Neil Marjoram
2004-Aug-20 10:23 UTC
[Samba] Fedora Core2 / Samba / Ldap / smbldap-tools - No account in Domain.
Sorry for the cross lists post, but my problem seems to involve several
areas, and one may be affecting the other.
Problem:
When logging on with a Windows XP client to the Samba domain I get the
error :
[2004/08/16 15:38:12, 0] rpc_server/srv_netlog_nt.c:get_md4pw(218)
get_md4pw: Workstation ALDEBURGH$: no account in domain
Anyone got any ideas ?
Heres what I have got most of the config files and logs, shout if you
need anything else.
I have completely reinstalled the samba server from scratch - it was a
RH9 box with the same problem. I am still using the same LDAP database.
The next thing I will do is wipe out LDAP database and start again with
the latest populate scripts if know one has an answer.
Many thanks,
Neil.
Software :
OS : Fedora Core 2
LDAP : Open Ldap 2.1.29-1
Samba : Samba 3.0.5-2
Samba Tools : smbldap-tools 0.8.5-1.1.fc2
NSS_LDAP : nss_ldap-217-1
I have used the Samba-OpenLdap Howto version 1.6 to setup the LDAP
server / ACL / Samba etc. Everything is identical to the Idealx setup,
except the the workstation accounts are in the same tree as the normal
users (as a previous suggestion and many other emails on newgroups) Also
one ACL is changed to let nssldap see the loginShell.
I know it's not Sign or Seal - Samba 3 doesn't need this reg hack in
place (it is in place anyway from a previous Samba 2 connection)
Fedora question -
When I configure the system to use ldap with authconfig I can't login it
says no such user. The fix for this is to change a line in
/etc/pam.d/system-auth to:
account [default=bad success=ok user_unknown=ignore service_err=ignore \
system_err=ignore authinfo_unavail=ignore] \
/lib/security/$ISA/pam_ldap.so
I got this from an old Redhat 9 bug - is this still not fixed ? And will
it affect the ldap search on the workstation in Samba? Looking at the
ldap log the nssldap user is part responsible for the workstation
search. (log below)
Here are my config files :
/etc/pam.d/system-auth
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore \
system_err=ignore authinfo_unavail=ignore] \
/lib/security/$ISA/pam_ldap.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
/etc/samba/smb.conf :
[global]
netbios name = BURY
log file = /var/log/samba/%m.log
load printers = yes
socket address = xxx.xxx.xxx.xxx
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
#LDAP
passdb backend = ldapsam:ldap://server.adastral.ucl.ac.uk
idmap backend = ldap:ldap://server.adastral.ucl.ac.uk
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
*passwd:*all*authentication*tokens*updated*successfully*
ldap delete dn = Yes
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m
"%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod
-x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g
"%g" "%u"
delete user script = /usr/local/sbin/smbldap-userdel "%u"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"
ldap admin dn = cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk
ldap suffix = dc=adastral,dc=ucl,dc=ac,dc=uk
ldap group suffix = ou=Group
ldap user suffix = ou=People
ldap machine suffix = ou=People
ldap idmap suffix = ou=Idmap
ldap ssl = start tls
ldap passwd sync = yes
#LDAP END
logon drive = H:
logon home = \\%L\%U
logon path = \\%L\%U\profile
logon script = common.bat
obey pam restrictions = yes
pam password change = yes
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
domain master = no
domain logons = yes
encrypt passwords = yes
