Dear my samba friends & Craig (who has been helping me with this issue so far), please help me with this one :) I have a fedora core 1, samba 3.0.5, and openldap 2.1.*, and smbldap-tools 0.8.4.1

When I try to join the domain [AGUILAS] from my XP (winxp), it is quitting half way through the process. However, I don't completely understand why. I used samba log level 3 to diagnose the problem. As you can see below, the XP machine is automatically entered in the LDAP directory.

dn: uid=winxp$,ou=Computers,dc=wbcoll,dc=edu
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: winxp$
sn: winxp$
uid: winxp$
uidNumber: 1001
gidNumber: 553
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
structuralObjectClass: inetOrgPerson
entryUUID: 3b567a82-6b15-1028-949e-a8c9465cf53a
creatorsName: cn=Manager,dc=wbcoll,dc=edu
createTimestamp: 20040716014307Z
entryCSN: 2004071601:43:07Z#0x0001#0#0000
modifiersName: cn=Manager,dc=wbcoll,dc=edu
modifyTimestamp: 20040716014307Z

Three log files are also automatically created in '/var/log/samba/': 192.168.1.18.log, smbd.log, and xppro.log.

LOG FILE 1#

'smbd.log' looks fine:
=====================================================
[2004/07/15 21:41:06, 3] lib/smbldap.c:smbldap_connect_system(805)
  ldap_connect_system: succesful connection to the LDAP server
=====================================================

LOG FILE 2#

'192.168.1.18.log' shows the following error:
=====================================================
[2004/07/15 22:13:06, 3] smbd/oplock.c:init_oplocks(1302)
  open_oplock_ipc: opening loopback UDP socket.
[2004/07/15 22:13:06, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(303)
  Linux kernel oplocks enabled
[2004/07/15 22:13:06, 3] smbd/oplock.c:init_oplocks(1333)
  open_oplock ipc: pid = 4520, global_oplock_port 32770
[2004/07/15 22:13:06, 3] lib/access.c:check_access(313)
  check_access: no hostnames in host allow/deny list.
[2004/07/15 22:13:06, 2] lib/access.c:check_access(324)
  Allowed connection from (192.168.1.18)
[2004/07/15 22:13:06, 3] smbd/process.c:process_smb(1092)
  Transaction 0 of length 72
[2004/07/15 22:13:06, 2] smbd/reply.c:reply_special(219)
  netbios connect: name1=EAGLEX name2=WINXP
[2004/07/15 22:13:06, 2] smbd/reply.c:reply_special(226)
  netbios connect: local=eaglex remote=winxp, name type = 0
=====================================================
'oplock?'... what is that? I think I have seen it in swat before!

LOG FILE 3#

'winxp.log' - too long and complicated, yet contains more useful info (I think) :) I have the full file at http://150.208.105.24/smbldap-pdc/winxp_log.html
=====================================================
LINE 70: check_ntlm_password: mapped user is: [AGUILAS]\[administrator]@[WINXP]
LINE 78: init_sam_from_ldap: Entry found for user: Administrator
LINE 96: init_group_from_ldap: Entry found for group: 512
LINE 100: check_ntlm_password: sam authentication for user [administrator] succeeded
LINE 110: check_ntlm_password: authentication for user [administrator] -> [administrator] -> [Administrator] succeeded

Then it does some type of setup for user 'Administrator'

LINE 154: winxp (192.168.1.18) connect to service IPC$ initially as user Administrator (uid=0, gid=512) (pid 4447)
LINE 468 - 475:
[2004/07/15 20:43:06, 3] smbd/service.c:close_cnum(833)
  winxp (192.168.1.18) closed connection to service IPC$
[2004/07/15 20:43:06, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to IPC$
[2004/07/15 20:43:06, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/07/15 20:43:06, 3] smbd/process.c:timeout_processing(1332)
  timeout_processing: End of file from client (client has disconnected).
=====================================================
After these, the process repeats itself few times. Between the lines, it also looks for 'pipe' and destroys some things. It also lists 'Transactions' which I have no clue what it is about. I hope I have not given too much information :) I believe Mohammad (sorry if I misspell your name) is having the same problem with SUSE 9.1 as well.

I really like to thank you for putting your time and effort to help me! I hope I will do the same for others, as you will for me! Again, thank you even for taking your time to read my request :)

Ambex

PS: any moral support will be great at this point of the ball game as well :)

PSS: You will find my configuration files from this how to doc I started: http://150.208.105.24/smbldap-pdc.html

>LINE 154: winxp (192.168.1.18) connect to service IPC$
>initially as user Administrator (uid=0, gid=512) (pid
>4447)
>LINE 468 - 475:
>[2004/07/15 20:43:06, 3]
>smbd/service.c:close_cnum(833)
> winxp (192.168.1.18) closed connection to service

Your Administrator has a uid=0 so make sure that you're not mapping root = administrator in /etc/samba/smbusers

cat /etc/samba/smbusers
# Unix_name = SMB_name1 SMB_name2 ...
#root = administrator admin
nobody = guest pcguest smbguest

John

On Thu, 2004-07-15 at 21:24, abebe lsslp wrote:
> Dear my samba friends & Craig (who has been helping me
> with this issue so far), please help me with this one
> :) I have a fedora core 1, samba 3.0.5, and openldap
> 2.1.*, and smbldap-tools 0.8.4.1
>
> When I try to join the domain [AGUILAS] from my XP
> (winxp), it is quitting half way through the process.
> However, I don't completely understand why. I used
> samba log level 3 to diagnose the problem. As you can
> see below, the XP machine is automatically entered in
> the LDAP directory.
>
> dn: uid=winxp$,ou=Computers,dc=wbcoll,dc=edu
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> cn: winxp$
> sn: winxp$
> uid: winxp$
> uidNumber: 1001
> gidNumber: 553
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> structuralObjectClass: inetOrgPerson
> entryUUID: 3b567a82-6b15-1028-949e-a8c9465cf53a
> creatorsName: cn=Manager,dc=wbcoll,dc=edu
> createTimestamp: 20040716014307Z
> entryCSN: 2004071601:43:07Z#0x0001#0#0000
> modifiersName: cn=Manager,dc=wbcoll,dc=edu
> modifyTimestamp: 20040716014307Z
>
> Three log files are also automatically created in
> '/var/log/samba/': 192.168.1.18.log, smbd.log, and
> xppro.log.
>
> LOG FILE 1#
>
> 'smbd.log' looks fine:
> =====================================================
> [2004/07/15 21:41:06, 3]
> lib/smbldap.c:smbldap_connect_system(805)
> ldap_connect_system: succesful connection to the
> LDAP server
> =====================================================
>
> LOG FILE 2#
>
> '192.168.1.18.log' shows the following error:
> =====================================================
> [2004/07/15 22:13:06, 3]
> smbd/oplock.c:init_oplocks(1302)
> open_oplock_ipc: opening loopback UDP socket.
> [2004/07/15 22:13:06, 3]
> smbd/oplock_linux.c:linux_init_kernel_oplocks(303)
> Linux kernel oplocks enabled
> [2004/07/15 22:13:06, 3]
> smbd/oplock.c:init_oplocks(1333)
> open_oplock ipc: pid = 4520, global_oplock_port
> 32770
> [2004/07/15 22:13:06, 3]
> lib/access.c:check_access(313)
> check_access: no hostnames in host allow/deny list.
> [2004/07/15 22:13:06, 2]
> lib/access.c:check_access(324)
> Allowed connection from (192.168.1.18)
> [2004/07/15 22:13:06, 3]
> smbd/process.c:process_smb(1092)
> Transaction 0 of length 72
> [2004/07/15 22:13:06, 2]
> smbd/reply.c:reply_special(219)
> netbios connect: name1=EAGLEX name2=WINXP
> [2004/07/15 22:13:06, 2]
> smbd/reply.c:reply_special(226)
> netbios connect: local=eaglex remote=winxp, name
> type = 0
> =====================================================
> 'oplock?'... what is that? I think I have seen it in
> swat before!
>
> LOG FILE 3#
>
> 'winxp.log'- too long and complicated, yet contains
> more useful info (I think) :) I have the full file at
> http://150.208.105.24/smbldap-pdc/winxp_log.html
> =====================================================
> LINE 70: check_ntlm_password: mapped user is:
> [AGUILAS]\[administrator]@[WINXP]
> LINE 78: init_sam_from_ldap: Entry found for user:
> Administrator
> LINE 96: init_group_from_ldap: Entry found for group:
> 512
> LINE 100: check_ntlm_password: sam authentication for
> user [administrator] succeeded
> LINE 110: check_ntlm_password: authentication for
> user [administrator] -> [administrator] ->
> [Administrator] succeeded
>
> Then it does some type of setup for user
> 'Administrator'
>
> LINE 154: winxp (192.168.1.18) connect to service IPC$
> initially as user Administrator (uid=0, gid=512) (pid
> 4447)
> LINE 468 - 475:
> [2004/07/15 20:43:06, 3]
> smbd/service.c:close_cnum(833)
> winxp (192.168.1.18) closed connection to service
> IPC$
> [2004/07/15 20:43:06, 3]
> smbd/connection.c:yield_connection(69)
> Yielding connection to IPC$
> [2004/07/15 20:43:06, 3]
> smbd/sec_ctx.c:set_sec_ctx(288)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2004/07/15 20:43:06, 3]
> smbd/process.c:timeout_processing(1332)
> timeout_processing: End of file from client (client
> has disconnected).
> =====================================================
> After these, the process repeats itself few times.
> Between the lines, it also looks for 'pipe' and
> destroys some things. It also lists 'Transactions'
> which I have no clue what it is about. I hope I have
> not given too much information :) I believe Mohammad
> (sorry if I misspell your name) is having the same
> problem with SUSE 9.1 as well.
>
> I really like to thank you for putting your time and
> effort to help me! I hope I will do the same for
> others, as you will for me! Again, thank you even for
> taking your time to read my request :)
>
> Ambex
>
> PS: any moral support will be great at this point of
> the ball game as well :)
>
> PSS: You will find my configuration files from this
> how to doc I started: http://150.208.105.24/smbldap-pdc.html
----
The logs you sent through don't provide enough clues. The only thing that even suggests a problem was the one line about

> smbd/process.c:timeout_processing(1332)
> timeout_processing: End of file from client (client
> has disconnected).

You are attempting to join WinXP to domain, are asked for the name/password/domain of a user who has sufficient privileges to add a machine to the domain and it fails to finish? The machine is indeed added to LDAP - that's all I can figure out from your email.

First off - my understanding is that Machine accounts should still be located in the People subtree and not in the Computers subtree because subsequent searches will not locate it there. If this has been fixed, I'm sure someone will correct me.

Secondly - ldap log?

Thirdly - why not up the samba log level while you are debugging? Don't you want to figure the problem out?

Craig

>PSS: You will find my configuration files from this
>how to doc I started: http://150.208.105.24/smbldap-pdc.html
>

I took a look at what you have and there are a couple of issues.

1. You have configured in smbldap tools the machine account container as ou=Users, but in smb.conf you have it in ou=Computers. These should match, and also match your user container per bug #674 and #987.

2. You don't have the full configuration for the smbldap tools scripts. There are parameters with quotes around them that aren't in there, you should have something like this:

add user script = /usr/sbin/smbldap-useradd -a -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"

of course, make sure that your paths line up, this is from my standard 'sample for mailing to the list' configuration so it's generic.

--
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.         Cell: 701-306-
Information Systems Consultant   Fax: 701-281-1322
URL: www.ae-solutions.com        mailto:pgienger@ae-solutions.com
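
Added example, not part of any post in this thread: a small consistency check covering the two configuration points raised in the replies above (the machine container in smb.conf versus smbldap-tools, and a root mapping in /etc/samba/smbusers). The function names and sample file contents are constructed for illustration; it assumes the Samba 3 parameters `ldap suffix`, `ldap user suffix` and `ldap machine suffix` and the smbldap.conf keys `suffix` and `computersdn`.

```python
# Constructed sample inputs mirroring the mismatch described in the thread (not the poster's files).
SMB_CONF = """[global]
ldap suffix = dc=wbcoll,dc=edu
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
"""
SMBLDAP_CONF = '''suffix="dc=wbcoll,dc=edu"
usersdn="ou=Users,${suffix}"
computersdn="ou=Users,${suffix}"
'''
SMBUSERS = """# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
"""

def parse_kv(text):
    """Parse 'key = value' lines, skipping comments, blanks and [sections]."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, val = line.split("=", 1)
        out[" ".join(key.lower().split())] = val.strip().strip('"')
    return out

def norm_dn(dn):
    """Lower-case a DN and drop spaces around commas so equal DNs compare equal."""
    return ",".join(p.strip().lower() for p in dn.split(",") if p.strip())

def check(smb_conf, smbldap_conf, smbusers):
    """Return a list of warnings; an empty list means the three files agree."""
    smb, tools = parse_kv(smb_conf), parse_kv(smbldap_conf)
    base = smb.get("ldap suffix", "")
    # Assumption: Samba 3 sub-suffixes are relative to 'ldap suffix'.
    machine = norm_dn(smb.get("ldap machine suffix", "") + "," + base)
    user = norm_dn(smb.get("ldap user suffix", "") + "," + base)
    tools_machine = norm_dn(tools.get("computersdn", "").replace("${suffix}", tools.get("suffix", "")))
    findings = []
    if machine != tools_machine:
        findings.append(f"machine container differs: smb.conf={machine} smbldap={tools_machine}")
    if machine != user:
        findings.append(f"machine container {machine} is not the user container {user}")
    if parse_kv(smbusers).get("root", "").split():
        findings.append("smbusers maps SMB names onto Unix root (uid 0)")
    return findings

if __name__ == "__main__":
    print("\n".join("WARN: " + f for f in check(SMB_CONF, SMBLDAP_CONF, SMBUSERS)))
```
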