IOhannes zmoelnig
2002-Jun-10 02:28 UTC
[Samba] [Fwd: ldap + pdc + adding win2k clients...again(sigh)...argh]
hi !

i have a problem with ldap+pdc too, and since no one answered ingo's request, i will try again.

this is my setting:
i want to maintain a central authentication for my small but mixed (debian/linux vs w2k) network.
i am using debian:samba-2.2.3a; compiled it with ldapsam enabled.
i am using openldap2-2.0.23; compiled it with TLS enabled.
simple file-sharing works (at least, none of my users complained).

this is my problem:
whenever i try to join a machine i get the error "Der angegebene Benutzer existiert nicht" (meaning: "the given user does not exist").
it took me years to understand that the "user" is actually the machine i want to join.

now this is how i tried to track the problem:

my configuration:

slapd.conf:
----{
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema

TLSCertificateFile /etc/ldap/server.pem
TLSCertificateKeyFile /etc/ldap/server.pem
TLSCACertificateFile /etc/ldap/server.pem

schemacheck on
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
replogfile /var/lib/ldap/replog
loglevel 256

database ldbm
suffix "dc=iemnet"
directory "/var/lib/ldap"
lastmod on
rootdn "uid=Manager,ou=Administration,dc=iemnet"
rootpw xyz

index primaryGroupID eq
index rid eq
index uid eq
index uidNumber eq
index gidNumber eq
index cn pres,sub,eq
index objectClass eq
index default sub

access to attribute=userPassword attribute=lmPassword attribute=ntPassword
    by dn="cn=admin,dc=iemnet" write
    by dn="uid=Manager,ou=Administration,dc=iemnet" write
    by anonymous auth
    by self write
    by * none

access to *
    by dn="cn=admin,dc=iemnet" write
    by dn="uid=Manager,ou=Administration,dc=iemnet" write
    by * read
}-----

the [global]-section of my samba.conf
----{
[global]
netbios name = iemusers
printing = cups
printcap name = cups
load printers = yes
# guest account = nobody
# invalid users = root
security = user
workgroup = IEM
server string = %h (Samba %v)
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
encrypt passwords = true
wins support = yes
os level = 100
domain master = yes
local master = yes
preferred master = yes
domain logons = yes
logon path = \\%N\%U\.ntprofile
logon home = \\%N\%U\.ntprofile
logon drive = M:
logon script = logon.bat
domain admin group = @smbadm Manager
name resolve order = lmhosts host wins bcast
dns proxy = no
preserve case = yes
short preserve case = yes
unix password sync = true
passwd program = /usr/bin/passwd %u
passwd chat = *New\spassword:* %n\n *Re-enter\snew\spassword:* %n\n .
max log size = 1000
log level = 10
syslog only = no
syslog = 0;
ldap server = ldap.iemnet
ldap suffix = dc=iemnet
ldap admin dn = "uid=Manager,ou=Administration,dc=iemnet"
# ldap ssl = yes
# ldap port = 636
ldap ssl = no
ldap port = 389
}----

btw: there is no difference if i use "ldap ssl = yes" or "no".

i have set the password "xyz" with "smbpasswd -w xyz", and it says that it is stored in secrets.tdb.

i have a Manager-account with "uid: root" to join the w2k-machines. this is in fact the same account as mentioned in slapd.conf and smb.conf (i believe that these need not be the same ???)

manager.ldif
----{
dn: uid=Manager,ou=Administration,dc=iemnet
objectClass: posixAccount
objectClass: sambaAccount
loginShell: /bin/sh
homeDirectory: /tmp
pwdLastSet: 1023376082
logonTime: 0
logoffTime: 0
kickoffTime: 0
pwdCanChange: 0
pwdMustChange: 0
displayName: Manager
rid: 500
primaryGroupID: 1001
acctFlags: [UX ]
cn: Manager
ntPassword: .......
lmPassword: .......
userPassword: {crypt}....
uidNumber: 0
gidNumber: 0
uid: root
}

note that the effective uid is "root" while the headline says "uid=Manager".
i have set the password of the Manager-account (root) to "xyz" (the same as set with "smbpasswd -w" and that is given in the slapd.conf) with "passwd" (i use pam_smbpass.so to sync unix and nt hashes; works perfectly).

i can log into the linux-machine that is running the samba-server (and which imports the ldap-users) with "root" "xyz" as well as with "root" "{localrootpasswd}". i think this is a security hole, but i have not found a way to avoid this (setting the Manager's login-shell to /bin/false does not work). but i think this is a pam thing (and it doesn't matter right now anyhow).

i can add entries to the ldap-tree with
"ldapadd -x -D "uid=Manager,ou=Administration,dc=iemnet" -w xyz -f template.ldif"
so i have all rights to write and read (i can also search the whole tree). i cannot do this as a normal (unauthorized) user.

my ldap-entry for a sample-w2k-client is:

xenakis.ldif
---{
dn: uid=xenakis$,ou=Windows,ou=Hosts,dc=iemnet
objectClass: sambaAccount
objectClass: posixAccount
objectClass: ipHost
uidNumber: 20106
ipHostNumber: 192.168.7.106
gidNumber: 20000
homeDirectory: /tmp
loginShell: /bin/false
uid: xenakis$
pwdLastSet: 1023464353
logonTime: 0
logoffTime: 0
kickoffTime: 0
pwdCanChange: 0
pwdMustChange: 0
displayName: xenakis$
cn: xenakis$
rid: 20106
primaryGroupID: 3003
lmPassword: 71B669514F2A1F3AAAD3B435B51404EE
ntPassword: EAF65F7EC7EDFDBD2C2C59A951A459FD
acctFlags: [UW ]
}---

now, the error i get when joining the w2k-client appears every time i successfully authenticate any(!) user. i get the same error for my normal account "zmoelnig" "geheim" and for "root" "xyz". so i guessed that the ACLs in the slapd.conf are somehow wrong, but then i think not, since i can add ldap-entries from the linux-console.

if a matching posix-account (xenakis$) in the /etc/passwd exists on the samba-server, and i create the samba-machine account with "smbpasswd -a -w XENAKIS", i CAN join the domain (a sambaAccount entry is created in the ldap-directory), but only sometimes!! (this seems to be not very stable). but i do not want to do this, i want my w2k-clients to be stored in the ldap-tree.

hope some of you can point me in the right direction.

mfg.ca.ser
IOhannes

PS: i had some logfiles (syslog@ldap-server, log.nmbd@samba-server, log.smbd@samba-server) attached, but i think my message was rejected, so i leave them out now.
IOhannes zmoelnig
2002-Jun-10 07:18 UTC
[Samba] [Fwd: ldap + pdc + adding win2k clients...again(sigh)...argh]
Samuel GAUTIER wrote:
> For joining w2k stations the computer account needs to exist in your
> /etc/passwd file (and in your "Computers" container) and the "root" user
> needs to exist in your LDAP directory as in your /etc/passwd. And you
> must use this account for joining the domain.
>
> computer account :
>
> station1$:x:3003:100:station1:/dev/null:/bin/false
>
> I hope it can help you !!
>
> see you !!
> sam
>

ah, thanks for answering.
i still do not really get it:

1.) machine account: i do authenticate both linux and windows users via my ldap-server (eg: posixAccount and sambaAccount). do i really (???) have to have an entry in my /etc/passwd-file for the machine-account ?? is it not enough to have a posixAccount in the LDAP-directory for the machine ???

2.) root-account: with the advent of my ldap-directory, root-accounts came out everywhere. i never know which one is meant: anyhow, i guess a root account is ok if i can (linux) log into the machine using this account+password and after typing "whoami" i get "root". is this right ?

i stress it again: no matter which user i give for joining the w2k-client, i will always get a "user unknown" (meaning the machine-account) error, as long as i provide a valid user/password-set (else i get a "wrong password or username", which is ok).

now i have discovered something else: trying to join an nt4-client seems to work. i then have to reboot the nt-machine (of course). when i try to login as a net-user, i get approx (it is in german, and i do not have access to the nt-machine right now) this error-message:
"no machine-account or password for the machine-account is wrong"
what does this want to express ? is the MACHINE.SID (of the samba) wrong ?
by the way, this message is thrown extremely(!) fast, and there does not seem to be a call on the ldap-server (at least the syslog does say nothing).

mfg.csda.dr
IOhannes
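As an added example (not code from this thread, from Samba, or from either poster), the following Python script runs the consistency checks a practitioner would want over a Samba 2.2 ldapsam machine-account entry before trying to join: the uid/cn/acctFlags shape of a workstation trust account, the hash format, whether the machine also has the /etc/passwd entry Samuel's reply asks for, and whether `rid` and `primaryGroupID` agree with the default algorithmic RID mapping of a stock Samba 2.2 build (user RID = uidNumber * 2 + 1000, group RID = gidNumber * 2 + 1001). The LDIF is the xenakis$ entry posted above, the /etc/passwd excerpts are constructed, and the RID mapping is an assumption about the build in use; a build with a different mapping would make those two checks irrelevant.

```python
import re

# Constructed sample input: the xenakis$ machine-account entry as posted
MACHINE_LDIF = """\
dn: uid=xenakis$,ou=Windows,ou=Hosts,dc=iemnet
objectClass: sambaAccount
objectClass: posixAccount
objectClass: ipHost
uidNumber: 20106
ipHostNumber: 192.168.7.106
gidNumber: 20000
homeDirectory: /tmp
loginShell: /bin/false
uid: xenakis$
pwdLastSet: 1023464353
displayName: xenakis$
cn: xenakis$
rid: 20106
primaryGroupID: 3003
lmPassword: 71B669514F2A1F3AAAD3B435B51404EE
ntPassword: EAF65F7EC7EDFDBD2C2C59A951A459FD
acctFlags: [UW ]
"""

# Constructed /etc/passwd excerpts: one in the shape Samuel suggests for this
# machine, one where only a different workstation is present
PASSWD_WITH_MACHINE = "xenakis$:x:20106:20000:xenakis:/dev/null:/bin/false\n"
PASSWD_WITHOUT_MACHINE = "station1$:x:3003:100:station1:/dev/null:/bin/false\n"

# Second half of the LM hash of any password of 7 characters or fewer
LM_EMPTY_BLOCK = "AAD3B435B51404EE"
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")


def parse_ldif(text):
    """Parse one flat LDIF entry into {attribute: [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entry.setdefault(key.strip(), []).append(value.strip())
    return entry


def parse_passwd(text):
    """Return {name: uid_number} for passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            users[fields[0]] = int(fields[2])
    return users


def samba22_user_rid(uid_number):
    # Assumption: stock Samba 2.2 algorithmic mapping, user RID = uid*2 + 1000
    return uid_number * 2 + 1000


def samba22_group_rid(gid_number):
    # Group RIDs take the odd slots: gid*2 + 1001
    return gid_number * 2 + 1001


def check_machine_account(ldif_text, passwd_text):
    """Return a list of problems found; an empty list means every check passed."""
    e = parse_ldif(ldif_text)
    first = lambda attr, default="": e.get(attr, [default])[0]
    problems = []
    uid = first("uid")
    if not uid.endswith("$"):
        problems.append("uid must be the NetBIOS name followed by '$'")
    if first("cn") != uid:
        problems.append("cn should equal uid for a machine account")
    for cls in ("sambaAccount", "posixAccount"):
        if cls not in e.get("objectClass", []):
            problems.append("missing objectClass " + cls)
    if "W" not in first("acctFlags"):
        problems.append("acctFlags lacks W (workstation trust account)")
    for attr in ("lmPassword", "ntPassword"):
        if not HEX32.match(first(attr)):
            problems.append(attr + " is not a 32-digit hex hash")
    uid_number, gid_number = int(first("uidNumber", "-1")), int(first("gidNumber", "-1"))
    if int(first("rid", "-1")) != samba22_user_rid(uid_number):
        problems.append("rid %s != Samba 2.2 mapping %d for uidNumber %d"
                        % (first("rid"), samba22_user_rid(uid_number), uid_number))
    if int(first("primaryGroupID", "-1")) != samba22_group_rid(gid_number):
        problems.append("primaryGroupID %s != Samba 2.2 mapping %d for gidNumber %d"
                        % (first("primaryGroupID"), samba22_group_rid(gid_number), gid_number))
    users = parse_passwd(passwd_text)
    if uid not in users:
        problems.append(uid + " has no /etc/passwd entry on the PDC")
    elif users[uid] != uid_number:
        problems.append("/etc/passwd uid %d != LDAP uidNumber %d" % (users[uid], uid_number))
    return problems


def lm_password_at_most_7_chars(lm_hash):
    """True when the LM hash shows the password fits in one 7-byte block."""
    return lm_hash.upper().endswith(LM_EMPTY_BLOCK)


if __name__ == "__main__":
    for label, passwd in (("passwd entry present", PASSWD_WITH_MACHINE),
                          ("passwd entry missing", PASSWD_WITHOUT_MACHINE)):
        print(label, check_machine_account(MACHINE_LDIF, passwd))
    print("machine password <= 7 chars:",
          lm_password_at_most_7_chars(parse_ldif(MACHINE_LDIF)["lmPassword"][0]))
```

Run against the posted entry, the shape checks pass, the two RID checks report that `rid 20106` and `primaryGroupID 3003` do not match what the assumed 2.2 mapping derives from uidNumber 20106 and gidNumber 20000 (41212 and 41001), and the /etc/passwd check fires only with the second excerpt. The trailing `AAD3B435B51404EE` in the posted lmPassword shows the stored machine password is at most 7 characters, which is consistent with the lowercase NetBIOS name "xenakis" that a fresh trust account is expected to carry.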
IOhannes zmoelnig
2002-Jun-10 07:44 UTC
[Samba] [Fwd: ldap + pdc + adding win2k clients...again(sigh)...argh]
IOhannes zmoelnig wrote:
> Samuel GAUTIER wrote:
>
>> For joining w2k stations the computer account needs to exist in your
>> /etc/passwd file (and in your "Computers" container) and the "root" user
>> needs to exist in your LDAP directory as in your /etc/passwd. And you
>> must use this account for joining the domain.
>>
>> computer account :
>>
>> station1$:x:3003:100:station1:/dev/null:/bin/false
>>
>> I hope it can help you !!
>>

i have successfully managed to add the w2k-client to the domain; however, i still fail to authenticate against the PDC (both in w2k and NT4).

the error message when trying to login as a net-user reads:
"Das System konnte Sie nicht bei dieser Domäne anmelden, da das Computerkonto des Systems in seiner primären Domäne fehlt oder das Kennwort für dieses Computerkonto falsch ist"
("The system could not log you into this domain, since the machine-account for this system is missing in the primary domain or the password for this machine-account is wrong")

the most interesting thing (for me) is that this error appears so fast. i think that the samba-server is not contacted at all. even the log.nmbd stays very quiet.

i really do not know where to look ???

mfg.cd.sar
IOhannes