passwd program = /usr/sbin/smbldap-passwd %u
case sensitive = yes
wins support = yes
dns proxy = no
writeable = yes
server string = BDC Samba Server
printing = cups
# preferred master = Yes
workgroup = adastral
time server = yes
os level = 33
printcap name = /etc/printcap
# security = user
create mode = 740
/etc/ldap.conf
host xxx.xxx.xxx.xxx
base dc=adastral,dc=ucl,dc=ac,dc=uk
rootbinddn cn=nssldap,dc=adastral,dc=ucl,dc=ac,dc=uk
nss_base_passwd dc=adastral,dc=ucl,dc=ac,dc=uk?sub
nss_base_shadow dc=adastral,dc=ucl,dc=ac,dc=uk?sub
nss_base_group ou=Group,dc=adastral,dc=ucl,dc=ac,dc=uk?one
ssl yes
pam_password md5
/etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/redhat/autofs.schema
schemacheck on
lastmod on
allow bind_v2
pidfile /var/run/slapd.pid
TLSCertificateFile /etc/openldap/ssl/servercrt.pem
TLSCertificateKeyFile /etc/openldap/ssl/serverkey.pem
TLSCACertificateFile /etc/openldap/ssl/cacert.pem
database ldbm
suffix "dc=adastral,dc=ucl,dc=ac,dc=uk"
rootdn "cn=xxxxxxxx,dc=adastral,dc=ucl,dc=ac,dc=uk"
rootpw xxxxxxxxxxxxxxxxxxxxxxxxxxx
directory /export/ldap
mode 0600
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
replica host=replica.adastral.ucl.ac.uk:389
suffix="dc=adastral,dc=ucl,dc=ac,dc=uk"
binddn="cn=replica,dc=adastral,dc=ucl,dc=ac,dc=uk"
credentials=xxxxxxxxxxxxxx
bindmethod=simple
tls=yes
access to dn=".*,dc=adastral,dc=ucl,dc=ac,dc=uk"
attr=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange,loginShell
# loginshell added here because console login nssldap could not see it
#so it wasn't set to users shell
by dn="cn=Manager,dc=adastral,dc=ucl,dc=ac,dc=uk" write
by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
by dn="cn=nssldap,dc=adastral,dc=ucl,dc=ac,dc=uk" write
by dn="cn=proxyuser,dc=adastral,dc=ucl,dc=ac,dc=uk" read
by self write
by anonymous auth
by * none
access to
attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
by * read
access to attrs=description,telephoneNumber
by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
by self write
by * read
access to
attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sam
baAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainNa
me,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
by self read
by * none
access to dn.base="dc=adastral,dc=ucl,dc=ac,dc=uk"
by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
by * none
access to dn="ou=People,dc=adastral,dc=ucl,dc=ac,dc=uk"
by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
by * none
access to dn="ou=Groups,dc=adastral,dc=ucl,dc=ac,dc=uk"
by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
by * none
access to dn=".*,dc=adastral,dc=ucl,dc=ac,dc=uk"
by self write
by * read
Heres the output from an ldapsearch for a workstation: (It's got a shell
and home dir so I could prove I could login at the unix prompt)
dn: uid=aldeburgh$,ou=People,dc=adastral,dc=ucl,dc=ac,dc=uk
uidNumber: 5022
sambaDomainName: ADASTRAL
sambaAcctFlags: [W ]
objectClass: top
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: account
gidNumber: 251
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
description: Computer Account
sambaPrimaryGroupSID: S-1-5-21-946251905-4084600911-3774255997-1503
sambaSID: S-1-5-21-946251905-4084600911-3774255997-11044
cn: aldeburgh$
displayName: aldeburgh$
uid: aldeburgh$
homeDirectory: /home/aldeburgh
loginShell: /bin/bash
sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxx
sambaPwdLastSet: 1092735020
userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxx
Section from the slapd.log file when the workstation is searched.
