Neil Marjoram
2004-Aug-20 10:23 UTC
[Samba] Fedora Core2 / Samba / Ldap / smbldap-tools - No account in Domain.
Sorry for the cross-list post, but my problem seems to involve several areas, and one may be affecting the other.

Problem: When logging on with a Windows XP client to the Samba domain I get the error:

    [2004/08/16 15:38:12, 0] rpc_server/srv_netlog_nt.c:get_md4pw(218)
      get_md4pw: Workstation ALDEBURGH$: no account in domain

Anyone got any ideas? Here's what I have got, most of the config files and logs; shout if you need anything else.

I have completely reinstalled the samba server from scratch - it was a RH9 box with the same problem. I am still using the same LDAP database. The next thing I will do is wipe out the LDAP database and start again with the latest populate scripts if no one has an answer.

Many thanks, Neil.

Software:

    OS          : Fedora Core 2
    LDAP        : Open Ldap 2.1.29-1
    Samba       : Samba 3.0.5-2
    Samba Tools : smbldap-tools 0.8.5-1.1.fc2
    NSS_LDAP    : nss_ldap-217-1

I have used the Samba-OpenLdap Howto version 1.6 to set up the LDAP server / ACL / Samba etc. Everything is identical to the Idealx setup, except that the workstation accounts are in the same tree as the normal users (as a previous suggestion and many other emails on newsgroups). Also one ACL is changed to let nssldap see the loginShell.

I know it's not Sign or Seal - Samba 3 doesn't need this reg hack in place (it is in place anyway from a previous Samba 2 connection).

Fedora question - When I configure the system to use ldap with authconfig I can't login, it says no such user. The fix for this is to change a line in /etc/pam.d/system-auth to:

    account     [default=bad success=ok user_unknown=ignore service_err=ignore \
                 system_err=ignore authinfo_unavail=ignore] \
                /lib/security/$ISA/pam_ldap.so

I got this from an old Redhat 9 bug - is this still not fixed? And will it affect the ldap search on the workstation in Samba? Looking at the ldap log the nssldap user is part responsible for the workstation search (log below).

Here are my config files:

/etc/pam.d/system-auth

    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
    auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
    auth        required      /lib/security/$ISA/pam_deny.so
    account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100
    account     required      /lib/security/$ISA/pam_unix.so
    account     [default=bad success=ok user_unknown=ignore service_err=ignore \
                 system_err=ignore authinfo_unavail=ignore] \
                /lib/security/$ISA/pam_ldap.so
    password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
    password    required      /lib/security/$ISA/pam_deny.so
    session     required      /lib/security/$ISA/pam_limits.so
    session     required      /lib/security/$ISA/pam_unix.so
    session     optional      /lib/security/$ISA/pam_ldap.so

/etc/samba/smb.conf:

    [global]
        netbios name = BURY
        log file = /var/log/samba/%m.log
        load printers = yes
        socket address = xxx.xxx.xxx.xxx
        socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
    #LDAP
        passdb backend = ldapsam:ldap://server.adastral.ucl.ac.uk
        idmap backend = ldap:ldap://server.adastral.ucl.ac.uk
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        ldap delete dn = Yes
        add user script = /usr/local/sbin/smbldap-useradd -m "%u"
        add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
        add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
        delete user script = /usr/local/sbin/smbldap-userdel "%u"
        delete group script = /usr/local/sbin/smbldap-groupdel "%g"
        ldap admin dn = cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk
        ldap suffix = dc=adastral,dc=ucl,dc=ac,dc=uk
        ldap group suffix = ou=Group
        ldap user suffix = ou=People
        ldap machine suffix = ou=People
        ldap idmap suffix = ou=Idmap
        ldap ssl = start tls
        ldap passwd sync = yes
    #LDAP END
        logon drive = H:
        logon home = \\%L\%U
        logon path = \\%L\%U\profile
        logon script = common.bat
        obey pam restrictions = yes
        pam password change = yes
        socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
        domain master = no
        domain logons = yes
        encrypt passwords = yes
        passwd program = /usr/sbin/smbldap-passwd %u
        case sensitive = yes
        wins support = yes
        dns proxy = no
        writeable = yes
        server string = BDC Samba Server
        printing = cups
    #   preferred master = Yes
        workgroup = adastral
        time server = yes
        os level = 33
        printcap name = /etc/printcap
    #   security = user
        create mode = 740

/etc/ldap.conf

    host xxx.xxx.xxx.xxx
    base dc=adastral,dc=ucl,dc=ac,dc=uk
    rootbinddn cn=nssldap,dc=adastral,dc=ucl,dc=ac,dc=uk
    nss_base_passwd dc=adastral,dc=ucl,dc=ac,dc=uk?sub
    nss_base_shadow dc=adastral,dc=ucl,dc=ac,dc=uk?sub
    nss_base_group ou=Group,dc=adastral,dc=ucl,dc=ac,dc=uk?one
    ssl yes
    pam_password md5

/etc/openldap/slapd.conf

    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/nis.schema
    include /etc/openldap/schema/samba.schema
    include /etc/openldap/schema/redhat/autofs.schema
    schemacheck on
    lastmod on
    allow bind_v2
    pidfile /var/run/slapd.pid
    TLSCertificateFile /etc/openldap/ssl/servercrt.pem
    TLSCertificateKeyFile /etc/openldap/ssl/serverkey.pem
    TLSCACertificateFile /etc/openldap/ssl/cacert.pem
    database ldbm
    suffix "dc=adastral,dc=ucl,dc=ac,dc=uk"
    rootdn "cn=xxxxxxxx,dc=adastral,dc=ucl,dc=ac,dc=uk"
    rootpw xxxxxxxxxxxxxxxxxxxxxxxxxxx
    directory /export/ldap
    mode 0600
    index objectClass,uidNumber,gidNumber eq
    index cn,sn,uid,displayName pres,sub,eq
    index memberUid,mail,givenname eq,subinitial
    index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
    replica host=replica.adastral.ucl.ac.uk:389
            suffix="dc=adastral,dc=ucl,dc=ac,dc=uk"
            binddn="cn=replica,dc=adastral,dc=ucl,dc=ac,dc=uk"
            credentials=xxxxxxxxxxxxxx
            bindmethod=simple
            tls=yes

    access to dn=".*,dc=adastral,dc=ucl,dc=ac,dc=uk" attr=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange,loginShell
    # loginshell added here because console login nssldap could not see it
    # so it wasn't set to users shell
            by dn="cn=Manager,dc=adastral,dc=ucl,dc=ac,dc=uk" write
            by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
            by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
            by dn="cn=nssldap,dc=adastral,dc=ucl,dc=ac,dc=uk" write
            by dn="cn=proxyuser,dc=adastral,dc=ucl,dc=ac,dc=uk" read
            by self write
            by anonymous auth
            by * none

    access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
            by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
            by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
            by * read

    access to attrs=description,telephoneNumber
            by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
            by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
            by self write
            by * read

    access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
            by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
            by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
            by self read
            by * none

    access to dn.base="dc=adastral,dc=ucl,dc=ac,dc=uk"
            by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
            by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
            by * none

    access to dn="ou=People,dc=adastral,dc=ucl,dc=ac,dc=uk"
            by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
            by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
            by * none

    access to dn="ou=Groups,dc=adastral,dc=ucl,dc=ac,dc=uk"
            by dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" write
            by dn="cn=smbldap-tools,dc=adastral,dc=ucl,dc=ac,dc=uk" write
            by * none

    access to dn=".*,dc=adastral,dc=ucl,dc=ac,dc=uk"
            by self write
            by * read

Here's the output from an ldapsearch for a workstation (it's got a shell and home dir so I could prove I could login at the unix prompt):

    dn: uid=aldeburgh$,ou=People,dc=adastral,dc=ucl,dc=ac,dc=uk
    uidNumber: 5022
    sambaDomainName: ADASTRAL
    sambaAcctFlags: [W ]
    objectClass: top
    objectClass: sambaSamAccount
    objectClass: posixAccount
    objectClass: account
    gidNumber: 251
    sambaLogonTime: 0
    sambaLogoffTime: 2147483647
    sambaKickoffTime: 2147483647
    sambaPwdCanChange: 0
    sambaPwdMustChange: 2147483647
    description: Computer Account
    sambaPrimaryGroupSID: S-1-5-21-946251905-4084600911-3774255997-1503
    sambaSID: S-1-5-21-946251905-4084600911-3774255997-11044
    cn: aldeburgh$
    displayName: aldeburgh$
    uid: aldeburgh$
    homeDirectory: /home/aldeburgh
    loginShell: /bin/bash
    sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxx
    sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxx
    sambaPwdLastSet: 1092735020
    userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxx

Section from the slapd.log file when the workstation is searched:

    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 fd=25 ACCEPT from IP=xxx.xxx.xxx.xxx:35052 (IP=0.0.0.0:389)
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=1 BIND dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" method=128
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=1 BIND dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" mech=SIMPLE ssf=0
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=1 RESULT tag=97 err=0 text
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=2 SRCH base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2 filter="(&(objectClass=sambaDomain)(sambaDomainName=ADASTRAL))"
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=2 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=3 SRCH base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2 filter="(&(sambaDomainName=ADASTRAL)(objectClass=sambaDomain))"
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=3 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=4 ADD dn="sambaDomainName=ADASTRAL,dc=adastral,dc=ucl,dc=ac,dc=uk"
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=4 RESULT tag=105 err=68 text
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=4 RESULT tag=105 err=68 text
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=5 SRCH base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2 filter="(&(sambaSID=S-1-5-21-946251905-4084600911-3774255997-501)(objectClass=sambaSamAccount))"
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=5 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=5 SEARCH RESULT tag=101 err=0 nentries=0 text
    Aug 20 11:19:45 ipswich slapd[24795]: conn=246 fd=44 ACCEPT from IP=xxx.xxx.xxx.xxx:35053 (IP=0.0.0.0:636)
    Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=0 BIND dn="cn=nssldap,dc=adastral,dc=ucl,dc=ac,dc=uk" method=128
    Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=0 BIND dn="cn=nssldap,dc=adastral,dc=ucl,dc=ac,dc=uk" mech=SIMPLE ssf=0
    Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=0 RESULT tag=97 err=0 text
    Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=1 SRCH base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2 filter="(&(objectClass=posixAccount)(uid=nobody))"
    Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text
    Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=2 SRCH base="ou=Group,dc=adastral,dc=ucl,dc=ac,dc=uk" scope=1 filter="(&(objectClass=posixGroup)(|(memberUid=nobody)(uniqueMember=uid=nobody,ou=people,dc=adastral,dc=ucl,dc=ac,dc=uk)))"
    Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=2 SRCH attr=gidNumber
    Aug 20 11:19:45 ipswich slapd[24795]: conn=246 op=2 SEARCH RESULT tag=101 err=0 nentries=2 text
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=6 SRCH base="ou=Group,dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2 filter="(&(objectClass=sambaGroupMapping)(gidNumber=99))"
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=6 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=7 SRCH base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2 filter="(&(uid=ALDEBURGH$)(objectClass=sambaSamAccount))"
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=7 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=8 SRCH base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2 filter="(&(uid=ALDEBURGH$)(objectClass=sambaSamAccount))"
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=8 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime
    Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text
    Aug 20 11:19:57 ipswich slapd[24795]: conn=245 fd=25 closed
    Aug 20 11:19:57 ipswich slapd[24795]: conn=246 fd=44 closed

Thanks for all your time reading this email, I've gone grey (what's left of my hair) over this one. I know it's probably me, a typo or something, but I just can't find it. To have rebuilt the server from scratch and still have the error would point to the ldap server, which I did not rebuild. It was built from the populate scripts and with smbldap howto 1.5.

Neil

--
Neil Marjoram.
Systems Manager
University College London
Adastral Park Campus
Martlesham Heath
Ipswich
Suffolk
IP5 3RL
01473 663711
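As an added example that is not part of Neil's post nor of Samba or OpenLDAP, here is a small Python parser for slapd log lines of the kind quoted above: it folds the lines into one record per (conn, op) and flags a search that returned nentries=0 followed on the same connection by an ADD of a matching DN that failed with err=68 (LDAP entryAlreadyExists), the combination seen on conn=245 op=2 and op=4, which most likely means the entry exists but is not visible to the bound DN, so the slapd ACLs deserve a look before the data. The embedded SAMPLE_LOG is a constructed, trimmed copy of the post's log lines, with the trailing `text=` field written out as slapd logs it.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the slapd lines quoted in the post
# (conn/op numbers, bind DN, filters and result codes as they appear there).
SAMPLE_LOG = """\
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=1 BIND dn="cn=samba,dc=adastral,dc=ucl,dc=ac,dc=uk" method=128
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=1 RESULT tag=97 err=0 text=
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=2 SRCH base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2 filter="(&(objectClass=sambaDomain)(sambaDomainName=ADASTRAL))"
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=4 ADD dn="sambaDomainName=ADASTRAL,dc=adastral,dc=ucl,dc=ac,dc=uk"
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=4 RESULT tag=105 err=68 text=
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=7 SRCH base="dc=adastral,dc=ucl,dc=ac,dc=uk" scope=2 filter="(&(uid=ALDEBURGH$)(objectClass=sambaSamAccount))"
Aug 20 11:19:45 ipswich slapd[24795]: conn=245 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

LINE_RE = re.compile(r'conn=(\d+) op=(\d+) (SEARCH RESULT|RESULT|SRCH|BIND|ADD) ?(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')   # key=value, value optionally quoted

def parse_ops(log_text):
    """Fold the log into one dict per (conn, op): request type plus key=value fields."""
    ops = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = ops[(int(m.group(1)), int(m.group(2)))]
        rec.setdefault('kind', m.group(3))   # the first line of an op names the request
        for key, val in FIELD_RE.findall(m.group(4)):
            rec[key] = val.strip('"')
    return ops

def find_acl_symptoms(ops):
    """Search with nentries=0, then on the same connection an ADD of an entry matching
    that search failing with err=68 (entryAlreadyExists): the entry exists but the bound
    DN cannot see it. Returns (conn, bind dn, search op, add op, dn) per occurrence."""
    findings, records = [], sorted(ops.items())
    for (conn, op), rec in records:
        if rec.get('kind') != 'SRCH' or rec.get('nentries') != '0':
            continue
        terms = {(a.lower(), v.lower()) for a, v in re.findall(r'\((\w+)=([^)]*)\)', rec.get('filter', ''))}
        bound = next((r['dn'] for (c, _), r in records if c == conn and r.get('kind') == 'BIND'), None)
        for (conn2, op2), rec2 in records:
            if conn2 != conn or op2 <= op or rec2.get('kind') != 'ADD' or rec2.get('err') != '68':
                continue
            attr, _, val = rec2['dn'].split(',', 1)[0].partition('=')   # RDN of the added entry
            if (attr.lower(), val.lower()) in terms:
                findings.append((conn, bound, op, op2, rec2['dn']))
    return findings
```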