samba - Jul 2004 - Samba3 - LDAP - USRMGR.EXE

Hello,

have some little problems adding user to domain with USRMGR.EXE
My System runs on SuSE 9.1 (2.6.5-7.75-default), samba-3.0.4, 
smbldap-tools-0.8.5, openldap2-2.2.6

If I try to add a new user with USRMGR.EXE I get an error "Access
denied",
but if I look into LDAP the new user was correctly added to LDAP.
If I confirm the error-message and then cancel the "NEW USER" Window
and
typing "F5" for refreshing the USRMGR. I can see the new user.
By doubble-clicking the new User I am able to make any modification to the 
User without any error. 
What could be the problem ?

Here is a part of /var/log/messages that 
Jul 27 12:36:25 samba3 smbd[2149]: [2004/07/27 12:36:25, 0] 
passdb/pdb_ldap.c:ldapsam_add_sam_account(1573) 
Jul 27 12:36:25 samba3 smbd[2149]:   ldapsam_add_sam_account: User 
'i00001' already in the base, with samba attributes 
Jul 27 12:36:25 samba3 smbd[2149]: [2004/07/27 12:36:25, 0] 
rpc_server/srv_samr_nt.c:_samr_create_user(2267) 
Jul 27 12:36:25 samba3 smbd[2149]:   could not add user/computer i00001 to 
passdb.  Check permissions? 

if you need more logs or sambalog with special loglevel just tell me.

The same problem exists when joining a machine to DOMAIN.
On first try => "Access denied" but correctly added to LDAP
On second try => "Welcome to DOMAIN"

Thanks for any help.

Christian Wittmer

---------------------------------
B?ro/Office: +49 (0) 6227/385-120
Email: Christian.Wittmer@InterComponentWare.com

InterComponentWare AG
Otto-Hahn-Strasse 3
69190 Walldorf
Zentrale/Main: +49 (6227) 385-100

http://www.intercomponentware.com
http://www.lifesensor.com

boka <boka@sto-procent.art.pl>
27.07.2004 12:50

 
        To:     Christian.Wittmer@intercomponentware.com
        cc: 
        Subject:        Re: [Samba] Samba3 - LDAP - USRMGR.EXE



>could You send me solution if You will get any ?
shure, if i'll have one.

greetz
chris

Just a hunch, I didnot test myself.
In your smb.conf, did you set the "add user script" to add posix
account as
well as Windows account? If so, there might be a
problem.
>From what I read and understand, the script suppose to add Posix account
only, and samba will add the Windows account. If the Windows account is
added by the "add user script", then Samba has to delete it or modify
it,
which it might not have the previlege or some error comes up that does not
mean what it says.

Hope this helps!

-- Kang Sun

<Christian.Wittmer@intercomponentware.com> wrote in message
news:OFC76E80F3.2450B1FE-ONC1256EDE.002E8C93-C1256EDE.003B237E@intercomponen
tware.com...
Hello,

have some little problems adding user to domain with USRMGR.EXE
My System runs on SuSE 9.1 (2.6.5-7.75-default), samba-3.0.4,
smbldap-tools-0.8.5, openldap2-2.2.6

If I try to add a new user with USRMGR.EXE I get an error "Access
denied",
but if I look into LDAP the new user was correctly added to LDAP.
If I confirm the error-message and then cancel the "NEW USER" Window
and
typing "F5" for refreshing the USRMGR. I can see the new user.
By doubble-clicking the new User I am able to make any modification to the
User without any error.
What could be the problem ?

Here is a part of /var/log/messages that
Jul 27 12:36:25 samba3 smbd[2149]: [2004/07/27 12:36:25, 0]
passdb/pdb_ldap.c:ldapsam_add_sam_account(1573)
Jul 27 12:36:25 samba3 smbd[2149]:   ldapsam_add_sam_account: User
'i00001' already in the base, with samba attributes
Jul 27 12:36:25 samba3 smbd[2149]: [2004/07/27 12:36:25, 0]
rpc_server/srv_samr_nt.c:_samr_create_user(2267)
Jul 27 12:36:25 samba3 smbd[2149]:   could not add user/computer i00001 to
passdb.  Check permissions?

if you need more logs or sambalog with special loglevel just tell me.

The same problem exists when joining a machine to DOMAIN.
On first try => "Access denied" but correctly added to LDAP
On second try => "Welcome to DOMAIN"

Thanks for any help.

Christian Wittmer

---------------------------------
Büro/Office: +49 (0) 6227/385-120
Email: Christian.Wittmer@InterComponentWare.com

InterComponentWare AG
Otto-Hahn-Strasse 3
69190 Walldorf
Zentrale/Main: +49 (6227) 385-100

http://www.intercomponentware.com
http://www.lifesensor.com
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

"Kang Sun" <ksun@abinitio.com>
Sent by: 
samba-bounces+christian.wittmer=intercomponentware.com@lists.samba.org
27.07.2004 16:00

 
        To:     samba@lists.samba.org
        cc: 
        Subject:        [Samba] Re: Samba3 - LDAP - USRMGR.EXE

Hi Kang Sun,
>Just a hunch, I didnot test myself.
>In your smb.conf, did you set the "add user script" to add posix
account
as
>well as Windows account? If so, there might be a problem.
>From what I read and understand, the script suppose to add Posix account
>only, and samba will add the Windows account. If the Windows account is
I tested it and if I add a user via USRMGR there is only a "posix
account"
in LDAP, but samba did not add the samba specific data to ldap. I only get 
an error like "User not found"
And I could not find any error in log.smbd.
>added by the "add user script", then Samba has to delete it or
modify it,
>which it might not have the previlege or some error comes up that does 
not
>mean what it says.
>
>Hope this helps!
Any other idea ?

