Eduard Witteveen
2005-Aug-12 08:23 UTC
[Samba] Adding machine to domain fails - check permissions? (ldap)
Dear list,

When I try to add a machine to the domain (ldap/pdc) I get the following error:

> Error: modifications require authentication at
> /usr/share/perl5/smbldap_tools.pm line 891, <DATA> line 283.
> [2005/08/11 16:46:54, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
>   _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "eduard-laptop$"' gave 127

Since I used the user Administrator, I logged in from the Windows machine on the Linux computer running Samba with the username Administrator (an account which is stored inside LDAP), and I *can* run the command successfully. (This user is actually root, since I changed the gidNumber and the uidNumber both to 0.)

But when this machine has been added manually to the LDAP database, I still cannot join the domain and Samba puts information like the following in the log:

> [2005/08/11 17:05:07, 0] lib/smbldap.c:smbldap_open(882)
>   smbldap_open: cannot access LDAP when not root..
> .....
> [2005/08/11 17:05:22, 0] lib/smbldap.c:smbldap_search_suffix(1176)
>   smbldap_search_suffix: Problem during the LDAP search: (Timed out)
> [2005/08/11 17:05:22, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2350)
>   could not add user/computer eduard-laptop$ to passdb. Check permissions?

I've attached the smb.conf for completeness.
Furthermore, I'm running Version 3.0.14a-Ubuntu.

Please let me know how I can let Samba execute the "add machine script" successfully.

--
Eduard Witteveen
+31 (0)6 414 789 23
nl_NL fy_NL en_US

-------------- next part --------------
# Global parameters
[global]
        workgroup = hawarit
        netbios name = pdc
        enable privileges = yes
# interfaces = 192.168.5.11
        username map = /etc/samba/smbusers
        server string = Samba Server %v
        security = user
        encrypt passwords = true
# min passwd length = 3
        min print space = 3
        obey pam restrictions = No
        #unix password sync = Yes
        #passwd program = /usr/sbin/smbldap-passwd -u %u
        #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
        ldap passwd sync = Yes
        log level = 0
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 100000
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        mangling method = hash2
        Dos charset = 850
        Unix charset = ISO8859-1

        logon script = logon.bat
        logon drive = H:
        logon home
        logon path

        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = no
        passdb backend = ldapsam:ldap://127.0.0.1/
        # passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"
        # ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
        ldap admin dn = cn=manager,dc=hawarit,dc=com
        ldap suffix = dc=hawarit,dc=com
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Users

#TODO: use tls on ldap server one day!
# ldap ssl = start tls
        ldap ssl = no
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        ldap delete dn = Yes
        #delete user script = /usr/sbin/smbldap-userdel "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        #delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

        # printers configuration
        printer admin = @"Print Operators"
        load printers = Yes
        create mask = 0640
        directory mask = 0750
        nt acl support = No
        printing = cups
        printcap name = cups
        deadtime = 10
        guest account = nobody
        map to guest = Bad User
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
        show add printer wizard = yes
        ; to maintain capital letters in shortcuts in any of the profile folders:
        preserve case = yes
        short preserve case = yes
        case sensitive = no

[homes]
        comment = repertoire de %U, %u
        read only = No
        create mask = 0644
        directory mask = 0775
        browseable = No

[netlogon]
        path = /home/samba/netlogon/
        browseable = No
        read only = yes

[profiles]
        path = /home/samba/profiles
        read only = no
        create mask = 0600
        directory mask = 0700
        browseable = No
        guest ok = Yes
        profile acls = yes
        csc policy = disable
        # next line is a great way to secure the profiles
        force user = %U
        # next line allows administrator to access all profiles
        valid users = %U @"Domain Admins"

[printers]
        comment = Network Printers
        printer admin = @"Print Operators"
        guest ok = yes
        printable = yes
        path = /home/samba/spool/
        browseable = No
        read only = Yes
        printable = Yes
        print command = /usr/bin/lpr -P%p -r %s
        lpq command = /usr/bin/lpq -P%p
        lprm command = /usr/bin/lprm -P%p %j

[print$]
        path = /home/samba/printers
        guest ok = No
        browseable = Yes
        read only = Yes
        valid users = @"Print Operators"
        write list = @"Print Operators"
        create mask = 0664
        directory mask = 0775

[public]
        comment = Repertoire public
        path = /public
        browseable = Yes
        guest ok = Yes
        read only = No
        directory mask = 0775
        create mask = 0664
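Added example, not from the thread and not Samba's own code: a small Python parser for the Samba 3 log format quoted above, run over a constructed sample reassembled from the log lines in this post. It groups each `[date time, level] file:function(line)` header with its message lines, keeps the add machine script's own stderr (a line with no header) as a separate record, and pulls out the command and exit status that `_samr_create_user` reports, so that a script failure and what the script printed can be read side by side when triaging a domain-join problem. The two-space indentation of message lines and the treatment of unindented, unheaded lines as script output are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, reassembled from the smbd log lines quoted in this thread.
# smbd writes a header "[date time, level] file:function(line)" followed by
# indented message lines; the unindented line without a header is assumed to be
# the add machine script's own stderr, which lands in the same log file.
SAMPLE_LOG = """\
Error: modifications require authentication at /usr/share/perl5/smbldap_tools.pm line 891, <DATA> line 283.
[2005/08/11 16:46:54, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "eduard-laptop$"' gave 127
[2005/08/11 17:05:07, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2005/08/11 17:05:22, 0] lib/smbldap.c:smbldap_search_suffix(1176)
  smbldap_search_suffix: Problem during the LDAP search: (Timed out)
[2005/08/11 17:05:22, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2350)
  could not add user/computer eduard-laptop$ to passdb. Check permissions?
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+):(\w+)\((\d+)\)\s*$")
SCRIPT_RESULT = re.compile(r"Running the command `(.*)' gave (\d+)")


@dataclass
class Record:
    timestamp: str
    level: int                      # smbd debug level; -1 for unheaded lines
    source: str                     # file:function(line), or "<stderr>"
    lines: List[str] = field(default_factory=list)

    @property
    def message(self) -> str:
        return " ".join(self.lines)


def parse_smbd_log(text: str) -> List[Record]:
    records: List[Record] = []
    current: Optional[Record] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = HEADER.match(raw)
        if m:
            ts, level, path, func, lineno = m.groups()
            current = Record(ts, int(level), f"{path}:{func}({lineno})")
        elif raw[0].isspace() and current is not None:
            current.lines.append(raw.strip())   # continuation of the open record
            continue
        else:
            # Neither header nor indented: assumed to be output that a child
            # process (the add machine script) wrote straight into the log.
            current = Record("", -1, "<stderr>", [raw.strip()])
        records.append(current)
    return records


def script_results(records: List[Record]) -> List[Tuple[str, str, int]]:
    # (timestamp, command, exit status) for each script smbd reports having run
    out: List[Tuple[str, str, int]] = []
    for r in records:
        m = SCRIPT_RESULT.search(r.message)
        if m:
            out.append((r.timestamp, m.group(1), int(m.group(2))))
    return out


def script_stderr(records: List[Record]) -> List[str]:
    return [r.message for r in records if r.source == "<stderr>"]


def level0_errors(records: List[Record]) -> List[Tuple[str, str]]:
    return [(r.source, r.message) for r in records if r.level == 0]


if __name__ == "__main__":
    recs = parse_smbd_log(SAMPLE_LOG)
    for ts, cmd, status in script_results(recs):
        print(f"{ts} {cmd!r} -> exit {status}")
    for line in script_stderr(recs):
        print("script stderr:", line)
```

Run stand-alone it prints the add machine script command with its exit status 127 next to the "modifications require authentication" line the script itself wrote, which is the pairing the original post had to dig out of the log by hand.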
Joachim Kieferle
2005-Aug-12 08:36 UTC
[Samba] Adding machine to domain fails - check permissions? (ldap)
Dear Eduard,

As far as I understand JHT in his "Samba by Example" in chapter 5, computers are treated like users. So what worked with me and SuSE 9.3 was:

1. in smb.conf
   ldap machine suffix = ou=Users
2. in smbldap.conf
   computersdn="ou=Users,${suffix}"

Best
Joachim

Eduard Witteveen wrote:
> Dear list,
>
> When I try to add a machine to the domain (ldap/pdc) I get the
> following error:
>
>> Error: modifications require authentication at
>> /usr/share/perl5/smbldap_tools.pm line 891, <DATA> line 283.
>> [2005/08/11 16:46:54, 0]
>> rpc_server/srv_samr_nt.c:_samr_create_user(2324)
>> _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
>> "eduard-laptop$"' gave 127
>
> Since I used the user Administrator, I logged in from the Windows machine
> on the Linux computer running Samba with the username Administrator
> (an account which is stored inside LDAP), and I *can* run the command
> successfully. (This user is actually root, since I changed the gidNumber
> and the uidNumber both to 0.)
>
> But when this machine has been added manually to the LDAP database, I
> still cannot join the domain and Samba puts information like the
> following in the log:
>
>> [2005/08/11 17:05:07, 0] lib/smbldap.c:smbldap_open(882)
>> smbldap_open: cannot access LDAP when not root..
>> .....
>> [2005/08/11 17:05:22, 0] lib/smbldap.c:smbldap_search_suffix(1176)
>> smbldap_search_suffix: Problem during the LDAP search: (Timed out)
>> [2005/08/11 17:05:22, 0]
>> rpc_server/srv_samr_nt.c:_samr_create_user(2350)
>> could not add user/computer eduard-laptop$ to passdb. Check
>> permissions?
>
> I've attached the smb.conf for completeness.
> Furthermore, I'm running
> Version 3.0.14a-Ubuntu
>
> Please let me know how I can let Samba execute the "add machine
> script" successfully
Louis van Belle
2005-Aug-12 08:42 UTC
[Samba] Adding machine to domain fails - check permissions? (ldap)
Hi, check this:

> read this
> howto setup samba with ldap (based on debian)
> http://lists.samba.org/archive/samba/2005-June/107614.html
>
> printers and rights setup
> http://lists.samba.org/archive/samba/2005-June/107615.html
>
> Louis

> -----Original message-----
> From: samba-bounces+louis=van-belle.nl@lists.samba.org
> [mailto:samba-bounces+louis=van-belle.nl@lists.samba.org]
> On behalf of Eduard Witteveen
> Sent: Friday 12 August 2005 10:26
> To: samba@lists.samba.org
> Subject: [Samba] Adding machine to domain fails - check permissions? (ldap)
>
> Dear list,
>
> When I try to add a machine to the domain (ldap/pdc) I get the
> following error:
>
>> Error: modifications require authentication at
>> /usr/share/perl5/smbldap_tools.pm line 891, <DATA> line 283.
>> [2005/08/11 16:46:54, 0]
>> rpc_server/srv_samr_nt.c:_samr_create_user(2324)
>> _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
>> "eduard-laptop$"' gave 127
>
> Since I used the user Administrator, I logged in from the
> Windows machine on the Linux computer running Samba with the username
> Administrator (an account which is stored inside LDAP), and I *can* run
> the command successfully. (This user is actually root, since I changed
> the gidNumber and the uidNumber both to 0.)
>
> But when this machine has been added manually to the LDAP database, I
> still cannot join the domain and Samba puts information like the
> following in the log:
>
>> [2005/08/11 17:05:07, 0] lib/smbldap.c:smbldap_open(882)
>> smbldap_open: cannot access LDAP when not root..
>> .....
>> [2005/08/11 17:05:22, 0] lib/smbldap.c:smbldap_search_suffix(1176)
>> smbldap_search_suffix: Problem during the LDAP search: (Timed out)
>> [2005/08/11 17:05:22, 0]
>> rpc_server/srv_samr_nt.c:_samr_create_user(2350)
>> could not add user/computer eduard-laptop$ to passdb. Check
>> permissions?
>
> I've attached the smb.conf for completeness.
> Furthermore, I'm running
> Version 3.0.14a-Ubuntu
>
> Please let me know how I can let Samba execute the "add
> machine script"
> successfully
>
> --
> Eduard Witteveen
> +31 (0)6 414 789 23
> nl_NL fy_NL en_US
Eduard Witteveen
2005-Aug-14 09:58 UTC
[Samba] Adding machine to domain fails - check permissions? (ldap)
Eduard Witteveen wrote:
>> Error: modifications require authentication at
>> /usr/share/perl5/smbldap_tools.pm line 891, <DATA> line 283.
>> [2005/08/11 16:46:54, 0]
>> rpc_server/srv_samr_nt.c:_samr_create_user(2324)
>> _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
>> "eduard-laptop$"' gave 127
>

I didn't read the log file completely; before this message there were also some other messages:

> root@pdc:/var/log/samba# cat log.eduard-laptop
> [2005/08/12 15:15:26, 0] lib/util_sock.c:write_socket_data(430)
>   write_socket_data: write failure. Error = Connection reset by peer
> [2005/08/12 15:15:26, 0] lib/util_sock.c:write_socket(455)
>   write_socket: Error writing 4 bytes to socket 25: ERRNO = Connection reset by peer
> [2005/08/12 15:15:26, 0] lib/util_sock.c:send_smb(647)
>   Error writing 4 bytes to client. -1. (Connection reset by peer)
> [2005/08/12 15:15:28, 0] lib/util_sock.c:write_socket_data(430)
>   write_socket_data: write failure. Error = Connection reset by peer
> [2005/08/12 15:15:28, 0] lib/util_sock.c:write_socket(455)
>   write_socket: Error writing 4 bytes to socket 25: ERRNO = Connection reset by peer
> [2005/08/12 15:15:28, 0] lib/util_sock.c:send_smb(647)
>   Error writing 4 bytes to client. -1. (Connection reset by peer)
> Error: modifications require authentication at /usr/share/perl5/smbldap_tools.pm line 891, <DATA> line 283.
> [2005/08/12 15:15:38, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
>   _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "eduard-laptop$"' gave 127
> root@pdc:/var/log/samba#

I assume that this means that the smbldap_tools.pm script cannot connect to the LDAP server.

Therefore I opened the file and found the following code:

> sub get_next_id($$) {
>     my $ldap_base_dn = shift;
>     my $attribute = shift;
>     my $tries = 0;
>     my $found=0;
>     my $next_uid_mesg;
>     my $nextuid;
>     if ($ldap_base_dn =~ m/$config{usersdn}/i) {
>         # when adding a new user, we'll check if the uidNumber available is not
>         # already used for a computer's account
>         $ldap_base_dn=$config{suffix}
>     }
>     do {
>         $next_uid_mesg = $ldap->search(
>             base => $config{sambaUnixIdPooldn},
>             filter => "(objectClass=sambaUnixIdPool)",
>             scope => "base"
>         );
>         $next_uid_mesg->code && die "Error looking for next uid";
>         if ($next_uid_mesg->count != 1) {
>             die "Could not find base dn, to get next $attribute";
>         }
>         my $entry = $next_uid_mesg->entry(0);
>         $nextuid = $entry->get_value($attribute);
>         my $modify=$ldap->modify( "$config{sambaUnixIdPooldn}",
>             changes => [
>                 replace => [ $attribute => $nextuid + 1 ]
>             ]
>         );
>         $modify->code && die "Error: ", $modify->error;
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>         # let's check if the id found is really free (in ou=Groups or ou=Users)...
>         my $check_uid_mesg = $ldap->search(
>             base => $ldap_base_dn,
>             filter => "($attribute=$nextuid)",
>         );
>         $check_uid_mesg->code && die "Cannot confirm $attribute $nextuid is free";
>         if ($check_uid_mesg->count == 0) {
>             $found=1;
>             return $nextuid;
>         }
>         $tries++;
>         print "Cannot confirm $attribute $nextuid is free: checking for the next one\n"
>     } while ($found != 1);
>     die "Could not allocate $attribute!";
> }

This means that the variable $config{sambaUnixIdPooldn} contains something we don't like. I assume that this came from the file /etc/smbldap-tools/smbldap.conf. This contains the value:

> sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"

(I checked this one and it exists in LDAP.) Also:

> suffix="dc=hawarit,dc=com"

I've read the other documentation, but it doesn't give me any clues. Joachim told me to store the machines in the Users organisational unit.
Could somebody please give me some more pointers?

--
Eduard Witteveen
+31 (0)6 414 789 23
nl_NL fy_NL en_US

-------------- next part --------------
# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.15 2004/10/14 09:53:14 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
# USA.

# Purpose :
#       . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID
# to obtain this number do: net getlocalsid
#SID="S-1-5-21-1911238739-97561441-2706018148"
SID="S-1-5-21-183558713-2656141884-2480778994"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Ex: slaveLDAP=127.0.0.1
slaveLDAP="127.0.0.1"

slavePort="389"

# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="127.0.0.1"

masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=hawarit,dc=com"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="99"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Ex: \\My-PDC-netbios-name\homes\%U
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
userSmbHome="\\pdc\homes\%U"

# The UNC path to profiles locations (%U username substitution)
# Ex: \\My-PDC-netbios-name\profiles\%U
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
userProfile="\\pdc\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: H: for H:
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: %U.cmd
# userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.cmd"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
mailDomain="hawarit.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

-------------- next part --------------
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=manager,dc=hawarit,dc=com"
slavePw="password"
masterDN="cn=manager,dc=hawarit,dc=com"
masterPw="password"
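Added example, not from the thread and not smbldap-tools' own code: a Python consistency check across the three files that have to agree before the add machine script can work, the smb.conf `[global]` section, smbldap.conf and the credential file with masterDN/masterPw. It parses smbldap.conf the way the tools read it (`key="value"` lines with `${suffix}` expanded from earlier keys), rebuilds the container DNs Samba derives from `ldap suffix` plus each sub-suffix, and reports where the two sides point at different containers, where the scripts have no DN or password to bind with, and where `ldapTLS="0"` would send the bind password to a non-local server in clear. It illustrates Joachim's two steps above: changing only `ldap machine suffix` in smb.conf leaves Samba and the scripts disagreeing until `computersdn` is changed too. The embedded file contents are constructed excerpts of the configs posted in this thread, and the finding texts are this example's own wording.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpts (not the complete files) of the three configuration
# sources quoted in this thread: smb.conf [global], smbldap.conf and the
# credential file carrying masterDN/masterPw.
SMB_CONF = """\
[global]
        ldap admin dn = cn=manager,dc=hawarit,dc=com
        ldap suffix = dc=hawarit,dc=com
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Users
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
"""
SMBLDAP_CONF = """\
masterLDAP="127.0.0.1"
ldapTLS="0"
suffix="dc=hawarit,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
"""
SMBLDAP_BIND_CONF = """\
masterDN="cn=manager,dc=hawarit,dc=com"
masterPw="password"
"""

_VAR = re.compile(r"\$\{(\w+)\}")
# smb.conf sub-suffix and the smbldap-tools key that must name the same container
PAIRS: List[Tuple[str, str]] = [
    ("ldap user suffix", "usersdn"),
    ("ldap machine suffix", "computersdn"),
    ("ldap group suffix", "groupsdn"),
    ("ldap idmap suffix", "idmapdn"),
]


def parse_shell_style(text: str) -> Dict[str, str]:
    # key="value" lines; ${name} expands from keys defined earlier in the file
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip().strip('"')
        conf[key.strip()] = _VAR.sub(lambda m: conf.get(m.group(1), m.group(0)), value)
    return conf


def parse_smb_conf_global(text: str) -> Dict[str, str]:
    # [global] parameters only, keys lower-cased; '#' and ';' start comments
    conf: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if section == "global" and sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def samba_container_dn(smb: Dict[str, str], option: str) -> str:
    # Samba appends 'ldap suffix' to each sub-suffix to form the container DN
    base, sub = smb.get("ldap suffix", ""), smb.get(option, "")
    return f"{sub},{base}" if sub else base


def _norm(dn: str) -> str:
    return ",".join(part.strip().lower() for part in dn.split(","))


def check(smb_text: str, smbldap_text: str, bind_text: str) -> List[str]:
    # Returns findings; an empty list means Samba and the scripts agree on the
    # containers and the scripts have credentials to bind with.
    smb = parse_smb_conf_global(smb_text)
    tools = parse_shell_style(smbldap_text)
    bind = parse_shell_style(bind_text)
    findings: List[str] = []
    for option, key in PAIRS:
        samba_dn, tools_dn = samba_container_dn(smb, option), tools.get(key, "")
        if _norm(samba_dn) != _norm(tools_dn):
            findings.append(f"{option}: Samba uses {samba_dn} but smbldap-tools {key}={tools_dn}")
    if not bind.get("masterDN") or not bind.get("masterPw"):
        findings.append("masterDN/masterPw missing: smbldap-tools would bind anonymously")
    elif _norm(bind["masterDN"]) != _norm(smb.get("ldap admin dn", "")):
        findings.append("masterDN differs from smb.conf 'ldap admin dn'")
    host = tools.get("masterLDAP", "")
    if tools.get("ldapTLS", "0") == "0" and host not in ("127.0.0.1", "localhost", "::1"):
        findings.append(f"ldapTLS=0 while masterLDAP={host}: bind password sent in clear")
    return findings


if __name__ == "__main__":
    print("\n".join(check(SMB_CONF, SMBLDAP_CONF, SMBLDAP_BIND_CONF)) or "no findings")
```

Run against the excerpts as posted, the only difference it reports is `ldap idmap suffix = ou=Users` in smb.conf against `idmapdn="ou=Idmap,${suffix}"` in smbldap.conf; the user, machine and group containers agree, masterDN matches `ldap admin dn`, and the cleartext bind stays on the loopback interface.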
Eduard Witteveen
2005-Aug-19 11:17 UTC
[Samba] Adding machine to domain fails - check permissions? (ldap)
I made a short summary of the current situation, and I hope that someone can give me some pointers. The summary can be found at: http://nergens.org/download/ldap-problems.pdf

--
Eduard Witteveen
+31 (0)6 414 789 23
nl_NL fy_NL en_US