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 fd=25 ACCEPT from
IP=xxx.xxx.xxx.xxx:35052 (IP=0.0.0.0:389)
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=1 BIND
dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" method=128
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=1 BIND
dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" mech=SIMPLE ssf=0
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=1 RESULT tag=97 err=0
textAug 20 11:19:45 ipswich slapd[24795]: conn=245 op=2 SRCH
base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2
filter="(&(objectClass=sambaDomain)(sambaDomainName=ADASTRAL))"
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=2 SRCH
attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid
sambaSID sambaAlgorithmicRidBase objectClass
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=2 SEARCH RESULT
tag=101 err=0 nentries=0 textAug 20 11:19:45 ipswich slapd[24795]: conn=245 op=3
SRCH
base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2
filter="(&(sambaDomainName=ADASTRAL)(objectClass=sambaDomain))"
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=3 SRCH
attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid
sambaSID sambaAlgorithmicRidBase objectClass
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=3 SEARCH RESULT
tag=101 err=0 nentries=0 textAug 20 11:19:45 ipswich slapd[24795]: conn=245 op=4
ADD
dn="sambaDomainName=ADASTRAL,dc=adastral,dc=ucl,dc=ac,dc=uk"
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=4 RESULT tag=105
err=68 textAug 20 11:19:45 ipswich slapd[24795]: conn=245 op=4 RESULT tag=105
err=68 textAug 20 11:19:45 ipswich slapd[24795]: conn=245 op=5 SRCH
base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2
filter="(&(sambaSID=S-1-5-21-946251905-4084600911-3774255997-501)(objectClass=sambaSamAccount))"
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=5 SRCH attr=uid
uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
sambaBadPasswordTime
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=5 SEARCH RESULT
tag=101 err=0 nentries=0 textAug 20 11:19:45 ipswich slapd[24795]: conn=246
fd=44 ACCEPT from
IP=xxx.xxx.xxx.xxx:35053 (IP=0.0.0.0:636)
Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=0 BIND
dn="cn=nssldap,dc=adastral,dc=ucl,dc=ac,dc=uk" method=128
Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=0 BIND
dn="cn=nssldap,dc=adastral,dc=ucl,dc=ac,dc=uk" mech=SIMPLE ssf=0
Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=0 RESULT tag=97 err=0
textAug 20 11:19:45 ipswich slapd[24795]: conn=246 op=1 SRCH
base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2
filter="(&(objectClass=posixAccount)(uid=nobody))"
Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=1 SEARCH RESULT
tag=101 err=0 nentries=1 textAug 20 11:19:45 ipswich slapd[24795]: conn=246 op=2
SRCH
base="ou=Group,dc=adastral,dc=ucl,dc=ac,dc=uk" scope=1
filter="(&(objectClass=posixGroup)(|(memberUid=nobody)(uniqueMember=uid=nobody,ou=people,dc=adastral,dc=ucl,dc=ac,dc=uk)))"
Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=2 SRCH attr=gidNumber
Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=2 SEARCH RESULT
tag=101 err=0 nentries=2 textAug 20 11:19:45 ipswich slapd[24795]: conn=245 op=6
SRCH
base="ou=Group,dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2
filter="(&(objectClass=sambaGroupMapping)(gidNumber=99))"
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=6 SRCH attr=gidNumber
sambaSID sambaGroupType sambaSIDList description displayName cn
objectClass
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=6 SEARCH RESULT
tag=101 err=0 nentries=1 textAug 20 11:19:45 ipswich slapd[24795]: conn=245 op=7
SRCH
base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2
filter="(&(uid=ALDEBURGH$)(objectClass=sambaSamAccount))"
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=7 SRCH attr=uid
uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
sambaBadPasswordTime
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=7 SEARCH RESULT
tag=101 err=0 nentries=1 textAug 20 11:19:45 ipswich slapd[24795]: conn=245 op=8
SRCH
base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2
filter="(&(uid=ALDEBURGH$)(objectClass=sambaSamAccount))"
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=8 SRCH attr=uid
uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
sambaBadPasswordTime
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=8 SEARCH RESULT
tag=101 err=0 nentries=1 textAug 20 11:19:57 ipswich slapd[24795]: conn=245
fd=25 closed
Aug 20 11:19:57 ipswich slapd[24795]: conn=246 fd=44 closed
Thanks for all your time reading this email, I've gone grey (what left
of my hair) over this one. I know it's probably me, a typo or something,
but I just can't find it. To have rebuilt the server from scratch and
still have the error would point to the ldap server which I did not
rebuild. It was built from the populate scripts and with smbldap how to
1.5.
Neil
--
Neil Marjoram.
Systems Manager
University College London
Adastral Park Campus
Martlesham Heath
Ipswich
Suffolk
IP5 3RL
01473 663711
Reasonably Related Threads
Wisdom of the Ancients
