Patrick DUBAU
2004-Oct-07 09:28 UTC
[Samba] account is not authorized to connect from this station.
Hi all,

(I'm a beginner.) I have Samba 3.0.7 and ldap 2.1.30-3 installed on Linux Debian sarge. My user accounts are stored in LDAP (ou=people,dc=alsace,dc=iufm,dc=fr).

I used the IDEALX smbldap-tools 0.8.5 to:
- populate LDAP (the account Administrator is created; `id administrator` gives "uid=0(Administrator) gid=512(Domain Admins) groupes=512(Domain Admins)")
- add my machine account (named i-dp-test) with: smbldap-useradd -w i-dp-test
- create some user accounts with: smbldap-useradd -a -m -c "Pat DUBAU" pat

For tests I did:
- pdbedit -Lv: lists all my users/computers with Samba attributes. So OK.
- smbclient -L FS1: prompts me for a password; I give the *root's* password, then I get:

Domain=[DOMI] OS=[Unix] Server=[Samba 3.0.7-Debian]

        Sharename      Type      Comment
        ---------      ----      -------
        commun         Disk      commun aux profs et étudiants
        compta         Disk      fichiers du service comptable
        prothee        Disk      accès à prothee
        netlogon       Disk      Network Logon Service
        IPC$           IPC       IPC Service (Samba 3.0.7-Debian)
        ADMIN$         IPC       IPC Service (Samba 3.0.7-Debian)
Domain=[DOMI] OS=[Unix] Server=[Samba 3.0.7-Debian]

        Server               Comment
        ---------            -------
        FS1                  Samba 3.0.7-Debian

        Workgroup            Master
        ---------            -------
        DOMI                 FS1
        INFORMATIQUE         I_AM
        MSHOME               I_NN
        WORKGROUP            I-ADMRESEAU

My problem: when I change the workgroup to domain DOMI on workstation i-dp-test, I'm prompted for user and password; I give *administrator* and his password, but I get the error message: "The following error occurred while attempting to join domain IDOM: The account is not authorized to connect from this station."

Note: the machine is Windows XP SP1.

I have been looking into that problem for a few days now, but I can't find out what's wrong.

Thank you for any help.

*Here is my smb.conf file:*

[global]
   netbios name = FS1
   workgroup = DOMI
   security = user
   encrypt passwords = no
   admin users = @"Domain Admins"

   interfaces = 192.168.251.8
   domain logons = Yes
   os level = 35
   preferred master = Yes
   domain master = Yes

   log file = /var/log/samba/%m.log
   log level = 3
   max log size = 5000

   add machine script = /usr/local/sbin/smbldap-useradd -w %u"
   add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
   #add user script = /usr/local/sbin/smbldap-useradd -m "%u"
   #add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
   #add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
   #add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
   #delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
   #set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
   #delete user script = /usr/local/sbin/smbldap-userdel "%u"
   #delete group script = /usr/local/sbin/smbldap-groupdel "%g"

   obey pam restrictions = Yes

   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap suffix = dc=alsace,dc=iufm,dc=fr
   ldap admin dn = "cn=admin,dc=alsace,dc=iufm,dc=fr"
   ldap ssl = no
   ldap user suffix = ou=People
   ldap machine suffix = ou=Computers
   ldap group suffix = ou=Groups
   #ldap idmap suffix = ou=Users
   ldap passwd sync = Yes
   #***********************************************************************************

   ldap passwd sync = Yes

[commun]
   comment = commun aux profs et étudiants
   volume = commun
   path = /home/samba/commun
   guest ok = yes
   read only = no
   writeable = yes

[compta]
   comment = fichiers du service comptable
   path = /home/samba/fichiers/compta
   public = yes
   writeable = yes
   read only = no
   create mask = 0750
   valid users = @compta

[prothee]
   comment = accès à prothee
   path = /home/samba/prothee
   public = yes
   writeable = yes
   read only = no
   create mask = 0750
   valid users = "prothee"

[netlogon]
   path = /home/samba/netlogon
   browseable = no
   read only = yes

*Here is my slapd.conf file:*

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses
schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.args

# Read slapd.conf(5) for possible values
loglevel        256

# Create a replication log in /var/lib/ldap for use by slurpd.
replogfile      /var/log/ldap.log

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_ldbm

#######################################################################
# Specific Backend Directives for ldbm:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         ldbm

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend        <other>

#######################################################################
# Specific Directives for database #1, of type ldbm:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        ldbm

# The base of your directory in database #1
suffix          "dc=alsace,dc=iufm,dc=fr"

# Where the database files are physically stored for database #1
directory       "/var/lib/ldap"

# Indexing options for database #1
index objectClass eq
index uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attribute=userPassword
        by dn="cn=admin,dc=alsace,dc=iufm,dc=fr" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possibly other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=alsace,dc=iufm,dc=fr" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=alsace,dc=iufm,dc=fr" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be ldbm too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database        <other>

# The base of your directory for database #2
#suffix         "dc=debian,dc=org"
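A point worth checking in the slapd.conf above, as an added note and example that is not part of the original post nor code from the Samba or OpenLDAP projects: the only attribute-specific ACL in the file covers userPassword. samba.schema adds sambaLMPassword and sambaNTPassword, which hold the LM and NT hashes of every account, and those attributes fall through to the catch-all `access to * ... by * read`, so any anonymous bind to this server can read them; for NTLM authentication the NT hash is as usable as the password itself. The script below evaluates slapd's rule that the first directive whose `<what>` covers an attribute decides, over the posted ACLs and over a hardened copy with one extra directive placed ahead of the catch-all. The admin DN is taken from the posted file; the hardened directive, the function names and the simplification that dn-scoped directives are skipped (so results hold for ordinary entries under the suffix) are this example's own assumptions.

```python
"""Evaluate slapd.conf ACLs for the Samba hash attributes (added example)."""
import re

LEVELS = ['none', 'disclose', 'auth', 'compare', 'search', 'read', 'write', 'manage']
HASH_ATTRS = ('sambaLMPassword', 'sambaNTPassword')
PRINCIPALS = {                        # <who> selectors each kind of requester satisfies
    'anonymous': {'*', 'anonymous'},
    'users':     {'*', 'users'},      # an authenticated DN other than the entry's own
    'self':      {'*', 'users', 'self'},
}

# Constructed sample: the ACL part of the slapd.conf posted in the thread.
POSTED_ACLS = """\
access to attribute=userPassword
        by dn="cn=admin,dc=alsace,dc=iufm,dc=fr" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=alsace,dc=iufm,dc=fr" write
        by * read
"""

# Assumed fix: one directive for all three secrets, ahead of the catch-all.
HARDENED_ACLS = """\
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="cn=admin,dc=alsace,dc=iufm,dc=fr" write
        by anonymous auth
        by self write
        by * none
""" + POSTED_ACLS


def parse_acls(text):
    """Join continuation lines; return [(target, [(who, level), ...]), ...]."""
    directives, buf = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0].isspace():              # indented line continues the directive
            if buf is not None:
                buf += ' ' + raw.strip()
            continue
        if buf is not None:
            directives.append(buf)
        buf = raw.strip() if raw.startswith('access ') else None
    if buf is not None:
        directives.append(buf)
    return [_parse_directive(d) for d in directives]


def _parse_directive(directive):
    head, *by_parts = re.split(r'\s+by\s+', directive)
    what = head.split(None, 2)[2]         # text after "access to"
    target = {'all': what == '*', 'attrs': None, 'dn_scoped': False}
    for tok in what.split():
        key, _, val = tok.partition('=')
        if key in ('attrs', 'attr', 'attribute'):
            target['attrs'] = {a.lower() for a in val.split(',')}
        elif key.split('.')[0] == 'dn':
            target['dn_scoped'] = True
    clauses = []
    for part in by_parts:
        tokens = part.split()
        if tokens[-1] in ('stop', 'continue', 'break'):   # control keyword, ignored
            tokens.pop()
        clauses.append((' '.join(tokens[:-1]), tokens[-1]))
    return target, clauses


def effective_access(rules, attr, principal):
    """Access level `principal` gets to `attr` on an ordinary entry."""
    attr = attr.lower()
    for target, clauses in rules:
        if target['dn_scoped']:           # simplification: dn-scoped rules not evaluated
            continue
        if not target['all'] and (target['attrs'] is None or attr not in target['attrs']):
            continue
        for who, level in clauses:        # first matching <by> clause wins
            if who in PRINCIPALS[principal]:
                return level
        return 'none'                     # directive matched but no <by> clause did
    return 'none'                         # nothing matched: nothing granted


def grants(level, needed):
    return LEVELS.index(level) >= LEVELS.index(needed)


def exposed_hash_attrs(text):
    """Hash attributes readable by an anonymous or ordinary authenticated bind."""
    rules = parse_acls(text)
    return sorted(a for a in HASH_ATTRS if any(
        grants(effective_access(rules, a, p), 'read') for p in ('anonymous', 'users')))


def report(text):
    rules = parse_acls(text)
    return {a: {p: effective_access(rules, a, p) for p in PRINCIPALS}
            for a in ('userPassword',) + HASH_ATTRS}


if __name__ == '__main__':
    for name, conf in (('posted', POSTED_ACLS), ('hardened', HARDENED_ACLS)):
        print(name, report(conf), 'exposed:', exposed_hash_attrs(conf))
```

Samba itself binds as the `ldap admin dn`, so the extra directive does not take anything away from it; it only stops everyone else reading the hashes. Because slapd stops at the first directive that matches, the new line has to sit above `access to *` or it is never reached.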
Paul Gienger
2004-Oct-07 13:01 UTC
[Samba] account is not authorized to connect from this station.
> obey pam restrictions = Yes

I don't know how Samba deals with this line, since it has its own parameter for workstation in the LDAP schema, but with straight UNIX you can't log in on any machine that isn't listed under the 'host' attribute. Try removing this line.

-- 
Paul Gienger                        Office: 701-281-1884
Applied Engineering Inc.            Fax:    701-281-1322
Information Systems Consultant      URL:    www.ae-solutions.com
mailto: pgienger@ae-solutions.com
Patrick DUBAU
2004-Oct-07 14:04 UTC
[Samba] account is not authorized to connect from this station.
In the meantime I found it by myself. The error is in the smb.conf file. I changed

   encrypt passwords = no

to

   encrypt passwords = yes

and now it works!! :-) Hope that could help someone else.

> My problem: when I change the workgroup to domain DOMI on workstation i-dp-test,
> I'm prompted for user and password; I give *administrator* and his password,
> but I get the error message: "The following error occurred while attempting
> to join domain IDOM: The account is not authorized to connect from this station."
> Note: the machine is Windows XP SP1.

-- 
--------------------------------------------------------------------------------------------
Patrick DUBAU
IUFM d'Alsace - Service Informatique: "Parfois détruire, souvent construire, toujours Servir"
("Sometimes destroy, often build, always serve")
200 avenue de Colmar
67100 STRASBOURG
Téléphone: 03.88.40.79.76
----------------------------------------------------------------------------------------------
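The fix Patrick found, together with the other points a reviewer would pick up in the smb.conf posted at the top of the thread, as an added example that is not code from the thread or from Samba. A Samba 3 PDC answers the NTLM challenge/response that workstations and machine accounts use, which `encrypt passwords = no` switches off (Samba's own default is yes); the posted `add machine script` line also carries an unbalanced double quote, which the shell Samba hands the command to will reject, and the global `admin users` makes every member of Domain Admins operate as root on every share. The sample configuration below is a constructed, trimmed copy of the posted file; the function names and the severity labels are this example's own.

```python
"""Review helper for the smb.conf posted in this thread (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample: the relevant lines of the posted smb.conf, values as posted.
SAMPLE_SMB_CONF = """\
[global]
   netbios name = FS1
   workgroup = DOMI
   security = user
   encrypt passwords = no
   admin users = @"Domain Admins"
   domain logons = Yes
   add machine script = /usr/local/sbin/smbldap-useradd -w %u"
   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap admin dn = "cn=admin,dc=alsace,dc=iufm,dc=fr"
   ldap ssl = no

[commun]
   path = /home/samba/commun
   guest ok = yes
   read only = no
   writeable = yes

[compta]
   path = /home/samba/fichiers/compta
   public = yes
   writeable = yes
   valid users = @compta

[netlogon]
   path = /home/samba/netlogon
   browseable = no
   read only = yes
"""

LOOPBACK = {'127.0.0.1', 'localhost', '::1'}


def parse_smb_conf(text):
    """Return {section: {param: value}}; parameter names are lower-cased with
    whitespace removed, the way Samba canonicalises them. Comment lines start
    with # or ;."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = re.fullmatch(r'\[(.+)\]', line)
        if m:
            current = m.group(1).strip().lower()
            conf[current] = {}
        elif current is not None and '=' in line:
            key, value = line.split('=', 1)
            conf[current][re.sub(r'\s+', '', key).lower()] = value.strip()
    return conf


def is_yes(value):
    return value.strip().strip('"').lower() in ('yes', 'true', '1')


def writable(share):
    """'writeable'/'writable' are the inverse of 'read only' (default yes)."""
    if 'readonly' in share:
        return not is_yes(share['readonly'])
    return is_yes(share.get('writeable', share.get('writable', 'no')))


def review(text):
    """Return a list of (severity, message) findings."""
    conf = parse_smb_conf(text)
    g = conf.get('global', {})
    findings = []
    # Samba 3 defaults 'encrypt passwords' to yes; the posted file turns it off.
    if is_yes(g.get('domainlogons', 'no')) and not is_yes(g.get('encryptpasswords', 'yes')):
        findings.append(('error', 'encrypt passwords = no: domain logons need NTLM '
                                  'challenge/response; set encrypt passwords = yes'))
    if g.get('addmachinescript', '').count('"') % 2:
        findings.append(('error', 'add machine script: unbalanced double quote, the shell '
                                  'rejects the command and no machine account gets created'))
    backend = g.get('passdbbackend', '')
    if backend.startswith('ldapsam:'):
        url = urlparse(backend.split(':', 1)[1])
        if (url.scheme == 'ldap' and g.get('ldapssl', '').lower() in ('no', 'off')
                and url.hostname not in LOOPBACK):
            findings.append(('warn', f'ldap admin dn binds in clear text to {url.hostname}'))
    if g.get('adminusers'):
        findings.append(('info', f"admin users = {g['adminusers']}: these do all file "
                                 'operations as root on every share'))
    for name, share in conf.items():
        if name in ('global', 'homes', 'printers'):
            continue
        guest = is_yes(share.get('guestok', share.get('public', 'no')))
        if guest and writable(share) and not share.get('validusers'):
            findings.append(('warn', f'[{name}]: guest ok with write access and no valid users: '
                                     'no password is needed to connect and write as the guest account'))
    return findings


def enable_encrypted_passwords(text):
    """The fix from the thread, applied to the file text."""
    return re.sub(r'(?im)^([ \t]*encrypt[ \t]*passwords[ \t]*=[ \t]*).*$', r'\1yes', text)


if __name__ == '__main__':
    for sev, msg in review(SAMPLE_SMB_CONF):
        print(f'{sev:5} {msg}')
    print('after fix:', review(enable_encrypted_passwords(SAMPLE_SMB_CONF)))
```

The LDAP bind check stays quiet for the posted file because the directory is on 127.0.0.1; it only fires when `ldap ssl = no` is combined with a remote server, where the `ldap admin dn` password would cross the network in clear. [compta] is not reported even though it is `public = yes`, since `valid users = @compta` still limits who can connect.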