samba - Mar 2005 - Domain login not working with MySQL backend

Hello!

I'm kind of stuck here. I'd like to set up a Samba PDC server using a 
MySQL database backend, so that me and my colleges can easily administer 
the users with a PHP based web interface. I've already installed and 
configured Samba 3.0.11 and MySQL 4.0 on FreeBSD. Everything seems to 
work great, except I can't login. I always get a message that says the 
domain controller is not availabe or the computer account is not 
existing. The log file says: "rpc_server/srv_netlog_nt.c:get_md4pw(261) 
md4pw: Workstation PC1$: no account in domain". What did I do wrong? :(

This is the workstation account:
Unix username:        pc1$
NT username:          pc1$
Account Flags:        [W          ]
User SID:             S-1-5-21-3555237956-4202347196-2499260156-3008
Primary Group SID:    S-1-5-21-3555237956-4202347196-2499260156-515
Full Name:            User &
Home Directory:       
HomeDir Drive:        
Logon Script:         
Profile Path:         
Domain:               test
Account desc:         
Workstations:         
Munged dial:          
Logon time:           0
Logoff time:          0
Kickoff time:         0
Password last set:    Sun, 06 Mar 2005 19:25:40 UTC
Password can change:  Sun, 06 Mar 2005 19:25:40 UTC
Password must change: Wed, 18 May 2033 05:33:19 UTC
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


That's what I already did:

- I've created the user accounts in FreeBSD (user1)

- I've created the machine accounts in FreeBSD (pc1$)

- I've added the users in Samba: "pdbedit -a -u user1"

- I've added the workstation accunts in Samba: "pdbedit -a -m -u
pc1"

- I've checked that the accounts are correctly inserted in the database

- I can change the computer's domain to the Samba PDC's one

- I can open home shares using samba accounts


I have searched around the Internet, but I could not find a solution. :( 
I hope somebody can give me a hint! Thank you!


Kind regards,

camouflageX

Hello,
> using a MySQL database backend, so that me and my colleges can easily 
> administer the users with a PHP based web interface. 
Why you don't you use OpenLDAP and LAM?  LAM is a Web-Based 
admin-interface for Samba- and Unix- LDAP-Accounts written in PHP.
We use it for more than 500 users.

PS: MySQL-Backend is still Beta.

matze

Andreas Braun wrote:
> Hello!
>
> I'm kind of stuck here. I'd like to set up a Samba PDC server using
a
> MySQL database backend, so that me and my colleges can easily 
> administer the users with a PHP based web interface. I've already 
> installed and configured Samba 3.0.11 and MySQL 4.0 on FreeBSD. 
> Everything seems to work great, except I can't login. I always get a 
> message that says the domain controller is not availabe or the 
> computer account is not existing. The log file says: 
> "rpc_server/srv_netlog_nt.c:get_md4pw(261) md4pw: Workstation PC1$: no
> account in domain". What did I do wrong? :(
>
> This is the workstation account:
> Unix username:        pc1$
> NT username:          pc1$
> Account Flags:        [W          ]
> User SID:             S-1-5-21-3555237956-4202347196-2499260156-3008
> Primary Group SID:    S-1-5-21-3555237956-4202347196-2499260156-515
> Full Name:            User &
> Home Directory:       HomeDir Drive:        Logon Script:         
> Profile Path:         Domain:               test
> Account desc:         Workstations:         Munged dial:          
> Logon time:           0
> Logoff time:          0
> Kickoff time:         0
> Password last set:    Sun, 06 Mar 2005 19:25:40 UTC
> Password can change:  Sun, 06 Mar 2005 19:25:40 UTC
> Password must change: Wed, 18 May 2033 05:33:19 UTC
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
>
> That's what I already did:
>
> - I've created the user accounts in FreeBSD (user1)
>
> - I've created the machine accounts in FreeBSD (pc1$)
>
> - I've added the users in Samba: "pdbedit -a -u user1"
>
> - I've added the workstation accunts in Samba: "pdbedit -a -m -u
pc1"
>
> - I've checked that the accounts are correctly inserted in the database
>
> - I can change the computer's domain to the Samba PDC's one
>
> - I can open home shares using samba accounts
>
>
> I have searched around the Internet, but I could not find a solution. 
> :( I hope somebody can give me a hint! Thank you!
>
>
> Kind regards,
>
> camouflageX
I went through this recently and I'm not sure I'll have _your_ answer, 
but some things that were gotcha's on my install :

1. Make sure "net getlocalsid" matches the sids in "net groupmap
list".
2. Make sure the userid and machine id's also share this correct SID 
parts. Actually now that I think of it, that was the problem I had.
3. Make sure you have an admin account to work with. For me, I did 
something like :
  net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin
  net groupmap modify ntgroup="Domain Users" unixgroup=users
  net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
  and add admin userids to the ntadmin group.
4. Create a userid that has the UID of 500 (according to the HowTo.)
5. 3.0.11 has the very usefull perms to not need to be root options, so 
I also did something like :
net rpc rights grant DOMAIN\\Domain Admins" SeMachineAccountPrivilege 
SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege -U 
"administrator"
6. Added some stuff to smb.conf:
  enable privileges = yes
  add machine script = /usr/sbin/useradd -d /dev/null -g machines -c 
"machine account" -s /bin/false -M %u
7. Go ahead a join a computer to the domain.

JES