samba - Jul 2004 - [idx-smbldap-tools ] RE: Samba+LDAP - so close yet so far :) ...STILL NOTSOLVED

Partially Solved:

http://lists.samba.org/archive/samba/2004-May/085233.html

thanks om Wisnu...

Is there anyone succes with place Users and Computers in different ou's ?

regards
reza


-----Original Message-----
From:	Mohammad Reza
Sent:	Thu 7/22/2004 1:56 PM
To:	Craig White; idx-smbldap-tools@lists.IDEALX.org; samba@lists.samba.org
Cc:	
Subject:	[idx-smbldap-tools ] RE: [Samba] Samba+LDAP - so close yet so far  :)
...STILL NOTSOLVED
> Dear lists...
>  
> But this still un-solved the real problem to join w2k to samba3-ldap .
> I'm here with the same situation.
> I even switch my distro to SuSe with same result, still cant join domain.
> Please give us hint how to solve or debug this problem.
>  ----
you will need to work through the examples in the Samba How-to

http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/

I haven't a clue where you are at or what your problem is

Craig


My Problem is, i cant join my w2k machine to Samba-Ldap Server.
Error from w2k machine is "Logon Failure bad user name and password"
when try join with Administrator account and right passwor
My Linux is Fedora Core 2 with samba-3.0.3-5, openldap-2.1.29-1 and
smbldap-tools-0.8.5-1

My configuration  are:

#####smb.conf###########
# Global parameters
[global]
        workgroup = MRAGROUP
        netbios name = PDC-SMB3
        interfaces = 172.16.0.237
        username map = /etc/samba/smbusers
        #admin users= @"Domain Admins"
        server string = Samba Server %v
        security = user
        encrypt passwords = Yes
        min passwd length = 3
        obey pam restrictions = No
        #unix password sync = Yes
        #passwd program = /usr/local/sbin/smbldap-passwd -u %u
 #passwd chat = "Changing password for*\nNew password*" %n\n
"*Retype new password*" %n\n"
        ldap passwd sync = Yes
        log level = 5
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 100000
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        mangling method = hash2
        Dos charset = 850
        Unix charset = ISO8859-1
 
        logon script = logon.bat
        logon drive = H:
        logon home         logon path  
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        passdb backend = ldapsam:ldap://127.0.0.1/
        # passdb backend = ldapsam:"ldap://127.0.0.1/
ldap://slave.idealx.com"
 # ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
        #ldap admin dn = cn=samba,ou=Users,dc=idealx,dc=org
        ldap admin dn = cn=Manager,dc=mragroup,dc=net
        ldap suffix = dc=mragroup,dc=net
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Users
        #ldap ssl = start tls
        add user script = /usr/local/sbin/smbldap-useradd -m "%u"
        ldap delete dn = Yes
        #delete user script = /usr/local/sbin/smbldap-userdel "%u"
        add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
        add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
        #delete group script = /usr/local/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/local/sbin/smbldap-groupmod -m
"%u" "%g"
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x
"%u" "%g"
        set primary group script = /usr/local/sbin/smbldap-usermod -g
"%g" "%u"
 
        # printers configuration
        printer admin = @"Print Operators"
        load printers = Yes
        create mask = 0640
        directory mask = 0750
        nt acl support = No
        printing = cups
        printcap name = cups
        deadtime = 10
        guest account = nobody
        map to guest = Bad User
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
        show add printer wizard = yes
        ; to maintain capital letters in shortcuts in any of the profile
folders:
        preserve case = yes
        short preserve case = yes
        case sensitive = no
 
[homes]
        comment = repertoire de %U, %u
        read only = No
        create mask = 0644
        directory mask = 0775
        browseable = No
 
[netlogon]
        path = /home/netlogon/
 browseable = No
        read only = yes
 
[profiles]
        path = /home/profiles
        read only = no
        create mask = 0600
        directory mask = 0700
        browseable = No
        guest ok = Yes
        profile acls = yes
        csc policy = disable
        # next line is a great way to secure the profiles
        force user = %U
        # next line allows administrator to access all profiles
        valid users = %U @"Domain Admins"
 
[printers]
        comment = Network Printers
        printer admin = @"Print Operators"
        guest ok = yes
        printable = yes
        path = /home/spool/
        browseable = No
        read only  = Yes
        printable = Yes
        print command = /usr/bin/lpr -P%p -r %s
        lpq command = /usr/bin/lpq -P%p
        lprm command = /usr/bin/lprm -P%p %j
 
