hi,
i have read that someone has similar problem to mine, however i didn't find how it solved them.

The problem is this: samba as a PDC for a Windows domain.
The authentication is managed with openldap.

if i try to change the password of any ldap account with smbpassword i have no error.
if i try to access to the shared folder of samba, with windows, it asks me for authentication and it all works.
The only thing i'm not able to do is to manage the windows authentication through domain: when i try to join the domain using Administrator it says to me "Can't find user" but in samba log i have:

[2004/10/13 11:27:45, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/10/13 11:27:45, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/10/13 11:27:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(485)
  init_sam_from_ldap: Entry found for user: Administrator
[2004/10/13 11:27:45, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [Administrator] -> [Administrator] -> [Administrator] succeeded
[2004/10/13 11:27:46, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2477)
  Returning domain sid for domain KOSAVUTU -> S-1-5-21-1603302580-212172761-3240640930
[2004/10/13 11:27:46, 2] smbd/server.c:exit_server(571)
  Closing connections

so Administrator is known, the authentication works, but in some way either samba or windows doesn't communicate well.
Any hints?

i'm attaching my smb.conf, hoping it can help.

Regards

-------------- next part --------------
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not many any basic syntactic
# errors.
#

#======================= Global Settings ======================

[global]

## Browsing/Identification ###
workgroup = KOSAVUTU
;netbios name = PDC
server string = %h server (Samba %v)
syslog = 30
security = user
null passwords = true
encrypt passwords = true

add user script = /usr/sbin/smbldap-useradd -m -a "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"


socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon script = logon.bat
logon path = \\PDC\profiles\%g

client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
min protocol = LANMAN2
time server = Yes
server signing = auto

local master = Yes
os level = 40
domain logons = Yes
preferred master = Yes
domain master = Yes
wins support = No
wins server = 10.0.0.1

log file = /var/log/samba/samba.log.%m
log level = 2 passdb:2 auth:2 winbind:2
admin users = root,Administrator

passdb backend = ldapsam:ldap://127.0.0.1/
passwd program = /usr/sbin/smbldap-passwd -o %u
passwd chat = *new*password* %n\n *new*password:* %n\ *succesfully*
passwd chat debug = Yes
ldap suffix = dc=sferacarta,dc=com
ldap machine suffix = ou=machines
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap idmap suffix = ou=users
ldap admin dn = "cn=Manager,dc=sferacarta,dc=com"
ldap ssl = no
ldap passwd sync = Yes
ldap delete dn = Yes

[netlogon]
path = /etc/samba/netlogon
locking = no
browsable = no
read only = yes

[profiles]
path = /etc/samba/profiles
read only = no
writeable = yes
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
force user = %U
valid users = %U "Domain Admins"

[homes]
comment = Home Directories
browseable = no
writable = no
create mask = 0700
directory mask = 0700

[kosovo]
comment = kosovo
browseable = yes
writable = no
path = /kosovo

Different people have different reasons for this failure, but in your case you need to remember that besides finding Administrator, Samba needs to find the machine trust account as well. If it can't find it, the same error message "Can't find user" is reported back to Windows. Check that the machine account was successfully created during joining of the Domain, that the flag marks it as a Workstation trust account (W), and that you can see this account with a 'getent passwd' request.

And a minor note, which probably is unrelated to your problem - don't use the '-a' option to smbldap-useradd in your 'add user script', since Samba expects this script to create only a Posix account.

Igor

Samuele Giovanni Tonon wrote:
> hi,
> i have read that someone has similar problem to mine, however i didn't
> find how it solved them.
>
> The problem is this: samba as a PDC for a Windows domain.
> The authentication is managed with openldap.
>
> if i try to change the password of any ldap account with smbpassword i
> have no error.
> if i try to access to the shared folder of samba, with windows, it asks
> me for authentication and it all works.
> The only thing i'm not able to do is to manage the windows
> authentication through domain: when i try to join the domain using
> Administrator it says to me "Can't find user" but in samba log i have:
>
> [2004/10/13 11:27:45, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2004/10/13 11:27:45, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2004/10/13 11:27:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(485)
>   init_sam_from_ldap: Entry found for user: Administrator
> [2004/10/13 11:27:45, 2] auth/auth.c:check_ntlm_password(305)
>   check_ntlm_password: authentication for user [Administrator] ->
> [Administrator] -> [Administrator] succeeded
> [2004/10/13 11:27:46, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2477)
>   Returning domain sid for domain KOSAVUTU ->
> S-1-5-21-1603302580-212172761-3240640930
> [2004/10/13 11:27:46, 2] smbd/server.c:exit_server(571)
>   Closing connections
>
>
> so Administrator is known, the authentication works, but in some way
> either samba or windows doesn't communicate well.
> Any hints?
>
> i'm attaching my smb.conf, hoping it can help.
>
> Regards
>
>
> ------------------------------------------------------------------------
>
> #
> # Sample configuration file for the Samba suite for Debian GNU/Linux.
> #
> #
> # This is the main Samba configuration file. You should read the
> # smb.conf(5) manual page in order to understand the options listed
> # here. Samba has a huge number of configurable options most of which
> # are not shown in this example
> #
> # Any line which starts with a ; (semi-colon) or a # (hash)
> # is a comment and is ignored. In this example we will use a #
> # for commentary and a ; for parts of the config file that you
> # may wish to enable
> #
> # NOTE: Whenever you modify this file you should run the command
> # "testparm" to check that you have not many any basic syntactic
> # errors.
> #
>
> #======================= Global Settings ======================
>
> [global]
>
> ## Browsing/Identification ###
> workgroup = KOSAVUTU
> ;netbios name = PDC
> server string = %h server (Samba %v)
> syslog = 30
> security = user
> null passwords = true
> encrypt passwords = true
>
> add user script = /usr/sbin/smbldap-useradd -m -a "%u"
> delete user script = /usr/sbin/smbldap-userdel "%u"
> add group script = /usr/sbin/smbldap-groupadd -p "%g"
> delete group script = /usr/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
> add machine script = /usr/sbin/smbldap-useradd -w "%u"
>
>
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> logon script = logon.bat
> logon path = \\PDC\profiles\%g
>
> client NTLMv2 auth = Yes
> client lanman auth = No
> client plaintext auth = No
> min protocol = LANMAN2
> time server = Yes
> server signing = auto
>
> local master = Yes
> os level = 40
> domain logons = Yes
> preferred master = Yes
> domain master = Yes
> wins support = No
> wins server = 10.0.0.1
>
> log file = /var/log/samba/samba.log.%m
> log level = 2 passdb:2 auth:2 winbind:2
> admin users = root,Administrator
>
> passdb backend = ldapsam:ldap://127.0.0.1/
> passwd program = /usr/sbin/smbldap-passwd -o %u
> passwd chat = *new*password* %n\n *new*password:* %n\ *succesfully*
> passwd chat debug = Yes
> ldap suffix = dc=sferacarta,dc=com
> ldap machine suffix = ou=machines
> ldap user suffix = ou=people
> ldap group suffix = ou=groups
> ldap idmap suffix = ou=users
> ldap admin dn = "cn=Manager,dc=sferacarta,dc=com"
> ldap ssl = no
> ldap passwd sync = Yes
> ldap delete dn = Yes
>
> [netlogon]
> path = /etc/samba/netlogon
> locking = no
> browsable = no
> read only = yes
>
> [profiles]
> path = /etc/samba/profiles
> read only = no
> writeable = yes
> create mask = 0600
> directory mask = 0700
> browseable = No
> guest ok = Yes
> profile acls = yes
> csc policy = disable
> force user = %U
> valid users = %U "Domain Admins"
>
> [homes]
> comment = Home Directories
> browseable = no
> writable = no
> create mask = 0700
> directory mask = 0700
>
> [kosovo]
> comment = kosovo
> browseable = yes
> writable = no
> path = /kosovo
>

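The three checks named in the reply above (POSIX account visible, Samba account present, W flag set), as an added example that is not part of the thread. The function name check_trust_account, the verdict strings and all sample data are assumptions made for illustration; the inputs are text in the formats printed by `getent passwd` and `pdbedit -L -w`.

```shell
#!/bin/sh
# Added example, not from the thread. Inputs are text in the formats printed
# by `getent passwd` and `pdbedit -L -w` (name:uid:LM:NT:[flags]:LCT:).
# Sample data is constructed: hosts, uids and hash fields are placeholders.
H=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
SAMPLE_PASSWD='ws01$:x:1005:515:Computer:/dev/null:/bin/false
ws02$:x:1006:515:Computer:/dev/null:/bin/false
ws03$:x:1007:515:Computer:/dev/null:/bin/false'
SAMPLE_SAM="ws01\$:1005:$H:$H:[W          ]:LCT-00000000:
ws02\$:1006:$H:$H:[U          ]:LCT-00000000:"

# check_trust_account NAME PASSWD_TEXT SAM_TEXT   (hypothetical helper)
# Prints: ok | no-posix-account | no-samba-account | not-workstation-trust
check_trust_account() {
    acct=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case $acct in
        *\$) ;;                      # already carries the trailing '$'
        *) acct="$acct\$" ;;         # machine trust accounts end in '$'
    esac

    # 1. The POSIX account must be visible (what 'getent passwd' shows).
    if ! printf '%s\n' "$2" |
        awk -F: -v a="$acct" 'tolower($1) == a { f = 1 } END { exit !f }'
    then
        echo no-posix-account; return 1
    fi

    # 2. The Samba account must exist in the passdb backend.
    flags=$(printf '%s\n' "$3" |
        awk -F: -v a="$acct" 'tolower($1) == a { print $5; exit }')
    if [ -z "$flags" ]; then
        echo no-samba-account; return 1
    fi

    # 3. Its account flags must mark a workstation trust account (W).
    case $flags in
        *W*) echo ok ;;
        *)   echo not-workstation-trust; return 1 ;;
    esac
}

# Live use on the PDC (as root):
#   check_trust_account WS01 "$(getent passwd)" "$(pdbedit -L -w)"
```
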
"Samuele Giovanni Tonon" <samu@sferacarta.com> wrote in message news:416CFCB2.1020906@sferacarta.com...
> hi,
> i have read that someone has similar problem to mine, however i didn't
> find how it solved them.
>
> The problem is this: samba as a PDC for a Windows domain.
> The authentication is managed with openldap.
>
> if i try to change the password of any ldap account with smbpassword i
> have no error.
> if i try to access to the shared folder of samba, with windows, it asks
> me for authentication and it all works.
> The only thing i'm not able to do is to manage the windows
> authentication through domain: when i try to join the domain using
> Administrator it says to me "Can't find user" but in samba log i have:

Make sure that the ou=machines exists in LDAP. It sounds as if Samba is trying to create the trust account but cannot find something that it needs. I have gotten this message when using /etc/passwd and /etc/group to store POSIX information. This will happen when I have forgotten to create the group "machines" in the /etc/group file.