Hi, I'm running Samba 4.0.8, on FreeBSD 9.2, from operating system packages, as a DC. I have a BDC, running the same. I'm using a Windows 7 workstation with "Active Directory Users and Computers" snap-in to manage usernames, passwords, etc. The workstation is part of the domain, and I'm logged on as Administrator in the domain. I can create groups and add members to them when I create them. When I go back to edit group memberships, however, and I select "UNIX Attributes," I get the message "Unwilling to Perform." (While I can view things, and even tell the GUI to add them, unsurprisingly, no actual change is made.) No message appears in any of the samba4 logs. How should I troubleshoot this kind of problem? Other possibly relevant details: There's an OpenLDAP proxy between the Some Unix machines will authenticate via pure LDAP, no Kerberos I use LdapAdmin to view the AD information, to help troubleshoot actually getting pure LDAP auth working. I do not change anything via LdapAdmin, changes happen via the snap-in or by adding clients to the domain at the client. Thanks, ==ml -- Michael W. Lucas - mwlucas at michaelwlucas.com, Twitter @mwlauthor http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/ Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e coupon code "ILUVMICHAEL" gets you 30% off & helps me.
On Mon, Nov 11, 2013 at 11:05:07AM -0500, Michael W. Lucas wrote:> There's an OpenLDAP proxy between theDang it, I didn't finish this sentence before hitting send. <facepalm> There's an OpenLDAP proxy between the Samba4 DCs and the Unix client machines. The Windows 7 desktop has direct access to the Samba domain, and is a domain member. ==ml -- Michael W. Lucas - mwlucas at michaelwlucas.com, Twitter @mwlauthor http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/ Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e coupon code "ILUVMICHAEL" gets you 30% off & helps me.
On 11/11/13 16:05, Michael W. Lucas wrote:> Hi, > > I'm running Samba 4.0.8, on FreeBSD 9.2, from operating system > packages, as a DC. I have a BDC, running the same. I'm using a Windows > 7 workstation with "Active Directory Users and Computers" snap-in to > manage usernames, passwords, etc. The workstation is part of the > domain, and I'm logged on as Administrator in the domain. > > I can create groups and add members to them when I create them. When I > go back to edit group memberships, however, and I select "UNIX > Attributes," I get the message "Unwilling to Perform." (While I can > view things, and even tell the GUI to add them, unsurprisingly, no > actual change is made.) > > No message appears in any of the samba4 logs. > > How should I troubleshoot this kind of problem? > > Other possibly relevant details: > > There's an OpenLDAP proxy between the > > Some Unix machines will authenticate via pure LDAP, no Kerberos > > I use LdapAdmin to view the AD information, to help troubleshoot > actually getting pure LDAP auth working. I do not change anything via > LdapAdmin, changes happen via the snap-in or by adding clients to the > domain at the client. > > Thanks, > ==ml >I get the 'Unwilling to Perform' message on XP, but after that everything works OK, are you clicking the 'Apply' button? Rowland