I have been working on this for weeks now and feel like I am at a dead-end.
I am using Samba 3.0 (Head) and OpenLDAP (2.0) and smbldap-tools 0.7 and
cannot join either a Linux machine or Windows 2000 machine to the domain.
If any of you have some ideas they would be much appreciated.
Highlights:
- I have a root defined (UID and GID of 0).
- Trying to join the domain will successfully add my machine to the LDAP
database.
- I have my users defined and can successfully login to view shares from
either a windows or Linux machine.
- When trying to join domain I use root as the account with permission to
join domain.  The log appears to indicate that root is successfully
validated.
Bottom Line:
- Whenever I try to join I always get NT_STATUS_ACCESS_DENIED.  More details
and log messages below.
smb.conf
=====
[global]
        workgroup = ELUCIDATION
        netbios name = Boo
        server string = %h server (Samba %v)
        security = user
        obey pam restrictions = Yes
        guest account = guest
        #passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
        passwd program = /usr/local/sbin/smbldap-passwd.pl %u
        passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
        unix password sync = No
        encrypt passwords = Yes
        log level = 5
        log file = /var/log/samba/%m.log
        max log size = 1000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        domain logons = Yes
        logon script = startup.bat
        os level = 80
        preferred master = Yes
        domain master = Yes
        local master = Yes
        dns proxy = No
        wins support = Yes
        ldap suffix = dc=ELUCIDATION
        ldap machine suffix = dc=ELUCIDATION
        ldap user suffix = dc=ELUCIDATION
        ldap admin dn = cn=Manager,dc=ELUCIDATION
        ldap ssl = No
        printing = lprng
        add user script = /usr/local/sbin/smbldap-useradd.pl -m -a %u
        add machine script = /usr/local/sbin/smbldap-useradd.pl -w %u
        panic action = /usr/share/samba/panic-action %d
        #invalid users = root
        admin users = root administrator
        hosts allow = 192.168.1.0/255.255.255.0
        logon drive = H:
        logon home = \\boo\profiles\%u
Attempt to join domain from another Linux box
==============================
asa:~# smbpasswd -j elucidation -r boo
cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
cli_nt_setup_creds: auth2 challenge failed
modify_trust_password: unable to setup the PDC credentials to machine BOO.
Error was : NT_STATUS_ACCESS_DENIED.
2003/02/10 21:57:01 : change_trust_account_password: Failed to change
password for domain ELUCIDATION.
Unable to join domain ELUCIDATION.
Log results try to join from another Linux box
==============================
[2003/02/10 22:02:10, 2] passdb/pdb_ldap.c:init_sam_from_ldap(953)
  Entry found for user: asa$
[2003/02/10 22:02:10, 2] passdb/pdb_ldap.c:init_sam_from_ldap(990)
  init_sam_from_ldap: User [asa$] does not exist via system getpwnam!
[2003/02/10 22:02:10, 1] passdb/pdb_ldap.c:ldapsam_getsampwnam(1581)
  ldapsam_getsampwnam: init_sam_from_ldap failed for user 'ASA$'!
[2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam(288)
  Finding user ASA$
[2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is asa$
[2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam_internals(230)
  Trying _Get_Pwnam(), username as given is ASA$
[2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam_internals(247)
  Checking combinations of 0 uppercase letters in asa$
[2003/02/10 22:02:10, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals didn't find user [ASA$]!
[2003/02/10 22:02:10, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (1001, 1001) - sec_ctx_stack_ndx = 0
[2003/02/10 22:02:10, 0] rpc_server/srv_netlog_nt.c:get_md4pw(201)
  get_md4pw: Workstation ASA$: no account in domain
[2003/02/10 22:02:10, 5] rpc_parse/parse_prs.c:prs_debug(81)
  000000 net_io_r_auth_2
[2003/02/10 22:02:10, 5] rpc_parse/parse_prs.c:prs_uint8s(679)
          0000 data: cc f3 ff bf 84 83 2c 08
[2003/02/10 22:02:10, 5] rpc_parse/parse_prs.c:prs_uint32(592)
          0008 neg_flags: 000001ff
[2003/02/10 22:02:10, 5] rpc_parse/parse_prs.c:prs_ntstatus(622)
      000c status: NT_STATUS_ACCESS_DENIED
Log Results Attempting to Join Domain from Windows 2000
=======================================
[2003/02/10 22:06:33, 4] rpc_server/srv_pipe.c:api_rpcTNP(1340)
  api_rpcTNP: NETLOGON op 0x5 - api_rpcTNP: rpc command: NET_AUTH
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_debug(81)
  000000 net_io_q_auth
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
          0000 undoc_buffer: 00119f60
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
              0004 uni_max_len: 00000006
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
              0008 undoc      : 00000000
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
              000c uni_str_len: 00000006
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:dbg_rw_punival(764)
              0010 buffer     : \.\.B.O.O...
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
              001c uni_max_len: 00000006
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
              0020 undoc      : 00000000
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
              0024 uni_str_len: 00000006
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:dbg_rw_punival(764)
              0028 buffer     : J.O.H.N.$...
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint16(563)
          0034 sec_chan: 0002
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
              0038 uni_max_len: 00000005
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
              003c undoc      : 00000000
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint32(592)
              0040 uni_str_len: 00000005
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:dbg_rw_punival(764)
              0044 buffer     : J.O.H.N...
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint8s(679)
          004e data: 19 60 39 05 08 91 3a 58
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_debug(81)
  000000 net_io_r_auth
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_uint8s(679)
          0000 data: d0 f3 ff bf bc 2f 2d 08
[2003/02/10 22:06:33, 5] rpc_parse/parse_prs.c:prs_ntstatus(622)
      0008 status: NT_STATUS_ACCESS_DENIED
bkrusic@yahoo.com
2003-Feb-11  04:33 UTC
[Samba] Slow network neighbor hood browse of my smb file server shares...
Hi. The server shares take a bit to come up in the browse window, but after that each share's dirs/files come up quickly. Is this because I have a separate PDC Samba server doing the authentication whereas the rest of my Samba servers are file servers only? This is Redhat 7.3/smb 2.2.7/SGI_XFS file system/gig-e network.
Bri-
Beware of having machine account$ in /etc/passwd and LDAP database (the problem seems to be in /etc/passwd). The other difference I can see is that I do not use the 227a syntax for LDAP settings but 302alpha. Hope this helps.

---- Original Message ----
From: "John Peak" <jpeak@yahoo.com>
Date: Tuesday, February 11, 2003 4:32 am
Subject: [Samba] Samba + LDAP = Misery

> I have been working on this for weeks now and feel like I am at a
> dead-end.
> I am using Samba 3.0 (Head) and OpenLDAP (2.0) and smbldap-tools 0.7 and
> cannot join either a Linux machine or Windows 2000 machine to the domain.
> If any of you have some ideas they would be much appreciated.
>
> Highlights:
> - I have a root defined (UID and GID of 0).
> - Trying to join the domain will successfully add my machine to the LDAP
> database.
> - I have my users defined and can successfully login to view shares from
> either a windows or Linux machine.
> - When trying to join domain I use root as the account with permission to
> join domain. The log appears to indicate that root is successfully
> validated.
>
> Bottom Line:
> - Whenever I try to join I always get NT_STATUS_ACCESS_DENIED. More details
> and log messages below.
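
An added example, not part of the thread or of Samba: a small log triage script that picks out accounts the posted smbd log reports as present in LDAP but missing from the system `getpwnam` lookup, and notes whether the join was then rejected with "no account in domain". The names `diagnose`, `nss_has` and `SAMPLE_LOG` are hypothetical, and the sample log is constructed from lines in the post plus one invented `jdoe` entry.

```python
import pwd
import re

# Constructed sample in the smbd "log level = 5" layout shown in the post:
# a bracketed header line followed by an indented message line.
SAMPLE_LOG = """\
[2003/02/10 22:02:10, 2] passdb/pdb_ldap.c:init_sam_from_ldap(953)
  Entry found for user: asa$
[2003/02/10 22:02:10, 2] passdb/pdb_ldap.c:init_sam_from_ldap(990)
  init_sam_from_ldap: User [asa$] does not exist via system getpwnam!
[2003/02/10 22:02:10, 0] rpc_server/srv_netlog_nt.c:get_md4pw(201)
  get_md4pw: Workstation ASA$: no account in domain
[2003/02/10 22:03:41, 2] passdb/pdb_ldap.c:init_sam_from_ldap(953)
  Entry found for user: jdoe
"""

IN_LDAP = re.compile(r"Entry found for user: (\S+)")
NO_NSS = re.compile(r"User \[(\S+?)\] does not exist via system getpwnam")
REJECTED = re.compile(r"get_md4pw: Workstation (\S+?): no account in domain")


def nss_has(name):
    """True if the C library's getpwnam (files, LDAP, ... via NSS) resolves the name."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def diagnose(log_text, resolver=nss_has):
    """Map each account found in LDAP but not via getpwnam to its current status."""
    in_ldap, no_nss, rejected = set(), set(), set()
    for line in log_text.splitlines():
        for pattern, bucket in ((IN_LDAP, in_ldap), (NO_NSS, no_nss), (REJECTED, rejected)):
            match = pattern.search(line)
            if match:
                # smbd logs the same account in both cases (asa$ / ASA$)
                bucket.add(match.group(1).lower())
    return {
        account: {"join_rejected": account in rejected,
                  "resolves_now": resolver(account)}
        for account in sorted(in_ldap & no_nss)
    }


if __name__ == "__main__":
    for account, status in diagnose(SAMPLE_LOG).items():
        print(account, status)
```

Run on the Samba server itself, `resolves_now` shows whether the machine account is visible to the same name-service lookup smbd uses, which is the condition the log complains about.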