jo / ak
2004-Aug-15 20:13 UTC
[Samba] join domain - ou=people searched for machine accounts?
When I try to join a domain from a win2k client to a samba 3.0.5 PDC, I get the message "User not found". I use ldapsam, which works fine in all other respects.

The strange thing is that the smbldap-useradd script terminates with 0, the machine account is created under "ou=systems" in the ldap database - all looks fine. Then an ldap search is triggered with a base "ou=people", nothing is found, and the error occurs.

As workaround, I used smbldap-useradd without the "-w". The entry is created under "ou=people", and the join is finished successfully.

[2004/08/15 21:29:27, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2245)
  _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w "at-4$"' gave 0
[2004/08/15 21:29:27, 5] lib/username.c:Get_Pwnam(293)
  Finding user at-4$
[2004/08/15 21:29:27, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is at-4$
[2004/08/15 21:29:27, 5] lib/username.c:Get_Pwnam_internals(239)
  Trying _Get_Pwnam(), username as uppercase is AT-4$
[2004/08/15 21:29:27, 5] lib/username.c:Get_Pwnam_internals(247)
  Checking combinations of 0 uppercase letters in at-4$
[2004/08/15 21:29:27, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals didn't find user [at-4$]!

Aug 15 21:29:27 at-12 slapd[2459]: conn=1393 op=0 BIND dn="CN=SAMBA MANAGER,OU=SAMBA,DC=AKWEB,DC=DE" method=128
Aug 15 21:29:27 at-12 slapd[2459]: conn=1393 op=0 RESULT tag=97 err=0 text=
Aug 15 21:29:27 at-12 slapd[2459]: conn=1393 op=1 ADD dn="UID=AT-4$,OU=SYSTEMS,DC=AKWEB,DC=DE"
Aug 15 21:29:27 at-12 slapd[2459]: conn=1393 op=1 RESULT tag=105 err=0 text=
Aug 15 21:29:27 at-12 slapd[2881]: conn=1393 op=2 UNBIND
Aug 15 21:29:27 at-12 slapd[2881]: conn=-1 fd=35 closed
Aug 15 21:29:27 at-12 slapd[2881]: conn=1389 op=8 SRCH base="ou=People,dc=akweb,dc=de" scope=1 filter="(&(objectClass=posixAccount)(uid=at-4$))"
Aug 15 21:29:27 at-12 slapd[2881]: conn=1389 op=8 SEARCH RESULT tag=101 err=0 text=
Aug 15 21:29:27 at-12 slapd[3817]: conn=1392 op=1 UNBIND
Aug 15 21:29:27 at-12 slapd[3817]: conn=-1 fd=36 closed
Aug 15 21:29:27 at-12 slapd[2881]: conn=1389 op=9 SRCH base="ou=People,dc=akweb,dc=de" scope=1 filter="(&(objectClass=posixAccount)(uid=AT-4$))"
Aug 15 21:29:27 at-12 slapd[2881]: conn=1389 op=9 SEARCH RESULT tag=101 err=0 text=
Aug 15 21:29:28 at-12 slapd[2446]: conn=-1 fd=31 closed
Aug 15 21:29:28 at-12 slapd[2446]: conn=-1 fd=32 closed

from smb.conf

  passdb backend = ldapsam:ldap://at-12
  add user script = /usr/local/sbin/smbldap-useradd -a -m "%u"
  add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
  ldap suffix = dc=akweb,dc=de
  ldap machine suffix = ou=Systems
  ldap user suffix = ou=People
  ldap group suffix = ou=Groups
Paul Gienger
2004-Aug-16 12:52 UTC
[Samba] join domain - ou=people searched for machine accounts?
This is a very very VERY often asked question in this forum, and documented in bugzilla. Computer accounts need to be in the same OU as user accounts. Some (within the samba team) call it a design issue, others (outside the samba team) call it a bug. Perhaps next time you could try the search?

jo / ak wrote:
> When I try to join a domain from a win2k client to a samba 3.0.5
> PDC, I get the message "User not found". I use ldapsam, which
> works fine in all other respects.
>
> The strange thing is that the smbldap-useradd script terminates
> with 0, the machine account is created under "ou=systems" in the
> ldap database - all looks fine. Then an ldap search is triggered
> with a base "ou=people", nothing is found, and the error
> occurs.
>
> As workaround, I used smbldap-useradd without the "-w". The entry
> is created under "ou=people", and the join is finished
> successfully.
>
>
> [2004/08/15 21:29:27, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2245)
>   _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w "at-4$"' gave 0
> [2004/08/15 21:29:27, 5] lib/username.c:Get_Pwnam(293)
>   Finding user at-4$
> [2004/08/15 21:29:27, 5] lib/username.c:Get_Pwnam_internals(223)
>   Trying _Get_Pwnam(), username as lowercase is at-4$
> [2004/08/15 21:29:27, 5] lib/username.c:Get_Pwnam_internals(239)
>   Trying _Get_Pwnam(), username as uppercase is AT-4$
> [2004/08/15 21:29:27, 5] lib/username.c:Get_Pwnam_internals(247)
>   Checking combinations of 0 uppercase letters in at-4$
> [2004/08/15 21:29:27, 5] lib/username.c:Get_Pwnam_internals(251)
>   Get_Pwnam_internals didn't find user [at-4$]!
>
>
>
> Aug 15 21:29:27 at-12 slapd[2459]: conn=1393 op=0 BIND dn="CN=SAMBA MANAGER,OU=SAMBA,DC=AKWEB,DC=DE" method=128
> Aug 15 21:29:27 at-12 slapd[2459]: conn=1393 op=0 RESULT tag=97 err=0 text=
> Aug 15 21:29:27 at-12 slapd[2459]: conn=1393 op=1 ADD dn="UID=AT-4$,OU=SYSTEMS,DC=AKWEB,DC=DE"
> Aug 15 21:29:27 at-12 slapd[2459]: conn=1393 op=1 RESULT tag=105 err=0 text=
> Aug 15 21:29:27 at-12 slapd[2881]: conn=1393 op=2 UNBIND
> Aug 15 21:29:27 at-12 slapd[2881]: conn=-1 fd=35 closed
> Aug 15 21:29:27 at-12 slapd[2881]: conn=1389 op=8 SRCH base="ou=People,dc=akweb,dc=de" scope=1 filter="(&(objectClass=posixAccount)(uid=at-4$))"
> Aug 15 21:29:27 at-12 slapd[2881]: conn=1389 op=8 SEARCH RESULT tag=101 err=0 text=
> Aug 15 21:29:27 at-12 slapd[3817]: conn=1392 op=1 UNBIND
> Aug 15 21:29:27 at-12 slapd[3817]: conn=-1 fd=36 closed
> Aug 15 21:29:27 at-12 slapd[2881]: conn=1389 op=9 SRCH base="ou=People,dc=akweb,dc=de" scope=1 filter="(&(objectClass=posixAccount)(uid=AT-4$))"
> Aug 15 21:29:27 at-12 slapd[2881]: conn=1389 op=9 SEARCH RESULT tag=101 err=0 text=
> Aug 15 21:29:28 at-12 slapd[2446]: conn=-1 fd=31 closed
> Aug 15 21:29:28 at-12 slapd[2446]: conn=-1 fd=32 closed
>
> from smb.conf
>
>   passdb backend = ldapsam:ldap://at-12
>   add user script = /usr/local/sbin/smbldap-useradd -a -m "%u"
>   add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>   ldap suffix = dc=akweb,dc=de
>   ldap machine suffix = ou=Systems
>   ldap user suffix = ou=People
>   ldap group suffix = ou=Groups
>
>

--
Paul Gienger                      Office: 701-281-1884
Applied Engineering Inc.          Fax: 701-281-1322
Information Systems Consultant    URL: www.ae-solutions.com
mailto: pgienger@ae-solutions.com
Paul Gienger
2004-Aug-16 16:50 UTC
[Samba] join domain - ou=people searched for machine accounts?
jo / ak wrote:
> Quoting Paul Gienger <pgienger@ae-solutions.com>:
>
>> documented in bugzilla. Computer accounts need to be in the
>> same OU as user accounts. Some (within the samba team) call it
>> a design issue, others (outside the samba team) call it a bug.
>>
>
> Thank you for pointing this out. My vote is for a bug. Otherwise,
> it should be fixed in the docs (for example, in chapter
> "10.4.4.5 Configuring Samba" of the 3.0.5 Howto, "ldap user
> suffix" and "ldap machine suffix" are different). It should be
> mentioned in all LDAP examples that the entries need to be the
> same.
>

I agree with you in that it should be documented. It is stated as a design issue to put them together (in bugzilla), but then I would consider that leaving the ability to change the ou is a bug in the program, or that not stating that you need to keep them in the same place as a bug in the documentation.

After a quick scan (since I have yet to read it fully) of the ... By Example book, I noticed a couple of places where users suffix is specified but computers suffix is not. That's one way around the problem.

--
Paul Gienger                      Office: 701-281-1884
Applied Engineering Inc.          Fax: 701-281-1322
Information Systems Consultant    URL: www.ae-solutions.com
mailto: pgienger@ae-solutions.com
Buchan Milne
2004-Aug-16 18:05 UTC
[Samba] join domain - ou=people searched for machine accounts?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

| Subject: [Samba] join domain - ou=people searched for machine accounts?
| From: jo / ak <jo@akweb.de>
| Date: Sun, 15 Aug 2004 22:12:19 +0200
| To: samba@lists.samba.org
|
| When I try to join a domain from a win2k client to a samba 3.0.5
| PDC, I get the message "User not found". I use ldapsam, which
| works fine in all other respects.
|
| The strange thing is that the smbldap-useradd script terminates
| with 0, the machine account is created under "ou=systems" in the
| ldap database - all looks fine. Then an ldap search is triggered
| with a base "ou=people", nothing is found, and the error
| occurs.
|
| As workaround, I used smbldap-useradd without the "-w". The entry
| is created under "ou=people", and the join is finished
| successfully.
|
|
| [2004/08/15 21:29:27, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2245)
|   _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w "at-4$"' gave 0
| [2004/08/15 21:29:27, 5] lib/username.c:Get_Pwnam(293)
|   Finding user at-4$
| [2004/08/15 21:29:27, 5] lib/username.c:Get_Pwnam_internals(223)
|   Trying _Get_Pwnam(), username as lowercase is at-4$
| [2004/08/15 21:29:27, 5] lib/username.c:Get_Pwnam_internals(239)
|   Trying _Get_Pwnam(), username as uppercase is AT-4$
| [2004/08/15 21:29:27, 5] lib/username.c:Get_Pwnam_internals(247)
|   Checking combinations of 0 uppercase letters in at-4$
| [2004/08/15 21:29:27, 5] lib/username.c:Get_Pwnam_internals(251)
|   Get_Pwnam_internals didn't find user [at-4$]!
|
|
|
| Aug 15 21:29:27 at-12 slapd[2459]: conn=1393 op=0 BIND dn="CN=SAMBA MANAGER,OU=SAMBA,DC=AKWEB,DC=DE" method=128
| Aug 15 21:29:27 at-12 slapd[2459]: conn=1393 op=0 RESULT tag=97 err=0 text=
| Aug 15 21:29:27 at-12 slapd[2459]: conn=1393 op=1 ADD dn="UID=AT-4$,OU=SYSTEMS,DC=AKWEB,DC=DE"
| Aug 15 21:29:27 at-12 slapd[2459]: conn=1393 op=1 RESULT tag=105 err=0 text=
| Aug 15 21:29:27 at-12 slapd[2881]: conn=1393 op=2 UNBIND
| Aug 15 21:29:27 at-12 slapd[2881]: conn=-1 fd=35 closed
| Aug 15 21:29:27 at-12 slapd[2881]: conn=1389 op=8 SRCH base="ou=People,dc=akweb,dc=de" scope=1 filter="(&(objectClass=posixAccount)(uid=at-4$))"
| Aug 15 21:29:27 at-12 slapd[2881]: conn=1389 op=8 SEARCH RESULT tag=101 err=0 text=
| Aug 15 21:29:27 at-12 slapd[3817]: conn=1392 op=1 UNBIND
| Aug 15 21:29:27 at-12 slapd[3817]: conn=-1 fd=36 closed
| Aug 15 21:29:27 at-12 slapd[2881]: conn=1389 op=9 SRCH base="ou=People,dc=akweb,dc=de" scope=1 filter="(&(objectClass=posixAccount)(uid=AT-4$))"
| Aug 15 21:29:27 at-12 slapd[2881]: conn=1389 op=9 SEARCH RESULT tag=101 err=0 text=
| Aug 15 21:29:28 at-12 slapd[2446]: conn=-1 fd=31 closed
| Aug 15 21:29:28 at-12 slapd[2446]: conn=-1 fd=32 closed

This is nss_ldap trying to do the equivalent of 'getent passwd AT-4$', since that is what samba asked (samba needs to have a uid for the machine at present).

| from smb.conf
|
|   passdb backend = ldapsam:ldap://at-12
|   add user script = /usr/local/sbin/smbldap-useradd -a -m "%u"
|   add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
|   ldap suffix = dc=akweb,dc=de
|   ldap machine suffix = ou=Systems
|   ldap user suffix = ou=People
|   ldap group suffix = ou=Groups

At present, you need to configure your nss_ldap that it searches in both the user suffix and the machine suffix for user accounts ... with your current directory layout, the only option (AFAIK) is to have a suffix of dc=akweb,dc=de and a scope of sub in your nss_ldap ldap.conf.

Regards,
Buchan

- --
Buchan Milne                Senior Support Technician
Obsidian Systems            http://www.obsidian.co.za
B.Eng                       RHCE (803004789010797)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBIPdhrJK6UGDSBKcRAnBBAKCmFv1cASFI/88waYKNzqok4r1CKQCfYYwA
qoLZd7nywbnenIczeq4mdZI=
=+hrb
-----END PGP SIGNATURE-----
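The failure Paul and Buchan describe is a scope mismatch that can be read straight off the slapd log: the ADD lands under ou=Systems, while the posixAccount lookup that Samba triggers through nss_ldap is a one-level search under ou=People. The script below is an added example written for this thread (it is not part of Samba, smbldap-tools or nss_ldap); it parses constructed copies of the log lines quoted above, pairs each SRCH with the preceding ADD, and reports whether the added entry could ever have been returned by that search. It also checks a proposed nss_ldap base/scope against the three smb.conf suffixes, so the "dc=akweb,dc=de with scope sub" fix can be verified before touching ldap.conf. The DN handling is deliberately simple (no escaped commas), which is enough for DNs generated by smbldap-tools.

```python
"""Check whether a machine account added by smbldap-useradd lies inside the
search base and scope that nss_ldap later uses to look it up.

Added example for the mailing-list thread; not code from Samba, smbldap-tools
or nss_ldap. The log lines are constructed from the ones quoted in the thread.
"""
import re

# Constructed sample: the ADD of the machine account, then the SRCH that
# Samba's Get_Pwnam() causes nss_ldap to issue (as quoted in the thread).
SLAPD_LOG = """\
Aug 15 21:29:27 at-12 slapd[2459]: conn=1393 op=1 ADD dn="UID=AT-4$,OU=SYSTEMS,DC=AKWEB,DC=DE"
Aug 15 21:29:27 at-12 slapd[2459]: conn=1393 op=1 RESULT tag=105 err=0 text=
Aug 15 21:29:27 at-12 slapd[2881]: conn=1389 op=8 SRCH base="ou=People,dc=akweb,dc=de" scope=1 filter="(&(objectClass=posixAccount)(uid=at-4$))"
Aug 15 21:29:27 at-12 slapd[2881]: conn=1389 op=8 SEARCH RESULT tag=101 err=0 text=
"""

ADD_RE = re.compile(r' ADD dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r' SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
UID_RE = re.compile(r'\(uid=([^)]*)\)', re.IGNORECASE)


def split_dn(dn):
    """Split a DN into normalised (attribute, value) RDNs: lower-cased and
    stripped, so the upper-case DN smbldap-tools wrote compares equal to the
    lower-case base nss_ldap searches. Assumes no escaped commas."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_in_scope(entry_dn, base, scope):
    """True if entry_dn would be visited by a search with this base and the
    numeric scope slapd logs (0 = base, 1 = onelevel, 2 = subtree)."""
    entry, base_rdns = split_dn(entry_dn), split_dn(base)
    if len(entry) < len(base_rdns) or entry[len(entry) - len(base_rdns):] != base_rdns:
        return False  # entry is not under the base at all
    depth = len(entry) - len(base_rdns)
    if scope == 0:
        return depth == 0
    if scope == 1:
        return depth == 1
    return True  # subtree: any depth below the base


def analyse(log_text):
    """Pair each SRCH with the most recent ADD and report whether the filter's
    uid names the added entry and whether the search scope can reach it."""
    findings, last_add = [], None
    for line in log_text.splitlines():
        m = ADD_RE.search(line)
        if m:
            last_add = m.group("dn")
            continue
        m = SRCH_RE.search(line)
        if m and last_add:
            wanted = UID_RE.search(m.group("filter"))
            wanted_uid = wanted.group(1).lower() if wanted else None
            entry_uid = dict(split_dn(last_add)).get("uid")
            scope = int(m.group("scope"))
            findings.append({
                "entry": last_add,
                "base": m.group("base"),
                "scope": scope,
                "uid_matches": wanted_uid == entry_uid,
                "in_scope": dn_in_scope(last_add, m.group("base"), scope),
            })
    return findings


def nss_ldap_covers(nss_base, nss_scope, smb):
    """Given nss_ldap's base and scope ('base', 'one' or 'sub') and the three
    relevant smb.conf values, return (users reachable, machines reachable).
    Accounts sit one level below their container, so a sample RDN is tested."""
    scope_num = {"base": 0, "one": 1, "sub": 2}[nss_scope]
    user_dn = smb["ldap user suffix"] + "," + smb["ldap suffix"]
    machine_dn = smb["ldap machine suffix"] + "," + smb["ldap suffix"]
    return (dn_in_scope("uid=x," + user_dn, nss_base, scope_num),
            dn_in_scope("uid=x," + machine_dn, nss_base, scope_num))


if __name__ == "__main__":
    for finding in analyse(SLAPD_LOG):
        print(finding)  # uid matches, but in_scope is False: the thread's bug
    smb = {"ldap suffix": "dc=akweb,dc=de",
           "ldap user suffix": "ou=People",
           "ldap machine suffix": "ou=Systems"}
    print(nss_ldap_covers("ou=People,dc=akweb,dc=de", "one", smb))  # (True, False)
    print(nss_ldap_covers("dc=akweb,dc=de", "sub", smb))            # (True, True)
```

The `uid_matches` flag separates the two possible causes of the "User not found" message: a uid that was never written (the add script failed silently) versus an entry that exists but lies outside the search base, which is the case here. The second `nss_ldap_covers` call corresponds to Buchan's suggestion of `base dc=akweb,dc=de` with `scope sub` in nss_ldap's ldap.conf; keeping user and machine accounts in the same container, as Paul recommends, makes the one-level search work without widening the scope.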