Jonathan Poon
2006-Jul-30 06:54 UTC
[Samba] Trouble with PDC setup using Samba 3.0.23 and OpenLDAP
Hi everyone,

I am trying to set up a PDC using Samba and OpenLDAP. For some reason, I've used both the examples provided in the Official Howto and also the smbldap-tools howto developed by IDEALX. I am able to get the directory up and running. I am able to get the following working:

1. LDAP directory server and successful queries through Samba
2. Add user and machine accounts.
3. Login using the user account to access shares

However, after adding my machine to the domain and rebooting my Windows 2000 Professional workstation, I am UNABLE to login to the domain using the same user account that I was able to use to access shares on the Samba server. Here is what I am getting in the logs for both OpenLDAP and Samba.

I'm getting the error "bdb_equality_candidates: (uniqueMember) index_param failed (18)" in the LDAP logs when it's trying to obtain the attribute gidNumber. In the Samba logs, it's getting "Rejecting auth request from client DELL machine account DELL$".

Also when I do a net rpc info, I don't see any users or groups added...

net rpc info
Domain Name: POON
Domain SID: S-1-5-21-2419779023-3102034070-987042703
Sequence number: 1154241602
Num users: 0
Num domain groups: 0
Num local groups: 0

I don't know where to start... Please let me know if you have had a similar experience and found a solution. I appreciate your help very much!

-Jonathan P.
OPENLDAP.LOG

Jul 29 23:32:41 poontv slapd[6138]: conn=215 fd=10 ACCEPT from IP=127.0.0.1:38290 (IP=0.0.0.0:389)
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=0 BIND dn="cn=samba,ou=DSA,dc=jonathanpoon" method=128
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=0 BIND dn="cn=samba,ou=DSA,dc=jonathanpoon" mech=SIMPLE ssf=0
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=0 RESULT tag=97 err=0 text=
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=1 SRCH attr=supportedControl
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=2 SRCH base="dc=jonathanpoon" scope=2 deref=0 filter="(&(uid=dell$)(objectClass=sambaSamAccount))"
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=3 SRCH base="dc=jonathanpoon" scope=2 deref=0 filter="(&(uid=jonathan)(objectClass=sambaSamAccount))"
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=3 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 29 23:32:41 poontv slapd[6138]: conn=216 fd=18 ACCEPT from IP=127.0.0.1:38291 (IP=0.0.0.0:389)
Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=0 BIND dn="cn=nssldap,ou=DSA,dc=jonathanpoon" method=128
Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=0 BIND dn="cn=nssldap,ou=DSA,dc=jonathanpoon" mech=SIMPLE ssf=0
Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=0 RESULT tag=97 err=0 text=
Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=1 SRCH base="ou=Users,dc=jonathanpoon" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=jonathan))"
Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 29 23:32:41 poontv slapd[6138]: conn=217 fd=23 ACCEPT from IP=127.0.0.1:38292 (IP=0.0.0.0:389)
Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=2 UNBIND
Jul 29 23:32:41 poontv slapd[6138]: conn=216 fd=18 closed
Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=0 BIND dn="cn=nssldap,ou=DSA,dc=jonathanpoon" method=128
Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=0 BIND dn="cn=nssldap,ou=DSA,dc=jonathanpoon" mech=SIMPLE ssf=0
Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=0 RESULT tag=97 err=0 text=
Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=1 SRCH base="ou=Users,dc=jonathanpoon" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=jonathan))"
Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=2 SRCH base="ou=Groups,dc=jonathanpoon" scope=1 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=jonathan)(uniqueMember=uid=jonathan,ou=users,dc=jonathanpoon)))"
Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=2 SRCH attr=gidNumber
Jul 29 23:32:41 poontv slapd[6138]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=4 SRCH base="ou=Groups,dc=jonathanpoon" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=513))"
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=4 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=

SAMBA LOGS

[2006/07/29 23:35:39, 2] libsmb/credentials.c:creds_server_check(159)
  creds_server_check: credentials check failed.
[2006/07/29 23:35:39, 2] rpc_server/srv_netlog_nt.c:_net_sam_logon(667)
  _net_sam_logon: creds_server_step failed. Rejecting auth request from client DELL machine account DELL$
[2006/07/29 23:35:50, 2] lib/smbldap.c:smbldap_open_connection(722)
  smbldap_open_connection: connection opened
[2006/07/29 23:35:50, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: dell$
[2006/07/29 23:35:50, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: jonathan
[2006/07/29 23:35:50, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password: authentication for user [jonathan] -> [jonathan] -> [jonathan] succeeded

SMB.conf

[global]
ldap admin dn = "cn=samba,ou=DSA,dc=jonathanpoon"
ldap ssl = no
passdb backend = ldapsam:ldap://127.0.0.1
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=jonathanpoon
ldap passwd sync = yes
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = no
#delete user script = /usr/local/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd "%g"
#delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
#delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
workgroup = POON
netbios name = PDC
enable privileges = yes
comment = Linux Debian Samba Server
security = user
null passwords = No
encrypt passwords = yes
logon drive = U:
logon path = \\%L\profiles\%g
logon script = STARTUP.BAT
domain logons = yes
domain master = yes
local master = yes
preferred master = yes
os level = 255
wins support = yes
time offset = 60
time server = True
log file = /var/log/samba/log.samba
log level = 5
public = No
browseable = No
writable = No

[netlogon]
path = /usr/local/samba/netlogon
locking = no
writeable = no
guest ok = no
browseable = no

[profiles]
path = /usr/local/samba/profiles
writeable = yes
guest ok = yes
browseable = yes
create mask = 0777
directory mask = 0777
#profile acls = yes
#csc policy = disable
#force user = %U
#valid users = %U @"Domain Admins"
Craig White
2006-Jul-30 13:35 UTC
[Samba] Trouble with PDC setup using Samba 3.0.23 and OpenLDAP
On Sun, 2006-07-30 at 06:40 +0000, Jonathan Poon wrote:
> Hi everyone,
>
> I am trying to set up a PDC using Samba and OpenLDAP. For some reason, I've used both the examples provided in the Official Howto and also the smbldap-tools howto developed by IDEALX. I am able to get the directory up and running. I am able to get the following working:
>
> 1. LDAP directory server and successful queries through Samba
> 2. Add user and machine accounts.
> 3. Login using the user account to access shares
>
> However, after adding my machine to the domain and rebooting my Windows 2000 Professional workstation, I am UNABLE to login to the domain using the same user account that I was able to use to access shares on the Samba server. Here is what I am getting in the logs for both OpenLDAP and Samba.
>
> I'm getting the error "bdb_equality_candidates: (uniqueMember) index_param failed (18)" in the LDAP logs when it's trying to obtain the attribute gidNumber. In the Samba logs, it's getting "Rejecting auth request from client DELL machine account DELL$".
>
> Also when I do a net rpc info, I don't see any users or groups added...
>
> net rpc info
> Domain Name: POON
> Domain SID: S-1-5-21-2419779023-3102034070-987042703
> Sequence number: 1154241602
> Num users: 0
> Num domain groups: 0
> Num local groups: 0
>
> I don't know where to start... Please let me know if you have had a similar experience and found a solution. I appreciate your help very much!
>
> -Jonathan P.
>
>
> OPENLDAP.LOG
>
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 fd=10 ACCEPT from IP=127.0.0.1:38290 (IP=0.0.0.0:389)
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=0 BIND dn="cn=samba,ou=DSA,dc=jonathanpoon" method=128
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=0 BIND dn="cn=samba,ou=DSA,dc=jonathanpoon" mech=SIMPLE ssf=0
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=0 RESULT tag=97 err=0 text=
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=1 SRCH attr=supportedControl
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=2 SRCH base="dc=jonathanpoon" scope=2 deref=0 filter="(&(uid=dell$)(objectClass=sambaSamAccount))"
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=3 SRCH base="dc=jonathanpoon" scope=2 deref=0 filter="(&(uid=jonathan)(objectClass=sambaSamAccount))"
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=3 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Jul 29 23:32:41 poontv slapd[6138]: conn=216 fd=18 ACCEPT from IP=127.0.0.1:38291 (IP=0.0.0.0:389)
> Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=0 BIND dn="cn=nssldap,ou=DSA,dc=jonathanpoon" method=128
> Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=0 BIND dn="cn=nssldap,ou=DSA,dc=jonathanpoon" mech=SIMPLE ssf=0
> Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=0 RESULT tag=97 err=0 text=
> Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=1 SRCH base="ou=Users,dc=jonathanpoon" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=jonathan))"
> Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
> Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Jul 29 23:32:41 poontv slapd[6138]: conn=217 fd=23 ACCEPT from IP=127.0.0.1:38292 (IP=0.0.0.0:389)
> Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=2 UNBIND
> Jul 29 23:32:41 poontv slapd[6138]: conn=216 fd=18 closed
> Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=0 BIND dn="cn=nssldap,ou=DSA,dc=jonathanpoon" method=128
> Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=0 BIND dn="cn=nssldap,ou=DSA,dc=jonathanpoon" mech=SIMPLE ssf=0
> Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=0 RESULT tag=97 err=0 text=
> Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=1 SRCH base="ou=Users,dc=jonathanpoon" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=jonathan))"
> Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=2 SRCH base="ou=Groups,dc=jonathanpoon" scope=1 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=jonathan)(uniqueMember=uid=jonathan,ou=users,dc=jonathanpoon)))"
> Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=2 SRCH attr=gidNumber
> Jul 29 23:32:41 poontv slapd[6138]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
> Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=4 SRCH base="ou=Groups,dc=jonathanpoon" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=513))"
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=4 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
> Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
>
> SAMBA LOGS
>
> [2006/07/29 23:35:39, 2] libsmb/credentials.c:creds_server_check(159)
>   creds_server_check: credentials check failed.
> [2006/07/29 23:35:39, 2] rpc_server/srv_netlog_nt.c:_net_sam_logon(667)
>   _net_sam_logon: creds_server_step failed. Rejecting auth request from client DELL machine account DELL$
> [2006/07/29 23:35:50, 2] lib/smbldap.c:smbldap_open_connection(722)
>   smbldap_open_connection: connection opened
> [2006/07/29 23:35:50, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
>   init_sam_from_ldap: Entry found for user: dell$
> [2006/07/29 23:35:50, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
>   init_sam_from_ldap: Entry found for user: jonathan
> [2006/07/29 23:35:50, 2] auth/auth.c:check_ntlm_password(307)
>   check_ntlm_password: authentication for user [jonathan] -> [jonathan] -> [jonathan] succeeded
>
>
> SMB.conf
>
> [global]
>
> ldap admin dn = "cn=samba,ou=DSA,dc=jonathanpoon"
> ldap ssl = no
> passdb backend = ldapsam:ldap://127.0.0.1
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
> ldap machine suffix = ou=Computers
> ldap suffix = dc=jonathanpoon
> ldap passwd sync = yes
----
I am wondering what is in /etc/ldap.conf, specifically the lines:

nss_base_passwd
nss_base_shadow
nss_base_group

Are the computer accounts stored in the same ou as People? This is likely where your problems with machine accounts and Groups are.
----
> [profiles]
> path = /usr/local/samba/profiles
> writeable = yes
> guest ok = yes
> browseable = yes
> create mask = 0777
> directory mask = 0777
> #profile acls = yes
> #csc policy = disable
> #force user = %U
> #valid users = %U @"Domain Admins"
----
I would probably remove the comments from the csc policy and profile acls lines here, but that isn't the issue at the moment.

The logs you have quoted above don't show what happened when the DELL$ tried to authenticate, nor what happened when you tried getent group (as far as I can tell), so I am not going to speculate further.

Craig
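Craig's reply turns on whether the search bases nss_ldap uses (nss_base_passwd, nss_base_shadow, nss_base_group) line up with the containers Samba's smb.conf names for users, groups and machines. The thread itself shows one such gap: smb.conf says ldap user suffix = ou=People and ldap machine suffix = ou=Computers, while the slapd log shows the nssldap bind searching ou=Users with scope=1 (one level). The script below is an added example, not code from the thread or from Samba; it parses the LDAP suffixes out of the posted smb.conf, a hypothetical /etc/ldap.conf (Jonathan's real file is not on the page, so the sample is constructed to match the ou=Users, scope-one searches visible in the slapd log), reports where Samba and NSS disagree, and pairs each slapd SRCH line with its SEARCH RESULT to list searches that succeeded (err=0) but matched nothing, like the posixGroup lookup for jonathan.

```python
"""Cross-check Samba's LDAP suffixes against nss_ldap's search bases and find
slapd searches that returned nothing. Added example; not code from the thread."""
import re

# Constructed sample: the LDAP-related [global] lines from the smb.conf posted above.
SMB_CONF = """
[global]
ldap admin dn = "cn=samba,ou=DSA,dc=jonathanpoon"
ldap ssl = no
passdb backend = ldapsam:ldap://127.0.0.1
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=jonathanpoon
ldap passwd sync = yes
"""

# Hypothetical /etc/ldap.conf: the real file is not in the thread. Its bases
# mirror the ou=Users, scope-one searches the slapd log shows nss_ldap making.
LDAP_CONF = """
base dc=jonathanpoon
binddn cn=nssldap,ou=DSA,dc=jonathanpoon
nss_base_passwd ou=Users,dc=jonathanpoon?one
nss_base_shadow ou=Users,dc=jonathanpoon?one
nss_base_group  ou=Groups,dc=jonathanpoon?one
"""

# slapd lines copied from the OPENLDAP.LOG posted above (constructed subset).
SLAPD_LOG = [
    'Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=2 SRCH base="ou=Groups,dc=jonathanpoon" scope=1 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=jonathan)(uniqueMember=uid=jonathan,ou=users,dc=jonathanpoon)))"',
    'Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=2 SRCH attr=gidNumber',
    'Jul 29 23:32:41 poontv slapd[6138]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)',
    'Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=',
    'Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=4 SRCH base="ou=Groups,dc=jonathanpoon" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=513))"',
    'Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=',
]


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around its RDNs for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_smb_ldap(text):
    """Return the full DNs Samba uses for users, groups and machines.
    The ou= suffixes in smb.conf are relative to 'ldap suffix'."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*ldap (suffix|user suffix|group suffix|machine suffix)\s*=\s*(.+?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)
    base = params["suffix"]

    def full(key):
        value = params[key]
        return value if normalize_dn(value).endswith(normalize_dn(base)) else f"{value},{base}"

    return {"base": base, "users": full("user suffix"),
            "groups": full("group suffix"), "machines": full("machine suffix")}


def parse_nss_bases(text):
    """Return {map: (base_dn, scope)} from nss_base_* lines; nss_ldap writes them
    as 'dn?scope' and falls back to a subtree search when no scope is given."""
    bases = {}
    for line in text.splitlines():
        m = re.match(r"\s*nss_base_(passwd|shadow|group)\s+(\S+)", line)
        if m:
            dn, _, scope = m.group(2).partition("?")
            bases[m.group(1)] = (dn, scope or "sub")
    return bases


def container_visible(container, base, scope):
    """True if entries directly under `container` are returned by a search
    rooted at `base` with the given LDAP scope (base/one/sub)."""
    c, b = normalize_dn(container), normalize_dn(base)
    if scope == "one":
        return c == b          # one-level: only direct children of the base
    if scope == "base":
        return False           # base scope returns the base entry itself only
    return c == b or c.endswith("," + b)


def check(smb_text, ldap_text):
    """List mismatches between where Samba keeps accounts and where NSS looks."""
    smb, nss = parse_smb_ldap(smb_text), parse_nss_bases(ldap_text)
    findings = []
    pw_base, pw_scope = nss["passwd"]
    if normalize_dn(pw_base) != normalize_dn(smb["users"]):
        findings.append(f"users: smb.conf user suffix is {smb['users']} but nss_base_passwd is {pw_base}")
    if not container_visible(smb["machines"], pw_base, pw_scope):
        findings.append(f"machines: {smb['machines']} is outside nss_base_passwd {pw_base}?{pw_scope}")
    grp_base, _ = nss["group"]
    if normalize_dn(grp_base) != normalize_dn(smb["groups"]):
        findings.append(f"groups: smb.conf group suffix is {smb['groups']} but nss_base_group is {grp_base}")
    return findings


def empty_searches(log_lines):
    """Pair each slapd 'SRCH base=' line with its 'SEARCH RESULT' by conn/op and
    return (base, filter) for searches that succeeded but matched no entry."""
    pending, empties = {}, []
    for line in log_lines:
        m = re.search(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)".*filter="([^"]*)"', line)
        if m:
            pending[(m.group(1), m.group(2))] = (m.group(3), m.group(4))
            continue
        m = re.search(r"conn=(\d+) op=(\d+) SEARCH RESULT .*err=(\d+) nentries=(\d+)", line)
        if m and m.group(3) == "0" and m.group(4) == "0":
            empties.append(pending.pop((m.group(1), m.group(2)), ("?", "?")))
    return empties


if __name__ == "__main__":
    for finding in check(SMB_CONF, LDAP_CONF):
        print("MISMATCH:", finding)
    for base, flt in empty_searches(SLAPD_LOG):
        print(f"EMPTY RESULT: base={base} filter={flt}")
```

Run against the constructed inputs it reports two mismatches (the user container differs, and a scope-one search under ou=Users can never see machine accounts kept in ou=Computers) plus the one empty group search from the log. With real files, point SMB_CONF and LDAP_CONF at /etc/samba/smb.conf and /etc/ldap.conf and feed it the slapd log; the same two checks are what getent passwd dell$ and getent group exercise end to end.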