Thanks
Chris

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Post your "add user script" line from smb.conf
You might be missing a flag or something.
> I tested it and if I add a user via USRMGR there is only a "posix
account"
> in LDAP, but samba did not add the samba specific data to ldap. I only get 
> an error like "User not found"
> And I could not find any error in log.smbd.

-- 

-----------------------------------------------------------------
| I can be reached on the following Instant Messenger services: |
|---------------------------------------------------------------|
| MSN: j_c_llings@hotmail.com  AIM: WyteLi0n  ICQ: 123291844 	|
|---------------------------------------------------------------|
| Y!: j_c_llings               Jabber: jcllings@njs.netlab.cz	|
-----------------------------------------------------------------

"Jim C." <jcllings@javahop.com>
Sent by: 
samba-bounces+christian.wittmer=intercomponentware.com@lists.samba.org
28.07.2004 18:05

 
        To:     samba@lists.samba.org
        cc: 
        Subject:        [Samba] Re: Samba3 - LDAP - USRMGR.EXE

>Post your "add user script" line from smb.conf
>You might be missing a flag or something.
 add user script = smbldap-useradd -m "%u"

My line in was correct but /etc/ldap.conf was not.
The problem was that LDAP searches the Machine in ou=People but it should 
search in ou=Machines.
So I had to modifiy /etc/ldap.conf as following

---snip----
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd        ou=People,dc=icw,dc=com?sub
#nss_base_shadow        ou=People,dc=icw,dc=com?sub
nss_base_group  ou=Groups,dc=icw,dc=com?sub
nss_base_hosts  ou=Machines,dc=icw,dc=com?sub

I needed to comment nss_base_passwd, nss_base_shadow ( not using NIS , 
Jerome Tournier)

Now it works without any problems

Thanks
Christian

-- 

-----------------------------------------------------------------
| I can be reached on the following Instant Messenger services: |
|---------------------------------------------------------------|
| MSN: j_c_llings@hotmail.com  AIM: WyteLi0n  ICQ: 123291844             |
|---------------------------------------------------------------|
| Y!: j_c_llings               Jabber: jcllings@njs.netlab.cz            |
-----------------------------------------------------------------

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

"Jim C." <jcllings@javahop.com>
29.07.2004 21:09

 
        To:     Christian.Wittmer@intercomponentware.com
        cc: 
        Subject:        Re: [Samba] Re: Samba3 - LDAP - USRMGR.EXE

>It may have been fixed but in 3.0.2a there is a bug having to do with 
>the users OU.  Due to this bug, we have to put users and machines in the 
>same OU.  Can't wait till they fix that one.
I'm using 3.0.4.

And it works fine for me with two OU's, ou=Machines and ou=People

Chris

> "Jim C." <jcllings@javahop.com>
> Sent by: 
> samba-bounces+christian.wittmer=intercomponentware.com@lists.samba.org
> 28.07.2004 18:05
> 
> 
>         To:     samba@lists.samba.org
>         cc: 
>         Subject:        [Samba] Re: Samba3 - LDAP - USRMGR.EXE
> 
> 
> 
>>Post your "add user script" line from smb.conf
>>You might be missing a flag or something.
> 
> 
>  add user script = smbldap-useradd -m "%u"
> 
> My line in was correct but /etc/ldap.conf was not.
> The problem was that LDAP searches the Machine in ou=People but it 
should 
> search in ou=Machines.
> So I had to modifiy /etc/ldap.conf as following
> 
> ---snip----
> # RFC2307bis naming contexts
> # Syntax:
> # nss_base_XXX          base?scope?filter
> # where scope is {base,one,sub}
> # and filter is a filter to be &'d with the
> # default filter.
> # You can omit the suffix eg:
> # nss_base_passwd       ou=People,
> # to append the default base DN but this
> # may incur a small performance impact.
> #nss_base_passwd        ou=People,dc=icw,dc=com?sub
> #nss_base_shadow        ou=People,dc=icw,dc=com?sub
> nss_base_group  ou=Groups,dc=icw,dc=com?sub
> nss_base_hosts  ou=Machines,dc=icw,dc=com?sub
> 
> I needed to comment nss_base_passwd, nss_base_shadow ( not using NIS , 
> Jerome Tournier)
> 
> Now it works without any problems
> 
> Thanks
> Christian
> 
-- 

-----------------------------------------------------------------
| I can be reached on the following Instant Messenger services: |
|---------------------------------------------------------------|
| MSN: j_c_llings@hotmail.com  AIM: WyteLi0n  ICQ: 123291844             |
|---------------------------------------------------------------|
| Y!: j_c_llings               Jabber: jcllings@njs.netlab.cz            |
-----------------------------------------------------------------