid=test3,ou=people,dc=login)))"
Mar 11 15:28:49 compaq slapd[487]: conn=272 op=3 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
Mar 11 15:28:49 compaq slapd[487]: conn=272 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text
Mar 11 15:28:49 compaq slapd[481]: conn=271 op=3 SRCH base="ou=groups,dc=login" scope=2 filter="(&(objectClass=sambaGroupMapping)(gidNumber=512))"
Mar 11 15:28:49 compaq slapd[481]: conn=271 op=3 SRCH attr=gidNumber sambaSID sambaGroupType description displayName cn objectClass
Mar 11 15:28:49 compaq slapd[481]: conn=271 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 15:28:49 compaq slapd[487]: conn=272 op=4 SRCH base="dc=login" scope=2 filter="(&(objectClass=posixAccount)(uid=test3))"
Mar 11 15:28:49 compaq slapd[487]: conn=272 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Mar 11 15:28:49 compaq slapd[487]: conn=272 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 15:28:49 compaq slapd[481]: conn=272 op=5 SRCH base="dc=login" scope=2 filter="(&(objectClass=posixAccount)(uid=test3))"
Mar 11 15:28:49 compaq slapd[481]: conn=272 op=5 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Mar 11 15:28:49 compaq slapd[481]: conn=272 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 14:28:49 compaq smbd[5768]: [2004/03/11 14:28:49, 0] smbd/service.c:set_admin_user(321)
Mar 11 14:28:49 compaq smbd[5768]: test3 logged in as admin user (root privileges)
Mar 11 15:28:49 compaq slapd[487]: conn=272 op=6 SRCH base="dc=login" scope=2 filter="(uid=test3)"
Mar 11 15:28:49 compaq slapd[487]: conn=272 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 15:28:49 compaq slapd[481]: conn=272 op=7 SRCH base="dc=login" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=test3)(uniqueMember=uid=test3,ou=people,dc=login)))"
Mar 11 15:28:49 compaq slapd[481]: conn=272 op=7 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
Mar 11 15:28:49 compaq slapd[481]: conn=272 op=7 SEARCH RESULT tag=101 err=0 nentries=0 text
Mar 11 15:28:49 compaq slapd[487]: conn=271 op=4 SRCH base="dc=login" scope=2 filter="(&(&(uid=root)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))"
Mar 11 15:28:49 compaq slapd[487]: conn=271 op=4 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
Mar 11 15:28:49 compaq slapd[487]: conn=271 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text
Mar 11 15:28:49 compaq slapd[395]: conn=271 fd=22 closed
Mar 11 15:28:49 compaq slapd[395]: conn=272 fd=31 closed
Mar 11 15:28:50 compaq slapd[395]: conn=273 fd=22 ACCEPT from IP=127.0.0.1:33164 (IP=0.0.0.0:389)
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=0 BIND dn="cn=admin,dc=login" method=128
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=0 BIND dn="cn=admin,dc=login" mech=simple ssf=0
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=0 RESULT tag=97 err=0 text
Mar 11 15:28:50 compaq slapd[481]: conn=273 op=1 SRCH base="dc=login" scope=2 filter="(&(objectClass=sambaDomain)(sambaDomainName=SKOLE1))"
Mar 11 15:28:50 compaq slapd[481]: conn=273 op=1 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
Mar 11 15:28:50 compaq slapd[481]: conn=273 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=2 SRCH base="dc=login" scope=2 filter="(&(&(uid=test3)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))"
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 15:28:50 compaq slapd[395]: conn=274 fd=31 ACCEPT from IP=127.0.0.1:33165 (IP=0.0.0.0:389)
Mar 11 15:28:50 compaq slapd[481]: conn=274 op=0 BIND dn="" method=128
Mar 11 15:28:50 compaq slapd[481]: conn=274 op=0 RESULT tag=97 err=0 text
Mar 11 15:28:50 compaq slapd[487]: conn=274 op=1 SRCH base="dc=login" scope=2 filter="(&(objectClass=posixAccount)(uid=test3))"
Mar 11 15:28:50 compaq slapd[487]: conn=274 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Mar 11 15:28:50 compaq slapd[487]: conn=274 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 15:28:50 compaq slapd[487]: conn=274 op=2 SRCH base="dc=login" scope=2 filter="(uid=test3)"
Mar 11 15:28:50 compaq slapd[487]: conn=274 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 15:28:50 compaq slapd[481]: conn=274 op=3 SRCH base="dc=login" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=test3)(uniqueMember=uid=test3,ou=people,dc=login)))"
Mar 11 15:28:50 compaq slapd[481]: conn=274 op=3 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
Mar 11 15:28:50 compaq slapd[481]: conn=274 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=3 SRCH base="ou=groups,dc=login" scope=2 filter="(&(objectClass=sambaGroupMapping)(gidNumber=512))"
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=3 SRCH attr=gidNumber sambaSID sambaGroupType description displayName cn objectClass
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 15:28:50 compaq slapd[487]: conn=274 op=4 SRCH base="dc=login" scope=2 filter="(&(objectClass=posixAccount)(uid=test3))"
Mar 11 15:28:50 compaq slapd[487]: conn=274 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Mar 11 15:28:50 compaq slapd[487]: conn=274 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 15:28:50 compaq slapd[481]: conn=274 op=5 SRCH base="dc=login" scope=2 filter="(&(objectClass=posixAccount)(uid=test3))"
Mar 11 15:28:50 compaq slapd[481]: conn=274 op=5 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Mar 11 15:28:50 compaq slapd[481]: conn=274 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 14:28:50 compaq smbd[5769]: [2004/03/11 14:28:50, 0] smbd/service.c:set_admin_user(321)
Mar 11 14:28:50 compaq smbd[5769]: test3 logged in as admin user (root privileges)
Mar 11 15:28:50 compaq slapd[487]: conn=274 op=6 SRCH base="dc=login" scope=2 filter="(uid=test3)"
Mar 11 15:28:50 compaq slapd[487]: conn=274 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 15:28:50 compaq slapd[481]: conn=274 op=7 SRCH base="dc=login" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=test3)(uniqueMember=uid=test3,ou=people,dc=login)))"
Mar 11 15:28:50 compaq slapd[481]: conn=274 op=7 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
Mar 11 15:28:50 compaq slapd[481]: conn=274 op=7 SEARCH RESULT tag=101 err=0 nentries=0 text
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=4 SRCH base="dc=login" scope=2 filter="(&(&(uid=root)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))"
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=4 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=5 SRCH base="dc=login" scope=2 filter="(&(&(uid=monster1$)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))"
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=5 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=5 SEARCH RESULT tag=101 err=0 nentries=0 text
Mar 11 15:28:50 compaq slapd[481]: conn=274 op=8 SRCH base="dc=login" scope=2 filter="(&(objectClass=posixAccount)(uid=monster1$))"
Mar 11 15:28:50 compaq slapd[481]: conn=274 op=8 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Mar 11 15:28:50 compaq slapd[481]: conn=274 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 15:28:50 compaq slapd[487]: conn=274 op=9 SRCH base="dc=login" scope=2 filter="(&(objectClass=posixAccount)(uid=monster1$))"
Mar 11 15:28:50 compaq slapd[487]: conn=274 op=9 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Mar 11 15:28:50 compaq slapd[487]: conn=274 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 15:28:50 compaq slapd[481]: conn=273 op=6 SRCH base="ou=groups,dc=login" scope=2 filter="(&(objectClass=sambaGroupMapping)(gidNumber=553))"
Mar 11 15:28:50 compaq slapd[481]: conn=273 op=6 SRCH attr=gidNumber sambaSID sambaGroupType description displayName cn objectClass
Mar 11 15:28:50 compaq slapd[481]: conn=273 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=7 SRCH base="dc=login" scope=2 filter="(&(&(uid=monster1$)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))"
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=7 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=7 SEARCH RESULT tag=101 err=0 nentries=0 text
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=8 SRCH base="dc=login" scope=2 filter="(&(sambaSID=S-1-5-21-2409322033-11024189-1315579533-21014)(objectClass=sambaSamAccount))"
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=8 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=8 SEARCH RESULT tag=101 err=0 nentries=0 text
Mar 11 15:28:50 compaq slapd[481]: conn=273 op=9 SRCH base="dc=login" scope=2 filter="(&(uid=monster1$)(objectClass=sambaSamAccount))"
Mar 11 15:28:50 compaq slapd[481]: conn=273 op=9 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
Mar 11 15:28:50 compaq slapd[481]: conn=273 op=9 SEARCH RESULT tag=101 err=0 nentries=0 text
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=10 SRCH base="dc=login" scope=2 filter="(&(sambaSID=S-1-5-21-2409322033-11024189-1315579533-21014)(|(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))"
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=10 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=10 SEARCH RESULT tag=101 err=0 nentries=0 text
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=11 ADD dn="uid=monster1$,ou=machines,dc=login"
Mar 11 15:28:50 compaq slapd[487]: conn=273 op=11 RESULT tag=105 err=68 text
Mar 11 14:28:50 compaq smbd[5769]: [2004/03/11 14:28:50, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1634)
Mar 11 14:28:50 compaq smbd[5769]: ldapsam_add_sam_account: failed to modify/add user with uid = monster1$ (dn = uid=monster1$,ou=machines,dc=login)
Mar 11 14:28:50 compaq smbd[5769]: [2004/03/11 14:28:50, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2251)
Mar 11 14:28:50 compaq smbd[5769]: could not add user/computer monster1$ to passdb. Check permissions?
Mar 11 15:28:50 compaq slapd[395]: conn=273 fd=22 closed
Mar 11 15:28:50 compaq slapd[395]: conn=274 fd=31 closed

6) Log from attempt to ssh to the box:

It looks like the LDAP tries to filter shadowAccount, and that could be the problem, BUT I have tried to create users with that ObjectClass as well without any luck!

Mar 11 16:01:42 compaq slapd[395]: conn=282 fd=22 ACCEPT from IP=127.0.0.1:33177 (IP=0.0.0.0:389)
Mar 11 16:01:42 compaq slapd[487]: conn=282 op=0 BIND dn="" method=128
Mar 11 16:01:42 compaq slapd[487]: conn=282 op=0 RESULT tag=97 err=0 text
Mar 11 16:01:42 compaq slapd[481]: conn=282 op=1 SRCH base="dc=login" scope=2 filter="(&(objectClass=posixAccount)(uid=test3))"
Mar 11 16:01:42 compaq slapd[481]: conn=282 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Mar 11 16:01:42 compaq slapd[481]: conn=282 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 16:01:42 compaq slapd[487]: conn=282 op=2 SRCH base="dc=login" scope=2 filter="(uid=test3)"
Mar 11 16:01:42 compaq slapd[487]: conn=282 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 16:01:42 compaq slapd[481]: conn=282 op=3 SRCH base="dc=login" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=test3)(uniqueMember=uid=test3,ou=people,dc=login)))"
Mar 11 16:01:42 compaq slapd[481]: conn=282 op=3 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
Mar 11 16:01:42 compaq slapd[481]: conn=282 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text
Mar 11 16:01:43 compaq slapd[395]: conn=282 fd=22 closed
Mar 11 16:01:43 compaq slapd[395]: conn=283 fd=22 ACCEPT from IP=127.0.0.1:33178 (IP=0.0.0.0:389)
Mar 11 16:01:43 compaq slapd[487]: conn=283 op=0 BIND dn="" method=128
Mar 11 16:01:43 compaq slapd[487]: conn=283 op=0 RESULT tag=97 err=0 text
Mar 11 16:01:43 compaq slapd[481]: conn=283 op=1 SRCH base="dc=login" scope=2 filter="(&(objectClass=posixAccount)(uid=test3))"
Mar 11 16:01:43 compaq slapd[481]: conn=283 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Mar 11 16:01:43 compaq slapd[481]: conn=283 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text
Mar 11 16:01:43 compaq slapd[487]: conn=283 op=2 SRCH base="dc=login" scope=2 filter="(&(objectClass=shadowAccount)(uid=test3))"
Mar 11 16:01:43 compaq slapd[487]: conn=283 op=2 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Mar 11 16:01:43 compaq slapd[487]: conn=283 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text
Mar 11 16:01:45 compaq slapd[395]: conn=283 fd=22 closed

7) My primary focus is to add the machines to the domain, but I would like help with both issues if anyone could help.

Thanks in advance...

/Torben T
zergio
2004-Mar-11 14:35 UTC
[Samba] LDAP issue, access denied adding machine to domain, and LDAP user can't make unix-login on the box.
I think you need to delete the string:

ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))

I got a similar problem with adding a machine account. The change stated above helped, thanks to @beast@.
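
Added example (editorial, not part of either post): a small Python reader for slapd logs like the one in the first post. It pairs each request with its result by conn/op, names the result code per RFC 4511 (err=68 is entryAlreadyExists), and for a failed ADD lists what earlier searches for the same RDN returned. The function names are this example's own; the sample is an abridged excerpt of the posted log.

```python
import re

# LDAP result codes (RFC 4511) that are useful when reading slapd logs.
RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                50: "insufficientAccessRights", 65: "objectClassViolation",
                68: "entryAlreadyExists"}

# A syslog record starts with "Mon DD HH:MM:SS host proc[pid]: ". Splitting on
# that prefix also works when an archive has glued records together
# ("... err=0 textMar 11 15:28:50 ...").
RECORD_START = re.compile(r"(?=[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ \w+\[\d+\]: )")
OP = re.compile(r"slapd\[\d+\]: conn=(\d+) op=(\d+) (.*)", re.S)
RESULT = re.compile(r"(?:SEARCH )?RESULT tag=\d+ err=(\d+)(?: nentries=(\d+))?")
REQUEST = re.compile(r'(BIND|SRCH|ADD|MOD|DEL) (?:base=\S+ scope=\d+ )?(?:dn|filter)="([^"]*)"')

# Excerpt abridged from the log in the first post, left in its run-together form.
SAMPLE = (
    'Mar 11 15:28:50 compaq slapd[481]: conn=274 op=8 SRCH base="dc=login" scope=2 '
    'filter="(&(objectClass=posixAccount)(uid=monster1$))" '
    'Mar 11 15:28:50 compaq slapd[481]: conn=274 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text'
    'Mar 11 15:28:50 compaq slapd[481]: conn=273 op=9 SRCH base="dc=login" scope=2 '
    'filter="(&(uid=monster1$)(objectClass=sambaSamAccount))" '
    'Mar 11 15:28:50 compaq slapd[481]: conn=273 op=9 SEARCH RESULT tag=101 err=0 nentries=0 text'
    'Mar 11 15:28:50 compaq slapd[487]: conn=273 op=11 ADD dn="uid=monster1$,ou=machines,dc=login" '
    'Mar 11 15:28:50 compaq slapd[487]: conn=273 op=11 RESULT tag=105 err=68 text'
    'Mar 11 14:28:50 compaq smbd[5769]: could not add user/computer monster1$ to passdb. '
    'Check permissions? '
)


def parse_ops(blob):
    """Pair every slapd request with its result, keyed by (conn, op)."""
    ops = {}
    for record in RECORD_START.split(blob):
        m = OP.search(record)
        if not m:
            continue  # smbd lines, ACCEPT/closed lines, empty split pieces
        key, rest = (int(m.group(1)), int(m.group(2))), m.group(3)
        entry = ops.setdefault(key, {"verb": None, "target": None,
                                     "err": None, "nentries": None})
        res, req = RESULT.match(rest), REQUEST.match(rest)
        if res:
            entry["err"] = int(res.group(1))
            if res.group(2) is not None:
                entry["nentries"] = int(res.group(2))
        elif req:  # "SRCH attr=..." lines match neither pattern and are skipped
            entry["verb"], entry["target"] = req.group(1), req.group(2)
    return ops


def diagnose(blob):
    """Return one finding per operation whose result code is not success."""
    ops = parse_ops(blob)
    findings = []
    for (conn, op), e in sorted(ops.items()):
        if e["err"] in (None, 0):
            continue
        finding = {"conn": conn, "op": op, "verb": e["verb"], "target": e["target"],
                   "err": e["err"], "name": RESULT_NAMES.get(e["err"], "unknown"),
                   "searches": {}}
        if e["verb"] == "ADD":
            rdn = e["target"].split(",")[0]  # e.g. uid=monster1$
            finding["searches"] = {s["target"]: s["nentries"] for s in ops.values()
                                   if s["verb"] == "SRCH" and rdn in s["target"]
                                   and s["nentries"] is not None}
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE):
        print(f'conn={f["conn"]} op={f["op"]} {f["verb"]} {f["target"]}: '
              f'err={f["err"]} ({f["name"]})')
        for flt, n in f["searches"].items():
            print(f"  earlier search {flt} -> nentries={n}")
```

On the posted excerpt the only failing operation is the ADD of uid=monster1$,ou=machines,dc=login; the posixAccount search for that uid returned one entry and the sambaSamAccount search returned none.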