Graham Leggett
2004-Mar-09 23:23 UTC
[Samba] Samba and LDAP backend - howto docs problems?
Hi all,

I have followed the instructions at http://samba.mirror.ac.uk/samba/docs/man/passdb.html in an attempt to set up a Samba v3.0.2 (supplied by Redhat as part of RHEL v3.0) PDC.

I have got as far as trying to get a windows 2k box to join this new domain that I have created, however this fails with the error "Logon failure: unknown user name or password".

Samba itself logs nothing of this failure.

Looking at the LDAP logs, I see that Samba is trying to do the following LDAP search:

    (&(&(uid=admin)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))

This search fails, because the ldif displayed in the howto does not include the sambaSamAccount objectclass in the admin object:

    dn: cn=admin,ou=People,dc=quenya,dc=org
    cn: admin
    objectclass: top
    objectclass: organizationalRole
    objectclass: simpleSecurityObject
    userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz

Does anyone have any step by step instructions for getting a Win2k box to join a Samba domain that is known to work?

Regards,
Graham
--
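Added example (not part of the original posts, and not Samba or OpenLDAP code): a small Python evaluator for the search filter quoted in the message above, run against the howto's admin entry to show which assertions fail. The password hash is replaced by a placeholder, SAM_ENTRY is a constructed entry for comparison, and values are compared case-insensitively as a simplification.

```python
def parse_ldif_entry(text):
    """Parse one simple LDIF entry into {attr_lower: [values]} (no base64, no folding)."""
    entry = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def parse_filter(s, i=0):
    """Parse an RFC 4515 subset: (&...), (|...), (!...), (attr=value). Returns (tree, next_index)."""
    i += 1                                   # step past the opening '('
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1             # step past the closing ')'
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry."""
    if node[0] == "=":
        return node[2].lower() in (v.lower() for v in entry.get(node[1], []))
    results = [matches(k, entry) for k in node[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)

def failing_terms(node, entry):
    """Equality assertions the entry does not satisfy (meaningful for AND-only filters)."""
    if node[0] == "=":
        return [] if matches(node, entry) else ["%s=%s" % node[1:]]
    return sorted({t for k in node[1] for t in failing_terms(k, entry)})

# Filter as it appears in the LDAP log quoted in the post.
SAMBA_FILTER = "(&(&(uid=admin)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))"
TREE, END = parse_filter(SAMBA_FILTER)

# The howto's admin entry as quoted in the post; hash replaced by a placeholder.
HOWTO_ENTRY = parse_ldif_entry("""
dn: cn=admin,ou=People,dc=quenya,dc=org
cn: admin
objectclass: top
objectclass: organizationalRole
objectclass: simpleSecurityObject
userPassword: {SSHA}PLACEHOLDER
""")
# Constructed entry (not from the page) that carries the attributes the filter asks for.
SAM_ENTRY = parse_ldif_entry("dn: uid=admin,ou=People,dc=quenya,dc=org\nuid: admin\n"
                             "objectclass: sambaSamAccount\nsambaSID: S-1-5-21-PLACEHOLDER")
print(failing_terms(TREE, HOWTO_ENTRY), matches(TREE, SAM_ENTRY))
```

The howto entry fails on two assertions, not one: it has no uid attribute at all (the name is only in cn), and it lacks the sambaSamAccount objectClass.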
John H Terpstra
2004-Mar-09 23:36 UTC
[Samba] Samba and LDAP backend - howto docs problems?
On Wed, 10 Mar 2004, Graham Leggett wrote:

> Hi all,
>
> I have followed the instructions at
> http://samba.mirror.ac.uk/samba/docs/man/passdb.html in an attempt to

Ok. I am one of the authors of that. It should work. Email me your smb.conf file and I will try to help.

> set up a Samba v3.0.2 (supplied by Redhat as part of RHEL v3.0) PDC.
>
> I have got as far as trying to get a windows 2k box to join this new
> domain that I have created, however this fails with the error "Logon
> failure: unknown user name or password".
>
> Samba itself logs nothing of this failure.
>
> Looking at the LDAP logs, I see that Samba is trying to do the following
> LDAP search:
> (&(&(uid=admin)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))
>
> This search fails, because the ldif displayed in the howto does not
> include the sambaSamAccount objectclass in the admin object:
>
> dn: cn=admin,ou=People,dc=quenya,dc=org
> cn: admin
> objectclass: top
> objectclass: organizationalRole
> objectclass: simpleSecurityObject
> userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
>
> Does anyone have any step by step instructions for getting a Win2k box
> to join a Samba domain that is known to work?

Fully documented step-by-step instructions that work with SuSE and Red Hat are in the new book "Samba-3 by Example" - can be ordered from Amazon.Com now. Will ship starting March 26th.

Have you also checked chapter 2 of TOSHARG (The Official Samba-3 HOWTO and Reference Guide)? While not as comprehensive as the new book, this chapter was the seed that started the avalanche of the "Give us more ..." litany that resulted in "Samba-3 by Example".

Have you set up your scripts?
  - add user script
  - delete user script
  - add machine script
  - add group script
  - delete group script
  - add user to group script
  - etc.

Have you test driven each manually to prove that it works?

Have you configured nss_ldap and proven that it works?
ie:
    getent passwd
    getent group

Does:
    pdbedit -Lw

list the users in the old smbpasswd format?

Many, many more questions ... what have you done to demonstrate that each element of your configuration works?

Cheers,
John T.
--
John H Terpstra
Email: jht@samba.org
Diego Julian Remolina
2004-Mar-10 00:02 UTC
[Samba] Samba and LDAP backend - howto docs problems?
I also noticed this problem. I do not know why it happens, but did notice the following which may help:

I already have a few machines in an old samba-2.2.8 production environment. Those machines are already in dns, nis netgroups, etc. My new samba 3.0.2a does not restrict to any hosts yet. So if I run the command:

    /opt/local/samba/bin/smbpasswd -a -m mathpc22$

Then it succeeds:

    oak:/etc/openldap/ldif # /opt/local/samba/bin/smbpasswd -a -m mathpc22$
    Added user mathpc22$.

while if I use a new hostname not listed in my dns/netgroups tables then it fails

    oak:/tmp/samba-3.0.2/source # /opt/local/samba/bin/smbpasswd -a -m diego
    Failed to initialise SAM_ACCOUNT for user diego$.
    Failed to modify password entry for user diego$

I am leaving the office right (oh man, it is 7pm, another 12 hour work day) now so I will try to find out if it wants the machine in dns or netgroups and will post again to the list to let you know what I find out.

Diego

On Tue, 9 Mar 2004, John H Terpstra wrote:

> On Wed, 10 Mar 2004, Graham Leggett wrote:
>
> > Hi all,
> >
> > I have followed the instructions at
> > http://samba.mirror.ac.uk/samba/docs/man/passdb.html in an attempt to
>
> Ok. I am one of the authors of that. It should work. Email me your
> smb.conf file and I will try to help.
>
> > set up a Samba v3.0.2 (supplied by Redhat as part of RHEL v3.0) PDC.
> >
> > I have got as far as trying to get a windows 2k box to join this new
> > domain that I have created, however this fails with the error "Logon
> > failure: unknown user name or password".
> >
> > Samba itself logs nothing of this failure.
> >
> > Looking at the LDAP logs, I see that Samba is trying to do the following
> > LDAP search:
> > (&(&(uid=admin)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))
> >
> > This search fails, because the ldif displayed in the howto does not
> > include the sambaSamAccount objectclass in the admin object:
> >
> > dn: cn=admin,ou=People,dc=quenya,dc=org
> > cn: admin
> > objectclass: top
> > objectclass: organizationalRole
> > objectclass: simpleSecurityObject
> > userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
> >
> > Does anyone have any step by step instructions for getting a Win2k box
> > to join a Samba domain that is known to work?
>
> Fully documented step-by-step instructions that work with SuSE and Red Hat
> are in the new book "Samba-3 by Example" - can be ordered from Amazon.Com
> now. Will ship starting March 26th.
>
> Have you also checked chapter 2 of TOSHARG (The Official Samba-3 HOWTO and
> Reference Guide)? While not as comprehensive as the new book, this chapter
> was the seed that started the avalanche of the "Give us more ..." litany
> that resulted in "Samba-3 by Example".
>
> Have you set up your scripts?
> - add user script
> - delete user script
> - add machine script
> - add group script
> - delete group script
> - add user to group script
> - etc.
>
> Have you test driven each manually to prove that it works?
>
> Have you configured nss_ldap and proven that it works?
> ie: getent passwd
> getent group
>
> Does:
> pdbedit -Lw
>
> list the users in the old smbpasswd format?
>
> Many, many more questions ... what have you done to demonstrate that each
> element of your configuration works?
>
>
> Cheers,
> John T.
> --
> John H Terpstra
> Email: jht@samba.org
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
>
Graham Leggett wrote:

> John H Terpstra wrote:
>
>>>> Have you set up your scripts?
>>>> - add user script
>>>> - delete user script
>>>> - add machine script
>>>> - add group script
>>>> - delete group script
>>>> - add user to group script
>>>> - etc.
>
>
> Another comment on the docs - the docs for samldap do not make any
> mention of the smbldap-tools package, and the fact that it is required
> in order to produce a usable system.
>
> And neither the samba docs, nor it would seem the smbldap-tools docs
> make any mention of what command line settings are supposed to be used
> in each case.
>
> Is it possible to add a section to the docs to cover this?
>
> Regards,
> Graham
> --
>

Hi,

Yes, the tools should be better described as they are in the smb sources. I found it very hard at my first setup of ldap smb. On the other hand, many setups are thinkable with ldap; a description of the ldap populate is only one way (fast, working) to come to a working smb ldap pdc.

Regards
John H Terpstra
2004-Mar-10 15:19 UTC
[Samba] Samba and LDAP backend - howto docs problems?
On Wed, 10 Mar 2004, Graham Leggett wrote:

> John H Terpstra wrote:
>
> >>>Have you set up your scripts?
> >>> - add user script
> >>> - delete user script
> >>> - add machine script
> >>> - add group script
> >>> - delete group script
> >>> - add user to group script
> >>> - etc.
>
> Another comment on the docs - the docs for samldap do not make any
> mention of the smbldap-tools package, and the fact that it is required
> in order to produce a usable system.
>
> And neither the samba docs, nor it would seem the smbldap-tools docs
> make any mention of what command line settings are supposed to be used
> in each case.

Well they are mentioned under "Interdomain Trusts" - but I admit that is very obtuse.

The use of these tools is documented in the book version of the Samba-HOWTO-Collection, "The Official Samba-3 HOWTO and Reference Guide" available from Amazon.Com. There are 5 chapters that are not in the HOWTO document - these will be released on April 5th with consent from Prentice-Hall (the book publisher).

>
> Is it possible to add a section to the docs to cover this?

Please send me your patches. If you are not comfortable sending XML document patches, send me text to apply and I will rectify the problem.

Please note that the HOWTO is a green document - this means it is continually being updated. Each reprinting of the HOWTO book has the updates in it also.

- John T.
--
John H Terpstra
Email: jht@samba.org