Eivind Trondsen
2003-Oct-10 05:28 UTC
[Samba] Weird failure when adding W2K to Samba3.0.0+LDAP Domain
Dear list,

I have been at it for a few days trying to get my SuSE 8.2 server (FREESIDE) to produce a domain (SKOGFARET) for my Windows 2000 Server machine (BABYLON). I use OpenLDAP, and the setup seems to work in most ways, except the vital one [i.e. I can mount shares, print, etc...]

When I try to add W2K (BABYLON) to the domain, I get the following error:

"The following error occured attempting to join the domain "SKOGFARET": Logon failure: unknown user name or bad password."

The weird part is that the smbd log shows that the user (eivind) is indeed authenticated:

[2003/10/09 16:37:07, 3] auth/auth.c:check_ntlm_password(265)
  check_ntlm_password: sam authentication for user [eivind] succeeded

No matter what I do I can't find any way to make the user more visible to Samba, as it seems it is visible already.... The user is a member of Domain Admin, and the OpenLDAP ACLs are wide open for writing from that user too.

What else is required from a user that should be able to join machines into the domain? Any hints on what I'm doing wrong would really save my week :-)

I included a readers-digest ldif file of my directory, as well as the config for slapd and samba.
Regards
--
Eivind Trondsen
LinuxLabs AS
http://www.linuxlabs.no
mailto:eivind.trondsen@linuxlabs.no

-------------- next part --------------
[global]
netbios name = FREESIDE
workgroup = SKOGFARET
os level = 64
prefered master = yes
domain master = yes
local master = yes
security = user
domain logons = yes
passdb backend = ldapsam:ldap://localhost
time server = yes
printing = cups
printcap name = cups
load printers = yes
unix charset = LOCALE
log level = 3
wins support = yes
add user script = ldapsmb -a -u "%u"
delete user script = ldapsmb -d -u "%u"
add machine script = ldapsmb -a -w "%u"
add group script = ldapsmb -a -g "%g"
delete group script = ldapsmb -d -g "%g"
add user to group script = ldapsmb -j -u "%u" -g "%g"
delete user from group script = ldapsmb -j -u "%u" -g "%g"
set primary group script = ldapsmb -m -u "%u" -gid "%g"
idmap backend = ldap:ldap://localhost
idmap uid = 500-2000
idmap gid = 1000-2000
ldap admin dn = cn=ldapadmin,dc=wingnut,dc=no
ldap suffix = dc=wingnut,dc=no
ldap machine suffix = ou=computers
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap user suffix = ou=users
ldap passwd sync = yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
browsable = no

[mp3]
path = /local/mp3
comment = Music archive
writable = yes

-------------- next part --------------
dn: dc=wingnut,dc=no
objectClass: dcObject
objectClass: organizationalUnit
dc: wingnut
ou: Wingnut

dn: cn=ldapadmin,dc=wingnut,dc=no
objectClass: person
cn: ldapadmin
sn: LDAP administrator
userPassword:: x

dn: ou=users,dc=wingnut,dc=no
objectClass: organizationalUnit
ou: users
description: Users in Wingnut.no

dn: ou=groups,dc=wingnut,dc=no
objectClass: organizationalUnit
ou: groups
description: Groups used in Wingnut.no

dn: ou=idmaps,dc=wingnut,dc=no
objectClass: organizationalUnit
ou: idmaps
description: These are required for ... something

dn: ou=computers,dc=wingnut,dc=no
objectClass: organizationalUnit
ou:: Y29tcHV0ZXJzIA==
description: Computers that are members of the Skogfaret domain

dn: cn=admin,ou=groups,dc=wingnut,dc=no
cn: admin
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword:: xx

dn: cn=admin,ou=computers,dc=wingnut,dc=no
cn: admin
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword:: xx

dn: uid=maxuid,dc=wingnut,dc=no
objectClass: top
objectClass: account
description: 1000
uid: maxuid

dn: uid=eivind,ou=users,dc=wingnut,dc=no
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
uid: eivind
cn: Eivind Trondsen
sn: Trondsen
uidNumber: 500
gidNumber: 1004
homeDirectory: /home/eivind
loginShell: /bin/bash
gecos: Eivind Trondsen
mail: eivind.trondsen@linuxlabs.no
sambaPrimaryGroupSID: S-1-5-21-4133941900-2453046697-2385947492-512
displayName: Eivind Trondsen
sambaPwdCanChange: 1065703187
sambaPwdMustChange: 2147483647
sambaLMPassword: xx
sambaNTPassword: xx
sambaPwdLastSet: 1065703187
sambaAcctFlags: [U ]
sambaDomainName: SKOGFARET
userPassword:: xx
sambaSID: S-1-5-21-4133941900-2453046697-2385947492-500

dn: sambaDomainName=SKOGFARET,dc=wingnut,dc=no
sambaDomainName: SKOGFARET
sambaSID: S-1-5-21-4133941900-2453046697-2385947492
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 5000
sambaNextGroupRid: 5001
structuralObjectClass: sambaDomain
entryUUID: d934dae8-8e91-1027-9e5d-ec8ee5315065

dn: cn=windowsadmin,ou=groups,dc=wingnut,dc=no
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: windowsadmin
gidNumber: 1004
memberUid: eivind
sambaGroupType: 2
displayName: Domain Admins
sambaSID: S-1-5-21-4133941900-2453046697-2385947492-512

dn: cn=siteusers,ou=groups,dc=wingnut,dc=no
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: siteusers
memberUid: eivind
gidNumber: 1000
sambaGroupType: 2
displayName: Domain Users
sambaSID: S-1-5-21-4133941900-2453046697-2385947492-513

dn: cn=guests,ou=groups,dc=wingnut,dc=no
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1005
cn: guests
memberUid: nobody
sambaGroupType: 2
displayName: Domain Guests
description: Local Unix group
sambaSID: S-1-5-21-4133941900-2453046697-2385947492-514

-------------- next part --------------
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.5 2002/11/26 18:26:01 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/samba.schema

# ---------------------------------------------------------------------
# Define global ACLs
# Disable default read access.
(later)
access to * by * read

access to attrs=userPassword
    by self auth

access to attr=uid
    by * search

# "Secure" Windows passwords
access to attrs=sambaNTPassword,sambaLMPassword
    by dn="cn=ldapadmin,dc=wingnut,dc=no" write
    by * none
# ---------------------------------------------------------------------

schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 128
allow bind_v2

#TLSCipherSuite HIGH:MEDIUM
#TLSCertificateFile /etc/ssl/certs/slapd/server-cert.pem
#TLSCertificateKeyFile /etc/ssl/certs/slapd/private.pem

#######################################################################
# ldbm database definitions
#######################################################################

database ldbm
suffix "dc=wingnut,dc=no"
directory /var/lib/ldap
rootdn cn=ldapadmin,dc=wingnut,dc=no
rootpw xx

# Indices to maintain
## required by OpenLDAP
index objectclass eq
index cn pres,sub,eq
index sn pres,sub,eq
## required to support pdb_getsampwnam
index uid pres,sub,eq
## required to support pdb_getsambapwrid()
index displayName pres,sub,eq
## uncomment these if you are storing posixAccount and
## posixGroup entries in the directory as well
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

access to dn=".*,ou=users,dc=wingnut,dc=no"
    by dn="uid=eivind,ou=users,dc=wingnut,dc=no" write
    by * read
access to dn=".*,ou=computers,dc=wingnut,dc=no"
    by dn="uid=eivind,ou=users,dc=wingnut,dc=no" write
    by * read
access to dn=".*,ou=groups,dc=wingnut,dc=no"
    by dn="uid=eivind,ou=users,dc=wingnut,dc=no" write
    by * read
access to dn=".*,ou=idmaps,dc=wingnut,dc=no"
    by dn="uid=eivind,ou=users,dc=wingnut,dc=no" write
    by * read
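A consistency check for a Samba 3 ldapsam backend, added here as an editorial example; it is not code from the post or from the Samba project. It parses LDIF (decoding `::` base64 values), the `ldap ... suffix` options of smb.conf and the `access to` clauses of slapd.conf, and reports three classes of mismatch that are easy to miss by eye: attribute values with hidden leading or trailing whitespace, user or group SIDs that do not sit under the `sambaDomain` entry's SID, and smb.conf suffixes that name no container in the directory. It also applies the slapd.access(5) rule that the first `access to` clause whose target matches an entry is the one used, so an `access to *` at the top of a section shadows every clause after it. The sample inputs are constructed, abridged from the fragments in the post (the base64 `ou` value is the one the post shows); the parsers are deliberately minimal and assume one attribute per line and `key = value` smb.conf syntax.

```python
import base64
import re

# Constructed sample input, abridged from the LDIF, smb.conf and slapd.conf
# fragments in the post above (the base64 ou value is copied from the post).
SAMPLE_LDIF = """\
dn: ou=idmaps,dc=wingnut,dc=no
ou: idmaps

dn: ou=computers,dc=wingnut,dc=no
ou:: Y29tcHV0ZXJzIA==

dn: sambaDomainName=SKOGFARET,dc=wingnut,dc=no
objectClass: sambaDomain
sambaSID: S-1-5-21-4133941900-2453046697-2385947492

dn: uid=eivind,ou=users,dc=wingnut,dc=no
objectClass: sambaSamAccount
sambaPrimaryGroupSID: S-1-5-21-4133941900-2453046697-2385947492-512
sambaSID: S-1-5-21-4133941900-2453046697-2385947492-500
"""
SAMPLE_SMBCONF = """\
ldap suffix = dc=wingnut,dc=no
ldap machine suffix = ou=computers
ldap idmap suffix = ou=idmap
"""
SAMPLE_SLAPD = """\
access to * by * read
access to attrs=userPassword by self auth
access to attrs=sambaNTPassword,sambaLMPassword
    by dn="cn=ldapadmin,dc=wingnut,dc=no" write
    by * none
database ldbm
"""
LDIF_LINE = re.compile(r"^([A-Za-z][\w;-]*)(::?)\s?(.*)$")

def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]}; '::' values are base64-decoded."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for m in filter(None, map(LDIF_LINE.match, block.splitlines())):
            attr, sep, val = m.groups()
            entry.setdefault(attr, []).append(
                base64.b64decode(val).decode() if sep == "::" else val)
        entries.append(entry)
    return entries

def check_whitespace(entries):
    """LDIF base64-encodes values with leading/trailing blanks, which hides them from the eye."""
    return [f"{e['dn'][0]}: {attr} value {v!r} has surrounding whitespace"
            for e in entries for attr, vals in e.items() for v in vals if v != v.strip()]

def check_sids(entries):
    """Every user/group SID must be a RID under the single sambaDomain entry's SID."""
    dom = [e["sambaSID"][0] for e in entries if "sambaDomain" in e.get("objectClass", [])]
    if len(dom) != 1:
        return [f"expected one sambaDomain entry, found {len(dom)}"]
    return [f"{e['dn'][0]}: {attr} {v} is not under domain SID {dom[0]}"
            for e in entries if "sambaDomain" not in e.get("objectClass", [])
            for attr in ("sambaSID", "sambaPrimaryGroupSID")
            for v in e.get(attr, []) if not v.startswith(dom[0] + "-")]

def check_smbconf(smbconf, entries):
    """Each 'ldap <x> suffix' must name a container that exists under 'ldap suffix'."""
    opts = dict(tuple(map(str.strip, line.split("=", 1)))
                for line in smbconf.splitlines() if "=" in line)
    have = {e["dn"][0].lower() for e in entries}
    return [f"smb.conf '{k} = {v}': {v},{opts['ldap suffix']} does not exist in the directory"
            for k, v in opts.items()
            if k.startswith("ldap ") and k.endswith(" suffix") and k != "ldap suffix"
            and f"{v},{opts['ldap suffix']}".lower() not in have]

def check_acls(slapd):
    """slapd applies the first 'access to' clause whose target matches the entry,
    so an early 'access to *' makes every later clause in that section unreachable."""
    whats = []
    for line in slapd.splitlines():
        s = line.strip()
        if s.startswith("database"):
            break                      # end of the global section
        if s.startswith("access to"):
            whats.append(s[len("access to"):].split()[0])
    for i, what in enumerate(whats):
        if what == "*":
            return [f"ACL 'access to {w}' is unreachable: 'access to *' comes first"
                    for w in whats[i + 1:]]
    return []

def run(ldif=SAMPLE_LDIF, smbconf=SAMPLE_SMBCONF, slapd=SAMPLE_SLAPD):
    """Run all checks and return the list of findings (empty means consistent)."""
    entries = parse_ldif(ldif)
    return (check_whitespace(entries) + check_sids(entries)
            + check_smbconf(smbconf, entries) + check_acls(slapd))

if __name__ == "__main__":
    for finding in run():
        print(finding)
```

On the abridged sample the script reports four findings: the `ou` attribute of the `ou=computers` entry decodes to `'computers '` with a trailing space (which is why LDIF wrote it in base64), `ldap idmap suffix = ou=idmap` points at a container that does not exist (the directory has `ou=idmaps`), and the two attribute-level ACLs in the global section, including the `by * none` on `sambaNTPassword`/`sambaLMPassword`, are unreachable because `access to * by * read` precedes them. The database section in the post grants `by * read` on everything under `ou=users` as well, so whichever section slapd consults first, the NT and LM hashes of user entries are readable by any client, not only by `cn=ldapadmin`; reordering the narrow clauses above the catch-all is the usual fix.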