[print$]
        path = /home/printers
        guest ok = No
        browseable = Yes
        read only = Yes
        valid users = @"Print Operators"
        write list = @"Print Operators"
        create mask = 0664
        directory mask = 0775
 
[public]
        comment = Repertoire public
        path = /home/public
 browseable = Yes
        guest ok = Yes
        read only = No
        directory mask = 0775
        create mask = 0664

######openldap/slapd.conf#############
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema
 
database   ldbm
directory  /var/lib/ldap
 
suffix     "dc=mragroup,dc=net"
rootdn     "cn=Manager,dc=mragroup,dc=net"
rootpw     xxxxxx
index      objectClass,uidNumber,gidNumber                  eq
index      cn,sn,uid,displayName                            pres,sub,eq
index      memberUid,mail,givenname                 eq,subinitial
index      sambaSID,sambaPrimaryGroupSID,sambaDomainName    eq
 
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
      by self write
      by anonymous auth
      by * none
access to *
    by * read

########openldap/ldap.conf#######
HOST 127.0.0.1
BASE dc=mragroup,dc=net

########/etc/openldap.conf#######
host 127.0.0.1
base dc=mragroup,dc=net
rootbinddn cn=nssldap,ou=DSA,dc=mragroup,dc=net
nss_base_passwd         dc=mragroup,dc=net?sub
nss_base_shadow         dc=mragroup,dc=net?sub
nss_base_group          ou=Groups,dc=mragroup,dc=net?one
ssl no
pam_password md5

#######/etc/nsswitch.conf#########
passwd:     files ldap
shadow:     files ldap
group:      files ldap

Creating Users,Computers and Groups with smbldap-tools work fine.

#/usr/local/sbin/smbldap-usershow administrator
dn: uid=Administrator,ou=Users,dc=mragroup,dc=net
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSAMAccount,posixAccount,shadowAccount
gidNumber: 512
uid: Administrator
uidNumber: 0
homeDirectory: /home/Administrator
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\PDC-SMB3\home\Administrator
sambaHomeDrive: H:
sambaProfilePath: \\PDC-SMB3\home\profiles\Administrator\
sambaPrimaryGroupSID: S-1-5-21-987332969-2931392798-896433562-512
sambaSID: S-1-5-21-987332969-2931392798-896433562-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: BBBDA461DC390736B8FCC6137C839435
sambaAcctFlags: [U]
sambaNTPassword: 8116801F88AC668563729B0D847B4AC4
sambaPwdLastSet: 1090472263
sambaPwdMustChange: 1094360263
userPassword: {SSHA}mNLj7lACG35dV1T5cDK7fBgjzN4y5C6H

#getent passwd | grep Administrator
Administrator:x:0:512:Netbios Domain
Administrator:/home/Administrator:/bin/false

#pdbedit -Lv test
--snip--
Unix username:        test
NT username:          test
Account Flags:        [U          ]
User SID:             S-1-5-21-987332969-2931392798-896433562-3000
Primary Group SID:    S-1-5-21-987332969-2931392798-896433562-513
Full Name:            System User
Home Directory:       \\PDC-SMB3\home\test
HomeDir Drive:        H:
Logon Script:         logon.bat
Profile Path:         \\PDC-SMB3\home\profiles\test
Domain:               MRAGROUP
Account desc:         System User
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Sat, 14 Dec 1901 03:45:51 GMT
Kickoff time:         Sat, 14 Dec 1901 03:45:51 GMT
Password last set:    Thu, 22 Jul 2004 11:58:12 GMT
Password can change:  0
Password must change: Sun, 05 Sep 2004 11:58:12 GMT
Last bad password   : 0
Bad password count  : 0


 Yes, the guide said (http://idealx.org) i must place Users, and Computers in
different  ou's and i notice that some people place in same ou's ,since 
bug in samba. But even i place in same ou's, still cant join domain, with
same error

Is there something i missed ? please help me 

regards
reza

Hi,

   ldap admin dn = cn=root,dc=juwimm,dc=local
   ldap suffix = ou=juwidc01,dc=juwimm,dc=local
   ldap user suffix = ou=users
   ldap group suffix = ou=groups
   ldap machine suffix = ou=machines 

Works well with samba 3.0.2a on a suse 9.0 machine
> Is there anyone succes with place Users and Computers in 
> different ou's ?
> 
> regards
> reza