Hello all,

I'm following along in chapter 6 of John Terpstra's "Samba 3 By Example" and I've got everything working great up until the point where I join the machine to the new domain (step 17 on page 155). The command *net rpc join -U Administrator* fails with the errors below.

palpatine:/var/lib/samba/sbin # net -d 4 rpc join -U Administrator
[2004/06/09 15:13:35, 3] param/loadparm.c:lp_load(3881)
  lp_load: refreshing parameters
[2004/06/09 15:13:35, 3] param/loadparm.c:init_globals(1309)
  Initialising global parameters
[2004/06/09 15:13:35, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2004/06/09 15:13:35, 3] param/loadparm.c:do_section(3379)
  Processing section "[global]"
doing parameter unix charset = LOCALE
doing parameter workgroup = GXT
doing parameter netbios name = GXTPDC
[2004/06/09 15:13:35, 4] param/loadparm.c:handle_netbios_name(2723)
  handle_netbios_name: set global_myname to: GXTPDC
doing parameter interfaces = eth0, lo
doing parameter bind interfaces only = Yes
doing parameter passdb backend = ldapsam:ldap://ldap.gxt.com
doing parameter username map = /etc/samba/smbusers
doing parameter log level = 1
doing parameter syslog = 0
doing parameter log file = /var/log/samba/%m
doing parameter max log size = 50
doing parameter smb ports = 139 445
doing parameter name resolve order = wins bcast hosts
doing parameter time server = Yes
doing parameter printcap name = CUPS
doing parameter show add printer wizard = No
doing parameter add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
doing parameter delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
doing parameter add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
doing parameter delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
doing parameter add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
doing parameter delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
doing parameter set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u'
doing parameter add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
doing parameter shutdown script = /var/lib/samba/scripts/shutdown.sh
doing parameter abort shutdown script = /sbin/shutdown -c
doing parameter logon script = scripts\logon.bat
doing parameter logon path = \\%L\profiles\%U
doing parameter logon drive = X:
doing parameter domain logons = Yes
doing parameter preferred master = Yes
doing parameter wins support = Yes
doing parameter ldap suffix = dc=gxt,dc=com
doing parameter ldap machine suffix = ou=people
doing parameter ldap user suffix = ou=people
doing parameter ldap group suffix = ou=groups
doing parameter ldap idmap suffix = ou=idmap
doing parameter ldap admin dn = cn=admin,dc=gxt,dc=com
doing parameter idmap backend = ldap://ldap.gxt.com
doing parameter idmap uid = 10000-20000
doing parameter idmap gid = 10000-20000
doing parameter map acl inherit = Yes
doing parameter printing = cups
doing parameter printer admin = Administrator
[2004/06/09 15:13:35, 4] param/loadparm.c:lp_load(3913)
  pm_process() returned Yes
[2004/06/09 15:13:35, 2] lib/interface.c:add_interface(79)
  added interface ip=172.17.0.240 bcast=172.17.3.255 nmask=255.255.252.0
[2004/06/09 15:13:35, 2] lib/interface.c:add_interface(79)
  added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
[2004/06/09 15:13:35, 3] libsmb/cliconnect.c:cli_start_connection(1373)
  Connecting to host=GXTPDC
[2004/06/09 15:13:35, 3] lib/util_sock.c:open_socket_out(735)
  Connecting to 172.17.0.240 at port 445
[2004/06/09 15:13:35, 4] lib/time.c:get_serverzone(122)
  Serverzone is 18000
[2004/06/09 15:13:35, 4] rpc_client/cli_netlogon.c:cli_net_req_chal(45)
  cli_net_req_chal: LSA Request Challenge from GXTPDC to GXTPDC: 1F9217647828E59B
[2004/06/09 15:13:35, 4] libsmb/credentials.c:cred_session_key(59)
  cred_session_key
[2004/06/09 15:13:35, 4] libsmb/credentials.c:cred_create(90)
  cred_create
[2004/06/09 15:13:35, 4] rpc_client/cli_netlogon.c:cli_net_auth2(102)
  cli_net_auth2: srv:\\GXTPDC acct:GXTPDC$ sc:6 mc: GXTPDC chal B3BA8E48EB059670 neg: 400701ff
[2004/06/09 15:13:35, 3] rpc_client/cli_netlogon.c:cli_nt_setup_creds(283)
  cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
[2004/06/09 15:13:35, 3] libsmb/trusts_util.c:just_change_the_password(43)
  just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
[2004/06/09 15:13:35, 1] utils/net_rpc.c:run_rpc_command(141)
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
Password:
[2004/06/09 15:14:11, 3] libsmb/cliconnect.c:cli_start_connection(1373)
  Connecting to host=GXTPDC
[2004/06/09 15:14:11, 3] lib/util_sock.c:open_socket_out(735)
  Connecting to 172.17.0.240 at port 445
[2004/06/09 15:14:11, 3] libsmb/cliconnect.c:cli_session_setup_spnego(705)
  Doing spnego session setup (blob length=58)
[2004/06/09 15:14:11, 3] libsmb/cliconnect.c:cli_session_setup_spnego(730)
  got OID=1 3 6 1 4 1 311 2 2 10
[2004/06/09 15:14:11, 3] libsmb/cliconnect.c:cli_session_setup_spnego(737)
  got principal=NONE
[2004/06/09 15:14:11, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(878)
  Got challenge flags:
[2004/06/09 15:14:11, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60890215
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_NTLM2
    NTLMSSP_CHAL_TARGET_INFO
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
[2004/06/09 15:14:11, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(900)
  NTLMSSP: Set final flags:
[2004/06/09 15:14:11, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60080215
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_NTLM2
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
[2004/06/09 15:14:11, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
  NTLMSSP Sign/Seal - Initialising with flags:
[2004/06/09 15:14:11, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60080215
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_NTLM2
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
[2004/06/09 15:14:11, 3] libsmb/cliconnect.c:cli_session_setup(854)
  SPNEGO login failed: Logon failure
[2004/06/09 15:14:11, 1] libsmb/cliconnect.c:cli_full_connection(1461)
  failed session setup with NT_STATUS_LOGON_FAILURE
Could not connect to server GXTPDC
The username or password was not correct.
[2004/06/09 15:14:11, 2] utils/net.c:main(792)
  return code = 1

I've already set Administrator's password with *smbpasswd* and *smbldap-password.pl* but I still cannot authenticate. Anonymous access (e.g. *smbclient -L localhost -U%*) works fine so it seems that there is something wrong with the LDAP SAM. I am using the same LDAP directory to authenticate linux clients and provide autofs maps and everything is working fine... except for Samba. Has anyone else encountered this problem? Tridge, Terpstra, Allison, are you out there?

I have torn down the LDAP/Samba stack several times and rebuilt it from scratch. I get the same behavior every time. I am running on SuSE 9.1 using openldap 2.2.6 and samba 3.0.4 (SuSE packages). Thanks in advance!

--aaron
rwallace@thewallacepack.net
2004-Jun-09 20:46 UTC
[Samba] Need help configuring Samba3/LDAP PDC
Aaron Ogden wrote:
> Hello all,
> I'm following along in chapter 6 of John Terpstra's "Samba 3 By
> Example" and I've got everything working great up until the point
> where I join the machine to the new domain (step 17 on page 155). The
> command *net rpc join -U Administrator* fails with the errors below.
>
> palpatine:/var/lib/samba/sbin # net -d 4 rpc join -U Administrator
> [...]
> [2004/06/09 15:13:35, 3] rpc_client/cli_netlogon.c:cli_nt_setup_creds(283)
>   cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
> [...]
> [2004/06/09 15:14:11, 1] libsmb/cliconnect.c:cli_full_connection(1461)
>   failed session setup with NT_STATUS_LOGON_FAILURE
> Could not connect to server GXTPDC
> The username or password was not correct.
> [2004/06/09 15:14:11, 2] utils/net.c:main(792)
>   return code = 1
>
> I've already set Administrator's password with *smbpasswd* and
> *smbldap-password.pl* but I still cannot authenticate. Anonymous
> access (e.g. *smbclient -L localhost -U%*) works fine so it seems that
> there is something wrong with the LDAP SAM. I am using the same LDAP
> directory to authenticate linux clients and provide autofs maps and
> everything is working fine... except for Samba. Has anyone else
> encountered this problem? Tridge, Terpstra, Allison, are you out there?
>
> I have torn down the LDAP/Samba stack several times and rebuilt it
> from scratch. I get the same behavior every time.
> I am running on SuSE 9.1 using openldap 2.2.6 and samba 3.0.4 (SuSE
> packages). Thanks in advance!
>
> --aaron

Have you checked the logging on OpenLDAP? I'd set the loglevel to 488 and look at the queries samba is doing. If you have "root = administrator admin" in your smbusers file then samba will look for an ldap entry with uid=root. grep the ldap log file for that and comment out that line in smbusers if that seems to be the case.

Rich
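The mapping Rich describes, as an added example that is not part of the thread: it applies Samba's username map rules to a constructed smbusers file and builds the ldapsam search that results, which is the string to look for in the slapd log. The sample file is constructed, and the search filter is the assumed form of Samba 3's default user filter.

```python
import shlex

# Constructed sample of a Samba 3 username map file (smb.conf: username map = /etc/samba/smbusers).
# Line 2 is the mapping Rich suspects: the Windows logins "administrator" and "admin"
# are rewritten to the unix name "root" before ldapsam ever searches the directory.
SAMPLE_SMBUSERS = """\
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
"Jane Doe" = jdoe
"""

def parse_username_map(text):
    """Return (unix_name, [smb_names], stop) rules in file order. '#' and ';' start
    comments; a leading '!' on the unix name means stop processing after a match."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if "=" not in line:
            continue
        unix, _, smb = line.partition("=")
        unix = unix.strip()
        stop = unix.startswith("!")
        unix = unix.lstrip("!").strip().strip('"')
        rules.append((unix, shlex.split(smb), stop))  # shlex honours quoted names
    return rules

def map_username(text, login):
    """Emulate Samba's username map: matching is case-insensitive, '*' matches any
    name, and without a '!' rule every later line gets a chance to remap the result.
    '@group' patterns need the unix group database, so they never match here."""
    name = login
    for unix, smb_names, stop in parse_username_map(text):
        for pat in smb_names:
            if pat.startswith("@"):
                continue
            if pat == "*" or pat.lower() == name.lower():
                name = unix
                if stop:
                    return name
                break
    return name

def ldap_user_filter(unix_name):
    """The search ldapsam issues for the mapped name (assumed form of Samba 3's default
    user filter), RFC 4515-escaped so an odd login cannot change the filter's meaning.
    This is the string to grep for in the slapd log at the raised loglevel."""
    esc = "".join("\\%02x" % ord(c) if c in '*()\\\x00' else c for c in unix_name)
    return "(&(uid=%s)(objectclass=sambaSamAccount))" % esc
```

With the sample file, `map_username(SAMPLE_SMBUSERS, "Administrator")` yields `root`, so the directory is searched for `uid=root`, which has no sambaSamAccount entry in a freshly populated tree.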
> Have you checked the logging on OpenLDAP? I'd set the loglevel
> to 488 and look at the queries samba is doing. If you have
> "root = administrator admin" in your smbusers file then samba
> will look for an ldap entry with uid=root. grep the ldap log
> file for that and comment out that line in smbusers if that
> seems to be the case.
>
> Rich

Hello Rich (and others), thanks for responding. I turned up the loglevel, fixed some configuration errors in smb.conf, and commented the root= entry in smbusers. You were right, Administrator was being mapped to 'root'. Now I can authenticate LDAP users in Samba, e.g. 'smbclient -L localhost -U Administrator' works properly.

Unfortunately I still cannot join the PDC machine to the domain and I think I know why. When I run 'net rpc join -U Administrator' the machine account gets created but it is a posixAccount instead of a sambaSamAccount. In other words it is a normal unix user account that is missing all of the samba-related fields. Samba is calling the IDEALX smbldap-useradd.pl script to create the account but obviously I've got an error somewhere... the user accounts it creates are not samba-capable. Does anyone know how to fix this? Did I miss something in smbldap_conf.pm?

On a related note, I've imported lots of NIS data into this LDAP directory, so I have lots of valid Unix accounts. These are working properly on LDAP-enabled linux machines, but how do I 'convert' them for use with Samba? Ideally I would like to have one record for each user that contains all of the samba data as well as the unix data. Is there an easy way to add the appropriate samba fields to 'normal' posixAccounts? Is there a FAQ that covers the procedure? Any help would be welcome.

thanks in advance,
aaron
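An added audit script, not from the thread or the IDEALX tools, for the two questions above: it reads a constructed LDIF dump of ou=people, reports which entries are plain posixAccounts that ldapsam cannot see, and emits the LDIF modify that adds the sambaSamAccount class together with the one attribute its schema requires (sambaSID). The domain SID is a placeholder and the RID formula is Samba 3's default algorithmic mapping as assumed here.

```python
# Constructed LDIF in the style of the thread's directory (ou=people,dc=gxt,dc=com):
# entry 1 is the symptom described above (a machine account created as a plain
# posixAccount), entry 2 is Samba-capable. The domain SID is a placeholder.
SAMPLE_LDIF = """\
dn: uid=gxtpdc$,ou=people,dc=gxt,dc=com
objectClass: posixAccount
uid: gxtpdc$
uidNumber: 10001

dn: uid=jdoe,ou=people,dc=gxt,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: jdoe
uidNumber: 1005
sambaSID: S-1-5-21-PLACEHOLDER-3010
"""

def parse_ldif(text):
    """Minimal reader for the constructed input: blank-line separated entries,
    'attr: value' lines, repeated attributes kept in order (no base64, no folding)."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    return entries

def is_samba_capable(entry):  # ldapsam only finds entries carrying this auxiliary class
    return "sambasamaccount" in {c.lower() for c in entry.get("objectClass", [])}

def upgrade_ldif(entry, domain_sid, rid_base=1000):
    """'changetype: modify' that adds sambaSamAccount plus the one attribute its schema
    requires (sambaSID); password hashes and other samba* attributes come afterwards."""
    # Samba 3's default algorithmic uid->RID mapping, assumed here: 2*uid + 'algorithmic rid base'
    rid = 2 * int(entry["uidNumber"][0]) + rid_base
    return ("dn: %s\nchangetype: modify\nadd: objectClass\nobjectClass: sambaSamAccount\n-\n"
            "add: sambaSID\nsambaSID: %s-%d\n-\n" % (entry["dn"][0], domain_sid, rid))

def audit(text, domain_sid="S-1-5-21-PLACEHOLDER"):  # real SID: net getlocalsid
    """Return ({dn: 'samba-capable'|'posix-only'}, [LDIF modifies for the posix-only entries])."""
    status, fixes = {}, []
    for e in parse_ldif(text):
        ok = is_samba_capable(e)
        status[e["dn"][0]] = "samba-capable" if ok else "posix-only"
        if not ok:
            fixes.append(upgrade_ldif(e, domain_sid))
    return status, fixes
```

Feeding the generated modifies to ldapmodify only makes the entries visible to ldapsam; the NT/LM hashes still have to be set afterwards (smbpasswd does this for a user account).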