For whatever reason I am trying to configure the following environment and am running into trouble towards the end of things. Hopefully I am overlooking something basic; any assistance would be greatly appreciated.

1. Redhat AS 2.1 server running Netscape Directory Server 5.2
2. RHEL3 system using Samba 3.0.8 acting as a PDC integrated with the Netscape LDAP server
3. Win2k/XP clients as domain members
4. Using crypt and not md5

Following through various documentation I have what I believe is a functional directory server with the appropriate samba schema loaded in. The RHEL3 system is able to act as an ldap client -- via the various idealx tools the directory server has been populated. "net getlocalsid" works, getent passwd/group shows appropriate users, and I can su to the various directory users that exist.

However, I am unable to join the domain from a windows machine or even manually access a share via something like "net use * \\server\share /user:Administrator". The directory server is getting a query but I am getting bad user/pw errors. Additionally I cannot ssh/telnet/ftp on the client machine with ldap accounts, though I believe this is likely due to using crypt and pam needing modification.
--------
A "net use * \\192.168.0.8\test /user:Administrator" with password returns in the Netscape directory log:

[16/Nov/2004:10:36:50 -0500] conn=157 op=-1 msgId=-1 - fd=56 slot=56 LDAP connection from 172.16.59.205 to 172.16.59.50
[16/Nov/2004:10:36:50 -0500] conn=157 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
[16/Nov/2004:10:36:50 -0500] conn=157 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[16/Nov/2004:10:36:50 -0500] conn=157 op=1 msgId=2 - SRCH base="dc=rdu,dc=redhat,dc=com" scope=2 filter="(&(objectClass=sambaDomain)(sambaDomainName=LDAP))" attrs="sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass"
[16/Nov/2004:10:36:50 -0500] conn=157 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[16/Nov/2004:10:36:50 -0500] conn=157 op=2 msgId=3 - SRCH base="dc=rdu,dc=redhat,dc=com" scope=2 filter="(&(sambaSID=S-1-5-21-709490077-3483046013-2562787883-501)(objectClass=sambaSamAccount))" attrs="uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambamungeddial sambabadpasswordcount sambabadpasswordtime sambapasswordhistory modifyTimestamp sambalogonhours modifyTimestamp"
[16/Nov/2004:10:36:50 -0500] conn=157 op=2 msgId=3 - RESULT err=0 tag=101 nentries=0 etime=0
[16/Nov/2004:10:36:50 -0500] conn=158 op=-1 msgId=-1 - fd=59 slot=59 LDAP connection from 172.16.59.205 to 172.16.59.50
[16/Nov/2004:10:36:50 -0500] conn=158 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
[16/Nov/2004:10:36:50 -0500] conn=158 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[16/Nov/2004:10:36:50 -0500] conn=158 op=1 msgId=2 - SRCH base="ou=groups,dc=rdu,dc=redhat,dc=com" scope=1 filter="(&(objectClass=posixGroup)(memberUid=nobody))" attrs="gidNumber"
[16/Nov/2004:10:36:50 -0500] conn=158 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
[16/Nov/2004:10:36:50 -0500] conn=157 op=3 msgId=4 - SRCH base="ou=groups,dc=rdu,dc=redhat,dc=com" scope=2 filter="(&(objectClass=sambaGroupMapping)(gidNumber=99))" attrs="gidNumber sambaSID sambaGroupType sambasidlist description displayName cn objectClass"
[16/Nov/2004:10:36:50 -0500] conn=157 op=3 msgId=4 - RESULT err=0 tag=101 nentries=0 etime=0
[16/Nov/2004:10:36:50 -0500] conn=157 op=4 msgId=5 - SRCH base="dc=rdu,dc=redhat,dc=com" scope=2 filter="(&(uid=root)(objectClass=sambaSamAccount))" attrs="uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambamungeddial sambabadpasswordcount sambabadpasswordtime sambapasswordhistory modifyTimestamp sambalogonhours modifyTimestamp"
[16/Nov/2004:10:36:50 -0500] conn=157 op=4 msgId=5 - RESULT err=0 tag=101 nentries=0 etime=0
[16/Nov/2004:10:36:51 -0500] conn=157 op=5 msgId=6 - SRCH base="dc=rdu,dc=redhat,dc=com" scope=2 filter="(&(uid=root)(objectClass=sambaSamAccount))" attrs="uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambamungeddial sambabadpasswordcount sambabadpasswordtime sambapasswordhistory modifyTimestamp sambalogonhours modifyTimestamp"
[16/Nov/2004:10:36:51 -0500] conn=157 op=5 msgId=6 - RESULT err=0 tag=101 nentries=0 etime=0

Thanks again for any help,
Christian
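Added example, not part of the original post: a small Python reader for the Netscape/389 Directory Server access log format quoted above. It pairs each SRCH with the RESULT that carries the same conn/op and reports two things a reviewer of this log would want to see at a glance: searches that matched nothing (here the lookup of the -501 SID and of uid=root, which is why the client gets "bad user/pw" even though every operation returns err=0), and simple binds by a privileged DN on a connection that was not opened over SSL. The sample lines are trimmed from the log in the post (attrs lists shortened); the assumptions are that method=128 denotes an LDAP simple bind and that 389/Netscape DS logs LDAPS connections as "SSL connection from" rather than "LDAP connection from". It does not detect STARTTLS.

```python
import re

# Constructed sample: lines from the access log quoted in the post above,
# with the long attrs= lists shortened. Not a capture from the original system.
SAMPLE_LOG = """\
[16/Nov/2004:10:36:50 -0500] conn=157 op=-1 msgId=-1 - fd=56 slot=56 LDAP connection from 172.16.59.205 to 172.16.59.50
[16/Nov/2004:10:36:50 -0500] conn=157 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
[16/Nov/2004:10:36:50 -0500] conn=157 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[16/Nov/2004:10:36:50 -0500] conn=157 op=1 msgId=2 - SRCH base="dc=rdu,dc=redhat,dc=com" scope=2 filter="(&(objectClass=sambaDomain)(sambaDomainName=LDAP))" attrs="sambaDomainName sambaSID objectClass"
[16/Nov/2004:10:36:50 -0500] conn=157 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[16/Nov/2004:10:36:50 -0500] conn=157 op=2 msgId=3 - SRCH base="dc=rdu,dc=redhat,dc=com" scope=2 filter="(&(sambaSID=S-1-5-21-709490077-3483046013-2562787883-501)(objectClass=sambaSamAccount))" attrs="uid sambaSID"
[16/Nov/2004:10:36:50 -0500] conn=157 op=2 msgId=3 - RESULT err=0 tag=101 nentries=0 etime=0
[16/Nov/2004:10:36:50 -0500] conn=157 op=4 msgId=5 - SRCH base="dc=rdu,dc=redhat,dc=com" scope=2 filter="(&(uid=root)(objectClass=sambaSamAccount))" attrs="uid sambaSID"
[16/Nov/2004:10:36:50 -0500] conn=157 op=4 msgId=5 - RESULT err=0 tag=101 nentries=0 etime=0
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>-?\d+) op=(?P<op>-?\d+) msgId=(?P<msgid>-?\d+) - (?P<rest>.*)$')
# key=value pairs: the value is either "quoted" (may contain spaces and '=') or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return {'conn', 'op', 'kind', 'fields'} for one access-log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group('rest')
    head = rest.split(' ', 1)[0]
    if head in ('BIND', 'SRCH', 'RESULT'):
        kind = head
    elif 'connection from' in rest:
        kind = 'CONNECT'
    else:
        kind = 'OTHER'
    fields = {}
    for key, quoted, bare in KV_RE.findall(rest):
        fields[key] = quoted if bare == '' else bare
    if kind == 'CONNECT':
        # Assumption: the secure port is logged as "SSL connection from",
        # the plain port as "LDAP connection from".
        fields['ssl'] = 'SSL connection from' in rest
    return {'conn': int(m.group('conn')), 'op': int(m.group('op')),
            'kind': kind, 'fields': fields}


def analyze(log_text):
    """Correlate SRCH/RESULT pairs per (conn, op) and flag empty searches and
    simple binds made on connections that were not opened over SSL."""
    ssl_conns = set()
    pending = {}            # (conn, op) -> fields of a SRCH waiting for its RESULT
    empty = []
    risky_binds = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = rec['fields']
        key = (rec['conn'], rec['op'])
        if rec['kind'] == 'CONNECT' and f['ssl']:
            ssl_conns.add(rec['conn'])
        elif rec['kind'] == 'SRCH':
            pending[key] = f
        elif rec['kind'] == 'BIND':
            # method=128 is an LDAP simple bind: the password crosses the wire
            # in the clear unless the connection is TLS-protected.
            if f.get('method') == '128' and rec['conn'] not in ssl_conns:
                risky_binds.append({'conn': rec['conn'], 'dn': f.get('dn', '')})
        elif rec['kind'] == 'RESULT' and key in pending:
            srch = pending.pop(key)
            if f.get('err') == '0' and f.get('nentries') == '0':
                empty.append({'conn': rec['conn'], 'op': rec['op'],
                              'base': srch.get('base', ''),
                              'filter': srch.get('filter', '')})
    return {'empty_searches': empty, 'simple_binds_without_tls': risky_binds}


if __name__ == '__main__':
    report = analyze(SAMPLE_LOG)
    for s in report['empty_searches']:
        print(f"no entry: conn={s['conn']} op={s['op']} filter={s['filter']}")
    for b in report['simple_binds_without_tls']:
        print(f"simple bind without SSL: conn={b['conn']} dn={b['dn']}")
```

Two practitioner notes on what the script surfaces. First, err=0 with nentries=0 is the usual shape of an "invalid user" failure against an LDAP backend: the server is answering, the entry just isn't there under that filter, so the thing to check is the data (SID, uid, objectClass) rather than the bind. Second, the smb.conf "ldap admin dn" here is cn=Directory Manager, bound with a simple bind on the plain port, so the directory's superuser password is sent in the clear on every smbd connection; a dedicated DN with ACIs limited to the samba subtree, over ldaps or TLS, is the least-privilege version of the same setup.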
Christian Merrill wrote:
> [original message quoted in full; it appears above]

Ok, managed to fix most of this... however something appears to be goofy with the Administrator account... I cannot access shares with it directly and it won't allow me to join a machine to the domain.

Christian
Christian Merrill wrote:
> Daniel Wilson wrote:
>
>> try setting your admin account with
>>
>> uidNumber=0
>> gidNumber=512
>> primarygroupsid = XXXXX-512
>>
>> the uidnumber=0 is the important one i think!
>>
>> Regards
>> Dan
>
> Here's what I have -- it all looks good, no idea what I'm missing.
> I'm thinking something has to be out of place in the directory???
>
> [root@dhcp59-205 home]# pdbedit -L -v Administrator
> Unix username:        Administrator
> NT username:          Administrator
> Account Flags:        [U          ]
> User SID:             S-1-5-21-709490077-3483046013-2562787883-2996
> Primary Group SID:    S-1-5-21-709490077-3483046013-2562787883-512
> Full Name:            Administrator
> Home Directory:       \\GSSLDAP\home\Administrator
> HomeDir Drive:        logondrive
> Logon Script:
> Profile Path:         \\GSSLDAP\profiles\Administrator\
> Domain:               LDAP
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          Mon, 18 Jan 2038 22:14:07 GMT
> Kickoff time:         Mon, 18 Jan 2038 22:14:07 GMT
> Password last set:    Tue, 16 Nov 2004 11:21:34 GMT
> Password can change:  0
> Password must change: Fri, 31 Dec 2004 11:21:34 GMT
> Last bad password :   0
> Bad password count :  0
> Logon hours :         FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

What is the uidNumber in LDAP? It must be 0 (has it got a posixAccount objectclass?).

Dan

--
Daniel Wilson
Systems Administrator
IT & Communications Service
University of Sunderland
Unit1 Technology Park
Chester Road
Sunderland SR2 7PT
Tel: 0191 515 2695
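Added example, not part of the thread: a Python check that applies Dan's checklist for the Administrator entry to an LDIF export, so the directory side can be verified directly instead of inferring it from pdbedit output. The two entries below are constructed, modelled on the pdbedit listing above (same domain SID and RID 2996), not a dump of the poster's directory; the "broken" one lacks posixAccount, uidNumber and gidNumber and has the wrong primary group. The gidNumber 512 check assumes the idealx smbldap-populate defaults, where Domain Admins is gid 512; the LDIF reader is deliberately minimal (folds continuation lines, no base64 values).

```python
# Domain SID taken from the pdbedit output above.
DOMAIN_SID = 'S-1-5-21-709490077-3483046013-2562787883'

# Constructed LDIF entries for illustration; not the poster's data.
BROKEN_ADMIN = """\
dn: uid=Administrator,ou=people,dc=rdu,dc=redhat,dc=com
objectClass: top
objectClass: sambaSamAccount
uid: Administrator
cn: Administrator
sambaSID: S-1-5-21-709490077-3483046013-2562787883-2996
sambaPrimaryGroupSID: S-1-5-21-709490077-3483046013-2562787883-513
sambaAcctFlags: [U          ]
"""

FIXED_ADMIN = """\
dn: uid=Administrator,ou=people,dc=rdu,dc=redhat,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: Administrator
cn: Administrator
uidNumber: 0
gidNumber: 512
homeDirectory: /home/Administrator
loginShell: /bin/false
sambaSID: S-1-5-21-709490077-3483046013-2562787883-2996
sambaPrimaryGroupSID: S-1-5-21-709490077-3483046013-2562787883-512
sambaAcctFlags: [U          ]
"""


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: folds continuation lines (leading space)
    and returns {attribute_lowercased: [values]}. Base64 (::) and URL (:<) values
    are not handled; this check does not need them."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(' ') and logical:
            logical[-1] += raw[1:]
        elif raw.strip() and not raw.startswith('#'):
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, _, value = line.partition(':')
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def check_admin_entry(attrs, domain_sid):
    """Apply the checklist from the thread to a parsed entry.
    Returns a list of (attribute, problem); an empty list means it passes."""
    findings = []
    oc = {v.lower() for v in attrs.get('objectclass', [])}
    for needed in ('posixaccount', 'sambasamaccount'):
        if needed not in oc:
            findings.append(('objectClass', f'missing {needed}'))
    # uidNumber 0: the account Samba uses to join machines must map to UNIX root
    if attrs.get('uidnumber', [''])[0] != '0':
        findings.append(('uidNumber', 'must be 0'))
    # assumption: idealx smbldap-populate defaults, Domain Admins = gid 512
    if attrs.get('gidnumber', [''])[0] != '512':
        findings.append(('gidNumber', 'expected 512 (Domain Admins)'))
    sid = attrs.get('sambasid', [''])[0]
    if not sid.startswith(domain_sid + '-'):
        findings.append(('sambaSID', 'not under the domain SID'))
    if attrs.get('sambaprimarygroupsid', [''])[0] != domain_sid + '-512':
        findings.append(('sambaPrimaryGroupSID', f'expected {domain_sid}-512'))
    return findings


if __name__ == '__main__':
    for label, ldif in (('broken', BROKEN_ADMIN), ('fixed', FIXED_ADMIN)):
        problems = check_admin_entry(parse_ldif_entry(ldif), DOMAIN_SID)
        print(label, problems or 'OK')
```

A caveat that follows from the uidNumber 0 requirement: every NSS/LDAP client of this directory will resolve the Administrator entry as a root-equivalent UNIX account, so the entry should carry a non-interactive loginShell and the ACIs on sambaNTPassword, sambaLMPassword and userPassword for it should be as tight as those on the real root account.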
Andreas wrote:
> On Tue, Nov 16, 2004 at 01:49:52PM -0500, Christian Merrill wrote:
>
>> Will bump up the logging and see what I can find. Sorry for not posting
>> the config portion:
>
> I would also take a closer look at the ldap logs to be certain samba is
> able to log in as manager. Can you see if at least the posix part of the
> computer account was created? That would mean that at least the
> smbldap-useradd script was run.

I knew all along I was an idiot :). The other steps needed to be done, but the culprit was me putting the smbldap scripts in /usr/local/bin and then telling samba to look for them in /usr/local/sbin. Amazing how much better it works now. So I can now join a machine to the domain; however, on the XP box I am testing on I am running into an interesting problem. When I login with a user account it takes the authentication, goes blue which is normal, and then reboots the machine. Pretty neat, going to see what event logs show (nothing on the smbd side of things); ever seen anything like this?

Christian
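Added example, not from the thread: a Python check for exactly the mistake Christian found, a script path in smb.conf that does not point at an executable. It reads every "... script =" parameter from [global], splits the command line the way a shell would, and reports programs that are missing or not executable. The smb.conf fragment is constructed to reproduce the mismatch described above (scripts in /usr/local/bin, smb.conf pointing at /usr/local/sbin); the parameter names are real Samba 3 parameters, the file is not the poster's. The executable test is injectable so the check can be exercised against a fake filesystem.

```python
import os
import shlex

# Constructed smb.conf fragment reproducing the mismatch described above.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = LDAP
    domain logons = yes
    passdb backend = ldapsam:ldap://172.16.59.50/
    ldap admin dn = cn=Directory Manager
    ; scripts were installed in /usr/local/bin, but the config says sbin
    add user script = /usr/local/sbin/smbldap-useradd -m "%u"
    add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
    add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
    delete user script = /usr/local/sbin/smbldap-userdel "%u"

[homes]
    path = /home/%u
"""


def script_settings(conf_text):
    """Return {parameter: command line} for every '<name> script = ...' line in [global].
    Comment lines start with '#' or ';'; parameter names are case- and space-insensitive."""
    out = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            continue
        if section != 'global' or '=' not in line:
            continue
        key, _, value = line.partition('=')
        key = ' '.join(key.split()).lower()
        if key.endswith(' script'):
            out[key] = value.strip()
    return out


def _is_executable_file(path):
    return os.path.isfile(path) and os.access(path, os.X_OK)


def check_script_paths(conf_text, executable=_is_executable_file):
    """Return [(parameter, program, problem)] for every configured script whose
    program cannot run. smbd runs these as root when it creates a user, machine
    or group, so a wrong path makes the domain join fail with no useful error on
    the client; the same check is worth running before trusting a path that is
    group- or world-writable."""
    problems = []
    for key, command in script_settings(conf_text).items():
        try:
            argv = shlex.split(command)
        except ValueError as exc:
            problems.append((key, command, f'unparseable command line: {exc}'))
            continue
        if not argv:
            problems.append((key, command, 'empty command'))
            continue
        prog = argv[0]
        if not os.path.isabs(prog):
            problems.append((key, prog, 'relative path; resolution depends on smbd environment'))
        elif not executable(prog):
            problems.append((key, prog, 'not found or not executable'))
    return problems


if __name__ == '__main__':
    for key, prog, why in check_script_paths(SAMPLE_SMB_CONF):
        print(f'{key}: {prog}: {why}')
```

On a real host, feed it the output of "testparm -s" rather than the raw file so that any "include =" lines are already expanded, and run it as the user smbd runs as (root) so the X_OK test reflects what smbd will see.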
On Tue, Nov 16, 2004 at 03:22:11PM -0500, Christian Merrill wrote:
> [Christian's message quoted in full; it appears above]

Never. I knew XP was fragile, but this... ;)