Ryan Braun
2005-Jun-15 17:52 UTC
[Samba] Can't join pc to domain with smbldap-tools but can with smbpasswd
I have Samba with LDAP set up and it seems to be running, but I am having trouble getting PCs to join the domain.

The Samba/LDAP server is running Debian sarge (from when it was testing; haven't updated since), so samba 3.0.14a-13 and slapd 2.2.23-5. Client PC is Windows 2000, plus various Linux machines. smbldap-tools 0.9.1.

If I try to join the domain with no entry in the Computers group, Windows says there is a bad username and the log file looks like this:

[2005/06/14 19:01:12, 2] smbd/server.c:exit_server(609)
  Closing connections
[2005/06/14 19:01:12, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/06/14 19:01:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: root
[2005/06/14 19:01:12, 2] passdb/pdb_ldap.c:init_group_from_ldap(2000)
  init_group_from_ldap: Entry found for group: 512
[2005/06/14 19:01:12, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2005/06/14 19:01:12, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2580)
  Returning domain sid for domain LDAPDOMAIN -> S-1-5-21-3007768992-1764342258-1846594437
[2005/06/14 19:01:13, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
  _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w "ldap-test$"' gave 9
[2005/06/14 19:01:13, 2] smbd/server.c:exit_server(609)
  Closing connections

I'm not sure what the "gave 9" error means or where to look it up. But the ldap-test$ entry gets created without a sambaSAMAccount objectclass.

If I run "smbldap-adduser -w ldap-test$" (after removing the existing ldap-test$ entry) it will create the entry, but it doesn't have a sambaSAMAccount objectclass. And it won't join the domain.

If I create a local user in /etc/passwd and then use smbpasswd -m -a, it will create the LDAP entry in Computers but it has no posix objectclass. BUT it will allow me to join the PC to the domain.

The only problem then (not sure if it's related or not) is that the only user that can log in is the root user used to join the PC to the domain; any other users created with smbldap-adduser -a won't authenticate. Any users created with the smbldap scripts can authenticate against any of the Linux boxes set up to authenticate against LDAP.

[2005/06/14 21:36:27, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/06/14 21:36:27, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: ldap-test$
[2005/06/14 21:37:07, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: windowsguy
[2005/06/14 21:37:08, 1] auth/auth_util.c:make_server_info_sam(840)
  User windowsguy in passdb, but getpwnam() fails!
[2005/06/14 21:37:08, 0] auth/auth_sam.c:check_sam_security(324)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2005/06/14 21:37:08, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [windowsguy] -> [windowsguy] FAILED with error NT_STATUS_NO_SUCH_USER

Then as root:

[2005/06/14 21:38:21, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: root
[2005/06/14 21:38:22, 2] passdb/pdb_ldap.c:init_group_from_ldap(2000)
  init_group_from_ldap: Entry found for group: 512
[2005/06/14 21:38:22, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2005/06/14 21:38:25, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: root
[2005/06/14 21:38:25, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2005/06/14 21:38:25, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: root
[2005/06/14 21:38:25, 1] smbd/service.c:make_connection_snum(642)
  ldap-test (192.16.240.141) connect to service profiles initially as user root (uid=0, gid=0) (pid 14108)
John H Terpstra
2005-Jun-15 18:08 UTC
[Samba] Can't join pc to domain with smbldap-tools but can with smbpasswd
I recommend that you follow chapter 5 of the book "Samba-3 by Example". This fully documents every step in minute detail to get your Samba/LDAP server operational. The last review (done Saturday) used smbldap-tools-0.9.1.

If you experience any problems please report them to me directly. Be sure to state the section number and step number that are causing you trouble. I promise to fix anything that is causing trouble in the book.

It is simply an impossible task to assist everyone on this list individually with their own custom configuration.

- John T.

On Wednesday 15 June 2005 11:49, Ryan Braun wrote:
> I have samba with ldap setup and seems to be running, just I am having
> trouble having pc's join the domain.
>
> The samba/ldap server is running debian sarge (when it was testing,
> haven't updated since) so samba 3.0.14a-13 and slapd 2.2.23-5. Client pc
> is windows 2000, and various linux's. smbldap-tools 0.9.1
>
> If I try to join the domain with no entry in the Computers group, windows
> says there is a bad username and the log file looks like this.
>
> [2005/06/14 19:01:12, 2] smbd/server.c:exit_server(609)
>   Closing connections
> [2005/06/14 19:01:12, 2] lib/smbldap.c:smbldap_open_connection(692)
>   smbldap_open_connection: connection opened
> [2005/06/14 19:01:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: root
> [2005/06/14 19:01:12, 2] passdb/pdb_ldap.c:init_group_from_ldap(2000)
>   init_group_from_ldap: Entry found for group: 512
> [2005/06/14 19:01:12, 2] auth/auth.c:check_ntlm_password(305)
>   check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
> [2005/06/14 19:01:12, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2580)
>   Returning domain sid for domain LDAPDOMAIN -> S-1-5-21-3007768992-1764342258-1846594437
> [2005/06/14 19:01:13, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
>   _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w "ldap-test$"' gave 9
> [2005/06/14 19:01:13, 2] smbd/server.c:exit_server(609)
>   Closing connections
>
> I'm not sure what the "gave 9" error means or where to look it up. But the
> ldap-test$ entry gets created without a sambaSAMAccount objectclass.
>
> If I run "smbldap-adduser -w ldap-test$" (after removing the existing
> ldap-test$ entry) it will create the entry but it doesn't have a
> sambaSAMAccount objectclass. And it won't join the domain.
>
> If I create a local user in /etc/passwd and then use smbpasswd -m -a it
> will create the ldap entry in Computers but it has no posix objectclass.
> BUT it will allow me to join the pc to the domain.
>
> The only problem then (not sure if it's related or not), is that the only
> user that can login is the root user used to join the pc to the domain,
> any other users created with smbldap-adduser -a won't authenticate. Any
> users created with the smbldap scripts can authenticate against any of the
> linux boxes setup to authenticate against ldap.
>
> [2005/06/14 21:36:27, 2] lib/smbldap.c:smbldap_open_connection(692)
>   smbldap_open_connection: connection opened
> [2005/06/14 21:36:27, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: ldap-test$
> [2005/06/14 21:37:07, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: windowsguy
> [2005/06/14 21:37:08, 1] auth/auth_util.c:make_server_info_sam(840)
>   User windowsguy in passdb, but getpwnam() fails!
> [2005/06/14 21:37:08, 0] auth/auth_sam.c:check_sam_security(324)
>   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
> [2005/06/14 21:37:08, 2] auth/auth.c:check_ntlm_password(312)
>   check_ntlm_password: Authentication for user [windowsguy] -> [windowsguy] FAILED with error NT_STATUS_NO_SUCH_USER
>
> then as root
>
> [2005/06/14 21:38:21, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: root
> [2005/06/14 21:38:22, 2] passdb/pdb_ldap.c:init_group_from_ldap(2000)
>   init_group_from_ldap: Entry found for group: 512
> [2005/06/14 21:38:22, 2] auth/auth.c:check_ntlm_password(305)
>   check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
> [2005/06/14 21:38:25, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: root
> [2005/06/14 21:38:25, 2] auth/auth.c:check_ntlm_password(305)
>   check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
> [2005/06/14 21:38:25, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: root
> [2005/06/14 21:38:25, 1] smbd/service.c:make_connection_snum(642)
>   ldap-test (192.16.240.141) connect to service profiles initially as user root (uid=0, gid=0) (pid 14108)

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
Ryan Braun
2005-Jun-15 18:21 UTC
[Samba] Can't join pc to domain with smbldap-tools but can with smbpasswd
On June 15, 2005 05:49 pm, Ryan Braun wrote:
> I have samba with ldap setup and seems to be running, just I am having
> trouble having pc's join the domain.
>
> The samba/ldap server is running debian sarge (when it was testing,
> haven't updated since) so samba 3.0.14a-13 and slapd 2.2.23-5. Client pc
> is windows 2000, and various linux's. smbldap-tools 0.9.1

Replying to myself here, but after I sent the message off I noticed I had an older Debian package for smbldap-tools installed as well as the latest tarball. I removed the Debian package and made sure the configs were set up with the proper paths to the 0.9.1 scripts. Now when I try to join a machine to the domain the Samba logs look like it works, but Windows still says bad username.

Note: changed hostname to win2k.

First try: creates the LDAP entry without sambaSAMAccount, and Windows complains about a bad username when adding to the domain.

[2005/06/15 18:17:19, 2] smbd/server.c:exit_server(609)
  Closing connections
[2005/06/15 18:17:19, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/06/15 18:17:19, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: root
[2005/06/15 18:17:20, 2] passdb/pdb_ldap.c:init_group_from_ldap(2000)
  init_group_from_ldap: Entry found for group: 512
[2005/06/15 18:17:20, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2005/06/15 18:17:20, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2580)
  Returning domain sid for domain LDAPDOMAIN -> S-1-5-21-3007768992-1764342258-1846594437
[2005/06/15 18:17:20, 2] smbd/server.c:exit_server(609)
  Closing connections

If I try to join the domain again (leaving the LDAP entry that was created above) I get:

[2005/06/15 18:18:30, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/06/15 18:18:30, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: root
[2005/06/15 18:18:30, 2] passdb/pdb_ldap.c:init_group_from_ldap(2000)
  init_group_from_ldap: Entry found for group: 512
[2005/06/15 18:18:30, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2005/06/15 18:18:30, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2580)
  Returning domain sid for domain LDAPDOMAIN -> S-1-5-21-3007768992-1764342258-1846594437
[2005/06/15 18:18:31, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
  _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w "win2k$"' gave 9
[2005/06/15 18:18:31, 2] smbd/server.c:exit_server(609)
  Closing connections

So I guess that "gave 9" message is reported because the entry already exists, but why is the sambaSAMAccount object class not being added?

> If I run "smbldap-adduser -w ldap-test$" (after removing the existing
> ldap-test$ entry) it will create the entry but it doesn't have a
> sambaSAMAccount objectclass. And it won't join the domain.
>
> If I create a local user in /etc/passwd and then use smbpasswd -m -a it
> will create the ldap entry in Computers but it has no posix objectclass.
> BUT it will allow me to join the pc to the domain.
>
> The only problem then (not sure if it's related or not), is that the only
> user that can login is the root user used to join the pc to the domain,
> any other users created with smbldap-adduser -a won't authenticate. Any
> users created with the smbldap scripts can authenticate against any of the
> linux boxes setup to authenticate against ldap.
>
> [2005/06/14 21:36:27, 2] lib/smbldap.c:smbldap_open_connection(692)
>   smbldap_open_connection: connection opened
> [2005/06/14 21:36:27, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: ldap-test$
> [2005/06/14 21:37:07, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: windowsguy
> [2005/06/14 21:37:08, 1] auth/auth_util.c:make_server_info_sam(840)
>   User windowsguy in passdb, but getpwnam() fails!
> [2005/06/14 21:37:08, 0] auth/auth_sam.c:check_sam_security(324)
>   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
> [2005/06/14 21:37:08, 2] auth/auth.c:check_ntlm_password(312)
>   check_ntlm_password: Authentication for user [windowsguy] -> [windowsguy] FAILED with error NT_STATUS_NO_SUCH_USER
>
> then as root
>
> [2005/06/14 21:38:21, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: root
> [2005/06/14 21:38:22, 2] passdb/pdb_ldap.c:init_group_from_ldap(2000)
>   init_group_from_ldap: Entry found for group: 512
> [2005/06/14 21:38:22, 2] auth/auth.c:check_ntlm_password(305)
>   check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
> [2005/06/14 21:38:25, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: root
> [2005/06/14 21:38:25, 2] auth/auth.c:check_ntlm_password(305)
>   check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
> [2005/06/14 21:38:25, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
>   init_sam_from_ldap: Entry found for user: root
> [2005/06/14 21:38:25, 1] smbd/service.c:make_connection_snum(642)
>   ldap-test (192.16.240.141) connect to service profiles initially as user root (uid=0, gid=0) (pid 14108)
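An added check, not part of the thread or of smbldap-tools, for the two half-made accounts the posts describe. Samba's ldapsam passdb backend reads the sambaSamAccount object class, while the "User windowsguy in passdb, but getpwnam() fails!" message comes from auth_util.c asking the C library for the account, which nss_ldap can only answer from a posixAccount. The script below reads an LDIF entry (the form ldapsearch -LLL prints) and lists whichever of those two classes is absent; the live check_account helper wraps ldapsearch and getent. The base DN dc=example,dc=com and the three sample entries are constructed for illustration and are not data from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check an LDAP account entry for the
# two object classes a Samba 3 + nss_ldap domain controller needs.
#   - sambaSamAccount : what Samba's ldapsam passdb backend looks up
#   - posixAccount    : what nss_ldap needs to answer getpwnam()
# An entry with only one of them gives the thread's symptoms: the join
# fails, or "User X in passdb, but getpwnam() fails!" at logon.

# missing_classes: read one LDIF entry (ldapsearch -LLL style) on stdin,
# print each required object class that is absent, one per line.
# Exit status 0 when nothing is missing, 1 otherwise.
missing_classes() {
    # LDAP object class names are case-insensitive, so compare lowercased.
    present=$(grep -i '^objectClass:' | cut -d: -f2- | tr -d ' ' | tr 'A-Z' 'a-z')
    rc=0
    for want in posixAccount sambaSamAccount; do
        lc=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$present" | grep -qx "$lc"; then
            echo "$want"
            rc=1
        fi
    done
    return $rc
}

# check_account NAME: the live version, run on the Samba/LDAP server.
# BASE is an assumed suffix; set it to the "ldap suffix" from smb.conf.
BASE=${BASE:-dc=example,dc=com}
check_account() {
    ldapsearch -x -LLL -b "$BASE" "(uid=$1)" objectClass | missing_classes
    # getpwnam() is answered by nss_ldap, not by Samba, so test it directly.
    getent passwd "$1" >/dev/null 2>&1 ||
        echo "getpwnam($1) fails: nss_ldap cannot resolve this account"
}

# Constructed sample entries (not real directory data), mirroring the two
# half-made accounts described in the thread plus a complete one.
SAMPLE_POSIX_ONLY='dn: uid=win2k$,ou=Computers,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uid: win2k$'

SAMPLE_SAMBA_ONLY='dn: uid=win2k$,ou=Computers,dc=example,dc=com
objectClass: top
objectClass: sambaSamAccount
uid: win2k$'

SAMPLE_BOTH='dn: uid=windowsguy,ou=Users,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: windowsguy'

for sample in "$SAMPLE_POSIX_ONLY" "$SAMPLE_SAMBA_ONLY" "$SAMPLE_BOTH"; do
    missing=$(printf '%s\n' "$sample" | missing_classes | tr '\n' ' ')
    echo "$(printf '%s\n' "$sample" | head -n 1): missing [${missing:-none}]"
done
```

On the server itself, `check_account 'win2k$'` after a failed join shows whether the machine entry Samba's add machine script left behind is usable at all, and `check_account windowsguy` separates "entry lacks sambaSamAccount" from "nss_ldap is not configured to see the entry", which the smbd log alone does not distinguish.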