-----Original Message-----
From: Scott Phelps [mailto:sphelps@ridgways.com]
Sent: Friday, July 11, 2003 9:19 PM
To: 'samba@lists.samba.org'
Subject: Samba-2.2.8a & LDAP - Can't join Domain - SID mapping error

Hi everyone,

I am at my wits' end and am hoping one of you can help me out.

I am getting the following error when attempting to join a Windows XP/2000 machine to the domain:

"The following error occurred attempting to join the domain "MY_DOMAIN":
No mapping between account names and security IDs was done."

Running Gentoo Linux
Samba 2.2.8a
OpenLDAP 2.0.27

I performed the following registry hacks:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters]
"requirestrongkey"=dword:00000000
"requiresignorseal"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Netlogon\Parameters]
"requirestrongkey"=dword:00000000
"requiresignorseal"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requirestrongkey"=dword:00000000
"requiresignorseal"=dword:00000000

I am attempting to join the domain as root.
root was added via smbpasswd -a root

    domain admin group = root

was placed in my smb.conf.

I set up a fake root user this way in LDAP:

dn: uid=root,ou=People,dc=virginiabeach,dc=net
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaAccount
uidNumber: 0
gidNumber: 0
homeDirectory: /home/root
loginShell: /bin/bash
gecos: root
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
userPassword: {SSHA}GN3hrCs7c8Kgd93df23838hHH
uid: root
pwdLastSet: 1057974221
logonTime: 0
logoffTime: 2147483647
kickoffTime: 2147483647
pwdCanChange: 2147483647
pwdMustChange: 2147483647
displayName: root
cn: root
smbHome: \\MY_PDC\homes
homeDrive: Z:
scriptPath: logon.cmd
profilePath: \\MT-PDC\profiles\root
rid: 1000
primaryGroupID: 1001
lmPassword: 639C041927C79D99AAEJKHRJFHKRJKL
ntPassword: 6E1766AB79DDFHGJDHFJJHBJFHBJRHR
acctFlags: [UX ]

The machine name is also in LDAP like this:

dn: uid=MYMACHINE$,ou=Machine,dc=virginiabeach,dc=net
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaAccount
uid: MYMACHINE$
uidNumber: 11014
gidNumber: 11014
homeDirectory: /dev/null
loginShell: /bin/false
gecos: rid96itlaptop windows machine,,,
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
pwdLastSet: 0
logonTime: 0
logoffTime: 2147483647
kickoffTime: 2147483647
pwdCanChange: 2147483647
pwdMustChange: 2147483647
displayName: MYMACHINE$
acctFlags: [W]
rid: 23028
primaryGroupID: 23029
homeDrive: U:
smbHome:
profilePath:
scriptPath: logon.cmd
lmPassword: xxx
ntPassword: xxx
cn: MYMACHINE$

Everything else works, and I am able to log into Linux and a Samba share using a test user authenticating strictly via LDAP.

Any help is greatly appreciated. Otherwise I will have no hair left!

Thanks,

-- Scott Phelps
Join the club! One thing I found is that if I don't have the master browser set up correctly (domain logons = yes, master browser = yes), then I get that message as well. Are your logs showing anything?

> -----Original Message-----
> From: PHELPS, SCOTT [mailto:SPHELPS@ridgways.com]
> Sent: Friday, July 11, 2003 8:32 PM
> To: samba@lists.samba.org
> Subject: [Samba] Samba-2.2.8a /LDAP can't join domain
>
> -----Original Message-----
> From: Scott Phelps [mailto:sphelps@ridgways.com]
> Sent: Friday, July 11, 2003 9:19 PM
> To: 'samba@lists.samba.org'
> Subject: Samba-2.2.8a & LDAP - Can't join Domain - SID mapping error
>
> I am getting the following error when attempting to join
> Windows XP/2000 machine to the domain:
>
> "The following error occurred attempting to join the domain
> "MY_DOMAIN"
> No mapping between account names and security IDs was done.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
On Sat, 2003-07-12 at 01:43, Chee Wai Yeung wrote:
> Hi,
>
> have you checked your smb logs? Is the smbd talking to
> your ldap server as a start? Also try to check your
> ldap logs to see if any searches were made to your
> ldap server when the join took place. smbd should be
> searching for something in the line of
>
> (&(uid=MYMACHINE$)(objectclass=sambaAccount))
>
> Hope this can help your troubleshooting.
>
> (PS: your LDIF entries looked ok)
>
> Chee Wai

Hooooorahhhh! I got it working! Although with one bug, which I will list at the bottom of this email.

I am posting how I fixed this for everyone in the future who runs into this problem.

First I recompiled OpenLDAP with the --include-debug option (it won't log jack unless you do!) and set up slapd.conf with loglevel = -1. It's also a good idea to configure syslog to dump this to its own file, because it uses /var/log/messages by default.

Second I started Samba and slapd up and tried to join my new domain from a Windows XP laptop.

Here's the (pertinent) output from my slapd.log.... sorry it's so long. I'll continue at the bottom......
Jul 12 16:43:29 localhost slapd[11546]: ====> cache_find_entry_id( 8 ) "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" (found) (1 tries)
Jul 12 16:43:29 localhost slapd[11546]: <= id2entry_r( 8 ) 0x80e96f8 (cache)
Jul 12 16:43:29 localhost slapd[11546]: => test_filter
Jul 12 16:43:29 localhost slapd[11546]: AND
Jul 12 16:43:29 localhost slapd[11546]: => test_filter_and
Jul 12 16:43:29 localhost slapd[11546]: => test_filter
Jul 12 16:43:29 localhost slapd[11546]: EQUALITY
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: search access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "uid" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: <= test_filter 6
Jul 12 16:43:29 localhost slapd[11546]: => test_filter
Jul 12 16:43:29 localhost slapd[11546]: EQUALITY
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: search access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "objectClass" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: <= test_filter 6
Jul 12 16:43:29 localhost slapd[11546]: <= test_filter_and 6
Jul 12 16:43:29 localhost slapd[11546]: <= test_filter 6
Jul 12 16:43:29 localhost slapd[11546]: => send_search_entry: "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net"
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "entry" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "uid" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "uid" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "pwdLastSet" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "pwdLastSet" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "logonTime" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "logonTime" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "logoffTime" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "logoffTime" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "kickoffTime" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: read access to "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "cn" requested
Jul 12 16:43:29 localhost slapd[11546]: <= root access granted
Jul 12 16:43:29 localhost slapd[11546]: conn=10 op=1 ENTRY dn="uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net"
Jul 12 16:43:29 localhost slapd[11546]: <= send_search_entry
Jul 12 16:43:29 localhost slapd[11546]: ====> cache_return_entry_r( 8 ): returned (0)
Jul 12 16:43:29 localhost slapd[11500]: daemon: select: listen=6 active_threads=1 tvp=NULL
Jul 12 16:43:29 localhost slapd[11546]: send_ldap_search_result 0::
Jul 12 16:43:29 localhost slapd[11546]: send_ldap_response: msgid=2 tag=101 err=0
Jul 12 16:43:29 localhost slapd[11546]: conn=10 op=1 SEARCH RESULT tag=101 err=0 text
Jul 12 16:43:29 localhost slapd[11500]: daemon: activity on 1 descriptors
Jul 12 16:43:29 localhost slapd[11500]: daemon: activity on:
Jul 12 16:43:29 localhost slapd[11500]: 15r
Jul 12 16:43:29 localhost slapd[11500]:
Jul 12 16:43:29 localhost slapd[11500]: daemon: read activity on 15
Jul 12 16:43:29 localhost slapd[11500]: connection_get(15)
Jul 12 16:43:29 localhost slapd[11500]: connection_get(15): got connid=8
Jul 12 16:43:29 localhost slapd[11500]: connection_read(15): checking for input on id=8
Jul 12 16:43:29 localhost slapd[11500]: ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
Jul 12 16:43:29 localhost slapd[11543]: do_search
Jul 12 16:43:29 localhost slapd[11543]: SRCH "ou=People,dc=MY_DOMAIN,dc=NET" 2 0
Jul 12 16:43:29 localhost slapd[11543]: 1 0 0
Jul 12 16:43:29 localhost slapd[11543]: begin get_filter
Jul 12 16:43:29 localhost slapd[11543]: AND
Jul 12 16:43:29 localhost slapd[11543]: begin get_filter_list
Jul 12 16:43:29 localhost slapd[11543]: begin get_filter
Jul 12 16:43:29 localhost slapd[11543]: EQUALITY
Jul 12 16:43:29 localhost slapd[11543]: end get_filter 0
Jul 12 16:43:29 localhost slapd[11543]: begin get_filter
Jul 12 16:43:29 localhost slapd[11543]: EQUALITY
Jul 12 16:43:29 localhost slapd[11543]: end get_filter 0
Jul 12 16:43:29 localhost slapd[11543]: end get_filter_list
Jul 12 16:43:29 localhost slapd[11543]: end get_filter 0
Jul 12 16:43:29 localhost slapd[11543]: filter: (&(objectClass=posixAccount)(uid=MY_COMPUTER$))
Jul 12 16:43:29 localhost slapd[11543]: attrs:
Jul 12 16:43:29 localhost slapd[11543]: uid
Jul 12 16:43:29 localhost slapd[11543]: userPassword
Jul 12 16:43:29 localhost slapd[11543]: uidNumber
Jul 12 16:43:29 localhost slapd[11543]: gidNumber
Jul 12 16:43:29 localhost slapd[11543]: cn
Jul 12 16:43:29 localhost slapd[11543]: homeDirectory
Jul 12 16:43:29 localhost slapd[11543]: loginShell
Jul 12 16:43:29 localhost slapd[11543]: gecos
Jul 12 16:43:29 localhost slapd[11543]: description
Jul 12 16:43:29 localhost slapd[11543]: objectClass
Jul 12 16:43:29 localhost slapd[11543]:
Jul 12 16:43:29 localhost slapd[11543]: conn=8 op=6 SRCH base="ou=People,dc=MY_DOMAIN,dc=NET" scope=2 filter="(&(objectClass=posixAccount)(uid=MY_COMPUTER$))"
Jul 12 16:43:29 localhost slapd[11543]: => ldbm_back_search
Jul 12 16:43:29 localhost slapd[11543]: dn2entry_r: dn: "OU=PEOPLE,DC=MY_DOMAIN,DC=NET"
Jul 12 16:43:29 localhost slapd[11543]: => dn2id( "OU=PEOPLE,DC=MY_DOMAIN,DC=NET" )
Jul 12 16:43:29 localhost slapd[11543]: ====> cache_find_entry_dn2id("OU=PEOPLE,DC=MY_DOMAIN,DC=NET"): 3 (1 tries)
Jul 12 16:43:29 localhost slapd[11543]: <= dn2id 3 (in cache)
Jul 12 16:43:29 localhost slapd[11543]: => id2entry_r( 3 )
Jul 12 16:43:29 localhost slapd[11543]: ====> cache_find_entry_id( 3 ) "ou=People,dc=MY_DOMAIN,dc=net" (found) (1 tries)
Jul 12 16:43:29 localhost slapd[11543]: <= id2entry_r( 3 ) 0x80ea280 (cache)
Jul 12 16:43:29 localhost slapd[11543]: search_candidates: base="OU=PEOPLE,DC=MY_DOMAIN,DC=NET" s=2 d=0
Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
Jul 12 16:43:29 localhost slapd[11543]: AND
Jul 12 16:43:29 localhost slapd[11543]: => list_candidates 0xa0
Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
Jul 12 16:43:29 localhost slapd[11543]: DN SUBTREE
Jul 12 16:43:29 localhost slapd[11543]: => dn2idl( "@OU=PEOPLE,DC=MY_DOMAIN,DC=NET" )
Jul 12 16:43:29 localhost slapd[11543]: => ldbm_cache_open( "dn2id.dbb", 73, 600 )
Jul 12 16:43:29 localhost slapd[11543]: <= ldbm_cache_open (cache 0)
Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 4
Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
Jul 12 16:43:29 localhost slapd[11543]: OR
Jul 12 16:43:29 localhost slapd[11543]: => list_candidates 0xa1
Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
Jul 12 16:43:29 localhost slapd[11543]: EQUALITY
Jul 12 16:43:29 localhost slapd[11543]: => equality_candidates
Jul 12 16:43:29 localhost slapd[11543]: => ldbm_cache_open( "objectClass.dbb", 73, 600 )
Jul 12 16:43:29 localhost slapd[11543]: <= ldbm_cache_open (cache 3)
Jul 12 16:43:29 localhost slapd[11543]: => key_read
Jul 12 16:43:29 localhost slapd[11543]: <= index_read 0 candidates
Jul 12 16:43:29 localhost slapd[11543]: <= equality_candidates NULL
Jul 12 16:43:29 localhost slapd[11543]: <= equality_candidates 0
Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 0
Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
Jul 12 16:43:29 localhost slapd[11543]: AND
Jul 12 16:43:29 localhost slapd[11543]: => list_candidates 0xa0
Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
Jul 12 16:43:29 localhost slapd[11543]: EQUALITY
Jul 12 16:43:29 localhost slapd[11543]: => equality_candidates
Jul 12 16:43:29 localhost slapd[11543]: => ldbm_cache_open( "objectClass.dbb", 73, 600 )
Jul 12 16:43:29 localhost slapd[11543]: <= ldbm_cache_open (cache 3)
Jul 12 16:43:29 localhost slapd[11543]: => key_read
Jul 12 16:43:29 localhost slapd[11543]: <= index_read 4 candidates
Jul 12 16:43:29 localhost slapd[11543]: <= equality_candidates 4
Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 4
Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
Jul 12 16:43:29 localhost slapd[11543]: EQUALITY
Jul 12 16:43:29 localhost slapd[11543]: => equality_candidates
Jul 12 16:43:29 localhost slapd[11543]: => ldbm_cache_open( "uid.dbb", 73, 600 )
Jul 12 16:43:29 localhost slapd[11543]: <= ldbm_cache_open (cache 4)
Jul 12 16:43:29 localhost slapd[11543]: => key_read
Jul 12 16:43:29 localhost slapd[11543]: <= index_read 1 candidates
Jul 12 16:43:29 localhost slapd[11543]: <= equality_candidates 1
Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 1
Jul 12 16:43:29 localhost slapd[11543]: <= list_candidates 1
Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 1
Jul 12 16:43:29 localhost slapd[11543]: <= list_candidates 1
Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 1
Jul 12 16:43:29 localhost slapd[11543]: <= list_candidates 0
Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 0
Jul 12 16:43:29 localhost slapd[11500]: daemon: select: listen=6 active_threads=1 tvp=NULL
Jul 12 16:43:29 localhost slapd[11543]: ====> cache_return_entry_r( 3 ): returned (0)
Jul 12 16:43:29 localhost slapd[11543]: ldbm_search: no candidates
Jul 12 16:43:29 localhost slapd[11543]: send_ldap_search_result 0::
Jul 12 16:43:29 localhost slapd[11543]: send_ldap_response: msgid=7 tag=101 err=0
Jul 12 16:43:29 localhost slapd[11543]: conn=8 op=6 SEARCH RESULT tag=101 err=0 text
Jul 12 16:43:29 localhost slapd[11500]: daemon: activity on 1 descriptors
Jul 12 16:43:29 localhost slapd[11500]: daemon: activity on:
Jul 12 16:43:29 localhost slapd[11500]: 17r
Jul 12 16:43:29 localhost slapd[11500]:
Jul 12 16:43:29 localhost slapd[11500]: daemon: read activity on 17
Jul 12 16:43:29 localhost slapd[11500]: connection_get(17)
Jul 12 16:43:29 localhost slapd[11500]: connection_get(17): got connid=10
Jul 12 16:43:29 localhost slapd[11500]: connection_read(17): checking for input on id=10
Jul 12 16:43:29 localhost slapd[11500]: ber_get_next on fd 17 failed errno=0 (Success)
Jul 12 16:43:29 localhost slapd[11500]: connection_read(17): input error=-2 id=10, closing.
Jul 12 16:43:29 localhost slapd[11500]: connection_closing: readying conn=10 sd=17 for close
Jul 12 16:43:29 localhost slapd[11500]: connection_close: deferring conn=10 sd=17
Jul 12 16:43:29 localhost slapd[11542]: do_unbind
Jul 12 16:43:29 localhost slapd[11542]: conn=10 op=2 UNBIND
Jul 12 16:43:29 localhost slapd[11542]: connection_resched: attempting closing conn=10 sd=17
Jul 12 16:43:29 localhost slapd[11542]: connection_close: conn=10 sd=17
Jul 12 16:43:29 localhost slapd[11542]: daemon: removing 17
Jul 12 16:43:29 localhost slapd[11542]: conn=-1 fd=17 closed

Well, as you can see, the problem was that Samba was looking for MY_COMPUTER$ in ou=People. So I took MY_COMPUTER$ out of ou=Machines and put it in ou=People. Then when I attempted to join MY_DOMAIN I got the friendly "Welcome to the MY_DOMAIN Domain!" Yay!

Now the issue is this. I want my Machines in their own OU. What piece am I missing here to make Samba work with an Account in Machines only?

My Machine account is in my previous email, so here is my /etc/ldap.conf:

# ldap.conf
host 127.0.0.1
base dc=MY_DOMAIN,dc=NET

rootbinddn cn=manager,dc=MY_DOMAIN,dc=NET

pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_member_attribute gid
pam_password md5

nss_base_passwd ou=People,dc=MY_DOMAIN,dc=NET?sub
nss_base_shadow ou=People,dc=MY_DOMAIN,dc=NET?sub
nss_base_group ou=Group,dc=MY_DOMAIN,dc=NET?one

P.S. I suspect I need to change shadow, but how? Can somebody explain what one and sub mean and how this ties to nss?

Thanks!

-- Scott Phelps
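The slapd trace above answers the "one vs. sub" question by itself once the two coordinates of an LDAP search are read off the `SRCH` line: the base (`ou=People,dc=MY_DOMAIN,dc=NET`) and the scope (`scope=2`, which is `sub`, the whole subtree under the base; `scope=1` is `one`, only the direct children of the base; `scope=0` is `base`, the base entry alone). nss_ldap turns `nss_base_passwd base?scope` into exactly such a search, so a machine account living under `ou=Machine` can never be returned by a lookup rooted at `ou=People`, whatever the scope. The script below is an added illustration written for this thread, not code from Samba, OpenLDAP or nss_ldap: it parses `SRCH` lines in the format shown above, evaluates the base/scope pair against a DN, and does the same for `nss_base_passwd` values. It goes slightly beyond the thread by also handling scope `base` and by checking several searches at once. The first log line is the one from the trace; the second line, `MACHINE_DN`, and the treatment of a missing scope as `sub` are constructed assumptions for the example.

```python
import re

# Scope names as written in nss_ldap's "base?scope" syntax, mapped to the numbers
# slapd prints in its log ("scope=2"). base=0, one=1, sub=2 follow the LDAP protocol.
SCOPES = {"base": 0, "one": 1, "sub": 2}


def dn_parts(dn):
    """Split a DN into lower-cased RDN components, most specific first.
    Simplified: does not handle commas escaped inside attribute values."""
    return [part.strip().lower() for part in dn.split(",")]


def dn_in_scope(entry_dn, base_dn, scope):
    """True if a search rooted at base_dn with the given scope can return entry_dn."""
    entry, base = dn_parts(entry_dn), dn_parts(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False                      # entry lies outside the base subtree entirely
    depth = len(entry) - len(base)        # 0 = the base entry itself
    if scope == SCOPES["base"]:
        return depth == 0
    if scope == SCOPES["one"]:
        return depth == 1                 # direct children of the base only
    return True                           # sub: the base and everything beneath it


def parse_nss_base(setting):
    """Parse an nss_ldap value of the form 'base?scope' into (base, numeric scope).
    A missing scope is treated as 'sub' here; that is an assumption made for this
    example, not a statement about nss_ldap's documented default."""
    base, _, scope = setting.partition("?")
    return base.strip(), SCOPES[scope.strip() or "sub"]


# Matches the summary line slapd writes for every search request.
SRCH_RE = re.compile(
    r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"'
)


def parse_searches(log_text):
    """Pull the SRCH summary lines out of slapd debug output."""
    return [
        {"conn": int(m.group(1)), "op": int(m.group(2)), "base": m.group(3),
         "scope": int(m.group(4)), "filter": m.group(5)}
        for m in SRCH_RE.finditer(log_text)
    ]


def searches_that_can_find(log_text, entry_dn):
    """(conn, op) of every logged search whose base/scope covers entry_dn."""
    return [(s["conn"], s["op"]) for s in parse_searches(log_text)
            if dn_in_scope(entry_dn, s["base"], s["scope"])]


# Constructed for this example: the machine account DN as it appears in the trace.
MACHINE_DN = "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net"

# First line: the SRCH line from the thread's slapd output. Second line: constructed,
# showing the same lookup with the search base moved up to the domain root.
SAMPLE_LOG = """\
Jul 12 16:43:29 localhost slapd[11543]: conn=8 op=6 SRCH base="ou=People,dc=MY_DOMAIN,dc=NET" scope=2 filter="(&(objectClass=posixAccount)(uid=MY_COMPUTER$))"
Jul 12 16:44:02 localhost slapd[11543]: conn=9 op=3 SRCH base="dc=MY_DOMAIN,dc=NET" scope=2 filter="(&(objectClass=posixAccount)(uid=MY_COMPUTER$))"
"""

if __name__ == "__main__":
    for s in parse_searches(SAMPLE_LOG):
        hit = dn_in_scope(MACHINE_DN, s["base"], s["scope"])
        print(f'conn={s["conn"]} op={s["op"]} base={s["base"]!r} scope={s["scope"]}'
              f' -> {"can" if hit else "cannot"} return {MACHINE_DN}')
    for setting in ("ou=People,dc=MY_DOMAIN,dc=NET?sub",
                    "dc=MY_DOMAIN,dc=NET?one",
                    "dc=MY_DOMAIN,dc=NET?sub"):
        base, scope = parse_nss_base(setting)
        print(f"nss_base_passwd {setting}: finds machine account = "
              f"{dn_in_scope(MACHINE_DN, base, scope)}")
```

Run against the trace, the script reports that `conn=8 op=6` cannot return the machine account while the constructed domain-root search can, and that `dc=MY_DOMAIN,dc=NET?one` also misses it because `uid=MY_COMPUTER$` sits two levels below the domain root, not one. The same check applied to `nss_base_shadow` explains the P.S.: any base/scope pair that cannot reach `ou=Machine` will fail the shadow lookup for the machine account in the same way.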
Make sure your ldap.conf is set like this, or it won't go searching the tree:

nss_base_passwd dc=domin,dc=com?sub

> -----Original Message-----
> From: PHELPS, SCOTT [mailto:SPHELPS@ridgways.com]
> Sent: Sunday, July 13, 2003 2:19 AM
> To: 'samba@lists.samba.org'
> Subject: Re: [Samba] Samba-2.2.8a /LDAP can't join domain
> > > > Jul 12 16:43:29 localhost slapd[11546]: ====> > cache_find_entry_id( 8 ) > "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" (found) (1 tries) > Jul 12 16:43:29 localhost slapd[11546]: <= id2entry_r( 8 ) > 0x80e96f8 (cache) > Jul 12 16:43:29 localhost slapd[11546]: => test_filter > Jul 12 16:43:29 localhost slapd[11546]: AND > Jul 12 16:43:29 localhost slapd[11546]: => test_filter_and > Jul 12 16:43:29 localhost slapd[11546]: => test_filter > Jul 12 16:43:29 localhost slapd[11546]: EQUALITY > Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: > search access to > "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "uid" requested > Jul 12 16:43:29 localhost slapd[11546]: <= root access granted > Jul 12 16:43:29 localhost slapd[11546]: <= test_filter 6 > Jul 12 16:43:29 localhost slapd[11546]: => test_filter > Jul 12 16:43:29 localhost slapd[11546]: EQUALITY > Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: > search access to > "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" > "objectClass" requested > Jul 12 16:43:29 localhost slapd[11546]: <= root access granted > Jul 12 16:43:29 localhost slapd[11546]: <= test_filter 6 > Jul 12 16:43:29 localhost slapd[11546]: <= test_filter_and 6 > Jul 12 16:43:29 localhost slapd[11546]: <= test_filter 6 > Jul 12 16:43:29 localhost slapd[11546]: => send_search_entry: > "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" > Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: > read access to > "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "entry" requested > Jul 12 16:43:29 localhost slapd[11546]: <= root access granted > Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: > read access to > "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "uid" requested > Jul 12 16:43:29 localhost slapd[11546]: <= root access granted > Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: > read access to > "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "uid" requested > Jul 12 16:43:29 
localhost slapd[11546]: <= root access granted > Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: > read access to > "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" > "pwdLastSet" requested > Jul 12 16:43:29 localhost slapd[11546]: <= root access granted > Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: > read access to > "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" > "pwdLastSet" requested > Jul 12 16:43:29 localhost slapd[11546]: <= root access granted > Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: > read access to > "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "logonTime" > requested > Jul 12 16:43:29 localhost slapd[11546]: <= root access granted > Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: > read access to > "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "logonTime" > requested > Jul 12 16:43:29 localhost slapd[11546]: <= root access granted > Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: > read access to > "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" > "logoffTime" requested > Jul 12 16:43:29 localhost slapd[11546]: <= root access granted > Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: > read access to > "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" > "logoffTime" requested > Jul 12 16:43:29 localhost slapd[11546]: <= root access granted > Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: > read access to > "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" > "kickoffTime" requested > Jul 12 16:43:29 localhost slapd[11546]: <= root access granted > Jul 12 16:43:29 localhost slapd[11546]: => access_allowed: > read access to > "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" "cn" requested > Jul 12 16:43:29 localhost slapd[11546]: <= root access granted > Jul 12 16:43:29 localhost slapd[11546]: conn=10 op=1 ENTRY > dn="uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net" > Jul 12 16:43:29 localhost slapd[11546]: <= send_search_entry > Jul 12 16:43:29 
localhost slapd[11546]: ====> > cache_return_entry_r( 8 ): returned (0) > Jul 12 16:43:29 localhost slapd[11500]: daemon: select: > listen=6 active_threads=1 tvp=NULL > Jul 12 16:43:29 localhost slapd[11546]: send_ldap_search_result 0:: > Jul 12 16:43:29 localhost slapd[11546]: send_ldap_response: > msgid=2 tag=101 err=0 > Jul 12 16:43:29 localhost slapd[11546]: conn=10 op=1 SEARCH > RESULT tag=101 err=0 text> Jul 12 16:43:29 localhost slapd[11500]: daemon: activity on 1 > descriptors > Jul 12 16:43:29 localhost slapd[11500]: daemon: activity on: > Jul 12 16:43:29 localhost slapd[11500]: 15r > Jul 12 16:43:29 localhost slapd[11500]: > Jul 12 16:43:29 localhost slapd[11500]: daemon: read activity on 15 > Jul 12 16:43:29 localhost slapd[11500]: connection_get(15) > Jul 12 16:43:29 localhost slapd[11500]: connection_get(15): > got connid=8 > Jul 12 16:43:29 localhost slapd[11500]: connection_read(15): > checking for input on id=8 > Jul 12 16:43:29 localhost slapd[11500]: ber_get_next on fd 15 > failed errno=11 (Resource temporarily unavailable) > Jul 12 16:43:29 localhost slapd[11543]: do_search > Jul 12 16:43:29 localhost slapd[11543]: SRCH > "ou=People,dc=MY_DOMAIN,dc=NET" 2 0 > Jul 12 16:43:29 localhost slapd[11543]: 1 0 0 > Jul 12 16:43:29 localhost slapd[11543]: begin get_filter > Jul 12 16:43:29 localhost slapd[11543]: AND > Jul 12 16:43:29 localhost slapd[11543]: begin get_filter_list > Jul 12 16:43:29 localhost slapd[11543]: begin get_filter > Jul 12 16:43:29 localhost slapd[11543]: EQUALITY > Jul 12 16:43:29 localhost slapd[11543]: end get_filter 0 > Jul 12 16:43:29 localhost slapd[11543]: begin get_filter > Jul 12 16:43:29 localhost slapd[11543]: EQUALITY > Jul 12 16:43:29 localhost slapd[11543]: end get_filter 0 > Jul 12 16:43:29 localhost slapd[11543]: end get_filter_list > Jul 12 16:43:29 localhost slapd[11543]: end get_filter 0 > Jul 12 16:43:29 localhost slapd[11543]: filter: > (&(objectClass=posixAccount)(uid=MY_COMPUTER$)) > Jul 12 16:43:29 localhost 
slapd[11543]: attrs:
> Jul 12 16:43:29 localhost slapd[11543]: uid
> Jul 12 16:43:29 localhost slapd[11543]: userPassword
> Jul 12 16:43:29 localhost slapd[11543]: uidNumber
> Jul 12 16:43:29 localhost slapd[11543]: gidNumber
> Jul 12 16:43:29 localhost slapd[11543]: cn
> Jul 12 16:43:29 localhost slapd[11543]: homeDirectory
> Jul 12 16:43:29 localhost slapd[11543]: loginShell
> Jul 12 16:43:29 localhost slapd[11543]: gecos
> Jul 12 16:43:29 localhost slapd[11543]: description
> Jul 12 16:43:29 localhost slapd[11543]: objectClass
> Jul 12 16:43:29 localhost slapd[11543]:
> Jul 12 16:43:29 localhost slapd[11543]: conn=8 op=6 SRCH base="ou=People,dc=MY_DOMAIN,dc=NET" scope=2 filter="(&(objectClass=posixAccount)(uid=MY_COMPUTER$))"
> Jul 12 16:43:29 localhost slapd[11543]: => ldbm_back_search
> Jul 12 16:43:29 localhost slapd[11543]: dn2entry_r: dn: "OU=PEOPLE,DC=MY_DOMAIN,DC=NET"
> Jul 12 16:43:29 localhost slapd[11543]: => dn2id( "OU=PEOPLE,DC=MY_DOMAIN,DC=NET" )
> Jul 12 16:43:29 localhost slapd[11543]: ====> cache_find_entry_dn2id("OU=PEOPLE,DC=MY_DOMAIN,DC=NET"): 3 (1 tries)
> Jul 12 16:43:29 localhost slapd[11543]: <= dn2id 3 (in cache)
> Jul 12 16:43:29 localhost slapd[11543]: => id2entry_r( 3 )
> Jul 12 16:43:29 localhost slapd[11543]: ====> cache_find_entry_id( 3 ) "ou=People,dc=MY_DOMAIN,dc=net" (found) (1 tries)
> Jul 12 16:43:29 localhost slapd[11543]: <= id2entry_r( 3 ) 0x80ea280 (cache)
> Jul 12 16:43:29 localhost slapd[11543]: search_candidates: base="OU=PEOPLE,DC=MY_DOMAIN,DC=NET" s=2 d=0
> Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
> Jul 12 16:43:29 localhost slapd[11543]: AND
> Jul 12 16:43:29 localhost slapd[11543]: => list_candidates 0xa0
> Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
> Jul 12 16:43:29 localhost slapd[11543]: DN SUBTREE
> Jul 12 16:43:29 localhost slapd[11543]: => dn2idl( "@OU=PEOPLE,DC=MY_DOMAIN,DC=NET" )
> Jul 12 16:43:29 localhost slapd[11543]: => ldbm_cache_open( "dn2id.dbb", 73, 600 )
> Jul 12 16:43:29 localhost slapd[11543]: <= ldbm_cache_open (cache 0)
> Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 4
> Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
> Jul 12 16:43:29 localhost slapd[11543]: OR
> Jul 12 16:43:29 localhost slapd[11543]: => list_candidates 0xa1
> Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
> Jul 12 16:43:29 localhost slapd[11543]: EQUALITY
> Jul 12 16:43:29 localhost slapd[11543]: => equality_candidates
> Jul 12 16:43:29 localhost slapd[11543]: => ldbm_cache_open( "objectClass.dbb", 73, 600 )
> Jul 12 16:43:29 localhost slapd[11543]: <= ldbm_cache_open (cache 3)
> Jul 12 16:43:29 localhost slapd[11543]: => key_read
> Jul 12 16:43:29 localhost slapd[11543]: <= index_read 0 candidates
> Jul 12 16:43:29 localhost slapd[11543]: <= equality_candidates NULL
> Jul 12 16:43:29 localhost slapd[11543]: <= equality_candidates 0
> Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 0
> Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
> Jul 12 16:43:29 localhost slapd[11543]: AND
> Jul 12 16:43:29 localhost slapd[11543]: => list_candidates 0xa0
> Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
> Jul 12 16:43:29 localhost slapd[11543]: EQUALITY
> Jul 12 16:43:29 localhost slapd[11543]: => equality_candidates
> Jul 12 16:43:29 localhost slapd[11543]: => ldbm_cache_open( "objectClass.dbb", 73, 600 )
> Jul 12 16:43:29 localhost slapd[11543]: <= ldbm_cache_open (cache 3)
> Jul 12 16:43:29 localhost slapd[11543]: => key_read
> Jul 12 16:43:29 localhost slapd[11543]: <= index_read 4 candidates
> Jul 12 16:43:29 localhost slapd[11543]: <= equality_candidates 4
> Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 4
> Jul 12 16:43:29 localhost slapd[11543]: => filter_candidates
> Jul 12 16:43:29 localhost slapd[11543]: EQUALITY
> Jul 12 16:43:29 localhost slapd[11543]: => equality_candidates
> Jul 12 16:43:29 localhost slapd[11543]: => ldbm_cache_open( "uid.dbb", 73, 600 )
> Jul 12 16:43:29 localhost slapd[11543]: <= ldbm_cache_open (cache 4)
> Jul 12 16:43:29 localhost slapd[11543]: => key_read
> Jul 12 16:43:29 localhost slapd[11543]: <= index_read 1 candidates
> Jul 12 16:43:29 localhost slapd[11543]: <= equality_candidates 1
> Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 1
> Jul 12 16:43:29 localhost slapd[11543]: <= list_candidates 1
> Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 1
> Jul 12 16:43:29 localhost slapd[11543]: <= list_candidates 1
> Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 1
> Jul 12 16:43:29 localhost slapd[11543]: <= list_candidates 0
> Jul 12 16:43:29 localhost slapd[11543]: <= filter_candidates 0
> Jul 12 16:43:29 localhost slapd[11500]: daemon: select: listen=6 active_threads=1 tvp=NULL
> Jul 12 16:43:29 localhost slapd[11543]: ====> cache_return_entry_r( 3 ): returned (0)
> Jul 12 16:43:29 localhost slapd[11543]: ldbm_search: no candidates
> Jul 12 16:43:29 localhost slapd[11543]: send_ldap_search_result 0::
> Jul 12 16:43:29 localhost slapd[11543]: send_ldap_response: msgid=7 tag=101 err=0
> Jul 12 16:43:29 localhost slapd[11543]: conn=8 op=6 SEARCH RESULT tag=101 err=0 text
> Jul 12 16:43:29 localhost slapd[11500]: daemon: activity on 1 descriptors
> Jul 12 16:43:29 localhost slapd[11500]: daemon: activity on:
> Jul 12 16:43:29 localhost slapd[11500]: 17r
> Jul 12 16:43:29 localhost slapd[11500]:
> Jul 12 16:43:29 localhost slapd[11500]: daemon: read activity on 17
> Jul 12 16:43:29 localhost slapd[11500]: connection_get(17)
> Jul 12 16:43:29 localhost slapd[11500]: connection_get(17): got connid=10
> Jul 12 16:43:29 localhost slapd[11500]: connection_read(17): checking for input on id=10
> Jul 12 16:43:29 localhost slapd[11500]: ber_get_next on fd 17 failed errno=0 (Success)
> Jul 12 16:43:29 localhost slapd[11500]: connection_read(17): input error=-2 id=10, closing.
> Jul 12 16:43:29 localhost slapd[11500]: connection_closing: readying conn=10 sd=17 for close
> Jul 12 16:43:29 localhost slapd[11500]: connection_close: deferring conn=10 sd=17
> Jul 12 16:43:29 localhost slapd[11542]: do_unbind
> Jul 12 16:43:29 localhost slapd[11542]: conn=10 op=2 UNBIND
> Jul 12 16:43:29 localhost slapd[11542]: connection_resched: attempting closing conn=10 sd=17
> Jul 12 16:43:29 localhost slapd[11542]: connection_close: conn=10 sd=17
> Jul 12 16:43:29 localhost slapd[11542]: daemon: removing 17
> Jul 12 16:43:29 localhost slapd[11542]: conn=-1 fd=17 closed
>
> Well, as you can see, the problem was that Samba was looking for MY_COMPUTER$ in ou=People. So I took MY_COMPUTER$ out of ou=Machines and put it in ou=People. Then when I attempted to join MY_DOMAIN I got the friendly "Welcome to the MY_DOMAIN Domain!" Yay!
>
> Now the issue is this. I want my Machines in their own OU. What piece am I missing here to make Samba work with an Account in Machines only?
>
> My Machine account is in my previous email so here is my /etc/ldap.conf:
> # ldap.conf
> host 127.0.0.1
> base dc=MY_DOMAIN,dc=NET
>
> rootbinddn cn=manager,dc=MY_DOMAIN,dc=NET
>
> pam_filter objectclass=posixaccount
> pam_login_attribute uid
> pam_member_attribute gid
> pam_password md5
>
> nss_base_passwd ou=People,dc=MY_DOMAIN,dc=NET?sub
> nss_base_shadow ou=People,dc=MY_DOMAIN,dc=NET?sub
> nss_base_group ou=Group,dc=MY_DOMAIN,dc=NET?one
>
> P.S. I suspect I need to change shadow, but how? Can somebody explain what one and sub mean and how this ties to nss?
>
> Thanks!
>
> -- Scott Phelps
On Sun, 2003-07-13 at 19:42, s9410821@pop3.student.utwente.nl wrote:
> Hi Scott,
>
> I've had the same message and wasn't getting any further with it for some time,
> until someone pointed me to my resolution of groups and IDs which is done
> through nss; check your nsswitch.conf and libnss-ldap.conf or your
> /etc/ldap/ldap.conf (depends on your distro, I use Debian). With both of us it
> was that ldap didn't look in the group tree from the ldap directory.
> You can fix this here (this is mine):
> nss_base_passwd dc=blah,dc=com?sub
> nss_base_shadow ou=Users,dc=blah,dc=com?one
> nss_base_group ou=Groups,dc=blah,dc=com?one
>
> Hope to be of help and good luck (when it works, it works like a charm)
> Regards,
>
> Bas

AND...

On Sun, 2003-07-13 at 18:08, _Chris McKeever_ wrote:
> make sure your ldap.conf is set like this, or it won't go searching the tree:
>
> nss_base_passwd dc=domin,dc=com?sub

Thanks guys! You both are right. I really appreciate the help!

BTW. I am so stoked to have this working. It is going to feel so righteous to 'format C:' my hard drive on my Windoze PDC next weekend! Samba/OpenLDAP/GQ rock!

Regards,
Scott
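The thread's fix comes down to how nss_ldap interprets the `base?scope` part of `nss_base_passwd`: Samba asks the C library for `MY_COMPUTER$` via getpwnam(), and nss_ldap only searches the configured base at the configured scope, so an account in `ou=Machine` is invisible when the base is `ou=People`. The following is an added example, not code from the thread or from nss_ldap: it models that scope check over a constructed two-entry directory and shows why `?sub` from the domain root finds the machine account while `ou=People,...?sub` and `dc=...?one` do not.

```python
# Added example: models nss_ldap's "base?scope" visibility rule for
# nss_base_passwd. Directory entries below are constructed to mirror the
# thread (users in ou=People, machine accounts in ou=Machine).

def parse_dn(dn):
    """Split a DN into normalized RDNs (case-insensitive, spaces around
    commas ignored; escaped commas are not handled in this model)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def parse_nss_base(value):
    """Parse an nss_ldap 'base?scope' value; scope defaults to 'sub'."""
    base, _, scope = value.partition("?")
    scope = scope or "sub"
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown scope %r" % scope)
    return parse_dn(base), scope

def in_scope(entry_dn, nss_base):
    """True if entry_dn is reachable from the configured base at its scope."""
    base, scope = parse_nss_base(nss_base)
    entry = parse_dn(entry_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False                      # not under the base at all
    depth = len(entry) - len(base)        # number of RDNs below the base
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1                 # direct children only
    return True                           # sub: base and everything below

# Constructed directory (hypothetical, matches the thread's layout).
ENTRIES = {
    "scott": "uid=scott,ou=People,dc=MY_DOMAIN,dc=NET",
    "MY_COMPUTER$": "uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=NET",
}

def lookup(name, nss_base_passwd):
    """Emulate getpwnam(name) under a given nss_base_passwd: returns the
    DN that nss_ldap would find, or None (the miss behind Samba's
    'No mapping between account names and security IDs')."""
    dn = ENTRIES.get(name)
    if dn is None or not in_scope(dn, nss_base_passwd):
        return None
    return dn

if __name__ == "__main__":
    for cfg in ("ou=People,dc=MY_DOMAIN,dc=NET?sub",
                "dc=MY_DOMAIN,dc=NET?sub", "dc=MY_DOMAIN,dc=NET?one"):
        for name in ENTRIES:
            print("%-34s %-13s -> %s" % (cfg, name, lookup(name, cfg)))
```

The third configuration shows the trap in the `?one` direction: a root-level base with scope `one` sees neither OU's entries, which is why both replies pair the domain root with `?sub` for passwd.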