I'm trying to integrate Openldap with Samba version 3.0.10. I have populated my LDAP server via smbldap-populate.pl and I've gotten PAM to recognize LDAP as an authentication mechanism. Thus, I can add a user with smbldap-useradd.pl and su to that user. The problem I am having is when I attempt to add a computer from MS Windoze XP. When I attempt to join my domain, XP prompts me for a user ID and password. If I enter a user ID of "root" with either my box's actual root password or the password for the LDAP user "uid=Administrator,ou=Users,dc=somedomain,dc=org" I get the following: "unknown user or bad password". I suppose this makes sense because there are only two users in ou=Users (Administrator and nobody), neither of which is "root". Alternatively, if I attempt to join the domain with a user ID of "Administrator" I get "Access is denied". So, my question is: do I need to create an LDAP user in ou=Users with a user ID of "root"? If so, how should I do this, and wouldn't it conflict with the root UID in /etc/passwd? I've been trying to follow the directions in "By Example" -> "Making Users Happy" but it seems to be a little sketchy on this topic. I can provide logs on request.
Here is my smb.conf:

# Global parameters
[global]
        workgroup = PEANUTS
        server string = Snoopy Samba Server
        log level = 5
        log file = /var/log/samba/log.%m
        max log size = 50
        time server = Yes
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        logon script = %U.bat
        #logon path
        #logon home
        domain logons = Yes
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        #username map = /etc/samba/smbusers

        # LDAP Related
        ldap passwd sync = Yes
        passdb backend = ldapsam:ldap://127.0.0.1/
        ldap admin dn = cn=Manager,dc=somedomain,dc=org
        ldap suffix = dc=somedomain,dc=org
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Idmap,dc=somedomain,dc=org
        # Avoid the risk of UID/GID inconsistencies across systems
        # by having a common LDAP backend.
        idmap backend = ldap:ldap://127.0.0.1
        # These should match the values specified in smbldap_conf.pm
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        map acl inherit = Yes
        #ldap ssl = start_tls

        add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
        delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
        add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
        delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
        add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
        delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
        set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u'
        add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'

        security = user
        template shell = /bin/false
        winbind use default domain = no

[netlogon]
        path = /var/lib/samba/netlogon
        browseable = No
        root preexec = /var/lib/samba/netlogon/logon.pl %U %I

[common]
        comment = Common material
        path = /home/common
        force group = common
        read only = No
        create mask = 0774
        directory mask = 0775
        browseable = No
> I'm trying to integrate Openldap with Samba version 3.0.10. I have populated
> my LDAP server via smbldap-populate.pl and I've gotten PAM to recognize LDAP
> as an authentication mechanism. Thus, I can add a user with smbldap-useradd.pl
> and su to that user.

Can you do a straight login / ssh as that new user?

> The problem I am having is when I attempt to add a computer from MS Windoze XP.
> When I attempt to join my domain XP prompts me for a user ID and password. If I
> enter a user ID of "root" with either my box's actual root password or the
> password for the LDAP user "uid=Administrator,ou=Users,dc=somedomain,dc=org"
> I get the following: "unknown user or bad password". I suppose this makes sense
> because there are only two users in ou=Users (Administrator and nobody) neither
> of which is "root". Alternatively, if I attempt to join the domain with a user ID
> of "Administrator" I get "Access is denied".

Somewhere in those howtos and example books that JHT, et al, has written he says to set the UID of the Administrator to 0. What UID does your Administrator have? I believe from vague memory that the smbldap-populate script automatically sets the UID of the Administrator to 0. Just use smbldap-passwd Administrator to make sure that the password is set. Then try adding your machine again. This worked for me last night when I got the same error. Tell us what happens.

Regards,
Geoff.
I have done some further investigation and this is what I found. If I change the uidNumber of "uid=Administrator,ou=Users,dc=somedomain,dc=org" to 0, Samba will add a computer to ou=Computers. However, it will still return an error to the XP machine that is attempting to join the domain. The error code is "The user name could not be found". I plowed through the Samba logs and found this interesting tidbit, though I'm not sure what to make of it. Any help analyzing it would be greatly appreciated.

//---- Begin log
[2005/01/21 15:11:08, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2250)
  _samr_create_user: Running the command `/var/lib/samba/sbin/smbldap-useradd.pl -w 'amp$'' gave 0
[2005/01/21 15:11:08, 5] lib/username.c:Get_Pwnam(293)
  Finding user amp$
[2005/01/21 15:11:08, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is amp$
[2005/01/21 15:11:08, 5] lib/username.c:Get_Pwnam_internals(239)
  Trying _Get_Pwnam(), username as uppercase is AMP$
[2005/01/21 15:11:08, 5] lib/username.c:Get_Pwnam_internals(247)
  Checking combinations of 0 uppercase letters in amp$
[2005/01/21 15:11:08, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals didn't find user [amp$]!
[2005/01/21 15:11:08, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 samr_io_r_create_user
[2005/01/21 15:11:08, 5] rpc_parse/parse_prs.c:prs_uint32(642)
      0000 data1: 00000000
[2005/01/21 15:11:08, 5] rpc_parse/parse_prs.c:prs_uint32(642)
      0004 data2: 00000000
[2005/01/21 15:11:08, 5] rpc_parse/parse_prs.c:prs_uint16(613)
      0008 data3: 0000
[2005/01/21 15:11:08, 5] rpc_parse/parse_prs.c:prs_uint16(613)
      000a data4: 0000
[2005/01/21 15:11:08, 5] rpc_parse/parse_prs.c:prs_uint8s(729)
      000c data5: 00 00 00 00 00 00 00 00
[2005/01/21 15:11:08, 5] rpc_parse/parse_prs.c:prs_uint32(642)
      0014 access_granted: 00000000
[2005/01/21 15:11:08, 5] rpc_parse/parse_prs.c:prs_uint32(642)
      0018 user_rid : 00000000
[2005/01/21 15:11:08, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
      001c status: NT_STATUS_NO_SUCH_USER
[2005/01/21 15:11:08, 5] rpc_server/srv_pipe.c:api_rpcTNP(1578)
  api_rpcTNP: called samr successfully
//---- End log

>> I'm trying to integrate Openldap with Samba version 3.0.10. I have
>> populated my LDAP server via smbldap-populate.pl and I've gotten PAM to recognize
>> LDAP as an authentication mechanism. Thus, I can add a user with smbldap-useradd.pl
>> and su to that user.
>
> Can you do a straight login / ssh as that new user?

Yes

>> The problem I am having is when I attempt to add a computer from MS Windoze XP.
>> When I attempt to join my domain XP prompts me for a user ID and password. If I
>> enter a user ID of "root" with either my box's actual root password or the
>> password for the LDAP user "uid=Administrator,ou=Users,dc=somedomain,dc=org"
>> I get the following: "unknown user or bad password". I suppose this makes sense
>> because there are only two users in ou=Users (Administrator and nobody) neither
>> of which is "root". Alternatively, if I attempt to join the domain with a user ID
>> of "Administrator" I get "Access is denied".
>
> Somewhere in those howtos and example books that JHT, et al, has written he
> says to set the UID of the Administrator to 0. What UID does your
> Administrator have? I believe from vague memory that the smbldap-populate
> script automatically sets the UID of the Administrator to 0. Just use
> smbldap-passwd Administrator to make sure that the password is set. Then try
> adding your machine again. This worked for me last night when I got the
> same error.
>
> Tell us what happens.
>
> Regards,
> Geoff.
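To make the log above easier to read, here is an added example (my own, not code from the thread or from Samba): a small Python checker that parses smbd's "[timestamp, level] file:function(line)" log format and pairs the exit status of the add machine script with the Get_Pwnam miss and NT status that follow it. The sample lines are the relevant entries copied from the log above; the verdict names and the NSS/nscd explanation in the comments are my own reading of the sequence.

```python
import re
# Constructed sample: the relevant entries from the level-5 smbd log quoted in the thread.
SAMPLE_LOG = """\
[2005/01/21 15:11:08, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2250)
  _samr_create_user: Running the command `/var/lib/samba/sbin/smbldap-useradd.pl -w 'amp$'' gave 0
[2005/01/21 15:11:08, 5] lib/username.c:Get_Pwnam(293)
  Finding user amp$
[2005/01/21 15:11:08, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals didn't find user [amp$]!
[2005/01/21 15:11:08, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
      001c status: NT_STATUS_NO_SUCH_USER
"""
HEADER = re.compile(r"^\[(?P<ts>[^,]+), (?P<level>\d+)\] (?P<src>\S+)$")
SCRIPT = re.compile(r"Running the command `(?P<cmd>.+)' gave (?P<rc>-?\d+)")
NOTFOUND = re.compile(r"didn't find user \[(?P<user>[^\]]+)\]")
STATUS = re.compile(r"status: (?P<nt>NT_STATUS_\w+)")

def parse_samba_log(text):
    """Group each '[ts, level] file:func(line)' header with its indented message lines."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"ts": m["ts"], "level": int(m["level"]), "src": m["src"], "msg": ""}
            entries.append(current)
        elif current is not None:
            current["msg"] += line.strip() + " "
    return entries

def diagnose_machine_join(text):
    """Explain a failed machine-account join from an smbd log; None if no add script was run."""
    cmd, rc, missing, nt = None, None, None, None
    for e in parse_samba_log(text):
        if m := SCRIPT.search(e["msg"]):
            cmd, rc = m["cmd"], int(m["rc"])
        elif m := NOTFOUND.search(e["msg"]):
            missing = m["user"]
        elif m := STATUS.search(e["msg"]):
            nt = m["nt"]
    if rc is None:
        return None
    if rc != 0:
        verdict = "add_machine_script_failed"  # the add machine script itself failed
    elif missing and nt == "NT_STATUS_NO_SUCH_USER":
        # Script exited 0 (entry written to LDAP) but getpwnam() still cannot see it: smbd
        # re-resolves the new name via NSS, so check nss_ldap's search base and the nscd cache.
        verdict = "nss_lookup_failed"
    else:
        verdict = "unknown"
    return {"account": missing, "command": cmd, "script_rc": rc, "nt_status": nt, "verdict": verdict}
```

Run against a full log.smbd at log level 5 the same way; the verdict separates "the script never created the account" from "the account exists but the name service cannot resolve it", which need different fixes.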
> Geoff Scott:
>
> [...]
>
> > tell us what happens.
>
> What happens is, that RHAS3 gets all mixed up (Openldap 2.2.20) as to
> what's root and what's administrator.
>
> This is a *LOUSY* solution and worthy by all men of utter condemnation.
>
> --Tonni

hmmm. I was just quoting from JHT's book Samba by Example: Making Users Happy, step 11:

    In the above listing, you can see that the user Administrator has been
    given UID=998. This means that operations conducted from a Windows client
    using tools such as the Domain User Manager fail under UNIX because the
    management of user and group accounts requires that the UID=0. You decide
    to rectify this immediately as demonstrated here:

    root# cd /var/lib/samba/sbin
    root# ./smbldap-usermod.pl -u 0 Administrator

OK. I see the criticism, but where's your solution? You know, on the postfix user lists those guys will tell you you're a dweeb and then tell you where to RTFM, but at least they tell you where in the READMEs to find the info. I've posted here a number of times and never gotten a response. I don't think that my questions were that silly. But rather than let someone else sit around wondering how to fix a problem, I am trying to help. What have you done to help this fellow lister? Look, I don't want to flame.... But do something constructive. I can't help this guy anymore. His problem is beyond me. It looks like you can tho.... So please do.

Regards,
Geoff