Christoph Rudorff
2003-Nov-18 12:51 UTC
Fwd: Re: [Samba] smbpasswd fails to add machine account with ldapsam
,--------------- Forwarded message (begin)
Subject: Re: [Samba] smbpasswd fails to add machine account with ldapsam
Sender: Christoph Rudorff
Date: Mon, 17 Nov 2003 19:58:19 +0100
Newsgroup: linux.samba

Pirkka Luukkonen wrote:
> Hi!
>
> I am seeing other users with the same problem as I have.

confirmed.

> My samba also fails to add machine accounts.

Here it works (samba 3.0.0 Mandrake 9.2). I can create machine accounts on the fly. But if I switch to ldap backend, joining a domain fails. Windows finally says: "account not found" (English to German to English translation).

But samba called the smbldap-useradd.pl and it made the correct entry to ldap - posixAccount, no sambaSamAccount. The related lines are commented out in the Perl script: "# Objectclass sambaSAMAccount is now added directly by samba when joigning the domain (for samba3)" - obviously not.

So far all seems quite ok, but then windows (I guess) tries to log in with the new account and fails. So most interesting is the ldap.log:

[...]
Nov 17 16:57:58 Monster slapd[24668]: conn=345 fd=27 ACCEPT from IP=127.0.0.1:35799 (IP=0.0.0.0:389)
Nov 17 16:57:58 Monster slapd[9932]: conn=345 op=0 BIND dn="cn=Manager,dc=mki,dc=fh-duesseldorf,dc=de" method=128
Nov 17 16:57:58 Monster slapd[9932]: conn=345 op=0 BIND dn="cn=Manager,dc=mki,dc=fh-duesseldorf,dc=de" mech=simple ssf=0
Nov 17 16:57:58 Monster slapd[9932]: conn=345 op=0 RESULT tag=97 err=0 text
Nov 17 16:57:58 Monster slapd[9932]: conn=345 op=1 ADD dn="uid=nopliz$,ou=Hosts,dc=mki,dc=fh-duesseldorf,dc=de"
Nov 17 16:57:59 Monster slapd[9932]: conn=345 op=1 RESULT tag=105 err=0 text
Nov 17 16:57:59 Monster slapd[24668]: conn=342 fd=25 closed
Nov 17 16:57:59 Monster slapd[24668]: conn=344 fd=28 closed

So far so happy, but then:

Nov 17 16:57:59 Monster slapd[9932]: conn=341 op=3 SRCH base="ou=People,dc=mki,dc=fh-duesseldorf,dc=de" scope=1 filter="(&(objectClass=posixAccount)(uid=nopliz$))"
Nov 17 16:57:59 Monster slapd[9932]: conn=341 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Nov 17 16:57:59 Monster slapd[9932]: conn=341 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text
Nov 17 16:57:59 Monster slapd[404]: conn=345 op=2 UNBIND
Nov 17 16:57:59 Monster slapd[404]: conn=345 fd=27 closed
Nov 17 16:57:59 Monster slapd[9932]: conn=341 op=4 SRCH base="ou=People,dc=mki,dc=fh-duesseldorf,dc=de" scope=1 filter="(&(objectClass=posixAccount)(uid=NOPLIZ$))"
Nov 17 16:57:59 Monster slapd[9932]: conn=341 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Nov 17 16:57:59 Monster slapd[9932]: conn=341 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text
Nov 17 16:57:59 Monster slapd[24668]: conn=339 fd=10 closed
Nov 17 16:57:59 Monster slapd[24668]: conn=341 fd=26 closed

ou=People ?!?!?!? Wrong! In our case it must be ou=Hosts.

Also the samba documentation makes me wonder:

"ldap machine suffix (G)
It specifies where machines should be added to the ldap tree."

Ok, samba adds at the correct place, but how about lookup? Even if I enter some nonsense values to all suffixes, samba always asks "ou=People".

I guess it's time for a bug report.

chris
`--------------- Forwarded message (end)
Aaron Smith
2003-Nov-18 14:08 UTC
Fwd: Re: [Samba] smbpasswd fails to add machine account with ldapsam
This is only slightly connected, but since I've been meaning to send an email about it ANYWAY, I figured I'd throw it in with this discussion.

What *I* ran into with the "ldap machine suffix" option for the smb.conf file is that I had to enter the ENTIRE base name. Is this by design? For example, if I had the following in my smb.conf:

ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap suffix = dc=pandora-net,dc=com

Then Samba would be unable to find ANYTHING in the ldap directory. After looking at the ldap logs, I noticed that Samba was trying to find People info with a base dn of JUST "ou=People". It wouldn't add the rest of the dn listed in the "ldap suffix" directive. I ended up having to enter the entire dn for each subgroup to get it to work.

Does the order of the directives make a difference? In other words, would the above work if I had put the "ldap suffix" FIRST?

On Tue, 2003-11-18 at 07:51, Christoph Rudorff wrote:
>
> Also the samba documentation makes me wonder:
>
> "ldap machine suffix (G)
> It specifies where machines should be added to the ldap tree."
>
> Ok, samba adds at the correct place, but how about lookup? Even if I enter
> some nonsense values to all suffixes, samba always asks "ou=People".
>
> I guess it's time for a bug report.
>
>
> chris
>
> `--------------- Forwarded message (end)
-- 
-----------------------------------------
"The pain of war could not exceed, the woe of aftermath.
The drums will shake the castle walls
The ringwraiths ride in black...."
-Led Zeppelin "The Battle of Evermoore"
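Both symptoms in this thread show up in the slapd access log rather than in Samba's own output: Christoph sees machine-account lookups (uid ending in "$") issued under ou=People instead of ou=Hosts, and Aaron sees searches whose base DN is a bare "ou=People" with none of the dc= components from "ldap suffix". The script below is an added diagnostic example, not Samba, OpenLDAP or smbldap-tools code; it parses slapd SRCH / SEARCH RESULT lines in the format quoted above and flags both conditions. The sample log is constructed from the lines in this thread plus one invented conn=500 search for Aaron's case, and the two suffix values are assumptions based on what Christoph says his tree should look like, not a real smb.conf.

```python
"""Audit slapd access-log lines for Samba LDAP lookups issued under a suspect base DN.

Added example for this thread (not Samba or OpenLDAP code). Pairs each SRCH line
with its SEARCH RESULT and reports:
  * relative-base: base DN is not under the configured "ldap suffix"
    (Aaron's symptom: base="ou=People" with no dc= components);
  * machine-lookup-wrong-suffix: a search for a machine account (uid ending in "$")
    under a base other than the "ldap machine suffix"
    (Christoph's symptom: machine lookups under ou=People instead of ou=Hosts).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: lines modelled on the slapd log quoted in the thread,
# plus an invented conn=500 search with a bare relative base DN (Aaron's case).
SAMPLE_LOG = """\
Nov 17 16:57:58 Monster slapd[9932]: conn=345 op=1 ADD dn="uid=nopliz$,ou=Hosts,dc=mki,dc=fh-duesseldorf,dc=de"
Nov 17 16:57:59 Monster slapd[9932]: conn=345 op=1 RESULT tag=105 err=0 text
Nov 17 16:57:59 Monster slapd[9932]: conn=341 op=3 SRCH base="ou=People,dc=mki,dc=fh-duesseldorf,dc=de" scope=1 filter="(&(objectClass=posixAccount)(uid=nopliz$))"
Nov 17 16:57:59 Monster slapd[9932]: conn=341 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text
Nov 17 16:57:59 Monster slapd[9932]: conn=341 op=4 SRCH base="ou=People,dc=mki,dc=fh-duesseldorf,dc=de" scope=1 filter="(&(objectClass=posixAccount)(uid=NOPLIZ$))"
Nov 17 16:57:59 Monster slapd[9932]: conn=341 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text
Nov 17 16:58:02 Monster slapd[9932]: conn=500 op=1 SRCH base="ou=People" scope=1 filter="(&(objectClass=posixAccount)(uid=aaron))"
Nov 17 16:58:02 Monster slapd[9932]: conn=500 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text
"""

# Assumed smb.conf values for the thread's directory (assumption, see lead-in).
LDAP_SUFFIX = "dc=mki,dc=fh-duesseldorf,dc=de"
LDAP_MACHINE_SUFFIX = "ou=Hosts,dc=mki,dc=fh-duesseldorf,dc=de"

SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SEARCH RESULT tag=\d+ '
    r'err=(?P<err>\d+) nentries=(?P<nentries>\d+)')


@dataclass
class Search:
    conn: str
    op: str
    base: str
    filter: str
    err: Optional[int] = None       # filled in from the matching SEARCH RESULT line
    nentries: Optional[int] = None


def parse_slapd_log(text: str) -> List[Search]:
    """Return the searches in log order, each joined with its SEARCH RESULT if present."""
    searches: Dict[Tuple[str, str], Search] = {}
    order: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            key = (m["conn"], m["op"])
            searches[key] = Search(m["conn"], m["op"], m["base"], m["filter"])
            order.append(key)
            continue
        m = RESULT_RE.search(line)
        if m and (m["conn"], m["op"]) in searches:
            s = searches[(m["conn"], m["op"])]
            s.err = int(m["err"])
            s.nentries = int(m["nentries"])
    return [searches[k] for k in order]


def normalize_dn(dn: str) -> str:
    """Lower-case and strip whitespace around RDN components (enough for this check)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def dn_under(base: str, suffix: str) -> bool:
    """True if base equals suffix or is a descendant of it (component-wise, not a raw substring)."""
    b, s = normalize_dn(base), normalize_dn(suffix)
    return b == s or b.endswith("," + s)


def is_machine_account_filter(ldap_filter: str) -> bool:
    """Machine (trust) accounts are named with a trailing '$', e.g. uid=nopliz$."""
    return re.search(r"\(uid=[^()]*\$\)", ldap_filter) is not None


def audit_searches(searches: List[Search], ldap_suffix: str,
                   machine_suffix: str) -> List[Tuple[str, str, str, str]]:
    """Return (finding, conn, op, base) tuples for searches that used a suspect base DN."""
    findings: List[Tuple[str, str, str, str]] = []
    for s in searches:
        if not dn_under(s.base, ldap_suffix):
            findings.append(("relative-base", s.conn, s.op, s.base))
        elif is_machine_account_filter(s.filter) and not dn_under(s.base, machine_suffix):
            findings.append(("machine-lookup-wrong-suffix", s.conn, s.op, s.base))
    return findings


if __name__ == "__main__":
    for kind, conn, op, base in audit_searches(parse_slapd_log(SAMPLE_LOG),
                                               LDAP_SUFFIX, LDAP_MACHINE_SUFFIX):
        print(f"{kind}: conn={conn} op={op} base={base!r}")
```

Run against a real slapd log (loglevel 256, as in the thread) with the suffixes taken from the smb.conf under test, the two finding kinds separate the two problems: "relative-base" means the suffix directives were not combined into a full DN, while "machine-lookup-wrong-suffix" means the full DN was formed but Samba searched the user suffix for a machine account, which is exactly what makes the err=0 nentries=0 results above look like a missing account to the joining client.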
Christoph Rudorff
2003-Nov-19 17:50 UTC
Fwd: Re: [Samba] smbpasswd fails to add machine account with ldapsam
Hello!

The test report from today:

I compiled the 3.0.1pre3 version because ChangeLog says something about "cannot access LDAP when not root.." -> Bug #281, but it is not solved 100%.

smbldap-useradd.pl is doing fine, but samba still does not create sambaSamAccount. Samba still looks up machine accounts with ou=People regardless of what I configure.

Further testing is delayed until Monday.

chris

ps: if anyone needs the full log(s) - no problem.

/var/log/messages while trying to join a w2k client to DC:
--
/usr/local/sbin/smbldap-useradd.pl: called with -w ,-d ,/dev/null ,-g ,Domain Computers ,-c ,Machine Account ,-s ,/bin/false ,nopliz$
smbd3[23018]: [2003/11/19 18:26:10, 0] lib/smbldap.c:smbldap_open(800)
smbd3[23018]: smbldap_open: cannot access LDAP when not root..
smbd3[23018]: [2003/11/19 18:26:10, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1639)
smbd3[23018]: ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (Insufficient access)
smbd3[23018]: ldapsam_search_one_group: Query was: ou=Groups,dc=mki,dc=fh-duesseldorf,dc=de, (&(objectClass=sambaGroupMapping)(gidNumber=553))
smbd3[23018]: [2003/11/19 18:26:10, 0] lib/smbldap.c:smbldap_open(800)
smbd3[23018]: smbldap_open: cannot access LDAP when not root..
smbd3[23018]: [2003/11/19 18:26:10, 0] lib/smbldap.c:smbldap_search_suffix(1076)
smbd3[23018]: smbldap_search_suffix: Problem during the LDAP search: (Insufficient access)
smbd3[23018]: [2003/11/19 18:26:10, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2333)
smbd3[23018]: could not add user/computer nopliz$ to passdb. Check permissions?
--

ps: why must it be root? A connection to ldap as "Manager" should be sufficient.
Curtis Grote
2003-Dec-24 14:02 UTC
[Samba] Re: Fwd: Re: smbpasswd fails to add machine account with ldapsam
Chris,

I am experiencing the same behaviour using samba 3.0.1. I have had to uncomment the lines in smbldap-useradd.pl in order for the machine accounts to be added with a sambaSAMAccount objectclass. Samba is not adding the objectclass when joining the domain as the comment in the section states it should, but the change then allows the subsequent lookup for People (which I agree with you should really be Computers) to work.

Is this the way you have your PDC under LDAP working? Did you file a bug report? I would be very interested to hear how you are doing with your project as I have been struggling with this for a couple of months now and have finally gotten the machine accounts to be added thanks to your post.

I'm running under SuSE 8.2

Curtis Grote
Memorial Hospital

On Tue, 18 Nov 2003 13:51:43 +0100, Christoph Rudorff wrote:
> ,--------------- Forwarded message (begin)
>
> Subject: Re: [Samba] smbpasswd fails to add machine account with ldapsam
> Sender: Christoph Rudorff
> Date: Mon, 17 Nov 2003 19:58:19 +0100
> Newsgroup: linux.samba
>
> Pirkka Luukkonen wrote:
>
> > Hi!
> >
> > I am seeing other users with the same problem as I have.
>
> confirmed.
>
> > My samba also fails to add machine accounts.
>
> Here it works (samba 3.0.0 Mandrake 9.2). I can create machine accounts
> on the fly. But if I switch to ldap backend, joining a domain fails.
> Windows finally says: "account not found" (English to German to English
> translation).
>
> But samba called the smbldap-useradd.pl and it made the correct entry
> to ldap - posixAccount, no sambaSamAccount. The related lines are
> commented out in the Perl script: "# Objectclass sambaSAMAccount is now
> added directly by samba when joigning the domain (for samba3)" -
> obviously not.
>
>
> Ok, samba adds at the correct place, but how about lookup? Even if I
> enter some nonsense values to all suffixes, samba always asks
> "ou=People".
>
> I guess it's time for a bug report.
>
>
> chris
>
> `--------------- Forwarded message (end)