Okay, if anyone can help me, I put all my config and log on
http://www.arzurproduction.com/temp/

I cannot join the domain on my Windows XP (Access Denied).

So I try:

1- An Administrator user created by smbldap-populate; I have root = Administrator in my /etc/samba/smbusers
Error:
[2005/03/21 10:09:03, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [administrator] -> [root] FAILED with error NT_STATUS_NO_SUCH_USER

2- The same Administrator but I comment out root = Administrator
Error:
[2005/03/22 09:47:04, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/03/22 09:47:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
  init_sam_from_ldap: Entry found for user: Administrator
[2005/03/22 09:47:04, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
  init_group_from_ldap: Entry found for group: 512
[2005/03/22 09:47:04, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [administrator] -> [administrator] -> [Administrator] succeeded
[2005/03/22 09:47:05, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
  Returning domain sid for domain ARZUR-NT -> S-1-5-21-1874299889-3982645529-2160850509
[2005/03/22 09:47:05, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED (requested: 0x00000211)
[2005/03/22 09:47:05, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
  Returning domain sid for domain ARZUR-NT -> S-1-5-21-1874299889-3982645529-2160850509
[2005/03/22 09:47:05, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201; required: 0x00000010)
[2005/03/22 09:47:05, 2] smbd/server.c:exit_server(575)
  Closing connections

3- The same Administrator, I create a root ldap user (same as the old smbldap-tools)
[2005/03/22 09:49:42, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/03/22 09:49:42, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
  init_sam_from_ldap: Entry found for user: root
[2005/03/22 09:49:42, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
  init_group_from_ldap: Entry found for group: 513
[2005/03/22 09:49:42, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [administrator] -> [root] -> [root] succeeded
[2005/03/22 09:49:43, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
  Returning domain sid for domain ARZUR-NT -> S-1-5-21-1874299889-3982645529-2160850509
[2005/03/22 09:49:43, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
  init_group_from_ldap: Entry found for group: 515
[2005/03/22 09:49:43, 2] passdb/pdb_ldap.c:init_ldap_from_sam(929)
  init_ldap_from_sam: Setting entry for user: poil-barebone$
[2005/03/22 09:49:43, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1552)
  ldapsam_modify_entry: Failed to modify user dn= uid=poil-barebone$,ou=Computers,dc=arzur,dc=local with: Insufficient access
[2005/03/22 09:49:43, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1994)
  ldapsam_add_sam_account: failed to modify/add user with uid = poil-barebone$ (dn = uid=poil-barebone$,ou=Computers,dc=arzur,dc=local)
[2005/03/22 09:49:43, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2272)
  could not add user/computer poil-barebone$ to passdb. Check permissions?
[2005/03/22 09:49:43, 2] smbd/server.c:exit_server(575)
  Closing connections

4- In root (ldap root)
[2005/03/22 09:50:21, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/03/22 09:50:21, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
  init_sam_from_ldap: Entry found for user: root
[2005/03/22 09:50:21, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
  init_group_from_ldap: Entry found for group: 513
[2005/03/22 09:50:21, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2005/03/22 09:50:22, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
  Returning domain sid for domain ARZUR-NT -> S-1-5-21-1874299889-3982645529-2160850509
[2005/03/22 09:50:22, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
  init_group_from_ldap: Entry found for group: 515
[2005/03/22 09:50:22, 2] passdb/pdb_ldap.c:init_ldap_from_sam(929)
  init_ldap_from_sam: Setting entry for user: poil-barebone$
[2005/03/22 09:50:22, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1552)
  ldapsam_modify_entry: Failed to modify user dn= uid=poil-barebone$,ou=Computers,dc=arzur,dc=local with: Insufficient access
[2005/03/22 09:50:22, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1994)
  ldapsam_add_sam_account: failed to modify/add user with uid = poil-barebone$ (dn = uid=poil-barebone$,ou=Computers,dc=arzur,dc=local)
[2005/03/22 09:50:22, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2272)
  could not add user/computer poil-barebone$ to passdb. Check permissions?
[2005/03/22 09:50:22, 2] smbd/server.c:exit_server(575)
  Closing connections

Thanks all for helping me!
Hi, I think I've found your problem.
You've set rootbinddn cn=nssldap,ou=DSA,dc=ARZUR,dc=LOCAL but you didn't give that user admin LDAP rights.
Have you done this? http://samba.idealx.org/smbldap-howto.en.html#htoc116
And this? http://samba.idealx.org/smbldap-howto.en.html#htoc111
Attention: since you're using a root bind different from Manager, you must give it admin access. Something like

access to * by cn=nssldap,ou=DSA,dc=ARZUR,dc=LOCAL write

This is a very WIDE configuration; you may restrict which objects your admin user can access, in order for it to have write permissions only to samba objects. Something like

access to attrs=sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,

Best Regards,
Bruno Guerreiro

-----Original Message-----
From: Poil [mailto:poil@own-you.com]
Sent: Tuesday, 22 March 2005 8:55
To: samba@lists.samba.org
Subject: [Samba] SAMBA3 + LDAP = Round 5 :(((
Yes, that's normal.
And I see that you've edited your slapd.conf. Does your setup work now?

Best regards,
Bruno Guerreiro

-----Original Message-----
From: benjamin.dupuis@armorarena-fr.com [mailto:benjamin.dupuis@armorarena-fr.com]
Sent: Tuesday, 22 March 2005 10:31
To: benjamin.dupuis@armorarena-fr.com
Cc: Bruno Guerreiro; 'Poil'; samba@lists.samba.org
Subject: Re: [Samba] SAMBA3 + LDAP = Round 5 :(((

When checking my samba log I have:

[2005/03/22 11:25:39, 0] lib/util_sock.c:get_peer_addr(1136)
  getpeername failed. Error was Transport endpoint is not connected
[2005/03/22 11:25:39, 0] lib/util_sock.c:write_socket_data(430)
  write_socket_data: write failure. Error = Connection reset by peer
[2005/03/22 11:25:39, 0] lib/util_sock.c:write_socket(455)
  write_socket: Error writing 4 bytes to socket 5: ERRNO = Connection reset by peer
[2005/03/22 11:25:39, 0] lib/util_sock.c:send_smb(647)
  Error writing 4 bytes to client. -1. (Connection reset by peer)
[2005/03/22 11:25:39, 2] smbd/server.c:exit_server(575)

Is it normal? I think no... :/

benjamin.dupuis@armorarena-fr.com wrote:
> I've got:
>
> # users can authenticate and change their password
> access to attrs=userPassword,sambaNTPassword,sambaLMPassword
>     by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
>     by dn="cn=nssldap,ou=DSA,dc=arzur,dc=local" write
>     by self write
>     by anonymous auth
>
> # the objectClass needed for everyone
> access to attrs=objectClass,entry
>     by dn="cn=samba,ou=DSA,dc=arzur,dc=local" read
>     by dn="cn=nssldap,ou=DSA,dc=arzur,dc=local" read
>     by dn="cn=postfix-auth,ou=DSA,dc=arzur,dc=local" read
>     by self read
>
> # some attributes need to be readable by everyone
> access to attrs=uidNumber,gidNumber
>     by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
>     by dn="cn=nssldap,ou=DSA,dc=arzur,dc=local" read
>     by self read
>
> # some attributes can be writable by users themselves
> access to attrs=description,telephoneNumber
>     by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
>     by self write
>     by users read
>
> # some attributes need to be readable so that 'id user' can answer correctly
> access to attrs=@posixAccount,@posixGroup,@inetOrgPerson
>     by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
>     by dn="cn=nssldap,ou=DSA,dc=arzur,dc=local" read
>     by self read
>
> # some attributes need to be writable for samba
> access to attrs=@sambaSamAccount,@sambaGroupMapping,@sambaTrustPassword,@sambaDomain,@sambaShare,@sambaConfigOption,@sambaPrivilege
>     by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
>     by self read
>
> # samba need to be able to create the sambaDomain account and NextFreeUnixId
> access to dn="dc=arzur,dc=local" attrs=children
>     by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
> access to dn="cn=NextFreeUnixId,dc=arzur,dc=local"
>     by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
> access to dn.one="dc=arzur,dc=local" filter="(objectClass=sambaDomain)"
>     by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
>
> # samba need to be able to create new users account
> access to dn="ou=People,dc=arzur,dc=local"
>     by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
>
> # samba need to be able to create new groups account
> access to dn="ou=Groups,dc=arzur,dc=local"
>     by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
>
> # samba need to be able to create new computers account
> access to dn="ou=Computers,dc=arzur,dc=local"
>     by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
>
> # samba need to be able to create new idmap entries
> access to dn="ou=Idmap,dc=arzur,dc=local"
>     by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
>
> # Default access rights
> access to *
>     by self read
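As an added example (not code from the thread, OpenLDAP or Samba), here is a small Python evaluator that applies the slapd.conf rules quoted above with slapd's first-match semantics to the computer entry from the log, so you can see which bind DN is granted what on each attribute before touching the directory. It assumes cn=Manager,dc=arzur,dc=local is the rootdn (as Bruno's suggestion implies) and uses a constructed subset of the sambaSamAccount attributes to expand the @objectClass shorthand.

```python
"""Simplified slapd.conf ACL evaluator (added example; not code from the thread,
OpenLDAP or Samba).  It applies slapd's order: the first "access to" clause whose
<what> matches the target decides, and inside it the first matching "by" clause
sets the level (none if no "by" matches); the rootdn bypasses ACLs entirely.
Simplifications: every dn= form is treated as an exact match, filter= is ignored."""
import re

# Constructed subset of the Samba schema, used to expand the @objectClass shorthand.
CLASS_ATTRS = {"sambasamaccount": {"uid", "sambasid", "sambaprimarygroupsid",
               "sambaacctflags", "sambantpassword", "sambalmpassword", "displayname"}}

# Rules from the slapd.conf quoted in the thread that can match attributes of a
# computer account, in their original order (the dn-scoped rules are omitted).
ACL_TEXT = """
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
    by dn="cn=nssldap,ou=DSA,dc=arzur,dc=local" write
    by self write
    by anonymous auth
# the objectClass needed for everyone
access to attrs=objectClass,entry
    by dn="cn=samba,ou=DSA,dc=arzur,dc=local" read
    by dn="cn=nssldap,ou=DSA,dc=arzur,dc=local" read
    by self read
# some attributes need to be writable for samba
access to attrs=@sambaSamAccount,@sambaGroupMapping,@sambaTrustPassword
    by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
    by self read
# Default access rights
access to *
    by self read
"""

def parse_what(text):
    """<what> -> {"dn": exact DN or None, "attrs": set of names or None (= all)}."""
    what = {"dn": None, "attrs": None}
    for m in re.finditer(r'(dn(?:\.\w+)?|attrs|filter)=("[^"]*"|\S+)', text):
        key, val = m.group(1), m.group(2).strip('"').lower()
        if key.startswith("dn"):
            what["dn"] = val
        elif key == "attrs":
            what["attrs"] = set(val.split(","))
    return what

def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    body = " ".join(l.strip() for l in text.splitlines()
                    if l.strip() and not l.lstrip().startswith("#"))
    rules = []
    for chunk in re.split(r"\baccess to\b", body)[1:]:
        what, *by_clauses = re.split(r"\bby\b", chunk)
        rules.append((parse_what(what), [tuple(c.split()[:2]) for c in by_clauses]))
    return rules

def what_matches(what, target, attr):
    if what["dn"] is not None and what["dn"] != target.lower():
        return False
    attrs, a = what["attrs"], attr.lower()
    if attrs is None or "*" in attrs:           # no attrs= means every attribute
        return True
    return any(a in CLASS_ATTRS.get(x[1:], ()) if x.startswith("@") else x == a
               for x in attrs)

def who_matches(who, bind, target):
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (bind is None) == (who == "anonymous")
    if bind is None:                            # self and dn= need a bound identity
        return False
    return bind.lower() == (target if who == "self" else who[3:].strip('"')).lower()

def access(bind, target, attr, rules, rootdn=None):
    """Level slapd grants `bind` (None = anonymous) on `attr` of entry `target`."""
    if rootdn and bind and bind.lower() == rootdn.lower():
        return "write"                          # rootdn is never subject to ACLs
    for what, by_clauses in rules:
        if what_matches(what, target, attr):
            for who, level in by_clauses:
                if who_matches(who, bind, target):
                    return level
            return "none"                       # <what> matched but no <who>: stop
    return "none"                               # implicit trailing "access to * by * none"

RULES = parse_acl(ACL_TEXT)
COMPUTER = "uid=poil-barebone$,ou=Computers,dc=arzur,dc=local"   # DN from the log
NSSLDAP = "cn=nssldap,ou=DSA,dc=arzur,dc=local"
SAMBA = "cn=samba,ou=DSA,dc=arzur,dc=local"
MANAGER = "cn=Manager,dc=arzur,dc=local"                          # assumed rootdn

def modify_report(bind, rootdn=MANAGER):
    """Level granted on attributes ldapsam_modify_entry writes to the computer entry."""
    return {a: access(bind, COMPUTER, a, RULES, rootdn)
            for a in ("objectClass", "sambaSID", "sambaNTPassword")}
```

Under these rules cn=nssldap is granted nothing on sambaSID, while cn=samba gets write there but only read on objectClass (the second rule matches first); only the rootdn is allowed everything, which is what Bruno's suggestion to bind as cn=Manager tests.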
Hi again.
You did create that object (cn=samba,ou=DSA,dc=arzur,dc=local), right?
Could you please try binding with cn=Manager,dc=arzur,dc=local instead?

Bruno Guerreiro

-----Original Message-----
From: benjamin.dupuis@armorarena-fr.com [mailto:benjamin.dupuis@armorarena-fr.com]
Sent: Tuesday, 22 March 2005 10:49
To: Bruno Guerreiro
Subject: Re: [Samba] SAMBA3 + LDAP = Round 5 :(((

Bruno Guerreiro wrote:
> Yes, that's normal.
> And I see that you've edited your slapd.conf. Does your setup work now?

No, same error :-(